fix: v6 code review P0 auth/IDOR fixes + frontend regression patches
Backend fixes: - auth_handler: P0 认证逻辑修复 - ratelimit: 限速中间件增强 + 新增单元测试 - auth_service: 认证服务逻辑完善 + 新增测试 - server: server 配置增强 + 新增测试 - handler_test: 新增 handler 层集成测试 - auth_bootstrap_test: bootstrap 路径测试 Frontend patches: - LoginPage/RegisterPage: CSRF + 表单交互修复 - BootstrapAdminPage: 引导流程修复 - DevicesPage: 设备管理页修复 - auth/social-accounts/users/webhooks services: 类型修正 - csrf.ts: CSRF token 处理修正 - E2E 脚本: CDP smoke + auth e2e 增强 Docs: - FULL_CODE_REVIEW_REPORT_2026-04-20 - report-v6 执行计划 - REAL_PROJECT_STATUS 更新 - .gitignore: 新增 .gocache-*/config.yaml 排除 验证: go build/vet 0错误, go test 42/42 PASS, 0 FAIL
This commit is contained in:
@@ -7,6 +7,8 @@ import (
|
||||
"net/http"
|
||||
"os"
|
||||
"os/signal"
|
||||
"strconv"
|
||||
"strings"
|
||||
"syscall"
|
||||
"time"
|
||||
|
||||
@@ -43,10 +45,12 @@ func Serve(cfg *config.Config) error {
|
||||
// P1-3:Argon2id 启动时自适应校准
|
||||
auth.CalibrateArgon2id(500 * time.Millisecond)
|
||||
|
||||
accessTokenExpire := resolveJWTAccessTokenExpire(cfg)
|
||||
|
||||
// 初始化 JWT 管理器
|
||||
jwtManager, err := auth.NewJWTWithOptions(auth.JWTOptions{
|
||||
HS256Secret: cfg.JWT.Secret,
|
||||
AccessTokenExpire: time.Duration(cfg.JWT.AccessTokenExpireMinutes) * time.Minute,
|
||||
AccessTokenExpire: accessTokenExpire,
|
||||
RefreshTokenExpire: time.Duration(cfg.JWT.RefreshTokenExpireDays) * 24 * time.Hour,
|
||||
})
|
||||
if err != nil {
|
||||
@@ -125,6 +129,9 @@ func Serve(cfg *config.Config) error {
|
||||
totpService := service.NewTOTPService(userRepo)
|
||||
|
||||
passwordResetConfig := service.DefaultPasswordResetConfig()
|
||||
if err := configureAuthEmailServices(cfg, cacheManager, authService, passwordResetConfig); err != nil {
|
||||
return fmt.Errorf("configure auth email services failed: %w", err)
|
||||
}
|
||||
passwordResetService := service.NewPasswordResetService(userRepo, cacheManager, passwordResetConfig).
|
||||
WithPasswordHistoryRepo(passwordHistoryRepo)
|
||||
|
||||
@@ -259,3 +266,100 @@ func resolveGinMode(mode string) string {
|
||||
return gin.ReleaseMode
|
||||
}
|
||||
}
|
||||
|
||||
func configureAuthEmailServices(
|
||||
cfg *config.Config,
|
||||
cacheManager *cache.CacheManager,
|
||||
authService *service.AuthService,
|
||||
passwordResetConfig *service.PasswordResetConfig,
|
||||
) error {
|
||||
smtpConfig, enabled, err := resolveSMTPEmailConfigFromEnv()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !enabled || cacheManager == nil || authService == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
siteURL := resolveAuthEmailSiteURL(cfg)
|
||||
siteName := resolveAuthEmailSiteName(cfg)
|
||||
provider := service.NewSMTPEmailProvider(smtpConfig)
|
||||
|
||||
authService.SetEmailActivationService(
|
||||
service.NewEmailActivationService(provider, cacheManager, siteURL, siteName),
|
||||
)
|
||||
|
||||
emailCodeConfig := service.DefaultEmailCodeConfig()
|
||||
emailCodeConfig.SiteURL = siteURL
|
||||
emailCodeConfig.SiteName = siteName
|
||||
authService.SetEmailCodeService(service.NewEmailCodeService(provider, cacheManager, emailCodeConfig))
|
||||
|
||||
if passwordResetConfig != nil {
|
||||
passwordResetConfig.SMTPHost = smtpConfig.Host
|
||||
passwordResetConfig.SMTPPort = smtpConfig.Port
|
||||
passwordResetConfig.SMTPUser = smtpConfig.Username
|
||||
passwordResetConfig.SMTPPass = smtpConfig.Password
|
||||
passwordResetConfig.FromEmail = smtpConfig.FromEmail
|
||||
passwordResetConfig.SiteURL = siteURL
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
func resolveSMTPEmailConfigFromEnv() (service.SMTPEmailConfig, bool, error) {
|
||||
host := strings.TrimSpace(os.Getenv("EMAIL_HOST"))
|
||||
if host == "" {
|
||||
return service.SMTPEmailConfig{}, false, nil
|
||||
}
|
||||
|
||||
port := 587
|
||||
if rawPort := strings.TrimSpace(os.Getenv("EMAIL_PORT")); rawPort != "" {
|
||||
parsedPort, err := strconv.Atoi(rawPort)
|
||||
if err != nil || parsedPort <= 0 {
|
||||
return service.SMTPEmailConfig{}, false, fmt.Errorf("invalid EMAIL_PORT %q", rawPort)
|
||||
}
|
||||
port = parsedPort
|
||||
}
|
||||
|
||||
fromEmail := strings.TrimSpace(os.Getenv("EMAIL_FROM_EMAIL"))
|
||||
if fromEmail == "" {
|
||||
fromEmail = service.DefaultPasswordResetConfig().FromEmail
|
||||
}
|
||||
|
||||
return service.SMTPEmailConfig{
|
||||
Host: host,
|
||||
Port: port,
|
||||
Username: strings.TrimSpace(os.Getenv("EMAIL_USER")),
|
||||
Password: os.Getenv("EMAIL_PASS"),
|
||||
FromEmail: fromEmail,
|
||||
FromName: strings.TrimSpace(os.Getenv("EMAIL_FROM_NAME")),
|
||||
}, true, nil
|
||||
}
|
||||
|
||||
func resolveAuthEmailSiteURL(cfg *config.Config) string {
|
||||
if cfg != nil {
|
||||
if siteURL := strings.TrimSpace(cfg.Server.FrontendURL); siteURL != "" {
|
||||
return siteURL
|
||||
}
|
||||
}
|
||||
return service.DefaultEmailCodeConfig().SiteURL
|
||||
}
|
||||
|
||||
func resolveAuthEmailSiteName(cfg *config.Config) string {
|
||||
if cfg != nil {
|
||||
if siteName := strings.TrimSpace(cfg.Log.ServiceName); siteName != "" {
|
||||
return siteName
|
||||
}
|
||||
}
|
||||
return service.DefaultEmailCodeConfig().SiteName
|
||||
}
|
||||
|
||||
func resolveJWTAccessTokenExpire(cfg *config.Config) time.Duration {
|
||||
if cfg == nil {
|
||||
return 0
|
||||
}
|
||||
if cfg.JWT.AccessTokenExpireMinutes > 0 {
|
||||
return time.Duration(cfg.JWT.AccessTokenExpireMinutes) * time.Minute
|
||||
}
|
||||
return time.Duration(cfg.JWT.ExpireHour) * time.Hour
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user