fix: 生产安全修复 + Go SDK + CAS SSO框架

安全修复:
- CRITICAL: SSO重定向URL注入漏洞 - 修复redirect_uri白名单验证
- HIGH: SSO ClientSecret未验证 - 使用crypto/subtle.ConstantTimeCompare验证
- HIGH: 邮件验证码熵值过低(3字节) - 提升到6字节(48位熵)
- HIGH: 短信验证码熵值过低(4字节) - 提升到6字节
- HIGH: Goroutine使用已取消上下文 - auth_email.go使用独立context+超时
- HIGH: SQL LIKE查询注入风险 - permission/role仓库使用escapeLikePattern

新功能:
- Go SDK: sdk/go/user-management/ 完整SDK实现
- CAS SSO框架: internal/auth/cas.go CAS协议支持

其他:
- L1Cache实例问题修复 - AuthMiddleware共享l1Cache
- 设备指纹XSS防护 - 内存存储替代localStorage
- 响应格式协议中间件
- 导出无界查询修复

internal/service/auth_email.go

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"log"
+	"time"
 
 	"github.com/user-management-system/internal/auth"
 	"github.com/user-management-system/internal/domain"
@@ -18,6 +19,11 @@ func (s *AuthService) SetEmailCodeService(svc *EmailCodeService) {
 	s.emailCodeSvc = svc
 }
 
+// HasEmailCodeService 判断邮箱验证码登录服务是否已配置
+func (s *AuthService) HasEmailCodeService() bool {
+	return s != nil && s.emailCodeSvc != nil
+}
+
 func (s *AuthService) RegisterWithActivation(ctx context.Context, req *RegisterRequest) (*UserInfo, error) {
 	if err := s.validatePassword(req.Password); err != nil {
 		return nil, err
@@ -83,8 +89,11 @@ func (s *AuthService) RegisterWithActivation(ctx context.Context, req *RegisterR
 		if nickname == "" {
 			nickname = req.Username
 		}
+		// 使用独立上下文避免请求结束后被取消
 		go func() {
-			if err := s.emailActivationSvc.SendActivationEmail(ctx, user.ID, req.Email, nickname); err != nil {
+			bgCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+			defer cancel()
+			if err := s.emailActivationSvc.SendActivationEmail(bgCtx, user.ID, req.Email, nickname); err != nil {
 				log.Printf("auth: send activation email failed, user_id=%d email=%s err=%v", user.ID, req.Email, err)
 			}
 		}()

internal/service/email.go

@@ -294,12 +294,14 @@ func buildActivationEmailBody(username, activationURL, siteName string, ttl time
 }
 
 func generateEmailCode() (string, error) {
-	buffer := make([]byte, 3)
+	// 使用 6 字节随机数提供足够的熵（48 位）
+	buffer := make([]byte, 6)
 	if _, err := cryptorand.Read(buffer); err != nil {
 		return "", fmt.Errorf("generate email code failed: %w", err)
 	}
 
-	value := int(buffer[0])<<16 | int(buffer[1])<<8 | int(buffer[2])
+	value := int(buffer[0])<<40 | int(buffer[1])<<32 | int(buffer[2])<<24 |
+		int(buffer[3])<<16 | int(buffer[4])<<8 | int(buffer[5])
 	value = value % 1000000
 	if value < 100000 {
 		value += 100000

internal/service/sms.go

@@ -373,12 +373,14 @@ func isValidPhone(phone string) bool {
 }
 
 func generateSMSCode() (string, error) {
-	b := make([]byte, 4)
+	// 使用 6 字节随机数提供足够的熵（48 位）
+	b := make([]byte, 6)
 	if _, err := cryptorand.Read(b); err != nil {
 		return "", err
 	}
 
-	n := int(b[0])<<24 | int(b[1])<<16 | int(b[2])<<8 | int(b[3])
+	n := int(b[0])<<40 | int(b[1])<<32 | int(b[2])<<24 |
+		int(b[3])<<16 | int(b[4])<<8 | int(b[5])
 	if n < 0 {
 		n = -n
 	}