long-agent/user-system
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: P2 security and correctness issues

Browse Source 
P2-10: Change ActivateEmail from GET to POST - token now passed in
request body instead of URL query parameter for better security

P2-11: Change ValidateResetToken from GET to POST - token now passed
in request body instead of URL query parameter to prevent log leakage

P2-12: Note - /uploads static exposure remains (requires architectural
decision about file serving)

P2-13: cursor.Encode() now checks and returns empty string on JSON
marshaling error instead of silently ignoring

P2-14: initDefaultData and ensurePermissions now properly check and
propagate errors from RolePermission creation, and createDefaultPermissions
aggregates errors instead of silently continuing

P2-15: NewJWT now returns (nil, error) on initialization failure
instead of a partially initialized object. All callers updated to handle
the error return.

Backend routes updated:
- POST /auth/activate-email (was GET /activate)
- POST /auth/password/validate (was GET /reset-password)

Frontend updated to match new API endpoints.
This commit is contained in:
long-agent
2026-04-18 20:48:11 +08:00
parent a754545072
commit adb251e4ad
13 changed files with 75 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
internal/auth/jwt.go
View File

@@ -74,22 +74,13 @@ func generateJTI() (string, error) {
// NewJWT creates a legacy HS256 JWT manager for compatibility in tests and callers
// that still only provide a shared secret.
func NewJWT(secret string, accessTokenExpire, refreshTokenExpire time.Duration) *JWT {
manager, err := NewJWTWithOptions(JWTOptions{
func NewJWT(secret string, accessTokenExpire, refreshTokenExpire time.Duration) (*JWT, error) {
return NewJWTWithOptions(JWTOptions{
Algorithm: jwtAlgorithmHS256,
HS256Secret: secret,
AccessTokenExpire: accessTokenExpire,
RefreshTokenExpire: refreshTokenExpire,
})
if err != nil {
return &JWT{
algorithm: jwtAlgorithmHS256,
accessTokenExpire: accessTokenExpire,
refreshTokenExpire: refreshTokenExpire,
initErr: err,
}
}
return manager
}
func (j *JWT) ensureReady() error {

11
internal/auth/jwt_closure_test.go
View File

@@ -10,13 +10,12 @@ import (
)
func TestNewJWT_DoesNotPanicOnInvalidLegacyConfig(t *testing.T) {
manager := NewJWT("", 2*time.Hour, 7*24*time.Hour)
if manager == nil {
t.Fatal("expected manager instance")
manager, err := NewJWT("", 2*time.Hour, 7*24*time.Hour)
if err == nil {
t.Fatal("expected error for empty secret")
}
if _, err := manager.GenerateAccessToken(1, "tester", 0); err == nil {
t.Fatal("expected invalid legacy manager to return error")
if manager != nil {
t.Fatal("expected nil manager for empty secret")
}
}