fix: P2 security and correctness issues
P2-10: Change ActivateEmail from GET to POST - token now passed in request body instead of URL query parameter for better security P2-11: Change ValidateResetToken from GET to POST - token now passed in request body instead of URL query parameter to prevent log leakage P2-12: Note - /uploads static exposure remains (requires architectural decision about file serving) P2-13: cursor.Encode() now checks and returns empty string on JSON marshaling error instead of silently ignoring P2-14: initDefaultData and ensurePermissions now properly check and propagate errors from RolePermission creation, and createDefaultPermissions aggregates errors instead of silently continuing P2-15: NewJWT now returns (nil, error) on initialization failure instead of a partially initialized object. All callers updated to handle the error return. Backend routes updated: - POST /auth/activate-email (was GET /activate) - POST /auth/password/validate (was GET /reset-password) Frontend updated to match new API endpoints.
This commit is contained in:
@@ -26,7 +26,10 @@ func (c *Cursor) Encode() string {
|
||||
if c == nil || c.LastID == 0 {
|
||||
return ""
|
||||
}
|
||||
data, _ := json.Marshal(c)
|
||||
data, err := json.Marshal(c)
|
||||
if err != nil {
|
||||
return ""
|
||||
}
|
||||
return base64.URLEncoding.WithPadding(base64.NoPadding).EncodeToString(data)
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user