|
|
0795e126cc
|
fix: resolve P0 security issues per governance baseline
P0-01: LIKE injection fix in device.go (2 locations)
- Added escapeLikePattern() to prevent LIKE pattern manipulation
P0-03: Token refresh blacklist fail-closed
- RefreshToken() now returns error if cache.Set fails
- Prevents token double-spend on cache failures
P0-05: CORS dangerous default configuration
- Default changed to empty origins, credentials off
- init() panics if default config is dangerous
P0-06: UpdateUser IDOR vulnerability fix
- Added authorization check (self-or-admin)
- Prevents unauthorized user profile modification
Also: Fixed frontend lint errors in device-fingerprint.test.ts and http/index.test.ts
All 518 frontend tests pass, all backend tests pass.
|
2026-04-18 09:32:54 +08:00 |
|
|
|
40d146b6aa
|
test: add Stage 1 lib and Stage 2 services test coverage
Add comprehensive unit tests for:
- lib layer: config, device-fingerprint, errors, storage, hooks/useBreadcrumbs, http
- services layer: devices, login-logs, operation-logs, permissions, profile, roles, settings, stats, import-export
All 491 tests pass across 74 test files.
|
2026-04-17 23:59:15 +08:00 |
|
