user-system

9 Commits 1 Branch 0 Tags

Author	SHA1	Message	Date
long-agent	3ae11237ab	fix: P1/P2 优化 - OAuth验证 + API响应 + 缓存击穿 + Webhook关闭 P1 - OAuth auth_url origin 验证: - 添加 validateOAuthUrl() 函数验证 OAuth URL origin - 仅允许同源或可信 OAuth 提供商 - LoginPage 和 ProfileSecurityPage 调用前验证 P2 - API 响应运行时类型验证: - 添加 isApiResponse() 运行时验证函数 - parseJsonResponse 验证响应结构完整性 P2 - 缓存击穿防护 (singleflight): - AuthMiddleware.isJTIBlacklisted 使用 singleflight.Group - 防止 L1 miss 时并发请求同时打 L2 P2 - Webhook 服务优雅关闭: - WebhookService 添加 Shutdown() 方法 - 服务器关闭时等待 worker 完成 - main.go 集成 shutdown 调用	2026-04-03 21:50:51 +08:00
long-agent	10d126ee12	docs: 添加系统性优化方案 (P1-P2)	2026-04-03 21:08:18 +08:00
long-agent	765a50b7d4	fix: 生产安全修复 + Go SDK + CAS SSO框架安全修复: - CRITICAL: SSO重定向URL注入漏洞 - 修复redirect_uri白名单验证 - HIGH: SSO ClientSecret未验证 - 使用crypto/subtle.ConstantTimeCompare验证 - HIGH: 邮件验证码熵值过低(3字节) - 提升到6字节(48位熵) - HIGH: 短信验证码熵值过低(4字节) - 提升到6字节 - HIGH: Goroutine使用已取消上下文 - auth_email.go使用独立context+超时 - HIGH: SQL LIKE查询注入风险 - permission/role仓库使用escapeLikePattern 新功能: - Go SDK: sdk/go/user-management/ 完整SDK实现 - CAS SSO框架: internal/auth/cas.go CAS协议支持其他: - L1Cache实例问题修复 - AuthMiddleware共享l1Cache - 设备指纹XSS防护 - 内存存储替代localStorage - 响应格式协议中间件 - 导出无界查询修复	2026-04-03 17:38:31 +08:00
long-agent	44e60be918	docs: 添加项目全面审查报告（合并版）	2026-04-02 13:59:27 +08:00
long-agent	1cba56ea85	chore: add remaining files and cleanup	2026-04-02 11:48:04 +08:00
long-agent	bbeeb63dfa	docs: project docs, scripts, deployment configs, and evidence	2026-04-02 11:22:17 +08:00
long-agent	4718980ab5	feat: admin frontend - React + Vite, auth pages, user management, roles, permissions, webhooks, devices, logs	2026-04-02 11:20:20 +08:00
long-agent	dcc1f186f8	feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers	2026-04-02 11:19:50 +08:00
long-agent	e59a77bc49	Initial commit	2026-04-02 03:01:14 +00:00