9d7abb8a46
fix: P0-07 complete frontend TOTP login flow
Backend changes:
- Add VerifyTOTPAfterPasswordLogin handler in auth_handler.go
- Add route /auth/login/totp-verify in router.go
Frontend changes:
- Update TokenBundle type to include requires_totp and user_id fields
- Add TOTPVerifyRequest type for TOTP verification
- Add verifyTOTPAfterPasswordLogin() API function
New login flow when user has TOTP enabled:
1. loginByPassword returns {requires_totp: true, user_id: <id>}
2. Frontend prompts user for TOTP code
3. Frontend calls verifyTOTPAfterPasswordLogin({user_id, code})
4. If TOTP valid, full TokenBundle with tokens is returned
2026-04-18 14:50:25 +08:00
0795e126cc
fix: resolve P0 security issues per governance baseline
P0-01: LIKE injection fix in device.go (2 locations)
- Added escapeLikePattern() to prevent LIKE pattern manipulation
P0-03: Token refresh blacklist fail-closed
- RefreshToken() now returns error if cache.Set fails
- Prevents token double-spend on cache failures
P0-05: CORS dangerous default configuration
- Default changed to empty origins, credentials off
- init() panics if default config is dangerous
P0-06: UpdateUser IDOR vulnerability fix
- Added authorization check (self-or-admin)
- Prevents unauthorized user profile modification
Also: Fixed frontend lint errors in device-fingerprint.test.ts and http/index.test.ts
All 518 frontend tests pass, all backend tests pass.
2026-04-18 09:32:54 +08:00
7849c3c3ed
docs: update TEST_PLAN.md with completed status
2026-04-18 07:48:19 +08:00
8b8c05bb60
test: add Stage 3-5 component and layout test coverage
Add tests for:
- PageLayout components: ContentCard, FilterCard, TableCard, TreeCard, PageLayout
- AuthLayout layout component
- LoginLogDetailDrawer and OperationLogDetailDrawer page components
All 518 tests pass across 82 test files.
2026-04-18 07:46:42 +08:00
40d146b6aa
test: add Stage 1 lib and Stage 2 services test coverage
Add comprehensive unit tests for:
- lib layer: config, device-fingerprint, errors, storage, hooks/useBreadcrumbs, http
- services layer: devices, login-logs, operation-logs, permissions, profile, roles, settings, stats, import-export
All 491 tests pass across 74 test files.
2026-04-17 23:59:15 +08:00
861736cf4d
fix: exclude test files from tsconfig.app.json to resolve TS2304 build error
P0 F-01: Frontend build was failing with "Cannot find name 'beforeEach'"
because test files were being compiled by tsconfig.app.json which lacked
vitest globals. Added exclude patterns to tsconfig.app.json.
Updated PROJECT_REAL_COMPLETION_REVIEW_2026-04-10.md to reflect fix.
2026-04-11 23:45:43 +08:00
339c740365
test: update playwright script and fix jsdom alert mock
2026-04-11 23:03:04 +08:00
dbff591039
fix: update admin flows and review report
2026-04-10 08:09:48 +08:00
1b96715b55
chore: improve Docker deployment configuration and fix test timeouts
- Add Dockerfile: multi-stage build, optimized image size
- Add .dockerignore: speed up builds, exclude unnecessary files
- Update docker-compose.yml: use SQLite to simplify deployment
- Fix vitest.config.js: change testTimeout to 60000ms to fix slow-test timeouts
2026-04-08 22:13:46 +08:00
a85d822419
fix: unify API response format and fix frontend tests
- All Handler methods use the standard {code:0,message:"success",data:...} response format
- Fix cursor pagination response wrapping (GetAllDevices, GetLoginLogs, ListUsers, etc.)
- Fix response format of AuthHandler and SMSHandler authentication methods
- Fix operation_type prefix issue for admin users in operation_log.go
- Fix nested stats structure in DashboardPage
- Fix stale closure issue in the LoginLogsPage reset function
- Fix UsersPage batch operation API calls
- Fix multiple frontend tests (mock format, button selection, assertion logic)
- Add OAuth test domain whitelist
- Add code review process documentation
2026-04-08 20:06:54 +08:00
5b6bd93179
refactor: reorganize project root directory structure
Reorganized:
- Delete 60+ temporary test output files (*.txt)
- Move binaries to the bin/ directory
- Move shell scripts to the scripts/ directory
- scripts/dev/: check_gitea.sh, check_sub2api.sh, run_tests.sh
- scripts/deploy/: deploy_*.sh, simple_deploy.sh
- scripts/ops/: fix_nginx.sh, fix_ssl.sh, install_docker.sh
- scripts/test/: test_*.sh, test_*.bat
- Move batch files to scripts/
- Move Python scripts to tools/
- Clean up temporary log files
Required files kept in the root directory:
- go.mod, go.sum, go.work
- Makefile, docker-compose.yml
- .env.example, .gitignore
- README.md, AGENTS.md, DEPLOY_GUIDE.md
Verification: go build ./... && go test ./... pass
2026-04-07 18:10:36 +08:00
3ae11237ab
fix: P1/P2 improvements - OAuth validation + API response + cache breakdown + Webhook shutdown
P1 - OAuth auth_url origin validation:
- Add validateOAuthUrl() function to validate the OAuth URL origin
- Only allow same-origin or trusted OAuth providers
- LoginPage and ProfileSecurityPage validate before calling
P2 - API response runtime type validation:
- Add isApiResponse() runtime validation function
- parseJsonResponse validates response structure completeness
P2 - Cache breakdown protection (singleflight):
- AuthMiddleware.isJTIBlacklisted uses singleflight.Group
- Prevents concurrent requests from hitting L2 simultaneously on an L1 miss
P2 - Graceful shutdown of the Webhook service:
- Add Shutdown() method to WebhookService
- Wait for workers to finish on server shutdown
- Integrate the shutdown call in main.go
2026-04-03 21:50:51 +08:00
765a50b7d4
fix: production security fixes + Go SDK + CAS SSO framework
Security fixes:
- CRITICAL: SSO redirect URL injection vulnerability - fix redirect_uri whitelist validation
- HIGH: SSO ClientSecret not verified - verify using crypto/subtle.ConstantTimeCompare
- HIGH: Email verification code entropy too low (3 bytes) - increased to 6 bytes (48-bit entropy)
- HIGH: SMS verification code entropy too low (4 bytes) - increased to 6 bytes
- HIGH: Goroutine uses a cancelled context - auth_email.go uses an independent context + timeout
- HIGH: SQL LIKE query injection risk - permission/role repositories use escapeLikePattern
New features:
- Go SDK: complete SDK implementation in sdk/go/user-management/
- CAS SSO framework: CAS protocol support in internal/auth/cas.go
Other:
- Fix L1Cache instance issue - AuthMiddleware shares l1Cache
- Device fingerprint XSS protection - in-memory storage replaces localStorage
- Response format protocol middleware
- Fix unbounded export queries
2026-04-03 17:38:31 +08:00
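The escapeLikePattern() helper named in the P0-01 device.go fix and in the permission/role repository fix above is not shown on the page. The following is an added example, not the project's own code, of how such a helper is typically written in Go; it assumes the search text is bound as a query parameter and the statement carries an explicit ESCAPE clause (the query text and $1 placeholder style are assumptions).

```go
package main

import (
	"fmt"
	"strings"
)

// escapeLikePattern neutralises the LIKE metacharacters in user-supplied
// search text so they match literally. strings.Replacer performs a single
// pass, so a backslash produced by escaping is never re-escaped, and a
// user-supplied backslash cannot un-escape a following % or _.
// The caller must pair the result with `ESCAPE '\'` in the SQL statement.
func escapeLikePattern(s string) string {
	r := strings.NewReplacer(`\`, `\\`, `%`, `\%`, `_`, `\_`)
	return r.Replace(s)
}

// containsPattern builds the bound parameter for a "contains" search.
// The SQL text stays a constant with a placeholder; only the parameter
// changes, so classic SQL injection is already excluded and escaping is
// needed purely to stop wildcards from widening the match (e.g. a bare
// "%" listing every row, or "_" matching any single character).
func containsPattern(userInput string) string {
	return "%" + escapeLikePattern(userInput) + "%"
}

// Hypothetical query shape (assumption): the ESCAPE clause tells the
// database which character escapeLikePattern used.
const deviceSearchSQL = `SELECT id, name FROM devices WHERE name LIKE $1 ESCAPE '\'`

func main() {
	// Constructed sample inputs: a normal term, a bare wildcard, an
	// underscore, and a Windows path containing a backslash.
	for _, in := range []string{"iPhone", "%", "a_b", `c:\temp`} {
		fmt.Printf("%-10q -> %q\n", in, containsPattern(in))
	}
	fmt.Println(deviceSearchSQL)
}
```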
4718980ab5
feat: admin frontend - React + Vite, auth pages, user management, roles, permissions, webhooks, devices, logs
2026-04-02 11:20:20 +08:00