# Report v6 Blocking Fixes Implementation Plan > **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking. **Goal:** 修复 `FULL_CODE_REVIEW_REPORT_2026-04-20.md` 中当前阻塞上线的认证、授权和假成功问题,并为每项修复补齐回归验证。 **Architecture:** 以后端授权和认证闭环为主,优先通过测试锁定期望行为,再做最小实现修改。每个批次修复后运行受影响测试集,最后跑完整后端/前端门禁。 **Tech Stack:** Go, Gin, GORM, React, Vitest, PowerShell, Git --- ### Task 1: 锁定 TOTP 二阶段登录闭环 **Files:** - Modify: `internal/service/auth.go` - Modify: `internal/api/handler/auth_handler.go` - Modify: `frontend/admin/src/services/auth.ts` - Modify: `frontend/admin/src/types/auth.ts` - Test: `internal/service/auth_social_test.go` - Test: `internal/api/handler/auth_handler_test.go` - [ ] **Step 1: 写服务层失败测试** - [ ] **Step 2: 运行服务层测试确认当前允许无首因子直接换 token** - [ ] **Step 3: 实现临时登录态或 challenge 约束** - [ ] **Step 4: 写 handler/前端契约测试** - [ ] **Step 5: 运行受影响测试并确认通过** ### Task 2: 修复设备接口 IDOR **Files:** - Modify: `internal/api/handler/device_handler.go` - Modify: `internal/service/device.go` - Test: `internal/api/handler/device_handler_test.go` - Test: `internal/service/device_service_test.go` - [ ] **Step 1: 写失败测试覆盖跨用户读取/修改/删除/信任设备** - [ ] **Step 2: 运行测试确认当前越权成立** - [ ] **Step 3: 在 handler 和 service 层补 owner/admin 双层校验** - [ ] **Step 4: 运行受影响测试并确认通过** ### Task 3: 修复修改密码接口授权模型 **Files:** - Modify: `internal/api/handler/user_handler.go` - Modify: `internal/service/user_service.go` - Test: `internal/api/handler/user_handler_test.go` - [ ] **Step 1: 写失败测试覆盖非本人访问 `/users/:id/password`** - [ ] **Step 2: 运行测试确认当前缺口存在** - [ ] **Step 3: 增加 self-or-admin 校验并明确管理员重置策略** - [ ] **Step 4: 运行受影响测试并确认通过** ### Task 4: 清理 `user_roles` 到 `role_codes` 协议漂移 **Files:** - Modify: `internal/api/handler/user_handler.go` - Modify: `internal/api/handler/avatar_handler.go` - Test: `internal/api/handler/user_handler_test.go` - Test: `internal/api/handler/avatar_handler_test.go` - [ ] **Step 1: 写失败测试覆盖管理员跨用户操作被误拒绝** - [ ] **Step 2: 运行测试确认当前回归存在** - [ ] **Step 3: 统一读取 `role_codes` 或复用 RBAC helper** - [ ] **Step 4: 运行受影响测试并确认通过** ### Task 5: 去掉 OAuth 假成功响应 **Files:** - Modify: `internal/api/handler/auth_handler.go` - Test: `internal/api/handler/auth_handler_test.go` - [ ] **Step 1: 写失败测试覆盖 OAuth provider 列表与入口行为** - [ ] **Step 2: 运行测试确认 handler 当前没有调用 service** - [ ] **Step 3: 改成真实 service 分发或显式错误返回** - [ ] **Step 4: 运行受影响测试并确认通过** ### Task 6: 全量回归与提交流程 **Files:** - Modify: `docs/code-review/FULL_CODE_REVIEW_REPORT_2026-04-20.md` - Modify: `docs/status/REAL_PROJECT_STATUS.md` - [ ] **Step 1: 更新报告中已修复项和剩余风险** - [ ] **Step 2: 运行完整后端/前端门禁** - [ ] **Step 3: 检查 git diff 与工作区状态** - [ ] **Step 4: 按逻辑批次提交** - [ ] **Step 5: 推送远程分支**