Commit Graph

9 Commits

Author SHA1 Message Date
0795e126cc fix: resolve P0 security issues per governance baseline
P0-01: LIKE injection fix in device.go (2 locations)
- Added escapeLikePattern() to prevent LIKE pattern manipulation

P0-03: Token refresh blacklist fail-closed
- RefreshToken() now returns error if cache.Set fails
- Prevents token double-spend on cache failures

P0-05: CORS dangerous default configuration
- Default changed to empty origins, credentials off
- init() panics if default config is dangerous

P0-06: UpdateUser IDOR vulnerability fix
- Added authorization check (self-or-admin)
- Prevents unauthorized user profile modification

Also: Fixed frontend lint errors in device-fingerprint.test.ts and http/index.test.ts

All 518 frontend tests pass, all backend tests pass.
2026-04-18 09:32:54 +08:00
582ad7a069 test: add comprehensive test coverage and improve code quality
- Add new test files for auth, service, and handler modules
- Improve test organization and coverage
- Refactor code for better maintainability
- Add captcha, settings, stats, and theme handler tests
- Add auth module tests (CAS, OAuth, password, SSO, state)
- Add service layer tests for auth, export, permissions, roles
- All Go tests pass (exit code 0)
- All frontend tests pass (325 tests in 59 files)
2026-04-17 20:43:50 +08:00
0564bfd9ad docs: add Swagger annotations to 13 API handlers
Added @Summary, @Description, @Tags, @Param, @Success, @Failure,
@Router annotations to all major handler endpoints for OpenAPI/Swagger
auto-generation. Covers 86 annotations across:

- auth_handler.go (25): all auth endpoints
- user_handler.go (14): CRUD + roles + admin management
- device_handler.go (13): device CRUD + trust management
- role_handler.go (8): role CRUD + permissions
- custom_field_handler.go (7): field CRUD + user values
- permission_handler.go (7): permission CRUD + tree
- log_handler.go (3): login/operation logs
- captcha_handler.go (3): generate/verify
- stats_handler.go (2): dashboard + user stats
- avatar_handler.go (1): upload avatar
- totp_handler.go (1): totp status
- password_reset_handler.go (1): forgot password

Partially addresses P2: missing Swagger annotations
(PRODUCTION_GAP_ANALYSIS_2026-04-08)
2026-04-11 21:23:52 +08:00
8fe4669b97 fix: unify handler response format in user_handler.go
- List/Get/Update/Delete users: standardize to {code, message, data} format
- UpdateUserStatus: standardize to {code, message} format
- handleError: standardize to {code, message} format (was {error: ...})
- All inline bad request errors now use {code: 400, message: ...} consistently
2026-04-11 11:22:10 +08:00
8c1cf54213 fix: resolve P0 stub/false-positive issues found in SENIOR_DEV_REVIEW audit
- Remove dead stub UploadAvatar in user_handler.go (real impl in avatar_handler.go)
- Fix GetAuthCapabilities to call service (was returning hardcoded static JSON, missing admin_bootstrap_required)
- Replace AdminRoleID=1 hardcoded constant with getAdminRoleID(ctx) dynamic lookup by code="admin"
- Fix double Argon2id hash computation in ChangePassword (hash once, reuse)
- Add PredefinedRoles seed to newIsolatedDB test infrastructure (fixes broken ADMIN_* tests)
2026-04-11 10:27:29 +08:00
dbff591039 fix: update admin flows and review report 2026-04-10 08:09:48 +08:00
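a85d822419 fix: unify API response format and fix frontend tests
- All Handler methods use the standard {code:0,message:"success",data:...} response format
- Fix Cursor pagination response wrapping (GetAllDevices, GetLoginLogs, ListUsers, etc.)
- Fix response format of AuthHandler and SMSHandler authentication methods
- Fix operation_type prefix issue for admin users in operation_log.go
- Fix nested stats structure in DashboardPage
- Fix stale closure issue in LoginLogsPage reset function
- Fix bulk operation API calls in UsersPage
- Fix multiple frontend tests (mock format, button selection, assertion logic)
- Add OAuth test domain whitelist
- Add code review process documentation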
2026-04-08 20:06:54 +08:00
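5ca3633be4 feat: comprehensive system optimization - device management / login log export / performance monitoring / settings page
Backend:
- Add global device management API (DeviceHandler.GetAllDevices)
- Add login log export (LogHandler.ExportLoginLogs, CSV/XLSX)
- Add settings service (SettingsService) and settings page API
- Device management supports multi-condition filtering (status / trust status / keyword)
- Login logs support streaming export to prevent OOM
- Operation logs support search by method / time range
- Theme configuration service (ThemeService)
- Enhance monitoring health checks (Prometheus metrics + SLO)
- Remove old ratelimit.go (migrated to robustness)
- Fix SocialAccount NULL scan issue
- Add API contract tests, Handler tests, Settings tests

Frontend:
- Add admin device management page (DevicesPage)
- Add admin login log export
- Add system settings page (SettingsPage)
- Device management supports filtering and pagination
- Enhance HTTP response types

Tests:
- 68 business logic tests (including concurrency CONC_001~003)
- 16 scale tests (P99 percentile statistics)
- E2E tests, integration tests, contract tests
- Performance benchmarks, robustness tests

All tests pass (38 test packages)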
2026-04-07 12:08:16 +08:00
dcc1f186f8 feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers 2026-04-02 11:19:50 +08:00