P2-10: Change ActivateEmail from GET to POST - token now passed in
request body instead of URL query parameter for better security
P2-11: Change ValidateResetToken from GET to POST - token now passed
in request body instead of URL query parameter to prevent log leakage
P2-12: Note - /uploads static exposure remains (requires architectural
decision about file serving)
P2-13: cursor.Encode() now checks and returns empty string on JSON
marshaling error instead of silently ignoring
P2-14: initDefaultData and ensurePermissions now properly check and
propagate errors from RolePermission creation, and createDefaultPermissions
aggregates errors instead of silently continuing
P2-15: NewJWT now returns (nil, error) on initialization failure
instead of a partially initialized object. All callers updated to handle
the error return.
Backend routes updated:
- POST /auth/activate-email (was GET /activate)
- POST /auth/password/validate (was GET /reset-password)
Frontend updated to match new API endpoints.
- captcha_handler.go: Fix GenerateCaptcha/VerifyCaptcha to use {code, message, data}
- password_reset_handler.go: Fix all error responses to use {code, message}
- settings_handler.go: Add missing "code" and "message" fields
- sms_handler.go: Fix error responses to use {code, message}
- sso_handler.go: Fix all error responses to use {code, message, data}
- stats_handler.go: Add missing "message" field in success responses
- theme_handler.go: Fix error responses to use {code, message}
- totp_handler.go: Fix all responses to use {code, message, data}
Standardize all JSON responses to {code: 0, message: "success", data: ...} for success
and {code: XXX, message: "..."} for errors.
