user-system

Author	SHA1	Message	Date
long-agent	1f7a223768	refactor: 提取分页魔法数字为 pagination 常量 - handler 层: device/log/webhook/user handler 使用 pagination.DefaultPageSize/MaxPageSize - service 层: device/login_log/operation_log service 使用 pagination.DefaultPageSize - repository 层: user repository 使用 pagination.DefaultPageSize/MaxPageSize - 消除 8 处硬编码的 20/100 分页魔法数字	2026-05-08 12:40:36 +08:00
long-agent	2a18a6fb47	fix(n+1): 批量查询替代循环单查 - IsAdminBootstrapRequired: userRepo.GetByID 循环 → GetByIDs 批量 - AssignRoles: roleRepo.GetByID 循环 → GetByIDs 批量 - 在 userRepositoryInterface 补充 GetByIDs 方法签名	2026-05-08 08:05:26 +08:00
long-agent	3f3bb82f1d	fix: v6 code review P0 auth/IDOR fixes + frontend regression patches Backend fixes: - auth_handler: P0 认证逻辑修复 - ratelimit: 限速中间件增强 + 新增单元测试 - auth_service: 认证服务逻辑完善 + 新增测试 - server: server 配置增强 + 新增测试 - handler_test: 新增 handler 层集成测试 - auth_bootstrap_test: bootstrap 路径测试 Frontend patches: - LoginPage/RegisterPage: CSRF + 表单交互修复 - BootstrapAdminPage: 引导流程修复 - DevicesPage: 设备管理页修复 - auth/social-accounts/users/webhooks services: 类型修正 - csrf.ts: CSRF token 处理修正 - E2E 脚本: CDP smoke + auth e2e 增强 Docs: - FULL_CODE_REVIEW_REPORT_2026-04-20 - report-v6 执行计划 - REAL_PROJECT_STATUS 更新 - .gitignore: 新增 .gocache-*/config.yaml 排除验证: go build/vet 0错误, go test 42/42 PASS, 0 FAIL	2026-04-23 07:14:12 +08:00
long-agent	0795e126cc	fix: resolve P0 security issues per governance baseline P0-01: LIKE injection fix in device.go (2 locations) - Added escapeLikePattern() to prevent LIKE pattern manipulation P0-03: Token refresh blacklist fail-closed - RefreshToken() now returns error if cache.Set fails - Prevents token double-spend on cache failures P0-05: CORS dangerous default configuration - Default changed to empty origins, credentials off - init() panics if default config is dangerous P0-06: UpdateUser IDOR vulnerability fix - Added authorization check (self-or-admin) - Prevents unauthorized user profile modification Also: Fixed frontend lint errors in device-fingerprint.test.ts and http/index.test.ts All 518 frontend tests pass, all backend tests pass.	2026-04-18 09:32:54 +08:00
long-agent	582ad7a069	test: add comprehensive test coverage and improve code quality - Add new test files for auth, service, and handler modules - Improve test organization and coverage - Refactor code for better maintainability - Add captcha, settings, stats, and theme handler tests - Add auth module tests (CAS, OAuth, password, SSO, state) - Add service layer tests for auth, export, permissions, roles - All Go tests pass (exit code 0) - All frontend tests pass (325 tests in 59 files)	2026-04-17 20:43:50 +08:00
long-agent	0564bfd9ad	docs: add Swagger annotations to 13 API handlers Added @Summary, @Description, @Tags, @Param, @Success, @Failure, @Router annotations to all major handler endpoints for OpenAPI/Swagger auto-generation. Covers 86 annotations across: - auth_handler.go (25): all auth endpoints - user_handler.go (14): CRUD + roles + admin management - device_handler.go (13): device CRUD + trust management - role_handler.go (8): role CRUD + permissions - custom_field_handler.go (7): field CRUD + user values - permission_handler.go (7): permission CRUD + tree - log_handler.go (3): login/operation logs - captcha_handler.go (3): generate/verify - stats_handler.go (2): dashboard + user stats - avatar_handler.go (1): upload avatar - totp_handler.go (1): totp status - password_reset_handler.go (1): forgot password Partially addresses P2: missing Swagger annotations (PRODUCTION_GAP_ANALYSIS_2026-04-08)	2026-04-11 21:23:52 +08:00
long-agent	8fe4669b97	fix: unify handler response format in user_handler.go - List/Get/Update/Delete users: standardize to {code, message, data} format - UpdateUserStatus: standardize to {code, message} format - handleError: standardize to {code, message} format (was {error: ...}) - All inline bad request errors now use {code: 400, message: ...} consistently	2026-04-11 11:22:10 +08:00
long-agent	8c1cf54213	fix: resolve P0 stub/false-positive issues found in SENIOR_DEV_REVIEW audit - Remove dead stub UploadAvatar in user_handler.go (real impl in avatar_handler.go) - Fix GetAuthCapabilities to call service (was returning hardcoded static JSON, missing admin_bootstrap_required) - Replace AdminRoleID=1 hardcoded constant with getAdminRoleID(ctx) dynamic lookup by code="admin" - Fix double Argon2id hash computation in ChangePassword (hash once, reuse) - Add PredefinedRoles seed to newIsolatedDB test infrastructure (fixes broken ADMIN_* tests)	2026-04-11 10:27:29 +08:00
long-agent	dbff591039	fix: update admin flows and review report	2026-04-10 08:09:48 +08:00
long-agent	a85d822419	fix: 统一API响应格式并修复前端测试 - 所有Handler方法使用标准{code:0,message:"success",data:...}响应格式 - 修复Cursor分页响应包装(GetAllDevices,GetLoginLogs,ListUsers等) - 修复AuthHandler和SMSHandler认证方法响应格式 - 修复operation_log.go admin用户operation_type前缀问题 - 修复DashboardPage嵌套stats结构 - 修复LoginLogsPage reset功能stale closure问题 - 修复UsersPage批量操作API调用 - 修复多个前端测试(mock格式、按钮选择、断言逻辑) - 添加OAuth测试域名白名单 - 新增代码审查流程文档	2026-04-08 20:06:54 +08:00
long-agent	5ca3633be4	feat: 系统全面优化 - 设备管理/登录日志导出/性能监控/设置页面后端： - 新增全局设备管理 API（DeviceHandler.GetAllDevices） - 新增登录日志导出功能（LogHandler.ExportLoginLogs, CSV/XLSX） - 新增设置服务（SettingsService）和设置页面 API - 设备管理支持多条件筛选（状态/信任状态/关键词） - 登录日志支持流式导出防 OOM - 操作日志支持按方法/时间范围搜索 - 主题配置服务（ThemeService） - 增强监控健康检查（Prometheus metrics + SLO） - 移除旧 ratelimit.go（已迁移至 robustness） - 修复 SocialAccount NULL 扫描问题 - 新增 API 契约测试、Handler 测试、Settings 测试前端： - 新增管理员设备管理页面（DevicesPage） - 新增管理员登录日志导出功能 - 新增系统设置页面（SettingsPage） - 设备管理支持筛选和分页 - 增强 HTTP 响应类型测试： - 业务逻辑测试 68 个（含并发 CONC_001~003） - 规模测试 16 个（P99 百分位统计） - E2E 测试、集成测试、契约测试 - 性能基准测试、鲁棒性测试全面测试通过（38 个测试包）	2026-04-07 12:08:16 +08:00
long-agent	dcc1f186f8	feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers	2026-04-02 11:19:50 +08:00

12 Commits