long-agent/user-system
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
93 Commits 3 Branches 0 Tags
3f3bb82f1de8da3cfed2158aec51f53947a6a8f1
Commit Graph

20 Commits

Author SHA1 Message Date
long-agent
8095307d82 fix: P0/P1 security and quality fixes 
P0-01: Add ESCAPE clause to LIKE queries in operation_log.go and device.go
P0-02: Add atomic Increment to L1Cache and L2Cache interfaces
P0-07: Add TOTP verification step after password login
P1-01: Sanitize error messages in error.go middleware
P1-03: Remove err.Error() from export error messages
P1-04: Add error return to CountByResultSince in login_log.go
P1-05: Add transactional DeleteCascade to RoleRepository
P1-06: Add PasswordChangedAt tracking for JWT token invalidation
P1-07: Wrap theme SetDefault in database transaction
P1-08: Use config values for database pool parameters
P1-09: Add rows.Err() checks in social_account_repo.go
P1-10: Validate sortOrder with map in user.go ORDER BY
P1-11: Add GORM tags to Announcement struct
P1-15: Add pageSize upper limit (100) to device and log handlers
 2026-04-18 15:33:12 +08:00
long-agent
32a3d4c9e0 fix: P0-01 prevent LIKE injection in operation_log and device repos 
- operation_log.go Search(): add escapeLikePattern + ESCAPE clause
- device.go ListAllCursor(): add escapeLikePattern + ESCAPE clause

The ESCAPE clause is required for SQLite to properly interpret
backslash as an escape character.
 2026-04-18 13:06:44 +08:00
long-agent
bb7c5e7fe2 fix: P0-08 cursor pagination sort consistency 
Cursor pagination now only applies when sorting by created_at.
Other sort fields (username, last_login_time, updated_at) will
not use cursor pagination to prevent data inconsistency.

Fixes: UserRepository.ListCursor() allowing sort fields that
don't match the cursor predicate.
 2026-04-18 10:13:37 +08:00
long-agent
0795e126cc fix: resolve P0 security issues per governance baseline 
P0-01: LIKE injection fix in device.go (2 locations)
- Added escapeLikePattern() to prevent LIKE pattern manipulation

P0-03: Token refresh blacklist fail-closed
- RefreshToken() now returns error if cache.Set fails
- Prevents token double-spend on cache failures

P0-05: CORS dangerous default configuration
- Default changed to empty origins, credentials off
- init() panics if default config is dangerous

P0-06: UpdateUser IDOR vulnerability fix
- Added authorization check (self-or-admin)
- Prevents unauthorized user profile modification

Also: Fixed frontend lint errors in device-fingerprint.test.ts and http/index.test.ts

All 518 frontend tests pass, all backend tests pass.
 2026-04-18 09:32:54 +08:00
long-agent
582ad7a069 test: add comprehensive test coverage and improve code quality 
- Add new test files for auth, service, and handler modules
- Improve test organization and coverage
- Refactor code for better maintainability
- Add captcha, settings, stats, and theme handler tests
- Add auth module tests (CAS, OAuth, password, SSO, state)
- Add service layer tests for auth, export, permissions, roles
- All Go tests pass (exit code 0)
- All frontend tests pass (325 tests in 59 files)
 2026-04-17 20:43:50 +08:00
long-agent
09beb173cc feat: complete production readiness improvements 
- Fix DIP violations in service layer (device, stats, auth middleware)
- Add ReplaceUserRoles interface method for transaction safety
- Implement Magic Bytes validation for avatar uploads
- Standardize OAuth error handling with ErrOAuthProviderNotSupported
- Use crypto/rand for JWT secret generation instead of weak fixed key
- Apply code formatting with gofumpt and goimports
- Fix staticcheck issues (S1024, S1008, ST1005)
- Add comprehensive quality and functional test reports
- Achieve 36.3% test coverage (up from 16.3%)
- All E2E, integration, and business logic tests passing
 2026-04-12 16:15:32 +08:00
long-agent
4193b46b5f docs: add false completion prevention rules and fix swagger gaps 
Changes:
- Add FALSE_COMPLETION_PREVENTION.md documenting false completion patterns
- Add integrity check script (scripts/check-integrity.sh) for automated verification
- Fix swagger annotation gaps in 3 handlers (+10 annotations):
  - password_reset_handler.go: +4 annotations
  - totp_handler.go: +4 annotations
  - log_handler.go: +2 annotations
- Define IntegrationRedisSuite type for Redis integration tests
- Update QUALITY_STANDARD.md with swagger completeness and response format requirements
- Update PROJECT_EXPERIENCE_SUMMARY.md with new learnings on false completion

Integrity check now validates:
- Swagger annotation completeness per handler
- Response format uniformity (with OAuth whitelist)
- Test infrastructure type definitions
- Repository test coverage
 2026-04-11 23:38:43 +08:00
long-agent
1929c42e35 test: add comprehensive ListCursor tests with keyword, time range, and role filters 2026-04-11 22:26:18 +08:00
long-agent
8257897bf5 test: add tests for GetPermissionsByIDs, GetUserRolesAndPermissions, ListCursor 
Repository test coverage improved to 80.4%

- role_permission_repository_test.go: GetPermissionsByIDs test
- user_role_repository_test.go: GetUserRolesAndPermissions test
- user_repository_test.go: ListCursor test
 2026-04-11 22:19:44 +08:00
long-agent
5389d2bcf5 fix: replace MySQL NOW() with SQLite-compatible datetime('now') 
- Set function: use GORM clause.OnConflict for cross-database upsert
- BatchSet function: replace NOW() with datetime('now')
- Add tests for Set and BatchSet (both now 100%/85.7% covered)
 2026-04-11 22:13:00 +08:00
long-agent
8f5a315bdf test: add ListLogsForExportBatch test to improve coverage 2026-04-11 22:01:43 +08:00
long-agent
289aab2930 test: add repository tests to improve coverage from 46.6% to 74% 
New test files:
- custom_field_repository_test.go: 10 tests for CustomFieldRepository & UserCustomFieldValueRepository
- login_log_repository_test.go: 3 tests for ListCursor, ListByUserIDCursor, ListAllForExport
- operation_log_repository_test.go: 1 test for ListCursor
- role_repository_test.go: 2 tests for GetAncestorIDs, GetAncestors
- social_account_repository_test.go: 8 CRUD tests
- theme_repository_test.go: 10 tests for ThemeConfigRepository
- user_role_repository_test.go: 1 test for DeleteByUserAndRole

Modified test files:
- device_repository_test.go: Added ListAllCursor tests
- user_repository_test.go: Added AdvancedSearch tests
- webhook_repository_test.go: Added ListByCreatorPaginated test

Updated documentation with new coverage status.
 2026-04-11 21:58:28 +08:00
long-agent
4764814de1 test: add device repository tests for full CRUD coverage 
Added 15 test cases covering:
- Create, GetByID, GetByDeviceID
- Update, Delete
- List, ListByUserID, ListByStatus
- UpdateStatus, Exists
- DeleteByUserID, DeleteAllByUserIDExcept
- GetActiveDevices, TrustDevice, UntrustDevice
- GetTrustedDevices, ListAll

Coverage: 46.6% -> 49.0% (+2.4%)
Addresses P1: repository layer test coverage
 2026-04-11 21:32:06 +08:00
long-agent
c2096ff008 fix: wrap AssignRoles in transaction and eliminate N+1 queries 
- AssignRoles: wrap DeleteByUserID + BatchCreate in DB transaction (P1)
- GetUserRoles: use GetByIDs batch query instead of per-role GetByID loop (N+1 fix)
- ListAdmins: use GetByIDs batch query instead of per-user GetByID loop (N+1 fix)
- Add WithTx/DB methods to UserRoleRepository for transaction support
- Add GetByIDs to UserRepository (batch user lookup)
- Add .gitattributes to normalize line endings to LF (P2)
 2026-04-11 10:32:33 +08:00
long-agent
dbff591039 fix: update admin flows and review report 2026-04-10 08:09:48 +08:00
long-agent
3548b69aaa test: add comprehensive UserRepository coverage tests 
Added tests for UserRepository operations:
- TestUserRepository_GetByPhone
- TestUserRepository_ListByStatus
- TestUserRepository_UpdateStatus
- TestUserRepository_BatchUpdateStatus
- TestUserRepository_BatchDelete
- TestUserRepository_Search
- TestUserRepository_Search_LikePattern (tests LIKE escape)

repository package coverage: 46% → 47.2%
 2026-04-09 09:57:58 +08:00
long-agent
a85d822419 fix: 统一API响应格式并修复前端测试 
- 所有Handler方法使用标准{code:0,message:"success",data:...}响应格式
- 修复Cursor分页响应包装(GetAllDevices,GetLoginLogs,ListUsers等)
- 修复AuthHandler和SMSHandler认证方法响应格式
- 修复operation_log.go admin用户operation_type前缀问题
- 修复DashboardPage嵌套stats结构
- 修复LoginLogsPage reset功能stale closure问题
- 修复UsersPage批量操作API调用
- 修复多个前端测试(mock格式、按钮选择、断言逻辑)
- 添加OAuth测试域名白名单
- 新增代码审查流程文档
 2026-04-08 20:06:54 +08:00
long-agent
5ca3633be4 feat: 系统全面优化 - 设备管理/登录日志导出/性能监控/设置页面 
后端:
- 新增全局设备管理 API(DeviceHandler.GetAllDevices)
- 新增登录日志导出功能(LogHandler.ExportLoginLogs, CSV/XLSX)
- 新增设置服务(SettingsService)和设置页面 API
- 设备管理支持多条件筛选(状态/信任状态/关键词)
- 登录日志支持流式导出防 OOM
- 操作日志支持按方法/时间范围搜索
- 主题配置服务(ThemeService)
- 增强监控健康检查(Prometheus metrics + SLO)
- 移除旧 ratelimit.go(已迁移至 robustness)
- 修复 SocialAccount NULL 扫描问题
- 新增 API 契约测试、Handler 测试、Settings 测试

前端:
- 新增管理员设备管理页面(DevicesPage)
- 新增管理员登录日志导出功能
- 新增系统设置页面(SettingsPage)
- 设备管理支持筛选和分页
- 增强 HTTP 响应类型

测试:
- 业务逻辑测试 68 个(含并发 CONC_001~003)
- 规模测试 16 个(P99 百分位统计)
- E2E 测试、集成测试、契约测试
- 性能基准测试、鲁棒性测试

全面测试通过(38 个测试包)
 2026-04-07 12:08:16 +08:00
long-agent
765a50b7d4 fix: 生产安全修复 + Go SDK + CAS SSO框架 
安全修复:
- CRITICAL: SSO重定向URL注入漏洞 - 修复redirect_uri白名单验证
- HIGH: SSO ClientSecret未验证 - 使用crypto/subtle.ConstantTimeCompare验证
- HIGH: 邮件验证码熵值过低(3字节) - 提升到6字节(48位熵)
- HIGH: 短信验证码熵值过低(4字节) - 提升到6字节
- HIGH: Goroutine使用已取消上下文 - auth_email.go使用独立context+超时
- HIGH: SQL LIKE查询注入风险 - permission/role仓库使用escapeLikePattern

新功能:
- Go SDK: sdk/go/user-management/ 完整SDK实现
- CAS SSO框架: internal/auth/cas.go CAS协议支持

其他:
- L1Cache实例问题修复 - AuthMiddleware共享l1Cache
- 设备指纹XSS防护 - 内存存储替代localStorage
- 响应格式协议中间件
- 导出无界查询修复
 2026-04-03 17:38:31 +08:00
long-agent
dcc1f186f8 feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers 2026-04-02 11:19:50 +08:00