user-system

long-agent/user-system

Fork 0

Commit Graph

Author	SHA1	Message	Date
Your Name	6be90ddff8	fix: close auth, permission, contract and e2e review blockers	2026-05-28 15:19:13 +08:00
long-agent	adb251e4ad	fix: P2 security and correctness issues P2-10: Change ActivateEmail from GET to POST - token now passed in request body instead of URL query parameter for better security P2-11: Change ValidateResetToken from GET to POST - token now passed in request body instead of URL query parameter to prevent log leakage P2-12: Note - /uploads static exposure remains (requires architectural decision about file serving) P2-13: cursor.Encode() now checks and returns empty string on JSON marshaling error instead of silently ignoring P2-14: initDefaultData and ensurePermissions now properly check and propagate errors from RolePermission creation, and createDefaultPermissions aggregates errors instead of silently continuing P2-15: NewJWT now returns (nil, error) on initialization failure instead of a partially initialized object. All callers updated to handle the error return. Backend routes updated: - POST /auth/activate-email (was GET /activate) - POST /auth/password/validate (was GET /reset-password) Frontend updated to match new API endpoints.	2026-04-18 20:48:11 +08:00
long-agent	4718980ab5	feat: admin frontend - React + Vite, auth pages, user management, roles, permissions, webhooks, devices, logs	2026-04-02 11:20:20 +08:00

Author

SHA1

Message

Date

Your Name

6be90ddff8

fix: close auth, permission, contract and e2e review blockers

2026-05-28 15:19:13 +08:00

long-agent

adb251e4ad

fix: P2 security and correctness issues

P2-10: Change ActivateEmail from GET to POST - token now passed in
request body instead of URL query parameter for better security

P2-11: Change ValidateResetToken from GET to POST - token now passed
in request body instead of URL query parameter to prevent log leakage

P2-12: Note - /uploads static exposure remains (requires architectural
decision about file serving)

P2-13: cursor.Encode() now checks and returns empty string on JSON
marshaling error instead of silently ignoring

P2-14: initDefaultData and ensurePermissions now properly check and
propagate errors from RolePermission creation, and createDefaultPermissions
aggregates errors instead of silently continuing

P2-15: NewJWT now returns (nil, error) on initialization failure
instead of a partially initialized object. All callers updated to handle
the error return.

Backend routes updated:
- POST /auth/activate-email (was GET /activate)
- POST /auth/password/validate (was GET /reset-password)

Frontend updated to match new API endpoints.

2026-04-18 20:48:11 +08:00

long-agent

4718980ab5

feat: admin frontend - React + Vite, auth pages, user management, roles, permissions, webhooks, devices, logs

2026-04-02 11:20:20 +08:00

3 Commits