- Replace global user token version with per-session versioning in JWT claims
- Add session CRUD operations with DB + Redis dual-write caching strategy
- Create/list/revoke individual sessions and batch revoke other sessions
- Update login flow to create sessions with device info and IP extraction
- Update refresh flow to validate and rotate session-level token version
- Update logout to revoke only the current session instead of all tokens
- Add session management UI page with device/browser detection and relative time display
- Add i18n keys for session management in both Chinese and English
- Add sessions route and navigation menu items in both default and icon layouts
- Add validateRegisterCode function to verify codes during registration
- Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder
- Make cookie names configurable via JWT CookiePrefix setting
- Rename login type "phone" to "sms" for consistency
- Add 1-minute TTL cache for setting values
- Add $fetch wrapper replacing raw fetch calls across all UI pages
- Add verification code inputs with countdown send buttons to register UI
- Move CSS/JS assets from root.html to auth and default layouts
- Add scope parameter to VBase permission check methods
- Add i18n entries for verification code messages (zh/en)
- Fix route guard to use next('/403') instead of router.push
- Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft
- Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh
- Implement strict refresh token rotation: version must match exactly, increment on each refresh
- Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields
- Remove session-based token tracking and cache blacklist in favor of version increment revocation
- Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client
- Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach
- Add CookiePath config option and change default access token expiry from 24h to 15min
- Update Vigo app initialization to use functional options pattern
- Add empty-body cookie read fallback in refresh endpoint
- Add random avatar generation for new users in register
- Fix OAuth state parsing with type assertions and error handling
- Add TempToken field to CallbackResponse for bind flow
- Implement dynamic redirect URI resolution with X-Forwarded headers support
- Add memory cache fallback when Redis is unavailable
- Change default port from 4001 to 4000 in Makefile
- Update API endpoints to use scoped permission codes (e.g., role:*)
- Fix role list scope parameter to use pointer type
- Add Options type alias in init.go for external use
- Remove org-related cache functions from libs/cache
- Delete org API endpoints (add_member, create, del, get, list, member, patch, tree)
- Delete models/org.go and remove Org/OrgMember models
- Delete org-related test files (org_crud, org_load_middleware, org_permission, multi_tenant)
- Delete org test scripts (03_org_permission.sh, 04_org_load_middleware.sh)
- Simplify auth/auth.go by removing org context and role loading logic
- Remove org claims from JWT tokens and login/register responses
- Redesign Permission model with hierarchical level-based access control
- Add auth/design.md with new permission system specification
- Update user and role APIs to work without org context
- Rename cfg.Config to cfg.Global for consistency
- Simplify cli/main.go to use vbase.App.Run() pattern
- Update init.go to create app with vigo.New and Init function
- Update all references from cfg.Config to cfg.Global across api, libs, models, and tests
- Fix VBase constructor parameter order in ui/vbase.js
- Update ui/env.js to use new VBase('vb', '/') initialization
Encrypt OAuth Provider ClientSecret before storing in database to prevent
sensitive credential exposure in case of database breach.
- Encrypt ClientSecret on create using cfg.Config.Key.Encrypt()
- Encrypt ClientSecret on update when provided
- Decrypt ClientSecret before use in OAuth token exchange
- Add AES-GCM encryption/decryption functions to crypto package
- Gracefully handle legacy plaintext secrets during transition
veypi
veypi