- Replace global user token version with per-session versioning in JWT claims
- Add session CRUD operations with DB + Redis dual-write caching strategy
- Create/list/revoke individual sessions and batch revoke other sessions
- Update login flow to create sessions with device info and IP extraction
- Update refresh flow to validate and rotate session-level token version
- Update logout to revoke only the current session instead of all tokens
- Add session management UI page with device/browser detection and relative time display
- Add i18n keys for session management in both Chinese and English
- Add sessions route and navigation menu items in both default and icon layouts
- Add validateRegisterCode function to verify codes during registration
- Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder
- Make cookie names configurable via JWT CookiePrefix setting
- Rename login type "phone" to "sms" for consistency
- Add 1-minute TTL cache for setting values
- Add $fetch wrapper replacing raw fetch calls across all UI pages
- Add verification code inputs with countdown send buttons to register UI
- Move CSS/JS assets from root.html to auth and default layouts
- Add scope parameter to VBase permission check methods
- Add i18n entries for verification code messages (zh/en)
- Fix route guard to use next('/403') instead of router.push
- Replace permission selector dialog with inline add form (scope/id/level)
- Replace per-user role API calls with batch PUT /api/roles/{id}/users
- Add isLogin() async method with lazy _ensureAuth initialization
- Clean up login page CSS: replace hardcoded colors with CSS variables
- Add Chrome autofill style override for dark theme support
- Use @submit.prevent instead of manual e.preventDefault()
- Remove redundant inline comments from script sections
- Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft
- Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh
- Implement strict refresh token rotation: version must match exactly, increment on each refresh
- Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields
- Remove session-based token tracking and cache blacklist in favor of version increment revocation
- Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client
- Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach
- Add CookiePath config option and change default access token expiry from 24h to 15min
- Update Vigo app initialization to use functional options pattern
- Add empty-body cookie read fallback in refresh endpoint
- Rename $mod.$vbase to $mod.$auth in env.js initialization
- Add guard condition to prevent duplicate VBase initialization
- Update all page and layout templates to use $auth instead of $vbase
- Update route guard in routes.js to reference $mod.$auth
- Move beforeEnter router guard logic from env.js to routes.js export function
- Update $env references to $mod in env.js, ico.html, and layout/default.html
- Export routes as function that receives $mod context for dependency injection
- Remove router guard from env.js initialization module
- Add Scope and Level fields to UserPermissionInfo response
- Include role-based permissions in /auth/me endpoint
- Implement diff-based permission sync for role initialization
- Remove Scope field from Role model queries (create, patch, grant)
- Add permission-based route guards in UI (perm: '*')
- Fix register to return error on default role assignment failure
- Fix token refresh to only fetch user when token exists
- Fix code formatting in api/init.go (remove extra spaces)
- Add new OAuth callback page with loading states and error handling
- Create reusable icon component (ico.html) for SVG icons
- Remove deprecated public.html layout, merge into default
- Update login page with improved third-party auth integration
- Add i18n translations for OAuth-related messages
- Update routes to include callback page and handle auth redirects
- Enhance vbase.js with OAuth utilities and token management
- Add new settings page with application, auth, security, email, SMS configuration
- Add OAuth identity providers management page with CRUD operations
- Update login page to support dynamic OAuth providers and verification code login
- Add navigation menu items for settings and OAuth providers
- Add i18n translations for settings and OAuth provider management
- Add routes for /settings and /oauth/providers pages
- Merge login and register into single page with sliding animation
- Add dual login modes: username/password and verification code
- Add OAuth buttons for GitHub, WeChat, Google (placeholder)
- Add animated bubble background effect
- Implement responsive design for mobile devices
- Add comprehensive i18n translations for auth flows
- Remove separate register.html page
- Update routes to use new unified auth page
veypi