- Replace db.Where("key = ?", ...) with db.Where(&Setting{Key: ...}) for type-safe queries
- Replace db.Order("category, key") with structured clause.OrderBy in list API
- Replace tx.Where("key = ?", ...) with tx.Where(&models.Setting{Key: ...}) in update API
- Replace db.Where("key = ?", ...) with db.Where(&Setting{Key: ...}) in InitSettings, settingCache, SetSetting
- Add validateRegisterCode function to verify codes during registration
- Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder
- Make cookie names configurable via JWT CookiePrefix setting
- Rename login type "phone" to "sms" for consistency
- Add 1-minute TTL cache for setting values
- Add $fetch wrapper replacing raw fetch calls across all UI pages
- Add verification code inputs with countdown send buttons to register UI
- Move CSS/JS assets from root.html to auth and default layouts
- Add scope parameter to VBase permission check methods
- Add i18n entries for verification code messages (zh/en)
- Fix route guard to use next('/403') instead of router.push
- Add PermissionInput struct with scope, permission_id, and level fields
- Support adding permissions individually with custom scope and level
- Support removing permissions by ID via dedicated remove field
- Keep legacy replace mode for backward compatibility
- Default level to 7 (admin) and scope to "vb" when not specified
- Add GET /{id}/users endpoint for paginated role user listing
- Add PUT /{id}/users endpoint for batch role user assignment
- Use transaction to atomically sync user-role associations
- Prevent modification of system role user assignments
- Change login to call IncrTokenVersion instead of GetTokenVersion
- Add IncrTokenVersion public function wrapping incrTokenVersion
- Existing tokens become invalid when user logs in again
- Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft
- Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh
- Implement strict refresh token rotation: version must match exactly, increment on each refresh
- Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields
- Remove session-based token tracking and cache blacklist in favor of version increment revocation
- Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client
- Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach
- Add CookiePath config option and change default access token expiry from 24h to 15min
- Update Vigo app initialization to use functional options pattern
- Add empty-body cookie read fallback in refresh endpoint
- Add `OnUserCreate` hook variable in `cfg/cfg.go` for custom callbacks
- Invoke `OnUserCreate` after successful user registration in `api/auth/register.go`
- Log warning when user creation hook fails
- Add POST /api/auth/users endpoint for batch user query
- Add IDs filter to SearchUsersRequest for batch lookup
- Add Name and Icon fields to PublicUserInfo response
- Implement searchUsersByIDs with deduplication and ordering
- Extract buildPublicUserInfo helper for consistent public info mapping
- Move VBaseProvider initialization from init() to Init() function
- Move role initialization (admin/user) from api/init.go to Init()
- Remove global VBaseProvider variable reference from tests
- Use NewAuth factory function instead of direct auth.Factory.New call
- Rename appAuth to vbaseProvider implementing auth.Provider interface
- Replace auth.VBaseAuth with cfg.Auth (auth.Auth struct) for middleware
- Add global cfg.Auth instance with SetProvider injection in init.go
- Update all API handlers to use cfg.Auth.RequireXxx instead of PermXxx
- Update tests to use cfg.Auth for permission checks
- Remove Login/Perm methods from Provider (now in auth.Auth struct)
- Add Scope and Level fields to UserPermissionInfo response
- Include role-based permissions in /auth/me endpoint
- Implement diff-based permission sync for role initialization
- Remove Scope field from Role model queries (create, patch, grant)
- Add permission-based route guards in UI (perm: '*')
- Fix register to return error on default role assignment failure
- Fix token refresh to only fetch user when token exists
- Fix code formatting in api/init.go (remove extra spaces)
- Add Phone field to UserInfoWithPerms response struct
- Add Phone to UpdateMeRequest for profile updates
- Include phone in user info query and update handlers
- Add random avatar generation for new users in register
- Fix OAuth state parsing with type assertions and error handling
- Add TempToken field to CallbackResponse for bind flow
- Implement dynamic redirect URI resolution with X-Forwarded headers support
- Add memory cache fallback when Redis is unavailable
- Change default port from 4001 to 4000 in Makefile
- Change BindMode from bool to *bool in thirdparty auth for proper optional handling
- Change Error field from string to *string in OAuth callback request
- Change Email and Phone to *string pointers in bind with register request
- Add public /api/info endpoint for frontend configuration
- Update OAuth token request to use pointers for optional code and refresh_token
- Add desc tags to various request struct fields for API documentation
- Fix path parameter binding with explicit @code suffix for OAuth providers
- Change Description field to *string pointer in role creation
- Change Category field to *string pointer in settings list
- Update API endpoints to use scoped permission codes (e.g., role:*)
- Fix role list scope parameter to use pointer type
- Add Options type alias in init.go for external use
- Remove org-related cache functions from libs/cache
- Delete org API endpoints (add_member, create, del, get, list, member, patch, tree)
- Delete models/org.go and remove Org/OrgMember models
- Delete org-related test files (org_crud, org_load_middleware, org_permission, multi_tenant)
- Delete org test scripts (03_org_permission.sh, 04_org_load_middleware.sh)
- Simplify auth/auth.go by removing org context and role loading logic
- Remove org claims from JWT tokens and login/register responses
- Redesign Permission model with hierarchical level-based access control
- Add auth/design.md with new permission system specification
- Update user and role APIs to work without org context
- Replace GetUserID/GetOrgID with VBaseAuth.UserID/OrgID methods across all APIs
- Integrate vigoauth.Auth interface into appAuth for standard auth methods
- Move AuthMiddleware to PermLogin method in auth package
- Add role management methods: GetRole, ListRoles, GrantRoles, RevokeRoles, ListUserRoles
- Update ListUserPermissions and ListResourceUsers to return vigoauth types
- Export Redis client in cfg package
- Simplify app initialization by separating vigo.New in cli/main.go
- Remove deprecated auth/middleware.go file
- Rename cfg.Config to cfg.Global for consistency
- Simplify cli/main.go to use vbase.App.Run() pattern
- Update init.go to create app with vigo.New and Init function
- Update all references from cfg.Config to cfg.Global across api, libs, models, and tests
- Fix VBase constructor parameter order in ui/vbase.js
- Update ui/env.js to use new VBase('vb', '/') initialization
- Add UserPermissionInfo and UserInfoWithPerms structs for detailed user info
- Extend /auth/me to return user permissions and global roles
- Remove unused isAdmin helper method from auth.go
- Update updateMe to return UserInfoWithPerms for consistency
- Add /api/auth/users endpoint for authenticated users to search other users
- Only return public info (id, username, nickname, avatar) in search results
- Change /api/user routes to require user:admin permission instead of user:read
- Update auth tests to use /api/auth/me for self updates
- Add tests for new user search endpoint
- Add 'clean_run.sh' script to reset database and restart server for clean test environment
- Update 'README.md' with detailed troubleshooting guide and pitfalls
- Add '04_org_load_middleware.sh' to test LoadOrg middleware functionality
- Update 'run_all.sh' to include new middleware test
- Fix BASE_URL handling in 'lib.sh' and test scripts to support custom environments
- Update '02_resource_perm.sh' to fix admin permission checks
- Remove debug logging from 'auth.go'
- Add api/org/add_member.go for adding organization members
- Register POST /api/orgs/{id}/members endpoint
- Fix PermWithOwner to check owner before permission
- Remove user:update from user role (should use owner check)
- Add service enabled check in verification send
Use database transaction for batch settings update to ensure atomicity.
If any individual update fails, the entire batch will be rolled back,
preventing partial configuration updates.
- Wrap all updates in db.Transaction()
- Return detailed error on failure
Add validation for the 'purpose' parameter in verification code requests
to ensure only allowed values are accepted.
Valid purposes: register, login, reset_password, bind
Invalid purposes will be rejected with 400 Bad Request.
Fix the logic for code.max_daily_count setting to correctly handle:
- 0: Disable verification code service entirely
- -1: No limit on daily sends
- >0: Limit daily sends to the specified number
Previously both 0 and -1 were treated as unlimited, which was incorrect.
The documentation states 0 should disable the service.
Encrypt OAuth Provider ClientSecret before storing in database to prevent
sensitive credential exposure in case of database breach.
- Encrypt ClientSecret on create using cfg.Config.Key.Encrypt()
- Encrypt ClientSecret on update when provided
- Decrypt ClientSecret before use in OAuth token exchange
- Add AES-GCM encryption/decryption functions to crypto package
- Gracefully handle legacy plaintext secrets during transition
Fix a bug where the count variable was not reset before checking
email and phone uniqueness. This could cause false positives if
a previous check had count > 0, incorrectly reporting that email
or phone already exists when they don't.
- Reset count to 0 before email check
- Reset count to 0 before phone check
Add permission check in settings update API to ensure only admin users
can modify system settings. This fixes a security vulnerability where
any authenticated user could modify critical configurations.
- Check 'setting:update' permission before allowing updates
- Return 403 Forbidden for non-admin users
veypi