- Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft
- Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh
- Implement strict refresh token rotation: version must match exactly, increment on each refresh
- Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields
- Remove session-based token tracking and cache blacklist in favor of version increment revocation
- Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client
- Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach
- Add CookiePath config option and change default access token expiry from 24h to 15min
- Update Vigo app initialization to use functional options pattern
- Add empty-body cookie read fallback in refresh endpoint
- Rename $mod.$vbase to $mod.$auth in env.js initialization
- Add guard condition to prevent duplicate VBase initialization
- Update all page and layout templates to use $auth instead of $vbase
- Update route guard in routes.js to reference $mod.$auth
- Move beforeEnter router guard logic from env.js to routes.js export function
- Update $env references to $mod in env.js, ico.html, and layout/default.html
- Export routes as function that receives $mod context for dependency injection
- Remove router guard from env.js initialization module
- Add Scope and Level fields to UserPermissionInfo response
- Include role-based permissions in /auth/me endpoint
- Implement diff-based permission sync for role initialization
- Remove Scope field from Role model queries (create, patch, grant)
- Add permission-based route guards in UI (perm: '*')
- Fix register to return error on default role assignment failure
- Fix token refresh to only fetch user when token exists
- Fix code formatting in api/init.go (remove extra spaces)
- Add new OAuth callback page with loading states and error handling
- Create reusable icon component (ico.html) for SVG icons
- Remove deprecated public.html layout, merge into default
- Update login page with improved third-party auth integration
- Add i18n translations for OAuth-related messages
- Update routes to include callback page and handle auth redirects
- Enhance vbase.js with OAuth utilities and token management
- Add new settings page with application, auth, security, email, SMS configuration
- Add OAuth identity providers management page with CRUD operations
- Update login page to support dynamic OAuth providers and verification code login
- Add navigation menu items for settings and OAuth providers
- Add i18n translations for settings and OAuth provider management
- Add routes for /settings and /oauth/providers pages
- Merge login and register into single page with sliding animation
- Add dual login modes: username/password and verification code
- Add OAuth buttons for GitHub, WeChat, Google (placeholder)
- Add animated bubble background effect
- Implement responsive design for mobile devices
- Add comprehensive i18n translations for auth flows
- Remove separate register.html page
- Update routes to use new unified auth page
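
The version check described in the first items of this list (±1 tolerance on access tokens, exact match plus increment on refresh), sketched as an added example that is not the project's code. `VersionStore`, `CheckAccess`, `Refresh` and `ErrStale` are hypothetical names, and an in-memory map stands in for Redis.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Claims carries only UserID + Type + Version, as in the list above.
type Claims struct {
	UserID, Type string // Type is "access" or "refresh"
	Version      int64
}

// VersionStore is an in-memory stand-in (assumption) for the Redis counter.
type VersionStore struct {
	mu  sync.Mutex
	cur map[string]int64
}

var ErrStale = errors.New("token version rejected")

// CheckAccess tolerates ±1 so a tab holding the previous token survives
// another tab's refresh.
func (s *VersionStore) CheckAccess(c Claims) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if d := c.Version - s.cur[c.UserID]; c.Type != "access" || d < -1 || d > 1 {
		return ErrStale
	}
	return nil
}

// Refresh demands an exact match and increments under the lock, so a
// replayed refresh token fails.
func (s *VersionStore) Refresh(c Claims) (int64, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if c.Type != "refresh" || c.Version != s.cur[c.UserID] {
		return 0, ErrStale
	}
	s.cur[c.UserID]++
	return s.cur[c.UserID], nil
}

func main() {
	s := &VersionStore{cur: map[string]int64{"u1": 1}} // constructed sample user
	v, err := s.Refresh(Claims{"u1", "refresh", 1})
	fmt.Println(v, err, s.CheckAccess(Claims{"u1", "access", 1}), s.CheckAccess(Claims{"u1", "access", 0}))
}
```

In this sketch a single increment leaves the previous access token inside the ±1 window, so it is only rejected after a second increment or when it expires.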