- Add OAuth client CRUD and access control tests
- Add organization CRUD, tree and access control tests
- Add role CRUD, access control and system role protection tests
- Remove user:read permission from default user role
- Add project overview with tech stack (Go 1.24+, Vigo framework, GORM)
- Document common commands (make run, db operations, tests)
- Describe onion model request flow and middleware stages
- Explain RBAC permission system format and usage
- Document multi-tenancy patterns (B2C/B2B/Platform)
- Add API response format and error code conventions
- Include Vigo handler pattern with parameter binding
- Document vhtml frontend structure
- Add /api/auth/users endpoint for authenticated users to search other users
- Only return public info (id, username, nickname, avatar) in search results
- Change /api/user routes to require user:admin permission instead of user:read
- Update auth tests to use /api/auth/me for self updates
- Add tests for new user search endpoint
- Add tests/README.md with comprehensive documentation for running and adding tests
- Change TestDBFile from file-based 'test.db' to in-memory 'file::memory:?cache=shared'
- Remove file cleanup in setup() and teardown() functions since memory database requires no cleanup
- Simplify setup() by removing comments and streamlining database configuration
- Move and split 'auth/auth_test.go' into the 'tests/' directory
- Add 'tests/main_test.go' for global test suite setup
- Add 'tests/helpers_test.go' for shared test utilities
- Create separate test files for different auth scenarios ('auth_test.go', 'none_auth_test.go')
- Add focused tests for org permissions and middleware ('org_permission_test.go', 'resource_perm_test.go', 'org_load_middleware_test.go')
- Add 'clean_run.sh' script to reset database and restart server for clean test environment
- Update 'README.md' with detailed troubleshooting guide and pitfalls
- Add '04_org_load_middleware.sh' to test LoadOrg middleware functionality
- Update 'run_all.sh' to include new middleware test
- Fix BASE_URL handling in 'lib.sh' and test scripts to support custom environments
- Update '02_resource_perm.sh' to fix admin permission checks
- Remove debug logging from 'auth.go'
- Add 00_none_auth.sh for unauthenticated access testing
- Replace 01_basic_auth.sh with 01_setup_users.sh for comprehensive user setup
- Replace 02_user_permission.sh with 02_resource_perm.sh for cross-user permission tests
- Update lib.sh to handle non-numeric code fields in response
- Update README.md with new test structure and usage instructions
- Update run_all.sh with new test sequence
- Fix owner ID lookup to prioritize PathParams and Query over Context
- Prevent incorrect owner match when context contains current user ID
- Reset InitAdmin.Password to empty so first registered user becomes admin
- Fix api request functions to use array-based curl options
- Fix token refresh to use refresh_token instead of access_token
- Fix string comparison operator from == to =
- Add get_refresh_token helper function
- Handle empty response in check_http_code
- Update README with new functions and correct command syntax
- Remove set -e from lib.sh to avoid premature exits
- Add api/org/add_member.go for adding organization members
- Register POST /api/orgs/{id}/members endpoint
- Fix PermWithOwner to check owner before permission
- Remove user:update from user role (should use owner check)
- Add service enabled check in verification send
Use database transaction for batch settings update to ensure atomicity.
If any individual update fails, the entire batch will be rolled back,
preventing partial configuration updates.
- Wrap all updates in db.Transaction()
- Return detailed error on failure
Add validation for the 'purpose' parameter in verification code requests
to ensure only allowed values are accepted.
Valid purposes: register, login, reset_password, bind
Invalid purposes will be rejected with 400 Bad Request.
Fix the logic for code.max_daily_count setting to correctly handle:
- 0: Disable verification code service entirely
- -1: No limit on daily sends
- >0: Limit daily sends to the specified number
Previously both 0 and -1 were treated as unlimited, which was incorrect.
The documentation states 0 should disable the service.
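Added example (not the project's code): a Go gate for verification-code requests that covers both the 'purpose' whitelist and the three-way meaning of code.max_daily_count described in the two commit messages above. Every identifier here (ValidatePurpose, CheckDailyLimit, CanSendCode, StatusFor, the error values) is hypothetical; only the 400 for an invalid purpose comes from the page, the other status codes are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// All identifiers below are hypothetical; the project's own handler and
// settings types are not reproduced here.

// allowedPurposes is the whitelist from the commit message.
var allowedPurposes = map[string]bool{
	"register":       true,
	"login":          true,
	"reset_password": true,
	"bind":           true,
}

// Sentinel errors so the handler can map each failure to a status code.
var (
	ErrBadPurpose      = errors.New("invalid purpose")
	ErrServiceDisabled = errors.New("verification code service is disabled")
	ErrDailyLimit      = errors.New("daily send limit reached")
	ErrBadConfig       = errors.New("invalid code.max_daily_count")
)

// ValidatePurpose rejects any purpose outside the whitelist.
func ValidatePurpose(purpose string) error {
	if !allowedPurposes[purpose] {
		return fmt.Errorf("%w: %q", ErrBadPurpose, purpose)
	}
	return nil
}

// CheckDailyLimit implements the three-way meaning of code.max_daily_count:
//
//	 0 -> service disabled entirely
//	-1 -> no daily limit
//	>0 -> at most maxDaily sends per recipient per day
//
// sentToday is the number of codes already sent to this recipient today.
func CheckDailyLimit(maxDaily, sentToday int) error {
	switch {
	case maxDaily == 0:
		return ErrServiceDisabled
	case maxDaily == -1:
		return nil
	case maxDaily < -1:
		// Any other negative value is a misconfiguration, not "unlimited".
		return fmt.Errorf("%w: %d", ErrBadConfig, maxDaily)
	case sentToday >= maxDaily:
		return fmt.Errorf("%w: %d of %d", ErrDailyLimit, sentToday, maxDaily)
	default:
		return nil
	}
}

// CanSendCode gates a send request: validate the purpose first so a bad
// request never consumes quota, then apply the daily limit.
func CanSendCode(purpose string, maxDaily, sentToday int) error {
	if err := ValidatePurpose(purpose); err != nil {
		return err
	}
	return CheckDailyLimit(maxDaily, sentToday)
}

// StatusFor maps a gate error to an HTTP status. 400 for a bad purpose is
// what the commit message specifies; 503, 429 and 500 are assumptions.
func StatusFor(err error) int {
	switch {
	case err == nil:
		return http.StatusOK
	case errors.Is(err, ErrBadPurpose):
		return http.StatusBadRequest
	case errors.Is(err, ErrServiceDisabled):
		return http.StatusServiceUnavailable
	case errors.Is(err, ErrDailyLimit):
		return http.StatusTooManyRequests
	default:
		return http.StatusInternalServerError
	}
}

func main() {
	for _, c := range []struct {
		purpose             string
		maxDaily, sentToday int
	}{
		{"register", 5, 4}, {"register", 5, 5}, {"login", 0, 0},
		{"bind", -1, 100000}, {"delete_account", 5, 0},
	} {
		err := CanSendCode(c.purpose, c.maxDaily, c.sentToday)
		fmt.Printf("%-15s max=%-3d sent=%-6d -> %d %v\n",
			c.purpose, c.maxDaily, c.sentToday, StatusFor(err), err)
	}
}
```

The purpose check runs before the quota check so that a malformed request is rejected without touching the counter, and a negative value other than -1 is surfaced as a configuration error rather than silently treated as unlimited, which is exactly the kind of ambiguity that caused the original 0/-1 bug.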
Encrypt OAuth Provider ClientSecret before storing in database to prevent
sensitive credential exposure in case of database breach.
- Encrypt ClientSecret on create using cfg.Config.Key.Encrypt()
- Encrypt ClientSecret on update when provided
- Decrypt ClientSecret before use in OAuth token exchange
- Add AES-GCM encryption/decryption functions to crypto package
- Gracefully handle legacy plaintext secrets during transition
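Added example (not the project's cfg.Config.Key implementation): an AES-GCM encrypt/decrypt pair for a stored secret that also shows one way to handle legacy plaintext rows during the transition, by tagging encrypted values with a version prefix. The Key type, NewKey, the "enc:v1:" prefix and IsEncrypted are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// encPrefix marks a stored value as ciphertext (hypothetical convention).
// Rows written before encryption existed have no prefix.
const encPrefix = "enc:v1:"

// ErrCiphertext covers malformed input and failed GCM authentication.
var ErrCiphertext = errors.New("malformed or tampered ciphertext")

// Key wraps an AEAD built from a raw AES key (hypothetical type).
type Key struct{ aead cipher.AEAD }

// NewKey accepts a 16, 24 or 32 byte key (AES-128/192/256).
func NewKey(raw []byte) (*Key, error) {
	block, err := aes.NewCipher(raw)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Key{aead: aead}, nil
}

// Encrypt returns encPrefix + base64(nonce || ciphertext || tag).
// A fresh random nonce per call is what makes GCM safe to reuse the key with.
func (k *Key) Encrypt(plaintext string) (string, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := k.aead.Seal(nonce, nonce, []byte(plaintext), nil) // nonce prepended
	return encPrefix + base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt returns the secret for both encrypted and legacy plaintext values.
func (k *Key) Decrypt(stored string) (string, error) {
	if !IsEncrypted(stored) {
		return stored, nil // legacy plaintext row, not yet migrated
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, encPrefix))
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrCiphertext, err)
	}
	ns := k.aead.NonceSize()
	if len(raw) < ns+k.aead.Overhead() {
		return "", ErrCiphertext
	}
	pt, err := k.aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", fmt.Errorf("%w: authentication failed", ErrCiphertext)
	}
	return string(pt), nil
}

// IsEncrypted lets a migration job find rows that still hold plaintext.
func IsEncrypted(stored string) bool { return strings.HasPrefix(stored, encPrefix) }

func main() {
	k, err := NewKey([]byte("0123456789abcdef0123456789abcdef")) // constructed demo key
	if err != nil {
		panic(err)
	}
	ct, _ := k.Encrypt("client-secret-value")
	pt, _ := k.Decrypt(ct)
	legacy, _ := k.Decrypt("legacy-plaintext")
	fmt.Println(IsEncrypted(ct), pt, legacy)
}
```

The prefix is what makes the transition safe to reason about: Decrypt never guesses whether a value is ciphertext, and a one-off job can select the unprefixed rows and re-save them through Encrypt. The one caveat is a legacy secret that itself begins with the prefix string; if that cannot be ruled out, add a separate boolean column instead of relying on the prefix.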
Fix a bug where the count variable was not reset before checking
email and phone uniqueness. This could cause false positives if
a previous check had count > 0, incorrectly reporting that email
or phone already exists when they don't.
- Reset count to 0 before email check
- Reset count to 0 before phone check
Add permission check in settings update API to ensure only admin users
can modify system settings. This fixes a security vulnerability where
any authenticated user could modify critical configurations.
- Check 'setting:update' permission before allowing updates
- Return 403 Forbidden for non-admin users
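Added example (not the project's Vigo middleware): a net/http version of the two checks described on this page, a plain permission gate that returns 403 for callers without 'setting:update', and an owner-first variant of the PermWithOwner fix mentioned earlier, where the resource owner passes without the permission. The User type, WithUser/UserFrom, OwnerFromQuery and CallAs are hypothetical stand-ins for the project's auth context.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// User carries the permissions resolved from the caller's roles, in the
// "resource:action" format the project documents (e.g. "setting:update").
// Hypothetical type; the project's role model is not reproduced.
type User struct {
	ID    uint
	Perms map[string]bool
}

// Has reports whether the user holds perm; a nil user holds nothing.
func (u *User) Has(perm string) bool { return u != nil && u.Perms[perm] }

type userKey struct{}

// WithUser / UserFrom stand in for what the auth middleware stores in context.
func WithUser(ctx context.Context, u *User) context.Context {
	return context.WithValue(ctx, userKey{}, u)
}
func UserFrom(ctx context.Context) *User {
	u, _ := ctx.Value(userKey{}).(*User)
	return u
}

// RequirePerm: 401 without an authenticated user, 403 without perm.
func RequirePerm(perm string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u := UserFrom(r.Context())
		if u == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !u.Has(perm) {
			http.Error(w, "forbidden: "+perm+" required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// PermWithOwner checks ownership before the permission: the owner of the
// target resource passes, anyone else must hold perm. ownerOf resolves the
// owner from the request (hypothetical; here read from the query string).
func PermWithOwner(perm string, ownerOf func(*http.Request) (uint, bool), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u := UserFrom(r.Context())
		if u == nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if id, ok := ownerOf(r); ok && id == u.ID {
			next.ServeHTTP(w, r)
			return
		}
		RequirePerm(perm, next).ServeHTTP(w, r)
	})
}

// OwnerFromQuery reads ?owner=<id>; a missing or non-numeric value yields false.
func OwnerFromQuery(r *http.Request) (uint, bool) {
	id, err := strconv.ParseUint(r.URL.Query().Get("owner"), 10, 64)
	return uint(id), err == nil
}

// okHandler is the protected endpoint body.
var okHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
})

// CallAs invokes h as user u against target and returns the status code.
func CallAs(h http.Handler, u *User, target string) int {
	req := httptest.NewRequest(http.MethodPut, target, nil)
	if u != nil {
		req = req.WithContext(WithUser(req.Context(), u))
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	admin := &User{ID: 1, Perms: map[string]bool{"setting:update": true, "user:update": true}}
	member := &User{ID: 2, Perms: map[string]bool{}}
	settings := RequirePerm("setting:update", okHandler)
	profile := PermWithOwner("user:update", OwnerFromQuery, okHandler)
	fmt.Println("anonymous settings  :", CallAs(settings, nil, "/api/settings"))
	fmt.Println("member settings     :", CallAs(settings, member, "/api/settings"))
	fmt.Println("admin settings      :", CallAs(settings, admin, "/api/settings"))
	fmt.Println("member own profile  :", CallAs(profile, member, "/api/user?owner=2"))
	fmt.Println("member other profile:", CallAs(profile, member, "/api/user?owner=1"))
	fmt.Println("admin other profile :", CallAs(profile, admin, "/api/user?owner=2"))
}
```

Keeping the 401/403 split explicit matters for the test suite on this page: an unauthenticated probe of /api/settings and an authenticated non-admin probe are different findings, and a handler that collapses both into one status hides which of the two controls failed.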
- Replace separate DB/DSN fields with unified config.Database struct
- Remove cfg/db.go and move DB client to config.Database.Client()
- Update auth to use event-driven initialization via vb.init.auth event
- Refactor models initialization to use event system (vb.init.settings/oauth/admin)
- Update CLI to use event.Start() instead of manual InitDB() call
- Fix auth_test.go to use new DB config structure
- Update agents.md documentation with new CLI flags format