- Return false instead of throwing error when no refresh token exists
- Prevent logout on refresh error, just log warning and return false
- Avoid throwing errors that could break the application flow
- Fix hardcoded table name 'user_roles' to use GORM model for proper table prefix support
- Simplify permission ID format from 'scope:roleCode:permission:level' to 'scope:permission:level'
- Update comments to reflect the new ID format
- Add Scope and Level fields to UserPermissionInfo response
- Include role-based permissions in /auth/me endpoint
- Implement diff-based permission sync for role initialization
- Remove Scope field from Role model queries (create, patch, grant)
- Add permission-based route guards in UI (perm: '*')
- Fix register to return error on default role assignment failure
- Fix token refresh to only fetch user when token exists
- Fix code formatting in api/init.go (remove extra spaces)
- Add DB.Prefix "vb_" to cfg.DB config for global table prefix
- Remove TableName() methods from all models (User, Role, Permission, etc.)
- Remove Role.Scope field and its unique index with Code
- Let GORM auto-generate table names with configured prefix
- Add profile editing with avatar, nickname, email, phone fields
- Add identity providers section for OAuth account binding
- Add account security section with password change
- Add new i18n translations for profile and auth pages
- Update vbase.js with improved error handling and user info refresh
- Include ico component in default layout
- Add Phone field to UserInfoWithPerms response struct
- Add Phone to UpdateMeRequest for profile updates
- Include phone in user info query and update handlers
- Add new OAuth callback page with loading states and error handling
- Create reusable icon component (ico.html) for SVG icons
- Remove deprecated public.html layout, merge into default
- Update login page with improved third-party auth integration
- Add i18n translations for OAuth-related messages
- Update routes to include callback page and handle auth redirects
- Enhance vbase.js with OAuth utilities and token management
- Add random avatar generation for new users in register
- Fix OAuth state parsing with type assertions and error handling
- Add TempToken field to CallbackResponse for bind flow
- Implement dynamic redirect URI resolution with X-Forwarded headers support
- Add memory cache fallback when Redis is unavailable
- Change default port from 4001 to 4000 in Makefile
- Add new settings page with application, auth, security, email, SMS configuration
- Add OAuth identity providers management page with CRUD operations
- Update login page to support dynamic OAuth providers and verification code login
- Add navigation menu items for settings and OAuth providers
- Add i18n translations for settings and OAuth provider management
- Add routes for /settings and /oauth/providers pages
- Change BindMode from bool to *bool in thirdparty auth for proper optional handling
- Change Error field from string to *string in OAuth callback request
- Change Email and Phone to *string pointers in bind with register request
- Add public /api/info endpoint for frontend configuration
- Update OAuth token request to use pointers for optional code and refresh_token
- Add desc tags to various request struct fields for API documentation
- Fix path parameter binding with explicit @code suffix for OAuth providers
- Change Description field to *string pointer in role creation
- Change Category field to *string pointer in settings list
- Merge login and register into single page with sliding animation
- Add dual login modes: username/password and verification code
- Add OAuth buttons for GitHub, WeChat, Google (placeholder)
- Add animated bubble background effect
- Implement responsive design for mobile devices
- Add comprehensive i18n translations for auth flows
- Remove separate register.html page
- Update routes to use new unified auth page
- Remove local Auth interface definition from auth/auth.go
- Import and use pub.Auth from github.com/veypi/vigo/contrib/auth
- Update authFactory.New() to return pub.Auth type
- Add compile-time type check: var _ pub.Auth = &appAuth{}
- Update go.mod dependencies (add redis, update gorm, remove aliyun sms)
- Remove org-related test cases from edge_case_test.go
- Remove OrgResp type from main_test.go
- Update none_auth_test removing org endpoints
- Add permission grants in OAuth tests for proper access control
- Fix race condition tests with retry logic for SQLite locking
- Update resource_perm_test to accept 401 or 403 status codes
- Add new role_access_test.go for role API permission testing
- Add new scoped_auth_test.go for scoped permission testing
- Update API endpoints to use scoped permission codes (e.g., role:*)
- Fix role list scope parameter to use pointer type
- Add Options type alias in init.go for external use
- Remove org-related cache functions from libs/cache
- Add validatePermission function to check depth/level consistency
- Validate permission codes in Perm, Grant, and Check methods
- LevelCreate requires odd depth, other levels require even depth
- Update design.md examples from org to app/role model
- Add RoleID field to Permission struct documentation
- Delete org API endpoints (add_member, create, del, get, list, member, patch, tree)
- Delete models/org.go and remove Org/OrgMember models
- Delete org-related test files (org_crud, org_load_middleware, org_permission, multi_tenant)
- Delete org test scripts (03_org_permission.sh, 04_org_load_middleware.sh)
- Simplify auth/auth.go by removing org context and role loading logic
- Remove org claims from JWT tokens and login/register responses
- Redesign Permission model with hierarchical level-based access control
- Add auth/design.md with new permission system specification
- Update user and role APIs to work without org context
- Replace GetUserID/GetOrgID with VBaseAuth.UserID/OrgID methods across all APIs
- Integrate vigoauth.Auth interface into appAuth for standard auth methods
- Move AuthMiddleware to PermLogin method in auth package
- Add role management methods: GetRole, ListRoles, GrantRoles, RevokeRoles, ListUserRoles
- Update ListUserPermissions and ListResourceUsers to return vigoauth types
- Export Redis client in cfg package
- Simplify app initialization by separating vigo.New in cli/main.go
- Remove deprecated auth/middleware.go file
- Rename cfg.Config to cfg.Global for consistency
- Simplify cli/main.go to use vbase.App.Run() pattern
- Update init.go to create app with vigo.New and Init function
- Update all references from cfg.Config to cfg.Global across api, libs, models, and tests
- Fix VBase constructor parameter order in ui/vbase.js
- Update ui/env.js to use new VBase('vb', '/') initialization
- Add scope parameter to VBase constructor for multi-tenant support
- Replace hasPermission with checkPerm, checkPermOnResource, checkPermAny, checkPermAll
- Implement _isAdmin check for global wildcard permissions (*:*)
- Add _matchPermission with wildcard support (resource:*, *:*)
- Remove default 404 page from vrouter in root.html
- Add UserPermissionInfo and UserInfoWithPerms structs for detailed user info
- Extend /auth/me to return user permissions and global roles
- Remove unused isAdmin helper method from auth.go
- Update updateMe to return UserInfoWithPerms for consistency
- Add OAuth client CRUD and access control tests
- Add organization CRUD, tree and access control tests
- Add role CRUD, access control and system role protection tests
- Remove user:read permission from default user role
- Add project overview with tech stack (Go 1.24+, Vigo framework, GORM)
- Document common commands (make run, db operations, tests)
- Describe onion model request flow and middleware stages
- Explain RBAC permission system format and usage
- Document multi-tenancy patterns (B2C/B2B/Platform)
- Add API response format and error code conventions
- Include Vigo handler pattern with parameter binding
- Document vhtml frontend structure
- Add /api/auth/users endpoint for authenticated users to search other users
- Only return public info (id, username, nickname, avatar) in search results
- Change /api/user routes to require user:admin permission instead of user:read
- Update auth tests to use /api/auth/me for self updates
- Add tests for new user search endpoint
- Add tests/README.md with comprehensive documentation for running and adding tests
- Change TestDBFile from file-based 'test.db' to in-memory 'file::memory:?cache=shared'
- Remove file cleanup in setup() and teardown() functions since memory database requires no cleanup
- Simplify setup() by removing comments and streamlining database configuration
- Move and split 'auth/auth_test.go' into the 'tests/' directory
- Add 'tests/main_test.go' for global test suite setup
- Add 'tests/helpers_test.go' for shared test utilities
- Create separate test files for different auth scenarios ('auth_test.go', 'none_auth_test.go')
- Add focused tests for org permissions and middleware ('org_permission_test.go', 'resource_perm_test.go', 'org_load_middleware_test.go')
- Add 'clean_run.sh' script to reset database and restart server for clean test environment
- Update 'README.md' with detailed troubleshooting guide and pitfalls
- Add '04_org_load_middleware.sh' to test LoadOrg middleware functionality
- Update 'run_all.sh' to include new middleware test
- Fix BASE_URL handling in 'lib.sh' and test scripts to support custom environments
- Update '02_resource_perm.sh' to fix admin permission checks
- Remove debug logging from 'auth.go'
- Add 00_none_auth.sh for unauthenticated access testing
- Replace 01_basic_auth.sh with 01_setup_users.sh for comprehensive user setup
- Replace 02_user_permission.sh with 02_resource_perm.sh for cross-user permission tests
- Update lib.sh to handle non-numeric code fields in response
- Update README.md with new test structure and usage instructions
- Update run_all.sh with new test sequence
- Fix owner ID lookup to prioritize PathParams and Query over Context
- Prevent incorrect owner match when context contains current user ID
- Reset InitAdmin.Password to empty so first registered user becomes admin
- Fix api request functions to use array-based curl options
- Fix token refresh to use refresh_token instead of access_token
- Fix string comparison operator from == to =
- Add get_refresh_token helper function
- Handle empty response in check_http_code
- Update README with new functions and correct command syntax
- Remove set -e from lib.sh to avoid premature exits
- Add api/org/add_member.go for adding organization members
- Register POST /api/orgs/{id}/members endpoint
- Fix PermWithOwner to check owner before permission
- Remove user:update from user role (should use owner check)
- Add service enabled check in verification send
Use database transaction for batch settings update to ensure atomicity.
If any individual update fails, the entire batch will be rolled back,
preventing partial configuration updates.
- Wrap all updates in db.Transaction()
- Return detailed error on failure
Add validation for the 'purpose' parameter in verification code requests
to ensure only allowed values are accepted.
Valid purposes: register, login, reset_password, bind
Invalid purposes will be rejected with 400 Bad Request.
Fix the logic for the code.max_daily_count setting to correctly handle:
- 0: Disable verification code service entirely
- -1: No limit on daily sends
- >0: Limit daily sends to the specified number
Previously both 0 and -1 were treated as unlimited, which was incorrect.
The documentation states 0 should disable the service.
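The purpose allow-list and the three-way meaning of code.max_daily_count described in the two commit messages above, carried into working Go. This is an added example, not the project's own code: the function and error names, the allow-list map and the order of checks are assumptions; only the four purposes and the 0 / -1 / >0 semantics come from the commits. The buggy variant is included only to show how "0 means unlimited" arises when the disabled case is not tested first.

```go
package main

import (
	"errors"
	"fmt"
)

// Allowed values for the verification code 'purpose' parameter, taken from
// the commit description; anything else is a client error (400 Bad Request).
var allowedPurposes = map[string]bool{
	"register":       true,
	"login":          true,
	"reset_password": true,
	"bind":           true,
}

var (
	ErrInvalidPurpose  = errors.New("invalid purpose") // map to 400 Bad Request
	ErrServiceDisabled = errors.New("verification code service disabled")
	ErrDailyLimit      = errors.New("daily send limit reached")
)

// ValidatePurpose rejects any purpose outside the allow-list.
func ValidatePurpose(purpose string) error {
	if !allowedPurposes[purpose] {
		return fmt.Errorf("%w: %q", ErrInvalidPurpose, purpose)
	}
	return nil
}

// CheckDailyLimit implements the documented meaning of code.max_daily_count:
//
//	 0  disable the service entirely
//	-1  no limit on daily sends
//	>0  at most that many sends per day
//
// The disabled case is tested first so 0 can never fall through to "unlimited".
func CheckDailyLimit(maxDailyCount, sentToday int) error {
	switch {
	case maxDailyCount == 0:
		return ErrServiceDisabled
	case maxDailyCount < 0:
		return nil
	case sentToday >= maxDailyCount:
		return ErrDailyLimit
	}
	return nil
}

// buggyCheckDailyLimit reconstructs the earlier behaviour the commit describes
// (0 and -1 both treated as unlimited). Not the project's code; for contrast only.
func buggyCheckDailyLimit(maxDailyCount, sentToday int) error {
	if maxDailyCount <= 0 {
		return nil
	}
	if sentToday >= maxDailyCount {
		return ErrDailyLimit
	}
	return nil
}

// AuthorizeSend is the combined gate a send handler would run before issuing
// a code: purpose first (cheap, client error), then the daily quota.
func AuthorizeSend(purpose string, maxDailyCount, sentToday int) error {
	if err := ValidatePurpose(purpose); err != nil {
		return err
	}
	return CheckDailyLimit(maxDailyCount, sentToday)
}

func main() {
	fmt.Println(AuthorizeSend("login", 5, 2))   // <nil>
	fmt.Println(AuthorizeSend("login", 0, 0))   // service disabled
	fmt.Println(AuthorizeSend("signup", -1, 0)) // invalid purpose
	fmt.Println(buggyCheckDailyLimit(0, 100))   // <nil>: the old bug, 0 read as unlimited
}
```

In a handler, `ErrInvalidPurpose` maps to 400 and the two quota errors to whatever the project uses for a refused send; `sentToday` is the per-user (or per-destination) counter the service already keeps.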
Encrypt OAuth Provider ClientSecret before storing it in the database to prevent
sensitive credential exposure in case of a database breach.
- Encrypt ClientSecret on create using cfg.Config.Key.Encrypt()
- Encrypt ClientSecret on update when provided
- Decrypt ClientSecret before use in OAuth token exchange
- Add AES-GCM encryption/decryption functions to crypto package
- Gracefully handle legacy plaintext secrets during transition
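An added Go example of the AES-GCM encrypt/decrypt pair with the legacy-plaintext fallback the commit message above describes. It is not the project's crypto package: the `enc:v1:` prefix used to tell ciphertext from legacy plaintext, the function names and the base64 layout (nonce || ciphertext || tag) are assumptions of this example; the project may mark migrated rows differently.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strings"
)

// encPrefix marks a stored value as AES-GCM ciphertext. Rows written before
// the change hold the bare plaintext secret, so a value without the prefix is
// treated as legacy plaintext. The prefix is an assumption of this example.
const encPrefix = "enc:v1:"

// EncryptSecret seals plaintext with AES-GCM under key (16, 24 or 32 bytes)
// and returns encPrefix + base64(nonce || ciphertext || tag). A fresh random
// nonce per call is what makes reusing one key across many secrets safe.
func EncryptSecret(key []byte, plaintext string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil) // nonce prepended
	return encPrefix + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptSecret reverses EncryptSecret. A value without the prefix is returned
// unchanged so legacy plaintext secrets keep working during the transition; a
// prefixed value that fails authentication is an error, never a guess.
func DecryptSecret(key []byte, stored string) (string, error) {
	if !IsEncrypted(stored) {
		return stored, nil // legacy plaintext row
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, encPrefix))
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("client secret ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", fmt.Errorf("decrypt client secret: %w", err)
	}
	return string(pt), nil
}

// IsEncrypted reports whether a stored value has already been migrated; a
// one-off job can use it to re-encrypt the remaining legacy rows.
func IsEncrypted(stored string) bool {
	return strings.HasPrefix(stored, encPrefix)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte demo key
	enc, err := EncryptSecret(key, "client-secret-demo")
	if err != nil {
		panic(err)
	}
	dec, _ := DecryptSecret(key, enc)
	fmt.Println(IsEncrypted(enc), dec)
}
```

The update path follows from the same two calls: encrypt only when a new ClientSecret is supplied, and decrypt just before the token exchange so the plaintext never sits in the row. Once every row reports `IsEncrypted`, the plaintext fallback in `DecryptSecret` can be removed.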
Fix a bug where the count variable was not reset before checking
email and phone uniqueness. This could cause false positives if
a previous check had count > 0, incorrectly reporting that email
or phone already exists when they don't.
- Reset count to 0 before email check
- Reset count to 0 before phone check
Add permission check in settings update API to ensure only admin users
can modify system settings. This fixes a security vulnerability where
any authenticated user could modify critical configurations.
- Check 'setting:update' permission before allowing updates
- Return 403 Forbidden for non-admin users
- Replace separate DB/DSN fields with unified config.Database struct
- Remove cfg/db.go and move DB client to config.Database.Client()
- Update auth to use event-driven initialization via vb.init.auth event
- Refactor models initialization to use event system (vb.init.settings/oauth/admin)
- Update CLI to use event.Start() instead of manual InitDB() call
- Fix auth_test.go to use new DB config structure
- Update agents.md documentation with new CLI flags format