- Add PermissionInput struct with scope, permission_id, and level fields
- Support adding permissions individually with custom scope and level
- Support removing permissions by ID via dedicated remove field
- Keep legacy replace mode for backward compatibility
- Default level to 7 (admin) and scope to "vb" when not specified
- Add GET /{id}/users endpoint for paginated role user listing
- Add PUT /{id}/users endpoint for batch role user assignment
- Use transaction to atomically sync user-role associations
- Prevent modification of system role user assignments
- Remove scope parameter from VBase constructor
- Add _ensureAuth with smart refresh logic (refresh if stale >12min)
- Add background token refresh timer (every 12 minutes)
- Add centralized onAuthSuccess handler for all login flows
- Remove axios response interceptor from env.js
- Clean up timer and state on clear()
- Change login to call IncrTokenVersion instead of GetTokenVersion
- Add IncrTokenVersion public function wrapping incrTokenVersion
- Existing tokens become invalid when user logs in again
- Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft
- Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh
- Implement strict refresh token rotation: version must match exactly, increment on each refresh
- Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields
- Remove session-based token tracking and cache blacklist in favor of version increment revocation
- Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client
- Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach
- Add CookiePath config option and change default access token expiry from 24h to 15min
- Update Vigo app initialization to use functional options pattern
- Add empty-body cookie read fallback in refresh endpoint
- Add `OnUserCreate` hook variable in `cfg/cfg.go` for custom callbacks
- Invoke `OnUserCreate` after successful user registration in `api/auth/register.go`
- Log warning when user creation hook fails
- Rename $mod.$vbase to $mod.$auth in env.js initialization
- Add guard condition to prevent duplicate VBase initialization
- Update all page and layout templates to use $auth instead of $vbase
- Update route guard in routes.js to reference $mod.$auth
- Add shared users cache object to VBase constructor
- Add User(id) API for reactive user info lookup
- Implement _flushUserRequests for batch POST /api/auth/users
- Cache and sync current user into shared users cache
- Clear users cache on logout
- Add POST /api/auth/users endpoint for batch user query
- Add IDs filter to SearchUsersRequest for batch lookup
- Add Name and Icon fields to PublicUserInfo response
- Implement searchUsersByIDs with deduplication and ordering
- Extract buildPublicUserInfo helper for consistent public info mapping
- Replace $env.$vbase with $mod.$vbase in callback.html OAuth handlers
- Update login.html to use $mod.$vbase for login/register API calls
- Update profile.html to use $mod.$vbase for user data and logout
- Fix OAuth providers page to reference $mod.$vbase correctly
- Move beforeEnter router guard logic from env.js to routes.js export function
- Update $env references to $mod in env.js, ico.html, and layout/default.html
- Export routes as function that receives $mod context for dependency injection
- Remove router guard from env.js initialization module
- Move VBaseProvider initialization from init() to Init() function
- Move role initialization (admin/user) from api/init.go to Init()
- Remove global VBaseProvider variable reference from tests
- Use NewAuth factory function instead of direct auth.Factory.New call
- Add jwt package import for token parsing
- Add private ctxKeyTokenParsed constant to track parse status
- Remove unused VBaseProvider variable
- Rewrite UserID method with lazy token parsing logic
- Check cached token status to avoid repeated parsing
- Extract and parse token from request when needed
- Validate token type is access token
- Cache userID and parsed status in request context
- Rename appAuth to vbaseProvider implementing auth.Provider interface
- Replace auth.VBaseAuth with cfg.Auth (auth.Auth struct) for middleware
- Add global cfg.Auth instance with SetProvider injection in init.go
- Update all API handlers to use cfg.Auth.RequireXxx instead of PermXxx
- Update tests to use cfg.Auth for permission checks
- Remove Login/Perm methods from Provider (now in auth.Auth struct)
- Add role detail dialog with tabs for permissions and users
- Implement permission selector with level badges (create/read/write/admin)
- Add user management with avatar display and search functionality
- Add i18n translations for new role management features
- Update default DB charset from utf8 to utf8mb4
- Return false instead of throwing error when no refresh token exists
- Prevent logout on refresh error, just log warning and return false
- Avoid throwing errors that could break the application flow
- Fix hardcoded table name 'user_roles' to use GORM model for proper table prefix support
- Simplify permission ID format from 'scope:roleCode:permission:level' to 'scope:permission:level'
- Update comments to reflect the new ID format
- Add Scope and Level fields to UserPermissionInfo response
- Include role-based permissions in /auth/me endpoint
- Implement diff-based permission sync for role initialization
- Remove Scope field from Role model queries (create, patch, grant)
- Add permission-based route guards in UI (perm: '*')
- Fix register to return error on default role assignment failure
- Fix token refresh to only fetch user when token exists
- Fix code formatting in api/init.go (remove extra spaces)
- Add DB.Prefix "vb_" to cfg.DB config for global table prefix
- Remove TableName() methods from all models (User, Role, Permission, etc.)
- Remove Role.Scope field and its unique index with Code
- Let GORM auto-generate table names with configured prefix
- Add profile editing with avatar, nickname, email, phone fields
- Add identity providers section for OAuth account binding
- Add account security section with password change
- Add new i18n translations for profile and auth pages
- Update vbase.js with improved error handling and user info refresh
- Include ico component in default layout
- Add Phone field to UserInfoWithPerms response struct
- Add Phone to UpdateMeRequest for profile updates
- Include phone in user info query and update handlers
- Add new OAuth callback page with loading states and error handling
- Create reusable icon component (ico.html) for SVG icons
- Remove deprecated public.html layout, merge into default
- Update login page with improved third-party auth integration
- Add i18n translations for OAuth-related messages
- Update routes to include callback page and handle auth redirects
- Enhance vbase.js with OAuth utilities and token management
- Add random avatar generation for new users in register
- Fix OAuth state parsing with type assertions and error handling
- Add TempToken field to CallbackResponse for bind flow
- Implement dynamic redirect URI resolution with X-Forwarded headers support
- Add memory cache fallback when Redis is unavailable
- Change default port from 4001 to 4000 in Makefile
- Add new settings page with application, auth, security, email, SMS configuration
- Add OAuth identity providers management page with CRUD operations
- Update login page to support dynamic OAuth providers and verification code login
- Add navigation menu items for settings and OAuth providers
- Add i18n translations for settings and OAuth provider management
- Add routes for /settings and /oauth/providers pages
- Change BindMode from bool to *bool in thirdparty auth for proper optional handling
- Change Error field from string to *string in OAuth callback request
- Change Email and Phone to *string pointers in bind with register request
- Add public /api/info endpoint for frontend configuration
- Update OAuth token request to use pointers for optional code and refresh_token
- Add desc tags to various request struct fields for API documentation
- Fix path parameter binding with explicit @code suffix for OAuth providers
- Change Description field to *string pointer in role creation
- Change Category field to *string pointer in settings list
- Merge login and register into single page with sliding animation
- Add dual login modes: username/password and verification code
- Add OAuth buttons for GitHub, WeChat, Google (placeholder)
- Add animated bubble background effect
- Implement responsive design for mobile devices
- Add comprehensive i18n translations for auth flows
- Remove separate register.html page
- Update routes to use new unified auth page
- Remove local Auth interface definition from auth/auth.go
- Import and use pub.Auth from github.com/veypi/vigo/contrib/auth
- Update authFactory.New() to return pub.Auth type
- Add compile-time type check: var _ pub.Auth = &appAuth{}
- Update go.mod dependencies (add redis, update gorm, remove aliyun sms)
- Remove org-related test cases from edge_case_test.go
- Remove OrgResp type from main_test.go
- Update none_auth_test removing org endpoints
- Add permission grants in OAuth tests for proper access control
- Fix race condition tests with retry logic for SQLite locking
- Update resource_perm_test to accept 401 or 403 status codes
- Add new role_access_test.go for role API permission testing
- Add new scoped_auth_test.go for scoped permission testing
- Update API endpoints to use scoped permission codes (e.g., role:*)
- Fix role list scope parameter to use pointer type
- Add Options type alias in init.go for external use
- Remove org-related cache functions from libs/cache
- Add validatePermission function to check depth/level consistency
- Validate permission codes in Perm, Grant, and Check methods
- LevelCreate requires odd depth, other levels require even depth
- Update design.md examples from org to app/role model
- Add RoleID field to Permission struct documentation
- Delete org API endpoints (add_member, create, del, get, list, member, patch, tree)
- Delete models/org.go and remove Org/OrgMember models
- Delete org-related test files (org_crud, org_load_middleware, org_permission, multi_tenant)
- Delete org test scripts (03_org_permission.sh, 04_org_load_middleware.sh)
- Simplify auth/auth.go by removing org context and role loading logic
- Remove org claims from JWT tokens and login/register responses
- Redesign Permission model with hierarchical level-based access control
- Add auth/design.md with new permission system specification
- Update user and role APIs to work without org context
- Replace GetUserID/GetOrgID with VBaseAuth.UserID/OrgID methods across all APIs
- Integrate vigoauth.Auth interface into appAuth for standard auth methods
- Move AuthMiddleware to PermLogin method in auth package
- Add role management methods: GetRole, ListRoles, GrantRoles, RevokeRoles, ListUserRoles
- Update ListUserPermissions and ListResourceUsers to return vigoauth types
- Export Redis client in cfg package
- Simplify app initialization by separating vigo.New in cli/main.go
- Remove deprecated auth/middleware.go file
- Rename cfg.Config to cfg.Global for consistency
- Simplify cli/main.go to use vbase.App.Run() pattern
- Update init.go to create app with vigo.New and Init function
- Update all references from cfg.Config to cfg.Global across api, libs, models, and tests
- Fix VBase constructor parameter order in ui/vbase.js
- Update ui/env.js to use new VBase('vb', '/') initialization
veypi