- Replace permission selector dialog with inline add form (scope/id/level)
- Replace per-user role API calls with batch PUT /api/roles/{id}/users
- Add isLogin() async method with lazy _ensureAuth initialization
- Clean up login page CSS: replace hardcoded colors with CSS variables
- Add Chrome autofill style override for dark theme support
- Use @submit.prevent instead of manual e.preventDefault()
- Remove redundant inline comments from script sections
- Remove scope parameter from VBase constructor
- Add _ensureAuth with smart refresh logic (refresh if stale >12min)
- Add background token refresh timer (every 12 minutes)
- Add centralized onAuthSuccess handler for all login flows
- Remove axios response interceptor from env.js
- Clean up timer and state on clear()
- Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft
- Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh
- Implement strict refresh token rotation: version must match exactly, increment on each refresh
- Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields
- Remove session-based token tracking and cache blacklist in favor of version increment revocation
- Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client
- Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach
- Add CookiePath config option and change default access token expiry from 24h to 15min
- Update Vigo app initialization to use functional options pattern
- Add empty-body cookie read fallback in refresh endpoint
- Add shared users cache object to VBase constructor
- Add User(id) API for reactive user info lookup
- Implement _flushUserRequests for batch POST /api/auth/users
- Cache and sync current user into shared users cache
- Clear users cache on logout
- Return false instead of throwing error when no refresh token exists
- Prevent logout on refresh error, just log warning and return false
- Avoid throwing errors that could break the application flow
- Add Scope and Level fields to UserPermissionInfo response
- Include role-based permissions in /auth/me endpoint
- Implement diff-based permission sync for role initialization
- Remove Scope field from Role model queries (create, patch, grant)
- Add permission-based route guards in UI (perm: '*')
- Fix register to return error on default role assignment failure
- Fix token refresh to only fetch user when token exists
- Fix code formatting in api/init.go (remove extra spaces)
- Add profile editing with avatar, nickname, email, phone fields
- Add identity providers section for OAuth account binding
- Add account security section with password change
- Add new i18n translations for profile and auth pages
- Update vbase.js with improved error handling and user info refresh
- Include ico component in default layout
- Add new OAuth callback page with loading states and error handling
- Create reusable icon component (ico.html) for SVG icons
- Remove deprecated public.html layout, merge into default
- Update login page with improved third-party auth integration
- Add i18n translations for OAuth-related messages
- Update routes to include callback page and handle auth redirects
- Enhance vbase.js with OAuth utilities and token management
- Rename cfg.Config to cfg.Global for consistency
- Simplify cli/main.go to use vbase.App.Run() pattern
- Update init.go to create app with vigo.New and Init function
- Update all references from cfg.Config to cfg.Global across api, libs, models, and tests
- Fix VBase constructor parameter order in ui/vbase.js
- Update ui/env.js to use new VBase('vb', '/') initialization
- Add scope parameter to VBase constructor for multi-tenant support
- Replace hasPermission with checkPerm, checkPermOnResource, checkPermAny, checkPermAll
- Implement _isAdmin check for global wildcard permissions (*:*)
- Add _matchPermission with wildcard support (resource:*, *:*)
- Remove default 404 page from vrouter in root.html
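
The version scheme named in the entries above (claims reduced to UserID + Type + Version, ±1 tolerance, strict refresh rotation, revocation by version increment), as an added Go example that is not the project's own code. Assumptions: an in-memory map stands in for Redis, the ±1 tolerance is read as applying to access tokens only, and the names `Store`, `CheckAccess`, `Refresh` and `Revoke` are hypothetical.

```go
package main

import (
	"fmt"
	"sync"
)

type Claims struct { // the slim claim set named in the changelog
	UserID, Type string // Type is "access" or "refresh"
	Version      int64
}

// Store is an in-memory stand-in for the Redis version counter (assumption).
type Store struct {
	mu  sync.Mutex
	ver map[string]int64
}

// CheckAccess tolerates a drift of one, so a tab holding the previous token survives a refresh elsewhere.
func (s *Store) CheckAccess(c Claims) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	d := s.ver[c.UserID] - c.Version
	return c.Type == "access" && d >= -1 && d <= 1
}

// Refresh is strict: exact version match only, incremented on success, so a replayed token fails.
func (s *Store) Refresh(c Claims) (Claims, Claims, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if c.Type != "refresh" || c.Version != s.ver[c.UserID] {
		return Claims{}, Claims{}, false
	}
	s.ver[c.UserID]++
	v := s.ver[c.UserID]
	return Claims{c.UserID, "access", v}, Claims{c.UserID, "refresh", v}, true
}

// Revoke bumps by 2 (assumption): a bump of 1 would leave live access tokens inside the tolerance.
func (s *Store) Revoke(user string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.ver[user] += 2
}

func main() {
	s := &Store{ver: map[string]int64{}}
	fmt.Println(s.Refresh(Claims{"u1", "refresh", 0}))
}
```

With a shared store such as Redis, the compare-and-increment in `Refresh` has to be a single atomic operation, otherwise two tabs can both pass the exact-match check.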