- Add shared users cache object to VBase constructor
- Add User(id) API for reactive user info lookup
- Implement _flushUserRequests for batch POST /api/auth/users
- Cache and sync current user into shared users cache
- Clear users cache on logout
- Add POST /api/auth/users endpoint for batch user query
- Add IDs filter to SearchUsersRequest for batch lookup
- Add Name and Icon fields to PublicUserInfo response
- Implement searchUsersByIDs with deduplication and ordering
- Extract buildPublicUserInfo helper for consistent public info mapping
- Replace $env.$vbase with $mod.$vbase in callback.html OAuth handlers
- Update login.html to use $mod.$vbase for login/register API calls
- Update profile.html to use $mod.$vbase for user data and logout
- Fix OAuth providers page to reference $mod.$vbase correctly
- Move beforeEnter router guard logic from env.js to routes.js export function
- Update $env references to $mod in env.js, ico.html, and layout/default.html
- Export routes as function that receives $mod context for dependency injection
- Remove router guard from env.js initialization module
- Move VBaseProvider initialization from init() to Init() function
- Move role initialization (admin/user) from api/init.go to Init()
- Remove global VBaseProvider variable reference from tests
- Use NewAuth factory function instead of direct auth.Factory.New call
- Add jwt package import for token parsing
- Add private ctxKeyTokenParsed constant to track parse status
- Remove unused VBaseProvider variable
- Rewrite UserID method with lazy token parsing logic
- Check cached token status to avoid repeated parsing
- Extract and parse token from request when needed
- Validate token type is access token
- Cache userID and parsed status in request context
- Rename appAuth to vbaseProvider implementing auth.Provider interface
- Replace auth.VBaseAuth with cfg.Auth (auth.Auth struct) for middleware
- Add global cfg.Auth instance with SetProvider injection in init.go
- Update all API handlers to use cfg.Auth.RequireXxx instead of PermXxx
- Update tests to use cfg.Auth for permission checks
- Remove Login/Perm methods from Provider (now in auth.Auth struct)
- Add role detail dialog with tabs for permissions and users
- Implement permission selector with level badges (create/read/write/admin)
- Add user management with avatar display and search functionality
- Add i18n translations for new role management features
- Update default DB charset from utf8 to utf8mb4
- Return false instead of throwing error when no refresh token exists
- Prevent logout on refresh error, just log warning and return false
- Avoid throwing errors that could break the application flow
- Fix hardcoded table name 'user_roles' to use GORM model for proper table prefix support
- Simplify permission ID format from 'scope:roleCode:permission:level' to 'scope:permission:level'
- Update comments to reflect the new ID format
- Add Scope and Level fields to UserPermissionInfo response
- Include role-based permissions in /auth/me endpoint
- Implement diff-based permission sync for role initialization
- Remove Scope field from Role model queries (create, patch, grant)
- Add permission-based route guards in UI (perm: '*')
- Fix register to return error on default role assignment failure
- Fix token refresh to only fetch user when token exists
- Fix code formatting in api/init.go (remove extra spaces)
- Add DB.Prefix "vb_" to cfg.DB config for global table prefix
- Remove TableName() methods from all models (User, Role, Permission, etc.)
- Remove Role.Scope field and its unique index with Code
- Let GORM auto-generate table names with configured prefix
- Add profile editing with avatar, nickname, email, phone fields
- Add identity providers section for OAuth account binding
- Add account security section with password change
- Add new i18n translations for profile and auth pages
- Update vbase.js with improved error handling and user info refresh
- Include ico component in default layout
- Add Phone field to UserInfoWithPerms response struct
- Add Phone to UpdateMeRequest for profile updates
- Include phone in user info query and update handlers
- Add new OAuth callback page with loading states and error handling
- Create reusable icon component (ico.html) for SVG icons
- Remove deprecated public.html layout, merge into default
- Update login page with improved third-party auth integration
- Add i18n translations for OAuth-related messages
- Update routes to include callback page and handle auth redirects
- Enhance vbase.js with OAuth utilities and token management
- Add random avatar generation for new users in register
- Fix OAuth state parsing with type assertions and error handling
- Add TempToken field to CallbackResponse for bind flow
- Implement dynamic redirect URI resolution with X-Forwarded headers support
- Add memory cache fallback when Redis is unavailable
- Change default port from 4001 to 4000 in Makefile
- Add new settings page with application, auth, security, email, SMS configuration
- Add OAuth identity providers management page with CRUD operations
- Update login page to support dynamic OAuth providers and verification code login
- Add navigation menu items for settings and OAuth providers
- Add i18n translations for settings and OAuth provider management
- Add routes for /settings and /oauth/providers pages
- Change BindMode from bool to *bool in thirdparty auth for proper optional handling
- Change Error field from string to *string in OAuth callback request
- Change Email and Phone to *string pointers in bind with register request
- Add public /api/info endpoint for frontend configuration
- Update OAuth token request to use pointers for optional code and refresh_token
- Add desc tags to various request struct fields for API documentation
- Fix path parameter binding with explicit @code suffix for OAuth providers
- Change Description field to *string pointer in role creation
- Change Category field to *string pointer in settings list
- Merge login and register into single page with sliding animation
- Add dual login modes: username/password and verification code
- Add OAuth buttons for GitHub, WeChat, Google (placeholder)
- Add animated bubble background effect
- Implement responsive design for mobile devices
- Add comprehensive i18n translations for auth flows
- Remove separate register.html page
- Update routes to use new unified auth page
- Remove local Auth interface definition from auth/auth.go
- Import and use pub.Auth from github.com/veypi/vigo/contrib/auth
- Update authFactory.New() to return pub.Auth type
- Add compile-time type check: var _ pub.Auth = &appAuth{}
- Update go.mod dependencies (add redis, update gorm, remove aliyun sms)
- Remove org-related test cases from edge_case_test.go
- Remove OrgResp type from main_test.go
- Update none_auth_test removing org endpoints
- Add permission grants in OAuth tests for proper access control
- Fix race condition tests with retry logic for SQLite locking
- Update resource_perm_test to accept 401 or 403 status codes
- Add new role_access_test.go for role API permission testing
- Add new scoped_auth_test.go for scoped permission testing
- Update API endpoints to use scoped permission codes (e.g., role:*)
- Fix role list scope parameter to use pointer type
- Add Options type alias in init.go for external use
- Remove org-related cache functions from libs/cache
- Add validatePermission function to check depth/level consistency
- Validate permission codes in Perm, Grant, and Check methods
- LevelCreate requires odd depth, other levels require even depth
- Update design.md examples from org to app/role model
- Add RoleID field to Permission struct documentation
- Delete org API endpoints (add_member, create, del, get, list, member, patch, tree)
- Delete models/org.go and remove Org/OrgMember models
- Delete org-related test files (org_crud, org_load_middleware, org_permission, multi_tenant)
- Delete org test scripts (03_org_permission.sh, 04_org_load_middleware.sh)
- Simplify auth/auth.go by removing org context and role loading logic
- Remove org claims from JWT tokens and login/register responses
- Redesign Permission model with hierarchical level-based access control
- Add auth/design.md with new permission system specification
- Update user and role APIs to work without org context
- Replace GetUserID/GetOrgID with VBaseAuth.UserID/OrgID methods across all APIs
- Integrate vigoauth.Auth interface into appAuth for standard auth methods
- Move AuthMiddleware to PermLogin method in auth package
- Add role management methods: GetRole, ListRoles, GrantRoles, RevokeRoles, ListUserRoles
- Update ListUserPermissions and ListResourceUsers to return vigoauth types
- Export Redis client in cfg package
- Simplify app initialization by separating vigo.New in cli/main.go
- Remove deprecated auth/middleware.go file
- Rename cfg.Config to cfg.Global for consistency
- Simplify cli/main.go to use vbase.App.Run() pattern
- Update init.go to create app with vigo.New and Init function
- Update all references from cfg.Config to cfg.Global across api, libs, models, and tests
- Fix VBase constructor parameter order in ui/vbase.js
- Update ui/env.js to use new VBase('vb', '/') initialization
- Add scope parameter to VBase constructor for multi-tenant support
- Replace hasPermission with checkPerm, checkPermOnResource, checkPermAny, checkPermAll
- Implement _isAdmin check for global wildcard permissions (*:*)
- Add _matchPermission with wildcard support (resource:*, *:*)
- Remove default 404 page from vrouter in root.html
- Add UserPermissionInfo and UserInfoWithPerms structs for detailed user info
- Extend /auth/me to return user permissions and global roles
- Remove unused isAdmin helper method from auth.go
- Update updateMe to return UserInfoWithPerms for consistency
- Add OAuth client CRUD and access control tests
- Add organization CRUD, tree and access control tests
- Add role CRUD, access control and system role protection tests
- Remove user:read permission from default user role
- Add project overview with tech stack (Go 1.24+, Vigo framework, GORM)
- Document common commands (make run, db operations, tests)
- Describe onion model request flow and middleware stages
- Explain RBAC permission system format and usage
- Document multi-tenancy patterns (B2C/B2B/Platform)
- Add API response format and error code conventions
- Include Vigo handler pattern with parameter binding
- Document vhtml frontend structure
- Add /api/auth/users endpoint for authenticated users to search other users
- Only return public info (id, username, nickname, avatar) in search results
- Change /api/user routes to require user:admin permission instead of user:read
- Update auth tests to use /api/auth/me for self updates
- Add tests for new user search endpoint
- Add tests/README.md with comprehensive documentation for running and adding tests
- Change TestDBFile from file-based 'test.db' to in-memory 'file::memory:?cache=shared'
- Remove file cleanup in setup() and teardown() functions since memory database requires no cleanup
- Simplify setup() by removing comments and streamlining database configuration
- Move and split 'auth/auth_test.go' into the 'tests/' directory
- Add 'tests/main_test.go' for global test suite setup
- Add 'tests/helpers_test.go' for shared test utilities
- Create separate test files for different auth scenarios ('auth_test.go', 'none_auth_test.go')
- Add focused tests for org permissions and middleware ('org_permission_test.go', 'resource_perm_test.go', 'org_load_middleware_test.go')
- Add 'clean_run.sh' script to reset database and restart server for clean test environment
- Update 'README.md' with detailed troubleshooting guide and pitfalls
- Add '04_org_load_middleware.sh' to test LoadOrg middleware functionality
- Update 'run_all.sh' to include new middleware test
- Fix BASE_URL handling in 'lib.sh' and test scripts to support custom environments
- Update '02_resource_perm.sh' to fix admin permission checks
- Remove debug logging from 'auth.go'
- Add 00_none_auth.sh for unauthenticated access testing
- Replace 01_basic_auth.sh with 01_setup_users.sh for comprehensive user setup
- Replace 02_user_permission.sh with 02_resource_perm.sh for cross-user permission tests
- Update lib.sh to handle non-numeric code fields in response
- Update README.md with new test structure and usage instructions
- Update run_all.sh with new test sequence
- Fix owner ID lookup to prioritize PathParams and Query over Context
- Prevent incorrect owner match when context contains current user ID
- Reset InitAdmin.Password to empty so first registered user becomes admin
- Fix api request functions to use array-based curl options
- Fix token refresh to use refresh_token instead of access_token
- Fix string comparison operator from == to =
- Add get_refresh_token helper function
- Handle empty response in check_http_code
- Update README with new functions and correct command syntax
- Remove set -e from lib.sh to avoid premature exits
- Add api/org/add_member.go for adding organization members
- Register POST /api/orgs/{id}/members endpoint
- Fix PermWithOwner to check owner before permission
- Remove user:update from user role (should use owner check)
- Add service enabled check in verification send
veypi