- Replace global user token version with per-session versioning in JWT claims
- Add session CRUD operations with DB + Redis dual-write caching strategy
- Create/list/revoke individual sessions and batch revoke other sessions
- Update login flow to create sessions with device info and IP extraction
- Update refresh flow to validate and rotate session-level token version
- Update logout to revoke only the current session instead of all tokens
- Add session management UI page with device/browser detection and relative time display
- Add i18n keys for session management in both Chinese and English
- Add sessions route and navigation menu items in both default and icon layouts
- Add validateRegisterCode function to verify codes during registration
- Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder
- Make cookie names configurable via JWT CookiePrefix setting
- Rename login type "phone" to "sms" for consistency
- Add 1-minute TTL cache for setting values
- Add $fetch wrapper replacing raw fetch calls across all UI pages
- Add verification code inputs with countdown send buttons to register UI
- Move CSS/JS assets from root.html to auth and default layouts
- Add scope parameter to VBase permission check methods
- Add i18n entries for verification code messages (zh/en)
- Fix route guard to use next('/403') instead of router.push
- Replace permission selector dialog with inline add form (scope/id/level)
- Replace per-user role API calls with batch PUT /api/roles/{id}/users
- Add isLogin() async method with lazy _ensureAuth initialization
- Clean up login page CSS: replace hardcoded colors with CSS variables
- Add Chrome autofill style override for dark theme support
- Use @submit.prevent instead of manual e.preventDefault()
- Remove redundant inline comments from script sections
- Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft
- Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh
- Implement strict refresh token rotation: version must match exactly, increment on each refresh
- Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields
- Remove session-based token tracking and cache blacklist in favor of version increment revocation
- Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client
- Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach
- Add CookiePath config option and change default access token expiry from 24h to 15min
- Update Vigo app initialization to use functional options pattern
- Add empty-body cookie read fallback in refresh endpoint
- Rename $mod.$vbase to $mod.$auth in env.js initialization
- Add guard condition to prevent duplicate VBase initialization
- Update all page and layout templates to use $auth instead of $vbase
- Update route guard in routes.js to reference $mod.$auth
- Replace $env.$vbase with $mod.$vbase in callback.html OAuth handlers
- Update login.html to use $mod.$vbase for login/register API calls
- Update profile.html to use $mod.$vbase for user data and logout
- Fix OAuth providers page to reference $mod.$vbase correctly
- Add role detail dialog with tabs for permissions and users
- Implement permission selector with level badges (create/read/write/admin)
- Add user management with avatar display and search functionality
- Add i18n translations for new role management features
- Update default DB charset from utf8 to utf8mb4
- Add profile editing with avatar, nickname, email, phone fields
- Add identity providers section for OAuth account binding
- Add account security section with password change
- Add new i18n translations for profile and auth pages
- Update vbase.js with improved error handling and user info refresh
- Include ico component in default layout
- Add new OAuth callback page with loading states and error handling
- Create reusable icon component (ico.html) for SVG icons
- Remove deprecated public.html layout, merge into default
- Update login page with improved third-party auth integration
- Add i18n translations for OAuth-related messages
- Update routes to include callback page and handle auth redirects
- Enhance vbase.js with OAuth utilities and token management
- Add new settings page with application, auth, security, email, SMS configuration
- Add OAuth identity providers management page with CRUD operations
- Update login page to support dynamic OAuth providers and verification code login
- Add navigation menu items for settings and OAuth providers
- Add i18n translations for settings and OAuth provider management
- Add routes for /settings and /oauth/providers pages
- Merge login and register into single page with sliding animation
- Add dual login modes: username/password and verification code
- Add OAuth buttons for GitHub, WeChat, Google (placeholder)
- Add animated bubble background effect
- Implement responsive design for mobile devices
- Add comprehensive i18n translations for auth flows
- Remove separate register.html page
- Update routes to use new unified auth page
- Rename cfg.Config to cfg.Global for consistency
- Simplify cli/main.go to use vbase.App.Run() pattern
- Update init.go to create app with vigo.New and Init function
- Update all references from cfg.Config to cfg.Global across api, libs, models, and tests
- Fix VBase constructor parameter order in ui/vbase.js
- Update ui/env.js to use new VBase('vb', '/') initialization
veypi