fix(security): security audit fixes for API vulnerabilities
Security fixes: - Fix sensitive data exposure: UserResponse no longer contains email/phone - Add UserSelfResponse for authenticated user's own data - Protect Gorse endpoints with admin role requirement - Add rate limiting (10 req/min) to auth endpoints - Fix CORS configuration to use allowed origins list - Add pagination parameter validation (max 100 per page) Changes: - dto/dto.go: Add UserSelfResponse type - dto/user_converter.go: Add ConvertUserToSelfResponse - handler/user_handler.go: Use secure response types - middleware/cors.go: Implement origin whitelist - middleware/ratelimit.go: Enhance rate limiter - router/router.go: Add auth rate limit, protect Gorse - service/admin_*.go: Use ConvertUserToResponse
This commit is contained in:
@@ -113,8 +113,9 @@ func (r *Router) setupRoutes() {
|
||||
// API v1
|
||||
v1 := r.engine.Group("/api/v1")
|
||||
{
|
||||
// 认证路由(公开)
|
||||
// 认证路由(公开,需要速率限制)
|
||||
auth := v1.Group("/auth")
|
||||
auth.Use(middleware.RateLimit(10)) // 每分钟最多10次请求
|
||||
{
|
||||
auth.POST("/register", r.userHandler.Register)
|
||||
auth.POST("/register/send-code", r.userHandler.SendRegisterCode)
|
||||
@@ -385,9 +386,11 @@ func (r *Router) setupRoutes() {
|
||||
}
|
||||
}
|
||||
|
||||
// Gorse 管理路由
|
||||
// Gorse 管理路由(需要管理员权限)
|
||||
if r.gorseHandler != nil {
|
||||
gorseGroup := v1.Group("/gorse")
|
||||
gorseGroup.Use(authMiddleware)
|
||||
gorseGroup.Use(middleware.RequireRole(r.casbinService, model.RoleAdmin, model.RoleSuperAdmin))
|
||||
{
|
||||
gorseGroup.GET("/status", r.gorseHandler.GetStatus)
|
||||
gorseGroup.POST("/import", r.gorseHandler.ImportData)
|
||||
|
||||
Reference in New Issue
Block a user