lafay
15e7c99353
chore(config): update allowed origins from bbs to withyou domain
...
Build Backend / build (push) Failing after 46s
Build Backend / build-docker (push) Has been skipped
Update WebSocket and CORS allowed origins to reflect the project rename from "Carrot BBS" to "WithYou", changing bbs.littlelan.cn to withyou.littlelan.cn.
2026-04-22 16:40:11 +08:00
lafay
bdfcbdadea
fix(cors): add admin.littlelan.cn and browser.littlelan.cn, support *.littlelan.cn subdomains
Build Backend / build (push) Successful in 12m24s
Build Backend / build-docker (push) Successful in 13m8s
2026-03-19 22:46:21 +08:00
lafay
b0f209fdf8
fix(security): security audit fixes for API vulnerabilities
...
Build Backend / build (push) Successful in 4m47s
Build Backend / build-docker (push) Successful in 2m22s
Security fixes:
- Fix sensitive data exposure: UserResponse no longer contains email/phone
- Add UserSelfResponse for authenticated user's own data
- Protect Gorse endpoints with admin role requirement
- Add rate limiting (10 req/min) to auth endpoints
- Fix CORS configuration to use allowed origins list
- Add pagination parameter validation (max 100 per page)
Changes:
- dto/dto.go: Add UserSelfResponse type
- dto/user_converter.go: Add ConvertUserToSelfResponse
- handler/user_handler.go: Use secure response types
- middleware/cors.go: Implement origin whitelist
- middleware/ratelimit.go: Enhance rate limiter
- router/router.go: Add auth rate limit, protect Gorse
- service/admin_*.go: Use ConvertUserToResponse
2026-03-19 13:49:51 +08:00
lan
86ef150fec
Replace websocket flow with SSE support in backend.
...
Update handlers, services, router, and data conversion logic to support server-sent events and related message pipeline changes.
Made-with: Cursor
2026-03-10 12:58:23 +08:00
lan
4d8f2ec997
Initial backend repository commit.
...
Set up project files and add .gitignore to exclude local build/runtime artifacts.
Made-with: Cursor
2026-03-09 21:28:58 +08:00