feat: auth service + security audit fixes + cleanup legacy services
Major changes:
- Add auth-svc: JWT auth, register/login/refresh, password reset
- Add auth UI: modals, pages (/login, /register, /forgot-password)
- Add usage tracking (usage_metrics table, daily limits)
- Add tiered rate limiting (free/pro/business)
- Add LLM usage limits per tier
Security fixes:
- All repos now require userID for Update/Delete operations
- JWT middleware in chat-svc, llm-svc, agent-svc, discover-svc
- ErrNotFound/ErrForbidden errors for proper access control
Cleanup:
- Remove legacy TypeScript services/ directory
- Remove computer-svc (to be reimplemented)
- Remove old deploy/docker configs
New files:
- backend/cmd/auth-svc/main.go
- backend/internal/auth/{types,repository}.go
- backend/internal/usage/{types,repository}.go
- backend/pkg/middleware/{llm_limits,ratelimit_tiered}.go
- backend/webui/src/components/auth/*
- backend/webui/src/app/(auth)/*
Made-with: Cursor
This commit is contained in:
home
@@ -181,7 +181,10 @@ func main() {
|
||||
return c.Status(403).JSON(fiber.Map{"error": "Access denied"})
|
||||
}
|
||||
|
||||
messages, _ := threadRepo.GetMessages(c.Context(), threadID, 100, 0)
|
||||
messages, err := threadRepo.GetMessages(c.Context(), threadID, userID, 100, 0)
|
||||
if err != nil && err != db.ErrForbidden {
|
||||
return c.Status(500).JSON(fiber.Map{"error": "Failed to get messages"})
|
||||
}
|
||||
thread.Messages = messages
|
||||
|
||||
return c.JSON(thread)
|
||||
@@ -225,12 +228,15 @@ func main() {
|
||||
TokensUsed: req.TokensUsed,
|
||||
}
|
||||
|
||||
if err := threadRepo.AddMessage(c.Context(), msg); err != nil {
|
||||
if err := threadRepo.AddMessage(c.Context(), msg, userID); err != nil {
|
||||
if err == db.ErrForbidden {
|
||||
return c.Status(403).JSON(fiber.Map{"error": "Access denied"})
|
||||
}
|
||||
return c.Status(500).JSON(fiber.Map{"error": "Failed to add message"})
|
||||
}
|
||||
|
||||
if thread.Title == "New Thread" && req.Role == "user" {
|
||||
threadRepo.GenerateTitle(c.Context(), threadID, req.Content)
|
||||
threadRepo.GenerateTitle(c.Context(), threadID, req.Content, userID)
|
||||
}
|
||||
|
||||
return c.Status(201).JSON(msg)
|
||||
@@ -250,7 +256,10 @@ func main() {
|
||||
}
|
||||
|
||||
shareID := generateShareID()
|
||||
if err := threadRepo.SetShareID(c.Context(), threadID, shareID); err != nil {
|
||||
if err := threadRepo.SetShareID(c.Context(), threadID, shareID, userID); err != nil {
|
||||
if err == db.ErrNotFound {
|
||||
return c.Status(404).JSON(fiber.Map{"error": "Thread not found"})
|
||||
}
|
||||
return c.Status(500).JSON(fiber.Map{"error": "Failed to share thread"})
|
||||
}
|
||||
|
||||
@@ -264,16 +273,10 @@ func main() {
|
||||
threadID := c.Params("id")
|
||||
userID := middleware.GetUserID(c)
|
||||
|
||||
thread, err := threadRepo.GetByID(c.Context(), threadID)
|
||||
if err != nil || thread == nil {
|
||||
return c.Status(404).JSON(fiber.Map{"error": "Thread not found"})
|
||||
}
|
||||
|
||||
if thread.UserID != userID {
|
||||
return c.Status(403).JSON(fiber.Map{"error": "Access denied"})
|
||||
}
|
||||
|
||||
if err := threadRepo.Delete(c.Context(), threadID); err != nil {
|
||||
if err := threadRepo.Delete(c.Context(), threadID, userID); err != nil {
|
||||
if err == db.ErrNotFound {
|
||||
return c.Status(404).JSON(fiber.Map{"error": "Thread not found"})
|
||||
}
|
||||
return c.Status(500).JSON(fiber.Map{"error": "Failed to delete thread"})
|
||||
}
|
||||
|
||||
@@ -290,7 +293,7 @@ func main() {
|
||||
return c.Status(404).JSON(fiber.Map{"error": "Shared thread not found"})
|
||||
}
|
||||
|
||||
messages, _ := threadRepo.GetMessages(c.Context(), thread.ID, 100, 0)
|
||||
messages, _ := threadRepo.GetMessages(c.Context(), thread.ID, thread.UserID, 100, 0)
|
||||
thread.Messages = messages
|
||||
|
||||
return c.JSON(thread)
|
||||
@@ -353,15 +356,6 @@ func main() {
|
||||
spaceID := c.Params("id")
|
||||
userID := middleware.GetUserID(c)
|
||||
|
||||
space, err := spaceRepo.GetByID(c.Context(), spaceID)
|
||||
if err != nil || space == nil {
|
||||
return c.Status(404).JSON(fiber.Map{"error": "Space not found"})
|
||||
}
|
||||
|
||||
if space.UserID != userID {
|
||||
return c.Status(403).JSON(fiber.Map{"error": "Access denied"})
|
||||
}
|
||||
|
||||
var req db.Space
|
||||
if err := c.BodyParser(&req); err != nil {
|
||||
return c.Status(400).JSON(fiber.Map{"error": "Invalid request"})
|
||||
@@ -370,7 +364,10 @@ func main() {
|
||||
req.ID = spaceID
|
||||
req.UserID = userID
|
||||
|
||||
if err := spaceRepo.Update(c.Context(), &req); err != nil {
|
||||
if err := spaceRepo.Update(c.Context(), &req, userID); err != nil {
|
||||
if err == db.ErrNotFound {
|
||||
return c.Status(404).JSON(fiber.Map{"error": "Space not found"})
|
||||
}
|
||||
return c.Status(500).JSON(fiber.Map{"error": "Failed to update space"})
|
||||
}
|
||||
|
||||
@@ -381,16 +378,10 @@ func main() {
|
||||
spaceID := c.Params("id")
|
||||
userID := middleware.GetUserID(c)
|
||||
|
||||
space, err := spaceRepo.GetByID(c.Context(), spaceID)
|
||||
if err != nil || space == nil {
|
||||
return c.Status(404).JSON(fiber.Map{"error": "Space not found"})
|
||||
}
|
||||
|
||||
if space.UserID != userID {
|
||||
return c.Status(403).JSON(fiber.Map{"error": "Access denied"})
|
||||
}
|
||||
|
||||
if err := spaceRepo.Delete(c.Context(), spaceID); err != nil {
|
||||
if err := spaceRepo.Delete(c.Context(), spaceID, userID); err != nil {
|
||||
if err == db.ErrNotFound {
|
||||
return c.Status(404).JSON(fiber.Map{"error": "Space not found"})
|
||||
}
|
||||
return c.Status(500).JSON(fiber.Map{"error": "Failed to delete space"})
|
||||
}
|
||||
|
||||
@@ -445,8 +436,12 @@ func main() {
|
||||
|
||||
memory.Delete("/:id", func(c *fiber.Ctx) error {
|
||||
memID := c.Params("id")
|
||||
userID := middleware.GetUserID(c)
|
||||
|
||||
if err := memoryRepo.Delete(c.Context(), memID); err != nil {
|
||||
if err := memoryRepo.Delete(c.Context(), memID, userID); err != nil {
|
||||
if err == db.ErrNotFound {
|
||||
return c.Status(404).JSON(fiber.Map{"error": "Memory not found"})
|
||||
}
|
||||
return c.Status(500).JSON(fiber.Map{"error": "Failed to delete memory"})
|
||||
}
|
||||
|
||||
@@ -493,7 +488,7 @@ func main() {
|
||||
return c.Status(403).JSON(fiber.Map{"error": "Access denied"})
|
||||
}
|
||||
|
||||
messages, _ := threadRepo.GetMessages(c.Context(), threadID, 100, 0)
|
||||
messages, _ := threadRepo.GetMessages(c.Context(), threadID, userID, 100, 0)
|
||||
|
||||
var query, answer string
|
||||
for _, msg := range messages {
|
||||
@@ -559,7 +554,10 @@ func main() {
|
||||
}
|
||||
|
||||
shareID := generateShareID()
|
||||
if err := pageRepo.SetShareID(c.Context(), pageID, shareID); err != nil {
|
||||
if err := pageRepo.SetShareID(c.Context(), pageID, shareID, userID); err != nil {
|
||||
if err == db.ErrNotFound {
|
||||
return c.Status(404).JSON(fiber.Map{"error": "Page not found"})
|
||||
}
|
||||
return c.Status(500).JSON(fiber.Map{"error": "Failed to share page"})
|
||||
}
|
||||
|
||||
@@ -586,16 +584,10 @@ func main() {
|
||||
pageID := c.Params("id")
|
||||
userID := middleware.GetUserID(c)
|
||||
|
||||
page, err := pageRepo.GetByID(c.Context(), pageID)
|
||||
if err != nil || page == nil {
|
||||
return c.Status(404).JSON(fiber.Map{"error": "Page not found"})
|
||||
}
|
||||
|
||||
if page.UserID != userID {
|
||||
return c.Status(403).JSON(fiber.Map{"error": "Access denied"})
|
||||
}
|
||||
|
||||
if err := pageRepo.Delete(c.Context(), pageID); err != nil {
|
||||
if err := pageRepo.Delete(c.Context(), pageID, userID); err != nil {
|
||||
if err == db.ErrNotFound {
|
||||
return c.Status(404).JSON(fiber.Map{"error": "Page not found"})
|
||||
}
|
||||
return c.Status(500).JSON(fiber.Map{"error": "Failed to delete page"})
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user