feat: auth service + security audit fixes + cleanup legacy services
Major changes:
- Add auth-svc: JWT auth, register/login/refresh, password reset
- Add auth UI: modals, pages (/login, /register, /forgot-password)
- Add usage tracking (usage_metrics table, daily limits)
- Add tiered rate limiting (free/pro/business)
- Add LLM usage limits per tier
Security fixes:
- All repos now require userID for Update/Delete operations
- JWT middleware in chat-svc, llm-svc, agent-svc, discover-svc
- ErrNotFound/ErrForbidden errors for proper access control
Cleanup:
- Remove legacy TypeScript services/ directory
- Remove computer-svc (to be reimplemented)
- Remove old deploy/docker configs
New files:
- backend/cmd/auth-svc/main.go
- backend/internal/auth/{types,repository}.go
- backend/internal/usage/{types,repository}.go
- backend/pkg/middleware/{llm_limits,ratelimit_tiered}.go
- backend/webui/src/components/auth/*
- backend/webui/src/app/(auth)/*
Made-with: Cursor
This commit is contained in:
home
@@ -105,21 +105,35 @@ func (r *CollectionRepository) GetByUserID(ctx context.Context, userID string, l
|
||||
return collections, nil
|
||||
}
|
||||
|
||||
func (r *CollectionRepository) Update(ctx context.Context, c *Collection) error {
|
||||
func (r *CollectionRepository) Update(ctx context.Context, c *Collection, userID string) error {
|
||||
query := `
|
||||
UPDATE collections
|
||||
SET name = $2, description = $3, is_public = $4, context_enabled = $5, updated_at = NOW()
|
||||
WHERE id = $1
|
||||
WHERE id = $1 AND user_id = $6
|
||||
`
|
||||
_, err := r.db.db.ExecContext(ctx, query,
|
||||
c.ID, c.Name, c.Description, c.IsPublic, c.ContextEnabled,
|
||||
result, err := r.db.db.ExecContext(ctx, query,
|
||||
c.ID, c.Name, c.Description, c.IsPublic, c.ContextEnabled, userID,
|
||||
)
|
||||
return err
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
rows, _ := result.RowsAffected()
|
||||
if rows == 0 {
|
||||
return ErrNotFound
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (r *CollectionRepository) Delete(ctx context.Context, id string) error {
|
||||
_, err := r.db.db.ExecContext(ctx, "DELETE FROM collections WHERE id = $1", id)
|
||||
return err
|
||||
func (r *CollectionRepository) Delete(ctx context.Context, id, userID string) error {
|
||||
result, err := r.db.db.ExecContext(ctx, "DELETE FROM collections WHERE id = $1 AND user_id = $2", id, userID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
rows, _ := result.RowsAffected()
|
||||
if rows == 0 {
|
||||
return ErrNotFound
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (r *CollectionRepository) AddItem(ctx context.Context, item *CollectionItem) error {
|
||||
@@ -135,7 +149,20 @@ func (r *CollectionRepository) AddItem(ctx context.Context, item *CollectionItem
|
||||
).Scan(&item.ID, &item.CreatedAt, &item.SortOrder)
|
||||
}
|
||||
|
||||
func (r *CollectionRepository) GetItems(ctx context.Context, collectionID string) ([]CollectionItem, error) {
|
||||
func (r *CollectionRepository) GetItems(ctx context.Context, collectionID, userID string) ([]CollectionItem, error) {
|
||||
var ownerID string
|
||||
var isPublic bool
|
||||
err := r.db.db.QueryRowContext(ctx, "SELECT user_id, is_public FROM collections WHERE id = $1", collectionID).Scan(&ownerID, &isPublic)
|
||||
if err == sql.ErrNoRows {
|
||||
return nil, ErrNotFound
|
||||
}
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if ownerID != userID && !isPublic {
|
||||
return nil, ErrForbidden
|
||||
}
|
||||
|
||||
query := `
|
||||
SELECT id, collection_id, item_type, title, content, url, metadata, created_at, sort_order
|
||||
FROM collection_items
|
||||
@@ -168,13 +195,25 @@ func (r *CollectionRepository) GetItems(ctx context.Context, collectionID string
|
||||
return items, nil
|
||||
}
|
||||
|
||||
func (r *CollectionRepository) RemoveItem(ctx context.Context, itemID string) error {
|
||||
_, err := r.db.db.ExecContext(ctx, "DELETE FROM collection_items WHERE id = $1", itemID)
|
||||
return err
|
||||
func (r *CollectionRepository) RemoveItem(ctx context.Context, itemID, userID string) error {
|
||||
query := `
|
||||
DELETE FROM collection_items
|
||||
WHERE id = $1
|
||||
AND collection_id IN (SELECT id FROM collections WHERE user_id = $2)
|
||||
`
|
||||
result, err := r.db.db.ExecContext(ctx, query, itemID, userID)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
rows, _ := result.RowsAffected()
|
||||
if rows == 0 {
|
||||
return ErrNotFound
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (r *CollectionRepository) GetCollectionContext(ctx context.Context, collectionID string) (string, error) {
|
||||
items, err := r.GetItems(ctx, collectionID)
|
||||
func (r *CollectionRepository) GetCollectionContext(ctx context.Context, collectionID, userID string) (string, error) {
|
||||
items, err := r.GetItems(ctx, collectionID, userID)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user