feat(api): add UserDTO and update user API to use DTO (Refs: Requirement 4) #15
Closed
hailaz wants to merge 228 commits into
## Summary
Standardize source plugin-owned E2E tests under each plugin's own `hack/tests` tree and update the shared E2E runner/governance rules accordingly.
## Changes
- Define source plugin E2E ownership as `apps/lina-plugins/<plugin-id>/hack/tests/e2e/`
- Define plugin-owned POM and helpers as `hack/tests/pages/` and `hack/tests/support/`
- Update Lina E2E, feedback, review, and root `AGENTS.md` guidance to match the new layout
- Update Playwright discovery, E2E validation, module scope handling, and TypeScript include paths for plugin-owned tests
- Add `plugin-demo-source` smoke coverage to verify plugin test discovery
- Restore the E2E PostgreSQL helper default password
## Verification
- `pnpm -C hack/tests exec node scripts/validate-e2e.mjs`
- `openspec validate multi-tenant --strict`
- Scanned for stale `<plugin-id>/e2e`, `e2e-pages`, and `e2e-support` standard references
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Summary
- Moves the framework's built-in source-plugin E2E tests
(`content-notice`, `monitor-{loginlog,online,operlog,server}`,
`org-center`) into each plugin's own `hack/tests/{e2e,pages,support}`
directory, completing the source-plugin E2E ownership standard
introduced in #5.
- Introduces `@host-tests/*` and `xlsx` path aliases in
`hack/tests/tsconfig.json` and wires Playwright via the new top-level
`tsconfig` option so plugin-owned tests reference host
fixtures/pages/support through stable aliases instead of 6–7 level
relative paths.
- Updates `hack/tests/config/execution-manifest.json` module scopes,
legacy directory map, and `serialIsolation` for the new plugin-owned
locations; tightens the `e2e/content` reason text to match what remains
under the host tree.
- Updates host i18n regressions `TC0108` / `TC0110` to import
`NoticePage` / `DeptPage` / `PostPage` from the new plugin locations.
- Ticks `FB-3` in `openspec/changes/multi-tenant/tasks.md`.
## Verification
- `pnpm exec tsc --noEmit` (from `hack/tests`)
- `node hack/tests/scripts/validate-e2e.mjs` — 165 files / 30 scopes
- `openspec validate multi-tenant --strict`
- `pnpm test` full suite — **471 pass / 12 skipped / 1 pre-existing
TC-67k 60s timeout**; all 108 plugin-owned tests resolved the
`@host-tests/*` aliases at runtime.
## Test plan
- [x] Type check
- [x] E2E validator
- [x] OpenSpec validator
- [x] Full Playwright suite (parallel + serial)
- [x] Retry of previously-failing TCs confirms 6/7 were environment /
pre-existing flakes
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…ifications, and scheduled jobs
- Introduced mock data for roles and role bindings to facilitate access control demonstrations.
- Added example configuration parameters for demonstration purposes.
- Included online session records to support session monitoring demos.
- Created inbox notification messages and delivery records for showcasing notification features.
- Established scheduled job groups, jobs, and execution logs to illustrate job management functionalities.
- Updated test to reflect changes in SQL file references for plugin host calls.
## Summary
End-to-end hardening of the access/refresh token lifecycle across host
backend and Vben frontend. Four commits, all auth-scoped:
- **`fix(auth): prevent logout recursion on expired sessions`** — split
`clearSession` out of `logout`; 401 paths only clear local session
instead of recursing into `/auth/logout`.
- **`fix(auth): refresh access token before reauthentication`** —
introduce host `/auth/refresh` endpoint, JWT `tokenType` claim (`access`
vs `refresh`), refresh token issuance on login/tenant select/tenant
switch, frontend `doRefreshToken` flow. Protected APIs and dynamic
plugin routes now only accept `access` tokens.
- **`refactor(auth): share JWT tokenType literals via pkg/authtoken`** —
extract the `"access"`/`"refresh"` literals into `pkg/authtoken` so the
host signer/parser, dynamic route parser, and multi-tenant impersonation
signer share one source of truth.
- **`fix(auth): harden refresh against tenant eviction and 401 storms`**
- Backend `Refresh` re-validates tenant membership (`bizerr`-coded
denials revoke the session, infra errors keep it so transient DB blips
do not kick users offline) and rejects refresh tokens claiming negative
tenant IDs.
- Frontend refresh queue stores `{resolve, reject}` pairs, rejects them
on refresh failure instead of replaying with an empty token, and drains
again after `doReAuthenticate` so late-arriving 401s do not hang.
## Test plan
- [x] `cd apps/lina-core && go test ./internal/service/auth -count=1` —
covers refresh issuance, tenant flow, tenant eviction
(`TestRefreshRejectsAfterTenantMembershipRemoved`), infra-error
preservation (`TestRefreshPreservesSessionOnTenantProviderInfraError`),
negative-tenant rejection, refresh-token-as-access-token rejection,
revoked-session rejection.
- [x] `cd apps/lina-core && go test
./internal/service/plugin/internal/runtime -run
'Test(ParseDynamicRouteTokenRejectsRefreshToken|DynamicRouteIdentitySnapshotFiltersRolesByTokenTenant|TouchDynamicRouteSessionKeepsExistingSessionWhenTimestampDoesNotChange)$'
-count=1`
- [x] `cd apps/lina-plugins/multi-tenant && go test
./backend/internal/service/impersonate -count=1`
- [x] `cd apps/lina-vben && pnpm -F @vben/request exec vitest run` — 30
/ 30 incl. two new tests (`should reject queued 401 requests when
refresh fails`, `should not hang requests that 401 during the
doReAuthenticate window`).
- [x] `cd apps/lina-vben && pnpm -F @lina/web-antd typecheck`
- [x] `cd hack/tests && pnpm exec playwright test
e2e/auth/TC0233-expired-session-logout-loop.ts --project=chromium` —
TC0233a (no logout storm on stale token) and TC0233b (refresh-then-retry
path) both pass.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
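The token-type separation described in the summary above, as an added Go example that is not the project's code: an endpoint verifies the HMAC and then rejects any token whose `tokenType` is not the one it accepts, and refuses negative tenant IDs. The `Claims` struct, the `tenantId` field name, `Sign`, `Verify` and the demo key are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

type Claims struct { // hypothetical claim set; JSON field names are assumptions
	TokenType string `json:"tokenType"` // "access" or "refresh"
	TenantID  int64  `json:"tenantId"`
}

var b64, demoKey = base64.RawURLEncoding, []byte("constructed-demo-key") // constructed sample key

func mac(key []byte, msg string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// Sign issues a compact HS256 token for the constructed samples.
func Sign(key []byte, c Claims) string {
	body, _ := json.Marshal(c)
	msg := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return msg + "." + b64.EncodeToString(mac(key, msg))
}

// Verify checks the HMAC, then the token type this endpoint accepts and the tenant range.
func Verify(key []byte, token, wantType string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac(key, parts[0]+"."+parts[1])) {
		return c, fmt.Errorf("bad signature")
	}
	body, _ := b64.DecodeString(parts[1])
	if json.Unmarshal(body, &c) != nil || c.TokenType != wantType || c.TenantID < 0 {
		return Claims{}, fmt.Errorf("rejected: tokenType %q (want %q), tenant %d", c.TokenType, wantType, c.TenantID)
	}
	return c, nil
}

func main() { fmt.Println(Verify(demoKey, Sign(demoKey, Claims{TokenType: "refresh", TenantID: 7}), "access")) }
```

A protected API handler would call `Verify(key, token, "access")`, while only the refresh endpoint would pass `"refresh"`.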
This pull request addresses several maintenance issues in the CI/CD pipeline and refines the SQLite SQL translator's handling of PostgreSQL comment statements. The most important changes include updating GitHub Actions workflows to resolve deprecation warnings, switching to more robust action versions, and removing unnecessary debug logging from the SQLite translator and its tests.
**GitHub Actions maintenance and warning cleanup:**
* Upgraded `actions/setup-go` from `v5` to `v6` and `pnpm/action-setup` from `v4` to `v6` across all workflows for improved compatibility and to resolve deprecation warnings.
* Replaced the deprecated `szenius/set-timezone@v2.0` action with native shell commands to set the timezone on Ubuntu runners, eliminating the dependency on Node.js 20 actions.
* Explicitly disabled Go toolchain/module cache in `actions/setup-go` to avoid cache restore tar failure warnings.
* Updated the Windows runner label from `windows-latest` to `windows-2025-vs2026` to address platform redirection warnings.
**SQLite SQL translator and test refinement:**
* Removed unnecessary debug logging when skipping PostgreSQL comment statements in the SQLite translator, making the translation process silent for these cases.
* Simplified and parallelized the related unit test by removing global logger handler hooks and log content assertions, ensuring tests remain self-contained and robust.
**Documentation and OpenSpec updates:**
* Updated OpenSpec task records to reflect all the above changes, including validation commands and the rationale for each fix.
- Add UserDTO and UserListDTO in api/user/v1/dto.go
- Exclude sensitive fields like password from DTO
- Update GetRes and ListItem to use DTO instead of *entity.SysUser
…sistant files (Refs: Requirement 4)
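Feature description
This PR implements the API DTO (Data Transfer Object) pattern, improving code isolation and maintainability at the API layer.
Main changes
The UserDTO struct is used for the request and response types of the user API
Review checklist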