si-meng-spec/ToDoList
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
13 Commits 1 Branch 0 Tags
bfdf0c9987df1681c0ad434c562a58ff6f29ec05
Commit Graph

8 Commits

Author SHA1 Message Date
祀梦
bfdf0c9987 fix: replace passlib with native bcrypt (Python 3.13 compatibility) 
passlib 1.7.4 has a known bug with bcrypt 4.x on Python 3.13 where
detect_wrap_bug passes an over-72-byte hash as a password, causing
ValueError on every login attempt.

Switched to bcrypt.hashpw/checkpw directly, removing the passlib
dependency entirely.

Also fixed 401 page reload on /auth/login endpoint.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-17 17:12:10 +08:00
祀梦
5af8cb5486 feat: add goal management module (long-term goals with phases, milestones, reviews) 
Backend:
- Goal model: title, description, status (active/paused/completed/abandoned),
  progress (auto-computed from milestones), target_date, category, color, icon
- GoalStep model: unified phase/milestone with parent nesting
- GoalReview model: periodic reflection with rating
- goal_tasks M2M: link existing tasks to goals
- /api/goals CRUD + steps CRUD + reviews + task linking + status toggle
- Progress auto-calculated from milestone completion ratio

Frontend:
- GoalPage: card grid with progress bars, status filter
- GoalDetailPage: step tree (phases > milestones), reviews, linked tasks
- GoalDialog: create/edit form with color/icon picker
- Goal navigation in AppHeader
- useGoalStore: full Pinia store for all goal operations

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-17 16:34:39 +08:00
祀梦
9d4d869d57 fix: harden authentication system (JWT, cookies, rate limiting, password policy) 
- Replace hardcoded JWT secret with randomly generated key persisted to file
- Replace hardcoded default password with random password shown in logs
- Migrate token storage from localStorage to HttpOnly SameSite=strict cookie
- Add IP-based login rate limiter (5 attempts / 15 min, 429 on lockout)
- Add token_version for JWT revocation on password change
- Add password strength validation (min 6 chars, 3+ unique characters)
- Inject decoded user payload into request.state.user in auth middleware
- Add /api/auth/me and /api/auth/logout endpoints
- Narrow auth middleware exception handling (JWTError only, not all Exception)
- Update updated_at timestamp on password change
- Remove localStorage token management from frontend (axios, router, store)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-17 15:54:45 +08:00
祀梦
e3f73048a7 refactor: remove all asset/account functionality (models, schemas, routers, store, views, components, tests, docs) 2026-05-17 12:59:52 +08:00
祀梦
9c5ef36fe8 fix: path traversal via URL-encoded ../, Feb 29 leap year crash, missing response_model, dead code, duplicate utcnow 2026-05-17 12:36:45 +08:00
祀梦
5f23b8ef5b fix: computed fields missing in anniversary endpoints + missing account_id validation in installment update 2026-05-17 12:00:54 +08:00
祀梦
3c03866021 feat: add JWT authentication and AGENTS.md 2026-05-17 11:21:41 +08:00
祀梦
2979197b1c release: Elysia ToDo v1.0.0 
鍏ㄦ爤涓汉淇℃伅绠$悊搴旂敤锛岄泦鎴愬緟鍔炰换鍔°€佷範鎯墦鍗°€佺邯蹇垫棩鎻愰啋銆佽祫浜ф€昏鍔熻兘銆

Made-with: Cursor
 2026-03-14 22:21:26 +08:00