chore: update planning notes
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
+35
@@ -35,3 +35,38 @@
|
||||
| `go build ./...` | build succeeds | pass |
|
||||
| `npx tsc -b` | typecheck succeeds | pass |
|
||||
| `npm run build` | Next.js and Vite production builds succeed; existing large-chunk warning only | pass |
|
||||
|
||||
## Session: 2026-07-11
|
||||
|
||||
### Phase 7: Device Management Discovery and Design
|
||||
- **Status:** in_progress
|
||||
- Loaded repository instructions, go-zero workflow rules, frontend design guidance, and the existing planning state.
|
||||
- Confirmed a clean worktree before starting the device management task.
|
||||
- Located an existing account-management component and server device list/removal logic for focused inspection.
|
||||
- Confirmed the current device endpoints are placeholder implementations over stateless user-only tokens; selective revocation is not yet real.
|
||||
- Completed the session-registry design, including token `sid`, legacy-token migration, request metadata context, throttled last-seen updates, expiry filtering, and atomic revoke semantics.
|
||||
|
||||
### Phase 8: Device Management Implementation
|
||||
- **Status:** in_progress
|
||||
- Added the maintained `github.com/mileusna/useragent` dependency for normalized, display-only device metadata.
|
||||
- Implemented token `sid` claims, session context, UA normalization, memory/PostgreSQL session persistence, active-session authentication, last-seen throttling, listing, revoke-others, and logout revocation.
|
||||
- First targeted test run compiled successfully; the legacy placeholder test failed because removal now correctly requires a current authenticated session context. The test is being upgraded to the production contract.
|
||||
- Replaced the placeholder test with multi-device lifecycle coverage and added UA parsing, legacy migration, revocation, logout, and middleware metadata/session-context tests.
|
||||
- Targeted Go tests now pass: `go test ./internal/modules/auth ./internal/handler`.
|
||||
- Rebuilt the account device section with explicit async states, semantic rows, normalized metadata, responsive stacking, duplicate-submit protection, optimistic post-removal reconciliation, and aligned Chinese/English copy.
|
||||
- Frontend TypeScript validation passes: `npx tsc -b`.
|
||||
- Added the follow-up requirement for server-configurable desktop/mobile web-session limits; implementation will extend the API response spec before regeneration.
|
||||
- Updated and validated `img_infinite_canvas.api`, then regenerated go-zero types with the documented `goctl` fallback; the device list response now includes `limits.desktop` and `limits.mobile`.
|
||||
- Added `Auth.DeviceLimits.Desktop/Mobile` defaults to local and deployment config, wired them through the auth service, and replaced hard-coded UI counts with API-driven interpolation.
|
||||
- Documented the configuration and effective API policy in `server/README.md` and `server/API.md`.
|
||||
- Focused Go tests and frontend TypeScript validation pass after the configurable-limit change.
|
||||
- Full verification passes: `go mod tidy`, API validation, `go test ./...`, `go build ./...`, and `npm run build` (only the existing Vite large-chunk warning remains).
|
||||
- Initial alternate-port preview starts exposed two environment constraints: go-zero requires a config filename extension and Next permits one dev server per repo. Switched to a `.yaml` stdin symlink for the backend and the production Next server for the second frontend port.
|
||||
- The isolated preview is live at `http://localhost:5174` with the new backend on `http://localhost:8889`; the frontend page, auth-options proxy, and protected-device 401 boundary respond correctly.
|
||||
- The in-app browser runtime has no available browser backend in this environment, so authenticated screenshot inspection could not be completed there.
|
||||
- Race-enabled auth/middleware tests pass, frontend typecheck and diff checks pass, and the preview proxy still enforces a 401 on unauthenticated device access.
|
||||
- Reproduced the reported limit bug with a deterministic failing service test: two desktop tokens remained valid with `Desktop: 1`.
|
||||
- Implemented atomic same-type enforcement in memory and PostgreSQL stores; new logins keep the newest session and revoke oldest overflow sessions.
|
||||
- Added device-list reconciliation for sessions created before enforcement and verified current-session preservation.
|
||||
- Changed the device API timestamp contract to RFC3339 UTC and formatted it with the browser's local timezone via `Intl.DateTimeFormat`.
|
||||
- Regression tests now pass for configured desktop limit 1, pre-enforcement reconciliation, concurrent PostgreSQL logins, and timezone-neutral API timestamps.
|
||||
|
||||
Reference in New Issue
Block a user