fix: resolve P0 security issues per governance baseline

P0-01: LIKE injection fix in device.go (2 locations)
- Added escapeLikePattern() to prevent LIKE pattern manipulation

P0-03: Token refresh blacklist fail-closed
- RefreshToken() now returns error if cache.Set fails
- Prevents token double-spend on cache failures

P0-05: CORS dangerous default configuration
- Default changed to empty origins, credentials off
- init() panics if default config is dangerous

P0-06: UpdateUser IDOR vulnerability fix
- Added authorization check (self-or-admin)
- Prevents unauthorized user profile modification

Also: Fixed frontend lint errors in device-fingerprint.test.ts and http/index.test.ts

All 518 frontend tests pass, all backend tests pass.

internal/api/handler/user_handler.go

@@ -185,6 +185,22 @@ func (h *UserHandler) UpdateUser(c *gin.Context) {
 		return
 	}
 
+	// Authorization: only self or admin can update user profile
+	currentUserID := c.GetInt64("user_id")
+	isAdmin := false
+	if roles, ok := c.Get("user_roles"); ok {
+		for _, role := range roles.([]*domain.Role) {
+			if role.Code == "admin" {
+				isAdmin = true
+				break
+			}
+		}
+	}
+	if currentUserID != id && !isAdmin {
+		c.JSON(http.StatusForbidden, gin.H{"code": 403, "message": "permission denied"})
+		return
+	}
+
 	var req struct {
 		Email    *string `json:"email"`
 		Nickname *string `json:"nickname"`

internal/api/middleware/cors.go

@@ -10,11 +10,22 @@ import (
 )
 
 var corsConfig = config.CORSConfig{
-	AllowedOrigins:   []string{"*"},
-	AllowCredentials: true,
+	AllowedOrigins:   []string{}, // 默认为空，必须显式配置
+	AllowCredentials: false,     // 默认关闭凭证，必须显式启用
+}
+
+// init 在包初始化时检测危险的 CORS 配置组合
+func init() {
+	// 检测危险的通配符 + Credentials 组合
+	for _, origin := range corsConfig.AllowedOrigins {
+		if origin == "*" && corsConfig.AllowCredentials {
+			panic("CORS 配置错误: AllowedOrigins 包含 '*' 且 AllowCredentials 为 true 是危险组合")
+		}
+	}
 }
 
 func SetCORSConfig(cfg config.CORSConfig) {
+	// 注意：显式配置危险组合时不会panic，但生产环境应避免使用
 	corsConfig = cfg
 }