long-agent
adb251e4ad
P2-10: Change ActivateEmail from GET to POST - token now passed in request body instead of URL query parameter for better security P2-11: Change ValidateResetToken from GET to POST - token now passed in request body instead of URL query parameter to prevent log leakage P2-12: Note - /uploads static exposure remains (requires architectural decision about file serving) P2-13: cursor.Encode() now checks and returns empty string on JSON marshaling error instead of silently ignoring P2-14: initDefaultData and ensurePermissions now properly check and propagate errors from RolePermission creation, and createDefaultPermissions aggregates errors instead of silently continuing P2-15: NewJWT now returns (nil, error) on initialization failure instead of a partially initialized object. All callers updated to handle the error return. Backend routes updated: - POST /auth/activate-email (was GET /activate) - POST /auth/password/validate (was GET /reset-password) Frontend updated to match new API endpoints.
14 KiB
14 KiB