fix(external-admin): hide app catalog before login

This commit is contained in:
zhx 2026-07-15 19:14:55 +08:00
parent 7748b186f5
commit c556b44cf6
4 changed files with 13 additions and 34 deletions

View File

@ -236,15 +236,6 @@ func (h *Handler) ResetPassword(c *gin.Context) {
response.OK(c, account)
}
func (h *Handler) ListApps(c *gin.Context) {
apps, err := h.service.ListApps(c.Request.Context())
if err != nil {
response.ServerError(c, "获取 App 列表失败")
return
}
response.OK(c, gin.H{"items": apps, "total": len(apps)})
}
func (h *Handler) Login(c *gin.Context) {
// The global App middleware supplies the main-admin default before this anonymous
// route runs. No tenant is authoritative until a credential row resolves, so do

View File

@ -49,7 +49,6 @@ func RegisterExternalRoutes(api *gin.RouterGroup, h *Handler, handlers BusinessH
// service workers or intermediary proxies. This middleware runs before session
// auth so 4xx/5xx responses carry the same protection as successful responses.
auth.Use(noStore())
auth.GET("/apps", h.ListApps)
auth.POST("/login", h.Login)
protectedAuth := auth.Group("")

View File

@ -43,3 +43,16 @@ func TestExternalAuthResponsesAlwaysDisableCachingIncludingErrors(t *testing.T)
})
}
}
func TestExternalAuthDoesNotExposeAppCatalogBeforeLogin(t *testing.T) {
gin.SetMode(gin.TestMode)
engine := gin.New()
RegisterExternalRoutes(engine.Group("/api/v1"), New(nil, nil, Config{}, nil), BusinessHandlers{})
request := httptest.NewRequest(http.MethodGet, "/api/v1/external/auth/apps", nil)
responseRecorder := httptest.NewRecorder()
engine.ServeHTTP(responseRecorder, request)
if responseRecorder.Code != http.StatusNotFound {
t.Fatalf("anonymous App catalog status=%d body=%s", responseRecorder.Code, responseRecorder.Body.String())
}
}

View File

@ -65,30 +65,6 @@ func NewService(db *gorm.DB, userDB *sql.DB, cfg Config) *Service {
return &Service{db: db, userDB: userDB, cfg: cfg, dummyHash: dummyHash}
}
func (s *Service) ListApps(ctx context.Context) ([]App, error) {
if s.userDB == nil {
return nil, errors.New("user mysql is not configured")
}
rows, err := s.userDB.QueryContext(ctx, `
SELECT app_code, app_name, logo_url
FROM apps
WHERE status = 'active'
ORDER BY app_name ASC, app_code ASC`)
if err != nil {
return nil, err
}
defer rows.Close()
apps := []App{}
for rows.Next() {
var app App
if err := rows.Scan(&app.AppCode, &app.AppName, &app.LogoURL); err != nil {
return nil, err
}
apps = append(apps, app)
}
return apps, rows.Err()
}
func (s *Service) ResolveTarget(ctx context.Context, appCode string, target string) (LinkedUser, error) {
appCode = normalizeAppCode(appCode)
target = strings.TrimSpace(target)