a620906209
|
99cf35c1ec
|
docs: 稽核文檔改為執行紀錄、開 provider-verification-gaps change 規劃遺留缺口
Run Tests / test (pull_request) Successful in 2m1s
- 稽核報告:已完成的修補計畫改寫為執行紀錄(commit 對照表 + 偏差說明),
未處理事項收斂為三項(verification 缺口 / 效能優化 / 新功能路線圖)
- 新 change provider-verification-gaps:規劃 schedules/reviews 公開子端點
過濾與預約入口檢查(含「既有預約不受影響」政策決定),待實作
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
2026-06-11 19:06:34 +08:00 |
|
a620906209
|
520ec487ee
|
Merge pull request 'chore(openspec): 補歸檔 2026-06-11-audit-remediation change' (#29) from fix/audit-remediation into master
Deploy Production / deploy (push) Successful in 16s
Run Tests / test (push) Successful in 1m53s
Reviewed-on: #29
|
2026-06-11 10:46:30 +00:00 |
|
a620906209
|
a97a7d096c
|
chore(openspec): 補歸檔 2026-06-11-audit-remediation change
Run Tests / test (pull_request) Successful in 2m2s
事後補齊本次稽核修補的 OpenSpec 歷史紀錄(proposal / design /
tasks / 規格增量),主規格已於實作時直接更新,本 archive 僅為
變更軌跡。design.md 記錄 5 項關鍵決策(artisan command 取代
HTTP 端點、10/min 為基準、列表過濾而非禁止上架等)。
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
2026-06-11 18:44:14 +08:00 |
|
a620906209
|
0dffca31bb
|
Merge pull request 'security: 2026-06-11 稽核修補——封鎖 admin/register P0 漏洞、is_verified 業務約束、預約核心測試' (#28) from fix/audit-remediation into master
Deploy Production / deploy (push) Successful in 20s
Run Tests / test (push) Successful in 2m9s
Reviewed-on: #28
|
2026-06-11 10:21:31 +00:00 |
|
a620906209
|
7ca91da138
|
docs: 操作體驗優化計畫——實測定位 OPcache 停用 + bind mount 為主因
Run Tests / test (pull_request) Successful in 2m7s
實測:API 快取命中仍 2.49s、容器測試比本機慢 14 倍;
容器內 opcache 已載入但 disabled。計畫分三階段,O1.1 啟用
OPcache 為最高投報率項目。
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
2026-06-11 17:55:56 +08:00 |
|
a620906209
|
cec2078035
|
test(auth): 同步 admin register 端點移除——刪除過時測試、更新覆蓋規格
原 test_admin_register_* 測的是已移除的 P0 漏洞端點,
端點關閉防護與帳號建立改由 AdminAccountCreationTest 覆蓋。
容器內全套件 146 passed / 378 assertions。
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
2026-06-11 17:52:37 +08:00 |
|
a620906209
|
d3a0d300c6
|
docs(openspec): 規格清理——補 Purpose、修正前端 repo 描述、補 admin 查詢端點
- auth-test-coverage:補歸檔後遺留的 TBD Purpose
- member-portal-ui:前端實際位於本 repo frontend/,修正獨立 repo 描述
- admin-auth:補 check-member / check-provider 端點規格
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
2026-06-11 17:49:00 +08:00 |
|
a620906209
|
63b25f96ac
|
test(booking): 補預約核心測試——狀態機/防超賣/Scheduler/聊天授權/Admin 權限邊界
稽核 P2-1:平台核心業務(預約)原本零測試覆蓋。
- BookingLifecycleTest:七狀態機合法/非法轉移、名額帳務、24h 取消截止、授權邊界(17 案例)
- BookingOversellTest:confirm 時 lockForUpdate 防超賣不變式、名額釋放回收(3 案例)
- BookingSchedulerTest:48h 過期與日期完成的時間邊界(6 案例)
- BookingChatAuthTest:HTTP 與 presence channel 雙防線(8 案例)
- AdminEndpointAuthTest:非 admin 一律 403、Admin 不可繞過狀態機(5 案例)
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
2026-06-11 17:46:46 +08:00 |
|
a620906209
|
3c38d085bd
|
feat(offers): 未驗證教練的課程不對公開端點曝光
is_verified 原本只有 Admin toggle 開關、無任何業務約束(稽核 P1-1)。
- DivingOffer 新增 visibleToPublic scope:provider_id null 或教練已驗證
- 公開 index/show 套用過濾,未驗證教練課程列表排除、詳情 404
- toggle-verified 後 flush diving_offers 快取標籤,切換立即生效
- 新增 provider-verification 規格(含已知限制註記)與 7 條可見性測試
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
2026-06-11 17:42:43 +08:00 |
|
a620906209
|
88a81aac41
|
docs(openspec): 同步 login-rate-limiting 規格門檻至實作值 10/min
規格原寫 5/min,實作與測試(commit 0dabc4e)皆為 throttle:10,1,
以實作為準消除規格漂移,並註記放寬理由(帳號鎖定已涵蓋暴力破解防護)。
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
2026-06-11 17:37:19 +08:00 |
|
a620906209
|
aeb8c975e2
|
security(auth): 移除公開 admin/register 端點,改由 app:create-admin 建立管理員
P0 漏洞:原 POST /api/admin/register 無任何防護,任何人可註冊管理員帳號。
- 移除路由、AuthController::registerAdmin、對應 Swagger 文件
- 新增 app:create-admin artisan command(密碼門檻 min:8)
- 補 AdminAccountCreationTest 防止端點被重新打開
- 同步 admin-auth 規格,並收錄 2026-06-11 稽核報告與路線圖文檔
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
2026-06-11 17:36:33 +08:00 |
|
a620906209
|
51784ecc64
|
Merge pull request 'fix(test): 修正 AuthRateLimitTest 過期的 throttle 門檻斷言' (#27) from test/auth-tests-coverage into master
Run Tests / test (push) Successful in 2m35s
Deploy Production / deploy (push) Successful in 17s
Reviewed-on: #27
|
2026-06-07 20:06:03 +00:00 |
|
a620906209
|
ca5b843362
|
chore(openspec): 歸檔 auth-tests 變更並建立 auth-test-coverage 主規格
Run Tests / test (pull_request) Failing after 43s
34 項驗收情境與測試已 1:1 對應且全數通過,將變更移至
openspec/changes/archive/2026-06-07-auth-tests/,並依其內容建立
openspec/specs/auth-test-coverage/spec.md 作為主規格文件。
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-06-08 04:02:05 +08:00 |
|
a620906209
|
6f446f601f
|
test(auth): 新增三角色登入/註冊/登出、P2 帳號鎖定、OAuth state 驗證測試
新增 34 個 Feature 測試(AuthLoginTest 19、AuthLockoutTest 11、
AuthOAuthTest 4)涵蓋 member/provider/admin 的註冊、登入、登出與跨角色
隔離;P2 帳號鎖定的 Fixed Window 計數、companion cache key 與 email
正規化;以及 P2 OAuth state 的 CSRF 驗證與一次性消耗。
同時新增 .gitea/workflows/test.yml 在 push/PR 時於 CI 自動執行測試
(含 GD 等擴充套件安裝),並補上對應的 OpenSpec 變更文件
(proposal/design/spec/tasks,34 項驗收情境與測試 1:1 對應)。
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-06-08 04:01:33 +08:00 |
|
a620906209
|
0dabc4ebb5
|
fix(test): 修正 AuthRateLimitTest 過期的 throttle 門檻斷言
commit 2a0e9255(P2 帳號鎖定上線)已將 member/provider 登入的 IP throttle
從 5,1 調整為 10,1(避免 IP throttle 搶在帳號鎖定的 423 之前觸發 429),
但測試的迴圈次數與註解仍停留在舊版 5,1,導致預期 429 卻收到 401。
同步將迴圈次數改為 10、區塊註解改為 throttle:10,1,使其對齊現行設定。
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-06-08 04:01:20 +08:00 |
|
a620906209
|
ca1b83a2e3
|
Merge pull request 'Merge branch 'master' into feat/demo-seeder' (#26) from feat/demo-seeder into master
Deploy Production / deploy (push) Successful in 10s
Reviewed-on: #26
|
2026-06-02 17:51:49 +00:00 |
|
a620906209
|
855d9e1d4a
|
Merge branch 'master' into feat/demo-seeder
|
2026-06-02 17:50:01 +00:00 |
|
a620906209
|
981f753480
|
Merge pull request 'fix(auth): 補 StartSession middleware 給 OAuth routes' (#24) from security/auth-p2-lockout-oauth-state into master
Deploy Production / deploy (push) Successful in 12s
Reviewed-on: #24
|
2026-06-02 17:47:57 +00:00 |
|
a620906209
|
3b90edf843
|
fix(auth): 補 StartSession middleware 給 OAuth routes
api.php 的 route 預設無 session middleware,
移除 stateless() 後 session() 呼叫直接 500。
只對 /auth/google/* 兩個 route 加 StartSession,不影響其他 API endpoint。
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-06-03 01:44:29 +08:00 |
|
a620906209
|
b06d8524db
|
Merge pull request 'security(auth): P2 帳號鎖定 + OAuth state 驗證' (#23) from security/auth-p2-lockout-oauth-state into master
Deploy Production / deploy (push) Successful in 31s
Reviewed-on: #23
|
2026-06-02 17:39:02 +00:00 |
|
a620906209
|
2a0e9255ae
|
security(auth): P2 帳號鎖定 + OAuth state 驗證
- Account lockout:連續失敗 5 次鎖定 15 分鐘(Fixed Window,Cache)
- Member / Provider 各自獨立 namespace
- Email 正規化(strtolower+trim)
- 不存在帳號不累計計數(防 Cache 污染)
- companion key 記錄 locked_until(ISO 8601)
- OAuth CSRF 防護:移除 stateless(),手動 state 生成與驗證
- session('oauth_state') + session('state') 雙寫確保 Socialite 內建驗證通過
- state mismatch redirect 至 /login?error=oauth_failed
- throttle 從 5,1 調整為 10,1,避免 IP throttle 在 lockout 前觸發
- NormalizesEmail Trait、config/auth_lockout.php
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-06-03 01:20:25 +08:00 |
|
a620906209
|
b2e20767d8
|
Merge pull request 'security(auth): P1 Token Refresh + sessionStorage' (#22) from security/auth-p1-token-refresh into master
Deploy Production / deploy (push) Successful in 30s
Reviewed-on: #22
|
2026-06-01 20:34:52 +00:00 |
|
a620906209
|
d9f0fe11c6
|
security(auth): P1 Token Refresh + sessionStorage
- 新增三個 refresh 端點(member/provider/admin),revoke 舊 token 發行新 7 天 token
- axios.js / coachAxios.js:401 interceptor 改為 refresh-then-retry,含 isRefreshing queue 防並發、isRedirecting flag 防雙重 redirect
- auth.js / coachAuth.js / AuthCallbackView.vue:localStorage 全改為 sessionStorage
- echo.js / notificationAxios.js:同步改為 sessionStorage
- notifications.js:401 時停止 polling(stopPolling),不印 error log
- 新增 TokenRefreshTest.php(11 tests / 24 assertions):refresh 成功/失效/跨角色 403
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-06-02 04:33:35 +08:00 |
|
a620906209
|
a94c2462b8
|
Merge pull request 'security(auth): P0 認證安全強化' (#21) from security/auth-p0-hardening into master
Deploy Production / deploy (push) Successful in 36s
Reviewed-on: #21
|
2026-06-01 17:58:24 +00:00 |
|
a620906209
|
cb9c9a9385
|
security(auth): P0 認證安全強化
- Token 過期時間設為 7 天(sanctum.php expiration)
- prune-expired 每日排程清除過期 token 記錄
- Google OAuth redirect 改用 URL fragment(#token=)避免 token 出現在 server log
- SocialAuthController env() 改 config() 修正 config:cache 下 redirect 失效問題
- 登入端點加 rate limiting:member/provider throttle:5,1,admin throttle:3,1
- axios/coachAxios 加 401 response interceptor,token 過期自動登出
- 修正 migration SQLite 相容性(MODIFY COLUMN),Feature tests 從 7 通過恢復至 41
- 新增 AuthRateLimitTest(5 tests)驗證各角色頻率限制行為
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-06-02 01:54:40 +08:00 |
|
a620906209
|
5b13a014be
|
Merge pull request 'docs: 更新 README 反映最新功能與技術棧' (#20) from docs/update-readme into master
Deploy Production / deploy (push) Successful in 14s
Reviewed-on: #20
|
2026-05-28 19:18:17 +00:00 |
|
a620906209
|
8d1ea49abc
|
docs: 更新 README 反映最新功能與技術棧
新增:即時訊息、Reverb WebSocket、Sentry、/health、CI/CD、本地開發說明。
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-05-29 03:17:44 +08:00 |
|
a620906209
|
9be50d493b
|
Merge pull request 'fix: 改用 BusyBox 相容的 flock 語法' (#19) from fix/sentry-composer into master
Deploy Production / deploy (push) Successful in 21s
Reviewed-on: #19
|
2026-05-28 19:04:47 +00:00 |
|
a620906209
|
0a6bfd9df8
|
fix: 改用 BusyBox 相容的 flock 語法
BusyBox flock 不支援 -w,移除 timeout 參數。
等待行為不變,預設會阻塞直到取得鎖。
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-05-29 03:04:12 +08:00 |
|
a620906209
|
127101adb3
|
Merge pull request 'fix: 修正 CI 並發 fetch 導致 git ref 衝突' (#18) from fix/sentry-composer into master
Deploy Production / deploy (push) Failing after 1s
Reviewed-on: #18
|
2026-05-28 19:03:13 +00:00 |
|
a620906209
|
0160d72467
|
fix: 修正 CI 並發 fetch 導致 git ref 衝突
git pull 改為 flock + fetch + reset --hard:
- flock 防止兩次 CI 同時更新 ref 產生 race condition
- reset --hard 比 pull 更適合 CI 環境,不做 merge
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-05-29 03:00:57 +08:00 |
|
a620906209
|
cfd0455597
|
Merge pull request 'fix: 補上 sentry/sentry-laravel 的 composer 異動' (#17) from fix/sentry-composer into master
Deploy Production / deploy (push) Failing after 1s
Reviewed-on: #17
|
2026-05-28 18:38:45 +00:00 |
|
a620906209
|
8974a22584
|
fix: 補上 sentry/sentry-laravel 的 composer 異動
前次 Sentry 整合 commit 漏掉 composer.json / composer.lock。
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-05-29 02:38:06 +08:00 |
|
a620906209
|
9bde1ae344
|
Merge pull request 'feat: 整合 Sentry 錯誤監控' (#16) from feature/health-endpoint into master
Deploy Production / deploy (push) Successful in 16s
Reviewed-on: #16
|
2026-05-28 18:32:11 +00:00 |
|
a620906209
|
3ad5972a5a
|
feat: 整合 Sentry 錯誤監控
安裝 sentry/sentry-laravel,掛載例外捕捉至 bootstrap/app.php。
.env 透過 SENTRY_LARAVEL_DSN 設定,空值時自動停用。
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-05-29 02:29:00 +08:00 |
|
a620906209
|
b770aab42a
|
Merge pull request 'refactor: 精簡 /health 回應欄位' (#15) from feature/health-endpoint into master
Deploy Production / deploy (push) Successful in 16s
Reviewed-on: #15
|
2026-05-28 18:05:29 +00:00 |
|
a620906209
|
8d41f473e4
|
refactor: 精簡 /health 回應欄位
移除 php_version、laravel、environment、memory_mb,
保留 status、timestamp、checks 三欄。
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-05-29 02:04:24 +08:00 |
|
a620906209
|
5463fd70b1
|
Merge pull request 'chore:新增 swagger-api-docs-completion change 規劃' (#14) from feature/health-endpoint into master
Deploy Production / deploy (push) Successful in 25s
Reviewed-on: #14
|
2026-05-28 17:58:55 +00:00 |
|
a620906209
|
54dd4bb7a6
|
feat: 新增 /health 端點供 UptimeRobot 監控
檢查 DB 連線、Redis ping、Cache 讀寫,任一失敗回傳 503。
回應包含 timestamp、environment、PHP/Laravel 版本、記憶體用量。
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-05-29 01:57:04 +08:00 |
|
a620906209
|
71b35533f4
|
Merge branch 'master' of https://github.com/a620906209/CFDivePlatform
|
2026-05-29 01:20:12 +08:00 |
|
a620906209
|
eff2dd273c
|
Merge pull request 'docs(openspec): archive realtime-booking-chat,同步主 specs' (#13) from feature/realtime-booking-chat into master
Deploy Production / deploy (push) Successful in 20s
Reviewed-on: #13
|
2026-05-28 17:18:49 +00:00 |
|
a620906209
|
4a5559a79e
|
chore(openspec): 移除已 archive 的 change 原路徑
補上 mv 後未 stage 的刪除紀錄,保持 working tree 乾淨。
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-05-29 01:17:41 +08:00 |
|
a620906209
|
83e0e599a0
|
docs(openspec): archive realtime-booking-chat,同步主 specs
- archive openspec/changes/realtime-booking-chat → archive/2026-05-29-realtime-booking-chat
- 新增 openspec/specs/booking-chat/spec.md(即時訊息完整規格)
- 新增 openspec/specs/user-presence/spec.md(Presence Channel 規格)
- 更新 openspec/specs/booking-lifecycle/spec.md(補訊息頻道語義與封存 Scenario)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-05-29 01:14:52 +08:00 |
|
a620906209
|
6fcf57a2d2
|
Merge pull request 'fix: 修正聊天室雙向即時同步失效問題' (#12) from feature/realtime-booking-chat into master
Deploy Production / deploy (push) Successful in 15s
Reviewed-on: #12
|
2026-05-28 15:12:20 +00:00 |
|
a620906209
|
5ba598c78f
|
fix: 修正聊天室雙向即時同步失效問題
- echo.js:還原 disconnect()/connect(),確保 Reverb 重連後重新授權 presence channel
- BookingChat.vue:移除 handleNotificationFallback(會覆蓋樂觀更新訊息導致重複)
- BookingChat.vue:改用 state_change 事件偵測重連('reconnected' 並非合法 Pusher.js 事件)
- BookingChat.vue:移除未使用的 useAuthStore / useCoachAuthStore / currentUserId 依賴
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-05-28 18:29:53 +08:00 |
|
a620906209
|
3809ac7ed0
|
Merge pull request 'fix: 避免 entrypoint 覆寫 .env 的 DB 憑證' (#11) from feature/realtime-booking-chat into master
Deploy Production / deploy (push) Successful in 44s
Reviewed-on: #11
|
2026-05-28 10:18:27 +00:00 |
|
a620906209
|
6b3a0816f5
|
fix: 聊天室樂觀更新 + private channel fallback
問題:presence channel 在另一方加入的瞬間可能短暫抖動,
導致雙方都收不到 MessageSent event,訊息消失需重整。
三項修正:
1. sendText 樂觀更新:訊息送出後立即顯示暫存訊息,
不依賴 WebSocket event 才出現。
2. MessageSent handler deduplication:自己的訊息收到
event 時,替換暫存訊息而非重複 push。
3. Private channel fallback:receiver 的 private channel
收到 notification.created 時,補拉一次訊息歷史,
確保 presence channel 失效時仍能同步。使用
stopListening 避免干擾 notifications store 的訂閱。
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-05-28 17:59:10 +08:00 |
|
a620906209
|
1ba4ca893a
|
fix: 修正即時聊天室 presence channel 間歇性失效
三個根本原因:
1. updateEchoToken() 呼叫 disconnect/connect 會中斷已訂閱的
presence channel,改為只更新 auth header(不重連)。
同時將 setAuth() 的呼叫順序改為先 updateEchoToken() 再
startRealtime(),確保訂閱時使用最新 token。
2. BookingPresenceChannel::join() 未對 schedule null 做防守,
載入後若 schedule 不存在會 500,導致 auth 靜默失敗。
3. WebSocket 重連後 presence channel 不會自動恢復,
在 BookingChat 加入 reconnected 事件處理,重連後重訂閱。
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-05-28 17:46:15 +08:00 |
|
a620906209
|
6286399a3b
|
fix: 修正 VITE_API_URL 預設值 typo(spack → space)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-05-28 17:28:17 +08:00 |
|
a620906209
|
f80319109c
|
fix: entrypoint 先啟動 php-fpm,init 任務移至背景
將 wait_for_mysql、migration、cache:clear 等耗時操作移至背景
subshell 執行,php-fpm 不再等待它們完成才啟動。
解決每次 docker restart 後 php-fpm 尚未就緒時 Nginx 回傳
502(無 CORS headers),前端看到 CORS error 的問題。
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-05-28 17:23:59 +08:00 |
|