59f68c3141
bugfix
2026-04-26 15:01:05 +08:00
8aada101ca
fix(rbac): remove MySQL-specific SQL for cross-database compatibility
...
- Replace DATE_SUB(NOW(), INTERVAL 300 SECOND) with Python-level time check
- Replace NOW() with parameterized timestamps from Python
- Lockout check now done in _is_locked() function (DB-agnostic)
- All UPDATE statements use parameterized values, not DB functions
- Works with MySQL, PostgreSQL, SQLite, SQL Server, Oracle
2026-04-26 11:04:15 +08:00
622b0558b9
fix(rbac): fix high-concurrency race conditions in login and cache
...
1. Login lockout race condition:
- Replace SELECT-then-UPDATE with atomic database operations
- Lockout check now in SQL WHERE clause (DATE_SUB comparison)
- Fail count increment: UPDATE ... SET count = count + 1 (atomic)
- Applied to checkUserPassword, basic_auth, up_login.dspy, phone_login.dspy
2. Cache threading.Lock -> asyncio.Lock:
- LRUCache now uses lazy-init asyncio.Lock
- Prevents blocking the event loop in async environment
- UserPermissions._rp_lock also uses asyncio.Lock
- Double-check pattern in load_roleperms prevents duplicate DB loads
3. Use database NOW() instead of Python curDateString for concurrent updates
2026-04-26 10:58:13 +08:00
3fdd4efeff
feat(rbac): add login tracking, lockout, secure cache
...
- Add created_at, last_login, login_fail_count, last_login_fail fields
- 3 failed logins locks account for 5 minutes
- LRU+TTL cache for UserPermissions, thread-safe
- All login methods update last_login
- Migration SQL for existing databases
2026-04-26 10:49:01 +08:00
059df2aef2
bugfix
2026-03-26 11:49:12 +08:00
0c69929a72
bugfix
2026-03-25 17:40:17 +08:00
6eb707d8bf
bugfix
2026-03-23 11:11:09 +08:00
yumoqing
819618a601
bugfix
2026-03-21 18:15:56 +08:00
yumoqing
5f805201ea
bugfix
2026-03-21 15:42:28 +08:00
yumoqing
4e27e9df68
bugfix
2026-03-21 15:31:36 +08:00
yumoqing
aec602ebd3
bugfix
2026-03-21 10:17:17 +08:00
f27f1ece0b
bugfix
2026-03-20 12:59:30 +08:00
e0c7596444
bugfix
2026-03-18 14:09:28 +08:00
