fix: address Phase 1-2 audit findings

- CORS: replace permissive() with configurable whitelist (default.toml) - Auth store: synchronously restore state at creation to eliminate flash-of-login-page on refresh - MainLayout: menu highlight now tracks current route via useLocation - Add extractErrorMessage() utility to reduce repeated error parsing - Fix all clippy warnings across 4 crates (erp-auth, erp-config, erp-workflow, erp-message): remove unnecessary casts, use div_ceil, collapse nested ifs, reduce function arguments with DTOs
2026-04-11 12:36:34 +08:00
parent 5c899e6f4a
commit 3a05523d23
35 changed files with 283 additions and 187 deletions
--- a/crates/erp-auth/src/handler/auth_handler.rs
+++ b/crates/erp-auth/src/handler/auth_handler.rs
@@ -8,7 +8,7 @@ use erp_core::types::{ApiResponse, TenantContext};

 use crate::auth_state::AuthState;
 use crate::dto::{LoginReq, LoginResp, RefreshReq};
-use crate::service::auth_service::AuthService;
+use crate::service::auth_service::{AuthService, JwtConfig};

 /// POST /api/v1/auth/login
 ///
@@ -29,14 +29,18 @@ where

    let tenant_id = state.default_tenant_id;

+    let jwt_config = JwtConfig {
+        secret: &state.jwt_secret,
+        access_ttl_secs: state.access_ttl_secs,
+        refresh_ttl_secs: state.refresh_ttl_secs,
+    };
+
    let resp = AuthService::login(
        tenant_id,
        &req.username,
        &req.password,
        &state.db,
-        &state.jwt_secret,
-        state.access_ttl_secs,
-        state.refresh_ttl_secs,
+        &jwt_config,
        &state.event_bus,
    )
    .await?;
@@ -56,12 +60,16 @@ where
    AuthState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
+    let jwt_config = JwtConfig {
+        secret: &state.jwt_secret,
+        access_ttl_secs: state.access_ttl_secs,
+        refresh_ttl_secs: state.refresh_ttl_secs,
+    };
+
    let resp = AuthService::refresh(
        &req.refresh_token,
        &state.db,
-        &state.jwt_secret,
-        state.access_ttl_secs,
-        state.refresh_ttl_secs,
+        &jwt_config,
    )
    .await?;

--- a/crates/erp-auth/src/handler/org_handler.rs
+++ b/crates/erp-auth/src/handler/org_handler.rs
@@ -184,10 +184,7 @@ where
        id,
        ctx.tenant_id,
        ctx.user_id,
-        &req.name,
-        &req.code,
-        &req.manager_id,
-        &req.sort_order,
+        &req,
        &state.db,
    )
    .await?;
@@ -291,10 +288,7 @@ where
        id,
        ctx.tenant_id,
        ctx.user_id,
-        &req.name,
-        &req.code,
-        &req.level,
-        &req.sort_order,
+        &req,
        &state.db,
    )
    .await?;
--- a/crates/erp-auth/src/handler/role_handler.rs
+++ b/crates/erp-auth/src/handler/role_handler.rs
@@ -32,7 +32,7 @@ where

    let page = pagination.page.unwrap_or(1);
    let page_size = pagination.limit();
-    let total_pages = (total + page_size - 1) / page_size;
+    let total_pages = total.div_ceil(page_size);

    Ok(Json(ApiResponse::ok(PaginatedResponse {
        data: roles,
--- a/crates/erp-auth/src/handler/user_handler.rs
+++ b/crates/erp-auth/src/handler/user_handler.rs
@@ -31,7 +31,7 @@ where

    let page = pagination.page.unwrap_or(1);
    let page_size = pagination.limit();
-    let total_pages = (total + page_size - 1) / page_size;
+    let total_pages = total.div_ceil(page_size);

    Ok(Json(ApiResponse::ok(PaginatedResponse {
        data: users,