new-api

Author	SHA1	Message	Date
CaIon	59c582d13c	fix: harden token auth error handling to prevent info leakage Some checks failed Publish Docker image (Multi Registries, native amd64+arm64) / Build & push (amd64) [native] (push) Has been cancelled Details Publish Docker image (Multi Registries, native amd64+arm64) / Build & push (arm64) [native] (push) Has been cancelled Details Publish Docker image (Multi Registries, native amd64+arm64) / Create multi-arch manifests (Docker Hub) (push) Has been cancelled Details Build Electron App / build (windows-latest) (push) Has been cancelled Details Build Electron App / release (push) Has been cancelled Details Release (Linux, macOS, Windows) / Linux Release (push) Has been cancelled Details Release (Linux, macOS, Windows) / macOS Release (push) Has been cancelled Details Release (Linux, macOS, Windows) / Windows Release (push) Has been cancelled Details - Create model/errors.go to centralize all sentinel errors - ValidateAccessToken now returns error to distinguish DB failures - ValidateUserToken uses unified ErrTokenInvalid for all auth failures (expired/exhausted/disabled/not-found) to prevent token enumeration - authHelper and TokenAuthReadOnly use i18n messages instead of hardcoded Chinese strings - All err.Error() removed from user-facing responses; DB errors logged server-side and return generic "contact admin" message (HTTP 500) - Migrate ErrRedeemFailed, ErrTwoFANotEnabled to model/errors.go	2026-04-12 17:39:00 +08:00