Define the OpenAPI contract for XBuilder Account as the source of truth for replacing Casdoor. Cover hosted sign-in, Account OAuth, Account-issued app-scoped OAuth tokens, account sessions, account user management, admin APIs, app management, audit logs, and authorization boundaries. Updates #3112 Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>
Add the shared 415 OAuth error response for form-encoded Account OAuth endpoints so the API contract matches backend validation for unsupported request content types. Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>
Reorder OAuth response components by error scope and remove the unsupported media type response example to match sibling OAuth responses. Clarify that unsupported form content types return an OAuth invalid_request error before form-body OAuth parameters are read. This is a follow-up to #3236. Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>
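The media-type check described in the two commit messages above, sketched as an added example (not code from the pull request or the XBuilder backend). Go, the `/token` path, and the names `requireForm`, `tokenHandler` and `probe` are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// oauthError writes a JSON OAuth error body (RFC 6749 "error" member).
func oauthError(w http.ResponseWriter, status int, code string) {
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(status)
	json.NewEncoder(w).Encode(map[string]string{"error": code})
}

// requireForm answers 415 invalid_request before next can read any form parameter.
func requireForm(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
		if err != nil || mt != "application/x-www-form-urlencoded" {
			oauthError(w, http.StatusUnsupportedMediaType, "invalid_request")
			return
		}
		next.ServeHTTP(w, r)
	})
}

// tokenHandler is a hypothetical endpoint; it is the first code to parse the body.
func tokenHandler(w http.ResponseWriter, r *http.Request) {
	if r.PostFormValue("grant_type") == "" {
		oauthError(w, http.StatusBadRequest, "invalid_request")
		return
	}
}

// probe sends a constructed request and returns the status and OAuth error code.
func probe(contentType, body string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/token", strings.NewReader(body))
	req.Header.Set("Content-Type", contentType)
	rec := httptest.NewRecorder()
	requireForm(http.HandlerFunc(tokenHandler)).ServeHTTP(rec, req)
	var e struct{ Error string `json:"error"` }
	json.NewDecoder(rec.Body).Decode(&e) // empty body on success leaves e.Error ""
	return rec.Code, e.Error
}

func main() { fmt.Println(probe("application/json", `{"grant_type":"x"}`)) }
```

Without the wrapper, Go's form parsing leaves `PostForm` empty for a JSON body, so the caller would see a 400 for a missing `grant_type` instead of the 415 that names the actual problem.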
Clarify the Account OAuth authorization redirect contract so Account Web implementers know which query parameters are present when authorization continues through hosted sign-in. Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>
Clarify that provider credential handoff passes short-lived provider codes through PAR to XBuilder Account instead of handing them to hosted sign-in. Describe hosted sign-in as the place for post-handoff interactions when account completion, identity linking, or conflict handling is required. Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>
Remove the provider-code variant and method discriminator from `CreateAccountSessionRequest` so the Account session endpoint documents only administrator-managed password sign-in. Provider credential handoff remains modeled through PAR instead of Account session creation. Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>
Clarify that provider credential handoff can complete authorization without entering hosted sign-in when the account is resolved and no hosted interaction is required. Document hosted sign-in as the interaction branch for Account Web and align the Account OAuth authorize contract with the Location-based next step semantics. Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>
Remove the `current` field from Account session response schemas. Clients can identify the active session through `GET /account/session` when needed instead of relying on session list responses. Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>
Name callback and message union branches so OpenAPI renderers show meaningful alternatives instead of anonymous object variants. Model identity provider form-post callbacks as distinct authorization-code and OAuth-error request shapes. Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>
Upgrade `xgolsw` to include unit literal completion support and teach the code editor to consume LSP `filterText` and `textEdit`. This lets unit suffix items match typed number text and apply the server-provided replacement range without changing the existing word completion path. Updates goplus/xgolsw#316 Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>
* fix: add stage white background in viewers (#3235)
* Support course series file sync (#3233)
* feat: support course series file sync
* refactor: simplify imported project metadata
* fix: pass signal when creating project releases
* Support markdown tables in Copilot messages (#3230)
* feat(spx-gui): support markdown tables in copilot messages
* perf(spx-gui): hoist markdown extensions
* refactor(spx-gui): remove jwt-decode and reduce cached username dependencies (#3224)
* remove jwt-based username parsing from sign-in flow
* reduce cached username dependencies
* harden signed-in user sync and cache scoping
* decouple user-scoped storage from cached usernames
* remove local cached username
* restore cached username for user-scoped state
* refine signed-in user fetching and clarify auth session versioning
* revert signed-in user query key with unresolved username
* remove wrong comments
* Fix potential deadlock during token refreshing (#3248)
* Avoid potential memory leak in AnimationPlayer (#3249)
* fix(spx-gui): hide pivot marker in thumbnails (#3252)
* fix(spx-gui): expose full sprite names (#3254)
* feat(spx-gui): support XGo unit completions (#3238)

Upgrade `xgolsw` to include unit literal completion support and teach the code editor to consume LSP `filterText` and `textEdit`. This lets unit suffix items match typed number text and apply the server-provided replacement range without changing the existing word completion path.

Updates goplus/xgolsw#316
Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>

---------

Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>
Co-authored-by: chennan <chennan@qiniu.com>
Co-authored-by: Aofei Sheng <aofei@aofeisheng.com>
Document dedicated avatar upload endpoints for current users and admins. Make avatar subresource mutations return no content so they do not expose parent resources as response bodies. Remove username and avatar from account user patch requests so profile writes stay scoped to concrete endpoints. Allow account app status updates through the account app patch endpoint instead of a dedicated status subresource endpoint. Clarify account user field ownership, stable user identity guidance, and OpenAPI description formatting around OAuth redirects and cookie-backed mutations. Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>
Allow Account-issued app-scoped OAuth tokens to access the current account user mutation endpoints when they have the `account:user:write` scope. Document the OAuth scope string format and add an Account-specific 401 response for endpoints that support both account session cookies and OAuth bearer tokens. Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>
Document `ui_locales` on Account OAuth PAR and the corresponding `uiLocales` Account Web route parameter so hosted sign-in can preserve an app-selected UI language preference. Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>
* docs(openapi): add XBuilder Account API spec (#3191)
Define the OpenAPI contract for XBuilder Account as the source of truth for replacing Casdoor. Cover hosted sign-in, Account OAuth, Account-issued app-scoped OAuth tokens, account sessions, account user management, admin APIs, app management, audit logs, and authorization boundaries.
Updates #3112
Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>

* docs(openapi): document OAuth unsupported media type errors (#3236)
Add the shared 415 OAuth error response for form-encoded Account OAuth endpoints so the API contract matches backend validation for unsupported request content types.
Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>

* docs(openapi): refine OAuth error response documentation (#3237)
Reorder OAuth response components by error scope and remove the unsupported media type response example to match sibling OAuth responses. Clarify that unsupported form content types return an OAuth invalid_request error before form-body OAuth parameters are read. This is a follow-up to #3236.
Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>

* docs(openapi): document hosted sign-in redirects (#3239)
Clarify the Account OAuth authorization redirect contract so Account Web implementers know which query parameters are present when authorization continues through hosted sign-in.
Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>

* docs(account): clarify provider credential handoff through PAR (#3241)
Clarify that provider credential handoff passes short-lived provider codes through PAR to XBuilder Account instead of handing them to hosted sign-in. Describe hosted sign-in as the place for post-handoff interactions when account completion, identity linking, or conflict handling is required.
Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>

* docs(openapi): make account session password-only (#3242)
Remove the provider-code variant and method discriminator from `CreateAccountSessionRequest` so the Account session endpoint documents only administrator-managed password sign-in. Provider credential handoff remains modeled through PAR instead of Account session creation.
Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>

* docs(account): clarify OAuth handoff authorization flow (#3243)
Clarify that provider credential handoff can complete authorization without entering hosted sign-in when the account is resolved and no hosted interaction is required. Document hosted sign-in as the interaction branch for Account Web and align the Account OAuth authorize contract with the Location-based next step semantics.
Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>

* docs(openapi): remove account session current flag (#3244)
Remove the `current` field from Account session response schemas. Clients can identify the active session through `GET /account/session` when needed instead of relying on session list responses.
Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>

* docs(openapi): name union schema variants (#3245)
Name callback and message union branches so OpenAPI renderers show meaningful alternatives instead of anonymous object variants. Model identity provider form-post callbacks as distinct authorization-code and OAuth-error request shapes.
Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>

* docs(account): refine account API mutation contract (#3258)
Document dedicated avatar upload endpoints for current users and admins. Make avatar subresource mutations return no content so they do not expose parent resources as response bodies. Remove username and avatar from account user patch requests so profile writes stay scoped to concrete endpoints. Allow account app status updates through the account app patch endpoint instead of a dedicated status subresource endpoint. Clarify account user field ownership, stable user identity guidance, and OpenAPI description formatting around OAuth redirects and cookie-backed mutations.
Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>

* docs(account): document scoped account profile writes (#3262)
Allow Account-issued app-scoped OAuth tokens to access the current account user mutation endpoints when they have the `account:user:write` scope. Document the OAuth scope string format and add an Account-specific 401 response for endpoints that support both account session cookies and OAuth bearer tokens.
Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>

* docs(account): document hosted sign-in locale hints (#3263)
Document `ui_locales` on Account OAuth PAR and the corresponding `uiLocales` Account Web route parameter so hosted sign-in can preserve an app-selected UI language preference.
Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>

---------

Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>
Co-authored-by: Aofei Sheng <aofei@aofeisheng.com>
Co-authored-by: chennan <chennan@qiniu.com>
Code Review
This pull request updates the XBuilder Account documentation, enhances the stage viewer screenshot functionality by hiding editor-only controls (like the pivot marker), adjusts UI styling, and improves code completion handling. The review feedback highlights a potential index mismatch bug in Vue 3 when using array refs inside v-for in StageViewer.vue, recommending a Map instead. Additionally, it identifies potential runtime TypeError crashes in NodeTransformer.vue and SpriteNode.vue due to missing null/undefined guards on Konva nodes.
…x mismatch (#3269)

* fix(stage-viewer): use Map ref for spriteNodeRefs to avoid index mismatch in v-for
In Vue 3, ref inside v-for does not guarantee the elements in the ref array match the order of the source array. Replace the array ref with a Map keyed by sprite ID and use a function ref callback to populate it, then look up the selected sprite node directly by ID.
Generated with [FennoAI](https://github.com/apps/fennoai)
Co-authored-by: nighca <1492263+nighca@users.noreply.github.com>

* style(stage-viewer): fix Prettier formatting in StageViewer.vue
Generated with [FennoAI](https://github.com/apps/fennoai)
Co-authored-by: nighca <1492263+nighca@users.noreply.github.com>

* refactor(stage-viewer): extract named setSpriteNodeRef, use shallowReactive Map
- Extract inline v-for function ref into named `setSpriteNodeRef(id)` helper
- Replace `as any` with `as InstanceType<typeof SpriteNode>` for a typed cast
- Switch `spriteNodeRefs` from `ref(new Map(...))` to `shallowReactive(new Map(...))` so the Map is directly reactive without deep-wrapping its component-instance values
- Update `selectedSpriteNode` to call `spriteNodeRefs.get()` directly (no `.value`)
Generated with [FennoAI](https://github.com/apps/fennoai)
Co-authored-by: nighca <1492263+nighca@users.noreply.github.com>

* style(stage-viewer): format StageViewer.vue with Prettier
Generated with [FennoAI](https://github.com/apps/fennoai)
Co-authored-by: nighca <1492263+nighca@users.noreply.github.com>

---------

Co-authored-by: fennoai[bot] <fennoai[bot]@users.noreply.github.com>
Co-authored-by: nighca <1492263+nighca@users.noreply.github.com>
Co-authored-by: fennoai[bot] <231223108+fennoai[bot]@users.noreply.github.com>
[skip review]