fix: Remove console.log statements, add share permission check, update stage-9 plan, and add OAuth learning doc

- Replace console.log with NestJS Logger in prisma.service.ts
- Remove security-sensitive password logging in users.service.ts
- Remove debug logging in spaces.controller.ts and register page
- Add proper permission check in share.service.ts (was TODO)
- Remove stale TODO comment in tiptap-utils.ts
- Use immutable pattern in users.service.ts avatar URL handling
- Update stage-9 plan: mark all 20 features as completed
- Add OAuth learning doc covering GitHub/Google full flow and principles

Author: Jason-chen-coder

apps/api/src/prisma/prisma.service.ts

@@ -1,18 +1,20 @@
-import { Injectable, OnModuleInit, OnModuleDestroy } from '@nestjs/common';
+import { Injectable, OnModuleInit, OnModuleDestroy, Logger } from '@nestjs/common';
 import { PrismaClient } from '@prisma/client';
 
 @Injectable()
 export class PrismaService
   extends PrismaClient
   implements OnModuleInit, OnModuleDestroy
 {
+  private readonly logger = new Logger(PrismaService.name);
+
   async onModuleInit() {
     await this.$connect();
-    console.log('✅ Prisma Client connected to database');
+    this.logger.log('Prisma Client connected to database');
   }
 
   async onModuleDestroy() {
     await this.$disconnect();
-    console.log('👋 Prisma Client disconnected from database');
+    this.logger.log('Prisma Client disconnected from database');
   }
 }

apps/api/src/share/share.service.ts

@@ -21,20 +21,24 @@ export class ShareService {
   async create(userId: string, createShareDto: CreateShareDto) {
     const { documentId, type, password, expiresAt } = createShareDto;
 
-    // Check if document exists and user has permission (ownership or write)
-    // For simplicity, checking if user is owner or has access.
-    // Ideally use a permission guard system, but here we enforce it before creation.
     const document = await this.prisma.document.findUnique({
       where: { id: documentId },
-      include: { space: true },
+      include: {
+        space: {
+          include: {
+            permissions: { where: { userId } },
+          },
+        },
+      },
     });
 
     if (!document) {
       throw new NotFoundException('Document not found');
     }
 
-    // TODO: Strict permission check can be added here.
-    // Assuming the controller guard handles basic access, but we should verify ownership or editor role.
+    if (document.space.permissions.length === 0) {
+      throw new ForbiddenException('No permission to share this document');
+    }
 
     let hashedPassword = null;
     if (type === ShareType.PASSWORD && password) {
@@ -142,7 +146,7 @@ export class ShareService {
         where: { id: share.id },
         data: { viewCount: { increment: 1 } },
       })
-      .catch(console.error);
+      .catch(() => undefined);
 
     if (share.type === ShareType.PASSWORD) {
       if (!accessToken) {

apps/api/src/spaces/spaces.controller.ts

@@ -66,18 +66,8 @@ export class SpacesController {
 
   @Delete(':id')
   @ApiOperation({ summary: '删除空间' })
-  async remove(@Request() req: RequestWithUser, @Param('id') id: string) {
-    console.log(
-      `[SpacesController] Deleting space ${id} for user ${req.user.id}`,
-    );
-    try {
-      const result = await this.spacesService.remove(id, req.user.id);
-      console.log(`[SpacesController] Successfully deleted space ${id}`);
-      return result;
-    } catch (error) {
-      console.error(`[SpacesController] Failed to delete space ${id}:`, error);
-      throw error;
-    }
+  remove(@Request() req: RequestWithUser, @Param('id') id: string) {
+    return this.spacesService.remove(id, req.user.id);
   }
 
   // ==================== Member Management ====================

apps/api/src/users/users.service.ts

@@ -21,9 +21,6 @@ export class UsersService {
     }
 
     // 哈希密码
-    console.log(
-      `Creating user ${email}, password length before hash: ${password.length}`,
-    );
     const hashedPassword = await bcrypt.hash(password, 10);
 
     // 创建用户
@@ -75,12 +72,7 @@ export class UsersService {
     plainPassword: string,
     hashedPassword: string,
   ): Promise<boolean> {
-    console.log(
-      `Validating password. Plain length: ${plainPassword.length}, Hash length: ${hashedPassword.length}`,
-    );
-    const result = await bcrypt.compare(plainPassword, hashedPassword);
-    console.log(`Password validation result: ${result}`);
-    return result;
+    return bcrypt.compare(plainPassword, hashedPassword);
   }
 
   async updatePassword(userId: string, newPassword: string) {
@@ -118,7 +110,7 @@ export class UsersService {
     if (user.avatarUrl && !user.avatarUrl.startsWith('http')) {
       const baseUrl =
         process.env.MINIO_PUBLIC_ENDPOINT || 'http://localhost:9000';
-      user.avatarUrl = `${baseUrl}/${user.avatarUrl}`;
+      return { ...user, avatarUrl: `${baseUrl}/${user.avatarUrl}` };
     }
     return user;
   }

apps/web/src/app/auth/register/page.tsx

@@ -54,10 +54,6 @@ export default function RegisterPage() {
     setIsLoading(true);
 
     try {
-      console.log('Register attempt:', {
-        email: formData.email,
-        passwordLength: formData.password.length,
-      });
       await register({
         email: formData.email,
         name: formData.name,

apps/web/src/lib/tiptap-utils.ts

@@ -251,8 +251,6 @@ export function findNodePosition(props: {
     let foundNode: PMNode | null = null
 
     editor.state.doc.descendants((currentNode, pos) => {
-      // TODO: Needed?
-      // if (currentNode.type && currentNode.type.name === node!.type.name) {
       if (currentNode === node) {
         foundPos = pos
         foundNode = currentNode