fish/trade
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

管理员默认密码 admin/admin,首次登录强制改密码;增加服务器部署配置

Browse Source 
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
fish
2026-05-03 17:44:08 +08:00
parent ff09715511
commit d742d4972c
14 changed files with 350 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
web/backend/internal/auth/bootstrap.go
View File

@@ -6,9 +6,9 @@ import (
"trade/web/internal/store"
)
// Bootstrap 在 auth.db 没有任何 admin 时,从 ADMIN_USER/ADMIN_PASS 写入一条管理员;
// 已存在 admin 时静默跳过,避免轮换 env 时静默改密
func Bootstrap(s *store.AuthStore, adminUser, adminPass string) error {
// Bootstrap 在 auth.db 没有任何 admin 时,写入默认管理员 admin/admin;
// 并强制首次登录后改密码。已存在 admin 时静默跳过。
func Bootstrap(s *store.AuthStore) error {
n, err := s.CountAdmins()
if err != nil {
return err
@@ -16,17 +16,17 @@ func Bootstrap(s *store.AuthStore, adminUser, adminPass string) error {
if n > 0 {
return nil
}
if adminUser == "" || adminPass == "" {
log.Printf("[bootstrap] auth.db 无 admin,但 ADMIN_USER/ADMIN_PASS 未设置,跳过引导")
return nil
}
hash, err := HashPassword(adminPass)
hash, err := HashPassword("admin")
if err != nil {
return err
}
if _, err := s.CreateUser(adminUser, hash, store.RoleAdmin); err != nil {
u, err := s.CreateUser("admin", hash, store.RoleAdmin)
if err != nil {
return err
}
log.Printf("[bootstrap] admin %q created", adminUser)
if err := s.SetForcePasswordChange(u.ID, true); err != nil {
return err
}
log.Printf("[bootstrap] admin created (default password), force password change enabled")
return nil
}

4
web/backend/internal/config/config.go
View File

@@ -11,8 +11,6 @@ type Config struct {
DatabaseURL string
AuthDBPath string
JWTSecret []byte
AdminUser string
AdminPass string
TushareAPIURL string
}
@@ -21,8 +19,6 @@ func Load() (*Config, error) {
ListenAddr: getenv("LISTEN_ADDR", ":8080"),
DatabaseURL: os.Getenv("DATABASE_URL"),
AuthDBPath: getenv("AUTH_DB_PATH", "/app/auth/auth.db"),
AdminUser: strings.TrimSpace(os.Getenv("ADMIN_USER")),
AdminPass: os.Getenv("ADMIN_PASS"),
TushareAPIURL: getenv("TUSHARE_API_URL", "http://tushare:8000"),
}
if cfg.DatabaseURL == "" {

85
web/backend/internal/handlers/auth.go
View File

@@ -16,14 +16,21 @@ type loginReq struct {
}
type loginResp struct {
Token string `json:"token"`
User publicUserView `json:"user"`
Token string `json:"token"`
User publicUserView `json:"user"`
RequirePasswordChange bool `json:"require_password_change"`
}
type publicUserView struct {
ID int64 `json:"id"`
Username string `json:"username"`
Role string `json:"role"`
ID int64 `json:"id"`
Username string `json:"username"`
Role string `json:"role"`
ForcePasswordChange bool `json:"force_password_change"`
}
type changePasswordReq struct {
OldPassword string `json:"old_password"`
NewPassword string `json:"new_password"`
}
func (d *Deps) Login(w http.ResponseWriter, r *http.Request) {
@@ -54,10 +61,63 @@ func (d *Deps) Login(w http.ResponseWriter, r *http.Request) {
}
writeJSON(w, http.StatusOK, loginResp{
Token: token,
User: publicUserView{ID: u.ID, Username: u.Username, Role: u.Role},
User: publicUserView{
ID: u.ID,
Username: u.Username,
Role: u.Role,
ForcePasswordChange: u.ForcePasswordChange,
},
RequirePasswordChange: u.ForcePasswordChange,
})
}
func (d *Deps) ChangePassword(w http.ResponseWriter, r *http.Request) {
me, ok := middleware.FromContext(r.Context())
if !ok {
writeErr(w, http.StatusUnauthorized, "no user")
return
}
var req changePasswordReq
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeErr(w, http.StatusBadRequest, "invalid json")
return
}
if req.OldPassword == "" || req.NewPassword == "" {
writeErr(w, http.StatusBadRequest, "旧密码和新密码都不能为空")
return
}
if len(req.NewPassword) < 6 {
writeErr(w, http.StatusBadRequest, "新密码至少 6 位")
return
}
u, err := d.Auth.GetByID(me.ID)
if err != nil {
writeErr(w, http.StatusUnauthorized, "user not found")
return
}
if !auth.CheckPassword(u.PasswordHash, req.OldPassword) {
writeErr(w, http.StatusUnauthorized, "旧密码错误")
return
}
hash, err := auth.HashPassword(req.NewPassword)
if err != nil {
writeErr(w, http.StatusInternalServerError, "hash failed")
return
}
if err := d.Auth.UpdatePassword(me.ID, hash); err != nil {
writeErr(w, http.StatusInternalServerError, err.Error())
return
}
// 改密码后清除强制改密标记
if err := d.Auth.SetForcePasswordChange(me.ID, false); err != nil {
writeErr(w, http.StatusInternalServerError, err.Error())
return
}
writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
}
func (d *Deps) Logout(w http.ResponseWriter, r *http.Request) {
// JWT 是无状态的,服务端 logout 仅形式化;前端丢弃 token 即可。
writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
@@ -80,11 +140,12 @@ func (d *Deps) Me(w http.ResponseWriter, r *http.Request) {
// sanitize 把内部 User 转成对外视图,剥掉 password_hash。
func sanitize(u *store.User) map[string]any {
return map[string]any{
"id": u.ID,
"username": u.Username,
"role": u.Role,
"disabled": u.Disabled,
"created_at": u.CreatedAt,
"updated_at": u.UpdatedAt,
"id": u.ID,
"username": u.Username,
"role": u.Role,
"disabled": u.Disabled,
"force_password_change": u.ForcePasswordChange,
"created_at": u.CreatedAt,
"updated_at": u.UpdatedAt,
}
}

5
web/backend/internal/handlers/users.go
View File

@@ -100,6 +100,11 @@ func (d *Deps) AdminPatchUser(w http.ResponseWriter, r *http.Request) {
writeErr(w, statusForErr(err), err.Error())
return
}
// 管理员重置密码后,强制用户下次登录改密
if err := d.Auth.SetForcePasswordChange(id, true); err != nil {
writeErr(w, statusForErr(err), err.Error())
return
}
}
if req.Disabled != nil {
// 禁止禁用自己,避免管理员锁死自己

1
web/backend/internal/router/router.go
View File

@@ -26,6 +26,7 @@ func New(d *handlers.Deps, mgr *auth.Manager, authStore *store.AuthStore, dist f
r.Post("/logout", d.Logout)
r.Get("/me", d.Me)
r.Post("/change-password", d.ChangePassword)
r.Get("/scores", d.ListScores)
r.Get("/scores/{id}", d.GetScore)
r.Get("/contracts", d.ListContracts)

49
web/backend/internal/store/auth.go
View File

@@ -13,13 +13,14 @@ import (
type AuthStore struct{ db *sql.DB }
type User struct {
ID int64 `json:"id"`
Username string `json:"username"`
PasswordHash string `json:"-"`
Role string `json:"role"`
Disabled bool `json:"disabled"`
CreatedAt string `json:"created_at"`
UpdatedAt string `json:"updated_at"`
ID int64 `json:"id"`
Username string `json:"username"`
PasswordHash string `json:"-"`
Role string `json:"role"`
Disabled bool `json:"disabled"`
ForcePasswordChange bool `json:"force_password_change"`
CreatedAt string `json:"created_at"`
UpdatedAt string `json:"updated_at"`
}
const (
@@ -64,7 +65,12 @@ func (s *AuthStore) init() error {
);
CREATE INDEX IF NOT EXISTS idx_users_username ON users(username);
`)
return err
if err != nil {
return err
}
// 兼容旧表:添加 force_password_change 列(已存在则忽略错误)
_, _ = s.db.Exec(`ALTER TABLE users ADD COLUMN force_password_change INTEGER NOT NULL DEFAULT 0`)
return nil
}
func (s *AuthStore) CountAdmins() (int, error) {
@@ -89,19 +95,19 @@ func (s *AuthStore) CreateUser(username, passwordHash, role string) (*User, erro
}
func (s *AuthStore) GetByUsername(username string) (*User, error) {
row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, created_at, updated_at
row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, force_password_change, created_at, updated_at
FROM users WHERE username = ?`, username)
return scanUser(row)
}
func (s *AuthStore) GetByID(id int64) (*User, error) {
row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, created_at, updated_at
row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, force_password_change, created_at, updated_at
FROM users WHERE id = ?`, id)
return scanUser(row)
}
func (s *AuthStore) ListUsers() ([]User, error) {
rows, err := s.db.Query(`SELECT id, username, password_hash, role, disabled, created_at, updated_at
rows, err := s.db.Query(`SELECT id, username, password_hash, role, disabled, force_password_change, created_at, updated_at
FROM users ORDER BY id ASC`)
if err != nil {
return nil, err
@@ -131,6 +137,23 @@ func (s *AuthStore) UpdatePassword(id int64, hash string) error {
return nil
}
func (s *AuthStore) SetForcePasswordChange(id int64, v bool) error {
now := time.Now().Format("2006-01-02 15:04:05")
val := 0
if v {
val = 1
}
res, err := s.db.Exec(`UPDATE users SET force_password_change = ?, updated_at = ? WHERE id = ?`, val, now, id)
if err != nil {
return err
}
n, _ := res.RowsAffected()
if n == 0 {
return ErrNotFound
}
return nil
}
func (s *AuthStore) SetDisabled(id int64, disabled bool) error {
now := time.Now().Format("2006-01-02 15:04:05")
v := 0
@@ -167,13 +190,15 @@ type rowScanner interface {
func scanUser(r rowScanner) (*User, error) {
var u User
var disabled int
if err := r.Scan(&u.ID, &u.Username, &u.PasswordHash, &u.Role, &disabled, &u.CreatedAt, &u.UpdatedAt); err != nil {
var forceChange int
if err := r.Scan(&u.ID, &u.Username, &u.PasswordHash, &u.Role, &disabled, &forceChange, &u.CreatedAt, &u.UpdatedAt); err != nil {
if errors.Is(err, sql.ErrNoRows) {
return nil, ErrNotFound
}
return nil, err
}
u.Disabled = disabled != 0
u.ForcePasswordChange = forceChange != 0
return &u, nil
}

2
web/backend/main.go
View File

@@ -36,7 +36,7 @@ func main() {
}
defer authDB.Close()
if err := auth.Bootstrap(authDB, cfg.AdminUser, cfg.AdminPass); err != nil {
if err := auth.Bootstrap(authDB); err != nil {
log.Fatalf("bootstrap: %v", err)
}