管理员默认密码 admin/admin，首次登录强制改密码；增加服务器部署配置

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-03 17:44:08 +08:00
parent ff09715511
commit d742d4972c
14 changed files with 350 additions and 49 deletions
--- a/web/backend/internal/auth/bootstrap.go
+++ b/web/backend/internal/auth/bootstrap.go
@@ -6,9 +6,9 @@ import (
 	"trade/web/internal/store"
 )

-// Bootstrap 在 auth.db 没有任何 admin 时,从 ADMIN_USER/ADMIN_PASS 写入一条管理员;
-// 已存在 admin 时静默跳过,避免轮换 env 时静默改密。
-func Bootstrap(s *store.AuthStore, adminUser, adminPass string) error {
+// Bootstrap 在 auth.db 没有任何 admin 时,写入默认管理员 admin/admin;
+// 并强制首次登录后改密码。已存在 admin 时静默跳过。
+func Bootstrap(s *store.AuthStore) error {
 	n, err := s.CountAdmins()
 	if err != nil {
 		return err
@@ -16,17 +16,17 @@ func Bootstrap(s *store.AuthStore, adminUser, adminPass string) error {
 	if n > 0 {
 		return nil
 	}
-	if adminUser == "" || adminPass == "" {
-		log.Printf("[bootstrap] auth.db 无 admin,但 ADMIN_USER/ADMIN_PASS 未设置,跳过引导")
-		return nil
-	}
-	hash, err := HashPassword(adminPass)
+	hash, err := HashPassword("admin")
 	if err != nil {
 		return err
 	}
-	if _, err := s.CreateUser(adminUser, hash, store.RoleAdmin); err != nil {
+	u, err := s.CreateUser("admin", hash, store.RoleAdmin)
+	if err != nil {
 		return err
 	}
-	log.Printf("[bootstrap] admin %q created", adminUser)
+	if err := s.SetForcePasswordChange(u.ID, true); err != nil {
+		return err
+	}
+	log.Printf("[bootstrap] admin created (default password), force password change enabled")
 	return nil
 }
--- a/web/backend/internal/config/config.go
+++ b/web/backend/internal/config/config.go
@@ -11,8 +11,6 @@ type Config struct {
 	DatabaseURL    string
 	AuthDBPath     string
 	JWTSecret      []byte
-	AdminUser      string
-	AdminPass      string
 	TushareAPIURL  string
 }

@@ -21,8 +19,6 @@ func Load() (*Config, error) {
 		ListenAddr:    getenv("LISTEN_ADDR", ":8080"),
 		DatabaseURL:   os.Getenv("DATABASE_URL"),
 		AuthDBPath:    getenv("AUTH_DB_PATH", "/app/auth/auth.db"),
-		AdminUser:     strings.TrimSpace(os.Getenv("ADMIN_USER")),
-		AdminPass:     os.Getenv("ADMIN_PASS"),
 		TushareAPIURL: getenv("TUSHARE_API_URL", "http://tushare:8000"),
 	}
 	if cfg.DatabaseURL == "" {
--- a/web/backend/internal/handlers/auth.go
+++ b/web/backend/internal/handlers/auth.go
@@ -16,14 +16,21 @@ type loginReq struct {
 }

 type loginResp struct {
-	Token string         `json:"token"`
-	User  publicUserView `json:"user"`
+	Token                 string         `json:"token"`
+	User                  publicUserView `json:"user"`
+	RequirePasswordChange bool           `json:"require_password_change"`
 }

 type publicUserView struct {
-	ID       int64  `json:"id"`
-	Username string `json:"username"`
-	Role     string `json:"role"`
+	ID                  int64  `json:"id"`
+	Username            string `json:"username"`
+	Role                string `json:"role"`
+	ForcePasswordChange bool   `json:"force_password_change"`
+}
+
+type changePasswordReq struct {
+	OldPassword string `json:"old_password"`
+	NewPassword string `json:"new_password"`
 }

 func (d *Deps) Login(w http.ResponseWriter, r *http.Request) {
@@ -54,10 +61,63 @@ func (d *Deps) Login(w http.ResponseWriter, r *http.Request) {
 	}
 	writeJSON(w, http.StatusOK, loginResp{
 		Token: token,
-		User:  publicUserView{ID: u.ID, Username: u.Username, Role: u.Role},
+		User: publicUserView{
+			ID:                  u.ID,
+			Username:            u.Username,
+			Role:                u.Role,
+			ForcePasswordChange: u.ForcePasswordChange,
+		},
+		RequirePasswordChange: u.ForcePasswordChange,
 	})
 }

+func (d *Deps) ChangePassword(w http.ResponseWriter, r *http.Request) {
+	me, ok := middleware.FromContext(r.Context())
+	if !ok {
+		writeErr(w, http.StatusUnauthorized, "no user")
+		return
+	}
+	var req changePasswordReq
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeErr(w, http.StatusBadRequest, "invalid json")
+		return
+	}
+	if req.OldPassword == "" || req.NewPassword == "" {
+		writeErr(w, http.StatusBadRequest, "旧密码和新密码都不能为空")
+		return
+	}
+	if len(req.NewPassword) < 6 {
+		writeErr(w, http.StatusBadRequest, "新密码至少 6 位")
+		return
+	}
+
+	u, err := d.Auth.GetByID(me.ID)
+	if err != nil {
+		writeErr(w, http.StatusUnauthorized, "user not found")
+		return
+	}
+	if !auth.CheckPassword(u.PasswordHash, req.OldPassword) {
+		writeErr(w, http.StatusUnauthorized, "旧密码错误")
+		return
+	}
+
+	hash, err := auth.HashPassword(req.NewPassword)
+	if err != nil {
+		writeErr(w, http.StatusInternalServerError, "hash failed")
+		return
+	}
+	if err := d.Auth.UpdatePassword(me.ID, hash); err != nil {
+		writeErr(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	// 改密码后清除强制改密标记
+	if err := d.Auth.SetForcePasswordChange(me.ID, false); err != nil {
+		writeErr(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
+}
+
 func (d *Deps) Logout(w http.ResponseWriter, r *http.Request) {
 	// JWT 是无状态的,服务端 logout 仅形式化;前端丢弃 token 即可。
 	writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
@@ -80,11 +140,12 @@ func (d *Deps) Me(w http.ResponseWriter, r *http.Request) {
 // sanitize 把内部 User 转成对外视图,剥掉 password_hash。
 func sanitize(u *store.User) map[string]any {
 	return map[string]any{
-		"id":         u.ID,
-		"username":   u.Username,
-		"role":       u.Role,
-		"disabled":   u.Disabled,
-		"created_at": u.CreatedAt,
-		"updated_at": u.UpdatedAt,
+		"id":                    u.ID,
+		"username":              u.Username,
+		"role":                  u.Role,
+		"disabled":              u.Disabled,
+		"force_password_change": u.ForcePasswordChange,
+		"created_at":            u.CreatedAt,
+		"updated_at":            u.UpdatedAt,
 	}
 }
--- a/web/backend/internal/handlers/users.go
+++ b/web/backend/internal/handlers/users.go
@@ -100,6 +100,11 @@ func (d *Deps) AdminPatchUser(w http.ResponseWriter, r *http.Request) {
 			writeErr(w, statusForErr(err), err.Error())
 			return
 		}
+		// 管理员重置密码后,强制用户下次登录改密
+		if err := d.Auth.SetForcePasswordChange(id, true); err != nil {
+			writeErr(w, statusForErr(err), err.Error())
+			return
+		}
 	}
 	if req.Disabled != nil {
 		// 禁止禁用自己,避免管理员锁死自己
--- a/web/backend/internal/router/router.go
+++ b/web/backend/internal/router/router.go
@@ -26,6 +26,7 @@ func New(d *handlers.Deps, mgr *auth.Manager, authStore *store.AuthStore, dist f

 			r.Post("/logout", d.Logout)
 			r.Get("/me", d.Me)
+			r.Post("/change-password", d.ChangePassword)
 			r.Get("/scores", d.ListScores)
 			r.Get("/scores/{id}", d.GetScore)
 			r.Get("/contracts", d.ListContracts)
--- a/web/backend/internal/store/auth.go
+++ b/web/backend/internal/store/auth.go
@@ -13,13 +13,14 @@ import (
 type AuthStore struct{ db *sql.DB }

 type User struct {
-	ID           int64  `json:"id"`
-	Username     string `json:"username"`
-	PasswordHash string `json:"-"`
-	Role         string `json:"role"`
-	Disabled     bool   `json:"disabled"`
-	CreatedAt    string `json:"created_at"`
-	UpdatedAt    string `json:"updated_at"`
+	ID                  int64  `json:"id"`
+	Username            string `json:"username"`
+	PasswordHash        string `json:"-"`
+	Role                string `json:"role"`
+	Disabled            bool   `json:"disabled"`
+	ForcePasswordChange bool   `json:"force_password_change"`
+	CreatedAt           string `json:"created_at"`
+	UpdatedAt           string `json:"updated_at"`
 }

 const (
@@ -64,7 +65,12 @@ func (s *AuthStore) init() error {
 		);
 		CREATE INDEX IF NOT EXISTS idx_users_username ON users(username);
 	`)
-	return err
+	if err != nil {
+		return err
+	}
+	// 兼容旧表：添加 force_password_change 列（已存在则忽略错误）
+	_, _ = s.db.Exec(`ALTER TABLE users ADD COLUMN force_password_change INTEGER NOT NULL DEFAULT 0`)
+	return nil
 }

 func (s *AuthStore) CountAdmins() (int, error) {
@@ -89,19 +95,19 @@ func (s *AuthStore) CreateUser(username, passwordHash, role string) (*User, erro
 }

 func (s *AuthStore) GetByUsername(username string) (*User, error) {
-	row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, created_at, updated_at
+	row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, force_password_change, created_at, updated_at
 		FROM users WHERE username = ?`, username)
 	return scanUser(row)
 }

 func (s *AuthStore) GetByID(id int64) (*User, error) {
-	row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, created_at, updated_at
+	row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, force_password_change, created_at, updated_at
 		FROM users WHERE id = ?`, id)
 	return scanUser(row)
 }

 func (s *AuthStore) ListUsers() ([]User, error) {
-	rows, err := s.db.Query(`SELECT id, username, password_hash, role, disabled, created_at, updated_at
+	rows, err := s.db.Query(`SELECT id, username, password_hash, role, disabled, force_password_change, created_at, updated_at
 		FROM users ORDER BY id ASC`)
 	if err != nil {
 		return nil, err
@@ -131,6 +137,23 @@ func (s *AuthStore) UpdatePassword(id int64, hash string) error {
 	return nil
 }

+func (s *AuthStore) SetForcePasswordChange(id int64, v bool) error {
+	now := time.Now().Format("2006-01-02 15:04:05")
+	val := 0
+	if v {
+		val = 1
+	}
+	res, err := s.db.Exec(`UPDATE users SET force_password_change = ?, updated_at = ? WHERE id = ?`, val, now, id)
+	if err != nil {
+		return err
+	}
+	n, _ := res.RowsAffected()
+	if n == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
 func (s *AuthStore) SetDisabled(id int64, disabled bool) error {
 	now := time.Now().Format("2006-01-02 15:04:05")
 	v := 0
@@ -167,13 +190,15 @@ type rowScanner interface {
 func scanUser(r rowScanner) (*User, error) {
 	var u User
 	var disabled int
-	if err := r.Scan(&u.ID, &u.Username, &u.PasswordHash, &u.Role, &disabled, &u.CreatedAt, &u.UpdatedAt); err != nil {
+	var forceChange int
+	if err := r.Scan(&u.ID, &u.Username, &u.PasswordHash, &u.Role, &disabled, &forceChange, &u.CreatedAt, &u.UpdatedAt); err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return nil, ErrNotFound
 		}
 		return nil, err
 	}
 	u.Disabled = disabled != 0
+	u.ForcePasswordChange = forceChange != 0
 	return &u, nil
 }