管理员默认密码 admin/admin，首次登录强制改密码；增加服务器部署配置

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

web/backend/internal/handlers/auth.go

@@ -16,14 +16,21 @@ type loginReq struct {
 }
 
 type loginResp struct {
-	Token string         `json:"token"`
-	User  publicUserView `json:"user"`
+	Token                 string         `json:"token"`
+	User                  publicUserView `json:"user"`
+	RequirePasswordChange bool           `json:"require_password_change"`
 }
 
 type publicUserView struct {
-	ID       int64  `json:"id"`
-	Username string `json:"username"`
-	Role     string `json:"role"`
+	ID                  int64  `json:"id"`
+	Username            string `json:"username"`
+	Role                string `json:"role"`
+	ForcePasswordChange bool   `json:"force_password_change"`
+}
+
+type changePasswordReq struct {
+	OldPassword string `json:"old_password"`
+	NewPassword string `json:"new_password"`
 }
 
 func (d *Deps) Login(w http.ResponseWriter, r *http.Request) {
@@ -54,10 +61,63 @@ func (d *Deps) Login(w http.ResponseWriter, r *http.Request) {
 	}
 	writeJSON(w, http.StatusOK, loginResp{
 		Token: token,
-		User:  publicUserView{ID: u.ID, Username: u.Username, Role: u.Role},
+		User: publicUserView{
+			ID:                  u.ID,
+			Username:            u.Username,
+			Role:                u.Role,
+			ForcePasswordChange: u.ForcePasswordChange,
+		},
+		RequirePasswordChange: u.ForcePasswordChange,
 	})
 }
 
+func (d *Deps) ChangePassword(w http.ResponseWriter, r *http.Request) {
+	me, ok := middleware.FromContext(r.Context())
+	if !ok {
+		writeErr(w, http.StatusUnauthorized, "no user")
+		return
+	}
+	var req changePasswordReq
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeErr(w, http.StatusBadRequest, "invalid json")
+		return
+	}
+	if req.OldPassword == "" || req.NewPassword == "" {
+		writeErr(w, http.StatusBadRequest, "旧密码和新密码都不能为空")
+		return
+	}
+	if len(req.NewPassword) < 6 {
+		writeErr(w, http.StatusBadRequest, "新密码至少 6 位")
+		return
+	}
+
+	u, err := d.Auth.GetByID(me.ID)
+	if err != nil {
+		writeErr(w, http.StatusUnauthorized, "user not found")
+		return
+	}
+	if !auth.CheckPassword(u.PasswordHash, req.OldPassword) {
+		writeErr(w, http.StatusUnauthorized, "旧密码错误")
+		return
+	}
+
+	hash, err := auth.HashPassword(req.NewPassword)
+	if err != nil {
+		writeErr(w, http.StatusInternalServerError, "hash failed")
+		return
+	}
+	if err := d.Auth.UpdatePassword(me.ID, hash); err != nil {
+		writeErr(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	// 改密码后清除强制改密标记
+	if err := d.Auth.SetForcePasswordChange(me.ID, false); err != nil {
+		writeErr(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
+}
+
 func (d *Deps) Logout(w http.ResponseWriter, r *http.Request) {
 	// JWT 是无状态的,服务端 logout 仅形式化;前端丢弃 token 即可。
 	writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
@@ -80,11 +140,12 @@ func (d *Deps) Me(w http.ResponseWriter, r *http.Request) {
 // sanitize 把内部 User 转成对外视图,剥掉 password_hash。
 func sanitize(u *store.User) map[string]any {
 	return map[string]any{
-		"id":         u.ID,
-		"username":   u.Username,
-		"role":       u.Role,
-		"disabled":   u.Disabled,
-		"created_at": u.CreatedAt,
-		"updated_at": u.UpdatedAt,
+		"id":                    u.ID,
+		"username":              u.Username,
+		"role":                  u.Role,
+		"disabled":              u.Disabled,
+		"force_password_change": u.ForcePasswordChange,
+		"created_at":            u.CreatedAt,
+		"updated_at":            u.UpdatedAt,
 	}
 }

web/backend/internal/handlers/users.go

@@ -100,6 +100,11 @@ func (d *Deps) AdminPatchUser(w http.ResponseWriter, r *http.Request) {
 			writeErr(w, statusForErr(err), err.Error())
 			return
 		}
+		// 管理员重置密码后,强制用户下次登录改密
+		if err := d.Auth.SetForcePasswordChange(id, true); err != nil {
+			writeErr(w, statusForErr(err), err.Error())
+			return
+		}
 	}
 	if req.Disabled != nil {
 		// 禁止禁用自己,避免管理员锁死自己