fish/trade
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

管理员默认密码 admin/admin,首次登录强制改密码;增加服务器部署配置

Browse Source 
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
fish
2026-05-03 17:44:08 +08:00
parent ff09715511
commit d742d4972c
14 changed files with 350 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
docker-compose.server.yml Normal file
View File

@@ -0,0 +1,64 @@
services:
postgres:
image: postgres:18.3-alpine3.23
container_name: trade-postgres
environment:
POSTGRES_USER: trade
POSTGRES_PASSWORD: trade
POSTGRES_DB: futures
volumes:
- pgdata:/var/lib/postgresql
healthcheck:
test: ["CMD-SHELL", "pg_isready -U trade -d futures"]
interval: 5s
timeout: 5s
retries: 5
restart: unless-stopped
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
tushare:
image: registry.fishestlife.com/trade-tushare:latest
container_name: trade-tushare
env_file: ./tushare/.env
environment:
- DATABASE_URL=postgresql://trade:trade@postgres:5432/futures
depends_on:
postgres:
condition: service_healthy
ports:
- "4001:8000"
command: ["uvicorn", "src.api:app", "--host", "0.0.0.0", "--port", "8000"]
restart: unless-stopped
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
web:
image: registry.fishestlife.com/trade-web:latest
container_name: trade-web
env_file: ./web/backend/.env
environment:
- LISTEN_ADDR=:8080
- DATABASE_URL=postgres://trade:trade@postgres:5432/futures?sslmode=disable
- AUTH_DB_PATH=/app/auth/auth.db
depends_on:
- postgres
ports:
- "4000:8080"
volumes:
- ./data:/app/auth
restart: unless-stopped
logging:
driver: json-file
options:
max-size: "10m"
max-file: "3"
volumes:
pgdata:

4
docker-compose.yml
View File

@@ -24,7 +24,7 @@ services:
postgres: postgres:
condition: service_healthy condition: service_healthy
ports: ports:
- "8000:8000" - "4001:8000"
command: ["uvicorn", "src.api:app", "--host", "0.0.0.0", "--port", "8000"] command: ["uvicorn", "src.api:app", "--host", "0.0.0.0", "--port", "8000"]
web: web:
@@ -40,7 +40,7 @@ services:
depends_on: depends_on:
- postgres - postgres
ports: ports:
- "8080:8080" - "4000:8080"
volumes: volumes:
- ./data:/app/auth - ./data:/app/auth
restart: unless-stopped restart: unless-stopped

20
web/backend/internal/auth/bootstrap.go
View File

@@ -6,9 +6,9 @@ import (
"trade/web/internal/store" "trade/web/internal/store"
) )
// Bootstrap 在 auth.db 没有任何 admin 时,从 ADMIN_USER/ADMIN_PASS 写入一条管理员; // Bootstrap 在 auth.db 没有任何 admin 时,写入默认管理员 admin/admin;
// 已存在 admin 时静默跳过,避免轮换 env 时静默改密 // 并强制首次登录后改密码。已存在 admin 时静默跳过。
func Bootstrap(s *store.AuthStore, adminUser, adminPass string) error { func Bootstrap(s *store.AuthStore) error {
n, err := s.CountAdmins() n, err := s.CountAdmins()
if err != nil { if err != nil {
return err return err
@@ -16,17 +16,17 @@ func Bootstrap(s *store.AuthStore, adminUser, adminPass string) error {
if n > 0 { if n > 0 {
return nil return nil
} }
if adminUser == "" || adminPass == "" { hash, err := HashPassword("admin")
log.Printf("[bootstrap] auth.db 无 admin,但 ADMIN_USER/ADMIN_PASS 未设置,跳过引导")
return nil
}
hash, err := HashPassword(adminPass)
if err != nil { if err != nil {
return err return err
} }
if _, err := s.CreateUser(adminUser, hash, store.RoleAdmin); err != nil { u, err := s.CreateUser("admin", hash, store.RoleAdmin)
if err != nil {
return err return err
} }
log.Printf("[bootstrap] admin %q created", adminUser) if err := s.SetForcePasswordChange(u.ID, true); err != nil {
return err
}
log.Printf("[bootstrap] admin created (default password), force password change enabled")
return nil return nil
} }

4
web/backend/internal/config/config.go
View File

@@ -11,8 +11,6 @@ type Config struct {
DatabaseURL string DatabaseURL string
AuthDBPath string AuthDBPath string
JWTSecret []byte JWTSecret []byte
AdminUser string
AdminPass string
TushareAPIURL string TushareAPIURL string
} }
@@ -21,8 +19,6 @@ func Load() (*Config, error) {
ListenAddr: getenv("LISTEN_ADDR", ":8080"), ListenAddr: getenv("LISTEN_ADDR", ":8080"),
DatabaseURL: os.Getenv("DATABASE_URL"), DatabaseURL: os.Getenv("DATABASE_URL"),
AuthDBPath: getenv("AUTH_DB_PATH", "/app/auth/auth.db"), AuthDBPath: getenv("AUTH_DB_PATH", "/app/auth/auth.db"),
AdminUser: strings.TrimSpace(os.Getenv("ADMIN_USER")),
AdminPass: os.Getenv("ADMIN_PASS"),
TushareAPIURL: getenv("TUSHARE_API_URL", "http://tushare:8000"), TushareAPIURL: getenv("TUSHARE_API_URL", "http://tushare:8000"),
} }
if cfg.DatabaseURL == "" { if cfg.DatabaseURL == "" {

85
web/backend/internal/handlers/auth.go
View File

@@ -16,14 +16,21 @@ type loginReq struct {
} }
type loginResp struct { type loginResp struct {
Token string `json:"token"` Token string `json:"token"`
User publicUserView `json:"user"` User publicUserView `json:"user"`
RequirePasswordChange bool `json:"require_password_change"`
} }
type publicUserView struct { type publicUserView struct {
ID int64 `json:"id"` ID int64 `json:"id"`
Username string `json:"username"` Username string `json:"username"`
Role string `json:"role"` Role string `json:"role"`
ForcePasswordChange bool `json:"force_password_change"`
}
type changePasswordReq struct {
OldPassword string `json:"old_password"`
NewPassword string `json:"new_password"`
} }
func (d *Deps) Login(w http.ResponseWriter, r *http.Request) { func (d *Deps) Login(w http.ResponseWriter, r *http.Request) {
@@ -54,10 +61,63 @@ func (d *Deps) Login(w http.ResponseWriter, r *http.Request) {
} }
writeJSON(w, http.StatusOK, loginResp{ writeJSON(w, http.StatusOK, loginResp{
Token: token, Token: token,
User: publicUserView{ID: u.ID, Username: u.Username, Role: u.Role}, User: publicUserView{
ID: u.ID,
Username: u.Username,
Role: u.Role,
ForcePasswordChange: u.ForcePasswordChange,
},
RequirePasswordChange: u.ForcePasswordChange,
}) })
} }
func (d *Deps) ChangePassword(w http.ResponseWriter, r *http.Request) {
me, ok := middleware.FromContext(r.Context())
if !ok {
writeErr(w, http.StatusUnauthorized, "no user")
return
}
var req changePasswordReq
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeErr(w, http.StatusBadRequest, "invalid json")
return
}
if req.OldPassword == "" || req.NewPassword == "" {
writeErr(w, http.StatusBadRequest, "旧密码和新密码都不能为空")
return
}
if len(req.NewPassword) < 6 {
writeErr(w, http.StatusBadRequest, "新密码至少 6 位")
return
}
u, err := d.Auth.GetByID(me.ID)
if err != nil {
writeErr(w, http.StatusUnauthorized, "user not found")
return
}
if !auth.CheckPassword(u.PasswordHash, req.OldPassword) {
writeErr(w, http.StatusUnauthorized, "旧密码错误")
return
}
hash, err := auth.HashPassword(req.NewPassword)
if err != nil {
writeErr(w, http.StatusInternalServerError, "hash failed")
return
}
if err := d.Auth.UpdatePassword(me.ID, hash); err != nil {
writeErr(w, http.StatusInternalServerError, err.Error())
return
}
// 改密码后清除强制改密标记
if err := d.Auth.SetForcePasswordChange(me.ID, false); err != nil {
writeErr(w, http.StatusInternalServerError, err.Error())
return
}
writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
}
func (d *Deps) Logout(w http.ResponseWriter, r *http.Request) { func (d *Deps) Logout(w http.ResponseWriter, r *http.Request) {
// JWT 是无状态的,服务端 logout 仅形式化;前端丢弃 token 即可。 // JWT 是无状态的,服务端 logout 仅形式化;前端丢弃 token 即可。
writeJSON(w, http.StatusOK, map[string]string{"status": "ok"}) writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
@@ -80,11 +140,12 @@ func (d *Deps) Me(w http.ResponseWriter, r *http.Request) {
// sanitize 把内部 User 转成对外视图,剥掉 password_hash。 // sanitize 把内部 User 转成对外视图,剥掉 password_hash。
func sanitize(u *store.User) map[string]any { func sanitize(u *store.User) map[string]any {
return map[string]any{ return map[string]any{
"id": u.ID, "id": u.ID,
"username": u.Username, "username": u.Username,
"role": u.Role, "role": u.Role,
"disabled": u.Disabled, "disabled": u.Disabled,
"created_at": u.CreatedAt, "force_password_change": u.ForcePasswordChange,
"updated_at": u.UpdatedAt, "created_at": u.CreatedAt,
"updated_at": u.UpdatedAt,
} }
} }

5
web/backend/internal/handlers/users.go
View File

@@ -100,6 +100,11 @@ func (d *Deps) AdminPatchUser(w http.ResponseWriter, r *http.Request) {
writeErr(w, statusForErr(err), err.Error()) writeErr(w, statusForErr(err), err.Error())
return return
} }
// 管理员重置密码后,强制用户下次登录改密
if err := d.Auth.SetForcePasswordChange(id, true); err != nil {
writeErr(w, statusForErr(err), err.Error())
return
}
} }
if req.Disabled != nil { if req.Disabled != nil {
// 禁止禁用自己,避免管理员锁死自己 // 禁止禁用自己,避免管理员锁死自己

1
web/backend/internal/router/router.go
View File

@@ -26,6 +26,7 @@ func New(d *handlers.Deps, mgr *auth.Manager, authStore *store.AuthStore, dist f
r.Post("/logout", d.Logout) r.Post("/logout", d.Logout)
r.Get("/me", d.Me) r.Get("/me", d.Me)
r.Post("/change-password", d.ChangePassword)
r.Get("/scores", d.ListScores) r.Get("/scores", d.ListScores)
r.Get("/scores/{id}", d.GetScore) r.Get("/scores/{id}", d.GetScore)
r.Get("/contracts", d.ListContracts) r.Get("/contracts", d.ListContracts)

49
web/backend/internal/store/auth.go
View File

@@ -13,13 +13,14 @@ import (
type AuthStore struct{ db *sql.DB } type AuthStore struct{ db *sql.DB }
type User struct { type User struct {
ID int64 `json:"id"` ID int64 `json:"id"`
Username string `json:"username"` Username string `json:"username"`
PasswordHash string `json:"-"` PasswordHash string `json:"-"`
Role string `json:"role"` Role string `json:"role"`
Disabled bool `json:"disabled"` Disabled bool `json:"disabled"`
CreatedAt string `json:"created_at"` ForcePasswordChange bool `json:"force_password_change"`
UpdatedAt string `json:"updated_at"` CreatedAt string `json:"created_at"`
UpdatedAt string `json:"updated_at"`
} }
const ( const (
@@ -64,7 +65,12 @@ func (s *AuthStore) init() error {
); );
CREATE INDEX IF NOT EXISTS idx_users_username ON users(username); CREATE INDEX IF NOT EXISTS idx_users_username ON users(username);
`) `)
return err if err != nil {
return err
}
// 兼容旧表:添加 force_password_change 列(已存在则忽略错误)
_, _ = s.db.Exec(`ALTER TABLE users ADD COLUMN force_password_change INTEGER NOT NULL DEFAULT 0`)
return nil
} }
func (s *AuthStore) CountAdmins() (int, error) { func (s *AuthStore) CountAdmins() (int, error) {
@@ -89,19 +95,19 @@ func (s *AuthStore) CreateUser(username, passwordHash, role string) (*User, erro
} }
func (s *AuthStore) GetByUsername(username string) (*User, error) { func (s *AuthStore) GetByUsername(username string) (*User, error) {
row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, created_at, updated_at row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, force_password_change, created_at, updated_at
FROM users WHERE username = ?`, username) FROM users WHERE username = ?`, username)
return scanUser(row) return scanUser(row)
} }
func (s *AuthStore) GetByID(id int64) (*User, error) { func (s *AuthStore) GetByID(id int64) (*User, error) {
row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, created_at, updated_at row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, force_password_change, created_at, updated_at
FROM users WHERE id = ?`, id) FROM users WHERE id = ?`, id)
return scanUser(row) return scanUser(row)
} }
func (s *AuthStore) ListUsers() ([]User, error) { func (s *AuthStore) ListUsers() ([]User, error) {
rows, err := s.db.Query(`SELECT id, username, password_hash, role, disabled, created_at, updated_at rows, err := s.db.Query(`SELECT id, username, password_hash, role, disabled, force_password_change, created_at, updated_at
FROM users ORDER BY id ASC`) FROM users ORDER BY id ASC`)
if err != nil { if err != nil {
return nil, err return nil, err
@@ -131,6 +137,23 @@ func (s *AuthStore) UpdatePassword(id int64, hash string) error {
return nil return nil
} }
func (s *AuthStore) SetForcePasswordChange(id int64, v bool) error {
now := time.Now().Format("2006-01-02 15:04:05")
val := 0
if v {
val = 1
}
res, err := s.db.Exec(`UPDATE users SET force_password_change = ?, updated_at = ? WHERE id = ?`, val, now, id)
if err != nil {
return err
}
n, _ := res.RowsAffected()
if n == 0 {
return ErrNotFound
}
return nil
}
func (s *AuthStore) SetDisabled(id int64, disabled bool) error { func (s *AuthStore) SetDisabled(id int64, disabled bool) error {
now := time.Now().Format("2006-01-02 15:04:05") now := time.Now().Format("2006-01-02 15:04:05")
v := 0 v := 0
@@ -167,13 +190,15 @@ type rowScanner interface {
func scanUser(r rowScanner) (*User, error) { func scanUser(r rowScanner) (*User, error) {
var u User var u User
var disabled int var disabled int
if err := r.Scan(&u.ID, &u.Username, &u.PasswordHash, &u.Role, &disabled, &u.CreatedAt, &u.UpdatedAt); err != nil { var forceChange int
if err := r.Scan(&u.ID, &u.Username, &u.PasswordHash, &u.Role, &disabled, &forceChange, &u.CreatedAt, &u.UpdatedAt); err != nil {
if errors.Is(err, sql.ErrNoRows) { if errors.Is(err, sql.ErrNoRows) {
return nil, ErrNotFound return nil, ErrNotFound
} }
return nil, err return nil, err
} }
u.Disabled = disabled != 0 u.Disabled = disabled != 0
u.ForcePasswordChange = forceChange != 0
return &u, nil return &u, nil
} }

2
web/backend/main.go
View File

@@ -36,7 +36,7 @@ func main() {
} }
defer authDB.Close() defer authDB.Close()
if err := auth.Bootstrap(authDB, cfg.AdminUser, cfg.AdminPass); err != nil { if err := auth.Bootstrap(authDB); err != nil {
log.Fatalf("bootstrap: %v", err) log.Fatalf("bootstrap: %v", err)
} }

5
web/frontend/src/api/auth.ts
View File

@@ -4,6 +4,7 @@ import type { AuthUser } from '@/stores/auth'
export interface LoginResp { export interface LoginResp {
token: string token: string
user: AuthUser user: AuthUser
require_password_change: boolean
} }
export function login(username: string, password: string) { export function login(username: string, password: string) {
@@ -17,3 +18,7 @@ export function logout() {
export function me() { export function me() {
return client.get<AuthUser>('/me').then((r) => r.data) return client.get<AuthUser>('/me').then((r) => r.data)
} }
export function changePassword(oldPassword: string, newPassword: string) {
return client.post('/change-password', { old_password: oldPassword, new_password: newPassword }).then((r) => r.data)
}

9
web/frontend/src/router/index.ts
View File

@@ -8,6 +8,12 @@ const routes: RouteRecordRaw[] = [
component: () => import('@/views/LoginView.vue'), component: () => import('@/views/LoginView.vue'),
meta: { layout: 'blank', public: true }, meta: { layout: 'blank', public: true },
}, },
{
path: '/change-password',
name: 'change-password',
component: () => import('@/views/ChangePasswordView.vue'),
meta: { layout: 'blank' },
},
{ path: '/', redirect: '/scores' }, { path: '/', redirect: '/scores' },
{ {
path: '/scores', path: '/scores',
@@ -44,6 +50,9 @@ router.beforeEach((to) => {
if (!auth.token) { if (!auth.token) {
return { path: '/login', query: { redirect: to.fullPath } } return { path: '/login', query: { redirect: to.fullPath } }
} }
if (auth.requirePasswordChange && to.path !== '/change-password') {
return { path: '/change-password' }
}
if (to.meta.adminOnly && !auth.isAdmin) { if (to.meta.adminOnly && !auth.isAdmin) {
return { path: '/scores' } return { path: '/scores' }
} }

32
web/frontend/src/stores/auth.ts
View File

@@ -4,11 +4,13 @@ export interface AuthUser {
id: number id: number
username: string username: string
role: 'admin' | 'user' role: 'admin' | 'user'
force_password_change?: boolean
} }
interface State { interface State {
token: string token: string
user: AuthUser | null user: AuthUser | null
requirePasswordChange: boolean
} }
const STORAGE_KEY = 'trade.auth' const STORAGE_KEY = 'trade.auth'
@@ -16,10 +18,15 @@ const STORAGE_KEY = 'trade.auth'
function load(): State { function load(): State {
try { try {
const raw = localStorage.getItem(STORAGE_KEY) const raw = localStorage.getItem(STORAGE_KEY)
if (!raw) return { token: '', user: null } if (!raw) return { token: '', user: null, requirePasswordChange: false }
return JSON.parse(raw) as State const parsed = JSON.parse(raw) as Partial<State>
return {
token: parsed.token || '',
user: parsed.user || null,
requirePasswordChange: parsed.requirePasswordChange ?? false,
}
} catch { } catch {
return { token: '', user: null } return { token: '', user: null, requirePasswordChange: false }
} }
} }
@@ -29,14 +36,29 @@ export const useAuthStore = defineStore('auth', {
isAdmin: (s) => s.user?.role === 'admin', isAdmin: (s) => s.user?.role === 'admin',
}, },
actions: { actions: {
setSession(token: string, user: AuthUser) { setSession(token: string, user: AuthUser, requirePasswordChange?: boolean) {
this.token = token this.token = token
this.user = user this.user = user
localStorage.setItem(STORAGE_KEY, JSON.stringify({ token, user })) this.requirePasswordChange = requirePasswordChange ?? false
localStorage.setItem(
STORAGE_KEY,
JSON.stringify({ token, user, requirePasswordChange: this.requirePasswordChange }),
)
},
clearRequirePasswordChange() {
this.requirePasswordChange = false
if (this.user) {
this.user.force_password_change = false
localStorage.setItem(
STORAGE_KEY,
JSON.stringify({ token: this.token, user: this.user, requirePasswordChange: false }),
)
}
}, },
logout() { logout() {
this.token = '' this.token = ''
this.user = null this.user = null
this.requirePasswordChange = false
localStorage.removeItem(STORAGE_KEY) localStorage.removeItem(STORAGE_KEY)
}, },
}, },

109
web/frontend/src/views/ChangePasswordView.vue Normal file
View File

@@ -0,0 +1,109 @@
<script setup lang="ts">
import { reactive, ref } from 'vue'
import { useRouter } from 'vue-router'
import { ElMessage } from 'element-plus'
import { changePassword } from '@/api/auth'
import { useAuthStore } from '@/stores/auth'
const auth = useAuthStore()
const router = useRouter()
const form = reactive({ oldPassword: '', newPassword: '', confirmPassword: '' })
const loading = ref(false)
async function submit() {
if (!form.oldPassword || !form.newPassword) {
ElMessage.warning('请输入旧密码和新密码')
return
}
if (form.newPassword.length < 6) {
ElMessage.warning('新密码至少 6 位')
return
}
if (form.newPassword !== form.confirmPassword) {
ElMessage.warning('两次输入的新密码不一致')
return
}
loading.value = true
try {
await changePassword(form.oldPassword, form.newPassword)
ElMessage.success('密码修改成功')
auth.clearRequirePasswordChange()
router.replace('/scores')
} catch {
// axios 拦截器已弹错
} finally {
loading.value = false
}
}
</script>
<template>
<div class="login">
<div class="card">
<h2>修改密码</h2>
<p class="hint">首次登录或管理员重置密码后请修改密码</p>
<el-form @submit.prevent="submit" label-width="0">
<el-form-item>
<el-input
v-model="form.oldPassword"
type="password"
placeholder="旧密码"
show-password
autocomplete="current-password"
/>
</el-form-item>
<el-form-item>
<el-input
v-model="form.newPassword"
type="password"
placeholder="新密码"
show-password
autocomplete="new-password"
/>
</el-form-item>
<el-form-item>
<el-input
v-model="form.confirmPassword"
type="password"
placeholder="确认新密码"
show-password
autocomplete="new-password"
@keyup.enter="submit"
/>
</el-form-item>
<el-button type="primary" :loading="loading" style="width: 100%" @click="submit">
确认修改
</el-button>
</el-form>
</div>
</div>
</template>
<style scoped>
.login {
min-height: 100vh;
display: flex;
align-items: center;
justify-content: center;
background: linear-gradient(135deg, #1f2d3d 0%, #3a506b 100%);
}
.card {
width: 360px;
padding: 36px 32px;
background: var(--el-bg-color);
color: var(--el-text-color-primary);
border-radius: 8px;
box-shadow: 0 12px 32px rgba(0, 0, 0, 0.18);
}
.card h2 {
margin: 0 0 8px;
text-align: center;
}
.hint {
margin: 0 0 24px;
color: var(--el-text-color-secondary);
font-size: 12px;
text-align: center;
}
</style>

10
web/frontend/src/views/LoginView.vue
View File

@@ -20,9 +20,13 @@ async function submit() {
loading.value = true loading.value = true
try { try {
const resp = await login(form.username.trim(), form.password) const resp = await login(form.username.trim(), form.password)
auth.setSession(resp.token, resp.user) auth.setSession(resp.token, resp.user, resp.require_password_change)
const redirect = (route.query.redirect as string) || '/scores' if (resp.require_password_change) {
router.replace(redirect) router.replace('/change-password')
} else {
const redirect = (route.query.redirect as string) || '/scores'
router.replace(redirect)
}
} catch { } catch {
// axios 拦截器已弹错 // axios 拦截器已弹错
} finally { } finally {