管理员默认密码 admin/admin，首次登录强制改密码；增加服务器部署配置

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

docker-compose.server.yml

@@ -0,0 +1,64 @@
+services:
+  postgres:
+    image: postgres:18.3-alpine3.23
+    container_name: trade-postgres
+    environment:
+      POSTGRES_USER: trade
+      POSTGRES_PASSWORD: trade
+      POSTGRES_DB: futures
+    volumes:
+      - pgdata:/var/lib/postgresql
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U trade -d futures"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+    restart: unless-stopped
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  tushare:
+    image: registry.fishestlife.com/trade-tushare:latest
+    container_name: trade-tushare
+    env_file: ./tushare/.env
+    environment:
+      - DATABASE_URL=postgresql://trade:trade@postgres:5432/futures
+    depends_on:
+      postgres:
+        condition: service_healthy
+    ports:
+      - "4001:8000"
+    command: ["uvicorn", "src.api:app", "--host", "0.0.0.0", "--port", "8000"]
+    restart: unless-stopped
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+  web:
+    image: registry.fishestlife.com/trade-web:latest
+    container_name: trade-web
+    env_file: ./web/backend/.env
+    environment:
+      - LISTEN_ADDR=:8080
+      - DATABASE_URL=postgres://trade:trade@postgres:5432/futures?sslmode=disable
+      - AUTH_DB_PATH=/app/auth/auth.db
+    depends_on:
+      - postgres
+    ports:
+      - "4000:8080"
+    volumes:
+      - ./data:/app/auth
+    restart: unless-stopped
+    logging:
+      driver: json-file
+      options:
+        max-size: "10m"
+        max-file: "3"
+
+volumes:
+  pgdata:

docker-compose.yml

@@ -24,7 +24,7 @@ services:
       postgres:
         condition: service_healthy
     ports:
-      - "8000:8000"
+      - "4001:8000"
     command: ["uvicorn", "src.api:app", "--host", "0.0.0.0", "--port", "8000"]
 
   web:
@@ -40,7 +40,7 @@ services:
     depends_on:
       - postgres
     ports:
-      - "8080:8080"
+      - "4000:8080"
     volumes:
       - ./data:/app/auth
     restart: unless-stopped

web/backend/internal/auth/bootstrap.go

@@ -6,9 +6,9 @@ import (
 	"trade/web/internal/store"
 )
 
-// Bootstrap 在 auth.db 没有任何 admin 时,从 ADMIN_USER/ADMIN_PASS 写入一条管理员;
-// 已存在 admin 时静默跳过,避免轮换 env 时静默改密。
-func Bootstrap(s *store.AuthStore, adminUser, adminPass string) error {
+// Bootstrap 在 auth.db 没有任何 admin 时,写入默认管理员 admin/admin;
+// 并强制首次登录后改密码。已存在 admin 时静默跳过。
+func Bootstrap(s *store.AuthStore) error {
 	n, err := s.CountAdmins()
 	if err != nil {
 		return err
@@ -16,17 +16,17 @@ func Bootstrap(s *store.AuthStore, adminUser, adminPass string) error {
 	if n > 0 {
 		return nil
 	}
-	if adminUser == "" || adminPass == "" {
-		log.Printf("[bootstrap] auth.db 无 admin,但 ADMIN_USER/ADMIN_PASS 未设置,跳过引导")
-		return nil
-	}
-	hash, err := HashPassword(adminPass)
+	hash, err := HashPassword("admin")
 	if err != nil {
 		return err
 	}
-	if _, err := s.CreateUser(adminUser, hash, store.RoleAdmin); err != nil {
+	u, err := s.CreateUser("admin", hash, store.RoleAdmin)
+	if err != nil {
 		return err
 	}
-	log.Printf("[bootstrap] admin %q created", adminUser)
+	if err := s.SetForcePasswordChange(u.ID, true); err != nil {
+		return err
+	}
+	log.Printf("[bootstrap] admin created (default password), force password change enabled")
 	return nil
 }

web/backend/internal/config/config.go

@@ -11,8 +11,6 @@ type Config struct {
 	DatabaseURL    string
 	AuthDBPath     string
 	JWTSecret      []byte
-	AdminUser      string
-	AdminPass      string
 	TushareAPIURL  string
 }
 
@@ -21,8 +19,6 @@ func Load() (*Config, error) {
 		ListenAddr:    getenv("LISTEN_ADDR", ":8080"),
 		DatabaseURL:   os.Getenv("DATABASE_URL"),
 		AuthDBPath:    getenv("AUTH_DB_PATH", "/app/auth/auth.db"),
-		AdminUser:     strings.TrimSpace(os.Getenv("ADMIN_USER")),
-		AdminPass:     os.Getenv("ADMIN_PASS"),
 		TushareAPIURL: getenv("TUSHARE_API_URL", "http://tushare:8000"),
 	}
 	if cfg.DatabaseURL == "" {

web/backend/internal/handlers/auth.go

@@ -18,12 +18,19 @@ type loginReq struct {
 type loginResp struct {
 	Token                 string         `json:"token"`
 	User                  publicUserView `json:"user"`
+	RequirePasswordChange bool           `json:"require_password_change"`
 }
 
 type publicUserView struct {
 	ID                  int64  `json:"id"`
 	Username            string `json:"username"`
 	Role                string `json:"role"`
+	ForcePasswordChange bool   `json:"force_password_change"`
+}
+
+type changePasswordReq struct {
+	OldPassword string `json:"old_password"`
+	NewPassword string `json:"new_password"`
 }
 
 func (d *Deps) Login(w http.ResponseWriter, r *http.Request) {
@@ -54,10 +61,63 @@ func (d *Deps) Login(w http.ResponseWriter, r *http.Request) {
 	}
 	writeJSON(w, http.StatusOK, loginResp{
 		Token: token,
-		User:  publicUserView{ID: u.ID, Username: u.Username, Role: u.Role},
+		User: publicUserView{
+			ID:                  u.ID,
+			Username:            u.Username,
+			Role:                u.Role,
+			ForcePasswordChange: u.ForcePasswordChange,
+		},
+		RequirePasswordChange: u.ForcePasswordChange,
 	})
 }
 
+func (d *Deps) ChangePassword(w http.ResponseWriter, r *http.Request) {
+	me, ok := middleware.FromContext(r.Context())
+	if !ok {
+		writeErr(w, http.StatusUnauthorized, "no user")
+		return
+	}
+	var req changePasswordReq
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeErr(w, http.StatusBadRequest, "invalid json")
+		return
+	}
+	if req.OldPassword == "" || req.NewPassword == "" {
+		writeErr(w, http.StatusBadRequest, "旧密码和新密码都不能为空")
+		return
+	}
+	if len(req.NewPassword) < 6 {
+		writeErr(w, http.StatusBadRequest, "新密码至少 6 位")
+		return
+	}
+
+	u, err := d.Auth.GetByID(me.ID)
+	if err != nil {
+		writeErr(w, http.StatusUnauthorized, "user not found")
+		return
+	}
+	if !auth.CheckPassword(u.PasswordHash, req.OldPassword) {
+		writeErr(w, http.StatusUnauthorized, "旧密码错误")
+		return
+	}
+
+	hash, err := auth.HashPassword(req.NewPassword)
+	if err != nil {
+		writeErr(w, http.StatusInternalServerError, "hash failed")
+		return
+	}
+	if err := d.Auth.UpdatePassword(me.ID, hash); err != nil {
+		writeErr(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	// 改密码后清除强制改密标记
+	if err := d.Auth.SetForcePasswordChange(me.ID, false); err != nil {
+		writeErr(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
+}
+
 func (d *Deps) Logout(w http.ResponseWriter, r *http.Request) {
 	// JWT 是无状态的,服务端 logout 仅形式化;前端丢弃 token 即可。
 	writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
@@ -84,6 +144,7 @@ func sanitize(u *store.User) map[string]any {
 		"username":              u.Username,
 		"role":                  u.Role,
 		"disabled":              u.Disabled,
+		"force_password_change": u.ForcePasswordChange,
 		"created_at":            u.CreatedAt,
 		"updated_at":            u.UpdatedAt,
 	}

web/backend/internal/handlers/users.go

@@ -100,6 +100,11 @@ func (d *Deps) AdminPatchUser(w http.ResponseWriter, r *http.Request) {
 			writeErr(w, statusForErr(err), err.Error())
 			return
 		}
+		// 管理员重置密码后,强制用户下次登录改密
+		if err := d.Auth.SetForcePasswordChange(id, true); err != nil {
+			writeErr(w, statusForErr(err), err.Error())
+			return
+		}
 	}
 	if req.Disabled != nil {
 		// 禁止禁用自己,避免管理员锁死自己

web/backend/internal/router/router.go

@@ -26,6 +26,7 @@ func New(d *handlers.Deps, mgr *auth.Manager, authStore *store.AuthStore, dist f
 
 			r.Post("/logout", d.Logout)
 			r.Get("/me", d.Me)
+			r.Post("/change-password", d.ChangePassword)
 			r.Get("/scores", d.ListScores)
 			r.Get("/scores/{id}", d.GetScore)
 			r.Get("/contracts", d.ListContracts)

web/backend/internal/store/auth.go

@@ -18,6 +18,7 @@ type User struct {
 	PasswordHash        string `json:"-"`
 	Role                string `json:"role"`
 	Disabled            bool   `json:"disabled"`
+	ForcePasswordChange bool   `json:"force_password_change"`
 	CreatedAt           string `json:"created_at"`
 	UpdatedAt           string `json:"updated_at"`
 }
@@ -64,8 +65,13 @@ func (s *AuthStore) init() error {
 		);
 		CREATE INDEX IF NOT EXISTS idx_users_username ON users(username);
 	`)
+	if err != nil {
 		return err
 	}
+	// 兼容旧表：添加 force_password_change 列（已存在则忽略错误）
+	_, _ = s.db.Exec(`ALTER TABLE users ADD COLUMN force_password_change INTEGER NOT NULL DEFAULT 0`)
+	return nil
+}
 
 func (s *AuthStore) CountAdmins() (int, error) {
 	var n int
@@ -89,19 +95,19 @@ func (s *AuthStore) CreateUser(username, passwordHash, role string) (*User, erro
 }
 
 func (s *AuthStore) GetByUsername(username string) (*User, error) {
-	row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, created_at, updated_at
+	row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, force_password_change, created_at, updated_at
 		FROM users WHERE username = ?`, username)
 	return scanUser(row)
 }
 
 func (s *AuthStore) GetByID(id int64) (*User, error) {
-	row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, created_at, updated_at
+	row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, force_password_change, created_at, updated_at
 		FROM users WHERE id = ?`, id)
 	return scanUser(row)
 }
 
 func (s *AuthStore) ListUsers() ([]User, error) {
-	rows, err := s.db.Query(`SELECT id, username, password_hash, role, disabled, created_at, updated_at
+	rows, err := s.db.Query(`SELECT id, username, password_hash, role, disabled, force_password_change, created_at, updated_at
 		FROM users ORDER BY id ASC`)
 	if err != nil {
 		return nil, err
@@ -131,6 +137,23 @@ func (s *AuthStore) UpdatePassword(id int64, hash string) error {
 	return nil
 }
 
+func (s *AuthStore) SetForcePasswordChange(id int64, v bool) error {
+	now := time.Now().Format("2006-01-02 15:04:05")
+	val := 0
+	if v {
+		val = 1
+	}
+	res, err := s.db.Exec(`UPDATE users SET force_password_change = ?, updated_at = ? WHERE id = ?`, val, now, id)
+	if err != nil {
+		return err
+	}
+	n, _ := res.RowsAffected()
+	if n == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+
 func (s *AuthStore) SetDisabled(id int64, disabled bool) error {
 	now := time.Now().Format("2006-01-02 15:04:05")
 	v := 0
@@ -167,13 +190,15 @@ type rowScanner interface {
 func scanUser(r rowScanner) (*User, error) {
 	var u User
 	var disabled int
-	if err := r.Scan(&u.ID, &u.Username, &u.PasswordHash, &u.Role, &disabled, &u.CreatedAt, &u.UpdatedAt); err != nil {
+	var forceChange int
+	if err := r.Scan(&u.ID, &u.Username, &u.PasswordHash, &u.Role, &disabled, &forceChange, &u.CreatedAt, &u.UpdatedAt); err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return nil, ErrNotFound
 		}
 		return nil, err
 	}
 	u.Disabled = disabled != 0
+	u.ForcePasswordChange = forceChange != 0
 	return &u, nil
 }
 

web/backend/main.go

@@ -36,7 +36,7 @@ func main() {
 	}
 	defer authDB.Close()
 
-	if err := auth.Bootstrap(authDB, cfg.AdminUser, cfg.AdminPass); err != nil {
+	if err := auth.Bootstrap(authDB); err != nil {
 		log.Fatalf("bootstrap: %v", err)
 	}
 

web/frontend/src/api/auth.ts

@@ -4,6 +4,7 @@ import type { AuthUser } from '@/stores/auth'
 export interface LoginResp {
   token: string
   user: AuthUser
+  require_password_change: boolean
 }
 
 export function login(username: string, password: string) {
@@ -17,3 +18,7 @@ export function logout() {
 export function me() {
   return client.get<AuthUser>('/me').then((r) => r.data)
 }
+
+export function changePassword(oldPassword: string, newPassword: string) {
+  return client.post('/change-password', { old_password: oldPassword, new_password: newPassword }).then((r) => r.data)
+}

web/frontend/src/router/index.ts

@@ -8,6 +8,12 @@ const routes: RouteRecordRaw[] = [
     component: () => import('@/views/LoginView.vue'),
     meta: { layout: 'blank', public: true },
   },
+  {
+    path: '/change-password',
+    name: 'change-password',
+    component: () => import('@/views/ChangePasswordView.vue'),
+    meta: { layout: 'blank' },
+  },
   { path: '/', redirect: '/scores' },
   {
     path: '/scores',
@@ -44,6 +50,9 @@ router.beforeEach((to) => {
   if (!auth.token) {
     return { path: '/login', query: { redirect: to.fullPath } }
   }
+  if (auth.requirePasswordChange && to.path !== '/change-password') {
+    return { path: '/change-password' }
+  }
   if (to.meta.adminOnly && !auth.isAdmin) {
     return { path: '/scores' }
   }

web/frontend/src/stores/auth.ts

@@ -4,11 +4,13 @@ export interface AuthUser {
   id: number
   username: string
   role: 'admin' | 'user'
+  force_password_change?: boolean
 }
 
 interface State {
   token: string
   user: AuthUser | null
+  requirePasswordChange: boolean
 }
 
 const STORAGE_KEY = 'trade.auth'
@@ -16,10 +18,15 @@ const STORAGE_KEY = 'trade.auth'
 function load(): State {
   try {
     const raw = localStorage.getItem(STORAGE_KEY)
-    if (!raw) return { token: '', user: null }
-    return JSON.parse(raw) as State
+    if (!raw) return { token: '', user: null, requirePasswordChange: false }
+    const parsed = JSON.parse(raw) as Partial<State>
+    return {
+      token: parsed.token || '',
+      user: parsed.user || null,
+      requirePasswordChange: parsed.requirePasswordChange ?? false,
+    }
   } catch {
-    return { token: '', user: null }
+    return { token: '', user: null, requirePasswordChange: false }
   }
 }
 
@@ -29,14 +36,29 @@ export const useAuthStore = defineStore('auth', {
     isAdmin: (s) => s.user?.role === 'admin',
   },
   actions: {
-    setSession(token: string, user: AuthUser) {
+    setSession(token: string, user: AuthUser, requirePasswordChange?: boolean) {
       this.token = token
       this.user = user
-      localStorage.setItem(STORAGE_KEY, JSON.stringify({ token, user }))
+      this.requirePasswordChange = requirePasswordChange ?? false
+      localStorage.setItem(
+        STORAGE_KEY,
+        JSON.stringify({ token, user, requirePasswordChange: this.requirePasswordChange }),
+      )
+    },
+    clearRequirePasswordChange() {
+      this.requirePasswordChange = false
+      if (this.user) {
+        this.user.force_password_change = false
+        localStorage.setItem(
+          STORAGE_KEY,
+          JSON.stringify({ token: this.token, user: this.user, requirePasswordChange: false }),
+        )
+      }
     },
     logout() {
       this.token = ''
       this.user = null
+      this.requirePasswordChange = false
       localStorage.removeItem(STORAGE_KEY)
     },
   },

web/frontend/src/views/ChangePasswordView.vue

@@ -0,0 +1,109 @@
+<script setup lang="ts">
+import { reactive, ref } from 'vue'
+import { useRouter } from 'vue-router'
+import { ElMessage } from 'element-plus'
+import { changePassword } from '@/api/auth'
+import { useAuthStore } from '@/stores/auth'
+
+const auth = useAuthStore()
+const router = useRouter()
+
+const form = reactive({ oldPassword: '', newPassword: '', confirmPassword: '' })
+const loading = ref(false)
+
+async function submit() {
+  if (!form.oldPassword || !form.newPassword) {
+    ElMessage.warning('请输入旧密码和新密码')
+    return
+  }
+  if (form.newPassword.length < 6) {
+    ElMessage.warning('新密码至少 6 位')
+    return
+  }
+  if (form.newPassword !== form.confirmPassword) {
+    ElMessage.warning('两次输入的新密码不一致')
+    return
+  }
+  loading.value = true
+  try {
+    await changePassword(form.oldPassword, form.newPassword)
+    ElMessage.success('密码修改成功')
+    auth.clearRequirePasswordChange()
+    router.replace('/scores')
+  } catch {
+    // axios 拦截器已弹错
+  } finally {
+    loading.value = false
+  }
+}
+</script>
+
+<template>
+  <div class="login">
+    <div class="card">
+      <h2>修改密码</h2>
+      <p class="hint">首次登录或管理员重置密码后，请修改密码。</p>
+      <el-form @submit.prevent="submit" label-width="0">
+        <el-form-item>
+          <el-input
+            v-model="form.oldPassword"
+            type="password"
+            placeholder="旧密码"
+            show-password
+            autocomplete="current-password"
+          />
+        </el-form-item>
+        <el-form-item>
+          <el-input
+            v-model="form.newPassword"
+            type="password"
+            placeholder="新密码"
+            show-password
+            autocomplete="new-password"
+          />
+        </el-form-item>
+        <el-form-item>
+          <el-input
+            v-model="form.confirmPassword"
+            type="password"
+            placeholder="确认新密码"
+            show-password
+            autocomplete="new-password"
+            @keyup.enter="submit"
+          />
+        </el-form-item>
+        <el-button type="primary" :loading="loading" style="width: 100%" @click="submit">
+          确认修改
+        </el-button>
+      </el-form>
+    </div>
+  </div>
+</template>
+
+<style scoped>
+.login {
+  min-height: 100vh;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  background: linear-gradient(135deg, #1f2d3d 0%, #3a506b 100%);
+}
+.card {
+  width: 360px;
+  padding: 36px 32px;
+  background: var(--el-bg-color);
+  color: var(--el-text-color-primary);
+  border-radius: 8px;
+  box-shadow: 0 12px 32px rgba(0, 0, 0, 0.18);
+}
+.card h2 {
+  margin: 0 0 8px;
+  text-align: center;
+}
+.hint {
+  margin: 0 0 24px;
+  color: var(--el-text-color-secondary);
+  font-size: 12px;
+  text-align: center;
+}
+</style>

web/frontend/src/views/LoginView.vue

@@ -20,9 +20,13 @@ async function submit() {
   loading.value = true
   try {
     const resp = await login(form.username.trim(), form.password)
-    auth.setSession(resp.token, resp.user)
+    auth.setSession(resp.token, resp.user, resp.require_password_change)
+    if (resp.require_password_change) {
+      router.replace('/change-password')
+    } else {
       const redirect = (route.query.redirect as string) || '/scores'
       router.replace(redirect)
+    }
   } catch {
     // axios 拦截器已弹错
   } finally {