移除 backend .env，暂时关闭 JWT，改为一次性登录

web/backend/internal/middleware/auth.go

@@ -3,9 +3,7 @@ package middleware
 import (
 	"context"
 	"net/http"
-	"strings"
 
-	"trade/web/internal/auth"
 	"trade/web/internal/store"
 )
 
@@ -24,32 +22,14 @@ func FromContext(ctx context.Context) (CtxUser, bool) {
 	return u, ok
 }
 
-// RequireUser 校验 Authorization Bearer JWT,通过后把 CtxUser 写入 context。
-// 同时校验数据库里的 disabled 状态,被禁用的账户即使持有 token 也会被拒。
-func RequireUser(mgr *auth.Manager, s *store.AuthStore) func(http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			tok := bearer(r)
-			if tok == "" {
-				writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "missing token"})
-				return
-			}
-			claims, err := mgr.Parse(tok)
-			if err != nil {
-				writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "invalid token"})
-				return
-			}
-			u, err := s.GetByID(claims.UserID)
-			if err != nil || u.Disabled {
-				writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "account disabled or removed"})
-				return
-			}
-			ctx := context.WithValue(r.Context(), userKey, CtxUser{
-				ID: u.ID, Username: u.Username, Role: u.Role,
-			})
-			next.ServeHTTP(w, r.WithContext(ctx))
+// RequireUser 不再校验 JWT，直接注入默认管理员用户，所有请求放行。
+func RequireUser(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctx := context.WithValue(r.Context(), userKey, CtxUser{
+			ID: 1, Username: "admin", Role: store.RoleAdmin,
 		})
-	}
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
 }
 
 func RequireAdmin(next http.Handler) http.Handler {
@@ -62,12 +42,3 @@ func RequireAdmin(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
-
-func bearer(r *http.Request) string {
-	h := r.Header.Get("Authorization")
-	const p = "Bearer "
-	if strings.HasPrefix(h, p) {
-		return strings.TrimSpace(h[len(p):])
-	}
-	return ""
-}