fish/trade
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: fish:ff09715511ed72d27ced49c2b5bf7a98cff8e518
Branches Tags
fish:main
..
compare: fish:1f6a9f641941b6db4410e80d2705cfdf3fea40de
Branches Tags
fish:main

7 Commits
ff09715511 ... 1f6a9f6419

Author SHA1 Message Date
fish
1f6a9f6419 登录页面禁止上下滚动 2026-05-03 20:53:33 +08:00
fish
467b667921 删除 docker-compose.server.yml 2026-05-03 20:52:41 +08:00
fish
c46ea04993 删除 tushare/.env,token 已写死在代码中 2026-05-03 20:51:45 +08:00
fish
79d2f292f1 将 auth 数据库从 SQLite 迁移到 PostgreSQL 2026-05-03 20:50:28 +08:00
fish
fbcde3cc71 移除 backend .env,暂时关闭 JWT,改为一次性登录 2026-05-03 20:41:43 +08:00
fish
d0e5ddb678 将 TUSHARE_TOKEN 写死到代码中,移除 .env 引用 2026-05-03 20:35:18 +08:00
fish
d742d4972c 管理员默认密码 admin/admin,首次登录强制改密码;增加服务器部署配置 
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-03 17:44:08 +08:00
24 changed files with 330 additions and 200 deletions
Expand all files Collapse all files

2
CLAUDE.md
View File

@@ -38,8 +38,6 @@ docker-compose exec postgres psql -U trade -d futures -c \
"SELECT ts_code, trade_date, composite, signal FROM scores ORDER BY trade_date DESC LIMIT 5;"
```
`tushare/.env` 必须存在且含 `TUSHARE_TOKEN=xxx`(已 gitignored)。
## 关键架构
**单进程串行流水线**:`src.main.main()` 先按命令行参数(显式 `ts_code` 优先,否则 `contracts.active_contract(symbol)` 按当月主力自动选)定下合约,再调 `run()` 顺序执行 `fetcher → storage(candles) → scorer → storage(scores)`。无后台任务、无队列,每次 CLI 调用处理一个合约一日。

13
README.md
View File

@@ -10,17 +10,7 @@
## 快速开始
### 1. 配置 tushare token
将 token 写入 `tushare/.env`
```bash
echo "TUSHARE_TOKEN=你的token" > tushare/.env
```
该文件已被 gitignore 排除,不会进入版本库。
### 2. 启动全栈服务
### 1. 启动全栈服务
```bash
docker-compose up -d
@@ -165,7 +155,6 @@ trade/
├── tushare/ # Python 数据服务
│ ├── Dockerfile
│ ├── requirements.txt
│ ├── .env # TUSHARE_TOKEN(本地,不入库)
│ └── src/ # 数据采集 + 打分 + FastAPI
│ ├── api.py # FastAPI 服务入口
│ ├── models.py

11
docker-compose.yml
View File

@@ -17,14 +17,14 @@ services:
tushare:
build: ./tushare
container_name: trade-tushare
env_file: ./tushare/.env
# token 已写死在代码中,无需 env_file
environment:
- DATABASE_URL=postgresql://trade:trade@postgres:5432/futures
depends_on:
postgres:
condition: service_healthy
ports:
- "8000:8000"
- "4001:8000"
command: ["uvicorn", "src.api:app", "--host", "0.0.0.0", "--port", "8000"]
web:
@@ -32,17 +32,14 @@ services:
context: ./web
dockerfile: backend/Dockerfile
container_name: trade-web
env_file: ./web/backend/.env
# .env 已移除,环境变量直接写在此处
environment:
- LISTEN_ADDR=:8080
- DATABASE_URL=postgres://trade:trade@postgres:5432/futures?sslmode=disable
- AUTH_DB_PATH=/app/auth/auth.db
depends_on:
- postgres
ports:
- "8080:8080"
volumes:
- ./data:/app/auth
- "4000:8080"
restart: unless-stopped
volumes:

10
tushare/main.py
View File

@@ -1,16 +1,12 @@
import os
import sys
import tushare as ts
TUSHARE_TOKEN = "76efd8465f9f2591aa42a385268e06acf6b80b7a15be2267ad2281b7"
def main() -> int:
token = os.environ.get("TUSHARE_TOKEN")
if not token:
print("[ERROR] 未设置 TUSHARE_TOKEN 环境变量", file=sys.stderr)
return 1
ts.set_token(token)
ts.set_token(TUSHARE_TOKEN)
pro = ts.pro_api()
df = pro.trade_cal(exchange="SHFE", start_date="20260101", end_date="20260110")

8
tushare/src/fetcher.py
View File

@@ -1,15 +1,13 @@
import os
from typing import Optional
import pandas as pd
import tushare as ts
TUSHARE_TOKEN = "76efd8465f9f2591aa42a385268e06acf6b80b7a15be2267ad2281b7"
def _init_api():
token = os.environ.get("TUSHARE_TOKEN")
if not token:
raise RuntimeError("TUSHARE_TOKEN 环境变量未设置")
ts.set_token(token)
ts.set_token(TUSHARE_TOKEN)
return ts.pro_api()

8
web/backend/.env.example
View File

@@ -1,8 +0,0 @@
# 拷贝为 web/backend/.env 后填入真实值。.env 已被 .gitignore 排除。
# 首次启动时,若 auth.db 中没有任何 admin 用户,会用下面这一对凭据创建管理员;
# 一旦 admin 已存在,这两个变量会被忽略,改它们不会改密码。
ADMIN_USER=admin
ADMIN_PASS=changeme
# JWT 签名密钥;生成方式:openssl rand -hex 32
JWT_SECRET=replace-with-32-bytes-hex

6
web/backend/Dockerfile
View File

@@ -21,7 +21,6 @@ WORKDIR /src
COPY backend ./
COPY --from=ui /ui/dist ./dist
# 用 modernc.org/sqlite 纯 Go 驱动,无 CGO,无需 gcc/musl-dev
ENV CGO_ENABLED=0 GOOS=linux
RUN go mod tidy && \
@@ -36,7 +35,7 @@ RUN apk add --no-cache tzdata ca-certificates && \
echo "Asia/Shanghai" > /etc/timezone && \
apk del tzdata && \
adduser -D -u 1000 app && \
mkdir -p /app/data /app/auth && \
mkdir -p /app/data && \
chown -R app:app /app
WORKDIR /app
@@ -45,8 +44,7 @@ USER app
COPY --from=api --chown=app:app /out/web /app/web
ENV TZ=Asia/Shanghai \
LISTEN_ADDR=:8080 \
AUTH_DB_PATH=/app/auth/auth.db
LISTEN_ADDR=:8080
EXPOSE 8080

1
web/backend/go.mod
View File

@@ -7,5 +7,4 @@ require (
github.com/golang-jwt/jwt/v5 v5.2.1
github.com/lib/pq v1.10.9
golang.org/x/crypto v0.27.0
modernc.org/sqlite v1.32.0
)

1
web/backend/go.sum
View File

@@ -2,4 +2,3 @@ github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITL
github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
golang.org/x/crypto v0.27.0/go.mod h1:1Xngt8kV6Dvbssa53Ziq6Eqn0HqbZi5Z6R0ZpwQzt70=
modernc.org/sqlite v1.32.0/go.mod h1:UqoylwmTb9F+IqXERT8bW9zzOWN8qwAIcLdzeBZs4hA=

20
web/backend/internal/auth/bootstrap.go
View File

@@ -6,9 +6,9 @@ import (
"trade/web/internal/store"
)
// Bootstrap 在 auth.db 没有任何 admin 时,从 ADMIN_USER/ADMIN_PASS 写入一条管理员;
// 已存在 admin 时静默跳过,避免轮换 env 时静默改密
func Bootstrap(s *store.AuthStore, adminUser, adminPass string) error {
// Bootstrap 在 auth.db 没有任何 admin 时,写入默认管理员 admin/admin;
// 并强制首次登录后改密码。已存在 admin 时静默跳过。
func Bootstrap(s *store.AuthStore) error {
n, err := s.CountAdmins()
if err != nil {
return err
@@ -16,17 +16,17 @@ func Bootstrap(s *store.AuthStore, adminUser, adminPass string) error {
if n > 0 {
return nil
}
if adminUser == "" || adminPass == "" {
log.Printf("[bootstrap] auth.db 无 admin,但 ADMIN_USER/ADMIN_PASS 未设置,跳过引导")
return nil
}
hash, err := HashPassword(adminPass)
hash, err := HashPassword("admin")
if err != nil {
return err
}
if _, err := s.CreateUser(adminUser, hash, store.RoleAdmin); err != nil {
u, err := s.CreateUser("admin", hash, store.RoleAdmin)
if err != nil {
return err
}
log.Printf("[bootstrap] admin %q created", adminUser)
if err := s.SetForcePasswordChange(u.ID, true); err != nil {
return err
}
log.Printf("[bootstrap] admin created (default password), force password change enabled")
return nil
}

13
web/backend/internal/config/config.go
View File

@@ -3,16 +3,11 @@ package config
import (
"fmt"
"os"
"strings"
)
type Config struct {
ListenAddr string
DatabaseURL string
AuthDBPath string
JWTSecret []byte
AdminUser string
AdminPass string
TushareAPIURL string
}
@@ -20,19 +15,11 @@ func Load() (*Config, error) {
cfg := &Config{
ListenAddr: getenv("LISTEN_ADDR", ":8080"),
DatabaseURL: os.Getenv("DATABASE_URL"),
AuthDBPath: getenv("AUTH_DB_PATH", "/app/auth/auth.db"),
AdminUser: strings.TrimSpace(os.Getenv("ADMIN_USER")),
AdminPass: os.Getenv("ADMIN_PASS"),
TushareAPIURL: getenv("TUSHARE_API_URL", "http://tushare:8000"),
}
if cfg.DatabaseURL == "" {
return nil, fmt.Errorf("DATABASE_URL 环境变量未设置")
}
secret := strings.TrimSpace(os.Getenv("JWT_SECRET"))
if len(secret) < 16 {
return nil, fmt.Errorf("JWT_SECRET 必须至少 16 个字符 (建议 openssl rand -hex 32)")
}
cfg.JWTSecret = []byte(secret)
return cfg, nil
}

71
web/backend/internal/handlers/auth.go
View File

@@ -18,12 +18,19 @@ type loginReq struct {
type loginResp struct {
Token string `json:"token"`
User publicUserView `json:"user"`
RequirePasswordChange bool `json:"require_password_change"`
}
type publicUserView struct {
ID int64 `json:"id"`
Username string `json:"username"`
Role string `json:"role"`
ForcePasswordChange bool `json:"force_password_change"`
}
type changePasswordReq struct {
OldPassword string `json:"old_password"`
NewPassword string `json:"new_password"`
}
func (d *Deps) Login(w http.ResponseWriter, r *http.Request) {
@@ -47,15 +54,64 @@ func (d *Deps) Login(w http.ResponseWriter, r *http.Request) {
writeErr(w, http.StatusUnauthorized, "用户名或密码错误")
return
}
token, _, err := d.JWT.Issue(u.ID, u.Username, u.Role)
if err != nil {
writeErr(w, http.StatusInternalServerError, "issue token failed")
// 暂时不用 JWT返回固定 token
writeJSON(w, http.StatusOK, loginResp{
Token: "noop",
User: publicUserView{
ID: u.ID,
Username: u.Username,
Role: u.Role,
ForcePasswordChange: u.ForcePasswordChange,
},
RequirePasswordChange: u.ForcePasswordChange,
})
}
func (d *Deps) ChangePassword(w http.ResponseWriter, r *http.Request) {
me, ok := middleware.FromContext(r.Context())
if !ok {
writeErr(w, http.StatusUnauthorized, "no user")
return
}
writeJSON(w, http.StatusOK, loginResp{
Token: token,
User: publicUserView{ID: u.ID, Username: u.Username, Role: u.Role},
})
var req changePasswordReq
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeErr(w, http.StatusBadRequest, "invalid json")
return
}
if req.OldPassword == "" || req.NewPassword == "" {
writeErr(w, http.StatusBadRequest, "旧密码和新密码都不能为空")
return
}
if len(req.NewPassword) < 6 {
writeErr(w, http.StatusBadRequest, "新密码至少 6 位")
return
}
u, err := d.Auth.GetByID(me.ID)
if err != nil {
writeErr(w, http.StatusUnauthorized, "user not found")
return
}
if !auth.CheckPassword(u.PasswordHash, req.OldPassword) {
writeErr(w, http.StatusUnauthorized, "旧密码错误")
return
}
hash, err := auth.HashPassword(req.NewPassword)
if err != nil {
writeErr(w, http.StatusInternalServerError, "hash failed")
return
}
if err := d.Auth.UpdatePassword(me.ID, hash); err != nil {
writeErr(w, http.StatusInternalServerError, err.Error())
return
}
// 改密码后清除强制改密标记
if err := d.Auth.SetForcePasswordChange(me.ID, false); err != nil {
writeErr(w, http.StatusInternalServerError, err.Error())
return
}
writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
}
func (d *Deps) Logout(w http.ResponseWriter, r *http.Request) {
@@ -84,6 +140,7 @@ func sanitize(u *store.User) map[string]any {
"username": u.Username,
"role": u.Role,
"disabled": u.Disabled,
"force_password_change": u.ForcePasswordChange,
"created_at": u.CreatedAt,
"updated_at": u.UpdatedAt,
}

2
web/backend/internal/handlers/deps.go
View File

@@ -5,7 +5,6 @@ import (
"log"
"net/http"
"trade/web/internal/auth"
"trade/web/internal/store"
)
@@ -13,7 +12,6 @@ import (
type Deps struct {
Auth *store.AuthStore
Futures *store.FuturesStore
JWT *auth.Manager
TushareURL string
}

5
web/backend/internal/handlers/users.go
View File

@@ -100,6 +100,11 @@ func (d *Deps) AdminPatchUser(w http.ResponseWriter, r *http.Request) {
writeErr(w, statusForErr(err), err.Error())
return
}
// 管理员重置密码后,强制用户下次登录改密
if err := d.Auth.SetForcePasswordChange(id, true); err != nil {
writeErr(w, statusForErr(err), err.Error())
return
}
}
if req.Disabled != nil {
// 禁止禁用自己,避免管理员锁死自己

35
web/backend/internal/middleware/auth.go
View File

@@ -3,9 +3,7 @@ package middleware
import (
"context"
"net/http"
"strings"
"trade/web/internal/auth"
"trade/web/internal/store"
)
@@ -24,33 +22,15 @@ func FromContext(ctx context.Context) (CtxUser, bool) {
return u, ok
}
// RequireUser 校验 Authorization Bearer JWT,通过后把 CtxUser 写入 context
// 同时校验数据库里的 disabled 状态,被禁用的账户即使持有 token 也会被拒。
func RequireUser(mgr *auth.Manager, s *store.AuthStore) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
// RequireUser 不再校验 JWT直接注入默认管理员用户所有请求放行
func RequireUser(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
tok := bearer(r)
if tok == "" {
writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "missing token"})
return
}
claims, err := mgr.Parse(tok)
if err != nil {
writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "invalid token"})
return
}
u, err := s.GetByID(claims.UserID)
if err != nil || u.Disabled {
writeJSON(w, http.StatusUnauthorized, map[string]string{"error": "account disabled or removed"})
return
}
ctx := context.WithValue(r.Context(), userKey, CtxUser{
ID: u.ID, Username: u.Username, Role: u.Role,
ID: 1, Username: "admin", Role: store.RoleAdmin,
})
next.ServeHTTP(w, r.WithContext(ctx))
})
}
}
func RequireAdmin(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -62,12 +42,3 @@ func RequireAdmin(next http.Handler) http.Handler {
next.ServeHTTP(w, r)
})
}
func bearer(r *http.Request) string {
h := r.Header.Get("Authorization")
const p = "Bearer "
if strings.HasPrefix(h, p) {
return strings.TrimSpace(h[len(p):])
}
return ""
}

7
web/backend/internal/router/router.go
View File

@@ -7,13 +7,11 @@ import (
"github.com/go-chi/chi/v5"
"trade/web/internal/auth"
"trade/web/internal/handlers"
mw "trade/web/internal/middleware"
"trade/web/internal/store"
)
func New(d *handlers.Deps, mgr *auth.Manager, authStore *store.AuthStore, dist fs.FS) http.Handler {
func New(d *handlers.Deps, dist fs.FS) http.Handler {
r := chi.NewRouter()
r.Use(mw.Recover)
r.Use(mw.Logger)
@@ -22,10 +20,11 @@ func New(d *handlers.Deps, mgr *auth.Manager, authStore *store.AuthStore, dist f
r.Post("/login", d.Login)
r.Group(func(r chi.Router) {
r.Use(mw.RequireUser(mgr, authStore))
r.Use(mw.RequireUser)
r.Post("/logout", d.Logout)
r.Get("/me", d.Me)
r.Post("/change-password", d.ChangePassword)
r.Get("/scores", d.ListScores)
r.Get("/scores/{id}", d.GetScore)
r.Get("/contracts", d.ListContracts)

72
web/backend/internal/store/auth.go
View File

@@ -4,10 +4,9 @@ import (
"database/sql"
"errors"
"fmt"
"path/filepath"
"time"
_ "modernc.org/sqlite"
_ "github.com/lib/pq"
)
type AuthStore struct{ db *sql.DB }
@@ -18,6 +17,7 @@ type User struct {
PasswordHash string `json:"-"`
Role string `json:"role"`
Disabled bool `json:"disabled"`
ForcePasswordChange bool `json:"force_password_change"`
CreatedAt string `json:"created_at"`
UpdatedAt string `json:"updated_at"`
}
@@ -29,18 +29,14 @@ const (
var ErrNotFound = errors.New("user not found")
func OpenAuth(path string) (*AuthStore, error) {
if dir := filepath.Dir(path); dir != "" {
_ = ensureDir(dir)
}
dsn := fmt.Sprintf("file:%s?_pragma=journal_mode(WAL)&_pragma=foreign_keys(1)&_pragma=busy_timeout(5000)", path)
db, err := sql.Open("sqlite", dsn)
func OpenAuth(databaseURL string) (*AuthStore, error) {
db, err := sql.Open("postgres", databaseURL)
if err != nil {
return nil, fmt.Errorf("open auth.db: %w", err)
return nil, fmt.Errorf("open auth db: %w", err)
}
db.SetMaxOpenConns(1) // sqlite write 单连接更稳
db.SetMaxOpenConns(8)
if err := db.Ping(); err != nil {
return nil, fmt.Errorf("ping auth.db: %w", err)
return nil, fmt.Errorf("ping auth db: %w", err)
}
s := &AuthStore{db: db}
if err := s.init(); err != nil {
@@ -54,18 +50,23 @@ func (s *AuthStore) Close() error { return s.db.Close() }
func (s *AuthStore) init() error {
_, err := s.db.Exec(`
CREATE TABLE IF NOT EXISTS users (
id INTEGER PRIMARY KEY AUTOINCREMENT,
id SERIAL PRIMARY KEY,
username TEXT NOT NULL UNIQUE,
password_hash TEXT NOT NULL,
role TEXT NOT NULL CHECK(role IN ('admin','user')),
disabled INTEGER NOT NULL DEFAULT 0,
disabled BOOLEAN NOT NULL DEFAULT FALSE,
created_at TEXT NOT NULL,
updated_at TEXT NOT NULL
);
CREATE INDEX IF NOT EXISTS idx_users_username ON users(username);
`)
if err != nil {
return err
}
// 兼容旧表:添加 force_password_change 列(已存在则忽略错误)
_, _ = s.db.Exec(`ALTER TABLE users ADD COLUMN IF NOT EXISTS force_password_change BOOLEAN NOT NULL DEFAULT FALSE`)
return nil
}
func (s *AuthStore) CountAdmins() (int, error) {
var n int
@@ -75,33 +76,33 @@ func (s *AuthStore) CountAdmins() (int, error) {
func (s *AuthStore) CreateUser(username, passwordHash, role string) (*User, error) {
now := time.Now().Format("2006-01-02 15:04:05")
res, err := s.db.Exec(
var id int64
err := s.db.QueryRow(
`INSERT INTO users(username, password_hash, role, disabled, created_at, updated_at)
VALUES (?, ?, ?, 0, ?, ?)`,
VALUES ($1, $2, $3, FALSE, $4, $5) RETURNING id`,
username, passwordHash, role, now, now,
)
).Scan(&id)
if err != nil {
return nil, err
}
id, _ := res.LastInsertId()
return &User{ID: id, Username: username, PasswordHash: passwordHash, Role: role,
CreatedAt: now, UpdatedAt: now}, nil
}
func (s *AuthStore) GetByUsername(username string) (*User, error) {
row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, created_at, updated_at
FROM users WHERE username = ?`, username)
row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, force_password_change, created_at, updated_at
FROM users WHERE username = $1`, username)
return scanUser(row)
}
func (s *AuthStore) GetByID(id int64) (*User, error) {
row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, created_at, updated_at
FROM users WHERE id = ?`, id)
row := s.db.QueryRow(`SELECT id, username, password_hash, role, disabled, force_password_change, created_at, updated_at
FROM users WHERE id = $1`, id)
return scanUser(row)
}
func (s *AuthStore) ListUsers() ([]User, error) {
rows, err := s.db.Query(`SELECT id, username, password_hash, role, disabled, created_at, updated_at
rows, err := s.db.Query(`SELECT id, username, password_hash, role, disabled, force_password_change, created_at, updated_at
FROM users ORDER BY id ASC`)
if err != nil {
return nil, err
@@ -120,7 +121,20 @@ func (s *AuthStore) ListUsers() ([]User, error) {
func (s *AuthStore) UpdatePassword(id int64, hash string) error {
now := time.Now().Format("2006-01-02 15:04:05")
res, err := s.db.Exec(`UPDATE users SET password_hash = ?, updated_at = ? WHERE id = ?`, hash, now, id)
res, err := s.db.Exec(`UPDATE users SET password_hash = $1, updated_at = $2 WHERE id = $3`, hash, now, id)
if err != nil {
return err
}
n, _ := res.RowsAffected()
if n == 0 {
return ErrNotFound
}
return nil
}
func (s *AuthStore) SetForcePasswordChange(id int64, v bool) error {
now := time.Now().Format("2006-01-02 15:04:05")
res, err := s.db.Exec(`UPDATE users SET force_password_change = $1, updated_at = $2 WHERE id = $3`, v, now, id)
if err != nil {
return err
}
@@ -133,11 +147,7 @@ func (s *AuthStore) UpdatePassword(id int64, hash string) error {
func (s *AuthStore) SetDisabled(id int64, disabled bool) error {
now := time.Now().Format("2006-01-02 15:04:05")
v := 0
if disabled {
v = 1
}
res, err := s.db.Exec(`UPDATE users SET disabled = ?, updated_at = ? WHERE id = ?`, v, now, id)
res, err := s.db.Exec(`UPDATE users SET disabled = $1, updated_at = $2 WHERE id = $3`, disabled, now, id)
if err != nil {
return err
}
@@ -149,7 +159,7 @@ func (s *AuthStore) SetDisabled(id int64, disabled bool) error {
}
func (s *AuthStore) DeleteUser(id int64) error {
res, err := s.db.Exec(`DELETE FROM users WHERE id = ?`, id)
res, err := s.db.Exec(`DELETE FROM users WHERE id = $1`, id)
if err != nil {
return err
}
@@ -166,14 +176,12 @@ type rowScanner interface {
func scanUser(r rowScanner) (*User, error) {
var u User
var disabled int
if err := r.Scan(&u.ID, &u.Username, &u.PasswordHash, &u.Role, &disabled, &u.CreatedAt, &u.UpdatedAt); err != nil {
if err := r.Scan(&u.ID, &u.Username, &u.PasswordHash, &u.Role, &u.Disabled, &u.ForcePasswordChange, &u.CreatedAt, &u.UpdatedAt); err != nil {
if errors.Is(err, sql.ErrNoRows) {
return nil, ErrNotFound
}
return nil, err
}
u.Disabled = disabled != 0
return &u, nil
}

10
web/backend/internal/store/util.go
View File

@@ -1,10 +0,0 @@
package store
import "os"
func ensureDir(dir string) error {
if _, err := os.Stat(dir); err == nil {
return nil
}
return os.MkdirAll(dir, 0o755)
}

9
web/backend/main.go
View File

@@ -30,18 +30,17 @@ func main() {
}
defer futures.Close()
authDB, err := store.OpenAuth(cfg.AuthDBPath)
authDB, err := store.OpenAuth(cfg.DatabaseURL)
if err != nil {
log.Fatalf("open auth: %v", err)
}
defer authDB.Close()
if err := auth.Bootstrap(authDB, cfg.AdminUser, cfg.AdminPass); err != nil {
if err := auth.Bootstrap(authDB); err != nil {
log.Fatalf("bootstrap: %v", err)
}
mgr := auth.NewManager(cfg.JWTSecret)
deps := &handlers.Deps{Auth: authDB, Futures: futures, JWT: mgr, TushareURL: cfg.TushareAPIURL}
deps := &handlers.Deps{Auth: authDB, Futures: futures, TushareURL: cfg.TushareAPIURL}
dist, err := fs.Sub(distFS, "dist")
if err != nil {
@@ -50,7 +49,7 @@ func main() {
srv := &http.Server{
Addr: cfg.ListenAddr,
Handler: router.New(deps, mgr, authDB, dist),
Handler: router.New(deps, dist),
ReadHeaderTimeout: 10 * time.Second,
}

5
web/frontend/src/api/auth.ts
View File

@@ -4,6 +4,7 @@ import type { AuthUser } from '@/stores/auth'
export interface LoginResp {
token: string
user: AuthUser
require_password_change: boolean
}
export function login(username: string, password: string) {
@@ -17,3 +18,7 @@ export function logout() {
export function me() {
return client.get<AuthUser>('/me').then((r) => r.data)
}
export function changePassword(oldPassword: string, newPassword: string) {
return client.post('/change-password', { old_password: oldPassword, new_password: newPassword }).then((r) => r.data)
}

9
web/frontend/src/router/index.ts
View File

@@ -8,6 +8,12 @@ const routes: RouteRecordRaw[] = [
component: () => import('@/views/LoginView.vue'),
meta: { layout: 'blank', public: true },
},
{
path: '/change-password',
name: 'change-password',
component: () => import('@/views/ChangePasswordView.vue'),
meta: { layout: 'blank' },
},
{ path: '/', redirect: '/scores' },
{
path: '/scores',
@@ -44,6 +50,9 @@ router.beforeEach((to) => {
if (!auth.token) {
return { path: '/login', query: { redirect: to.fullPath } }
}
if (auth.requirePasswordChange && to.path !== '/change-password') {
return { path: '/change-password' }
}
if (to.meta.adminOnly && !auth.isAdmin) {
return { path: '/scores' }
}

32
web/frontend/src/stores/auth.ts
View File

@@ -4,11 +4,13 @@ export interface AuthUser {
id: number
username: string
role: 'admin' | 'user'
force_password_change?: boolean
}
interface State {
token: string
user: AuthUser | null
requirePasswordChange: boolean
}
const STORAGE_KEY = 'trade.auth'
@@ -16,10 +18,15 @@ const STORAGE_KEY = 'trade.auth'
function load(): State {
try {
const raw = localStorage.getItem(STORAGE_KEY)
if (!raw) return { token: '', user: null }
return JSON.parse(raw) as State
if (!raw) return { token: '', user: null, requirePasswordChange: false }
const parsed = JSON.parse(raw) as Partial<State>
return {
token: parsed.token || '',
user: parsed.user || null,
requirePasswordChange: parsed.requirePasswordChange ?? false,
}
} catch {
return { token: '', user: null }
return { token: '', user: null, requirePasswordChange: false }
}
}
@@ -29,14 +36,29 @@ export const useAuthStore = defineStore('auth', {
isAdmin: (s) => s.user?.role === 'admin',
},
actions: {
setSession(token: string, user: AuthUser) {
setSession(token: string, user: AuthUser, requirePasswordChange?: boolean) {
this.token = token
this.user = user
localStorage.setItem(STORAGE_KEY, JSON.stringify({ token, user }))
this.requirePasswordChange = requirePasswordChange ?? false
localStorage.setItem(
STORAGE_KEY,
JSON.stringify({ token, user, requirePasswordChange: this.requirePasswordChange }),
)
},
clearRequirePasswordChange() {
this.requirePasswordChange = false
if (this.user) {
this.user.force_password_change = false
localStorage.setItem(
STORAGE_KEY,
JSON.stringify({ token: this.token, user: this.user, requirePasswordChange: false }),
)
}
},
logout() {
this.token = ''
this.user = null
this.requirePasswordChange = false
localStorage.removeItem(STORAGE_KEY)
},
},

109
web/frontend/src/views/ChangePasswordView.vue Normal file
View File

@@ -0,0 +1,109 @@
<script setup lang="ts">
import { reactive, ref } from 'vue'
import { useRouter } from 'vue-router'
import { ElMessage } from 'element-plus'
import { changePassword } from '@/api/auth'
import { useAuthStore } from '@/stores/auth'
const auth = useAuthStore()
const router = useRouter()
const form = reactive({ oldPassword: '', newPassword: '', confirmPassword: '' })
const loading = ref(false)
async function submit() {
if (!form.oldPassword || !form.newPassword) {
ElMessage.warning('请输入旧密码和新密码')
return
}
if (form.newPassword.length < 6) {
ElMessage.warning('新密码至少 6 位')
return
}
if (form.newPassword !== form.confirmPassword) {
ElMessage.warning('两次输入的新密码不一致')
return
}
loading.value = true
try {
await changePassword(form.oldPassword, form.newPassword)
ElMessage.success('密码修改成功')
auth.clearRequirePasswordChange()
router.replace('/scores')
} catch {
// axios 拦截器已弹错
} finally {
loading.value = false
}
}
</script>
<template>
<div class="login">
<div class="card">
<h2>修改密码</h2>
<p class="hint">首次登录或管理员重置密码后请修改密码</p>
<el-form @submit.prevent="submit" label-width="0">
<el-form-item>
<el-input
v-model="form.oldPassword"
type="password"
placeholder="旧密码"
show-password
autocomplete="current-password"
/>
</el-form-item>
<el-form-item>
<el-input
v-model="form.newPassword"
type="password"
placeholder="新密码"
show-password
autocomplete="new-password"
/>
</el-form-item>
<el-form-item>
<el-input
v-model="form.confirmPassword"
type="password"
placeholder="确认新密码"
show-password
autocomplete="new-password"
@keyup.enter="submit"
/>
</el-form-item>
<el-button type="primary" :loading="loading" style="width: 100%" @click="submit">
确认修改
</el-button>
</el-form>
</div>
</div>
</template>
<style scoped>
.login {
min-height: 100vh;
display: flex;
align-items: center;
justify-content: center;
background: linear-gradient(135deg, #1f2d3d 0%, #3a506b 100%);
}
.card {
width: 360px;
padding: 36px 32px;
background: var(--el-bg-color);
color: var(--el-text-color-primary);
border-radius: 8px;
box-shadow: 0 12px 32px rgba(0, 0, 0, 0.18);
}
.card h2 {
margin: 0 0 8px;
text-align: center;
}
.hint {
margin: 0 0 24px;
color: var(--el-text-color-secondary);
font-size: 12px;
text-align: center;
}
</style>

9
web/frontend/src/views/LoginView.vue
View File

@@ -20,9 +20,13 @@ async function submit() {
loading.value = true
try {
const resp = await login(form.username.trim(), form.password)
auth.setSession(resp.token, resp.user)
auth.setSession(resp.token, resp.user, resp.require_password_change)
if (resp.require_password_change) {
router.replace('/change-password')
} else {
const redirect = (route.query.redirect as string) || '/scores'
router.replace(redirect)
}
} catch {
// axios 拦截器已弹错
} finally {
@@ -60,11 +64,12 @@ async function submit() {
<style scoped>
.login {
min-height: 100vh;
height: 100vh;
display: flex;
align-items: center;
justify-content: center;
background: linear-gradient(135deg, #1f2d3d 0%, #3a506b 100%);
overflow: hidden;
}
.card {
width: 360px;