Enhance user authentication and authentication

Fix the modification of personal information
Fix the formatted page template

config/config.json

@@ -37,6 +37,12 @@
   "security": {
     "jwt_secret": "your-jwt-secret-key",
     "encryption_key": "your-encryption-key",
-    "jwt_refresh_threshold_hours": 6
+    "jwt_refresh_threshold_hours": 6,
+    "cookie": {
+      "secure": false,
+      "same_site": "Lax",
+      "domain": "",
+      "max_age": 86400
+    }
   }
 }

controllers/admin/auth.go

@@ -26,8 +26,33 @@ func LoginPageHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// 获取或生成CSRF令牌
+	var token string
+	if existingToken := utils.GetCSRFTokenFromCookie(r); existingToken != "" {
+		// 重用现有的Cookie令牌
+		token = existingToken
+	} else {
+		// 生成新的CSRF令牌并设置到Cookie
+		newToken, err := utils.GenerateCSRFToken()
+		if err != nil {
+			http.Error(w, "生成CSRF令牌失败", http.StatusInternalServerError)
+			return
+		}
+		token = newToken
+		utils.SetCSRFToken(w, token)
+	}
+
+	// 准备模板数据
+	extraData := map[string]interface{}{
+		"Title": "管理员登录",
+	}
 	data := utils.GetDefaultTemplateData()
-	data["Title"] = "管理员登录"
+	data["CSRFToken"] = token
+	
+	// 合并额外数据
+	for key, value := range extraData {
+		data[key] = value
+	}
 
 	utils.RenderTemplate(w, "login.html", data)
 }
@@ -97,15 +122,8 @@ func LoginHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// 设置JWT Cookie（HttpOnly，安全）
+	// 设置JWT Cookie（使用安全配置）
-	cookie := &http.Cookie{
+	cookie := utils.CreateSecureCookie("admin_session", token, utils.GetDefaultCookieMaxAge())
-		Name:     "admin_session",
-		Value:    token,
-		Path:     "/",
-		HttpOnly: true,
-		Secure:   false,        // 生产环境应设置为true（HTTPS）
-		MaxAge:   24 * 60 * 60, // 24小时
-	}
 	http.SetCookie(w, cookie)
 
 	utils.JsonResponse(w, http.StatusOK, true, "登录成功", map[string]interface{}{
@@ -132,15 +150,7 @@ func LogoutHandler(w http.ResponseWriter, r *http.Request) {
 // - 统一的Cookie清理函数，确保一致性
 // - 在JWT校验失败时自动调用，提升安全性和用户体验
 func clearInvalidJWTCookie(w http.ResponseWriter) {
-	cookie := &http.Cookie{
+	cookie := utils.CreateExpiredCookie("admin_session")
-		Name:     "admin_session",
-		Value:    "",
-		Path:     "/",
-		HttpOnly: true,
-		Secure:   false,           // 生产环境应设置为true
-		MaxAge:   -1,              // 立即失效
-		Expires:  time.Unix(0, 0), // 确保过期
-	}
 	http.SetCookie(w, cookie)
 }
 
@@ -434,15 +444,8 @@ func GetCurrentAdminUserWithRefresh(w http.ResponseWriter, r *http.Request) (*JW
 		}
 		newToken, err := generateJWTToken(user)
 		if err == nil {
-			// 更新Cookie
+			// 更新Cookie（使用安全配置）
-			newCookie := &http.Cookie{
+			newCookie := utils.CreateSecureCookie("admin_session", newToken, utils.GetDefaultCookieMaxAge())
-				Name:     "admin_session",
-				Value:    newToken,
-				Path:     "/",
-				HttpOnly: true,
-				Secure:   false,        // 生产环境应设置为true（HTTPS）
-				MaxAge:   24 * 60 * 60, // 24小时
-			}
 			http.SetCookie(w, newCookie)
 			refreshed = true
 

controllers/admin/captcha.go

@@ -7,7 +7,8 @@ import (
 	"math/big"
 	"net/http"
 	"strings"
-	"time"
+
+	"networkDev/utils"
 
 	"github.com/mojocn/base64Captcha"
 )
@@ -62,15 +63,7 @@ func CaptchaHandler(w http.ResponseWriter, r *http.Request) {
 
 	// 将验证码ID存储到session中（这里简化处理，实际项目中应该使用更安全的方式）
 	// 设置cookie来存储验证码ID
-	cookie := &http.Cookie{
+	cookie := utils.CreateSecureCookie("captcha_id", id, 300) // 5分钟过期
-		Name:     "captcha_id",
-		Value:    id,
-		Path:     "/",
-		HttpOnly: true,
-		Secure:   false, // 生产环境应设置为true
-		MaxAge:   300,   // 5分钟过期
-		Expires:  time.Now().Add(5 * time.Minute),
-	}
 	http.SetCookie(w, cookie)
 
 	// 解码base64图片数据并返回

controllers/admin/handlers.go

@@ -26,21 +26,47 @@ func AdminIndexHandler(w http.ResponseWriter, r *http.Request) {
 // AdminLayoutHandler 后台布局页渲染
 // - 渲染 layout.html，包含顶部导航、侧边栏与动态内容容器
 func AdminLayoutHandler(w http.ResponseWriter, r *http.Request) {
-	data := utils.GetDefaultTemplateData()
+	// 获取或生成CSRF令牌
+	var token string
+	if existingToken := utils.GetCSRFTokenFromCookie(r); existingToken != "" {
+		// 重用现有的Cookie令牌
+		token = existingToken
+	} else {
+		// 生成新的CSRF令牌并设置到Cookie
+		newToken, err := utils.GenerateCSRFToken()
+		if err != nil {
+			http.Error(w, "生成CSRF令牌失败", http.StatusInternalServerError)
+			return
+		}
+		token = newToken
+		utils.SetCSRFToken(w, token)
+	}
+
+	// 准备额外的模板数据
+	extraData := make(map[string]interface{})
 
 	// 从数据库读取站点标题
-	db, err := database.GetDB()
+	db, dbErr := database.GetDB()
-	if err != nil {
+	if dbErr != nil {
-		data["Title"] = "凌动技术"
+		extraData["Title"] = "凌动技术"
 	} else {
-		siteTitle, err := services.FindSettingByName("site_title", db)
+		siteTitle, settingErr := services.FindSettingByName("site_title", db)
-		if err != nil || siteTitle == nil {
+		if settingErr != nil || siteTitle == nil {
-			data["Title"] = "凌动技术"
+			extraData["Title"] = "凌动技术"
 		} else {
-			data["Title"] = siteTitle.Value
+			extraData["Title"] = siteTitle.Value
 		}
 	}
 
+	// 准备模板数据
+	data := utils.GetDefaultTemplateData()
+	data["CSRFToken"] = token
+	
+	// 合并额外数据
+	for key, value := range extraData {
+		data[key] = value
+	}
+
 	utils.RenderTemplate(w, "layout.html", data)
 }
 

controllers/admin/user.go

@@ -160,15 +160,8 @@ func UserPasswordUpdateHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// 更新Cookie
+	// 更新Cookie（使用安全配置）
-	cookie := &http.Cookie{
+	cookie := utils.CreateSecureCookie("admin_session", newToken, utils.GetDefaultCookieMaxAge())
-		Name:     "admin_session",
-		Value:    newToken,
-		Path:     "/",
-		HttpOnly: true,
-		Secure:   false,        // 生产环境应设置为true（HTTPS）
-		MaxAge:   24 * 60 * 60, // 24小时
-	}
 	http.SetCookie(w, cookie)
 
 	// 密码修改成功，已重新生成JWT令牌
@@ -260,20 +253,14 @@ func UserProfileUpdateHandler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// 重新签发JWT并写入Cookie
-	newUser := models.User{UUID: claims.UserUUID, Username: username, Role: claims.Role}
+	// 使用完整的用户信息（包含密码）来生成JWT令牌
-	token, err := generateJWTToken(newUser)
+	user.Username = username // 更新用户名
+	token, err := generateJWTToken(user)
 	if err != nil {
 		utils.JsonResponse(w, http.StatusInternalServerError, false, "生成新令牌失败", nil)
 		return
 	}
-	cookie := &http.Cookie{
+	cookie := utils.CreateSecureCookie("admin_session", token, utils.GetDefaultCookieMaxAge())
-		Name:     "admin_session",
-		Value:    token,
-		Path:     "/",
-		HttpOnly: true,
-		Secure:   false,
-		MaxAge:   24 * 60 * 60,
-	}
 	http.SetCookie(w, cookie)
 
 	utils.JsonResponse(w, http.StatusOK, true, "保存成功", map[string]interface{}{

cookies.txt

@@ -0,0 +1,5 @@
+# Netscape HTTP Cookie File
+# https://curl.se/docs/http-cookies.html
+# This file was generated by libcurl! Edit at your own risk.
+
+#HttpOnly_localhost	FALSE	/	TRUE	1761422606	csrf_token	QLYaH1VddKCyAFgijZ80OYxzDht7zVLPbXH-rprEXvM=

database/seed_user.go

@@ -8,21 +8,22 @@ import (
 )
 
 // SeedDefaultAdmin 初始化默认管理员账号
-// - 如果用户名为 admin 的用户已存在，则跳过
+// - 如果已存在任何管理员用户（role=0），则跳过
 // - 如不存在，则创建用户名为 admin、密码为 admin123（以 bcrypt 哈希存储）、角色 Role=0 的管理员
-// - ID和UUID将自动生成
+// - 根据需求：默认 admin 用户的 ID 固定为 10000
 func SeedDefaultAdmin() error {
 	db, err := GetDB()
 	if err != nil {
 		return err
 	}
 
-	// 检查是否存在用户名为 admin 的用户
+	// 检查是否存在任何管理员用户（role=0）
 	var count int64
-	if dbErr := db.Model(&models.User{}).Where("username = ?", "admin").Count(&count).Error; dbErr != nil {
+	if dbErr := db.Model(&models.User{}).Where("role = ?", 0).Count(&count).Error; dbErr != nil {
 		return dbErr
 	}
 	if count > 0 {
+		logrus.Info("已存在管理员用户，跳过默认管理员创建")
 		return nil
 	}
 

server/admin.go

@@ -3,6 +3,7 @@ package server
 import (
 	"net/http"
 	adminctl "networkDev/controllers/admin"
+	"networkDev/utils"
 )
 
 // RegisterAdminRoutes 注册管理员后台相关路由
@@ -23,7 +24,8 @@ func RegisterAdminRoutes(mux *http.ServeMux) {
 			return
 		}
 		if r.Method == http.MethodPost {
-			adminctl.LoginHandler(w, r)
+			// 应用CSRF保护
+			utils.RequireCSRFToken(adminctl.LoginHandler)(w, r)
 			return
 		}
 		w.WriteHeader(http.StatusMethodNotAllowed)
@@ -35,6 +37,9 @@ func RegisterAdminRoutes(mux *http.ServeMux) {
 	// 验证码生成路由（无需认证）
 	mux.HandleFunc("/admin/captcha", adminctl.CaptchaHandler)
 
+	// CSRF令牌获取API（无需认证，但需要在登录页面等地方获取）
+	mux.HandleFunc("/admin/api/csrf-token", utils.CSRFTokenHandler)
+
 	// 后台布局页（需要管理员认证）
 	mux.HandleFunc("/admin/layout", adminctl.AdminAuthRequired(adminctl.AdminLayoutHandler))
 
@@ -51,44 +56,44 @@ func RegisterAdminRoutes(mux *http.ServeMux) {
 
 	// 个人资料API
 	mux.HandleFunc("/admin/api/user/profile", adminctl.AdminAuthRequired(adminctl.UserProfileQueryHandler))
-	mux.HandleFunc("/admin/api/user/profile/update", adminctl.AdminAuthRequired(adminctl.UserProfileUpdateHandler))
+	mux.HandleFunc("/admin/api/user/profile/update", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.UserProfileUpdateHandler)))
-	mux.HandleFunc("/admin/api/user/password", adminctl.AdminAuthRequired(adminctl.UserPasswordUpdateHandler))
+	mux.HandleFunc("/admin/api/user/password", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.UserPasswordUpdateHandler)))
 
 	// 系统设置API
 	mux.HandleFunc("/admin/api/settings", adminctl.AdminAuthRequired(adminctl.SettingsQueryHandler))
-	mux.HandleFunc("/admin/api/settings/update", adminctl.AdminAuthRequired(adminctl.SettingsUpdateHandler))
+	mux.HandleFunc("/admin/api/settings/update", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.SettingsUpdateHandler)))
 
 	// 应用管理API
 	mux.HandleFunc("/admin/api/apps/list", adminctl.AdminAuthRequired(adminctl.AppsListHandler))
-	mux.HandleFunc("/admin/api/apps/create", adminctl.AdminAuthRequired(adminctl.AppCreateHandler))
+	mux.HandleFunc("/admin/api/apps/create", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.AppCreateHandler)))
-	mux.HandleFunc("/admin/api/apps/update", adminctl.AdminAuthRequired(adminctl.AppUpdateHandler))
+	mux.HandleFunc("/admin/api/apps/update", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.AppUpdateHandler)))
-	mux.HandleFunc("/admin/api/apps/delete", adminctl.AdminAuthRequired(adminctl.AppDeleteHandler))
+	mux.HandleFunc("/admin/api/apps/delete", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.AppDeleteHandler)))
-	mux.HandleFunc("/admin/api/apps/batch_delete", adminctl.AdminAuthRequired(adminctl.AppsBatchDeleteHandler))
+	mux.HandleFunc("/admin/api/apps/batch_delete", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.AppsBatchDeleteHandler)))
-	mux.HandleFunc("/admin/api/apps/batch_update_status", adminctl.AdminAuthRequired(adminctl.AppsBatchUpdateStatusHandler))
+	mux.HandleFunc("/admin/api/apps/batch_update_status", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.AppsBatchUpdateStatusHandler)))
-	mux.HandleFunc("/admin/api/apps/reset_secret", adminctl.AdminAuthRequired(adminctl.AppResetSecretHandler))
+	mux.HandleFunc("/admin/api/apps/reset_secret", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.AppResetSecretHandler)))
 	mux.HandleFunc("/admin/api/apps/get_app_data", adminctl.AdminAuthRequired(adminctl.AppGetAppDataHandler))
-	mux.HandleFunc("/admin/api/apps/update_app_data", adminctl.AdminAuthRequired(adminctl.AppUpdateAppDataHandler))
+	mux.HandleFunc("/admin/api/apps/update_app_data", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.AppUpdateAppDataHandler)))
 	mux.HandleFunc("/admin/api/apps/get_announcement", adminctl.AdminAuthRequired(adminctl.AppGetAnnouncementHandler))
-	mux.HandleFunc("/admin/api/apps/update_announcement", adminctl.AdminAuthRequired(adminctl.AppUpdateAnnouncementHandler))
+	mux.HandleFunc("/admin/api/apps/update_announcement", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.AppUpdateAnnouncementHandler)))
 	mux.HandleFunc("/admin/api/apps/get_multi_config", adminctl.AdminAuthRequired(adminctl.AppGetMultiConfigHandler))
-	mux.HandleFunc("/admin/api/apps/update_multi_config", adminctl.AdminAuthRequired(adminctl.AppUpdateMultiConfigHandler))
+	mux.HandleFunc("/admin/api/apps/update_multi_config", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.AppUpdateMultiConfigHandler)))
 	mux.HandleFunc("/admin/api/apps/get_bind_config", adminctl.AdminAuthRequired(adminctl.AppGetBindConfigHandler))
-	mux.HandleFunc("/admin/api/apps/update_bind_config", adminctl.AdminAuthRequired(adminctl.AppUpdateBindConfigHandler))
+	mux.HandleFunc("/admin/api/apps/update_bind_config", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.AppUpdateBindConfigHandler)))
 	mux.HandleFunc("/admin/api/apps/get_register_config", adminctl.AdminAuthRequired(adminctl.AppGetRegisterConfigHandler))
-	mux.HandleFunc("/admin/api/apps/update_register_config", adminctl.AdminAuthRequired(adminctl.AppUpdateRegisterConfigHandler))
+	mux.HandleFunc("/admin/api/apps/update_register_config", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.AppUpdateRegisterConfigHandler)))
 
 	// API接口管理API
 	mux.HandleFunc("/admin/api/apis/list", adminctl.AdminAuthRequired(adminctl.APIListHandler))
-	mux.HandleFunc("/admin/api/apis/update", adminctl.AdminAuthRequired(adminctl.APIUpdateHandler))
+	mux.HandleFunc("/admin/api/apis/update", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.APIUpdateHandler)))
 	mux.HandleFunc("/admin/api/apis/apps", adminctl.AdminAuthRequired(adminctl.APIGetAppsHandler))
 	mux.HandleFunc("/admin/api/apis/types", adminctl.AdminAuthRequired(adminctl.APIGetTypesHandler))
-	mux.HandleFunc("/admin/api/apis/generate_keys", adminctl.AdminAuthRequired(adminctl.APIGenerateKeysHandler))
+	mux.HandleFunc("/admin/api/apis/generate_keys", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.APIGenerateKeysHandler)))
 
 	// 变量管理API
 	mux.HandleFunc("/admin/variable/list", adminctl.AdminAuthRequired(adminctl.VariableListHandler))
 	mux.HandleFunc("/admin/variable/apps", adminctl.AdminAuthRequired(adminctl.VariableGetAppsHandler))
-	mux.HandleFunc("/admin/variable/create", adminctl.AdminAuthRequired(adminctl.VariableCreateHandler))
+	mux.HandleFunc("/admin/variable/create", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.VariableCreateHandler)))
-	mux.HandleFunc("/admin/variable/update", adminctl.AdminAuthRequired(adminctl.VariableUpdateHandler))
+	mux.HandleFunc("/admin/variable/update", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.VariableUpdateHandler)))
-	mux.HandleFunc("/admin/variable/delete", adminctl.AdminAuthRequired(adminctl.VariableDeleteHandler))
+	mux.HandleFunc("/admin/variable/delete", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.VariableDeleteHandler)))
-	mux.HandleFunc("/admin/variable/batch_delete", adminctl.AdminAuthRequired(adminctl.VariablesBatchDeleteHandler))
+	mux.HandleFunc("/admin/variable/batch_delete", adminctl.AdminAuthRequired(utils.RequireCSRFToken(adminctl.VariablesBatchDeleteHandler)))
 }

utils/common.go

@@ -55,6 +55,25 @@ func GetDefaultTemplateData() map[string]interface{} {
 	}
 }
 
+// GetTemplateDataWithCSRF 获取包含CSRF令牌的模板数据
+// 合并默认数据和CSRF令牌，用于需要CSRF保护的页面
+func GetTemplateDataWithCSRF(r *http.Request, additionalData map[string]interface{}) map[string]interface{} {
+	// 获取默认模板数据
+	data := GetDefaultTemplateData()
+	
+	// 添加CSRF令牌
+	data["CSRFToken"] = GetCSRFTokenForTemplate(r)
+	
+	// 合并额外数据
+	if additionalData != nil {
+		for key, value := range additionalData {
+			data[key] = value
+		}
+	}
+	
+	return data
+}
+
 // GetClientIP 获取客户端IP地址
 // 优先从 X-Forwarded-For 和 X-Real-IP 头部获取，否则使用 RemoteAddr
 func GetClientIP(r *http.Request) string {

utils/cookie.go

@@ -0,0 +1,77 @@
+package utils
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/spf13/viper"
+)
+
+// CreateSecureCookie 创建安全的Cookie
+// name: Cookie名称
+// value: Cookie值
+// maxAge: 过期时间（秒），0表示会话Cookie，-1表示立即过期
+func CreateSecureCookie(name, value string, maxAge int) *http.Cookie {
+	cookie := &http.Cookie{
+		Name:     name,
+		Value:    value,
+		Path:     "/",
+		HttpOnly: true,
+		MaxAge:   maxAge,
+	}
+
+	// 从配置读取安全设置
+	if viper.GetBool("security.cookie.secure") {
+		cookie.Secure = true
+	}
+
+	// 设置SameSite属性
+	sameSite := viper.GetString("security.cookie.same_site")
+	switch sameSite {
+	case "Strict":
+		cookie.SameSite = http.SameSiteStrictMode
+	case "Lax":
+		cookie.SameSite = http.SameSiteLaxMode
+	case "None":
+		cookie.SameSite = http.SameSiteNoneMode
+		// SameSite=None 必须配合 Secure=true 使用
+		cookie.Secure = true
+	default:
+		cookie.SameSite = http.SameSiteStrictMode
+	}
+
+	// 设置Domain（如果配置了）
+	domain := viper.GetString("security.cookie.domain")
+	if domain != "" {
+		cookie.Domain = domain
+	}
+
+	// 如果maxAge > 0，设置Expires时间
+	if maxAge > 0 {
+		cookie.Expires = time.Now().Add(time.Duration(maxAge) * time.Second)
+	} else if maxAge == -1 {
+		// 立即过期
+		cookie.Expires = time.Unix(0, 0)
+	}
+
+	return cookie
+}
+
+// CreateSessionCookie 创建会话Cookie（浏览器关闭时过期）
+func CreateSessionCookie(name, value string) *http.Cookie {
+	return CreateSecureCookie(name, value, 0)
+}
+
+// CreateExpiredCookie 创建立即过期的Cookie（用于清理）
+func CreateExpiredCookie(name string) *http.Cookie {
+	return CreateSecureCookie(name, "", -1)
+}
+
+// GetDefaultCookieMaxAge 获取默认Cookie过期时间
+func GetDefaultCookieMaxAge() int {
+	maxAge := viper.GetInt("security.cookie.max_age")
+	if maxAge <= 0 {
+		return 86400 // 默认24小时
+	}
+	return maxAge
+}

utils/crypto.go

@@ -291,7 +291,8 @@ func DecryptStringWithSalt(enc, salt string) (string, error) {
 }
 
 // HashPasswordWithSalt 使用盐值对密码进行哈希处理
-// 将密码和盐值组合后使用bcrypt进行哈希
+// 将密码和盐值组合后先用SHA256处理，再使用bcrypt进行哈希
+// 这样可以避免bcrypt的72字节限制问题
 // password: 原始密码
 // salt: 密码盐值
 // 返回: bcrypt哈希值和错误信息
@@ -299,8 +300,12 @@ func HashPasswordWithSalt(password, salt string) (string, error) {
 	// 将密码和盐值组合
 	combined := password + salt
 
+	// 先使用SHA256处理组合后的字符串，确保长度固定且不超过bcrypt限制
+	hash := sha256.Sum256([]byte(combined))
+	sha256Hash := fmt.Sprintf("%x", hash) // 64字节的十六进制字符串
+
 	// 使用bcrypt进行哈希（成本因子10，平衡安全性和性能）
-	hashed, err := bcrypt.GenerateFromPassword([]byte(combined), 10)
+	hashed, err := bcrypt.GenerateFromPassword([]byte(sha256Hash), 10)
 	if err != nil {
 		return "", err
 	}
@@ -317,8 +322,12 @@ func VerifyPasswordWithSalt(password, salt, hashedPassword string) bool {
 	// 将密码和盐值组合
 	combined := password + salt
 
+	// 先使用SHA256处理组合后的字符串，与哈希生成逻辑保持一致
+	hash := sha256.Sum256([]byte(combined))
+	sha256Hash := fmt.Sprintf("%x", hash) // 64字节的十六进制字符串
+
 	// 使用bcrypt验证
-	err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(combined))
+	err := bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(sha256Hash))
 	return err == nil
 }
 

utils/csrf.go

@@ -0,0 +1,168 @@
+package utils
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/base64"
+	"net/http"
+)
+
+const (
+	CSRFTokenLength = 32
+	CSRFCookieName  = "csrf_token"
+	CSRFHeaderName  = "X-CSRF-Token"
+	CSRFFormField   = "csrf_token"
+)
+
+// generateRandomBytes 生成指定长度的随机字节
+func generateRandomBytes(length int) ([]byte, error) {
+	bytes := make([]byte, length)
+	_, err := rand.Read(bytes)
+	if err != nil {
+		return nil, err
+	}
+	return bytes, nil
+}
+
+// GenerateCSRFToken 生成CSRF令牌
+func GenerateCSRFToken() (string, error) {
+	bytes, err := generateRandomBytes(CSRFTokenLength)
+	if err != nil {
+		return "", err
+	}
+	return base64.URLEncoding.EncodeToString(bytes), nil
+}
+
+// SetCSRFToken 设置CSRF令牌到Cookie和响应头
+func SetCSRFToken(w http.ResponseWriter, token string) {
+	// 设置CSRF令牌到Cookie
+	cookie := CreateSecureCookie(CSRFCookieName, token, 3600) // 1小时过期
+	http.SetCookie(w, cookie)
+
+	// 设置CSRF令牌到响应头，方便JavaScript获取
+	w.Header().Set("X-CSRF-Token", token)
+}
+
+// GetCSRFTokenFromRequest 从请求中获取CSRF令牌
+// 优先级：Header > Form > Cookie
+func GetCSRFTokenFromRequest(r *http.Request) string {
+	// 1. 从Header获取
+	if token := r.Header.Get(CSRFHeaderName); token != "" {
+		return token
+	}
+
+	// 2. 从Form获取
+	if token := r.FormValue(CSRFFormField); token != "" {
+		return token
+	}
+
+	// 3. 从Cookie获取（作为备选）
+	if cookie, err := r.Cookie(CSRFCookieName); err == nil {
+		return cookie.Value
+	}
+
+	return ""
+}
+
+// GetCSRFTokenFromCookie 从Cookie中获取CSRF令牌
+func GetCSRFTokenFromCookie(r *http.Request) string {
+	cookie, err := r.Cookie(CSRFCookieName)
+	if err != nil {
+		return ""
+	}
+	return cookie.Value
+}
+
+// ValidateCSRFToken 验证CSRF令牌
+func ValidateCSRFToken(r *http.Request) bool {
+	// 获取Cookie中的令牌（服务器端存储的）
+	cookieToken := GetCSRFTokenFromCookie(r)
+	if cookieToken == "" {
+		return false
+	}
+
+	// 获取请求中的令牌（客户端提交的）
+	requestToken := GetCSRFTokenFromRequest(r)
+	if requestToken == "" {
+		return false
+	}
+
+	// 使用常量时间比较防止时序攻击
+	return subtle.ConstantTimeCompare([]byte(cookieToken), []byte(requestToken)) == 1
+}
+
+// CSRFProtection CSRF保护中间件
+func CSRFProtection(next http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// 对于GET、HEAD、OPTIONS请求，只生成令牌，不验证
+		if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
+			// 生成新的CSRF令牌
+			token, err := GenerateCSRFToken()
+			if err != nil {
+				http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+				return
+			}
+			SetCSRFToken(w, token)
+			next(w, r)
+			return
+		}
+
+		// 对于POST、PUT、DELETE等修改性请求，验证CSRF令牌
+		if !ValidateCSRFToken(r) {
+			JsonResponse(w, http.StatusForbidden, false, "CSRF令牌验证失败", nil)
+			return
+		}
+
+		// 验证通过，继续处理请求
+		next(w, r)
+	}
+}
+
+// RequireCSRFToken 要求CSRF令牌的中间件（用于特定路由）
+func RequireCSRFToken(next http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if !ValidateCSRFToken(r) {
+			JsonResponse(w, http.StatusForbidden, false, "CSRF令牌验证失败", nil)
+			return
+		}
+		next(w, r)
+	}
+}
+
+// GetCSRFTokenForTemplate 获取用于模板的CSRF令牌
+func GetCSRFTokenForTemplate(r *http.Request) string {
+	// 尝试从Cookie获取现有令牌
+	if token := GetCSRFTokenFromCookie(r); token != "" {
+		return token
+	}
+
+	// 如果没有现有令牌，生成新的（但不设置到响应中）
+	token, err := GenerateCSRFToken()
+	if err != nil {
+		return ""
+	}
+	return token
+}
+
+// CSRFTokenHandler 专门用于获取CSRF令牌的API端点
+func CSRFTokenHandler(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		JsonResponse(w, http.StatusMethodNotAllowed, false, "只支持GET请求", nil)
+		return
+	}
+
+	// 生成新的CSRF令牌
+	token, err := GenerateCSRFToken()
+	if err != nil {
+		JsonResponse(w, http.StatusInternalServerError, false, "生成CSRF令牌失败", nil)
+		return
+	}
+
+	// 设置令牌到Cookie和响应头
+	SetCSRFToken(w, token)
+
+	// 返回令牌给前端
+	JsonResponse(w, http.StatusOK, true, "CSRF令牌获取成功", map[string]interface{}{
+		"csrf_token": token,
+	})
+}

web/static/js/admin.js

@@ -6,6 +6,63 @@ const rootPath = (function (src) {
   return src.substring(0, src.lastIndexOf('/') + 1);
 })();
 
+// CSRF令牌管理
+const CSRFManager = {
+  // 缓存的CSRF令牌
+  token: null,
+  
+  // 获取CSRF令牌
+  async getToken() {
+    if (this.token) {
+      return this.token;
+    }
+    
+    try {
+      const response = await fetch('/admin/api/csrf-token', {
+        method: 'GET',
+        headers: {
+          'X-Requested-With': 'XMLHttpRequest'
+        }
+      });
+      
+      if (response.ok) {
+        const data = await response.json();
+        if (data.code === 0 && data.data && data.data.csrf_token) {
+          this.token = data.data.csrf_token;
+          return this.token;
+        }
+      }
+    } catch (error) {
+      console.error('获取CSRF令牌失败:', error);
+    }
+    
+    return null;
+  },
+  
+  // 清除缓存的令牌
+  clearToken() {
+    this.token = null;
+  },
+  
+  // 为fetch请求添加CSRF令牌
+  async addCSRFHeader(headers = {}) {
+    const token = await this.getToken();
+    if (token) {
+      headers['X-CSRF-Token'] = token;
+    }
+    return headers;
+  }
+};
+
+// 增强的fetch函数，自动添加CSRF令牌
+window.fetchWithCSRF = async function(url, options = {}) {
+  const headers = await CSRFManager.addCSRFHeader(options.headers || {});
+  return fetch(url, {
+    ...options,
+    headers
+  });
+};
+
 const app = document.querySelector('#app')
 
 addLink({ href: layuicss }).then(() => {
@@ -150,7 +207,7 @@ loadScript(layuijs, function () {
         });
         
         // 调用登出接口
-        fetch('/admin/logout', {
+        fetchWithCSRF('/admin/logout', {
           method: 'POST',
           headers: {
             'Content-Type': 'application/json',

web/template/admin/apis.html

@@ -1,10 +1,8 @@
 {{ define "apis.html" }}
 <section>
-  <h2>接口管理</h2>
+  <h2>接口管理</h2>d
-
-
   <div class="layui-card" style="margin-top:12px">
-    <div class="layui-card-header">筛选</div>
+    <div class="layui-card-header">筛选</div>d
     <div class="layui-card-body">
       <form class="layui-form layui-form-pane" id="apiFilterForm" lay-filter="apiFilterForm">
         <div class="layui-form-item">
@@ -12,7 +10,7 @@
             <label class="layui-form-label">应用</label>
             <div class="layui-input-inline">
               <select name="app_uuid" lay-filter="appSelect" lay-search="">
-                <option value="">请选择应用</option>
+                <option value="">请选择应用</option>e
               </select>
             </div>
           </div>
@@ -73,14 +71,18 @@
         <label class="layui-form-label" style="cursor: pointer;" data-tips="submit-keys">提交密钥</label>
         <div class="layui-input-block">
           <div id="submit-rc4" style="display:none">
-            <input type="text" name="submit_private_key" placeholder="RC4密钥（16位十六进制，大写）" autocomplete="off" class="layui-input" readonly />
+            <input type="text" name="submit_private_key" placeholder="RC4密钥（16位十六进制，大写）" autocomplete="off"
+              class="layui-input" readonly />
           </div>
           <div id="submit-rsa" style="display:none">
-            <textarea name="submit_public_key" placeholder="RSA 公钥（PEM 明文）" class="layui-textarea" rows="4" readonly></textarea>
+            <textarea name="submit_public_key" placeholder="RSA 公钥（PEM 明文）" class="layui-textarea" rows="4"
-            <textarea name="submit_private_key" placeholder="RSA 私钥（PEM 明文）" class="layui-textarea" rows="6" style="margin-top:8px;" readonly></textarea>
+              readonly></textarea>
+            <textarea name="submit_private_key" placeholder="RSA 私钥（PEM 明文）" class="layui-textarea" rows="6"
+              style="margin-top:8px;" readonly></textarea>
           </div>
           <div id="submit-easy" style="display:none">
-            <input type="text" name="submit_private_key" placeholder="易加密密钥（15-30位整数数组，逗号分隔）" autocomplete="off" class="layui-input" readonly />
+            <input type="text" name="submit_private_key" placeholder="易加密密钥（15-30位整数数组，逗号分隔）" autocomplete="off"
+              class="layui-input" readonly />
           </div>
           <div style="margin-top:8px;">
             <button type="button" class="layui-btn layui-btn-sm" id="btnGenSubmitKeys">重新生成</button>
@@ -105,14 +107,18 @@
         <label class="layui-form-label" style="cursor: pointer;" data-tips="return-keys">返回密钥</label>
         <div class="layui-input-block">
           <div id="return-rc4" style="display:none">
-            <input type="text" name="return_private_key" placeholder="RC4密钥（16位十六进制，大写）" autocomplete="off" class="layui-input" readonly />
+            <input type="text" name="return_private_key" placeholder="RC4密钥（16位十六进制，大写）" autocomplete="off"
+              class="layui-input" readonly />
           </div>
           <div id="return-rsa" style="display:none">
-            <textarea name="return_public_key" placeholder="RSA 公钥（PEM 明文）" class="layui-textarea" rows="4" readonly></textarea>
+            <textarea name="return_public_key" placeholder="RSA 公钥（PEM 明文）" class="layui-textarea" rows="4"
-            <textarea name="return_private_key" placeholder="RSA 私钥（PEM 明文）" class="layui-textarea" rows="6" style="margin-top:8px;" readonly></textarea>
+              readonly></textarea>
+            <textarea name="return_private_key" placeholder="RSA 私钥（PEM 明文）" class="layui-textarea" rows="6"
+              style="margin-top:8px;" readonly></textarea>
           </div>
           <div id="return-easy" style="display:none">
-            <input type="text" name="return_private_key" placeholder="易加密密钥（15-30位整数数组，逗号分隔）" autocomplete="off" class="layui-input" readonly />
+            <input type="text" name="return_private_key" placeholder="易加密密钥（15-30位整数数组，逗号分隔）" autocomplete="off"
+              class="layui-input" readonly />
           </div>
           <div style="margin-top:8px;">
             <button type="button" class="layui-btn layui-btn-sm" id="btnGenReturnKeys">重新生成</button>

web/template/admin/apps.html

@@ -3,9 +3,12 @@
   <h2>应用管理</h2>
   <div class="layui-btn-container" style="margin:12px 0">
     <button class="layui-btn" id="btnAddApp"><i class="layui-icon layui-icon-add-1"></i> 新增应用</button>
-    <button class="layui-btn layui-btn-danger" id="btnBatchDeleteApps"><i class="layui-icon layui-icon-delete"></i> 批量删除</button>
+    <button class="layui-btn layui-btn-danger" id="btnBatchDeleteApps"><i class="layui-icon layui-icon-delete"></i>
-    <button class="layui-btn layui-btn-normal" id="btnBatchEnableApps"><i class="layui-icon layui-icon-ok-circle"></i> 批量启用</button>
+      批量删除</button>
-    <button class="layui-btn layui-btn-warm" id="btnBatchDisableApps"><i class="layui-icon layui-icon-close-fill"></i> 批量禁用</button>
+    <button class="layui-btn layui-btn-normal" id="btnBatchEnableApps"><i class="layui-icon layui-icon-ok-circle"></i>
+      批量启用</button>
+    <button class="layui-btn layui-btn-warm" id="btnBatchDisableApps"><i class="layui-icon layui-icon-close-fill"></i>
+      批量禁用</button>
   </div>
 
   <div class="layui-card" style="margin-top:12px">
@@ -58,7 +61,8 @@
       <div class="layui-form-item">
         <label class="layui-form-label" style="cursor: pointer;" data-tips="app-name">应用名称</label>
         <div class="layui-input-block">
-          <input type="text" name="name" placeholder="请输入应用名称" autocomplete="off" class="layui-input" lay-verify="required" />
+          <input type="text" name="name" placeholder="请输入应用名称" autocomplete="off" class="layui-input"
+            lay-verify="required" />
         </div>
       </div>
       <div class="layui-form-item">
@@ -119,7 +123,8 @@
         <div class="layui-inline">
           <label class="layui-form-label" style="cursor: pointer;" data-tips="clean-interval">清理间隔</label>
           <div class="layui-input-inline">
-            <input type="number" name="clean_interval" class="layui-input" placeholder="请输入" lay-verify="required|number" min="1">
+            <input type="number" name="clean_interval" class="layui-input" placeholder="请输入"
+              lay-verify="required|number" min="1">
           </div>
           <div class="layui-form-mid layui-text-em">小时</div>
         </div>
@@ -128,7 +133,8 @@
         <div class="layui-inline">
           <label class="layui-form-label" style="cursor: pointer;" data-tips="check-interval">校验间隔</label>
           <div class="layui-input-inline">
-            <input type="number" name="check_interval" class="layui-input" placeholder="请输入" lay-verify="required|number" min="1">
+            <input type="number" name="check_interval" class="layui-input" placeholder="请输入"
+              lay-verify="required|number" min="1">
           </div>
           <div class="layui-form-mid layui-text-em">分钟</div>
         </div>
@@ -136,7 +142,8 @@
       <div class="layui-form-item">
         <label class="layui-form-label" style="cursor: pointer;" data-tips="multi-open-count">多开数量</label>
         <div class="layui-input-block">
-          <input type="number" name="multi_open_count" class="layui-input" placeholder="请输入允许的多开数量" lay-verify="required|number" min="1">
+          <input type="number" name="multi_open_count" class="layui-input" placeholder="请输入允许的多开数量"
+            lay-verify="required|number" min="1">
         </div>
       </div>
     </form>
@@ -173,19 +180,22 @@
       <div class="layui-form-item">
         <label class="layui-form-label" style="cursor: pointer;" data-tips="machine-free-count">免费次数</label>
         <div class="layui-input-block">
-          <input type="number" name="machine_free_count" class="layui-input" placeholder="请输入" lay-verify="number" min="0">
+          <input type="number" name="machine_free_count" class="layui-input" placeholder="请输入" lay-verify="number"
+            min="0">
         </div>
       </div>
       <div class="layui-form-item">
         <label class="layui-form-label" style="cursor: pointer;" data-tips="machine-rebind-count">重绑次数</label>
         <div class="layui-input-block">
-          <input type="number" name="machine_rebind_count" class="layui-input" placeholder="请输入" lay-verify="number" min="0">
+          <input type="number" name="machine_rebind_count" class="layui-input" placeholder="请输入" lay-verify="number"
+            min="0">
         </div>
       </div>
       <div class="layui-form-item">
         <label class="layui-form-label" style="cursor: pointer;" data-tips="machine-rebind-deduct">重绑扣除</label>
         <div class="layui-input-block">
-          <input type="number" name="machine_rebind_deduct" class="layui-input" placeholder="请输入重绑扣除时间（分钟）" lay-verify="number" min="0">
+          <input type="number" name="machine_rebind_deduct" class="layui-input" placeholder="请输入重绑扣除时间（分钟）"
+            lay-verify="number" min="0">
         </div>
       </div>
 
@@ -231,7 +241,8 @@
       <div class="layui-form-item">
         <label class="layui-form-label" style="cursor: pointer;" data-tips="ip-rebind-deduct">重绑扣除</label>
         <div class="layui-input-block">
-          <input type="number" name="ip_rebind_deduct" class="layui-input" placeholder="请输入重绑扣除时间（分钟）" lay-verify="number" min="0">
+          <input type="number" name="ip_rebind_deduct" class="layui-input" placeholder="请输入重绑扣除时间（分钟）"
+            lay-verify="number" min="0">
         </div>
       </div>
     </form>
@@ -268,7 +279,8 @@
       <div class="layui-form-item">
         <label class="layui-form-label" style="cursor: pointer;" data-tips="register-count">注册次数</label>
         <div class="layui-input-block">
-          <input type="number" name="register_count" class="layui-input" placeholder="请输入" lay-verify="required|number" min="1">
+          <input type="number" name="register_count" class="layui-input" placeholder="请输入" lay-verify="required|number"
+            min="1">
         </div>
       </div>
 
@@ -293,7 +305,8 @@
       <div class="layui-form-item">
         <label class="layui-form-label" style="cursor: pointer;" data-tips="trial-time">试用时间</label>
         <div class="layui-input-block">
-          <input type="number" name="trial_duration" class="layui-input" placeholder="请输入试用时间（分钟）" lay-verify="number" min="0">
+          <input type="number" name="trial_duration" class="layui-input" placeholder="请输入试用时间（分钟）" lay-verify="number"
+            min="0">
         </div>
       </div>
     </form>

web/template/admin/dashboard.html

@@ -38,9 +38,6 @@
     </div>
   </div>
 </section>
-
-
-
 <script>
   // 仪表盘统计脚本（采用箭头函数与中文注释）
   layui.use(['layer', 'util'], function () {
@@ -66,8 +63,6 @@ layui.use(['layer', 'util'], function(){
       }
     };
 
-
-
     // 函数：刷新基本信息和运行状态
     // 说明：请求后台获取最新的系统信息并更新页面显示
     const refreshSystemInfo = () => {

web/template/admin/layout.html

@@ -1,5 +1,6 @@
 <!DOCTYPE html>
 <html>
+
 <head>
   <meta charset="utf-8" />
   <meta name="viewport" content="width=device-width" />
@@ -70,4 +71,5 @@
   </div>
   <script type="module" src="./static/js/admin.js"></script>
 </body>
+
 </html>

web/template/admin/login.html

@@ -1,6 +1,7 @@
 {{/* 管理员登录页面模板：使用layui构建的登录界面 */}}
 <!DOCTYPE html>
 <html>
+
 <head>
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
@@ -21,6 +22,7 @@
             align-items: center;
             justify-content: center;
         }
+
         .demo-login-container {
             width: 400px;
             margin: 21px auto 0;
@@ -29,22 +31,26 @@
             box-shadow: 0 15px 35px rgba(0, 0, 0, 0.1);
             overflow: hidden;
         }
+
         .login-header {
             background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
             padding: 30px 20px;
             text-align: center;
             color: #fff;
         }
+
         .login-header h1 {
             margin: 0;
             font-size: 24px;
             font-weight: 300;
         }
+
         .login-header p {
             margin: 8px 0 0;
             opacity: 0.8;
             font-size: 14px;
         }
+
         .login-form {
             padding: 30px 20px;
         }
@@ -58,6 +64,7 @@
         .login-form .layui-form-item:last-child {
             margin-bottom: 0;
         }
+
         .demo-login-other .layui-icon {
             position: relative;
             display: inline-block;
@@ -65,6 +72,7 @@
             top: 2px;
             font-size: 26px;
         }
+
         .login-footer {
             text-align: center;
             padding: 20px;
@@ -80,12 +88,15 @@
                 margin: 10px auto;
                 border-radius: 4px;
             }
+
             .login-header {
                 padding: 25px 15px;
             }
+
             .login-header h1 {
                 font-size: 20px;
             }
+
             .login-form {
                 padding: 25px 15px;
             }
@@ -105,12 +116,15 @@
                 display: flex;
                 flex-direction: column;
             }
+
             .login-header {
                 padding: 20px 15px;
             }
+
             .login-header h1 {
                 font-size: 18px;
             }
+
             .login-form {
                 padding: 20px 15px;
             }
@@ -126,6 +140,7 @@
         }
     </style>
 </head>
+
 <body>
     <form class="layui-form">
         <div class="demo-login-container">
@@ -135,12 +150,16 @@
             </div>
 
             <div class="login-form">
+                <!-- CSRF令牌隐藏字段 -->
+                <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}" id="csrf-token">
+                
                 <div class="layui-form-item">
                     <div class="layui-input-wrap">
                         <div class="layui-input-prefix">
                             <i class="layui-icon layui-icon-username"></i>
                         </div>
-                        <input type="text" name="username" value="" lay-verify="required" placeholder="用户名" lay-reqtext="请填写用户名" autocomplete="off" class="layui-input" lay-affix="clear">
+                        <input type="text" name="username" value="" lay-verify="required" placeholder="用户名"
+                            lay-reqtext="请填写用户名" autocomplete="off" class="layui-input" lay-affix="clear">
                     </div>
                 </div>
 
@@ -149,7 +168,8 @@
                         <div class="layui-input-prefix">
                             <i class="layui-icon layui-icon-password"></i>
                         </div>
-                        <input type="password" name="password" value="" lay-verify="required" placeholder="密   码" lay-reqtext="请填写密码" autocomplete="off" class="layui-input" lay-affix="eye">
+                        <input type="password" name="password" value="" lay-verify="required" placeholder="密   码"
+                            lay-reqtext="请填写密码" autocomplete="off" class="layui-input" lay-affix="eye">
                     </div>
                 </div>
 
@@ -160,12 +180,16 @@
                                 <div class="layui-input-prefix">
                                     <i class="layui-icon layui-icon-vercode"></i>
                                 </div>
-                                <input type="text" name="captcha" value="" lay-verify="required" placeholder="验证码" lay-reqtext="请填写验证码" autocomplete="off" class="layui-input" lay-affix="clear">
+                                <input type="text" name="captcha" value="" lay-verify="required" placeholder="验证码"
+                                    lay-reqtext="请填写验证码" autocomplete="off" class="layui-input" lay-affix="clear">
                             </div>
                         </div>
                         <div class="layui-col-xs5">
                             <div style="margin-left: 5px; text-align: right;">
-                                <img id="captcha-img" src="/admin/captcha" onclick="this.src='/admin/captcha?t='+ new Date().getTime();" style="cursor: pointer; height: 38px; border-radius: 4px; width: 100%;" title="点击刷新验证码">
+                                <img id="captcha-img" src="/admin/captcha"
+                                    onclick="this.src='/admin/captcha?t='+ new Date().getTime();"
+                                    style="cursor: pointer; height: 38px; border-radius: 4px; width: 100%;"
+                                    title="点击刷新验证码">
                             </div>
                         </div>
                     </div>
@@ -195,11 +219,15 @@
                     shade: [0.1, '#fff']
                 });
 
+                // 获取CSRF令牌
+                var csrfToken = document.getElementById('csrf-token').value;
+
                 // 发送登录请求
                 fetch('/admin/login', {
                     method: 'POST',
                     headers: {
                         'Content-Type': 'application/json',
+                        'X-CSRF-Token': csrfToken
                     },
                     body: JSON.stringify(data.field)
                 })
@@ -239,4 +267,5 @@
         });
     </script>
 </body>
+
 </html>

web/template/admin/settings.html

@@ -1,7 +1,6 @@
 {{ define "settings.html" }}
 <section>
   <h2>系统设置</h2>
-  
   <!-- 基本信息设置 -->
   <div class="layui-card" style="margin-top: 16px;">
     <div class="layui-card-header">基本信息设置</div>
@@ -61,7 +60,8 @@
           <label class="layui-form-label" style="cursor: pointer;" data-tips="session-timeout">会话超时</label>
           <div class="layui-input-block">
             <div style="display: flex; align-items: center; gap: 10px;">
-              <input type="number" name="session_timeout" placeholder="3600" min="300" max="86400" class="layui-input" style="width: 120px;" />
+              <input type="number" name="session_timeout" placeholder="3600" min="300" max="86400" class="layui-input"
+                style="width: 120px;" />
               <span class="layui-form-mid">秒（300-86400秒）</span>
             </div>
           </div>
@@ -103,7 +103,8 @@
         <div class="layui-form-item">
           <label class="layui-form-label" style="cursor: pointer;" data-tips="psb-record-link">备案链接</label>
           <div class="layui-input-block">
-            <input type="url" name="psb_record_link" placeholder="http://www.beian.gov.cn/portal/registerSystemInfo" class="layui-input" />
+            <input type="url" name="psb_record_link" placeholder="http://www.beian.gov.cn/portal/registerSystemInfo"
+              class="layui-input" />
           </div>
         </div>
       </form>

web/template/admin/user.html

@@ -1,145 +1,24 @@
 {{ define "user.html" }}
-<style>
+<section>
-/* 基础模块样式 */
+  <h2>个人资料</h2>
-.user-module {
+  <div class="layui-tab layui-tab-brief" lay-filter="userTabs" style="margin-top: 16px;">
-  margin-bottom: 20px;
-}
-
-.user-module .layui-card-header {
-  font-weight: 600;
-  transition: background-color 0.3s ease, color 0.3s ease;
-}
-
-.module-tabs {
-  margin-bottom: 20px;
-}
-
-.module-tabs .layui-tab-title li {
-  font-weight: 500;
-}
-
-.readonly-field {
-  cursor: not-allowed !important;
-  transition: background-color 0.3s ease, color 0.3s ease;
-}
-
-/* 浅色模式样式 */
-:root {
-  --user-card-header-bg: #f8f9fa;
-  --user-card-header-color: #333;
-  --user-readonly-bg: #f5f5f5;
-  --user-readonly-color: #666;
-  --user-card-bg: #ffffff;
-  --user-card-border: #e6e6e6;
-  --user-input-bg: #ffffff;
-  --user-input-border: #d9d9d9;
-  --user-input-color: #333;
-}
-
-/* 深色模式样式 */
-@media (prefers-color-scheme: dark) {
-  :root {
-    --user-card-header-bg: #2f2f2f;
-    --user-card-header-color: #e6e6e6;
-    --user-readonly-bg: #3a3a3a;
-    --user-readonly-color: #999;
-    --user-card-bg: #1f1f1f;
-    --user-card-border: #404040;
-    --user-input-bg: #2a2a2a;
-    --user-input-border: #404040;
-    --user-input-color: #e6e6e6;
-  }
-}
-
-/* 手动深色模式类 */
-.dark {
-  --user-card-header-bg: #2f2f2f;
-  --user-card-header-color: #e6e6e6;
-  --user-readonly-bg: #3a3a3a;
-  --user-readonly-color: #999;
-  --user-card-bg: #1f1f1f;
-  --user-card-border: #404040;
-  --user-input-bg: #2a2a2a;
-  --user-input-border: #404040;
-  --user-input-color: #e6e6e6;
-}
-
-/* 应用CSS变量到元素 */
-.user-module .layui-card-header {
-  background-color: var(--user-card-header-bg) !important;
-  color: var(--user-card-header-color) !important;
-}
-
-.readonly-field {
-  background-color: var(--user-readonly-bg) !important;
-  color: var(--user-readonly-color) !important;
-}
-
-.user-module .layui-card {
-  background-color: var(--user-card-bg);
-  border-color: var(--user-card-border);
-}
-
-.user-module .layui-input {
-  background-color: var(--user-input-bg);
-  border-color: var(--user-input-border);
-  color: var(--user-input-color);
-}
-
-/* 确保表单元素在深色模式下的可读性 */
-.user-module .layui-form-label {
-  color: var(--user-card-header-color);
-}
-
-/* 按钮在深色模式下的样式调整 */
-.user-module .layui-btn-primary {
-  background-color: var(--user-input-bg);
-  border-color: var(--user-input-border);
-  color: var(--user-input-color);
-}
-
-.user-module .layui-btn-primary:hover {
-  background-color: var(--user-readonly-bg);
-}
-
-/* 标签页在深色模式下的样式 */
-.module-tabs .layui-tab-title {
-  border-bottom-color: var(--user-card-border);
-}
-
-.module-tabs .layui-tab-title li {
-  color: var(--user-input-color);
-}
-
-.module-tabs .layui-tab-title .layui-this {
-  color: var(--lay-color-primary, #1e9fff);
-}
-
-/* 图标颜色适配 */
-.user-module .layui-icon {
-  color: var(--user-card-header-color);
-}
-</style>
-
-<div class="layui-tab layui-tab-brief module-tabs" lay-filter="userTabs">
     <ul class="layui-tab-title">
       <li class="layui-this">个人资料</li>
       <li>修改密码</li>
-    <li>修改用户名</li>
+      <li>修改用户名</li>d
     </ul>
     <div class="layui-tab-content">
       <!-- 个人资料模块 -->
       <div class="layui-tab-item layui-show">
-      <div class="layui-card user-module">
+        <div class="layui-card" style="margin-top: 16px;">
-        <div class="layui-card-header">
+          <div class="layui-card-header">个人资料</div>
-          <i class="layui-icon layui-icon-user"></i> 个人资料
-        </div>
           <div class="layui-card-body">
             <form class="layui-form" id="profileForm" lay-filter="profileForm">
               <div class="layui-form-item">
                 <label class="layui-form-label">UUID</label>
                 <div class="layui-input-block">
-                <input type="text" name="uuid" disabled readonly class="layui-input readonly-field" style="font-family: monospace; font-size: 12px;" />
+                  <input type="text" name="uuid" disabled readonly class="layui-input readonly-field"
+                    style="font-family: monospace; font-size: 12px;" />
                 </div>
               </div>
               <div class="layui-form-item">
@@ -167,28 +46,29 @@
 
       <!-- 修改密码模块 -->
       <div class="layui-tab-item">
-      <div class="layui-card user-module">
+        <div class="layui-card" style="margin-top: 16px;">
-        <div class="layui-card-header">
+          <div class="layui-card-header">修改密码</div>
-          <i class="layui-icon layui-icon-password"></i> 修改密码
-        </div>
           <div class="layui-card-body">
             <form class="layui-form" id="passwordForm" lay-filter="passwordForm" onsubmit="return false">
               <div class="layui-form-item">
                 <label class="layui-form-label">当前密码</label>
                 <div class="layui-input-block">
-                <input type="password" name="old_password" placeholder="请输入当前密码" autocomplete="off" class="layui-input" lay-verify="required" />
+                  <input type="password" name="old_password" placeholder="请输入当前密码" autocomplete="off"
+                    class="layui-input" lay-verify="required" />
                 </div>
               </div>
               <div class="layui-form-item">
                 <label class="layui-form-label">新密码</label>
                 <div class="layui-input-block">
-                <input type="password" name="new_password" placeholder="请输入新密码（至少6位）" autocomplete="off" class="layui-input" lay-verify="required" />
+                  <input type="password" name="new_password" placeholder="请输入新密码（至少6位）" autocomplete="off"
+                    class="layui-input" lay-verify="required" />
                 </div>
               </div>
               <div class="layui-form-item">
                 <label class="layui-form-label">确认密码</label>
                 <div class="layui-input-block">
-                <input type="password" name="confirm_password" placeholder="请再次输入新密码" autocomplete="off" class="layui-input" lay-verify="required" />
+                  <input type="password" name="confirm_password" placeholder="请再次输入新密码" autocomplete="off"
+                    class="layui-input" lay-verify="required" />
                 </div>
               </div>
               <div class="layui-form-item">
@@ -208,10 +88,8 @@
 
       <!-- 修改用户名模块 -->
       <div class="layui-tab-item">
-      <div class="layui-card user-module">
+        <div class="layui-card" style="margin-top: 16px;">
-        <div class="layui-card-header">
+          <div class="layui-card-header">修改用户名</div>
-          <i class="layui-icon layui-icon-edit"></i> 修改用户名
-        </div>
           <div class="layui-card-body">
             <form class="layui-form" id="usernameForm" lay-filter="usernameForm" onsubmit="return false">
               <div class="layui-form-item">
@@ -223,13 +101,15 @@
               <div class="layui-form-item">
                 <label class="layui-form-label">新用户名</label>
                 <div class="layui-input-block">
-                <input type="text" name="new_username" placeholder="请输入新用户名" autocomplete="off" class="layui-input" lay-verify="required" />
+                  <input type="text" name="new_username" placeholder="请输入新用户名" autocomplete="off" class="layui-input"
+                    lay-verify="required" />
                 </div>
               </div>
               <div class="layui-form-item">
                 <label class="layui-form-label">当前密码</label>
                 <div class="layui-input-block">
-                <input type="password" name="password" placeholder="请输入当前密码以确认身份" autocomplete="off" class="layui-input" lay-verify="required" />
+                  <input type="password" name="password" placeholder="请输入当前密码以确认身份" autocomplete="off"
+                    class="layui-input" lay-verify="required" />
                 </div>
               </div>
               <div class="layui-form-item">
@@ -430,8 +310,12 @@
                 // 重新加载个人资料
                 await loadProfile()
 
-            // 清空表单
+                // 清空表单（不显示重置提示）
-            UsernameModule.reset()
+                form.val('usernameForm', {
+                  new_username: '',
+                  password: '',
+                  current_username: userProfile?.username || ''
+                })
 
               } catch (e) {
                 layer.msg(e.message || '修改用户名失败', { icon: 2 })
@@ -469,4 +353,5 @@
       })
     })()
   </script>
+</section>
 {{ end }}

web/template/admin/variables.html

@@ -3,7 +3,8 @@
   <h2>变量管理</h2>
   <div class="layui-btn-container" style="margin:12px 0">
     <button class="layui-btn" id="btnAddVariable"><i class="layui-icon layui-icon-add-1"></i> 新增变量</button>
-    <button class="layui-btn layui-btn-danger" id="btnBatchDeleteVariables"><i class="layui-icon layui-icon-delete"></i> 批量删除</button>
+    <button class="layui-btn layui-btn-danger" id="btnBatchDeleteVariables"><i class="layui-icon layui-icon-delete"></i>
+      批量删除</button>
   </div>
 
   <div class="layui-card" style="margin-top:12px">
@@ -62,7 +63,8 @@
       <div class="layui-form-item">
         <label class="layui-form-label">变量别名</label>
         <div class="layui-input-block">
-          <input type="text" name="alias" lay-verify="required|alias" placeholder="请输入变量别名（英文开头，只能包含数字和英文字母）" autocomplete="off" class="layui-input" />
+          <input type="text" name="alias" lay-verify="required|alias" placeholder="请输入变量别名（英文开头，只能包含数字和英文字母）"
+            autocomplete="off" class="layui-input" />
         </div>
       </div>
       <div class="layui-form-item">

web/template/index.html

@@ -1,5 +1,6 @@
 <!DOCTYPE html>
 <html lang="zh-cn">
+
 <head>
     <title>{{.SystemName}} - 生活就像愤怒的小鸟，失败后总有几只猪在笑。</title>
     <!-- 站 点 协 议 -->
@@ -19,7 +20,8 @@
     <!-- 样 式 文 件 -->
     <link rel="stylesheet" href="//lib.baomitu.com/layui/2.8.17/css/layui.css" />
     <style>
-        html, body {
+        html,
+        body {
             width: 100%;
             height: 100%;
             overflow: hidden;
@@ -69,6 +71,7 @@
             from {
                 text-shadow: 0 0 20px rgba(0, 212, 255, 0.5);
             }
+
             to {
                 text-shadow: 0 0 30px rgba(0, 212, 255, 0.8), 0 0 40px rgba(0, 212, 255, 0.6);
             }
@@ -100,8 +103,13 @@
         }
 
         @keyframes shimmer {
-            0% { left: -100%; }
+            0% {
-            100% { left: 100%; }
+                left: -100%;
+            }
+
+            100% {
+                left: 100%;
+            }
         }
 
         .box-form .layui-form-item {
@@ -119,8 +127,15 @@
         }
 
         @keyframes pulse {
-            0%, 100% { opacity: 1; }
+
-            50% { opacity: 0.7; }
+            0%,
+            100% {
+                opacity: 1;
+            }
+
+            50% {
+                opacity: 0.7;
+            }
         }
 
         .info-text {
@@ -174,6 +189,7 @@
         }
     </style>
 </head>
+
 <body>
     <!-- 代 码 结 构 -->
     <div class="layui-container">
@@ -192,7 +208,9 @@
                 </div>
             </div>
             <div class="body_footer">{{.FooterText}}</div>
-        {{if or .ICPRecord .PSBRecord}}<div class="body_beian">{{if .ICPRecord}}<a href="{{.ICPRecordLink}}" target="_blank">{{.ICPRecord}}</a>{{end}}{{if and .ICPRecord .PSBRecord}} {{end}}{{if .PSBRecord}}<a href="{{.PSBRecordLink}}" target="_blank">{{.PSBRecord}}</a>{{end}}</div>{{end}}
+            {{if or .ICPRecord .PSBRecord}}<div class="body_beian">{{if .ICPRecord}}<a href="{{.ICPRecordLink}}"
+                    target="_blank">{{.ICPRecord}}</a>{{end}}{{if and .ICPRecord .PSBRecord}} {{end}}{{if .PSBRecord}}<a
+                    href="{{.PSBRecordLink}}" target="_blank">{{.PSBRecord}}</a>{{end}}</div>{{end}}
         </div>
     </div>
     <!--  资 源 引 入 -->
@@ -363,4 +381,5 @@
         animate();
     </script>
 </body>
+
 </html>