fix(middleware): 管理员JWT增加TokenVersion校验

管理员改密后旧JWT会被拒绝，并补充单元测试覆盖。
2026-02-07 16:28:19 +08:00
parent a9e256ce8c
commit 65c0d8b51f
4 changed files with 203 additions and 3 deletions
--- a/backend/internal/server/middleware/admin_auth.go
+++ b/backend/internal/server/middleware/admin_auth.go
@@ -176,6 +176,12 @@ func validateJWTForAdmin(
 		return false
 	}

+	// 校验 TokenVersion，确保管理员改密后旧 token 失效
+	if claims.TokenVersion != user.TokenVersion {
+		AbortWithError(c, 401, "TOKEN_REVOKED", "Token has been revoked (password changed)")
+		return false
+	}
+
 	// 检查管理员权限
 	if !user.IsAdmin() {
 		AbortWithError(c, 403, "FORBIDDEN", "Admin access required")