feat: add user management system with roles and permissions

- Introduce SQLite persistence via GORM (stored at <data>/.ushare.db)
- Add Role model with two built-in roles: admin (all perms) and user (upload only)
- Add three permissions: user_manage, upload, token_manage (reserved)
- Rewrite UserManager: DB-backed login with in-memory session tokens
- Auto-seed default roles and admin user on first startup
- Add AuthPermission middleware for fine-grained permission checks
- Add /api/uauth/me endpoint for current session info
- Add /api/admin/* CRUD routes for user and role management
- Add admin console page (/admin) with user table and role permissions view
- Show admin console link in share page for users with user_manage permission

🤖 Generated with [Qoder][https://qoder.com]

internal/controller/user.go

@@ -2,75 +2,149 @@ package controller
 
 import (
 	"context"
-	"github.com/loveuer/ushare/internal/model"
-	"github.com/loveuer/ushare/internal/opt"
-	"github.com/loveuer/ushare/internal/pkg/tool"
-	"github.com/pkg/errors"
+	"strings"
 	"sync"
 	"time"
+
+	"github.com/loveuer/nf/nft/log"
+	"github.com/loveuer/ushare/internal/model"
+	"github.com/loveuer/ushare/internal/opt"
+	"github.com/loveuer/ushare/internal/pkg/db"
+	"github.com/loveuer/ushare/internal/pkg/tool"
+	"github.com/pkg/errors"
 )
 
 type userManager struct {
 	sync.Mutex
-	ctx context.Context
-	um  map[string]*model.User
+	ctx      context.Context
+	sessions map[string]*model.Session
 }
 
-func (um *userManager) Login(username string, password string) (*model.User, error) {
-	var (
-		now = time.Now()
-	)
+var UserManager = &userManager{
+	sessions: make(map[string]*model.Session),
+}
 
-	if username != opt.Cfg.Username {
-		return nil, errors.New("账号或密码错误")
+func (um *userManager) seed(ctx context.Context) error {
+	// Seed default roles if they don't exist
+	defaultRoles := []model.Role{
+		{
+			Name:        model.RoleAdmin,
+			Label:       "管理员",
+			Permissions: strings.Join([]string{model.PermUserManage, model.PermUpload, model.PermTokenManage}, ","),
+		},
+		{
+			Name:        model.RoleUser,
+			Label:       "用户",
+			Permissions: model.PermUpload,
+		},
 	}
 
-	if !tool.ComparePassword(password, opt.Cfg.Password) {
-		return nil, errors.New("账号或密码错误")
+	for i := range defaultRoles {
+		role := &defaultRoles[i]
+		var existing model.Role
+		if err := db.Default.Session(ctx).Where("name = ?", role.Name).First(&existing).Error; err != nil {
+			if err := db.Default.Session(ctx).Create(role).Error; err != nil {
+				return errors.Wrap(err, "seed role failed")
+			}
+			log.Debug("controller.userManager.seed: created role %s", role.Name)
+		}
 	}
 
-	op := &model.User{
-		Id:       1,
+	// Seed default admin user only if no users exist
+	var count int64
+	db.Default.Session(ctx).Model(&model.User{}).Count(&count)
+	if count > 0 {
+		return nil
+	}
+
+	var adminRole model.Role
+	if err := db.Default.Session(ctx).Where("name = ?", model.RoleAdmin).First(&adminRole).Error; err != nil {
+		return errors.Wrap(err, "get admin role failed")
+	}
+
+	username := opt.Cfg.Username
+	if username == "" {
+		username = "admin"
+	}
+
+	// opt.Cfg.Password is already hashed by opt.Init(); store it directly.
+	adminUser := &model.User{
 		Username: username,
-		LoginAt:  now.Unix(),
-		Token:    tool.RandomString(32),
+		Password: opt.Cfg.Password,
+		RoleID:   adminRole.ID,
+		Active:   true,
+	}
+
+	if err := db.Default.Session(ctx).Create(adminUser).Error; err != nil {
+		return errors.Wrap(err, "seed admin user failed")
+	}
+
+	log.Debug("controller.userManager.seed: created admin user %s", username)
+	return nil
+}
+
+func (um *userManager) Login(username, password string) (*model.Session, error) {
+	now := time.Now()
+
+	user := new(model.User)
+	if err := db.Default.Session().
+		Where("username = ? AND active = ?", username, true).
+		Preload("Role").
+		First(user).Error; err != nil {
+		return nil, errors.New("账号或密码错误")
+	}
+
+	if !tool.ComparePassword(password, user.Password) {
+		return nil, errors.New("账号或密码错误")
+	}
+
+	session := &model.Session{
+		UserID:      user.ID,
+		Username:    user.Username,
+		Role:        user.Role.Name,
+		RoleLabel:   user.Role.Label,
+		Permissions: user.Role.PermissionList(),
+		LoginAt:     now.Unix(),
+		Token:       tool.RandomString(32),
 	}
 
 	um.Lock()
 	defer um.Unlock()
-	um.um[op.Token] = op
+	um.sessions[session.Token] = session
 
-	return op, nil
+	return session, nil
 }
 
-func (um *userManager) Verify(token string) (*model.User, error) {
+func (um *userManager) Verify(token string) (*model.Session, error) {
 	um.Lock()
 	defer um.Unlock()
 
-	op, ok := um.um[token]
+	session, ok := um.sessions[token]
 	if !ok {
 		return nil, errors.New("未登录或凭证已失效, 请重新登录")
 	}
 
-	return op, nil
+	return session, nil
 }
 
 func (um *userManager) Start(ctx context.Context) {
 	um.ctx = ctx
 
+	if err := um.seed(ctx); err != nil {
+		log.Fatal("controller.userManager.Start: seed failed: %s", err.Error())
+	}
+
 	go func() {
-
 		ticker := time.NewTicker(time.Minute)
-
 		for {
 			select {
 			case <-um.ctx.Done():
 				return
 			case now := <-ticker.C:
 				um.Lock()
-				for _, op := range um.um {
-					if now.Sub(time.UnixMilli(op.LoginAt)) > 8*time.Hour {
-						delete(um.um, op.Token)
+				for token, session := range um.sessions {
+					if now.Unix()-session.LoginAt > 8*3600 {
+						delete(um.sessions, token)
 					}
 				}
 				um.Unlock()
@@ -78,9 +152,3 @@ func (um *userManager) Start(ctx context.Context) {
 		}
 	}()
 }
-
-var (
-	UserManager = &userManager{
-		um: make(map[string]*model.User),
-	}
-)