feat: add token-based API access (v0.6.0)

- Add Token GORM model with UserID/Name/Token/LastUsedAt/ExpiresAt fields
- Add TokenManager controller: List/Create/Delete/Verify operations
- Add token HTTP handlers: list, create, revoke
- Update AuthVerify to support Bearer token auth; API tokens use "ust_" prefix to distinguish from session tokens
- Add one-step file upload endpoint: PUT /api/v1/upload/:filename (returns {"status":200,"data":{"code":"..."}})
- Add token management routes: GET/POST/DELETE /api/token
- Add /self page: personal center with account info, token management table, and curl usage guide
- Add "个人中心 / API Token" nav link for users with token_manage permission

🤖 Generated with [Qoder][https://qoder.com]

internal/model/token.go

@@ -0,0 +1,19 @@
+package model
+
+import "time"
+
+// Token is a personal API token for programmatic file upload.
+// Token values are prefixed with "ust_" to distinguish them from session tokens.
+type Token struct {
+	ID         uint       `gorm:"primarykey" json:"id"`
+	UserID     uint       `gorm:"not null;index" json:"user_id"`
+	User       User       `gorm:"foreignKey:UserID" json:"-"`
+	Name       string     `gorm:"not null" json:"name"`
+	Token      string     `gorm:"uniqueIndex;not null" json:"-"`
+	CreatedAt  time.Time  `json:"created_at"`
+	LastUsedAt *time.Time `json:"last_used_at"`
+	ExpiresAt  *time.Time `json:"expires_at"`
+}
+
+// TokenPrefix is the prefix for all API token values.
+const TokenPrefix = "ust_"