fix(miniprogram): 小程序审计修复 — 安全加固+功能链路+输入验证

安全修复:
- H1: Token 刷新竞态条件 → Singleton Promise 模式防止并发刷新
- H4: 移除 store 中的 token 明文状态，统一走 secure storage
- H5: 登录/绑定手机号添加 loading 防重复点击保护
- H6: Analytics 改用 request.ts 统一请求层，不再绕过认证
- M1: logout 清理所有残留数据(openid/tenant_id/analytics_queue)
- M2/M7: 敏感数据(user/openid/tenant_id)统一走加密存储
- M3: 移除开发日志中的请求体打印
- M4: secure-storage 解密失败返回 null 而非空串

功能修复:
- F1: 今日体征概览 API 支持 patient_id 查询参数(后端+前端)
- F2: 积分商城对无患者档案用户展示引导 UI
- M6: daily-monitoring 添加 Zod 数值范围验证

清理:
- L4: 移除 devLogin 开发辅助函数

apps/miniprogram/src/services/analytics.ts

@@ -1,4 +1,6 @@
 import Taro from '@tarojs/taro';
+import { api } from './request';
+import { secureGet } from '@/utils/secure-storage';
 
 type EventName =
   | 'page_view'
@@ -36,7 +38,11 @@ function setQueue(queue: AnalyticsEvent[]): void {
 }
 
 export function trackEvent(event: EventName | string, properties?: Record<string, unknown>): void {
-  const userId = Taro.getStorageSync('user')?.id;
+  let userId: string | undefined;
+  try {
+    const raw = secureGet('user_data');
+    userId = raw ? JSON.parse(raw).id : undefined;
+  } catch { /* ignore */ }
   const patientId = Taro.getStorageSync('current_patient_id');
 
   const evt: AnalyticsEvent = {
@@ -64,12 +70,7 @@ export async function flushEvents(): Promise<void> {
   setQueue([]);
 
   try {
-    const BASE_URL = process.env.TARO_APP_API_URL || 'http://localhost:3000/api/v1';
-    await Taro.request({
-      url: `${BASE_URL}/analytics/batch`,
-      method: 'POST',
-      data: { events: batch },
-    });
+    await api.post('/analytics/batch', { events: batch });
   } catch {
     // 发送失败，回填队列
     const current = getQueue();

apps/miniprogram/src/services/auth.ts

@@ -42,8 +42,3 @@ export async function wechatBindPhone(openid: string, encryptedData: string, iv:
 export async function getPatients() {
   return api.get<PatientInfo[]>('/health/patients');
 }
-
-/** 开发模式：用户名密码直登 */
-export async function devLogin(username: string, password: string) {
-  return api.post<LoginResp['token']>('/auth/login', { username, password });
-}

apps/miniprogram/src/services/health.ts

@@ -15,8 +15,10 @@ export interface TodaySummary {
   weight?: { value: number; status: string; reference_range?: string };
 }
 
-export async function getTodaySummary() {
-  return api.get<TodaySummary>('/health/vital-signs/today');
+export async function getTodaySummary(patientId?: string) {
+  const params: Record<string, string> = {};
+  if (patientId) params.patient_id = patientId;
+  return api.get<TodaySummary>('/health/vital-signs/today', params);
 }
 
 /**

apps/miniprogram/src/services/request.ts

@@ -16,12 +16,21 @@ async function getHeaders(): Promise<Record<string, string>> {
   if (token) headers['Authorization'] = `Bearer ${token}`;
   const patientId = Taro.getStorageSync('current_patient_id');
   if (patientId) headers['X-Patient-Id'] = patientId;
-  const tenantId = Taro.getStorageSync('tenant_id');
+  const tenantId = secureGet('tenant_id');
   if (tenantId) headers['X-Tenant-Id'] = tenantId;
   return headers;
 }
 
+let refreshPromise: Promise<boolean> | null = null;
+
 async function tryRefreshToken(): Promise<boolean> {
+  if (refreshPromise) return refreshPromise;
+  refreshPromise = doRefresh();
+  refreshPromise.finally(() => { refreshPromise = null; });
+  return refreshPromise;
+}
+
+async function doRefresh(): Promise<boolean> {
   const refreshToken = secureGet('refresh_token');
   if (!refreshToken) return false;
   try {
@@ -35,8 +44,8 @@ async function tryRefreshToken(): Promise<boolean> {
       secureSet('refresh_token', res.data.data.refresh_token);
       return true;
     }
-  } catch (err) {
-    console.error('[tryRefreshToken] token 刷新失败:', err);
+  } catch {
+    // token 刷新失败
   }
   secureRemove('access_token');
   secureRemove('refresh_token');
@@ -47,7 +56,7 @@ export async function request<T>(method: string, path: string, data?: unknown):
   const headers = await getHeaders();
   const url = `${BASE_URL}${path}`;
   if (IS_DEV) {
-    console.log(`[API] ${method} ${path}`, data ?? '');
+    console.log(`[API] ${method} ${path}`);
   }
   const res = await Taro.request({ url, method: method as any, data, header: headers, timeout: 30000 });
   if (IS_DEV) {