fix(miniprogram): 小程序审计修复 — 安全加固+功能链路+输入验证

安全修复:
- H1: Token 刷新竞态条件 → Singleton Promise 模式防止并发刷新
- H4: 移除 store 中的 token 明文状态，统一走 secure storage
- H5: 登录/绑定手机号添加 loading 防重复点击保护
- H6: Analytics 改用 request.ts 统一请求层，不再绕过认证
- M1: logout 清理所有残留数据(openid/tenant_id/analytics_queue)
- M2/M7: 敏感数据(user/openid/tenant_id)统一走加密存储
- M3: 移除开发日志中的请求体打印
- M4: secure-storage 解密失败返回 null 而非空串

功能修复:
- F1: 今日体征概览 API 支持 patient_id 查询参数(后端+前端)
- F2: 积分商城对无患者档案用户展示引导 UI
- M6: daily-monitoring 添加 Zod 数值范围验证

清理:
- L4: 移除 devLogin 开发辅助函数

apps/miniprogram/src/stores/auth.ts

@@ -10,8 +10,6 @@ interface BindPhoneResp {
 }
 
 interface AuthState {
-  token: string | null;
-  refreshToken: string | null;
   user: { id: string; username: string; display_name?: string; phone?: string; tenant_id?: string } | null;
   roles: string[];
   currentPatient: authApi.PatientInfo | null;
@@ -25,11 +23,10 @@ interface AuthState {
   logout: () => void;
   restore: () => void;
   isMedicalStaff: () => boolean;
+  hasPatientProfile: () => boolean;
 }
 
 export const useAuthStore = create<AuthState>((set, get) => ({
-  token: null,
-  refreshToken: null,
   user: null,
   roles: [],
   currentPatient: null,
@@ -41,31 +38,36 @@ export const useAuthStore = create<AuthState>((set, get) => ({
     return roles.some((r) => r === 'doctor' || r === 'nurse' || r === 'admin');
   },
 
+  hasPatientProfile: () => {
+    return !!get().currentPatient;
+  },
+
   restore: () => {
-    const token = secureGet('access_token') || null;
-    const refreshToken = secureGet('refresh_token') || null;
     const user = Taro.getStorageSync('user') || null;
     const roles = Taro.getStorageSync('user_roles') || [];
     const currentPatient = Taro.getStorageSync('current_patient') || null;
-    set({ token, refreshToken, user, roles, currentPatient });
+    set({ user, roles, currentPatient });
   },
 
   login: async (code: string) => {
+    if (get().loading) return false;
     set({ loading: true });
     try {
       const resp = await authApi.wechatLogin(code);
       if (resp.bound && resp.token) {
         const { access_token, refresh_token, user } = resp.token;
-        const roles = (resp as any).roles?.map((r: any) => r.code || r.name || r) || [];
+        const roles = (resp as Record<string, unknown>).roles instanceof Array
+          ? ((resp as Record<string, unknown>).roles as Array<Record<string, string>>).map((r) => r.code || r.name || String(r))
+          : [];
         secureSet('access_token', access_token);
         secureSet('refresh_token', refresh_token);
-        Taro.setStorageSync('user', user);
-        Taro.setStorageSync('user_roles', roles);
-        Taro.setStorageSync('tenant_id', (user as any).tenant_id || '');
-        set({ token: access_token, refreshToken: refresh_token, user, roles, loading: false });
+        secureSet('user_data', JSON.stringify(user));
+        secureSet('user_roles', JSON.stringify(roles));
+        secureSet('tenant_id', user.tenant_id || '');
+        set({ user, roles, loading: false });
         return true;
       }
-      Taro.setStorageSync('wechat_openid', resp.openid);
+      secureSet('wechat_openid', resp.openid);
       set({ loading: false });
       return false;
     } catch {
@@ -75,23 +77,26 @@ export const useAuthStore = create<AuthState>((set, get) => ({
   },
 
   bindPhone: async (encryptedData: string, iv: string) => {
+    if (get().loading) return false;
     set({ loading: true });
     try {
-      const openid = Taro.getStorageSync('wechat_openid') || '';
+      const openid = secureGet('wechat_openid') || '';
       if (!openid) {
         set({ loading: false });
         return false;
       }
-      const resp = await authApi.wechatBindPhone(openid, encryptedData, iv) as any;
-      const { access_token, refresh_token, user } = resp;
-      const roles = resp.roles?.map((r: any) => r.code || r.name || r) || [];
-      secureSet('access_token', access_token);
-      secureSet('refresh_token', refresh_token);
-      Taro.setStorageSync('user', user);
-      Taro.setStorageSync('user_roles', roles);
-      Taro.setStorageSync('tenant_id', user.tenant_id || '');
-      Taro.removeStorageSync('wechat_openid');
-      set({ token: access_token, refreshToken: refresh_token, user, roles, loading: false });
+      const resp = await authApi.wechatBindPhone(openid, encryptedData, iv) as Record<string, unknown>;
+      const tokenData = resp as { access_token: string; refresh_token: string; user: AuthState['user'] };
+      const roles = resp.roles instanceof Array
+        ? (resp.roles as Array<Record<string, string>>).map((r) => r.code || r.name || String(r))
+        : [];
+      secureSet('access_token', tokenData.access_token);
+      secureSet('refresh_token', tokenData.refresh_token);
+      secureSet('user_data', JSON.stringify(tokenData.user));
+      secureSet('user_roles', JSON.stringify(roles));
+      secureSet('tenant_id', tokenData.user?.tenant_id || '');
+      secureRemove('wechat_openid');
+      set({ user: tokenData.user, roles, loading: false });
       return true;
     } catch {
       set({ loading: false });
@@ -113,18 +118,22 @@ export const useAuthStore = create<AuthState>((set, get) => ({
         get().setCurrentPatient(patients[0]);
       }
     } catch {
-      // ignore
+      // 患者列表加载失败不阻塞流程
     }
   },
 
   logout: () => {
     secureRemove('access_token');
     secureRemove('refresh_token');
-    Taro.removeStorageSync('user');
-    Taro.removeStorageSync('user_roles');
+    secureRemove('user_data');
+    secureRemove('user_roles');
+    secureRemove('tenant_id');
+    secureRemove('wechat_openid');
     Taro.removeStorageSync('current_patient');
     Taro.removeStorageSync('current_patient_id');
-    set({ token: null, refreshToken: null, user: null, roles: [], currentPatient: null, patients: [] });
+    Taro.removeStorageSync('analytics_queue');
+    Taro.removeStorageSync('edit_patient');
+    set({ user: null, roles: [], currentPatient: null, patients: [] });
     Taro.redirectTo({ url: '/pages/login/index' });
   },
 }));