fix(saas): P0 安全修复 + P1 功能补全 — 角色提升、Admin 引导、IP 记录、密码修改

P0 安全修复:
- 修复 account update 自角色提升漏洞: 非 admin 用户更新自己时剥离 role 字段
- 添加 Admin 引导机制: accounts 表为空时自动从环境变量创建 super_admin

P1 功能补全:
- 所有 17 个 log_operation 调用点传入真实客户端 IP (ConnectInfo + X-Forwarded-For)
- AuthContext 新增 client_ip 字段, middleware 层自动提取
- main.rs 使用 into_make_service_with_connect_info 启用 SocketAddr 注入
- 新增 PUT /api/v1/auth/password 密码修改端点 (验证旧密码 + argon2 哈希)
- 桌面端 SaaS 设置页添加密码修改 UI (折叠式表单)
- SaaSClient 添加 changePassword() 方法
- 集成测试修复: 注入模拟 ConnectInfo 适配 onshot 测试模式

crates/zclaw-saas/src/auth/handlers.rs

@@ -1,18 +1,20 @@
 //! 认证 HTTP 处理器
 
-use axum::{extract::State, http::StatusCode, Json};
+use axum::{extract::{State, ConnectInfo}, http::StatusCode, Json};
+use std::net::SocketAddr;
 use secrecy::ExposeSecret;
 use crate::state::AppState;
 use crate::error::{SaasError, SaasResult};
 use super::{
     jwt::create_token,
     password::{hash_password, verify_password},
-    types::{AuthContext, LoginRequest, LoginResponse, RegisterRequest, AccountPublic},
+    types::{AuthContext, LoginRequest, LoginResponse, RegisterRequest, ChangePasswordRequest, AccountPublic},
 };
 
 /// POST /api/v1/auth/register
 pub async fn register(
     State(state): State<AppState>,
+    ConnectInfo(addr): ConnectInfo<SocketAddr>,
     Json(req): Json<RegisterRequest>,
 ) -> SaasResult<(StatusCode, Json<AccountPublic>)> {
     if req.username.len() < 3 {
@@ -54,7 +56,8 @@ pub async fn register(
     .execute(&state.db)
     .await?;
 
-    log_operation(&state.db, &account_id, "account.create", "account", &account_id, None, None).await?;
+    let client_ip = addr.ip().to_string();
+    log_operation(&state.db, &account_id, "account.create", "account", &account_id, None, Some(&client_ip)).await?;
 
     Ok((StatusCode::CREATED, Json(AccountPublic {
         id: account_id,
@@ -71,6 +74,7 @@ pub async fn register(
 /// POST /api/v1/auth/login
 pub async fn login(
     State(state): State<AppState>,
+    ConnectInfo(addr): ConnectInfo<SocketAddr>,
     Json(req): Json<LoginRequest>,
 ) -> SaasResult<Json<LoginResponse>> {
     let row: Option<(String, String, String, String, String, String, bool, String)> =
@@ -112,7 +116,8 @@ pub async fn login(
     sqlx::query("UPDATE accounts SET last_login_at = ?1 WHERE id = ?2")
         .bind(&now).bind(&id)
         .execute(&state.db).await?;
-    log_operation(&state.db, &id, "account.login", "account", &id, None, None).await?;
+    let client_ip = addr.ip().to_string();
+    log_operation(&state.db, &id, "account.login", "account", &id, None, Some(&client_ip)).await?;
 
     Ok(Json(LoginResponse {
         token,
@@ -158,6 +163,45 @@ pub async fn me(
     }))
 }
 
+/// PUT /api/v1/auth/password — 修改密码
+pub async fn change_password(
+    State(state): State<AppState>,
+    axum::extract::Extension(ctx): axum::extract::Extension<AuthContext>,
+    Json(req): Json<ChangePasswordRequest>,
+) -> SaasResult<Json<serde_json::Value>> {
+    if req.new_password.len() < 8 {
+        return Err(SaasError::InvalidInput("新密码至少 8 个字符".into()));
+    }
+
+    // 获取当前密码哈希
+    let (password_hash,): (String,) = sqlx::query_as(
+        "SELECT password_hash FROM accounts WHERE id = ?1"
+    )
+    .bind(&ctx.account_id)
+    .fetch_one(&state.db)
+    .await?;
+
+    // 验证旧密码
+    if !verify_password(&req.old_password, &password_hash)? {
+        return Err(SaasError::AuthError("旧密码错误".into()));
+    }
+
+    // 更新密码
+    let new_hash = hash_password(&req.new_password)?;
+    let now = chrono::Utc::now().to_rfc3339();
+    sqlx::query("UPDATE accounts SET password_hash = ?1, updated_at = ?2 WHERE id = ?3")
+        .bind(&new_hash)
+        .bind(&now)
+        .bind(&ctx.account_id)
+        .execute(&state.db)
+        .await?;
+
+    log_operation(&state.db, &ctx.account_id, "account.change_password", "account", &ctx.account_id,
+        None, ctx.client_ip.as_deref()).await?;
+
+    Ok(Json(serde_json::json!({"ok": true, "message": "密码修改成功"})))
+}
+
 pub(crate) async fn get_role_permissions(db: &sqlx::SqlitePool, role: &str) -> SaasResult<Vec<String>> {
     let row: Option<(String,)> = sqlx::query_as(
         "SELECT permissions FROM roles WHERE id = ?1"

crates/zclaw-saas/src/auth/mod.rs

@@ -10,16 +10,18 @@ use axum::{
     http::header,
     middleware::Next,
     response::{IntoResponse, Response},
+    extract::ConnectInfo,
 };
 use secrecy::ExposeSecret;
 use crate::error::SaasError;
 use crate::state::AppState;
 use types::AuthContext;
+use std::net::SocketAddr;
 
 /// 通过 API Token 验证身份
 ///
 /// 流程: SHA-256 哈希 → 查 api_tokens 表 → 检查有效期 → 获取关联账号角色权限 → 更新 last_used_at
-async fn verify_api_token(state: &AppState, raw_token: &str) -> Result<AuthContext, SaasError> {
+async fn verify_api_token(state: &AppState, raw_token: &str, client_ip: Option<String>) -> Result<AuthContext, SaasError> {
     use sha2::{Sha256, Digest};
 
     let token_hash = hex::encode(Sha256::digest(raw_token.as_bytes()));
@@ -77,15 +79,36 @@ async fn verify_api_token(state: &AppState, raw_token: &str) -> Result<AuthConte
         account_id,
         role,
         permissions,
+        client_ip,
     })
 }
 
+/// 从请求中提取客户端 IP
+fn extract_client_ip(req: &Request) -> Option<String> {
+    // 优先从 ConnectInfo 获取
+    if let Some(ConnectInfo(addr)) = req.extensions().get::<ConnectInfo<SocketAddr>>() {
+        return Some(addr.ip().to_string());
+    }
+    // 回退到 X-Forwarded-For / X-Real-IP
+    if let Some(forwarded) = req.headers()
+        .get("x-forwarded-for")
+        .and_then(|v| v.to_str().ok())
+    {
+        return Some(forwarded.split(',').next()?.trim().to_string());
+    }
+    req.headers()
+        .get("x-real-ip")
+        .and_then(|v| v.to_str().ok())
+        .map(|s| s.to_string())
+}
+
 /// 认证中间件: 从 JWT 或 API Token 提取身份
 pub async fn auth_middleware(
     State(state): State<AppState>,
     mut req: Request,
     next: Next,
 ) -> Response {
+    let client_ip = extract_client_ip(&req);
     let auth_header = req.headers()
         .get(header::AUTHORIZATION)
         .and_then(|v| v.to_str().ok());
@@ -94,7 +117,7 @@ pub async fn auth_middleware(
         if let Some(token) = auth.strip_prefix("Bearer ") {
             if token.starts_with("zclaw_") {
                 // API Token 路径
-                verify_api_token(&state, token).await
+                verify_api_token(&state, token, client_ip.clone()).await
             } else {
                 // JWT 路径
                 jwt::verify_token(token, state.jwt_secret.expose_secret())
@@ -102,6 +125,7 @@ pub async fn auth_middleware(
                         account_id: claims.sub,
                         role: claims.role,
                         permissions: claims.permissions,
+                        client_ip,
                     })
                     .map_err(|_| SaasError::Unauthorized)
             }
@@ -132,9 +156,10 @@ pub fn routes() -> axum::Router<AppState> {
 
 /// 需要认证的路由
 pub fn protected_routes() -> axum::Router<AppState> {
-    use axum::routing::{get, post};
+    use axum::routing::{get, post, put};
 
     axum::Router::new()
         .route("/api/v1/auth/refresh", post(handlers::refresh))
         .route("/api/v1/auth/me", get(handlers::me))
+        .route("/api/v1/auth/password", put(handlers::change_password))
 }

crates/zclaw-saas/src/auth/types.rs

@@ -26,6 +26,13 @@ pub struct RegisterRequest {
     pub display_name: Option<String>,
 }
 
+/// 修改密码请求
+#[derive(Debug, Deserialize)]
+pub struct ChangePasswordRequest {
+    pub old_password: String,
+    pub new_password: String,
+}
+
 /// 公开账号信息 (无敏感数据)
 #[derive(Debug, Clone, Serialize)]
 pub struct AccountPublic {
@@ -45,4 +52,5 @@ pub struct AuthContext {
     pub account_id: String,
     pub role: String,
     pub permissions: Vec<String>,
+    pub client_ip: Option<String>,
 }