feat(security): Auth Token HttpOnly Cookie — XSS 安全加固

后端:
- axum-extra 启用 cookie feature
- login/register/refresh 设置 HttpOnly + Secure + SameSite=Strict cookies
- 新增 POST /api/v1/auth/logout 清除 cookies
- auth_middleware 支持 cookie 提取路径（fallback from header）
- CORS: 添加 allow_credentials(true) + COOKIE header

前端 (admin-v2):
- authStore: token 仅存内存，不再写 localStorage（account 保留）
- request.ts: 添加 withCredentials: true 发送 cookies
- 修复 refresh token rotation bug（之前不更新 stored refreshToken）
- logout 调用后端清除 cookie 端点

向后兼容: API 客户端仍可用 Authorization: Bearer header
Desktop (Ed25519 设备认证) 完全不受影响

crates/zclaw-saas/src/auth/mod.rs

@@ -103,9 +103,10 @@ fn extract_client_ip(req: &Request) -> Option<String> {
         .map(|s| s.to_string())
 }
 
-/// 认证中间件: 从 JWT 或 API Token 提取身份
+/// 认证中间件: 从 JWT Cookie / Authorization Header / API Token 提取身份
 pub async fn auth_middleware(
     State(state): State<AppState>,
+    jar: axum_extra::extract::cookie::CookieJar,
     mut req: Request,
     next: Next,
 ) -> Response {
@@ -114,25 +115,30 @@ pub async fn auth_middleware(
         .get(header::AUTHORIZATION)
         .and_then(|v| v.to_str().ok());
 
-    let result = if let Some(auth) = auth_header {
-        if let Some(token) = auth.strip_prefix("Bearer ") {
-            if token.starts_with("zclaw_") {
-                // API Token 路径
-                verify_api_token(&state, token, client_ip.clone()).await
-            } else {
-                // JWT 路径
-                let verify_result = jwt::verify_token(token, state.jwt_secret.expose_secret());
-                verify_result
-                    .map(|claims| AuthContext {
-                        account_id: claims.sub,
-                        role: claims.role,
-                        permissions: claims.permissions,
-                        client_ip,
-                    })
-                    .map_err(|_| SaasError::Unauthorized)
-            }
+    // 尝试从 Authorization header 提取 token
+    let header_token = auth_header.and_then(|auth| auth.strip_prefix("Bearer "));
+
+    // 尝试从 HttpOnly cookie 提取 token (仅当 header 不存在时)
+    let cookie_token = jar.get("zclaw_access_token").map(|c| c.value().to_string());
+
+    let token = header_token
+        .or(cookie_token.as_deref());
+
+    let result = if let Some(token) = token {
+        if token.starts_with("zclaw_") {
+            // API Token 路径
+            verify_api_token(&state, token, client_ip.clone()).await
         } else {
-            Err(SaasError::Unauthorized)
+            // JWT 路径
+            let verify_result = jwt::verify_token(token, state.jwt_secret.expose_secret());
+            verify_result
+                .map(|claims| AuthContext {
+                    account_id: claims.sub,
+                    role: claims.role,
+                    permissions: claims.permissions,
+                    client_ip,
+                })
+                .map_err(|_| SaasError::Unauthorized)
         }
     } else {
         Err(SaasError::Unauthorized)
@@ -155,6 +161,7 @@ pub fn routes() -> axum::Router<AppState> {
         .route("/api/v1/auth/register", post(handlers::register))
         .route("/api/v1/auth/login", post(handlers::login))
         .route("/api/v1/auth/refresh", post(handlers::refresh))
+        .route("/api/v1/auth/logout", post(handlers::logout))
 }
 
 /// 需要认证的路由