diff --git a/api/user/user.go b/api/user/user.go
index 6992b62..5585de5 100644
--- a/api/user/user.go
+++ b/api/user/user.go
@@ -78,9 +78,10 @@ var _ = Router.Patch("/:user_id", auth.Check("user", "user_id", auth.DoUpdate),
 
 type patchOpts struct {
 	ID       string  `json:"id"  parse:"path@user_id"`
-	Username *string `json:"username"  parse:"json"`
 	Nickname *string `json:"nickname"  parse:"json"`
 	Icon     *string `json:"icon"  parse:"json"`
+
+	Username *string `json:"username"  parse:"json"`
 	Email    *string `json:"email"  parse:"json"`
 	Phone    *string `json:"phone"  parse:"json"`
 	Status   *uint   `json:"status"  parse:"json"`
@@ -98,7 +99,7 @@ func userPatch(x *vigo.X) (any, error) {
 	if err != nil {
 		return nil, err
 	}
-	optsMap := make(map[string]interface{})
+	optsMap := make(map[string]any)
 	if opts.Username != nil {
 		optsMap["username"] = opts.Username
 	}
diff --git a/go.mod b/go.mod
index b1c1fe0..fecea93 100644
--- a/go.mod
+++ b/go.mod
@@ -8,23 +8,25 @@ replace github.com/vyes/vigo => ../vigo/
 
 require (
 	github.com/glebarez/sqlite v1.11.0
-	github.com/golang-jwt/jwt/v5 v5.2.2
+	github.com/golang-jwt/jwt/v5 v5.2.3
 	github.com/google/uuid v1.6.0
 	github.com/veypi/vyes-ui v0.0.0-00010101000000-000000000000
 	github.com/vyes/vigo v0.0.0-00010101000000-000000000000
-	gorm.io/driver/mysql v1.5.7
-	gorm.io/driver/postgres v1.5.11
-	gorm.io/gorm v1.30.0
+	golang.org/x/crypto v0.40.0
+	gorm.io/driver/mysql v1.6.0
+	gorm.io/driver/postgres v1.6.0
+	gorm.io/gorm v1.30.1
 )
 
 require (
+	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/glebarez/go-sqlite v1.21.2 // indirect
-	github.com/go-sql-driver/mysql v1.7.0 // indirect
+	github.com/go-sql-driver/mysql v1.8.1 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
-	github.com/jackc/pgx/v5 v5.5.5 // indirect
-	github.com/jackc/puddle/v2 v2.2.1 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/pgx/v5 v5.6.0 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/kr/text v0.2.0 // indirect
@@ -33,7 +35,6 @@ require (
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/rs/zerolog v1.34.0 // indirect
-	golang.org/x/crypto v0.40.0 // indirect
 	golang.org/x/net v0.42.0 // indirect
 	golang.org/x/sync v0.16.0 // indirect
 	golang.org/x/sys v0.34.0 // indirect
diff --git a/go.sum b/go.sum
index e3b939c..5640d3b 100644
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,5 @@
+filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
+filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -9,23 +11,23 @@ github.com/glebarez/go-sqlite v1.21.2 h1:3a6LFC4sKahUunAmynQKLZceZCOzUthkRkEAl9g
 github.com/glebarez/go-sqlite v1.21.2/go.mod h1:sfxdZyhQjTM2Wry3gVYWaW072Ri1WMdWJi0k6+3382k=
 github.com/glebarez/sqlite v1.11.0 h1:wSG0irqzP6VurnMEpFGer5Li19RpIRi2qvQz++w0GMw=
 github.com/glebarez/sqlite v1.11.0/go.mod h1:h8/o8j5wiAsqSPoWELDUdJXhjAhsVliSn7bWZjOhrgQ=
-github.com/go-sql-driver/mysql v1.7.0 h1:ueSltNNllEqE3qcWBTD0iQd3IpL/6U+mJxLkazJ7YPc=
-github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
+github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
+github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
-github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.3 h1:kkGXqQOBSDDWRhWNXTFpqGSCMyh/PLnqUvMGJPDJDs0=
+github.com/golang-jwt/jwt/v5 v5.2.3/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 h1:Xim43kblpZXfIBQsbuBVKCudVG457BR2GZFIz3uw3hQ=
 github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a h1:bbPeKD0xmW/Y25WS6cokEszi5g+S0QxI/d45PkRi7Nk=
-github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.5.5 h1:amBjrZVmksIdNjxGW/IiIMzxMKZFelXbUoPNb+8sjQw=
-github.com/jackc/pgx/v5 v5.5.5/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
-github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
-github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgx/v5 v5.6.0 h1:SWJzexBzPL5jb0GEsrPMLIsi/3jOo7RHlzTjcAeDrPY=
+github.com/jackc/pgx/v5 v5.6.0/go.mod h1:DNZ/vlrUnhWCoFGxHAG8U2ljioxukquj7utPDgtQdTw=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
@@ -55,8 +57,6 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/veypi/utils v0.4.2 h1:utIQwkLRDssddbAcZz2Q9xPm3nfANPKsD5lmIGBa7CA=
-github.com/veypi/utils v0.4.2/go.mod h1:GDeV3o1EE73dRrZ3cu/j97gPwXyzqtkWiM3D2I+e+6k=
 golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
 golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
 golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
@@ -78,13 +78,12 @@ gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYs
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-gorm.io/driver/mysql v1.5.7 h1:MndhOPYOfEp2rHKgkZIhJ16eVUIRf2HmzgoPmh7FCWo=
-gorm.io/driver/mysql v1.5.7/go.mod h1:sEtPWMiqiN1N1cMXoXmBbd8C6/l+TESwriotuRRpkDM=
-gorm.io/driver/postgres v1.5.11 h1:ubBVAfbKEUld/twyKZ0IYn9rSQh448EdelLYk9Mv314=
-gorm.io/driver/postgres v1.5.11/go.mod h1:DX3GReXH+3FPWGrrgffdvCk3DQ1dwDPdmbenSkweRGI=
-gorm.io/gorm v1.25.7/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
-gorm.io/gorm v1.30.0 h1:qbT5aPv1UH8gI99OsRlvDToLxW5zR7FzS9acZDOZcgs=
-gorm.io/gorm v1.30.0/go.mod h1:8Z33v652h4//uMA76KjeDH8mJXPm1QNCYrMeatR0DOE=
+gorm.io/driver/mysql v1.6.0 h1:eNbLmNTpPpTOVZi8MMxCi2aaIm0ZpInbORNXDwyLGvg=
+gorm.io/driver/mysql v1.6.0/go.mod h1:D/oCC2GWK3M/dqoLxnOlaNKmXz8WNTfcS9y5ovaSqKo=
+gorm.io/driver/postgres v1.6.0 h1:2dxzU8xJ+ivvqTRph34QX+WrRaJlmfyPqXmoGVjMBa4=
+gorm.io/driver/postgres v1.6.0/go.mod h1:vUw0mrGgrTK+uPHEhAdV4sfFELrByKVGnaVRkXDhtWo=
+gorm.io/gorm v1.30.1 h1:lSHg33jJTBxs2mgJRfRZeLDG+WZaHYCk3Wtfl6Ngzo4=
+gorm.io/gorm v1.30.1/go.mod h1:8Z33v652h4//uMA76KjeDH8mJXPm1QNCYrMeatR0DOE=
 modernc.org/libc v1.22.5 h1:91BNch/e5B0uPbJFgqbxXuOnxBQjlS//icfQEGmvyjE=
 modernc.org/libc v1.22.5/go.mod h1:jj+Z7dTNX8fBScMVNRAYZ/jF91K8fdT2hYMThc3YjBY=
 modernc.org/mathutil v1.5.0 h1:rV0Ko/6SfM+8G+yKiyI830l3Wuz1zRutdslNoQ0kfiQ=
diff --git a/init.go b/init.go
index 8c6cc26..a654e8e 100644
--- a/init.go
+++ b/init.go
@@ -11,6 +11,7 @@ import (
 	"github.com/veypi/OneAuth/api"
 	"github.com/veypi/vyes-ui"
 	"github.com/vyes/vigo"
+	"github.com/vyes/vigo/contrib/cors"
 	"github.com/vyes/vigo/contrib/vyes"
 )
 
@@ -22,5 +23,6 @@ var uifs embed.FS
 var (
 	_ = Router.Extend("v", vyesui.Router)
 	_ = Router.Extend("api", api.Router)
+	_ = Router.SubRouter("/*path").UseBefore(cors.AllowAny)
 	_ = vyes.WrapUI(Router, uifs)
 )
diff --git a/libs/auth/jwt.go b/libs/auth/jwt.go
index 9070f4e..7136439 100644
--- a/libs/auth/jwt.go
+++ b/libs/auth/jwt.go
@@ -15,10 +15,17 @@ import (
 
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/veypi/OneAuth/cfg"
-	"github.com/veypi/OneAuth/errs"
 	"github.com/vyes/vigo"
 )
 
+var (
+	AuthNotFound = vigo.NewError("auth not found").WithCode(40100)
+	AuthFailed   = vigo.NewError("auth failed").WithCode(40101)
+	AuthExpired  = vigo.NewError("auth expired").WithCode(40102)
+	AuthInvalid  = vigo.NewError("auth invalid").WithCode(40103)
+	AuthNoPerm   = vigo.NewError("auth no permission").WithCode(40104)
+)
+
 func GenJwt(claim *Claims) (string, error) {
 	return GenJwtWithKey(claim, cfg.Config.Key)
 }
@@ -31,20 +38,24 @@ func GenJwtWithKey(claim *Claims, key string) (string, error) {
 
 }
 
-func ParseJwt(tokenString string) (*Claims, error) {
+func ParseJwt(tokenString string, keys ...string) (*Claims, error) {
+	key := cfg.Config.Key
+	if len(keys) > 0 {
+		key = keys[0]
+	}
 	claims := &Claims{}
-	token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (interface{}, error) {
+	token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (any, error) {
 		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
 			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
 		}
-		return []byte(cfg.Config.Key), nil
+		return []byte(key), nil
 	})
 	if errors.Is(err, jwt.ErrTokenExpired) {
-		return nil, errs.AuthExpired
+		return nil, AuthExpired
 	}
 
 	if err != nil || !token.Valid {
-		return nil, errs.AuthInvalid
+		return nil, AuthInvalid
 	}
 	return claims, nil
 }
@@ -54,7 +65,7 @@ func checkJWT(x *vigo.X) (*Claims, error) {
 	if authHeader == "" {
 		authHeader = x.Request.URL.Query().Get("Authorization")
 		if authHeader == "" {
-			return nil, errs.AuthNotFound
+			return nil, AuthNotFound
 		}
 	}
 	// Token is typically in the format "Bearer <token>"
@@ -66,6 +77,7 @@ func checkJWT(x *vigo.X) (*Claims, error) {
 		return nil, err
 	}
 	x.Set("token", claims)
+	x.Set("uid", claims.UID)
 
 	return claims, nil
 }
@@ -86,7 +98,7 @@ func Check(target string, pid string, l AuthLevel) func(x *vigo.X) (any, error)
 			tid = x.Params.Get(pid)
 		}
 		if !claims.Access.Check(target, tid, l) {
-			// return nil, errs.AuthNoPerm
+			return nil, AuthNoPerm
 		}
 		return claims, nil
 	}
diff --git a/models/app.go b/models/app.go
index cdd00cc..ff68ca3 100644
--- a/models/app.go
+++ b/models/app.go
@@ -12,27 +12,27 @@ const AUSTATUS_REJECT = "reject"
 
 type App struct {
 	BaseModel
-	Name       string  `json:"name" methods:"post,*patch,*list" parse:"json"`
-	Icon       string  `json:"icon" methods:"post,*patch" parse:"json"`
-	Des        string  `json:"des" methods:"*post,*patch" parse:"json"`
-	Typ        string  `json:"typ" gorm:"default:public" methods:"post,*patch" parse:"json"`
-	Status     string  `json:"status" gorm:"default:ok" methods:"post,*patch" parse:"json"`
-	InitRoleID *string `json:"init_role_id" gorm:"index;type:varchar(32);default: null" methods:"*patch" parse:"json"`
+	Name       string  `json:"name"  parse:"json"`
+	Icon       string  `json:"icon"  parse:"json"`
+	Des        string  `json:"des"  parse:"json"`
+	Typ        string  `json:"typ" gorm:"default:public"  parse:"json"`
+	Status     string  `json:"status" gorm:"default:ok"  parse:"json"`
+	InitRoleID *string `json:"init_role_id" gorm:"index;type:varchar(32);default: null"  parse:"json"`
 	InitRole   *Role   `json:"init_role" gorm:"foreignKey:InitRoleID;references:ID"`
-	InitUrl    string  `json:"init_url" methods:"*patch" parse:"json"`
-	UserCount  uint    `json:"user_count"`
+	InitUrl    string  `json:"init_url"  parse:"json"`
+	UserCount  uint    `json:"user_count" default:"0"`
 	Key        string  `json:"-"`
 }
 
 type AppUser struct {
 	BaseModel
-	AppID string `json:"app_id" methods:"get,list,post,patch,delete" parse:"path"`
+	AppID string `json:"app_id"  parse:"path"`
 	App   *App   `json:"app" gorm:"foreignKey:AppID;references:ID"`
 
-	UserID string `json:"user_id" methods:"get,*list,post" parse:"json"`
+	UserID string `json:"user_id"  parse:"json"`
 	User   *User  `json:"user" gorm:"foreignKey:UserID;references:ID"`
 
-	Status string `json:"status" methods:"post,*patch,*list" parse:"json"`
+	Status string `json:"status"  parse:"json"`
 }
 
 func (m *AppUser) onOk(tx *gorm.DB) (err error) {
@@ -77,11 +77,11 @@ type Resource struct {
 
 type Role struct {
 	BaseModel
-	AppID     string    `json:"app_id" methods:"*list,post" parse:"path"`
+	AppID     string    `json:"app_id" parse:"path@app_id"`
 	App       *App      `json:"-" gorm:"foreignKey:AppID;references:ID"`
-	Name      string    `json:"name" methods:"post,*patch,*list" parse:"json"`
-	Des       string    `json:"des" methods:"post,*patch" parse:"json"`
-	UserCount uint      `json:"user_count"`
+	Name      string    `json:"name" parse:"json"`
+	Des       string    `json:"des" parse:"json"`
+	UserCount uint      `json:"user_count" default:"0"`
 	Access    []*Access `json:"-"`
 }
 
diff --git a/models/init.go b/models/init.go
index 92bfb27..d6c45d3 100644
--- a/models/init.go
+++ b/models/init.go
@@ -54,8 +54,7 @@ func InitDB() error {
 	logv.AssertError(cfg.DB().Where("id = ?", app.ID).Attrs(app).FirstOrCreate(app).Error)
 	initRole := map[string]map[string]uint{
 		"user": {"admin": 5, "normal": 1},
-		"app":  {"admin": 5, "normal": 2},
-		"fs":   {"admin": 5, "normal": 5},
+		"app":  {"admin": 5, "normal": 1},
 	}
 	adminID := ""
 	for r, roles := range initRole {
diff --git a/models/token.go b/models/token.go
index db9bd5f..65f54f8 100644
--- a/models/token.go
+++ b/models/token.go
@@ -7,12 +7,12 @@ import "time"
 // OverPerm 非oa应用获取oa数据的权限，由用户设定
 type Token struct {
 	BaseModel
-	UserID    string    `json:"user_id" gorm:"index;type:varchar(32)" methods:"*post,list" parse:"json"`
+	UserID    string    `json:"user_id" gorm:"index;type:varchar(32)"  parse:"json"`
 	User      *User     `json:"-"`
-	AppID     string    `json:"app_id" gorm:"index;type:varchar(32)" methods:"post,list" parse:"json"`
+	AppID     string    `json:"app_id" gorm:"index;type:varchar(32)"  parse:"json"`
 	App       *App      `json:"-"`
-	ExpiredAt time.Time `json:"expired_at" methods:"*post,*patch" parse:"json"`
-	OverPerm  string    `json:"over_perm" methods:"*post,*patch" parse:"json"`
-	Device    string    `json:"device" methods:"*post" parse:"json"`
+	ExpiredAt time.Time `json:"expired_at"  parse:"json"`
+	OverPerm  string    `json:"over_perm"  parse:"json"`
+	Device    string    `json:"device"  parse:"json"`
 	Ip        string    `json:"ip"`
 }
diff --git a/models/user.go b/models/user.go
index a29281f..1848347 100644
--- a/models/user.go
+++ b/models/user.go
@@ -9,17 +9,17 @@ import (
 // code 64 hex / 32 byte / 256 bit
 type User struct {
 	BaseModel
-	Username string `json:"username" gorm:"type:varchar(100);unique;default:not null" methods:" post,*patch,*list" parse:"json"`
-	Nickname string `json:"nickname" gorm:"type:varchar(100)" methods:"*post,*patch,*list" parse:"json"`
-	Icon     string `json:"icon" methods:"*post,*patch" parse:"json"`
+	Username string `json:"username" gorm:"type:varchar(100);unique;default:not null"  parse:"json"`
+	Nickname string `json:"nickname" gorm:"type:varchar(100)"  parse:"json"`
+	Icon     string `json:"icon"  parse:"json"`
 
-	Email string `json:"email" gorm:"unique;type:varchar(50);default:null" methods:"*post,*patch,*list" parse:"json"`
-	Phone string `json:"phone" gorm:"type:varchar(30);unique;default:null" methods:"*post,*patch,*list" parse:"json"`
+	Email string `json:"email" gorm:"unique;type:varchar(50);default:null"  parse:"json"`
+	Phone string `json:"phone" gorm:"type:varchar(30);unique;default:null"  parse:"json"`
 
-	Status uint `json:"status" methods:"*patch,*list" parse:"json"`
+	Status uint `json:"status"  parse:"json"`
 
 	Salt string `json:"-" gorm:"type:varchar(32)"`
-	Code string `json:"-" gorm:"type:varchar(64)" methods:"post" parse:"json"`
+	Code string `json:"-" gorm:"type:varchar(64)"  parse:"json"`
 }
 
 type UserRole struct {
diff --git a/ui/assets/common.css b/ui/assets/common.css
index b86d577..ad99145 100644
--- a/ui/assets/common.css
+++ b/ui/assets/common.css
@@ -1,6 +1,6 @@
  :root {
    /* 颜色 */
-   --color-primary: #4361ee;
+   --color-primary: #92a5ff;
    --color-secondary: #3f37c9;
    --color-success: #28a745;
    --color-danger: #dc3545;
diff --git a/ui/env.js b/ui/env.js
index d094067..79cc7b6 100644
--- a/ui/env.js
+++ b/ui/env.js
@@ -5,8 +5,8 @@ export default ($env) => {
   console.log($env, $vyes.root)
   token.setBaseUrl($env.root)
   token.wrapAxios($env.$axios)
-  $env.$global.token = token
-  $env.$global.user = token.body()
+  $env.$G.token = token
+  $env.$G.user = token.body()
 
 
   $env.$router.addRoutes(routes)
@@ -16,7 +16,7 @@ export default ($env) => {
         await token.refresh()
       }
       if (token.isExpired()) {
-        token.logout(to.path)
+        token.logout(to.fullPath)
       }
     } else {
       next();
diff --git a/ui/ico.html b/ui/ico.html
index 62f4747..5c4712a 100644
--- a/ui/ico.html
+++ b/ui/ico.html
@@ -70,10 +70,10 @@
 </style>
 
 <body>
-  <div class="header-user ml-auto" v-if="user.name">
-    <img :src="user.icon" class="user-avatar" alt="用户头像">
-    <a href='/profile' class="user-name">{{ user.name }}</a>
-    <button @click="token.logout()" class="auth-btn logout-btn">
+  <div class="header-user ml-auto" v-if="$G.user.name">
+    <img :src="$G.user.icon" class="user-avatar" alt="用户头像">
+    <a href='/profile' class="user-name">{{ $G.user.name }}</a>
+    <button @click="$G.token.logout()" class="auth-btn logout-btn">
       退出
     </button>
   </div>
@@ -84,9 +84,4 @@
   </div>
 </body>
 
-<script setup>
-  import token from 'token'
-  user = token.body() || {}
-</script>
-
 </html>
diff --git a/ui/layout/app.html b/ui/layout/app.html
index 60498d9..d5daa2b 100644
--- a/ui/layout/app.html
+++ b/ui/layout/app.html
@@ -54,7 +54,7 @@
 
 
     .menu a[active] {
-      background: #409EFF;
+      background: #c3e1ff;
     }
 
     .content {
@@ -85,7 +85,7 @@
       </div>
       <a class="ml-auto" href="/">应用权限管理</a>
       <!-- 新增跳转到/home的链接 -->
-      <div refu='ico' class="ml-auto" style="margin-left: auto;"></div>
+      <div vsrc='ico' class="ml-auto" style="margin-left: auto;"></div>
 
     </header>
 
@@ -109,8 +109,9 @@
 <script setup>
   id = $router.params.id;
   try {
-    $env.app = await $axios.get(`/api/app/${id}`)
+    app = await $axios.get(`/api/app/${id}`)
     document.title = `${app.name} - 项目主页`
+    $G.app = app
   } catch (e) {
     $router.push('/')
     console.log(e)
diff --git a/ui/layout/default.html b/ui/layout/default.html
index d6adab4..7af1b7b 100644
--- a/ui/layout/default.html
+++ b/ui/layout/default.html
@@ -54,7 +54,7 @@
 
 
     .menu a[active] {
-      background: #409EFF;
+      background: #c3e1ff;
     }
 
     .content {
@@ -84,13 +84,13 @@
         <a href="@/">首页</a>
       </div>
       <a class="ml-auto" href="/">应用权限管理</a>
-      <!-- 新增跳转到/home的链接 -->
-      <div refu='ico' class="ml-auto" style="margin-left: auto;"></div>
+      <div vsrc='ico.html' class="ml-auto" style="margin-left: auto;"></div>
 
     </header>
 
     <div class="main-container">
       <vslot v='user' class="menu" name='menu'>
+        <a href="/" class="">HOME</a>
         <a href="/app" class="">应用管理</a>
         <a href="/profile" class="">个人中心</a>
         <a href="/settings">系统设置</a>
diff --git a/ui/page/app.html b/ui/page/app.html
index 28046b9..68c2473 100644
--- a/ui/page/app.html
+++ b/ui/page/app.html
@@ -7,6 +7,12 @@
   <title>应用</title>
 
   <style>
+    body {
+      width: 100%;
+      height: 100%;
+      padding: 20px;
+    }
+
     header {
       display: flex;
       justify-content: start;
@@ -19,7 +25,7 @@
     header h1 {
       font-size: 2.5rem;
       font-weight: 700;
-      color: var(--primary-color);
+      color: var(--color-primary);
       margin: 0;
     }
 
@@ -42,7 +48,7 @@
 
     .search-bar input:focus {
       outline: none;
-      border-color: var(--primary-color);
+      border-color: var(--color-primary);
       box-shadow: 0 0 0 3px rgba(74, 108, 247, 0.2);
     }
 
@@ -76,9 +82,9 @@
     }
 
     .filter-btn.active {
-      background-color: var(--primary-color);
+      background-color: var(--color-primary);
       color: white;
-      border-color: var(--primary-color);
+      border-color: var(--color-primary);
     }
 
     .app-grid {
@@ -200,8 +206,8 @@
     }
 
     .btn-primary {
-      background-color: var(--primary-color);
-      color: white;
+      background-color: var(--color-primary);
+      color: var(--color-text);
       border: none;
     }
 
@@ -211,8 +217,8 @@
 
     .btn-outline {
       background-color: transparent;
-      color: var(--primary-color);
-      border: 1px solid var(--primary-color);
+      color: var(--color-primary);
+      border: 1px solid var(--color-primary);
     }
 
     .btn-outline:hover {
@@ -232,7 +238,7 @@
       width: 40px;
       height: 40px;
       border: 4px solid rgba(74, 108, 247, 0.1);
-      border-left-color: var(--primary-color);
+      border-left-color: var(--color-primary);
       border-radius: 50%;
       animation: spin 1s linear infinite;
       margin-bottom: 15px;
diff --git a/ui/page/app/auth.html b/ui/page/app/auth.html
index 6ac8954..3c11c90 100644
--- a/ui/page/app/auth.html
+++ b/ui/page/app/auth.html
@@ -42,6 +42,8 @@
   <div class="sub-header">角色表</div>
   <v-table :axios='$axios' :onerr="onerr" :keys="role_keys" :api='role_url'>
     <v-btn vslot='_addon' size='sm' @click='show_user(row)' color='#2c9'>权限表</v-btn>
+    <v-btn v-if='row.id!==$G.app.init_role_id' vslot='_addon' size='sm' @click='update_app({init_role_id: row.id})'
+      color='#953'>设为初始角色</v-btn>
   </v-table>
   <v-dialog v:show='show'>
     <div class="dialog">
@@ -73,7 +75,7 @@
     {name: 'id', label: 'ID', disabled: true, style: {width: '2rem'}},
     {name: 'name', required: true, label: '资源名'},
     {name: 'tid', label: '限制域', editable: true},
-    {name: 'level', label: '权限等级', editable: true},
+    {name: 'level', label: '权限等级', type: 'number', editable: true},
     {name: 'created_at', label: '创建时间', disabled: true, field: (r) => new Date(r.created_at).toLocaleString()},
     {name: 'updated_at', label: '更新时间', disabled: true, field: (r) => new Date(r.updated_at).toLocaleString()},
   ]
@@ -92,10 +94,20 @@
   access_url = ``
   role_url = `/api/app/${id}/role`
   user_role_url = `/api/user/_/user_role/${selected_role.id}`
+  update_app = (props) => {
+    $axios.patch(`/api/app/${id}`, props).then((res) => {
+      if (res) {
+        Object.assign($G.app, res)
+      }
+    }).catch((e) => {
+      console.warn(e)
+    })
+  }
   onerr = (e) => {
     console.warn(e)
     // history.back()
   }
+  console.log($G.app)
 </script>
 
 </html>
diff --git a/ui/page/app/index.html b/ui/page/app/index.html
index ff2619e..50739f4 100644
--- a/ui/page/app/index.html
+++ b/ui/page/app/index.html
@@ -204,7 +204,7 @@
             <i class="fas fa-key"></i>
           </div>
           <div class="stat-info">
-            <h3>{{app.id ? app.id.substring(0, 8) : 'N/A'}}</h3>
+            <h3>{{$G.app.id ? $G.app.id.substring(0, 8) : 'N/A'}}</h3>
             <p>项目ID (缩略)</p>
           </div>
         </div>
diff --git a/ui/page/app/user.html b/ui/page/app/user.html
index c3b9d3a..50827dd 100644
--- a/ui/page/app/user.html
+++ b/ui/page/app/user.html
@@ -35,7 +35,7 @@
   <v-dialog v:show='show'>
     <div class="dialog">
       <div class="text-2xl">{{selected.username}} 角色表</div>
-      <v-table :axios='$axios' :keys="au_keys" :api='`/api/user/${app.id}/user_role`'></v-table>
+      <v-table :axios='$axios' :keys="au_keys" :api='`/api/user/${$G.app.id}/user_role`'></v-table>
     </div>
   </v-dialog>
 </body>
diff --git a/ui/page/profile.html b/ui/page/profile.html
index 77b66e3..f5dc426 100644
--- a/ui/page/profile.html
+++ b/ui/page/profile.html
@@ -8,6 +8,8 @@
 </head>
 <style>
   body {
+    max-width: 600px;
+    margin: 0 auto;
     border-radius: 8px;
     padding: 20px;
     display: flex;
@@ -69,7 +71,6 @@
 
 <body>
   <h1 class="text-2xl text-center">个人信息修改</h1>
-
   <div class="form-group">
     <label>用户名</label>
     <input type="text" !value="user.username" @input="user.username = $event.target.value" placeholder="请输入用户名">
@@ -104,11 +105,12 @@
 
 <script setup>
   // 初始化用户数据
+
   user = {
-    id: Guser.uid,
-    username: Guser.username,
+    id: $G.token?.body()?.uid,
+    username: '',
     nickname: "",
-    icon: Guser.icon || "",
+    icon: "",
     email: "",
     phone: "",
     status: 0
diff --git a/ui/routes.js b/ui/routes.js
index c456114..1af7207 100644
--- a/ui/routes.js
+++ b/ui/routes.js
@@ -6,11 +6,11 @@
  */
 
 const routes = [
-  { path: '/', component: '/page/index.html', name: 'home', meta: { auth: true } },
+  { path: '/', component: '/page/index.html', name: 'home', layout: 'default', meta: { auth: true } },
   { path: '/login', component: '/page/login.html', name: 'login', meta: { auth: false } },
-  { path: '/profile', component: '/page/profile.html', name: 'profile', meta: { auth: true } },
-  { path: '/app', component: '/page/app.html', name: 'app', meta: { auth: true } },
-  { path: '/settings', component: '/page/settings.html', name: 'settings', meta: { auth: true } },
+  { path: '/profile', component: '/page/profile.html', layout: 'default', meta: { auth: true } },
+  { path: '/app', component: '/page/app.html', name: 'app', layout: 'default', meta: { auth: true } },
+  { path: '/settings', component: '/page/settings.html', layout: 'default', meta: { auth: true } },
   {
     path: '/app/:id', layout: 'app', meta: { auth: true },
     children: [
diff --git a/ui/token.js b/ui/token.js
index 914a61e..1c1bf2d 100644
--- a/ui/token.js
+++ b/ui/token.js
@@ -69,11 +69,16 @@ class TokenService {
     }
     return this.__cache
   }
-  logout(to) {
+  logout(to, querys) {
     this.clearToken();
-    let url = this.#url + '/login';
-    url += '?redirect='
-    location.href = url + (to || window.location.pathname);
+    let url = new URL(this.#url, window.location.origin)
+    let redirect = to || window.location.pathname
+    url.searchParams.set('redirect', redirect)
+    for (let key in querys) {
+      url.searchParams.set(key, querys[key]);
+    }
+    url.pathname += '/login'
+    location.href = url.toString()
   }
 
   async refresh() {
@@ -87,13 +92,13 @@ class TokenService {
         method: 'post',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({ refresh: refreshToken })
-      }).then(res => res.json())
+      }).then(res => res.text())
       this.__cache = null; // 清除缓存
       this.setToken(data);
     } catch (e) {
       console.error('Token刷新失败:', e);
       this.clearToken()
-      // logout();
+      logout();
     }
   }
   isExpired() {
@@ -163,7 +168,7 @@ class TokenService {
 
         // 如果重试次数超过 3 次，则不再重试，直接跳转到登录页
         if (originalRequest.__retryCount >= 3) {
-          that.logout()
+          // that.logout()
           // 拒绝原始请求的 Promise，停止后续处理
           return Promise.reject(error);
         }
@@ -204,7 +209,7 @@ class TokenService {
           // 拒绝等待队列中的所有请求
           processQueue(refreshError);
           // that.clearToken();
-          // that.logout();
+          that.logout();
           // 拒绝原始请求的 Promise
           return Promise.reject(refreshError);
         } finally {