feat(auth): add SMS/email verification code support for registration

- Add validateRegisterCode function to verify codes during registration - Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder - Make cookie names configurable via JWT CookiePrefix setting - Rename login type "phone" to "sms" for consistency - Add 1-minute TTL cache for setting values - Add $fetch wrapper replacing raw fetch calls across all UI pages - Add verification code inputs with countdown send buttons to register UI - Move CSS/JS assets from root.html to auth and default layouts - Add scope parameter to VBase permission check methods - Add i18n entries for verification code messages (zh/en) - Fix route guard to use next('/403') instead of router.push
2 weeks ago · d3137955c3
parent adf0cd36ca
commit d3137955c3
23 changed files with 616 additions and 265 deletions
--- a/api/auth/login.go
+++ b/api/auth/login.go
@ -47,7 +47,7 @@ type UserInfo struct {
 // LoginWithCodeRequest 验证码登录请求
 type LoginWithCodeRequest struct {
-	Type   string `json:"type" src:"json" desc:"类型: email/phone"`
+	Type   string `json:"type" src:"json" desc:"类型: email/sms"`
 	Target string `json:"target" src:"json" desc:"邮箱或手机号"`
 	Code   string `json:"code" src:"json" desc:"验证码"`
 }
@ -55,8 +55,8 @@ type LoginWithCodeRequest struct {
 // loginWithCode 验证码登录
 func loginWithCode(x *vigo.X, req *LoginWithCodeRequest) (*AuthResponse, error) {
 	// 参数校验
-	if req.Type != "email" && req.Type != "phone" {
+	if req.Type != "email" && req.Type != "sms" {
-		return nil, vigo.ErrInvalidArg.WithString("invalid type, must be email or phone")
+		return nil, vigo.ErrInvalidArg.WithString("invalid type, must be email or sms")
 	}
 	if req.Target == "" || req.Code == "" {
 		return nil, vigo.ErrInvalidArg.WithString("target and code are required")
@ -180,7 +180,7 @@ func refresh(x *vigo.X, req *RefreshRequest) (*AuthResponse, error) {
 	refreshToken := req.RefreshToken
 	// Body 为空时从 Cookie 读取
 	if refreshToken == "" {
-		if c, err := x.Request.Cookie(refreshCookieName); err == nil {
+		if c, err := x.Request.Cookie(refreshCookieName()); err == nil {
 			refreshToken = c.Value
 		}
 	}
@ -253,17 +253,15 @@ func logout(x *vigo.X) error {
 // ========== Cookie 辅助函数 ==========
-const (
+func accessCookieName() string { return cfg.Global.JWT.CookiePrefix + "access" }
-	accessCookieName  = "vb_access"
+func refreshCookieName() string { return cfg.Global.JWT.CookiePrefix + "refresh" }
 	refreshCookieName = "vb_refresh"
 )
 // setTokenCookies 设置 HttpOnly Cookie
 func setTokenCookies(x *vigo.X, tokenPair *jwt.TokenPair) {
 	refreshTokenPath := Router.String() + "/refresh"
 	cp := cfg.Global.JWT.CookiePath
 	http.SetCookie(x.ResponseWriter(), &http.Cookie{
-		Name:     accessCookieName,
+		Name:     accessCookieName(),
 		Value:    tokenPair.AccessToken,
 		Path:     cp,
 		MaxAge:   int(cfg.Global.JWT.AccessExpiry.Seconds()),
@ -272,7 +270,7 @@ func setTokenCookies(x *vigo.X, tokenPair *jwt.TokenPair) {
 		SameSite: http.SameSiteStrictMode,
 	})
 	http.SetCookie(x.ResponseWriter(), &http.Cookie{
-		Name:     refreshCookieName,
+		Name:     refreshCookieName(),
 		Value:    tokenPair.RefreshToken,
 		Path:     refreshTokenPath,
 		MaxAge:   int(cfg.Global.JWT.RefreshExpiry.Seconds()),
@ -287,14 +285,14 @@ func clearTokenCookies(x *vigo.X) {
 	cp := cfg.Global.JWT.CookiePath
 	refreshTokenPath := Router.String() + "/refresh"
 	http.SetCookie(x.ResponseWriter(), &http.Cookie{
-		Name:     accessCookieName,
+		Name:     accessCookieName(),
 		Value:    "",
 		Path:     cp,
 		MaxAge:   -1,
 		HttpOnly: true,
 	})
 	http.SetCookie(x.ResponseWriter(), &http.Cookie{
-		Name:     refreshCookieName,
+		Name:     refreshCookieName(),
 		Value:    "",
 		Path:     refreshTokenPath,
 		MaxAge:   -1,
--- a/api/auth/register.go
+++ b/api/auth/register.go
@ -30,6 +30,8 @@ type RegisterRequest struct {
 	Password  string `json:"password" src:"json" desc:"密码"`
 	Email     string `json:"email,omitempty" src:"json" desc:"邮箱"`
 	Phone     string `json:"phone,omitempty" src:"json" desc:"手机号"`
 	EmailCode string `json:"email_code,omitempty" src:"json" desc:"邮箱验证码"`
 	PhoneCode string `json:"phone_code,omitempty" src:"json" desc:"手机号验证码"`
 	Nickname  string `json:"nickname,omitempty" src:"json" desc:"昵称"`
 }
@ -63,8 +65,10 @@ func register(x *vigo.X, req *RegisterRequest) (*AuthResponse, error) {
 	// 检查注册配置
 	requireEmail, _ := models.GetSettingBool(models.SettingAuthRegRequireEmail)
 	requirePhone, _ := models.GetSettingBool(models.SettingAuthRegRequirePhone)
 	emailEnabled, _ := models.GetSettingBool(models.SettingEmailEnabled)
 	smsEnabled, _ := models.GetSettingBool(models.SettingSMSEnabled)
-	// 校验必填字段
+	// 校验必填字段（优先于服务检查）
 	if requireEmail && req.Email == "" {
 		return nil, vigo.ErrInvalidArg.WithString("email is required")
 	}
@ -72,6 +76,36 @@ func register(x *vigo.X, req *RegisterRequest) (*AuthResponse, error) {
 		return nil, vigo.ErrInvalidArg.WithString("phone is required")
 	}
 	// 服务开启时至少一种验证方式
 	if emailEnabled || smsEnabled {
 		hasEmail := req.Email != "" && req.EmailCode != ""
 		hasPhone := req.Phone != "" && req.PhoneCode != ""
 		if emailEnabled && smsEnabled {
 			if !hasEmail && !hasPhone {
 				return nil, vigo.ErrInvalidArg.WithString("email or phone verification is required")
 			}
 		} else if emailEnabled && !hasEmail {
 			return nil, vigo.ErrInvalidArg.WithString("email verification is required")
 		} else if smsEnabled && !hasPhone {
 			return nil, vigo.ErrInvalidArg.WithString("phone verification is required")
 		}
 	}
 	// 校验邮箱验证码（提供了邮箱时）
 	if req.Email != "" {
 		if err := validateRegisterCode(req.Email, req.EmailCode, "email"); err != nil {
 			return nil, err
 		}
 	}
 	// 校验手机验证码（提供了手机号时）
 	if req.Phone != "" {
 		if err := validateRegisterCode(req.Phone, req.PhoneCode, "sms"); err != nil {
 			return nil, err
 		}
 	}
 	// 使用事务处理注册，防止并发创建多个首个管理员用户
 	var user *models.User
 	err := cfg.DB().Transaction(func(tx *gorm.DB) error {
@ -174,3 +208,38 @@ func register(x *vigo.X, req *RegisterRequest) (*AuthResponse, error) {
 	// 生成token
 	return generateAuthResponseForUser(x, user)
 }
 // validateRegisterCode 校验注册验证码
 func validateRegisterCode(target, code, codeType string) error {
 	if code == "" {
 		return vigo.ErrInvalidArg.WithString("verification code is required")
 	}
 	db := cfg.DB()
 	var verification models.VerificationCode
 	if err := db.Where("target = ? AND type = ? AND purpose = ?", target, codeType, models.CodePurposeRegister).
 		Order("created_at DESC").First(&verification).Error; err != nil {
 		return vigo.ErrInvalidArg.WithString("invalid verification code")
 	}
 	maxAttempts, _ := models.GetSettingInt(models.SettingCodeMaxAttempt)
 	if maxAttempts == 0 {
 		maxAttempts = 3
 	}
 	if !verification.CanRetry(maxAttempts) {
 		return vigo.ErrInvalidArg.WithString("verification code expired or max attempts exceeded")
 	}
 	if verification.Code != code {
 		db.Model(&verification).UpdateColumn("attempts", verification.Attempts+1)
 		return vigo.ErrInvalidArg.WithString("invalid verification code")
 	}
 	now := time.Now()
 	verification.Status = models.CodeStatusUsed
 	verification.UsedAt = &now
 	db.Save(&verification)
 	return nil
 }
--- a/auth/auth.go
+++ b/auth/auth.go
@ -511,7 +511,7 @@ func parsePermissionID(x *vigo.X, code string) (string, error) {
 // extractToken 从请求中提取 token，优先级: Cookie > Authorization Header > Query
 func extractToken(x *vigo.X) string {
 	// 1. Cookie (HttpOnly，浏览器自动携带)
-	if c, err := x.Request.Cookie("vb_access"); err == nil && c.Value != "" {
+	if c, err := x.Request.Cookie(cfg.Global.JWT.CookiePrefix + "access"); err == nil && c.Value != "" {
 		return c.Value
 	}
--- a/cfg/cfg.go
+++ b/cfg/cfg.go
@ -40,6 +40,7 @@ type JWTConfig struct {
 	RefreshExpiry time.Duration `json:"refresh_expiry" usage:"Refresh Token 有效期"`
 	Issuer        string        `json:"issuer" usage:"JWT 签发者"`
 	CookiePath    string        `json:"cookie_path" usage:"Cookie Path，默认 / 全站，可限定为 /api/ 等"`
 	CookiePrefix  string        `json:"cookie_prefix"`
 }
 // InitAdminConfig 初始管理员配置
@ -66,6 +67,7 @@ var Global = &Options{
 		RefreshExpiry: 30 * 24 * time.Hour,
 		Issuer:        "vbase",
 		CookiePath:    "/",
 		CookiePrefix:  "vb_",
 	},
 	InitAdmin: InitAdminConfig{
 		Username: "admin",
--- a/go.mod
+++ b/go.mod
@ -12,22 +12,36 @@ require (
 )
 require (
 	github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
 	github.com/alibabacloud-go/darabonba-openapi/v2 v2.2.1 // indirect
 	github.com/alibabacloud-go/debug v1.0.1 // indirect
 	github.com/alibabacloud-go/dysmsapi-20170525/v5 v5.5.1 // indirect
 	github.com/alibabacloud-go/tea v1.5.0 // indirect
 	github.com/alibabacloud-go/tea-utils/v2 v2.0.9 // indirect
 	github.com/aliyun/credentials-go v1.4.5 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/clbanning/mxj/v2 v2.7.0 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.3 // indirect
 	github.com/kr/pretty v0.3.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/rs/zerolog v1.34.0 // indirect
 	github.com/stretchr/testify v1.11.1 // indirect
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	golang.org/x/net v0.50.0 // indirect
 	golang.org/x/sys v0.41.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@ -1,21 +1,102 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/alibabacloud-go/alibabacloud-gateway-pop v0.0.6/go.mod h1:4EUIoxs/do24zMOGGqYVWgw0s9NtiylnJglOeEB5UJo=
 github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4/go.mod h1:sCavSAvdzOjul4cEqeVtvlSaSScfNsTQ+46HwlTL1hc=
 github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 h1:zE8vH9C7JiZLNJJQ5OwjU9mSi4T9ef9u3BURT6LCLC8=
 github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5/go.mod h1:tWnyE9AjF8J8qqLk645oUmVUnFybApTQWklQmi5tY6g=
 github.com/alibabacloud-go/darabonba-array v0.1.0/go.mod h1:BLKxr0brnggqOJPqT09DFJ8g3fsDshapUD3C3aOEFaI=
 github.com/alibabacloud-go/darabonba-encode-util v0.0.2/go.mod h1:JiW9higWHYXm7F4PKuMgEUETNZasrDM6vqVr/Can7H8=
 github.com/alibabacloud-go/darabonba-map v0.0.2/go.mod h1:28AJaX8FOE/ym8OUFWga+MtEzBunJwQGceGQlvaPGPc=
 github.com/alibabacloud-go/darabonba-openapi/v2 v2.1.14/go.mod h1:lxFGfobinVsQ49ntjpgWghXmIF0/Sm4+wvBJ1h5RtaE=
 github.com/alibabacloud-go/darabonba-openapi/v2 v2.2.1 h1:R8b55YFS4K9x5P5IdgA+QWinVfVmulzqaJG/tr6HhxM=
 github.com/alibabacloud-go/darabonba-openapi/v2 v2.2.1/go.mod h1:OCFim1kMbp2m+V8WS5IBnnVrk6nXaJiDwZpg3uqw8Po=
 github.com/alibabacloud-go/darabonba-signature-util v0.0.7/go.mod h1:oUzCYV2fcCH797xKdL6BDH8ADIHlzrtKVjeRtunBNTQ=
 github.com/alibabacloud-go/darabonba-string v1.0.2/go.mod h1:93cTfV3vuPhhEwGGpKKqhVW4jLe7tDpo3LUM0i0g6mA=
 github.com/alibabacloud-go/debug v0.0.0-20190504072949-9472017b5c68/go.mod h1:6pb/Qy8c+lqua8cFpEy7g39NRRqOWc3rOwAy8m5Y2BY=
 github.com/alibabacloud-go/debug v1.0.0/go.mod h1:8gfgZCCAC3+SCzjWtY053FrOcd4/qlH6IHTI4QyICOc=
 github.com/alibabacloud-go/debug v1.0.1 h1:MsW9SmUtbb1Fnt3ieC6NNZi6aEwrXfDksD4QA6GSbPg=
 github.com/alibabacloud-go/debug v1.0.1/go.mod h1:8gfgZCCAC3+SCzjWtY053FrOcd4/qlH6IHTI4QyICOc=
 github.com/alibabacloud-go/dysmsapi-20170525/v5 v5.5.1 h1:CyJ1adk5jlg7acrbG1sgdZ+EXTZNZHwhNQAf6VFfySo=
 github.com/alibabacloud-go/dysmsapi-20170525/v5 v5.5.1/go.mod h1:J1zab9/VxVJGdZ5pSK/BbUot7CkaSkRXdaLKAXXRLoY=
 github.com/alibabacloud-go/endpoint-util v1.1.0/go.mod h1:O5FuCALmCKs2Ff7JFJMudHs0I5EBgecXXxZRyswlEjE=
 github.com/alibabacloud-go/openapi-util v0.1.0/go.mod h1:sQuElr4ywwFRlCCberQwKRFhRzIyG4QTP/P4y1CJ6Ws=
 github.com/alibabacloud-go/tea v1.1.0/go.mod h1:IkGyUSX4Ba1V+k4pCtJUc6jDpZLFph9QMy2VUPTwukg=
 github.com/alibabacloud-go/tea v1.1.7/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4=
 github.com/alibabacloud-go/tea v1.1.8/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4=
 github.com/alibabacloud-go/tea v1.1.11/go.mod h1:/tmnEaQMyb4Ky1/5D+SE1BAsa5zj/KeGOFfwYm3N/p4=
 github.com/alibabacloud-go/tea v1.1.17/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A=
 github.com/alibabacloud-go/tea v1.1.20/go.mod h1:nXxjm6CIFkBhwW4FQkNrolwbfon8Svy6cujmKFUq98A=
 github.com/alibabacloud-go/tea v1.2.2/go.mod h1:CF3vOzEMAG+bR4WOql8gc2G9H3EkH3ZLAQdpmpXMgwk=
 github.com/alibabacloud-go/tea v1.3.13/go.mod h1:A560v/JTQ1n5zklt2BEpurJzZTI8TUT+Psg2drWlxRg=
 github.com/alibabacloud-go/tea v1.5.0 h1:8pUo8WzMChtJT+jpLIcN1vzMi6SW3rihzzBoihPGUvs=
 github.com/alibabacloud-go/tea v1.5.0/go.mod h1:hgSs82CkOiehSQMoiFN79dL6zsGX7pVGvnn9SIEs8/0=
 github.com/alibabacloud-go/tea-utils v1.3.1/go.mod h1:EI/o33aBfj3hETm4RLiAxF/ThQdSngxrpF8rKUDJjPE=
 github.com/alibabacloud-go/tea-utils/v2 v2.0.5/go.mod h1:dL6vbUT35E4F4bFTHL845eUloqaerYBYPsdWR2/jhe4=
 github.com/alibabacloud-go/tea-utils/v2 v2.0.7/go.mod h1:qxn986l+q33J5VkialKMqT/TTs3E+U9MJpd001iWQ9I=
 github.com/alibabacloud-go/tea-utils/v2 v2.0.9 h1:y6pUIlhjxbZl9ObDAcmA1H3c21eaAxADHTDQmBnAIgA=
 github.com/alibabacloud-go/tea-utils/v2 v2.0.9/go.mod h1:qxn986l+q33J5VkialKMqT/TTs3E+U9MJpd001iWQ9I=
 github.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw=
 github.com/aliyun/credentials-go v1.3.1/go.mod h1:8jKYhQuDawt8x2+fusqa1Y6mPxemTsBEN04dgcAcYz0=
 github.com/aliyun/credentials-go v1.3.6/go.mod h1:1LxUuX7L5YrZUWzBrRyk0SwSdH4OmPrib8NVePL3fxM=
 github.com/aliyun/credentials-go v1.4.5 h1:O76WYKgdy1oQYYiJkERjlA2dxGuvLRrzuO2ScrtGWSk=
 github.com/aliyun/credentials-go v1.4.5/go.mod h1:Jm6d+xIgwJVLVWT561vy67ZRP4lPTQxMbEYRuT2Ti1U=
 github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
 github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/clbanning/mxj/v2 v2.7.0 h1:WA/La7UGCanFe5NpHF0Q3DNtnCsVoxbPKuyBNHWRyME=
 github.com/clbanning/mxj/v2 v2.7.0/go.mod h1:hNiWqW14h+kc+MdF9C6/YoRfjEJoR3ou6tn/Qo+ve2s=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang-jwt/jwt/v5 v5.2.3 h1:kkGXqQOBSDDWRhWNXTFpqGSCMyh/PLnqUvMGJPDJDs0=
 github.com/golang-jwt/jwt/v5 v5.2.3/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
 github.com/klauspost/cpuid/v2 v2.2.3 h1:sxCkb+qR91z4vsqw4vGGZlDgPz3G7gjaLyK3V8y70BU=
 github.com/klauspost/cpuid/v2 v2.2.3/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@ -24,35 +105,205 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/redis/go-redis/v9 v9.18.0 h1:pMkxYPkEbMPwRdenAzUNyFNrDgHx9U+DrBabWNfSRQs=
 github.com/redis/go-redis/v9 v9.18.0/go.mod h1:k3ufPphLU5YXwNTUcCRXGxUoF1fqxnhFQmscfkCoDA0=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/assertions v1.1.0/go.mod h1:tcbTF8ujkAEcZ8TElKY+i30BzYlVhC/LOxJk7iOWnoo=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/tjfoc/gmsm v1.3.2/go.mod h1:HaUcFuY0auTiaHB9MHFGCPx5IaLhTUd2atbCFBQXn9w=
 github.com/tjfoc/gmsm v1.4.1 h1:aMe1GlZb+0bLjn+cKTPEvvn9oUEBlJitaZiiBwsbgho=
 github.com/tjfoc/gmsm v1.4.1/go.mod h1:j4INPkHWMrhJb38G+J6W4Tw0AbuN8Thu3PbdVYhVcTE=
 github.com/veypi/vigo v0.6.0 h1:W7jE8KsetNLh/+s+tK5sNn/fEqIrVIAfIUNlY+SxVLw=
 github.com/veypi/vigo v0.6.0/go.mod h1:XMvYldUYl1C1SrA89ZafHHbVFNjXJtdoB05nYIJjv4I=
 github.com/veypi/vigo v0.6.4/go.mod h1:x8HRMvi68wtaTn8PIAPf3omhx/wls8X76jkY6/hMY6Y=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.30/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191219195013-becbf705a915/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200510223506-06a226fb4e37/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201012173705-84dcc777aaee/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
 golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
 golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200506145744-7e3656a0809f/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
 golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
 golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200509044756-6aff5f38e54f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
 golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.21.0/go.mod h1:ooXLefLobQVslOqselCNF4SxFAaoS6KujMbsGzSDmX0=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
 golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190328211700-ab21143f2384/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200509030707-2212a7e161a5/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/ini.v1 v1.56.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/gorm v1.31.1 h1:7CA8FTFz/gRfgqgpeKIBcervUn3xSyPUmr6B2WXJ7kg=
 gorm.io/gorm v1.31.1/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/libs/sms/aliyun.go
+++ b/libs/sms/aliyun.go
@ -7,22 +7,37 @@
 package sms
 import (
 	"encoding/json"
 	"fmt"
 	openapi "github.com/alibabacloud-go/darabonba-openapi/v2/client"
 	dysmsapi20170525 "github.com/alibabacloud-go/dysmsapi-20170525/v5/client"
 	util "github.com/alibabacloud-go/tea-utils/v2/service"
 	"github.com/alibabacloud-go/tea/tea"
 )
 // AliyunProvider 阿里云短信
 type AliyunProvider struct {
-	accessKey    string
+	client       *dysmsapi20170525.Client
 	accessSecret string
 	signName     string
 	templateCode string
 }
 // NewAliyunProvider 创建阿里云短信提供商
 func NewAliyunProvider(accessKey, accessSecret, signName, templateCode string) (*AliyunProvider, error) {
 	config := &openapi.Config{
 		AccessKeyId:     tea.String(accessKey),
 		AccessKeySecret: tea.String(accessSecret),
 	}
 	config.Endpoint = tea.String("dysmsapi.aliyuncs.com")
 	client, err := dysmsapi20170525.NewClient(config)
 	if err != nil {
 		return nil, fmt.Errorf("create aliyun sms client: %w", err)
 	}
 	return &AliyunProvider{
-		accessKey:    accessKey,
+		client:       client,
 		accessSecret: accessSecret,
 		signName:     signName,
 		templateCode: templateCode,
 	}, nil
@ -30,8 +45,23 @@ func NewAliyunProvider(accessKey, accessSecret, signName, templateCode string) (
 // Send 发送短信
 func (p *AliyunProvider) Send(phone, code string) error {
-	// TODO: 实现阿里云短信发送逻辑
+	param, _ := json.Marshal(map[string]string{"code": code})
-	// 这里简化处理，实际应调用阿里云 SDK
+
-	fmt.Printf("[AliyunSMS] Send code %s to %s\n", code, phone)
+	req := &dysmsapi20170525.SendSmsRequest{
 		PhoneNumbers:  tea.String(phone),
 		SignName:      tea.String(p.signName),
 		TemplateCode:  tea.String(p.templateCode),
 		TemplateParam: tea.String(string(param)),
 	}
 	resp, err := p.client.SendSmsWithOptions(req, &util.RuntimeOptions{})
 	if err != nil {
 		return fmt.Errorf("send sms: %w", err)
 	}
 	if *resp.Body.Code != "OK" {
 		return fmt.Errorf("send sms failed: %s", tea.StringValue(resp.Body.Message))
 	}
 	return nil
 }
--- a/models/setting.go
+++ b/models/setting.go
@ -10,9 +10,11 @@ import (
 	"encoding/json"
 	"fmt"
 	"strconv"
 	"time"
 	"github.com/veypi/vbase/cfg"
 	"github.com/veypi/vigo"
 	"github.com/veypi/vigo/contrib/cache"
 )
 // Setting 系统配置表（线上配置，存储在数据库）
@ -151,13 +153,17 @@ func InitSettings() error {
 	return nil
 }
-// GetSetting 获取配置值
+var settingCache = cache.NewCache(time.Minute, func(key string) (string, error) {
 func GetSetting(key string) (string, error) {
 	var s Setting
 	if err := cfg.DB().Where("`key` = ?", key).First(&s).Error; err != nil {
 		return "", err
 	}
 	return s.Value, nil
 })
 // GetSetting 获取配置值
 func GetSetting(key string) (string, error) {
 	return settingCache.Get(key)
 }
 // GetSettingBool 获取布尔配置
--- a/ui/env.js
+++ b/ui/env.js
@ -1,7 +1,6 @@
 import VBase from './vbase.js'
 export default async ($mod) => {
  console.log('load vbase')
  // Load i18n
  try {
    const langs = await (await fetch($mod.scoped + '/langs.json')).json()
@ -10,8 +9,28 @@ export default async ($mod) => {
    console.error('Failed to load langs.json', e)
  }
  if (!$mod.$auth) {
    let VBase = (await import($mod.scoped + '/vbase.js')).default
    $mod.users = {}
-    const vbase = new VBase($mod.scoped, null, $mod.users)
+    const vbase = new VBase($mod.scoped, $mod.scoped + '/login', $mod.users)
    $mod.$auth = vbase
  }
  $mod.$fetch = async (url, opts = {}) => {
    let fullUrl = url
    if (opts.params) {
      const qs = new URLSearchParams()
      for (const [k, v] of Object.entries(opts.params)) {
        if (v != null) qs.append(k, v)
      }
      fullUrl += '?' + qs.toString()
    }
    const init = { method: opts.method || 'GET', headers: {} }
    if (opts.body != null && init.method !== 'GET') {
      init.headers['Content-Type'] = 'application/json'
      init.body = JSON.stringify(opts.body)
    }
    const r = await $mod.fetch(fullUrl, init)
    const d = await r.json().catch(() => ({}))
    if (!r.ok) throw new Error(d.message || d.error || `HTTP ${r.status}`)
    return d
  }
 }
--- a/ui/langs.json
+++ b/ui/langs.json
@ -15,8 +15,12 @@
    "auth.confirm_password": "确认密码",
    "auth.create_account": "创建账户",
    "auth.email": "邮箱",
    "auth.email_code_required": "请完成邮箱验证",
    "auth.email_disabled": "邮箱登录未启用",
    "auth.email_or_phone": "邮箱或手机号",
    "auth.email_or_phone_required": "请完成邮箱或手机号验证",
    "auth.enter_email_code": "请输入邮箱验证码",
    "auth.enter_phone_code": "请输入手机验证码",
    "auth.fill_all_fields": "请填写所有必填字段",
    "auth.fill_required": "请填写所有必填项",
    "auth.forgot_password": "忘记密码？",
@ -36,6 +40,7 @@
    "auth.password_changed": "密码修改成功",
    "auth.password_too_short": "密码至少8个字符",
    "auth.passwords_not_match": "两次输入的密码不一致",
    "auth.phone_code_required": "请完成手机号验证",
    "auth.phone_placeholder": "请输入手机号",
    "auth.register": "注册",
    "auth.register_failed": "注册失败",
@ -224,8 +229,12 @@
    "auth.create_account": "Create Account",
    "auth.create_new": "Create New",
    "auth.email": "Email",
    "auth.email_code_required": "Email verification required",
    "auth.email_disabled": "Email login is disabled",
    "auth.email_or_phone": "Email or Phone",
    "auth.email_or_phone_required": "Email or phone verification required",
    "auth.enter_email_code": "Enter email verification code",
    "auth.enter_phone_code": "Enter phone verification code",
    "auth.fill_all_fields": "Please fill in all required fields",
    "auth.fill_required": "Please fill in all required fields",
    "auth.forgot_password": "Forgot password?",
@ -246,6 +255,7 @@
    "auth.password_changed": "Password changed successfully",
    "auth.password_too_short": "Password must be at least 8 characters",
    "auth.passwords_not_match": "Passwords do not match",
    "auth.phone_code_required": "Phone verification required",
    "auth.phone_placeholder": "Enter your phone number",
    "auth.register": "Register",
    "auth.register_failed": "Registration failed",
--- a/ui/layout/auth.html
+++ b/ui/layout/auth.html
@ -3,6 +3,11 @@
 <head>
  <meta name="description" content="Auth Layout with animated background">
  <link rel="stylesheet" href="/assets/global.css">
  <link rel="stylesheet" href="/v/global.css">
  <link href="/assets/libs/animate/animate.min.css" rel="stylesheet">
  <link href="/assets/libs/font-awesome/css/all.min.css" rel="stylesheet">
  <script src="/assets/libs/echarts.min.js"></script>
  <style>
    body {
      height: 100%;
--- a/ui/layout/default.html
+++ b/ui/layout/default.html
@ -4,6 +4,11 @@
 <head>
  <meta name="description" content="Default Layout">
  <title>VBase</title>
  <link rel="stylesheet" href="/assets/global.css">
  <link rel="stylesheet" href="/v/global.css">
  <link href="/assets/libs/animate/animate.min.css" rel="stylesheet">
  <link href="/assets/libs/font-awesome/css/all.min.css" rel="stylesheet">
  <script src="/assets/libs/echarts.min.js"></script>
  <style>
    .layout-container {
      display: flex;
--- a/ui/page/auth/login.html
+++ b/ui/page/auth/login.html
@ -414,19 +414,30 @@
          </a>
        </div>
        <span>{{ $t('auth.use_info_register') }}</span>
-
+        <div class="input-group code-input-row" v-if="emailEnabled">
-        <div class="input-group">
+          <input type="email" :placeholder="$t('auth.email')" v:value="signUpForm.email" />
-          <input type="text" :placeholder="$t('auth.username')" v:value="signUpForm.username" required />
+          <button type="button" class="send-code-btn" @click="sendEmailCode"
            :disabled="emailCountDown > 0 || emailSendLoading">
            {{ emailCountDown > 0 ? emailCountDown + 's' : emailSendLoading ? '...' : $t('auth.send_code') }}
          </button>
        </div>
        <div class="input-group" v-if="emailEnabled">
-          <input type="email" :placeholder="$t('auth.email')" v:value="signUpForm.email" />
+          <input type="text" :placeholder="$t('auth.enter_email_code')" v:value="signUpForm.emailCode" />
        </div>
-        <div class="input-group" v-if="smsEnabled">
+        <div class="input-group code-input-row" v-if="smsEnabled">
          <input type="text" :placeholder="$t('auth.phone_placeholder')" v:value="signUpForm.phone" />
          <button type="button" class="send-code-btn" @click="sendPhoneCode"
            :disabled="phoneCountDown > 0 || phoneSendLoading">
            {{ phoneCountDown > 0 ? phoneCountDown + 's' : phoneSendLoading ? '...' : $t('auth.send_code') }}
          </button>
        </div>
        <div class="input-group" v-if="smsEnabled">
          <input type="text" :placeholder="$t('auth.enter_phone_code')" v:value="signUpForm.phoneCode" />
        </div>
        <div class="input-group">
          <input type="text" :placeholder="$t('auth.username')" v:value="signUpForm.username" required />
        </div>
        <div class="input-group">
          <input type="password" :placeholder="$t('auth.password')" v:value="signUpForm.password" required />
        </div>
@ -541,6 +552,13 @@
  timer = null;
  sendCodeLoading = false;
  emailCountDown = 0;
  phoneCountDown = 0;
  emailTimer = null;
  phoneTimer = null;
  emailSendLoading = false;
  phoneSendLoading = false;
  signInForm = {
    username: '',
    password: '',
@ -552,6 +570,8 @@
    username: '',
    email: '',
    phone: '',
    emailCode: '',
    phoneCode: '',
    password: '',
    confirmPassword: ''
  };
@ -588,13 +608,7 @@
  handleOAuth = async (provider) => {
    try {
-      const params = new URLSearchParams({provider, redirect});
+      const data = await $fetch('/api/auth/authorize/thirdparty', {params: {provider, redirect}});
      const res = await fetch('/api/auth/authorize/thirdparty?' + params);
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      const data = await res.json();
      if (data?.auth_url) {
        window.location.href = data.auth_url;
      }
@ -605,12 +619,7 @@
  loadConfig = async () => {
    try {
-      const res = await fetch('/api/info');
+      const info = await $fetch('/api/info');
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      const info = await res.json();
      if (info.oauth_providers) {
        providers = info.oauth_providers;
@ -678,6 +687,64 @@
    }
  };
  sendEmailCode = async () => {
    if (emailCountDown > 0 || emailSendLoading) return;
    if (!signUpForm.email) {
      signUpError = $t('auth.target_required');
      return;
    }
    emailSendLoading = true;
    try {
      await $fetch('/api/verification/send', {
        method: 'POST',
        body: {type: 'email', target: signUpForm.email, purpose: 'register'}
      });
      $message.success($t('auth.code_sent'));
      emailCountDown = 60;
      if (emailTimer) clearInterval(emailTimer);
      emailTimer = setInterval(() => {
        emailCountDown--;
        if (emailCountDown <= 0) {
          clearInterval(emailTimer);
          emailTimer = null;
        }
      }, 1000);
    } catch (e) {
      signUpError = e.message || 'Failed to send code';
    } finally {
      emailSendLoading = false;
    }
  };
  sendPhoneCode = async () => {
    if (phoneCountDown > 0 || phoneSendLoading) return;
    if (!signUpForm.phone) {
      signUpError = $t('auth.target_required');
      return;
    }
    phoneSendLoading = true;
    try {
      await $fetch('/api/verification/send', {
        method: 'POST',
        body: {type: 'sms', target: signUpForm.phone, purpose: 'register'}
      });
      $message.success($t('auth.code_sent'));
      phoneCountDown = 60;
      if (phoneTimer) clearInterval(phoneTimer);
      phoneTimer = setInterval(() => {
        phoneCountDown--;
        if (phoneCountDown <= 0) {
          clearInterval(phoneTimer);
          phoneTimer = null;
        }
      }, 1000);
    } catch (e) {
      signUpError = e.message || 'Failed to send code';
    } finally {
      phoneSendLoading = false;
    }
  };
  handleSignIn = async (e) => {
    if (signInLoading) return;
@ -690,17 +757,11 @@
          throw new Error($t('auth.target_and_code_required'));
        }
-        const type = /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(signInForm.target) ? 'email' : 'phone';
+        const type = /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(signInForm.target) ? 'email' : 'sms';
-        const res = await fetch('/api/auth/login/code', {
+        const data = await $fetch('/api/auth/login/code', {
          method: 'POST',
-          headers: {'Content-Type': 'application/json'},
+          body: {type, target: signInForm.target, code: signInForm.code}
          body: JSON.stringify({type, target: signInForm.target, code: signInForm.code})
        });
        if (res.status !== 200) {
          const err = await res.json();
          throw new Error(err.message);
        }
        const data = await res.json();
        if (data?.user) {
          await $mod.$auth.onAuthSuccess(data.user);
@ -755,24 +816,36 @@
      return;
    }
    const hasEmail = signUpForm.email && signUpForm.emailCode;
    const hasPhone = signUpForm.phone && signUpForm.phoneCode;
    if (emailEnabled && smsEnabled) {
      if (!hasEmail && !hasPhone) {
        signUpError = $t('auth.email_or_phone_required');
        return;
      }
    } else if (emailEnabled && !hasEmail) {
      signUpError = $t('auth.email_code_required');
      return;
    } else if (smsEnabled && !hasPhone) {
      signUpError = $t('auth.phone_code_required');
      return;
    }
    signUpLoading = true;
    try {
-      const res = await fetch('/api/auth/register', {
+      const data = await $fetch('/api/auth/register', {
        method: 'POST',
-        headers: {'Content-Type': 'application/json'},
+        body: {
        body: JSON.stringify({
          username: signUpForm.username,
          email: signUpForm.email || undefined,
          phone: signUpForm.phone || undefined,
          email_code: signUpForm.emailCode || undefined,
          phone_code: signUpForm.phoneCode || undefined,
          password: signUpForm.password
        })
      });
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
        }
-      const data = await res.json();
+      });
      if (data?.user) {
        await $mod.$auth.onAuthSuccess(data.user);
--- a/ui/page/dashboard/index.html
+++ b/ui/page/dashboard/index.html
@ -73,7 +73,7 @@
  // Mock data fetch
  fetchStats = async () => {
    // In real app, call API
-    // const res = await $axios.get('/api/stats/dashboard');
+    // const res = await $fetch('/api/stats/dashboard');
    // stats = res;
  };
--- a/ui/page/sys/oauth/index.html
+++ b/ui/page/sys/oauth/index.html
@ -173,12 +173,7 @@
  loadApps = async () => {
    try {
-      const res = await fetch('/api/oauth/clients');
+      const data = await $fetch('/api/oauth/clients');
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      const data = await res.json();
      apps = data.items || [];
    } catch (e) {
      $message.error(e.message);
@ -209,24 +204,16 @@
    try {
      if (isEdit) {
-        const res = await fetch(`/api/oauth/clients/${formData.id}`, { method: 'PATCH', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({
+        await $fetch(`/api/oauth/clients/${formData.id}`, { method: 'PATCH', body: {
          name: formData.name,
          redirect_uri: formData.redirect_uri
-        }) });
+        } });
        if (res.status !== 200) {
          const err = await res.json();
          throw new Error(err.message);
        }
        $message.success('App updated');
      } else {
-        const res = await fetch('/api/oauth/clients', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({
+        await $fetch('/api/oauth/clients', { method: 'POST', body: {
          name: formData.name,
          redirect_uri: formData.redirect_uri
-        }) });
+        } });
        if (res.status !== 200) {
          const err = await res.json();
          throw new Error(err.message);
        }
        $message.success('App created');
      }
      closeModal();
@ -239,11 +226,7 @@
  deleteApp = async (app) => {
    try {
      await $message.confirm(`Delete app "${app.name}"?`);
-      const res = await fetch(`/api/oauth/clients/${app.id}`, { method: 'DELETE' });
+      await $fetch(`/api/oauth/clients/${app.id}`, { method: 'DELETE' });
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      $message.success("Deleted");
      loadApps();
    } catch (e) {
--- a/ui/page/sys/oauth/providers.html
+++ b/ui/page/sys/oauth/providers.html
@ -227,12 +227,7 @@
  openEditModal = async (p) => {
    isEdit = true;
    try {
-      const res = await fetch(`/api/oauth/providers/${p.code}`);
+      const detail = await $fetch(`/api/oauth/providers/${p.code}`);
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      const detail = await res.json();
      formData = {...detail, client_secret: ""};
      showModal = true;
    } catch (e) {
@ -245,17 +240,9 @@
  saveProvider = async () => {
    try {
      if (isEdit) {
-        const res = await fetch(`/api/oauth/providers/${formData.code}`, { method: 'PATCH', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(formData) });
+        await $fetch(`/api/oauth/providers/${formData.code}`, { method: 'PATCH', body: formData });
        if (res.status !== 200) {
          const err = await res.json();
          throw new Error(err.message);
        }
      } else {
-        const res = await fetch('/api/oauth/providers', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(formData) });
+        await $fetch('/api/oauth/providers', { method: 'POST', body: formData });
        if (res.status !== 200) {
          const err = await res.json();
          throw new Error(err.message);
        }
      }
      $message.success("Saved");
      closeModal();
@ -268,11 +255,7 @@
  deleteProvider = async (p) => {
    if (!confirm(`Delete ${p.name}?`)) return;
    try {
-      const res = await fetch(`/api/oauth/providers/${p.code}`, { method: 'DELETE' });
+      await $fetch(`/api/oauth/providers/${p.code}`, { method: 'DELETE' });
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      $message.success("Deleted");
      loadProviders();
    } catch (e) {
--- a/ui/page/sys/role/index.html
+++ b/ui/page/sys/role/index.html
@ -523,12 +523,7 @@
  loadRoles = async () => {
    try {
-      const res = await fetch('/api/roles');
+      const data = await $fetch('/api/roles');
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      const data = await res.json();
      roles = data.items || [];
    } catch (e) {
      $message.error(e.message);
@ -572,18 +567,10 @@
          name: formData.name,
          description: formData.description
        };
-        const res = await fetch(`/api/roles/${formData.id}`, {method: 'PATCH', headers: {'Content-Type': 'application/json'}, body: JSON.stringify(payload)});
+        await $fetch(`/api/roles/${formData.id}`, {method: 'PATCH', body: payload});
        if (res.status !== 200) {
          const err = await res.json();
          throw new Error(err.message);
        }
        $message.success($t('org.updated'));
      } else {
-        const res = await fetch('/api/roles', {method: 'POST', headers: {'Content-Type': 'application/json'}, body: JSON.stringify(formData)});
+        await $fetch('/api/roles', {method: 'POST', body: formData});
        if (res.status !== 200) {
          const err = await res.json();
          throw new Error(err.message);
        }
        $message.success($t('org.created'));
      }
      closeModal();
@ -596,11 +583,7 @@
  deleteRole = async (r) => {
    try {
      await $message.confirm($t('role.delete_confirm'));
-      const res = await fetch(`/api/roles/${r.id}`, {method: 'DELETE'});
+      await $fetch(`/api/roles/${r.id}`, {method: 'DELETE'});
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      $message.success($t('org.deleted'));
      loadRoles();
    } catch (e) {
@ -632,12 +615,7 @@
  loadRolePermissions = async () => {
    if (!currentRole) return;
    try {
-      const res = await fetch(`/api/roles/${currentRole.id}/permissions`);
+      rolePermissions = await $fetch(`/api/roles/${currentRole.id}/permissions`) || [];
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      rolePermissions = await res.json() || [];
    } catch (e) {
      $message.error(e.message);
    }
@ -650,20 +628,16 @@
    }
    permAdding = true;
    try {
-      const res = await fetch(`/api/roles/${currentRole.id}/permissions`, {
+      await $fetch(`/api/roles/${currentRole.id}/permissions`, {
-        method: 'PUT', headers: {'Content-Type': 'application/json'},
+        method: 'PUT',
-        body: JSON.stringify({
+        body: {
          permissions: [{
            scope: newPerm.scope,
            permission_id: newPerm.permission_id,
            level: parseInt(newPerm.level)
          }]
        })
      });
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
        }
      });
      $message.success($t('role.permissions_updated'));
      showPermForm = false;
      newPerm = {scope: 'vb', permission_id: '', level: 7};
@ -679,16 +653,10 @@
    if (!currentRole) return;
    try {
      await $message.confirm($t('role.remove_permission_confirm'));
-      const res = await fetch(`/api/roles/${currentRole.id}/permissions`, {
+      await $fetch(`/api/roles/${currentRole.id}/permissions`, {
-        method: 'PUT', headers: {'Content-Type': 'application/json'},
+        method: 'PUT',
-        body: JSON.stringify({
+        body: { remove: [p.id] }
          remove: [p.id]
        })
      });
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      $message.success($t('role.permission_removed'));
      loadRolePermissions();
    } catch (e) {
@ -705,12 +673,7 @@
  loadRoleUsers = async () => {
    if (!currentRole) return;
    try {
-      const res = await fetch(`/api/roles/${currentRole.id}/users?page=1&page_size=100`);
+      const data = await $fetch(`/api/roles/${currentRole.id}/users`, { params: { page: 1, page_size: 100 } });
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      const data = await res.json();
      roleUsers = data.items || [];
    } catch (e) {
      $message.error(e.message);
@ -741,10 +704,7 @@
  searchAvailableUsers = async () => {
    try {
-      const params = new URLSearchParams({keyword: availableUserSearchQuery, limit: 50});
+      const json_ = await $fetch('/api/auth/users', { params: { keyword: availableUserSearchQuery, limit: 50 } });
      const res = await fetch('/api/auth/users?' + params);
      const json_ = await res.json();
      if (res.status !== 200) throw new Error(json_.message);
      availableUsers = json_?.items || [];
    } catch (e) {
      $message.error(e.message);
@ -769,15 +729,10 @@
  saveRoleUsers = async () => {
    if (!currentRole) return;
    try {
-      const res = await fetch(`/api/roles/${currentRole.id}/users`, {
+      await $fetch(`/api/roles/${currentRole.id}/users`, {
        method: 'PUT',
-        headers: {'Content-Type': 'application/json'},
+        body: {user_ids: selectedUserIds}
        body: JSON.stringify({user_ids: selectedUserIds})
      });
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      $message.success($t('role.users_updated'));
      closeUserSelector();
      loadRoleUsers();
@ -791,15 +746,10 @@
    try {
      await $message.confirm($t('role.remove_user_confirm'));
      const newIds = roleUsers.filter(ru => ru.id !== u.id).map(ru => ru.id);
-      const res = await fetch(`/api/roles/${currentRole.id}/users`, {
+      await $fetch(`/api/roles/${currentRole.id}/users`, {
        method: 'PUT',
-        headers: {'Content-Type': 'application/json'},
+        body: {user_ids: newIds}
        body: JSON.stringify({user_ids: newIds})
      });
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      $message.success($t('role.user_removed'));
      loadRoleUsers();
    } catch (e) {
--- a/ui/page/sys/settings.html
+++ b/ui/page/sys/settings.html
@ -672,12 +672,7 @@
  loadSettings = async () => {
    loading = true;
    try {
-      const res = await fetch('/api/settings');
+      const data = await $fetch('/api/settings');
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      const data = await res.json();
      if (data?.items) {
        const settingsMap = {};
        data.items.forEach(item => {
@ -724,11 +719,7 @@
        return;
      }
-      const res = await fetch('/api/settings', { method: 'PUT', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ settings: settingsToUpdate }) });
+      await $fetch('/api/settings', { method: 'PUT', body: { settings: settingsToUpdate } });
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      originalSettings = { ...settings };
      $message.success($t('settings.save_success'));
    } catch (error) {
--- a/ui/page/sys/user/index.html
+++ b/ui/page/sys/user/index.html
@ -204,13 +204,8 @@
  loadUsers = async () => {
    try {
-      const res = await fetch('/api/users');
+      const data = await $fetch('/api/users');
-      if (res.status !== 200) {
+      users = data.items || [];
        const err = await res.json();
        throw new Error(err.message);
      }
      const data = await res.json();
      users = data.items || []; // Adjust based on actual API response structure (array or {items: []})
    } catch (e) {
      $message.error(e.message);
    }
@ -250,22 +245,14 @@
      if (isEdit) {
        const payload = { email: formData.email };
        if (formData.password) payload.password = formData.password;
-        const res = await fetch(`/api/users/${formData.id}`, { method: 'PATCH', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(payload) });
+        await $fetch(`/api/users/${formData.id}`, { method: 'PATCH', body: payload });
        if (res.status !== 200) {
          const err = await res.json();
          throw new Error(err.message);
        }
        $message.success("User updated");
      } else {
        if (!formData.password) {
            $message.error("Password is required for new users");
            return;
        }
-        const res = await fetch('/api/users', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(formData) });
+        await $fetch('/api/users', { method: 'POST', body: formData });
        if (res.status !== 200) {
          const err = await res.json();
          throw new Error(err.message);
        }
        $message.success("User created");
      }
      closeModal();
@ -278,11 +265,7 @@
  deleteUser = async (u) => {
    try {
      await $message.confirm(`Delete user "${u.username}"?`);
-      const res = await fetch(`/api/users/${u.id}`, { method: 'DELETE' });
+      await $fetch(`/api/users/${u.id}`, { method: 'DELETE' });
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      $message.success("Deleted");
      loadUsers();
    } catch (e) {
--- a/ui/page/user/profile.html
+++ b/ui/page/user/profile.html
@ -260,24 +260,14 @@
  loadBindings = async () => {
    try {
      // Get enabled providers
-      const res = await fetch('/api/auth/login-methods');
+      const providersData = await $fetch('/api/auth/login-methods');
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      const providersData = await res.json();
      providers = providersData.methods.filter(p => p.type !== 'password' && p.type !== 'code' && p.type !== 'email_code' && p.type !== 'phone_code').map(p => ({
        code: p.type,
        name: p.name
      }));
      // Get current bindings
-      const resBind = await fetch('/api/auth/me/bindings');
+      bindings = await $fetch('/api/auth/me/bindings');
      if (resBind.status !== 200) {
        const err = await resBind.json();
        throw new Error(err.message);
      }
      bindings = await resBind.json();
    } catch (e) {
      console.error(e);
    }
@ -286,16 +276,12 @@
  updateProfile = async () => {
    loading = true;
    try {
-      const res = await fetch('/api/auth/me', { method: 'PATCH', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({
+      await $fetch('/api/auth/me', { method: 'PATCH', body: {
        nickname: user.nickname,
        email: user.email,
        phone: user.phone,
        avatar: user.avatar
-      }) });
+      } });
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      $message.success($t('common.save_success'));
      await loadUser();
    } catch (e) {
@ -309,14 +295,10 @@
    if (!passwordForm.new_password || !passwordForm.old_password) return;
    pwdLoading = true;
    try {
-      const res = await fetch('/api/auth/me/change-password', { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({
+      await $fetch('/api/auth/me/change-password', { method: 'POST', body: {
        old_password: passwordForm.old_password,
        new_password: passwordForm.new_password
-      }) });
+      } });
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      $message.success($t('auth.password_changed'));
      passwordForm.old_password = '';
      passwordForm.new_password = '';
@ -343,13 +325,7 @@
  bind = async (provider) => {
    try {
-      const params = new URLSearchParams({ provider, redirect: redirect || '', bind_mode: true });
+      const data = await $fetch('/api/auth/authorize/thirdparty', { params: { provider, redirect: redirect || '', bind_mode: true } });
      const res = await fetch('/api/auth/authorize/thirdparty?' + params);
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      const data = await res.json();
      if (data.auth_url) {
        window.location.href = data.auth_url;
      }
@ -361,11 +337,7 @@
  unbind = async (provider) => {
    try {
      await $message.confirm($t('auth.unbind_confirm'));
-      const res = await fetch(`/api/auth/me/bindings/${provider}`, { method: 'DELETE' });
+      await $fetch(`/api/auth/me/bindings/${provider}`, { method: 'DELETE' });
      if (res.status !== 200) {
        const err = await res.json();
        throw new Error(err.message);
      }
      $message.success($t('common.success'));
      loadBindings();
    } catch (e) {
--- a/ui/root.html
+++ b/ui/root.html
@ -5,11 +5,6 @@
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>vbase</title>
  <script type="module" key='vhtml' src="/vhtml/vhtml.min.js"></script>
  <link rel="stylesheet" href="/assets/global.css">
  <link rel="stylesheet" href="/v/global.css">
  <link href="/assets/libs/animate/animate.min.css" rel="stylesheet">
  <link href="/assets/libs/font-awesome/css/all.min.css" rel="stylesheet">
  <script src="/assets/libs/echarts.min.js"></script>
 </head>
 <body>
--- a/ui/routes.js
+++ b/ui/routes.js
@ -51,7 +51,7 @@ export default ({ $mod }) => ({
      if (to.meta.perm) {
        if (!vbase.PermAdmin(to.meta.perm)) {
          console.warn('Access denied: requires permission', to.meta.perm);
-          $mod.$router.push('/403');
+          next('/403');
          return false;
        }
      }
--- a/ui/vbase.js
+++ b/ui/vbase.js
@ -50,6 +50,16 @@ class VBase {
    if (!this._initDone) {
      this._initDone = true;
      await this._ensureAuth();
    } else {
      const now = Date.now();
      const lastRefresh = parseInt(localStorage.getItem('vbase_last_refresh'), 10) || 0;
      if (now - lastRefresh > REFRESH_INTERVAL) {
        const ok = await this.refresh();
        if (!ok) {
          this.clear();
          return false;
        }
      }
    }
    return !!this._user;
  }
@ -260,23 +270,25 @@ class VBase {
  // ========== 权限检查 ==========
-  Perm(code, level = Level.Read) {
+  Perm(code, level = Level.Read, scope) {
    if (!this.user) return false;
    if (!code) return true;
    const perms = this.user.permissions || [];
-    return this._checkPermissionLevel(perms, code, level);
+    return this._checkPermissionLevel(perms, code, level, scope);
  }
-  PermCreate(code) { return this.Perm(code, Level.Create); }
+  PermCreate(code, scope) { return this.Perm(code, Level.Create, scope); }
-  PermRead(code) { return this.Perm(code, Level.Read); }
+  PermRead(code, scope) { return this.Perm(code, Level.Read, scope); }
-  PermWrite(code) { return this.Perm(code, Level.Write); }
+  PermWrite(code, scope) { return this.Perm(code, Level.Write, scope); }
-  PermAdmin(code) { return this.Perm(code, Level.Admin); }
+  PermAdmin(code, scope) { return this.Perm(code, Level.Admin, scope); }
  // ========== 内部方法 ==========
-  _checkPermissionLevel(perms, targetPermID, requiredLevel) {
+  _checkPermissionLevel(perms, targetPermID, requiredLevel, scope) {
    for (const p of perms) {
      if (scope && p.scope !== scope) continue;
      const permID = p.permission_id || p;
      const permLevel = p.level !== undefined ? p.level : Level.Read;