feat(auth): 添加TOTP双因素认证功能

- 实现MFA登录挑战和验证流程
- 添加TOTP启用、禁用和恢复码管理接口
- 集成前端MFA登录表单和验证界面
- 支持应急重置令牌配置
- 添加数据库迁移脚本和模型定义

Author: ZeroDeng01

README.md

@@ -146,6 +146,7 @@ docker-compose up -d
 | [🌐 Host 管理](docs/features/host.md) | 域名映射、DNS 配置、测速持久化 |
 | [🤖 Telegram 机器人](docs/features/telegram-bot.md) | 命令列表、配置指南 |
 | [📜 脚本功能](docs/script_support.md) | 节点过滤、内容后处理、函数参考 |
+| [🔐 双重验证（MFA）](docs/features/mfa.md) | TOTP 设置、恢复码、应急重置流程 |
 
 ### 👨‍💻 开发者
 

api/auth.go

@@ -131,47 +131,22 @@ func UserLogin(c *gin.Context) {
 	}
 	// 登录成功，清除失败记录
 	limiter.ClearFailures(ip)
-	// 生成token
-	token, err := GetToken(user)
-	if err != nil {
-		utils.Error("获取token失败: %v", err)
-		utils.FailWithMsg(c, "获取token失败")
-		return
-	}
-
-	// 异步发送登录通知
-	go func(username, ip string) {
-		location, err := geoip.GetLocation(ip)
+	if user.TOTPEnabled {
+		challengeToken, err := issuePendingMFAChallenge(user)
 		if err != nil {
-			location = "未知位置"
-		}
-		if location == "" {
-			location = "未知位置"
-		}
-		timeStr := time.Now().Format("2006-01-02 15:04:05")
-
-		payload := notifications.Payload{
-			Title:   "用户登录通知",
-			Message: fmt.Sprintf("用户 %s 已登录\nIP: %s (%s)\n时间: %s", username, ip, location, timeStr),
-			Data: map[string]interface{}{
-				"username": username,
-				"ip":       ip,
-				"location": location,
-				"time":     timeStr,
-			},
-			Time: timeStr,
+			utils.Error("生成 MFA 挑战失败: %v", err)
+			utils.FailWithMsg(c, "生成登录验证失败")
+			return
 		}
+		utils.OkDetailed(c, "需要进行二次验证", gin.H{
+			"requiresMFA":    true,
+			"challengeToken": challengeToken,
+			"methods":        []string{"totp", "recovery_code"},
+		})
+		return
+	}
 
-		notifications.Publish("security.user_login", payload)
-	}(username, ip)
-
-	// 登录成功返回token
-	utils.OkDetailed(c, "登录成功", gin.H{
-		"accessToken":  token,
-		"tokenType":    "Bearer",
-		"refreshToken": nil,
-		"expires":      nil,
-	})
+	respondLoginSuccess(c, user, ip)
 }
 
 // UserOut 用户退出登录
@@ -181,3 +156,28 @@ func UserOut(c *gin.Context) {
 		utils.OkWithMsg(c, "退出成功")
 	}
 }
+
+func notifyUserLogin(username, ip string) {
+	location, err := geoip.GetLocation(ip)
+	if err != nil {
+		location = "未知位置"
+	}
+	if location == "" {
+		location = "未知位置"
+	}
+	timeStr := time.Now().Format("2006-01-02 15:04:05")
+
+	payload := notifications.Payload{
+		Title:   "用户登录通知",
+		Message: fmt.Sprintf("用户 %s 已登录\nIP: %s (%s)\n时间: %s", username, ip, location, timeStr),
+		Data: map[string]interface{}{
+			"username": username,
+			"ip":       ip,
+			"location": location,
+			"time":     timeStr,
+		},
+		Time: timeStr,
+	}
+
+	notifications.Publish("security.user_login", payload)
+}