chore: sync various improvements and fixes

- Update gitignore and serena config - Improve connection and voting stores - Enhance admin routes and socket handling - Update client-screen views - Add auth middleware Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-03 23:31:38 +08:00
parent 39caecdd95
commit 83bf1d3a43
25 changed files with 284 additions and 122 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -41,3 +41,5 @@ packages/server/prisma/*.db-journal
 # Data files
 参与抽奖人员名单.xlsx
 测试清单.md
 .codeartsdoer
--- a/.serena/project.yml
+++ b/.serena/project.yml
@@ -84,6 +84,27 @@ excluded_tools: []
 # initial prompt for the project. It will always be given to the LLM upon activating the project
 # (contrary to the memories, which are loaded on demand).
 initial_prompt: ""
-
+# the name by which the project can be referenced within Serena
 project_name: "company-celebration2"
 # list of tools to include that would otherwise be disabled (particularly optional tools that are disabled by default)
 included_optional_tools: []
 # list of mode names to that are always to be included in the set of active modes
 # The full set of modes to be activated is base_modes + default_modes.
 # If the setting is undefined, the base_modes from the global configuration (serena_config.yml) apply.
 # Otherwise, this setting overrides the global configuration.
 # Set this to [] to disable base modes for this project.
 # Set this to a list of mode names to always include the respective modes for this project.
 base_modes:
 # list of mode names that are to be activated by default.
 # The full set of modes to be activated is base_modes + default_modes.
 # If the setting is undefined, the default_modes from the global configuration (serena_config.yml) apply.
 # Otherwise, this overrides the setting from the global configuration (serena_config.yml).
 # This setting can, in turn, be overridden by CLI parameters (--mode).
 default_modes:
 # fixed set of tools to use as the base tool set (if non-empty), replacing Serena's default set of tools.
 # This cannot be combined with non-empty excluded_tools or included_optional_tools.
 fixed_tools: []
--- a/packages/client-mobile/src/components.d.ts
+++ b/packages/client-mobile/src/components.d.ts
@@ -12,7 +12,6 @@ declare module 'vue' {
    ProgramCard: typeof import('./components/ProgramCard.vue')['default']
    RouterLink: typeof import('vue-router')['RouterLink']
    RouterView: typeof import('vue-router')['RouterView']
    StampDock: typeof import('./components/StampDock.vue')['default']
    VanButton: typeof import('vant/es')['Button']
    VanCell: typeof import('vant/es')['Cell']
    VanCellGroup: typeof import('vant/es')['CellGroup']
--- a/packages/client-mobile/src/stores/connection.ts
+++ b/packages/client-mobile/src/stores/connection.ts
@@ -18,7 +18,7 @@ type GalaSocket = Socket<ServerToClientEvents, ClientToServerEvents>;
 const STORAGE_KEYS = {
  USER_ID: 'gala_user_id',
  USER_NAME: 'gala_user_name',
-  DEPARTMENT: 'gala_department',
+  SESSION_TOKEN: 'gala_session_token',
 };
 // Helper functions for localStorage
@@ -50,7 +50,7 @@ export const useConnectionStore = defineStore('connection', () => {
  const reconnectAttempts = ref(0);
  const userId = ref<string | null>(loadFromStorage(STORAGE_KEYS.USER_ID, null));
  const userName = ref<string | null>(loadFromStorage(STORAGE_KEYS.USER_NAME, null));
-  const department = ref<string | null>(loadFromStorage(STORAGE_KEYS.DEPARTMENT, null));
+  const sessionToken = ref<string | null>(loadFromStorage(STORAGE_KEYS.SESSION_TOKEN, null));
  const votedCategories = ref<VoteCategory[]>([]);
  // Computed
@@ -85,6 +85,7 @@ export const useConnectionStore = defineStore('connection', () => {
      reconnectionDelayMax: CONFIG.RECONNECTION_DELAY_MAX_MS,
      timeout: CONFIG.HEARTBEAT_TIMEOUT_MS,
      transports: ['websocket', 'polling'],
      auth: sessionToken.value ? { token: sessionToken.value } : undefined,
    });
    // Connection events
@@ -193,8 +194,8 @@ export const useConnectionStore = defineStore('connection', () => {
      {
        userId: userId.value,
        userName: userName.value || 'Guest',
        department: department.value || '未知部门',
        role: 'user',
        sessionToken: sessionToken.value || undefined,
      },
      (response: any) => {
        if (response.success) {
@@ -264,15 +265,17 @@ export const useConnectionStore = defineStore('connection', () => {
  /**
   * Set user info (and persist to localStorage)
   */
-  function setUser(id: string, name: string, dept: string) {
+  function setUser(id: string, name: string, token?: string) {
    userId.value = id;
    userName.value = name;
-    department.value = dept;
+    if (token) {
      sessionToken.value = token;
      saveToStorage(STORAGE_KEYS.SESSION_TOKEN, token);
    }
    // Persist to localStorage
    saveToStorage(STORAGE_KEYS.USER_ID, id);
    saveToStorage(STORAGE_KEYS.USER_NAME, name);
    saveToStorage(STORAGE_KEYS.DEPARTMENT, dept);
    // Rejoin if already connected
    if (socket.value?.connected) {
@@ -287,13 +290,13 @@ export const useConnectionStore = defineStore('connection', () => {
    // Clear state
    userId.value = null;
    userName.value = null;
    department.value = null;
    votedCategories.value = [];
    sessionToken.value = null;
    // Clear localStorage
    localStorage.removeItem(STORAGE_KEYS.USER_ID);
    localStorage.removeItem(STORAGE_KEYS.USER_NAME);
-    localStorage.removeItem(STORAGE_KEYS.DEPARTMENT);
+    localStorage.removeItem(STORAGE_KEYS.SESSION_TOKEN);
    // Disconnect socket
    disconnect();
@@ -333,7 +336,7 @@ export const useConnectionStore = defineStore('connection', () => {
    reconnectAttempts,
    userId,
    userName,
-    department,
+    sessionToken,
    votedCategories,
    // Computed
--- a/packages/client-mobile/src/stores/voting.ts
+++ b/packages/client-mobile/src/stores/voting.ts
@@ -152,6 +152,10 @@ export const useVotingStore = defineStore('voting', () => {
      showToast({ message: '请先选择一个奖项', position: 'bottom' });
      return false;
    }
    if (!connectionStore.sessionToken) {
      showToast({ message: '请先扫码登录', position: 'bottom' });
      return false;
    }
    // 检查是否已为该节目投过票（任何奖项）
    const existingAward = getProgramAward(programId);
--- a/packages/client-mobile/src/views/ScanLoginView.vue
+++ b/packages/client-mobile/src/views/ScanLoginView.vue
@@ -14,7 +14,6 @@ const isValidating = ref<boolean>(true);
 const isValid = ref<boolean>(false);
 const isSubmitting = ref<boolean>(false);
 const userName = ref<string>('');
 const department = ref<string>('技术部');
 const errorMessage = ref<string>('');
 // API base URL - use LAN IP for mobile access
@@ -22,7 +21,7 @@ const apiUrl = import.meta.env.VITE_API_URL || 'http://192.168.1.5:3000';
 // Computed
 const canSubmit = computed(() => {
-  return userName.value.trim().length > 0 && department.value.trim().length > 0;
+  return userName.value.trim().length > 0;
 });
 // Validate token on mount
@@ -92,7 +91,6 @@ async function handleSubmit() {
      body: JSON.stringify({
        scanToken: token.value,
        userName: userName.value.trim(),
        department: department.value.trim(),
      }),
    });
@@ -101,8 +99,9 @@ async function handleSubmit() {
    if (result.success) {
      // Set user info in connection store
-      const userId = result.data?.sessionToken || `user_${Date.now()}`;
+      const userId = result.data?.userId || `user_${Date.now()}`;
-      connectionStore.setUser(userId, userName.value.trim(), department.value.trim());
+      const sessionToken = result.data?.sessionToken;
      connectionStore.setUser(userId, userName.value.trim(), sessionToken);
      showToast({ message: '登录成功！', type: 'success' });
@@ -156,13 +155,6 @@ async function handleSubmit() {
            :rules="[{ required: true, message: '请输入姓名' }]"
            maxlength="20"
          />
          <van-field
            v-model="department"
            label="部门"
            placeholder="请输入您的部门"
            :rules="[{ required: true, message: '请输入部门' }]"
            maxlength="20"
          />
        </van-cell-group>
        <div class="button-wrapper">
--- a/packages/client-screen/src/router/index.ts
+++ b/packages/client-screen/src/router/index.ts
@@ -2,24 +2,18 @@ import { createRouter, createWebHistory, type RouteLocationNormalized } from 'vu
 // Admin auth constants
 const ADMIN_TOKEN_KEY = 'gala_admin_token';
 const ADMIN_ACCESS_CODE = '20268888';
 // Auth guard for admin routes
 function requireAdminAuth(to: RouteLocationNormalized) {
  const token = localStorage.getItem(ADMIN_TOKEN_KEY);
-  if (!token || token !== generateToken(ADMIN_ACCESS_CODE)) {
+  if (!token) {
    return { path: '/admin/login', query: { redirect: to.fullPath } };
  }
  return true;
 }
 // Simple token generator (not cryptographically secure, but sufficient for internal event)
 function generateToken(code: string): string {
  return btoa(`gala2026:${code}:${code.split('').reverse().join('')}`);
 }
 // Export for use in login component
-export { ADMIN_TOKEN_KEY, ADMIN_ACCESS_CODE, generateToken };
+export { ADMIN_TOKEN_KEY };
 const router = createRouter({
  history: createWebHistory('/screen/'),
--- a/packages/client-screen/src/stores/admin.ts
+++ b/packages/client-screen/src/stores/admin.ts
@@ -14,6 +14,7 @@ import type {
 } from '@gala/shared/types';
 import { PRIZE_CONFIG } from '@gala/shared/types';
 import { SOCKET_EVENTS } from '@gala/shared/constants';
 import { ADMIN_TOKEN_KEY } from '../router';
 type GalaSocket = Socket<ServerToClientEvents, ClientToServerEvents>;
@@ -162,6 +163,8 @@ export const useAdminStore = defineStore('admin', () => {
    isConnecting.value = true;
    restoreState();
    const adminToken = localStorage.getItem(ADMIN_TOKEN_KEY) || '';
    const socketInstance = io(import.meta.env.VITE_SOCKET_URL || '', {
      reconnection: true,
      reconnectionAttempts: Infinity,
@@ -169,6 +172,7 @@ export const useAdminStore = defineStore('admin', () => {
      reconnectionDelayMax: 5000,
      timeout: 10000,
      transports: ['websocket', 'polling'],
      auth: adminToken ? { token: adminToken } : undefined,
    });
    socketInstance.on('connect', () => {
@@ -181,6 +185,7 @@ export const useAdminStore = defineStore('admin', () => {
        userId: 'admin_main',
        userName: 'Admin Console',
        role: 'admin',
        sessionToken: adminToken || undefined,
      }, () => { });
      // Request state sync
--- a/packages/client-screen/src/views/AdminControl.vue
+++ b/packages/client-screen/src/views/AdminControl.vue
@@ -4,6 +4,7 @@ import { useRouter } from 'vue-router';
 import { useAdminStore } from '../stores/admin';
 import { PRIZE_CONFIG } from '@gala/shared/types';
 import type { PrizeConfig, LotteryRound } from '@gala/shared/types';
 import { ADMIN_TOKEN_KEY } from '../router';
 // 简单的防抖函数
 function debounce<T extends (...args: any[]) => void>(fn: T, delay: number = 300): (...args: Parameters<T>) => void {
@@ -35,6 +36,15 @@ function debounceLeading<T extends (...args: any[]) => void>(fn: T, delay: numbe
 const router = useRouter();
 const admin = useAdminStore();
 const adminToken = () => localStorage.getItem(ADMIN_TOKEN_KEY) || '';
 function getAdminHeaders(extra?: Record<string, string>) {
  return {
    'Content-Type': 'application/json',
    'x-session-token': adminToken(),
    ...extra,
  };
 }
 // Local UI state
 const confirmResetCode = ref('');
@@ -89,7 +99,9 @@ async function readJsonSafe(res: Response): Promise<any> {
 async function loadPrizeConfig() {
  prizeConfigLoading.value = true;
  try {
-    const res = await fetch('/api/admin/prizes');
+    const res = await fetch('/api/admin/prizes', {
      headers: getAdminHeaders(),
    });
    const data = await readJsonSafe(res);
    if (!res.ok) {
      throw new Error(data?.error || data?.message || `加载奖项配置失败(${res.status})`);
@@ -112,7 +124,7 @@ async function savePrizeConfig() {
  try {
    const res = await fetch('/api/admin/prizes', {
      method: 'PUT',
-      headers: { 'Content-Type': 'application/json' },
+      headers: getAdminHeaders(),
      body: JSON.stringify({ prizes: editingPrizes.value }),
    });
    const data = await readJsonSafe(res);
@@ -172,6 +184,7 @@ async function importParticipants() {
    const response = await fetch('/api/admin/participants/import', {
      method: 'POST',
      headers: { 'x-session-token': adminToken() },
      body: formData,
    });
@@ -219,7 +232,9 @@ const tagLabels: Record<string, string> = {
 // Load existing participants from server
 async function loadParticipants() {
  try {
-    const response = await fetch('/api/admin/participants');
+    const response = await fetch('/api/admin/participants', {
      headers: getAdminHeaders(),
    });
    const data = await readJsonSafe(response);
    if (!response.ok) {
      throw new Error(data?.error || data?.message || `加载参与者失败(${response.status})`);
@@ -331,7 +346,7 @@ async function redrawCurrentRound() {
  try {
    const res = await fetch('/api/admin/lottery/redraw', {
      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
+      headers: getAdminHeaders(),
    });
    const data = await res.json();
    if (data.success) {
@@ -386,7 +401,7 @@ async function confirmAdvancedCleanup() {
  try {
    const res = await fetch('/api/admin/cleanup', {
      method: 'POST',
-      headers: { 'Content-Type': 'application/json' },
+      headers: getAdminHeaders(),
      body: JSON.stringify({
        lottery: cleanupOptions.value.lottery,
        voting: cleanupOptions.value.voting,
--- a/packages/client-screen/src/views/AdminLogin.vue
+++ b/packages/client-screen/src/views/AdminLogin.vue
@@ -1,7 +1,7 @@
 <script setup lang="ts">
 import { ref } from 'vue';
 import { useRouter, useRoute } from 'vue-router';
-import { ADMIN_TOKEN_KEY, ADMIN_ACCESS_CODE, generateToken } from '../router';
+import { ADMIN_TOKEN_KEY } from '../router';
 const router = useRouter();
 const route = useRoute();
@@ -20,22 +20,29 @@ async function handleLogin() {
  isLoading.value = true;
-  // Simulate network delay for UX
+  try {
-  await new Promise(resolve => setTimeout(resolve, 500));
+    const response = await fetch('/api/admin/login', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ accessCode: accessCode.value.trim() }),
    });
    const result = await response.json();
-  if (accessCode.value === ADMIN_ACCESS_CODE) {
+    if (!response.ok || !result.success) {
-    // Save token to localStorage
+      error.value = result.error || '访问码错误';
    localStorage.setItem(ADMIN_TOKEN_KEY, generateToken(ADMIN_ACCESS_CODE));
    // Redirect to console or original destination
    const redirect = route.query.redirect as string || '/admin/director-console';
    router.push(redirect);
  } else {
    error.value = '访问码错误';
      accessCode.value = '';
      return;
    }
    localStorage.setItem(ADMIN_TOKEN_KEY, result.data.sessionToken);
    const redirect = route.query.redirect as string || '/admin/director-console';
    router.push(redirect);
  } catch (e) {
    error.value = '网络错误，请重试';
  } finally {
    isLoading.value = false;
  }
 }
 function handleKeydown(e: KeyboardEvent) {
--- a/packages/client-screen/src/views/LotteryResultsView.vue
+++ b/packages/client-screen/src/views/LotteryResultsView.vue
@@ -22,7 +22,9 @@ function goBack() {
 // Fetch lottery results from API
 async function fetchLotteryResults() {
  try {
-    const res = await fetch('/api/admin/lottery/results');
+    const res = await fetch('/api/admin/lottery/results', {
      headers: { 'x-session-token': localStorage.getItem('gala_admin_token') || '' },
    });
    const data = await res.json();
    if (data.success && data.data?.draws) {
      lotteryResults.value = data.data.draws;
--- a/packages/client-screen/src/views/LuckyDrawView.vue
+++ b/packages/client-screen/src/views/LuckyDrawView.vue
@@ -30,7 +30,7 @@ const prizes = ref<Array<{ level: string; name: string; winnerCount: number; poo
 // 从 API 获取奖项配置
 async function fetchPrizes() {
  try {
-    const response = await fetch('/api/admin/prizes');
+    const response = await fetch('/api/public/prizes');
    const data = await response.json();
    if (data.success && data.data?.prizes) {
      prizes.value = data.data.prizes;
@@ -53,7 +53,7 @@ let realParticipants: Participant[] = [];
 async function fetchParticipants() {
  try {
    isLoading.value = true;
-    const response = await fetch('/api/admin/participants');
+    const response = await fetch('/api/public/participants');
    const data = await response.json();
    if (data.success && data.data?.participants) {
--- a/packages/server/load-test/vote-load-test.yaml
+++ b/packages/server/load-test/vote-load-test.yaml
@@ -146,7 +146,6 @@ scenarios:
            userId: "{{ userId }}"
            userName: "压测用户-{{ userId }}"
            role: "user"
            department: "测试部门"
      - think: 0.5
      - loop:
          - function: "selectRandomProgram"
@@ -176,7 +175,6 @@ scenarios:
            userId: "{{ userId }}"
            userName: "速投用户-{{ userId }}"
            role: "user"
            department: "压力测试"
      - loop:
          - function: "selectRandomProgram"
          - function: "selectRandomTicketType"
@@ -204,5 +202,4 @@ scenarios:
            userId: "{{ userId }}"
            userName: "观望用户-{{ userId }}"
            role: "user"
            department: "观望组"
      - think: 8  # 长时间停留
--- a/packages/server/load-test/vote-real-scenario.yaml
+++ b/packages/server/load-test/vote-real-scenario.yaml
@@ -81,7 +81,6 @@ scenarios:
            userId: "{{ userId }}"
            userName: "快投-{{ userId }}"
            role: "user"
            department: "快速组"
      # 快速投7票（每票间隔 0.2-0.4 秒）
      - loop:
          - function: "selectSequentialTicket"
@@ -108,7 +107,6 @@ scenarios:
            userId: "{{ userId }}"
            userName: "正常-{{ userId }}"
            role: "user"
            department: "正常组"
      # 正常速度投7票（每票间隔 1-2 秒，看节目、思考）
      - loop:
          - function: "selectSequentialTicket"
@@ -136,7 +134,6 @@ scenarios:
            userId: "{{ userId }}"
            userName: "慢投-{{ userId }}"
            role: "user"
            department: "慢速组"
      # 先观望 5-10 秒
      - function: "randomLongDelay"
      - think: "{{ longDelay }}"
--- a/packages/server/src/index.ts
+++ b/packages/server/src/index.ts
@@ -12,6 +12,13 @@ import { participantService } from './services/participant.service';
 async function main(): Promise<void> {
  try {
    if (!config.adminAccessCode) {
      logger.warn('ADMIN_ACCESS_CODE 未配置，管理员登录将被拒绝');
    }
    if (!config.isDev && config.jwtSecret === 'dev-secret-change-in-production') {
      logger.error('生产环境禁止使用默认 JWT_SECRET，请配置环境变量');
      process.exit(1);
    }
    // Connect to Database
    logger.info('Connecting to Database...');
    await connectDatabase();
@@ -79,4 +86,3 @@ async function main(): Promise<void> {
 }
 main();
--- a/packages/server/src/middleware/auth.ts
+++ b/packages/server/src/middleware/auth.ts
@@ -0,0 +1,64 @@
 import type { Request, Response, NextFunction } from 'express';
 import { extractBearerToken, verifySessionToken } from '../utils/auth';
 export interface AuthenticatedRequest extends Request {
  user?: {
    userId: string;
    userName?: string;
    role: 'user' | 'admin' | 'screen';
    token: string;
  };
 }
 function getTokenFromRequest(req: Request): string | null {
  const bearer = extractBearerToken(req.headers.authorization);
  if (bearer) return bearer;
  const headerToken = req.headers['x-session-token'];
  if (typeof headerToken === 'string' && headerToken.trim()) {
    return headerToken.trim();
  }
  return null;
 }
 export async function requireAuth(
  req: AuthenticatedRequest,
  res: Response,
  next: NextFunction
 ): Promise<void> {
  const token = getTokenFromRequest(req);
  if (!token) {
    res.status(401).json({ success: false, error: 'UNAUTHORIZED', message: 'Missing session token' });
    return;
  }
  const user = await verifySessionToken(token);
  if (!user) {
    res.status(401).json({ success: false, error: 'UNAUTHORIZED', message: 'Invalid session token' });
    return;
  }
  req.user = user;
  next();
 }
 export async function requireAdmin(
  req: AuthenticatedRequest,
  res: Response,
  next: NextFunction
 ): Promise<void> {
  const token = getTokenFromRequest(req);
  if (!token) {
    res.status(401).json({ success: false, error: 'UNAUTHORIZED', message: 'Missing session token' });
    return;
  }
  const user = await verifySessionToken(token);
  if (!user || user.role !== 'admin') {
    res.status(403).json({ success: false, error: 'FORBIDDEN', message: 'Admin access required' });
    return;
  }
  req.user = user;
  next();
 }
--- a/packages/server/src/routes/admin.routes.ts
+++ b/packages/server/src/routes/admin.routes.ts
@@ -4,10 +4,50 @@ import { participantService } from '../services/participant.service';
 import { prizeConfigService } from '../services/prize-config.service';
 import { programConfigService } from '../services/program-config.service';
 import { adminService } from '../services/admin.service';
 import { requireAdmin } from '../middleware/auth';
 import { createSessionToken } from '../utils/auth';
 import { config } from '../config';
 const router: IRouter = Router();
 const upload = multer({ storage: multer.memoryStorage() });
 /**
 * POST /api/admin/login
 * Admin login to obtain session token
 */
 router.post('/login', async (req, res, next) => {
  try {
    const { accessCode } = req.body as { accessCode?: string };
    if (!accessCode) {
      return res.status(400).json({ success: false, error: '访问码不能为空' });
    }
    if (!config.adminAccessCode) {
      return res.status(500).json({ success: false, error: '服务端未配置访问码' });
    }
    if (accessCode !== config.adminAccessCode) {
      return res.status(401).json({ success: false, error: '访问码错误' });
    }
    const sessionToken = await createSessionToken(
      { userId: 'admin_main', userName: 'Admin Console', role: 'admin' },
      config.adminTokenTtlSeconds
    );
    return res.json({
      success: true,
      data: {
        sessionToken,
        expiresIn: config.adminTokenTtlSeconds,
      },
    });
  } catch (error) {
    next(error);
  }
 });
 // Admin auth guard (applies to all routes below)
 router.use(requireAdmin);
 /**
 * GET /api/admin/stats
 * Get system statistics
@@ -296,4 +336,3 @@ router.post('/cleanup', async (req, res, next) => {
 });
 export default router;
--- a/packages/server/src/routes/scan.routes.ts
+++ b/packages/server/src/routes/scan.routes.ts
@@ -97,19 +97,18 @@ router.post('/scanned', async (req, res, next) => {
 */
 router.post('/confirm', async (req, res, next) => {
  try {
-    const { scanToken, userName, department } = req.body;
+    const { scanToken, userName } = req.body;
-    if (!scanToken || !userName || !department) {
+    if (!scanToken || !userName) {
      return res.status(400).json({
        success: false,
-        error: 'scanToken, userName, and department are required',
+        error: 'scanToken and userName are required',
      });
    }
    const result = await scanLoginService.confirmLogin(
      scanToken,
-      userName,
+      userName
      department
    );
    if (result.success && result.data) {
@@ -121,7 +120,6 @@ router.post('/confirm', async (req, res, next) => {
        userInfo: {
          userId: result.data.userId,
          userName,
          department,
          sessionToken: result.data.sessionToken,
        },
      };
--- a/packages/server/src/routes/vote.routes.ts
+++ b/packages/server/src/routes/vote.routes.ts
@@ -3,6 +3,7 @@ import { voteService } from '../services/vote.service';
 import { voteSubmitSchema } from '@gala/shared/utils';
 import { VOTE_CATEGORIES } from '@gala/shared/types';
 import type { VoteCategory } from '@gala/shared/types';
 import { requireAuth } from '../middleware/auth';
 const router: IRouter = Router();
@@ -10,10 +11,9 @@ const router: IRouter = Router();
 * POST /api/vote/submit
 * Submit a vote (HTTP fallback for WebSocket)
 */
-router.post('/submit', async (req, res, next) => {
+router.post('/submit', requireAuth, async (req, res, next) => {
  try {
-    // TODO: Get userId from auth middleware
+    const userId = (req as any).user?.userId as string;
    const userId = req.headers['x-user-id'] as string;
    if (!userId) {
      return res.status(401).json({
        success: false,
@@ -121,9 +121,9 @@ router.get('/results', async (_req, res, next) => {
 * GET /api/vote/status
 * Get user's vote status
 */
-router.get('/status', async (req, res, next) => {
+router.get('/status', requireAuth, async (req, res, next) => {
  try {
-    const userId = req.headers['x-user-id'] as string;
+    const userId = (req as any).user?.userId as string;
    if (!userId) {
      return res.status(401).json({
        success: false,
--- a/packages/server/src/services/admin.service.ts
+++ b/packages/server/src/services/admin.service.ts
@@ -326,7 +326,6 @@ class AdminService extends EventEmitter {
  async addVoteStamp(
    programId: string,
    userName: string,
    department: string,
    ticketType: string,
    options?: { revokedProgramId?: string }
  ): Promise<{ success: boolean; stamp?: VoteStamp; programVotes?: number; totalVotes?: number; revokedProgramId?: string; revokedProgramVotes?: number }> {
@@ -353,7 +352,6 @@ class AdminService extends EventEmitter {
    const stamp: VoteStamp = {
      id: `stamp_${Date.now()}_${Math.random().toString(36).substr(2, 5)}`,
      userName,
      department,
      ticketType,
      x: 10 + Math.random() * 80,  // Random X position (10-90%)
      y: 10 + Math.random() * 80,  // Random Y position (10-90%)
--- a/packages/server/src/services/scan-login.service.ts
+++ b/packages/server/src/services/scan-login.service.ts
@@ -1,12 +1,11 @@
 import { v4 as uuidv4 } from 'uuid';
 import jwt from 'jsonwebtoken';
 import { redis } from '../config/redis';
 import { config } from '../config';
 import { logger } from '../utils/logger';
 import type { ScanTokenData, ScanLoginStatus } from '@gala/shared/types';
 import { createSessionToken } from '../utils/auth';
 const SCAN_TOKEN_PREFIX = 'scan:';
 const SESSION_TOKEN_PREFIX = 'session:';
 const SCAN_TOKEN_TTL = 5 * 60; // 5 minutes
 const SESSION_TOKEN_TTL = 24 * 60 * 60; // 24 hours
@@ -145,8 +144,7 @@ class ScanLoginService {
   */
  async confirmLogin(
    scanToken: string,
-    userName: string,
+    userName: string
    department: string
  ): Promise<{
    success: boolean;
    data?: {
@@ -176,22 +174,14 @@ class ScanLoginService {
      // Generate user ID and session token
      const userId = `user_${Date.now()}_${uuidv4().slice(0, 8)}`;
-      const sessionToken = jwt.sign(
+      const sessionToken = await createSessionToken(
-        { userId, userName, department },
+        { userId, userName, role: 'user' },
-        config.jwtSecret || 'gala-secret-key',
+        SESSION_TOKEN_TTL
        { expiresIn: '24h' }
      );
      // Store session
      await redis.setex(
        `${SESSION_TOKEN_PREFIX}${sessionToken}`,
        SESSION_TOKEN_TTL,
        JSON.stringify({ userId, userName, department })
      );
      // Update scan token status
      tokenData.status = 'confirmed';
-      tokenData.userInfo = { userId, userName, department };
+      tokenData.userInfo = { userId, userName };
      await redis.setex(
        `${SCAN_TOKEN_PREFIX}${scanToken}`,
--- a/packages/server/src/services/wechat.service.ts
+++ b/packages/server/src/services/wechat.service.ts
@@ -1,5 +1,4 @@
 import { v4 as uuidv4 } from 'uuid';
 import jwt from 'jsonwebtoken';
 import { redis } from '../config/redis';
 import { config } from '../config';
 import { logger } from '../utils/logger';
@@ -8,9 +7,9 @@ import type {
  WechatAccessTokenResponse,
  WechatUserInfo,
 } from '@gala/shared/types';
 import { createSessionToken } from '../utils/auth';
 const WECHAT_STATE_PREFIX = 'wechat:state:';
 const SESSION_TOKEN_PREFIX = 'session:';
 const STATE_TTL = 5 * 60; // 5 minutes
 const SESSION_TOKEN_TTL = 24 * 60 * 60; // 24 hours
@@ -52,7 +51,7 @@ class WechatService {
   */
  async createLoginState(pcSocketId: string): Promise<{
    success: boolean;
-    data?: { authUrl: string; state: string; expiresAt: number };
+    data?: { appId: string; redirectUri: string; state: string; expiresAt: number };
    error?: string;
  }> {
    if (!this.isConfigured()) {
@@ -77,13 +76,16 @@ class WechatService {
        JSON.stringify(stateData)
      );
      const authUrl = this.generateAuthUrl(state);
      logger.info({ state, pcSocketId }, 'WeChat login state created');
      return {
        success: true,
-        data: { authUrl, state, expiresAt },
+        data: {
          appId: this.appId,
          redirectUri: this.redirectUri,
          state,
          expiresAt,
        },
      };
    } catch (error) {
      logger.error({ error }, 'Failed to create WeChat login state');
@@ -204,17 +206,9 @@ class WechatService {
      const userId = `wx_${openid.slice(0, 16)}`;
      const userName = userInfo?.nickname || `微信用户_${openid.slice(-6)}`;
-      const sessionToken = jwt.sign(
+      const sessionToken = await createSessionToken(
-        { userId, userName, openid },
+        { userId, userName, openid, role: 'user' },
-        config.jwtSecret || 'gala-secret-key',
+        SESSION_TOKEN_TTL
        { expiresIn: '24h' }
      );
      // Store session
      await redis.setex(
        `${SESSION_TOKEN_PREFIX}${sessionToken}`,
        SESSION_TOKEN_TTL,
        JSON.stringify({ userId, userName, openid })
      );
      // Delete used state
--- a/packages/server/src/socket/index.ts
+++ b/packages/server/src/socket/index.ts
@@ -8,6 +8,7 @@ import { voteService } from '../services/vote.service';
 import { votingEngine } from '../services/voting.engine';
 import { adminService } from '../services/admin.service';
 import { SOCKET_EVENTS, SOCKET_ROOMS, TICKET_TYPES, VOTE_KEYS, type TicketType } from '@gala/shared/constants';
 import { extractBearerToken, verifySessionToken } from '../utils/auth';
 import type {
  ServerToClientEvents,
  ClientToServerEvents,
@@ -32,6 +33,16 @@ export type GalaServer = Server<ClientToServerEvents, ServerToClientEvents, Inte
 let io: GalaServer;
 function getTokenFromSocket(socket: GalaSocket, payloadToken?: string): string | null {
  if (payloadToken) return payloadToken;
  const authToken = (socket.handshake.auth as any)?.token;
  if (typeof authToken === 'string' && authToken.trim()) return authToken.trim();
  const headerToken = socket.handshake.headers['x-session-token'];
  if (typeof headerToken === 'string' && headerToken.trim()) return headerToken.trim();
  const bearer = extractBearerToken(socket.handshake.headers.authorization);
  return bearer || null;
 }
 /**
 * Initialize Socket.io server
 */
@@ -191,32 +202,58 @@ async function handleJoin(
  };
  try {
-    const { userId, userName, role, department } = data;
+    const { userId, userName, role, sessionToken } = data;
    const token = getTokenFromSocket(socket, sessionToken);
    const authUser = token ? await verifySessionToken(token) : null;
    if (token && !authUser) {
      safeCallback({
        success: false,
        error: 'UNAUTHORIZED',
        message: 'Invalid session token',
      });
      return;
    }
    if (role === 'admin' && (!authUser || authUser.role !== 'admin')) {
      safeCallback({
        success: false,
        error: 'UNAUTHORIZED',
        message: 'Admin access required',
      });
      return;
    }
    const effectiveRole = authUser?.role || role;
    const effectiveUserId = authUser?.userId || userId;
    const effectiveUserName = authUser?.userName || userName;
    // Store user data in socket
-    socket.data.userId = userId;
+    socket.data.userId = effectiveUserId;
-    socket.data.userName = userName;
+    socket.data.userName = effectiveUserName;
-    socket.data.department = department || '未知部门';
+    socket.data.role = effectiveRole;
    socket.data.role = role;
    socket.data.connectedAt = new Date();
    socket.data.sessionId = socket.id;
    (socket.data as any).sessionToken = token || undefined;
    (socket.data as any).authenticated = !!authUser;
    // Join appropriate rooms
    await socket.join(SOCKET_ROOMS.ALL);
-    if (role === 'user') {
+    if (effectiveRole === 'user') {
      await socket.join(SOCKET_ROOMS.MOBILE_USERS);
-    } else if (role === 'screen') {
+    } else if (effectiveRole === 'screen') {
      await socket.join(SOCKET_ROOMS.SCREEN_DISPLAY);
-    } else if (role === 'admin') {
+    } else if (effectiveRole === 'admin') {
      await socket.join(SOCKET_ROOMS.ADMIN);
    }
    // Get user's voted categories and tickets
-    const votedCategories = await voteService.getUserVotedCategories(userId);
+    const votedCategories = await voteService.getUserVotedCategories(effectiveUserId);
-    const userTickets = await redis.hgetall(VOTE_KEYS.userTickets(userId));
+    const userTickets = await redis.hgetall(VOTE_KEYS.userTickets(effectiveUserId));
-    logger.info({ socketId: socket.id, userId, userName, role }, 'User joined');
+    logger.info({ socketId: socket.id, userId: effectiveUserId, userName: effectiveUserName, role: effectiveRole }, 'User joined');
    // Broadcast user count update
    const userCount = await getUserCount();
@@ -259,8 +296,9 @@ async function handleVoteSubmit(
  };
  const userId = socket.data.userId;
  const authenticated = (socket.data as any).authenticated === true;
-  if (!userId) {
+  if (!userId || !authenticated) {
    safeCallback({
      success: false,
      error: 'UNAUTHORIZED',
@@ -306,7 +344,6 @@ async function handleVoteSubmit(
      const stampResult = await adminService.addVoteStamp(
        data.candidateId,
        socket.data.userName || '匿名用户',
        socket.data.department || '未知部门',
        category,
        { revokedProgramId: result.revoked_program }
      );
@@ -359,7 +396,6 @@ async function handleVoteSubmit(
      const stampResult = await adminService.addVoteStamp(
        data.candidateId,
        socket.data.userName || '匿名用户',
        socket.data.department || '未知部门',
        data.category as string
      );
--- a/packages/shared/src/types/admin.types.ts
+++ b/packages/shared/src/types/admin.types.ts
@@ -69,7 +69,6 @@ export interface VotingProgram {
 export interface VoteStamp {
  id: string;
  userName: string;
  department: string;
  ticketType: string;
  x: number;                            // 随机 X 位置 (0-100%)
  y: number;                            // 随机 Y 位置 (0-100%)
--- a/packages/shared/src/types/socket.types.ts
+++ b/packages/shared/src/types/socket.types.ts
@@ -83,7 +83,6 @@ export interface DrawFilters {
 export interface JoinPayload {
  userId: string;
  userName: string;
  department?: string;
  role: UserRole;
  sessionToken?: string;
 }
@@ -192,10 +191,11 @@ export interface InterServerEvents {
 export interface SocketData {
  userId: string;
  userName: string;
  department: string;
  role: UserRole;
  connectedAt: Date;
  sessionId: string;
  sessionToken?: string;
  authenticated?: boolean;
 }
 // ============================================================================