chore: ignore runtime data

.gitignore

@@ -27,3 +27,6 @@ coverage/
 .env.*
 .env.local
 .env.*.local
+
+# Local runtime data (contains secrets/user data)
+sproutgate-backend/data/

sproutgate-backend/API_DOCS.md

@@ -214,11 +214,11 @@
 
 ## 管理端接口（需要管理员 Token）
 
-管理员 Token 存放在 `data/config/admin.json` 中，默认值为 `shumengya520`。
+管理员 Token 存放在 `data/config/admin.json` 中；如果文件不存在，后端启动时会自动生成并写入该文件。
 请求时可使用以下任一方式携带：
-- Query：`?token=shumengya520`
+- Query：`?token=<admin-token>`
-- Header：`X-Admin-Token: shumengya520`
+- Header：`X-Admin-Token: <admin-token>`
-- Header：`Authorization: Bearer shumengya520`
+- Header：`Authorization: Bearer <admin-token>`
 
 ### 获取用户列表
 `GET /api/admin/users`

sproutgate-backend/data/config/admin.json

@@ -1,3 +0,0 @@
-{
-  "token": "shumengya520"
-}

sproutgate-backend/data/config/auth.json

@@ -1,4 +0,0 @@
-{
-  "jwtSecret": "c3Byb3V0Z2F0ZS1zZWNyZXQ=",
-  "issuer": "sproutgate"
-}

sproutgate-backend/data/config/email.json

@@ -1,9 +0,0 @@
-{
-  "fromName": "萌芽账户认证中心",
-  "fromAddress": "notice@smyhub.com",
-  "username": "notice@smyhub.com",
-  "password": "tyh@19900420",
-  "smtpHost": "smtp.qiye.aliyun.com",
-  "smtpPort": 465,
-  "encryption": "SSL"
-}

sproutgate-backend/data/users/YWRtaW4.json

@@ -1,16 +0,0 @@
-{
-  "account": "admin",
-  "passwordHash": "$2a$10$T3XCFYOldB7b3RLuu.oxJeXTIdifjXIRyZdf/nHFIEwWAFRedysHi",
-  "username": "管理员",
-  "email": "admin@smyhub.com",
-  "level": 0,
-  "sproutCoins": 0,
-  "secondaryEmails": [
-    "mail@smyhub.com"
-  ],
-  "phone": "74074091740",
-  "avatarUrl": "https://img.shumengya.top/i/2025/11/02/69073c02060d3.webp",
-  "bio": "我是管理员",
-  "createdAt": "2026-03-14T18:38:07+08:00",
-  "updatedAt": "2026-03-14T19:26:11+08:00"
-}

sproutgate-backend/data/users/c2h1bWVuZ3lh.json

@@ -1,13 +0,0 @@
-{
-  "account": "shumengya",
-  "passwordHash": "$2a$10$f6JZ6S26BdfK8dxHQ/eeb.q9adTbkBmyprta8WlMCR3v5gMpERlgO",
-  "username": "树萌芽",
-  "email": "mail@smyhub.com",
-  "level": 0,
-  "sproutCoins": 100,
-  "secondaryEmails": [],
-  "avatarUrl": "https://img.shumengya.top/i/2025/11/02/69073c018174e.webp",
-  "bio": "(=^･ω･^=) 喵~",
-  "createdAt": "2026-03-14T18:12:20+08:00",
-  "updatedAt": "2026-03-14T18:12:20+08:00"
-}

sproutgate-backend/internal/storage/storage.go

@@ -119,9 +119,12 @@ func (s *Store) EmailConfig() EmailConfig {
 }
 
 func (s *Store) loadOrCreateAdminConfig() error {
-	defaultToken := "shumengya520"
 	if _, err := os.Stat(s.adminConfigPath); errors.Is(err, os.ErrNotExist) {
-		cfg := AdminConfig{Token: defaultToken}
+		token, err := generateToken()
+		if err != nil {
+			return err
+		}
+		cfg := AdminConfig{Token: token}
 		if err := writeJSONFile(s.adminConfigPath, cfg); err != nil {
 			return err
 		}
@@ -133,7 +136,11 @@ func (s *Store) loadOrCreateAdminConfig() error {
 		return err
 	}
 	if strings.TrimSpace(cfg.Token) == "" {
-		cfg.Token = defaultToken
+		token, err := generateToken()
+		if err != nil {
+			return err
+		}
+		cfg.Token = token
 		if err := writeJSONFile(s.adminConfigPath, cfg); err != nil {
 			return err
 		}
@@ -194,7 +201,7 @@ func (s *Store) loadOrCreateEmailConfig() error {
 			FromName:    "萌芽账户认证中心",
 			FromAddress: "notice@smyhub.com",
 			Username:    "",
-			Password:    "tyh@19900420",
+			Password:    "",
 			SMTPHost:    "smtp.qiye.aliyun.com",
 			SMTPPort:    465,
 			Encryption:  "SSL",
@@ -243,6 +250,14 @@ func generateSecret() ([]byte, error) {
 	return secret, err
 }
 
+func generateToken() (string, error) {
+	secret, err := generateSecret()
+	if err != nil {
+		return "", err
+	}
+	return base64.RawURLEncoding.EncodeToString(secret), nil
+}
+
 func (s *Store) ListUsers() ([]models.UserRecord, error) {
 	s.mu.Lock()
 	defer s.mu.Unlock()