From 518e5c8284695ca87a49136b6f5646636c717249 Mon Sep 17 00:00:00 2001
From: "liweiliang0905@gmail.com" <liweiliang0905@gmail.com>
Date: Thu, 22 Jan 2026 14:24:58 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E4=BC=98=E5=8C=96=E7=99=BB=E5=BD=95?=
 =?UTF-8?q?=E5=8A=9F=E8=83=BD=20-=20=E6=9C=8D=E5=8A=A1=E7=AB=AF=E8=AE=A4?=
 =?UTF-8?q?=E8=AF=81=20+=20Cookie=20+=20=E6=96=B0UI?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

主要改进:
1. 添加服务端认证中间件，未登录用户自动重定向到登录页
2. 使用 HTTPOnly Cookie 存储 token（比 localStorage 更安全）
3. 添加"记住我"功能（勾选：30天，不勾选：1天）
4. 添加登出 API (/api/auth/logout)
5. 登录/注册页面采用 Neumorphism 设计风格
   - 健康主题配色（青色 + 绿色）
   - Lora + Raleway 字体组合
   - 新拟态阴影效果
6. 支持登录后重定向到原页面

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 src/vitals/core/auth.py |  23 +-
 src/vitals/web/app.py   | 763 +++++++++++++++++++++++++++++++---------
 2 files changed, 622 insertions(+), 164 deletions(-)

diff --git a/src/vitals/core/auth.py b/src/vitals/core/auth.py
index 0bc37b1..d929f47 100644
--- a/src/vitals/core/auth.py
+++ b/src/vitals/core/auth.py
@@ -11,7 +11,8 @@ import jwt
 # JWT 配置
 JWT_SECRET = os.environ.get("JWT_SECRET", "vitals-dev-secret-key-change-in-production")
 JWT_ALGORITHM = "HS256"
-JWT_EXPIRE_DAYS = 7
+JWT_EXPIRE_DAYS = 1  # 默认 1 天
+JWT_EXPIRE_DAYS_REMEMBER = 30  # 记住我：30 天
 
 
 def hash_password(password: str) -> str:
@@ -25,18 +26,32 @@ def verify_password(password: str, password_hash: str) -> bool:
     return bcrypt.checkpw(password.encode("utf-8"), password_hash.encode("utf-8"))
 
 
-def create_token(user_id: int, username: str, is_admin: bool = False) -> str:
-    """创建 JWT Token"""
+def create_token(user_id: int, username: str, is_admin: bool = False, remember_me: bool = False) -> str:
+    """创建 JWT Token
+
+    Args:
+        user_id: 用户 ID
+        username: 用户名
+        is_admin: 是否管理员
+        remember_me: 是否记住登录状态（True: 30天, False: 1天）
+    """
+    expire_days = JWT_EXPIRE_DAYS_REMEMBER if remember_me else JWT_EXPIRE_DAYS
     payload = {
         "user_id": user_id,
         "username": username,
         "is_admin": is_admin,
-        "exp": datetime.utcnow() + timedelta(days=JWT_EXPIRE_DAYS),
+        "exp": datetime.utcnow() + timedelta(days=expire_days),
         "iat": datetime.utcnow(),
     }
     return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)
 
 
+def get_token_expire_seconds(remember_me: bool = False) -> int:
+    """获取 token 过期时间（秒）"""
+    days = JWT_EXPIRE_DAYS_REMEMBER if remember_me else JWT_EXPIRE_DAYS
+    return days * 24 * 60 * 60
+
+
 def decode_token(token: str) -> Optional[dict]:
     """解码 JWT Token，返回 payload 或 None（如果无效/过期）"""
     try:
diff --git a/src/vitals/web/app.py b/src/vitals/web/app.py
index ba50ede..8eb43e2 100644
--- a/src/vitals/web/app.py
+++ b/src/vitals/web/app.py
@@ -5,16 +5,17 @@ from datetime import date, datetime, time, timedelta
 from pathlib import Path
 from typing import Optional
 
-from fastapi import Depends, FastAPI, File, Form, Header, HTTPException, Query, Request, UploadFile
+from fastapi import Cookie, Depends, FastAPI, File, Form, Header, HTTPException, Query, Request, Response, UploadFile
 from fastapi.middleware.cors import CORSMiddleware
-from fastapi.responses import FileResponse, HTMLResponse, RedirectResponse
+from fastapi.responses import FileResponse, HTMLResponse, JSONResponse, RedirectResponse
+from starlette.middleware.base import BaseHTTPMiddleware
 from fastapi.staticfiles import StaticFiles
 from pydantic import BaseModel, field_validator
 from uuid import uuid4
 
 from ..core import database as db
 from ..core.models import Exercise, Meal, Sleep, UserConfig, Weight, User, Reading, Invite
-from ..core.auth import hash_password, verify_password, create_token, decode_token, generate_invite_code
+from ..core.auth import hash_password, verify_password, create_token, decode_token, generate_invite_code, get_token_expire_seconds
 
 # 初始化数据库
 db.init_db()
@@ -69,6 +70,62 @@ app.add_middleware(
     allow_headers=["*"],
 )
 
+
+# 认证中间件
+class AuthMiddleware(BaseHTTPMiddleware):
+    """服务端认证中间件 - 未登录用户重定向到登录页"""
+
+    # 不需要认证的路径前缀
+    PUBLIC_PREFIXES = (
+        "/api/auth/login",
+        "/api/auth/register",
+        "/login",
+        "/register",
+        "/static",
+        "/photos",
+        "/docs",
+        "/openapi.json",
+        "/favicon.ico",
+    )
+
+    async def dispatch(self, request: Request, call_next):
+        path = request.url.path
+
+        # 检查是否为公开路径
+        if any(path.startswith(prefix) for prefix in self.PUBLIC_PREFIXES):
+            return await call_next(request)
+
+        # 从 Cookie 获取 token
+        token = request.cookies.get("auth_token")
+
+        # API 请求也支持 Header 认证（向后兼容）
+        if not token and path.startswith("/api/"):
+            auth_header = request.headers.get("Authorization")
+            if auth_header and auth_header.startswith("Bearer "):
+                token = auth_header[7:]
+
+        # 验证 token
+        if token:
+            payload = decode_token(token)
+            if payload:
+                # token 有效，继续处理
+                return await call_next(request)
+
+        # 未认证
+        if path.startswith("/api/"):
+            # API 请求返回 401
+            return JSONResponse(
+                status_code=401,
+                content={"detail": "未登录或登录已过期"}
+            )
+        else:
+            # 页面请求重定向到登录页
+            redirect_url = f"/login?redirect={path}" if path != "/" else "/login"
+            return RedirectResponse(url=redirect_url, status_code=302)
+
+
+app.add_middleware(AuthMiddleware)
+
 # 静态文件
 static_dir = Path(__file__).parent / "static"
 if static_dir.exists():
@@ -348,6 +405,7 @@ class ReadingResponse(BaseModel):
 class LoginInput(BaseModel):
     username: str
     password: str
+    remember_me: bool = False
 
 
 class RegisterInput(BaseModel):
@@ -469,8 +527,8 @@ def get_current_user_id(authorization: Optional[str] = Header(None)) -> int:
 
 # ===== 认证 API =====
 
-@app.post("/api/auth/login", response_model=TokenResponse)
-async def login(data: LoginInput):
+@app.post("/api/auth/login")
+async def login(data: LoginInput, response: Response):
     """用户登录"""
     user = db.get_user_by_name(data.username)
     if not user:
@@ -482,20 +540,33 @@ async def login(data: LoginInput):
     if user.is_disabled:
         raise HTTPException(status_code=403, detail="账户已被禁用")
 
-    token = create_token(user.id, user.name, user.is_admin)
-    return TokenResponse(
-        token=token,
-        user=AuthUserResponse(
-            id=user.id,
-            name=user.name,
-            is_admin=user.is_admin,
-            is_disabled=user.is_disabled,
-        )
+    # 创建 token（根据 remember_me 设置不同的过期时间）
+    token = create_token(user.id, user.name, user.is_admin, data.remember_me)
+
+    # 设置 HTTPOnly Cookie
+    max_age = get_token_expire_seconds(data.remember_me) if data.remember_me else None
+    response.set_cookie(
+        key="auth_token",
+        value=token,
+        httponly=True,
+        secure=False,  # HTTP 环境，生产环境应设为 True
+        samesite="lax",
+        max_age=max_age,  # None 表示会话 Cookie
     )
 
+    return {
+        "token": token,
+        "user": {
+            "id": user.id,
+            "name": user.name,
+            "is_admin": user.is_admin,
+            "is_disabled": user.is_disabled,
+        }
+    }
 
-@app.post("/api/auth/register", response_model=TokenResponse)
-async def register(data: RegisterInput):
+
+@app.post("/api/auth/register")
+async def register(data: RegisterInput, response: Response):
     """用户注册（需要邀请码）"""
     # 验证邀请码
     invite = db.get_invite_by_code(data.invite_code)
@@ -528,18 +599,34 @@ async def register(data: RegisterInput):
     # 获取创建的用户
     user = db.get_user(user_id)
 
-    # 生成 token
+    # 生成 token 并设置 Cookie
     token = create_token(user.id, user.name, user.is_admin)
-    return TokenResponse(
-        token=token,
-        user=AuthUserResponse(
-            id=user.id,
-            name=user.name,
-            is_admin=user.is_admin,
-            is_disabled=user.is_disabled,
-        )
+    response.set_cookie(
+        key="auth_token",
+        value=token,
+        httponly=True,
+        secure=False,
+        samesite="lax",
+        max_age=get_token_expire_seconds(False),  # 注册默认 1 天
     )
 
+    return {
+        "token": token,
+        "user": {
+            "id": user.id,
+            "name": user.name,
+            "is_admin": user.is_admin,
+            "is_disabled": user.is_disabled,
+        }
+    }
+
+
+@app.post("/api/auth/logout")
+async def logout(response: Response):
+    """用户登出"""
+    response.delete_cookie(key="auth_token")
+    return {"message": "登出成功"}
+
 
 @app.get("/api/auth/me", response_model=AuthUserResponse)
 async def get_me(user: User = Depends(require_user)):
@@ -1797,7 +1884,7 @@ async def clear_data(request: DataClearInput):
 
 
 def get_login_page_html() -> str:
-    """生成登录页面 HTML"""
+    """生成登录页面 HTML - Neumorphism 设计风格"""
     return """
 <!DOCTYPE html>
 <html lang="zh-CN">
@@ -1805,119 +1892,312 @@ def get_login_page_html() -> str:
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>登录 - Vitals 健康管理</title>
+    <link rel="preconnect" href="https://fonts.googleapis.com">
+    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+    <link href="https://fonts.googleapis.com/css2?family=Lora:wght@400;500;600;700&family=Raleway:wght@300;400;500;600;700&display=swap" rel="stylesheet">
     <style>
         * { margin: 0; padding: 0; box-sizing: border-box; }
+
         body {
-            font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
-            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+            font-family: 'Raleway', -apple-system, BlinkMacSystemFont, sans-serif;
+            background: #ECFEFF;
             min-height: 100vh;
             display: flex;
             align-items: center;
             justify-content: center;
             padding: 20px;
         }
+
         .login-card {
-            background: white;
-            border-radius: 16px;
-            padding: 40px;
+            background: #ECFEFF;
+            border-radius: 24px;
+            padding: 48px 40px;
             width: 100%;
-            max-width: 400px;
-            box-shadow: 0 20px 60px rgba(0,0,0,0.3);
+            max-width: 420px;
+            box-shadow:
+                -10px -10px 30px rgba(255, 255, 255, 0.8),
+                10px 10px 30px rgba(0, 0, 0, 0.1);
         }
+
         .logo {
             text-align: center;
-            margin-bottom: 30px;
+            margin-bottom: 36px;
         }
+
+        .logo-icon {
+            width: 64px;
+            height: 64px;
+            background: linear-gradient(135deg, #0891B2, #22D3EE);
+            border-radius: 16px;
+            display: inline-flex;
+            align-items: center;
+            justify-content: center;
+            margin-bottom: 16px;
+            box-shadow:
+                -4px -4px 10px rgba(255, 255, 255, 0.8),
+                4px 4px 10px rgba(0, 0, 0, 0.1);
+        }
+
+        .logo-icon svg {
+            width: 36px;
+            height: 36px;
+            color: white;
+        }
+
         .logo h1 {
+            font-family: 'Lora', serif;
             font-size: 2rem;
-            color: #667eea;
+            font-weight: 600;
+            color: #164E63;
             margin-bottom: 8px;
         }
+
         .logo p {
-            color: #666;
-            font-size: 0.9rem;
+            color: #0891B2;
+            font-size: 0.95rem;
+            font-weight: 400;
         }
+
         .form-group {
-            margin-bottom: 20px;
+            margin-bottom: 24px;
         }
+
         .form-group label {
             display: block;
-            margin-bottom: 8px;
+            margin-bottom: 10px;
             font-weight: 500;
-            color: #333;
+            color: #164E63;
+            font-size: 0.9rem;
         }
+
         .form-group input {
             width: 100%;
-            padding: 14px 16px;
-            border: 2px solid #e0e0e0;
-            border-radius: 10px;
+            padding: 16px 20px;
+            border: none;
+            border-radius: 12px;
             font-size: 1rem;
-            transition: border-color 0.2s;
+            font-family: 'Raleway', sans-serif;
+            background: #ECFEFF;
+            color: #164E63;
+            box-shadow:
+                inset 3px 3px 8px rgba(0, 0, 0, 0.08),
+                inset -3px -3px 8px rgba(255, 255, 255, 0.9);
+            transition: box-shadow 0.2s ease;
         }
+
         .form-group input:focus {
             outline: none;
-            border-color: #667eea;
+            box-shadow:
+                inset 3px 3px 8px rgba(0, 0, 0, 0.08),
+                inset -3px -3px 8px rgba(255, 255, 255, 0.9),
+                0 0 0 3px rgba(8, 145, 178, 0.2);
         }
-        .btn {
-            width: 100%;
-            padding: 14px;
-            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
-            color: white;
-            border: none;
-            border-radius: 10px;
-            font-size: 1rem;
-            font-weight: 600;
+
+        .form-group input::placeholder {
+            color: #94A3B8;
+        }
+
+        .remember-row {
+            display: flex;
+            align-items: center;
+            margin-bottom: 28px;
+        }
+
+        .checkbox-wrapper {
+            display: flex;
+            align-items: center;
             cursor: pointer;
-            transition: transform 0.2s, box-shadow 0.2s;
         }
-        .btn:hover {
-            transform: translateY(-2px);
-            box-shadow: 0 5px 20px rgba(102, 126, 234, 0.4);
-        }
-        .btn:disabled {
-            opacity: 0.6;
-            cursor: not-allowed;
-            transform: none;
-        }
-        .error-msg {
-            background: #fee2e2;
-            color: #dc2626;
-            padding: 12px;
-            border-radius: 8px;
-            margin-bottom: 20px;
+
+        .checkbox-wrapper input[type="checkbox"] {
             display: none;
         }
+
+        .checkbox-custom {
+            width: 22px;
+            height: 22px;
+            border-radius: 6px;
+            background: #ECFEFF;
+            box-shadow:
+                inset 2px 2px 5px rgba(0, 0, 0, 0.08),
+                inset -2px -2px 5px rgba(255, 255, 255, 0.9);
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            margin-right: 10px;
+            transition: all 0.2s ease;
+        }
+
+        .checkbox-wrapper input[type="checkbox"]:checked + .checkbox-custom {
+            background: linear-gradient(135deg, #0891B2, #22D3EE);
+            box-shadow:
+                -2px -2px 5px rgba(255, 255, 255, 0.8),
+                2px 2px 5px rgba(0, 0, 0, 0.1);
+        }
+
+        .checkbox-custom svg {
+            width: 14px;
+            height: 14px;
+            color: white;
+            opacity: 0;
+            transition: opacity 0.2s ease;
+        }
+
+        .checkbox-wrapper input[type="checkbox"]:checked + .checkbox-custom svg {
+            opacity: 1;
+        }
+
+        .checkbox-label {
+            color: #164E63;
+            font-size: 0.9rem;
+            user-select: none;
+        }
+
+        .btn {
+            width: 100%;
+            padding: 16px;
+            background: linear-gradient(135deg, #059669, #10B981);
+            color: white;
+            border: none;
+            border-radius: 12px;
+            font-size: 1rem;
+            font-weight: 600;
+            font-family: 'Raleway', sans-serif;
+            cursor: pointer;
+            box-shadow:
+                -4px -4px 10px rgba(255, 255, 255, 0.8),
+                4px 4px 10px rgba(0, 0, 0, 0.15);
+            transition: all 0.15s ease;
+        }
+
+        .btn:hover {
+            box-shadow:
+                -2px -2px 5px rgba(255, 255, 255, 0.8),
+                2px 2px 5px rgba(0, 0, 0, 0.15);
+        }
+
+        .btn:active {
+            box-shadow:
+                inset 2px 2px 5px rgba(0, 0, 0, 0.2),
+                inset -2px -2px 5px rgba(255, 255, 255, 0.1);
+        }
+
+        .btn:disabled {
+            opacity: 0.7;
+            cursor: not-allowed;
+        }
+
+        .btn.success {
+            background: linear-gradient(135deg, #059669, #10B981);
+        }
+
+        .error-msg {
+            background: #FEE2E2;
+            color: #DC2626;
+            padding: 14px 16px;
+            border-radius: 12px;
+            margin-bottom: 24px;
+            display: none;
+            font-size: 0.9rem;
+            box-shadow:
+                inset 2px 2px 5px rgba(0, 0, 0, 0.05),
+                inset -2px -2px 5px rgba(255, 255, 255, 0.5);
+        }
+
+        .divider {
+            display: flex;
+            align-items: center;
+            margin: 28px 0;
+        }
+
+        .divider::before,
+        .divider::after {
+            content: '';
+            flex: 1;
+            height: 1px;
+            background: linear-gradient(to right, transparent, rgba(8, 145, 178, 0.3), transparent);
+        }
+
+        .divider span {
+            padding: 0 16px;
+            color: #94A3B8;
+            font-size: 0.85rem;
+        }
+
         .links {
             text-align: center;
-            margin-top: 20px;
         }
+
+        .links p {
+            color: #64748B;
+            font-size: 0.9rem;
+        }
+
         .links a {
-            color: #667eea;
+            color: #0891B2;
             text-decoration: none;
+            font-weight: 500;
+            transition: color 0.2s ease;
         }
+
         .links a:hover {
-            text-decoration: underline;
+            color: #164E63;
+        }
+
+        /* 响应式 */
+        @media (max-width: 480px) {
+            .login-card {
+                padding: 36px 24px;
+            }
+        }
+
+        /* 减少动画 */
+        @media (prefers-reduced-motion: reduce) {
+            * {
+                transition: none !important;
+            }
         }
     </style>
 </head>
 <body>
     <div class="login-card">
         <div class="logo">
+            <div class="logo-icon">
+                <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+                    <path d="M22 12h-4l-3 9L9 3l-3 9H2"/>
+                </svg>
+            </div>
             <h1>Vitals</h1>
-            <p>健康管理，从登录开始</p>
+            <p>健康管理，从这里开始</p>
         </div>
+
         <div id="error" class="error-msg"></div>
+
         <form id="loginForm">
             <div class="form-group">
-                <label>用户名</label>
-                <input type="text" id="username" name="username" required autofocus>
+                <label for="username">用户名</label>
+                <input type="text" id="username" name="username" placeholder="请输入用户名" required autofocus>
             </div>
             <div class="form-group">
-                <label>密码</label>
-                <input type="password" id="password" name="password" required>
+                <label for="password">密码</label>
+                <input type="password" id="password" name="password" placeholder="请输入密码" required>
+            </div>
+            <div class="remember-row">
+                <label class="checkbox-wrapper">
+                    <input type="checkbox" id="rememberMe" name="rememberMe">
+                    <span class="checkbox-custom">
+                        <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="3" stroke-linecap="round" stroke-linejoin="round">
+                            <polyline points="20 6 9 17 4 12"/>
+                        </svg>
+                    </span>
+                    <span class="checkbox-label">记住我（30天内免登录）</span>
+                </label>
             </div>
             <button type="submit" class="btn" id="submitBtn">登录</button>
         </form>
+
+        <div class="divider"><span>或</span></div>
+
         <div class="links">
             <p>没有账号？<a href="/register">立即注册</a></p>
         </div>
@@ -1937,35 +2217,43 @@ def get_login_page_html() -> str:
                 const response = await fetch('/api/auth/login', {
                     method: 'POST',
                     headers: { 'Content-Type': 'application/json' },
+                    credentials: 'same-origin',
                     body: JSON.stringify({
                         username: document.getElementById('username').value,
                         password: document.getElementById('password').value,
+                        remember_me: document.getElementById('rememberMe').checked,
                     })
                 });
 
                 const data = await response.json();
 
                 if (response.ok) {
-                    localStorage.setItem('token', data.token);
+                    // 保存用户信息（非敏感）
                     localStorage.setItem('user', JSON.stringify(data.user));
-                    window.location.href = '/';
+
+                    // 显示成功状态
+                    btn.textContent = '✓ 登录成功';
+                    btn.classList.add('success');
+
+                    // 跳转
+                    setTimeout(() => {
+                        const params = new URLSearchParams(window.location.search);
+                        const redirect = params.get('redirect') || '/';
+                        window.location.href = redirect;
+                    }, 500);
                 } else {
                     error.textContent = data.detail || '登录失败';
                     error.style.display = 'block';
+                    btn.disabled = false;
+                    btn.textContent = '登录';
                 }
             } catch (err) {
                 error.textContent = '网络错误，请稍后重试';
                 error.style.display = 'block';
-            } finally {
                 btn.disabled = false;
                 btn.textContent = '登录';
             }
         });
-
-        // 如果已登录，跳转到首页
-        if (localStorage.getItem('token')) {
-            window.location.href = '/';
-        }
     </script>
 </body>
 </html>
@@ -1973,7 +2261,7 @@ def get_login_page_html() -> str:
 
 
 def get_register_page_html() -> str:
-    """生成注册页面 HTML"""
+    """生成注册页面 HTML - Neumorphism 设计风格"""
     return """
 <!DOCTYPE html>
 <html lang="zh-CN">
@@ -1981,133 +2269,258 @@ def get_register_page_html() -> str:
     <meta charset="UTF-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <title>注册 - Vitals 健康管理</title>
+    <link rel="preconnect" href="https://fonts.googleapis.com">
+    <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+    <link href="https://fonts.googleapis.com/css2?family=Lora:wght@400;500;600;700&family=Raleway:wght@300;400;500;600;700&display=swap" rel="stylesheet">
     <style>
         * { margin: 0; padding: 0; box-sizing: border-box; }
+
         body {
-            font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
-            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+            font-family: 'Raleway', -apple-system, BlinkMacSystemFont, sans-serif;
+            background: #ECFEFF;
             min-height: 100vh;
             display: flex;
             align-items: center;
             justify-content: center;
             padding: 20px;
         }
+
         .register-card {
-            background: white;
-            border-radius: 16px;
+            background: #ECFEFF;
+            border-radius: 24px;
             padding: 40px;
             width: 100%;
-            max-width: 400px;
-            box-shadow: 0 20px 60px rgba(0,0,0,0.3);
+            max-width: 420px;
+            box-shadow:
+                -10px -10px 30px rgba(255, 255, 255, 0.8),
+                10px 10px 30px rgba(0, 0, 0, 0.1);
         }
+
         .logo {
             text-align: center;
-            margin-bottom: 30px;
+            margin-bottom: 32px;
         }
+
+        .logo-icon {
+            width: 56px;
+            height: 56px;
+            background: linear-gradient(135deg, #0891B2, #22D3EE);
+            border-radius: 14px;
+            display: inline-flex;
+            align-items: center;
+            justify-content: center;
+            margin-bottom: 14px;
+            box-shadow:
+                -4px -4px 10px rgba(255, 255, 255, 0.8),
+                4px 4px 10px rgba(0, 0, 0, 0.1);
+        }
+
+        .logo-icon svg {
+            width: 32px;
+            height: 32px;
+            color: white;
+        }
+
         .logo h1 {
-            font-size: 2rem;
-            color: #667eea;
-            margin-bottom: 8px;
+            font-family: 'Lora', serif;
+            font-size: 1.8rem;
+            font-weight: 600;
+            color: #164E63;
+            margin-bottom: 6px;
         }
+
         .logo p {
-            color: #666;
+            color: #0891B2;
             font-size: 0.9rem;
+            font-weight: 400;
         }
+
         .form-group {
             margin-bottom: 20px;
         }
+
         .form-group label {
             display: block;
             margin-bottom: 8px;
             font-weight: 500;
-            color: #333;
+            color: #164E63;
+            font-size: 0.85rem;
         }
+
         .form-group input {
             width: 100%;
-            padding: 14px 16px;
-            border: 2px solid #e0e0e0;
-            border-radius: 10px;
-            font-size: 1rem;
-            transition: border-color 0.2s;
+            padding: 14px 18px;
+            border: none;
+            border-radius: 12px;
+            font-size: 0.95rem;
+            font-family: 'Raleway', sans-serif;
+            background: #ECFEFF;
+            color: #164E63;
+            box-shadow:
+                inset 3px 3px 8px rgba(0, 0, 0, 0.08),
+                inset -3px -3px 8px rgba(255, 255, 255, 0.9);
+            transition: box-shadow 0.2s ease;
         }
+
         .form-group input:focus {
             outline: none;
-            border-color: #667eea;
+            box-shadow:
+                inset 3px 3px 8px rgba(0, 0, 0, 0.08),
+                inset -3px -3px 8px rgba(255, 255, 255, 0.9),
+                0 0 0 3px rgba(8, 145, 178, 0.2);
         }
+
+        .form-group input::placeholder {
+            color: #94A3B8;
+        }
+
         .form-group .hint {
-            font-size: 0.85rem;
-            color: #888;
-            margin-top: 6px;
+            font-size: 0.8rem;
+            color: #64748B;
+            margin-top: 8px;
+            padding-left: 4px;
         }
+
         .btn {
             width: 100%;
-            padding: 14px;
-            background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+            padding: 15px;
+            background: linear-gradient(135deg, #059669, #10B981);
             color: white;
             border: none;
-            border-radius: 10px;
+            border-radius: 12px;
             font-size: 1rem;
             font-weight: 600;
+            font-family: 'Raleway', sans-serif;
             cursor: pointer;
-            transition: transform 0.2s, box-shadow 0.2s;
+            box-shadow:
+                -4px -4px 10px rgba(255, 255, 255, 0.8),
+                4px 4px 10px rgba(0, 0, 0, 0.15);
+            transition: all 0.15s ease;
+            margin-top: 8px;
         }
+
         .btn:hover {
-            transform: translateY(-2px);
-            box-shadow: 0 5px 20px rgba(102, 126, 234, 0.4);
+            box-shadow:
+                -2px -2px 5px rgba(255, 255, 255, 0.8),
+                2px 2px 5px rgba(0, 0, 0, 0.15);
         }
+
+        .btn:active {
+            box-shadow:
+                inset 2px 2px 5px rgba(0, 0, 0, 0.2),
+                inset -2px -2px 5px rgba(255, 255, 255, 0.1);
+        }
+
         .btn:disabled {
-            opacity: 0.6;
+            opacity: 0.7;
             cursor: not-allowed;
-            transform: none;
         }
+
         .error-msg {
-            background: #fee2e2;
-            color: #dc2626;
-            padding: 12px;
-            border-radius: 8px;
+            background: #FEE2E2;
+            color: #DC2626;
+            padding: 12px 14px;
+            border-radius: 12px;
             margin-bottom: 20px;
             display: none;
+            font-size: 0.85rem;
+            box-shadow:
+                inset 2px 2px 5px rgba(0, 0, 0, 0.05),
+                inset -2px -2px 5px rgba(255, 255, 255, 0.5);
         }
+
+        .divider {
+            display: flex;
+            align-items: center;
+            margin: 24px 0;
+        }
+
+        .divider::before,
+        .divider::after {
+            content: '';
+            flex: 1;
+            height: 1px;
+            background: linear-gradient(to right, transparent, rgba(8, 145, 178, 0.3), transparent);
+        }
+
+        .divider span {
+            padding: 0 16px;
+            color: #94A3B8;
+            font-size: 0.85rem;
+        }
+
         .links {
             text-align: center;
-            margin-top: 20px;
         }
+
+        .links p {
+            color: #64748B;
+            font-size: 0.9rem;
+        }
+
         .links a {
-            color: #667eea;
+            color: #0891B2;
             text-decoration: none;
+            font-weight: 500;
+            transition: color 0.2s ease;
         }
+
         .links a:hover {
-            text-decoration: underline;
+            color: #164E63;
+        }
+
+        /* 响应式 */
+        @media (max-width: 480px) {
+            .register-card {
+                padding: 32px 20px;
+            }
+        }
+
+        /* 减少动画 */
+        @media (prefers-reduced-motion: reduce) {
+            * {
+                transition: none !important;
+            }
         }
     </style>
 </head>
 <body>
     <div class="register-card">
         <div class="logo">
+            <div class="logo-icon">
+                <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+                    <path d="M22 12h-4l-3 9L9 3l-3 9H2"/>
+                </svg>
+            </div>
             <h1>Vitals</h1>
             <p>创建账号，开始健康管理</p>
         </div>
+
         <div id="error" class="error-msg"></div>
+
         <form id="registerForm">
             <div class="form-group">
-                <label>邀请码 *</label>
-                <input type="text" id="inviteCode" name="inviteCode" required placeholder="请输入邀请码">
+                <label for="inviteCode">邀请码</label>
+                <input type="text" id="inviteCode" name="inviteCode" placeholder="请输入邀请码" required>
                 <p class="hint">需要邀请码才能注册，请联系管理员获取</p>
             </div>
             <div class="form-group">
-                <label>用户名 *</label>
-                <input type="text" id="username" name="username" required placeholder="2-50 个字符">
+                <label for="username">用户名</label>
+                <input type="text" id="username" name="username" placeholder="2-50 个字符" required>
             </div>
             <div class="form-group">
-                <label>密码 *</label>
-                <input type="password" id="password" name="password" required placeholder="至少 6 位">
+                <label for="password">密码</label>
+                <input type="password" id="password" name="password" placeholder="至少 6 位" required>
             </div>
             <div class="form-group">
-                <label>确认密码 *</label>
-                <input type="password" id="confirmPassword" name="confirmPassword" required placeholder="再次输入密码">
+                <label for="confirmPassword">确认密码</label>
+                <input type="password" id="confirmPassword" name="confirmPassword" placeholder="再次输入密码" required>
             </div>
             <button type="submit" class="btn" id="submitBtn">注册</button>
         </form>
+
+        <div class="divider"><span>或</span></div>
+
         <div class="links">
             <p>已有账号？<a href="/login">立即登录</a></p>
         </div>
@@ -2128,6 +2541,12 @@ def get_register_page_html() -> str:
                 return;
             }
 
+            if (password.length < 6) {
+                error.textContent = '密码至少需要 6 位';
+                error.style.display = 'block';
+                return;
+            }
+
             btn.disabled = true;
             btn.textContent = '注册中...';
             error.style.display = 'none';
@@ -2136,6 +2555,7 @@ def get_register_page_html() -> str:
                 const response = await fetch('/api/auth/register', {
                     method: 'POST',
                     headers: { 'Content-Type': 'application/json' },
+                    credentials: 'same-origin',
                     body: JSON.stringify({
                         username: document.getElementById('username').value,
                         password: password,
@@ -2146,26 +2566,28 @@ def get_register_page_html() -> str:
                 const data = await response.json();
 
                 if (response.ok) {
-                    localStorage.setItem('token', data.token);
+                    // 保存用户信息
                     localStorage.setItem('user', JSON.stringify(data.user));
-                    window.location.href = '/';
+
+                    // 显示成功
+                    btn.textContent = '✓ 注册成功';
+
+                    setTimeout(() => {
+                        window.location.href = '/';
+                    }, 500);
                 } else {
                     error.textContent = data.detail || '注册失败';
                     error.style.display = 'block';
+                    btn.disabled = false;
+                    btn.textContent = '注册';
                 }
             } catch (err) {
                 error.textContent = '网络错误，请稍后重试';
                 error.style.display = 'block';
-            } finally {
                 btn.disabled = false;
                 btn.textContent = '注册';
             }
         });
-
-        // 如果已登录，跳转到首页
-        if (localStorage.getItem('token')) {
-            window.location.href = '/';
-        }
     </script>
 </body>
 </html>
@@ -2483,49 +2905,70 @@ def get_admin_page_html() -> str:
             checkAuth();
         });
 
-        function getToken() {
-            return localStorage.getItem('token');
-        }
-
         function checkAuth() {
-            const token = getToken();
             const userStr = localStorage.getItem('user');
 
-            if (!token || !userStr) {
-                window.location.href = '/login';
+            if (!userStr) {
+                // 没有用户信息，尝试从 API 获取
+                fetch('/api/auth/me', { credentials: 'same-origin' })
+                    .then(res => {
+                        if (!res.ok) {
+                            window.location.href = '/login';
+                            return;
+                        }
+                        return res.json();
+                    })
+                    .then(user => {
+                        if (user) {
+                            localStorage.setItem('user', JSON.stringify(user));
+                            currentUser = user;
+                            initAdminPage();
+                        }
+                    })
+                    .catch(() => window.location.href = '/login');
                 return;
             }
 
             try {
                 currentUser = JSON.parse(userStr);
-                document.getElementById('userInfo').textContent = currentUser.name;
-
-                if (!currentUser.is_admin) {
-                    document.getElementById('unauthorizedView').style.display = 'block';
-                    return;
-                }
-
-                document.getElementById('adminContent').style.display = 'block';
-                loadUsers();
-                loadInvites();
+                initAdminPage();
             } catch (e) {
                 window.location.href = '/login';
             }
         }
 
-        function logout() {
-            localStorage.removeItem('token');
+        function initAdminPage() {
+            document.getElementById('userInfo').textContent = currentUser.name;
+
+            if (!currentUser.is_admin) {
+                document.getElementById('unauthorizedView').style.display = 'block';
+                return;
+            }
+
+            document.getElementById('adminContent').style.display = 'block';
+            loadUsers();
+            loadInvites();
+        }
+
+        async function logout() {
+            try {
+                await fetch('/api/auth/logout', {
+                    method: 'POST',
+                    credentials: 'same-origin'
+                });
+            } catch (e) {
+                // 忽略错误
+            }
             localStorage.removeItem('user');
             window.location.href = '/login';
         }
 
         async function apiRequest(url, options = {}) {
-            const token = getToken();
             const response = await fetch(url, {
                 ...options,
+                credentials: 'same-origin',
                 headers: {
                     'Content-Type': 'application/json',
-                    'Authorization': `Bearer ${token}`,
                     ...options.headers,
                 }
             });