更新.gitignore文件，移除不必要的soul-api目录，确保版本控制的清晰性与一致性。

soul-api/internal/auth/adminjwt.go

@@ -0,0 +1,71 @@
+// Package auth 管理端 JWT：签发与校验，使用 Authorization: Bearer <token>
+package auth
+
+import (
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+const adminJWTExpire = 7 * 24 * time.Hour // 7 天
+
+// AdminClaims 管理端 JWT 载荷
+type AdminClaims struct {
+	jwt.RegisteredClaims
+	Username string `json:"username"`
+	Role     string `json:"role"`
+}
+
+// IssueAdminJWT 签发管理端 JWT，使用 ADMIN_SESSION_SECRET 签名（role 为空时默认 admin）
+func IssueAdminJWT(secret, username, role string) (string, error) {
+	if role == "" {
+		role = "admin"
+	}
+	now := time.Now()
+	claims := AdminClaims{
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(now.Add(adminJWTExpire)),
+			IssuedAt:  jwt.NewNumericDate(now),
+			Subject:   "admin",
+		},
+		Username: username,
+		Role:     role,
+	}
+	tok := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	return tok.SignedString([]byte(secret))
+}
+
+// ParseAdminJWT 校验并解析 JWT，返回 claims；无效或过期返回 nil, false
+func ParseAdminJWT(tokenString, secret string) (*AdminClaims, bool) {
+	if tokenString == "" || secret == "" {
+		return nil, false
+	}
+	tok, err := jwt.ParseWithClaims(tokenString, &AdminClaims{}, func(t *jwt.Token) (interface{}, error) {
+		return []byte(secret), nil
+	}, jwt.WithValidMethods([]string{"HS256"}))
+	if err != nil || !tok.Valid {
+		return nil, false
+	}
+	claims, ok := tok.Claims.(*AdminClaims)
+	if !ok || claims.Username == "" {
+		return nil, false
+	}
+	return claims, true
+}
+
+// GetAdminJWTFromRequest 从请求中读取 JWT：优先 Authorization: Bearer <token>，其次 Cookie admin_session（兼容旧端）
+func GetAdminJWTFromRequest(r *http.Request) string {
+	// 1. Authorization: Bearer <token>
+	ah := r.Header.Get("Authorization")
+	if strings.HasPrefix(ah, "Bearer ") {
+		return strings.TrimSpace(ah[7:])
+	}
+	// 2. Cookie（兼容：若值为 JWT 格式则可用）
+	c, err := r.Cookie(adminCookieName)
+	if err != nil || c == nil {
+		return ""
+	}
+	return strings.TrimSpace(c.Value)
+}

soul-api/internal/auth/adminsession.go

@@ -0,0 +1,71 @@
+// Package auth 管理端 session：与 next-project lib/admin-auth.ts 的 token 格式兼容（exp.signature）
+package auth
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+)
+
+const (
+	adminCookieName = "admin_session"
+	maxAgeSec       = 7 * 24 * 3600 // 7 天
+)
+
+// CreateAdminToken 生成签名 token，格式与 next 一致：exp.base64url(hmac_sha256(exp))
+func CreateAdminToken(secret string) string {
+	exp := time.Now().Unix() + maxAgeSec
+	payload := strconv.FormatInt(exp, 10)
+	mac := hmac.New(sha256.New, []byte(secret))
+	mac.Write([]byte(payload))
+	sig := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
+	return payload + "." + sig
+}
+
+// VerifyAdminToken 校验 token：解析 exp、验签、验过期
+func VerifyAdminToken(token, secret string) bool {
+	if token == "" || secret == "" {
+		return false
+	}
+	dot := strings.Index(token, ".")
+	if dot <= 0 {
+		return false
+	}
+	payload := token[:dot]
+	sig := token[dot+1:]
+	exp, err := strconv.ParseInt(payload, 10, 64)
+	if err != nil || exp < time.Now().Unix() {
+		return false
+	}
+	mac := hmac.New(sha256.New, []byte(secret))
+	mac.Write([]byte(payload))
+	expected := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
+	return hmac.Equal([]byte(sig), []byte(expected))
+}
+
+// AdminCookieName 返回 Cookie 名
+func AdminCookieName() string { return adminCookieName }
+
+// MaxAgeSec 返回 session 有效秒数
+func MaxAgeSec() int { return maxAgeSec }
+
+// SetCookieHeaderValue 返回完整的 Set-Cookie 头内容（含 SameSite=None; Secure，供跨站时携带 Cookie）
+func SetCookieHeaderValue(token string, maxAge int) string {
+	if maxAge <= 0 {
+		return adminCookieName + "=; Path=/; Max-Age=0; HttpOnly; SameSite=None; Secure"
+	}
+	return adminCookieName + "=" + token + "; Path=/; Max-Age=" + strconv.Itoa(maxAge) + "; HttpOnly; SameSite=None; Secure"
+}
+
+// GetAdminTokenFromRequest 从请求 Cookie 中读取 admin_session
+func GetAdminTokenFromRequest(r *http.Request) string {
+	c, err := r.Cookie(adminCookieName)
+	if err != nil || c == nil {
+		return ""
+	}
+	return strings.TrimSpace(c.Value)
+}