Add authenticated login and SSO protection

app/api/assets/[id]/download/route.ts

@@ -1,14 +1,16 @@
 import { getAsset } from "@/lib/server/data-store";
 import { jsonError } from "@/lib/server/api";
+import { requireAppUser } from "@/lib/server/auth/current-user";
 import { readAssetForDownload } from "@/lib/server/storage";
 
 export const runtime = "nodejs";
 
 export async function GET(_request: Request, context: { params: Promise<{ id: string }> }) {
   try {
+    const user = await requireAppUser();
     const { id } = await context.params;
     const asset = await getAsset(id);
-    if (!asset) return jsonError("资产不存在", 404);
+    if (!asset || asset.ownerId !== user.id) return jsonError("资产不存在", 404);
     const file = await readAssetForDownload(asset);
     if (!file) return jsonError("资产文件不可下载", 404);
     return new Response(new Uint8Array(file.bytes), {

app/api/assets/[id]/inpaint/route.ts

@@ -1,5 +1,6 @@
 import { getAsset } from "@/lib/server/data-store";
 import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
+import { requireAppUser } from "@/lib/server/auth/current-user";
 import { requestOrigin } from "@/lib/server/runtime";
 import { saveMaskDataUrl } from "@/lib/server/storage";
 import { submitImageJob } from "@/lib/server/generation-service";
@@ -8,9 +9,10 @@ export const runtime = "nodejs";
 
 export async function POST(request: Request, context: { params: Promise<{ id: string }> }) {
   try {
+    const user = await requireAppUser();
     const { id } = await context.params;
     const asset = await getAsset(id);
-    if (!asset) return jsonError(new Error("Asset not found."), 404);
+    if (!asset || asset.ownerId !== user.id) return jsonError(new Error("Asset not found."), 404);
     const body = await readJsonBody<{
       prompt?: string;
       maskDataUrl?: string;
@@ -31,6 +33,7 @@ export async function POST(request: Request, context: { params: Promise<{ id: st
     }
     if (!maskUrl) throw new Error("maskDataUrl or maskUrl is required for inpainting.");
     const job = await submitImageJob({
+      ownerId: user.id,
       capability: "image.inpaint",
       prompt: body.prompt || "删除",
       imageUrls: [asset.url, maskUrl],

app/api/assets/[id]/route.ts

@@ -1,14 +1,16 @@
 import { deleteAsset, getAsset } from "@/lib/server/data-store";
 import { jsonError, jsonOk } from "@/lib/server/api";
+import { requireAppUser } from "@/lib/server/auth/current-user";
 import { deleteStoredAsset } from "@/lib/server/storage";
 
 export const runtime = "nodejs";
 
 export async function DELETE(_request: Request, context: { params: Promise<{ id: string }> }) {
   try {
+    const user = await requireAppUser();
     const { id } = await context.params;
     const asset = await getAsset(id);
-    if (!asset) return jsonError("资产不存在", 404);
+    if (!asset || asset.ownerId !== user.id) return jsonError("资产不存在", 404);
     await deleteStoredAsset(asset);
     await deleteAsset(id);
     return jsonOk({ ok: true, deletedAssetId: id });

app/api/assets/[id]/upscale/route.ts

@@ -1,5 +1,6 @@
 import { getAsset } from "@/lib/server/data-store";
 import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
+import { requireAppUser } from "@/lib/server/auth/current-user";
 import { requestOrigin } from "@/lib/server/runtime";
 import { submitImageJob } from "@/lib/server/generation-service";
 
@@ -7,14 +8,16 @@ export const runtime = "nodejs";
 
 export async function POST(request: Request, context: { params: Promise<{ id: string }> }) {
   try {
+    const user = await requireAppUser();
     const { id } = await context.params;
     const asset = await getAsset(id);
-    if (!asset) return jsonError(new Error("Asset not found."), 404);
+    if (!asset || asset.ownerId !== user.id) return jsonError(new Error("Asset not found."), 404);
     const body = await readJsonBody<{
       resolution?: "4k" | "8k";
       scale?: number;
     }>(request);
     const job = await submitImageJob({
+      ownerId: user.id,
       capability: "image.upscale",
       imageUrls: [asset.url],
       inputAssetIds: [asset.id],

app/api/assets/route.ts

@@ -1,13 +1,14 @@
 import { createAsset, listAssets } from "@/lib/server/data-store";
 import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
-import { DEFAULT_OWNER_ID } from "@/lib/server/runtime";
+import { requireAppUser } from "@/lib/server/auth/current-user";
 import type { AssetKind } from "@/lib/types";
 
 export const runtime = "nodejs";
 
 export async function GET() {
   try {
-    return jsonOk({ assets: await listAssets(DEFAULT_OWNER_ID) });
+    const user = await requireAppUser();
+    return jsonOk({ assets: await listAssets(user.id) });
   } catch (error) {
     return jsonError(error, 500);
   }
@@ -22,9 +23,10 @@ export async function POST(request: Request) {
       tags?: string[];
       source?: "upload" | "generated" | "edited" | "upscaled" | "external" | "seed";
     }>(request);
+    const user = await requireAppUser();
     if (!body.url) throw new Error("url is required");
     const asset = await createAsset({
-      ownerId: DEFAULT_OWNER_ID,
+      ownerId: user.id,
       kind: body.kind || "image",
       name: body.name || "外部图片",
       url: body.url,

app/api/assets/upload/route.ts

@@ -1,17 +1,19 @@
 import { jsonError, jsonOk } from "@/lib/server/api";
-import { DEFAULT_OWNER_ID, requestOrigin } from "@/lib/server/runtime";
+import { requireAppUser } from "@/lib/server/auth/current-user";
+import { requestOrigin } from "@/lib/server/runtime";
 import { saveUploadAsset } from "@/lib/server/storage";
 
 export const runtime = "nodejs";
 
 export async function POST(request: Request) {
   try {
+    const user = await requireAppUser();
     const form = await request.formData();
     const files = form.getAll("files").filter((item): item is File => item instanceof File);
     if (!files.length) throw new Error("No files uploaded.");
     const assets = await Promise.all(files.map(async (file) => {
       return saveUploadAsset({
-        ownerId: DEFAULT_OWNER_ID,
+        ownerId: user.id,
         bytes: Buffer.from(await file.arrayBuffer()),
         fileName: file.name,
         contentType: file.type || "application/octet-stream",

app/api/auth/callback/route.ts

@@ -0,0 +1,11 @@
+import { completeAuthorizationCallback, redirectToLoginWithError } from "@/lib/server/auth/oauth";
+
+export const runtime = "nodejs";
+
+export async function GET(request: Request) {
+  try {
+    return await completeAuthorizationCallback(request);
+  } catch {
+    return redirectToLoginWithError(request, "callback_failed");
+  }
+}

app/api/auth/captcha/route.ts

@@ -0,0 +1,25 @@
+import { getAuthRuntimeConfig } from "@/lib/auth/config";
+import { jsonError } from "@/lib/server/api";
+
+export const runtime = "nodejs";
+
+export async function GET(request: Request) {
+  try {
+    const config = getAuthRuntimeConfig();
+    if (!config.authBaseUrl) throw new Error("认证中心地址未配置。");
+    const randomStr = new URL(request.url).searchParams.get("randomStr")?.trim();
+    if (!randomStr) throw new Error("randomStr is required.");
+    const response = await fetch(`${config.authBaseUrl}/code/image?randomStr=${encodeURIComponent(randomStr)}`, {
+      cache: "no-store"
+    });
+    if (!response.ok) throw new Error(`验证码获取失败：${response.status}`);
+    return new Response(new Uint8Array(await response.arrayBuffer()), {
+      headers: {
+        "Content-Type": response.headers.get("content-type") || "image/png",
+        "Cache-Control": "no-store"
+      }
+    });
+  } catch (error) {
+    return jsonError(error, 500);
+  }
+}

app/api/auth/login/route.ts

@@ -0,0 +1,11 @@
+import { createAuthorizeRedirect, redirectToLoginWithError } from "@/lib/server/auth/oauth";
+
+export const runtime = "nodejs";
+
+export async function GET(request: Request) {
+  try {
+    return await createAuthorizeRedirect(request);
+  } catch {
+    return redirectToLoginWithError(request, "auth_not_configured");
+  }
+}

app/api/auth/logout/route.ts

@@ -0,0 +1,11 @@
+import { clearAuthCookies } from "@/lib/server/auth/oauth";
+
+export const runtime = "nodejs";
+
+export async function GET(request: Request) {
+  return clearAuthCookies(request);
+}
+
+export async function POST(request: Request) {
+  return clearAuthCookies(request);
+}

app/api/auth/me/route.ts

@@ -0,0 +1,16 @@
+import { getAuthRuntimeConfig } from "@/lib/auth/config";
+import { jsonOk } from "@/lib/server/api";
+import { getOptionalAuthSession } from "@/lib/server/auth/current-user";
+
+export const runtime = "nodejs";
+
+export async function GET() {
+  const config = getAuthRuntimeConfig();
+  const session = await getOptionalAuthSession();
+  return jsonOk({
+    authenticated: Boolean(session),
+    authRequired: config.required,
+    authConfigured: config.configured,
+    user: session?.user || null
+  });
+}

app/api/auth/password/route.ts

@@ -0,0 +1,119 @@
+import { SESSION_COOKIE_NAME, getAuthRuntimeConfig, safeNextPath, shouldUseSecureAuthCookie } from "@/lib/auth/config";
+import { createSessionCookieValue } from "@/lib/auth/session";
+import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
+import { createSessionFromClaims, verifyAuthJwt } from "@/lib/server/auth/jwt";
+
+export const runtime = "nodejs";
+
+type PasswordTokenResponse = {
+  access_token?: string;
+  refresh_token?: string;
+  expires_in?: string | number;
+  token_type?: string;
+  error?: string;
+  error_description?: string;
+  msg?: string;
+  message?: string;
+  [key: string]: unknown;
+};
+
+export async function POST(request: Request) {
+  try {
+    const config = getAuthRuntimeConfig();
+    if (!config.configured || !config.tokenUrl || !config.clientSecret || !config.sessionSecret) {
+      throw new PasswordLoginError(`认证配置不完整：${config.missing.join(", ") || "未知配置"}`, 500);
+    }
+    const body = await readJsonBody<{
+      username?: string;
+      password?: string;
+      code?: string;
+      randomStr?: string;
+      next?: string;
+    }>(request);
+    const username = body.username?.trim();
+    const password = body.password || "";
+    const code = body.code?.trim();
+    const randomStr = body.randomStr?.trim();
+    if (!username || !password || !code || !randomStr) throw new PasswordLoginError("账号、密码和验证码不能为空。");
+
+    const token = await exchangePasswordToken({
+      tokenUrl: config.tokenUrl,
+      clientId: config.clientId,
+      clientSecret: config.clientSecret,
+      scope: config.scope,
+      username,
+      password,
+      code,
+      randomStr
+    });
+    if (!token.access_token) throw new PasswordLoginError("认证中心没有返回 access_token。", 502);
+    const claims = await verifyAuthJwt(token.access_token, config);
+    const session = createSessionFromClaims(claims, config, parseExpiresIn(token.expires_in));
+    const response = jsonOk({
+      ok: true,
+      redirectTo: safeNextPath(body.next),
+      user: session.user
+    });
+    response.cookies.set(SESSION_COOKIE_NAME, await createSessionCookieValue(session, config.sessionSecret), {
+      httpOnly: true,
+      sameSite: "lax",
+      secure: shouldUseSecureAuthCookie(request.url),
+      path: "/",
+      expires: new Date(session.expiresAt * 1000)
+    });
+    return response;
+  } catch (error) {
+    return jsonError(error, 401);
+  }
+}
+
+async function exchangePasswordToken(input: {
+  tokenUrl: string;
+  clientId: string;
+  clientSecret: string;
+  scope: string;
+  username: string;
+  password: string;
+  code: string;
+  randomStr: string;
+}): Promise<PasswordTokenResponse> {
+  const form = new URLSearchParams();
+  form.set("grant_type", "password");
+  form.set("scope", input.scope);
+  form.set("username", input.username);
+  form.set("password", input.password);
+  form.set("code", input.code);
+  form.set("randomStr", input.randomStr);
+  const response = await fetch(input.tokenUrl, {
+    method: "POST",
+    headers: {
+      Authorization: `Basic ${Buffer.from(`${input.clientId}:${input.clientSecret}`).toString("base64")}`,
+      "Content-Type": "application/x-www-form-urlencoded"
+    },
+    body: form
+  });
+  const payload = await response.json().catch(() => ({})) as PasswordTokenResponse;
+  if (!response.ok) {
+    throw new PasswordLoginError(payload.error_description || payload.msg || payload.message || payload.error || "登录失败。", response.status);
+  }
+  return payload;
+}
+
+function parseExpiresIn(value: string | number | undefined): number | undefined {
+  if (typeof value === "number" && Number.isFinite(value)) return value;
+  if (typeof value === "string" && value.trim()) {
+    const parsed = Number(value);
+    if (Number.isFinite(parsed)) return parsed;
+  }
+  return undefined;
+}
+
+class PasswordLoginError extends Error {
+  status: number;
+
+  constructor(message: string, status = 400) {
+    super(message);
+    this.name = "PasswordLoginError";
+    this.status = status;
+  }
+}

app/api/generations/image/[id]/retry/route.ts

@@ -1,4 +1,5 @@
 import { jsonError, jsonOk } from "@/lib/server/api";
+import { requireAppUser } from "@/lib/server/auth/current-user";
 import { requestOrigin } from "@/lib/server/runtime";
 import { retryImageJob } from "@/lib/server/generation-service";
 
@@ -6,8 +7,9 @@ export const runtime = "nodejs";
 
 export async function POST(request: Request, context: { params: Promise<{ id: string }> }) {
   try {
+    const user = await requireAppUser();
     const { id } = await context.params;
-    const job = await retryImageJob(id, requestOrigin(request));
+    const job = await retryImageJob(id, requestOrigin(request), user.id);
     return jsonOk({ job }, { status: 202 });
   } catch (error) {
     return jsonError(error);

app/api/generations/image/[id]/route.ts

@@ -1,14 +1,16 @@
 import { deleteAsset, deleteGenerationJob, getAsset, getGenerationJob } from "@/lib/server/data-store";
 import { jsonError, jsonOk } from "@/lib/server/api";
+import { requireAppUser } from "@/lib/server/auth/current-user";
 import { deleteStoredAsset } from "@/lib/server/storage";
 
 export const runtime = "nodejs";
 
 export async function GET(_request: Request, context: { params: Promise<{ id: string }> }) {
   try {
+    const user = await requireAppUser();
     const { id } = await context.params;
     const job = await getGenerationJob(id);
-    if (!job) return jsonError(new Error("Generation job not found."), 404);
+    if (!job || job.ownerId !== user.id) return jsonError(new Error("Generation job not found."), 404);
     return jsonOk({ job });
   } catch (error) {
     return jsonError(error, 500);
@@ -17,9 +19,10 @@ export async function GET(_request: Request, context: { params: Promise<{ id: st
 
 export async function DELETE(_request: Request, context: { params: Promise<{ id: string }> }) {
   try {
+    const user = await requireAppUser();
     const { id } = await context.params;
     const job = await getGenerationJob(id);
-    if (!job || job.capability === "video.generate") return jsonError("任务不存在", 404);
+    if (!job || job.ownerId !== user.id || job.capability === "video.generate") return jsonError("任务不存在", 404);
     const deletedAssetIds: string[] = [];
     for (const assetId of job.outputAssetIds) {
       const asset = await getAsset(assetId);

app/api/generations/image/route.ts

@@ -1,5 +1,6 @@
 import { getGenerationJob, listGenerationJobs } from "@/lib/server/data-store";
 import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
+import { requireAppUser } from "@/lib/server/auth/current-user";
 import { requestOrigin } from "@/lib/server/runtime";
 import { submitImageJob } from "@/lib/server/generation-service";
 import { assemblePrompt, type PromptAssemblyInput, type PromptMaterial } from "@/lib/prompt/assembler";
@@ -9,7 +10,8 @@ export const runtime = "nodejs";
 
 export async function GET() {
   try {
-    const jobs = (await listGenerationJobs()).filter((job) => job.capability !== "video.generate");
+    const user = await requireAppUser();
+    const jobs = (await listGenerationJobs(user.id)).filter((job) => job.capability !== "video.generate");
     return jsonOk({ jobs });
   } catch (error) {
     return jsonError(error, 500);
@@ -18,6 +20,7 @@ export async function GET() {
 
 export async function POST(request: Request) {
   try {
+    const user = await requireAppUser();
     const body = await readJsonBody<{
       capability?: EnabledImageCapability;
       prompt?: string;
@@ -41,6 +44,7 @@ export async function POST(request: Request) {
       .filter((material) => material.type === "image")
       .map((material) => material.url);
     const job = await submitImageJob({
+      ownerId: user.id,
       capability,
       prompt: body.prompt || assembled?.prompt,
       imageUrls: body.imageUrls || materialImages,

app/api/generations/video/[id]/route.ts

@@ -1,14 +1,16 @@
 import { deleteAsset, deleteGenerationJob, getAsset, getGenerationJob } from "@/lib/server/data-store";
 import { jsonError, jsonOk } from "@/lib/server/api";
+import { requireAppUser } from "@/lib/server/auth/current-user";
 import { deleteStoredAsset } from "@/lib/server/storage";
 
 export const runtime = "nodejs";
 
 export async function GET(_request: Request, context: { params: Promise<{ id: string }> }) {
   try {
+    const user = await requireAppUser();
     const { id } = await context.params;
     const job = await getGenerationJob(id);
-    if (!job) return jsonError(new Error("Generation job not found."), 404);
+    if (!job || job.ownerId !== user.id) return jsonError(new Error("Generation job not found."), 404);
     return jsonOk({ job });
   } catch (error) {
     return jsonError(error, 500);
@@ -17,9 +19,10 @@ export async function GET(_request: Request, context: { params: Promise<{ id: st
 
 export async function DELETE(_request: Request, context: { params: Promise<{ id: string }> }) {
   try {
+    const user = await requireAppUser();
     const { id } = await context.params;
     const job = await getGenerationJob(id);
-    if (!job || job.capability !== "video.generate") return jsonError("任务不存在", 404);
+    if (!job || job.ownerId !== user.id || job.capability !== "video.generate") return jsonError("任务不存在", 404);
     const deletedAssetIds: string[] = [];
     for (const assetId of job.outputAssetIds) {
       const asset = await getAsset(assetId);

app/api/generations/video/route.ts

@@ -1,5 +1,6 @@
 import { listGenerationJobs } from "@/lib/server/data-store";
 import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
+import { requireAppUser } from "@/lib/server/auth/current-user";
 import { requestOrigin } from "@/lib/server/runtime";
 import { submitVideoJob, type SubmitVideoJobInput } from "@/lib/server/video-generation-service";
 
@@ -7,7 +8,8 @@ export const runtime = "nodejs";
 
 export async function GET() {
   try {
-    const jobs = (await listGenerationJobs()).filter((job) => job.capability === "video.generate");
+    const user = await requireAppUser();
+    const jobs = (await listGenerationJobs(user.id)).filter((job) => job.capability === "video.generate");
     return jsonOk({ jobs });
   } catch (error) {
     return jsonError(error, 500);
@@ -16,8 +18,9 @@ export async function GET() {
 
 export async function POST(request: Request) {
   try {
+    const user = await requireAppUser();
     const body = await readJsonBody<SubmitVideoJobInput & Record<string, unknown>>(request);
-    const job = await submitVideoJob(body, requestOrigin(request));
+    const job = await submitVideoJob({ ...body, ownerId: user.id }, requestOrigin(request));
     return jsonOk({ job }, { status: 202 });
   } catch (error) {
     return jsonError(error);

app/api/health/route.ts

@@ -1,4 +1,5 @@
 import { jsonOk } from "@/lib/server/api";
+import { authConfigSummary, getAuthRuntimeConfig } from "@/lib/auth/config";
 import { getEffectiveImageEngine, getEvolinkImageSettings, shouldMockEvolinkApi } from "@/lib/evolink/image-client";
 import { getVisibleImageCapabilities } from "@/lib/jimeng/capabilities";
 import { shouldMockVisualApi } from "@/lib/volcengine/visual-client";
@@ -8,6 +9,7 @@ export const runtime = "nodejs";
 
 export async function GET() {
   const evolink = getEvolinkImageSettings();
+  const auth = getAuthRuntimeConfig();
   return jsonOk({
     ok: true,
     appId: "zhinian-web-studio",
@@ -15,6 +17,7 @@ export async function GET() {
     visualApiMode: shouldMockVisualApi() ? "mock" : "volcengine",
     evolinkMode: shouldMockEvolinkApi() ? "mock" : "evolink",
     seedanceMode: shouldMockSeedance() ? "mock" : "seedance",
+    authMode: authConfigSummary(auth),
     capabilities: [
       ...getVisibleImageCapabilities().map((capability) => {
         const engine = getEffectiveImageEngine(capability.id);

app/api/prompt/assemble/route.ts

@@ -1,10 +1,12 @@
 import { assemblePrompt, type PromptAssemblyInput } from "@/lib/prompt/assembler";
 import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
+import { requireAppUser } from "@/lib/server/auth/current-user";
 
 export const runtime = "nodejs";
 
 export async function POST(request: Request) {
   try {
+    await requireAppUser();
     const body = await readJsonBody<PromptAssemblyInput & Record<string, unknown>>(request);
     return jsonOk(assemblePrompt(body));
   } catch (error) {

app/api/settings/route.ts

@@ -1,10 +1,12 @@
 import { getApiSettings, saveApiSettings } from "@/lib/server/app-settings";
 import { jsonError, jsonOk, readJsonBody } from "@/lib/server/api";
+import { requireAppUser } from "@/lib/server/auth/current-user";
 
 export const runtime = "nodejs";
 
 export async function GET() {
   try {
+    await requireAppUser();
     return jsonOk(await getApiSettings());
   } catch (error) {
     return jsonError(error, 500);
@@ -13,6 +15,7 @@ export async function GET() {
 
 export async function POST(request: Request) {
   try {
+    await requireAppUser();
     const body = await readJsonBody<{ values?: Record<string, unknown> }>(request);
     return jsonOk(await saveApiSettings(body.values || {}));
   } catch (error) {

app/auth/login/page.tsx

@@ -0,0 +1,38 @@
+import { redirect } from "next/navigation";
+import { AuthLoginPanel } from "@/components/auth-login-panel";
+import { getAuthRuntimeConfig, safeNextPath } from "@/lib/auth/config";
+import { getOptionalAuthSession } from "@/lib/server/auth/current-user";
+
+const errorMessages: Record<string, string> = {
+  auth_not_configured: "认证配置不完整，请先在服务器环境变量中配置 SSO。",
+  callback_failed: "登录回调处理失败，请重新登录。",
+  state_invalid: "登录状态已失效，请重新登录。"
+};
+
+export default async function LoginPage({
+  searchParams
+}: {
+  searchParams?: Promise<Record<string, string | string[] | undefined>>;
+}) {
+  const params = await searchParams;
+  const next = safeNextPath(singleParam(params?.next));
+  const session = await getOptionalAuthSession();
+  if (session) redirect(next);
+
+  const config = getAuthRuntimeConfig();
+  const errorCode = singleParam(params?.error);
+  const message = errorCode ? errorMessages[errorCode] || "登录失败，请重新登录。" : null;
+
+  return (
+    <AuthLoginPanel
+      next={next}
+      configured={config.configured}
+      message={message}
+      missing={!config.configured && config.required ? config.missing : []}
+    />
+  );
+}
+
+function singleParam(value: string | string[] | undefined): string | undefined {
+  return Array.isArray(value) ? value[0] : value;
+}

app/generated-results/[...path]/route.ts

@@ -1,9 +1,14 @@
+import { getAssetByStoragePath } from "@/lib/server/data-store";
+import { requireAppUser } from "@/lib/server/auth/current-user";
 import { readLocalServedFile } from "@/lib/server/storage";
 
 export const runtime = "nodejs";
 
 export async function GET(_request: Request, context: { params: Promise<{ path: string[] }> }) {
+  const user = await requireAppUser();
   const { path } = await context.params;
+  const asset = await getAssetByStoragePath(["generated-results", ...path].join("/"));
+  if (!asset || asset.ownerId !== user.id) return new Response("Not found", { status: 404 });
   const file = await readLocalServedFile("generated-results", path);
   if (!file) return new Response("Not found", { status: 404 });
   return new Response(new Uint8Array(file.bytes), {

app/globals.css

@@ -2455,7 +2455,7 @@ button:active:not(:disabled),
   }
 
   .settings-tabs {
-    grid-template-columns: repeat(5, minmax(0, 1fr));
+    grid-template-columns: repeat(6, minmax(0, 1fr));
   }
 
   .asset-view-switch button,
@@ -2513,3 +2513,225 @@ button:active:not(:disabled),
     margin-bottom: 10px;
   }
 }
+
+.topbar-account {
+  justify-self: end;
+  display: inline-flex;
+  align-items: center;
+  gap: 8px;
+  min-width: 0;
+}
+
+.account-chip {
+  min-height: 38px;
+  max-width: 190px;
+  display: inline-flex;
+  align-items: center;
+  gap: 7px;
+  padding: 0 11px;
+  border: 1px solid var(--line);
+  border-radius: 999px;
+  background: rgba(255, 255, 255, 0.72);
+  color: var(--muted-strong);
+  font-size: 13px;
+  font-weight: 800;
+  white-space: nowrap;
+}
+
+.account-chip span {
+  min-width: 0;
+  overflow: hidden;
+  text-overflow: ellipsis;
+}
+
+.account-chip svg,
+.logout-button svg,
+.login-link svg {
+  width: 16px;
+  height: 16px;
+  flex: 0 0 auto;
+}
+
+.logout-button {
+  width: 38px;
+  min-height: 38px;
+  padding: 0;
+  border-radius: 999px;
+}
+
+.auth-shell {
+  min-height: 100dvh;
+  background:
+    linear-gradient(90deg, rgba(220, 227, 221, 0.55) 1px, transparent 1px),
+    linear-gradient(180deg, rgba(220, 227, 221, 0.45) 1px, transparent 1px),
+    var(--bg);
+  background-size: 44px 44px;
+}
+
+.auth-main {
+  width: 100%;
+  min-height: 100dvh;
+  padding: 0;
+}
+
+.auth-page {
+  min-height: 100dvh;
+  width: min(1120px, 100%);
+  margin: 0 auto;
+  display: grid;
+  grid-template-columns: minmax(280px, 0.9fr) minmax(340px, 440px);
+  align-items: center;
+  gap: clamp(28px, 6vw, 72px);
+  padding: clamp(36px, 8vw, 76px) 24px;
+}
+
+.auth-brand-panel {
+  display: grid;
+  justify-items: start;
+  gap: 16px;
+}
+
+.auth-brand-logo {
+  display: block;
+  width: min(292px, 76vw);
+  height: auto;
+  object-fit: contain;
+}
+
+.auth-brand-panel h1 {
+  margin: 0;
+  max-width: 9em;
+  font-size: clamp(36px, 5vw, 58px);
+  line-height: 1.05;
+  font-weight: 900;
+  color: var(--ink);
+}
+
+.auth-panel {
+  width: 100%;
+  display: grid;
+  justify-items: stretch;
+  gap: 18px;
+  padding: 28px;
+}
+
+.auth-panel h2 {
+  margin: 0;
+  font-size: 24px;
+  line-height: 1.2;
+}
+
+.auth-password-form {
+  width: 100%;
+  display: grid;
+  gap: 14px;
+}
+
+.auth-password-form .field {
+  margin-bottom: 0;
+}
+
+.auth-captcha-row {
+  display: grid;
+  grid-template-columns: minmax(0, 1fr) 118px;
+  gap: 8px;
+  align-items: center;
+}
+
+.auth-captcha-button {
+  height: 44px;
+  border: 1px solid var(--line);
+  border-radius: 8px;
+  background: #ffffff;
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  padding: 0;
+  overflow: hidden;
+}
+
+.auth-captcha-button img {
+  width: 100%;
+  height: 100%;
+  display: block;
+  object-fit: cover;
+}
+
+.auth-submit,
+.auth-submit.button {
+  width: 100%;
+  min-height: 46px;
+}
+
+@media (max-width: 920px) {
+  .topbar {
+    grid-template-columns: auto minmax(0, 1fr) auto;
+  }
+
+  .top-nav {
+    justify-self: center;
+  }
+
+  .account-chip {
+    max-width: 150px;
+  }
+}
+
+@media (max-width: 700px) {
+  .topbar-account {
+    grid-column: 1 / -1;
+    justify-self: stretch;
+    justify-content: flex-end;
+  }
+
+  .account-chip {
+    max-width: min(260px, calc(100vw - 92px));
+  }
+
+  .auth-page {
+    grid-template-columns: 1fr;
+    align-content: center;
+    gap: 24px;
+    padding: 34px 14px;
+  }
+
+  .auth-brand-panel {
+    justify-items: center;
+    text-align: center;
+    gap: 10px;
+  }
+
+  .auth-brand-panel h1 {
+    font-size: 34px;
+  }
+
+  .auth-panel {
+    padding: 20px;
+  }
+}
+
+@media (max-width: 560px) {
+  .topbar {
+    grid-template-columns: auto minmax(0, 1fr);
+  }
+
+  .topbar-account {
+    padding-top: 0;
+  }
+
+  .account-chip {
+    min-height: 34px;
+    max-width: calc(100vw - 78px);
+    padding: 0 9px;
+    font-size: 12px;
+  }
+
+  .logout-button {
+    width: 34px;
+    min-height: 34px;
+  }
+
+  .auth-captcha-row {
+    grid-template-columns: minmax(0, 1fr) 104px;
+  }
+}

app/layout.tsx

@@ -1,5 +1,6 @@
 import type { Metadata } from "next";
 import { AppShell } from "@/components/app-shell";
+import { getShellAuthState } from "@/lib/server/auth/current-user";
 import "./globals.css";
 
 export const metadata: Metadata = {
@@ -7,11 +8,12 @@ export const metadata: Metadata = {
   description: "智念AIGC平台：统一创作图片、视频、局部重绘与智能超清。"
 };
 
-export default function RootLayout({ children }: { children: React.ReactNode }) {
+export default async function RootLayout({ children }: { children: React.ReactNode }) {
+  const auth = await getShellAuthState();
   return (
     <html lang="zh-CN">
       <body>
-        <AppShell>{children}</AppShell>
+        <AppShell user={auth.user} authRequired={auth.authRequired}>{children}</AppShell>
       </body>
     </html>
   );

app/uploads/[...path]/route.ts

@@ -1,9 +1,14 @@
+import { getAssetByStoragePath } from "@/lib/server/data-store";
+import { requireAppUser } from "@/lib/server/auth/current-user";
 import { readLocalServedFile } from "@/lib/server/storage";
 
 export const runtime = "nodejs";
 
 export async function GET(_request: Request, context: { params: Promise<{ path: string[] }> }) {
+  const user = await requireAppUser();
   const { path } = await context.params;
+  const asset = await getAssetByStoragePath(["uploads", ...path].join("/"));
+  if (!asset || asset.ownerId !== user.id) return new Response("Not found", { status: 404 });
   const file = await readLocalServedFile("uploads", path);
   if (!file) return new Response("Not found", { status: 404 });
   return new Response(new Uint8Array(file.bytes), {