From 19fa8b381c41198f8e2cc9767a4332198c78f101 Mon Sep 17 00:00:00 2001
From: luorijun
Date: Fri, 9 Jan 2026 17:22:02 +0800
Subject: [PATCH] =?UTF-8?q?=E6=89=A9=E5=B1=95=E4=BB=A4=E7=89=8C=E5=86=85?= =?UTF-8?q?=E7=9C=81=E5=87=BD=E6=95=B0=E4=BB=A5=E6=94=AF=E6=8C=81=E5=A4=9A?= =?UTF-8?q?=E8=B4=A6=E5=8F=B7=E6=B1=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 web/auth/endpoints.go | 48 +++++++++++++++++++++++++++++++++++--------
 1 file changed, 40 insertions(+), 8 deletions(-)

diff --git a/web/auth/endpoints.go b/web/auth/endpoints.go
index d8e757d..3cb12e5 100644
--- a/web/auth/endpoints.go
+++ b/web/auth/endpoints.go
@@ -490,12 +490,23 @@ type RevokeReq struct {

 // Introspect 令牌检查端点
 func Introspect(ctx *fiber.Ctx) error {
- // 验证权限
- authCtx, err := GetAuthCtx(ctx).PermitUser()
- if err != nil {
- return err
+ authCtx := GetAuthCtx(ctx)
+
+ // 尝试验证用户权限
+ if _, err := authCtx.PermitUser(); err == nil {
+ return introspectUser(ctx, authCtx)
 }

+ // 尝试验证管理员权限
+ if _, err := authCtx.PermitAdmin(); err == nil {
+ return introspectAdmin(ctx, authCtx)
+ }
+
+ return ErrAuthenticateForbidden
+}
+
+// introspectUser 获取并返回用户信息
+func introspectUser(ctx *fiber.Ctx, authCtx *AuthCtx) error {
 // 获取用户信息
 profile, err := q.User.
 Where(q.User.ID.Eq(authCtx.User.ID)).
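Review bot: In `Introspect` the errors from `PermitUser()` and `PermitAdmin()` are both discarded and every failure is reported as `ErrAuthenticateForbidden`, whereas the removed code returned PermitUser's own error. If those checks can fail for different reasons (their bodies are not in this hunk), clients and logs can no longer tell a missing or expired credential from a denied one; keeping the first error (`_, userErr := authCtx.PermitUser()`) and returning or logging it when the admin check also fails would preserve that. The value returned by the permit calls is dropped as well, and the unchecked `authCtx` is handed to helpers that dereference `authCtx.User.ID` and `authCtx.Admin.ID`. Passing the checked value instead, `if uc, err := authCtx.PermitUser(); err == nil { return introspectUser(ctx, uc) }` (assuming it is still an `*AuthCtx`), keeps the helpers tied to the context that was actually validated. The body of `introspectUser` continues past the end of this hunk.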
@@ -519,12 +530,33 @@ func Introspect(ctx *fiber.Ctx) error {
 if profile.IDNo != nil && *profile.IDNo != "" {
 profile.IDNo = u.P(maskIdNo(*profile.IDNo))
 }
- return ctx.JSON(IntrospectResp{*profile, hasPassword})
+
+ return ctx.JSON(struct {
+ m.User
+ HasPassword bool `json:"has_password"` // 是否设置了密码
+ }{*profile, hasPassword})
 }

-type IntrospectResp struct {
- m.User
- HasPassword bool `json:"has_password"` // 是否设置了密码
+// introspectAdmin 获取并返回管理员信息
+func introspectAdmin(ctx *fiber.Ctx, authCtx *AuthCtx) error {
+ // 获取管理员信息
+ profile, err := q.Admin.
+ Where(q.Admin.ID.Eq(authCtx.Admin.ID)).
+ Omit(q.Admin.DeletedAt).
+ Take()
+ if err != nil {
+ return err
+ }
+
+ // 不返回密码
+ profile.Password = ""
+
+ // 掩码敏感信息
+ if profile.Phone != nil && *profile.Phone != "" {
+ profile.Phone = u.P(maskPhone(*profile.Phone))
+ }
+
+ return ctx.JSON(profile)
 }

 func maskPhone(phone string) string {
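Review bot: `introspectAdmin` returns the whole admin row through `ctx.JSON(profile)` and protects it with a denylist (blank `Password`, mask `Phone`), so any other column on the admin model, present now or added later, is exposed by default. A small response struct listing only the fields the client needs would make exposure opt-in; the anonymous struct embedding `m.User` in the user path has the same shape. The password value is also still read from the database before being blanked; if the generated query exposes that column, excluding it in the query (`Omit(q.Admin.DeletedAt, q.Admin.Password)`) avoids loading it at all. Unless the model tags the field `json:"-"` or `omitempty` (not visible here), the response will still carry an empty password key.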