feat: 分类/变体体系 + 用户认证 + 管理后台

- 运行时分类体系：Shell/Python/JavaScript/Ruby/PHP 各含变体
- 用户注册/登录（JWT + bcrypt），首个注册用户为管理员
- 管理后台 /admin 动态管理分类和变体
- 脚本市场支持按分类筛选
- CodeMirror 语言模式根据分类名称自动切换
- 结果页展示该分类下所有变体的运行命令
- source 命令变体用于 Shell 类继承环境变量

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

backend/internal/auth/auth.go

@@ -0,0 +1,122 @@
+package auth
+
+import (
+	"errors"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"golang.org/x/crypto/bcrypt"
+	"gorm.io/gorm"
+
+	"gitea.kmux.cn/zhilv/scriptforge/internal/model"
+)
+
+var (
+	ErrUserExists     = errors.New("username already exists")
+	ErrInvalidCredentials = errors.New("invalid username or password")
+)
+
+type AuthService struct {
+	db      *gorm.DB
+	jwtKey  []byte
+}
+
+func NewAuthService(db *gorm.DB, jwtKey string) *AuthService {
+	return &AuthService{db: db, jwtKey: []byte(jwtKey)}
+}
+
+type Claims struct {
+	UserID   uint   `json:"user_id"`
+	Username string `json:"username"`
+	Role     string `json:"role"`
+	jwt.RegisteredClaims
+}
+
+func (s *AuthService) Register(username, password string) (*model.User, error) {
+	var existing model.User
+	if err := s.db.Where("username = ?", username).First(&existing).Error; err == nil {
+		return nil, ErrUserExists
+	}
+
+	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return nil, err
+	}
+
+	// First user becomes admin
+	var userCount int64
+	s.db.Model(&model.User{}).Count(&userCount)
+	role := "user"
+	if userCount == 0 {
+		role = "admin"
+	}
+
+	user := model.User{
+		Username:     username,
+		PasswordHash: string(hash),
+		Role:         role,
+	}
+
+	if err := s.db.Create(&user).Error; err != nil {
+		return nil, err
+	}
+	return &user, nil
+}
+
+func (s *AuthService) Login(username, password string) (*model.User, string, error) {
+	var user model.User
+	if err := s.db.Where("username = ?", username).First(&user).Error; err != nil {
+		return nil, "", ErrInvalidCredentials
+	}
+
+	if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(password)); err != nil {
+		return nil, "", ErrInvalidCredentials
+	}
+
+	token, err := s.GenerateToken(user.ID, user.Username, user.Role)
+	if err != nil {
+		return nil, "", err
+	}
+	return &user, token, nil
+}
+
+func (s *AuthService) GenerateToken(userID uint, username, role string) (string, error) {
+	claims := Claims{
+		UserID:   userID,
+		Username: username,
+		Role:     role,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(7 * 24 * time.Hour)),
+		},
+	}
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	return token.SignedString(s.jwtKey)
+}
+
+func (s *AuthService) ParseToken(tokenStr string) (*Claims, error) {
+	token, err := jwt.ParseWithClaims(tokenStr, &Claims{}, func(t *jwt.Token) (interface{}, error) {
+		return s.jwtKey, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	claims, ok := token.Claims.(*Claims)
+	if !ok {
+		return nil, errors.New("invalid claims")
+	}
+	return claims, nil
+}
+
+func (s *AuthService) GetUserByID(id uint) (*model.User, error) {
+	var user model.User
+	err := s.db.First(&user, id).Error
+	return &user, err
+}
+
+func (s *AuthService) IsAdmin(userID uint) bool {
+	var user model.User
+	if err := s.db.First(&user, userID).Error; err != nil {
+		return false
+	}
+	return user.Role == "admin"
+}