chore(release): v1.0.7

- README/CHANGELOG: add v1.0.7 entry\n- Server: JWT expiry validated server-side (401 codes)\n- Web: logout/redirect on 401; proxy forwards Authorization\n- Server: bill service uses repository consistently

server/handler/auth.go

@@ -3,6 +3,7 @@ package handler
 import (
 	"crypto/sha256"
 	"encoding/hex"
+	"errors"
 	"net/http"
 	"time"
 
@@ -131,6 +132,7 @@ func ValidateToken(c *gin.Context) {
 		c.JSON(http.StatusUnauthorized, gin.H{
 			"success": false,
 			"error":   "未提供 Token",
+			"code":    "TOKEN_MISSING",
 		})
 		return
 	}
@@ -147,12 +149,20 @@ func ValidateToken(c *gin.Context) {
 
 	token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {
 		return []byte(secret), nil
-	})
+	}, jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Name}))
 
 	if err != nil || !token.Valid {
+		code := "TOKEN_INVALID"
+		message := "Token 无效"
+		if err != nil && errors.Is(err, jwt.ErrTokenExpired) {
+			code = "TOKEN_EXPIRED"
+			message = "Token 已过期"
+		}
+
 		c.JSON(http.StatusUnauthorized, gin.H{
 			"success": false,
-			"error":   "Token 无效或已过期",
+			"error":   message,
+			"code":    code,
 		})
 		return
 	}
@@ -162,6 +172,7 @@ func ValidateToken(c *gin.Context) {
 		c.JSON(http.StatusUnauthorized, gin.H{
 			"success": false,
 			"error":   "Token 解析失败",
+			"code":    "TOKEN_INVALID",
 		})
 		return
 	}

server/handler/review.go

@@ -69,4 +69,3 @@ func Review(c *gin.Context) {
 		},
 	})
 }
-