security: harden admin password change and production session headers

routes/admin_api/account_api.py

@@ -14,15 +14,35 @@ from routes.decorators import admin_required
 @admin_api_bp.route("/admin/password", methods=["PUT"])
 @admin_required
 def update_admin_password():
-    """修改管理员密码"""
+    """修改管理员密码（要求提供当前密码并校验新密码强度）"""
     data = request.json or {}
+    current_password = (data.get("current_password") or "").strip()
     new_password = (data.get("new_password") or "").strip()
 
+    if not current_password:
+        return jsonify({"error": "当前密码不能为空"}), 400
+
     if not new_password:
-        return jsonify({"error": "密码不能为空"}), 400
+        return jsonify({"error": "新密码不能为空"}), 400
+
+    if current_password == new_password:
+        return jsonify({"error": "新密码不能与当前密码相同"}), 400
+
+    is_valid, error_msg = validate_password(new_password)
+    if not is_valid:
+        return jsonify({"error": error_msg}), 400
 
     username = session.get("admin_username")
+    if not username:
+        return jsonify({"error": "未登录"}), 401
+
+    admin = database.verify_admin(username, current_password)
+    if not admin:
+        return jsonify({"error": "当前密码错误"}), 401
+
     if database.update_admin_password(username, new_password):
+        session["admin_reauth_until"] = 0
+        session.modified = True
         return jsonify({"success": True})
     return jsonify({"error": "修改失败"}), 400