fix: disable provenance in docker build to fix GitLab Registry 0B display

Add `--provenance=false` flag to `docker build` command. This stops Docker BuildKit
from generating OCI Referrers/attestations, which are not correctly parsed by GitLab
Container Registry and cause the UI to display 0B size and "missing manifest digest" errors.

.dockerignore

@@ -1,4 +1,6 @@
 delta-force-guide-server.iml
 build/
+!.gitlab-ci.yml
+!build/libs/*.jar
 .idea/
 .gradle

.github/workflows/build-and-deploy.yml

@@ -0,0 +1,127 @@
+name: Build and Deploy
+
+on:
+  release:
+    types: [published]
+
+env:
+  APP_NAME: delta-force-guide-server
+  IMAGE_REGISTRY: ${{ vars.GITLAB_REGISTRY }}
+  IMAGE_NAME: ${{ vars.GITLAB_IMAGE_NAME }}
+
+jobs:
+  # ================================================================
+  # Job 1 — Package: build the JAR with Gradle
+  # ================================================================
+  package:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up JDK 21 (Corretto)
+        uses: actions/setup-java@v4
+        with:
+          java-version: 21
+          distribution: corretto
+          cache: gradle
+
+      - name: Set up Gradle
+        uses: gradle/actions/setup-gradle@v4
+
+      - name: Build with Gradle
+        run: ./gradlew build
+
+      - name: Upload JAR artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: app-jar
+          path: build/libs/delta-force-guide-server-*.jar
+          retention-days: 1
+
+  # ================================================================
+  # Job 2 — Build & push Docker image to GitHub Container Registry
+  # ================================================================
+  build-and-push:
+    needs: package
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download JAR artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: app-jar
+          path: build/libs
+
+      - name: Resolve JAR file path
+        id: jar
+        run: echo "file=$(ls build/libs/delta-force-guide-server-*.jar | head -1)" >> "$GITHUB_OUTPUT"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitLab Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.IMAGE_REGISTRY }}
+          username: ${{ vars.GITLAB_REGISTRY_USER }}
+          password: ${{ secrets.GITLAB_REGISTRY_PASSWORD }}
+
+      - name: Generate image tags
+        id: meta
+        run: |
+          echo "version=${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}" >> "$GITHUB_OUTPUT"
+          echo "latest=${{ env.IMAGE_NAME }}:latest" >> "$GITHUB_OUTPUT"
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: Dockerfile.ci
+          build-args: JAR_FILE=${{ steps.jar.outputs.file }}
+          push: true
+          tags: |
+            ${{ steps.meta.outputs.version }}
+            ${{ steps.meta.outputs.latest }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+  # ================================================================
+  # Job 3 — Deploy on the target server via SSH
+  # ================================================================
+  deploy:
+    needs: build-and-push
+    runs-on: ubuntu-latest
+    steps:
+      - name: Deploy via SSH
+        uses: appleboy/ssh-action@v1.2.0
+        with:
+          host: ${{ secrets.DEPLOY_HOST }}
+          username: ${{ secrets.DEPLOY_USER }}
+          key: ${{ secrets.DEPLOY_SSH_KEY }}
+          script: |
+            set -e
+
+            echo '=== Pulling image ==='
+            echo '${{ secrets.GITLAB_REGISTRY_PASSWORD }}' | docker login ${{ env.IMAGE_REGISTRY }} \
+              -u ${{ vars.GITLAB_REGISTRY_USER }} --password-stdin
+            docker pull ${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+
+            echo '=== Stopping old container ==='
+            docker stop ${{ env.APP_NAME }} || true
+            docker rm ${{ env.APP_NAME }} || true
+
+            echo '=== Starting new container ==='
+            docker run -d \
+              --name ${{ env.APP_NAME }} \
+              --restart unless-stopped \
+              -p ${DEPLOY_PORT:-8080}:8080 \
+              ${{ env.IMAGE_NAME }}:${{ github.event.release.tag_name }}
+
+            echo '=== Cleaning up old images ==='
+            docker image prune -f
+
+            echo '=== Deployment complete ==='

.gitignore

@@ -143,6 +143,13 @@ test/
 gradle-app.setting
 .gradletasknamecache
 
+### Claude Code
+.claude/settings.local.json
+.claude/memory/
+.claude/plans/
+.claude/worktrees/
+.claude/scheduled_tasks.json
+
 # Eclipse Gradle plugin generated files
 # Eclipse Core
 .project

.gitlab-ci.yml

@@ -0,0 +1,58 @@
+variables:
+  GRADLE_OPTS: -Dorg.gradle.daemon=false
+  DOCKER_HOST: unix:///var/run/docker.sock
+
+stages:
+  - build
+  - package
+  - deploy
+
+build:
+  stage: build
+  image: amazoncorretto:21-alpine
+  cache:
+    key: gradle
+    paths:
+      - .gradle/wrapper
+      - .gradle/caches
+  before_script:
+    - chmod +x gradlew
+  script:
+    - ./gradlew bootJar -x test -PartefactVersion="$CI_COMMIT_TAG"
+  artifacts:
+    paths:
+      - build/libs/*.jar
+    expire_in: 30 min
+  rules:
+    - if: $CI_COMMIT_TAG
+
+package:
+  stage: package
+  image: docker:27
+  needs:
+    - build
+  script:
+    - JAR_FILE=$(find build/libs -name '*.jar' | head -1)
+    - echo "Building Docker image for tag $CI_COMMIT_TAG with JAR $JAR_FILE"
+    - docker build
+        --provenance=false
+        -f Dockerfile.ci
+        --build-arg JAR_FILE="$JAR_FILE"
+        -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG"
+        .
+    - docker tag "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG" "$CI_REGISTRY_IMAGE:latest"
+  rules:
+    - if: $CI_COMMIT_TAG
+
+deploy:
+  stage: deploy
+  image: docker:27
+  needs:
+    - package
+  script:
+    - echo "Pushing image $CI_REGISTRY_IMAGE:$CI_COMMIT_TAG"
+    - docker login "$CI_REGISTRY" -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD"
+    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG"
+    - docker push "$CI_REGISTRY_IMAGE:latest"
+  rules:
+    - if: $CI_COMMIT_TAG

CLAUDE.md

@@ -0,0 +1,109 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Coding Standards
+
+- **Style**: Follow the Google Java Coding Style as the foundation.
+- **Indentation**: Use 4 spaces — no tabs.
+- **Line length**: Maximum 100 characters per line.
+- **Comments**: All code comments must use British English spelling (e.g. "colour" not "color", "behaviour" not "behavior", "serialise" not "serialize", "analyse" not "analyze", "traveller" not "traveler").
+
+## Build & Test Commands
+
+```bash
+# Build the project (skip tests)
+./gradlew build -x test
+
+# Run all tests
+./gradlew test
+
+# Run a single test class
+./gradlew test --tests "com.onixbyte.deltaforceguide.service.PasswordEncoderTest"
+
+# Run a specific test method
+./gradlew test --tests "com.onixbyte.deltaforceguide.service.PasswordEncoderTest.generatePassword"
+
+# Build the full JAR
+./gradlew bootJar
+```
+
+The project uses Gradle with Java 21 (Amazon Corretto). Tests use JUnit 5 with the Spring Boot test framework, H2 in-memory database for test runtime, and Spring Security test support. Tests require an active `dev` profile.
+
+## Code Architecture
+
+**Delta Force Guide Server** — A REST API backend for managing Delta Force game firearm builds/modifications.
+
+### Package structure
+
+```
+com.onixbyte.deltaforceguide
+├── client/           # External service clients (TokenClient for JWT)
+├── config/           # Spring beans: Security, CORS, Cache/Redis, Jackson, MyBatis, Spring Data
+├── controller/       # REST controllers (Firearm, Modification, Tag, Auth)
+├── domain/
+│   ├── converter/    # JPA attribute converters (FirearmTypeConverter)
+│   ├── dto/          # Request/response records (FirearmRequest, ModificationResponse, etc.)
+│   └── entity/       # JPA entities (Firearm, Modification, User, Accessory, Tuning)
+├── enumeration/      # Enums (FirearmType)
+├── exeption/         # BizException (custom runtime exception with HTTP status)
+├── filter/           # TokenAuthenticationFilter (JWT auth via OncePerRequestFilter)
+├── manager/          # Thin @Transactional wrappers around repositories
+├── mapper/           # MyBatis mappers (configured but currently unused)
+├── properties/       # @ConfigurationProperties records (Cors, Token, Cookie)
+├── repository/       # Spring Data JPA repositories
+├── security/
+│   ├── authentication/  # Custom UsernamePasswordAuthentication impl
+│   └── provider/        # UsernamePasswordAuthenticationProvider
+├── service/          # Business logic layer (FirearmService, ModificationService, AuthService, etc.)
+├── shared/           # Constants and utility classes (CookieName, CredentialProvider, JacksonModules)
+└── utils/            # Helpers (DateTimeUtil)
+```
+
+### Key design decisions
+
+- **JPA + native queries**: Most CRUD uses Spring Data JPA. Native queries (in `ModificationRepository`) handle JSONB tag filtering with Postgres `@>` operator.
+- **Custom auth flow**: JWT tokens in httpOnly cookies (`AccessToken`). Spring Security with a custom `UsernamePasswordAuthenticationProvider` and `TokenAuthenticationFilter`. Tokens are auto-renewed within 5 min of expiry.
+- **JSONB storage**: `Modification.tags` and `Modification.accessories` (including nested `Tuning` objects) are stored as JSONB columns using Hypersistence Utils `JsonType`.
+- **Strict layering**: The call chain must follow `Controller → Service → Manager → Repository/Mapper`. Skipping layers (e.g. Controller calling Manager directly, Service calling Repository directly) is not permitted. Each layer has a distinct responsibility: Controller handles HTTP concerns, Service contains business logic, Manager manages `@Transactional` boundaries and data access coordination, Repository/Mapper handles raw data access.
+- **DTOs as Java records**: All request/response objects are immutable records with static `from()` factory methods for entity→DTO conversion.
+- **Flyway migrations**: SQL migrations in `src/main/resources/db/migration/` — V2 (init), V3 (bullet/damage fields), V4 (user), V5 (accessories JSONB column).
+
+### Data model
+
+- `firearm` table: id, name, type (int→FirearmType enum), level, calibre, fire_rate, armour_damage, body_damage, review
+- `modification` table: id, firearm_id (FK→firearm), name, code, tags (jsonb), accessories (jsonb), note, author, video_url
+- `app_user` table: id, username, email
+- `user_credential` table: user_id, provider, credential (hashed)
+
+### API endpoints
+
+| Path                          | Methods          | Auth                                 |
+|-------------------------------|------------------|--------------------------------------|
+| `/firearms`                   | GET, POST        | GET public, POST requires auth       |
+| `/firearms/{id}`              | GET, PUT, DELETE | GET public, PUT/DELETE requires auth |
+| `/modifications`              | GET, POST        | GET public, POST requires auth       |
+| `/modifications/{id}`         | GET, PUT, DELETE | GET public, PUT/DELETE requires auth |
+| `/modifications/batch`        | POST             | Requires auth                        |
+| `/modifications/batch-delete` | DELETE           | Requires auth                        |
+| `/tags`                       | GET              | Public                               |
+| `/auth/login`                 | POST             | Public                               |
+| `/auth/logout`                | POST             | Authenticated                        |
+
+### Commit convention
+
+Conventional commits: `feat:`, `chore:`, `fix:`. Messages are in English, present tense imperative style.
+
+### External dependencies
+
+- **DB**: PostgreSQL (via Flyway migrations), H2 in test
+- **Cache**: Redis (via Spring Cache + RedisTemplate with GenericJackson2JsonRedisSerializer)
+- **Auth**: java-jwt (auth0), BCrypt
+- **Docs**: springdoc-openapi (Swagger UI) on dev profile
+- **Onixbyte internal libs**: version-catalogue, tuple, common-toolbox, math-toolbox, identity-generator, captcha, regions
+- **AWS**: S3 SDK
+
+### Profiles
+
+- `dev`: Enables Swagger UI, connects to dev DB/Redis at `dfguide.onixbyte.cn`. Config in `config/application-dev.yaml`.
+- Default profile: Used for production, no Swagger, connects to production datasource.

Dockerfile.ci

@@ -0,0 +1,7 @@
+FROM amazoncorretto:21-alpine
+WORKDIR /app
+
+ARG JAR_FILE
+COPY ${JAR_FILE} app.jar
+
+ENTRYPOINT ["java", "-jar", "app.jar"]

build.gradle.kts

@@ -49,10 +49,12 @@ dependencies {
     implementation(libs.flyway.core)
     implementation(libs.flyway.postgresql)
     implementation(libs.jackson.jsr310)
-    implementation("org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.16")
+    implementation(libs.spring.boot.starter.doc)
+    implementation(libs.spring.boot.starter.security)
     testImplementation(libs.spring.boot.starter.test)
     testImplementation(libs.reactor.test)
     testImplementation(libs.mybatis.starter.test)
+    testImplementation(libs.spring.security.test)
     runtimeOnly(libs.postgres.driver)
     testRuntimeOnly(libs.h2.database)
     testRuntimeOnly(libs.junit.launcher)

gradle.properties

@@ -1 +1 @@
-artefactVersion = 1.1.0
+artefactVersion = 1.2.0

gradle/libs.versions.toml

@@ -18,6 +18,7 @@ mybatisVersion = "3.0.5"
 jacksonVersion = "2.19.2"
 hypersistenceVersion = "3.14.0"
 springDependencyManagementVersion = "1.1.7"
+springDocVersion = "2.8.16"
 
 [libraries]
 # General Utilities
@@ -57,16 +58,19 @@ spring-boot-configurationProcessor = { group = "org.springframework.boot", name
 spring-boot-actuator = { group = "org.springframework.boot", name = "spring-boot-starter-actuator" }
 
 # Security & Auth
-spring-boot-starter-security = { group = "org.springframework.boot", name = "spring-boot-starter-security", version.ref = "springBootVersion" }
+spring-boot-starter-security = { group = "org.springframework.boot", name = "spring-boot-starter-security" }
 jwt-core = { group = "com.auth0", name = "java-jwt", version.ref = "javaJwtVersion" }
 
+# Spring Doc
+spring-boot-starter-doc = { group = "org.springdoc", name = "springdoc-openapi-starter-webmvc-ui", version.ref = "springDocVersion" }
+
 # Cloud Services
 aws-sdk-bom = { group = "software.amazon.awssdk", name = "bom", version.ref = "awsSdkVersion" }
 aws-sdk-s3 = { group = "software.amazon.awssdk", name = "s3" }
 
 # Testing
 spring-boot-starter-test = { group = "org.springframework.boot", name = "spring-boot-starter-test", version.ref = "springBootVersion" }
-spring-security-test = { group = "org.springframework.security", name = "spring-security-test", version.ref = "springSecurityVersion" }
+spring-security-test = { group = "org.springframework.security", name = "spring-security-test" }
 reactor-test = { group = "io.projectreactor", name = "reactor-test", version.ref = "reactorVersion" }
 junit-launcher = { group = "org.junit.platform", name = "junit-platform-launcher", version.ref = "junitPlatformVersion" }
 mybatis-starter-test = { group = "org.mybatis.spring.boot", name = "mybatis-spring-boot-starter-test", version.ref = "mybatisVersion" }

src/main/java/com/onixbyte/deltaforceguide/client/TokenClient.java

@@ -0,0 +1,70 @@
+package com.onixbyte.deltaforceguide.client;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.onixbyte.deltaforceguide.domain.entity.User;
+import com.onixbyte.deltaforceguide.properties.TokenProperties;
+import com.onixbyte.deltaforceguide.utils.DateTimeUtil;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Component;
+
+import java.time.LocalDateTime;
+
+@Component
+public class TokenClient {
+
+    private final Algorithm algorithm;
+    private final TokenProperties tokenProperties;
+    private final JWTVerifier verifier;
+
+    /**
+     * Constructs a new TokenClient with the necessary algorithm and token properties.
+     *
+     * @param algorithm       the signing algorithm used to secure the JWT
+     * @param tokenProperties the configuration properties for the token, such as issuer and
+     *                        validity period
+     */
+    @Autowired
+    public TokenClient(
+            Algorithm algorithm,
+            TokenProperties tokenProperties,
+            JWTVerifier verifier
+    ) {
+        this.algorithm = algorithm;
+        this.tokenProperties = tokenProperties;
+        this.verifier = verifier;
+    }
+
+    /**
+     * Generate a JSON Web Token to the current user.
+     *
+     * @param user the current user for whom the token is being generated
+     * @return a JWT string
+     */
+    public String generateToken(User user) {
+        var issuedAt = LocalDateTime.now();
+        var expiresAt = issuedAt.plus(tokenProperties.validTime());
+
+        return JWT.create()
+                .withSubject(user.getUsername())
+                .withIssuer(tokenProperties.issuer())
+                .withIssuedAt(DateTimeUtil.asInstant(issuedAt))
+                .withExpiresAt(DateTimeUtil.asInstant(expiresAt))
+                .sign(algorithm);
+    }
+
+    /**
+     * Verify and decode token.
+     *
+     * @param token a JWT token
+     * @return information included in the given token
+     * @throws com.auth0.jwt.exceptions.JWTVerificationException if the token is invalid, such as
+     *                                                           expired, or not signed by
+     *                                                           specific server
+     */
+    public DecodedJWT verifyToken(String token) {
+        return verifier.verify(token);
+    }
+}

src/main/java/com/onixbyte/deltaforceguide/config/CorsConfig.java

@@ -2,46 +2,37 @@ package com.onixbyte.deltaforceguide.config;
 
 import com.onixbyte.deltaforceguide.properties.CorsProperties;
 import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpMethod;
-import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.cors.CorsConfiguration;
-import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+import org.springframework.web.cors.CorsConfigurationSource;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
-import java.util.Optional;
+import java.util.List;
 import java.util.stream.Stream;
 
 @Configuration
 @EnableConfigurationProperties({CorsProperties.class})
-public class CorsConfig implements WebMvcConfigurer {
+public class CorsConfig {
 
-    private final CorsProperties properties;
+    @Bean
-
+    public CorsConfigurationSource corsConfigurationSource(
-    public CorsConfig(CorsProperties properties) {
+            CorsProperties properties
-        this.properties = properties;
+    ) {
-    }
+        var corsConfiguration = new CorsConfiguration();
-
+        corsConfiguration.setAllowCredentials(properties.allowCredentials());
-    @Override
+        corsConfiguration.setAllowedOrigins(List.of(properties.allowedOrigins()));
-    public void addCorsMappings(CorsRegistry registry) {
+        corsConfiguration.setAllowedHeaders(List.of(properties.allowedHeaders()));
-        registry.addMapping("/**")
+        corsConfiguration.setAllowedMethods(Stream.of(properties.allowedMethods())
-                .allowedOrigins(toSafeArray(properties.allowedOrigins()))
-                .allowedHeaders(toSafeArray(properties.allowedHeaders()))
-                .allowedMethods(toHttpMethodNames(properties.allowedMethods()))
-                .allowCredentials(properties.allowCredentials())
-                .maxAge(properties.maxAge().toSeconds())
-                .exposedHeaders(toSafeArray(properties.exposedHeaders()));
-    }
-
-    private static String[] toSafeArray(String[] values) {
-        return values == null ? new String[0] : values;
-    }
-
-    private static String[] toHttpMethodNames(HttpMethod[] methods) {
-        return Optional.ofNullable(methods)
-                .stream()
-                .flatMap(Stream::of)
                 .map(HttpMethod::name)
-                .toList()
+                .toList());
-                .toArray(String[]::new);
+        corsConfiguration.setMaxAge(properties.maxAge());
-    }
+        corsConfiguration.setAllowPrivateNetwork(properties.allowPrivateNetwork());
+        corsConfiguration.setExposedHeaders(List.of(properties.exposedHeaders()));
 
+        var corsConfigurationSource = new UrlBasedCorsConfigurationSource();
+        corsConfigurationSource.registerCorsConfiguration("/**", corsConfiguration);
+        return corsConfigurationSource;
+    }
 }

src/main/java/com/onixbyte/deltaforceguide/config/SecurityConfig.java

@@ -0,0 +1,76 @@
+package com.onixbyte.deltaforceguide.config;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.onixbyte.deltaforceguide.filter.TokenAuthenticationFilter;
+import com.onixbyte.deltaforceguide.properties.CookieProperties;
+import com.onixbyte.deltaforceguide.properties.TokenProperties;
+import com.onixbyte.deltaforceguide.security.provider.UsernamePasswordAuthenticationProvider;
+import org.springframework.boot.context.properties.EnableConfigurationProperties;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.access.ExceptionTranslationFilter;
+import org.springframework.web.cors.CorsConfigurationSource;
+
+@Configuration
+@EnableWebSecurity
+@EnableMethodSecurity
+@EnableConfigurationProperties({TokenProperties.class, CookieProperties.class})
+public class SecurityConfig {
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(
+            HttpSecurity httpSecurity,
+            CorsConfigurationSource corsConfigurationSource,
+            TokenAuthenticationFilter tokenAuthenticationFilter
+    ) throws Exception {
+        return httpSecurity
+                .cors((cors) -> cors
+                        .configurationSource(corsConfigurationSource))
+                .csrf(AbstractHttpConfigurer::disable)
+                .sessionManagement((customiser) -> customiser
+                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+                .authorizeHttpRequests((customiser) -> customiser
+                        .anyRequest().permitAll()
+                )
+                .addFilterAfter(tokenAuthenticationFilter, ExceptionTranslationFilter.class)
+                .build();
+    }
+
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return new BCryptPasswordEncoder();
+    }
+
+    @Bean
+    public AuthenticationManager authenticationManager(
+            UsernamePasswordAuthenticationProvider usernamePasswordAuthenticationProvider
+    ) {
+        return new ProviderManager(
+                usernamePasswordAuthenticationProvider
+        );
+    }
+
+    @Bean
+    public Algorithm algorithm(TokenProperties properties) {
+        return Algorithm.HMAC256(properties.secret());
+    }
+
+    @Bean
+    public JWTVerifier verifier(Algorithm algorithm, TokenProperties tokenProperties) {
+        return JWT.require(algorithm)
+                .withIssuer(tokenProperties.issuer())
+                .build();
+    }
+}

src/main/java/com/onixbyte/deltaforceguide/controller/AuthController.java

@@ -0,0 +1,58 @@
+package com.onixbyte.deltaforceguide.controller;
+
+import com.onixbyte.deltaforceguide.domain.dto.LoginRequest;
+import com.onixbyte.deltaforceguide.domain.dto.UserResponse;
+import com.onixbyte.deltaforceguide.client.TokenClient;
+import com.onixbyte.deltaforceguide.security.annotation.RequiresAuth;
+import com.onixbyte.deltaforceguide.service.AuthService;
+import com.onixbyte.deltaforceguide.service.CookieService;
+import com.onixbyte.deltaforceguide.shared.CookieName;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.ResponseEntity;
+import org.springframework.validation.annotation.Validated;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+import java.time.Duration;
+
+@Tag(name = "用户鉴权", description = "处理用户登录与退出功能")
+@RestController
+@RequestMapping("/auth")
+public class AuthController {
+
+    private final AuthService authService;
+    private final TokenClient tokenClient;
+    private final CookieService cookieService;
+
+    public AuthController(AuthService authService, TokenClient tokenClient, CookieService cookieService) {
+        this.authService = authService;
+        this.tokenClient = tokenClient;
+        this.cookieService = cookieService;
+    }
+
+    @Operation(description = "用户登录")
+    @PostMapping("/login")
+    public ResponseEntity<UserResponse> login(@Validated @RequestBody LoginRequest request) {
+        var user = authService.login(request);
+        var accessToken = tokenClient.generateToken(user);
+        var accessTokenCookie = cookieService.buildCookie(CookieName.ACCESS_TOKEN, accessToken);
+
+        return ResponseEntity.ok()
+                .header(HttpHeaders.SET_COOKIE, accessTokenCookie.toString())
+                .body(UserResponse.from(user));
+    }
+
+    @RequiresAuth
+    @Operation(description = "退出登录")
+    @PostMapping("/logout")
+    public ResponseEntity<Void> logout() {
+        var expiredCookie = cookieService.buildCookie(CookieName.ACCESS_TOKEN, "", Duration.ZERO);
+        return ResponseEntity.noContent()
+                .header(HttpHeaders.SET_COOKIE, expiredCookie.toString())
+                .build();
+    }
+}

src/main/java/com/onixbyte/deltaforceguide/controller/DailyPasswordController.java

@@ -0,0 +1,27 @@
+package com.onixbyte.deltaforceguide.controller;
+
+import com.onixbyte.deltaforceguide.domain.dto.DailyPasswordResponse;
+import com.onixbyte.deltaforceguide.service.DailyPasswordService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@Tag(name = "每日密码", description = "获取每日密码信息")
+@RestController
+@RequestMapping("/daily-passwords")
+public class DailyPasswordController {
+
+    private final DailyPasswordService dailyPasswordService;
+
+    public DailyPasswordController(DailyPasswordService dailyPasswordService) {
+        this.dailyPasswordService = dailyPasswordService;
+    }
+
+    @Operation(description = "获取当日的每日密码数据，该数据将被缓存一天")
+    @GetMapping
+    public DailyPasswordResponse getDailyPassword() {
+        return dailyPasswordService.getDailyPassword();
+    }
+}

src/main/java/com/onixbyte/deltaforceguide/controller/FirearmController.java

@@ -1,21 +1,21 @@
 package com.onixbyte.deltaforceguide.controller;
 
+import com.onixbyte.deltaforceguide.domain.dto.FirearmRequest;
 import com.onixbyte.deltaforceguide.domain.dto.FirearmResponse;
 import com.onixbyte.deltaforceguide.domain.dto.PageResponse;
 import com.onixbyte.deltaforceguide.enumeration.FirearmType;
+import com.onixbyte.deltaforceguide.security.annotation.RequiresAuth;
 import com.onixbyte.deltaforceguide.service.FirearmService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
 import jakarta.validation.constraints.Max;
 import jakarta.validation.constraints.Min;
 import org.springframework.data.domain.PageRequest;
 import org.springframework.data.domain.Sort;
 import org.springframework.validation.annotation.Validated;
-import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.*;
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestParam;
-import org.springframework.web.bind.annotation.RestController;
 
-@Validated
+@Tag(name = "武器管理", description = "与武器有关的操作")
 @RestController
 @RequestMapping("/firearms")
 public class FirearmController {
@@ -26,6 +26,8 @@ public class FirearmController {
         this.firearmService = firearmService;
     }
 
+    @Operation(description = "获取分页武器数据")
+    @Validated
     @GetMapping
     public PageResponse<FirearmResponse> pageQuery(
             @RequestParam(defaultValue = "0") @Min(0) int page,
@@ -37,9 +39,29 @@ public class FirearmController {
         return firearmService.pageQuery(type, PageRequest.of(page, size, Sort.by(direction, sortBy)));
     }
 
+    @Operation(description = "获取指定武器的数据")
     @GetMapping("/{id}")
     public FirearmResponse queryById(@PathVariable Long id) {
         return firearmService.queryById(id);
     }
-}
 
+    @RequiresAuth
+    @PostMapping
+    public FirearmResponse addFirearm(@Validated @RequestBody FirearmRequest request) {
+        return firearmService.addFirearm(request);
+    }
+
+    @RequiresAuth
+    @Operation(description = "更新指定武器的数据")
+    @PutMapping("/{id}")
+    public FirearmResponse updateFirearm(@PathVariable Long id, @Validated @RequestBody FirearmRequest request) {
+        return firearmService.updateFirearm(id, request);
+    }
+
+    @RequiresAuth
+    @Operation(description = "删除指定武器的数据")
+    @DeleteMapping("/{id}")
+    public void deleteFirearm(@PathVariable Long id) {
+        firearmService.deleteFirearm(id);
+    }
+}

src/main/java/com/onixbyte/deltaforceguide/controller/GlobalExceptionHandler.java

@@ -0,0 +1,19 @@
+package com.onixbyte.deltaforceguide.controller;
+
+import com.onixbyte.deltaforceguide.domain.dto.ErrorResponse;
+import com.onixbyte.deltaforceguide.exeption.BizException;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.RestControllerAdvice;
+
+@RestControllerAdvice
+public class GlobalExceptionHandler {
+
+    @ExceptionHandler(BizException.class)
+    public ResponseEntity<ErrorResponse> handleBizException(BizException exception) {
+        var status = exception.getStatus();
+        return ResponseEntity.status(status)
+                .body(new ErrorResponse(exception.getMessage()));
+    }
+}
+

src/main/java/com/onixbyte/deltaforceguide/controller/ModificationController.java

@@ -1,23 +1,33 @@
 package com.onixbyte.deltaforceguide.controller;
 
+import com.onixbyte.deltaforceguide.domain.dto.ModificationBatchCreateRequest;
+import com.onixbyte.deltaforceguide.domain.dto.ModificationRequest;
 import com.onixbyte.deltaforceguide.domain.dto.ModificationResponse;
 import com.onixbyte.deltaforceguide.domain.dto.PageResponse;
+import com.onixbyte.deltaforceguide.security.annotation.RequiresAuth;
 import com.onixbyte.deltaforceguide.service.ModificationService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
+import jakarta.validation.Valid;
 import jakarta.validation.constraints.Max;
 import jakarta.validation.constraints.Min;
 import jakarta.validation.constraints.Positive;
 import org.springframework.data.domain.PageRequest;
 import org.springframework.data.domain.Sort;
 import org.springframework.validation.annotation.Validated;
+import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.PutMapping;
+import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
 import java.util.List;
 
-@Validated
+@Tag(name = "改装管理", description = "对枪械改装的管理")
 @RestController
 @RequestMapping("/modifications")
 public class ModificationController {
@@ -28,6 +38,8 @@ public class ModificationController {
         this.modificationService = modificationService;
     }
 
+    @Operation(description = "分页查询改装信息")
+    @Validated
     @GetMapping
     public PageResponse<ModificationResponse> pageQuery(
             @RequestParam(defaultValue = "0") @Min(0) int page,
@@ -40,8 +52,45 @@ public class ModificationController {
         return modificationService.pageQuery(firearmId, tags, PageRequest.of(page, size, Sort.by(direction, sortBy)));
     }
 
+    @Operation(description = "查询指定改装的信息")
     @GetMapping("/{id}")
     public ModificationResponse queryById(@PathVariable Long id) {
         return modificationService.queryById(id);
     }
+
+    @RequiresAuth
+    @Operation(description = "创建改装")
+    @PostMapping
+    public ModificationResponse create(@Valid @RequestBody ModificationRequest request) {
+        return modificationService.create(request);
+    }
+
+    @RequiresAuth
+    @Operation(description = "批量创建改装")
+    @PostMapping("/batch")
+    public List<ModificationResponse> batchCreate(@Valid @RequestBody ModificationBatchCreateRequest request) {
+        return modificationService.batchCreate(request.modifications());
+    }
+
+    @RequiresAuth
+    @Operation(description = "修改指定改装")
+    @PutMapping("/{id}")
+    public ModificationResponse update(@PathVariable Long id, @Valid @RequestBody ModificationRequest request) {
+        return modificationService.update(id, request);
+    }
+
+    @RequiresAuth
+    @Operation(description = "删除指定改装")
+    @DeleteMapping("/{id}")
+    public void delete(@PathVariable Long id) {
+        modificationService.delete(id);
+    }
+
+    @RequiresAuth
+    @Operation(description = "批量删除改装")
+    @DeleteMapping("/batch-delete")
+    @Validated
+    public void batchDelete(@RequestParam List<@Positive Long> ids) {
+        modificationService.batchDelete(ids);
+    }
 }

src/main/java/com/onixbyte/deltaforceguide/controller/TagController.java

@@ -1,5 +1,7 @@
 package com.onixbyte.deltaforceguide.controller;
 
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.tags.Tag;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
@@ -8,6 +10,7 @@ import com.onixbyte.deltaforceguide.service.ModificationService;
 
 import java.util.List;
 
+@Tag(name = "标签管理", description = "管理标签信息")
 @RestController
 @RequestMapping("/tags")
 public class TagController {
@@ -18,6 +21,7 @@ public class TagController {
         this.modificationService = modificationService;
     }
 
+    @Operation(description = "查询指定武器或所有武器的标签")
     @GetMapping
     public List<String> getTags(@RequestParam(required = false) Long firearmId) {
         return modificationService.findAllTags(firearmId);

src/main/java/com/onixbyte/deltaforceguide/domain/dto/AccessoryRequest.java

@@ -0,0 +1,20 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.NotBlank;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public record AccessoryRequest(
+        @NotBlank(message = "插槽名称不能为空")
+        String slotName,
+        @NotBlank(message = "配件名称不能为空")
+        String accessoryName,
+        List<@Valid TuningRequest> tunings
+) {
+    public List<TuningRequest> tunings() {
+        return tunings == null ? new ArrayList<>() : tunings;
+    }
+}
+

src/main/java/com/onixbyte/deltaforceguide/domain/dto/AccessoryResponse.java

@@ -0,0 +1,22 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import com.onixbyte.deltaforceguide.domain.entity.Accessory;
+
+import java.util.List;
+
+public record AccessoryResponse(
+        String slotName,
+        String accessoryName,
+        List<TuningResponse> tunings
+) {
+    public static AccessoryResponse from(Accessory accessory) {
+        return new AccessoryResponse(
+                accessory.getSlotName(),
+                accessory.getAccessoryName(),
+                accessory.getTunings() == null
+                        ? List.of()
+                        : accessory.getTunings().stream().map(TuningResponse::from).toList()
+        );
+    }
+}
+

src/main/java/com/onixbyte/deltaforceguide/domain/dto/DailyPassword.java

@@ -0,0 +1,7 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+public record DailyPassword(
+        String mapName,
+        String password
+) {
+}

src/main/java/com/onixbyte/deltaforceguide/domain/dto/DailyPasswordData.java

@@ -0,0 +1,14 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import java.time.LocalDateTime;
+import java.util.List;
+
+public record DailyPasswordData(
+        String updateDate,
+        Integer totalCount,
+        List<DailyPassword> passwords,
+        String source,
+        LocalDateTime lastUpdated,
+        Long timestamp
+) {
+}

src/main/java/com/onixbyte/deltaforceguide/domain/dto/DailyPasswordMetadata.java

@@ -0,0 +1,7 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+public record DailyPasswordMetadata(
+        String version,
+        String author
+) {
+}

src/main/java/com/onixbyte/deltaforceguide/domain/dto/DailyPasswordResponse.java

@@ -0,0 +1,9 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+public record DailyPasswordResponse(
+        String status,
+        String message,
+        DailyPasswordData data,
+        DailyPasswordMetadata metadata
+) {
+}

src/main/java/com/onixbyte/deltaforceguide/domain/dto/ErrorResponse.java

@@ -0,0 +1,7 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+public record ErrorResponse(
+        String message
+) {
+}
+

src/main/java/com/onixbyte/deltaforceguide/domain/dto/FirearmRequest.java

@@ -0,0 +1,15 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import com.onixbyte.deltaforceguide.enumeration.FirearmType;
+
+public record FirearmRequest(
+        String name,
+        FirearmType type,
+        String level,
+        String calibre,
+        Integer fireRate,
+        Integer armourDamage,
+        Integer bodyDamage,
+        String review
+) {
+}

src/main/java/com/onixbyte/deltaforceguide/domain/dto/LoginRequest.java

@@ -0,0 +1,15 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import io.swagger.v3.oas.annotations.media.Schema;
+import jakarta.validation.constraints.NotBlank;
+
+@Schema(description = "登录请求")
+public record LoginRequest(
+        @NotBlank(message = "登录名称不能为空")
+        @Schema(description = "用户名或电子邮箱", requiredMode = Schema.RequiredMode.REQUIRED)
+        String principle,
+        @NotBlank(message = "登录口令不能为空")
+        @Schema(description = "密码", requiredMode = Schema.RequiredMode.REQUIRED)
+        String credential
+) {
+}

src/main/java/com/onixbyte/deltaforceguide/domain/dto/ModificationBatchCreateRequest.java

@@ -0,0 +1,13 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.NotEmpty;
+
+import java.util.List;
+
+public record ModificationBatchCreateRequest(
+        @NotEmpty(message = "批量创建列表不能为空")
+        List<@Valid ModificationRequest> modifications
+) {
+}
+

src/main/java/com/onixbyte/deltaforceguide/domain/dto/ModificationBatchDeleteRequest.java

@@ -0,0 +1,13 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import jakarta.validation.constraints.NotEmpty;
+import jakarta.validation.constraints.Positive;
+
+import java.util.List;
+
+public record ModificationBatchDeleteRequest(
+        @NotEmpty(message = "批量删除ID列表不能为空")
+        List<@Positive(message = "ID必须为正数") Long> ids
+) {
+}
+

src/main/java/com/onixbyte/deltaforceguide/domain/dto/ModificationRequest.java

@@ -0,0 +1,33 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Positive;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public record ModificationRequest(
+        @NotNull(message = "武器ID不能为空")
+        @Positive(message = "武器ID必须为正数")
+        Long firearmId,
+        @NotBlank(message = "改装名称不能为空")
+        String name,
+        @NotBlank(message = "改装代码不能为空")
+        String code,
+        List<@NotBlank(message = "标签不能为空") String> tags,
+        List<@Valid AccessoryRequest> accessories,
+        String note,
+        String author,
+        String videoUrl
+) {
+    public List<String> tags() {
+        return tags == null ? new ArrayList<>() : tags;
+    }
+
+    public List<AccessoryRequest> accessories() {
+        return accessories == null ? new ArrayList<>() : accessories;
+    }
+}
+

src/main/java/com/onixbyte/deltaforceguide/domain/dto/ModificationResponse.java

@@ -10,6 +10,7 @@ public record ModificationResponse(
         String name,
         String code,
         List<String> tags,
+        List<AccessoryResponse> accessories,
         String note,
         String author,
         String videoUrl
@@ -21,6 +22,9 @@ public record ModificationResponse(
                 modification.getName(),
                 modification.getCode(),
                 modification.getTags(),
+                modification.getAccessories() == null
+                        ? List.of()
+                        : modification.getAccessories().stream().map(AccessoryResponse::from).toList(),
                 modification.getNote(),
                 modification.getAuthor(),
                 modification.getVideoUrl()

src/main/java/com/onixbyte/deltaforceguide/domain/dto/TuningRequest.java

@@ -0,0 +1,13 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
+
+public record TuningRequest(
+        @NotBlank(message = "调校项名称不能为空")
+        String tuningName,
+        @NotNull(message = "调校值不能为空")
+        Double tuningValue
+) {
+}
+

src/main/java/com/onixbyte/deltaforceguide/domain/dto/TuningResponse.java

@@ -0,0 +1,16 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import com.onixbyte.deltaforceguide.domain.entity.Tuning;
+
+public record TuningResponse(
+        String tuningName,
+        Double tuningValue
+) {
+    public static TuningResponse from(Tuning tuning) {
+        return new TuningResponse(
+                tuning.getTuningName(),
+                tuning.getTuningValue()
+        );
+    }
+}
+

src/main/java/com/onixbyte/deltaforceguide/domain/dto/UserResponse.java

@@ -0,0 +1,17 @@
+package com.onixbyte.deltaforceguide.domain.dto;
+
+import com.onixbyte.deltaforceguide.domain.entity.User;
+
+public record UserResponse(
+        Long id,
+        String username,
+        String email
+) {
+    public static UserResponse from(User user) {
+        return new UserResponse(
+                user.getId(),
+                user.getUsername(),
+                user.getEmail()
+        );
+    }
+}

src/main/java/com/onixbyte/deltaforceguide/domain/entity/Accessory.java

@@ -0,0 +1,48 @@
+package com.onixbyte.deltaforceguide.domain.entity;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class Accessory {
+
+    private String slotName;
+
+    private String accessoryName;
+
+    private List<Tuning> tunings = new ArrayList<>();
+
+    public Accessory() {
+    }
+
+    public String getSlotName() {
+        return slotName;
+    }
+
+    public void setSlotName(String slotName) {
+        this.slotName = slotName;
+    }
+
+    public String getAccessoryName() {
+        return accessoryName;
+    }
+
+    public void setAccessoryName(String accessoryName) {
+        this.accessoryName = accessoryName;
+    }
+
+    public List<Tuning> getTunings() {
+        return tunings;
+    }
+
+    public void setTunings(List<Tuning> tunings) {
+        this.tunings = tunings;
+    }
+
+    public void addTuning(Tuning tuning) {
+        this.tunings.add(tuning);
+    }
+
+    public void removeTuning(Tuning tuning) {
+        this.tunings.remove(tuning);
+    }
+}

src/main/java/com/onixbyte/deltaforceguide/domain/entity/Firearm.java

@@ -140,5 +140,88 @@ public class Firearm {
         this.modifications.remove(modification);
         modification.setFirearm(null);
     }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    public static class Builder {
+
+        private Long id;
+        private String name;
+        private FirearmType type;
+        private String level;
+        private String review;
+        private String calibre;
+        private Integer fireRate;
+        private Integer armourDamage;
+        private Integer bodyDamage;
+        private List<Modification> modifications;
+
+        public Builder id(Long id) {
+            this.id = id;
+            return this;
+        }
+
+        public Builder name(String name) {
+            this.name = name;
+            return this;
+        }
+
+        public Builder type(FirearmType type) {
+            this.type = type;
+            return this;
+        }
+
+        public Builder level(String level) {
+            this.level = level;
+            return this;
+        }
+
+        public Builder review(String review) {
+            this.review = review;
+            return this;
+        }
+
+        public Builder calibre(String calibre) {
+            this.calibre = calibre;
+            return this;
+        }
+
+        public Builder fireRate(Integer fireRate) {
+            this.fireRate = fireRate;
+            return this;
+        }
+
+        public Builder armourDamage(Integer armourDamage) {
+            this.armourDamage = armourDamage;
+            return this;
+        }
+
+        public Builder bodyDamage(Integer bodyDamage) {
+            this.bodyDamage = bodyDamage;
+            return this;
+        }
+
+        public Builder modifications(List<Modification> modifications) {
+            this.modifications = modifications;
+            return this;
+        }
+
+        public Firearm build() {
+            Firearm firearm = new Firearm();
+            firearm.id = this.id;
+            firearm.name = this.name;
+            firearm.type = this.type;
+            firearm.level = this.level;
+            firearm.review = this.review;
+            firearm.calibre = this.calibre;
+            firearm.fireRate = this.fireRate;
+            firearm.armourDamage = this.armourDamage;
+            firearm.bodyDamage = this.bodyDamage;
+            firearm.modifications = this.modifications == null ? new ArrayList<>() : this.modifications;
+            return firearm;
+        }
+    }
 }
 

src/main/java/com/onixbyte/deltaforceguide/domain/entity/Modification.java

@@ -1,17 +1,7 @@
 package com.onixbyte.deltaforceguide.domain.entity;
 
 import io.hypersistence.utils.hibernate.type.json.JsonType;
-import jakarta.persistence.Column;
+import jakarta.persistence.*;
-import jakarta.persistence.Entity;
-import jakarta.persistence.FetchType;
-import jakarta.persistence.ForeignKey;
-import jakarta.persistence.GeneratedValue;
-import jakarta.persistence.GenerationType;
-import jakarta.persistence.Id;
-import jakarta.persistence.Index;
-import jakarta.persistence.JoinColumn;
-import jakarta.persistence.ManyToOne;
-import jakarta.persistence.Table;
 import org.hibernate.annotations.Type;
 
 import java.util.ArrayList;
@@ -41,9 +31,13 @@ public class Modification {
     private String code;
 
     @Type(JsonType.class)
-    @Column(name = "tags", columnDefinition = "json")
+    @Column(name = "tags", columnDefinition = "jsonb")
     private List<String> tags = new ArrayList<>();
 
+    @Type(JsonType.class)
+    @Column(name = "accessories", columnDefinition = "jsonb")
+    private List<Accessory> accessories = new ArrayList<>();
+
     @Column(name = "note", columnDefinition = "TEXT")
     private String note;
 
@@ -93,6 +87,22 @@ public class Modification {
         this.tags = tags;
     }
 
+    public List<Accessory> getAccessories() {
+        return accessories;
+    }
+
+    public void setAccessories(List<Accessory> accessories) {
+        this.accessories = accessories;
+    }
+
+    public void addAccessory(Accessory modificationAccessory) {
+        this.accessories.add(modificationAccessory);
+    }
+
+    public void removeAccessory(Accessory modificationAccessory) {
+        this.accessories.remove(modificationAccessory);
+    }
+
     public String getNote() {
         return note;
     }
@@ -116,5 +126,81 @@ public class Modification {
     public void setVideoUrl(String videoUrl) {
         this.videoUrl = videoUrl;
     }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    public static class Builder {
+
+        private Long id;
+        private Firearm firearm;
+        private String name;
+        private String code;
+        private List<String> tags;
+        private List<Accessory> accessories;
+        private String note;
+        private String author;
+        private String videoUrl;
+
+        public Builder id(Long id) {
+            this.id = id;
+            return this;
+        }
+
+        public Builder firearm(Firearm firearm) {
+            this.firearm = firearm;
+            return this;
+        }
+
+        public Builder name(String name) {
+            this.name = name;
+            return this;
+        }
+
+        public Builder code(String code) {
+            this.code = code;
+            return this;
+        }
+
+        public Builder tags(List<String> tags) {
+            this.tags = tags;
+            return this;
+        }
+
+        public Builder accessories(List<Accessory> accessories) {
+            this.accessories = accessories;
+            return this;
+        }
+
+        public Builder note(String note) {
+            this.note = note;
+            return this;
+        }
+
+        public Builder author(String author) {
+            this.author = author;
+            return this;
+        }
+
+        public Builder videoUrl(String videoUrl) {
+            this.videoUrl = videoUrl;
+            return this;
+        }
+
+        public Modification build() {
+            Modification modification = new Modification();
+            modification.id = this.id;
+            modification.firearm = this.firearm;
+            modification.name = this.name;
+            modification.code = this.code;
+            modification.tags = this.tags == null ? new ArrayList<>() : this.tags;
+            modification.accessories = this.accessories == null ? new ArrayList<>() : this.accessories;
+            modification.note = this.note;
+            modification.author = this.author;
+            modification.videoUrl = this.videoUrl;
+            return modification;
+        }
+    }
 }
 

src/main/java/com/onixbyte/deltaforceguide/domain/entity/Tuning.java

@@ -0,0 +1,26 @@
+package com.onixbyte.deltaforceguide.domain.entity;
+
+public class Tuning {
+
+    private String tuningName;
+    private Double tuningValue;
+
+    public Tuning() {
+    }
+
+    public String getTuningName() {
+        return tuningName;
+    }
+
+    public void setTuningName(String tuningName) {
+        this.tuningName = tuningName;
+    }
+
+    public Double getTuningValue() {
+        return tuningValue;
+    }
+
+    public void setTuningValue(Double tuningValue) {
+        this.tuningValue = tuningValue;
+    }
+}

src/main/java/com/onixbyte/deltaforceguide/domain/entity/User.java

@@ -0,0 +1,114 @@
+package com.onixbyte.deltaforceguide.domain.entity;
+
+import jakarta.persistence.CascadeType;
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.GenerationType;
+import jakarta.persistence.Id;
+import jakarta.persistence.OneToMany;
+import jakarta.persistence.Table;
+
+import java.util.ArrayList;
+import java.util.List;
+
+@Entity
+@Table(name = "app_user")
+public class User {
+
+    @Id
+    @GeneratedValue(strategy = GenerationType.IDENTITY)
+    private Long id;
+
+    @Column(name = "username", nullable = false)
+    private String username;
+
+    @Column(name = "email", nullable = false)
+    private String email;
+
+    @OneToMany(mappedBy = "user", cascade = CascadeType.ALL, orphanRemoval = true)
+    private List<UserCredential> credentials = new ArrayList<>();
+
+    public Long getId() {
+        return id;
+    }
+
+    public void setId(Long id) {
+        this.id = id;
+    }
+
+    public String getUsername() {
+        return username;
+    }
+
+    public void setUsername(String username) {
+        this.username = username;
+    }
+
+    public String getEmail() {
+        return email;
+    }
+
+    public void setEmail(String email) {
+        this.email = email;
+    }
+
+    public List<UserCredential> getCredentials() {
+        return credentials;
+    }
+
+    public void setCredentials(List<UserCredential> credentials) {
+        this.credentials = credentials;
+    }
+
+    public void addCredential(UserCredential credential) {
+        this.credentials.add(credential);
+        credential.setUser(this);
+    }
+
+    public void removeCredential(UserCredential credential) {
+        this.credentials.remove(credential);
+        credential.setUser(null);
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    public static class Builder {
+
+        private Long id;
+        private String username;
+        private String email;
+        private List<UserCredential> credentials;
+
+        public Builder id(Long id) {
+            this.id = id;
+            return this;
+        }
+
+        public Builder username(String username) {
+            this.username = username;
+            return this;
+        }
+
+        public Builder email(String email) {
+            this.email = email;
+            return this;
+        }
+
+        public Builder credentials(List<UserCredential> credentials) {
+            this.credentials = credentials;
+            return this;
+        }
+
+        public User build() {
+            User user = new User();
+            user.id = this.id;
+            user.username = this.username;
+            user.email = this.email;
+            user.credentials = this.credentials == null ? new ArrayList<>() : this.credentials;
+            return user;
+        }
+    }
+}

src/main/java/com/onixbyte/deltaforceguide/domain/entity/UserCredential.java

@@ -0,0 +1,138 @@
+package com.onixbyte.deltaforceguide.domain.entity;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.AttributeOverride;
+import jakarta.persistence.AttributeOverrides;
+import jakarta.persistence.EmbeddedId;
+import jakarta.persistence.Entity;
+import jakarta.persistence.FetchType;
+import jakarta.persistence.ForeignKey;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.MapsId;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.Table;
+
+@Entity
+@Table(name = "app_user_credential")
+public class UserCredential {
+
+	@EmbeddedId
+	@AttributeOverrides({
+		@AttributeOverride(name = "userId", column = @Column(name = "user_id")),
+		@AttributeOverride(name = "provider", column = @Column(name = "provider"))
+	})
+	private UserCredentialId id = new UserCredentialId();
+
+	@MapsId("userId")
+	@ManyToOne(fetch = FetchType.LAZY, optional = false)
+	@JoinColumn(name = "user_id", nullable = false, foreignKey = @ForeignKey(name = "fk_user_credential_user"))
+	private User user;
+
+	@Column(name = "credential", nullable = false, length = 255)
+	private String credential;
+
+	public UserCredentialId getId() {
+		return id;
+	}
+
+	public void setId(UserCredentialId id) {
+		this.id = id;
+	}
+
+	public User getUser() {
+		return user;
+	}
+
+	public void setUser(User user) {
+		this.user = user;
+		if (this.id == null) {
+			this.id = new UserCredentialId();
+		}
+		this.id.setUserId(user == null ? null : user.getId());
+	}
+
+	public Long getUserId() {
+		return id == null ? null : id.getUserId();
+	}
+
+	public void setUserId(Long userId) {
+		if (this.id == null) {
+			this.id = new UserCredentialId();
+		}
+		this.id.setUserId(userId);
+	}
+
+	public String getProvider() {
+		return id == null ? null : id.getProvider();
+	}
+
+	public void setProvider(String provider) {
+		if (this.id == null) {
+			this.id = new UserCredentialId();
+		}
+		this.id.setProvider(provider);
+	}
+
+	public String getCredential() {
+		return credential;
+	}
+
+	public void setCredential(String credential) {
+		this.credential = credential;
+	}
+
+	public static Builder builder() {
+		return new Builder();
+	}
+
+	public static class Builder {
+
+		private UserCredentialId id;
+		private User user;
+		private Long userId;
+		private String provider;
+		private String credential;
+
+		public Builder id(UserCredentialId id) {
+			this.id = id;
+			return this;
+		}
+
+		public Builder user(User user) {
+			this.user = user;
+			return this;
+		}
+
+		public Builder userId(Long userId) {
+			this.userId = userId;
+			return this;
+		}
+
+		public Builder provider(String provider) {
+			this.provider = provider;
+			return this;
+		}
+
+		public Builder credential(String credential) {
+			this.credential = credential;
+			return this;
+		}
+
+		public UserCredential build() {
+			UserCredential userCredential = new UserCredential();
+			userCredential.id = this.id == null ? new UserCredentialId() : this.id;
+			userCredential.user = this.user;
+			if (this.user != null) {
+				userCredential.id.setUserId(this.user.getId());
+			}
+			if (this.userId != null) {
+				userCredential.id.setUserId(this.userId);
+			}
+			if (this.provider != null) {
+				userCredential.id.setProvider(this.provider);
+			}
+			userCredential.credential = this.credential;
+			return userCredential;
+		}
+	}
+}

src/main/java/com/onixbyte/deltaforceguide/domain/entity/UserCredentialId.java

@@ -0,0 +1,76 @@
+package com.onixbyte.deltaforceguide.domain.entity;
+
+import jakarta.persistence.Embeddable;
+
+import java.io.Serializable;
+import java.util.Objects;
+
+@Embeddable
+public class UserCredentialId implements Serializable {
+
+    private Long userId;
+
+    private String provider;
+
+    public Long getUserId() {
+        return userId;
+    }
+
+    public void setUserId(Long userId) {
+        this.userId = userId;
+    }
+
+    public String getProvider() {
+        return provider;
+    }
+
+    public void setProvider(String provider) {
+        this.provider = provider;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o == null || getClass() != o.getClass()) {
+            return false;
+        }
+        UserCredentialId that = (UserCredentialId) o;
+        return Objects.equals(userId, that.userId) && Objects.equals(provider, that.provider);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(userId, provider);
+    }
+
+    public static Builder builder() {
+        return new Builder();
+    }
+
+    public static class Builder {
+
+        private Long userId;
+        private String provider;
+
+        public Builder userId(Long userId) {
+            this.userId = userId;
+            return this;
+        }
+
+        public Builder provider(String provider) {
+            this.provider = provider;
+            return this;
+        }
+
+        public UserCredentialId build() {
+            UserCredentialId id = new UserCredentialId();
+            id.userId = this.userId;
+            id.provider = this.provider;
+            return id;
+        }
+    }
+}
+
+

src/main/java/com/onixbyte/deltaforceguide/exeption/BizException.java

@@ -0,0 +1,35 @@
+package com.onixbyte.deltaforceguide.exeption;
+
+import org.springframework.http.HttpStatus;
+
+public class BizException extends RuntimeException {
+
+    /**
+     * The HTTP status code associated with this business exception.
+     * <p>
+     * This status code indicates the appropriate HTTP response status that should be returned to
+     * clients when this exception occurs. It enables consistent error handling across
+     * REST API endpoints.
+     */
+    private final HttpStatus status;
+
+    public BizException(String message) {
+        super(message);
+        this.status = HttpStatus.INTERNAL_SERVER_ERROR;
+    }
+
+    public BizException(HttpStatus status, String message) {
+        super(message);
+        this.status = status;
+    }
+
+    /**
+     * Returns the HTTP status code associated with this business exception.
+     *
+     * @return the HTTP status code that should be used in the error response
+     */
+    public HttpStatus getStatus() {
+        return status;
+    }
+}
+

src/main/java/com/onixbyte/deltaforceguide/filter/TokenAuthenticationFilter.java

@@ -0,0 +1,102 @@
+package com.onixbyte.deltaforceguide.filter;
+
+import com.auth0.jwt.exceptions.JWTVerificationException;
+import com.onixbyte.deltaforceguide.client.TokenClient;
+import com.onixbyte.deltaforceguide.exeption.BizException;
+import com.onixbyte.deltaforceguide.manager.UserManager;
+import com.onixbyte.deltaforceguide.security.authentication.UsernamePasswordAuthentication;
+import com.onixbyte.deltaforceguide.service.CookieService;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.Cookie;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.jspecify.annotations.NonNull;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.servlet.HandlerExceptionResolver;
+import org.springframework.web.util.WebUtils;
+
+import java.io.IOException;
+import java.time.Duration;
+import java.time.Instant;
+import java.util.Objects;
+import java.util.Optional;
+
+@Component
+public class TokenAuthenticationFilter extends OncePerRequestFilter {
+
+    private final static Logger log = LoggerFactory.getLogger(TokenAuthenticationFilter.class);
+    private static final Duration ACCESS_TOKEN_RENEW_THRESHOLD = Duration.ofMinutes(5);
+
+    private final UserManager userManager;
+    private final TokenClient tokenClient;
+    private final CookieService cookieService;
+    private final HandlerExceptionResolver handlerExceptionResolver;
+
+    public TokenAuthenticationFilter(
+            UserManager userManager,
+            TokenClient tokenClient,
+            CookieService cookieService,
+            HandlerExceptionResolver handlerExceptionResolver
+    ) {
+        this.userManager = userManager;
+        this.tokenClient = tokenClient;
+        this.cookieService = cookieService;
+        this.handlerExceptionResolver = handlerExceptionResolver;
+    }
+
+    @Override
+    protected void doFilterInternal(
+            @NonNull HttpServletRequest request,
+            @NonNull HttpServletResponse response,
+            @NonNull FilterChain filterChain
+    ) throws ServletException, IOException {
+        var token = Optional.ofNullable(WebUtils.getCookie(request, "AccessToken"))
+                .map(Cookie::getValue)
+                .orElse(null);
+        if (Objects.isNull(token) || token.isBlank()) {
+            filterChain.doFilter(request, response);
+            return;
+        }
+
+        try {
+            var decodedToken = tokenClient.verifyToken(token);
+            var username = decodedToken.getSubject();
+
+            var userWrapper = userManager.findByUsername(username);
+            if (userWrapper.isEmpty()) {
+                throw new BizException(HttpStatus.UNAUTHORIZED, "登录已过期，请重新登录");
+            }
+
+            var user = userWrapper.get();
+            var authentication = UsernamePasswordAuthentication.authenticated(user);
+            SecurityContextHolder.getContext().setAuthentication(authentication);
+
+            if (shouldRenew(decodedToken.getExpiresAt().toInstant())) {
+                var renewedToken = tokenClient.generateToken(user);
+                var renewedTokenCookie = cookieService.buildCookie("AccessToken", renewedToken);
+                response.addHeader(HttpHeaders.SET_COOKIE, renewedTokenCookie.toString());
+            }
+
+            filterChain.doFilter(request, response);
+        } catch (JWTVerificationException e) {
+            log.error("JWT verification failed.", e);
+            handlerExceptionResolver.resolveException(request, response, null,
+                    new BizException(HttpStatus.UNAUTHORIZED, "登录已过期，请重新登录"));
+        } catch (BizException e) {
+            handlerExceptionResolver.resolveException(request, response, null, e);
+        }
+    }
+
+    private boolean shouldRenew(Instant expiresAt) {
+        return Duration.between(Instant.now(), expiresAt).compareTo(ACCESS_TOKEN_RENEW_THRESHOLD) < 0;
+    }
+}
+

src/main/java/com/onixbyte/deltaforceguide/manager/CookieManager.java

@@ -0,0 +1,37 @@
+package com.onixbyte.deltaforceguide.manager;
+
+import com.onixbyte.deltaforceguide.properties.CookieProperties;
+import org.springframework.boot.web.server.Cookie;
+import org.springframework.stereotype.Component;
+
+import java.time.Duration;
+
+@Component
+public class CookieManager {
+
+    private final CookieProperties cookieProperties;
+
+    public CookieManager(CookieProperties cookieProperties) {
+        this.cookieProperties = cookieProperties;
+    }
+
+    public Boolean getHttpOnly() {
+        return cookieProperties.httpOnly();
+    }
+
+    public Boolean getSecure() {
+        return cookieProperties.secure();
+    }
+
+    public Cookie.SameSite getSameSite() {
+        return cookieProperties.sameSite();
+    }
+
+    public String getPath() {
+        return cookieProperties.path();
+    }
+
+    public Duration getMaxAge() {
+        return cookieProperties.maxAge();
+    }
+}

src/main/java/com/onixbyte/deltaforceguide/manager/DailyPasswordManager.java

@@ -0,0 +1,76 @@
+package com.onixbyte.deltaforceguide.manager;
+
+import com.fasterxml.jackson.databind.DeserializationFeature;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.PropertyNamingStrategies;
+import com.onixbyte.deltaforceguide.domain.dto.DailyPasswordResponse;
+import com.onixbyte.deltaforceguide.exeption.BizException;
+import com.onixbyte.deltaforceguide.shared.JacksonModules;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.redis.core.RedisTemplate;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.converter.json.MappingJackson2HttpMessageConverter;
+import org.springframework.stereotype.Component;
+import org.springframework.web.client.RestClient;
+
+import java.time.Duration;
+import java.time.LocalDate;
+import java.util.Objects;
+
+@Component
+public class DailyPasswordManager {
+
+    private static final String CACHE_KEY_PREFIX = "daily-password:";
+
+    private final RestClient restClient;
+    private final RedisTemplate<String, Object> redisTemplate;
+
+    @Autowired
+    public DailyPasswordManager(
+            RestClient.Builder restClientBuilder,
+            RedisTemplate<String, Object> redisTemplate
+    ) {
+        var snakeCaseMapper = new ObjectMapper();
+        snakeCaseMapper.setPropertyNamingStrategy(
+                PropertyNamingStrategies.SnakeCaseStrategy.INSTANCE);
+        snakeCaseMapper.configure(
+                DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
+        snakeCaseMapper.registerModule(JacksonModules.DATE_TIME_MODULE);
+
+        this.restClient = restClientBuilder
+                .baseUrl("https://tmini.net/api")
+                .messageConverters(converters -> {
+                    converters.removeIf(
+                            MappingJackson2HttpMessageConverter.class::isInstance);
+                    converters.add(
+                            new MappingJackson2HttpMessageConverter(snakeCaseMapper));
+                })
+                .build();
+        this.redisTemplate = redisTemplate;
+    }
+
+    public DailyPasswordResponse getDailyPassword() {
+        var key = CACHE_KEY_PREFIX + LocalDate.now();
+
+        var cached = redisTemplate.opsForValue().get(key);
+        if (cached != null) {
+            return (DailyPasswordResponse) cached;
+        }
+
+        var response = restClient.get()
+                .uri((uriBuilder) -> uriBuilder
+                        .path("/sjzmm")
+                        .queryParam("ckey", "")
+                        .queryParam("type", "json")
+                        .build())
+                .retrieve()
+                .body(DailyPasswordResponse.class);
+
+        if (Objects.isNull(response)) {
+            throw new BizException(HttpStatus.INTERNAL_SERVER_ERROR, "暂无每日密码数据。");
+        }
+
+        redisTemplate.opsForValue().set(key, response, Duration.ofDays(1L));
+        return response;
+    }
+}

src/main/java/com/onixbyte/deltaforceguide/manager/UserCredentialManager.java

@@ -0,0 +1,47 @@
+package com.onixbyte.deltaforceguide.manager;
+
+import com.onixbyte.deltaforceguide.domain.entity.UserCredential;
+import com.onixbyte.deltaforceguide.repository.UserCredentialRepository;
+import org.springframework.stereotype.Component;
+import org.springframework.transaction.annotation.Transactional;
+
+import java.util.List;
+import java.util.Optional;
+
+@Component
+public class UserCredentialManager {
+
+    private final UserCredentialRepository userCredentialRepository;
+
+    public UserCredentialManager(UserCredentialRepository userCredentialRepository) {
+        this.userCredentialRepository = userCredentialRepository;
+    }
+
+    @Transactional(readOnly = true)
+    public List<UserCredential> findAllByUserId(Long userId) {
+        return userCredentialRepository.findAllByUserId(userId);
+    }
+
+    @Transactional(readOnly = true)
+    public Optional<UserCredential> findByUserIdAndProvider(Long userId, String provider) {
+        return userCredentialRepository.findByUserIdAndProvider(userId, provider);
+    }
+
+    @Transactional
+    public UserCredential save(UserCredential userCredential) {
+        return userCredentialRepository.save(userCredential);
+    }
+
+    @Transactional
+    public void deleteByUserIdAndProvider(Long userId, String provider) {
+        userCredentialRepository.deleteByUserIdAndProvider(userId, provider);
+    }
+
+    @Transactional
+    public void deleteAllByUserId(Long userId) {
+        userCredentialRepository.deleteAllByUserId(userId);
+    }
+}
+
+
+

src/main/java/com/onixbyte/deltaforceguide/manager/UserManager.java

@@ -0,0 +1,54 @@
+package com.onixbyte.deltaforceguide.manager;
+
+import com.onixbyte.deltaforceguide.domain.entity.User;
+import com.onixbyte.deltaforceguide.repository.UserRepository;
+import org.springframework.stereotype.Component;
+import org.springframework.transaction.annotation.Transactional;
+
+import java.util.List;
+import java.util.Optional;
+
+@Component
+public class UserManager {
+
+    private final UserRepository userRepository;
+
+    public UserManager(UserRepository userRepository) {
+        this.userRepository = userRepository;
+    }
+
+    @Transactional(readOnly = true)
+    public Optional<User> findById(Long id) {
+        return userRepository.findById(id);
+    }
+
+    @Transactional(readOnly = true)
+    public List<User> findAll() {
+        return userRepository.findAll();
+    }
+
+    @Transactional(readOnly = true)
+    public Optional<User> findByUsername(String username) {
+        return userRepository.findByUsername(username);
+    }
+
+    @Transactional(readOnly = true)
+    public Optional<User> findByEmail(String email) {
+        return userRepository.findByEmail(email);
+    }
+
+    @Transactional
+    public User save(User user) {
+        return userRepository.save(user);
+    }
+
+    @Transactional
+    public void deleteById(Long id) {
+        userRepository.deleteById(id);
+    }
+
+    public Optional<User> findByUsernameOrEmail(String principal) {
+        return userRepository.findByUsernameOrEmail(principal);
+    }
+}
+

src/main/java/com/onixbyte/deltaforceguide/properties/CookieProperties.java

@@ -0,0 +1,17 @@
+package com.onixbyte.deltaforceguide.properties;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.boot.context.properties.bind.DefaultValue;
+import org.springframework.boot.web.server.Cookie;
+
+import java.time.Duration;
+
+@ConfigurationProperties(prefix = "app.cookie")
+public record CookieProperties(
+        @DefaultValue("true") Boolean httpOnly,
+        @DefaultValue("true") Boolean secure,
+        @DefaultValue("/") String path,
+        @DefaultValue("PT2H") Duration maxAge,
+        @DefaultValue("LAX") Cookie.SameSite sameSite
+) {
+}

src/main/java/com/onixbyte/deltaforceguide/properties/TokenProperties.java

@@ -0,0 +1,13 @@
+package com.onixbyte.deltaforceguide.properties;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+
+import java.time.Duration;
+
+@ConfigurationProperties(prefix = "app.jwt")
+public record TokenProperties(
+        String issuer,
+        String secret,
+        Duration validTime
+) {
+}

src/main/java/com/onixbyte/deltaforceguide/repository/UserCredentialRepository.java

@@ -0,0 +1,52 @@
+package com.onixbyte.deltaforceguide.repository;
+
+import com.onixbyte.deltaforceguide.domain.entity.UserCredential;
+import com.onixbyte.deltaforceguide.domain.entity.UserCredentialId;
+import org.springframework.data.jpa.repository.Modifying;
+import org.springframework.data.jpa.repository.EntityGraph;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
+import org.springframework.stereotype.Repository;
+
+import java.util.List;
+import java.util.Optional;
+
+@Repository
+public interface UserCredentialRepository extends JpaRepository<UserCredential, UserCredentialId> {
+
+    @EntityGraph(attributePaths = {"user"})
+    @Query("""
+            select uc
+            from UserCredential uc
+            where uc.user.id = :userId
+            """)
+    List<UserCredential> findAllByUserId(@Param("userId") Long userId);
+
+    @EntityGraph(attributePaths = {"user"})
+    @Query("""
+            select uc
+            from UserCredential uc
+            where uc.user.id = :userId
+              and uc.id.provider = :provider
+            """)
+    Optional<UserCredential> findByUserIdAndProvider(@Param("userId") Long userId, @Param("provider") String provider);
+
+    @Modifying
+    @Query("""
+            delete from UserCredential uc
+            where uc.user.id = :userId
+              and uc.id.provider = :provider
+            """)
+    void deleteByUserIdAndProvider(@Param("userId") Long userId, @Param("provider") String provider);
+
+    @Modifying
+    @Query("""
+            delete from UserCredential uc
+            where uc.user.id = :userId
+            """)
+    void deleteAllByUserId(@Param("userId") Long userId);
+}
+
+
+

src/main/java/com/onixbyte/deltaforceguide/repository/UserRepository.java

@@ -0,0 +1,40 @@
+package com.onixbyte.deltaforceguide.repository;
+
+import com.onixbyte.deltaforceguide.domain.entity.User;
+import org.jspecify.annotations.NonNull;
+import org.springframework.data.jpa.repository.EntityGraph;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
+import org.springframework.stereotype.Repository;
+
+import java.util.Optional;
+
+@Repository
+public interface UserRepository extends JpaRepository<User, Long> {
+
+    @Override
+    @EntityGraph(attributePaths = {"credentials"})
+    @NonNull
+    Optional<User> findById(@NonNull Long id);
+
+    @EntityGraph(attributePaths = {"credentials"})
+    Optional<User> findByUsername(String username);
+
+    @EntityGraph(attributePaths = {"credentials"})
+    Optional<User> findByEmail(String email);
+
+    boolean existsByUsername(String username);
+
+    boolean existsByEmail(String email);
+
+    @EntityGraph(attributePaths = {"credentials"})
+    @Query("""
+            select u
+            from User u
+            where u.username = :principal
+               or u.email = :principal
+            """)
+    Optional<User> findByUsernameOrEmail(@Param("principal") String principal);
+}
+

src/main/java/com/onixbyte/deltaforceguide/security/annotation/RequiresAuth.java

@@ -0,0 +1,14 @@
+package com.onixbyte.deltaforceguide.security.annotation;
+
+import org.springframework.security.access.prepost.PreAuthorize;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target({ElementType.METHOD, ElementType.TYPE})
+@Retention(RetentionPolicy.RUNTIME)
+@PreAuthorize("isAuthenticated()")
+public @interface RequiresAuth {
+}

src/main/java/com/onixbyte/deltaforceguide/security/authentication/UsernamePasswordAuthentication.java

@@ -0,0 +1,76 @@
+package com.onixbyte.deltaforceguide.security.authentication;
+
+import com.onixbyte.deltaforceguide.domain.entity.User;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.CredentialsContainer;
+import org.springframework.security.core.GrantedAuthority;
+
+import java.util.Collection;
+import java.util.List;
+
+public class UsernamePasswordAuthentication implements Authentication, CredentialsContainer {
+    private final String username;
+    private String password;
+    private boolean authenticated;
+    private User user;
+
+    private UsernamePasswordAuthentication(String username, String password, boolean authenticated, User user) {
+        this.username = username;
+        this.password = password;
+        this.authenticated = authenticated;
+        this.user = user;
+    }
+
+    public static UsernamePasswordAuthentication unauthenticated(String username, String password) {
+        return new UsernamePasswordAuthentication(username, password, false, null);
+    }
+
+    public static UsernamePasswordAuthentication authenticated(User user) {
+        return new UsernamePasswordAuthentication(user.getUsername(), null, true, user);
+    }
+
+    @Override
+    public Collection<? extends GrantedAuthority> getAuthorities() {
+        return List.of();
+    }
+
+    @Override
+    public String getCredentials() {
+        return password;
+    }
+
+    @Override
+    public User getDetails() {
+        return user;
+    }
+
+    @Override
+    public String getPrincipal() {
+        return username;
+    }
+
+    @Override
+    public boolean isAuthenticated() {
+        return authenticated;
+    }
+
+    @Override
+    public void setAuthenticated(boolean authenticated) throws IllegalArgumentException {
+        this.authenticated = authenticated;
+    }
+
+    @Override
+    public String getName() {
+        return username;
+    }
+
+    @Override
+    public void eraseCredentials() {
+        this.password = null;
+    }
+
+    public void setDetails(User user) {
+        this.user = user;
+    }
+}
+

src/main/java/com/onixbyte/deltaforceguide/security/provider/UsernamePasswordAuthenticationProvider.java

@@ -0,0 +1,83 @@
+package com.onixbyte.deltaforceguide.security.provider;
+
+import com.onixbyte.deltaforceguide.domain.entity.UserCredential;
+import com.onixbyte.deltaforceguide.exeption.BizException;
+import com.onixbyte.deltaforceguide.manager.UserManager;
+import com.onixbyte.deltaforceguide.repository.UserCredentialRepository;
+import com.onixbyte.deltaforceguide.security.authentication.UsernamePasswordAuthentication;
+import com.onixbyte.deltaforceguide.shared.CredentialProvider;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.data.domain.Example;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.stereotype.Component;
+
+@Component
+public class UsernamePasswordAuthenticationProvider implements AuthenticationProvider {
+
+    private static final Logger log = LoggerFactory.getLogger(UsernamePasswordAuthenticationProvider.class);
+    private final UserManager userManager;
+    private final PasswordEncoder passwordEncoder;
+    private final UserCredentialRepository userCredentialRepository;
+
+    @Autowired
+    public UsernamePasswordAuthenticationProvider(
+            UserManager userManager,
+            PasswordEncoder passwordEncoder,
+            UserCredentialRepository userCredentialRepository
+    ) {
+        this.userManager = userManager;
+        this.passwordEncoder = passwordEncoder;
+        this.userCredentialRepository = userCredentialRepository;
+    }
+
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        if (!(authentication instanceof UsernamePasswordAuthentication usernamePasswordAuthentication)) {
+            throw new BizException(HttpStatus.INTERNAL_SERVER_ERROR, "用户认证失败，请稍后再试。");
+        }
+
+        // get userContainer from database
+        var userContainer = userManager.findByUsernameOrEmail(usernamePasswordAuthentication.getPrincipal());
+        if (userContainer.isEmpty()) {
+            log.error("User {} is trying to authenticate but no userContainer found.", usernamePasswordAuthentication.getPrincipal());
+            throw new BizException(HttpStatus.UNAUTHORIZED, "用户名或密码错误。");
+        }
+
+        var user = userContainer.get();
+
+        var userCredentialExample = new UserCredential();
+        userCredentialExample.setUserId(user.getId());
+        userCredentialExample.setProvider(CredentialProvider.LOCAL);
+
+        // get userContainer credentials from database
+        var userCredentials = userCredentialRepository.findOne(Example.of(userCredentialExample))
+                .orElseThrow(() -> new BizException(HttpStatus.UNAUTHORIZED, "您还没有配置密码，请联系管理员处理。"));
+
+        // validate password
+        if (!passwordEncoder.matches(usernamePasswordAuthentication.getCredentials(), userCredentials.getCredential())) {
+            log.error("User {} is trying to authenticate but password is incorrect.", usernamePasswordAuthentication.getPrincipal());
+            throw new BizException(HttpStatus.UNAUTHORIZED, "用户名或密码错误。");
+        }
+
+        // erase credentials
+        usernamePasswordAuthentication.eraseCredentials();
+
+        // set values
+        usernamePasswordAuthentication.setAuthenticated(true);
+        usernamePasswordAuthentication.setDetails(user);
+
+        return usernamePasswordAuthentication;
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return UsernamePasswordAuthentication.class.isAssignableFrom(authentication);
+    }
+}
+

src/main/java/com/onixbyte/deltaforceguide/service/AuthService.java

@@ -0,0 +1,40 @@
+package com.onixbyte.deltaforceguide.service;
+
+import com.onixbyte.deltaforceguide.domain.dto.LoginRequest;
+import com.onixbyte.deltaforceguide.domain.entity.User;
+import com.onixbyte.deltaforceguide.exeption.BizException;
+import com.onixbyte.deltaforceguide.security.authentication.UsernamePasswordAuthentication;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.stereotype.Service;
+
+import java.util.Objects;
+import java.util.Optional;
+
+@Service
+public class AuthService {
+
+    private static final Logger log = LoggerFactory.getLogger(AuthService.class);
+    private final AuthenticationManager authenticationManager;
+
+    public AuthService(AuthenticationManager authenticationManager) {
+        this.authenticationManager = authenticationManager;
+    }
+
+    public User login(LoginRequest request) {
+        var _authentication = authenticationManager.authenticate(UsernamePasswordAuthentication
+                .unauthenticated(request.principle(), request.credential()));
+        if (!(_authentication instanceof UsernamePasswordAuthentication authentication)) {
+            log.error(
+                    "Type mismatched, required type is UsernamePasswordAuthentication but got {}.",
+                    _authentication.getClass()
+            );
+            throw new BizException(HttpStatus.INTERNAL_SERVER_ERROR, "登录服务异常，请稍后再试。");
+        }
+
+        return authentication.getDetails();
+    }
+
+}

src/main/java/com/onixbyte/deltaforceguide/service/CookieService.java

@@ -0,0 +1,47 @@
+package com.onixbyte.deltaforceguide.service;
+
+import com.onixbyte.deltaforceguide.manager.CookieManager;
+import org.springframework.http.ResponseCookie;
+import org.springframework.stereotype.Service;
+
+import java.time.Duration;
+
+@Service
+public class CookieService {
+
+    private final CookieManager cookieManager;
+
+    public CookieService(CookieManager cookieManager) {
+        this.cookieManager = cookieManager;
+    }
+
+    public ResponseCookie buildCookie(String cookieName, String value) {
+        return buildCookieInternal(cookieName, value, cookieManager.getMaxAge());
+    }
+
+    public ResponseCookie buildCookie(String cookieName, String value, Duration validDuration) {
+        return buildCookieInternal(cookieName, value, validDuration);
+    }
+
+    /**
+     * Creates a response cookie builder with specified name, value and valid duration.
+     *
+     * @param name   name of the cookie
+     * @param value  value of the cookie
+     * @param maxAge valid duration of the cookie
+     * @return cookie builder
+     */
+    protected ResponseCookie buildCookieInternal(
+            String name,
+            String value,
+            Duration maxAge
+    ) {
+        return ResponseCookie.from(name, value)
+                .secure(cookieManager.getSecure())
+                .maxAge(maxAge)
+                .httpOnly(cookieManager.getHttpOnly())
+                .path(cookieManager.getPath())
+                .sameSite(cookieManager.getSameSite().attributeValue())
+                .build();
+    }
+}

src/main/java/com/onixbyte/deltaforceguide/service/DailyPasswordService.java

@@ -0,0 +1,19 @@
+package com.onixbyte.deltaforceguide.service;
+
+import com.onixbyte.deltaforceguide.domain.dto.DailyPasswordResponse;
+import com.onixbyte.deltaforceguide.manager.DailyPasswordManager;
+import org.springframework.stereotype.Service;
+
+@Service
+public class DailyPasswordService {
+
+    private final DailyPasswordManager dailyPasswordManager;
+
+    public DailyPasswordService(DailyPasswordManager dailyPasswordManager) {
+        this.dailyPasswordManager = dailyPasswordManager;
+    }
+
+    public DailyPasswordResponse getDailyPassword() {
+        return dailyPasswordManager.getDailyPassword();
+    }
+}

src/main/java/com/onixbyte/deltaforceguide/service/FirearmService.java

@@ -1,9 +1,11 @@
 package com.onixbyte.deltaforceguide.service;
 
+import com.onixbyte.deltaforceguide.domain.dto.FirearmRequest;
 import com.onixbyte.deltaforceguide.domain.dto.FirearmResponse;
 import com.onixbyte.deltaforceguide.domain.dto.PageResponse;
 import com.onixbyte.deltaforceguide.domain.entity.Firearm;
 import com.onixbyte.deltaforceguide.enumeration.FirearmType;
+import com.onixbyte.deltaforceguide.exeption.BizException;
 import com.onixbyte.deltaforceguide.repository.FirearmRepository;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
@@ -36,5 +38,43 @@ public class FirearmService {
                 .map(FirearmResponse::from)
                 .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "Firearm not found: " + id));
     }
-}
 
+    public FirearmResponse addFirearm(FirearmRequest request) {
+        var firearm = firearmRepository.save(Firearm.builder()
+                .name(request.name())
+                .type(request.type())
+                .level(request.level())
+                .calibre(request.calibre())
+                .fireRate(request.fireRate())
+                .armourDamage(request.armourDamage())
+                .bodyDamage(request.bodyDamage())
+                .review(request.review())
+                .build());
+        
+        return FirearmResponse.from(firearm);
+    }
+
+    @Transactional
+    public FirearmResponse updateFirearm(Long id, FirearmRequest request) {
+        var firearm = firearmRepository.findById(id)
+                .orElseThrow(() -> new BizException(HttpStatus.NOT_FOUND, "Firearm not found: " + id));
+
+        firearm.setName(request.name());
+        firearm.setType(request.type());
+        firearm.setLevel(request.level());
+        firearm.setCalibre(request.calibre());
+        firearm.setFireRate(request.fireRate());
+        firearm.setArmourDamage(request.armourDamage());
+        firearm.setBodyDamage(request.bodyDamage());
+        firearm.setReview(request.review());
+
+        return FirearmResponse.from(firearmRepository.save(firearm));
+    }
+
+    @Transactional
+    public void deleteFirearm(Long id) {
+        Firearm firearm = firearmRepository.findById(id)
+                .orElseThrow(() -> new BizException(HttpStatus.NOT_FOUND, "Firearm not found: " + id));
+        firearmRepository.delete(firearm);
+    }
+}

src/main/java/com/onixbyte/deltaforceguide/service/ModificationService.java

@@ -1,8 +1,15 @@
 package com.onixbyte.deltaforceguide.service;
 
+import com.onixbyte.deltaforceguide.domain.dto.AccessoryRequest;
+import com.onixbyte.deltaforceguide.domain.dto.ModificationRequest;
 import com.onixbyte.deltaforceguide.domain.dto.ModificationResponse;
 import com.onixbyte.deltaforceguide.domain.dto.PageResponse;
+import com.onixbyte.deltaforceguide.domain.dto.TuningRequest;
+import com.onixbyte.deltaforceguide.domain.entity.Accessory;
+import com.onixbyte.deltaforceguide.domain.entity.Firearm;
 import com.onixbyte.deltaforceguide.domain.entity.Modification;
+import com.onixbyte.deltaforceguide.domain.entity.Tuning;
+import com.onixbyte.deltaforceguide.repository.FirearmRepository;
 import com.onixbyte.deltaforceguide.repository.ModificationRepository;
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -13,16 +20,27 @@ import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.server.ResponseStatusException;
 
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.LinkedHashSet;
 import java.util.List;
+import java.util.Map;
+import java.util.Set;
 
 @Service
 public class ModificationService {
 
     private final ModificationRepository modificationRepository;
+    private final FirearmRepository firearmRepository;
     private final ObjectMapper objectMapper;
 
-    public ModificationService(ModificationRepository modificationRepository, ObjectMapper objectMapper) {
+    public ModificationService(
+            ModificationRepository modificationRepository,
+            FirearmRepository firearmRepository,
+            ObjectMapper objectMapper
+    ) {
         this.modificationRepository = modificationRepository;
+        this.firearmRepository = firearmRepository;
         this.objectMapper = objectMapper;
     }
 
@@ -58,4 +76,134 @@ public class ModificationService {
     public List<String> findAllTags(Long firearmId) {
         return modificationRepository.findAllTags(firearmId);
     }
+
+    @Transactional
+    public ModificationResponse create(ModificationRequest request) {
+        Firearm firearm = firearmRepository.findById(request.firearmId())
+                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "Firearm not found: " + request.firearmId()));
+
+        Modification modification = toEntity(request, firearm);
+        return ModificationResponse.from(modificationRepository.save(modification));
+    }
+
+    @Transactional
+    public List<ModificationResponse> batchCreate(List<ModificationRequest> requests) {
+        Set<Long> firearmIds = requests.stream()
+                .map(ModificationRequest::firearmId)
+                .collect(java.util.stream.Collectors.toCollection(LinkedHashSet::new));
+
+        Map<Long, Firearm> firearmMap = new HashMap<>();
+        firearmRepository.findAllById(firearmIds).forEach(firearm -> firearmMap.put(firearm.getId(), firearm));
+
+        if (firearmMap.size() != firearmIds.size()) {
+            List<Long> missingFirearmIds = firearmIds.stream()
+                    .filter(id -> !firearmMap.containsKey(id))
+                    .toList();
+            throw new ResponseStatusException(HttpStatus.NOT_FOUND, "Firearm not found: " + missingFirearmIds);
+        }
+
+        List<Modification> modifications = requests.stream()
+                .map(request -> toEntity(request, firearmMap.get(request.firearmId())))
+                .toList();
+        return modificationRepository.saveAll(modifications)
+                .stream()
+                .map(ModificationResponse::from)
+                .toList();
+    }
+
+    @Transactional
+    public ModificationResponse update(Long id, ModificationRequest request) {
+        Modification modification = modificationRepository.findById(id)
+                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "Modification not found: " + id));
+        Firearm firearm = firearmRepository.findById(request.firearmId())
+                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "Firearm not found: " + request.firearmId()));
+
+        modification.setFirearm(firearm);
+        modification.setName(request.name());
+        modification.setCode(request.code());
+        modification.setTags(safeTags(request.tags()));
+        modification.setAccessories(toAccessories(request.accessories()));
+        modification.setNote(request.note());
+        modification.setAuthor(request.author());
+        modification.setVideoUrl(request.videoUrl());
+
+        return ModificationResponse.from(modificationRepository.save(modification));
+    }
+
+    @Transactional
+    public void delete(Long id) {
+        Modification modification = modificationRepository.findById(id)
+                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "Modification not found: " + id));
+        modificationRepository.delete(modification);
+    }
+
+    @Transactional
+    public void batchDelete(List<Long> ids) {
+        Set<Long> uniqueIds = new LinkedHashSet<>(ids);
+        List<Modification> modifications = modificationRepository.findAllById(uniqueIds);
+
+        if (modifications.size() != uniqueIds.size()) {
+            Set<Long> foundIds = modifications.stream()
+                    .map(Modification::getId)
+                    .collect(java.util.stream.Collectors.toSet());
+            List<Long> missingIds = uniqueIds.stream()
+                    .filter(id -> !foundIds.contains(id))
+                    .toList();
+            throw new ResponseStatusException(HttpStatus.NOT_FOUND, "Modification not found: " + missingIds);
+        }
+
+        modificationRepository.deleteAllInBatch(modifications);
+    }
+
+    private Modification toEntity(ModificationRequest request, Firearm firearm) {
+        return Modification.builder()
+                .firearm(firearm)
+                .name(request.name())
+                .code(request.code())
+                .tags(safeTags(request.tags()))
+                .accessories(toAccessories(request.accessories()))
+                .note(request.note())
+                .author(request.author())
+                .videoUrl(request.videoUrl())
+                .build();
+    }
+
+    private List<String> safeTags(List<String> tags) {
+        return tags == null ? new ArrayList<>() : tags;
+    }
+
+    private List<Accessory> toAccessories(List<AccessoryRequest> accessoryRequests) {
+        if (accessoryRequests == null) {
+            return new ArrayList<>();
+        }
+
+        return accessoryRequests.stream()
+                .map(this::toAccessory)
+                .toList();
+    }
+
+    private Accessory toAccessory(AccessoryRequest request) {
+        Accessory accessory = new Accessory();
+        accessory.setSlotName(request.slotName());
+        accessory.setAccessoryName(request.accessoryName());
+        accessory.setTunings(toTunings(request.tunings()));
+        return accessory;
+    }
+
+    private List<Tuning> toTunings(List<TuningRequest> tuningRequests) {
+        if (tuningRequests == null) {
+            return new ArrayList<>();
+        }
+
+        return tuningRequests.stream()
+                .map(this::toTuning)
+                .toList();
+    }
+
+    private Tuning toTuning(TuningRequest request) {
+        Tuning tuning = new Tuning();
+        tuning.setTuningName(request.tuningName());
+        tuning.setTuningValue(request.tuningValue());
+        return tuning;
+    }
 }

src/main/java/com/onixbyte/deltaforceguide/service/UserService.java

@@ -0,0 +1,100 @@
+package com.onixbyte.deltaforceguide.service;
+
+import com.onixbyte.deltaforceguide.domain.entity.User;
+import com.onixbyte.deltaforceguide.domain.entity.UserCredential;
+import com.onixbyte.deltaforceguide.manager.UserCredentialManager;
+import com.onixbyte.deltaforceguide.manager.UserManager;
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+import org.springframework.web.server.ResponseStatusException;
+
+import java.util.List;
+
+@Service
+public class UserService {
+
+    private final UserManager userManager;
+    private final UserCredentialManager userCredentialManager;
+
+    public UserService(UserManager userManager, UserCredentialManager userCredentialManager) {
+        this.userManager = userManager;
+        this.userCredentialManager = userCredentialManager;
+    }
+
+    @Transactional(readOnly = true)
+    public List<User> findAll() {
+        return userManager.findAll();
+    }
+
+    @Transactional(readOnly = true)
+    public User queryById(Long id) {
+        return userManager.findById(id)
+                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "User not found: " + id));
+    }
+
+    @Transactional(readOnly = true)
+    public User queryByUsername(String username) {
+        return userManager.findByUsername(username)
+                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "User not found: " + username));
+    }
+
+    @Transactional
+    public User create(User user) {
+        return userManager.save(user);
+    }
+
+    @Transactional
+    public User update(User user) {
+        if (user.getId() == null || userManager.findById(user.getId()).isEmpty()) {
+            throw new ResponseStatusException(HttpStatus.NOT_FOUND, "User not found: " + user.getId());
+        }
+        return userManager.save(user);
+    }
+
+    @Transactional(readOnly = true)
+    public List<UserCredential> findCredentials(Long userId) {
+        ensureUserExists(userId);
+        return userCredentialManager.findAllByUserId(userId);
+    }
+
+    @Transactional(readOnly = true)
+    public UserCredential queryCredential(Long userId, String provider) {
+        ensureUserExists(userId);
+        return userCredentialManager.findByUserIdAndProvider(userId, provider)
+                .orElseThrow(() -> new ResponseStatusException(
+                        HttpStatus.NOT_FOUND,
+                        "User credential not found: userId=" + userId + ", provider=" + provider));
+    }
+
+    @Transactional
+    public UserCredential upsertCredential(Long userId, String provider, String credential) {
+        User user = ensureUserExists(userId);
+        UserCredential userCredential = userCredentialManager.findByUserIdAndProvider(userId, provider)
+                .orElseGet(UserCredential::new);
+        userCredential.setUser(user);
+        userCredential.setProvider(provider);
+        userCredential.setCredential(credential);
+        return userCredentialManager.save(userCredential);
+    }
+
+    @Transactional
+    public void deleteCredential(Long userId, String provider) {
+        ensureUserExists(userId);
+        userCredentialManager.deleteByUserIdAndProvider(userId, provider);
+    }
+
+    @Transactional
+    public void deleteById(Long id) {
+        ensureUserExists(id);
+        userCredentialManager.deleteAllByUserId(id);
+        userManager.deleteById(id);
+    }
+
+    private User ensureUserExists(Long userId) {
+        return userManager.findById(userId)
+                .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "User not found: " + userId));
+    }
+}
+
+

src/main/java/com/onixbyte/deltaforceguide/shared/CookieName.java

@@ -0,0 +1,6 @@
+package com.onixbyte.deltaforceguide.shared;
+
+public class CookieName {
+
+    public static final String ACCESS_TOKEN = "AccessToken";
+}

src/main/java/com/onixbyte/deltaforceguide/shared/CredentialProvider.java

@@ -0,0 +1,6 @@
+package com.onixbyte.deltaforceguide.shared;
+
+public class CredentialProvider {
+
+    public static final String LOCAL = "LOCAL";
+}

src/main/java/com/onixbyte/deltaforceguide/utils/DateTimeUtil.java

@@ -0,0 +1,13 @@
+package com.onixbyte.deltaforceguide.utils;
+
+import java.time.Instant;
+import java.time.LocalDateTime;
+import java.time.ZoneId;
+
+public class DateTimeUtil {
+
+    public static Instant asInstant(LocalDateTime ldt) {
+        return ldt.atZone(ZoneId.systemDefault())
+                .toInstant();
+    }
+}

src/main/resources/application.yaml

@@ -43,4 +43,3 @@ logging:
   level:
     org.hibernate:
       orm.connections.pooling: off
-

src/main/resources/db/migration/V3__bullet_and_damages.sql

@@ -1,4 +1,5 @@
 -- 创建新表
+DROP TABLE IF EXISTS firearm_new;
 CREATE TABLE firearm_new
 (
     id            BIGSERIAL   NOT NULL,
@@ -20,10 +21,10 @@ SELECT id,
        name,
        type,
        level,
-       calibre,
+       '',
+       0,
+       0,
        0,
-       armour_damage,
-       body_damage,
        review
 FROM firearm;
 

src/main/resources/db/migration/V4__user.sql

@@ -0,0 +1,18 @@
+DROP TABLE IF EXISTS app_user CASCADE;
+CREATE TABLE app_user
+(
+    id       BIGSERIAL    NOT NULL PRIMARY KEY,
+    username VARCHAR(255) NOT NULL,
+    email    VARCHAR(255) NOT NULL,
+    CONSTRAINT app_user_username_key UNIQUE (username),
+    CONSTRAINT app_user_email_key UNIQUE (email)
+);
+
+DROP TABLE IF EXISTS app_user_credential CASCADE;
+CREATE TABLE app_user_credential
+(
+    user_id    BIGINT       NOT NULL REFERENCES app_user (id),
+    provider   VARCHAR(255) NOT NULL,
+    credential VARCHAR(255) NOT NULL,
+    CONSTRAINT app_user_credential_pkey PRIMARY KEY (user_id, provider)
+);

src/main/resources/db/migration/V5__modification_accessories.sql

@@ -0,0 +1,2 @@
+ALTER TABLE modification
+    ADD accessories JSONB NOT NULL DEFAULT '[]';