修改登录逻辑，使用RSA-OAEP 包裹每会话独立 AES-GCM 密钥 + 加密提交凭据

accounts/es_client.py

@@ -1,19 +1,14 @@
 import base64
 from elastic.es_connect import get_user_by_username as es_get_user_by_username
-from .crypto import salt_for_username, derive_password
 
 def get_user_by_username(username: str):
-    """
-    期望ES中存储的是明文密码，登录时按用户名盐派生后对nonce做HMAC验证。
-    """
     es_user = es_get_user_by_username(username)
     if es_user:
-        salt = salt_for_username(username)
-        derived = derive_password(es_user.get('password', ''), salt)
         return {
             'user_id': es_user.get('user_id', 0),
             'username': es_user.get('username', ''),
-            'password': base64.b64encode(derived).decode('ascii'),
+            'password_hash': es_user.get('password_hash'),
+            'password_salt': es_user.get('password_salt'),
             'permission': es_user.get('permission', 1),
         }
     return None