fix: address multiple code audit findings

- CORS: replace wildcard with explicit origin list from CORS_ORIGINS env
- Auth: enforce strong defaults, JWT blacklist (RevokedToken model), login rate limiting
- Auth: validate password length before bcrypt (72-byte limit)
- Scheduler: single-threaded worker to mitigate SQLite write contention
- Scheduler: graceful shutdown (wait=True)
- Snapshots: add prune_snapshots() with configurable retention count
- Storage: isolate localStorage keys via VITE_APP_KEY prefix
- Config: add cors_origins, login_rate_limit, snapshot_retention_count settings

backend/app/routers/upstreams.py

@@ -154,8 +154,18 @@ def test_upstream(uid: int, db: Session = Depends(get_db), _=Depends(get_current
     try:
         client.login()
         groups = client.get_available_groups(u.groups_endpoint)
+        u.last_status = "healthy"
+        u.last_error = None
+        u.last_checked_at = datetime.now(timezone.utc)
+        u.consecutive_failures = 0
+        db.commit()
         return TestResult(success=True, message=f"连接成功，获取到 {len(groups)} 个分组")
     except Exception as exc:
+        u.last_status = "unhealthy"
+        u.last_error = str(exc)
+        u.last_checked_at = datetime.now(timezone.utc)
+        u.consecutive_failures = (u.consecutive_failures or 0) + 1
+        db.commit()
         return TestResult(success=False, message="连接失败", detail=str(exc))