fix(auth): O(n) session lookup -> direct DB query, init passwordHistory empty

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

server/service/auth/index.ts

@@ -47,7 +47,7 @@ export class AuthService {
         password: passwordHash,
         role: "user",
         status: "active",
-        passwordHistory: JSON.stringify([passwordHash]),
+        passwordHistory: "[]",
       })
       .returning();
 
@@ -95,23 +95,18 @@ export class AuthService {
     refreshToken: string
   ): Promise<{ accessToken: string; newRefreshToken: string }> {
     // 查找有效 session
-    const sessions = await dbGlobal
+    const [session] = await dbGlobal
       .select()
       .from(userSessions)
-      .where(isNull(userSessions.revokedAt));
-
-    let matchedSession: (typeof sessions)[0] | null = null;
-    for (const s of sessions) {
-      if (s.id === refreshToken && s.expiresAt > new Date()) {
-        matchedSession = s;
-        break;
-      }
-    }
+      .where(eq(userSessions.id, refreshToken))
+      .limit(1);
 
-    if (!matchedSession) {
+    if (!session || session.revokedAt !== null || session.expiresAt <= new Date()) {
       throw { code: "SESSION_REVOKED", message: "Session 已失效" };
     }
 
+    const matchedSession = session;
+
     const [user] = await dbGlobal
       .select()
       .from(users)