Deprecate device password endpoints to resolve JWT authentication errors

[Copilot]

Users encountered "无效的JWT token" errors when attempting to reset device passwords through account-based authentication. Per maintainer guidance, the standalone device password system is being replaced by AutoAuth.

Changes

Deprecated 5 password management endpoints - All now return HTTP 410 with migration guidance:

• POST /devices/:uuid/password - Initial password setup
• PUT /devices/:uuid/password - Password modification
• DELETE /devices/:uuid/password - Password deletion
• PUT /devices/:uuid/password-hint - Password hint management
• GET /devices/:uuid/password-hint - Password hint retrieval

router.delete(
  "/:uuid/password",
  errors.catchAsync(async (req, res, next) => {
    return next(errors.createError(410, "此功能已弃用，请使用 AutoAuth 自动授权功能代替设备密码"));
  })
);

Backward compatibility preserved:

• Password validation middleware (uuidAuth, passwordMiddleware) remains unchanged
• Existing devices with passwords continue to authenticate normally
• Device GET responses still include hasPassword and passwordHint fields

Impact: Eliminates confusing JWT errors by directing users to the AutoAuth system. Reduces codebase by ~130 lines while maintaining compatibility for legacy devices.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• checkpoint.prisma.io
  • Triggering command: /usr/local/bin/node /home/REDACTED/work/ClassworksKV/ClassworksKV/node_modules/prisma/build/child {"product":"prisma","version":"6.19.0","cli_install_type":"local","information":"","local_timestamp":"2025-11-14T14:15:44Z","project_hash":"aa57ea34","cli_path":"/home/REDACTED/work/ClassworksKV/ClassworksKV/node_modules/.bin/prisma","cli_path_hash":"62597469","endpoint":"REDACTED","disable":false,"arch":"x64","os":"linux","node_version":"v20.19.5","ci":true,"ci_name":"GitHub Actions","command":"generate --postinstall \"UNABLE_TO_FIND_POSTINSTALL_TRIGGER__ENVAR_MISSING\"","schema_providers":["mysql"],"schema_preview_features":[],"schema_generators_providers":["prisma-client-js"],"cache_file":"/home/REDACTED/.cache/checkpoint-nodejs/prisma-62597469","cache_duration":43200000,"remind_duration":172800000,"force":false,"timeout":5000,"unref":true,"child_path":"/home/REDACTED/work/ClassworksKV/ClassworksKV/node_modules/prisma/build/child","client_event_id":"","previous_client_event_id":"","check_if_update_available":true} (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Classworks KV无法重置设备密码</issue_title>
<issue_description>我在学校大屏注册的，回到家我使用智教联盟账户登录Classworks KV，重置密码报错 删除密码失败：无效的JWT token，然后Classworks KV掉登录

您已登录绑定的账户，可以直接重置密码而无需输入当前密码

...

欸试了半天原来早上设置的密码是这个啊

Comments on the Issue (you are @copilot in this section)

@Sunwuyuan 谢谢你的反馈，现在独立的“设备密码”正在弃用，您可以使用“自动授权”功能管理设备登录、访问您的数据。

我们将尽快移除不再需要的功能UI，并增强项目使用体验。</comment_new>

• Fixes Classworks KV无法重置设备密码 #52

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.