Token架构优化：防重放攻击清除token、防重复forceLogout、refreshToken空值防御

flutter_monisuo/lib/core/constants/api_endpoints.dart

@@ -33,7 +33,7 @@ class ApiEndpoints {
   /// 退出登錄
   static const String logout = '/api/user/logout';
 
-  /// 刷新 Token（後端尚未實現，預留接口）
+  /// 刷新 Token
   static const String tokenRefresh = '/api/auth/refresh';
 
   // ==================== 行情模塊 ====================

flutter_monisuo/lib/core/network/dio_client.dart

@@ -35,6 +35,9 @@ class DioClient {
   /// 未授權回調（token 徹底過期時觸發 AuthProvider.forceLogout）
   VoidCallback? onForceLogout;
 
+  /// 防止重複 forceLogout
+  bool hasForceLoggedOut = false;
+
   DioClient({this.navigatorKey}) {
     _dio = _createDio();
     _setupInterceptors();
@@ -133,8 +136,10 @@ class DioClient {
     return ApiResponse.fail(message);
   }
 
-  /// 徹底失效時清除數據並跳轉登錄頁
+  /// 徹底失效時清除數據並跳轉登錄頁（防重複調用）
   void forceLogout() {
+    if (hasForceLoggedOut) return;
+    hasForceLoggedOut = true;
     LocalStorage.clearUserData();
     onForceLogout?.call();
     final context = navigatorKey?.currentContext;
@@ -253,6 +258,8 @@ class _TokenRefreshInterceptor extends QueuedInterceptor {
     try {
       final newToken = await _refreshToken();
       if (newToken != null) {
+        // 刷新成功，重置 forceLogout 標記（用戶重新激活）
+        _client.hasForceLoggedOut = false;
         // 刷新成功，更新 header 並重試原始請求
         requestOptions.headers['Authorization'] = 'Bearer $newToken';
         final retryResponse = await _client._dio.fetch(requestOptions);