
fix: 增强认证异常处理和JWT过滤器健壮性,防止登录500错误

ye-zhaojia 8 часов назад
Родитель
Сommit
4ce15a9dfe

+ 12 - 0
src/main/java/com/qqflow/engine/common/exception/GlobalExceptionHandler.java

@@ -4,6 +4,8 @@ import com.qqflow.engine.common.Result;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.InternalAuthenticationServiceException;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.validation.BindException;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RestControllerAdvice;
@@ -30,6 +32,16 @@ public class GlobalExceptionHandler {
         return Result.error(400, "用户名或密码错误");
     }
 
+    @ExceptionHandler({InternalAuthenticationServiceException.class, AuthenticationException.class})
+    public Result<Void> handleAuthenticationException(AuthenticationException e) {
+        log.warn("认证异常: {}", e.getMessage());
+        Throwable cause = e.getCause();
+        if (cause instanceof BadCredentialsException) {
+            return Result.error(400, "用户名或密码错误");
+        }
+        return Result.error(400, e.getMessage());
+    }
+
     @ExceptionHandler(BindException.class)
     public Result<Void> handleBindException(BindException e) {
         String msg = e.getAllErrors().get(0).getDefaultMessage();
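Review bot: The fallback `return Result.error(400, e.getMessage());` on the last line of the new handler echoes the exception message to the client, and for InternalAuthenticationServiceException that message normally describes a server-side failure inside the UserDetailsService (database error, NPE) rather than a user mistake, so it discloses internal detail and reports a server fault as a 400. The preceding `log.warn("认证异常: {}", e.getMessage())` also drops the stack trace that would be needed to diagnose that underlying cause, and `getMessage()` may be null, which would put a null message into the Result. I would log the throwable and return a fixed message: `log.warn("认证异常", e);` and `return Result.error(400, "认证失败");` (the message text is a placeholder for whatever generic wording the API uses). Listing InternalAuthenticationServiceException next to its superclass AuthenticationException in the @ExceptionHandler is redundant, since Spring already routes subclasses to the closest handler, which is what the existing BadCredentialsException handler above relies on.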

+ 8 - 2
src/main/java/com/qqflow/engine/config/security/JwtAuthenticationFilter.java

@@ -9,12 +9,14 @@ import jakarta.servlet.http.HttpServletResponse;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Component;
 import org.springframework.util.StringUtils;
 import org.springframework.web.filter.OncePerRequestFilter;
 
 import java.io.IOException;
 
+@Slf4j
 @Component
 public class JwtAuthenticationFilter extends OncePerRequestFilter {
 
@@ -32,11 +34,15 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
                 LoginUser loginUser = jwtUtils.parseLoginUser(token);
                 if (loginUser != null && SecurityContextHolder.getContext().getAuthentication() == null) {
                     UsernamePasswordAuthenticationToken authentication =
-                            new UsernamePasswordAuthenticationToken(loginUser, null, loginUser.getAuthorities());
+                            new UsernamePasswordAuthenticationToken(
+                                    loginUser, null,
+                                    loginUser.getAuthorities() != null ? loginUser.getAuthorities() : java.util.Collections.emptyList()
+                            );
                     authentication.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));
                     SecurityContextHolder.getContext().setAuthentication(authentication);
                 }
-            } catch (Exception ignored) {
+            } catch (Exception e) {
+                log.debug("JWT token解析失败: {}", e.getMessage());
             }
         }
         chain.doFilter(request, response);
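Review bot: `loginUser.getAuthorities()` is evaluated twice in the new null guard and `java.util.Collections.emptyList()` is spelled fully qualified inside the constructor arguments, which makes the three-line call hard to read; bind it once, `var authorities = loginUser.getAuthorities() != null ? loginUser.getAuthorities() : Collections.emptyList();` with `java.util.Collections` added to the imports, and pass `authorities` to the token. In the catch block, `log.debug("JWT token解析失败: {}", e.getMessage())` still catches every Exception but discards the stack trace, so a genuine bug inside parseLoginUser (as opposed to an expired or malformed token) remains about as invisible as it was with the `ignored` variable; passing the throwable as the last argument, `log.debug("JWT token解析失败", e)`, keeps it in the log at no extra cost. If the JWT library throws a distinct exception type for invalid tokens, catching that type narrowly and letting anything else surface would be cleaner, but the library is not visible in this hunk. The enclosing doFilterInternal method starts before this hunk.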

+ 1 - 1
src/main/java/com/qqflow/engine/domain/system/service/impl/SysUserServiceImpl.java

@@ -196,7 +196,7 @@ public class SysUserServiceImpl extends ServiceImpl<SysUserMapper, SysUser>
     @Override
     public Set<String> loadUserPermissions(Long userId) {
         List<String> permissions = this.baseMapper.selectPermissionsByUserId(userId);
-        return new java.util.HashSet<>(permissions);
+        return permissions != null ? new java.util.HashSet<>(permissions) : new java.util.HashSet<>();
     }
 
     @Override
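Review bot: The new line repeats `new java.util.HashSet<>()` fully qualified on both branches of the ternary while the same method already uses the imported `List` and `Set` names; importing `java.util.HashSet` and writing `return new HashSet<>(permissions != null ? permissions : List.of());` keeps the one-line shape and still returns the mutable set type callers may depend on. Whether `selectPermissionsByUserId` can actually return null depends on the MyBatis mapper, which is not visible here; collection-typed results usually come back empty rather than null, so a short comment stating when the guard fires would help the next reader. This guard and the one on `getAuthorities()` in JwtAuthenticationFilter appear to protect against the same missing-permissions case, so if this is the root cause of the original 500 the filter-side guard may be papering over it rather than fixing it.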