fix confirmed deployment risks

backend/internal/handler/auth_handler.go

@@ -170,12 +170,11 @@ func (h *AuthHandler) Login(c *gin.Context) {
 		return
 	}
 
-	token, user, err := h.authService.Login(c.Request.Context(), req.Email, req.Password)
+	user, err := h.authService.Login(c.Request.Context(), req.Email, req.Password)
 	if err != nil {
 		response.ErrorFrom(c, err)
 		return
 	}
-	_ = token // token 由 authService.Login 返回但此处由 respondWithTokenPair 重新生成
 
 	// Check if TOTP 2FA is enabled for this user
 	if h.totpService != nil && h.settingSvc.IsTotpEnabled(c.Request.Context()) && user.TotpEnabled {
@@ -270,7 +269,11 @@ func (h *AuthHandler) Login2FA(c *gin.Context) {
 	}
 
 	// Delete the login session (only after all checks pass)
-	_ = h.totpService.DeleteLoginSession(c.Request.Context(), req.TempToken)
+	if err := h.totpService.DeleteLoginSession(c.Request.Context(), req.TempToken); err != nil {
+		slog.Warn("login_2fa_delete_session_failed", "user_id", session.UserID, "error", err)
+		response.InternalError(c, "Failed to finalize 2FA login session")
+		return
+	}
 
 	h.respondWithTokenPair(c, user)
 }