huangzhenpc/yinghuoapi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): 强化 usage 端点信息暴露控制

Browse Source
This commit is contained in:
shaw
2026-01-08 17:45:31 +08:00
parent 6e8188ed64
commit 3fb43b91bf
3 changed files with 40 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
backend/internal/handler/admin/usage_handler.go
View File

@@ -144,7 +144,7 @@ func (h *UsageHandler) List(c *gin.Context) {
out := make([]dto.UsageLog, 0, len(records)) out := make([]dto.UsageLog, 0, len(records))
for i := range records { for i := range records {
out = append(out, *dto.UsageLogFromService(&records[i])) out = append(out, *dto.UsageLogFromServiceAdmin(&records[i]))
} }
response.Paginated(c, out, result.Total, page, pageSize) response.Paginated(c, out, result.Total, page, pageSize)
} }

33
backend/internal/handler/dto/mappers.go
View File

@@ -234,7 +234,21 @@ func RedeemCodeFromService(rc *service.RedeemCode) *RedeemCode {
} }
} }
func UsageLogFromService(l *service.UsageLog) *UsageLog { // AccountSummaryFromService returns a minimal AccountSummary for usage log display.
// Only includes ID and Name - no sensitive fields like Credentials, Proxy, etc.
func AccountSummaryFromService(a *service.Account) *AccountSummary {
if a == nil {
return nil
}
return &AccountSummary{
ID: a.ID,
Name: a.Name,
}
}
// usageLogFromServiceBase is a helper that converts service UsageLog to DTO.
// The account parameter allows caller to control what Account info is included.
func usageLogFromServiceBase(l *service.UsageLog, account *AccountSummary) *UsageLog {
if l == nil { if l == nil {
return nil return nil
} }
@@ -269,12 +283,27 @@ func UsageLogFromService(l *service.UsageLog) *UsageLog {
CreatedAt: l.CreatedAt, CreatedAt: l.CreatedAt,
User: UserFromServiceShallow(l.User), User: UserFromServiceShallow(l.User),
APIKey: APIKeyFromService(l.APIKey), APIKey: APIKeyFromService(l.APIKey),
Account: AccountFromService(l.Account), Account: account,
Group: GroupFromServiceShallow(l.Group), Group: GroupFromServiceShallow(l.Group),
Subscription: UserSubscriptionFromService(l.Subscription), Subscription: UserSubscriptionFromService(l.Subscription),
} }
} }
// UsageLogFromService converts a service UsageLog to DTO for regular users.
// It excludes Account details - users should not see account information.
func UsageLogFromService(l *service.UsageLog) *UsageLog {
return usageLogFromServiceBase(l, nil)
}
// UsageLogFromServiceAdmin converts a service UsageLog to DTO for admin users.
// It includes minimal Account info (ID, Name only).
func UsageLogFromServiceAdmin(l *service.UsageLog) *UsageLog {
if l == nil {
return nil
}
return usageLogFromServiceBase(l, AccountSummaryFromService(l.Account))
}
func SettingFromService(s *service.Setting) *Setting { func SettingFromService(s *service.Setting) *Setting {
if s == nil { if s == nil {
return nil return nil

9
backend/internal/handler/dto/types.go
View File

@@ -184,11 +184,18 @@ type UsageLog struct {
User *User `json:"user,omitempty"` User *User `json:"user,omitempty"`
APIKey *APIKey `json:"api_key,omitempty"` APIKey *APIKey `json:"api_key,omitempty"`
Account *Account `json:"account,omitempty"` Account *AccountSummary `json:"account,omitempty"` // Use minimal AccountSummary to prevent data leakage
Group *Group `json:"group,omitempty"` Group *Group `json:"group,omitempty"`
Subscription *UserSubscription `json:"subscription,omitempty"` Subscription *UserSubscription `json:"subscription,omitempty"`
} }
// AccountSummary is a minimal account info for usage log display.
// It intentionally excludes sensitive fields like Credentials, Proxy, etc.
type AccountSummary struct {
ID int64 `json:"id"`
Name string `json:"name"`
}
type Setting struct { type Setting struct {
ID int64 `json:"id"` ID int64 `json:"id"`
Key string `json:"key"` Key string `json:"key"`