First commit

2025-12-18 13:50:39 +08:00
parent 569f4882e5
commit 642842c29e
218 changed files with 86902 additions and 0 deletions
--- a/backend/internal/handler/admin/account_handler.go
+++ b/backend/internal/handler/admin/account_handler.go
@@ -0,0 +1,537 @@
+package admin
+
+import (
+	"strconv"
+
+	"sub2api/internal/pkg/response"
+	"sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// OAuthHandler handles OAuth-related operations for accounts
+type OAuthHandler struct {
+	oauthService *service.OAuthService
+	adminService service.AdminService
+}
+
+// NewOAuthHandler creates a new OAuth handler
+func NewOAuthHandler(oauthService *service.OAuthService, adminService service.AdminService) *OAuthHandler {
+	return &OAuthHandler{
+		oauthService: oauthService,
+		adminService: adminService,
+	}
+}
+
+// AccountHandler handles admin account management
+type AccountHandler struct {
+	adminService        service.AdminService
+	oauthService        *service.OAuthService
+	rateLimitService    *service.RateLimitService
+	accountUsageService *service.AccountUsageService
+	accountTestService  *service.AccountTestService
+}
+
+// NewAccountHandler creates a new admin account handler
+func NewAccountHandler(adminService service.AdminService, oauthService *service.OAuthService, rateLimitService *service.RateLimitService, accountUsageService *service.AccountUsageService, accountTestService *service.AccountTestService) *AccountHandler {
+	return &AccountHandler{
+		adminService:        adminService,
+		oauthService:        oauthService,
+		rateLimitService:    rateLimitService,
+		accountUsageService: accountUsageService,
+		accountTestService:  accountTestService,
+	}
+}
+
+// CreateAccountRequest represents create account request
+type CreateAccountRequest struct {
+	Name        string                 `json:"name" binding:"required"`
+	Platform    string                 `json:"platform" binding:"required"`
+	Type        string                 `json:"type" binding:"required,oneof=oauth setup-token apikey"`
+	Credentials map[string]interface{} `json:"credentials" binding:"required"`
+	Extra       map[string]interface{} `json:"extra"`
+	ProxyID     *int64                 `json:"proxy_id"`
+	Concurrency int                    `json:"concurrency"`
+	Priority    int                    `json:"priority"`
+	GroupIDs    []int64                `json:"group_ids"`
+}
+
+// UpdateAccountRequest represents update account request
+// 使用指针类型来区分"未提供"和"设置为0"
+type UpdateAccountRequest struct {
+	Name        string                 `json:"name"`
+	Type        string                 `json:"type" binding:"omitempty,oneof=oauth setup-token apikey"`
+	Credentials map[string]interface{} `json:"credentials"`
+	Extra       map[string]interface{} `json:"extra"`
+	ProxyID     *int64                 `json:"proxy_id"`
+	Concurrency *int                   `json:"concurrency"`
+	Priority    *int                   `json:"priority"`
+	Status      string                 `json:"status" binding:"omitempty,oneof=active inactive"`
+	GroupIDs    *[]int64               `json:"group_ids"`
+}
+
+// List handles listing all accounts with pagination
+// GET /api/v1/admin/accounts
+func (h *AccountHandler) List(c *gin.Context) {
+	page, pageSize := response.ParsePagination(c)
+	platform := c.Query("platform")
+	accountType := c.Query("type")
+	status := c.Query("status")
+	search := c.Query("search")
+
+	accounts, total, err := h.adminService.ListAccounts(c.Request.Context(), page, pageSize, platform, accountType, status, search)
+	if err != nil {
+		response.InternalError(c, "Failed to list accounts: "+err.Error())
+		return
+	}
+
+	response.Paginated(c, accounts, total, page, pageSize)
+}
+
+// GetByID handles getting an account by ID
+// GET /api/v1/admin/accounts/:id
+func (h *AccountHandler) GetByID(c *gin.Context) {
+	accountID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid account ID")
+		return
+	}
+
+	account, err := h.adminService.GetAccount(c.Request.Context(), accountID)
+	if err != nil {
+		response.NotFound(c, "Account not found")
+		return
+	}
+
+	response.Success(c, account)
+}
+
+// Create handles creating a new account
+// POST /api/v1/admin/accounts
+func (h *AccountHandler) Create(c *gin.Context) {
+	var req CreateAccountRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	account, err := h.adminService.CreateAccount(c.Request.Context(), &service.CreateAccountInput{
+		Name:        req.Name,
+		Platform:    req.Platform,
+		Type:        req.Type,
+		Credentials: req.Credentials,
+		Extra:       req.Extra,
+		ProxyID:     req.ProxyID,
+		Concurrency: req.Concurrency,
+		Priority:    req.Priority,
+		GroupIDs:    req.GroupIDs,
+	})
+	if err != nil {
+		response.BadRequest(c, "Failed to create account: "+err.Error())
+		return
+	}
+
+	response.Success(c, account)
+}
+
+// Update handles updating an account
+// PUT /api/v1/admin/accounts/:id
+func (h *AccountHandler) Update(c *gin.Context) {
+	accountID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid account ID")
+		return
+	}
+
+	var req UpdateAccountRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	account, err := h.adminService.UpdateAccount(c.Request.Context(), accountID, &service.UpdateAccountInput{
+		Name:        req.Name,
+		Type:        req.Type,
+		Credentials: req.Credentials,
+		Extra:       req.Extra,
+		ProxyID:     req.ProxyID,
+		Concurrency: req.Concurrency, // 指针类型，nil 表示未提供
+		Priority:    req.Priority,    // 指针类型，nil 表示未提供
+		Status:      req.Status,
+		GroupIDs:    req.GroupIDs,
+	})
+	if err != nil {
+		response.InternalError(c, "Failed to update account: "+err.Error())
+		return
+	}
+
+	response.Success(c, account)
+}
+
+// Delete handles deleting an account
+// DELETE /api/v1/admin/accounts/:id
+func (h *AccountHandler) Delete(c *gin.Context) {
+	accountID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid account ID")
+		return
+	}
+
+	err = h.adminService.DeleteAccount(c.Request.Context(), accountID)
+	if err != nil {
+		response.InternalError(c, "Failed to delete account: "+err.Error())
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Account deleted successfully"})
+}
+
+// Test handles testing account connectivity with SSE streaming
+// POST /api/v1/admin/accounts/:id/test
+func (h *AccountHandler) Test(c *gin.Context) {
+	accountID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid account ID")
+		return
+	}
+
+	// Use AccountTestService to test the account with SSE streaming
+	if err := h.accountTestService.TestAccountConnection(c, accountID); err != nil {
+		// Error already sent via SSE, just log
+		return
+	}
+}
+
+// Refresh handles refreshing account credentials
+// POST /api/v1/admin/accounts/:id/refresh
+func (h *AccountHandler) Refresh(c *gin.Context) {
+	accountID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid account ID")
+		return
+	}
+
+	// Get account
+	account, err := h.adminService.GetAccount(c.Request.Context(), accountID)
+	if err != nil {
+		response.NotFound(c, "Account not found")
+		return
+	}
+
+	// Only refresh OAuth-based accounts (oauth and setup-token)
+	if !account.IsOAuth() {
+		response.BadRequest(c, "Cannot refresh non-OAuth account credentials")
+		return
+	}
+
+	// Use OAuth service to refresh token
+	tokenInfo, err := h.oauthService.RefreshAccountToken(c.Request.Context(), account)
+	if err != nil {
+		response.InternalError(c, "Failed to refresh credentials: "+err.Error())
+		return
+	}
+
+	// Update account credentials
+	newCredentials := map[string]interface{}{
+		"access_token":  tokenInfo.AccessToken,
+		"token_type":    tokenInfo.TokenType,
+		"expires_in":    tokenInfo.ExpiresIn,
+		"expires_at":    tokenInfo.ExpiresAt,
+		"refresh_token": tokenInfo.RefreshToken,
+		"scope":         tokenInfo.Scope,
+	}
+
+	updatedAccount, err := h.adminService.UpdateAccount(c.Request.Context(), accountID, &service.UpdateAccountInput{
+		Credentials: newCredentials,
+	})
+	if err != nil {
+		response.InternalError(c, "Failed to update account credentials: "+err.Error())
+		return
+	}
+
+	response.Success(c, updatedAccount)
+}
+
+// GetStats handles getting account statistics
+// GET /api/v1/admin/accounts/:id/stats
+func (h *AccountHandler) GetStats(c *gin.Context) {
+	accountID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid account ID")
+		return
+	}
+
+	// Return mock data for now
+	_ = accountID
+	response.Success(c, gin.H{
+		"total_requests":        0,
+		"successful_requests":   0,
+		"failed_requests":       0,
+		"total_tokens":          0,
+		"average_response_time": 0,
+	})
+}
+
+// ClearError handles clearing account error
+// POST /api/v1/admin/accounts/:id/clear-error
+func (h *AccountHandler) ClearError(c *gin.Context) {
+	accountID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid account ID")
+		return
+	}
+
+	account, err := h.adminService.ClearAccountError(c.Request.Context(), accountID)
+	if err != nil {
+		response.InternalError(c, "Failed to clear error: "+err.Error())
+		return
+	}
+
+	response.Success(c, account)
+}
+
+// BatchCreate handles batch creating accounts
+// POST /api/v1/admin/accounts/batch
+func (h *AccountHandler) BatchCreate(c *gin.Context) {
+	var req struct {
+		Accounts []CreateAccountRequest `json:"accounts" binding:"required,min=1"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	// Return mock data for now
+	response.Success(c, gin.H{
+		"success": len(req.Accounts),
+		"failed":  0,
+		"results": []gin.H{},
+	})
+}
+
+// ========== OAuth Handlers ==========
+
+// GenerateAuthURLRequest represents the request for generating auth URL
+type GenerateAuthURLRequest struct {
+	ProxyID *int64 `json:"proxy_id"`
+}
+
+// GenerateAuthURL generates OAuth authorization URL with full scope
+// POST /api/v1/admin/accounts/generate-auth-url
+func (h *OAuthHandler) GenerateAuthURL(c *gin.Context) {
+	var req GenerateAuthURLRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		// Allow empty body
+		req = GenerateAuthURLRequest{}
+	}
+
+	result, err := h.oauthService.GenerateAuthURL(c.Request.Context(), req.ProxyID)
+	if err != nil {
+		response.InternalError(c, "Failed to generate auth URL: "+err.Error())
+		return
+	}
+
+	response.Success(c, result)
+}
+
+// GenerateSetupTokenURL generates OAuth authorization URL for setup token (inference only)
+// POST /api/v1/admin/accounts/generate-setup-token-url
+func (h *OAuthHandler) GenerateSetupTokenURL(c *gin.Context) {
+	var req GenerateAuthURLRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		// Allow empty body
+		req = GenerateAuthURLRequest{}
+	}
+
+	result, err := h.oauthService.GenerateSetupTokenURL(c.Request.Context(), req.ProxyID)
+	if err != nil {
+		response.InternalError(c, "Failed to generate setup token URL: "+err.Error())
+		return
+	}
+
+	response.Success(c, result)
+}
+
+// ExchangeCodeRequest represents the request for exchanging auth code
+type ExchangeCodeRequest struct {
+	SessionID string `json:"session_id" binding:"required"`
+	Code      string `json:"code" binding:"required"`
+	ProxyID   *int64 `json:"proxy_id"`
+}
+
+// ExchangeCode exchanges authorization code for tokens
+// POST /api/v1/admin/accounts/exchange-code
+func (h *OAuthHandler) ExchangeCode(c *gin.Context) {
+	var req ExchangeCodeRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	tokenInfo, err := h.oauthService.ExchangeCode(c.Request.Context(), &service.ExchangeCodeInput{
+		SessionID: req.SessionID,
+		Code:      req.Code,
+		ProxyID:   req.ProxyID,
+	})
+	if err != nil {
+		response.BadRequest(c, "Failed to exchange code: "+err.Error())
+		return
+	}
+
+	response.Success(c, tokenInfo)
+}
+
+// ExchangeSetupTokenCode exchanges authorization code for setup token
+// POST /api/v1/admin/accounts/exchange-setup-token-code
+func (h *OAuthHandler) ExchangeSetupTokenCode(c *gin.Context) {
+	var req ExchangeCodeRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	tokenInfo, err := h.oauthService.ExchangeCode(c.Request.Context(), &service.ExchangeCodeInput{
+		SessionID: req.SessionID,
+		Code:      req.Code,
+		ProxyID:   req.ProxyID,
+	})
+	if err != nil {
+		response.BadRequest(c, "Failed to exchange code: "+err.Error())
+		return
+	}
+
+	response.Success(c, tokenInfo)
+}
+
+// CookieAuthRequest represents the request for cookie-based authentication
+type CookieAuthRequest struct {
+	SessionKey string `json:"code" binding:"required"` // Using 'code' field as sessionKey (frontend sends it this way)
+	ProxyID    *int64 `json:"proxy_id"`
+}
+
+// CookieAuth performs OAuth using sessionKey (cookie-based auto-auth)
+// POST /api/v1/admin/accounts/cookie-auth
+func (h *OAuthHandler) CookieAuth(c *gin.Context) {
+	var req CookieAuthRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	tokenInfo, err := h.oauthService.CookieAuth(c.Request.Context(), &service.CookieAuthInput{
+		SessionKey: req.SessionKey,
+		ProxyID:    req.ProxyID,
+		Scope:      "full",
+	})
+	if err != nil {
+		response.BadRequest(c, "Cookie auth failed: "+err.Error())
+		return
+	}
+
+	response.Success(c, tokenInfo)
+}
+
+// SetupTokenCookieAuth performs OAuth using sessionKey for setup token (inference only)
+// POST /api/v1/admin/accounts/setup-token-cookie-auth
+func (h *OAuthHandler) SetupTokenCookieAuth(c *gin.Context) {
+	var req CookieAuthRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	tokenInfo, err := h.oauthService.CookieAuth(c.Request.Context(), &service.CookieAuthInput{
+		SessionKey: req.SessionKey,
+		ProxyID:    req.ProxyID,
+		Scope:      "inference",
+	})
+	if err != nil {
+		response.BadRequest(c, "Cookie auth failed: "+err.Error())
+		return
+	}
+
+	response.Success(c, tokenInfo)
+}
+
+// GetUsage handles getting account usage information
+// GET /api/v1/admin/accounts/:id/usage
+func (h *AccountHandler) GetUsage(c *gin.Context) {
+	accountID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid account ID")
+		return
+	}
+
+	usage, err := h.accountUsageService.GetUsage(c.Request.Context(), accountID)
+	if err != nil {
+		response.InternalError(c, "Failed to get usage: "+err.Error())
+		return
+	}
+
+	response.Success(c, usage)
+}
+
+// ClearRateLimit handles clearing account rate limit status
+// POST /api/v1/admin/accounts/:id/clear-rate-limit
+func (h *AccountHandler) ClearRateLimit(c *gin.Context) {
+	accountID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid account ID")
+		return
+	}
+
+	err = h.rateLimitService.ClearRateLimit(c.Request.Context(), accountID)
+	if err != nil {
+		response.InternalError(c, "Failed to clear rate limit: "+err.Error())
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Rate limit cleared successfully"})
+}
+
+// GetTodayStats handles getting account today statistics
+// GET /api/v1/admin/accounts/:id/today-stats
+func (h *AccountHandler) GetTodayStats(c *gin.Context) {
+	accountID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid account ID")
+		return
+	}
+
+	stats, err := h.accountUsageService.GetTodayStats(c.Request.Context(), accountID)
+	if err != nil {
+		response.InternalError(c, "Failed to get today stats: "+err.Error())
+		return
+	}
+
+	response.Success(c, stats)
+}
+
+// SetSchedulableRequest represents the request body for setting schedulable status
+type SetSchedulableRequest struct {
+	Schedulable bool `json:"schedulable"`
+}
+
+// SetSchedulable handles toggling account schedulable status
+// POST /api/v1/admin/accounts/:id/schedulable
+func (h *AccountHandler) SetSchedulable(c *gin.Context) {
+	accountID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid account ID")
+		return
+	}
+
+	var req SetSchedulableRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	account, err := h.adminService.SetAccountSchedulable(c.Request.Context(), accountID, req.Schedulable)
+	if err != nil {
+		response.InternalError(c, "Failed to update schedulable status: "+err.Error())
+		return
+	}
+
+	response.Success(c, account)
+}
--- a/backend/internal/handler/admin/dashboard_handler.go
+++ b/backend/internal/handler/admin/dashboard_handler.go
@@ -0,0 +1,274 @@
+package admin
+
+import (
+	"strconv"
+	"sub2api/internal/pkg/response"
+	"sub2api/internal/pkg/timezone"
+	"sub2api/internal/repository"
+	"sub2api/internal/service"
+	"time"
+
+	"github.com/gin-gonic/gin"
+)
+
+// DashboardHandler handles admin dashboard statistics
+type DashboardHandler struct {
+	adminService service.AdminService
+	usageRepo    *repository.UsageLogRepository
+	startTime    time.Time // Server start time for uptime calculation
+}
+
+// NewDashboardHandler creates a new admin dashboard handler
+func NewDashboardHandler(adminService service.AdminService, usageRepo *repository.UsageLogRepository) *DashboardHandler {
+	return &DashboardHandler{
+		adminService: adminService,
+		usageRepo:    usageRepo,
+		startTime:    time.Now(),
+	}
+}
+
+// parseTimeRange parses start_date, end_date query parameters
+func parseTimeRange(c *gin.Context) (time.Time, time.Time) {
+	now := timezone.Now()
+	startDate := c.Query("start_date")
+	endDate := c.Query("end_date")
+
+	var startTime, endTime time.Time
+
+	if startDate != "" {
+		if t, err := timezone.ParseInLocation("2006-01-02", startDate); err == nil {
+			startTime = t
+		} else {
+			startTime = timezone.StartOfDay(now.AddDate(0, 0, -7))
+		}
+	} else {
+		startTime = timezone.StartOfDay(now.AddDate(0, 0, -7))
+	}
+
+	if endDate != "" {
+		if t, err := timezone.ParseInLocation("2006-01-02", endDate); err == nil {
+			endTime = t.Add(24 * time.Hour) // Include the end date
+		} else {
+			endTime = timezone.StartOfDay(now.AddDate(0, 0, 1))
+		}
+	} else {
+		endTime = timezone.StartOfDay(now.AddDate(0, 0, 1))
+	}
+
+	return startTime, endTime
+}
+
+// GetStats handles getting dashboard statistics
+// GET /api/v1/admin/dashboard/stats
+func (h *DashboardHandler) GetStats(c *gin.Context) {
+	stats, err := h.usageRepo.GetDashboardStats(c.Request.Context())
+	if err != nil {
+		response.Error(c, 500, "Failed to get dashboard statistics")
+		return
+	}
+
+	// Calculate uptime in seconds
+	uptime := int64(time.Since(h.startTime).Seconds())
+
+	response.Success(c, gin.H{
+		// 用户统计
+		"total_users":     stats.TotalUsers,
+		"today_new_users": stats.TodayNewUsers,
+		"active_users":    stats.ActiveUsers,
+
+		// API Key 统计
+		"total_api_keys":  stats.TotalApiKeys,
+		"active_api_keys": stats.ActiveApiKeys,
+
+		// 账户统计
+		"total_accounts":     stats.TotalAccounts,
+		"normal_accounts":    stats.NormalAccounts,
+		"error_accounts":     stats.ErrorAccounts,
+		"ratelimit_accounts": stats.RateLimitAccounts,
+		"overload_accounts":  stats.OverloadAccounts,
+
+		// 累计 Token 使用统计
+		"total_requests":              stats.TotalRequests,
+		"total_input_tokens":          stats.TotalInputTokens,
+		"total_output_tokens":         stats.TotalOutputTokens,
+		"total_cache_creation_tokens": stats.TotalCacheCreationTokens,
+		"total_cache_read_tokens":     stats.TotalCacheReadTokens,
+		"total_tokens":                stats.TotalTokens,
+		"total_cost":                  stats.TotalCost,       // 标准计费
+		"total_actual_cost":           stats.TotalActualCost, // 实际扣除
+
+		// 今日 Token 使用统计
+		"today_requests":              stats.TodayRequests,
+		"today_input_tokens":          stats.TodayInputTokens,
+		"today_output_tokens":         stats.TodayOutputTokens,
+		"today_cache_creation_tokens": stats.TodayCacheCreationTokens,
+		"today_cache_read_tokens":     stats.TodayCacheReadTokens,
+		"today_tokens":                stats.TodayTokens,
+		"today_cost":                  stats.TodayCost,       // 今日标准计费
+		"today_actual_cost":           stats.TodayActualCost, // 今日实际扣除
+
+		// 系统运行统计
+		"average_duration_ms": stats.AverageDurationMs,
+		"uptime":              uptime,
+	})
+}
+
+// GetRealtimeMetrics handles getting real-time system metrics
+// GET /api/v1/admin/dashboard/realtime
+func (h *DashboardHandler) GetRealtimeMetrics(c *gin.Context) {
+	// Return mock data for now
+	response.Success(c, gin.H{
+		"active_requests":       0,
+		"requests_per_minute":   0,
+		"average_response_time": 0,
+		"error_rate":            0.0,
+	})
+}
+
+// GetUsageTrend handles getting usage trend data
+// GET /api/v1/admin/dashboard/trend
+// Query params: start_date, end_date (YYYY-MM-DD), granularity (day/hour)
+func (h *DashboardHandler) GetUsageTrend(c *gin.Context) {
+	startTime, endTime := parseTimeRange(c)
+	granularity := c.DefaultQuery("granularity", "day")
+
+	trend, err := h.usageRepo.GetUsageTrend(c.Request.Context(), startTime, endTime, granularity)
+	if err != nil {
+		response.Error(c, 500, "Failed to get usage trend")
+		return
+	}
+
+	response.Success(c, gin.H{
+		"trend":       trend,
+		"start_date":  startTime.Format("2006-01-02"),
+		"end_date":    endTime.Add(-24 * time.Hour).Format("2006-01-02"),
+		"granularity": granularity,
+	})
+}
+
+// GetModelStats handles getting model usage statistics
+// GET /api/v1/admin/dashboard/models
+// Query params: start_date, end_date (YYYY-MM-DD)
+func (h *DashboardHandler) GetModelStats(c *gin.Context) {
+	startTime, endTime := parseTimeRange(c)
+
+	stats, err := h.usageRepo.GetModelStats(c.Request.Context(), startTime, endTime)
+	if err != nil {
+		response.Error(c, 500, "Failed to get model statistics")
+		return
+	}
+
+	response.Success(c, gin.H{
+		"models":     stats,
+		"start_date": startTime.Format("2006-01-02"),
+		"end_date":   endTime.Add(-24 * time.Hour).Format("2006-01-02"),
+	})
+}
+
+// GetApiKeyUsageTrend handles getting API key usage trend data
+// GET /api/v1/admin/dashboard/api-keys-trend
+// Query params: start_date, end_date (YYYY-MM-DD), granularity (day/hour), limit (default 5)
+func (h *DashboardHandler) GetApiKeyUsageTrend(c *gin.Context) {
+	startTime, endTime := parseTimeRange(c)
+	granularity := c.DefaultQuery("granularity", "day")
+	limitStr := c.DefaultQuery("limit", "5")
+	limit, err := strconv.Atoi(limitStr)
+	if err != nil || limit <= 0 {
+		limit = 5
+	}
+
+	trend, err := h.usageRepo.GetApiKeyUsageTrend(c.Request.Context(), startTime, endTime, granularity, limit)
+	if err != nil {
+		response.Error(c, 500, "Failed to get API key usage trend")
+		return
+	}
+
+	response.Success(c, gin.H{
+		"trend":       trend,
+		"start_date":  startTime.Format("2006-01-02"),
+		"end_date":    endTime.Add(-24 * time.Hour).Format("2006-01-02"),
+		"granularity": granularity,
+	})
+}
+
+// GetUserUsageTrend handles getting user usage trend data
+// GET /api/v1/admin/dashboard/users-trend
+// Query params: start_date, end_date (YYYY-MM-DD), granularity (day/hour), limit (default 12)
+func (h *DashboardHandler) GetUserUsageTrend(c *gin.Context) {
+	startTime, endTime := parseTimeRange(c)
+	granularity := c.DefaultQuery("granularity", "day")
+	limitStr := c.DefaultQuery("limit", "12")
+	limit, err := strconv.Atoi(limitStr)
+	if err != nil || limit <= 0 {
+		limit = 12
+	}
+
+	trend, err := h.usageRepo.GetUserUsageTrend(c.Request.Context(), startTime, endTime, granularity, limit)
+	if err != nil {
+		response.Error(c, 500, "Failed to get user usage trend")
+		return
+	}
+
+	response.Success(c, gin.H{
+		"trend":       trend,
+		"start_date":  startTime.Format("2006-01-02"),
+		"end_date":    endTime.Add(-24 * time.Hour).Format("2006-01-02"),
+		"granularity": granularity,
+	})
+}
+
+// BatchUsersUsageRequest represents the request body for batch user usage stats
+type BatchUsersUsageRequest struct {
+	UserIDs []int64 `json:"user_ids" binding:"required"`
+}
+
+// GetBatchUsersUsage handles getting usage stats for multiple users
+// POST /api/v1/admin/dashboard/users-usage
+func (h *DashboardHandler) GetBatchUsersUsage(c *gin.Context) {
+	var req BatchUsersUsageRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	if len(req.UserIDs) == 0 {
+		response.Success(c, gin.H{"stats": map[string]interface{}{}})
+		return
+	}
+
+	stats, err := h.usageRepo.GetBatchUserUsageStats(c.Request.Context(), req.UserIDs)
+	if err != nil {
+		response.Error(c, 500, "Failed to get user usage stats")
+		return
+	}
+
+	response.Success(c, gin.H{"stats": stats})
+}
+
+// BatchApiKeysUsageRequest represents the request body for batch api key usage stats
+type BatchApiKeysUsageRequest struct {
+	ApiKeyIDs []int64 `json:"api_key_ids" binding:"required"`
+}
+
+// GetBatchApiKeysUsage handles getting usage stats for multiple API keys
+// POST /api/v1/admin/dashboard/api-keys-usage
+func (h *DashboardHandler) GetBatchApiKeysUsage(c *gin.Context) {
+	var req BatchApiKeysUsageRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	if len(req.ApiKeyIDs) == 0 {
+		response.Success(c, gin.H{"stats": map[string]interface{}{}})
+		return
+	}
+
+	stats, err := h.usageRepo.GetBatchApiKeyUsageStats(c.Request.Context(), req.ApiKeyIDs)
+	if err != nil {
+		response.Error(c, 500, "Failed to get API key usage stats")
+		return
+	}
+
+	response.Success(c, gin.H{"stats": stats})
+}
--- a/backend/internal/handler/admin/group_handler.go
+++ b/backend/internal/handler/admin/group_handler.go
@@ -0,0 +1,233 @@
+package admin
+
+import (
+	"strconv"
+
+	"sub2api/internal/model"
+	"sub2api/internal/pkg/response"
+	"sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// GroupHandler handles admin group management
+type GroupHandler struct {
+	adminService service.AdminService
+}
+
+// NewGroupHandler creates a new admin group handler
+func NewGroupHandler(adminService service.AdminService) *GroupHandler {
+	return &GroupHandler{
+		adminService: adminService,
+	}
+}
+
+// CreateGroupRequest represents create group request
+type CreateGroupRequest struct {
+	Name             string   `json:"name" binding:"required"`
+	Description      string   `json:"description"`
+	Platform         string   `json:"platform" binding:"omitempty,oneof=anthropic openai gemini"`
+	RateMultiplier   float64  `json:"rate_multiplier"`
+	IsExclusive      bool     `json:"is_exclusive"`
+	SubscriptionType string   `json:"subscription_type" binding:"omitempty,oneof=standard subscription"`
+	DailyLimitUSD    *float64 `json:"daily_limit_usd"`
+	WeeklyLimitUSD   *float64 `json:"weekly_limit_usd"`
+	MonthlyLimitUSD  *float64 `json:"monthly_limit_usd"`
+}
+
+// UpdateGroupRequest represents update group request
+type UpdateGroupRequest struct {
+	Name             string   `json:"name"`
+	Description      string   `json:"description"`
+	Platform         string   `json:"platform" binding:"omitempty,oneof=anthropic openai gemini"`
+	RateMultiplier   *float64 `json:"rate_multiplier"`
+	IsExclusive      *bool    `json:"is_exclusive"`
+	Status           string   `json:"status" binding:"omitempty,oneof=active inactive"`
+	SubscriptionType string   `json:"subscription_type" binding:"omitempty,oneof=standard subscription"`
+	DailyLimitUSD    *float64 `json:"daily_limit_usd"`
+	WeeklyLimitUSD   *float64 `json:"weekly_limit_usd"`
+	MonthlyLimitUSD  *float64 `json:"monthly_limit_usd"`
+}
+
+// List handles listing all groups with pagination
+// GET /api/v1/admin/groups
+func (h *GroupHandler) List(c *gin.Context) {
+	page, pageSize := response.ParsePagination(c)
+	platform := c.Query("platform")
+	status := c.Query("status")
+	isExclusiveStr := c.Query("is_exclusive")
+
+	var isExclusive *bool
+	if isExclusiveStr != "" {
+		val := isExclusiveStr == "true"
+		isExclusive = &val
+	}
+
+	groups, total, err := h.adminService.ListGroups(c.Request.Context(), page, pageSize, platform, status, isExclusive)
+	if err != nil {
+		response.InternalError(c, "Failed to list groups: "+err.Error())
+		return
+	}
+
+	response.Paginated(c, groups, total, page, pageSize)
+}
+
+// GetAll handles getting all active groups without pagination
+// GET /api/v1/admin/groups/all
+func (h *GroupHandler) GetAll(c *gin.Context) {
+	platform := c.Query("platform")
+
+	var groups []model.Group
+	var err error
+
+	if platform != "" {
+		groups, err = h.adminService.GetAllGroupsByPlatform(c.Request.Context(), platform)
+	} else {
+		groups, err = h.adminService.GetAllGroups(c.Request.Context())
+	}
+
+	if err != nil {
+		response.InternalError(c, "Failed to get groups: "+err.Error())
+		return
+	}
+
+	response.Success(c, groups)
+}
+
+// GetByID handles getting a group by ID
+// GET /api/v1/admin/groups/:id
+func (h *GroupHandler) GetByID(c *gin.Context) {
+	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid group ID")
+		return
+	}
+
+	group, err := h.adminService.GetGroup(c.Request.Context(), groupID)
+	if err != nil {
+		response.NotFound(c, "Group not found")
+		return
+	}
+
+	response.Success(c, group)
+}
+
+// Create handles creating a new group
+// POST /api/v1/admin/groups
+func (h *GroupHandler) Create(c *gin.Context) {
+	var req CreateGroupRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	group, err := h.adminService.CreateGroup(c.Request.Context(), &service.CreateGroupInput{
+		Name:             req.Name,
+		Description:      req.Description,
+		Platform:         req.Platform,
+		RateMultiplier:   req.RateMultiplier,
+		IsExclusive:      req.IsExclusive,
+		SubscriptionType: req.SubscriptionType,
+		DailyLimitUSD:    req.DailyLimitUSD,
+		WeeklyLimitUSD:   req.WeeklyLimitUSD,
+		MonthlyLimitUSD:  req.MonthlyLimitUSD,
+	})
+	if err != nil {
+		response.BadRequest(c, "Failed to create group: "+err.Error())
+		return
+	}
+
+	response.Success(c, group)
+}
+
+// Update handles updating a group
+// PUT /api/v1/admin/groups/:id
+func (h *GroupHandler) Update(c *gin.Context) {
+	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid group ID")
+		return
+	}
+
+	var req UpdateGroupRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	group, err := h.adminService.UpdateGroup(c.Request.Context(), groupID, &service.UpdateGroupInput{
+		Name:             req.Name,
+		Description:      req.Description,
+		Platform:         req.Platform,
+		RateMultiplier:   req.RateMultiplier,
+		IsExclusive:      req.IsExclusive,
+		Status:           req.Status,
+		SubscriptionType: req.SubscriptionType,
+		DailyLimitUSD:    req.DailyLimitUSD,
+		WeeklyLimitUSD:   req.WeeklyLimitUSD,
+		MonthlyLimitUSD:  req.MonthlyLimitUSD,
+	})
+	if err != nil {
+		response.InternalError(c, "Failed to update group: "+err.Error())
+		return
+	}
+
+	response.Success(c, group)
+}
+
+// Delete handles deleting a group
+// DELETE /api/v1/admin/groups/:id
+func (h *GroupHandler) Delete(c *gin.Context) {
+	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid group ID")
+		return
+	}
+
+	err = h.adminService.DeleteGroup(c.Request.Context(), groupID)
+	if err != nil {
+		response.InternalError(c, "Failed to delete group: "+err.Error())
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Group deleted successfully"})
+}
+
+// GetStats handles getting group statistics
+// GET /api/v1/admin/groups/:id/stats
+func (h *GroupHandler) GetStats(c *gin.Context) {
+	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid group ID")
+		return
+	}
+
+	// Return mock data for now
+	response.Success(c, gin.H{
+		"total_api_keys":  0,
+		"active_api_keys": 0,
+		"total_requests":  0,
+		"total_cost":      0.0,
+	})
+	_ = groupID // TODO: implement actual stats
+}
+
+// GetGroupAPIKeys handles getting API keys in a group
+// GET /api/v1/admin/groups/:id/api-keys
+func (h *GroupHandler) GetGroupAPIKeys(c *gin.Context) {
+	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid group ID")
+		return
+	}
+
+	page, pageSize := response.ParsePagination(c)
+
+	keys, total, err := h.adminService.GetGroupAPIKeys(c.Request.Context(), groupID, page, pageSize)
+	if err != nil {
+		response.InternalError(c, "Failed to get group API keys: "+err.Error())
+		return
+	}
+
+	response.Paginated(c, keys, total, page, pageSize)
+}
--- a/backend/internal/handler/admin/proxy_handler.go
+++ b/backend/internal/handler/admin/proxy_handler.go
@@ -0,0 +1,300 @@
+package admin
+
+import (
+	"strconv"
+
+	"sub2api/internal/pkg/response"
+	"sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// ProxyHandler handles admin proxy management
+type ProxyHandler struct {
+	adminService service.AdminService
+}
+
+// NewProxyHandler creates a new admin proxy handler
+func NewProxyHandler(adminService service.AdminService) *ProxyHandler {
+	return &ProxyHandler{
+		adminService: adminService,
+	}
+}
+
+// CreateProxyRequest represents create proxy request
+type CreateProxyRequest struct {
+	Name     string `json:"name" binding:"required"`
+	Protocol string `json:"protocol" binding:"required,oneof=http https socks5"`
+	Host     string `json:"host" binding:"required"`
+	Port     int    `json:"port" binding:"required,min=1,max=65535"`
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+// UpdateProxyRequest represents update proxy request
+type UpdateProxyRequest struct {
+	Name     string `json:"name"`
+	Protocol string `json:"protocol" binding:"omitempty,oneof=http https socks5"`
+	Host     string `json:"host"`
+	Port     int    `json:"port" binding:"omitempty,min=1,max=65535"`
+	Username string `json:"username"`
+	Password string `json:"password"`
+	Status   string `json:"status" binding:"omitempty,oneof=active inactive"`
+}
+
+// List handles listing all proxies with pagination
+// GET /api/v1/admin/proxies
+func (h *ProxyHandler) List(c *gin.Context) {
+	page, pageSize := response.ParsePagination(c)
+	protocol := c.Query("protocol")
+	status := c.Query("status")
+	search := c.Query("search")
+
+	proxies, total, err := h.adminService.ListProxies(c.Request.Context(), page, pageSize, protocol, status, search)
+	if err != nil {
+		response.InternalError(c, "Failed to list proxies: "+err.Error())
+		return
+	}
+
+	response.Paginated(c, proxies, total, page, pageSize)
+}
+
+// GetAll handles getting all active proxies without pagination
+// GET /api/v1/admin/proxies/all
+// Optional query param: with_count=true to include account count per proxy
+func (h *ProxyHandler) GetAll(c *gin.Context) {
+	withCount := c.Query("with_count") == "true"
+
+	if withCount {
+		proxies, err := h.adminService.GetAllProxiesWithAccountCount(c.Request.Context())
+		if err != nil {
+			response.InternalError(c, "Failed to get proxies: "+err.Error())
+			return
+		}
+		response.Success(c, proxies)
+		return
+	}
+
+	proxies, err := h.adminService.GetAllProxies(c.Request.Context())
+	if err != nil {
+		response.InternalError(c, "Failed to get proxies: "+err.Error())
+		return
+	}
+
+	response.Success(c, proxies)
+}
+
+// GetByID handles getting a proxy by ID
+// GET /api/v1/admin/proxies/:id
+func (h *ProxyHandler) GetByID(c *gin.Context) {
+	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid proxy ID")
+		return
+	}
+
+	proxy, err := h.adminService.GetProxy(c.Request.Context(), proxyID)
+	if err != nil {
+		response.NotFound(c, "Proxy not found")
+		return
+	}
+
+	response.Success(c, proxy)
+}
+
+// Create handles creating a new proxy
+// POST /api/v1/admin/proxies
+func (h *ProxyHandler) Create(c *gin.Context) {
+	var req CreateProxyRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	proxy, err := h.adminService.CreateProxy(c.Request.Context(), &service.CreateProxyInput{
+		Name:     req.Name,
+		Protocol: req.Protocol,
+		Host:     req.Host,
+		Port:     req.Port,
+		Username: req.Username,
+		Password: req.Password,
+	})
+	if err != nil {
+		response.BadRequest(c, "Failed to create proxy: "+err.Error())
+		return
+	}
+
+	response.Success(c, proxy)
+}
+
+// Update handles updating a proxy
+// PUT /api/v1/admin/proxies/:id
+func (h *ProxyHandler) Update(c *gin.Context) {
+	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid proxy ID")
+		return
+	}
+
+	var req UpdateProxyRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	proxy, err := h.adminService.UpdateProxy(c.Request.Context(), proxyID, &service.UpdateProxyInput{
+		Name:     req.Name,
+		Protocol: req.Protocol,
+		Host:     req.Host,
+		Port:     req.Port,
+		Username: req.Username,
+		Password: req.Password,
+		Status:   req.Status,
+	})
+	if err != nil {
+		response.InternalError(c, "Failed to update proxy: "+err.Error())
+		return
+	}
+
+	response.Success(c, proxy)
+}
+
+// Delete handles deleting a proxy
+// DELETE /api/v1/admin/proxies/:id
+func (h *ProxyHandler) Delete(c *gin.Context) {
+	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid proxy ID")
+		return
+	}
+
+	err = h.adminService.DeleteProxy(c.Request.Context(), proxyID)
+	if err != nil {
+		response.InternalError(c, "Failed to delete proxy: "+err.Error())
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Proxy deleted successfully"})
+}
+
+// Test handles testing proxy connectivity
+// POST /api/v1/admin/proxies/:id/test
+func (h *ProxyHandler) Test(c *gin.Context) {
+	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid proxy ID")
+		return
+	}
+
+	result, err := h.adminService.TestProxy(c.Request.Context(), proxyID)
+	if err != nil {
+		response.InternalError(c, "Failed to test proxy: "+err.Error())
+		return
+	}
+
+	response.Success(c, result)
+}
+
+// GetStats handles getting proxy statistics
+// GET /api/v1/admin/proxies/:id/stats
+func (h *ProxyHandler) GetStats(c *gin.Context) {
+	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid proxy ID")
+		return
+	}
+
+	// Return mock data for now
+	_ = proxyID
+	response.Success(c, gin.H{
+		"total_accounts":  0,
+		"active_accounts": 0,
+		"total_requests":  0,
+		"success_rate":    100.0,
+		"average_latency": 0,
+	})
+}
+
+// GetProxyAccounts handles getting accounts using a proxy
+// GET /api/v1/admin/proxies/:id/accounts
+func (h *ProxyHandler) GetProxyAccounts(c *gin.Context) {
+	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid proxy ID")
+		return
+	}
+
+	page, pageSize := response.ParsePagination(c)
+
+	accounts, total, err := h.adminService.GetProxyAccounts(c.Request.Context(), proxyID, page, pageSize)
+	if err != nil {
+		response.InternalError(c, "Failed to get proxy accounts: "+err.Error())
+		return
+	}
+
+	response.Paginated(c, accounts, total, page, pageSize)
+}
+
+
+// BatchCreateProxyItem represents a single proxy in batch create request
+type BatchCreateProxyItem struct {
+	Protocol string `json:"protocol" binding:"required,oneof=http https socks5"`
+	Host     string `json:"host" binding:"required"`
+	Port     int    `json:"port" binding:"required,min=1,max=65535"`
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+// BatchCreateRequest represents batch create proxies request
+type BatchCreateRequest struct {
+	Proxies []BatchCreateProxyItem `json:"proxies" binding:"required,min=1"`
+}
+
+// BatchCreate handles batch creating proxies
+// POST /api/v1/admin/proxies/batch
+func (h *ProxyHandler) BatchCreate(c *gin.Context) {
+	var req BatchCreateRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	created := 0
+	skipped := 0
+
+	for _, item := range req.Proxies {
+		// Check for duplicates (same host, port, username, password)
+		exists, err := h.adminService.CheckProxyExists(c.Request.Context(), item.Host, item.Port, item.Username, item.Password)
+		if err != nil {
+			response.InternalError(c, "Failed to check proxy existence: "+err.Error())
+			return
+		}
+
+		if exists {
+			skipped++
+			continue
+		}
+
+		// Create proxy with default name
+		_, err = h.adminService.CreateProxy(c.Request.Context(), &service.CreateProxyInput{
+			Name:     "default",
+			Protocol: item.Protocol,
+			Host:     item.Host,
+			Port:     item.Port,
+			Username: item.Username,
+			Password: item.Password,
+		})
+		if err != nil {
+			// If creation fails due to duplicate, count as skipped
+			skipped++
+			continue
+		}
+
+		created++
+	}
+
+	response.Success(c, gin.H{
+		"created": created,
+		"skipped": skipped,
+	})
+}
--- a/backend/internal/handler/admin/redeem_handler.go
+++ b/backend/internal/handler/admin/redeem_handler.go
@@ -0,0 +1,219 @@
+package admin
+
+import (
+	"bytes"
+	"encoding/csv"
+	"fmt"
+	"strconv"
+
+	"sub2api/internal/pkg/response"
+	"sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// RedeemHandler handles admin redeem code management
+type RedeemHandler struct {
+	adminService service.AdminService
+}
+
+// NewRedeemHandler creates a new admin redeem handler
+func NewRedeemHandler(adminService service.AdminService) *RedeemHandler {
+	return &RedeemHandler{
+		adminService: adminService,
+	}
+}
+
+// GenerateRedeemCodesRequest represents generate redeem codes request
+type GenerateRedeemCodesRequest struct {
+	Count        int     `json:"count" binding:"required,min=1,max=100"`
+	Type         string  `json:"type" binding:"required,oneof=balance concurrency subscription"`
+	Value        float64 `json:"value" binding:"min=0"`
+	GroupID      *int64  `json:"group_id"`      // 订阅类型必填
+	ValidityDays int     `json:"validity_days"` // 订阅类型使用，默认30天
+}
+
+// List handles listing all redeem codes with pagination
+// GET /api/v1/admin/redeem-codes
+func (h *RedeemHandler) List(c *gin.Context) {
+	page, pageSize := response.ParsePagination(c)
+	codeType := c.Query("type")
+	status := c.Query("status")
+	search := c.Query("search")
+
+	codes, total, err := h.adminService.ListRedeemCodes(c.Request.Context(), page, pageSize, codeType, status, search)
+	if err != nil {
+		response.InternalError(c, "Failed to list redeem codes: "+err.Error())
+		return
+	}
+
+	response.Paginated(c, codes, total, page, pageSize)
+}
+
+// GetByID handles getting a redeem code by ID
+// GET /api/v1/admin/redeem-codes/:id
+func (h *RedeemHandler) GetByID(c *gin.Context) {
+	codeID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid redeem code ID")
+		return
+	}
+
+	code, err := h.adminService.GetRedeemCode(c.Request.Context(), codeID)
+	if err != nil {
+		response.NotFound(c, "Redeem code not found")
+		return
+	}
+
+	response.Success(c, code)
+}
+
+// Generate handles generating new redeem codes
+// POST /api/v1/admin/redeem-codes/generate
+func (h *RedeemHandler) Generate(c *gin.Context) {
+	var req GenerateRedeemCodesRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	codes, err := h.adminService.GenerateRedeemCodes(c.Request.Context(), &service.GenerateRedeemCodesInput{
+		Count:        req.Count,
+		Type:         req.Type,
+		Value:        req.Value,
+		GroupID:      req.GroupID,
+		ValidityDays: req.ValidityDays,
+	})
+	if err != nil {
+		response.InternalError(c, "Failed to generate redeem codes: "+err.Error())
+		return
+	}
+
+	response.Success(c, codes)
+}
+
+// Delete handles deleting a redeem code
+// DELETE /api/v1/admin/redeem-codes/:id
+func (h *RedeemHandler) Delete(c *gin.Context) {
+	codeID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid redeem code ID")
+		return
+	}
+
+	err = h.adminService.DeleteRedeemCode(c.Request.Context(), codeID)
+	if err != nil {
+		response.InternalError(c, "Failed to delete redeem code: "+err.Error())
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Redeem code deleted successfully"})
+}
+
+// BatchDelete handles batch deleting redeem codes
+// POST /api/v1/admin/redeem-codes/batch-delete
+func (h *RedeemHandler) BatchDelete(c *gin.Context) {
+	var req struct {
+		IDs []int64 `json:"ids" binding:"required,min=1"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	deleted, err := h.adminService.BatchDeleteRedeemCodes(c.Request.Context(), req.IDs)
+	if err != nil {
+		response.InternalError(c, "Failed to batch delete redeem codes: "+err.Error())
+		return
+	}
+
+	response.Success(c, gin.H{
+		"deleted": deleted,
+		"message": "Redeem codes deleted successfully",
+	})
+}
+
+// Expire handles expiring a redeem code
+// POST /api/v1/admin/redeem-codes/:id/expire
+func (h *RedeemHandler) Expire(c *gin.Context) {
+	codeID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid redeem code ID")
+		return
+	}
+
+	code, err := h.adminService.ExpireRedeemCode(c.Request.Context(), codeID)
+	if err != nil {
+		response.InternalError(c, "Failed to expire redeem code: "+err.Error())
+		return
+	}
+
+	response.Success(c, code)
+}
+
+// GetStats handles getting redeem code statistics
+// GET /api/v1/admin/redeem-codes/stats
+func (h *RedeemHandler) GetStats(c *gin.Context) {
+	// Return mock data for now
+	response.Success(c, gin.H{
+		"total_codes":            0,
+		"active_codes":           0,
+		"used_codes":             0,
+		"expired_codes":          0,
+		"total_value_distributed": 0.0,
+		"by_type": gin.H{
+			"balance":     0,
+			"concurrency": 0,
+			"trial":       0,
+		},
+	})
+}
+
+// Export handles exporting redeem codes to CSV
+// GET /api/v1/admin/redeem-codes/export
+func (h *RedeemHandler) Export(c *gin.Context) {
+	codeType := c.Query("type")
+	status := c.Query("status")
+
+	// Get all codes without pagination (use large page size)
+	codes, _, err := h.adminService.ListRedeemCodes(c.Request.Context(), 1, 10000, codeType, status, "")
+	if err != nil {
+		response.InternalError(c, "Failed to export redeem codes: "+err.Error())
+		return
+	}
+
+	// Create CSV buffer
+	var buf bytes.Buffer
+	writer := csv.NewWriter(&buf)
+
+	// Write header
+	writer.Write([]string{"id", "code", "type", "value", "status", "used_by", "used_at", "created_at"})
+
+	// Write data rows
+	for _, code := range codes {
+		usedBy := ""
+		if code.UsedBy != nil {
+			usedBy = fmt.Sprintf("%d", *code.UsedBy)
+		}
+		usedAt := ""
+		if code.UsedAt != nil {
+			usedAt = code.UsedAt.Format("2006-01-02 15:04:05")
+		}
+		writer.Write([]string{
+			fmt.Sprintf("%d", code.ID),
+			code.Code,
+			code.Type,
+			fmt.Sprintf("%.2f", code.Value),
+			code.Status,
+			usedBy,
+			usedAt,
+			code.CreatedAt.Format("2006-01-02 15:04:05"),
+		})
+	}
+
+	writer.Flush()
+
+	c.Header("Content-Type", "text/csv")
+	c.Header("Content-Disposition", "attachment; filename=redeem_codes.csv")
+	c.Data(200, "text/csv", buf.Bytes())
+}
--- a/backend/internal/handler/admin/setting_handler.go
+++ b/backend/internal/handler/admin/setting_handler.go
@@ -0,0 +1,258 @@
+package admin
+
+import (
+	"sub2api/internal/model"
+	"sub2api/internal/pkg/response"
+	"sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// SettingHandler 系统设置处理器
+type SettingHandler struct {
+	settingService *service.SettingService
+	emailService   *service.EmailService
+}
+
+// NewSettingHandler 创建系统设置处理器
+func NewSettingHandler(settingService *service.SettingService, emailService *service.EmailService) *SettingHandler {
+	return &SettingHandler{
+		settingService: settingService,
+		emailService:   emailService,
+	}
+}
+
+// GetSettings 获取所有系统设置
+// GET /api/v1/admin/settings
+func (h *SettingHandler) GetSettings(c *gin.Context) {
+	settings, err := h.settingService.GetAllSettings(c.Request.Context())
+	if err != nil {
+		response.InternalError(c, "Failed to get settings: "+err.Error())
+		return
+	}
+
+	response.Success(c, settings)
+}
+
+// UpdateSettingsRequest 更新设置请求
+type UpdateSettingsRequest struct {
+	// 注册设置
+	RegistrationEnabled bool `json:"registration_enabled"`
+	EmailVerifyEnabled  bool `json:"email_verify_enabled"`
+
+	// 邮件服务设置
+	SmtpHost     string `json:"smtp_host"`
+	SmtpPort     int    `json:"smtp_port"`
+	SmtpUsername string `json:"smtp_username"`
+	SmtpPassword string `json:"smtp_password"`
+	SmtpFrom     string `json:"smtp_from_email"`
+	SmtpFromName string `json:"smtp_from_name"`
+	SmtpUseTLS   bool   `json:"smtp_use_tls"`
+
+	// Cloudflare Turnstile 设置
+	TurnstileEnabled   bool   `json:"turnstile_enabled"`
+	TurnstileSiteKey   string `json:"turnstile_site_key"`
+	TurnstileSecretKey string `json:"turnstile_secret_key"`
+
+	// OEM设置
+	SiteName     string `json:"site_name"`
+	SiteLogo     string `json:"site_logo"`
+	SiteSubtitle string `json:"site_subtitle"`
+	ApiBaseUrl   string `json:"api_base_url"`
+	ContactInfo  string `json:"contact_info"`
+
+	// 默认配置
+	DefaultConcurrency int     `json:"default_concurrency"`
+	DefaultBalance     float64 `json:"default_balance"`
+}
+
+// UpdateSettings 更新系统设置
+// PUT /api/v1/admin/settings
+func (h *SettingHandler) UpdateSettings(c *gin.Context) {
+	var req UpdateSettingsRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	// 验证参数
+	if req.DefaultConcurrency < 1 {
+		req.DefaultConcurrency = 1
+	}
+	if req.DefaultBalance < 0 {
+		req.DefaultBalance = 0
+	}
+	if req.SmtpPort <= 0 {
+		req.SmtpPort = 587
+	}
+
+	settings := &model.SystemSettings{
+		RegistrationEnabled: req.RegistrationEnabled,
+		EmailVerifyEnabled:  req.EmailVerifyEnabled,
+		SmtpHost:            req.SmtpHost,
+		SmtpPort:            req.SmtpPort,
+		SmtpUsername:        req.SmtpUsername,
+		SmtpPassword:        req.SmtpPassword,
+		SmtpFrom:            req.SmtpFrom,
+		SmtpFromName:        req.SmtpFromName,
+		SmtpUseTLS:          req.SmtpUseTLS,
+		TurnstileEnabled:    req.TurnstileEnabled,
+		TurnstileSiteKey:    req.TurnstileSiteKey,
+		TurnstileSecretKey:  req.TurnstileSecretKey,
+		SiteName:            req.SiteName,
+		SiteLogo:            req.SiteLogo,
+		SiteSubtitle:        req.SiteSubtitle,
+		ApiBaseUrl:          req.ApiBaseUrl,
+		ContactInfo:         req.ContactInfo,
+		DefaultConcurrency:  req.DefaultConcurrency,
+		DefaultBalance:      req.DefaultBalance,
+	}
+
+	if err := h.settingService.UpdateSettings(c.Request.Context(), settings); err != nil {
+		response.InternalError(c, "Failed to update settings: "+err.Error())
+		return
+	}
+
+	// 重新获取设置返回
+	updatedSettings, err := h.settingService.GetAllSettings(c.Request.Context())
+	if err != nil {
+		response.InternalError(c, "Failed to get updated settings: "+err.Error())
+		return
+	}
+
+	response.Success(c, updatedSettings)
+}
+
+// TestSmtpRequest 测试SMTP连接请求
+type TestSmtpRequest struct {
+	SmtpHost     string `json:"smtp_host" binding:"required"`
+	SmtpPort     int    `json:"smtp_port"`
+	SmtpUsername string `json:"smtp_username"`
+	SmtpPassword string `json:"smtp_password"`
+	SmtpUseTLS   bool   `json:"smtp_use_tls"`
+}
+
+// TestSmtpConnection 测试SMTP连接
+// POST /api/v1/admin/settings/test-smtp
+func (h *SettingHandler) TestSmtpConnection(c *gin.Context) {
+	var req TestSmtpRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	if req.SmtpPort <= 0 {
+		req.SmtpPort = 587
+	}
+
+	// 如果未提供密码，从数据库获取已保存的密码
+	password := req.SmtpPassword
+	if password == "" {
+		savedConfig, err := h.emailService.GetSmtpConfig(c.Request.Context())
+		if err == nil && savedConfig != nil {
+			password = savedConfig.Password
+		}
+	}
+
+	config := &service.SmtpConfig{
+		Host:     req.SmtpHost,
+		Port:     req.SmtpPort,
+		Username: req.SmtpUsername,
+		Password: password,
+		UseTLS:   req.SmtpUseTLS,
+	}
+
+	err := h.emailService.TestSmtpConnectionWithConfig(config)
+	if err != nil {
+		response.BadRequest(c, "SMTP connection test failed: "+err.Error())
+		return
+	}
+
+	response.Success(c, gin.H{"message": "SMTP connection successful"})
+}
+
+// SendTestEmailRequest 发送测试邮件请求
+type SendTestEmailRequest struct {
+	Email        string `json:"email" binding:"required,email"`
+	SmtpHost     string `json:"smtp_host" binding:"required"`
+	SmtpPort     int    `json:"smtp_port"`
+	SmtpUsername string `json:"smtp_username"`
+	SmtpPassword string `json:"smtp_password"`
+	SmtpFrom     string `json:"smtp_from_email"`
+	SmtpFromName string `json:"smtp_from_name"`
+	SmtpUseTLS   bool   `json:"smtp_use_tls"`
+}
+
+// SendTestEmail 发送测试邮件
+// POST /api/v1/admin/settings/send-test-email
+func (h *SettingHandler) SendTestEmail(c *gin.Context) {
+	var req SendTestEmailRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	if req.SmtpPort <= 0 {
+		req.SmtpPort = 587
+	}
+
+	// 如果未提供密码，从数据库获取已保存的密码
+	password := req.SmtpPassword
+	if password == "" {
+		savedConfig, err := h.emailService.GetSmtpConfig(c.Request.Context())
+		if err == nil && savedConfig != nil {
+			password = savedConfig.Password
+		}
+	}
+
+	config := &service.SmtpConfig{
+		Host:     req.SmtpHost,
+		Port:     req.SmtpPort,
+		Username: req.SmtpUsername,
+		Password: password,
+		From:     req.SmtpFrom,
+		FromName: req.SmtpFromName,
+		UseTLS:   req.SmtpUseTLS,
+	}
+
+	siteName := h.settingService.GetSiteName(c.Request.Context())
+	subject := "[" + siteName + "] Test Email"
+	body := `
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <style>
+        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background-color: #f5f5f5; margin: 0; padding: 20px; }
+        .container { max-width: 600px; margin: 0 auto; background-color: #ffffff; border-radius: 8px; overflow: hidden; box-shadow: 0 2px 8px rgba(0,0,0,0.1); }
+        .header { background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; padding: 30px; text-align: center; }
+        .content { padding: 40px 30px; text-align: center; }
+        .success { color: #10b981; font-size: 48px; margin-bottom: 20px; }
+        .footer { background-color: #f8f9fa; padding: 20px; text-align: center; color: #999; font-size: 12px; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="header">
+            <h1>` + siteName + `</h1>
+        </div>
+        <div class="content">
+            <div class="success">✓</div>
+            <h2>Email Configuration Successful!</h2>
+            <p>This is a test email to verify your SMTP settings are working correctly.</p>
+        </div>
+        <div class="footer">
+            <p>This is an automated test message.</p>
+        </div>
+    </div>
+</body>
+</html>
+`
+
+	if err := h.emailService.SendEmailWithConfig(config, req.Email, subject, body); err != nil {
+		response.BadRequest(c, "Failed to send test email: "+err.Error())
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Test email sent successfully"})
+}
--- a/backend/internal/handler/admin/subscription_handler.go
+++ b/backend/internal/handler/admin/subscription_handler.go
@@ -0,0 +1,266 @@
+package admin
+
+import (
+	"strconv"
+
+	"sub2api/internal/model"
+	"sub2api/internal/pkg/response"
+	"sub2api/internal/repository"
+	"sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// toResponsePagination converts repository.PaginationResult to response.PaginationResult
+func toResponsePagination(p *repository.PaginationResult) *response.PaginationResult {
+	if p == nil {
+		return nil
+	}
+	return &response.PaginationResult{
+		Total:    p.Total,
+		Page:     p.Page,
+		PageSize: p.PageSize,
+		Pages:    p.Pages,
+	}
+}
+
+// SubscriptionHandler handles admin subscription management
+type SubscriptionHandler struct {
+	subscriptionService *service.SubscriptionService
+}
+
+// NewSubscriptionHandler creates a new admin subscription handler
+func NewSubscriptionHandler(subscriptionService *service.SubscriptionService) *SubscriptionHandler {
+	return &SubscriptionHandler{
+		subscriptionService: subscriptionService,
+	}
+}
+
+// AssignSubscriptionRequest represents assign subscription request
+type AssignSubscriptionRequest struct {
+	UserID       int64  `json:"user_id" binding:"required"`
+	GroupID      int64  `json:"group_id" binding:"required"`
+	ValidityDays int    `json:"validity_days"`
+	Notes        string `json:"notes"`
+}
+
+// BulkAssignSubscriptionRequest represents bulk assign subscription request
+type BulkAssignSubscriptionRequest struct {
+	UserIDs      []int64 `json:"user_ids" binding:"required,min=1"`
+	GroupID      int64   `json:"group_id" binding:"required"`
+	ValidityDays int     `json:"validity_days"`
+	Notes        string  `json:"notes"`
+}
+
+// ExtendSubscriptionRequest represents extend subscription request
+type ExtendSubscriptionRequest struct {
+	Days int `json:"days" binding:"required,min=1"`
+}
+
+// List handles listing all subscriptions with pagination and filters
+// GET /api/v1/admin/subscriptions
+func (h *SubscriptionHandler) List(c *gin.Context) {
+	page, pageSize := response.ParsePagination(c)
+
+	// Parse optional filters
+	var userID, groupID *int64
+	if userIDStr := c.Query("user_id"); userIDStr != "" {
+		if id, err := strconv.ParseInt(userIDStr, 10, 64); err == nil {
+			userID = &id
+		}
+	}
+	if groupIDStr := c.Query("group_id"); groupIDStr != "" {
+		if id, err := strconv.ParseInt(groupIDStr, 10, 64); err == nil {
+			groupID = &id
+		}
+	}
+	status := c.Query("status")
+
+	subscriptions, pagination, err := h.subscriptionService.List(c.Request.Context(), page, pageSize, userID, groupID, status)
+	if err != nil {
+		response.InternalError(c, "Failed to list subscriptions: "+err.Error())
+		return
+	}
+
+	response.PaginatedWithResult(c, subscriptions, toResponsePagination(pagination))
+}
+
+// GetByID handles getting a subscription by ID
+// GET /api/v1/admin/subscriptions/:id
+func (h *SubscriptionHandler) GetByID(c *gin.Context) {
+	subscriptionID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid subscription ID")
+		return
+	}
+
+	subscription, err := h.subscriptionService.GetByID(c.Request.Context(), subscriptionID)
+	if err != nil {
+		response.NotFound(c, "Subscription not found")
+		return
+	}
+
+	response.Success(c, subscription)
+}
+
+// GetProgress handles getting subscription usage progress
+// GET /api/v1/admin/subscriptions/:id/progress
+func (h *SubscriptionHandler) GetProgress(c *gin.Context) {
+	subscriptionID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid subscription ID")
+		return
+	}
+
+	progress, err := h.subscriptionService.GetSubscriptionProgress(c.Request.Context(), subscriptionID)
+	if err != nil {
+		response.NotFound(c, "Subscription not found")
+		return
+	}
+
+	response.Success(c, progress)
+}
+
+// Assign handles assigning a subscription to a user
+// POST /api/v1/admin/subscriptions/assign
+func (h *SubscriptionHandler) Assign(c *gin.Context) {
+	var req AssignSubscriptionRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	// Get admin user ID from context
+	adminID := getAdminIDFromContext(c)
+
+	subscription, err := h.subscriptionService.AssignSubscription(c.Request.Context(), &service.AssignSubscriptionInput{
+		UserID:       req.UserID,
+		GroupID:      req.GroupID,
+		ValidityDays: req.ValidityDays,
+		AssignedBy:   adminID,
+		Notes:        req.Notes,
+	})
+	if err != nil {
+		response.BadRequest(c, "Failed to assign subscription: "+err.Error())
+		return
+	}
+
+	response.Success(c, subscription)
+}
+
+// BulkAssign handles bulk assigning subscriptions to multiple users
+// POST /api/v1/admin/subscriptions/bulk-assign
+func (h *SubscriptionHandler) BulkAssign(c *gin.Context) {
+	var req BulkAssignSubscriptionRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	// Get admin user ID from context
+	adminID := getAdminIDFromContext(c)
+
+	result, err := h.subscriptionService.BulkAssignSubscription(c.Request.Context(), &service.BulkAssignSubscriptionInput{
+		UserIDs:      req.UserIDs,
+		GroupID:      req.GroupID,
+		ValidityDays: req.ValidityDays,
+		AssignedBy:   adminID,
+		Notes:        req.Notes,
+	})
+	if err != nil {
+		response.InternalError(c, "Failed to bulk assign subscriptions: "+err.Error())
+		return
+	}
+
+	response.Success(c, result)
+}
+
+// Extend handles extending a subscription
+// POST /api/v1/admin/subscriptions/:id/extend
+func (h *SubscriptionHandler) Extend(c *gin.Context) {
+	subscriptionID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid subscription ID")
+		return
+	}
+
+	var req ExtendSubscriptionRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	subscription, err := h.subscriptionService.ExtendSubscription(c.Request.Context(), subscriptionID, req.Days)
+	if err != nil {
+		response.InternalError(c, "Failed to extend subscription: "+err.Error())
+		return
+	}
+
+	response.Success(c, subscription)
+}
+
+// Revoke handles revoking a subscription
+// DELETE /api/v1/admin/subscriptions/:id
+func (h *SubscriptionHandler) Revoke(c *gin.Context) {
+	subscriptionID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid subscription ID")
+		return
+	}
+
+	err = h.subscriptionService.RevokeSubscription(c.Request.Context(), subscriptionID)
+	if err != nil {
+		response.InternalError(c, "Failed to revoke subscription: "+err.Error())
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Subscription revoked successfully"})
+}
+
+// ListByGroup handles listing subscriptions for a specific group
+// GET /api/v1/admin/groups/:id/subscriptions
+func (h *SubscriptionHandler) ListByGroup(c *gin.Context) {
+	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid group ID")
+		return
+	}
+
+	page, pageSize := response.ParsePagination(c)
+
+	subscriptions, pagination, err := h.subscriptionService.ListGroupSubscriptions(c.Request.Context(), groupID, page, pageSize)
+	if err != nil {
+		response.InternalError(c, "Failed to list group subscriptions: "+err.Error())
+		return
+	}
+
+	response.PaginatedWithResult(c, subscriptions, toResponsePagination(pagination))
+}
+
+// ListByUser handles listing subscriptions for a specific user
+// GET /api/v1/admin/users/:id/subscriptions
+func (h *SubscriptionHandler) ListByUser(c *gin.Context) {
+	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid user ID")
+		return
+	}
+
+	subscriptions, err := h.subscriptionService.ListUserSubscriptions(c.Request.Context(), userID)
+	if err != nil {
+		response.InternalError(c, "Failed to list user subscriptions: "+err.Error())
+		return
+	}
+
+	response.Success(c, subscriptions)
+}
+
+// Helper function to get admin ID from context
+func getAdminIDFromContext(c *gin.Context) int64 {
+	if user, exists := c.Get("user"); exists {
+		if u, ok := user.(*model.User); ok && u != nil {
+			return u.ID
+		}
+	}
+	return 0
+}
--- a/backend/internal/handler/admin/system_handler.go
+++ b/backend/internal/handler/admin/system_handler.go
@@ -0,0 +1,82 @@
+package admin
+
+import (
+	"net/http"
+
+	"sub2api/internal/pkg/response"
+	"sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+	"github.com/redis/go-redis/v9"
+)
+
+// SystemHandler handles system-related operations
+type SystemHandler struct {
+	updateSvc *service.UpdateService
+}
+
+// NewSystemHandler creates a new SystemHandler
+func NewSystemHandler(rdb *redis.Client, version, buildType string) *SystemHandler {
+	return &SystemHandler{
+		updateSvc: service.NewUpdateService(rdb, version, buildType),
+	}
+}
+
+// GetVersion returns the current version
+// GET /api/v1/admin/system/version
+func (h *SystemHandler) GetVersion(c *gin.Context) {
+	info, _ := h.updateSvc.CheckUpdate(c.Request.Context(), false)
+	response.Success(c, gin.H{
+		"version": info.CurrentVersion,
+	})
+}
+
+// CheckUpdates checks for available updates
+// GET /api/v1/admin/system/check-updates
+func (h *SystemHandler) CheckUpdates(c *gin.Context) {
+	force := c.Query("force") == "true"
+	info, err := h.updateSvc.CheckUpdate(c.Request.Context(), force)
+	if err != nil {
+		response.Error(c, http.StatusInternalServerError, err.Error())
+		return
+	}
+	response.Success(c, info)
+}
+
+// PerformUpdate downloads and applies the update
+// POST /api/v1/admin/system/update
+func (h *SystemHandler) PerformUpdate(c *gin.Context) {
+	if err := h.updateSvc.PerformUpdate(c.Request.Context()); err != nil {
+		response.Error(c, http.StatusInternalServerError, err.Error())
+		return
+	}
+	response.Success(c, gin.H{
+		"message":      "Update completed. Please restart the service.",
+		"need_restart": true,
+	})
+}
+
+// Rollback restores the previous version
+// POST /api/v1/admin/system/rollback
+func (h *SystemHandler) Rollback(c *gin.Context) {
+	if err := h.updateSvc.Rollback(); err != nil {
+		response.Error(c, http.StatusInternalServerError, err.Error())
+		return
+	}
+	response.Success(c, gin.H{
+		"message":      "Rollback completed. Please restart the service.",
+		"need_restart": true,
+	})
+}
+
+// RestartService restarts the systemd service
+// POST /api/v1/admin/system/restart
+func (h *SystemHandler) RestartService(c *gin.Context) {
+	if err := h.updateSvc.RestartService(); err != nil {
+		response.Error(c, http.StatusInternalServerError, err.Error())
+		return
+	}
+	response.Success(c, gin.H{
+		"message": "Service restart initiated",
+	})
+}
--- a/backend/internal/handler/admin/usage_handler.go
+++ b/backend/internal/handler/admin/usage_handler.go
@@ -0,0 +1,262 @@
+package admin
+
+import (
+	"strconv"
+	"time"
+
+	"sub2api/internal/pkg/response"
+	"sub2api/internal/pkg/timezone"
+	"sub2api/internal/repository"
+	"sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// UsageHandler handles admin usage-related requests
+type UsageHandler struct {
+	usageRepo     *repository.UsageLogRepository
+	apiKeyRepo    *repository.ApiKeyRepository
+	usageService  *service.UsageService
+	adminService  service.AdminService
+}
+
+// NewUsageHandler creates a new admin usage handler
+func NewUsageHandler(
+	usageRepo *repository.UsageLogRepository,
+	apiKeyRepo *repository.ApiKeyRepository,
+	usageService *service.UsageService,
+	adminService service.AdminService,
+) *UsageHandler {
+	return &UsageHandler{
+		usageRepo:    usageRepo,
+		apiKeyRepo:   apiKeyRepo,
+		usageService: usageService,
+		adminService: adminService,
+	}
+}
+
+// List handles listing all usage records with filters
+// GET /api/v1/admin/usage
+func (h *UsageHandler) List(c *gin.Context) {
+	page, pageSize := response.ParsePagination(c)
+
+	// Parse filters
+	var userID, apiKeyID int64
+	if userIDStr := c.Query("user_id"); userIDStr != "" {
+		id, err := strconv.ParseInt(userIDStr, 10, 64)
+		if err != nil {
+			response.BadRequest(c, "Invalid user_id")
+			return
+		}
+		userID = id
+	}
+
+	if apiKeyIDStr := c.Query("api_key_id"); apiKeyIDStr != "" {
+		id, err := strconv.ParseInt(apiKeyIDStr, 10, 64)
+		if err != nil {
+			response.BadRequest(c, "Invalid api_key_id")
+			return
+		}
+		apiKeyID = id
+	}
+
+	// Parse date range
+	var startTime, endTime *time.Time
+	if startDateStr := c.Query("start_date"); startDateStr != "" {
+		t, err := timezone.ParseInLocation("2006-01-02", startDateStr)
+		if err != nil {
+			response.BadRequest(c, "Invalid start_date format, use YYYY-MM-DD")
+			return
+		}
+		startTime = &t
+	}
+
+	if endDateStr := c.Query("end_date"); endDateStr != "" {
+		t, err := timezone.ParseInLocation("2006-01-02", endDateStr)
+		if err != nil {
+			response.BadRequest(c, "Invalid end_date format, use YYYY-MM-DD")
+			return
+		}
+		// Set end time to end of day
+		t = t.Add(24*time.Hour - time.Nanosecond)
+		endTime = &t
+	}
+
+	params := repository.PaginationParams{Page: page, PageSize: pageSize}
+	filters := repository.UsageLogFilters{
+		UserID:    userID,
+		ApiKeyID:  apiKeyID,
+		StartTime: startTime,
+		EndTime:   endTime,
+	}
+
+	records, result, err := h.usageRepo.ListWithFilters(c.Request.Context(), params, filters)
+	if err != nil {
+		response.InternalError(c, "Failed to list usage records: "+err.Error())
+		return
+	}
+
+	response.Paginated(c, records, result.Total, page, pageSize)
+}
+
+// Stats handles getting usage statistics with filters
+// GET /api/v1/admin/usage/stats
+func (h *UsageHandler) Stats(c *gin.Context) {
+	// Parse filters
+	var userID, apiKeyID int64
+	if userIDStr := c.Query("user_id"); userIDStr != "" {
+		id, err := strconv.ParseInt(userIDStr, 10, 64)
+		if err != nil {
+			response.BadRequest(c, "Invalid user_id")
+			return
+		}
+		userID = id
+	}
+
+	if apiKeyIDStr := c.Query("api_key_id"); apiKeyIDStr != "" {
+		id, err := strconv.ParseInt(apiKeyIDStr, 10, 64)
+		if err != nil {
+			response.BadRequest(c, "Invalid api_key_id")
+			return
+		}
+		apiKeyID = id
+	}
+
+	// Parse date range
+	now := timezone.Now()
+	var startTime, endTime time.Time
+
+	startDateStr := c.Query("start_date")
+	endDateStr := c.Query("end_date")
+
+	if startDateStr != "" && endDateStr != "" {
+		var err error
+		startTime, err = timezone.ParseInLocation("2006-01-02", startDateStr)
+		if err != nil {
+			response.BadRequest(c, "Invalid start_date format, use YYYY-MM-DD")
+			return
+		}
+		endTime, err = timezone.ParseInLocation("2006-01-02", endDateStr)
+		if err != nil {
+			response.BadRequest(c, "Invalid end_date format, use YYYY-MM-DD")
+			return
+		}
+		endTime = endTime.Add(24*time.Hour - time.Nanosecond)
+	} else {
+		period := c.DefaultQuery("period", "today")
+		switch period {
+		case "today":
+			startTime = timezone.StartOfDay(now)
+		case "week":
+			startTime = now.AddDate(0, 0, -7)
+		case "month":
+			startTime = now.AddDate(0, -1, 0)
+		default:
+			startTime = timezone.StartOfDay(now)
+		}
+		endTime = now
+	}
+
+	if apiKeyID > 0 {
+		stats, err := h.usageService.GetStatsByApiKey(c.Request.Context(), apiKeyID, startTime, endTime)
+		if err != nil {
+			response.InternalError(c, "Failed to get usage statistics: "+err.Error())
+			return
+		}
+		response.Success(c, stats)
+		return
+	}
+
+	if userID > 0 {
+		stats, err := h.usageService.GetStatsByUser(c.Request.Context(), userID, startTime, endTime)
+		if err != nil {
+			response.InternalError(c, "Failed to get usage statistics: "+err.Error())
+			return
+		}
+		response.Success(c, stats)
+		return
+	}
+
+	// Get global stats
+	stats, err := h.usageRepo.GetGlobalStats(c.Request.Context(), startTime, endTime)
+	if err != nil {
+		response.InternalError(c, "Failed to get usage statistics: "+err.Error())
+		return
+	}
+
+	response.Success(c, stats)
+}
+
+// SearchUsers handles searching users by email keyword
+// GET /api/v1/admin/usage/search-users
+func (h *UsageHandler) SearchUsers(c *gin.Context) {
+	keyword := c.Query("q")
+	if keyword == "" {
+		response.Success(c, []interface{}{})
+		return
+	}
+
+	// Limit to 30 results
+	users, _, err := h.adminService.ListUsers(c.Request.Context(), 1, 30, "", "", keyword)
+	if err != nil {
+		response.InternalError(c, "Failed to search users: "+err.Error())
+		return
+	}
+
+	// Return simplified user list (only id and email)
+	type SimpleUser struct {
+		ID    int64  `json:"id"`
+		Email string `json:"email"`
+	}
+
+	result := make([]SimpleUser, len(users))
+	for i, u := range users {
+		result[i] = SimpleUser{
+			ID:    u.ID,
+			Email: u.Email,
+		}
+	}
+
+	response.Success(c, result)
+}
+
+// SearchApiKeys handles searching API keys by user
+// GET /api/v1/admin/usage/search-api-keys
+func (h *UsageHandler) SearchApiKeys(c *gin.Context) {
+	userIDStr := c.Query("user_id")
+	keyword := c.Query("q")
+
+	var userID int64
+	if userIDStr != "" {
+		id, err := strconv.ParseInt(userIDStr, 10, 64)
+		if err != nil {
+			response.BadRequest(c, "Invalid user_id")
+			return
+		}
+		userID = id
+	}
+
+	keys, err := h.apiKeyRepo.SearchApiKeys(c.Request.Context(), userID, keyword, 30)
+	if err != nil {
+		response.InternalError(c, "Failed to search API keys: "+err.Error())
+		return
+	}
+
+	// Return simplified API key list (only id and name)
+	type SimpleApiKey struct {
+		ID     int64  `json:"id"`
+		Name   string `json:"name"`
+		UserID int64  `json:"user_id"`
+	}
+
+	result := make([]SimpleApiKey, len(keys))
+	for i, k := range keys {
+		result[i] = SimpleApiKey{
+			ID:     k.ID,
+			Name:   k.Name,
+			UserID: k.UserID,
+		}
+	}
+
+	response.Success(c, result)
+}
--- a/backend/internal/handler/admin/user_handler.go
+++ b/backend/internal/handler/admin/user_handler.go
@@ -0,0 +1,221 @@
+package admin
+
+import (
+	"strconv"
+
+	"sub2api/internal/pkg/response"
+	"sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// UserHandler handles admin user management
+type UserHandler struct {
+	adminService service.AdminService
+}
+
+// NewUserHandler creates a new admin user handler
+func NewUserHandler(adminService service.AdminService) *UserHandler {
+	return &UserHandler{
+		adminService: adminService,
+	}
+}
+
+// CreateUserRequest represents admin create user request
+type CreateUserRequest struct {
+	Email         string  `json:"email" binding:"required,email"`
+	Password      string  `json:"password" binding:"required,min=6"`
+	Balance       float64 `json:"balance"`
+	Concurrency   int     `json:"concurrency"`
+	AllowedGroups []int64 `json:"allowed_groups"`
+}
+
+// UpdateUserRequest represents admin update user request
+// 使用指针类型来区分"未提供"和"设置为0"
+type UpdateUserRequest struct {
+	Email         string   `json:"email" binding:"omitempty,email"`
+	Password      string   `json:"password" binding:"omitempty,min=6"`
+	Balance       *float64 `json:"balance"`
+	Concurrency   *int     `json:"concurrency"`
+	Status        string   `json:"status" binding:"omitempty,oneof=active disabled"`
+	AllowedGroups *[]int64 `json:"allowed_groups"`
+}
+
+// UpdateBalanceRequest represents balance update request
+type UpdateBalanceRequest struct {
+	Balance   float64 `json:"balance" binding:"required"`
+	Operation string  `json:"operation" binding:"required,oneof=set add subtract"`
+}
+
+// List handles listing all users with pagination
+// GET /api/v1/admin/users
+func (h *UserHandler) List(c *gin.Context) {
+	page, pageSize := response.ParsePagination(c)
+	status := c.Query("status")
+	role := c.Query("role")
+	search := c.Query("search")
+
+	users, total, err := h.adminService.ListUsers(c.Request.Context(), page, pageSize, status, role, search)
+	if err != nil {
+		response.InternalError(c, "Failed to list users: "+err.Error())
+		return
+	}
+
+	response.Paginated(c, users, total, page, pageSize)
+}
+
+// GetByID handles getting a user by ID
+// GET /api/v1/admin/users/:id
+func (h *UserHandler) GetByID(c *gin.Context) {
+	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid user ID")
+		return
+	}
+
+	user, err := h.adminService.GetUser(c.Request.Context(), userID)
+	if err != nil {
+		response.NotFound(c, "User not found")
+		return
+	}
+
+	response.Success(c, user)
+}
+
+// Create handles creating a new user
+// POST /api/v1/admin/users
+func (h *UserHandler) Create(c *gin.Context) {
+	var req CreateUserRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	user, err := h.adminService.CreateUser(c.Request.Context(), &service.CreateUserInput{
+		Email:         req.Email,
+		Password:      req.Password,
+		Balance:       req.Balance,
+		Concurrency:   req.Concurrency,
+		AllowedGroups: req.AllowedGroups,
+	})
+	if err != nil {
+		response.BadRequest(c, "Failed to create user: "+err.Error())
+		return
+	}
+
+	response.Success(c, user)
+}
+
+// Update handles updating a user
+// PUT /api/v1/admin/users/:id
+func (h *UserHandler) Update(c *gin.Context) {
+	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid user ID")
+		return
+	}
+
+	var req UpdateUserRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	// 使用指针类型直接传递，nil 表示未提供该字段
+	user, err := h.adminService.UpdateUser(c.Request.Context(), userID, &service.UpdateUserInput{
+		Email:         req.Email,
+		Password:      req.Password,
+		Balance:       req.Balance,
+		Concurrency:   req.Concurrency,
+		Status:        req.Status,
+		AllowedGroups: req.AllowedGroups,
+	})
+	if err != nil {
+		response.InternalError(c, "Failed to update user: "+err.Error())
+		return
+	}
+
+	response.Success(c, user)
+}
+
+// Delete handles deleting a user
+// DELETE /api/v1/admin/users/:id
+func (h *UserHandler) Delete(c *gin.Context) {
+	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid user ID")
+		return
+	}
+
+	err = h.adminService.DeleteUser(c.Request.Context(), userID)
+	if err != nil {
+		response.InternalError(c, "Failed to delete user: "+err.Error())
+		return
+	}
+
+	response.Success(c, gin.H{"message": "User deleted successfully"})
+}
+
+// UpdateBalance handles updating user balance
+// POST /api/v1/admin/users/:id/balance
+func (h *UserHandler) UpdateBalance(c *gin.Context) {
+	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid user ID")
+		return
+	}
+
+	var req UpdateBalanceRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	user, err := h.adminService.UpdateUserBalance(c.Request.Context(), userID, req.Balance, req.Operation)
+	if err != nil {
+		response.InternalError(c, "Failed to update balance: "+err.Error())
+		return
+	}
+
+	response.Success(c, user)
+}
+
+// GetUserAPIKeys handles getting user's API keys
+// GET /api/v1/admin/users/:id/api-keys
+func (h *UserHandler) GetUserAPIKeys(c *gin.Context) {
+	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid user ID")
+		return
+	}
+
+	page, pageSize := response.ParsePagination(c)
+
+	keys, total, err := h.adminService.GetUserAPIKeys(c.Request.Context(), userID, page, pageSize)
+	if err != nil {
+		response.InternalError(c, "Failed to get user API keys: "+err.Error())
+		return
+	}
+
+	response.Paginated(c, keys, total, page, pageSize)
+}
+
+// GetUserUsage handles getting user's usage statistics
+// GET /api/v1/admin/users/:id/usage
+func (h *UserHandler) GetUserUsage(c *gin.Context) {
+	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid user ID")
+		return
+	}
+
+	period := c.DefaultQuery("period", "month")
+
+	stats, err := h.adminService.GetUserUsageStats(c.Request.Context(), userID, period)
+	if err != nil {
+		response.InternalError(c, "Failed to get user usage: "+err.Error())
+		return
+	}
+
+	response.Success(c, stats)
+}