feat: 品牌重命名 Sub2API -> TianShuAPI

- 前端: 所有界面显示、i18n 文本、组件中的品牌名称
- 后端: 服务层、设置默认值、邮件模板、安装向导
- 数据库: 迁移脚本注释
- 保持功能完全一致，仅更改品牌名称

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

backend/internal/handler/admin/antigravity_oauth_handler.go

@@ -1,67 +1,67 @@
-package admin
-
-import (
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-	"github.com/gin-gonic/gin"
-)
-
-type AntigravityOAuthHandler struct {
-	antigravityOAuthService *service.AntigravityOAuthService
-}
-
-func NewAntigravityOAuthHandler(antigravityOAuthService *service.AntigravityOAuthService) *AntigravityOAuthHandler {
-	return &AntigravityOAuthHandler{antigravityOAuthService: antigravityOAuthService}
-}
-
-type AntigravityGenerateAuthURLRequest struct {
-	ProxyID *int64 `json:"proxy_id"`
-}
-
-// GenerateAuthURL generates Google OAuth authorization URL
-// POST /api/v1/admin/antigravity/oauth/auth-url
-func (h *AntigravityOAuthHandler) GenerateAuthURL(c *gin.Context) {
-	var req AntigravityGenerateAuthURLRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "请求无效: "+err.Error())
-		return
-	}
-
-	result, err := h.antigravityOAuthService.GenerateAuthURL(c.Request.Context(), req.ProxyID)
-	if err != nil {
-		response.InternalError(c, "生成授权链接失败: "+err.Error())
-		return
-	}
-
-	response.Success(c, result)
-}
-
-type AntigravityExchangeCodeRequest struct {
-	SessionID string `json:"session_id" binding:"required"`
-	State     string `json:"state" binding:"required"`
-	Code      string `json:"code" binding:"required"`
-	ProxyID   *int64 `json:"proxy_id"`
-}
-
-// ExchangeCode 用 authorization code 交换 token
-// POST /api/v1/admin/antigravity/oauth/exchange-code
-func (h *AntigravityOAuthHandler) ExchangeCode(c *gin.Context) {
-	var req AntigravityExchangeCodeRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "请求无效: "+err.Error())
-		return
-	}
-
-	tokenInfo, err := h.antigravityOAuthService.ExchangeCode(c.Request.Context(), &service.AntigravityExchangeCodeInput{
-		SessionID: req.SessionID,
-		State:     req.State,
-		Code:      req.Code,
-		ProxyID:   req.ProxyID,
-	})
-	if err != nil {
-		response.BadRequest(c, "Token 交换失败: "+err.Error())
-		return
-	}
-
-	response.Success(c, tokenInfo)
-}
+package admin
+
+import (
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+	"github.com/gin-gonic/gin"
+)
+
+type AntigravityOAuthHandler struct {
+	antigravityOAuthService *service.AntigravityOAuthService
+}
+
+func NewAntigravityOAuthHandler(antigravityOAuthService *service.AntigravityOAuthService) *AntigravityOAuthHandler {
+	return &AntigravityOAuthHandler{antigravityOAuthService: antigravityOAuthService}
+}
+
+type AntigravityGenerateAuthURLRequest struct {
+	ProxyID *int64 `json:"proxy_id"`
+}
+
+// GenerateAuthURL generates Google OAuth authorization URL
+// POST /api/v1/admin/antigravity/oauth/auth-url
+func (h *AntigravityOAuthHandler) GenerateAuthURL(c *gin.Context) {
+	var req AntigravityGenerateAuthURLRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "请求无效: "+err.Error())
+		return
+	}
+
+	result, err := h.antigravityOAuthService.GenerateAuthURL(c.Request.Context(), req.ProxyID)
+	if err != nil {
+		response.InternalError(c, "生成授权链接失败: "+err.Error())
+		return
+	}
+
+	response.Success(c, result)
+}
+
+type AntigravityExchangeCodeRequest struct {
+	SessionID string `json:"session_id" binding:"required"`
+	State     string `json:"state" binding:"required"`
+	Code      string `json:"code" binding:"required"`
+	ProxyID   *int64 `json:"proxy_id"`
+}
+
+// ExchangeCode 用 authorization code 交换 token
+// POST /api/v1/admin/antigravity/oauth/exchange-code
+func (h *AntigravityOAuthHandler) ExchangeCode(c *gin.Context) {
+	var req AntigravityExchangeCodeRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "请求无效: "+err.Error())
+		return
+	}
+
+	tokenInfo, err := h.antigravityOAuthService.ExchangeCode(c.Request.Context(), &service.AntigravityExchangeCodeInput{
+		SessionID: req.SessionID,
+		State:     req.State,
+		Code:      req.Code,
+		ProxyID:   req.ProxyID,
+	})
+	if err != nil {
+		response.BadRequest(c, "Token 交换失败: "+err.Error())
+		return
+	}
+
+	response.Success(c, tokenInfo)
+}

backend/internal/handler/admin/dashboard_handler.go

@@ -1,302 +1,302 @@
-package admin
-
-import (
-	"strconv"
-	"time"
-
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/timezone"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// DashboardHandler handles admin dashboard statistics
-type DashboardHandler struct {
-	dashboardService *service.DashboardService
-	startTime        time.Time // Server start time for uptime calculation
-}
-
-// NewDashboardHandler creates a new admin dashboard handler
-func NewDashboardHandler(dashboardService *service.DashboardService) *DashboardHandler {
-	return &DashboardHandler{
-		dashboardService: dashboardService,
-		startTime:        time.Now(),
-	}
-}
-
-// parseTimeRange parses start_date, end_date query parameters
-func parseTimeRange(c *gin.Context) (time.Time, time.Time) {
-	now := timezone.Now()
-	startDate := c.Query("start_date")
-	endDate := c.Query("end_date")
-
-	var startTime, endTime time.Time
-
-	if startDate != "" {
-		if t, err := timezone.ParseInLocation("2006-01-02", startDate); err == nil {
-			startTime = t
-		} else {
-			startTime = timezone.StartOfDay(now.AddDate(0, 0, -7))
-		}
-	} else {
-		startTime = timezone.StartOfDay(now.AddDate(0, 0, -7))
-	}
-
-	if endDate != "" {
-		if t, err := timezone.ParseInLocation("2006-01-02", endDate); err == nil {
-			endTime = t.Add(24 * time.Hour) // Include the end date
-		} else {
-			endTime = timezone.StartOfDay(now.AddDate(0, 0, 1))
-		}
-	} else {
-		endTime = timezone.StartOfDay(now.AddDate(0, 0, 1))
-	}
-
-	return startTime, endTime
-}
-
-// GetStats handles getting dashboard statistics
-// GET /api/v1/admin/dashboard/stats
-func (h *DashboardHandler) GetStats(c *gin.Context) {
-	stats, err := h.dashboardService.GetDashboardStats(c.Request.Context())
-	if err != nil {
-		response.Error(c, 500, "Failed to get dashboard statistics")
-		return
-	}
-
-	// Calculate uptime in seconds
-	uptime := int64(time.Since(h.startTime).Seconds())
-
-	response.Success(c, gin.H{
-		// 用户统计
-		"total_users":     stats.TotalUsers,
-		"today_new_users": stats.TodayNewUsers,
-		"active_users":    stats.ActiveUsers,
-
-		// API Key 统计
-		"total_api_keys":  stats.TotalApiKeys,
-		"active_api_keys": stats.ActiveApiKeys,
-
-		// 账户统计
-		"total_accounts":     stats.TotalAccounts,
-		"normal_accounts":    stats.NormalAccounts,
-		"error_accounts":     stats.ErrorAccounts,
-		"ratelimit_accounts": stats.RateLimitAccounts,
-		"overload_accounts":  stats.OverloadAccounts,
-
-		// 累计 Token 使用统计
-		"total_requests":              stats.TotalRequests,
-		"total_input_tokens":          stats.TotalInputTokens,
-		"total_output_tokens":         stats.TotalOutputTokens,
-		"total_cache_creation_tokens": stats.TotalCacheCreationTokens,
-		"total_cache_read_tokens":     stats.TotalCacheReadTokens,
-		"total_tokens":                stats.TotalTokens,
-		"total_cost":                  stats.TotalCost,       // 标准计费
-		"total_actual_cost":           stats.TotalActualCost, // 实际扣除
-
-		// 今日 Token 使用统计
-		"today_requests":              stats.TodayRequests,
-		"today_input_tokens":          stats.TodayInputTokens,
-		"today_output_tokens":         stats.TodayOutputTokens,
-		"today_cache_creation_tokens": stats.TodayCacheCreationTokens,
-		"today_cache_read_tokens":     stats.TodayCacheReadTokens,
-		"today_tokens":                stats.TodayTokens,
-		"today_cost":                  stats.TodayCost,       // 今日标准计费
-		"today_actual_cost":           stats.TodayActualCost, // 今日实际扣除
-
-		// 系统运行统计
-		"average_duration_ms": stats.AverageDurationMs,
-		"uptime":              uptime,
-
-		// 性能指标
-		"rpm": stats.Rpm,
-		"tpm": stats.Tpm,
-	})
-}
-
-// GetRealtimeMetrics handles getting real-time system metrics
-// GET /api/v1/admin/dashboard/realtime
-func (h *DashboardHandler) GetRealtimeMetrics(c *gin.Context) {
-	// Return mock data for now
-	response.Success(c, gin.H{
-		"active_requests":       0,
-		"requests_per_minute":   0,
-		"average_response_time": 0,
-		"error_rate":            0.0,
-	})
-}
-
-// GetUsageTrend handles getting usage trend data
-// GET /api/v1/admin/dashboard/trend
-// Query params: start_date, end_date (YYYY-MM-DD), granularity (day/hour), user_id, api_key_id
-func (h *DashboardHandler) GetUsageTrend(c *gin.Context) {
-	startTime, endTime := parseTimeRange(c)
-	granularity := c.DefaultQuery("granularity", "day")
-
-	// Parse optional filter params
-	var userID, apiKeyID int64
-	if userIDStr := c.Query("user_id"); userIDStr != "" {
-		if id, err := strconv.ParseInt(userIDStr, 10, 64); err == nil {
-			userID = id
-		}
-	}
-	if apiKeyIDStr := c.Query("api_key_id"); apiKeyIDStr != "" {
-		if id, err := strconv.ParseInt(apiKeyIDStr, 10, 64); err == nil {
-			apiKeyID = id
-		}
-	}
-
-	trend, err := h.dashboardService.GetUsageTrendWithFilters(c.Request.Context(), startTime, endTime, granularity, userID, apiKeyID)
-	if err != nil {
-		response.Error(c, 500, "Failed to get usage trend")
-		return
-	}
-
-	response.Success(c, gin.H{
-		"trend":       trend,
-		"start_date":  startTime.Format("2006-01-02"),
-		"end_date":    endTime.Add(-24 * time.Hour).Format("2006-01-02"),
-		"granularity": granularity,
-	})
-}
-
-// GetModelStats handles getting model usage statistics
-// GET /api/v1/admin/dashboard/models
-// Query params: start_date, end_date (YYYY-MM-DD), user_id, api_key_id
-func (h *DashboardHandler) GetModelStats(c *gin.Context) {
-	startTime, endTime := parseTimeRange(c)
-
-	// Parse optional filter params
-	var userID, apiKeyID int64
-	if userIDStr := c.Query("user_id"); userIDStr != "" {
-		if id, err := strconv.ParseInt(userIDStr, 10, 64); err == nil {
-			userID = id
-		}
-	}
-	if apiKeyIDStr := c.Query("api_key_id"); apiKeyIDStr != "" {
-		if id, err := strconv.ParseInt(apiKeyIDStr, 10, 64); err == nil {
-			apiKeyID = id
-		}
-	}
-
-	stats, err := h.dashboardService.GetModelStatsWithFilters(c.Request.Context(), startTime, endTime, userID, apiKeyID)
-	if err != nil {
-		response.Error(c, 500, "Failed to get model statistics")
-		return
-	}
-
-	response.Success(c, gin.H{
-		"models":     stats,
-		"start_date": startTime.Format("2006-01-02"),
-		"end_date":   endTime.Add(-24 * time.Hour).Format("2006-01-02"),
-	})
-}
-
-// GetApiKeyUsageTrend handles getting API key usage trend data
-// GET /api/v1/admin/dashboard/api-keys-trend
-// Query params: start_date, end_date (YYYY-MM-DD), granularity (day/hour), limit (default 5)
-func (h *DashboardHandler) GetApiKeyUsageTrend(c *gin.Context) {
-	startTime, endTime := parseTimeRange(c)
-	granularity := c.DefaultQuery("granularity", "day")
-	limitStr := c.DefaultQuery("limit", "5")
-	limit, err := strconv.Atoi(limitStr)
-	if err != nil || limit <= 0 {
-		limit = 5
-	}
-
-	trend, err := h.dashboardService.GetApiKeyUsageTrend(c.Request.Context(), startTime, endTime, granularity, limit)
-	if err != nil {
-		response.Error(c, 500, "Failed to get API key usage trend")
-		return
-	}
-
-	response.Success(c, gin.H{
-		"trend":       trend,
-		"start_date":  startTime.Format("2006-01-02"),
-		"end_date":    endTime.Add(-24 * time.Hour).Format("2006-01-02"),
-		"granularity": granularity,
-	})
-}
-
-// GetUserUsageTrend handles getting user usage trend data
-// GET /api/v1/admin/dashboard/users-trend
-// Query params: start_date, end_date (YYYY-MM-DD), granularity (day/hour), limit (default 12)
-func (h *DashboardHandler) GetUserUsageTrend(c *gin.Context) {
-	startTime, endTime := parseTimeRange(c)
-	granularity := c.DefaultQuery("granularity", "day")
-	limitStr := c.DefaultQuery("limit", "12")
-	limit, err := strconv.Atoi(limitStr)
-	if err != nil || limit <= 0 {
-		limit = 12
-	}
-
-	trend, err := h.dashboardService.GetUserUsageTrend(c.Request.Context(), startTime, endTime, granularity, limit)
-	if err != nil {
-		response.Error(c, 500, "Failed to get user usage trend")
-		return
-	}
-
-	response.Success(c, gin.H{
-		"trend":       trend,
-		"start_date":  startTime.Format("2006-01-02"),
-		"end_date":    endTime.Add(-24 * time.Hour).Format("2006-01-02"),
-		"granularity": granularity,
-	})
-}
-
-// BatchUsersUsageRequest represents the request body for batch user usage stats
-type BatchUsersUsageRequest struct {
-	UserIDs []int64 `json:"user_ids" binding:"required"`
-}
-
-// GetBatchUsersUsage handles getting usage stats for multiple users
-// POST /api/v1/admin/dashboard/users-usage
-func (h *DashboardHandler) GetBatchUsersUsage(c *gin.Context) {
-	var req BatchUsersUsageRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	if len(req.UserIDs) == 0 {
-		response.Success(c, gin.H{"stats": map[string]any{}})
-		return
-	}
-
-	stats, err := h.dashboardService.GetBatchUserUsageStats(c.Request.Context(), req.UserIDs)
-	if err != nil {
-		response.Error(c, 500, "Failed to get user usage stats")
-		return
-	}
-
-	response.Success(c, gin.H{"stats": stats})
-}
-
-// BatchApiKeysUsageRequest represents the request body for batch api key usage stats
-type BatchApiKeysUsageRequest struct {
-	ApiKeyIDs []int64 `json:"api_key_ids" binding:"required"`
-}
-
-// GetBatchApiKeysUsage handles getting usage stats for multiple API keys
-// POST /api/v1/admin/dashboard/api-keys-usage
-func (h *DashboardHandler) GetBatchApiKeysUsage(c *gin.Context) {
-	var req BatchApiKeysUsageRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	if len(req.ApiKeyIDs) == 0 {
-		response.Success(c, gin.H{"stats": map[string]any{}})
-		return
-	}
-
-	stats, err := h.dashboardService.GetBatchApiKeyUsageStats(c.Request.Context(), req.ApiKeyIDs)
-	if err != nil {
-		response.Error(c, 500, "Failed to get API key usage stats")
-		return
-	}
-
-	response.Success(c, gin.H{"stats": stats})
-}
+package admin
+
+import (
+	"strconv"
+	"time"
+
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/timezone"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// DashboardHandler handles admin dashboard statistics
+type DashboardHandler struct {
+	dashboardService *service.DashboardService
+	startTime        time.Time // Server start time for uptime calculation
+}
+
+// NewDashboardHandler creates a new admin dashboard handler
+func NewDashboardHandler(dashboardService *service.DashboardService) *DashboardHandler {
+	return &DashboardHandler{
+		dashboardService: dashboardService,
+		startTime:        time.Now(),
+	}
+}
+
+// parseTimeRange parses start_date, end_date query parameters
+func parseTimeRange(c *gin.Context) (time.Time, time.Time) {
+	now := timezone.Now()
+	startDate := c.Query("start_date")
+	endDate := c.Query("end_date")
+
+	var startTime, endTime time.Time
+
+	if startDate != "" {
+		if t, err := timezone.ParseInLocation("2006-01-02", startDate); err == nil {
+			startTime = t
+		} else {
+			startTime = timezone.StartOfDay(now.AddDate(0, 0, -7))
+		}
+	} else {
+		startTime = timezone.StartOfDay(now.AddDate(0, 0, -7))
+	}
+
+	if endDate != "" {
+		if t, err := timezone.ParseInLocation("2006-01-02", endDate); err == nil {
+			endTime = t.Add(24 * time.Hour) // Include the end date
+		} else {
+			endTime = timezone.StartOfDay(now.AddDate(0, 0, 1))
+		}
+	} else {
+		endTime = timezone.StartOfDay(now.AddDate(0, 0, 1))
+	}
+
+	return startTime, endTime
+}
+
+// GetStats handles getting dashboard statistics
+// GET /api/v1/admin/dashboard/stats
+func (h *DashboardHandler) GetStats(c *gin.Context) {
+	stats, err := h.dashboardService.GetDashboardStats(c.Request.Context())
+	if err != nil {
+		response.Error(c, 500, "Failed to get dashboard statistics")
+		return
+	}
+
+	// Calculate uptime in seconds
+	uptime := int64(time.Since(h.startTime).Seconds())
+
+	response.Success(c, gin.H{
+		// 用户统计
+		"total_users":     stats.TotalUsers,
+		"today_new_users": stats.TodayNewUsers,
+		"active_users":    stats.ActiveUsers,
+
+		// API Key 统计
+		"total_api_keys":  stats.TotalApiKeys,
+		"active_api_keys": stats.ActiveApiKeys,
+
+		// 账户统计
+		"total_accounts":     stats.TotalAccounts,
+		"normal_accounts":    stats.NormalAccounts,
+		"error_accounts":     stats.ErrorAccounts,
+		"ratelimit_accounts": stats.RateLimitAccounts,
+		"overload_accounts":  stats.OverloadAccounts,
+
+		// 累计 Token 使用统计
+		"total_requests":              stats.TotalRequests,
+		"total_input_tokens":          stats.TotalInputTokens,
+		"total_output_tokens":         stats.TotalOutputTokens,
+		"total_cache_creation_tokens": stats.TotalCacheCreationTokens,
+		"total_cache_read_tokens":     stats.TotalCacheReadTokens,
+		"total_tokens":                stats.TotalTokens,
+		"total_cost":                  stats.TotalCost,       // 标准计费
+		"total_actual_cost":           stats.TotalActualCost, // 实际扣除
+
+		// 今日 Token 使用统计
+		"today_requests":              stats.TodayRequests,
+		"today_input_tokens":          stats.TodayInputTokens,
+		"today_output_tokens":         stats.TodayOutputTokens,
+		"today_cache_creation_tokens": stats.TodayCacheCreationTokens,
+		"today_cache_read_tokens":     stats.TodayCacheReadTokens,
+		"today_tokens":                stats.TodayTokens,
+		"today_cost":                  stats.TodayCost,       // 今日标准计费
+		"today_actual_cost":           stats.TodayActualCost, // 今日实际扣除
+
+		// 系统运行统计
+		"average_duration_ms": stats.AverageDurationMs,
+		"uptime":              uptime,
+
+		// 性能指标
+		"rpm": stats.Rpm,
+		"tpm": stats.Tpm,
+	})
+}
+
+// GetRealtimeMetrics handles getting real-time system metrics
+// GET /api/v1/admin/dashboard/realtime
+func (h *DashboardHandler) GetRealtimeMetrics(c *gin.Context) {
+	// Return mock data for now
+	response.Success(c, gin.H{
+		"active_requests":       0,
+		"requests_per_minute":   0,
+		"average_response_time": 0,
+		"error_rate":            0.0,
+	})
+}
+
+// GetUsageTrend handles getting usage trend data
+// GET /api/v1/admin/dashboard/trend
+// Query params: start_date, end_date (YYYY-MM-DD), granularity (day/hour), user_id, api_key_id
+func (h *DashboardHandler) GetUsageTrend(c *gin.Context) {
+	startTime, endTime := parseTimeRange(c)
+	granularity := c.DefaultQuery("granularity", "day")
+
+	// Parse optional filter params
+	var userID, apiKeyID int64
+	if userIDStr := c.Query("user_id"); userIDStr != "" {
+		if id, err := strconv.ParseInt(userIDStr, 10, 64); err == nil {
+			userID = id
+		}
+	}
+	if apiKeyIDStr := c.Query("api_key_id"); apiKeyIDStr != "" {
+		if id, err := strconv.ParseInt(apiKeyIDStr, 10, 64); err == nil {
+			apiKeyID = id
+		}
+	}
+
+	trend, err := h.dashboardService.GetUsageTrendWithFilters(c.Request.Context(), startTime, endTime, granularity, userID, apiKeyID)
+	if err != nil {
+		response.Error(c, 500, "Failed to get usage trend")
+		return
+	}
+
+	response.Success(c, gin.H{
+		"trend":       trend,
+		"start_date":  startTime.Format("2006-01-02"),
+		"end_date":    endTime.Add(-24 * time.Hour).Format("2006-01-02"),
+		"granularity": granularity,
+	})
+}
+
+// GetModelStats handles getting model usage statistics
+// GET /api/v1/admin/dashboard/models
+// Query params: start_date, end_date (YYYY-MM-DD), user_id, api_key_id
+func (h *DashboardHandler) GetModelStats(c *gin.Context) {
+	startTime, endTime := parseTimeRange(c)
+
+	// Parse optional filter params
+	var userID, apiKeyID int64
+	if userIDStr := c.Query("user_id"); userIDStr != "" {
+		if id, err := strconv.ParseInt(userIDStr, 10, 64); err == nil {
+			userID = id
+		}
+	}
+	if apiKeyIDStr := c.Query("api_key_id"); apiKeyIDStr != "" {
+		if id, err := strconv.ParseInt(apiKeyIDStr, 10, 64); err == nil {
+			apiKeyID = id
+		}
+	}
+
+	stats, err := h.dashboardService.GetModelStatsWithFilters(c.Request.Context(), startTime, endTime, userID, apiKeyID)
+	if err != nil {
+		response.Error(c, 500, "Failed to get model statistics")
+		return
+	}
+
+	response.Success(c, gin.H{
+		"models":     stats,
+		"start_date": startTime.Format("2006-01-02"),
+		"end_date":   endTime.Add(-24 * time.Hour).Format("2006-01-02"),
+	})
+}
+
+// GetApiKeyUsageTrend handles getting API key usage trend data
+// GET /api/v1/admin/dashboard/api-keys-trend
+// Query params: start_date, end_date (YYYY-MM-DD), granularity (day/hour), limit (default 5)
+func (h *DashboardHandler) GetApiKeyUsageTrend(c *gin.Context) {
+	startTime, endTime := parseTimeRange(c)
+	granularity := c.DefaultQuery("granularity", "day")
+	limitStr := c.DefaultQuery("limit", "5")
+	limit, err := strconv.Atoi(limitStr)
+	if err != nil || limit <= 0 {
+		limit = 5
+	}
+
+	trend, err := h.dashboardService.GetApiKeyUsageTrend(c.Request.Context(), startTime, endTime, granularity, limit)
+	if err != nil {
+		response.Error(c, 500, "Failed to get API key usage trend")
+		return
+	}
+
+	response.Success(c, gin.H{
+		"trend":       trend,
+		"start_date":  startTime.Format("2006-01-02"),
+		"end_date":    endTime.Add(-24 * time.Hour).Format("2006-01-02"),
+		"granularity": granularity,
+	})
+}
+
+// GetUserUsageTrend handles getting user usage trend data
+// GET /api/v1/admin/dashboard/users-trend
+// Query params: start_date, end_date (YYYY-MM-DD), granularity (day/hour), limit (default 12)
+func (h *DashboardHandler) GetUserUsageTrend(c *gin.Context) {
+	startTime, endTime := parseTimeRange(c)
+	granularity := c.DefaultQuery("granularity", "day")
+	limitStr := c.DefaultQuery("limit", "12")
+	limit, err := strconv.Atoi(limitStr)
+	if err != nil || limit <= 0 {
+		limit = 12
+	}
+
+	trend, err := h.dashboardService.GetUserUsageTrend(c.Request.Context(), startTime, endTime, granularity, limit)
+	if err != nil {
+		response.Error(c, 500, "Failed to get user usage trend")
+		return
+	}
+
+	response.Success(c, gin.H{
+		"trend":       trend,
+		"start_date":  startTime.Format("2006-01-02"),
+		"end_date":    endTime.Add(-24 * time.Hour).Format("2006-01-02"),
+		"granularity": granularity,
+	})
+}
+
+// BatchUsersUsageRequest represents the request body for batch user usage stats
+type BatchUsersUsageRequest struct {
+	UserIDs []int64 `json:"user_ids" binding:"required"`
+}
+
+// GetBatchUsersUsage handles getting usage stats for multiple users
+// POST /api/v1/admin/dashboard/users-usage
+func (h *DashboardHandler) GetBatchUsersUsage(c *gin.Context) {
+	var req BatchUsersUsageRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	if len(req.UserIDs) == 0 {
+		response.Success(c, gin.H{"stats": map[string]any{}})
+		return
+	}
+
+	stats, err := h.dashboardService.GetBatchUserUsageStats(c.Request.Context(), req.UserIDs)
+	if err != nil {
+		response.Error(c, 500, "Failed to get user usage stats")
+		return
+	}
+
+	response.Success(c, gin.H{"stats": stats})
+}
+
+// BatchApiKeysUsageRequest represents the request body for batch api key usage stats
+type BatchApiKeysUsageRequest struct {
+	ApiKeyIDs []int64 `json:"api_key_ids" binding:"required"`
+}
+
+// GetBatchApiKeysUsage handles getting usage stats for multiple API keys
+// POST /api/v1/admin/dashboard/api-keys-usage
+func (h *DashboardHandler) GetBatchApiKeysUsage(c *gin.Context) {
+	var req BatchApiKeysUsageRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	if len(req.ApiKeyIDs) == 0 {
+		response.Success(c, gin.H{"stats": map[string]any{}})
+		return
+	}
+
+	stats, err := h.dashboardService.GetBatchApiKeyUsageStats(c.Request.Context(), req.ApiKeyIDs)
+	if err != nil {
+		response.Error(c, 500, "Failed to get API key usage stats")
+		return
+	}
+
+	response.Success(c, gin.H{"stats": stats})
+}

backend/internal/handler/admin/gemini_oauth_handler.go

@@ -1,135 +1,135 @@
-package admin
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-type GeminiOAuthHandler struct {
-	geminiOAuthService *service.GeminiOAuthService
-}
-
-func NewGeminiOAuthHandler(geminiOAuthService *service.GeminiOAuthService) *GeminiOAuthHandler {
-	return &GeminiOAuthHandler{geminiOAuthService: geminiOAuthService}
-}
-
-// GET /api/v1/admin/gemini/oauth/capabilities
-func (h *GeminiOAuthHandler) GetCapabilities(c *gin.Context) {
-	cfg := h.geminiOAuthService.GetOAuthConfig()
-	response.Success(c, cfg)
-}
-
-type GeminiGenerateAuthURLRequest struct {
-	ProxyID   *int64 `json:"proxy_id"`
-	ProjectID string `json:"project_id"`
-	// OAuth 类型: "code_assist" (需要 project_id) 或 "ai_studio" (不需要 project_id)
-	// 默认为 "code_assist" 以保持向后兼容
-	OAuthType string `json:"oauth_type"`
-}
-
-// GenerateAuthURL generates Google OAuth authorization URL for Gemini.
-// POST /api/v1/admin/gemini/oauth/auth-url
-func (h *GeminiOAuthHandler) GenerateAuthURL(c *gin.Context) {
-	var req GeminiGenerateAuthURLRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	// 默认使用 code_assist 以保持向后兼容
-	oauthType := strings.TrimSpace(req.OAuthType)
-	if oauthType == "" {
-		oauthType = "code_assist"
-	}
-	if oauthType != "code_assist" && oauthType != "google_one" && oauthType != "ai_studio" {
-		response.BadRequest(c, "Invalid oauth_type: must be 'code_assist', 'google_one', or 'ai_studio'")
-		return
-	}
-
-	// Always pass the "hosted" callback URI; the OAuth service may override it depending on
-	// oauth_type and whether the built-in Gemini CLI OAuth client is used.
-	redirectURI := deriveGeminiRedirectURI(c)
-	result, err := h.geminiOAuthService.GenerateAuthURL(c.Request.Context(), req.ProxyID, redirectURI, req.ProjectID, oauthType)
-	if err != nil {
-		msg := err.Error()
-		// Treat missing/invalid OAuth client configuration as a user/config error.
-		if strings.Contains(msg, "OAuth client not configured") || strings.Contains(msg, "requires your own OAuth Client") {
-			response.BadRequest(c, "Failed to generate auth URL: "+msg)
-			return
-		}
-		response.InternalError(c, "Failed to generate auth URL: "+msg)
-		return
-	}
-
-	response.Success(c, result)
-}
-
-type GeminiExchangeCodeRequest struct {
-	SessionID string `json:"session_id" binding:"required"`
-	State     string `json:"state" binding:"required"`
-	Code      string `json:"code" binding:"required"`
-	ProxyID   *int64 `json:"proxy_id"`
-	// OAuth 类型: "code_assist" 或 "ai_studio"，需要与 GenerateAuthURL 时的类型一致
-	OAuthType string `json:"oauth_type"`
-}
-
-// ExchangeCode exchanges authorization code for tokens.
-// POST /api/v1/admin/gemini/oauth/exchange-code
-func (h *GeminiOAuthHandler) ExchangeCode(c *gin.Context) {
-	var req GeminiExchangeCodeRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	// 默认使用 code_assist 以保持向后兼容
-	oauthType := strings.TrimSpace(req.OAuthType)
-	if oauthType == "" {
-		oauthType = "code_assist"
-	}
-	if oauthType != "code_assist" && oauthType != "google_one" && oauthType != "ai_studio" {
-		response.BadRequest(c, "Invalid oauth_type: must be 'code_assist', 'google_one', or 'ai_studio'")
-		return
-	}
-
-	tokenInfo, err := h.geminiOAuthService.ExchangeCode(c.Request.Context(), &service.GeminiExchangeCodeInput{
-		SessionID: req.SessionID,
-		State:     req.State,
-		Code:      req.Code,
-		ProxyID:   req.ProxyID,
-		OAuthType: oauthType,
-	})
-	if err != nil {
-		response.BadRequest(c, "Failed to exchange code: "+err.Error())
-		return
-	}
-
-	response.Success(c, tokenInfo)
-}
-
-func deriveGeminiRedirectURI(c *gin.Context) string {
-	origin := strings.TrimSpace(c.GetHeader("Origin"))
-	if origin != "" {
-		return strings.TrimRight(origin, "/") + "/auth/callback"
-	}
-
-	scheme := "http"
-	if c.Request.TLS != nil {
-		scheme = "https"
-	}
-	if xfProto := strings.TrimSpace(c.GetHeader("X-Forwarded-Proto")); xfProto != "" {
-		scheme = strings.TrimSpace(strings.Split(xfProto, ",")[0])
-	}
-
-	host := strings.TrimSpace(c.Request.Host)
-	if xfHost := strings.TrimSpace(c.GetHeader("X-Forwarded-Host")); xfHost != "" {
-		host = strings.TrimSpace(strings.Split(xfHost, ",")[0])
-	}
-
-	return fmt.Sprintf("%s://%s/auth/callback", scheme, host)
-}
+package admin
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+type GeminiOAuthHandler struct {
+	geminiOAuthService *service.GeminiOAuthService
+}
+
+func NewGeminiOAuthHandler(geminiOAuthService *service.GeminiOAuthService) *GeminiOAuthHandler {
+	return &GeminiOAuthHandler{geminiOAuthService: geminiOAuthService}
+}
+
+// GET /api/v1/admin/gemini/oauth/capabilities
+func (h *GeminiOAuthHandler) GetCapabilities(c *gin.Context) {
+	cfg := h.geminiOAuthService.GetOAuthConfig()
+	response.Success(c, cfg)
+}
+
+type GeminiGenerateAuthURLRequest struct {
+	ProxyID   *int64 `json:"proxy_id"`
+	ProjectID string `json:"project_id"`
+	// OAuth 类型: "code_assist" (需要 project_id) 或 "ai_studio" (不需要 project_id)
+	// 默认为 "code_assist" 以保持向后兼容
+	OAuthType string `json:"oauth_type"`
+}
+
+// GenerateAuthURL generates Google OAuth authorization URL for Gemini.
+// POST /api/v1/admin/gemini/oauth/auth-url
+func (h *GeminiOAuthHandler) GenerateAuthURL(c *gin.Context) {
+	var req GeminiGenerateAuthURLRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	// 默认使用 code_assist 以保持向后兼容
+	oauthType := strings.TrimSpace(req.OAuthType)
+	if oauthType == "" {
+		oauthType = "code_assist"
+	}
+	if oauthType != "code_assist" && oauthType != "google_one" && oauthType != "ai_studio" {
+		response.BadRequest(c, "Invalid oauth_type: must be 'code_assist', 'google_one', or 'ai_studio'")
+		return
+	}
+
+	// Always pass the "hosted" callback URI; the OAuth service may override it depending on
+	// oauth_type and whether the built-in Gemini CLI OAuth client is used.
+	redirectURI := deriveGeminiRedirectURI(c)
+	result, err := h.geminiOAuthService.GenerateAuthURL(c.Request.Context(), req.ProxyID, redirectURI, req.ProjectID, oauthType)
+	if err != nil {
+		msg := err.Error()
+		// Treat missing/invalid OAuth client configuration as a user/config error.
+		if strings.Contains(msg, "OAuth client not configured") || strings.Contains(msg, "requires your own OAuth Client") {
+			response.BadRequest(c, "Failed to generate auth URL: "+msg)
+			return
+		}
+		response.InternalError(c, "Failed to generate auth URL: "+msg)
+		return
+	}
+
+	response.Success(c, result)
+}
+
+type GeminiExchangeCodeRequest struct {
+	SessionID string `json:"session_id" binding:"required"`
+	State     string `json:"state" binding:"required"`
+	Code      string `json:"code" binding:"required"`
+	ProxyID   *int64 `json:"proxy_id"`
+	// OAuth 类型: "code_assist" 或 "ai_studio"，需要与 GenerateAuthURL 时的类型一致
+	OAuthType string `json:"oauth_type"`
+}
+
+// ExchangeCode exchanges authorization code for tokens.
+// POST /api/v1/admin/gemini/oauth/exchange-code
+func (h *GeminiOAuthHandler) ExchangeCode(c *gin.Context) {
+	var req GeminiExchangeCodeRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	// 默认使用 code_assist 以保持向后兼容
+	oauthType := strings.TrimSpace(req.OAuthType)
+	if oauthType == "" {
+		oauthType = "code_assist"
+	}
+	if oauthType != "code_assist" && oauthType != "google_one" && oauthType != "ai_studio" {
+		response.BadRequest(c, "Invalid oauth_type: must be 'code_assist', 'google_one', or 'ai_studio'")
+		return
+	}
+
+	tokenInfo, err := h.geminiOAuthService.ExchangeCode(c.Request.Context(), &service.GeminiExchangeCodeInput{
+		SessionID: req.SessionID,
+		State:     req.State,
+		Code:      req.Code,
+		ProxyID:   req.ProxyID,
+		OAuthType: oauthType,
+	})
+	if err != nil {
+		response.BadRequest(c, "Failed to exchange code: "+err.Error())
+		return
+	}
+
+	response.Success(c, tokenInfo)
+}
+
+func deriveGeminiRedirectURI(c *gin.Context) string {
+	origin := strings.TrimSpace(c.GetHeader("Origin"))
+	if origin != "" {
+		return strings.TrimRight(origin, "/") + "/auth/callback"
+	}
+
+	scheme := "http"
+	if c.Request.TLS != nil {
+		scheme = "https"
+	}
+	if xfProto := strings.TrimSpace(c.GetHeader("X-Forwarded-Proto")); xfProto != "" {
+		scheme = strings.TrimSpace(strings.Split(xfProto, ",")[0])
+	}
+
+	host := strings.TrimSpace(c.Request.Host)
+	if xfHost := strings.TrimSpace(c.GetHeader("X-Forwarded-Host")); xfHost != "" {
+		host = strings.TrimSpace(strings.Split(xfHost, ",")[0])
+	}
+
+	return fmt.Sprintf("%s://%s/auth/callback", scheme, host)
+}

backend/internal/handler/admin/group_handler.go

@@ -1,245 +1,245 @@
-package admin
-
-import (
-	"strconv"
-
-	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// GroupHandler handles admin group management
-type GroupHandler struct {
-	adminService service.AdminService
-}
-
-// NewGroupHandler creates a new admin group handler
-func NewGroupHandler(adminService service.AdminService) *GroupHandler {
-	return &GroupHandler{
-		adminService: adminService,
-	}
-}
-
-// CreateGroupRequest represents create group request
-type CreateGroupRequest struct {
-	Name             string   `json:"name" binding:"required"`
-	Description      string   `json:"description"`
-	Platform         string   `json:"platform" binding:"omitempty,oneof=anthropic openai gemini antigravity"`
-	RateMultiplier   float64  `json:"rate_multiplier"`
-	IsExclusive      bool     `json:"is_exclusive"`
-	SubscriptionType string   `json:"subscription_type" binding:"omitempty,oneof=standard subscription"`
-	DailyLimitUSD    *float64 `json:"daily_limit_usd"`
-	WeeklyLimitUSD   *float64 `json:"weekly_limit_usd"`
-	MonthlyLimitUSD  *float64 `json:"monthly_limit_usd"`
-}
-
-// UpdateGroupRequest represents update group request
-type UpdateGroupRequest struct {
-	Name             string   `json:"name"`
-	Description      string   `json:"description"`
-	Platform         string   `json:"platform" binding:"omitempty,oneof=anthropic openai gemini antigravity"`
-	RateMultiplier   *float64 `json:"rate_multiplier"`
-	IsExclusive      *bool    `json:"is_exclusive"`
-	Status           string   `json:"status" binding:"omitempty,oneof=active inactive"`
-	SubscriptionType string   `json:"subscription_type" binding:"omitempty,oneof=standard subscription"`
-	DailyLimitUSD    *float64 `json:"daily_limit_usd"`
-	WeeklyLimitUSD   *float64 `json:"weekly_limit_usd"`
-	MonthlyLimitUSD  *float64 `json:"monthly_limit_usd"`
-}
-
-// List handles listing all groups with pagination
-// GET /api/v1/admin/groups
-func (h *GroupHandler) List(c *gin.Context) {
-	page, pageSize := response.ParsePagination(c)
-	platform := c.Query("platform")
-	status := c.Query("status")
-	isExclusiveStr := c.Query("is_exclusive")
-
-	var isExclusive *bool
-	if isExclusiveStr != "" {
-		val := isExclusiveStr == "true"
-		isExclusive = &val
-	}
-
-	groups, total, err := h.adminService.ListGroups(c.Request.Context(), page, pageSize, platform, status, isExclusive)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	outGroups := make([]dto.Group, 0, len(groups))
-	for i := range groups {
-		outGroups = append(outGroups, *dto.GroupFromService(&groups[i]))
-	}
-	response.Paginated(c, outGroups, total, page, pageSize)
-}
-
-// GetAll handles getting all active groups without pagination
-// GET /api/v1/admin/groups/all
-func (h *GroupHandler) GetAll(c *gin.Context) {
-	platform := c.Query("platform")
-
-	var groups []service.Group
-	var err error
-
-	if platform != "" {
-		groups, err = h.adminService.GetAllGroupsByPlatform(c.Request.Context(), platform)
-	} else {
-		groups, err = h.adminService.GetAllGroups(c.Request.Context())
-	}
-
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	outGroups := make([]dto.Group, 0, len(groups))
-	for i := range groups {
-		outGroups = append(outGroups, *dto.GroupFromService(&groups[i]))
-	}
-	response.Success(c, outGroups)
-}
-
-// GetByID handles getting a group by ID
-// GET /api/v1/admin/groups/:id
-func (h *GroupHandler) GetByID(c *gin.Context) {
-	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid group ID")
-		return
-	}
-
-	group, err := h.adminService.GetGroup(c.Request.Context(), groupID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.GroupFromService(group))
-}
-
-// Create handles creating a new group
-// POST /api/v1/admin/groups
-func (h *GroupHandler) Create(c *gin.Context) {
-	var req CreateGroupRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	group, err := h.adminService.CreateGroup(c.Request.Context(), &service.CreateGroupInput{
-		Name:             req.Name,
-		Description:      req.Description,
-		Platform:         req.Platform,
-		RateMultiplier:   req.RateMultiplier,
-		IsExclusive:      req.IsExclusive,
-		SubscriptionType: req.SubscriptionType,
-		DailyLimitUSD:    req.DailyLimitUSD,
-		WeeklyLimitUSD:   req.WeeklyLimitUSD,
-		MonthlyLimitUSD:  req.MonthlyLimitUSD,
-	})
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.GroupFromService(group))
-}
-
-// Update handles updating a group
-// PUT /api/v1/admin/groups/:id
-func (h *GroupHandler) Update(c *gin.Context) {
-	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid group ID")
-		return
-	}
-
-	var req UpdateGroupRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	group, err := h.adminService.UpdateGroup(c.Request.Context(), groupID, &service.UpdateGroupInput{
-		Name:             req.Name,
-		Description:      req.Description,
-		Platform:         req.Platform,
-		RateMultiplier:   req.RateMultiplier,
-		IsExclusive:      req.IsExclusive,
-		Status:           req.Status,
-		SubscriptionType: req.SubscriptionType,
-		DailyLimitUSD:    req.DailyLimitUSD,
-		WeeklyLimitUSD:   req.WeeklyLimitUSD,
-		MonthlyLimitUSD:  req.MonthlyLimitUSD,
-	})
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.GroupFromService(group))
-}
-
-// Delete handles deleting a group
-// DELETE /api/v1/admin/groups/:id
-func (h *GroupHandler) Delete(c *gin.Context) {
-	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid group ID")
-		return
-	}
-
-	err = h.adminService.DeleteGroup(c.Request.Context(), groupID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{"message": "Group deleted successfully"})
-}
-
-// GetStats handles getting group statistics
-// GET /api/v1/admin/groups/:id/stats
-func (h *GroupHandler) GetStats(c *gin.Context) {
-	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid group ID")
-		return
-	}
-
-	// Return mock data for now
-	response.Success(c, gin.H{
-		"total_api_keys":  0,
-		"active_api_keys": 0,
-		"total_requests":  0,
-		"total_cost":      0.0,
-	})
-	_ = groupID // TODO: implement actual stats
-}
-
-// GetGroupAPIKeys handles getting API keys in a group
-// GET /api/v1/admin/groups/:id/api-keys
-func (h *GroupHandler) GetGroupAPIKeys(c *gin.Context) {
-	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid group ID")
-		return
-	}
-
-	page, pageSize := response.ParsePagination(c)
-
-	keys, total, err := h.adminService.GetGroupAPIKeys(c.Request.Context(), groupID, page, pageSize)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	outKeys := make([]dto.ApiKey, 0, len(keys))
-	for i := range keys {
-		outKeys = append(outKeys, *dto.ApiKeyFromService(&keys[i]))
-	}
-	response.Paginated(c, outKeys, total, page, pageSize)
-}
+package admin
+
+import (
+	"strconv"
+
+	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// GroupHandler handles admin group management
+type GroupHandler struct {
+	adminService service.AdminService
+}
+
+// NewGroupHandler creates a new admin group handler
+func NewGroupHandler(adminService service.AdminService) *GroupHandler {
+	return &GroupHandler{
+		adminService: adminService,
+	}
+}
+
+// CreateGroupRequest represents create group request
+type CreateGroupRequest struct {
+	Name             string   `json:"name" binding:"required"`
+	Description      string   `json:"description"`
+	Platform         string   `json:"platform" binding:"omitempty,oneof=anthropic openai gemini antigravity"`
+	RateMultiplier   float64  `json:"rate_multiplier"`
+	IsExclusive      bool     `json:"is_exclusive"`
+	SubscriptionType string   `json:"subscription_type" binding:"omitempty,oneof=standard subscription"`
+	DailyLimitUSD    *float64 `json:"daily_limit_usd"`
+	WeeklyLimitUSD   *float64 `json:"weekly_limit_usd"`
+	MonthlyLimitUSD  *float64 `json:"monthly_limit_usd"`
+}
+
+// UpdateGroupRequest represents update group request
+type UpdateGroupRequest struct {
+	Name             string   `json:"name"`
+	Description      string   `json:"description"`
+	Platform         string   `json:"platform" binding:"omitempty,oneof=anthropic openai gemini antigravity"`
+	RateMultiplier   *float64 `json:"rate_multiplier"`
+	IsExclusive      *bool    `json:"is_exclusive"`
+	Status           string   `json:"status" binding:"omitempty,oneof=active inactive"`
+	SubscriptionType string   `json:"subscription_type" binding:"omitempty,oneof=standard subscription"`
+	DailyLimitUSD    *float64 `json:"daily_limit_usd"`
+	WeeklyLimitUSD   *float64 `json:"weekly_limit_usd"`
+	MonthlyLimitUSD  *float64 `json:"monthly_limit_usd"`
+}
+
+// List handles listing all groups with pagination
+// GET /api/v1/admin/groups
+func (h *GroupHandler) List(c *gin.Context) {
+	page, pageSize := response.ParsePagination(c)
+	platform := c.Query("platform")
+	status := c.Query("status")
+	isExclusiveStr := c.Query("is_exclusive")
+
+	var isExclusive *bool
+	if isExclusiveStr != "" {
+		val := isExclusiveStr == "true"
+		isExclusive = &val
+	}
+
+	groups, total, err := h.adminService.ListGroups(c.Request.Context(), page, pageSize, platform, status, isExclusive)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	outGroups := make([]dto.Group, 0, len(groups))
+	for i := range groups {
+		outGroups = append(outGroups, *dto.GroupFromService(&groups[i]))
+	}
+	response.Paginated(c, outGroups, total, page, pageSize)
+}
+
+// GetAll handles getting all active groups without pagination
+// GET /api/v1/admin/groups/all
+func (h *GroupHandler) GetAll(c *gin.Context) {
+	platform := c.Query("platform")
+
+	var groups []service.Group
+	var err error
+
+	if platform != "" {
+		groups, err = h.adminService.GetAllGroupsByPlatform(c.Request.Context(), platform)
+	} else {
+		groups, err = h.adminService.GetAllGroups(c.Request.Context())
+	}
+
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	outGroups := make([]dto.Group, 0, len(groups))
+	for i := range groups {
+		outGroups = append(outGroups, *dto.GroupFromService(&groups[i]))
+	}
+	response.Success(c, outGroups)
+}
+
+// GetByID handles getting a group by ID
+// GET /api/v1/admin/groups/:id
+func (h *GroupHandler) GetByID(c *gin.Context) {
+	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid group ID")
+		return
+	}
+
+	group, err := h.adminService.GetGroup(c.Request.Context(), groupID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.GroupFromService(group))
+}
+
+// Create handles creating a new group
+// POST /api/v1/admin/groups
+func (h *GroupHandler) Create(c *gin.Context) {
+	var req CreateGroupRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	group, err := h.adminService.CreateGroup(c.Request.Context(), &service.CreateGroupInput{
+		Name:             req.Name,
+		Description:      req.Description,
+		Platform:         req.Platform,
+		RateMultiplier:   req.RateMultiplier,
+		IsExclusive:      req.IsExclusive,
+		SubscriptionType: req.SubscriptionType,
+		DailyLimitUSD:    req.DailyLimitUSD,
+		WeeklyLimitUSD:   req.WeeklyLimitUSD,
+		MonthlyLimitUSD:  req.MonthlyLimitUSD,
+	})
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.GroupFromService(group))
+}
+
+// Update handles updating a group
+// PUT /api/v1/admin/groups/:id
+func (h *GroupHandler) Update(c *gin.Context) {
+	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid group ID")
+		return
+	}
+
+	var req UpdateGroupRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	group, err := h.adminService.UpdateGroup(c.Request.Context(), groupID, &service.UpdateGroupInput{
+		Name:             req.Name,
+		Description:      req.Description,
+		Platform:         req.Platform,
+		RateMultiplier:   req.RateMultiplier,
+		IsExclusive:      req.IsExclusive,
+		Status:           req.Status,
+		SubscriptionType: req.SubscriptionType,
+		DailyLimitUSD:    req.DailyLimitUSD,
+		WeeklyLimitUSD:   req.WeeklyLimitUSD,
+		MonthlyLimitUSD:  req.MonthlyLimitUSD,
+	})
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.GroupFromService(group))
+}
+
+// Delete handles deleting a group
+// DELETE /api/v1/admin/groups/:id
+func (h *GroupHandler) Delete(c *gin.Context) {
+	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid group ID")
+		return
+	}
+
+	err = h.adminService.DeleteGroup(c.Request.Context(), groupID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Group deleted successfully"})
+}
+
+// GetStats handles getting group statistics
+// GET /api/v1/admin/groups/:id/stats
+func (h *GroupHandler) GetStats(c *gin.Context) {
+	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid group ID")
+		return
+	}
+
+	// Return mock data for now
+	response.Success(c, gin.H{
+		"total_api_keys":  0,
+		"active_api_keys": 0,
+		"total_requests":  0,
+		"total_cost":      0.0,
+	})
+	_ = groupID // TODO: implement actual stats
+}
+
+// GetGroupAPIKeys handles getting API keys in a group
+// GET /api/v1/admin/groups/:id/api-keys
+func (h *GroupHandler) GetGroupAPIKeys(c *gin.Context) {
+	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid group ID")
+		return
+	}
+
+	page, pageSize := response.ParsePagination(c)
+
+	keys, total, err := h.adminService.GetGroupAPIKeys(c.Request.Context(), groupID, page, pageSize)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	outKeys := make([]dto.ApiKey, 0, len(keys))
+	for i := range keys {
+		outKeys = append(outKeys, *dto.ApiKeyFromService(&keys[i]))
+	}
+	response.Paginated(c, outKeys, total, page, pageSize)
+}

backend/internal/handler/admin/openai_oauth_handler.go

@@ -1,229 +1,229 @@
-package admin
-
-import (
-	"strconv"
-
-	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// OpenAIOAuthHandler handles OpenAI OAuth-related operations
-type OpenAIOAuthHandler struct {
-	openaiOAuthService *service.OpenAIOAuthService
-	adminService       service.AdminService
-}
-
-// NewOpenAIOAuthHandler creates a new OpenAI OAuth handler
-func NewOpenAIOAuthHandler(openaiOAuthService *service.OpenAIOAuthService, adminService service.AdminService) *OpenAIOAuthHandler {
-	return &OpenAIOAuthHandler{
-		openaiOAuthService: openaiOAuthService,
-		adminService:       adminService,
-	}
-}
-
-// OpenAIGenerateAuthURLRequest represents the request for generating OpenAI auth URL
-type OpenAIGenerateAuthURLRequest struct {
-	ProxyID     *int64 `json:"proxy_id"`
-	RedirectURI string `json:"redirect_uri"`
-}
-
-// GenerateAuthURL generates OpenAI OAuth authorization URL
-// POST /api/v1/admin/openai/generate-auth-url
-func (h *OpenAIOAuthHandler) GenerateAuthURL(c *gin.Context) {
-	var req OpenAIGenerateAuthURLRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		// Allow empty body
-		req = OpenAIGenerateAuthURLRequest{}
-	}
-
-	result, err := h.openaiOAuthService.GenerateAuthURL(c.Request.Context(), req.ProxyID, req.RedirectURI)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, result)
-}
-
-// OpenAIExchangeCodeRequest represents the request for exchanging OpenAI auth code
-type OpenAIExchangeCodeRequest struct {
-	SessionID   string `json:"session_id" binding:"required"`
-	Code        string `json:"code" binding:"required"`
-	RedirectURI string `json:"redirect_uri"`
-	ProxyID     *int64 `json:"proxy_id"`
-}
-
-// ExchangeCode exchanges OpenAI authorization code for tokens
-// POST /api/v1/admin/openai/exchange-code
-func (h *OpenAIOAuthHandler) ExchangeCode(c *gin.Context) {
-	var req OpenAIExchangeCodeRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	tokenInfo, err := h.openaiOAuthService.ExchangeCode(c.Request.Context(), &service.OpenAIExchangeCodeInput{
-		SessionID:   req.SessionID,
-		Code:        req.Code,
-		RedirectURI: req.RedirectURI,
-		ProxyID:     req.ProxyID,
-	})
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, tokenInfo)
-}
-
-// OpenAIRefreshTokenRequest represents the request for refreshing OpenAI token
-type OpenAIRefreshTokenRequest struct {
-	RefreshToken string `json:"refresh_token" binding:"required"`
-	ProxyID      *int64 `json:"proxy_id"`
-}
-
-// RefreshToken refreshes an OpenAI OAuth token
-// POST /api/v1/admin/openai/refresh-token
-func (h *OpenAIOAuthHandler) RefreshToken(c *gin.Context) {
-	var req OpenAIRefreshTokenRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	var proxyURL string
-	if req.ProxyID != nil {
-		proxy, err := h.adminService.GetProxy(c.Request.Context(), *req.ProxyID)
-		if err == nil && proxy != nil {
-			proxyURL = proxy.URL()
-		}
-	}
-
-	tokenInfo, err := h.openaiOAuthService.RefreshToken(c.Request.Context(), req.RefreshToken, proxyURL)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, tokenInfo)
-}
-
-// RefreshAccountToken refreshes token for a specific OpenAI account
-// POST /api/v1/admin/openai/accounts/:id/refresh
-func (h *OpenAIOAuthHandler) RefreshAccountToken(c *gin.Context) {
-	accountID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid account ID")
-		return
-	}
-
-	// Get account
-	account, err := h.adminService.GetAccount(c.Request.Context(), accountID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	// Ensure account is OpenAI platform
-	if !account.IsOpenAI() {
-		response.BadRequest(c, "Account is not an OpenAI account")
-		return
-	}
-
-	// Only refresh OAuth-based accounts
-	if !account.IsOAuth() {
-		response.BadRequest(c, "Cannot refresh non-OAuth account credentials")
-		return
-	}
-
-	// Use OpenAI OAuth service to refresh token
-	tokenInfo, err := h.openaiOAuthService.RefreshAccountToken(c.Request.Context(), account)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	// Build new credentials from token info
-	newCredentials := h.openaiOAuthService.BuildAccountCredentials(tokenInfo)
-
-	// Preserve non-token settings from existing credentials
-	for k, v := range account.Credentials {
-		if _, exists := newCredentials[k]; !exists {
-			newCredentials[k] = v
-		}
-	}
-
-	updatedAccount, err := h.adminService.UpdateAccount(c.Request.Context(), accountID, &service.UpdateAccountInput{
-		Credentials: newCredentials,
-	})
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.AccountFromService(updatedAccount))
-}
-
-// CreateAccountFromOAuth creates a new OpenAI OAuth account from token info
-// POST /api/v1/admin/openai/create-from-oauth
-func (h *OpenAIOAuthHandler) CreateAccountFromOAuth(c *gin.Context) {
-	var req struct {
-		SessionID   string  `json:"session_id" binding:"required"`
-		Code        string  `json:"code" binding:"required"`
-		RedirectURI string  `json:"redirect_uri"`
-		ProxyID     *int64  `json:"proxy_id"`
-		Name        string  `json:"name"`
-		Concurrency int     `json:"concurrency"`
-		Priority    int     `json:"priority"`
-		GroupIDs    []int64 `json:"group_ids"`
-	}
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	// Exchange code for tokens
-	tokenInfo, err := h.openaiOAuthService.ExchangeCode(c.Request.Context(), &service.OpenAIExchangeCodeInput{
-		SessionID:   req.SessionID,
-		Code:        req.Code,
-		RedirectURI: req.RedirectURI,
-		ProxyID:     req.ProxyID,
-	})
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	// Build credentials from token info
-	credentials := h.openaiOAuthService.BuildAccountCredentials(tokenInfo)
-
-	// Use email as default name if not provided
-	name := req.Name
-	if name == "" && tokenInfo.Email != "" {
-		name = tokenInfo.Email
-	}
-	if name == "" {
-		name = "OpenAI OAuth Account"
-	}
-
-	// Create account
-	account, err := h.adminService.CreateAccount(c.Request.Context(), &service.CreateAccountInput{
-		Name:        name,
-		Platform:    "openai",
-		Type:        "oauth",
-		Credentials: credentials,
-		ProxyID:     req.ProxyID,
-		Concurrency: req.Concurrency,
-		Priority:    req.Priority,
-		GroupIDs:    req.GroupIDs,
-	})
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.AccountFromService(account))
-}
+package admin
+
+import (
+	"strconv"
+
+	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// OpenAIOAuthHandler handles OpenAI OAuth-related operations
+type OpenAIOAuthHandler struct {
+	openaiOAuthService *service.OpenAIOAuthService
+	adminService       service.AdminService
+}
+
+// NewOpenAIOAuthHandler creates a new OpenAI OAuth handler
+func NewOpenAIOAuthHandler(openaiOAuthService *service.OpenAIOAuthService, adminService service.AdminService) *OpenAIOAuthHandler {
+	return &OpenAIOAuthHandler{
+		openaiOAuthService: openaiOAuthService,
+		adminService:       adminService,
+	}
+}
+
+// OpenAIGenerateAuthURLRequest represents the request for generating OpenAI auth URL
+type OpenAIGenerateAuthURLRequest struct {
+	ProxyID     *int64 `json:"proxy_id"`
+	RedirectURI string `json:"redirect_uri"`
+}
+
+// GenerateAuthURL generates OpenAI OAuth authorization URL
+// POST /api/v1/admin/openai/generate-auth-url
+func (h *OpenAIOAuthHandler) GenerateAuthURL(c *gin.Context) {
+	var req OpenAIGenerateAuthURLRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		// Allow empty body
+		req = OpenAIGenerateAuthURLRequest{}
+	}
+
+	result, err := h.openaiOAuthService.GenerateAuthURL(c.Request.Context(), req.ProxyID, req.RedirectURI)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, result)
+}
+
+// OpenAIExchangeCodeRequest represents the request for exchanging OpenAI auth code
+type OpenAIExchangeCodeRequest struct {
+	SessionID   string `json:"session_id" binding:"required"`
+	Code        string `json:"code" binding:"required"`
+	RedirectURI string `json:"redirect_uri"`
+	ProxyID     *int64 `json:"proxy_id"`
+}
+
+// ExchangeCode exchanges OpenAI authorization code for tokens
+// POST /api/v1/admin/openai/exchange-code
+func (h *OpenAIOAuthHandler) ExchangeCode(c *gin.Context) {
+	var req OpenAIExchangeCodeRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	tokenInfo, err := h.openaiOAuthService.ExchangeCode(c.Request.Context(), &service.OpenAIExchangeCodeInput{
+		SessionID:   req.SessionID,
+		Code:        req.Code,
+		RedirectURI: req.RedirectURI,
+		ProxyID:     req.ProxyID,
+	})
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, tokenInfo)
+}
+
+// OpenAIRefreshTokenRequest represents the request for refreshing OpenAI token
+type OpenAIRefreshTokenRequest struct {
+	RefreshToken string `json:"refresh_token" binding:"required"`
+	ProxyID      *int64 `json:"proxy_id"`
+}
+
+// RefreshToken refreshes an OpenAI OAuth token
+// POST /api/v1/admin/openai/refresh-token
+func (h *OpenAIOAuthHandler) RefreshToken(c *gin.Context) {
+	var req OpenAIRefreshTokenRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	var proxyURL string
+	if req.ProxyID != nil {
+		proxy, err := h.adminService.GetProxy(c.Request.Context(), *req.ProxyID)
+		if err == nil && proxy != nil {
+			proxyURL = proxy.URL()
+		}
+	}
+
+	tokenInfo, err := h.openaiOAuthService.RefreshToken(c.Request.Context(), req.RefreshToken, proxyURL)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, tokenInfo)
+}
+
+// RefreshAccountToken refreshes token for a specific OpenAI account
+// POST /api/v1/admin/openai/accounts/:id/refresh
+func (h *OpenAIOAuthHandler) RefreshAccountToken(c *gin.Context) {
+	accountID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid account ID")
+		return
+	}
+
+	// Get account
+	account, err := h.adminService.GetAccount(c.Request.Context(), accountID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	// Ensure account is OpenAI platform
+	if !account.IsOpenAI() {
+		response.BadRequest(c, "Account is not an OpenAI account")
+		return
+	}
+
+	// Only refresh OAuth-based accounts
+	if !account.IsOAuth() {
+		response.BadRequest(c, "Cannot refresh non-OAuth account credentials")
+		return
+	}
+
+	// Use OpenAI OAuth service to refresh token
+	tokenInfo, err := h.openaiOAuthService.RefreshAccountToken(c.Request.Context(), account)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	// Build new credentials from token info
+	newCredentials := h.openaiOAuthService.BuildAccountCredentials(tokenInfo)
+
+	// Preserve non-token settings from existing credentials
+	for k, v := range account.Credentials {
+		if _, exists := newCredentials[k]; !exists {
+			newCredentials[k] = v
+		}
+	}
+
+	updatedAccount, err := h.adminService.UpdateAccount(c.Request.Context(), accountID, &service.UpdateAccountInput{
+		Credentials: newCredentials,
+	})
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.AccountFromService(updatedAccount))
+}
+
+// CreateAccountFromOAuth creates a new OpenAI OAuth account from token info
+// POST /api/v1/admin/openai/create-from-oauth
+func (h *OpenAIOAuthHandler) CreateAccountFromOAuth(c *gin.Context) {
+	var req struct {
+		SessionID   string  `json:"session_id" binding:"required"`
+		Code        string  `json:"code" binding:"required"`
+		RedirectURI string  `json:"redirect_uri"`
+		ProxyID     *int64  `json:"proxy_id"`
+		Name        string  `json:"name"`
+		Concurrency int     `json:"concurrency"`
+		Priority    int     `json:"priority"`
+		GroupIDs    []int64 `json:"group_ids"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	// Exchange code for tokens
+	tokenInfo, err := h.openaiOAuthService.ExchangeCode(c.Request.Context(), &service.OpenAIExchangeCodeInput{
+		SessionID:   req.SessionID,
+		Code:        req.Code,
+		RedirectURI: req.RedirectURI,
+		ProxyID:     req.ProxyID,
+	})
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	// Build credentials from token info
+	credentials := h.openaiOAuthService.BuildAccountCredentials(tokenInfo)
+
+	// Use email as default name if not provided
+	name := req.Name
+	if name == "" && tokenInfo.Email != "" {
+		name = tokenInfo.Email
+	}
+	if name == "" {
+		name = "OpenAI OAuth Account"
+	}
+
+	// Create account
+	account, err := h.adminService.CreateAccount(c.Request.Context(), &service.CreateAccountInput{
+		Name:        name,
+		Platform:    "openai",
+		Type:        "oauth",
+		Credentials: credentials,
+		ProxyID:     req.ProxyID,
+		Concurrency: req.Concurrency,
+		Priority:    req.Priority,
+		GroupIDs:    req.GroupIDs,
+	})
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.AccountFromService(account))
+}

backend/internal/handler/admin/proxy_handler.go

@@ -1,323 +1,323 @@
-package admin
-
-import (
-	"strconv"
-	"strings"
-
-	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// ProxyHandler handles admin proxy management
-type ProxyHandler struct {
-	adminService service.AdminService
-}
-
-// NewProxyHandler creates a new admin proxy handler
-func NewProxyHandler(adminService service.AdminService) *ProxyHandler {
-	return &ProxyHandler{
-		adminService: adminService,
-	}
-}
-
-// CreateProxyRequest represents create proxy request
-type CreateProxyRequest struct {
-	Name     string `json:"name" binding:"required"`
-	Protocol string `json:"protocol" binding:"required,oneof=http https socks5"`
-	Host     string `json:"host" binding:"required"`
-	Port     int    `json:"port" binding:"required,min=1,max=65535"`
-	Username string `json:"username"`
-	Password string `json:"password"`
-}
-
-// UpdateProxyRequest represents update proxy request
-type UpdateProxyRequest struct {
-	Name     string `json:"name"`
-	Protocol string `json:"protocol" binding:"omitempty,oneof=http https socks5"`
-	Host     string `json:"host"`
-	Port     int    `json:"port" binding:"omitempty,min=1,max=65535"`
-	Username string `json:"username"`
-	Password string `json:"password"`
-	Status   string `json:"status" binding:"omitempty,oneof=active inactive"`
-}
-
-// List handles listing all proxies with pagination
-// GET /api/v1/admin/proxies
-func (h *ProxyHandler) List(c *gin.Context) {
-	page, pageSize := response.ParsePagination(c)
-	protocol := c.Query("protocol")
-	status := c.Query("status")
-	search := c.Query("search")
-
-	proxies, total, err := h.adminService.ListProxies(c.Request.Context(), page, pageSize, protocol, status, search)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]dto.Proxy, 0, len(proxies))
-	for i := range proxies {
-		out = append(out, *dto.ProxyFromService(&proxies[i]))
-	}
-	response.Paginated(c, out, total, page, pageSize)
-}
-
-// GetAll handles getting all active proxies without pagination
-// GET /api/v1/admin/proxies/all
-// Optional query param: with_count=true to include account count per proxy
-func (h *ProxyHandler) GetAll(c *gin.Context) {
-	withCount := c.Query("with_count") == "true"
-
-	if withCount {
-		proxies, err := h.adminService.GetAllProxiesWithAccountCount(c.Request.Context())
-		if err != nil {
-			response.ErrorFrom(c, err)
-			return
-		}
-		out := make([]dto.ProxyWithAccountCount, 0, len(proxies))
-		for i := range proxies {
-			out = append(out, *dto.ProxyWithAccountCountFromService(&proxies[i]))
-		}
-		response.Success(c, out)
-		return
-	}
-
-	proxies, err := h.adminService.GetAllProxies(c.Request.Context())
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]dto.Proxy, 0, len(proxies))
-	for i := range proxies {
-		out = append(out, *dto.ProxyFromService(&proxies[i]))
-	}
-	response.Success(c, out)
-}
-
-// GetByID handles getting a proxy by ID
-// GET /api/v1/admin/proxies/:id
-func (h *ProxyHandler) GetByID(c *gin.Context) {
-	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid proxy ID")
-		return
-	}
-
-	proxy, err := h.adminService.GetProxy(c.Request.Context(), proxyID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.ProxyFromService(proxy))
-}
-
-// Create handles creating a new proxy
-// POST /api/v1/admin/proxies
-func (h *ProxyHandler) Create(c *gin.Context) {
-	var req CreateProxyRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	proxy, err := h.adminService.CreateProxy(c.Request.Context(), &service.CreateProxyInput{
-		Name:     strings.TrimSpace(req.Name),
-		Protocol: strings.TrimSpace(req.Protocol),
-		Host:     strings.TrimSpace(req.Host),
-		Port:     req.Port,
-		Username: strings.TrimSpace(req.Username),
-		Password: strings.TrimSpace(req.Password),
-	})
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.ProxyFromService(proxy))
-}
-
-// Update handles updating a proxy
-// PUT /api/v1/admin/proxies/:id
-func (h *ProxyHandler) Update(c *gin.Context) {
-	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid proxy ID")
-		return
-	}
-
-	var req UpdateProxyRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	proxy, err := h.adminService.UpdateProxy(c.Request.Context(), proxyID, &service.UpdateProxyInput{
-		Name:     strings.TrimSpace(req.Name),
-		Protocol: strings.TrimSpace(req.Protocol),
-		Host:     strings.TrimSpace(req.Host),
-		Port:     req.Port,
-		Username: strings.TrimSpace(req.Username),
-		Password: strings.TrimSpace(req.Password),
-		Status:   strings.TrimSpace(req.Status),
-	})
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.ProxyFromService(proxy))
-}
-
-// Delete handles deleting a proxy
-// DELETE /api/v1/admin/proxies/:id
-func (h *ProxyHandler) Delete(c *gin.Context) {
-	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid proxy ID")
-		return
-	}
-
-	err = h.adminService.DeleteProxy(c.Request.Context(), proxyID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{"message": "Proxy deleted successfully"})
-}
-
-// Test handles testing proxy connectivity
-// POST /api/v1/admin/proxies/:id/test
-func (h *ProxyHandler) Test(c *gin.Context) {
-	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid proxy ID")
-		return
-	}
-
-	result, err := h.adminService.TestProxy(c.Request.Context(), proxyID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, result)
-}
-
-// GetStats handles getting proxy statistics
-// GET /api/v1/admin/proxies/:id/stats
-func (h *ProxyHandler) GetStats(c *gin.Context) {
-	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid proxy ID")
-		return
-	}
-
-	// Return mock data for now
-	_ = proxyID
-	response.Success(c, gin.H{
-		"total_accounts":  0,
-		"active_accounts": 0,
-		"total_requests":  0,
-		"success_rate":    100.0,
-		"average_latency": 0,
-	})
-}
-
-// GetProxyAccounts handles getting accounts using a proxy
-// GET /api/v1/admin/proxies/:id/accounts
-func (h *ProxyHandler) GetProxyAccounts(c *gin.Context) {
-	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid proxy ID")
-		return
-	}
-
-	page, pageSize := response.ParsePagination(c)
-
-	accounts, total, err := h.adminService.GetProxyAccounts(c.Request.Context(), proxyID, page, pageSize)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]dto.Account, 0, len(accounts))
-	for i := range accounts {
-		out = append(out, *dto.AccountFromService(&accounts[i]))
-	}
-	response.Paginated(c, out, total, page, pageSize)
-}
-
-// BatchCreateProxyItem represents a single proxy in batch create request
-type BatchCreateProxyItem struct {
-	Protocol string `json:"protocol" binding:"required,oneof=http https socks5"`
-	Host     string `json:"host" binding:"required"`
-	Port     int    `json:"port" binding:"required,min=1,max=65535"`
-	Username string `json:"username"`
-	Password string `json:"password"`
-}
-
-// BatchCreateRequest represents batch create proxies request
-type BatchCreateRequest struct {
-	Proxies []BatchCreateProxyItem `json:"proxies" binding:"required,min=1"`
-}
-
-// BatchCreate handles batch creating proxies
-// POST /api/v1/admin/proxies/batch
-func (h *ProxyHandler) BatchCreate(c *gin.Context) {
-	var req BatchCreateRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	created := 0
-	skipped := 0
-
-	for _, item := range req.Proxies {
-		// Trim all string fields
-		host := strings.TrimSpace(item.Host)
-		protocol := strings.TrimSpace(item.Protocol)
-		username := strings.TrimSpace(item.Username)
-		password := strings.TrimSpace(item.Password)
-
-		// Check for duplicates (same host, port, username, password)
-		exists, err := h.adminService.CheckProxyExists(c.Request.Context(), host, item.Port, username, password)
-		if err != nil {
-			response.ErrorFrom(c, err)
-			return
-		}
-
-		if exists {
-			skipped++
-			continue
-		}
-
-		// Create proxy with default name
-		_, err = h.adminService.CreateProxy(c.Request.Context(), &service.CreateProxyInput{
-			Name:     "default",
-			Protocol: protocol,
-			Host:     host,
-			Port:     item.Port,
-			Username: username,
-			Password: password,
-		})
-		if err != nil {
-			// If creation fails due to duplicate, count as skipped
-			skipped++
-			continue
-		}
-
-		created++
-	}
-
-	response.Success(c, gin.H{
-		"created": created,
-		"skipped": skipped,
-	})
-}
+package admin
+
+import (
+	"strconv"
+	"strings"
+
+	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// ProxyHandler handles admin proxy management
+type ProxyHandler struct {
+	adminService service.AdminService
+}
+
+// NewProxyHandler creates a new admin proxy handler
+func NewProxyHandler(adminService service.AdminService) *ProxyHandler {
+	return &ProxyHandler{
+		adminService: adminService,
+	}
+}
+
+// CreateProxyRequest represents create proxy request
+type CreateProxyRequest struct {
+	Name     string `json:"name" binding:"required"`
+	Protocol string `json:"protocol" binding:"required,oneof=http https socks5"`
+	Host     string `json:"host" binding:"required"`
+	Port     int    `json:"port" binding:"required,min=1,max=65535"`
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+// UpdateProxyRequest represents update proxy request
+type UpdateProxyRequest struct {
+	Name     string `json:"name"`
+	Protocol string `json:"protocol" binding:"omitempty,oneof=http https socks5"`
+	Host     string `json:"host"`
+	Port     int    `json:"port" binding:"omitempty,min=1,max=65535"`
+	Username string `json:"username"`
+	Password string `json:"password"`
+	Status   string `json:"status" binding:"omitempty,oneof=active inactive"`
+}
+
+// List handles listing all proxies with pagination
+// GET /api/v1/admin/proxies
+func (h *ProxyHandler) List(c *gin.Context) {
+	page, pageSize := response.ParsePagination(c)
+	protocol := c.Query("protocol")
+	status := c.Query("status")
+	search := c.Query("search")
+
+	proxies, total, err := h.adminService.ListProxies(c.Request.Context(), page, pageSize, protocol, status, search)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]dto.Proxy, 0, len(proxies))
+	for i := range proxies {
+		out = append(out, *dto.ProxyFromService(&proxies[i]))
+	}
+	response.Paginated(c, out, total, page, pageSize)
+}
+
+// GetAll handles getting all active proxies without pagination
+// GET /api/v1/admin/proxies/all
+// Optional query param: with_count=true to include account count per proxy
+func (h *ProxyHandler) GetAll(c *gin.Context) {
+	withCount := c.Query("with_count") == "true"
+
+	if withCount {
+		proxies, err := h.adminService.GetAllProxiesWithAccountCount(c.Request.Context())
+		if err != nil {
+			response.ErrorFrom(c, err)
+			return
+		}
+		out := make([]dto.ProxyWithAccountCount, 0, len(proxies))
+		for i := range proxies {
+			out = append(out, *dto.ProxyWithAccountCountFromService(&proxies[i]))
+		}
+		response.Success(c, out)
+		return
+	}
+
+	proxies, err := h.adminService.GetAllProxies(c.Request.Context())
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]dto.Proxy, 0, len(proxies))
+	for i := range proxies {
+		out = append(out, *dto.ProxyFromService(&proxies[i]))
+	}
+	response.Success(c, out)
+}
+
+// GetByID handles getting a proxy by ID
+// GET /api/v1/admin/proxies/:id
+func (h *ProxyHandler) GetByID(c *gin.Context) {
+	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid proxy ID")
+		return
+	}
+
+	proxy, err := h.adminService.GetProxy(c.Request.Context(), proxyID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.ProxyFromService(proxy))
+}
+
+// Create handles creating a new proxy
+// POST /api/v1/admin/proxies
+func (h *ProxyHandler) Create(c *gin.Context) {
+	var req CreateProxyRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	proxy, err := h.adminService.CreateProxy(c.Request.Context(), &service.CreateProxyInput{
+		Name:     strings.TrimSpace(req.Name),
+		Protocol: strings.TrimSpace(req.Protocol),
+		Host:     strings.TrimSpace(req.Host),
+		Port:     req.Port,
+		Username: strings.TrimSpace(req.Username),
+		Password: strings.TrimSpace(req.Password),
+	})
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.ProxyFromService(proxy))
+}
+
+// Update handles updating a proxy
+// PUT /api/v1/admin/proxies/:id
+func (h *ProxyHandler) Update(c *gin.Context) {
+	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid proxy ID")
+		return
+	}
+
+	var req UpdateProxyRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	proxy, err := h.adminService.UpdateProxy(c.Request.Context(), proxyID, &service.UpdateProxyInput{
+		Name:     strings.TrimSpace(req.Name),
+		Protocol: strings.TrimSpace(req.Protocol),
+		Host:     strings.TrimSpace(req.Host),
+		Port:     req.Port,
+		Username: strings.TrimSpace(req.Username),
+		Password: strings.TrimSpace(req.Password),
+		Status:   strings.TrimSpace(req.Status),
+	})
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.ProxyFromService(proxy))
+}
+
+// Delete handles deleting a proxy
+// DELETE /api/v1/admin/proxies/:id
+func (h *ProxyHandler) Delete(c *gin.Context) {
+	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid proxy ID")
+		return
+	}
+
+	err = h.adminService.DeleteProxy(c.Request.Context(), proxyID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Proxy deleted successfully"})
+}
+
+// Test handles testing proxy connectivity
+// POST /api/v1/admin/proxies/:id/test
+func (h *ProxyHandler) Test(c *gin.Context) {
+	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid proxy ID")
+		return
+	}
+
+	result, err := h.adminService.TestProxy(c.Request.Context(), proxyID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, result)
+}
+
+// GetStats handles getting proxy statistics
+// GET /api/v1/admin/proxies/:id/stats
+func (h *ProxyHandler) GetStats(c *gin.Context) {
+	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid proxy ID")
+		return
+	}
+
+	// Return mock data for now
+	_ = proxyID
+	response.Success(c, gin.H{
+		"total_accounts":  0,
+		"active_accounts": 0,
+		"total_requests":  0,
+		"success_rate":    100.0,
+		"average_latency": 0,
+	})
+}
+
+// GetProxyAccounts handles getting accounts using a proxy
+// GET /api/v1/admin/proxies/:id/accounts
+func (h *ProxyHandler) GetProxyAccounts(c *gin.Context) {
+	proxyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid proxy ID")
+		return
+	}
+
+	page, pageSize := response.ParsePagination(c)
+
+	accounts, total, err := h.adminService.GetProxyAccounts(c.Request.Context(), proxyID, page, pageSize)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]dto.Account, 0, len(accounts))
+	for i := range accounts {
+		out = append(out, *dto.AccountFromService(&accounts[i]))
+	}
+	response.Paginated(c, out, total, page, pageSize)
+}
+
+// BatchCreateProxyItem represents a single proxy in batch create request
+type BatchCreateProxyItem struct {
+	Protocol string `json:"protocol" binding:"required,oneof=http https socks5"`
+	Host     string `json:"host" binding:"required"`
+	Port     int    `json:"port" binding:"required,min=1,max=65535"`
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+// BatchCreateRequest represents batch create proxies request
+type BatchCreateRequest struct {
+	Proxies []BatchCreateProxyItem `json:"proxies" binding:"required,min=1"`
+}
+
+// BatchCreate handles batch creating proxies
+// POST /api/v1/admin/proxies/batch
+func (h *ProxyHandler) BatchCreate(c *gin.Context) {
+	var req BatchCreateRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	created := 0
+	skipped := 0
+
+	for _, item := range req.Proxies {
+		// Trim all string fields
+		host := strings.TrimSpace(item.Host)
+		protocol := strings.TrimSpace(item.Protocol)
+		username := strings.TrimSpace(item.Username)
+		password := strings.TrimSpace(item.Password)
+
+		// Check for duplicates (same host, port, username, password)
+		exists, err := h.adminService.CheckProxyExists(c.Request.Context(), host, item.Port, username, password)
+		if err != nil {
+			response.ErrorFrom(c, err)
+			return
+		}
+
+		if exists {
+			skipped++
+			continue
+		}
+
+		// Create proxy with default name
+		_, err = h.adminService.CreateProxy(c.Request.Context(), &service.CreateProxyInput{
+			Name:     "default",
+			Protocol: protocol,
+			Host:     host,
+			Port:     item.Port,
+			Username: username,
+			Password: password,
+		})
+		if err != nil {
+			// If creation fails due to duplicate, count as skipped
+			skipped++
+			continue
+		}
+
+		created++
+	}
+
+	response.Success(c, gin.H{
+		"created": created,
+		"skipped": skipped,
+	})
+}

backend/internal/handler/admin/redeem_handler.go

@@ -1,238 +1,238 @@
-package admin
-
-import (
-	"bytes"
-	"encoding/csv"
-	"fmt"
-	"strconv"
-
-	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// RedeemHandler handles admin redeem code management
-type RedeemHandler struct {
-	adminService service.AdminService
-}
-
-// NewRedeemHandler creates a new admin redeem handler
-func NewRedeemHandler(adminService service.AdminService) *RedeemHandler {
-	return &RedeemHandler{
-		adminService: adminService,
-	}
-}
-
-// GenerateRedeemCodesRequest represents generate redeem codes request
-type GenerateRedeemCodesRequest struct {
-	Count        int     `json:"count" binding:"required,min=1,max=100"`
-	Type         string  `json:"type" binding:"required,oneof=balance concurrency subscription"`
-	Value        float64 `json:"value" binding:"min=0"`
-	GroupID      *int64  `json:"group_id"`                                    // 订阅类型必填
-	ValidityDays int     `json:"validity_days" binding:"omitempty,max=36500"` // 订阅类型使用，默认30天，最大100年
-}
-
-// List handles listing all redeem codes with pagination
-// GET /api/v1/admin/redeem-codes
-func (h *RedeemHandler) List(c *gin.Context) {
-	page, pageSize := response.ParsePagination(c)
-	codeType := c.Query("type")
-	status := c.Query("status")
-	search := c.Query("search")
-
-	codes, total, err := h.adminService.ListRedeemCodes(c.Request.Context(), page, pageSize, codeType, status, search)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]dto.RedeemCode, 0, len(codes))
-	for i := range codes {
-		out = append(out, *dto.RedeemCodeFromService(&codes[i]))
-	}
-	response.Paginated(c, out, total, page, pageSize)
-}
-
-// GetByID handles getting a redeem code by ID
-// GET /api/v1/admin/redeem-codes/:id
-func (h *RedeemHandler) GetByID(c *gin.Context) {
-	codeID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid redeem code ID")
-		return
-	}
-
-	code, err := h.adminService.GetRedeemCode(c.Request.Context(), codeID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.RedeemCodeFromService(code))
-}
-
-// Generate handles generating new redeem codes
-// POST /api/v1/admin/redeem-codes/generate
-func (h *RedeemHandler) Generate(c *gin.Context) {
-	var req GenerateRedeemCodesRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	codes, err := h.adminService.GenerateRedeemCodes(c.Request.Context(), &service.GenerateRedeemCodesInput{
-		Count:        req.Count,
-		Type:         req.Type,
-		Value:        req.Value,
-		GroupID:      req.GroupID,
-		ValidityDays: req.ValidityDays,
-	})
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]dto.RedeemCode, 0, len(codes))
-	for i := range codes {
-		out = append(out, *dto.RedeemCodeFromService(&codes[i]))
-	}
-	response.Success(c, out)
-}
-
-// Delete handles deleting a redeem code
-// DELETE /api/v1/admin/redeem-codes/:id
-func (h *RedeemHandler) Delete(c *gin.Context) {
-	codeID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid redeem code ID")
-		return
-	}
-
-	err = h.adminService.DeleteRedeemCode(c.Request.Context(), codeID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{"message": "Redeem code deleted successfully"})
-}
-
-// BatchDelete handles batch deleting redeem codes
-// POST /api/v1/admin/redeem-codes/batch-delete
-func (h *RedeemHandler) BatchDelete(c *gin.Context) {
-	var req struct {
-		IDs []int64 `json:"ids" binding:"required,min=1"`
-	}
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	deleted, err := h.adminService.BatchDeleteRedeemCodes(c.Request.Context(), req.IDs)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{
-		"deleted": deleted,
-		"message": "Redeem codes deleted successfully",
-	})
-}
-
-// Expire handles expiring a redeem code
-// POST /api/v1/admin/redeem-codes/:id/expire
-func (h *RedeemHandler) Expire(c *gin.Context) {
-	codeID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid redeem code ID")
-		return
-	}
-
-	code, err := h.adminService.ExpireRedeemCode(c.Request.Context(), codeID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.RedeemCodeFromService(code))
-}
-
-// GetStats handles getting redeem code statistics
-// GET /api/v1/admin/redeem-codes/stats
-func (h *RedeemHandler) GetStats(c *gin.Context) {
-	// Return mock data for now
-	response.Success(c, gin.H{
-		"total_codes":             0,
-		"active_codes":            0,
-		"used_codes":              0,
-		"expired_codes":           0,
-		"total_value_distributed": 0.0,
-		"by_type": gin.H{
-			"balance":     0,
-			"concurrency": 0,
-			"trial":       0,
-		},
-	})
-}
-
-// Export handles exporting redeem codes to CSV
-// GET /api/v1/admin/redeem-codes/export
-func (h *RedeemHandler) Export(c *gin.Context) {
-	codeType := c.Query("type")
-	status := c.Query("status")
-
-	// Get all codes without pagination (use large page size)
-	codes, _, err := h.adminService.ListRedeemCodes(c.Request.Context(), 1, 10000, codeType, status, "")
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	// Create CSV buffer
-	var buf bytes.Buffer
-	writer := csv.NewWriter(&buf)
-
-	// Write header
-	if err := writer.Write([]string{"id", "code", "type", "value", "status", "used_by", "used_at", "created_at"}); err != nil {
-		response.InternalError(c, "Failed to export redeem codes: "+err.Error())
-		return
-	}
-
-	// Write data rows
-	for _, code := range codes {
-		usedBy := ""
-		if code.UsedBy != nil {
-			usedBy = fmt.Sprintf("%d", *code.UsedBy)
-		}
-		usedAt := ""
-		if code.UsedAt != nil {
-			usedAt = code.UsedAt.Format("2006-01-02 15:04:05")
-		}
-		if err := writer.Write([]string{
-			fmt.Sprintf("%d", code.ID),
-			code.Code,
-			code.Type,
-			fmt.Sprintf("%.2f", code.Value),
-			code.Status,
-			usedBy,
-			usedAt,
-			code.CreatedAt.Format("2006-01-02 15:04:05"),
-		}); err != nil {
-			response.InternalError(c, "Failed to export redeem codes: "+err.Error())
-			return
-		}
-	}
-
-	writer.Flush()
-	if err := writer.Error(); err != nil {
-		response.InternalError(c, "Failed to export redeem codes: "+err.Error())
-		return
-	}
-
-	c.Header("Content-Type", "text/csv")
-	c.Header("Content-Disposition", "attachment; filename=redeem_codes.csv")
-	c.Data(200, "text/csv", buf.Bytes())
-}
+package admin
+
+import (
+	"bytes"
+	"encoding/csv"
+	"fmt"
+	"strconv"
+
+	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// RedeemHandler handles admin redeem code management
+type RedeemHandler struct {
+	adminService service.AdminService
+}
+
+// NewRedeemHandler creates a new admin redeem handler
+func NewRedeemHandler(adminService service.AdminService) *RedeemHandler {
+	return &RedeemHandler{
+		adminService: adminService,
+	}
+}
+
+// GenerateRedeemCodesRequest represents generate redeem codes request
+type GenerateRedeemCodesRequest struct {
+	Count        int     `json:"count" binding:"required,min=1,max=100"`
+	Type         string  `json:"type" binding:"required,oneof=balance concurrency subscription"`
+	Value        float64 `json:"value" binding:"min=0"`
+	GroupID      *int64  `json:"group_id"`                                    // 订阅类型必填
+	ValidityDays int     `json:"validity_days" binding:"omitempty,max=36500"` // 订阅类型使用，默认30天，最大100年
+}
+
+// List handles listing all redeem codes with pagination
+// GET /api/v1/admin/redeem-codes
+func (h *RedeemHandler) List(c *gin.Context) {
+	page, pageSize := response.ParsePagination(c)
+	codeType := c.Query("type")
+	status := c.Query("status")
+	search := c.Query("search")
+
+	codes, total, err := h.adminService.ListRedeemCodes(c.Request.Context(), page, pageSize, codeType, status, search)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]dto.RedeemCode, 0, len(codes))
+	for i := range codes {
+		out = append(out, *dto.RedeemCodeFromService(&codes[i]))
+	}
+	response.Paginated(c, out, total, page, pageSize)
+}
+
+// GetByID handles getting a redeem code by ID
+// GET /api/v1/admin/redeem-codes/:id
+func (h *RedeemHandler) GetByID(c *gin.Context) {
+	codeID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid redeem code ID")
+		return
+	}
+
+	code, err := h.adminService.GetRedeemCode(c.Request.Context(), codeID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.RedeemCodeFromService(code))
+}
+
+// Generate handles generating new redeem codes
+// POST /api/v1/admin/redeem-codes/generate
+func (h *RedeemHandler) Generate(c *gin.Context) {
+	var req GenerateRedeemCodesRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	codes, err := h.adminService.GenerateRedeemCodes(c.Request.Context(), &service.GenerateRedeemCodesInput{
+		Count:        req.Count,
+		Type:         req.Type,
+		Value:        req.Value,
+		GroupID:      req.GroupID,
+		ValidityDays: req.ValidityDays,
+	})
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]dto.RedeemCode, 0, len(codes))
+	for i := range codes {
+		out = append(out, *dto.RedeemCodeFromService(&codes[i]))
+	}
+	response.Success(c, out)
+}
+
+// Delete handles deleting a redeem code
+// DELETE /api/v1/admin/redeem-codes/:id
+func (h *RedeemHandler) Delete(c *gin.Context) {
+	codeID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid redeem code ID")
+		return
+	}
+
+	err = h.adminService.DeleteRedeemCode(c.Request.Context(), codeID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Redeem code deleted successfully"})
+}
+
+// BatchDelete handles batch deleting redeem codes
+// POST /api/v1/admin/redeem-codes/batch-delete
+func (h *RedeemHandler) BatchDelete(c *gin.Context) {
+	var req struct {
+		IDs []int64 `json:"ids" binding:"required,min=1"`
+	}
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	deleted, err := h.adminService.BatchDeleteRedeemCodes(c.Request.Context(), req.IDs)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{
+		"deleted": deleted,
+		"message": "Redeem codes deleted successfully",
+	})
+}
+
+// Expire handles expiring a redeem code
+// POST /api/v1/admin/redeem-codes/:id/expire
+func (h *RedeemHandler) Expire(c *gin.Context) {
+	codeID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid redeem code ID")
+		return
+	}
+
+	code, err := h.adminService.ExpireRedeemCode(c.Request.Context(), codeID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.RedeemCodeFromService(code))
+}
+
+// GetStats handles getting redeem code statistics
+// GET /api/v1/admin/redeem-codes/stats
+func (h *RedeemHandler) GetStats(c *gin.Context) {
+	// Return mock data for now
+	response.Success(c, gin.H{
+		"total_codes":             0,
+		"active_codes":            0,
+		"used_codes":              0,
+		"expired_codes":           0,
+		"total_value_distributed": 0.0,
+		"by_type": gin.H{
+			"balance":     0,
+			"concurrency": 0,
+			"trial":       0,
+		},
+	})
+}
+
+// Export handles exporting redeem codes to CSV
+// GET /api/v1/admin/redeem-codes/export
+func (h *RedeemHandler) Export(c *gin.Context) {
+	codeType := c.Query("type")
+	status := c.Query("status")
+
+	// Get all codes without pagination (use large page size)
+	codes, _, err := h.adminService.ListRedeemCodes(c.Request.Context(), 1, 10000, codeType, status, "")
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	// Create CSV buffer
+	var buf bytes.Buffer
+	writer := csv.NewWriter(&buf)
+
+	// Write header
+	if err := writer.Write([]string{"id", "code", "type", "value", "status", "used_by", "used_at", "created_at"}); err != nil {
+		response.InternalError(c, "Failed to export redeem codes: "+err.Error())
+		return
+	}
+
+	// Write data rows
+	for _, code := range codes {
+		usedBy := ""
+		if code.UsedBy != nil {
+			usedBy = fmt.Sprintf("%d", *code.UsedBy)
+		}
+		usedAt := ""
+		if code.UsedAt != nil {
+			usedAt = code.UsedAt.Format("2006-01-02 15:04:05")
+		}
+		if err := writer.Write([]string{
+			fmt.Sprintf("%d", code.ID),
+			code.Code,
+			code.Type,
+			fmt.Sprintf("%.2f", code.Value),
+			code.Status,
+			usedBy,
+			usedAt,
+			code.CreatedAt.Format("2006-01-02 15:04:05"),
+		}); err != nil {
+			response.InternalError(c, "Failed to export redeem codes: "+err.Error())
+			return
+		}
+	}
+
+	writer.Flush()
+	if err := writer.Error(); err != nil {
+		response.InternalError(c, "Failed to export redeem codes: "+err.Error())
+		return
+	}
+
+	c.Header("Content-Type", "text/csv")
+	c.Header("Content-Disposition", "attachment; filename=redeem_codes.csv")
+	c.Data(200, "text/csv", buf.Bytes())
+}

backend/internal/handler/admin/setting_handler.go

@@ -1,374 +1,374 @@
-package admin
-
-import (
-	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// SettingHandler 系统设置处理器
-type SettingHandler struct {
-	settingService   *service.SettingService
-	emailService     *service.EmailService
-	turnstileService *service.TurnstileService
-}
-
-// NewSettingHandler 创建系统设置处理器
-func NewSettingHandler(settingService *service.SettingService, emailService *service.EmailService, turnstileService *service.TurnstileService) *SettingHandler {
-	return &SettingHandler{
-		settingService:   settingService,
-		emailService:     emailService,
-		turnstileService: turnstileService,
-	}
-}
-
-// GetSettings 获取所有系统设置
-// GET /api/v1/admin/settings
-func (h *SettingHandler) GetSettings(c *gin.Context) {
-	settings, err := h.settingService.GetAllSettings(c.Request.Context())
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.SystemSettings{
-		RegistrationEnabled: settings.RegistrationEnabled,
-		EmailVerifyEnabled:  settings.EmailVerifyEnabled,
-		SmtpHost:            settings.SmtpHost,
-		SmtpPort:            settings.SmtpPort,
-		SmtpUsername:        settings.SmtpUsername,
-		SmtpPassword:        settings.SmtpPassword,
-		SmtpFrom:            settings.SmtpFrom,
-		SmtpFromName:        settings.SmtpFromName,
-		SmtpUseTLS:          settings.SmtpUseTLS,
-		TurnstileEnabled:    settings.TurnstileEnabled,
-		TurnstileSiteKey:    settings.TurnstileSiteKey,
-		TurnstileSecretKey:  settings.TurnstileSecretKey,
-		SiteName:            settings.SiteName,
-		SiteLogo:            settings.SiteLogo,
-		SiteSubtitle:        settings.SiteSubtitle,
-		ApiBaseUrl:          settings.ApiBaseUrl,
-		ContactInfo:         settings.ContactInfo,
-		DocUrl:              settings.DocUrl,
-		DefaultConcurrency:  settings.DefaultConcurrency,
-		DefaultBalance:      settings.DefaultBalance,
-	})
-}
-
-// UpdateSettingsRequest 更新设置请求
-type UpdateSettingsRequest struct {
-	// 注册设置
-	RegistrationEnabled bool `json:"registration_enabled"`
-	EmailVerifyEnabled  bool `json:"email_verify_enabled"`
-
-	// 邮件服务设置
-	SmtpHost     string `json:"smtp_host"`
-	SmtpPort     int    `json:"smtp_port"`
-	SmtpUsername string `json:"smtp_username"`
-	SmtpPassword string `json:"smtp_password"`
-	SmtpFrom     string `json:"smtp_from_email"`
-	SmtpFromName string `json:"smtp_from_name"`
-	SmtpUseTLS   bool   `json:"smtp_use_tls"`
-
-	// Cloudflare Turnstile 设置
-	TurnstileEnabled   bool   `json:"turnstile_enabled"`
-	TurnstileSiteKey   string `json:"turnstile_site_key"`
-	TurnstileSecretKey string `json:"turnstile_secret_key"`
-
-	// OEM设置
-	SiteName     string `json:"site_name"`
-	SiteLogo     string `json:"site_logo"`
-	SiteSubtitle string `json:"site_subtitle"`
-	ApiBaseUrl   string `json:"api_base_url"`
-	ContactInfo  string `json:"contact_info"`
-	DocUrl       string `json:"doc_url"`
-
-	// 默认配置
-	DefaultConcurrency int     `json:"default_concurrency"`
-	DefaultBalance     float64 `json:"default_balance"`
-}
-
-// UpdateSettings 更新系统设置
-// PUT /api/v1/admin/settings
-func (h *SettingHandler) UpdateSettings(c *gin.Context) {
-	var req UpdateSettingsRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	// 验证参数
-	if req.DefaultConcurrency < 1 {
-		req.DefaultConcurrency = 1
-	}
-	if req.DefaultBalance < 0 {
-		req.DefaultBalance = 0
-	}
-	if req.SmtpPort <= 0 {
-		req.SmtpPort = 587
-	}
-
-	// Turnstile 参数验证
-	if req.TurnstileEnabled {
-		// 检查必填字段
-		if req.TurnstileSiteKey == "" {
-			response.BadRequest(c, "Turnstile Site Key is required when enabled")
-			return
-		}
-		if req.TurnstileSecretKey == "" {
-			response.BadRequest(c, "Turnstile Secret Key is required when enabled")
-			return
-		}
-
-		// 获取当前设置，检查参数是否有变化
-		currentSettings, err := h.settingService.GetAllSettings(c.Request.Context())
-		if err != nil {
-			response.ErrorFrom(c, err)
-			return
-		}
-
-		// 当 site_key 或 secret_key 任一变化时验证（避免配置错误导致无法登录）
-		siteKeyChanged := currentSettings.TurnstileSiteKey != req.TurnstileSiteKey
-		secretKeyChanged := currentSettings.TurnstileSecretKey != req.TurnstileSecretKey
-		if siteKeyChanged || secretKeyChanged {
-			if err := h.turnstileService.ValidateSecretKey(c.Request.Context(), req.TurnstileSecretKey); err != nil {
-				response.ErrorFrom(c, err)
-				return
-			}
-		}
-	}
-
-	settings := &service.SystemSettings{
-		RegistrationEnabled: req.RegistrationEnabled,
-		EmailVerifyEnabled:  req.EmailVerifyEnabled,
-		SmtpHost:            req.SmtpHost,
-		SmtpPort:            req.SmtpPort,
-		SmtpUsername:        req.SmtpUsername,
-		SmtpPassword:        req.SmtpPassword,
-		SmtpFrom:            req.SmtpFrom,
-		SmtpFromName:        req.SmtpFromName,
-		SmtpUseTLS:          req.SmtpUseTLS,
-		TurnstileEnabled:    req.TurnstileEnabled,
-		TurnstileSiteKey:    req.TurnstileSiteKey,
-		TurnstileSecretKey:  req.TurnstileSecretKey,
-		SiteName:            req.SiteName,
-		SiteLogo:            req.SiteLogo,
-		SiteSubtitle:        req.SiteSubtitle,
-		ApiBaseUrl:          req.ApiBaseUrl,
-		ContactInfo:         req.ContactInfo,
-		DocUrl:              req.DocUrl,
-		DefaultConcurrency:  req.DefaultConcurrency,
-		DefaultBalance:      req.DefaultBalance,
-	}
-
-	if err := h.settingService.UpdateSettings(c.Request.Context(), settings); err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	// 重新获取设置返回
-	updatedSettings, err := h.settingService.GetAllSettings(c.Request.Context())
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.SystemSettings{
-		RegistrationEnabled: updatedSettings.RegistrationEnabled,
-		EmailVerifyEnabled:  updatedSettings.EmailVerifyEnabled,
-		SmtpHost:            updatedSettings.SmtpHost,
-		SmtpPort:            updatedSettings.SmtpPort,
-		SmtpUsername:        updatedSettings.SmtpUsername,
-		SmtpPassword:        updatedSettings.SmtpPassword,
-		SmtpFrom:            updatedSettings.SmtpFrom,
-		SmtpFromName:        updatedSettings.SmtpFromName,
-		SmtpUseTLS:          updatedSettings.SmtpUseTLS,
-		TurnstileEnabled:    updatedSettings.TurnstileEnabled,
-		TurnstileSiteKey:    updatedSettings.TurnstileSiteKey,
-		TurnstileSecretKey:  updatedSettings.TurnstileSecretKey,
-		SiteName:            updatedSettings.SiteName,
-		SiteLogo:            updatedSettings.SiteLogo,
-		SiteSubtitle:        updatedSettings.SiteSubtitle,
-		ApiBaseUrl:          updatedSettings.ApiBaseUrl,
-		ContactInfo:         updatedSettings.ContactInfo,
-		DocUrl:              updatedSettings.DocUrl,
-		DefaultConcurrency:  updatedSettings.DefaultConcurrency,
-		DefaultBalance:      updatedSettings.DefaultBalance,
-	})
-}
-
-// TestSmtpRequest 测试SMTP连接请求
-type TestSmtpRequest struct {
-	SmtpHost     string `json:"smtp_host" binding:"required"`
-	SmtpPort     int    `json:"smtp_port"`
-	SmtpUsername string `json:"smtp_username"`
-	SmtpPassword string `json:"smtp_password"`
-	SmtpUseTLS   bool   `json:"smtp_use_tls"`
-}
-
-// TestSmtpConnection 测试SMTP连接
-// POST /api/v1/admin/settings/test-smtp
-func (h *SettingHandler) TestSmtpConnection(c *gin.Context) {
-	var req TestSmtpRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	if req.SmtpPort <= 0 {
-		req.SmtpPort = 587
-	}
-
-	// 如果未提供密码，从数据库获取已保存的密码
-	password := req.SmtpPassword
-	if password == "" {
-		savedConfig, err := h.emailService.GetSmtpConfig(c.Request.Context())
-		if err == nil && savedConfig != nil {
-			password = savedConfig.Password
-		}
-	}
-
-	config := &service.SmtpConfig{
-		Host:     req.SmtpHost,
-		Port:     req.SmtpPort,
-		Username: req.SmtpUsername,
-		Password: password,
-		UseTLS:   req.SmtpUseTLS,
-	}
-
-	err := h.emailService.TestSmtpConnectionWithConfig(config)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{"message": "SMTP connection successful"})
-}
-
-// SendTestEmailRequest 发送测试邮件请求
-type SendTestEmailRequest struct {
-	Email        string `json:"email" binding:"required,email"`
-	SmtpHost     string `json:"smtp_host" binding:"required"`
-	SmtpPort     int    `json:"smtp_port"`
-	SmtpUsername string `json:"smtp_username"`
-	SmtpPassword string `json:"smtp_password"`
-	SmtpFrom     string `json:"smtp_from_email"`
-	SmtpFromName string `json:"smtp_from_name"`
-	SmtpUseTLS   bool   `json:"smtp_use_tls"`
-}
-
-// SendTestEmail 发送测试邮件
-// POST /api/v1/admin/settings/send-test-email
-func (h *SettingHandler) SendTestEmail(c *gin.Context) {
-	var req SendTestEmailRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	if req.SmtpPort <= 0 {
-		req.SmtpPort = 587
-	}
-
-	// 如果未提供密码，从数据库获取已保存的密码
-	password := req.SmtpPassword
-	if password == "" {
-		savedConfig, err := h.emailService.GetSmtpConfig(c.Request.Context())
-		if err == nil && savedConfig != nil {
-			password = savedConfig.Password
-		}
-	}
-
-	config := &service.SmtpConfig{
-		Host:     req.SmtpHost,
-		Port:     req.SmtpPort,
-		Username: req.SmtpUsername,
-		Password: password,
-		From:     req.SmtpFrom,
-		FromName: req.SmtpFromName,
-		UseTLS:   req.SmtpUseTLS,
-	}
-
-	siteName := h.settingService.GetSiteName(c.Request.Context())
-	subject := "[" + siteName + "] Test Email"
-	body := `
-<!DOCTYPE html>
-<html>
-<head>
-    <meta charset="UTF-8">
-    <style>
-        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background-color: #f5f5f5; margin: 0; padding: 20px; }
-        .container { max-width: 600px; margin: 0 auto; background-color: #ffffff; border-radius: 8px; overflow: hidden; box-shadow: 0 2px 8px rgba(0,0,0,0.1); }
-        .header { background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; padding: 30px; text-align: center; }
-        .content { padding: 40px 30px; text-align: center; }
-        .success { color: #10b981; font-size: 48px; margin-bottom: 20px; }
-        .footer { background-color: #f8f9fa; padding: 20px; text-align: center; color: #999; font-size: 12px; }
-    </style>
-</head>
-<body>
-    <div class="container">
-        <div class="header">
-            <h1>` + siteName + `</h1>
-        </div>
-        <div class="content">
-            <div class="success">✓</div>
-            <h2>Email Configuration Successful!</h2>
-            <p>This is a test email to verify your SMTP settings are working correctly.</p>
-        </div>
-        <div class="footer">
-            <p>This is an automated test message.</p>
-        </div>
-    </div>
-</body>
-</html>
-`
-
-	if err := h.emailService.SendEmailWithConfig(config, req.Email, subject, body); err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{"message": "Test email sent successfully"})
-}
-
-// GetAdminApiKey 获取管理员 API Key 状态
-// GET /api/v1/admin/settings/admin-api-key
-func (h *SettingHandler) GetAdminApiKey(c *gin.Context) {
-	maskedKey, exists, err := h.settingService.GetAdminApiKeyStatus(c.Request.Context())
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{
-		"exists":     exists,
-		"masked_key": maskedKey,
-	})
-}
-
-// RegenerateAdminApiKey 生成/重新生成管理员 API Key
-// POST /api/v1/admin/settings/admin-api-key/regenerate
-func (h *SettingHandler) RegenerateAdminApiKey(c *gin.Context) {
-	key, err := h.settingService.GenerateAdminApiKey(c.Request.Context())
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{
-		"key": key, // 完整 key 只在生成时返回一次
-	})
-}
-
-// DeleteAdminApiKey 删除管理员 API Key
-// DELETE /api/v1/admin/settings/admin-api-key
-func (h *SettingHandler) DeleteAdminApiKey(c *gin.Context) {
-	if err := h.settingService.DeleteAdminApiKey(c.Request.Context()); err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{"message": "Admin API key deleted"})
-}
+package admin
+
+import (
+	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// SettingHandler 系统设置处理器
+type SettingHandler struct {
+	settingService   *service.SettingService
+	emailService     *service.EmailService
+	turnstileService *service.TurnstileService
+}
+
+// NewSettingHandler 创建系统设置处理器
+func NewSettingHandler(settingService *service.SettingService, emailService *service.EmailService, turnstileService *service.TurnstileService) *SettingHandler {
+	return &SettingHandler{
+		settingService:   settingService,
+		emailService:     emailService,
+		turnstileService: turnstileService,
+	}
+}
+
+// GetSettings 获取所有系统设置
+// GET /api/v1/admin/settings
+func (h *SettingHandler) GetSettings(c *gin.Context) {
+	settings, err := h.settingService.GetAllSettings(c.Request.Context())
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.SystemSettings{
+		RegistrationEnabled: settings.RegistrationEnabled,
+		EmailVerifyEnabled:  settings.EmailVerifyEnabled,
+		SmtpHost:            settings.SmtpHost,
+		SmtpPort:            settings.SmtpPort,
+		SmtpUsername:        settings.SmtpUsername,
+		SmtpPassword:        settings.SmtpPassword,
+		SmtpFrom:            settings.SmtpFrom,
+		SmtpFromName:        settings.SmtpFromName,
+		SmtpUseTLS:          settings.SmtpUseTLS,
+		TurnstileEnabled:    settings.TurnstileEnabled,
+		TurnstileSiteKey:    settings.TurnstileSiteKey,
+		TurnstileSecretKey:  settings.TurnstileSecretKey,
+		SiteName:            settings.SiteName,
+		SiteLogo:            settings.SiteLogo,
+		SiteSubtitle:        settings.SiteSubtitle,
+		ApiBaseUrl:          settings.ApiBaseUrl,
+		ContactInfo:         settings.ContactInfo,
+		DocUrl:              settings.DocUrl,
+		DefaultConcurrency:  settings.DefaultConcurrency,
+		DefaultBalance:      settings.DefaultBalance,
+	})
+}
+
+// UpdateSettingsRequest 更新设置请求
+type UpdateSettingsRequest struct {
+	// 注册设置
+	RegistrationEnabled bool `json:"registration_enabled"`
+	EmailVerifyEnabled  bool `json:"email_verify_enabled"`
+
+	// 邮件服务设置
+	SmtpHost     string `json:"smtp_host"`
+	SmtpPort     int    `json:"smtp_port"`
+	SmtpUsername string `json:"smtp_username"`
+	SmtpPassword string `json:"smtp_password"`
+	SmtpFrom     string `json:"smtp_from_email"`
+	SmtpFromName string `json:"smtp_from_name"`
+	SmtpUseTLS   bool   `json:"smtp_use_tls"`
+
+	// Cloudflare Turnstile 设置
+	TurnstileEnabled   bool   `json:"turnstile_enabled"`
+	TurnstileSiteKey   string `json:"turnstile_site_key"`
+	TurnstileSecretKey string `json:"turnstile_secret_key"`
+
+	// OEM设置
+	SiteName     string `json:"site_name"`
+	SiteLogo     string `json:"site_logo"`
+	SiteSubtitle string `json:"site_subtitle"`
+	ApiBaseUrl   string `json:"api_base_url"`
+	ContactInfo  string `json:"contact_info"`
+	DocUrl       string `json:"doc_url"`
+
+	// 默认配置
+	DefaultConcurrency int     `json:"default_concurrency"`
+	DefaultBalance     float64 `json:"default_balance"`
+}
+
+// UpdateSettings 更新系统设置
+// PUT /api/v1/admin/settings
+func (h *SettingHandler) UpdateSettings(c *gin.Context) {
+	var req UpdateSettingsRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	// 验证参数
+	if req.DefaultConcurrency < 1 {
+		req.DefaultConcurrency = 1
+	}
+	if req.DefaultBalance < 0 {
+		req.DefaultBalance = 0
+	}
+	if req.SmtpPort <= 0 {
+		req.SmtpPort = 587
+	}
+
+	// Turnstile 参数验证
+	if req.TurnstileEnabled {
+		// 检查必填字段
+		if req.TurnstileSiteKey == "" {
+			response.BadRequest(c, "Turnstile Site Key is required when enabled")
+			return
+		}
+		if req.TurnstileSecretKey == "" {
+			response.BadRequest(c, "Turnstile Secret Key is required when enabled")
+			return
+		}
+
+		// 获取当前设置，检查参数是否有变化
+		currentSettings, err := h.settingService.GetAllSettings(c.Request.Context())
+		if err != nil {
+			response.ErrorFrom(c, err)
+			return
+		}
+
+		// 当 site_key 或 secret_key 任一变化时验证（避免配置错误导致无法登录）
+		siteKeyChanged := currentSettings.TurnstileSiteKey != req.TurnstileSiteKey
+		secretKeyChanged := currentSettings.TurnstileSecretKey != req.TurnstileSecretKey
+		if siteKeyChanged || secretKeyChanged {
+			if err := h.turnstileService.ValidateSecretKey(c.Request.Context(), req.TurnstileSecretKey); err != nil {
+				response.ErrorFrom(c, err)
+				return
+			}
+		}
+	}
+
+	settings := &service.SystemSettings{
+		RegistrationEnabled: req.RegistrationEnabled,
+		EmailVerifyEnabled:  req.EmailVerifyEnabled,
+		SmtpHost:            req.SmtpHost,
+		SmtpPort:            req.SmtpPort,
+		SmtpUsername:        req.SmtpUsername,
+		SmtpPassword:        req.SmtpPassword,
+		SmtpFrom:            req.SmtpFrom,
+		SmtpFromName:        req.SmtpFromName,
+		SmtpUseTLS:          req.SmtpUseTLS,
+		TurnstileEnabled:    req.TurnstileEnabled,
+		TurnstileSiteKey:    req.TurnstileSiteKey,
+		TurnstileSecretKey:  req.TurnstileSecretKey,
+		SiteName:            req.SiteName,
+		SiteLogo:            req.SiteLogo,
+		SiteSubtitle:        req.SiteSubtitle,
+		ApiBaseUrl:          req.ApiBaseUrl,
+		ContactInfo:         req.ContactInfo,
+		DocUrl:              req.DocUrl,
+		DefaultConcurrency:  req.DefaultConcurrency,
+		DefaultBalance:      req.DefaultBalance,
+	}
+
+	if err := h.settingService.UpdateSettings(c.Request.Context(), settings); err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	// 重新获取设置返回
+	updatedSettings, err := h.settingService.GetAllSettings(c.Request.Context())
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.SystemSettings{
+		RegistrationEnabled: updatedSettings.RegistrationEnabled,
+		EmailVerifyEnabled:  updatedSettings.EmailVerifyEnabled,
+		SmtpHost:            updatedSettings.SmtpHost,
+		SmtpPort:            updatedSettings.SmtpPort,
+		SmtpUsername:        updatedSettings.SmtpUsername,
+		SmtpPassword:        updatedSettings.SmtpPassword,
+		SmtpFrom:            updatedSettings.SmtpFrom,
+		SmtpFromName:        updatedSettings.SmtpFromName,
+		SmtpUseTLS:          updatedSettings.SmtpUseTLS,
+		TurnstileEnabled:    updatedSettings.TurnstileEnabled,
+		TurnstileSiteKey:    updatedSettings.TurnstileSiteKey,
+		TurnstileSecretKey:  updatedSettings.TurnstileSecretKey,
+		SiteName:            updatedSettings.SiteName,
+		SiteLogo:            updatedSettings.SiteLogo,
+		SiteSubtitle:        updatedSettings.SiteSubtitle,
+		ApiBaseUrl:          updatedSettings.ApiBaseUrl,
+		ContactInfo:         updatedSettings.ContactInfo,
+		DocUrl:              updatedSettings.DocUrl,
+		DefaultConcurrency:  updatedSettings.DefaultConcurrency,
+		DefaultBalance:      updatedSettings.DefaultBalance,
+	})
+}
+
+// TestSmtpRequest 测试SMTP连接请求
+type TestSmtpRequest struct {
+	SmtpHost     string `json:"smtp_host" binding:"required"`
+	SmtpPort     int    `json:"smtp_port"`
+	SmtpUsername string `json:"smtp_username"`
+	SmtpPassword string `json:"smtp_password"`
+	SmtpUseTLS   bool   `json:"smtp_use_tls"`
+}
+
+// TestSmtpConnection 测试SMTP连接
+// POST /api/v1/admin/settings/test-smtp
+func (h *SettingHandler) TestSmtpConnection(c *gin.Context) {
+	var req TestSmtpRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	if req.SmtpPort <= 0 {
+		req.SmtpPort = 587
+	}
+
+	// 如果未提供密码，从数据库获取已保存的密码
+	password := req.SmtpPassword
+	if password == "" {
+		savedConfig, err := h.emailService.GetSmtpConfig(c.Request.Context())
+		if err == nil && savedConfig != nil {
+			password = savedConfig.Password
+		}
+	}
+
+	config := &service.SmtpConfig{
+		Host:     req.SmtpHost,
+		Port:     req.SmtpPort,
+		Username: req.SmtpUsername,
+		Password: password,
+		UseTLS:   req.SmtpUseTLS,
+	}
+
+	err := h.emailService.TestSmtpConnectionWithConfig(config)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{"message": "SMTP connection successful"})
+}
+
+// SendTestEmailRequest 发送测试邮件请求
+type SendTestEmailRequest struct {
+	Email        string `json:"email" binding:"required,email"`
+	SmtpHost     string `json:"smtp_host" binding:"required"`
+	SmtpPort     int    `json:"smtp_port"`
+	SmtpUsername string `json:"smtp_username"`
+	SmtpPassword string `json:"smtp_password"`
+	SmtpFrom     string `json:"smtp_from_email"`
+	SmtpFromName string `json:"smtp_from_name"`
+	SmtpUseTLS   bool   `json:"smtp_use_tls"`
+}
+
+// SendTestEmail 发送测试邮件
+// POST /api/v1/admin/settings/send-test-email
+func (h *SettingHandler) SendTestEmail(c *gin.Context) {
+	var req SendTestEmailRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	if req.SmtpPort <= 0 {
+		req.SmtpPort = 587
+	}
+
+	// 如果未提供密码，从数据库获取已保存的密码
+	password := req.SmtpPassword
+	if password == "" {
+		savedConfig, err := h.emailService.GetSmtpConfig(c.Request.Context())
+		if err == nil && savedConfig != nil {
+			password = savedConfig.Password
+		}
+	}
+
+	config := &service.SmtpConfig{
+		Host:     req.SmtpHost,
+		Port:     req.SmtpPort,
+		Username: req.SmtpUsername,
+		Password: password,
+		From:     req.SmtpFrom,
+		FromName: req.SmtpFromName,
+		UseTLS:   req.SmtpUseTLS,
+	}
+
+	siteName := h.settingService.GetSiteName(c.Request.Context())
+	subject := "[" + siteName + "] Test Email"
+	body := `
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="UTF-8">
+    <style>
+        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background-color: #f5f5f5; margin: 0; padding: 20px; }
+        .container { max-width: 600px; margin: 0 auto; background-color: #ffffff; border-radius: 8px; overflow: hidden; box-shadow: 0 2px 8px rgba(0,0,0,0.1); }
+        .header { background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); color: white; padding: 30px; text-align: center; }
+        .content { padding: 40px 30px; text-align: center; }
+        .success { color: #10b981; font-size: 48px; margin-bottom: 20px; }
+        .footer { background-color: #f8f9fa; padding: 20px; text-align: center; color: #999; font-size: 12px; }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="header">
+            <h1>` + siteName + `</h1>
+        </div>
+        <div class="content">
+            <div class="success">✓</div>
+            <h2>Email Configuration Successful!</h2>
+            <p>This is a test email to verify your SMTP settings are working correctly.</p>
+        </div>
+        <div class="footer">
+            <p>This is an automated test message.</p>
+        </div>
+    </div>
+</body>
+</html>
+`
+
+	if err := h.emailService.SendEmailWithConfig(config, req.Email, subject, body); err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Test email sent successfully"})
+}
+
+// GetAdminApiKey 获取管理员 API Key 状态
+// GET /api/v1/admin/settings/admin-api-key
+func (h *SettingHandler) GetAdminApiKey(c *gin.Context) {
+	maskedKey, exists, err := h.settingService.GetAdminApiKeyStatus(c.Request.Context())
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{
+		"exists":     exists,
+		"masked_key": maskedKey,
+	})
+}
+
+// RegenerateAdminApiKey 生成/重新生成管理员 API Key
+// POST /api/v1/admin/settings/admin-api-key/regenerate
+func (h *SettingHandler) RegenerateAdminApiKey(c *gin.Context) {
+	key, err := h.settingService.GenerateAdminApiKey(c.Request.Context())
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{
+		"key": key, // 完整 key 只在生成时返回一次
+	})
+}
+
+// DeleteAdminApiKey 删除管理员 API Key
+// DELETE /api/v1/admin/settings/admin-api-key
+func (h *SettingHandler) DeleteAdminApiKey(c *gin.Context) {
+	if err := h.settingService.DeleteAdminApiKey(c.Request.Context()); err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Admin API key deleted"})
+}

backend/internal/handler/admin/subscription_handler.go

@@ -1,278 +1,278 @@
-package admin
-
-import (
-	"strconv"
-
-	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/pagination"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// toResponsePagination converts pagination.PaginationResult to response.PaginationResult
-func toResponsePagination(p *pagination.PaginationResult) *response.PaginationResult {
-	if p == nil {
-		return nil
-	}
-	return &response.PaginationResult{
-		Total:    p.Total,
-		Page:     p.Page,
-		PageSize: p.PageSize,
-		Pages:    p.Pages,
-	}
-}
-
-// SubscriptionHandler handles admin subscription management
-type SubscriptionHandler struct {
-	subscriptionService *service.SubscriptionService
-}
-
-// NewSubscriptionHandler creates a new admin subscription handler
-func NewSubscriptionHandler(subscriptionService *service.SubscriptionService) *SubscriptionHandler {
-	return &SubscriptionHandler{
-		subscriptionService: subscriptionService,
-	}
-}
-
-// AssignSubscriptionRequest represents assign subscription request
-type AssignSubscriptionRequest struct {
-	UserID       int64  `json:"user_id" binding:"required"`
-	GroupID      int64  `json:"group_id" binding:"required"`
-	ValidityDays int    `json:"validity_days" binding:"omitempty,max=36500"` // max 100 years
-	Notes        string `json:"notes"`
-}
-
-// BulkAssignSubscriptionRequest represents bulk assign subscription request
-type BulkAssignSubscriptionRequest struct {
-	UserIDs      []int64 `json:"user_ids" binding:"required,min=1"`
-	GroupID      int64   `json:"group_id" binding:"required"`
-	ValidityDays int     `json:"validity_days" binding:"omitempty,max=36500"` // max 100 years
-	Notes        string  `json:"notes"`
-}
-
-// ExtendSubscriptionRequest represents extend subscription request
-type ExtendSubscriptionRequest struct {
-	Days int `json:"days" binding:"required,min=1,max=36500"` // max 100 years
-}
-
-// List handles listing all subscriptions with pagination and filters
-// GET /api/v1/admin/subscriptions
-func (h *SubscriptionHandler) List(c *gin.Context) {
-	page, pageSize := response.ParsePagination(c)
-
-	// Parse optional filters
-	var userID, groupID *int64
-	if userIDStr := c.Query("user_id"); userIDStr != "" {
-		if id, err := strconv.ParseInt(userIDStr, 10, 64); err == nil {
-			userID = &id
-		}
-	}
-	if groupIDStr := c.Query("group_id"); groupIDStr != "" {
-		if id, err := strconv.ParseInt(groupIDStr, 10, 64); err == nil {
-			groupID = &id
-		}
-	}
-	status := c.Query("status")
-
-	subscriptions, pagination, err := h.subscriptionService.List(c.Request.Context(), page, pageSize, userID, groupID, status)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]dto.UserSubscription, 0, len(subscriptions))
-	for i := range subscriptions {
-		out = append(out, *dto.UserSubscriptionFromService(&subscriptions[i]))
-	}
-	response.PaginatedWithResult(c, out, toResponsePagination(pagination))
-}
-
-// GetByID handles getting a subscription by ID
-// GET /api/v1/admin/subscriptions/:id
-func (h *SubscriptionHandler) GetByID(c *gin.Context) {
-	subscriptionID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid subscription ID")
-		return
-	}
-
-	subscription, err := h.subscriptionService.GetByID(c.Request.Context(), subscriptionID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.UserSubscriptionFromService(subscription))
-}
-
-// GetProgress handles getting subscription usage progress
-// GET /api/v1/admin/subscriptions/:id/progress
-func (h *SubscriptionHandler) GetProgress(c *gin.Context) {
-	subscriptionID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid subscription ID")
-		return
-	}
-
-	progress, err := h.subscriptionService.GetSubscriptionProgress(c.Request.Context(), subscriptionID)
-	if err != nil {
-		response.NotFound(c, "Subscription not found")
-		return
-	}
-
-	response.Success(c, progress)
-}
-
-// Assign handles assigning a subscription to a user
-// POST /api/v1/admin/subscriptions/assign
-func (h *SubscriptionHandler) Assign(c *gin.Context) {
-	var req AssignSubscriptionRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	// Get admin user ID from context
-	adminID := getAdminIDFromContext(c)
-
-	subscription, err := h.subscriptionService.AssignSubscription(c.Request.Context(), &service.AssignSubscriptionInput{
-		UserID:       req.UserID,
-		GroupID:      req.GroupID,
-		ValidityDays: req.ValidityDays,
-		AssignedBy:   adminID,
-		Notes:        req.Notes,
-	})
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.UserSubscriptionFromService(subscription))
-}
-
-// BulkAssign handles bulk assigning subscriptions to multiple users
-// POST /api/v1/admin/subscriptions/bulk-assign
-func (h *SubscriptionHandler) BulkAssign(c *gin.Context) {
-	var req BulkAssignSubscriptionRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	// Get admin user ID from context
-	adminID := getAdminIDFromContext(c)
-
-	result, err := h.subscriptionService.BulkAssignSubscription(c.Request.Context(), &service.BulkAssignSubscriptionInput{
-		UserIDs:      req.UserIDs,
-		GroupID:      req.GroupID,
-		ValidityDays: req.ValidityDays,
-		AssignedBy:   adminID,
-		Notes:        req.Notes,
-	})
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.BulkAssignResultFromService(result))
-}
-
-// Extend handles extending a subscription
-// POST /api/v1/admin/subscriptions/:id/extend
-func (h *SubscriptionHandler) Extend(c *gin.Context) {
-	subscriptionID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid subscription ID")
-		return
-	}
-
-	var req ExtendSubscriptionRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	subscription, err := h.subscriptionService.ExtendSubscription(c.Request.Context(), subscriptionID, req.Days)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.UserSubscriptionFromService(subscription))
-}
-
-// Revoke handles revoking a subscription
-// DELETE /api/v1/admin/subscriptions/:id
-func (h *SubscriptionHandler) Revoke(c *gin.Context) {
-	subscriptionID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid subscription ID")
-		return
-	}
-
-	err = h.subscriptionService.RevokeSubscription(c.Request.Context(), subscriptionID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{"message": "Subscription revoked successfully"})
-}
-
-// ListByGroup handles listing subscriptions for a specific group
-// GET /api/v1/admin/groups/:id/subscriptions
-func (h *SubscriptionHandler) ListByGroup(c *gin.Context) {
-	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid group ID")
-		return
-	}
-
-	page, pageSize := response.ParsePagination(c)
-
-	subscriptions, pagination, err := h.subscriptionService.ListGroupSubscriptions(c.Request.Context(), groupID, page, pageSize)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]dto.UserSubscription, 0, len(subscriptions))
-	for i := range subscriptions {
-		out = append(out, *dto.UserSubscriptionFromService(&subscriptions[i]))
-	}
-	response.PaginatedWithResult(c, out, toResponsePagination(pagination))
-}
-
-// ListByUser handles listing subscriptions for a specific user
-// GET /api/v1/admin/users/:id/subscriptions
-func (h *SubscriptionHandler) ListByUser(c *gin.Context) {
-	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid user ID")
-		return
-	}
-
-	subscriptions, err := h.subscriptionService.ListUserSubscriptions(c.Request.Context(), userID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]dto.UserSubscription, 0, len(subscriptions))
-	for i := range subscriptions {
-		out = append(out, *dto.UserSubscriptionFromService(&subscriptions[i]))
-	}
-	response.Success(c, out)
-}
-
-// Helper function to get admin ID from context
-func getAdminIDFromContext(c *gin.Context) int64 {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		return 0
-	}
-	return subject.UserID
-}
+package admin
+
+import (
+	"strconv"
+
+	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/pagination"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// toResponsePagination converts pagination.PaginationResult to response.PaginationResult
+func toResponsePagination(p *pagination.PaginationResult) *response.PaginationResult {
+	if p == nil {
+		return nil
+	}
+	return &response.PaginationResult{
+		Total:    p.Total,
+		Page:     p.Page,
+		PageSize: p.PageSize,
+		Pages:    p.Pages,
+	}
+}
+
+// SubscriptionHandler handles admin subscription management
+type SubscriptionHandler struct {
+	subscriptionService *service.SubscriptionService
+}
+
+// NewSubscriptionHandler creates a new admin subscription handler
+func NewSubscriptionHandler(subscriptionService *service.SubscriptionService) *SubscriptionHandler {
+	return &SubscriptionHandler{
+		subscriptionService: subscriptionService,
+	}
+}
+
+// AssignSubscriptionRequest represents assign subscription request
+type AssignSubscriptionRequest struct {
+	UserID       int64  `json:"user_id" binding:"required"`
+	GroupID      int64  `json:"group_id" binding:"required"`
+	ValidityDays int    `json:"validity_days" binding:"omitempty,max=36500"` // max 100 years
+	Notes        string `json:"notes"`
+}
+
+// BulkAssignSubscriptionRequest represents bulk assign subscription request
+type BulkAssignSubscriptionRequest struct {
+	UserIDs      []int64 `json:"user_ids" binding:"required,min=1"`
+	GroupID      int64   `json:"group_id" binding:"required"`
+	ValidityDays int     `json:"validity_days" binding:"omitempty,max=36500"` // max 100 years
+	Notes        string  `json:"notes"`
+}
+
+// ExtendSubscriptionRequest represents extend subscription request
+type ExtendSubscriptionRequest struct {
+	Days int `json:"days" binding:"required,min=1,max=36500"` // max 100 years
+}
+
+// List handles listing all subscriptions with pagination and filters
+// GET /api/v1/admin/subscriptions
+func (h *SubscriptionHandler) List(c *gin.Context) {
+	page, pageSize := response.ParsePagination(c)
+
+	// Parse optional filters
+	var userID, groupID *int64
+	if userIDStr := c.Query("user_id"); userIDStr != "" {
+		if id, err := strconv.ParseInt(userIDStr, 10, 64); err == nil {
+			userID = &id
+		}
+	}
+	if groupIDStr := c.Query("group_id"); groupIDStr != "" {
+		if id, err := strconv.ParseInt(groupIDStr, 10, 64); err == nil {
+			groupID = &id
+		}
+	}
+	status := c.Query("status")
+
+	subscriptions, pagination, err := h.subscriptionService.List(c.Request.Context(), page, pageSize, userID, groupID, status)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]dto.UserSubscription, 0, len(subscriptions))
+	for i := range subscriptions {
+		out = append(out, *dto.UserSubscriptionFromService(&subscriptions[i]))
+	}
+	response.PaginatedWithResult(c, out, toResponsePagination(pagination))
+}
+
+// GetByID handles getting a subscription by ID
+// GET /api/v1/admin/subscriptions/:id
+func (h *SubscriptionHandler) GetByID(c *gin.Context) {
+	subscriptionID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid subscription ID")
+		return
+	}
+
+	subscription, err := h.subscriptionService.GetByID(c.Request.Context(), subscriptionID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.UserSubscriptionFromService(subscription))
+}
+
+// GetProgress handles getting subscription usage progress
+// GET /api/v1/admin/subscriptions/:id/progress
+func (h *SubscriptionHandler) GetProgress(c *gin.Context) {
+	subscriptionID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid subscription ID")
+		return
+	}
+
+	progress, err := h.subscriptionService.GetSubscriptionProgress(c.Request.Context(), subscriptionID)
+	if err != nil {
+		response.NotFound(c, "Subscription not found")
+		return
+	}
+
+	response.Success(c, progress)
+}
+
+// Assign handles assigning a subscription to a user
+// POST /api/v1/admin/subscriptions/assign
+func (h *SubscriptionHandler) Assign(c *gin.Context) {
+	var req AssignSubscriptionRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	// Get admin user ID from context
+	adminID := getAdminIDFromContext(c)
+
+	subscription, err := h.subscriptionService.AssignSubscription(c.Request.Context(), &service.AssignSubscriptionInput{
+		UserID:       req.UserID,
+		GroupID:      req.GroupID,
+		ValidityDays: req.ValidityDays,
+		AssignedBy:   adminID,
+		Notes:        req.Notes,
+	})
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.UserSubscriptionFromService(subscription))
+}
+
+// BulkAssign handles bulk assigning subscriptions to multiple users
+// POST /api/v1/admin/subscriptions/bulk-assign
+func (h *SubscriptionHandler) BulkAssign(c *gin.Context) {
+	var req BulkAssignSubscriptionRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	// Get admin user ID from context
+	adminID := getAdminIDFromContext(c)
+
+	result, err := h.subscriptionService.BulkAssignSubscription(c.Request.Context(), &service.BulkAssignSubscriptionInput{
+		UserIDs:      req.UserIDs,
+		GroupID:      req.GroupID,
+		ValidityDays: req.ValidityDays,
+		AssignedBy:   adminID,
+		Notes:        req.Notes,
+	})
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.BulkAssignResultFromService(result))
+}
+
+// Extend handles extending a subscription
+// POST /api/v1/admin/subscriptions/:id/extend
+func (h *SubscriptionHandler) Extend(c *gin.Context) {
+	subscriptionID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid subscription ID")
+		return
+	}
+
+	var req ExtendSubscriptionRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	subscription, err := h.subscriptionService.ExtendSubscription(c.Request.Context(), subscriptionID, req.Days)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.UserSubscriptionFromService(subscription))
+}
+
+// Revoke handles revoking a subscription
+// DELETE /api/v1/admin/subscriptions/:id
+func (h *SubscriptionHandler) Revoke(c *gin.Context) {
+	subscriptionID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid subscription ID")
+		return
+	}
+
+	err = h.subscriptionService.RevokeSubscription(c.Request.Context(), subscriptionID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Subscription revoked successfully"})
+}
+
+// ListByGroup handles listing subscriptions for a specific group
+// GET /api/v1/admin/groups/:id/subscriptions
+func (h *SubscriptionHandler) ListByGroup(c *gin.Context) {
+	groupID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid group ID")
+		return
+	}
+
+	page, pageSize := response.ParsePagination(c)
+
+	subscriptions, pagination, err := h.subscriptionService.ListGroupSubscriptions(c.Request.Context(), groupID, page, pageSize)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]dto.UserSubscription, 0, len(subscriptions))
+	for i := range subscriptions {
+		out = append(out, *dto.UserSubscriptionFromService(&subscriptions[i]))
+	}
+	response.PaginatedWithResult(c, out, toResponsePagination(pagination))
+}
+
+// ListByUser handles listing subscriptions for a specific user
+// GET /api/v1/admin/users/:id/subscriptions
+func (h *SubscriptionHandler) ListByUser(c *gin.Context) {
+	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid user ID")
+		return
+	}
+
+	subscriptions, err := h.subscriptionService.ListUserSubscriptions(c.Request.Context(), userID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]dto.UserSubscription, 0, len(subscriptions))
+	for i := range subscriptions {
+		out = append(out, *dto.UserSubscriptionFromService(&subscriptions[i]))
+	}
+	response.Success(c, out)
+}
+
+// Helper function to get admin ID from context
+func getAdminIDFromContext(c *gin.Context) int64 {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		return 0
+	}
+	return subject.UserID
+}

backend/internal/handler/admin/system_handler.go

@@ -1,87 +1,87 @@
-package admin
-
-import (
-	"net/http"
-	"time"
-
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/sysutil"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// SystemHandler handles system-related operations
-type SystemHandler struct {
-	updateSvc *service.UpdateService
-}
-
-// NewSystemHandler creates a new SystemHandler
-func NewSystemHandler(updateSvc *service.UpdateService) *SystemHandler {
-	return &SystemHandler{
-		updateSvc: updateSvc,
-	}
-}
-
-// GetVersion returns the current version
-// GET /api/v1/admin/system/version
-func (h *SystemHandler) GetVersion(c *gin.Context) {
-	info, _ := h.updateSvc.CheckUpdate(c.Request.Context(), false)
-	response.Success(c, gin.H{
-		"version": info.CurrentVersion,
-	})
-}
-
-// CheckUpdates checks for available updates
-// GET /api/v1/admin/system/check-updates
-func (h *SystemHandler) CheckUpdates(c *gin.Context) {
-	force := c.Query("force") == "true"
-	info, err := h.updateSvc.CheckUpdate(c.Request.Context(), force)
-	if err != nil {
-		response.Error(c, http.StatusInternalServerError, err.Error())
-		return
-	}
-	response.Success(c, info)
-}
-
-// PerformUpdate downloads and applies the update
-// POST /api/v1/admin/system/update
-func (h *SystemHandler) PerformUpdate(c *gin.Context) {
-	if err := h.updateSvc.PerformUpdate(c.Request.Context()); err != nil {
-		response.Error(c, http.StatusInternalServerError, err.Error())
-		return
-	}
-	response.Success(c, gin.H{
-		"message":      "Update completed. Please restart the service.",
-		"need_restart": true,
-	})
-}
-
-// Rollback restores the previous version
-// POST /api/v1/admin/system/rollback
-func (h *SystemHandler) Rollback(c *gin.Context) {
-	if err := h.updateSvc.Rollback(); err != nil {
-		response.Error(c, http.StatusInternalServerError, err.Error())
-		return
-	}
-	response.Success(c, gin.H{
-		"message":      "Rollback completed. Please restart the service.",
-		"need_restart": true,
-	})
-}
-
-// RestartService restarts the systemd service
-// POST /api/v1/admin/system/restart
-func (h *SystemHandler) RestartService(c *gin.Context) {
-	// Schedule service restart in background after sending response
-	// This ensures the client receives the success response before the service restarts
-	go func() {
-		// Wait a moment to ensure the response is sent
-		time.Sleep(500 * time.Millisecond)
-		sysutil.RestartServiceAsync()
-	}()
-
-	response.Success(c, gin.H{
-		"message": "Service restart initiated",
-	})
-}
+package admin
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/sysutil"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// SystemHandler handles system-related operations
+type SystemHandler struct {
+	updateSvc *service.UpdateService
+}
+
+// NewSystemHandler creates a new SystemHandler
+func NewSystemHandler(updateSvc *service.UpdateService) *SystemHandler {
+	return &SystemHandler{
+		updateSvc: updateSvc,
+	}
+}
+
+// GetVersion returns the current version
+// GET /api/v1/admin/system/version
+func (h *SystemHandler) GetVersion(c *gin.Context) {
+	info, _ := h.updateSvc.CheckUpdate(c.Request.Context(), false)
+	response.Success(c, gin.H{
+		"version": info.CurrentVersion,
+	})
+}
+
+// CheckUpdates checks for available updates
+// GET /api/v1/admin/system/check-updates
+func (h *SystemHandler) CheckUpdates(c *gin.Context) {
+	force := c.Query("force") == "true"
+	info, err := h.updateSvc.CheckUpdate(c.Request.Context(), force)
+	if err != nil {
+		response.Error(c, http.StatusInternalServerError, err.Error())
+		return
+	}
+	response.Success(c, info)
+}
+
+// PerformUpdate downloads and applies the update
+// POST /api/v1/admin/system/update
+func (h *SystemHandler) PerformUpdate(c *gin.Context) {
+	if err := h.updateSvc.PerformUpdate(c.Request.Context()); err != nil {
+		response.Error(c, http.StatusInternalServerError, err.Error())
+		return
+	}
+	response.Success(c, gin.H{
+		"message":      "Update completed. Please restart the service.",
+		"need_restart": true,
+	})
+}
+
+// Rollback restores the previous version
+// POST /api/v1/admin/system/rollback
+func (h *SystemHandler) Rollback(c *gin.Context) {
+	if err := h.updateSvc.Rollback(); err != nil {
+		response.Error(c, http.StatusInternalServerError, err.Error())
+		return
+	}
+	response.Success(c, gin.H{
+		"message":      "Rollback completed. Please restart the service.",
+		"need_restart": true,
+	})
+}
+
+// RestartService restarts the systemd service
+// POST /api/v1/admin/system/restart
+func (h *SystemHandler) RestartService(c *gin.Context) {
+	// Schedule service restart in background after sending response
+	// This ensures the client receives the success response before the service restarts
+	go func() {
+		// Wait a moment to ensure the response is sent
+		time.Sleep(500 * time.Millisecond)
+		sysutil.RestartServiceAsync()
+	}()
+
+	response.Success(c, gin.H{
+		"message": "Service restart initiated",
+	})
+}

backend/internal/handler/admin/usage_handler.go

@@ -1,311 +1,311 @@
-package admin
-
-import (
-	"strconv"
-	"time"
-
-	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/pagination"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/timezone"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/usagestats"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// UsageHandler handles admin usage-related requests
-type UsageHandler struct {
-	usageService  *service.UsageService
-	apiKeyService *service.ApiKeyService
-	adminService  service.AdminService
-}
-
-// NewUsageHandler creates a new admin usage handler
-func NewUsageHandler(
-	usageService *service.UsageService,
-	apiKeyService *service.ApiKeyService,
-	adminService service.AdminService,
-) *UsageHandler {
-	return &UsageHandler{
-		usageService:  usageService,
-		apiKeyService: apiKeyService,
-		adminService:  adminService,
-	}
-}
-
-// List handles listing all usage records with filters
-// GET /api/v1/admin/usage
-func (h *UsageHandler) List(c *gin.Context) {
-	page, pageSize := response.ParsePagination(c)
-
-	// Parse filters
-	var userID, apiKeyID, accountID, groupID int64
-	if userIDStr := c.Query("user_id"); userIDStr != "" {
-		id, err := strconv.ParseInt(userIDStr, 10, 64)
-		if err != nil {
-			response.BadRequest(c, "Invalid user_id")
-			return
-		}
-		userID = id
-	}
-
-	if apiKeyIDStr := c.Query("api_key_id"); apiKeyIDStr != "" {
-		id, err := strconv.ParseInt(apiKeyIDStr, 10, 64)
-		if err != nil {
-			response.BadRequest(c, "Invalid api_key_id")
-			return
-		}
-		apiKeyID = id
-	}
-
-	if accountIDStr := c.Query("account_id"); accountIDStr != "" {
-		id, err := strconv.ParseInt(accountIDStr, 10, 64)
-		if err != nil {
-			response.BadRequest(c, "Invalid account_id")
-			return
-		}
-		accountID = id
-	}
-
-	if groupIDStr := c.Query("group_id"); groupIDStr != "" {
-		id, err := strconv.ParseInt(groupIDStr, 10, 64)
-		if err != nil {
-			response.BadRequest(c, "Invalid group_id")
-			return
-		}
-		groupID = id
-	}
-
-	model := c.Query("model")
-
-	var stream *bool
-	if streamStr := c.Query("stream"); streamStr != "" {
-		val, err := strconv.ParseBool(streamStr)
-		if err != nil {
-			response.BadRequest(c, "Invalid stream value, use true or false")
-			return
-		}
-		stream = &val
-	}
-
-	var billingType *int8
-	if billingTypeStr := c.Query("billing_type"); billingTypeStr != "" {
-		val, err := strconv.ParseInt(billingTypeStr, 10, 8)
-		if err != nil {
-			response.BadRequest(c, "Invalid billing_type")
-			return
-		}
-		bt := int8(val)
-		billingType = &bt
-	}
-
-	// Parse date range
-	var startTime, endTime *time.Time
-	if startDateStr := c.Query("start_date"); startDateStr != "" {
-		t, err := timezone.ParseInLocation("2006-01-02", startDateStr)
-		if err != nil {
-			response.BadRequest(c, "Invalid start_date format, use YYYY-MM-DD")
-			return
-		}
-		startTime = &t
-	}
-
-	if endDateStr := c.Query("end_date"); endDateStr != "" {
-		t, err := timezone.ParseInLocation("2006-01-02", endDateStr)
-		if err != nil {
-			response.BadRequest(c, "Invalid end_date format, use YYYY-MM-DD")
-			return
-		}
-		// Set end time to end of day
-		t = t.Add(24*time.Hour - time.Nanosecond)
-		endTime = &t
-	}
-
-	params := pagination.PaginationParams{Page: page, PageSize: pageSize}
-	filters := usagestats.UsageLogFilters{
-		UserID:      userID,
-		ApiKeyID:    apiKeyID,
-		AccountID:   accountID,
-		GroupID:     groupID,
-		Model:       model,
-		Stream:      stream,
-		BillingType: billingType,
-		StartTime:   startTime,
-		EndTime:     endTime,
-	}
-
-	records, result, err := h.usageService.ListWithFilters(c.Request.Context(), params, filters)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]dto.UsageLog, 0, len(records))
-	for i := range records {
-		out = append(out, *dto.UsageLogFromService(&records[i]))
-	}
-	response.Paginated(c, out, result.Total, page, pageSize)
-}
-
-// Stats handles getting usage statistics with filters
-// GET /api/v1/admin/usage/stats
-func (h *UsageHandler) Stats(c *gin.Context) {
-	// Parse filters
-	var userID, apiKeyID int64
-	if userIDStr := c.Query("user_id"); userIDStr != "" {
-		id, err := strconv.ParseInt(userIDStr, 10, 64)
-		if err != nil {
-			response.BadRequest(c, "Invalid user_id")
-			return
-		}
-		userID = id
-	}
-
-	if apiKeyIDStr := c.Query("api_key_id"); apiKeyIDStr != "" {
-		id, err := strconv.ParseInt(apiKeyIDStr, 10, 64)
-		if err != nil {
-			response.BadRequest(c, "Invalid api_key_id")
-			return
-		}
-		apiKeyID = id
-	}
-
-	// Parse date range
-	now := timezone.Now()
-	var startTime, endTime time.Time
-
-	startDateStr := c.Query("start_date")
-	endDateStr := c.Query("end_date")
-
-	if startDateStr != "" && endDateStr != "" {
-		var err error
-		startTime, err = timezone.ParseInLocation("2006-01-02", startDateStr)
-		if err != nil {
-			response.BadRequest(c, "Invalid start_date format, use YYYY-MM-DD")
-			return
-		}
-		endTime, err = timezone.ParseInLocation("2006-01-02", endDateStr)
-		if err != nil {
-			response.BadRequest(c, "Invalid end_date format, use YYYY-MM-DD")
-			return
-		}
-		endTime = endTime.Add(24*time.Hour - time.Nanosecond)
-	} else {
-		period := c.DefaultQuery("period", "today")
-		switch period {
-		case "today":
-			startTime = timezone.StartOfDay(now)
-		case "week":
-			startTime = now.AddDate(0, 0, -7)
-		case "month":
-			startTime = now.AddDate(0, -1, 0)
-		default:
-			startTime = timezone.StartOfDay(now)
-		}
-		endTime = now
-	}
-
-	if apiKeyID > 0 {
-		stats, err := h.usageService.GetStatsByApiKey(c.Request.Context(), apiKeyID, startTime, endTime)
-		if err != nil {
-			response.ErrorFrom(c, err)
-			return
-		}
-		response.Success(c, stats)
-		return
-	}
-
-	if userID > 0 {
-		stats, err := h.usageService.GetStatsByUser(c.Request.Context(), userID, startTime, endTime)
-		if err != nil {
-			response.ErrorFrom(c, err)
-			return
-		}
-		response.Success(c, stats)
-		return
-	}
-
-	// Get global stats
-	stats, err := h.usageService.GetGlobalStats(c.Request.Context(), startTime, endTime)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, stats)
-}
-
-// SearchUsers handles searching users by email keyword
-// GET /api/v1/admin/usage/search-users
-func (h *UsageHandler) SearchUsers(c *gin.Context) {
-	keyword := c.Query("q")
-	if keyword == "" {
-		response.Success(c, []any{})
-		return
-	}
-
-	// Limit to 30 results
-	users, _, err := h.adminService.ListUsers(c.Request.Context(), 1, 30, service.UserListFilters{Search: keyword})
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	// Return simplified user list (only id and email)
-	type SimpleUser struct {
-		ID    int64  `json:"id"`
-		Email string `json:"email"`
-	}
-
-	result := make([]SimpleUser, len(users))
-	for i, u := range users {
-		result[i] = SimpleUser{
-			ID:    u.ID,
-			Email: u.Email,
-		}
-	}
-
-	response.Success(c, result)
-}
-
-// SearchApiKeys handles searching API keys by user
-// GET /api/v1/admin/usage/search-api-keys
-func (h *UsageHandler) SearchApiKeys(c *gin.Context) {
-	userIDStr := c.Query("user_id")
-	keyword := c.Query("q")
-
-	var userID int64
-	if userIDStr != "" {
-		id, err := strconv.ParseInt(userIDStr, 10, 64)
-		if err != nil {
-			response.BadRequest(c, "Invalid user_id")
-			return
-		}
-		userID = id
-	}
-
-	keys, err := h.apiKeyService.SearchApiKeys(c.Request.Context(), userID, keyword, 30)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	// Return simplified API key list (only id and name)
-	type SimpleApiKey struct {
-		ID     int64  `json:"id"`
-		Name   string `json:"name"`
-		UserID int64  `json:"user_id"`
-	}
-
-	result := make([]SimpleApiKey, len(keys))
-	for i, k := range keys {
-		result[i] = SimpleApiKey{
-			ID:     k.ID,
-			Name:   k.Name,
-			UserID: k.UserID,
-		}
-	}
-
-	response.Success(c, result)
-}
+package admin
+
+import (
+	"strconv"
+	"time"
+
+	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/pagination"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/timezone"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/usagestats"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// UsageHandler handles admin usage-related requests
+type UsageHandler struct {
+	usageService  *service.UsageService
+	apiKeyService *service.ApiKeyService
+	adminService  service.AdminService
+}
+
+// NewUsageHandler creates a new admin usage handler
+func NewUsageHandler(
+	usageService *service.UsageService,
+	apiKeyService *service.ApiKeyService,
+	adminService service.AdminService,
+) *UsageHandler {
+	return &UsageHandler{
+		usageService:  usageService,
+		apiKeyService: apiKeyService,
+		adminService:  adminService,
+	}
+}
+
+// List handles listing all usage records with filters
+// GET /api/v1/admin/usage
+func (h *UsageHandler) List(c *gin.Context) {
+	page, pageSize := response.ParsePagination(c)
+
+	// Parse filters
+	var userID, apiKeyID, accountID, groupID int64
+	if userIDStr := c.Query("user_id"); userIDStr != "" {
+		id, err := strconv.ParseInt(userIDStr, 10, 64)
+		if err != nil {
+			response.BadRequest(c, "Invalid user_id")
+			return
+		}
+		userID = id
+	}
+
+	if apiKeyIDStr := c.Query("api_key_id"); apiKeyIDStr != "" {
+		id, err := strconv.ParseInt(apiKeyIDStr, 10, 64)
+		if err != nil {
+			response.BadRequest(c, "Invalid api_key_id")
+			return
+		}
+		apiKeyID = id
+	}
+
+	if accountIDStr := c.Query("account_id"); accountIDStr != "" {
+		id, err := strconv.ParseInt(accountIDStr, 10, 64)
+		if err != nil {
+			response.BadRequest(c, "Invalid account_id")
+			return
+		}
+		accountID = id
+	}
+
+	if groupIDStr := c.Query("group_id"); groupIDStr != "" {
+		id, err := strconv.ParseInt(groupIDStr, 10, 64)
+		if err != nil {
+			response.BadRequest(c, "Invalid group_id")
+			return
+		}
+		groupID = id
+	}
+
+	model := c.Query("model")
+
+	var stream *bool
+	if streamStr := c.Query("stream"); streamStr != "" {
+		val, err := strconv.ParseBool(streamStr)
+		if err != nil {
+			response.BadRequest(c, "Invalid stream value, use true or false")
+			return
+		}
+		stream = &val
+	}
+
+	var billingType *int8
+	if billingTypeStr := c.Query("billing_type"); billingTypeStr != "" {
+		val, err := strconv.ParseInt(billingTypeStr, 10, 8)
+		if err != nil {
+			response.BadRequest(c, "Invalid billing_type")
+			return
+		}
+		bt := int8(val)
+		billingType = &bt
+	}
+
+	// Parse date range
+	var startTime, endTime *time.Time
+	if startDateStr := c.Query("start_date"); startDateStr != "" {
+		t, err := timezone.ParseInLocation("2006-01-02", startDateStr)
+		if err != nil {
+			response.BadRequest(c, "Invalid start_date format, use YYYY-MM-DD")
+			return
+		}
+		startTime = &t
+	}
+
+	if endDateStr := c.Query("end_date"); endDateStr != "" {
+		t, err := timezone.ParseInLocation("2006-01-02", endDateStr)
+		if err != nil {
+			response.BadRequest(c, "Invalid end_date format, use YYYY-MM-DD")
+			return
+		}
+		// Set end time to end of day
+		t = t.Add(24*time.Hour - time.Nanosecond)
+		endTime = &t
+	}
+
+	params := pagination.PaginationParams{Page: page, PageSize: pageSize}
+	filters := usagestats.UsageLogFilters{
+		UserID:      userID,
+		ApiKeyID:    apiKeyID,
+		AccountID:   accountID,
+		GroupID:     groupID,
+		Model:       model,
+		Stream:      stream,
+		BillingType: billingType,
+		StartTime:   startTime,
+		EndTime:     endTime,
+	}
+
+	records, result, err := h.usageService.ListWithFilters(c.Request.Context(), params, filters)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]dto.UsageLog, 0, len(records))
+	for i := range records {
+		out = append(out, *dto.UsageLogFromService(&records[i]))
+	}
+	response.Paginated(c, out, result.Total, page, pageSize)
+}
+
+// Stats handles getting usage statistics with filters
+// GET /api/v1/admin/usage/stats
+func (h *UsageHandler) Stats(c *gin.Context) {
+	// Parse filters
+	var userID, apiKeyID int64
+	if userIDStr := c.Query("user_id"); userIDStr != "" {
+		id, err := strconv.ParseInt(userIDStr, 10, 64)
+		if err != nil {
+			response.BadRequest(c, "Invalid user_id")
+			return
+		}
+		userID = id
+	}
+
+	if apiKeyIDStr := c.Query("api_key_id"); apiKeyIDStr != "" {
+		id, err := strconv.ParseInt(apiKeyIDStr, 10, 64)
+		if err != nil {
+			response.BadRequest(c, "Invalid api_key_id")
+			return
+		}
+		apiKeyID = id
+	}
+
+	// Parse date range
+	now := timezone.Now()
+	var startTime, endTime time.Time
+
+	startDateStr := c.Query("start_date")
+	endDateStr := c.Query("end_date")
+
+	if startDateStr != "" && endDateStr != "" {
+		var err error
+		startTime, err = timezone.ParseInLocation("2006-01-02", startDateStr)
+		if err != nil {
+			response.BadRequest(c, "Invalid start_date format, use YYYY-MM-DD")
+			return
+		}
+		endTime, err = timezone.ParseInLocation("2006-01-02", endDateStr)
+		if err != nil {
+			response.BadRequest(c, "Invalid end_date format, use YYYY-MM-DD")
+			return
+		}
+		endTime = endTime.Add(24*time.Hour - time.Nanosecond)
+	} else {
+		period := c.DefaultQuery("period", "today")
+		switch period {
+		case "today":
+			startTime = timezone.StartOfDay(now)
+		case "week":
+			startTime = now.AddDate(0, 0, -7)
+		case "month":
+			startTime = now.AddDate(0, -1, 0)
+		default:
+			startTime = timezone.StartOfDay(now)
+		}
+		endTime = now
+	}
+
+	if apiKeyID > 0 {
+		stats, err := h.usageService.GetStatsByApiKey(c.Request.Context(), apiKeyID, startTime, endTime)
+		if err != nil {
+			response.ErrorFrom(c, err)
+			return
+		}
+		response.Success(c, stats)
+		return
+	}
+
+	if userID > 0 {
+		stats, err := h.usageService.GetStatsByUser(c.Request.Context(), userID, startTime, endTime)
+		if err != nil {
+			response.ErrorFrom(c, err)
+			return
+		}
+		response.Success(c, stats)
+		return
+	}
+
+	// Get global stats
+	stats, err := h.usageService.GetGlobalStats(c.Request.Context(), startTime, endTime)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, stats)
+}
+
+// SearchUsers handles searching users by email keyword
+// GET /api/v1/admin/usage/search-users
+func (h *UsageHandler) SearchUsers(c *gin.Context) {
+	keyword := c.Query("q")
+	if keyword == "" {
+		response.Success(c, []any{})
+		return
+	}
+
+	// Limit to 30 results
+	users, _, err := h.adminService.ListUsers(c.Request.Context(), 1, 30, service.UserListFilters{Search: keyword})
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	// Return simplified user list (only id and email)
+	type SimpleUser struct {
+		ID    int64  `json:"id"`
+		Email string `json:"email"`
+	}
+
+	result := make([]SimpleUser, len(users))
+	for i, u := range users {
+		result[i] = SimpleUser{
+			ID:    u.ID,
+			Email: u.Email,
+		}
+	}
+
+	response.Success(c, result)
+}
+
+// SearchApiKeys handles searching API keys by user
+// GET /api/v1/admin/usage/search-api-keys
+func (h *UsageHandler) SearchApiKeys(c *gin.Context) {
+	userIDStr := c.Query("user_id")
+	keyword := c.Query("q")
+
+	var userID int64
+	if userIDStr != "" {
+		id, err := strconv.ParseInt(userIDStr, 10, 64)
+		if err != nil {
+			response.BadRequest(c, "Invalid user_id")
+			return
+		}
+		userID = id
+	}
+
+	keys, err := h.apiKeyService.SearchApiKeys(c.Request.Context(), userID, keyword, 30)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	// Return simplified API key list (only id and name)
+	type SimpleApiKey struct {
+		ID     int64  `json:"id"`
+		Name   string `json:"name"`
+		UserID int64  `json:"user_id"`
+	}
+
+	result := make([]SimpleApiKey, len(keys))
+	for i, k := range keys {
+		result[i] = SimpleApiKey{
+			ID:     k.ID,
+			Name:   k.Name,
+			UserID: k.UserID,
+		}
+	}
+
+	response.Success(c, result)
+}

backend/internal/handler/admin/user_attribute_handler.go

@@ -1,342 +1,342 @@
-package admin
-
-import (
-	"strconv"
-
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// UserAttributeHandler handles user attribute management
-type UserAttributeHandler struct {
-	attrService *service.UserAttributeService
-}
-
-// NewUserAttributeHandler creates a new handler
-func NewUserAttributeHandler(attrService *service.UserAttributeService) *UserAttributeHandler {
-	return &UserAttributeHandler{attrService: attrService}
-}
-
-// --- Request/Response DTOs ---
-
-// CreateAttributeDefinitionRequest represents create attribute definition request
-type CreateAttributeDefinitionRequest struct {
-	Key         string                          `json:"key" binding:"required,min=1,max=100"`
-	Name        string                          `json:"name" binding:"required,min=1,max=255"`
-	Description string                          `json:"description"`
-	Type        string                          `json:"type" binding:"required"`
-	Options     []service.UserAttributeOption   `json:"options"`
-	Required    bool                            `json:"required"`
-	Validation  service.UserAttributeValidation `json:"validation"`
-	Placeholder string                          `json:"placeholder"`
-	Enabled     bool                            `json:"enabled"`
-}
-
-// UpdateAttributeDefinitionRequest represents update attribute definition request
-type UpdateAttributeDefinitionRequest struct {
-	Name        *string                          `json:"name"`
-	Description *string                          `json:"description"`
-	Type        *string                          `json:"type"`
-	Options     *[]service.UserAttributeOption   `json:"options"`
-	Required    *bool                            `json:"required"`
-	Validation  *service.UserAttributeValidation `json:"validation"`
-	Placeholder *string                          `json:"placeholder"`
-	Enabled     *bool                            `json:"enabled"`
-}
-
-// ReorderRequest represents reorder attribute definitions request
-type ReorderRequest struct {
-	IDs []int64 `json:"ids" binding:"required"`
-}
-
-// UpdateUserAttributesRequest represents update user attributes request
-type UpdateUserAttributesRequest struct {
-	Values map[int64]string `json:"values" binding:"required"`
-}
-
-// BatchGetUserAttributesRequest represents batch get user attributes request
-type BatchGetUserAttributesRequest struct {
-	UserIDs []int64 `json:"user_ids" binding:"required"`
-}
-
-// BatchUserAttributesResponse represents batch user attributes response
-type BatchUserAttributesResponse struct {
-	// Map of userID -> map of attributeID -> value
-	Attributes map[int64]map[int64]string `json:"attributes"`
-}
-
-// AttributeDefinitionResponse represents attribute definition response
-type AttributeDefinitionResponse struct {
-	ID           int64                           `json:"id"`
-	Key          string                          `json:"key"`
-	Name         string                          `json:"name"`
-	Description  string                          `json:"description"`
-	Type         string                          `json:"type"`
-	Options      []service.UserAttributeOption   `json:"options"`
-	Required     bool                            `json:"required"`
-	Validation   service.UserAttributeValidation `json:"validation"`
-	Placeholder  string                          `json:"placeholder"`
-	DisplayOrder int                             `json:"display_order"`
-	Enabled      bool                            `json:"enabled"`
-	CreatedAt    string                          `json:"created_at"`
-	UpdatedAt    string                          `json:"updated_at"`
-}
-
-// AttributeValueResponse represents attribute value response
-type AttributeValueResponse struct {
-	ID          int64  `json:"id"`
-	UserID      int64  `json:"user_id"`
-	AttributeID int64  `json:"attribute_id"`
-	Value       string `json:"value"`
-	CreatedAt   string `json:"created_at"`
-	UpdatedAt   string `json:"updated_at"`
-}
-
-// --- Helpers ---
-
-func defToResponse(def *service.UserAttributeDefinition) *AttributeDefinitionResponse {
-	return &AttributeDefinitionResponse{
-		ID:           def.ID,
-		Key:          def.Key,
-		Name:         def.Name,
-		Description:  def.Description,
-		Type:         string(def.Type),
-		Options:      def.Options,
-		Required:     def.Required,
-		Validation:   def.Validation,
-		Placeholder:  def.Placeholder,
-		DisplayOrder: def.DisplayOrder,
-		Enabled:      def.Enabled,
-		CreatedAt:    def.CreatedAt.Format("2006-01-02T15:04:05Z07:00"),
-		UpdatedAt:    def.UpdatedAt.Format("2006-01-02T15:04:05Z07:00"),
-	}
-}
-
-func valueToResponse(val *service.UserAttributeValue) *AttributeValueResponse {
-	return &AttributeValueResponse{
-		ID:          val.ID,
-		UserID:      val.UserID,
-		AttributeID: val.AttributeID,
-		Value:       val.Value,
-		CreatedAt:   val.CreatedAt.Format("2006-01-02T15:04:05Z07:00"),
-		UpdatedAt:   val.UpdatedAt.Format("2006-01-02T15:04:05Z07:00"),
-	}
-}
-
-// --- Handlers ---
-
-// ListDefinitions lists all attribute definitions
-// GET /admin/user-attributes
-func (h *UserAttributeHandler) ListDefinitions(c *gin.Context) {
-	enabledOnly := c.Query("enabled") == "true"
-
-	defs, err := h.attrService.ListDefinitions(c.Request.Context(), enabledOnly)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]*AttributeDefinitionResponse, 0, len(defs))
-	for i := range defs {
-		out = append(out, defToResponse(&defs[i]))
-	}
-
-	response.Success(c, out)
-}
-
-// CreateDefinition creates a new attribute definition
-// POST /admin/user-attributes
-func (h *UserAttributeHandler) CreateDefinition(c *gin.Context) {
-	var req CreateAttributeDefinitionRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	def, err := h.attrService.CreateDefinition(c.Request.Context(), service.CreateAttributeDefinitionInput{
-		Key:         req.Key,
-		Name:        req.Name,
-		Description: req.Description,
-		Type:        service.UserAttributeType(req.Type),
-		Options:     req.Options,
-		Required:    req.Required,
-		Validation:  req.Validation,
-		Placeholder: req.Placeholder,
-		Enabled:     req.Enabled,
-	})
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, defToResponse(def))
-}
-
-// UpdateDefinition updates an attribute definition
-// PUT /admin/user-attributes/:id
-func (h *UserAttributeHandler) UpdateDefinition(c *gin.Context) {
-	id, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid attribute ID")
-		return
-	}
-
-	var req UpdateAttributeDefinitionRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	input := service.UpdateAttributeDefinitionInput{
-		Name:        req.Name,
-		Description: req.Description,
-		Options:     req.Options,
-		Required:    req.Required,
-		Validation:  req.Validation,
-		Placeholder: req.Placeholder,
-		Enabled:     req.Enabled,
-	}
-	if req.Type != nil {
-		t := service.UserAttributeType(*req.Type)
-		input.Type = &t
-	}
-
-	def, err := h.attrService.UpdateDefinition(c.Request.Context(), id, input)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, defToResponse(def))
-}
-
-// DeleteDefinition deletes an attribute definition
-// DELETE /admin/user-attributes/:id
-func (h *UserAttributeHandler) DeleteDefinition(c *gin.Context) {
-	id, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid attribute ID")
-		return
-	}
-
-	if err := h.attrService.DeleteDefinition(c.Request.Context(), id); err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{"message": "Attribute definition deleted successfully"})
-}
-
-// ReorderDefinitions reorders attribute definitions
-// PUT /admin/user-attributes/reorder
-func (h *UserAttributeHandler) ReorderDefinitions(c *gin.Context) {
-	var req ReorderRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	// Convert IDs array to orders map (position in array = display_order)
-	orders := make(map[int64]int, len(req.IDs))
-	for i, id := range req.IDs {
-		orders[id] = i
-	}
-
-	if err := h.attrService.ReorderDefinitions(c.Request.Context(), orders); err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{"message": "Reorder successful"})
-}
-
-// GetUserAttributes gets a user's attribute values
-// GET /admin/users/:id/attributes
-func (h *UserAttributeHandler) GetUserAttributes(c *gin.Context) {
-	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid user ID")
-		return
-	}
-
-	values, err := h.attrService.GetUserAttributes(c.Request.Context(), userID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]*AttributeValueResponse, 0, len(values))
-	for i := range values {
-		out = append(out, valueToResponse(&values[i]))
-	}
-
-	response.Success(c, out)
-}
-
-// UpdateUserAttributes updates a user's attribute values
-// PUT /admin/users/:id/attributes
-func (h *UserAttributeHandler) UpdateUserAttributes(c *gin.Context) {
-	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid user ID")
-		return
-	}
-
-	var req UpdateUserAttributesRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	inputs := make([]service.UpdateUserAttributeInput, 0, len(req.Values))
-	for attrID, value := range req.Values {
-		inputs = append(inputs, service.UpdateUserAttributeInput{
-			AttributeID: attrID,
-			Value:       value,
-		})
-	}
-
-	if err := h.attrService.UpdateUserAttributes(c.Request.Context(), userID, inputs); err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	// Return updated values
-	values, err := h.attrService.GetUserAttributes(c.Request.Context(), userID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]*AttributeValueResponse, 0, len(values))
-	for i := range values {
-		out = append(out, valueToResponse(&values[i]))
-	}
-
-	response.Success(c, out)
-}
-
-// GetBatchUserAttributes gets attribute values for multiple users
-// POST /admin/user-attributes/batch
-func (h *UserAttributeHandler) GetBatchUserAttributes(c *gin.Context) {
-	var req BatchGetUserAttributesRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	if len(req.UserIDs) == 0 {
-		response.Success(c, BatchUserAttributesResponse{Attributes: map[int64]map[int64]string{}})
-		return
-	}
-
-	attrs, err := h.attrService.GetBatchUserAttributes(c.Request.Context(), req.UserIDs)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, BatchUserAttributesResponse{Attributes: attrs})
-}
+package admin
+
+import (
+	"strconv"
+
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// UserAttributeHandler handles user attribute management
+type UserAttributeHandler struct {
+	attrService *service.UserAttributeService
+}
+
+// NewUserAttributeHandler creates a new handler
+func NewUserAttributeHandler(attrService *service.UserAttributeService) *UserAttributeHandler {
+	return &UserAttributeHandler{attrService: attrService}
+}
+
+// --- Request/Response DTOs ---
+
+// CreateAttributeDefinitionRequest represents create attribute definition request
+type CreateAttributeDefinitionRequest struct {
+	Key         string                          `json:"key" binding:"required,min=1,max=100"`
+	Name        string                          `json:"name" binding:"required,min=1,max=255"`
+	Description string                          `json:"description"`
+	Type        string                          `json:"type" binding:"required"`
+	Options     []service.UserAttributeOption   `json:"options"`
+	Required    bool                            `json:"required"`
+	Validation  service.UserAttributeValidation `json:"validation"`
+	Placeholder string                          `json:"placeholder"`
+	Enabled     bool                            `json:"enabled"`
+}
+
+// UpdateAttributeDefinitionRequest represents update attribute definition request
+type UpdateAttributeDefinitionRequest struct {
+	Name        *string                          `json:"name"`
+	Description *string                          `json:"description"`
+	Type        *string                          `json:"type"`
+	Options     *[]service.UserAttributeOption   `json:"options"`
+	Required    *bool                            `json:"required"`
+	Validation  *service.UserAttributeValidation `json:"validation"`
+	Placeholder *string                          `json:"placeholder"`
+	Enabled     *bool                            `json:"enabled"`
+}
+
+// ReorderRequest represents reorder attribute definitions request
+type ReorderRequest struct {
+	IDs []int64 `json:"ids" binding:"required"`
+}
+
+// UpdateUserAttributesRequest represents update user attributes request
+type UpdateUserAttributesRequest struct {
+	Values map[int64]string `json:"values" binding:"required"`
+}
+
+// BatchGetUserAttributesRequest represents batch get user attributes request
+type BatchGetUserAttributesRequest struct {
+	UserIDs []int64 `json:"user_ids" binding:"required"`
+}
+
+// BatchUserAttributesResponse represents batch user attributes response
+type BatchUserAttributesResponse struct {
+	// Map of userID -> map of attributeID -> value
+	Attributes map[int64]map[int64]string `json:"attributes"`
+}
+
+// AttributeDefinitionResponse represents attribute definition response
+type AttributeDefinitionResponse struct {
+	ID           int64                           `json:"id"`
+	Key          string                          `json:"key"`
+	Name         string                          `json:"name"`
+	Description  string                          `json:"description"`
+	Type         string                          `json:"type"`
+	Options      []service.UserAttributeOption   `json:"options"`
+	Required     bool                            `json:"required"`
+	Validation   service.UserAttributeValidation `json:"validation"`
+	Placeholder  string                          `json:"placeholder"`
+	DisplayOrder int                             `json:"display_order"`
+	Enabled      bool                            `json:"enabled"`
+	CreatedAt    string                          `json:"created_at"`
+	UpdatedAt    string                          `json:"updated_at"`
+}
+
+// AttributeValueResponse represents attribute value response
+type AttributeValueResponse struct {
+	ID          int64  `json:"id"`
+	UserID      int64  `json:"user_id"`
+	AttributeID int64  `json:"attribute_id"`
+	Value       string `json:"value"`
+	CreatedAt   string `json:"created_at"`
+	UpdatedAt   string `json:"updated_at"`
+}
+
+// --- Helpers ---
+
+func defToResponse(def *service.UserAttributeDefinition) *AttributeDefinitionResponse {
+	return &AttributeDefinitionResponse{
+		ID:           def.ID,
+		Key:          def.Key,
+		Name:         def.Name,
+		Description:  def.Description,
+		Type:         string(def.Type),
+		Options:      def.Options,
+		Required:     def.Required,
+		Validation:   def.Validation,
+		Placeholder:  def.Placeholder,
+		DisplayOrder: def.DisplayOrder,
+		Enabled:      def.Enabled,
+		CreatedAt:    def.CreatedAt.Format("2006-01-02T15:04:05Z07:00"),
+		UpdatedAt:    def.UpdatedAt.Format("2006-01-02T15:04:05Z07:00"),
+	}
+}
+
+func valueToResponse(val *service.UserAttributeValue) *AttributeValueResponse {
+	return &AttributeValueResponse{
+		ID:          val.ID,
+		UserID:      val.UserID,
+		AttributeID: val.AttributeID,
+		Value:       val.Value,
+		CreatedAt:   val.CreatedAt.Format("2006-01-02T15:04:05Z07:00"),
+		UpdatedAt:   val.UpdatedAt.Format("2006-01-02T15:04:05Z07:00"),
+	}
+}
+
+// --- Handlers ---
+
+// ListDefinitions lists all attribute definitions
+// GET /admin/user-attributes
+func (h *UserAttributeHandler) ListDefinitions(c *gin.Context) {
+	enabledOnly := c.Query("enabled") == "true"
+
+	defs, err := h.attrService.ListDefinitions(c.Request.Context(), enabledOnly)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]*AttributeDefinitionResponse, 0, len(defs))
+	for i := range defs {
+		out = append(out, defToResponse(&defs[i]))
+	}
+
+	response.Success(c, out)
+}
+
+// CreateDefinition creates a new attribute definition
+// POST /admin/user-attributes
+func (h *UserAttributeHandler) CreateDefinition(c *gin.Context) {
+	var req CreateAttributeDefinitionRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	def, err := h.attrService.CreateDefinition(c.Request.Context(), service.CreateAttributeDefinitionInput{
+		Key:         req.Key,
+		Name:        req.Name,
+		Description: req.Description,
+		Type:        service.UserAttributeType(req.Type),
+		Options:     req.Options,
+		Required:    req.Required,
+		Validation:  req.Validation,
+		Placeholder: req.Placeholder,
+		Enabled:     req.Enabled,
+	})
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, defToResponse(def))
+}
+
+// UpdateDefinition updates an attribute definition
+// PUT /admin/user-attributes/:id
+func (h *UserAttributeHandler) UpdateDefinition(c *gin.Context) {
+	id, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid attribute ID")
+		return
+	}
+
+	var req UpdateAttributeDefinitionRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	input := service.UpdateAttributeDefinitionInput{
+		Name:        req.Name,
+		Description: req.Description,
+		Options:     req.Options,
+		Required:    req.Required,
+		Validation:  req.Validation,
+		Placeholder: req.Placeholder,
+		Enabled:     req.Enabled,
+	}
+	if req.Type != nil {
+		t := service.UserAttributeType(*req.Type)
+		input.Type = &t
+	}
+
+	def, err := h.attrService.UpdateDefinition(c.Request.Context(), id, input)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, defToResponse(def))
+}
+
+// DeleteDefinition deletes an attribute definition
+// DELETE /admin/user-attributes/:id
+func (h *UserAttributeHandler) DeleteDefinition(c *gin.Context) {
+	id, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid attribute ID")
+		return
+	}
+
+	if err := h.attrService.DeleteDefinition(c.Request.Context(), id); err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Attribute definition deleted successfully"})
+}
+
+// ReorderDefinitions reorders attribute definitions
+// PUT /admin/user-attributes/reorder
+func (h *UserAttributeHandler) ReorderDefinitions(c *gin.Context) {
+	var req ReorderRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	// Convert IDs array to orders map (position in array = display_order)
+	orders := make(map[int64]int, len(req.IDs))
+	for i, id := range req.IDs {
+		orders[id] = i
+	}
+
+	if err := h.attrService.ReorderDefinitions(c.Request.Context(), orders); err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Reorder successful"})
+}
+
+// GetUserAttributes gets a user's attribute values
+// GET /admin/users/:id/attributes
+func (h *UserAttributeHandler) GetUserAttributes(c *gin.Context) {
+	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid user ID")
+		return
+	}
+
+	values, err := h.attrService.GetUserAttributes(c.Request.Context(), userID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]*AttributeValueResponse, 0, len(values))
+	for i := range values {
+		out = append(out, valueToResponse(&values[i]))
+	}
+
+	response.Success(c, out)
+}
+
+// UpdateUserAttributes updates a user's attribute values
+// PUT /admin/users/:id/attributes
+func (h *UserAttributeHandler) UpdateUserAttributes(c *gin.Context) {
+	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid user ID")
+		return
+	}
+
+	var req UpdateUserAttributesRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	inputs := make([]service.UpdateUserAttributeInput, 0, len(req.Values))
+	for attrID, value := range req.Values {
+		inputs = append(inputs, service.UpdateUserAttributeInput{
+			AttributeID: attrID,
+			Value:       value,
+		})
+	}
+
+	if err := h.attrService.UpdateUserAttributes(c.Request.Context(), userID, inputs); err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	// Return updated values
+	values, err := h.attrService.GetUserAttributes(c.Request.Context(), userID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]*AttributeValueResponse, 0, len(values))
+	for i := range values {
+		out = append(out, valueToResponse(&values[i]))
+	}
+
+	response.Success(c, out)
+}
+
+// GetBatchUserAttributes gets attribute values for multiple users
+// POST /admin/user-attributes/batch
+func (h *UserAttributeHandler) GetBatchUserAttributes(c *gin.Context) {
+	var req BatchGetUserAttributesRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	if len(req.UserIDs) == 0 {
+		response.Success(c, BatchUserAttributesResponse{Attributes: map[int64]map[int64]string{}})
+		return
+	}
+
+	attrs, err := h.attrService.GetBatchUserAttributes(c.Request.Context(), req.UserIDs)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, BatchUserAttributesResponse{Attributes: attrs})
+}

backend/internal/handler/admin/user_handler.go

@@ -1,271 +1,271 @@
-package admin
-
-import (
-	"strconv"
-
-	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// UserHandler handles admin user management
-type UserHandler struct {
-	adminService service.AdminService
-}
-
-// NewUserHandler creates a new admin user handler
-func NewUserHandler(adminService service.AdminService) *UserHandler {
-	return &UserHandler{
-		adminService: adminService,
-	}
-}
-
-// CreateUserRequest represents admin create user request
-type CreateUserRequest struct {
-	Email         string  `json:"email" binding:"required,email"`
-	Password      string  `json:"password" binding:"required,min=6"`
-	Username      string  `json:"username"`
-	Notes         string  `json:"notes"`
-	Balance       float64 `json:"balance"`
-	Concurrency   int     `json:"concurrency"`
-	AllowedGroups []int64 `json:"allowed_groups"`
-}
-
-// UpdateUserRequest represents admin update user request
-// 使用指针类型来区分"未提供"和"设置为0"
-type UpdateUserRequest struct {
-	Email         string   `json:"email" binding:"omitempty,email"`
-	Password      string   `json:"password" binding:"omitempty,min=6"`
-	Username      *string  `json:"username"`
-	Notes         *string  `json:"notes"`
-	Balance       *float64 `json:"balance"`
-	Concurrency   *int     `json:"concurrency"`
-	Status        string   `json:"status" binding:"omitempty,oneof=active disabled"`
-	AllowedGroups *[]int64 `json:"allowed_groups"`
-}
-
-// UpdateBalanceRequest represents balance update request
-type UpdateBalanceRequest struct {
-	Balance   float64 `json:"balance" binding:"required,gt=0"`
-	Operation string  `json:"operation" binding:"required,oneof=set add subtract"`
-	Notes     string  `json:"notes"`
-}
-
-// List handles listing all users with pagination
-// GET /api/v1/admin/users
-// Query params:
-//   - status: filter by user status
-//   - role: filter by user role
-//   - search: search in email, username
-//   - attr[{id}]: filter by custom attribute value, e.g. attr[1]=company
-func (h *UserHandler) List(c *gin.Context) {
-	page, pageSize := response.ParsePagination(c)
-
-	filters := service.UserListFilters{
-		Status:     c.Query("status"),
-		Role:       c.Query("role"),
-		Search:     c.Query("search"),
-		Attributes: parseAttributeFilters(c),
-	}
-
-	users, total, err := h.adminService.ListUsers(c.Request.Context(), page, pageSize, filters)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]dto.User, 0, len(users))
-	for i := range users {
-		out = append(out, *dto.UserFromService(&users[i]))
-	}
-	response.Paginated(c, out, total, page, pageSize)
-}
-
-// parseAttributeFilters extracts attribute filters from query params
-// Format: attr[{attributeID}]=value, e.g. attr[1]=company&attr[2]=developer
-func parseAttributeFilters(c *gin.Context) map[int64]string {
-	result := make(map[int64]string)
-
-	// Get all query params and look for attr[*] pattern
-	for key, values := range c.Request.URL.Query() {
-		if len(values) == 0 || values[0] == "" {
-			continue
-		}
-		// Check if key matches pattern attr[{id}]
-		if len(key) > 5 && key[:5] == "attr[" && key[len(key)-1] == ']' {
-			idStr := key[5 : len(key)-1]
-			id, err := strconv.ParseInt(idStr, 10, 64)
-			if err == nil && id > 0 {
-				result[id] = values[0]
-			}
-		}
-	}
-
-	return result
-}
-
-// GetByID handles getting a user by ID
-// GET /api/v1/admin/users/:id
-func (h *UserHandler) GetByID(c *gin.Context) {
-	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid user ID")
-		return
-	}
-
-	user, err := h.adminService.GetUser(c.Request.Context(), userID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.UserFromService(user))
-}
-
-// Create handles creating a new user
-// POST /api/v1/admin/users
-func (h *UserHandler) Create(c *gin.Context) {
-	var req CreateUserRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	user, err := h.adminService.CreateUser(c.Request.Context(), &service.CreateUserInput{
-		Email:         req.Email,
-		Password:      req.Password,
-		Username:      req.Username,
-		Notes:         req.Notes,
-		Balance:       req.Balance,
-		Concurrency:   req.Concurrency,
-		AllowedGroups: req.AllowedGroups,
-	})
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.UserFromService(user))
-}
-
-// Update handles updating a user
-// PUT /api/v1/admin/users/:id
-func (h *UserHandler) Update(c *gin.Context) {
-	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid user ID")
-		return
-	}
-
-	var req UpdateUserRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	// 使用指针类型直接传递，nil 表示未提供该字段
-	user, err := h.adminService.UpdateUser(c.Request.Context(), userID, &service.UpdateUserInput{
-		Email:         req.Email,
-		Password:      req.Password,
-		Username:      req.Username,
-		Notes:         req.Notes,
-		Balance:       req.Balance,
-		Concurrency:   req.Concurrency,
-		Status:        req.Status,
-		AllowedGroups: req.AllowedGroups,
-	})
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.UserFromService(user))
-}
-
-// Delete handles deleting a user
-// DELETE /api/v1/admin/users/:id
-func (h *UserHandler) Delete(c *gin.Context) {
-	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid user ID")
-		return
-	}
-
-	err = h.adminService.DeleteUser(c.Request.Context(), userID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{"message": "User deleted successfully"})
-}
-
-// UpdateBalance handles updating user balance
-// POST /api/v1/admin/users/:id/balance
-func (h *UserHandler) UpdateBalance(c *gin.Context) {
-	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid user ID")
-		return
-	}
-
-	var req UpdateBalanceRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	user, err := h.adminService.UpdateUserBalance(c.Request.Context(), userID, req.Balance, req.Operation, req.Notes)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.UserFromService(user))
-}
-
-// GetUserAPIKeys handles getting user's API keys
-// GET /api/v1/admin/users/:id/api-keys
-func (h *UserHandler) GetUserAPIKeys(c *gin.Context) {
-	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid user ID")
-		return
-	}
-
-	page, pageSize := response.ParsePagination(c)
-
-	keys, total, err := h.adminService.GetUserAPIKeys(c.Request.Context(), userID, page, pageSize)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]dto.ApiKey, 0, len(keys))
-	for i := range keys {
-		out = append(out, *dto.ApiKeyFromService(&keys[i]))
-	}
-	response.Paginated(c, out, total, page, pageSize)
-}
-
-// GetUserUsage handles getting user's usage statistics
-// GET /api/v1/admin/users/:id/usage
-func (h *UserHandler) GetUserUsage(c *gin.Context) {
-	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid user ID")
-		return
-	}
-
-	period := c.DefaultQuery("period", "month")
-
-	stats, err := h.adminService.GetUserUsageStats(c.Request.Context(), userID, period)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, stats)
-}
+package admin
+
+import (
+	"strconv"
+
+	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// UserHandler handles admin user management
+type UserHandler struct {
+	adminService service.AdminService
+}
+
+// NewUserHandler creates a new admin user handler
+func NewUserHandler(adminService service.AdminService) *UserHandler {
+	return &UserHandler{
+		adminService: adminService,
+	}
+}
+
+// CreateUserRequest represents admin create user request
+type CreateUserRequest struct {
+	Email         string  `json:"email" binding:"required,email"`
+	Password      string  `json:"password" binding:"required,min=6"`
+	Username      string  `json:"username"`
+	Notes         string  `json:"notes"`
+	Balance       float64 `json:"balance"`
+	Concurrency   int     `json:"concurrency"`
+	AllowedGroups []int64 `json:"allowed_groups"`
+}
+
+// UpdateUserRequest represents admin update user request
+// 使用指针类型来区分"未提供"和"设置为0"
+type UpdateUserRequest struct {
+	Email         string   `json:"email" binding:"omitempty,email"`
+	Password      string   `json:"password" binding:"omitempty,min=6"`
+	Username      *string  `json:"username"`
+	Notes         *string  `json:"notes"`
+	Balance       *float64 `json:"balance"`
+	Concurrency   *int     `json:"concurrency"`
+	Status        string   `json:"status" binding:"omitempty,oneof=active disabled"`
+	AllowedGroups *[]int64 `json:"allowed_groups"`
+}
+
+// UpdateBalanceRequest represents balance update request
+type UpdateBalanceRequest struct {
+	Balance   float64 `json:"balance" binding:"required,gt=0"`
+	Operation string  `json:"operation" binding:"required,oneof=set add subtract"`
+	Notes     string  `json:"notes"`
+}
+
+// List handles listing all users with pagination
+// GET /api/v1/admin/users
+// Query params:
+//   - status: filter by user status
+//   - role: filter by user role
+//   - search: search in email, username
+//   - attr[{id}]: filter by custom attribute value, e.g. attr[1]=company
+func (h *UserHandler) List(c *gin.Context) {
+	page, pageSize := response.ParsePagination(c)
+
+	filters := service.UserListFilters{
+		Status:     c.Query("status"),
+		Role:       c.Query("role"),
+		Search:     c.Query("search"),
+		Attributes: parseAttributeFilters(c),
+	}
+
+	users, total, err := h.adminService.ListUsers(c.Request.Context(), page, pageSize, filters)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]dto.User, 0, len(users))
+	for i := range users {
+		out = append(out, *dto.UserFromService(&users[i]))
+	}
+	response.Paginated(c, out, total, page, pageSize)
+}
+
+// parseAttributeFilters extracts attribute filters from query params
+// Format: attr[{attributeID}]=value, e.g. attr[1]=company&attr[2]=developer
+func parseAttributeFilters(c *gin.Context) map[int64]string {
+	result := make(map[int64]string)
+
+	// Get all query params and look for attr[*] pattern
+	for key, values := range c.Request.URL.Query() {
+		if len(values) == 0 || values[0] == "" {
+			continue
+		}
+		// Check if key matches pattern attr[{id}]
+		if len(key) > 5 && key[:5] == "attr[" && key[len(key)-1] == ']' {
+			idStr := key[5 : len(key)-1]
+			id, err := strconv.ParseInt(idStr, 10, 64)
+			if err == nil && id > 0 {
+				result[id] = values[0]
+			}
+		}
+	}
+
+	return result
+}
+
+// GetByID handles getting a user by ID
+// GET /api/v1/admin/users/:id
+func (h *UserHandler) GetByID(c *gin.Context) {
+	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid user ID")
+		return
+	}
+
+	user, err := h.adminService.GetUser(c.Request.Context(), userID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.UserFromService(user))
+}
+
+// Create handles creating a new user
+// POST /api/v1/admin/users
+func (h *UserHandler) Create(c *gin.Context) {
+	var req CreateUserRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	user, err := h.adminService.CreateUser(c.Request.Context(), &service.CreateUserInput{
+		Email:         req.Email,
+		Password:      req.Password,
+		Username:      req.Username,
+		Notes:         req.Notes,
+		Balance:       req.Balance,
+		Concurrency:   req.Concurrency,
+		AllowedGroups: req.AllowedGroups,
+	})
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.UserFromService(user))
+}
+
+// Update handles updating a user
+// PUT /api/v1/admin/users/:id
+func (h *UserHandler) Update(c *gin.Context) {
+	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid user ID")
+		return
+	}
+
+	var req UpdateUserRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	// 使用指针类型直接传递，nil 表示未提供该字段
+	user, err := h.adminService.UpdateUser(c.Request.Context(), userID, &service.UpdateUserInput{
+		Email:         req.Email,
+		Password:      req.Password,
+		Username:      req.Username,
+		Notes:         req.Notes,
+		Balance:       req.Balance,
+		Concurrency:   req.Concurrency,
+		Status:        req.Status,
+		AllowedGroups: req.AllowedGroups,
+	})
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.UserFromService(user))
+}
+
+// Delete handles deleting a user
+// DELETE /api/v1/admin/users/:id
+func (h *UserHandler) Delete(c *gin.Context) {
+	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid user ID")
+		return
+	}
+
+	err = h.adminService.DeleteUser(c.Request.Context(), userID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{"message": "User deleted successfully"})
+}
+
+// UpdateBalance handles updating user balance
+// POST /api/v1/admin/users/:id/balance
+func (h *UserHandler) UpdateBalance(c *gin.Context) {
+	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid user ID")
+		return
+	}
+
+	var req UpdateBalanceRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	user, err := h.adminService.UpdateUserBalance(c.Request.Context(), userID, req.Balance, req.Operation, req.Notes)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.UserFromService(user))
+}
+
+// GetUserAPIKeys handles getting user's API keys
+// GET /api/v1/admin/users/:id/api-keys
+func (h *UserHandler) GetUserAPIKeys(c *gin.Context) {
+	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid user ID")
+		return
+	}
+
+	page, pageSize := response.ParsePagination(c)
+
+	keys, total, err := h.adminService.GetUserAPIKeys(c.Request.Context(), userID, page, pageSize)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]dto.ApiKey, 0, len(keys))
+	for i := range keys {
+		out = append(out, *dto.ApiKeyFromService(&keys[i]))
+	}
+	response.Paginated(c, out, total, page, pageSize)
+}
+
+// GetUserUsage handles getting user's usage statistics
+// GET /api/v1/admin/users/:id/usage
+func (h *UserHandler) GetUserUsage(c *gin.Context) {
+	userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid user ID")
+		return
+	}
+
+	period := c.DefaultQuery("period", "month")
+
+	stats, err := h.adminService.GetUserUsageStats(c.Request.Context(), userID, period)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, stats)
+}

backend/internal/handler/api_key_handler.go

@@ -1,208 +1,208 @@
-package handler
-
-import (
-	"strconv"
-
-	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/pagination"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// APIKeyHandler handles API key-related requests
-type APIKeyHandler struct {
-	apiKeyService *service.ApiKeyService
-}
-
-// NewAPIKeyHandler creates a new APIKeyHandler
-func NewAPIKeyHandler(apiKeyService *service.ApiKeyService) *APIKeyHandler {
-	return &APIKeyHandler{
-		apiKeyService: apiKeyService,
-	}
-}
-
-// CreateAPIKeyRequest represents the create API key request payload
-type CreateAPIKeyRequest struct {
-	Name      string  `json:"name" binding:"required"`
-	GroupID   *int64  `json:"group_id"`   // nullable
-	CustomKey *string `json:"custom_key"` // 可选的自定义key
-}
-
-// UpdateAPIKeyRequest represents the update API key request payload
-type UpdateAPIKeyRequest struct {
-	Name    string `json:"name"`
-	GroupID *int64 `json:"group_id"`
-	Status  string `json:"status" binding:"omitempty,oneof=active inactive"`
-}
-
-// List handles listing user's API keys with pagination
-// GET /api/v1/api-keys
-func (h *APIKeyHandler) List(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	page, pageSize := response.ParsePagination(c)
-	params := pagination.PaginationParams{Page: page, PageSize: pageSize}
-
-	keys, result, err := h.apiKeyService.List(c.Request.Context(), subject.UserID, params)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]dto.ApiKey, 0, len(keys))
-	for i := range keys {
-		out = append(out, *dto.ApiKeyFromService(&keys[i]))
-	}
-	response.Paginated(c, out, result.Total, page, pageSize)
-}
-
-// GetByID handles getting a single API key
-// GET /api/v1/api-keys/:id
-func (h *APIKeyHandler) GetByID(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	keyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid key ID")
-		return
-	}
-
-	key, err := h.apiKeyService.GetByID(c.Request.Context(), keyID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	// 验证所有权
-	if key.UserID != subject.UserID {
-		response.Forbidden(c, "Not authorized to access this key")
-		return
-	}
-
-	response.Success(c, dto.ApiKeyFromService(key))
-}
-
-// Create handles creating a new API key
-// POST /api/v1/api-keys
-func (h *APIKeyHandler) Create(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	var req CreateAPIKeyRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	svcReq := service.CreateApiKeyRequest{
-		Name:      req.Name,
-		GroupID:   req.GroupID,
-		CustomKey: req.CustomKey,
-	}
-	key, err := h.apiKeyService.Create(c.Request.Context(), subject.UserID, svcReq)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.ApiKeyFromService(key))
-}
-
-// Update handles updating an API key
-// PUT /api/v1/api-keys/:id
-func (h *APIKeyHandler) Update(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	keyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid key ID")
-		return
-	}
-
-	var req UpdateAPIKeyRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	svcReq := service.UpdateApiKeyRequest{}
-	if req.Name != "" {
-		svcReq.Name = &req.Name
-	}
-	svcReq.GroupID = req.GroupID
-	if req.Status != "" {
-		svcReq.Status = &req.Status
-	}
-
-	key, err := h.apiKeyService.Update(c.Request.Context(), keyID, subject.UserID, svcReq)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.ApiKeyFromService(key))
-}
-
-// Delete handles deleting an API key
-// DELETE /api/v1/api-keys/:id
-func (h *APIKeyHandler) Delete(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	keyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid key ID")
-		return
-	}
-
-	err = h.apiKeyService.Delete(c.Request.Context(), keyID, subject.UserID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{"message": "API key deleted successfully"})
-}
-
-// GetAvailableGroups 获取用户可以绑定的分组列表
-// GET /api/v1/groups/available
-func (h *APIKeyHandler) GetAvailableGroups(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	groups, err := h.apiKeyService.GetAvailableGroups(c.Request.Context(), subject.UserID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]dto.Group, 0, len(groups))
-	for i := range groups {
-		out = append(out, *dto.GroupFromService(&groups[i]))
-	}
-	response.Success(c, out)
-}
+package handler
+
+import (
+	"strconv"
+
+	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/pagination"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// APIKeyHandler handles API key-related requests
+type APIKeyHandler struct {
+	apiKeyService *service.ApiKeyService
+}
+
+// NewAPIKeyHandler creates a new APIKeyHandler
+func NewAPIKeyHandler(apiKeyService *service.ApiKeyService) *APIKeyHandler {
+	return &APIKeyHandler{
+		apiKeyService: apiKeyService,
+	}
+}
+
+// CreateAPIKeyRequest represents the create API key request payload
+type CreateAPIKeyRequest struct {
+	Name      string  `json:"name" binding:"required"`
+	GroupID   *int64  `json:"group_id"`   // nullable
+	CustomKey *string `json:"custom_key"` // 可选的自定义key
+}
+
+// UpdateAPIKeyRequest represents the update API key request payload
+type UpdateAPIKeyRequest struct {
+	Name    string `json:"name"`
+	GroupID *int64 `json:"group_id"`
+	Status  string `json:"status" binding:"omitempty,oneof=active inactive"`
+}
+
+// List handles listing user's API keys with pagination
+// GET /api/v1/api-keys
+func (h *APIKeyHandler) List(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	page, pageSize := response.ParsePagination(c)
+	params := pagination.PaginationParams{Page: page, PageSize: pageSize}
+
+	keys, result, err := h.apiKeyService.List(c.Request.Context(), subject.UserID, params)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]dto.ApiKey, 0, len(keys))
+	for i := range keys {
+		out = append(out, *dto.ApiKeyFromService(&keys[i]))
+	}
+	response.Paginated(c, out, result.Total, page, pageSize)
+}
+
+// GetByID handles getting a single API key
+// GET /api/v1/api-keys/:id
+func (h *APIKeyHandler) GetByID(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	keyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid key ID")
+		return
+	}
+
+	key, err := h.apiKeyService.GetByID(c.Request.Context(), keyID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	// 验证所有权
+	if key.UserID != subject.UserID {
+		response.Forbidden(c, "Not authorized to access this key")
+		return
+	}
+
+	response.Success(c, dto.ApiKeyFromService(key))
+}
+
+// Create handles creating a new API key
+// POST /api/v1/api-keys
+func (h *APIKeyHandler) Create(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	var req CreateAPIKeyRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	svcReq := service.CreateApiKeyRequest{
+		Name:      req.Name,
+		GroupID:   req.GroupID,
+		CustomKey: req.CustomKey,
+	}
+	key, err := h.apiKeyService.Create(c.Request.Context(), subject.UserID, svcReq)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.ApiKeyFromService(key))
+}
+
+// Update handles updating an API key
+// PUT /api/v1/api-keys/:id
+func (h *APIKeyHandler) Update(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	keyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid key ID")
+		return
+	}
+
+	var req UpdateAPIKeyRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	svcReq := service.UpdateApiKeyRequest{}
+	if req.Name != "" {
+		svcReq.Name = &req.Name
+	}
+	svcReq.GroupID = req.GroupID
+	if req.Status != "" {
+		svcReq.Status = &req.Status
+	}
+
+	key, err := h.apiKeyService.Update(c.Request.Context(), keyID, subject.UserID, svcReq)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.ApiKeyFromService(key))
+}
+
+// Delete handles deleting an API key
+// DELETE /api/v1/api-keys/:id
+func (h *APIKeyHandler) Delete(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	keyID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid key ID")
+		return
+	}
+
+	err = h.apiKeyService.Delete(c.Request.Context(), keyID, subject.UserID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{"message": "API key deleted successfully"})
+}
+
+// GetAvailableGroups 获取用户可以绑定的分组列表
+// GET /api/v1/groups/available
+func (h *APIKeyHandler) GetAvailableGroups(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	groups, err := h.apiKeyService.GetAvailableGroups(c.Request.Context(), subject.UserID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]dto.Group, 0, len(groups))
+	for i := range groups {
+		out = append(out, *dto.GroupFromService(&groups[i]))
+	}
+	response.Success(c, out)
+}

backend/internal/handler/auth_handler.go

@@ -1,174 +1,174 @@
-package handler
-
-import (
-	"github.com/Wei-Shaw/sub2api/internal/config"
-	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// AuthHandler handles authentication-related requests
-type AuthHandler struct {
-	cfg         *config.Config
-	authService *service.AuthService
-	userService *service.UserService
-}
-
-// NewAuthHandler creates a new AuthHandler
-func NewAuthHandler(cfg *config.Config, authService *service.AuthService, userService *service.UserService) *AuthHandler {
-	return &AuthHandler{
-		cfg:         cfg,
-		authService: authService,
-		userService: userService,
-	}
-}
-
-// RegisterRequest represents the registration request payload
-type RegisterRequest struct {
-	Email          string `json:"email" binding:"required,email"`
-	Password       string `json:"password" binding:"required,min=6"`
-	VerifyCode     string `json:"verify_code"`
-	TurnstileToken string `json:"turnstile_token"`
-}
-
-// SendVerifyCodeRequest 发送验证码请求
-type SendVerifyCodeRequest struct {
-	Email          string `json:"email" binding:"required,email"`
-	TurnstileToken string `json:"turnstile_token"`
-}
-
-// SendVerifyCodeResponse 发送验证码响应
-type SendVerifyCodeResponse struct {
-	Message   string `json:"message"`
-	Countdown int    `json:"countdown"` // 倒计时秒数
-}
-
-// LoginRequest represents the login request payload
-type LoginRequest struct {
-	Email          string `json:"email" binding:"required,email"`
-	Password       string `json:"password" binding:"required"`
-	TurnstileToken string `json:"turnstile_token"`
-}
-
-// AuthResponse 认证响应格式（匹配前端期望）
-type AuthResponse struct {
-	AccessToken string    `json:"access_token"`
-	TokenType   string    `json:"token_type"`
-	User        *dto.User `json:"user"`
-}
-
-// Register handles user registration
-// POST /api/v1/auth/register
-func (h *AuthHandler) Register(c *gin.Context) {
-	var req RegisterRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	// Turnstile 验证（当提供了邮箱验证码时跳过，因为发送验证码时已验证过）
-	if req.VerifyCode == "" {
-		if err := h.authService.VerifyTurnstile(c.Request.Context(), req.TurnstileToken, c.ClientIP()); err != nil {
-			response.ErrorFrom(c, err)
-			return
-		}
-	}
-
-	token, user, err := h.authService.RegisterWithVerification(c.Request.Context(), req.Email, req.Password, req.VerifyCode)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, AuthResponse{
-		AccessToken: token,
-		TokenType:   "Bearer",
-		User:        dto.UserFromService(user),
-	})
-}
-
-// SendVerifyCode 发送邮箱验证码
-// POST /api/v1/auth/send-verify-code
-func (h *AuthHandler) SendVerifyCode(c *gin.Context) {
-	var req SendVerifyCodeRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	// Turnstile 验证
-	if err := h.authService.VerifyTurnstile(c.Request.Context(), req.TurnstileToken, c.ClientIP()); err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	result, err := h.authService.SendVerifyCodeAsync(c.Request.Context(), req.Email)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, SendVerifyCodeResponse{
-		Message:   "Verification code sent successfully",
-		Countdown: result.Countdown,
-	})
-}
-
-// Login handles user login
-// POST /api/v1/auth/login
-func (h *AuthHandler) Login(c *gin.Context) {
-	var req LoginRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	// Turnstile 验证
-	if err := h.authService.VerifyTurnstile(c.Request.Context(), req.TurnstileToken, c.ClientIP()); err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	token, user, err := h.authService.Login(c.Request.Context(), req.Email, req.Password)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, AuthResponse{
-		AccessToken: token,
-		TokenType:   "Bearer",
-		User:        dto.UserFromService(user),
-	})
-}
-
-// GetCurrentUser handles getting current authenticated user
-// GET /api/v1/auth/me
-func (h *AuthHandler) GetCurrentUser(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	user, err := h.userService.GetByID(c.Request.Context(), subject.UserID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	type UserResponse struct {
-		*dto.User
-		RunMode string `json:"run_mode"`
-	}
-
-	runMode := config.RunModeStandard
-	if h.cfg != nil {
-		runMode = h.cfg.RunMode
-	}
-
-	response.Success(c, UserResponse{User: dto.UserFromService(user), RunMode: runMode})
-}
+package handler
+
+import (
+	"github.com/Wei-Shaw/sub2api/internal/config"
+	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// AuthHandler handles authentication-related requests
+type AuthHandler struct {
+	cfg         *config.Config
+	authService *service.AuthService
+	userService *service.UserService
+}
+
+// NewAuthHandler creates a new AuthHandler
+func NewAuthHandler(cfg *config.Config, authService *service.AuthService, userService *service.UserService) *AuthHandler {
+	return &AuthHandler{
+		cfg:         cfg,
+		authService: authService,
+		userService: userService,
+	}
+}
+
+// RegisterRequest represents the registration request payload
+type RegisterRequest struct {
+	Email          string `json:"email" binding:"required,email"`
+	Password       string `json:"password" binding:"required,min=6"`
+	VerifyCode     string `json:"verify_code"`
+	TurnstileToken string `json:"turnstile_token"`
+}
+
+// SendVerifyCodeRequest 发送验证码请求
+type SendVerifyCodeRequest struct {
+	Email          string `json:"email" binding:"required,email"`
+	TurnstileToken string `json:"turnstile_token"`
+}
+
+// SendVerifyCodeResponse 发送验证码响应
+type SendVerifyCodeResponse struct {
+	Message   string `json:"message"`
+	Countdown int    `json:"countdown"` // 倒计时秒数
+}
+
+// LoginRequest represents the login request payload
+type LoginRequest struct {
+	Email          string `json:"email" binding:"required,email"`
+	Password       string `json:"password" binding:"required"`
+	TurnstileToken string `json:"turnstile_token"`
+}
+
+// AuthResponse 认证响应格式（匹配前端期望）
+type AuthResponse struct {
+	AccessToken string    `json:"access_token"`
+	TokenType   string    `json:"token_type"`
+	User        *dto.User `json:"user"`
+}
+
+// Register handles user registration
+// POST /api/v1/auth/register
+func (h *AuthHandler) Register(c *gin.Context) {
+	var req RegisterRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	// Turnstile 验证（当提供了邮箱验证码时跳过，因为发送验证码时已验证过）
+	if req.VerifyCode == "" {
+		if err := h.authService.VerifyTurnstile(c.Request.Context(), req.TurnstileToken, c.ClientIP()); err != nil {
+			response.ErrorFrom(c, err)
+			return
+		}
+	}
+
+	token, user, err := h.authService.RegisterWithVerification(c.Request.Context(), req.Email, req.Password, req.VerifyCode)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, AuthResponse{
+		AccessToken: token,
+		TokenType:   "Bearer",
+		User:        dto.UserFromService(user),
+	})
+}
+
+// SendVerifyCode 发送邮箱验证码
+// POST /api/v1/auth/send-verify-code
+func (h *AuthHandler) SendVerifyCode(c *gin.Context) {
+	var req SendVerifyCodeRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	// Turnstile 验证
+	if err := h.authService.VerifyTurnstile(c.Request.Context(), req.TurnstileToken, c.ClientIP()); err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	result, err := h.authService.SendVerifyCodeAsync(c.Request.Context(), req.Email)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, SendVerifyCodeResponse{
+		Message:   "Verification code sent successfully",
+		Countdown: result.Countdown,
+	})
+}
+
+// Login handles user login
+// POST /api/v1/auth/login
+func (h *AuthHandler) Login(c *gin.Context) {
+	var req LoginRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	// Turnstile 验证
+	if err := h.authService.VerifyTurnstile(c.Request.Context(), req.TurnstileToken, c.ClientIP()); err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	token, user, err := h.authService.Login(c.Request.Context(), req.Email, req.Password)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, AuthResponse{
+		AccessToken: token,
+		TokenType:   "Bearer",
+		User:        dto.UserFromService(user),
+	})
+}
+
+// GetCurrentUser handles getting current authenticated user
+// GET /api/v1/auth/me
+func (h *AuthHandler) GetCurrentUser(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	user, err := h.userService.GetByID(c.Request.Context(), subject.UserID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	type UserResponse struct {
+		*dto.User
+		RunMode string `json:"run_mode"`
+	}
+
+	runMode := config.RunModeStandard
+	if h.cfg != nil {
+		runMode = h.cfg.RunMode
+	}
+
+	response.Success(c, UserResponse{User: dto.UserFromService(user), RunMode: runMode})
+}

backend/internal/handler/dto/mappers.go

@@ -1,309 +1,309 @@
-package dto
-
-import "github.com/Wei-Shaw/sub2api/internal/service"
-
-func UserFromServiceShallow(u *service.User) *User {
-	if u == nil {
-		return nil
-	}
-	return &User{
-		ID:            u.ID,
-		Email:         u.Email,
-		Username:      u.Username,
-		Notes:         u.Notes,
-		Role:          u.Role,
-		Balance:       u.Balance,
-		Concurrency:   u.Concurrency,
-		Status:        u.Status,
-		AllowedGroups: u.AllowedGroups,
-		CreatedAt:     u.CreatedAt,
-		UpdatedAt:     u.UpdatedAt,
-	}
-}
-
-func UserFromService(u *service.User) *User {
-	if u == nil {
-		return nil
-	}
-	out := UserFromServiceShallow(u)
-	if len(u.ApiKeys) > 0 {
-		out.ApiKeys = make([]ApiKey, 0, len(u.ApiKeys))
-		for i := range u.ApiKeys {
-			k := u.ApiKeys[i]
-			out.ApiKeys = append(out.ApiKeys, *ApiKeyFromService(&k))
-		}
-	}
-	if len(u.Subscriptions) > 0 {
-		out.Subscriptions = make([]UserSubscription, 0, len(u.Subscriptions))
-		for i := range u.Subscriptions {
-			s := u.Subscriptions[i]
-			out.Subscriptions = append(out.Subscriptions, *UserSubscriptionFromService(&s))
-		}
-	}
-	return out
-}
-
-func ApiKeyFromService(k *service.ApiKey) *ApiKey {
-	if k == nil {
-		return nil
-	}
-	return &ApiKey{
-		ID:        k.ID,
-		UserID:    k.UserID,
-		Key:       k.Key,
-		Name:      k.Name,
-		GroupID:   k.GroupID,
-		Status:    k.Status,
-		CreatedAt: k.CreatedAt,
-		UpdatedAt: k.UpdatedAt,
-		User:      UserFromServiceShallow(k.User),
-		Group:     GroupFromServiceShallow(k.Group),
-	}
-}
-
-func GroupFromServiceShallow(g *service.Group) *Group {
-	if g == nil {
-		return nil
-	}
-	return &Group{
-		ID:               g.ID,
-		Name:             g.Name,
-		Description:      g.Description,
-		Platform:         g.Platform,
-		RateMultiplier:   g.RateMultiplier,
-		IsExclusive:      g.IsExclusive,
-		Status:           g.Status,
-		SubscriptionType: g.SubscriptionType,
-		DailyLimitUSD:    g.DailyLimitUSD,
-		WeeklyLimitUSD:   g.WeeklyLimitUSD,
-		MonthlyLimitUSD:  g.MonthlyLimitUSD,
-		CreatedAt:        g.CreatedAt,
-		UpdatedAt:        g.UpdatedAt,
-		AccountCount:     g.AccountCount,
-	}
-}
-
-func GroupFromService(g *service.Group) *Group {
-	if g == nil {
-		return nil
-	}
-	out := GroupFromServiceShallow(g)
-	if len(g.AccountGroups) > 0 {
-		out.AccountGroups = make([]AccountGroup, 0, len(g.AccountGroups))
-		for i := range g.AccountGroups {
-			ag := g.AccountGroups[i]
-			out.AccountGroups = append(out.AccountGroups, *AccountGroupFromService(&ag))
-		}
-	}
-	return out
-}
-
-func AccountFromServiceShallow(a *service.Account) *Account {
-	if a == nil {
-		return nil
-	}
-	return &Account{
-		ID:                  a.ID,
-		Name:                a.Name,
-		Platform:            a.Platform,
-		Type:                a.Type,
-		Credentials:         a.Credentials,
-		Extra:               a.Extra,
-		ProxyID:             a.ProxyID,
-		Concurrency:         a.Concurrency,
-		Priority:            a.Priority,
-		Status:              a.Status,
-		ErrorMessage:        a.ErrorMessage,
-		LastUsedAt:          a.LastUsedAt,
-		CreatedAt:           a.CreatedAt,
-		UpdatedAt:           a.UpdatedAt,
-		Schedulable:         a.Schedulable,
-		RateLimitedAt:       a.RateLimitedAt,
-		RateLimitResetAt:    a.RateLimitResetAt,
-		OverloadUntil:       a.OverloadUntil,
-		SessionWindowStart:  a.SessionWindowStart,
-		SessionWindowEnd:    a.SessionWindowEnd,
-		SessionWindowStatus: a.SessionWindowStatus,
-		GroupIDs:            a.GroupIDs,
-	}
-}
-
-func AccountFromService(a *service.Account) *Account {
-	if a == nil {
-		return nil
-	}
-	out := AccountFromServiceShallow(a)
-	out.Proxy = ProxyFromService(a.Proxy)
-	if len(a.AccountGroups) > 0 {
-		out.AccountGroups = make([]AccountGroup, 0, len(a.AccountGroups))
-		for i := range a.AccountGroups {
-			ag := a.AccountGroups[i]
-			out.AccountGroups = append(out.AccountGroups, *AccountGroupFromService(&ag))
-		}
-	}
-	if len(a.Groups) > 0 {
-		out.Groups = make([]*Group, 0, len(a.Groups))
-		for _, g := range a.Groups {
-			out.Groups = append(out.Groups, GroupFromServiceShallow(g))
-		}
-	}
-	return out
-}
-
-func AccountGroupFromService(ag *service.AccountGroup) *AccountGroup {
-	if ag == nil {
-		return nil
-	}
-	return &AccountGroup{
-		AccountID: ag.AccountID,
-		GroupID:   ag.GroupID,
-		Priority:  ag.Priority,
-		CreatedAt: ag.CreatedAt,
-		Account:   AccountFromServiceShallow(ag.Account),
-		Group:     GroupFromServiceShallow(ag.Group),
-	}
-}
-
-func ProxyFromService(p *service.Proxy) *Proxy {
-	if p == nil {
-		return nil
-	}
-	return &Proxy{
-		ID:        p.ID,
-		Name:      p.Name,
-		Protocol:  p.Protocol,
-		Host:      p.Host,
-		Port:      p.Port,
-		Username:  p.Username,
-		Password:  p.Password,
-		Status:    p.Status,
-		CreatedAt: p.CreatedAt,
-		UpdatedAt: p.UpdatedAt,
-	}
-}
-
-func ProxyWithAccountCountFromService(p *service.ProxyWithAccountCount) *ProxyWithAccountCount {
-	if p == nil {
-		return nil
-	}
-	return &ProxyWithAccountCount{
-		Proxy:        *ProxyFromService(&p.Proxy),
-		AccountCount: p.AccountCount,
-	}
-}
-
-func RedeemCodeFromService(rc *service.RedeemCode) *RedeemCode {
-	if rc == nil {
-		return nil
-	}
-	return &RedeemCode{
-		ID:           rc.ID,
-		Code:         rc.Code,
-		Type:         rc.Type,
-		Value:        rc.Value,
-		Status:       rc.Status,
-		UsedBy:       rc.UsedBy,
-		UsedAt:       rc.UsedAt,
-		Notes:        rc.Notes,
-		CreatedAt:    rc.CreatedAt,
-		GroupID:      rc.GroupID,
-		ValidityDays: rc.ValidityDays,
-		User:         UserFromServiceShallow(rc.User),
-		Group:        GroupFromServiceShallow(rc.Group),
-	}
-}
-
-func UsageLogFromService(l *service.UsageLog) *UsageLog {
-	if l == nil {
-		return nil
-	}
-	return &UsageLog{
-		ID:                    l.ID,
-		UserID:                l.UserID,
-		ApiKeyID:              l.ApiKeyID,
-		AccountID:             l.AccountID,
-		RequestID:             l.RequestID,
-		Model:                 l.Model,
-		GroupID:               l.GroupID,
-		SubscriptionID:        l.SubscriptionID,
-		InputTokens:           l.InputTokens,
-		OutputTokens:          l.OutputTokens,
-		CacheCreationTokens:   l.CacheCreationTokens,
-		CacheReadTokens:       l.CacheReadTokens,
-		CacheCreation5mTokens: l.CacheCreation5mTokens,
-		CacheCreation1hTokens: l.CacheCreation1hTokens,
-		InputCost:             l.InputCost,
-		OutputCost:            l.OutputCost,
-		CacheCreationCost:     l.CacheCreationCost,
-		CacheReadCost:         l.CacheReadCost,
-		TotalCost:             l.TotalCost,
-		ActualCost:            l.ActualCost,
-		RateMultiplier:        l.RateMultiplier,
-		BillingType:           l.BillingType,
-		Stream:                l.Stream,
-		DurationMs:            l.DurationMs,
-		FirstTokenMs:          l.FirstTokenMs,
-		CreatedAt:             l.CreatedAt,
-		User:                  UserFromServiceShallow(l.User),
-		ApiKey:                ApiKeyFromService(l.ApiKey),
-		Account:               AccountFromService(l.Account),
-		Group:                 GroupFromServiceShallow(l.Group),
-		Subscription:          UserSubscriptionFromService(l.Subscription),
-	}
-}
-
-func SettingFromService(s *service.Setting) *Setting {
-	if s == nil {
-		return nil
-	}
-	return &Setting{
-		ID:        s.ID,
-		Key:       s.Key,
-		Value:     s.Value,
-		UpdatedAt: s.UpdatedAt,
-	}
-}
-
-func UserSubscriptionFromService(sub *service.UserSubscription) *UserSubscription {
-	if sub == nil {
-		return nil
-	}
-	return &UserSubscription{
-		ID:                 sub.ID,
-		UserID:             sub.UserID,
-		GroupID:            sub.GroupID,
-		StartsAt:           sub.StartsAt,
-		ExpiresAt:          sub.ExpiresAt,
-		Status:             sub.Status,
-		DailyWindowStart:   sub.DailyWindowStart,
-		WeeklyWindowStart:  sub.WeeklyWindowStart,
-		MonthlyWindowStart: sub.MonthlyWindowStart,
-		DailyUsageUSD:      sub.DailyUsageUSD,
-		WeeklyUsageUSD:     sub.WeeklyUsageUSD,
-		MonthlyUsageUSD:    sub.MonthlyUsageUSD,
-		AssignedBy:         sub.AssignedBy,
-		AssignedAt:         sub.AssignedAt,
-		Notes:              sub.Notes,
-		CreatedAt:          sub.CreatedAt,
-		UpdatedAt:          sub.UpdatedAt,
-		User:               UserFromServiceShallow(sub.User),
-		Group:              GroupFromServiceShallow(sub.Group),
-		AssignedByUser:     UserFromServiceShallow(sub.AssignedByUser),
-	}
-}
-
-func BulkAssignResultFromService(r *service.BulkAssignResult) *BulkAssignResult {
-	if r == nil {
-		return nil
-	}
-	subs := make([]UserSubscription, 0, len(r.Subscriptions))
-	for i := range r.Subscriptions {
-		subs = append(subs, *UserSubscriptionFromService(&r.Subscriptions[i]))
-	}
-	return &BulkAssignResult{
-		SuccessCount:  r.SuccessCount,
-		FailedCount:   r.FailedCount,
-		Subscriptions: subs,
-		Errors:        r.Errors,
-	}
-}
+package dto
+
+import "github.com/Wei-Shaw/sub2api/internal/service"
+
+func UserFromServiceShallow(u *service.User) *User {
+	if u == nil {
+		return nil
+	}
+	return &User{
+		ID:            u.ID,
+		Email:         u.Email,
+		Username:      u.Username,
+		Notes:         u.Notes,
+		Role:          u.Role,
+		Balance:       u.Balance,
+		Concurrency:   u.Concurrency,
+		Status:        u.Status,
+		AllowedGroups: u.AllowedGroups,
+		CreatedAt:     u.CreatedAt,
+		UpdatedAt:     u.UpdatedAt,
+	}
+}
+
+func UserFromService(u *service.User) *User {
+	if u == nil {
+		return nil
+	}
+	out := UserFromServiceShallow(u)
+	if len(u.ApiKeys) > 0 {
+		out.ApiKeys = make([]ApiKey, 0, len(u.ApiKeys))
+		for i := range u.ApiKeys {
+			k := u.ApiKeys[i]
+			out.ApiKeys = append(out.ApiKeys, *ApiKeyFromService(&k))
+		}
+	}
+	if len(u.Subscriptions) > 0 {
+		out.Subscriptions = make([]UserSubscription, 0, len(u.Subscriptions))
+		for i := range u.Subscriptions {
+			s := u.Subscriptions[i]
+			out.Subscriptions = append(out.Subscriptions, *UserSubscriptionFromService(&s))
+		}
+	}
+	return out
+}
+
+func ApiKeyFromService(k *service.ApiKey) *ApiKey {
+	if k == nil {
+		return nil
+	}
+	return &ApiKey{
+		ID:        k.ID,
+		UserID:    k.UserID,
+		Key:       k.Key,
+		Name:      k.Name,
+		GroupID:   k.GroupID,
+		Status:    k.Status,
+		CreatedAt: k.CreatedAt,
+		UpdatedAt: k.UpdatedAt,
+		User:      UserFromServiceShallow(k.User),
+		Group:     GroupFromServiceShallow(k.Group),
+	}
+}
+
+func GroupFromServiceShallow(g *service.Group) *Group {
+	if g == nil {
+		return nil
+	}
+	return &Group{
+		ID:               g.ID,
+		Name:             g.Name,
+		Description:      g.Description,
+		Platform:         g.Platform,
+		RateMultiplier:   g.RateMultiplier,
+		IsExclusive:      g.IsExclusive,
+		Status:           g.Status,
+		SubscriptionType: g.SubscriptionType,
+		DailyLimitUSD:    g.DailyLimitUSD,
+		WeeklyLimitUSD:   g.WeeklyLimitUSD,
+		MonthlyLimitUSD:  g.MonthlyLimitUSD,
+		CreatedAt:        g.CreatedAt,
+		UpdatedAt:        g.UpdatedAt,
+		AccountCount:     g.AccountCount,
+	}
+}
+
+func GroupFromService(g *service.Group) *Group {
+	if g == nil {
+		return nil
+	}
+	out := GroupFromServiceShallow(g)
+	if len(g.AccountGroups) > 0 {
+		out.AccountGroups = make([]AccountGroup, 0, len(g.AccountGroups))
+		for i := range g.AccountGroups {
+			ag := g.AccountGroups[i]
+			out.AccountGroups = append(out.AccountGroups, *AccountGroupFromService(&ag))
+		}
+	}
+	return out
+}
+
+func AccountFromServiceShallow(a *service.Account) *Account {
+	if a == nil {
+		return nil
+	}
+	return &Account{
+		ID:                  a.ID,
+		Name:                a.Name,
+		Platform:            a.Platform,
+		Type:                a.Type,
+		Credentials:         a.Credentials,
+		Extra:               a.Extra,
+		ProxyID:             a.ProxyID,
+		Concurrency:         a.Concurrency,
+		Priority:            a.Priority,
+		Status:              a.Status,
+		ErrorMessage:        a.ErrorMessage,
+		LastUsedAt:          a.LastUsedAt,
+		CreatedAt:           a.CreatedAt,
+		UpdatedAt:           a.UpdatedAt,
+		Schedulable:         a.Schedulable,
+		RateLimitedAt:       a.RateLimitedAt,
+		RateLimitResetAt:    a.RateLimitResetAt,
+		OverloadUntil:       a.OverloadUntil,
+		SessionWindowStart:  a.SessionWindowStart,
+		SessionWindowEnd:    a.SessionWindowEnd,
+		SessionWindowStatus: a.SessionWindowStatus,
+		GroupIDs:            a.GroupIDs,
+	}
+}
+
+func AccountFromService(a *service.Account) *Account {
+	if a == nil {
+		return nil
+	}
+	out := AccountFromServiceShallow(a)
+	out.Proxy = ProxyFromService(a.Proxy)
+	if len(a.AccountGroups) > 0 {
+		out.AccountGroups = make([]AccountGroup, 0, len(a.AccountGroups))
+		for i := range a.AccountGroups {
+			ag := a.AccountGroups[i]
+			out.AccountGroups = append(out.AccountGroups, *AccountGroupFromService(&ag))
+		}
+	}
+	if len(a.Groups) > 0 {
+		out.Groups = make([]*Group, 0, len(a.Groups))
+		for _, g := range a.Groups {
+			out.Groups = append(out.Groups, GroupFromServiceShallow(g))
+		}
+	}
+	return out
+}
+
+func AccountGroupFromService(ag *service.AccountGroup) *AccountGroup {
+	if ag == nil {
+		return nil
+	}
+	return &AccountGroup{
+		AccountID: ag.AccountID,
+		GroupID:   ag.GroupID,
+		Priority:  ag.Priority,
+		CreatedAt: ag.CreatedAt,
+		Account:   AccountFromServiceShallow(ag.Account),
+		Group:     GroupFromServiceShallow(ag.Group),
+	}
+}
+
+func ProxyFromService(p *service.Proxy) *Proxy {
+	if p == nil {
+		return nil
+	}
+	return &Proxy{
+		ID:        p.ID,
+		Name:      p.Name,
+		Protocol:  p.Protocol,
+		Host:      p.Host,
+		Port:      p.Port,
+		Username:  p.Username,
+		Password:  p.Password,
+		Status:    p.Status,
+		CreatedAt: p.CreatedAt,
+		UpdatedAt: p.UpdatedAt,
+	}
+}
+
+func ProxyWithAccountCountFromService(p *service.ProxyWithAccountCount) *ProxyWithAccountCount {
+	if p == nil {
+		return nil
+	}
+	return &ProxyWithAccountCount{
+		Proxy:        *ProxyFromService(&p.Proxy),
+		AccountCount: p.AccountCount,
+	}
+}
+
+func RedeemCodeFromService(rc *service.RedeemCode) *RedeemCode {
+	if rc == nil {
+		return nil
+	}
+	return &RedeemCode{
+		ID:           rc.ID,
+		Code:         rc.Code,
+		Type:         rc.Type,
+		Value:        rc.Value,
+		Status:       rc.Status,
+		UsedBy:       rc.UsedBy,
+		UsedAt:       rc.UsedAt,
+		Notes:        rc.Notes,
+		CreatedAt:    rc.CreatedAt,
+		GroupID:      rc.GroupID,
+		ValidityDays: rc.ValidityDays,
+		User:         UserFromServiceShallow(rc.User),
+		Group:        GroupFromServiceShallow(rc.Group),
+	}
+}
+
+func UsageLogFromService(l *service.UsageLog) *UsageLog {
+	if l == nil {
+		return nil
+	}
+	return &UsageLog{
+		ID:                    l.ID,
+		UserID:                l.UserID,
+		ApiKeyID:              l.ApiKeyID,
+		AccountID:             l.AccountID,
+		RequestID:             l.RequestID,
+		Model:                 l.Model,
+		GroupID:               l.GroupID,
+		SubscriptionID:        l.SubscriptionID,
+		InputTokens:           l.InputTokens,
+		OutputTokens:          l.OutputTokens,
+		CacheCreationTokens:   l.CacheCreationTokens,
+		CacheReadTokens:       l.CacheReadTokens,
+		CacheCreation5mTokens: l.CacheCreation5mTokens,
+		CacheCreation1hTokens: l.CacheCreation1hTokens,
+		InputCost:             l.InputCost,
+		OutputCost:            l.OutputCost,
+		CacheCreationCost:     l.CacheCreationCost,
+		CacheReadCost:         l.CacheReadCost,
+		TotalCost:             l.TotalCost,
+		ActualCost:            l.ActualCost,
+		RateMultiplier:        l.RateMultiplier,
+		BillingType:           l.BillingType,
+		Stream:                l.Stream,
+		DurationMs:            l.DurationMs,
+		FirstTokenMs:          l.FirstTokenMs,
+		CreatedAt:             l.CreatedAt,
+		User:                  UserFromServiceShallow(l.User),
+		ApiKey:                ApiKeyFromService(l.ApiKey),
+		Account:               AccountFromService(l.Account),
+		Group:                 GroupFromServiceShallow(l.Group),
+		Subscription:          UserSubscriptionFromService(l.Subscription),
+	}
+}
+
+func SettingFromService(s *service.Setting) *Setting {
+	if s == nil {
+		return nil
+	}
+	return &Setting{
+		ID:        s.ID,
+		Key:       s.Key,
+		Value:     s.Value,
+		UpdatedAt: s.UpdatedAt,
+	}
+}
+
+func UserSubscriptionFromService(sub *service.UserSubscription) *UserSubscription {
+	if sub == nil {
+		return nil
+	}
+	return &UserSubscription{
+		ID:                 sub.ID,
+		UserID:             sub.UserID,
+		GroupID:            sub.GroupID,
+		StartsAt:           sub.StartsAt,
+		ExpiresAt:          sub.ExpiresAt,
+		Status:             sub.Status,
+		DailyWindowStart:   sub.DailyWindowStart,
+		WeeklyWindowStart:  sub.WeeklyWindowStart,
+		MonthlyWindowStart: sub.MonthlyWindowStart,
+		DailyUsageUSD:      sub.DailyUsageUSD,
+		WeeklyUsageUSD:     sub.WeeklyUsageUSD,
+		MonthlyUsageUSD:    sub.MonthlyUsageUSD,
+		AssignedBy:         sub.AssignedBy,
+		AssignedAt:         sub.AssignedAt,
+		Notes:              sub.Notes,
+		CreatedAt:          sub.CreatedAt,
+		UpdatedAt:          sub.UpdatedAt,
+		User:               UserFromServiceShallow(sub.User),
+		Group:              GroupFromServiceShallow(sub.Group),
+		AssignedByUser:     UserFromServiceShallow(sub.AssignedByUser),
+	}
+}
+
+func BulkAssignResultFromService(r *service.BulkAssignResult) *BulkAssignResult {
+	if r == nil {
+		return nil
+	}
+	subs := make([]UserSubscription, 0, len(r.Subscriptions))
+	for i := range r.Subscriptions {
+		subs = append(subs, *UserSubscriptionFromService(&r.Subscriptions[i]))
+	}
+	return &BulkAssignResult{
+		SuccessCount:  r.SuccessCount,
+		FailedCount:   r.FailedCount,
+		Subscriptions: subs,
+		Errors:        r.Errors,
+	}
+}

backend/internal/handler/dto/settings.go

@@ -1,43 +1,43 @@
-package dto
-
-// SystemSettings represents the admin settings API response payload.
-type SystemSettings struct {
-	RegistrationEnabled bool `json:"registration_enabled"`
-	EmailVerifyEnabled  bool `json:"email_verify_enabled"`
-
-	SmtpHost     string `json:"smtp_host"`
-	SmtpPort     int    `json:"smtp_port"`
-	SmtpUsername string `json:"smtp_username"`
-	SmtpPassword string `json:"smtp_password,omitempty"`
-	SmtpFrom     string `json:"smtp_from_email"`
-	SmtpFromName string `json:"smtp_from_name"`
-	SmtpUseTLS   bool   `json:"smtp_use_tls"`
-
-	TurnstileEnabled   bool   `json:"turnstile_enabled"`
-	TurnstileSiteKey   string `json:"turnstile_site_key"`
-	TurnstileSecretKey string `json:"turnstile_secret_key,omitempty"`
-
-	SiteName     string `json:"site_name"`
-	SiteLogo     string `json:"site_logo"`
-	SiteSubtitle string `json:"site_subtitle"`
-	ApiBaseUrl   string `json:"api_base_url"`
-	ContactInfo  string `json:"contact_info"`
-	DocUrl       string `json:"doc_url"`
-
-	DefaultConcurrency int     `json:"default_concurrency"`
-	DefaultBalance     float64 `json:"default_balance"`
-}
-
-type PublicSettings struct {
-	RegistrationEnabled bool   `json:"registration_enabled"`
-	EmailVerifyEnabled  bool   `json:"email_verify_enabled"`
-	TurnstileEnabled    bool   `json:"turnstile_enabled"`
-	TurnstileSiteKey    string `json:"turnstile_site_key"`
-	SiteName            string `json:"site_name"`
-	SiteLogo            string `json:"site_logo"`
-	SiteSubtitle        string `json:"site_subtitle"`
-	ApiBaseUrl          string `json:"api_base_url"`
-	ContactInfo         string `json:"contact_info"`
-	DocUrl              string `json:"doc_url"`
-	Version             string `json:"version"`
-}
+package dto
+
+// SystemSettings represents the admin settings API response payload.
+type SystemSettings struct {
+	RegistrationEnabled bool `json:"registration_enabled"`
+	EmailVerifyEnabled  bool `json:"email_verify_enabled"`
+
+	SmtpHost     string `json:"smtp_host"`
+	SmtpPort     int    `json:"smtp_port"`
+	SmtpUsername string `json:"smtp_username"`
+	SmtpPassword string `json:"smtp_password,omitempty"`
+	SmtpFrom     string `json:"smtp_from_email"`
+	SmtpFromName string `json:"smtp_from_name"`
+	SmtpUseTLS   bool   `json:"smtp_use_tls"`
+
+	TurnstileEnabled   bool   `json:"turnstile_enabled"`
+	TurnstileSiteKey   string `json:"turnstile_site_key"`
+	TurnstileSecretKey string `json:"turnstile_secret_key,omitempty"`
+
+	SiteName     string `json:"site_name"`
+	SiteLogo     string `json:"site_logo"`
+	SiteSubtitle string `json:"site_subtitle"`
+	ApiBaseUrl   string `json:"api_base_url"`
+	ContactInfo  string `json:"contact_info"`
+	DocUrl       string `json:"doc_url"`
+
+	DefaultConcurrency int     `json:"default_concurrency"`
+	DefaultBalance     float64 `json:"default_balance"`
+}
+
+type PublicSettings struct {
+	RegistrationEnabled bool   `json:"registration_enabled"`
+	EmailVerifyEnabled  bool   `json:"email_verify_enabled"`
+	TurnstileEnabled    bool   `json:"turnstile_enabled"`
+	TurnstileSiteKey    string `json:"turnstile_site_key"`
+	SiteName            string `json:"site_name"`
+	SiteLogo            string `json:"site_logo"`
+	SiteSubtitle        string `json:"site_subtitle"`
+	ApiBaseUrl          string `json:"api_base_url"`
+	ContactInfo         string `json:"contact_info"`
+	DocUrl              string `json:"doc_url"`
+	Version             string `json:"version"`
+}

backend/internal/handler/dto/types.go

@@ -1,218 +1,218 @@
-package dto
-
-import "time"
-
-type User struct {
-	ID            int64     `json:"id"`
-	Email         string    `json:"email"`
-	Username      string    `json:"username"`
-	Notes         string    `json:"notes"`
-	Role          string    `json:"role"`
-	Balance       float64   `json:"balance"`
-	Concurrency   int       `json:"concurrency"`
-	Status        string    `json:"status"`
-	AllowedGroups []int64   `json:"allowed_groups"`
-	CreatedAt     time.Time `json:"created_at"`
-	UpdatedAt     time.Time `json:"updated_at"`
-
-	ApiKeys       []ApiKey           `json:"api_keys,omitempty"`
-	Subscriptions []UserSubscription `json:"subscriptions,omitempty"`
-}
-
-type ApiKey struct {
-	ID        int64     `json:"id"`
-	UserID    int64     `json:"user_id"`
-	Key       string    `json:"key"`
-	Name      string    `json:"name"`
-	GroupID   *int64    `json:"group_id"`
-	Status    string    `json:"status"`
-	CreatedAt time.Time `json:"created_at"`
-	UpdatedAt time.Time `json:"updated_at"`
-
-	User  *User  `json:"user,omitempty"`
-	Group *Group `json:"group,omitempty"`
-}
-
-type Group struct {
-	ID             int64   `json:"id"`
-	Name           string  `json:"name"`
-	Description    string  `json:"description"`
-	Platform       string  `json:"platform"`
-	RateMultiplier float64 `json:"rate_multiplier"`
-	IsExclusive    bool    `json:"is_exclusive"`
-	Status         string  `json:"status"`
-
-	SubscriptionType string   `json:"subscription_type"`
-	DailyLimitUSD    *float64 `json:"daily_limit_usd"`
-	WeeklyLimitUSD   *float64 `json:"weekly_limit_usd"`
-	MonthlyLimitUSD  *float64 `json:"monthly_limit_usd"`
-
-	CreatedAt time.Time `json:"created_at"`
-	UpdatedAt time.Time `json:"updated_at"`
-
-	AccountGroups []AccountGroup `json:"account_groups,omitempty"`
-	AccountCount  int64          `json:"account_count,omitempty"`
-}
-
-type Account struct {
-	ID           int64          `json:"id"`
-	Name         string         `json:"name"`
-	Platform     string         `json:"platform"`
-	Type         string         `json:"type"`
-	Credentials  map[string]any `json:"credentials"`
-	Extra        map[string]any `json:"extra"`
-	ProxyID      *int64         `json:"proxy_id"`
-	Concurrency  int            `json:"concurrency"`
-	Priority     int            `json:"priority"`
-	Status       string         `json:"status"`
-	ErrorMessage string         `json:"error_message"`
-	LastUsedAt   *time.Time     `json:"last_used_at"`
-	CreatedAt    time.Time      `json:"created_at"`
-	UpdatedAt    time.Time      `json:"updated_at"`
-
-	Schedulable bool `json:"schedulable"`
-
-	RateLimitedAt    *time.Time `json:"rate_limited_at"`
-	RateLimitResetAt *time.Time `json:"rate_limit_reset_at"`
-	OverloadUntil    *time.Time `json:"overload_until"`
-
-	SessionWindowStart  *time.Time `json:"session_window_start"`
-	SessionWindowEnd    *time.Time `json:"session_window_end"`
-	SessionWindowStatus string     `json:"session_window_status"`
-
-	Proxy         *Proxy         `json:"proxy,omitempty"`
-	AccountGroups []AccountGroup `json:"account_groups,omitempty"`
-
-	GroupIDs []int64  `json:"group_ids,omitempty"`
-	Groups   []*Group `json:"groups,omitempty"`
-}
-
-type AccountGroup struct {
-	AccountID int64     `json:"account_id"`
-	GroupID   int64     `json:"group_id"`
-	Priority  int       `json:"priority"`
-	CreatedAt time.Time `json:"created_at"`
-
-	Account *Account `json:"account,omitempty"`
-	Group   *Group   `json:"group,omitempty"`
-}
-
-type Proxy struct {
-	ID        int64     `json:"id"`
-	Name      string    `json:"name"`
-	Protocol  string    `json:"protocol"`
-	Host      string    `json:"host"`
-	Port      int       `json:"port"`
-	Username  string    `json:"username"`
-	Password  string    `json:"-"`
-	Status    string    `json:"status"`
-	CreatedAt time.Time `json:"created_at"`
-	UpdatedAt time.Time `json:"updated_at"`
-}
-
-type ProxyWithAccountCount struct {
-	Proxy
-	AccountCount int64 `json:"account_count"`
-}
-
-type RedeemCode struct {
-	ID        int64      `json:"id"`
-	Code      string     `json:"code"`
-	Type      string     `json:"type"`
-	Value     float64    `json:"value"`
-	Status    string     `json:"status"`
-	UsedBy    *int64     `json:"used_by"`
-	UsedAt    *time.Time `json:"used_at"`
-	Notes     string     `json:"notes"`
-	CreatedAt time.Time  `json:"created_at"`
-
-	GroupID      *int64 `json:"group_id"`
-	ValidityDays int    `json:"validity_days"`
-
-	User  *User  `json:"user,omitempty"`
-	Group *Group `json:"group,omitempty"`
-}
-
-type UsageLog struct {
-	ID        int64  `json:"id"`
-	UserID    int64  `json:"user_id"`
-	ApiKeyID  int64  `json:"api_key_id"`
-	AccountID int64  `json:"account_id"`
-	RequestID string `json:"request_id"`
-	Model     string `json:"model"`
-
-	GroupID        *int64 `json:"group_id"`
-	SubscriptionID *int64 `json:"subscription_id"`
-
-	InputTokens         int `json:"input_tokens"`
-	OutputTokens        int `json:"output_tokens"`
-	CacheCreationTokens int `json:"cache_creation_tokens"`
-	CacheReadTokens     int `json:"cache_read_tokens"`
-
-	CacheCreation5mTokens int `json:"cache_creation_5m_tokens"`
-	CacheCreation1hTokens int `json:"cache_creation_1h_tokens"`
-
-	InputCost         float64 `json:"input_cost"`
-	OutputCost        float64 `json:"output_cost"`
-	CacheCreationCost float64 `json:"cache_creation_cost"`
-	CacheReadCost     float64 `json:"cache_read_cost"`
-	TotalCost         float64 `json:"total_cost"`
-	ActualCost        float64 `json:"actual_cost"`
-	RateMultiplier    float64 `json:"rate_multiplier"`
-
-	BillingType  int8 `json:"billing_type"`
-	Stream       bool `json:"stream"`
-	DurationMs   *int `json:"duration_ms"`
-	FirstTokenMs *int `json:"first_token_ms"`
-
-	CreatedAt time.Time `json:"created_at"`
-
-	User         *User             `json:"user,omitempty"`
-	ApiKey       *ApiKey           `json:"api_key,omitempty"`
-	Account      *Account          `json:"account,omitempty"`
-	Group        *Group            `json:"group,omitempty"`
-	Subscription *UserSubscription `json:"subscription,omitempty"`
-}
-
-type Setting struct {
-	ID        int64     `json:"id"`
-	Key       string    `json:"key"`
-	Value     string    `json:"value"`
-	UpdatedAt time.Time `json:"updated_at"`
-}
-
-type UserSubscription struct {
-	ID      int64 `json:"id"`
-	UserID  int64 `json:"user_id"`
-	GroupID int64 `json:"group_id"`
-
-	StartsAt  time.Time `json:"starts_at"`
-	ExpiresAt time.Time `json:"expires_at"`
-	Status    string    `json:"status"`
-
-	DailyWindowStart   *time.Time `json:"daily_window_start"`
-	WeeklyWindowStart  *time.Time `json:"weekly_window_start"`
-	MonthlyWindowStart *time.Time `json:"monthly_window_start"`
-
-	DailyUsageUSD   float64 `json:"daily_usage_usd"`
-	WeeklyUsageUSD  float64 `json:"weekly_usage_usd"`
-	MonthlyUsageUSD float64 `json:"monthly_usage_usd"`
-
-	AssignedBy *int64    `json:"assigned_by"`
-	AssignedAt time.Time `json:"assigned_at"`
-	Notes      string    `json:"notes"`
-
-	CreatedAt time.Time `json:"created_at"`
-	UpdatedAt time.Time `json:"updated_at"`
-
-	User           *User  `json:"user,omitempty"`
-	Group          *Group `json:"group,omitempty"`
-	AssignedByUser *User  `json:"assigned_by_user,omitempty"`
-}
-
-type BulkAssignResult struct {
-	SuccessCount  int                `json:"success_count"`
-	FailedCount   int                `json:"failed_count"`
-	Subscriptions []UserSubscription `json:"subscriptions"`
-	Errors        []string           `json:"errors"`
-}
+package dto
+
+import "time"
+
+type User struct {
+	ID            int64     `json:"id"`
+	Email         string    `json:"email"`
+	Username      string    `json:"username"`
+	Notes         string    `json:"notes"`
+	Role          string    `json:"role"`
+	Balance       float64   `json:"balance"`
+	Concurrency   int       `json:"concurrency"`
+	Status        string    `json:"status"`
+	AllowedGroups []int64   `json:"allowed_groups"`
+	CreatedAt     time.Time `json:"created_at"`
+	UpdatedAt     time.Time `json:"updated_at"`
+
+	ApiKeys       []ApiKey           `json:"api_keys,omitempty"`
+	Subscriptions []UserSubscription `json:"subscriptions,omitempty"`
+}
+
+type ApiKey struct {
+	ID        int64     `json:"id"`
+	UserID    int64     `json:"user_id"`
+	Key       string    `json:"key"`
+	Name      string    `json:"name"`
+	GroupID   *int64    `json:"group_id"`
+	Status    string    `json:"status"`
+	CreatedAt time.Time `json:"created_at"`
+	UpdatedAt time.Time `json:"updated_at"`
+
+	User  *User  `json:"user,omitempty"`
+	Group *Group `json:"group,omitempty"`
+}
+
+type Group struct {
+	ID             int64   `json:"id"`
+	Name           string  `json:"name"`
+	Description    string  `json:"description"`
+	Platform       string  `json:"platform"`
+	RateMultiplier float64 `json:"rate_multiplier"`
+	IsExclusive    bool    `json:"is_exclusive"`
+	Status         string  `json:"status"`
+
+	SubscriptionType string   `json:"subscription_type"`
+	DailyLimitUSD    *float64 `json:"daily_limit_usd"`
+	WeeklyLimitUSD   *float64 `json:"weekly_limit_usd"`
+	MonthlyLimitUSD  *float64 `json:"monthly_limit_usd"`
+
+	CreatedAt time.Time `json:"created_at"`
+	UpdatedAt time.Time `json:"updated_at"`
+
+	AccountGroups []AccountGroup `json:"account_groups,omitempty"`
+	AccountCount  int64          `json:"account_count,omitempty"`
+}
+
+type Account struct {
+	ID           int64          `json:"id"`
+	Name         string         `json:"name"`
+	Platform     string         `json:"platform"`
+	Type         string         `json:"type"`
+	Credentials  map[string]any `json:"credentials"`
+	Extra        map[string]any `json:"extra"`
+	ProxyID      *int64         `json:"proxy_id"`
+	Concurrency  int            `json:"concurrency"`
+	Priority     int            `json:"priority"`
+	Status       string         `json:"status"`
+	ErrorMessage string         `json:"error_message"`
+	LastUsedAt   *time.Time     `json:"last_used_at"`
+	CreatedAt    time.Time      `json:"created_at"`
+	UpdatedAt    time.Time      `json:"updated_at"`
+
+	Schedulable bool `json:"schedulable"`
+
+	RateLimitedAt    *time.Time `json:"rate_limited_at"`
+	RateLimitResetAt *time.Time `json:"rate_limit_reset_at"`
+	OverloadUntil    *time.Time `json:"overload_until"`
+
+	SessionWindowStart  *time.Time `json:"session_window_start"`
+	SessionWindowEnd    *time.Time `json:"session_window_end"`
+	SessionWindowStatus string     `json:"session_window_status"`
+
+	Proxy         *Proxy         `json:"proxy,omitempty"`
+	AccountGroups []AccountGroup `json:"account_groups,omitempty"`
+
+	GroupIDs []int64  `json:"group_ids,omitempty"`
+	Groups   []*Group `json:"groups,omitempty"`
+}
+
+type AccountGroup struct {
+	AccountID int64     `json:"account_id"`
+	GroupID   int64     `json:"group_id"`
+	Priority  int       `json:"priority"`
+	CreatedAt time.Time `json:"created_at"`
+
+	Account *Account `json:"account,omitempty"`
+	Group   *Group   `json:"group,omitempty"`
+}
+
+type Proxy struct {
+	ID        int64     `json:"id"`
+	Name      string    `json:"name"`
+	Protocol  string    `json:"protocol"`
+	Host      string    `json:"host"`
+	Port      int       `json:"port"`
+	Username  string    `json:"username"`
+	Password  string    `json:"-"`
+	Status    string    `json:"status"`
+	CreatedAt time.Time `json:"created_at"`
+	UpdatedAt time.Time `json:"updated_at"`
+}
+
+type ProxyWithAccountCount struct {
+	Proxy
+	AccountCount int64 `json:"account_count"`
+}
+
+type RedeemCode struct {
+	ID        int64      `json:"id"`
+	Code      string     `json:"code"`
+	Type      string     `json:"type"`
+	Value     float64    `json:"value"`
+	Status    string     `json:"status"`
+	UsedBy    *int64     `json:"used_by"`
+	UsedAt    *time.Time `json:"used_at"`
+	Notes     string     `json:"notes"`
+	CreatedAt time.Time  `json:"created_at"`
+
+	GroupID      *int64 `json:"group_id"`
+	ValidityDays int    `json:"validity_days"`
+
+	User  *User  `json:"user,omitempty"`
+	Group *Group `json:"group,omitempty"`
+}
+
+type UsageLog struct {
+	ID        int64  `json:"id"`
+	UserID    int64  `json:"user_id"`
+	ApiKeyID  int64  `json:"api_key_id"`
+	AccountID int64  `json:"account_id"`
+	RequestID string `json:"request_id"`
+	Model     string `json:"model"`
+
+	GroupID        *int64 `json:"group_id"`
+	SubscriptionID *int64 `json:"subscription_id"`
+
+	InputTokens         int `json:"input_tokens"`
+	OutputTokens        int `json:"output_tokens"`
+	CacheCreationTokens int `json:"cache_creation_tokens"`
+	CacheReadTokens     int `json:"cache_read_tokens"`
+
+	CacheCreation5mTokens int `json:"cache_creation_5m_tokens"`
+	CacheCreation1hTokens int `json:"cache_creation_1h_tokens"`
+
+	InputCost         float64 `json:"input_cost"`
+	OutputCost        float64 `json:"output_cost"`
+	CacheCreationCost float64 `json:"cache_creation_cost"`
+	CacheReadCost     float64 `json:"cache_read_cost"`
+	TotalCost         float64 `json:"total_cost"`
+	ActualCost        float64 `json:"actual_cost"`
+	RateMultiplier    float64 `json:"rate_multiplier"`
+
+	BillingType  int8 `json:"billing_type"`
+	Stream       bool `json:"stream"`
+	DurationMs   *int `json:"duration_ms"`
+	FirstTokenMs *int `json:"first_token_ms"`
+
+	CreatedAt time.Time `json:"created_at"`
+
+	User         *User             `json:"user,omitempty"`
+	ApiKey       *ApiKey           `json:"api_key,omitempty"`
+	Account      *Account          `json:"account,omitempty"`
+	Group        *Group            `json:"group,omitempty"`
+	Subscription *UserSubscription `json:"subscription,omitempty"`
+}
+
+type Setting struct {
+	ID        int64     `json:"id"`
+	Key       string    `json:"key"`
+	Value     string    `json:"value"`
+	UpdatedAt time.Time `json:"updated_at"`
+}
+
+type UserSubscription struct {
+	ID      int64 `json:"id"`
+	UserID  int64 `json:"user_id"`
+	GroupID int64 `json:"group_id"`
+
+	StartsAt  time.Time `json:"starts_at"`
+	ExpiresAt time.Time `json:"expires_at"`
+	Status    string    `json:"status"`
+
+	DailyWindowStart   *time.Time `json:"daily_window_start"`
+	WeeklyWindowStart  *time.Time `json:"weekly_window_start"`
+	MonthlyWindowStart *time.Time `json:"monthly_window_start"`
+
+	DailyUsageUSD   float64 `json:"daily_usage_usd"`
+	WeeklyUsageUSD  float64 `json:"weekly_usage_usd"`
+	MonthlyUsageUSD float64 `json:"monthly_usage_usd"`
+
+	AssignedBy *int64    `json:"assigned_by"`
+	AssignedAt time.Time `json:"assigned_at"`
+	Notes      string    `json:"notes"`
+
+	CreatedAt time.Time `json:"created_at"`
+	UpdatedAt time.Time `json:"updated_at"`
+
+	User           *User  `json:"user,omitempty"`
+	Group          *Group `json:"group,omitempty"`
+	AssignedByUser *User  `json:"assigned_by_user,omitempty"`
+}
+
+type BulkAssignResult struct {
+	SuccessCount  int                `json:"success_count"`
+	FailedCount   int                `json:"failed_count"`
+	Subscriptions []UserSubscription `json:"subscriptions"`
+	Errors        []string           `json:"errors"`
+}

backend/internal/handler/gateway_helper.go

@@ -1,263 +1,263 @@
-package handler
-
-import (
-	"context"
-	"fmt"
-	"math/rand"
-	"net/http"
-	"time"
-
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// 并发槽位等待相关常量
-//
-// 性能优化说明：
-// 原实现使用固定间隔（100ms）轮询并发槽位，存在以下问题：
-// 1. 高并发时频繁轮询增加 Redis 压力
-// 2. 固定间隔可能导致多个请求同时重试（惊群效应）
-//
-// 新实现使用指数退避 + 抖动算法：
-// 1. 初始退避 100ms，每次乘以 1.5，最大 2s
-// 2. 添加 ±20% 的随机抖动，分散重试时间点
-// 3. 减少 Redis 压力，避免惊群效应
-const (
-	// maxConcurrencyWait 等待并发槽位的最大时间
-	maxConcurrencyWait = 30 * time.Second
-	// pingInterval 流式响应等待时发送 ping 的间隔
-	pingInterval = 15 * time.Second
-	// initialBackoff 初始退避时间
-	initialBackoff = 100 * time.Millisecond
-	// backoffMultiplier 退避时间乘数（指数退避）
-	backoffMultiplier = 1.5
-	// maxBackoff 最大退避时间
-	maxBackoff = 2 * time.Second
-)
-
-// SSEPingFormat defines the format of SSE ping events for different platforms
-type SSEPingFormat string
-
-const (
-	// SSEPingFormatClaude is the Claude/Anthropic SSE ping format
-	SSEPingFormatClaude SSEPingFormat = "data: {\"type\": \"ping\"}\n\n"
-	// SSEPingFormatNone indicates no ping should be sent (e.g., OpenAI has no ping spec)
-	SSEPingFormatNone SSEPingFormat = ""
-)
-
-// ConcurrencyError represents a concurrency limit error with context
-type ConcurrencyError struct {
-	SlotType  string
-	IsTimeout bool
-}
-
-func (e *ConcurrencyError) Error() string {
-	if e.IsTimeout {
-		return fmt.Sprintf("timeout waiting for %s concurrency slot", e.SlotType)
-	}
-	return fmt.Sprintf("%s concurrency limit reached", e.SlotType)
-}
-
-// ConcurrencyHelper provides common concurrency slot management for gateway handlers
-type ConcurrencyHelper struct {
-	concurrencyService *service.ConcurrencyService
-	pingFormat         SSEPingFormat
-}
-
-// NewConcurrencyHelper creates a new ConcurrencyHelper
-func NewConcurrencyHelper(concurrencyService *service.ConcurrencyService, pingFormat SSEPingFormat) *ConcurrencyHelper {
-	return &ConcurrencyHelper{
-		concurrencyService: concurrencyService,
-		pingFormat:         pingFormat,
-	}
-}
-
-// IncrementWaitCount increments the wait count for a user
-func (h *ConcurrencyHelper) IncrementWaitCount(ctx context.Context, userID int64, maxWait int) (bool, error) {
-	return h.concurrencyService.IncrementWaitCount(ctx, userID, maxWait)
-}
-
-// DecrementWaitCount decrements the wait count for a user
-func (h *ConcurrencyHelper) DecrementWaitCount(ctx context.Context, userID int64) {
-	h.concurrencyService.DecrementWaitCount(ctx, userID)
-}
-
-// IncrementAccountWaitCount increments the wait count for an account
-func (h *ConcurrencyHelper) IncrementAccountWaitCount(ctx context.Context, accountID int64, maxWait int) (bool, error) {
-	return h.concurrencyService.IncrementAccountWaitCount(ctx, accountID, maxWait)
-}
-
-// DecrementAccountWaitCount decrements the wait count for an account
-func (h *ConcurrencyHelper) DecrementAccountWaitCount(ctx context.Context, accountID int64) {
-	h.concurrencyService.DecrementAccountWaitCount(ctx, accountID)
-}
-
-// AcquireUserSlotWithWait acquires a user concurrency slot, waiting if necessary.
-// For streaming requests, sends ping events during the wait.
-// streamStarted is updated if streaming response has begun.
-func (h *ConcurrencyHelper) AcquireUserSlotWithWait(c *gin.Context, userID int64, maxConcurrency int, isStream bool, streamStarted *bool) (func(), error) {
-	ctx := c.Request.Context()
-
-	// Try to acquire immediately
-	result, err := h.concurrencyService.AcquireUserSlot(ctx, userID, maxConcurrency)
-	if err != nil {
-		return nil, err
-	}
-
-	if result.Acquired {
-		return result.ReleaseFunc, nil
-	}
-
-	// Need to wait - handle streaming ping if needed
-	return h.waitForSlotWithPing(c, "user", userID, maxConcurrency, isStream, streamStarted)
-}
-
-// AcquireAccountSlotWithWait acquires an account concurrency slot, waiting if necessary.
-// For streaming requests, sends ping events during the wait.
-// streamStarted is updated if streaming response has begun.
-func (h *ConcurrencyHelper) AcquireAccountSlotWithWait(c *gin.Context, accountID int64, maxConcurrency int, isStream bool, streamStarted *bool) (func(), error) {
-	ctx := c.Request.Context()
-
-	// Try to acquire immediately
-	result, err := h.concurrencyService.AcquireAccountSlot(ctx, accountID, maxConcurrency)
-	if err != nil {
-		return nil, err
-	}
-
-	if result.Acquired {
-		return result.ReleaseFunc, nil
-	}
-
-	// Need to wait - handle streaming ping if needed
-	return h.waitForSlotWithPing(c, "account", accountID, maxConcurrency, isStream, streamStarted)
-}
-
-// waitForSlotWithPing waits for a concurrency slot, sending ping events for streaming requests.
-// streamStarted pointer is updated when streaming begins (for proper error handling by caller).
-func (h *ConcurrencyHelper) waitForSlotWithPing(c *gin.Context, slotType string, id int64, maxConcurrency int, isStream bool, streamStarted *bool) (func(), error) {
-	return h.waitForSlotWithPingTimeout(c, slotType, id, maxConcurrency, maxConcurrencyWait, isStream, streamStarted)
-}
-
-// waitForSlotWithPingTimeout waits for a concurrency slot with a custom timeout.
-func (h *ConcurrencyHelper) waitForSlotWithPingTimeout(c *gin.Context, slotType string, id int64, maxConcurrency int, timeout time.Duration, isStream bool, streamStarted *bool) (func(), error) {
-	ctx, cancel := context.WithTimeout(c.Request.Context(), timeout)
-	defer cancel()
-
-	// Try immediate acquire first (avoid unnecessary wait)
-	var result *service.AcquireResult
-	var err error
-	if slotType == "user" {
-		result, err = h.concurrencyService.AcquireUserSlot(ctx, id, maxConcurrency)
-	} else {
-		result, err = h.concurrencyService.AcquireAccountSlot(ctx, id, maxConcurrency)
-	}
-	if err != nil {
-		return nil, err
-	}
-	if result.Acquired {
-		return result.ReleaseFunc, nil
-	}
-
-	// Determine if ping is needed (streaming + ping format defined)
-	needPing := isStream && h.pingFormat != ""
-
-	var flusher http.Flusher
-	if needPing {
-		var ok bool
-		flusher, ok = c.Writer.(http.Flusher)
-		if !ok {
-			return nil, fmt.Errorf("streaming not supported")
-		}
-	}
-
-	// Only create ping ticker if ping is needed
-	var pingCh <-chan time.Time
-	if needPing {
-		pingTicker := time.NewTicker(pingInterval)
-		defer pingTicker.Stop()
-		pingCh = pingTicker.C
-	}
-
-	backoff := initialBackoff
-	timer := time.NewTimer(backoff)
-	defer timer.Stop()
-	rng := rand.New(rand.NewSource(time.Now().UnixNano()))
-
-	for {
-		select {
-		case <-ctx.Done():
-			return nil, &ConcurrencyError{
-				SlotType:  slotType,
-				IsTimeout: true,
-			}
-
-		case <-pingCh:
-			// Send ping to keep connection alive
-			if !*streamStarted {
-				c.Header("Content-Type", "text/event-stream")
-				c.Header("Cache-Control", "no-cache")
-				c.Header("Connection", "keep-alive")
-				c.Header("X-Accel-Buffering", "no")
-				*streamStarted = true
-			}
-			if _, err := fmt.Fprint(c.Writer, string(h.pingFormat)); err != nil {
-				return nil, err
-			}
-			flusher.Flush()
-
-		case <-timer.C:
-			// Try to acquire slot
-			var result *service.AcquireResult
-			var err error
-
-			if slotType == "user" {
-				result, err = h.concurrencyService.AcquireUserSlot(ctx, id, maxConcurrency)
-			} else {
-				result, err = h.concurrencyService.AcquireAccountSlot(ctx, id, maxConcurrency)
-			}
-
-			if err != nil {
-				return nil, err
-			}
-
-			if result.Acquired {
-				return result.ReleaseFunc, nil
-			}
-			backoff = nextBackoff(backoff, rng)
-			timer.Reset(backoff)
-		}
-	}
-}
-
-// AcquireAccountSlotWithWaitTimeout acquires an account slot with a custom timeout (keeps SSE ping).
-func (h *ConcurrencyHelper) AcquireAccountSlotWithWaitTimeout(c *gin.Context, accountID int64, maxConcurrency int, timeout time.Duration, isStream bool, streamStarted *bool) (func(), error) {
-	return h.waitForSlotWithPingTimeout(c, "account", accountID, maxConcurrency, timeout, isStream, streamStarted)
-}
-
-// nextBackoff 计算下一次退避时间
-// 性能优化：使用指数退避 + 随机抖动，避免惊群效应
-// current: 当前退避时间
-// rng: 随机数生成器（可为 nil，此时不添加抖动）
-// 返回值：下一次退避时间（100ms ~ 2s 之间）
-func nextBackoff(current time.Duration, rng *rand.Rand) time.Duration {
-	// 指数退避：当前时间 * 1.5
-	next := time.Duration(float64(current) * backoffMultiplier)
-	if next > maxBackoff {
-		next = maxBackoff
-	}
-	if rng == nil {
-		return next
-	}
-	// 添加 ±20% 的随机抖动（jitter 范围 0.8 ~ 1.2）
-	// 抖动可以分散多个请求的重试时间点，避免同时冲击 Redis
-	jitter := 0.8 + rng.Float64()*0.4
-	jittered := time.Duration(float64(next) * jitter)
-	if jittered < initialBackoff {
-		return initialBackoff
-	}
-	if jittered > maxBackoff {
-		return maxBackoff
-	}
-	return jittered
-}
+package handler
+
+import (
+	"context"
+	"fmt"
+	"math/rand"
+	"net/http"
+	"time"
+
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// 并发槽位等待相关常量
+//
+// 性能优化说明：
+// 原实现使用固定间隔（100ms）轮询并发槽位，存在以下问题：
+// 1. 高并发时频繁轮询增加 Redis 压力
+// 2. 固定间隔可能导致多个请求同时重试（惊群效应）
+//
+// 新实现使用指数退避 + 抖动算法：
+// 1. 初始退避 100ms，每次乘以 1.5，最大 2s
+// 2. 添加 ±20% 的随机抖动，分散重试时间点
+// 3. 减少 Redis 压力，避免惊群效应
+const (
+	// maxConcurrencyWait 等待并发槽位的最大时间
+	maxConcurrencyWait = 30 * time.Second
+	// pingInterval 流式响应等待时发送 ping 的间隔
+	pingInterval = 15 * time.Second
+	// initialBackoff 初始退避时间
+	initialBackoff = 100 * time.Millisecond
+	// backoffMultiplier 退避时间乘数（指数退避）
+	backoffMultiplier = 1.5
+	// maxBackoff 最大退避时间
+	maxBackoff = 2 * time.Second
+)
+
+// SSEPingFormat defines the format of SSE ping events for different platforms
+type SSEPingFormat string
+
+const (
+	// SSEPingFormatClaude is the Claude/Anthropic SSE ping format
+	SSEPingFormatClaude SSEPingFormat = "data: {\"type\": \"ping\"}\n\n"
+	// SSEPingFormatNone indicates no ping should be sent (e.g., OpenAI has no ping spec)
+	SSEPingFormatNone SSEPingFormat = ""
+)
+
+// ConcurrencyError represents a concurrency limit error with context
+type ConcurrencyError struct {
+	SlotType  string
+	IsTimeout bool
+}
+
+func (e *ConcurrencyError) Error() string {
+	if e.IsTimeout {
+		return fmt.Sprintf("timeout waiting for %s concurrency slot", e.SlotType)
+	}
+	return fmt.Sprintf("%s concurrency limit reached", e.SlotType)
+}
+
+// ConcurrencyHelper provides common concurrency slot management for gateway handlers
+type ConcurrencyHelper struct {
+	concurrencyService *service.ConcurrencyService
+	pingFormat         SSEPingFormat
+}
+
+// NewConcurrencyHelper creates a new ConcurrencyHelper
+func NewConcurrencyHelper(concurrencyService *service.ConcurrencyService, pingFormat SSEPingFormat) *ConcurrencyHelper {
+	return &ConcurrencyHelper{
+		concurrencyService: concurrencyService,
+		pingFormat:         pingFormat,
+	}
+}
+
+// IncrementWaitCount increments the wait count for a user
+func (h *ConcurrencyHelper) IncrementWaitCount(ctx context.Context, userID int64, maxWait int) (bool, error) {
+	return h.concurrencyService.IncrementWaitCount(ctx, userID, maxWait)
+}
+
+// DecrementWaitCount decrements the wait count for a user
+func (h *ConcurrencyHelper) DecrementWaitCount(ctx context.Context, userID int64) {
+	h.concurrencyService.DecrementWaitCount(ctx, userID)
+}
+
+// IncrementAccountWaitCount increments the wait count for an account
+func (h *ConcurrencyHelper) IncrementAccountWaitCount(ctx context.Context, accountID int64, maxWait int) (bool, error) {
+	return h.concurrencyService.IncrementAccountWaitCount(ctx, accountID, maxWait)
+}
+
+// DecrementAccountWaitCount decrements the wait count for an account
+func (h *ConcurrencyHelper) DecrementAccountWaitCount(ctx context.Context, accountID int64) {
+	h.concurrencyService.DecrementAccountWaitCount(ctx, accountID)
+}
+
+// AcquireUserSlotWithWait acquires a user concurrency slot, waiting if necessary.
+// For streaming requests, sends ping events during the wait.
+// streamStarted is updated if streaming response has begun.
+func (h *ConcurrencyHelper) AcquireUserSlotWithWait(c *gin.Context, userID int64, maxConcurrency int, isStream bool, streamStarted *bool) (func(), error) {
+	ctx := c.Request.Context()
+
+	// Try to acquire immediately
+	result, err := h.concurrencyService.AcquireUserSlot(ctx, userID, maxConcurrency)
+	if err != nil {
+		return nil, err
+	}
+
+	if result.Acquired {
+		return result.ReleaseFunc, nil
+	}
+
+	// Need to wait - handle streaming ping if needed
+	return h.waitForSlotWithPing(c, "user", userID, maxConcurrency, isStream, streamStarted)
+}
+
+// AcquireAccountSlotWithWait acquires an account concurrency slot, waiting if necessary.
+// For streaming requests, sends ping events during the wait.
+// streamStarted is updated if streaming response has begun.
+func (h *ConcurrencyHelper) AcquireAccountSlotWithWait(c *gin.Context, accountID int64, maxConcurrency int, isStream bool, streamStarted *bool) (func(), error) {
+	ctx := c.Request.Context()
+
+	// Try to acquire immediately
+	result, err := h.concurrencyService.AcquireAccountSlot(ctx, accountID, maxConcurrency)
+	if err != nil {
+		return nil, err
+	}
+
+	if result.Acquired {
+		return result.ReleaseFunc, nil
+	}
+
+	// Need to wait - handle streaming ping if needed
+	return h.waitForSlotWithPing(c, "account", accountID, maxConcurrency, isStream, streamStarted)
+}
+
+// waitForSlotWithPing waits for a concurrency slot, sending ping events for streaming requests.
+// streamStarted pointer is updated when streaming begins (for proper error handling by caller).
+func (h *ConcurrencyHelper) waitForSlotWithPing(c *gin.Context, slotType string, id int64, maxConcurrency int, isStream bool, streamStarted *bool) (func(), error) {
+	return h.waitForSlotWithPingTimeout(c, slotType, id, maxConcurrency, maxConcurrencyWait, isStream, streamStarted)
+}
+
+// waitForSlotWithPingTimeout waits for a concurrency slot with a custom timeout.
+func (h *ConcurrencyHelper) waitForSlotWithPingTimeout(c *gin.Context, slotType string, id int64, maxConcurrency int, timeout time.Duration, isStream bool, streamStarted *bool) (func(), error) {
+	ctx, cancel := context.WithTimeout(c.Request.Context(), timeout)
+	defer cancel()
+
+	// Try immediate acquire first (avoid unnecessary wait)
+	var result *service.AcquireResult
+	var err error
+	if slotType == "user" {
+		result, err = h.concurrencyService.AcquireUserSlot(ctx, id, maxConcurrency)
+	} else {
+		result, err = h.concurrencyService.AcquireAccountSlot(ctx, id, maxConcurrency)
+	}
+	if err != nil {
+		return nil, err
+	}
+	if result.Acquired {
+		return result.ReleaseFunc, nil
+	}
+
+	// Determine if ping is needed (streaming + ping format defined)
+	needPing := isStream && h.pingFormat != ""
+
+	var flusher http.Flusher
+	if needPing {
+		var ok bool
+		flusher, ok = c.Writer.(http.Flusher)
+		if !ok {
+			return nil, fmt.Errorf("streaming not supported")
+		}
+	}
+
+	// Only create ping ticker if ping is needed
+	var pingCh <-chan time.Time
+	if needPing {
+		pingTicker := time.NewTicker(pingInterval)
+		defer pingTicker.Stop()
+		pingCh = pingTicker.C
+	}
+
+	backoff := initialBackoff
+	timer := time.NewTimer(backoff)
+	defer timer.Stop()
+	rng := rand.New(rand.NewSource(time.Now().UnixNano()))
+
+	for {
+		select {
+		case <-ctx.Done():
+			return nil, &ConcurrencyError{
+				SlotType:  slotType,
+				IsTimeout: true,
+			}
+
+		case <-pingCh:
+			// Send ping to keep connection alive
+			if !*streamStarted {
+				c.Header("Content-Type", "text/event-stream")
+				c.Header("Cache-Control", "no-cache")
+				c.Header("Connection", "keep-alive")
+				c.Header("X-Accel-Buffering", "no")
+				*streamStarted = true
+			}
+			if _, err := fmt.Fprint(c.Writer, string(h.pingFormat)); err != nil {
+				return nil, err
+			}
+			flusher.Flush()
+
+		case <-timer.C:
+			// Try to acquire slot
+			var result *service.AcquireResult
+			var err error
+
+			if slotType == "user" {
+				result, err = h.concurrencyService.AcquireUserSlot(ctx, id, maxConcurrency)
+			} else {
+				result, err = h.concurrencyService.AcquireAccountSlot(ctx, id, maxConcurrency)
+			}
+
+			if err != nil {
+				return nil, err
+			}
+
+			if result.Acquired {
+				return result.ReleaseFunc, nil
+			}
+			backoff = nextBackoff(backoff, rng)
+			timer.Reset(backoff)
+		}
+	}
+}
+
+// AcquireAccountSlotWithWaitTimeout acquires an account slot with a custom timeout (keeps SSE ping).
+func (h *ConcurrencyHelper) AcquireAccountSlotWithWaitTimeout(c *gin.Context, accountID int64, maxConcurrency int, timeout time.Duration, isStream bool, streamStarted *bool) (func(), error) {
+	return h.waitForSlotWithPingTimeout(c, "account", accountID, maxConcurrency, timeout, isStream, streamStarted)
+}
+
+// nextBackoff 计算下一次退避时间
+// 性能优化：使用指数退避 + 随机抖动，避免惊群效应
+// current: 当前退避时间
+// rng: 随机数生成器（可为 nil，此时不添加抖动）
+// 返回值：下一次退避时间（100ms ~ 2s 之间）
+func nextBackoff(current time.Duration, rng *rand.Rand) time.Duration {
+	// 指数退避：当前时间 * 1.5
+	next := time.Duration(float64(current) * backoffMultiplier)
+	if next > maxBackoff {
+		next = maxBackoff
+	}
+	if rng == nil {
+		return next
+	}
+	// 添加 ±20% 的随机抖动（jitter 范围 0.8 ~ 1.2）
+	// 抖动可以分散多个请求的重试时间点，避免同时冲击 Redis
+	jitter := 0.8 + rng.Float64()*0.4
+	jittered := time.Duration(float64(next) * jitter)
+	if jittered < initialBackoff {
+		return initialBackoff
+	}
+	if jittered > maxBackoff {
+		return maxBackoff
+	}
+	return jittered
+}

backend/internal/handler/gemini_v1beta_handler.go

@@ -1,407 +1,407 @@
-package handler
-
-import (
-	"context"
-	"errors"
-	"io"
-	"log"
-	"net/http"
-	"strings"
-	"time"
-
-	"github.com/Wei-Shaw/sub2api/internal/pkg/antigravity"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/gemini"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/googleapi"
-	"github.com/Wei-Shaw/sub2api/internal/server/middleware"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// GeminiV1BetaListModels proxies:
-// GET /v1beta/models
-func (h *GatewayHandler) GeminiV1BetaListModels(c *gin.Context) {
-	apiKey, ok := middleware.GetApiKeyFromContext(c)
-	if !ok || apiKey == nil {
-		googleError(c, http.StatusUnauthorized, "Invalid API key")
-		return
-	}
-	// 检查平台：优先使用强制平台（/antigravity 路由），否则要求 gemini 分组
-	forcePlatform, hasForcePlatform := middleware.GetForcePlatformFromContext(c)
-	if !hasForcePlatform && (apiKey.Group == nil || apiKey.Group.Platform != service.PlatformGemini) {
-		googleError(c, http.StatusBadRequest, "API key group platform is not gemini")
-		return
-	}
-
-	// 强制 antigravity 模式：返回 antigravity 支持的模型列表
-	if forcePlatform == service.PlatformAntigravity {
-		c.JSON(http.StatusOK, antigravity.FallbackGeminiModelsList())
-		return
-	}
-
-	account, err := h.geminiCompatService.SelectAccountForAIStudioEndpoints(c.Request.Context(), apiKey.GroupID)
-	if err != nil {
-		// 没有 gemini 账户，检查是否有 antigravity 账户可用
-		hasAntigravity, _ := h.geminiCompatService.HasAntigravityAccounts(c.Request.Context(), apiKey.GroupID)
-		if hasAntigravity {
-			// antigravity 账户使用静态模型列表
-			c.JSON(http.StatusOK, gemini.FallbackModelsList())
-			return
-		}
-		googleError(c, http.StatusServiceUnavailable, "No available Gemini accounts: "+err.Error())
-		return
-	}
-
-	res, err := h.geminiCompatService.ForwardAIStudioGET(c.Request.Context(), account, "/v1beta/models")
-	if err != nil {
-		googleError(c, http.StatusBadGateway, err.Error())
-		return
-	}
-	if shouldFallbackGeminiModels(res) {
-		c.JSON(http.StatusOK, gemini.FallbackModelsList())
-		return
-	}
-	writeUpstreamResponse(c, res)
-}
-
-// GeminiV1BetaGetModel proxies:
-// GET /v1beta/models/{model}
-func (h *GatewayHandler) GeminiV1BetaGetModel(c *gin.Context) {
-	apiKey, ok := middleware.GetApiKeyFromContext(c)
-	if !ok || apiKey == nil {
-		googleError(c, http.StatusUnauthorized, "Invalid API key")
-		return
-	}
-	// 检查平台：优先使用强制平台（/antigravity 路由），否则要求 gemini 分组
-	forcePlatform, hasForcePlatform := middleware.GetForcePlatformFromContext(c)
-	if !hasForcePlatform && (apiKey.Group == nil || apiKey.Group.Platform != service.PlatformGemini) {
-		googleError(c, http.StatusBadRequest, "API key group platform is not gemini")
-		return
-	}
-
-	modelName := strings.TrimSpace(c.Param("model"))
-	if modelName == "" {
-		googleError(c, http.StatusBadRequest, "Missing model in URL")
-		return
-	}
-
-	// 强制 antigravity 模式：返回 antigravity 模型信息
-	if forcePlatform == service.PlatformAntigravity {
-		c.JSON(http.StatusOK, antigravity.FallbackGeminiModel(modelName))
-		return
-	}
-
-	account, err := h.geminiCompatService.SelectAccountForAIStudioEndpoints(c.Request.Context(), apiKey.GroupID)
-	if err != nil {
-		// 没有 gemini 账户，检查是否有 antigravity 账户可用
-		hasAntigravity, _ := h.geminiCompatService.HasAntigravityAccounts(c.Request.Context(), apiKey.GroupID)
-		if hasAntigravity {
-			// antigravity 账户使用静态模型信息
-			c.JSON(http.StatusOK, gemini.FallbackModel(modelName))
-			return
-		}
-		googleError(c, http.StatusServiceUnavailable, "No available Gemini accounts: "+err.Error())
-		return
-	}
-
-	res, err := h.geminiCompatService.ForwardAIStudioGET(c.Request.Context(), account, "/v1beta/models/"+modelName)
-	if err != nil {
-		googleError(c, http.StatusBadGateway, err.Error())
-		return
-	}
-	if shouldFallbackGeminiModels(res) {
-		c.JSON(http.StatusOK, gemini.FallbackModel(modelName))
-		return
-	}
-	writeUpstreamResponse(c, res)
-}
-
-// GeminiV1BetaModels proxies Gemini native REST endpoints like:
-// POST /v1beta/models/{model}:generateContent
-// POST /v1beta/models/{model}:streamGenerateContent?alt=sse
-func (h *GatewayHandler) GeminiV1BetaModels(c *gin.Context) {
-	apiKey, ok := middleware.GetApiKeyFromContext(c)
-	if !ok || apiKey == nil {
-		googleError(c, http.StatusUnauthorized, "Invalid API key")
-		return
-	}
-	authSubject, ok := middleware.GetAuthSubjectFromContext(c)
-	if !ok {
-		googleError(c, http.StatusInternalServerError, "User context not found")
-		return
-	}
-
-	// 检查平台：优先使用强制平台（/antigravity 路由，中间件已设置 request.Context），否则要求 gemini 分组
-	if !middleware.HasForcePlatform(c) {
-		if apiKey.Group == nil || apiKey.Group.Platform != service.PlatformGemini {
-			googleError(c, http.StatusBadRequest, "API key group platform is not gemini")
-			return
-		}
-	}
-
-	modelName, action, err := parseGeminiModelAction(strings.TrimPrefix(c.Param("modelAction"), "/"))
-	if err != nil {
-		googleError(c, http.StatusNotFound, err.Error())
-		return
-	}
-
-	stream := action == "streamGenerateContent"
-
-	body, err := io.ReadAll(c.Request.Body)
-	if err != nil {
-		if maxErr, ok := extractMaxBytesError(err); ok {
-			googleError(c, http.StatusRequestEntityTooLarge, buildBodyTooLargeMessage(maxErr.Limit))
-			return
-		}
-		googleError(c, http.StatusBadRequest, "Failed to read request body")
-		return
-	}
-	if len(body) == 0 {
-		googleError(c, http.StatusBadRequest, "Request body is empty")
-		return
-	}
-
-	// Get subscription (may be nil)
-	subscription, _ := middleware.GetSubscriptionFromContext(c)
-
-	// For Gemini native API, do not send Claude-style ping frames.
-	geminiConcurrency := NewConcurrencyHelper(h.concurrencyHelper.concurrencyService, SSEPingFormatNone)
-
-	// 0) wait queue check
-	maxWait := service.CalculateMaxWait(authSubject.Concurrency)
-	canWait, err := geminiConcurrency.IncrementWaitCount(c.Request.Context(), authSubject.UserID, maxWait)
-	if err != nil {
-		log.Printf("Increment wait count failed: %v", err)
-	} else if !canWait {
-		googleError(c, http.StatusTooManyRequests, "Too many pending requests, please retry later")
-		return
-	}
-	defer geminiConcurrency.DecrementWaitCount(c.Request.Context(), authSubject.UserID)
-
-	// 1) user concurrency slot
-	streamStarted := false
-	userReleaseFunc, err := geminiConcurrency.AcquireUserSlotWithWait(c, authSubject.UserID, authSubject.Concurrency, stream, &streamStarted)
-	if err != nil {
-		googleError(c, http.StatusTooManyRequests, err.Error())
-		return
-	}
-	if userReleaseFunc != nil {
-		defer userReleaseFunc()
-	}
-
-	// 2) billing eligibility check (after wait)
-	if err := h.billingCacheService.CheckBillingEligibility(c.Request.Context(), apiKey.User, apiKey, apiKey.Group, subscription); err != nil {
-		googleError(c, http.StatusForbidden, err.Error())
-		return
-	}
-
-	// 3) select account (sticky session based on request body)
-	parsedReq, _ := service.ParseGatewayRequest(body)
-	sessionHash := h.gatewayService.GenerateSessionHash(parsedReq)
-	sessionKey := sessionHash
-	if sessionHash != "" {
-		sessionKey = "gemini:" + sessionHash
-	}
-	const maxAccountSwitches = 3
-	switchCount := 0
-	failedAccountIDs := make(map[int64]struct{})
-	lastFailoverStatus := 0
-
-	for {
-		selection, err := h.gatewayService.SelectAccountWithLoadAwareness(c.Request.Context(), apiKey.GroupID, sessionKey, modelName, failedAccountIDs)
-		if err != nil {
-			if len(failedAccountIDs) == 0 {
-				googleError(c, http.StatusServiceUnavailable, "No available Gemini accounts: "+err.Error())
-				return
-			}
-			handleGeminiFailoverExhausted(c, lastFailoverStatus)
-			return
-		}
-		account := selection.Account
-
-		// 4) account concurrency slot
-		accountReleaseFunc := selection.ReleaseFunc
-		var accountWaitRelease func()
-		if !selection.Acquired {
-			if selection.WaitPlan == nil {
-				googleError(c, http.StatusServiceUnavailable, "No available Gemini accounts")
-				return
-			}
-			canWait, err := geminiConcurrency.IncrementAccountWaitCount(c.Request.Context(), account.ID, selection.WaitPlan.MaxWaiting)
-			if err != nil {
-				log.Printf("Increment account wait count failed: %v", err)
-			} else if !canWait {
-				log.Printf("Account wait queue full: account=%d", account.ID)
-				googleError(c, http.StatusTooManyRequests, "Too many pending requests, please retry later")
-				return
-			} else {
-				// Only set release function if increment succeeded
-				accountWaitRelease = func() {
-					geminiConcurrency.DecrementAccountWaitCount(c.Request.Context(), account.ID)
-				}
-			}
-
-			accountReleaseFunc, err = geminiConcurrency.AcquireAccountSlotWithWaitTimeout(
-				c,
-				account.ID,
-				selection.WaitPlan.MaxConcurrency,
-				selection.WaitPlan.Timeout,
-				stream,
-				&streamStarted,
-			)
-			if err != nil {
-				if accountWaitRelease != nil {
-					accountWaitRelease()
-				}
-				googleError(c, http.StatusTooManyRequests, err.Error())
-				return
-			}
-			if err := h.gatewayService.BindStickySession(c.Request.Context(), sessionKey, account.ID); err != nil {
-				log.Printf("Bind sticky session failed: %v", err)
-			}
-		}
-
-		// 5) forward (根据平台分流)
-		var result *service.ForwardResult
-		if account.Platform == service.PlatformAntigravity {
-			result, err = h.antigravityGatewayService.ForwardGemini(c.Request.Context(), c, account, modelName, action, stream, body)
-		} else {
-			result, err = h.geminiCompatService.ForwardNative(c.Request.Context(), c, account, modelName, action, stream, body)
-		}
-		if accountReleaseFunc != nil {
-			accountReleaseFunc()
-		}
-		if accountWaitRelease != nil {
-			accountWaitRelease()
-		}
-		if err != nil {
-			var failoverErr *service.UpstreamFailoverError
-			if errors.As(err, &failoverErr) {
-				failedAccountIDs[account.ID] = struct{}{}
-				if switchCount >= maxAccountSwitches {
-					lastFailoverStatus = failoverErr.StatusCode
-					handleGeminiFailoverExhausted(c, lastFailoverStatus)
-					return
-				}
-				lastFailoverStatus = failoverErr.StatusCode
-				switchCount++
-				log.Printf("Gemini account %d: upstream error %d, switching account %d/%d", account.ID, failoverErr.StatusCode, switchCount, maxAccountSwitches)
-				continue
-			}
-			// ForwardNative already wrote the response
-			log.Printf("Gemini native forward failed: %v", err)
-			return
-		}
-
-		// 6) record usage async
-		go func(result *service.ForwardResult, usedAccount *service.Account) {
-			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-			defer cancel()
-			if err := h.gatewayService.RecordUsage(ctx, &service.RecordUsageInput{
-				Result:       result,
-				ApiKey:       apiKey,
-				User:         apiKey.User,
-				Account:      usedAccount,
-				Subscription: subscription,
-			}); err != nil {
-				log.Printf("Record usage failed: %v", err)
-			}
-		}(result, account)
-		return
-	}
-}
-
-func parseGeminiModelAction(rest string) (model string, action string, err error) {
-	rest = strings.TrimSpace(rest)
-	if rest == "" {
-		return "", "", &pathParseError{"missing path"}
-	}
-
-	// Standard: {model}:{action}
-	if i := strings.Index(rest, ":"); i > 0 && i < len(rest)-1 {
-		return rest[:i], rest[i+1:], nil
-	}
-
-	// Fallback: {model}/{action}
-	if i := strings.Index(rest, "/"); i > 0 && i < len(rest)-1 {
-		return rest[:i], rest[i+1:], nil
-	}
-
-	return "", "", &pathParseError{"invalid model action path"}
-}
-
-func handleGeminiFailoverExhausted(c *gin.Context, statusCode int) {
-	status, message := mapGeminiUpstreamError(statusCode)
-	googleError(c, status, message)
-}
-
-func mapGeminiUpstreamError(statusCode int) (int, string) {
-	switch statusCode {
-	case 401:
-		return http.StatusBadGateway, "Upstream authentication failed, please contact administrator"
-	case 403:
-		return http.StatusBadGateway, "Upstream access forbidden, please contact administrator"
-	case 429:
-		return http.StatusTooManyRequests, "Upstream rate limit exceeded, please retry later"
-	case 529:
-		return http.StatusServiceUnavailable, "Upstream service overloaded, please retry later"
-	case 500, 502, 503, 504:
-		return http.StatusBadGateway, "Upstream service temporarily unavailable"
-	default:
-		return http.StatusBadGateway, "Upstream request failed"
-	}
-}
-
-type pathParseError struct{ msg string }
-
-func (e *pathParseError) Error() string { return e.msg }
-
-func googleError(c *gin.Context, status int, message string) {
-	c.JSON(status, gin.H{
-		"error": gin.H{
-			"code":    status,
-			"message": message,
-			"status":  googleapi.HTTPStatusToGoogleStatus(status),
-		},
-	})
-}
-
-func writeUpstreamResponse(c *gin.Context, res *service.UpstreamHTTPResult) {
-	if res == nil {
-		googleError(c, http.StatusBadGateway, "Empty upstream response")
-		return
-	}
-	for k, vv := range res.Headers {
-		// Avoid overriding content-length and hop-by-hop headers.
-		if strings.EqualFold(k, "Content-Length") || strings.EqualFold(k, "Transfer-Encoding") || strings.EqualFold(k, "Connection") {
-			continue
-		}
-		for _, v := range vv {
-			c.Writer.Header().Add(k, v)
-		}
-	}
-	contentType := res.Headers.Get("Content-Type")
-	if contentType == "" {
-		contentType = "application/json"
-	}
-	c.Data(res.StatusCode, contentType, res.Body)
-}
-
-func shouldFallbackGeminiModels(res *service.UpstreamHTTPResult) bool {
-	if res == nil {
-		return true
-	}
-	if res.StatusCode != http.StatusUnauthorized && res.StatusCode != http.StatusForbidden {
-		return false
-	}
-	if strings.Contains(strings.ToLower(res.Headers.Get("Www-Authenticate")), "insufficient_scope") {
-		return true
-	}
-	if strings.Contains(strings.ToLower(string(res.Body)), "insufficient authentication scopes") {
-		return true
-	}
-	if strings.Contains(strings.ToLower(string(res.Body)), "access_token_scope_insufficient") {
-		return true
-	}
-	return false
-}
+package handler
+
+import (
+	"context"
+	"errors"
+	"io"
+	"log"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/Wei-Shaw/sub2api/internal/pkg/antigravity"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/gemini"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/googleapi"
+	"github.com/Wei-Shaw/sub2api/internal/server/middleware"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// GeminiV1BetaListModels proxies:
+// GET /v1beta/models
+func (h *GatewayHandler) GeminiV1BetaListModels(c *gin.Context) {
+	apiKey, ok := middleware.GetApiKeyFromContext(c)
+	if !ok || apiKey == nil {
+		googleError(c, http.StatusUnauthorized, "Invalid API key")
+		return
+	}
+	// 检查平台：优先使用强制平台（/antigravity 路由），否则要求 gemini 分组
+	forcePlatform, hasForcePlatform := middleware.GetForcePlatformFromContext(c)
+	if !hasForcePlatform && (apiKey.Group == nil || apiKey.Group.Platform != service.PlatformGemini) {
+		googleError(c, http.StatusBadRequest, "API key group platform is not gemini")
+		return
+	}
+
+	// 强制 antigravity 模式：返回 antigravity 支持的模型列表
+	if forcePlatform == service.PlatformAntigravity {
+		c.JSON(http.StatusOK, antigravity.FallbackGeminiModelsList())
+		return
+	}
+
+	account, err := h.geminiCompatService.SelectAccountForAIStudioEndpoints(c.Request.Context(), apiKey.GroupID)
+	if err != nil {
+		// 没有 gemini 账户，检查是否有 antigravity 账户可用
+		hasAntigravity, _ := h.geminiCompatService.HasAntigravityAccounts(c.Request.Context(), apiKey.GroupID)
+		if hasAntigravity {
+			// antigravity 账户使用静态模型列表
+			c.JSON(http.StatusOK, gemini.FallbackModelsList())
+			return
+		}
+		googleError(c, http.StatusServiceUnavailable, "No available Gemini accounts: "+err.Error())
+		return
+	}
+
+	res, err := h.geminiCompatService.ForwardAIStudioGET(c.Request.Context(), account, "/v1beta/models")
+	if err != nil {
+		googleError(c, http.StatusBadGateway, err.Error())
+		return
+	}
+	if shouldFallbackGeminiModels(res) {
+		c.JSON(http.StatusOK, gemini.FallbackModelsList())
+		return
+	}
+	writeUpstreamResponse(c, res)
+}
+
+// GeminiV1BetaGetModel proxies:
+// GET /v1beta/models/{model}
+func (h *GatewayHandler) GeminiV1BetaGetModel(c *gin.Context) {
+	apiKey, ok := middleware.GetApiKeyFromContext(c)
+	if !ok || apiKey == nil {
+		googleError(c, http.StatusUnauthorized, "Invalid API key")
+		return
+	}
+	// 检查平台：优先使用强制平台（/antigravity 路由），否则要求 gemini 分组
+	forcePlatform, hasForcePlatform := middleware.GetForcePlatformFromContext(c)
+	if !hasForcePlatform && (apiKey.Group == nil || apiKey.Group.Platform != service.PlatformGemini) {
+		googleError(c, http.StatusBadRequest, "API key group platform is not gemini")
+		return
+	}
+
+	modelName := strings.TrimSpace(c.Param("model"))
+	if modelName == "" {
+		googleError(c, http.StatusBadRequest, "Missing model in URL")
+		return
+	}
+
+	// 强制 antigravity 模式：返回 antigravity 模型信息
+	if forcePlatform == service.PlatformAntigravity {
+		c.JSON(http.StatusOK, antigravity.FallbackGeminiModel(modelName))
+		return
+	}
+
+	account, err := h.geminiCompatService.SelectAccountForAIStudioEndpoints(c.Request.Context(), apiKey.GroupID)
+	if err != nil {
+		// 没有 gemini 账户，检查是否有 antigravity 账户可用
+		hasAntigravity, _ := h.geminiCompatService.HasAntigravityAccounts(c.Request.Context(), apiKey.GroupID)
+		if hasAntigravity {
+			// antigravity 账户使用静态模型信息
+			c.JSON(http.StatusOK, gemini.FallbackModel(modelName))
+			return
+		}
+		googleError(c, http.StatusServiceUnavailable, "No available Gemini accounts: "+err.Error())
+		return
+	}
+
+	res, err := h.geminiCompatService.ForwardAIStudioGET(c.Request.Context(), account, "/v1beta/models/"+modelName)
+	if err != nil {
+		googleError(c, http.StatusBadGateway, err.Error())
+		return
+	}
+	if shouldFallbackGeminiModels(res) {
+		c.JSON(http.StatusOK, gemini.FallbackModel(modelName))
+		return
+	}
+	writeUpstreamResponse(c, res)
+}
+
+// GeminiV1BetaModels proxies Gemini native REST endpoints like:
+// POST /v1beta/models/{model}:generateContent
+// POST /v1beta/models/{model}:streamGenerateContent?alt=sse
+func (h *GatewayHandler) GeminiV1BetaModels(c *gin.Context) {
+	apiKey, ok := middleware.GetApiKeyFromContext(c)
+	if !ok || apiKey == nil {
+		googleError(c, http.StatusUnauthorized, "Invalid API key")
+		return
+	}
+	authSubject, ok := middleware.GetAuthSubjectFromContext(c)
+	if !ok {
+		googleError(c, http.StatusInternalServerError, "User context not found")
+		return
+	}
+
+	// 检查平台：优先使用强制平台（/antigravity 路由，中间件已设置 request.Context），否则要求 gemini 分组
+	if !middleware.HasForcePlatform(c) {
+		if apiKey.Group == nil || apiKey.Group.Platform != service.PlatformGemini {
+			googleError(c, http.StatusBadRequest, "API key group platform is not gemini")
+			return
+		}
+	}
+
+	modelName, action, err := parseGeminiModelAction(strings.TrimPrefix(c.Param("modelAction"), "/"))
+	if err != nil {
+		googleError(c, http.StatusNotFound, err.Error())
+		return
+	}
+
+	stream := action == "streamGenerateContent"
+
+	body, err := io.ReadAll(c.Request.Body)
+	if err != nil {
+		if maxErr, ok := extractMaxBytesError(err); ok {
+			googleError(c, http.StatusRequestEntityTooLarge, buildBodyTooLargeMessage(maxErr.Limit))
+			return
+		}
+		googleError(c, http.StatusBadRequest, "Failed to read request body")
+		return
+	}
+	if len(body) == 0 {
+		googleError(c, http.StatusBadRequest, "Request body is empty")
+		return
+	}
+
+	// Get subscription (may be nil)
+	subscription, _ := middleware.GetSubscriptionFromContext(c)
+
+	// For Gemini native API, do not send Claude-style ping frames.
+	geminiConcurrency := NewConcurrencyHelper(h.concurrencyHelper.concurrencyService, SSEPingFormatNone)
+
+	// 0) wait queue check
+	maxWait := service.CalculateMaxWait(authSubject.Concurrency)
+	canWait, err := geminiConcurrency.IncrementWaitCount(c.Request.Context(), authSubject.UserID, maxWait)
+	if err != nil {
+		log.Printf("Increment wait count failed: %v", err)
+	} else if !canWait {
+		googleError(c, http.StatusTooManyRequests, "Too many pending requests, please retry later")
+		return
+	}
+	defer geminiConcurrency.DecrementWaitCount(c.Request.Context(), authSubject.UserID)
+
+	// 1) user concurrency slot
+	streamStarted := false
+	userReleaseFunc, err := geminiConcurrency.AcquireUserSlotWithWait(c, authSubject.UserID, authSubject.Concurrency, stream, &streamStarted)
+	if err != nil {
+		googleError(c, http.StatusTooManyRequests, err.Error())
+		return
+	}
+	if userReleaseFunc != nil {
+		defer userReleaseFunc()
+	}
+
+	// 2) billing eligibility check (after wait)
+	if err := h.billingCacheService.CheckBillingEligibility(c.Request.Context(), apiKey.User, apiKey, apiKey.Group, subscription); err != nil {
+		googleError(c, http.StatusForbidden, err.Error())
+		return
+	}
+
+	// 3) select account (sticky session based on request body)
+	parsedReq, _ := service.ParseGatewayRequest(body)
+	sessionHash := h.gatewayService.GenerateSessionHash(parsedReq)
+	sessionKey := sessionHash
+	if sessionHash != "" {
+		sessionKey = "gemini:" + sessionHash
+	}
+	const maxAccountSwitches = 3
+	switchCount := 0
+	failedAccountIDs := make(map[int64]struct{})
+	lastFailoverStatus := 0
+
+	for {
+		selection, err := h.gatewayService.SelectAccountWithLoadAwareness(c.Request.Context(), apiKey.GroupID, sessionKey, modelName, failedAccountIDs)
+		if err != nil {
+			if len(failedAccountIDs) == 0 {
+				googleError(c, http.StatusServiceUnavailable, "No available Gemini accounts: "+err.Error())
+				return
+			}
+			handleGeminiFailoverExhausted(c, lastFailoverStatus)
+			return
+		}
+		account := selection.Account
+
+		// 4) account concurrency slot
+		accountReleaseFunc := selection.ReleaseFunc
+		var accountWaitRelease func()
+		if !selection.Acquired {
+			if selection.WaitPlan == nil {
+				googleError(c, http.StatusServiceUnavailable, "No available Gemini accounts")
+				return
+			}
+			canWait, err := geminiConcurrency.IncrementAccountWaitCount(c.Request.Context(), account.ID, selection.WaitPlan.MaxWaiting)
+			if err != nil {
+				log.Printf("Increment account wait count failed: %v", err)
+			} else if !canWait {
+				log.Printf("Account wait queue full: account=%d", account.ID)
+				googleError(c, http.StatusTooManyRequests, "Too many pending requests, please retry later")
+				return
+			} else {
+				// Only set release function if increment succeeded
+				accountWaitRelease = func() {
+					geminiConcurrency.DecrementAccountWaitCount(c.Request.Context(), account.ID)
+				}
+			}
+
+			accountReleaseFunc, err = geminiConcurrency.AcquireAccountSlotWithWaitTimeout(
+				c,
+				account.ID,
+				selection.WaitPlan.MaxConcurrency,
+				selection.WaitPlan.Timeout,
+				stream,
+				&streamStarted,
+			)
+			if err != nil {
+				if accountWaitRelease != nil {
+					accountWaitRelease()
+				}
+				googleError(c, http.StatusTooManyRequests, err.Error())
+				return
+			}
+			if err := h.gatewayService.BindStickySession(c.Request.Context(), sessionKey, account.ID); err != nil {
+				log.Printf("Bind sticky session failed: %v", err)
+			}
+		}
+
+		// 5) forward (根据平台分流)
+		var result *service.ForwardResult
+		if account.Platform == service.PlatformAntigravity {
+			result, err = h.antigravityGatewayService.ForwardGemini(c.Request.Context(), c, account, modelName, action, stream, body)
+		} else {
+			result, err = h.geminiCompatService.ForwardNative(c.Request.Context(), c, account, modelName, action, stream, body)
+		}
+		if accountReleaseFunc != nil {
+			accountReleaseFunc()
+		}
+		if accountWaitRelease != nil {
+			accountWaitRelease()
+		}
+		if err != nil {
+			var failoverErr *service.UpstreamFailoverError
+			if errors.As(err, &failoverErr) {
+				failedAccountIDs[account.ID] = struct{}{}
+				if switchCount >= maxAccountSwitches {
+					lastFailoverStatus = failoverErr.StatusCode
+					handleGeminiFailoverExhausted(c, lastFailoverStatus)
+					return
+				}
+				lastFailoverStatus = failoverErr.StatusCode
+				switchCount++
+				log.Printf("Gemini account %d: upstream error %d, switching account %d/%d", account.ID, failoverErr.StatusCode, switchCount, maxAccountSwitches)
+				continue
+			}
+			// ForwardNative already wrote the response
+			log.Printf("Gemini native forward failed: %v", err)
+			return
+		}
+
+		// 6) record usage async
+		go func(result *service.ForwardResult, usedAccount *service.Account) {
+			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+			defer cancel()
+			if err := h.gatewayService.RecordUsage(ctx, &service.RecordUsageInput{
+				Result:       result,
+				ApiKey:       apiKey,
+				User:         apiKey.User,
+				Account:      usedAccount,
+				Subscription: subscription,
+			}); err != nil {
+				log.Printf("Record usage failed: %v", err)
+			}
+		}(result, account)
+		return
+	}
+}
+
+func parseGeminiModelAction(rest string) (model string, action string, err error) {
+	rest = strings.TrimSpace(rest)
+	if rest == "" {
+		return "", "", &pathParseError{"missing path"}
+	}
+
+	// Standard: {model}:{action}
+	if i := strings.Index(rest, ":"); i > 0 && i < len(rest)-1 {
+		return rest[:i], rest[i+1:], nil
+	}
+
+	// Fallback: {model}/{action}
+	if i := strings.Index(rest, "/"); i > 0 && i < len(rest)-1 {
+		return rest[:i], rest[i+1:], nil
+	}
+
+	return "", "", &pathParseError{"invalid model action path"}
+}
+
+func handleGeminiFailoverExhausted(c *gin.Context, statusCode int) {
+	status, message := mapGeminiUpstreamError(statusCode)
+	googleError(c, status, message)
+}
+
+func mapGeminiUpstreamError(statusCode int) (int, string) {
+	switch statusCode {
+	case 401:
+		return http.StatusBadGateway, "Upstream authentication failed, please contact administrator"
+	case 403:
+		return http.StatusBadGateway, "Upstream access forbidden, please contact administrator"
+	case 429:
+		return http.StatusTooManyRequests, "Upstream rate limit exceeded, please retry later"
+	case 529:
+		return http.StatusServiceUnavailable, "Upstream service overloaded, please retry later"
+	case 500, 502, 503, 504:
+		return http.StatusBadGateway, "Upstream service temporarily unavailable"
+	default:
+		return http.StatusBadGateway, "Upstream request failed"
+	}
+}
+
+type pathParseError struct{ msg string }
+
+func (e *pathParseError) Error() string { return e.msg }
+
+func googleError(c *gin.Context, status int, message string) {
+	c.JSON(status, gin.H{
+		"error": gin.H{
+			"code":    status,
+			"message": message,
+			"status":  googleapi.HTTPStatusToGoogleStatus(status),
+		},
+	})
+}
+
+func writeUpstreamResponse(c *gin.Context, res *service.UpstreamHTTPResult) {
+	if res == nil {
+		googleError(c, http.StatusBadGateway, "Empty upstream response")
+		return
+	}
+	for k, vv := range res.Headers {
+		// Avoid overriding content-length and hop-by-hop headers.
+		if strings.EqualFold(k, "Content-Length") || strings.EqualFold(k, "Transfer-Encoding") || strings.EqualFold(k, "Connection") {
+			continue
+		}
+		for _, v := range vv {
+			c.Writer.Header().Add(k, v)
+		}
+	}
+	contentType := res.Headers.Get("Content-Type")
+	if contentType == "" {
+		contentType = "application/json"
+	}
+	c.Data(res.StatusCode, contentType, res.Body)
+}
+
+func shouldFallbackGeminiModels(res *service.UpstreamHTTPResult) bool {
+	if res == nil {
+		return true
+	}
+	if res.StatusCode != http.StatusUnauthorized && res.StatusCode != http.StatusForbidden {
+		return false
+	}
+	if strings.Contains(strings.ToLower(res.Headers.Get("Www-Authenticate")), "insufficient_scope") {
+		return true
+	}
+	if strings.Contains(strings.ToLower(string(res.Body)), "insufficient authentication scopes") {
+		return true
+	}
+	if strings.Contains(strings.ToLower(string(res.Body)), "access_token_scope_insufficient") {
+		return true
+	}
+	return false
+}

backend/internal/handler/gemini_v1beta_handler_test.go

@@ -1,143 +1,143 @@
-//go:build unit
-
-package handler
-
-import (
-	"testing"
-
-	"github.com/Wei-Shaw/sub2api/internal/service"
-	"github.com/stretchr/testify/require"
-)
-
-// TestGeminiV1BetaHandler_PlatformRoutingInvariant 文档化并验证 Handler 层的平台路由逻辑不变量
-// 该测试确保 gemini 和 antigravity 平台的路由逻辑符合预期
-func TestGeminiV1BetaHandler_PlatformRoutingInvariant(t *testing.T) {
-	tests := []struct {
-		name            string
-		platform        string
-		expectedService string
-		description     string
-	}{
-		{
-			name:            "Gemini平台使用ForwardNative",
-			platform:        service.PlatformGemini,
-			expectedService: "GeminiMessagesCompatService.ForwardNative",
-			description:     "Gemini OAuth 账户直接调用 Google API",
-		},
-		{
-			name:            "Antigravity平台使用ForwardGemini",
-			platform:        service.PlatformAntigravity,
-			expectedService: "AntigravityGatewayService.ForwardGemini",
-			description:     "Antigravity 账户通过 CRS 中转，支持 Gemini 协议",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// 模拟 GeminiV1BetaModels 中的路由决策 (lines 199-205 in gemini_v1beta_handler.go)
-			var routedService string
-			if tt.platform == service.PlatformAntigravity {
-				routedService = "AntigravityGatewayService.ForwardGemini"
-			} else {
-				routedService = "GeminiMessagesCompatService.ForwardNative"
-			}
-
-			require.Equal(t, tt.expectedService, routedService,
-				"平台 %s 应该路由到 %s: %s",
-				tt.platform, tt.expectedService, tt.description)
-		})
-	}
-}
-
-// TestGeminiV1BetaHandler_ListModelsAntigravityFallback 验证 ListModels 的 antigravity 降级逻辑
-// 当没有 gemini 账户但有 antigravity 账户时，应返回静态模型列表
-func TestGeminiV1BetaHandler_ListModelsAntigravityFallback(t *testing.T) {
-	tests := []struct {
-		name             string
-		hasGeminiAccount bool
-		hasAntigravity   bool
-		expectedBehavior string
-	}{
-		{
-			name:             "有Gemini账户-调用ForwardAIStudioGET",
-			hasGeminiAccount: true,
-			hasAntigravity:   false,
-			expectedBehavior: "forward_to_upstream",
-		},
-		{
-			name:             "无Gemini有Antigravity-返回静态列表",
-			hasGeminiAccount: false,
-			hasAntigravity:   true,
-			expectedBehavior: "static_fallback",
-		},
-		{
-			name:             "无任何账户-返回503",
-			hasGeminiAccount: false,
-			hasAntigravity:   false,
-			expectedBehavior: "service_unavailable",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// 模拟 GeminiV1BetaListModels 的逻辑 (lines 33-44 in gemini_v1beta_handler.go)
-			var behavior string
-
-			if tt.hasGeminiAccount {
-				behavior = "forward_to_upstream"
-			} else if tt.hasAntigravity {
-				behavior = "static_fallback"
-			} else {
-				behavior = "service_unavailable"
-			}
-
-			require.Equal(t, tt.expectedBehavior, behavior)
-		})
-	}
-}
-
-// TestGeminiV1BetaHandler_GetModelAntigravityFallback 验证 GetModel 的 antigravity 降级逻辑
-func TestGeminiV1BetaHandler_GetModelAntigravityFallback(t *testing.T) {
-	tests := []struct {
-		name             string
-		hasGeminiAccount bool
-		hasAntigravity   bool
-		expectedBehavior string
-	}{
-		{
-			name:             "有Gemini账户-调用ForwardAIStudioGET",
-			hasGeminiAccount: true,
-			hasAntigravity:   false,
-			expectedBehavior: "forward_to_upstream",
-		},
-		{
-			name:             "无Gemini有Antigravity-返回静态模型信息",
-			hasGeminiAccount: false,
-			hasAntigravity:   true,
-			expectedBehavior: "static_model_info",
-		},
-		{
-			name:             "无任何账户-返回503",
-			hasGeminiAccount: false,
-			hasAntigravity:   false,
-			expectedBehavior: "service_unavailable",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			// 模拟 GeminiV1BetaGetModel 的逻辑 (lines 77-87 in gemini_v1beta_handler.go)
-			var behavior string
-
-			if tt.hasGeminiAccount {
-				behavior = "forward_to_upstream"
-			} else if tt.hasAntigravity {
-				behavior = "static_model_info"
-			} else {
-				behavior = "service_unavailable"
-			}
-
-			require.Equal(t, tt.expectedBehavior, behavior)
-		})
-	}
-}
+//go:build unit
+
+package handler
+
+import (
+	"testing"
+
+	"github.com/Wei-Shaw/sub2api/internal/service"
+	"github.com/stretchr/testify/require"
+)
+
+// TestGeminiV1BetaHandler_PlatformRoutingInvariant 文档化并验证 Handler 层的平台路由逻辑不变量
+// 该测试确保 gemini 和 antigravity 平台的路由逻辑符合预期
+func TestGeminiV1BetaHandler_PlatformRoutingInvariant(t *testing.T) {
+	tests := []struct {
+		name            string
+		platform        string
+		expectedService string
+		description     string
+	}{
+		{
+			name:            "Gemini平台使用ForwardNative",
+			platform:        service.PlatformGemini,
+			expectedService: "GeminiMessagesCompatService.ForwardNative",
+			description:     "Gemini OAuth 账户直接调用 Google API",
+		},
+		{
+			name:            "Antigravity平台使用ForwardGemini",
+			platform:        service.PlatformAntigravity,
+			expectedService: "AntigravityGatewayService.ForwardGemini",
+			description:     "Antigravity 账户通过 CRS 中转，支持 Gemini 协议",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// 模拟 GeminiV1BetaModels 中的路由决策 (lines 199-205 in gemini_v1beta_handler.go)
+			var routedService string
+			if tt.platform == service.PlatformAntigravity {
+				routedService = "AntigravityGatewayService.ForwardGemini"
+			} else {
+				routedService = "GeminiMessagesCompatService.ForwardNative"
+			}
+
+			require.Equal(t, tt.expectedService, routedService,
+				"平台 %s 应该路由到 %s: %s",
+				tt.platform, tt.expectedService, tt.description)
+		})
+	}
+}
+
+// TestGeminiV1BetaHandler_ListModelsAntigravityFallback 验证 ListModels 的 antigravity 降级逻辑
+// 当没有 gemini 账户但有 antigravity 账户时，应返回静态模型列表
+func TestGeminiV1BetaHandler_ListModelsAntigravityFallback(t *testing.T) {
+	tests := []struct {
+		name             string
+		hasGeminiAccount bool
+		hasAntigravity   bool
+		expectedBehavior string
+	}{
+		{
+			name:             "有Gemini账户-调用ForwardAIStudioGET",
+			hasGeminiAccount: true,
+			hasAntigravity:   false,
+			expectedBehavior: "forward_to_upstream",
+		},
+		{
+			name:             "无Gemini有Antigravity-返回静态列表",
+			hasGeminiAccount: false,
+			hasAntigravity:   true,
+			expectedBehavior: "static_fallback",
+		},
+		{
+			name:             "无任何账户-返回503",
+			hasGeminiAccount: false,
+			hasAntigravity:   false,
+			expectedBehavior: "service_unavailable",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// 模拟 GeminiV1BetaListModels 的逻辑 (lines 33-44 in gemini_v1beta_handler.go)
+			var behavior string
+
+			if tt.hasGeminiAccount {
+				behavior = "forward_to_upstream"
+			} else if tt.hasAntigravity {
+				behavior = "static_fallback"
+			} else {
+				behavior = "service_unavailable"
+			}
+
+			require.Equal(t, tt.expectedBehavior, behavior)
+		})
+	}
+}
+
+// TestGeminiV1BetaHandler_GetModelAntigravityFallback 验证 GetModel 的 antigravity 降级逻辑
+func TestGeminiV1BetaHandler_GetModelAntigravityFallback(t *testing.T) {
+	tests := []struct {
+		name             string
+		hasGeminiAccount bool
+		hasAntigravity   bool
+		expectedBehavior string
+	}{
+		{
+			name:             "有Gemini账户-调用ForwardAIStudioGET",
+			hasGeminiAccount: true,
+			hasAntigravity:   false,
+			expectedBehavior: "forward_to_upstream",
+		},
+		{
+			name:             "无Gemini有Antigravity-返回静态模型信息",
+			hasGeminiAccount: false,
+			hasAntigravity:   true,
+			expectedBehavior: "static_model_info",
+		},
+		{
+			name:             "无任何账户-返回503",
+			hasGeminiAccount: false,
+			hasAntigravity:   false,
+			expectedBehavior: "service_unavailable",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// 模拟 GeminiV1BetaGetModel 的逻辑 (lines 77-87 in gemini_v1beta_handler.go)
+			var behavior string
+
+			if tt.hasGeminiAccount {
+				behavior = "forward_to_upstream"
+			} else if tt.hasAntigravity {
+				behavior = "static_model_info"
+			} else {
+				behavior = "service_unavailable"
+			}
+
+			require.Equal(t, tt.expectedBehavior, behavior)
+		})
+	}
+}

backend/internal/handler/handler.go

@@ -1,44 +1,44 @@
-package handler
-
-import (
-	"github.com/Wei-Shaw/sub2api/internal/handler/admin"
-)
-
-// AdminHandlers contains all admin-related HTTP handlers
-type AdminHandlers struct {
-	Dashboard        *admin.DashboardHandler
-	User             *admin.UserHandler
-	Group            *admin.GroupHandler
-	Account          *admin.AccountHandler
-	OAuth            *admin.OAuthHandler
-	OpenAIOAuth      *admin.OpenAIOAuthHandler
-	GeminiOAuth      *admin.GeminiOAuthHandler
-	AntigravityOAuth *admin.AntigravityOAuthHandler
-	Proxy            *admin.ProxyHandler
-	Redeem           *admin.RedeemHandler
-	Setting          *admin.SettingHandler
-	System           *admin.SystemHandler
-	Subscription     *admin.SubscriptionHandler
-	Usage            *admin.UsageHandler
-	UserAttribute    *admin.UserAttributeHandler
-}
-
-// Handlers contains all HTTP handlers
-type Handlers struct {
-	Auth          *AuthHandler
-	User          *UserHandler
-	APIKey        *APIKeyHandler
-	Usage         *UsageHandler
-	Redeem        *RedeemHandler
-	Subscription  *SubscriptionHandler
-	Admin         *AdminHandlers
-	Gateway       *GatewayHandler
-	OpenAIGateway *OpenAIGatewayHandler
-	Setting       *SettingHandler
-}
-
-// BuildInfo contains build-time information
-type BuildInfo struct {
-	Version   string
-	BuildType string // "source" for manual builds, "release" for CI builds
-}
+package handler
+
+import (
+	"github.com/Wei-Shaw/sub2api/internal/handler/admin"
+)
+
+// AdminHandlers contains all admin-related HTTP handlers
+type AdminHandlers struct {
+	Dashboard        *admin.DashboardHandler
+	User             *admin.UserHandler
+	Group            *admin.GroupHandler
+	Account          *admin.AccountHandler
+	OAuth            *admin.OAuthHandler
+	OpenAIOAuth      *admin.OpenAIOAuthHandler
+	GeminiOAuth      *admin.GeminiOAuthHandler
+	AntigravityOAuth *admin.AntigravityOAuthHandler
+	Proxy            *admin.ProxyHandler
+	Redeem           *admin.RedeemHandler
+	Setting          *admin.SettingHandler
+	System           *admin.SystemHandler
+	Subscription     *admin.SubscriptionHandler
+	Usage            *admin.UsageHandler
+	UserAttribute    *admin.UserAttributeHandler
+}
+
+// Handlers contains all HTTP handlers
+type Handlers struct {
+	Auth          *AuthHandler
+	User          *UserHandler
+	APIKey        *APIKeyHandler
+	Usage         *UsageHandler
+	Redeem        *RedeemHandler
+	Subscription  *SubscriptionHandler
+	Admin         *AdminHandlers
+	Gateway       *GatewayHandler
+	OpenAIGateway *OpenAIGatewayHandler
+	Setting       *SettingHandler
+}
+
+// BuildInfo contains build-time information
+type BuildInfo struct {
+	Version   string
+	BuildType string // "source" for manual builds, "release" for CI builds
+}

backend/internal/handler/openai_gateway_handler.go

@@ -1,306 +1,306 @@
-package handler
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"time"
-
-	"github.com/Wei-Shaw/sub2api/internal/pkg/openai"
-	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// OpenAIGatewayHandler handles OpenAI API gateway requests
-type OpenAIGatewayHandler struct {
-	gatewayService      *service.OpenAIGatewayService
-	billingCacheService *service.BillingCacheService
-	concurrencyHelper   *ConcurrencyHelper
-}
-
-// NewOpenAIGatewayHandler creates a new OpenAIGatewayHandler
-func NewOpenAIGatewayHandler(
-	gatewayService *service.OpenAIGatewayService,
-	concurrencyService *service.ConcurrencyService,
-	billingCacheService *service.BillingCacheService,
-) *OpenAIGatewayHandler {
-	return &OpenAIGatewayHandler{
-		gatewayService:      gatewayService,
-		billingCacheService: billingCacheService,
-		concurrencyHelper:   NewConcurrencyHelper(concurrencyService, SSEPingFormatNone),
-	}
-}
-
-// Responses handles OpenAI Responses API endpoint
-// POST /openai/v1/responses
-func (h *OpenAIGatewayHandler) Responses(c *gin.Context) {
-	// Get apiKey and user from context (set by ApiKeyAuth middleware)
-	apiKey, ok := middleware2.GetApiKeyFromContext(c)
-	if !ok {
-		h.errorResponse(c, http.StatusUnauthorized, "authentication_error", "Invalid API key")
-		return
-	}
-
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		h.errorResponse(c, http.StatusInternalServerError, "api_error", "User context not found")
-		return
-	}
-
-	// Read request body
-	body, err := io.ReadAll(c.Request.Body)
-	if err != nil {
-		if maxErr, ok := extractMaxBytesError(err); ok {
-			h.errorResponse(c, http.StatusRequestEntityTooLarge, "invalid_request_error", buildBodyTooLargeMessage(maxErr.Limit))
-			return
-		}
-		h.errorResponse(c, http.StatusBadRequest, "invalid_request_error", "Failed to read request body")
-		return
-	}
-
-	if len(body) == 0 {
-		h.errorResponse(c, http.StatusBadRequest, "invalid_request_error", "Request body is empty")
-		return
-	}
-
-	// Parse request body to map for potential modification
-	var reqBody map[string]any
-	if err := json.Unmarshal(body, &reqBody); err != nil {
-		h.errorResponse(c, http.StatusBadRequest, "invalid_request_error", "Failed to parse request body")
-		return
-	}
-
-	// Extract model and stream
-	reqModel, _ := reqBody["model"].(string)
-	reqStream, _ := reqBody["stream"].(bool)
-
-	// 验证 model 必填
-	if reqModel == "" {
-		h.errorResponse(c, http.StatusBadRequest, "invalid_request_error", "model is required")
-		return
-	}
-
-	// For non-Codex CLI requests, set default instructions
-	userAgent := c.GetHeader("User-Agent")
-	if !openai.IsCodexCLIRequest(userAgent) {
-		reqBody["instructions"] = openai.DefaultInstructions
-		// Re-serialize body
-		body, err = json.Marshal(reqBody)
-		if err != nil {
-			h.errorResponse(c, http.StatusInternalServerError, "api_error", "Failed to process request")
-			return
-		}
-	}
-
-	// Track if we've started streaming (for error handling)
-	streamStarted := false
-
-	// Get subscription info (may be nil)
-	subscription, _ := middleware2.GetSubscriptionFromContext(c)
-
-	// 0. Check if wait queue is full
-	maxWait := service.CalculateMaxWait(subject.Concurrency)
-	canWait, err := h.concurrencyHelper.IncrementWaitCount(c.Request.Context(), subject.UserID, maxWait)
-	if err != nil {
-		log.Printf("Increment wait count failed: %v", err)
-		// On error, allow request to proceed
-	} else if !canWait {
-		h.errorResponse(c, http.StatusTooManyRequests, "rate_limit_error", "Too many pending requests, please retry later")
-		return
-	}
-	// Ensure wait count is decremented when function exits
-	defer h.concurrencyHelper.DecrementWaitCount(c.Request.Context(), subject.UserID)
-
-	// 1. First acquire user concurrency slot
-	userReleaseFunc, err := h.concurrencyHelper.AcquireUserSlotWithWait(c, subject.UserID, subject.Concurrency, reqStream, &streamStarted)
-	if err != nil {
-		log.Printf("User concurrency acquire failed: %v", err)
-		h.handleConcurrencyError(c, err, "user", streamStarted)
-		return
-	}
-	if userReleaseFunc != nil {
-		defer userReleaseFunc()
-	}
-
-	// 2. Re-check billing eligibility after wait
-	if err := h.billingCacheService.CheckBillingEligibility(c.Request.Context(), apiKey.User, apiKey, apiKey.Group, subscription); err != nil {
-		log.Printf("Billing eligibility check failed after wait: %v", err)
-		h.handleStreamingAwareError(c, http.StatusForbidden, "billing_error", err.Error(), streamStarted)
-		return
-	}
-
-	// Generate session hash (from header for OpenAI)
-	sessionHash := h.gatewayService.GenerateSessionHash(c)
-
-	const maxAccountSwitches = 3
-	switchCount := 0
-	failedAccountIDs := make(map[int64]struct{})
-	lastFailoverStatus := 0
-
-	for {
-		// Select account supporting the requested model
-		log.Printf("[OpenAI Handler] Selecting account: groupID=%v model=%s", apiKey.GroupID, reqModel)
-		selection, err := h.gatewayService.SelectAccountWithLoadAwareness(c.Request.Context(), apiKey.GroupID, sessionHash, reqModel, failedAccountIDs)
-		if err != nil {
-			log.Printf("[OpenAI Handler] SelectAccount failed: %v", err)
-			if len(failedAccountIDs) == 0 {
-				h.handleStreamingAwareError(c, http.StatusServiceUnavailable, "api_error", "No available accounts: "+err.Error(), streamStarted)
-				return
-			}
-			h.handleFailoverExhausted(c, lastFailoverStatus, streamStarted)
-			return
-		}
-		account := selection.Account
-		log.Printf("[OpenAI Handler] Selected account: id=%d name=%s", account.ID, account.Name)
-
-		// 3. Acquire account concurrency slot
-		accountReleaseFunc := selection.ReleaseFunc
-		var accountWaitRelease func()
-		if !selection.Acquired {
-			if selection.WaitPlan == nil {
-				h.handleStreamingAwareError(c, http.StatusServiceUnavailable, "api_error", "No available accounts", streamStarted)
-				return
-			}
-			canWait, err := h.concurrencyHelper.IncrementAccountWaitCount(c.Request.Context(), account.ID, selection.WaitPlan.MaxWaiting)
-			if err != nil {
-				log.Printf("Increment account wait count failed: %v", err)
-			} else if !canWait {
-				log.Printf("Account wait queue full: account=%d", account.ID)
-				h.handleStreamingAwareError(c, http.StatusTooManyRequests, "rate_limit_error", "Too many pending requests, please retry later", streamStarted)
-				return
-			} else {
-				// Only set release function if increment succeeded
-				accountWaitRelease = func() {
-					h.concurrencyHelper.DecrementAccountWaitCount(c.Request.Context(), account.ID)
-				}
-			}
-
-			accountReleaseFunc, err = h.concurrencyHelper.AcquireAccountSlotWithWaitTimeout(
-				c,
-				account.ID,
-				selection.WaitPlan.MaxConcurrency,
-				selection.WaitPlan.Timeout,
-				reqStream,
-				&streamStarted,
-			)
-			if err != nil {
-				if accountWaitRelease != nil {
-					accountWaitRelease()
-				}
-				log.Printf("Account concurrency acquire failed: %v", err)
-				h.handleConcurrencyError(c, err, "account", streamStarted)
-				return
-			}
-			if err := h.gatewayService.BindStickySession(c.Request.Context(), sessionHash, account.ID); err != nil {
-				log.Printf("Bind sticky session failed: %v", err)
-			}
-		}
-
-		// Forward request
-		result, err := h.gatewayService.Forward(c.Request.Context(), c, account, body)
-		if accountReleaseFunc != nil {
-			accountReleaseFunc()
-		}
-		if accountWaitRelease != nil {
-			accountWaitRelease()
-		}
-		if err != nil {
-			var failoverErr *service.UpstreamFailoverError
-			if errors.As(err, &failoverErr) {
-				failedAccountIDs[account.ID] = struct{}{}
-				if switchCount >= maxAccountSwitches {
-					lastFailoverStatus = failoverErr.StatusCode
-					h.handleFailoverExhausted(c, lastFailoverStatus, streamStarted)
-					return
-				}
-				lastFailoverStatus = failoverErr.StatusCode
-				switchCount++
-				log.Printf("Account %d: upstream error %d, switching account %d/%d", account.ID, failoverErr.StatusCode, switchCount, maxAccountSwitches)
-				continue
-			}
-			// Error response already handled in Forward, just log
-			log.Printf("Forward request failed: %v", err)
-			return
-		}
-
-		// Async record usage
-		go func(result *service.OpenAIForwardResult, usedAccount *service.Account) {
-			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-			defer cancel()
-			if err := h.gatewayService.RecordUsage(ctx, &service.OpenAIRecordUsageInput{
-				Result:       result,
-				ApiKey:       apiKey,
-				User:         apiKey.User,
-				Account:      usedAccount,
-				Subscription: subscription,
-			}); err != nil {
-				log.Printf("Record usage failed: %v", err)
-			}
-		}(result, account)
-		return
-	}
-}
-
-// handleConcurrencyError handles concurrency-related errors with proper 429 response
-func (h *OpenAIGatewayHandler) handleConcurrencyError(c *gin.Context, err error, slotType string, streamStarted bool) {
-	h.handleStreamingAwareError(c, http.StatusTooManyRequests, "rate_limit_error",
-		fmt.Sprintf("Concurrency limit exceeded for %s, please retry later", slotType), streamStarted)
-}
-
-func (h *OpenAIGatewayHandler) handleFailoverExhausted(c *gin.Context, statusCode int, streamStarted bool) {
-	status, errType, errMsg := h.mapUpstreamError(statusCode)
-	h.handleStreamingAwareError(c, status, errType, errMsg, streamStarted)
-}
-
-func (h *OpenAIGatewayHandler) mapUpstreamError(statusCode int) (int, string, string) {
-	switch statusCode {
-	case 401:
-		return http.StatusBadGateway, "upstream_error", "Upstream authentication failed, please contact administrator"
-	case 403:
-		return http.StatusBadGateway, "upstream_error", "Upstream access forbidden, please contact administrator"
-	case 429:
-		return http.StatusTooManyRequests, "rate_limit_error", "Upstream rate limit exceeded, please retry later"
-	case 529:
-		return http.StatusServiceUnavailable, "upstream_error", "Upstream service overloaded, please retry later"
-	case 500, 502, 503, 504:
-		return http.StatusBadGateway, "upstream_error", "Upstream service temporarily unavailable"
-	default:
-		return http.StatusBadGateway, "upstream_error", "Upstream request failed"
-	}
-}
-
-// handleStreamingAwareError handles errors that may occur after streaming has started
-func (h *OpenAIGatewayHandler) handleStreamingAwareError(c *gin.Context, status int, errType, message string, streamStarted bool) {
-	if streamStarted {
-		// Stream already started, send error as SSE event then close
-		flusher, ok := c.Writer.(http.Flusher)
-		if ok {
-			// Send error event in OpenAI SSE format
-			errorEvent := fmt.Sprintf(`event: error`+"\n"+`data: {"error": {"type": "%s", "message": "%s"}}`+"\n\n", errType, message)
-			if _, err := fmt.Fprint(c.Writer, errorEvent); err != nil {
-				_ = c.Error(err)
-			}
-			flusher.Flush()
-		}
-		return
-	}
-
-	// Normal case: return JSON response with proper status code
-	h.errorResponse(c, status, errType, message)
-}
-
-// errorResponse returns OpenAI API format error response
-func (h *OpenAIGatewayHandler) errorResponse(c *gin.Context, status int, errType, message string) {
-	c.JSON(status, gin.H{
-		"error": gin.H{
-			"type":    errType,
-			"message": message,
-		},
-	})
-}
+package handler
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"time"
+
+	"github.com/Wei-Shaw/sub2api/internal/pkg/openai"
+	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// OpenAIGatewayHandler handles OpenAI API gateway requests
+type OpenAIGatewayHandler struct {
+	gatewayService      *service.OpenAIGatewayService
+	billingCacheService *service.BillingCacheService
+	concurrencyHelper   *ConcurrencyHelper
+}
+
+// NewOpenAIGatewayHandler creates a new OpenAIGatewayHandler
+func NewOpenAIGatewayHandler(
+	gatewayService *service.OpenAIGatewayService,
+	concurrencyService *service.ConcurrencyService,
+	billingCacheService *service.BillingCacheService,
+) *OpenAIGatewayHandler {
+	return &OpenAIGatewayHandler{
+		gatewayService:      gatewayService,
+		billingCacheService: billingCacheService,
+		concurrencyHelper:   NewConcurrencyHelper(concurrencyService, SSEPingFormatNone),
+	}
+}
+
+// Responses handles OpenAI Responses API endpoint
+// POST /openai/v1/responses
+func (h *OpenAIGatewayHandler) Responses(c *gin.Context) {
+	// Get apiKey and user from context (set by ApiKeyAuth middleware)
+	apiKey, ok := middleware2.GetApiKeyFromContext(c)
+	if !ok {
+		h.errorResponse(c, http.StatusUnauthorized, "authentication_error", "Invalid API key")
+		return
+	}
+
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		h.errorResponse(c, http.StatusInternalServerError, "api_error", "User context not found")
+		return
+	}
+
+	// Read request body
+	body, err := io.ReadAll(c.Request.Body)
+	if err != nil {
+		if maxErr, ok := extractMaxBytesError(err); ok {
+			h.errorResponse(c, http.StatusRequestEntityTooLarge, "invalid_request_error", buildBodyTooLargeMessage(maxErr.Limit))
+			return
+		}
+		h.errorResponse(c, http.StatusBadRequest, "invalid_request_error", "Failed to read request body")
+		return
+	}
+
+	if len(body) == 0 {
+		h.errorResponse(c, http.StatusBadRequest, "invalid_request_error", "Request body is empty")
+		return
+	}
+
+	// Parse request body to map for potential modification
+	var reqBody map[string]any
+	if err := json.Unmarshal(body, &reqBody); err != nil {
+		h.errorResponse(c, http.StatusBadRequest, "invalid_request_error", "Failed to parse request body")
+		return
+	}
+
+	// Extract model and stream
+	reqModel, _ := reqBody["model"].(string)
+	reqStream, _ := reqBody["stream"].(bool)
+
+	// 验证 model 必填
+	if reqModel == "" {
+		h.errorResponse(c, http.StatusBadRequest, "invalid_request_error", "model is required")
+		return
+	}
+
+	// For non-Codex CLI requests, set default instructions
+	userAgent := c.GetHeader("User-Agent")
+	if !openai.IsCodexCLIRequest(userAgent) {
+		reqBody["instructions"] = openai.DefaultInstructions
+		// Re-serialize body
+		body, err = json.Marshal(reqBody)
+		if err != nil {
+			h.errorResponse(c, http.StatusInternalServerError, "api_error", "Failed to process request")
+			return
+		}
+	}
+
+	// Track if we've started streaming (for error handling)
+	streamStarted := false
+
+	// Get subscription info (may be nil)
+	subscription, _ := middleware2.GetSubscriptionFromContext(c)
+
+	// 0. Check if wait queue is full
+	maxWait := service.CalculateMaxWait(subject.Concurrency)
+	canWait, err := h.concurrencyHelper.IncrementWaitCount(c.Request.Context(), subject.UserID, maxWait)
+	if err != nil {
+		log.Printf("Increment wait count failed: %v", err)
+		// On error, allow request to proceed
+	} else if !canWait {
+		h.errorResponse(c, http.StatusTooManyRequests, "rate_limit_error", "Too many pending requests, please retry later")
+		return
+	}
+	// Ensure wait count is decremented when function exits
+	defer h.concurrencyHelper.DecrementWaitCount(c.Request.Context(), subject.UserID)
+
+	// 1. First acquire user concurrency slot
+	userReleaseFunc, err := h.concurrencyHelper.AcquireUserSlotWithWait(c, subject.UserID, subject.Concurrency, reqStream, &streamStarted)
+	if err != nil {
+		log.Printf("User concurrency acquire failed: %v", err)
+		h.handleConcurrencyError(c, err, "user", streamStarted)
+		return
+	}
+	if userReleaseFunc != nil {
+		defer userReleaseFunc()
+	}
+
+	// 2. Re-check billing eligibility after wait
+	if err := h.billingCacheService.CheckBillingEligibility(c.Request.Context(), apiKey.User, apiKey, apiKey.Group, subscription); err != nil {
+		log.Printf("Billing eligibility check failed after wait: %v", err)
+		h.handleStreamingAwareError(c, http.StatusForbidden, "billing_error", err.Error(), streamStarted)
+		return
+	}
+
+	// Generate session hash (from header for OpenAI)
+	sessionHash := h.gatewayService.GenerateSessionHash(c)
+
+	const maxAccountSwitches = 3
+	switchCount := 0
+	failedAccountIDs := make(map[int64]struct{})
+	lastFailoverStatus := 0
+
+	for {
+		// Select account supporting the requested model
+		log.Printf("[OpenAI Handler] Selecting account: groupID=%v model=%s", apiKey.GroupID, reqModel)
+		selection, err := h.gatewayService.SelectAccountWithLoadAwareness(c.Request.Context(), apiKey.GroupID, sessionHash, reqModel, failedAccountIDs)
+		if err != nil {
+			log.Printf("[OpenAI Handler] SelectAccount failed: %v", err)
+			if len(failedAccountIDs) == 0 {
+				h.handleStreamingAwareError(c, http.StatusServiceUnavailable, "api_error", "No available accounts: "+err.Error(), streamStarted)
+				return
+			}
+			h.handleFailoverExhausted(c, lastFailoverStatus, streamStarted)
+			return
+		}
+		account := selection.Account
+		log.Printf("[OpenAI Handler] Selected account: id=%d name=%s", account.ID, account.Name)
+
+		// 3. Acquire account concurrency slot
+		accountReleaseFunc := selection.ReleaseFunc
+		var accountWaitRelease func()
+		if !selection.Acquired {
+			if selection.WaitPlan == nil {
+				h.handleStreamingAwareError(c, http.StatusServiceUnavailable, "api_error", "No available accounts", streamStarted)
+				return
+			}
+			canWait, err := h.concurrencyHelper.IncrementAccountWaitCount(c.Request.Context(), account.ID, selection.WaitPlan.MaxWaiting)
+			if err != nil {
+				log.Printf("Increment account wait count failed: %v", err)
+			} else if !canWait {
+				log.Printf("Account wait queue full: account=%d", account.ID)
+				h.handleStreamingAwareError(c, http.StatusTooManyRequests, "rate_limit_error", "Too many pending requests, please retry later", streamStarted)
+				return
+			} else {
+				// Only set release function if increment succeeded
+				accountWaitRelease = func() {
+					h.concurrencyHelper.DecrementAccountWaitCount(c.Request.Context(), account.ID)
+				}
+			}
+
+			accountReleaseFunc, err = h.concurrencyHelper.AcquireAccountSlotWithWaitTimeout(
+				c,
+				account.ID,
+				selection.WaitPlan.MaxConcurrency,
+				selection.WaitPlan.Timeout,
+				reqStream,
+				&streamStarted,
+			)
+			if err != nil {
+				if accountWaitRelease != nil {
+					accountWaitRelease()
+				}
+				log.Printf("Account concurrency acquire failed: %v", err)
+				h.handleConcurrencyError(c, err, "account", streamStarted)
+				return
+			}
+			if err := h.gatewayService.BindStickySession(c.Request.Context(), sessionHash, account.ID); err != nil {
+				log.Printf("Bind sticky session failed: %v", err)
+			}
+		}
+
+		// Forward request
+		result, err := h.gatewayService.Forward(c.Request.Context(), c, account, body)
+		if accountReleaseFunc != nil {
+			accountReleaseFunc()
+		}
+		if accountWaitRelease != nil {
+			accountWaitRelease()
+		}
+		if err != nil {
+			var failoverErr *service.UpstreamFailoverError
+			if errors.As(err, &failoverErr) {
+				failedAccountIDs[account.ID] = struct{}{}
+				if switchCount >= maxAccountSwitches {
+					lastFailoverStatus = failoverErr.StatusCode
+					h.handleFailoverExhausted(c, lastFailoverStatus, streamStarted)
+					return
+				}
+				lastFailoverStatus = failoverErr.StatusCode
+				switchCount++
+				log.Printf("Account %d: upstream error %d, switching account %d/%d", account.ID, failoverErr.StatusCode, switchCount, maxAccountSwitches)
+				continue
+			}
+			// Error response already handled in Forward, just log
+			log.Printf("Forward request failed: %v", err)
+			return
+		}
+
+		// Async record usage
+		go func(result *service.OpenAIForwardResult, usedAccount *service.Account) {
+			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+			defer cancel()
+			if err := h.gatewayService.RecordUsage(ctx, &service.OpenAIRecordUsageInput{
+				Result:       result,
+				ApiKey:       apiKey,
+				User:         apiKey.User,
+				Account:      usedAccount,
+				Subscription: subscription,
+			}); err != nil {
+				log.Printf("Record usage failed: %v", err)
+			}
+		}(result, account)
+		return
+	}
+}
+
+// handleConcurrencyError handles concurrency-related errors with proper 429 response
+func (h *OpenAIGatewayHandler) handleConcurrencyError(c *gin.Context, err error, slotType string, streamStarted bool) {
+	h.handleStreamingAwareError(c, http.StatusTooManyRequests, "rate_limit_error",
+		fmt.Sprintf("Concurrency limit exceeded for %s, please retry later", slotType), streamStarted)
+}
+
+func (h *OpenAIGatewayHandler) handleFailoverExhausted(c *gin.Context, statusCode int, streamStarted bool) {
+	status, errType, errMsg := h.mapUpstreamError(statusCode)
+	h.handleStreamingAwareError(c, status, errType, errMsg, streamStarted)
+}
+
+func (h *OpenAIGatewayHandler) mapUpstreamError(statusCode int) (int, string, string) {
+	switch statusCode {
+	case 401:
+		return http.StatusBadGateway, "upstream_error", "Upstream authentication failed, please contact administrator"
+	case 403:
+		return http.StatusBadGateway, "upstream_error", "Upstream access forbidden, please contact administrator"
+	case 429:
+		return http.StatusTooManyRequests, "rate_limit_error", "Upstream rate limit exceeded, please retry later"
+	case 529:
+		return http.StatusServiceUnavailable, "upstream_error", "Upstream service overloaded, please retry later"
+	case 500, 502, 503, 504:
+		return http.StatusBadGateway, "upstream_error", "Upstream service temporarily unavailable"
+	default:
+		return http.StatusBadGateway, "upstream_error", "Upstream request failed"
+	}
+}
+
+// handleStreamingAwareError handles errors that may occur after streaming has started
+func (h *OpenAIGatewayHandler) handleStreamingAwareError(c *gin.Context, status int, errType, message string, streamStarted bool) {
+	if streamStarted {
+		// Stream already started, send error as SSE event then close
+		flusher, ok := c.Writer.(http.Flusher)
+		if ok {
+			// Send error event in OpenAI SSE format
+			errorEvent := fmt.Sprintf(`event: error`+"\n"+`data: {"error": {"type": "%s", "message": "%s"}}`+"\n\n", errType, message)
+			if _, err := fmt.Fprint(c.Writer, errorEvent); err != nil {
+				_ = c.Error(err)
+			}
+			flusher.Flush()
+		}
+		return
+	}
+
+	// Normal case: return JSON response with proper status code
+	h.errorResponse(c, status, errType, message)
+}
+
+// errorResponse returns OpenAI API format error response
+func (h *OpenAIGatewayHandler) errorResponse(c *gin.Context, status int, errType, message string) {
+	c.JSON(status, gin.H{
+		"error": gin.H{
+			"type":    errType,
+			"message": message,
+		},
+	})
+}

backend/internal/handler/redeem_handler.go

@@ -1,85 +1,85 @@
-package handler
-
-import (
-	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// RedeemHandler handles redeem code-related requests
-type RedeemHandler struct {
-	redeemService *service.RedeemService
-}
-
-// NewRedeemHandler creates a new RedeemHandler
-func NewRedeemHandler(redeemService *service.RedeemService) *RedeemHandler {
-	return &RedeemHandler{
-		redeemService: redeemService,
-	}
-}
-
-// RedeemRequest represents the redeem code request payload
-type RedeemRequest struct {
-	Code string `json:"code" binding:"required"`
-}
-
-// RedeemResponse represents the redeem response
-type RedeemResponse struct {
-	Message        string   `json:"message"`
-	Type           string   `json:"type"`
-	Value          float64  `json:"value"`
-	NewBalance     *float64 `json:"new_balance,omitempty"`
-	NewConcurrency *int     `json:"new_concurrency,omitempty"`
-}
-
-// Redeem handles redeeming a code
-// POST /api/v1/redeem
-func (h *RedeemHandler) Redeem(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	var req RedeemRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	result, err := h.redeemService.Redeem(c.Request.Context(), subject.UserID, req.Code)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.RedeemCodeFromService(result))
-}
-
-// GetHistory returns the user's redemption history
-// GET /api/v1/redeem/history
-func (h *RedeemHandler) GetHistory(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	// Default limit is 25
-	limit := 25
-
-	codes, err := h.redeemService.GetUserHistory(c.Request.Context(), subject.UserID, limit)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]dto.RedeemCode, 0, len(codes))
-	for i := range codes {
-		out = append(out, *dto.RedeemCodeFromService(&codes[i]))
-	}
-	response.Success(c, out)
-}
+package handler
+
+import (
+	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// RedeemHandler handles redeem code-related requests
+type RedeemHandler struct {
+	redeemService *service.RedeemService
+}
+
+// NewRedeemHandler creates a new RedeemHandler
+func NewRedeemHandler(redeemService *service.RedeemService) *RedeemHandler {
+	return &RedeemHandler{
+		redeemService: redeemService,
+	}
+}
+
+// RedeemRequest represents the redeem code request payload
+type RedeemRequest struct {
+	Code string `json:"code" binding:"required"`
+}
+
+// RedeemResponse represents the redeem response
+type RedeemResponse struct {
+	Message        string   `json:"message"`
+	Type           string   `json:"type"`
+	Value          float64  `json:"value"`
+	NewBalance     *float64 `json:"new_balance,omitempty"`
+	NewConcurrency *int     `json:"new_concurrency,omitempty"`
+}
+
+// Redeem handles redeeming a code
+// POST /api/v1/redeem
+func (h *RedeemHandler) Redeem(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	var req RedeemRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	result, err := h.redeemService.Redeem(c.Request.Context(), subject.UserID, req.Code)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.RedeemCodeFromService(result))
+}
+
+// GetHistory returns the user's redemption history
+// GET /api/v1/redeem/history
+func (h *RedeemHandler) GetHistory(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	// Default limit is 25
+	limit := 25
+
+	codes, err := h.redeemService.GetUserHistory(c.Request.Context(), subject.UserID, limit)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]dto.RedeemCode, 0, len(codes))
+	for i := range codes {
+		out = append(out, *dto.RedeemCodeFromService(&codes[i]))
+	}
+	response.Success(c, out)
+}

backend/internal/handler/request_body_limit.go

@@ -1,27 +1,27 @@
-package handler
-
-import (
-	"errors"
-	"fmt"
-	"net/http"
-)
-
-func extractMaxBytesError(err error) (*http.MaxBytesError, bool) {
-	var maxErr *http.MaxBytesError
-	if errors.As(err, &maxErr) {
-		return maxErr, true
-	}
-	return nil, false
-}
-
-func formatBodyLimit(limit int64) string {
-	const mb = 1024 * 1024
-	if limit >= mb {
-		return fmt.Sprintf("%dMB", limit/mb)
-	}
-	return fmt.Sprintf("%dB", limit)
-}
-
-func buildBodyTooLargeMessage(limit int64) string {
-	return fmt.Sprintf("Request body too large, limit is %s", formatBodyLimit(limit))
-}
+package handler
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+)
+
+func extractMaxBytesError(err error) (*http.MaxBytesError, bool) {
+	var maxErr *http.MaxBytesError
+	if errors.As(err, &maxErr) {
+		return maxErr, true
+	}
+	return nil, false
+}
+
+func formatBodyLimit(limit int64) string {
+	const mb = 1024 * 1024
+	if limit >= mb {
+		return fmt.Sprintf("%dMB", limit/mb)
+	}
+	return fmt.Sprintf("%dB", limit)
+}
+
+func buildBodyTooLargeMessage(limit int64) string {
+	return fmt.Sprintf("Request body too large, limit is %s", formatBodyLimit(limit))
+}

backend/internal/handler/request_body_limit_test.go

@@ -1,45 +1,45 @@
-package handler
-
-import (
-	"bytes"
-	"io"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	"github.com/Wei-Shaw/sub2api/internal/server/middleware"
-	"github.com/gin-gonic/gin"
-	"github.com/stretchr/testify/require"
-)
-
-func TestRequestBodyLimitTooLarge(t *testing.T) {
-	gin.SetMode(gin.TestMode)
-
-	limit := int64(16)
-	router := gin.New()
-	router.Use(middleware.RequestBodyLimit(limit))
-	router.POST("/test", func(c *gin.Context) {
-		_, err := io.ReadAll(c.Request.Body)
-		if err != nil {
-			if maxErr, ok := extractMaxBytesError(err); ok {
-				c.JSON(http.StatusRequestEntityTooLarge, gin.H{
-					"error": buildBodyTooLargeMessage(maxErr.Limit),
-				})
-				return
-			}
-			c.JSON(http.StatusBadRequest, gin.H{
-				"error": "read_failed",
-			})
-			return
-		}
-		c.JSON(http.StatusOK, gin.H{"ok": true})
-	})
-
-	payload := bytes.Repeat([]byte("a"), int(limit+1))
-	req := httptest.NewRequest(http.MethodPost, "/test", bytes.NewReader(payload))
-	recorder := httptest.NewRecorder()
-	router.ServeHTTP(recorder, req)
-
-	require.Equal(t, http.StatusRequestEntityTooLarge, recorder.Code)
-	require.Contains(t, recorder.Body.String(), buildBodyTooLargeMessage(limit))
-}
+package handler
+
+import (
+	"bytes"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/Wei-Shaw/sub2api/internal/server/middleware"
+	"github.com/gin-gonic/gin"
+	"github.com/stretchr/testify/require"
+)
+
+func TestRequestBodyLimitTooLarge(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+
+	limit := int64(16)
+	router := gin.New()
+	router.Use(middleware.RequestBodyLimit(limit))
+	router.POST("/test", func(c *gin.Context) {
+		_, err := io.ReadAll(c.Request.Body)
+		if err != nil {
+			if maxErr, ok := extractMaxBytesError(err); ok {
+				c.JSON(http.StatusRequestEntityTooLarge, gin.H{
+					"error": buildBodyTooLargeMessage(maxErr.Limit),
+				})
+				return
+			}
+			c.JSON(http.StatusBadRequest, gin.H{
+				"error": "read_failed",
+			})
+			return
+		}
+		c.JSON(http.StatusOK, gin.H{"ok": true})
+	})
+
+	payload := bytes.Repeat([]byte("a"), int(limit+1))
+	req := httptest.NewRequest(http.MethodPost, "/test", bytes.NewReader(payload))
+	recorder := httptest.NewRecorder()
+	router.ServeHTTP(recorder, req)
+
+	require.Equal(t, http.StatusRequestEntityTooLarge, recorder.Code)
+	require.Contains(t, recorder.Body.String(), buildBodyTooLargeMessage(limit))
+}

backend/internal/handler/setting_handler.go

@@ -1,47 +1,47 @@
-package handler
-
-import (
-	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// SettingHandler 公开设置处理器（无需认证）
-type SettingHandler struct {
-	settingService *service.SettingService
-	version        string
-}
-
-// NewSettingHandler 创建公开设置处理器
-func NewSettingHandler(settingService *service.SettingService, version string) *SettingHandler {
-	return &SettingHandler{
-		settingService: settingService,
-		version:        version,
-	}
-}
-
-// GetPublicSettings 获取公开设置
-// GET /api/v1/settings/public
-func (h *SettingHandler) GetPublicSettings(c *gin.Context) {
-	settings, err := h.settingService.GetPublicSettings(c.Request.Context())
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, dto.PublicSettings{
-		RegistrationEnabled: settings.RegistrationEnabled,
-		EmailVerifyEnabled:  settings.EmailVerifyEnabled,
-		TurnstileEnabled:    settings.TurnstileEnabled,
-		TurnstileSiteKey:    settings.TurnstileSiteKey,
-		SiteName:            settings.SiteName,
-		SiteLogo:            settings.SiteLogo,
-		SiteSubtitle:        settings.SiteSubtitle,
-		ApiBaseUrl:          settings.ApiBaseUrl,
-		ContactInfo:         settings.ContactInfo,
-		DocUrl:              settings.DocUrl,
-		Version:             h.version,
-	})
-}
+package handler
+
+import (
+	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// SettingHandler 公开设置处理器（无需认证）
+type SettingHandler struct {
+	settingService *service.SettingService
+	version        string
+}
+
+// NewSettingHandler 创建公开设置处理器
+func NewSettingHandler(settingService *service.SettingService, version string) *SettingHandler {
+	return &SettingHandler{
+		settingService: settingService,
+		version:        version,
+	}
+}
+
+// GetPublicSettings 获取公开设置
+// GET /api/v1/settings/public
+func (h *SettingHandler) GetPublicSettings(c *gin.Context) {
+	settings, err := h.settingService.GetPublicSettings(c.Request.Context())
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, dto.PublicSettings{
+		RegistrationEnabled: settings.RegistrationEnabled,
+		EmailVerifyEnabled:  settings.EmailVerifyEnabled,
+		TurnstileEnabled:    settings.TurnstileEnabled,
+		TurnstileSiteKey:    settings.TurnstileSiteKey,
+		SiteName:            settings.SiteName,
+		SiteLogo:            settings.SiteLogo,
+		SiteSubtitle:        settings.SiteSubtitle,
+		ApiBaseUrl:          settings.ApiBaseUrl,
+		ContactInfo:         settings.ContactInfo,
+		DocUrl:              settings.DocUrl,
+		Version:             h.version,
+	})
+}

backend/internal/handler/subscription_handler.go

@@ -1,188 +1,188 @@
-package handler
-
-import (
-	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// SubscriptionSummaryItem represents a subscription item in summary
-type SubscriptionSummaryItem struct {
-	ID              int64   `json:"id"`
-	GroupID         int64   `json:"group_id"`
-	GroupName       string  `json:"group_name"`
-	Status          string  `json:"status"`
-	DailyUsedUSD    float64 `json:"daily_used_usd,omitempty"`
-	DailyLimitUSD   float64 `json:"daily_limit_usd,omitempty"`
-	WeeklyUsedUSD   float64 `json:"weekly_used_usd,omitempty"`
-	WeeklyLimitUSD  float64 `json:"weekly_limit_usd,omitempty"`
-	MonthlyUsedUSD  float64 `json:"monthly_used_usd,omitempty"`
-	MonthlyLimitUSD float64 `json:"monthly_limit_usd,omitempty"`
-	ExpiresAt       *string `json:"expires_at,omitempty"`
-}
-
-// SubscriptionProgressInfo represents subscription with progress info
-type SubscriptionProgressInfo struct {
-	Subscription *dto.UserSubscription         `json:"subscription"`
-	Progress     *service.SubscriptionProgress `json:"progress"`
-}
-
-// SubscriptionHandler handles user subscription operations
-type SubscriptionHandler struct {
-	subscriptionService *service.SubscriptionService
-}
-
-// NewSubscriptionHandler creates a new user subscription handler
-func NewSubscriptionHandler(subscriptionService *service.SubscriptionService) *SubscriptionHandler {
-	return &SubscriptionHandler{
-		subscriptionService: subscriptionService,
-	}
-}
-
-// List handles listing current user's subscriptions
-// GET /api/v1/subscriptions
-func (h *SubscriptionHandler) List(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not found in context")
-		return
-	}
-
-	subscriptions, err := h.subscriptionService.ListUserSubscriptions(c.Request.Context(), subject.UserID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]dto.UserSubscription, 0, len(subscriptions))
-	for i := range subscriptions {
-		out = append(out, *dto.UserSubscriptionFromService(&subscriptions[i]))
-	}
-	response.Success(c, out)
-}
-
-// GetActive handles getting current user's active subscriptions
-// GET /api/v1/subscriptions/active
-func (h *SubscriptionHandler) GetActive(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not found in context")
-		return
-	}
-
-	subscriptions, err := h.subscriptionService.ListActiveUserSubscriptions(c.Request.Context(), subject.UserID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]dto.UserSubscription, 0, len(subscriptions))
-	for i := range subscriptions {
-		out = append(out, *dto.UserSubscriptionFromService(&subscriptions[i]))
-	}
-	response.Success(c, out)
-}
-
-// GetProgress handles getting subscription progress for current user
-// GET /api/v1/subscriptions/progress
-func (h *SubscriptionHandler) GetProgress(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not found in context")
-		return
-	}
-
-	// Get all active subscriptions with progress
-	subscriptions, err := h.subscriptionService.ListActiveUserSubscriptions(c.Request.Context(), subject.UserID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	result := make([]SubscriptionProgressInfo, 0, len(subscriptions))
-	for i := range subscriptions {
-		sub := &subscriptions[i]
-		progress, err := h.subscriptionService.GetSubscriptionProgress(c.Request.Context(), sub.ID)
-		if err != nil {
-			// Skip subscriptions with errors
-			continue
-		}
-		result = append(result, SubscriptionProgressInfo{
-			Subscription: dto.UserSubscriptionFromService(sub),
-			Progress:     progress,
-		})
-	}
-
-	response.Success(c, result)
-}
-
-// GetSummary handles getting a summary of current user's subscription status
-// GET /api/v1/subscriptions/summary
-func (h *SubscriptionHandler) GetSummary(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not found in context")
-		return
-	}
-
-	// Get all active subscriptions
-	subscriptions, err := h.subscriptionService.ListActiveUserSubscriptions(c.Request.Context(), subject.UserID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	var totalUsed float64
-	items := make([]SubscriptionSummaryItem, 0, len(subscriptions))
-
-	for _, sub := range subscriptions {
-		item := SubscriptionSummaryItem{
-			ID:             sub.ID,
-			GroupID:        sub.GroupID,
-			Status:         sub.Status,
-			DailyUsedUSD:   sub.DailyUsageUSD,
-			WeeklyUsedUSD:  sub.WeeklyUsageUSD,
-			MonthlyUsedUSD: sub.MonthlyUsageUSD,
-		}
-
-		// Add group info if preloaded
-		if sub.Group != nil {
-			item.GroupName = sub.Group.Name
-			if sub.Group.DailyLimitUSD != nil {
-				item.DailyLimitUSD = *sub.Group.DailyLimitUSD
-			}
-			if sub.Group.WeeklyLimitUSD != nil {
-				item.WeeklyLimitUSD = *sub.Group.WeeklyLimitUSD
-			}
-			if sub.Group.MonthlyLimitUSD != nil {
-				item.MonthlyLimitUSD = *sub.Group.MonthlyLimitUSD
-			}
-		}
-
-		// Format expiration time
-		if !sub.ExpiresAt.IsZero() {
-			formatted := sub.ExpiresAt.Format("2006-01-02T15:04:05Z07:00")
-			item.ExpiresAt = &formatted
-		}
-
-		// Track total usage (use monthly as the most comprehensive)
-		totalUsed += sub.MonthlyUsageUSD
-
-		items = append(items, item)
-	}
-
-	summary := struct {
-		ActiveCount   int                       `json:"active_count"`
-		TotalUsedUSD  float64                   `json:"total_used_usd"`
-		Subscriptions []SubscriptionSummaryItem `json:"subscriptions"`
-	}{
-		ActiveCount:   len(subscriptions),
-		TotalUsedUSD:  totalUsed,
-		Subscriptions: items,
-	}
-
-	response.Success(c, summary)
-}
+package handler
+
+import (
+	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// SubscriptionSummaryItem represents a subscription item in summary
+type SubscriptionSummaryItem struct {
+	ID              int64   `json:"id"`
+	GroupID         int64   `json:"group_id"`
+	GroupName       string  `json:"group_name"`
+	Status          string  `json:"status"`
+	DailyUsedUSD    float64 `json:"daily_used_usd,omitempty"`
+	DailyLimitUSD   float64 `json:"daily_limit_usd,omitempty"`
+	WeeklyUsedUSD   float64 `json:"weekly_used_usd,omitempty"`
+	WeeklyLimitUSD  float64 `json:"weekly_limit_usd,omitempty"`
+	MonthlyUsedUSD  float64 `json:"monthly_used_usd,omitempty"`
+	MonthlyLimitUSD float64 `json:"monthly_limit_usd,omitempty"`
+	ExpiresAt       *string `json:"expires_at,omitempty"`
+}
+
+// SubscriptionProgressInfo represents subscription with progress info
+type SubscriptionProgressInfo struct {
+	Subscription *dto.UserSubscription         `json:"subscription"`
+	Progress     *service.SubscriptionProgress `json:"progress"`
+}
+
+// SubscriptionHandler handles user subscription operations
+type SubscriptionHandler struct {
+	subscriptionService *service.SubscriptionService
+}
+
+// NewSubscriptionHandler creates a new user subscription handler
+func NewSubscriptionHandler(subscriptionService *service.SubscriptionService) *SubscriptionHandler {
+	return &SubscriptionHandler{
+		subscriptionService: subscriptionService,
+	}
+}
+
+// List handles listing current user's subscriptions
+// GET /api/v1/subscriptions
+func (h *SubscriptionHandler) List(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not found in context")
+		return
+	}
+
+	subscriptions, err := h.subscriptionService.ListUserSubscriptions(c.Request.Context(), subject.UserID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]dto.UserSubscription, 0, len(subscriptions))
+	for i := range subscriptions {
+		out = append(out, *dto.UserSubscriptionFromService(&subscriptions[i]))
+	}
+	response.Success(c, out)
+}
+
+// GetActive handles getting current user's active subscriptions
+// GET /api/v1/subscriptions/active
+func (h *SubscriptionHandler) GetActive(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not found in context")
+		return
+	}
+
+	subscriptions, err := h.subscriptionService.ListActiveUserSubscriptions(c.Request.Context(), subject.UserID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]dto.UserSubscription, 0, len(subscriptions))
+	for i := range subscriptions {
+		out = append(out, *dto.UserSubscriptionFromService(&subscriptions[i]))
+	}
+	response.Success(c, out)
+}
+
+// GetProgress handles getting subscription progress for current user
+// GET /api/v1/subscriptions/progress
+func (h *SubscriptionHandler) GetProgress(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not found in context")
+		return
+	}
+
+	// Get all active subscriptions with progress
+	subscriptions, err := h.subscriptionService.ListActiveUserSubscriptions(c.Request.Context(), subject.UserID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	result := make([]SubscriptionProgressInfo, 0, len(subscriptions))
+	for i := range subscriptions {
+		sub := &subscriptions[i]
+		progress, err := h.subscriptionService.GetSubscriptionProgress(c.Request.Context(), sub.ID)
+		if err != nil {
+			// Skip subscriptions with errors
+			continue
+		}
+		result = append(result, SubscriptionProgressInfo{
+			Subscription: dto.UserSubscriptionFromService(sub),
+			Progress:     progress,
+		})
+	}
+
+	response.Success(c, result)
+}
+
+// GetSummary handles getting a summary of current user's subscription status
+// GET /api/v1/subscriptions/summary
+func (h *SubscriptionHandler) GetSummary(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not found in context")
+		return
+	}
+
+	// Get all active subscriptions
+	subscriptions, err := h.subscriptionService.ListActiveUserSubscriptions(c.Request.Context(), subject.UserID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	var totalUsed float64
+	items := make([]SubscriptionSummaryItem, 0, len(subscriptions))
+
+	for _, sub := range subscriptions {
+		item := SubscriptionSummaryItem{
+			ID:             sub.ID,
+			GroupID:        sub.GroupID,
+			Status:         sub.Status,
+			DailyUsedUSD:   sub.DailyUsageUSD,
+			WeeklyUsedUSD:  sub.WeeklyUsageUSD,
+			MonthlyUsedUSD: sub.MonthlyUsageUSD,
+		}
+
+		// Add group info if preloaded
+		if sub.Group != nil {
+			item.GroupName = sub.Group.Name
+			if sub.Group.DailyLimitUSD != nil {
+				item.DailyLimitUSD = *sub.Group.DailyLimitUSD
+			}
+			if sub.Group.WeeklyLimitUSD != nil {
+				item.WeeklyLimitUSD = *sub.Group.WeeklyLimitUSD
+			}
+			if sub.Group.MonthlyLimitUSD != nil {
+				item.MonthlyLimitUSD = *sub.Group.MonthlyLimitUSD
+			}
+		}
+
+		// Format expiration time
+		if !sub.ExpiresAt.IsZero() {
+			formatted := sub.ExpiresAt.Format("2006-01-02T15:04:05Z07:00")
+			item.ExpiresAt = &formatted
+		}
+
+		// Track total usage (use monthly as the most comprehensive)
+		totalUsed += sub.MonthlyUsageUSD
+
+		items = append(items, item)
+	}
+
+	summary := struct {
+		ActiveCount   int                       `json:"active_count"`
+		TotalUsedUSD  float64                   `json:"total_used_usd"`
+		Subscriptions []SubscriptionSummaryItem `json:"subscriptions"`
+	}{
+		ActiveCount:   len(subscriptions),
+		TotalUsedUSD:  totalUsed,
+		Subscriptions: items,
+	}
+
+	response.Success(c, summary)
+}

backend/internal/handler/usage_handler.go

@@ -1,398 +1,398 @@
-package handler
-
-import (
-	"strconv"
-	"time"
-
-	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/pagination"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/timezone"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/usagestats"
-	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// UsageHandler handles usage-related requests
-type UsageHandler struct {
-	usageService  *service.UsageService
-	apiKeyService *service.ApiKeyService
-}
-
-// NewUsageHandler creates a new UsageHandler
-func NewUsageHandler(usageService *service.UsageService, apiKeyService *service.ApiKeyService) *UsageHandler {
-	return &UsageHandler{
-		usageService:  usageService,
-		apiKeyService: apiKeyService,
-	}
-}
-
-// List handles listing usage records with pagination
-// GET /api/v1/usage
-func (h *UsageHandler) List(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	page, pageSize := response.ParsePagination(c)
-
-	var apiKeyID int64
-	if apiKeyIDStr := c.Query("api_key_id"); apiKeyIDStr != "" {
-		id, err := strconv.ParseInt(apiKeyIDStr, 10, 64)
-		if err != nil {
-			response.BadRequest(c, "Invalid api_key_id")
-			return
-		}
-
-		// [Security Fix] Verify API Key ownership to prevent horizontal privilege escalation
-		apiKey, err := h.apiKeyService.GetByID(c.Request.Context(), id)
-		if err != nil {
-			response.ErrorFrom(c, err)
-			return
-		}
-		if apiKey.UserID != subject.UserID {
-			response.Forbidden(c, "Not authorized to access this API key's usage records")
-			return
-		}
-
-		apiKeyID = id
-	}
-
-	// Parse additional filters
-	model := c.Query("model")
-
-	var stream *bool
-	if streamStr := c.Query("stream"); streamStr != "" {
-		val, err := strconv.ParseBool(streamStr)
-		if err != nil {
-			response.BadRequest(c, "Invalid stream value, use true or false")
-			return
-		}
-		stream = &val
-	}
-
-	var billingType *int8
-	if billingTypeStr := c.Query("billing_type"); billingTypeStr != "" {
-		val, err := strconv.ParseInt(billingTypeStr, 10, 8)
-		if err != nil {
-			response.BadRequest(c, "Invalid billing_type")
-			return
-		}
-		bt := int8(val)
-		billingType = &bt
-	}
-
-	// Parse date range
-	var startTime, endTime *time.Time
-	if startDateStr := c.Query("start_date"); startDateStr != "" {
-		t, err := timezone.ParseInLocation("2006-01-02", startDateStr)
-		if err != nil {
-			response.BadRequest(c, "Invalid start_date format, use YYYY-MM-DD")
-			return
-		}
-		startTime = &t
-	}
-
-	if endDateStr := c.Query("end_date"); endDateStr != "" {
-		t, err := timezone.ParseInLocation("2006-01-02", endDateStr)
-		if err != nil {
-			response.BadRequest(c, "Invalid end_date format, use YYYY-MM-DD")
-			return
-		}
-		// Set end time to end of day
-		t = t.Add(24*time.Hour - time.Nanosecond)
-		endTime = &t
-	}
-
-	params := pagination.PaginationParams{Page: page, PageSize: pageSize}
-	filters := usagestats.UsageLogFilters{
-		UserID:      subject.UserID, // Always filter by current user for security
-		ApiKeyID:    apiKeyID,
-		Model:       model,
-		Stream:      stream,
-		BillingType: billingType,
-		StartTime:   startTime,
-		EndTime:     endTime,
-	}
-
-	records, result, err := h.usageService.ListWithFilters(c.Request.Context(), params, filters)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	out := make([]dto.UsageLog, 0, len(records))
-	for i := range records {
-		out = append(out, *dto.UsageLogFromService(&records[i]))
-	}
-	response.Paginated(c, out, result.Total, page, pageSize)
-}
-
-// GetByID handles getting a single usage record
-// GET /api/v1/usage/:id
-func (h *UsageHandler) GetByID(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	usageID, err := strconv.ParseInt(c.Param("id"), 10, 64)
-	if err != nil {
-		response.BadRequest(c, "Invalid usage ID")
-		return
-	}
-
-	record, err := h.usageService.GetByID(c.Request.Context(), usageID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	// 验证所有权
-	if record.UserID != subject.UserID {
-		response.Forbidden(c, "Not authorized to access this record")
-		return
-	}
-
-	response.Success(c, dto.UsageLogFromService(record))
-}
-
-// Stats handles getting usage statistics
-// GET /api/v1/usage/stats
-func (h *UsageHandler) Stats(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	var apiKeyID int64
-	if apiKeyIDStr := c.Query("api_key_id"); apiKeyIDStr != "" {
-		id, err := strconv.ParseInt(apiKeyIDStr, 10, 64)
-		if err != nil {
-			response.BadRequest(c, "Invalid api_key_id")
-			return
-		}
-
-		// [Security Fix] Verify API Key ownership to prevent horizontal privilege escalation
-		apiKey, err := h.apiKeyService.GetByID(c.Request.Context(), id)
-		if err != nil {
-			response.NotFound(c, "API key not found")
-			return
-		}
-		if apiKey.UserID != subject.UserID {
-			response.Forbidden(c, "Not authorized to access this API key's statistics")
-			return
-		}
-
-		apiKeyID = id
-	}
-
-	// 获取时间范围参数
-	now := timezone.Now()
-	var startTime, endTime time.Time
-
-	// 优先使用 start_date 和 end_date 参数
-	startDateStr := c.Query("start_date")
-	endDateStr := c.Query("end_date")
-
-	if startDateStr != "" && endDateStr != "" {
-		// 使用自定义日期范围
-		var err error
-		startTime, err = timezone.ParseInLocation("2006-01-02", startDateStr)
-		if err != nil {
-			response.BadRequest(c, "Invalid start_date format, use YYYY-MM-DD")
-			return
-		}
-		endTime, err = timezone.ParseInLocation("2006-01-02", endDateStr)
-		if err != nil {
-			response.BadRequest(c, "Invalid end_date format, use YYYY-MM-DD")
-			return
-		}
-		// 设置结束时间为当天结束
-		endTime = endTime.Add(24*time.Hour - time.Nanosecond)
-	} else {
-		// 使用 period 参数
-		period := c.DefaultQuery("period", "today")
-		switch period {
-		case "today":
-			startTime = timezone.StartOfDay(now)
-		case "week":
-			startTime = now.AddDate(0, 0, -7)
-		case "month":
-			startTime = now.AddDate(0, -1, 0)
-		default:
-			startTime = timezone.StartOfDay(now)
-		}
-		endTime = now
-	}
-
-	var stats *service.UsageStats
-	var err error
-	if apiKeyID > 0 {
-		stats, err = h.usageService.GetStatsByApiKey(c.Request.Context(), apiKeyID, startTime, endTime)
-	} else {
-		stats, err = h.usageService.GetStatsByUser(c.Request.Context(), subject.UserID, startTime, endTime)
-	}
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, stats)
-}
-
-// parseUserTimeRange parses start_date, end_date query parameters for user dashboard
-func parseUserTimeRange(c *gin.Context) (time.Time, time.Time) {
-	now := timezone.Now()
-	startDate := c.Query("start_date")
-	endDate := c.Query("end_date")
-
-	var startTime, endTime time.Time
-
-	if startDate != "" {
-		if t, err := timezone.ParseInLocation("2006-01-02", startDate); err == nil {
-			startTime = t
-		} else {
-			startTime = timezone.StartOfDay(now.AddDate(0, 0, -7))
-		}
-	} else {
-		startTime = timezone.StartOfDay(now.AddDate(0, 0, -7))
-	}
-
-	if endDate != "" {
-		if t, err := timezone.ParseInLocation("2006-01-02", endDate); err == nil {
-			endTime = t.Add(24 * time.Hour) // Include the end date
-		} else {
-			endTime = timezone.StartOfDay(now.AddDate(0, 0, 1))
-		}
-	} else {
-		endTime = timezone.StartOfDay(now.AddDate(0, 0, 1))
-	}
-
-	return startTime, endTime
-}
-
-// DashboardStats handles getting user dashboard statistics
-// GET /api/v1/usage/dashboard/stats
-func (h *UsageHandler) DashboardStats(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	stats, err := h.usageService.GetUserDashboardStats(c.Request.Context(), subject.UserID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, stats)
-}
-
-// DashboardTrend handles getting user usage trend data
-// GET /api/v1/usage/dashboard/trend
-func (h *UsageHandler) DashboardTrend(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	startTime, endTime := parseUserTimeRange(c)
-	granularity := c.DefaultQuery("granularity", "day")
-
-	trend, err := h.usageService.GetUserUsageTrendByUserID(c.Request.Context(), subject.UserID, startTime, endTime, granularity)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{
-		"trend":       trend,
-		"start_date":  startTime.Format("2006-01-02"),
-		"end_date":    endTime.Add(-24 * time.Hour).Format("2006-01-02"),
-		"granularity": granularity,
-	})
-}
-
-// DashboardModels handles getting user model usage statistics
-// GET /api/v1/usage/dashboard/models
-func (h *UsageHandler) DashboardModels(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	startTime, endTime := parseUserTimeRange(c)
-
-	stats, err := h.usageService.GetUserModelStats(c.Request.Context(), subject.UserID, startTime, endTime)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{
-		"models":     stats,
-		"start_date": startTime.Format("2006-01-02"),
-		"end_date":   endTime.Add(-24 * time.Hour).Format("2006-01-02"),
-	})
-}
-
-// BatchApiKeysUsageRequest represents the request for batch API keys usage
-type BatchApiKeysUsageRequest struct {
-	ApiKeyIDs []int64 `json:"api_key_ids" binding:"required"`
-}
-
-// DashboardApiKeysUsage handles getting usage stats for user's own API keys
-// POST /api/v1/usage/dashboard/api-keys-usage
-func (h *UsageHandler) DashboardApiKeysUsage(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	var req BatchApiKeysUsageRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	if len(req.ApiKeyIDs) == 0 {
-		response.Success(c, gin.H{"stats": map[string]any{}})
-		return
-	}
-
-	// Limit the number of API key IDs to prevent SQL parameter overflow
-	if len(req.ApiKeyIDs) > 100 {
-		response.BadRequest(c, "Too many API key IDs (maximum 100 allowed)")
-		return
-	}
-
-	validApiKeyIDs, err := h.apiKeyService.VerifyOwnership(c.Request.Context(), subject.UserID, req.ApiKeyIDs)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	if len(validApiKeyIDs) == 0 {
-		response.Success(c, gin.H{"stats": map[string]any{}})
-		return
-	}
-
-	stats, err := h.usageService.GetBatchApiKeyUsageStats(c.Request.Context(), validApiKeyIDs)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{"stats": stats})
-}
+package handler
+
+import (
+	"strconv"
+	"time"
+
+	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/pagination"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/timezone"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/usagestats"
+	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// UsageHandler handles usage-related requests
+type UsageHandler struct {
+	usageService  *service.UsageService
+	apiKeyService *service.ApiKeyService
+}
+
+// NewUsageHandler creates a new UsageHandler
+func NewUsageHandler(usageService *service.UsageService, apiKeyService *service.ApiKeyService) *UsageHandler {
+	return &UsageHandler{
+		usageService:  usageService,
+		apiKeyService: apiKeyService,
+	}
+}
+
+// List handles listing usage records with pagination
+// GET /api/v1/usage
+func (h *UsageHandler) List(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	page, pageSize := response.ParsePagination(c)
+
+	var apiKeyID int64
+	if apiKeyIDStr := c.Query("api_key_id"); apiKeyIDStr != "" {
+		id, err := strconv.ParseInt(apiKeyIDStr, 10, 64)
+		if err != nil {
+			response.BadRequest(c, "Invalid api_key_id")
+			return
+		}
+
+		// [Security Fix] Verify API Key ownership to prevent horizontal privilege escalation
+		apiKey, err := h.apiKeyService.GetByID(c.Request.Context(), id)
+		if err != nil {
+			response.ErrorFrom(c, err)
+			return
+		}
+		if apiKey.UserID != subject.UserID {
+			response.Forbidden(c, "Not authorized to access this API key's usage records")
+			return
+		}
+
+		apiKeyID = id
+	}
+
+	// Parse additional filters
+	model := c.Query("model")
+
+	var stream *bool
+	if streamStr := c.Query("stream"); streamStr != "" {
+		val, err := strconv.ParseBool(streamStr)
+		if err != nil {
+			response.BadRequest(c, "Invalid stream value, use true or false")
+			return
+		}
+		stream = &val
+	}
+
+	var billingType *int8
+	if billingTypeStr := c.Query("billing_type"); billingTypeStr != "" {
+		val, err := strconv.ParseInt(billingTypeStr, 10, 8)
+		if err != nil {
+			response.BadRequest(c, "Invalid billing_type")
+			return
+		}
+		bt := int8(val)
+		billingType = &bt
+	}
+
+	// Parse date range
+	var startTime, endTime *time.Time
+	if startDateStr := c.Query("start_date"); startDateStr != "" {
+		t, err := timezone.ParseInLocation("2006-01-02", startDateStr)
+		if err != nil {
+			response.BadRequest(c, "Invalid start_date format, use YYYY-MM-DD")
+			return
+		}
+		startTime = &t
+	}
+
+	if endDateStr := c.Query("end_date"); endDateStr != "" {
+		t, err := timezone.ParseInLocation("2006-01-02", endDateStr)
+		if err != nil {
+			response.BadRequest(c, "Invalid end_date format, use YYYY-MM-DD")
+			return
+		}
+		// Set end time to end of day
+		t = t.Add(24*time.Hour - time.Nanosecond)
+		endTime = &t
+	}
+
+	params := pagination.PaginationParams{Page: page, PageSize: pageSize}
+	filters := usagestats.UsageLogFilters{
+		UserID:      subject.UserID, // Always filter by current user for security
+		ApiKeyID:    apiKeyID,
+		Model:       model,
+		Stream:      stream,
+		BillingType: billingType,
+		StartTime:   startTime,
+		EndTime:     endTime,
+	}
+
+	records, result, err := h.usageService.ListWithFilters(c.Request.Context(), params, filters)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	out := make([]dto.UsageLog, 0, len(records))
+	for i := range records {
+		out = append(out, *dto.UsageLogFromService(&records[i]))
+	}
+	response.Paginated(c, out, result.Total, page, pageSize)
+}
+
+// GetByID handles getting a single usage record
+// GET /api/v1/usage/:id
+func (h *UsageHandler) GetByID(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	usageID, err := strconv.ParseInt(c.Param("id"), 10, 64)
+	if err != nil {
+		response.BadRequest(c, "Invalid usage ID")
+		return
+	}
+
+	record, err := h.usageService.GetByID(c.Request.Context(), usageID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	// 验证所有权
+	if record.UserID != subject.UserID {
+		response.Forbidden(c, "Not authorized to access this record")
+		return
+	}
+
+	response.Success(c, dto.UsageLogFromService(record))
+}
+
+// Stats handles getting usage statistics
+// GET /api/v1/usage/stats
+func (h *UsageHandler) Stats(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	var apiKeyID int64
+	if apiKeyIDStr := c.Query("api_key_id"); apiKeyIDStr != "" {
+		id, err := strconv.ParseInt(apiKeyIDStr, 10, 64)
+		if err != nil {
+			response.BadRequest(c, "Invalid api_key_id")
+			return
+		}
+
+		// [Security Fix] Verify API Key ownership to prevent horizontal privilege escalation
+		apiKey, err := h.apiKeyService.GetByID(c.Request.Context(), id)
+		if err != nil {
+			response.NotFound(c, "API key not found")
+			return
+		}
+		if apiKey.UserID != subject.UserID {
+			response.Forbidden(c, "Not authorized to access this API key's statistics")
+			return
+		}
+
+		apiKeyID = id
+	}
+
+	// 获取时间范围参数
+	now := timezone.Now()
+	var startTime, endTime time.Time
+
+	// 优先使用 start_date 和 end_date 参数
+	startDateStr := c.Query("start_date")
+	endDateStr := c.Query("end_date")
+
+	if startDateStr != "" && endDateStr != "" {
+		// 使用自定义日期范围
+		var err error
+		startTime, err = timezone.ParseInLocation("2006-01-02", startDateStr)
+		if err != nil {
+			response.BadRequest(c, "Invalid start_date format, use YYYY-MM-DD")
+			return
+		}
+		endTime, err = timezone.ParseInLocation("2006-01-02", endDateStr)
+		if err != nil {
+			response.BadRequest(c, "Invalid end_date format, use YYYY-MM-DD")
+			return
+		}
+		// 设置结束时间为当天结束
+		endTime = endTime.Add(24*time.Hour - time.Nanosecond)
+	} else {
+		// 使用 period 参数
+		period := c.DefaultQuery("period", "today")
+		switch period {
+		case "today":
+			startTime = timezone.StartOfDay(now)
+		case "week":
+			startTime = now.AddDate(0, 0, -7)
+		case "month":
+			startTime = now.AddDate(0, -1, 0)
+		default:
+			startTime = timezone.StartOfDay(now)
+		}
+		endTime = now
+	}
+
+	var stats *service.UsageStats
+	var err error
+	if apiKeyID > 0 {
+		stats, err = h.usageService.GetStatsByApiKey(c.Request.Context(), apiKeyID, startTime, endTime)
+	} else {
+		stats, err = h.usageService.GetStatsByUser(c.Request.Context(), subject.UserID, startTime, endTime)
+	}
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, stats)
+}
+
+// parseUserTimeRange parses start_date, end_date query parameters for user dashboard
+func parseUserTimeRange(c *gin.Context) (time.Time, time.Time) {
+	now := timezone.Now()
+	startDate := c.Query("start_date")
+	endDate := c.Query("end_date")
+
+	var startTime, endTime time.Time
+
+	if startDate != "" {
+		if t, err := timezone.ParseInLocation("2006-01-02", startDate); err == nil {
+			startTime = t
+		} else {
+			startTime = timezone.StartOfDay(now.AddDate(0, 0, -7))
+		}
+	} else {
+		startTime = timezone.StartOfDay(now.AddDate(0, 0, -7))
+	}
+
+	if endDate != "" {
+		if t, err := timezone.ParseInLocation("2006-01-02", endDate); err == nil {
+			endTime = t.Add(24 * time.Hour) // Include the end date
+		} else {
+			endTime = timezone.StartOfDay(now.AddDate(0, 0, 1))
+		}
+	} else {
+		endTime = timezone.StartOfDay(now.AddDate(0, 0, 1))
+	}
+
+	return startTime, endTime
+}
+
+// DashboardStats handles getting user dashboard statistics
+// GET /api/v1/usage/dashboard/stats
+func (h *UsageHandler) DashboardStats(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	stats, err := h.usageService.GetUserDashboardStats(c.Request.Context(), subject.UserID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, stats)
+}
+
+// DashboardTrend handles getting user usage trend data
+// GET /api/v1/usage/dashboard/trend
+func (h *UsageHandler) DashboardTrend(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	startTime, endTime := parseUserTimeRange(c)
+	granularity := c.DefaultQuery("granularity", "day")
+
+	trend, err := h.usageService.GetUserUsageTrendByUserID(c.Request.Context(), subject.UserID, startTime, endTime, granularity)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{
+		"trend":       trend,
+		"start_date":  startTime.Format("2006-01-02"),
+		"end_date":    endTime.Add(-24 * time.Hour).Format("2006-01-02"),
+		"granularity": granularity,
+	})
+}
+
+// DashboardModels handles getting user model usage statistics
+// GET /api/v1/usage/dashboard/models
+func (h *UsageHandler) DashboardModels(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	startTime, endTime := parseUserTimeRange(c)
+
+	stats, err := h.usageService.GetUserModelStats(c.Request.Context(), subject.UserID, startTime, endTime)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{
+		"models":     stats,
+		"start_date": startTime.Format("2006-01-02"),
+		"end_date":   endTime.Add(-24 * time.Hour).Format("2006-01-02"),
+	})
+}
+
+// BatchApiKeysUsageRequest represents the request for batch API keys usage
+type BatchApiKeysUsageRequest struct {
+	ApiKeyIDs []int64 `json:"api_key_ids" binding:"required"`
+}
+
+// DashboardApiKeysUsage handles getting usage stats for user's own API keys
+// POST /api/v1/usage/dashboard/api-keys-usage
+func (h *UsageHandler) DashboardApiKeysUsage(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	var req BatchApiKeysUsageRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	if len(req.ApiKeyIDs) == 0 {
+		response.Success(c, gin.H{"stats": map[string]any{}})
+		return
+	}
+
+	// Limit the number of API key IDs to prevent SQL parameter overflow
+	if len(req.ApiKeyIDs) > 100 {
+		response.BadRequest(c, "Too many API key IDs (maximum 100 allowed)")
+		return
+	}
+
+	validApiKeyIDs, err := h.apiKeyService.VerifyOwnership(c.Request.Context(), subject.UserID, req.ApiKeyIDs)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	if len(validApiKeyIDs) == 0 {
+		response.Success(c, gin.H{"stats": map[string]any{}})
+		return
+	}
+
+	stats, err := h.usageService.GetBatchApiKeyUsageStats(c.Request.Context(), validApiKeyIDs)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{"stats": stats})
+}

backend/internal/handler/user_handler.go

@@ -1,112 +1,112 @@
-package handler
-
-import (
-	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
-	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
-	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/gin-gonic/gin"
-)
-
-// UserHandler handles user-related requests
-type UserHandler struct {
-	userService *service.UserService
-}
-
-// NewUserHandler creates a new UserHandler
-func NewUserHandler(userService *service.UserService) *UserHandler {
-	return &UserHandler{
-		userService: userService,
-	}
-}
-
-// ChangePasswordRequest represents the change password request payload
-type ChangePasswordRequest struct {
-	OldPassword string `json:"old_password" binding:"required"`
-	NewPassword string `json:"new_password" binding:"required,min=6"`
-}
-
-// UpdateProfileRequest represents the update profile request payload
-type UpdateProfileRequest struct {
-	Username *string `json:"username"`
-}
-
-// GetProfile handles getting user profile
-// GET /api/v1/users/me
-func (h *UserHandler) GetProfile(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	userData, err := h.userService.GetByID(c.Request.Context(), subject.UserID)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	// 清空notes字段，普通用户不应看到备注
-	userData.Notes = ""
-
-	response.Success(c, dto.UserFromService(userData))
-}
-
-// ChangePassword handles changing user password
-// POST /api/v1/users/me/password
-func (h *UserHandler) ChangePassword(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	var req ChangePasswordRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	svcReq := service.ChangePasswordRequest{
-		CurrentPassword: req.OldPassword,
-		NewPassword:     req.NewPassword,
-	}
-	err := h.userService.ChangePassword(c.Request.Context(), subject.UserID, svcReq)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	response.Success(c, gin.H{"message": "Password changed successfully"})
-}
-
-// UpdateProfile handles updating user profile
-// PUT /api/v1/users/me
-func (h *UserHandler) UpdateProfile(c *gin.Context) {
-	subject, ok := middleware2.GetAuthSubjectFromContext(c)
-	if !ok {
-		response.Unauthorized(c, "User not authenticated")
-		return
-	}
-
-	var req UpdateProfileRequest
-	if err := c.ShouldBindJSON(&req); err != nil {
-		response.BadRequest(c, "Invalid request: "+err.Error())
-		return
-	}
-
-	svcReq := service.UpdateProfileRequest{
-		Username: req.Username,
-	}
-	updatedUser, err := h.userService.UpdateProfile(c.Request.Context(), subject.UserID, svcReq)
-	if err != nil {
-		response.ErrorFrom(c, err)
-		return
-	}
-
-	// 清空notes字段，普通用户不应看到备注
-	updatedUser.Notes = ""
-
-	response.Success(c, dto.UserFromService(updatedUser))
-}
+package handler
+
+import (
+	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
+	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
+	middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/gin-gonic/gin"
+)
+
+// UserHandler handles user-related requests
+type UserHandler struct {
+	userService *service.UserService
+}
+
+// NewUserHandler creates a new UserHandler
+func NewUserHandler(userService *service.UserService) *UserHandler {
+	return &UserHandler{
+		userService: userService,
+	}
+}
+
+// ChangePasswordRequest represents the change password request payload
+type ChangePasswordRequest struct {
+	OldPassword string `json:"old_password" binding:"required"`
+	NewPassword string `json:"new_password" binding:"required,min=6"`
+}
+
+// UpdateProfileRequest represents the update profile request payload
+type UpdateProfileRequest struct {
+	Username *string `json:"username"`
+}
+
+// GetProfile handles getting user profile
+// GET /api/v1/users/me
+func (h *UserHandler) GetProfile(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	userData, err := h.userService.GetByID(c.Request.Context(), subject.UserID)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	// 清空notes字段，普通用户不应看到备注
+	userData.Notes = ""
+
+	response.Success(c, dto.UserFromService(userData))
+}
+
+// ChangePassword handles changing user password
+// POST /api/v1/users/me/password
+func (h *UserHandler) ChangePassword(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	var req ChangePasswordRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	svcReq := service.ChangePasswordRequest{
+		CurrentPassword: req.OldPassword,
+		NewPassword:     req.NewPassword,
+	}
+	err := h.userService.ChangePassword(c.Request.Context(), subject.UserID, svcReq)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	response.Success(c, gin.H{"message": "Password changed successfully"})
+}
+
+// UpdateProfile handles updating user profile
+// PUT /api/v1/users/me
+func (h *UserHandler) UpdateProfile(c *gin.Context) {
+	subject, ok := middleware2.GetAuthSubjectFromContext(c)
+	if !ok {
+		response.Unauthorized(c, "User not authenticated")
+		return
+	}
+
+	var req UpdateProfileRequest
+	if err := c.ShouldBindJSON(&req); err != nil {
+		response.BadRequest(c, "Invalid request: "+err.Error())
+		return
+	}
+
+	svcReq := service.UpdateProfileRequest{
+		Username: req.Username,
+	}
+	updatedUser, err := h.userService.UpdateProfile(c.Request.Context(), subject.UserID, svcReq)
+	if err != nil {
+		response.ErrorFrom(c, err)
+		return
+	}
+
+	// 清空notes字段，普通用户不应看到备注
+	updatedUser.Notes = ""
+
+	response.Success(c, dto.UserFromService(updatedUser))
+}

backend/internal/handler/wire.go

@@ -1,117 +1,117 @@
-package handler
-
-import (
-	"github.com/Wei-Shaw/sub2api/internal/handler/admin"
-	"github.com/Wei-Shaw/sub2api/internal/service"
-
-	"github.com/google/wire"
-)
-
-// ProvideAdminHandlers creates the AdminHandlers struct
-func ProvideAdminHandlers(
-	dashboardHandler *admin.DashboardHandler,
-	userHandler *admin.UserHandler,
-	groupHandler *admin.GroupHandler,
-	accountHandler *admin.AccountHandler,
-	oauthHandler *admin.OAuthHandler,
-	openaiOAuthHandler *admin.OpenAIOAuthHandler,
-	geminiOAuthHandler *admin.GeminiOAuthHandler,
-	antigravityOAuthHandler *admin.AntigravityOAuthHandler,
-	proxyHandler *admin.ProxyHandler,
-	redeemHandler *admin.RedeemHandler,
-	settingHandler *admin.SettingHandler,
-	systemHandler *admin.SystemHandler,
-	subscriptionHandler *admin.SubscriptionHandler,
-	usageHandler *admin.UsageHandler,
-	userAttributeHandler *admin.UserAttributeHandler,
-) *AdminHandlers {
-	return &AdminHandlers{
-		Dashboard:        dashboardHandler,
-		User:             userHandler,
-		Group:            groupHandler,
-		Account:          accountHandler,
-		OAuth:            oauthHandler,
-		OpenAIOAuth:      openaiOAuthHandler,
-		GeminiOAuth:      geminiOAuthHandler,
-		AntigravityOAuth: antigravityOAuthHandler,
-		Proxy:            proxyHandler,
-		Redeem:           redeemHandler,
-		Setting:          settingHandler,
-		System:           systemHandler,
-		Subscription:     subscriptionHandler,
-		Usage:            usageHandler,
-		UserAttribute:    userAttributeHandler,
-	}
-}
-
-// ProvideSystemHandler creates admin.SystemHandler with UpdateService
-func ProvideSystemHandler(updateService *service.UpdateService) *admin.SystemHandler {
-	return admin.NewSystemHandler(updateService)
-}
-
-// ProvideSettingHandler creates SettingHandler with version from BuildInfo
-func ProvideSettingHandler(settingService *service.SettingService, buildInfo BuildInfo) *SettingHandler {
-	return NewSettingHandler(settingService, buildInfo.Version)
-}
-
-// ProvideHandlers creates the Handlers struct
-func ProvideHandlers(
-	authHandler *AuthHandler,
-	userHandler *UserHandler,
-	apiKeyHandler *APIKeyHandler,
-	usageHandler *UsageHandler,
-	redeemHandler *RedeemHandler,
-	subscriptionHandler *SubscriptionHandler,
-	adminHandlers *AdminHandlers,
-	gatewayHandler *GatewayHandler,
-	openaiGatewayHandler *OpenAIGatewayHandler,
-	settingHandler *SettingHandler,
-) *Handlers {
-	return &Handlers{
-		Auth:          authHandler,
-		User:          userHandler,
-		APIKey:        apiKeyHandler,
-		Usage:         usageHandler,
-		Redeem:        redeemHandler,
-		Subscription:  subscriptionHandler,
-		Admin:         adminHandlers,
-		Gateway:       gatewayHandler,
-		OpenAIGateway: openaiGatewayHandler,
-		Setting:       settingHandler,
-	}
-}
-
-// ProviderSet is the Wire provider set for all handlers
-var ProviderSet = wire.NewSet(
-	// Top-level handlers
-	NewAuthHandler,
-	NewUserHandler,
-	NewAPIKeyHandler,
-	NewUsageHandler,
-	NewRedeemHandler,
-	NewSubscriptionHandler,
-	NewGatewayHandler,
-	NewOpenAIGatewayHandler,
-	ProvideSettingHandler,
-
-	// Admin handlers
-	admin.NewDashboardHandler,
-	admin.NewUserHandler,
-	admin.NewGroupHandler,
-	admin.NewAccountHandler,
-	admin.NewOAuthHandler,
-	admin.NewOpenAIOAuthHandler,
-	admin.NewGeminiOAuthHandler,
-	admin.NewAntigravityOAuthHandler,
-	admin.NewProxyHandler,
-	admin.NewRedeemHandler,
-	admin.NewSettingHandler,
-	ProvideSystemHandler,
-	admin.NewSubscriptionHandler,
-	admin.NewUsageHandler,
-	admin.NewUserAttributeHandler,
-
-	// AdminHandlers and Handlers constructors
-	ProvideAdminHandlers,
-	ProvideHandlers,
-)
+package handler
+
+import (
+	"github.com/Wei-Shaw/sub2api/internal/handler/admin"
+	"github.com/Wei-Shaw/sub2api/internal/service"
+
+	"github.com/google/wire"
+)
+
+// ProvideAdminHandlers creates the AdminHandlers struct
+func ProvideAdminHandlers(
+	dashboardHandler *admin.DashboardHandler,
+	userHandler *admin.UserHandler,
+	groupHandler *admin.GroupHandler,
+	accountHandler *admin.AccountHandler,
+	oauthHandler *admin.OAuthHandler,
+	openaiOAuthHandler *admin.OpenAIOAuthHandler,
+	geminiOAuthHandler *admin.GeminiOAuthHandler,
+	antigravityOAuthHandler *admin.AntigravityOAuthHandler,
+	proxyHandler *admin.ProxyHandler,
+	redeemHandler *admin.RedeemHandler,
+	settingHandler *admin.SettingHandler,
+	systemHandler *admin.SystemHandler,
+	subscriptionHandler *admin.SubscriptionHandler,
+	usageHandler *admin.UsageHandler,
+	userAttributeHandler *admin.UserAttributeHandler,
+) *AdminHandlers {
+	return &AdminHandlers{
+		Dashboard:        dashboardHandler,
+		User:             userHandler,
+		Group:            groupHandler,
+		Account:          accountHandler,
+		OAuth:            oauthHandler,
+		OpenAIOAuth:      openaiOAuthHandler,
+		GeminiOAuth:      geminiOAuthHandler,
+		AntigravityOAuth: antigravityOAuthHandler,
+		Proxy:            proxyHandler,
+		Redeem:           redeemHandler,
+		Setting:          settingHandler,
+		System:           systemHandler,
+		Subscription:     subscriptionHandler,
+		Usage:            usageHandler,
+		UserAttribute:    userAttributeHandler,
+	}
+}
+
+// ProvideSystemHandler creates admin.SystemHandler with UpdateService
+func ProvideSystemHandler(updateService *service.UpdateService) *admin.SystemHandler {
+	return admin.NewSystemHandler(updateService)
+}
+
+// ProvideSettingHandler creates SettingHandler with version from BuildInfo
+func ProvideSettingHandler(settingService *service.SettingService, buildInfo BuildInfo) *SettingHandler {
+	return NewSettingHandler(settingService, buildInfo.Version)
+}
+
+// ProvideHandlers creates the Handlers struct
+func ProvideHandlers(
+	authHandler *AuthHandler,
+	userHandler *UserHandler,
+	apiKeyHandler *APIKeyHandler,
+	usageHandler *UsageHandler,
+	redeemHandler *RedeemHandler,
+	subscriptionHandler *SubscriptionHandler,
+	adminHandlers *AdminHandlers,
+	gatewayHandler *GatewayHandler,
+	openaiGatewayHandler *OpenAIGatewayHandler,
+	settingHandler *SettingHandler,
+) *Handlers {
+	return &Handlers{
+		Auth:          authHandler,
+		User:          userHandler,
+		APIKey:        apiKeyHandler,
+		Usage:         usageHandler,
+		Redeem:        redeemHandler,
+		Subscription:  subscriptionHandler,
+		Admin:         adminHandlers,
+		Gateway:       gatewayHandler,
+		OpenAIGateway: openaiGatewayHandler,
+		Setting:       settingHandler,
+	}
+}
+
+// ProviderSet is the Wire provider set for all handlers
+var ProviderSet = wire.NewSet(
+	// Top-level handlers
+	NewAuthHandler,
+	NewUserHandler,
+	NewAPIKeyHandler,
+	NewUsageHandler,
+	NewRedeemHandler,
+	NewSubscriptionHandler,
+	NewGatewayHandler,
+	NewOpenAIGatewayHandler,
+	ProvideSettingHandler,
+
+	// Admin handlers
+	admin.NewDashboardHandler,
+	admin.NewUserHandler,
+	admin.NewGroupHandler,
+	admin.NewAccountHandler,
+	admin.NewOAuthHandler,
+	admin.NewOpenAIOAuthHandler,
+	admin.NewGeminiOAuthHandler,
+	admin.NewAntigravityOAuthHandler,
+	admin.NewProxyHandler,
+	admin.NewRedeemHandler,
+	admin.NewSettingHandler,
+	ProvideSystemHandler,
+	admin.NewSubscriptionHandler,
+	admin.NewUsageHandler,
+	admin.NewUserAttributeHandler,
+
+	// AdminHandlers and Handlers constructors
+	ProvideAdminHandlers,
+	ProvideHandlers,
+)