refactor: 调整项目结构为单向依赖

backend/internal/server/middleware/admin_auth.go

@@ -5,7 +5,6 @@ import (
 	"errors"
 	"strings"
 
-	"github.com/Wei-Shaw/sub2api/internal/model"
 	"github.com/Wei-Shaw/sub2api/internal/service"
 
 	"github.com/gin-gonic/gin"
@@ -84,7 +83,11 @@ func validateAdminApiKey(
 		return false
 	}
 
-	c.Set(string(ContextKeyUser), admin)
+	c.Set(string(ContextKeyUser), AuthSubject{
+		UserID:      admin.ID,
+		Concurrency: admin.Concurrency,
+	})
+	c.Set(string(ContextKeyUserRole), admin.Role)
 	c.Set("auth_method", "admin_api_key")
 	return true
 }
@@ -121,12 +124,16 @@ func validateJWTForAdmin(
 	}
 
 	// 检查管理员权限
-	if user.Role != model.RoleAdmin {
+	if !user.IsAdmin() {
 		AbortWithError(c, 403, "FORBIDDEN", "Admin access required")
 		return false
 	}
 
-	c.Set(string(ContextKeyUser), user)
+	c.Set(string(ContextKeyUser), AuthSubject{
+		UserID:      user.ID,
+		Concurrency: user.Concurrency,
+	})
+	c.Set(string(ContextKeyUserRole), user.Role)
 	c.Set("auth_method", "jwt")
 
 	return true

backend/internal/server/middleware/admin_only.go

@@ -1,7 +1,7 @@
 package middleware
 
 import (
-	"github.com/Wei-Shaw/sub2api/internal/model"
+	"github.com/Wei-Shaw/sub2api/internal/service"
 
 	"github.com/gin-gonic/gin"
 )
@@ -10,15 +10,14 @@ import (
 // 必须在JWTAuth中间件之后使用
 func AdminOnly() gin.HandlerFunc {
 	return func(c *gin.Context) {
-		// 从上下文获取用户
-		user, exists := GetUserFromContext(c)
-		if !exists {
+		role, ok := GetUserRoleFromContext(c)
+		if !ok {
 			AbortWithError(c, 401, "UNAUTHORIZED", "User not found in context")
 			return
 		}
 
 		// 检查是否为管理员
-		if user.Role != model.RoleAdmin {
+		if role != service.RoleAdmin {
 			AbortWithError(c, 403, "FORBIDDEN", "Admin access required")
 			return
 		}

backend/internal/server/middleware/api_key_auth.go

@@ -5,11 +5,9 @@ import (
 	"log"
 	"strings"
 
-	"github.com/Wei-Shaw/sub2api/internal/model"
 	"github.com/Wei-Shaw/sub2api/internal/service"
 
 	"github.com/gin-gonic/gin"
-	"gorm.io/gorm"
 )
 
 // NewApiKeyAuthMiddleware 创建 API Key 认证中间件
@@ -46,7 +44,7 @@ func apiKeyAuthWithSubscription(apiKeyService *service.ApiKeyService, subscripti
 		// 从数据库验证API key
 		apiKey, err := apiKeyService.GetByKey(c.Request.Context(), apiKeyString)
 		if err != nil {
-			if errors.Is(err, gorm.ErrRecordNotFound) {
+			if errors.Is(err, service.ErrApiKeyNotFound) {
 				AbortWithError(c, 401, "INVALID_API_KEY", "Invalid API key")
 				return
 			}
@@ -121,28 +119,32 @@ func apiKeyAuthWithSubscription(apiKeyService *service.ApiKeyService, subscripti
 
 		// 将API key和用户信息存入上下文
 		c.Set(string(ContextKeyApiKey), apiKey)
-		c.Set(string(ContextKeyUser), apiKey.User)
+		c.Set(string(ContextKeyUser), AuthSubject{
+			UserID:      apiKey.User.ID,
+			Concurrency: apiKey.User.Concurrency,
+		})
+		c.Set(string(ContextKeyUserRole), apiKey.User.Role)
 
 		c.Next()
 	}
 }
 
 // GetApiKeyFromContext 从上下文中获取API key
-func GetApiKeyFromContext(c *gin.Context) (*model.ApiKey, bool) {
+func GetApiKeyFromContext(c *gin.Context) (*service.ApiKey, bool) {
 	value, exists := c.Get(string(ContextKeyApiKey))
 	if !exists {
 		return nil, false
 	}
-	apiKey, ok := value.(*model.ApiKey)
+	apiKey, ok := value.(*service.ApiKey)
 	return apiKey, ok
 }
 
 // GetSubscriptionFromContext 从上下文中获取订阅信息
-func GetSubscriptionFromContext(c *gin.Context) (*model.UserSubscription, bool) {
+func GetSubscriptionFromContext(c *gin.Context) (*service.UserSubscription, bool) {
 	value, exists := c.Get(string(ContextKeySubscription))
 	if !exists {
 		return nil, false
 	}
-	subscription, ok := value.(*model.UserSubscription)
+	subscription, ok := value.(*service.UserSubscription)
 	return subscription, ok
 }

backend/internal/server/middleware/auth_subject.go

@@ -0,0 +1,28 @@
+package middleware
+
+import "github.com/gin-gonic/gin"
+
+// AuthSubject is the minimal authenticated identity stored in gin context.
+// Decision: {UserID int64, Concurrency int}
+type AuthSubject struct {
+	UserID      int64
+	Concurrency int
+}
+
+func GetAuthSubjectFromContext(c *gin.Context) (AuthSubject, bool) {
+	value, exists := c.Get(string(ContextKeyUser))
+	if !exists {
+		return AuthSubject{}, false
+	}
+	subject, ok := value.(AuthSubject)
+	return subject, ok
+}
+
+func GetUserRoleFromContext(c *gin.Context) (string, bool) {
+	value, exists := c.Get(string(ContextKeyUserRole))
+	if !exists {
+		return "", false
+	}
+	role, ok := value.(string)
+	return role, ok
+}

backend/internal/server/middleware/jwt_auth.go

@@ -4,7 +4,6 @@ import (
 	"errors"
 	"strings"
 
-	"github.com/Wei-Shaw/sub2api/internal/model"
 	"github.com/Wei-Shaw/sub2api/internal/service"
 
 	"github.com/gin-gonic/gin"
@@ -62,19 +61,14 @@ func jwtAuth(authService *service.AuthService, userService *service.UserService)
 			return
 		}
 
-		// 将用户信息存入上下文
-		c.Set(string(ContextKeyUser), user)
+		c.Set(string(ContextKeyUser), AuthSubject{
+			UserID:      user.ID,
+			Concurrency: user.Concurrency,
+		})
+		c.Set(string(ContextKeyUserRole), user.Role)
 
 		c.Next()
 	}
 }
 
-// GetUserFromContext 从上下文中获取用户
-func GetUserFromContext(c *gin.Context) (*model.User, bool) {
-	value, exists := c.Get(string(ContextKeyUser))
-	if !exists {
-		return nil, false
-	}
-	user, ok := value.(*model.User)
-	return user, ok
-}
+// Deprecated: prefer GetAuthSubjectFromContext in auth_subject.go.

backend/internal/server/middleware/middleware.go

@@ -8,6 +8,8 @@ type ContextKey string
 const (
 	// ContextKeyUser 用户上下文键
 	ContextKeyUser ContextKey = "user"
+	// ContextKeyUserRole 当前用户角色（string）
+	ContextKeyUserRole ContextKey = "user_role"
 	// ContextKeyApiKey API密钥上下文键
 	ContextKeyApiKey ContextKey = "api_key"
 	// ContextKeySubscription 订阅上下文键