2588fa6a8f
基于 backend-code-audit 审计报告,修复剩余 P0/P1/P2 共 34 项问题: P0 生产 Bug: - 修复 time.Since(time.Now()) 计时逻辑错误 (P0-03) - generateRandomID 改用 crypto/rand 替代固定索引 (P0-04) - IncrementQuotaUsed 重写为 Ent 原子操作消除 TOCTOU 竞态 (P0-05) 安全加固: - gateway/openai handler 错误响应替换为泛化消息,防止内部信息泄露 (P1-14) - usage_log_repo dateFormat 参数改用白名单映射,防止 SQL 注入 (P1-16) - 默认配置安全加固:sslmode=prefer、response_headers=true、mode=release (P1-18/19, P2-15) 性能优化: - gateway handler 循环内 defer 替换为显式 releaseWait 闭包 (P1-02) - group_repo/promo_code_repo Count 前 Clone 查询避免状态污染 (P1-03) - usage_log_repo 四个查询添加 LIMIT 10000 防止 OOM (P1-07) - GetBatchUsageStats 添加时间范围参数,默认最近 30 天 (P1-10) - ip.go CIDR 预编译为包级变量 (P1-11) - BatchUpdateCredentials 重构为先验证后更新 (P1-13) 缓存一致性: - billing_cache 添加 jitteredTTL 防止缓存雪崩 (P2-10) - DeductUserBalance/UpdateSubscriptionUsage 错误传播修复 (P2-12) - UserService.UpdateBalance 成功后异步失效 billingCache (P2-13) 代码质量: - search 截断改为按 rune 处理,支持多字节字符 (P2-01) - TLS Handshake 改为 HandshakeContext 支持 context 取消 (P2-07) - CORS 预检添加 Access-Control-Max-Age: 86400 (P2-16) 测试覆盖: - 新增 user_service_test.go(UpdateBalance 缓存失效 6 个用例) - 新增 batch_update_credentials_test.go(fail-fast + 类型验证 7 个用例) - 新增 response_transformer_test.go、ip_test.go、usage_log_repo_unit_test.go、search_truncate_test.go - 集成测试:IncrementQuotaUsed 并发测试、billing_cache 错误传播测试 - config_test.go 补充 server.mode/sslmode 默认值断言 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
325 lines
9.1 KiB
Go
325 lines
9.1 KiB
Go
package admin
|
||
|
||
import (
|
||
"strconv"
|
||
"strings"
|
||
|
||
"github.com/Wei-Shaw/sub2api/internal/handler/dto"
|
||
"github.com/Wei-Shaw/sub2api/internal/pkg/response"
|
||
"github.com/Wei-Shaw/sub2api/internal/service"
|
||
|
||
"github.com/gin-gonic/gin"
|
||
)
|
||
|
||
// UserHandler handles admin user management
|
||
type UserHandler struct {
|
||
adminService service.AdminService
|
||
}
|
||
|
||
// NewUserHandler creates a new admin user handler
|
||
func NewUserHandler(adminService service.AdminService) *UserHandler {
|
||
return &UserHandler{
|
||
adminService: adminService,
|
||
}
|
||
}
|
||
|
||
// CreateUserRequest represents admin create user request
|
||
type CreateUserRequest struct {
|
||
Email string `json:"email" binding:"required,email"`
|
||
Password string `json:"password" binding:"required,min=6"`
|
||
Username string `json:"username"`
|
||
Notes string `json:"notes"`
|
||
Balance float64 `json:"balance"`
|
||
Concurrency int `json:"concurrency"`
|
||
AllowedGroups []int64 `json:"allowed_groups"`
|
||
}
|
||
|
||
// UpdateUserRequest represents admin update user request
|
||
// 使用指针类型来区分"未提供"和"设置为0"
|
||
type UpdateUserRequest struct {
|
||
Email string `json:"email" binding:"omitempty,email"`
|
||
Password string `json:"password" binding:"omitempty,min=6"`
|
||
Username *string `json:"username"`
|
||
Notes *string `json:"notes"`
|
||
Balance *float64 `json:"balance"`
|
||
Concurrency *int `json:"concurrency"`
|
||
Status string `json:"status" binding:"omitempty,oneof=active disabled"`
|
||
AllowedGroups *[]int64 `json:"allowed_groups"`
|
||
// GroupRates 用户专属分组倍率配置
|
||
// map[groupID]*rate,nil 表示删除该分组的专属倍率
|
||
GroupRates map[int64]*float64 `json:"group_rates"`
|
||
}
|
||
|
||
// UpdateBalanceRequest represents balance update request
|
||
type UpdateBalanceRequest struct {
|
||
Balance float64 `json:"balance" binding:"required,gt=0"`
|
||
Operation string `json:"operation" binding:"required,oneof=set add subtract"`
|
||
Notes string `json:"notes"`
|
||
}
|
||
|
||
// List handles listing all users with pagination
|
||
// GET /api/v1/admin/users
|
||
// Query params:
|
||
// - status: filter by user status
|
||
// - role: filter by user role
|
||
// - search: search in email, username
|
||
// - attr[{id}]: filter by custom attribute value, e.g. attr[1]=company
|
||
func (h *UserHandler) List(c *gin.Context) {
|
||
page, pageSize := response.ParsePagination(c)
|
||
|
||
search := c.Query("search")
|
||
// 标准化和验证 search 参数
|
||
search = strings.TrimSpace(search)
|
||
if runes := []rune(search); len(runes) > 100 {
|
||
search = string(runes[:100])
|
||
}
|
||
|
||
filters := service.UserListFilters{
|
||
Status: c.Query("status"),
|
||
Role: c.Query("role"),
|
||
Search: search,
|
||
Attributes: parseAttributeFilters(c),
|
||
}
|
||
|
||
users, total, err := h.adminService.ListUsers(c.Request.Context(), page, pageSize, filters)
|
||
if err != nil {
|
||
response.ErrorFrom(c, err)
|
||
return
|
||
}
|
||
|
||
out := make([]dto.AdminUser, 0, len(users))
|
||
for i := range users {
|
||
out = append(out, *dto.UserFromServiceAdmin(&users[i]))
|
||
}
|
||
response.Paginated(c, out, total, page, pageSize)
|
||
}
|
||
|
||
// parseAttributeFilters extracts attribute filters from query params
|
||
// Format: attr[{attributeID}]=value, e.g. attr[1]=company&attr[2]=developer
|
||
func parseAttributeFilters(c *gin.Context) map[int64]string {
|
||
result := make(map[int64]string)
|
||
|
||
// Get all query params and look for attr[*] pattern
|
||
for key, values := range c.Request.URL.Query() {
|
||
if len(values) == 0 || values[0] == "" {
|
||
continue
|
||
}
|
||
// Check if key matches pattern attr[{id}]
|
||
if len(key) > 5 && key[:5] == "attr[" && key[len(key)-1] == ']' {
|
||
idStr := key[5 : len(key)-1]
|
||
id, err := strconv.ParseInt(idStr, 10, 64)
|
||
if err == nil && id > 0 {
|
||
result[id] = values[0]
|
||
}
|
||
}
|
||
}
|
||
|
||
return result
|
||
}
|
||
|
||
// GetByID handles getting a user by ID
|
||
// GET /api/v1/admin/users/:id
|
||
func (h *UserHandler) GetByID(c *gin.Context) {
|
||
userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
|
||
if err != nil {
|
||
response.BadRequest(c, "Invalid user ID")
|
||
return
|
||
}
|
||
|
||
user, err := h.adminService.GetUser(c.Request.Context(), userID)
|
||
if err != nil {
|
||
response.ErrorFrom(c, err)
|
||
return
|
||
}
|
||
|
||
response.Success(c, dto.UserFromServiceAdmin(user))
|
||
}
|
||
|
||
// Create handles creating a new user
|
||
// POST /api/v1/admin/users
|
||
func (h *UserHandler) Create(c *gin.Context) {
|
||
var req CreateUserRequest
|
||
if err := c.ShouldBindJSON(&req); err != nil {
|
||
response.BadRequest(c, "Invalid request: "+err.Error())
|
||
return
|
||
}
|
||
|
||
user, err := h.adminService.CreateUser(c.Request.Context(), &service.CreateUserInput{
|
||
Email: req.Email,
|
||
Password: req.Password,
|
||
Username: req.Username,
|
||
Notes: req.Notes,
|
||
Balance: req.Balance,
|
||
Concurrency: req.Concurrency,
|
||
AllowedGroups: req.AllowedGroups,
|
||
})
|
||
if err != nil {
|
||
response.ErrorFrom(c, err)
|
||
return
|
||
}
|
||
|
||
response.Success(c, dto.UserFromServiceAdmin(user))
|
||
}
|
||
|
||
// Update handles updating a user
|
||
// PUT /api/v1/admin/users/:id
|
||
func (h *UserHandler) Update(c *gin.Context) {
|
||
userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
|
||
if err != nil {
|
||
response.BadRequest(c, "Invalid user ID")
|
||
return
|
||
}
|
||
|
||
var req UpdateUserRequest
|
||
if err := c.ShouldBindJSON(&req); err != nil {
|
||
response.BadRequest(c, "Invalid request: "+err.Error())
|
||
return
|
||
}
|
||
|
||
// 使用指针类型直接传递,nil 表示未提供该字段
|
||
user, err := h.adminService.UpdateUser(c.Request.Context(), userID, &service.UpdateUserInput{
|
||
Email: req.Email,
|
||
Password: req.Password,
|
||
Username: req.Username,
|
||
Notes: req.Notes,
|
||
Balance: req.Balance,
|
||
Concurrency: req.Concurrency,
|
||
Status: req.Status,
|
||
AllowedGroups: req.AllowedGroups,
|
||
GroupRates: req.GroupRates,
|
||
})
|
||
if err != nil {
|
||
response.ErrorFrom(c, err)
|
||
return
|
||
}
|
||
|
||
response.Success(c, dto.UserFromServiceAdmin(user))
|
||
}
|
||
|
||
// Delete handles deleting a user
|
||
// DELETE /api/v1/admin/users/:id
|
||
func (h *UserHandler) Delete(c *gin.Context) {
|
||
userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
|
||
if err != nil {
|
||
response.BadRequest(c, "Invalid user ID")
|
||
return
|
||
}
|
||
|
||
err = h.adminService.DeleteUser(c.Request.Context(), userID)
|
||
if err != nil {
|
||
response.ErrorFrom(c, err)
|
||
return
|
||
}
|
||
|
||
response.Success(c, gin.H{"message": "User deleted successfully"})
|
||
}
|
||
|
||
// UpdateBalance handles updating user balance
|
||
// POST /api/v1/admin/users/:id/balance
|
||
func (h *UserHandler) UpdateBalance(c *gin.Context) {
|
||
userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
|
||
if err != nil {
|
||
response.BadRequest(c, "Invalid user ID")
|
||
return
|
||
}
|
||
|
||
var req UpdateBalanceRequest
|
||
if err := c.ShouldBindJSON(&req); err != nil {
|
||
response.BadRequest(c, "Invalid request: "+err.Error())
|
||
return
|
||
}
|
||
|
||
user, err := h.adminService.UpdateUserBalance(c.Request.Context(), userID, req.Balance, req.Operation, req.Notes)
|
||
if err != nil {
|
||
response.ErrorFrom(c, err)
|
||
return
|
||
}
|
||
|
||
response.Success(c, dto.UserFromServiceAdmin(user))
|
||
}
|
||
|
||
// GetUserAPIKeys handles getting user's API keys
|
||
// GET /api/v1/admin/users/:id/api-keys
|
||
func (h *UserHandler) GetUserAPIKeys(c *gin.Context) {
|
||
userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
|
||
if err != nil {
|
||
response.BadRequest(c, "Invalid user ID")
|
||
return
|
||
}
|
||
|
||
page, pageSize := response.ParsePagination(c)
|
||
|
||
keys, total, err := h.adminService.GetUserAPIKeys(c.Request.Context(), userID, page, pageSize)
|
||
if err != nil {
|
||
response.ErrorFrom(c, err)
|
||
return
|
||
}
|
||
|
||
out := make([]dto.APIKey, 0, len(keys))
|
||
for i := range keys {
|
||
out = append(out, *dto.APIKeyFromService(&keys[i]))
|
||
}
|
||
response.Paginated(c, out, total, page, pageSize)
|
||
}
|
||
|
||
// GetUserUsage handles getting user's usage statistics
|
||
// GET /api/v1/admin/users/:id/usage
|
||
func (h *UserHandler) GetUserUsage(c *gin.Context) {
|
||
userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
|
||
if err != nil {
|
||
response.BadRequest(c, "Invalid user ID")
|
||
return
|
||
}
|
||
|
||
period := c.DefaultQuery("period", "month")
|
||
|
||
stats, err := h.adminService.GetUserUsageStats(c.Request.Context(), userID, period)
|
||
if err != nil {
|
||
response.ErrorFrom(c, err)
|
||
return
|
||
}
|
||
|
||
response.Success(c, stats)
|
||
}
|
||
|
||
// GetBalanceHistory handles getting user's balance/concurrency change history
|
||
// GET /api/v1/admin/users/:id/balance-history
|
||
// Query params:
|
||
// - type: filter by record type (balance, admin_balance, concurrency, admin_concurrency, subscription)
|
||
func (h *UserHandler) GetBalanceHistory(c *gin.Context) {
|
||
userID, err := strconv.ParseInt(c.Param("id"), 10, 64)
|
||
if err != nil {
|
||
response.BadRequest(c, "Invalid user ID")
|
||
return
|
||
}
|
||
|
||
page, pageSize := response.ParsePagination(c)
|
||
codeType := c.Query("type")
|
||
|
||
codes, total, totalRecharged, err := h.adminService.GetUserBalanceHistory(c.Request.Context(), userID, page, pageSize, codeType)
|
||
if err != nil {
|
||
response.ErrorFrom(c, err)
|
||
return
|
||
}
|
||
|
||
// Convert to admin DTO (includes notes field for admin visibility)
|
||
out := make([]dto.AdminRedeemCode, 0, len(codes))
|
||
for i := range codes {
|
||
out = append(out, *dto.RedeemCodeFromServiceAdmin(&codes[i]))
|
||
}
|
||
|
||
// Custom response with total_recharged alongside pagination
|
||
pages := int((total + int64(pageSize) - 1) / int64(pageSize))
|
||
if pages < 1 {
|
||
pages = 1
|
||
}
|
||
response.Success(c, gin.H{
|
||
"items": out,
|
||
"total": total,
|
||
"page": page,
|
||
"page_size": pageSize,
|
||
"pages": pages,
|
||
"total_recharged": totalRecharged,
|
||
})
|
||
}
|