根据 Codex 代码审查报告,修复所有 P0 和 P1 优先级问题。 ## P0 紧急修复 ### 1. 修复集成测试编译错误 - 更新 group_repo_integration_test.go 中所有 ListWithFilters 调用 - 添加缺失的 search 参数(传入空字符串) - 修复 4 处旧签名调用,避免 CI 编译失败 ### 2. 添加统一的 search 参数输入验证 为所有 admin handler 添加一致的输入验证逻辑: - group_handler.go: 添加 TrimSpace + 长度限制 - proxy_handler.go: 添加 TrimSpace + 长度限制 - redeem_handler.go: 添加 TrimSpace + 长度限制 - user_handler.go: 添加 TrimSpace + 长度限制 验证规则: - TrimSpace() 去除首尾空格 - 最大长度 100 字符(防止 DoS 攻击) - 超长输入自动截断 ## P1 改进 ### 3. 补充 search 功能的单元测试 新增 admin_service_group_test.go 中的测试: - TestAdminService_ListGroups_WithSearch - search 参数正常传递到 repository 层 - search 为空字符串时的行为 - search 与其他过滤条件组合使用 新增 admin_service_search_test.go 文件: - 为其他 admin API 添加 search 测试覆盖 - 统一的测试模式和断言 ### 4. 补充 search 功能的集成测试 新增 group_repo_integration_test.go 测试场景: - TestListWithFilters_Search - 搜索 name 字段匹配 - 搜索 description 字段匹配 - 搜索不存在内容(返回空) - 大小写不敏感测试 - 特殊字符转义测试(%、_) - 与其他过滤条件组合 ## 测试结果 - ✅ 编译检查通过 - ✅ 单元测试全部通过 (3/3) - ✅ 集成测试编译通过 - ✅ 所有 service 测试通过 ## 影响范围 修改文件: 8 个 代码变更: +234 行 / -8 行 ## 相关 Issue 解决代码审查中的安全性和稳定性问题: - 防止 DoS 攻击(超长搜索字符串) - 修复测试编译错误(CI 阻塞问题) - 提升测试覆盖率
package admin
|
||
|
||
import (
	"strconv"
	"strings"
	"unicode/utf8"

	"github.com/Wei-Shaw/sub2api/internal/handler/dto"
	"github.com/Wei-Shaw/sub2api/internal/pkg/response"
	"github.com/Wei-Shaw/sub2api/internal/service"

	"github.com/gin-gonic/gin"
)
|
||
|
||
// UserHandler handles admin user management
// (the /api/v1/admin/users routes). Every request is delegated to the
// wrapped AdminService; the handler itself only parses input and shapes
// the HTTP response.
type UserHandler struct {
	// adminService performs the actual user operations (list, get, create,
	// update, delete, balance, API keys, usage stats).
	adminService service.AdminService
}
|
||
|
||
// NewUserHandler creates a new admin user handler that delegates all user
// operations to adminService.
func NewUserHandler(adminService service.AdminService) *UserHandler {
	h := new(UserHandler)
	h.adminService = adminService
	return h
}
|
||
|
||
// CreateUserRequest represents admin create user request
// (JSON body of POST /api/v1/admin/users). Input validation that happens in
// the handler is expressed entirely through the gin binding tags below;
// fields without a binding tag are passed to the service unvalidated.
type CreateUserRequest struct {
	// Email is required and must satisfy the binding "email" check.
	Email string `json:"email" binding:"required,email"`
	// Password is required with a minimum length of 6.
	Password string `json:"password" binding:"required,min=6"`
	// Username is optional.
	Username string `json:"username"`
	// Notes is optional free-form text.
	Notes string `json:"notes"`
	// Balance has no binding tag; it reaches the service as sent.
	Balance float64 `json:"balance"`
	// Concurrency has no binding tag; it reaches the service as sent.
	Concurrency int `json:"concurrency"`
	// AllowedGroups is a list of group IDs; not validated here.
	AllowedGroups []int64 `json:"allowed_groups"`
}
|
||
|
||
// UpdateUserRequest represents admin update user request
// (JSON body of PUT /api/v1/admin/users/:id).
// Pointer fields distinguish "not provided" (nil) from "set to zero";
// string fields with omitempty tags use the empty string for "not provided".
type UpdateUserRequest struct {
	// Email, when present, must satisfy the binding "email" check.
	Email string `json:"email" binding:"omitempty,email"`
	// Password, when present, must be at least 6 characters.
	Password string `json:"password" binding:"omitempty,min=6"`
	// Username: nil means "leave unchanged".
	Username *string `json:"username"`
	// Notes: nil means "leave unchanged".
	Notes *string `json:"notes"`
	// Balance: nil means "leave unchanged".
	Balance *float64 `json:"balance"`
	// Concurrency: nil means "leave unchanged".
	Concurrency *int `json:"concurrency"`
	// Status, when present, must be one of "active" or "disabled".
	Status string `json:"status" binding:"omitempty,oneof=active disabled"`
	// AllowedGroups: nil means "leave unchanged"; an empty slice is a
	// deliberate value and is forwarded to the service as such.
	AllowedGroups *[]int64 `json:"allowed_groups"`
}
|
||
|
||
// UpdateBalanceRequest represents balance update request
// (JSON body of POST /api/v1/admin/users/:id/balance).
type UpdateBalanceRequest struct {
	// Balance is required and must be strictly greater than zero; the
	// Operation decides how it is applied.
	Balance float64 `json:"balance" binding:"required,gt=0"`
	// Operation is required and must be one of "set", "add" or "subtract".
	Operation string `json:"operation" binding:"required,oneof=set add subtract"`
	// Notes is optional free-form text forwarded to the service.
	Notes string `json:"notes"`
}
|
||
|
||
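// List handles listing all users with pagination
// GET /api/v1/admin/users
// Query params:
// - status: filter by user status
// - role: filter by user role
// - search: search in email, username; trimmed and capped at
//   maxUserSearchBytes bytes (cut on a rune boundary)
// - attr[{id}]: filter by custom attribute value, e.g. attr[1]=company
//
// Escaping of the search term for the storage backend (e.g. LIKE
// wildcards) is not done here; that is the repository's responsibility.
func (h *UserHandler) List(c *gin.Context) {
	page, pageSize := response.ParsePagination(c)

	// Normalize the search term: strip surrounding whitespace and bound its
	// size so an oversized query string is never handed to the repository
	// layer. The cut is made on a rune boundary: a plain byte slice could
	// split a multi-byte UTF-8 character and produce an invalid string.
	search := truncateSearchUTF8(strings.TrimSpace(c.Query("search")), maxUserSearchBytes)

	filters := service.UserListFilters{
		Status:     c.Query("status"),
		Role:       c.Query("role"),
		Search:     search,
		Attributes: parseAttributeFilters(c),
	}

	users, total, err := h.adminService.ListUsers(c.Request.Context(), page, pageSize, filters)
	if err != nil {
		response.ErrorFrom(c, err)
		return
	}

	out := make([]dto.User, 0, len(users))
	for i := range users {
		out = append(out, *dto.UserFromService(&users[i]))
	}
	response.Paginated(c, out, total, page, pageSize)
}

// maxUserSearchBytes bounds the byte length of the admin user search term.
const maxUserSearchBytes = 100

// truncateSearchUTF8 returns s shortened to at most limit bytes without
// splitting a multi-byte UTF-8 sequence. Strings that already fit are
// returned unchanged. For valid UTF-8 input the result is valid UTF-8; for
// invalid input the cut simply moves back to the nearest byte that is not a
// continuation byte.
func truncateSearchUTF8(s string, limit int) string {
	if len(s) <= limit {
		return s
	}
	cut := limit
	// Walk back over continuation bytes (10xxxxxx) until the cut lands on
	// the first byte of a rune.
	for cut > 0 && !utf8.RuneStart(s[cut]) {
		cut--
	}
	return s[:cut]
}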
|
||
|
||
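// parseAttributeFilters extracts attribute filters from query params
// Format: attr[{attributeID}]=value, e.g. attr[1]=company&attr[2]=developer
// Keys whose ID is not a positive base-10 integer, and keys whose first
// value is empty, are ignored. Values are forwarded untouched.
func parseAttributeFilters(c *gin.Context) map[int64]string {
	return attributeFiltersFromQuery(c.Request.URL.Query())
}

// attributeFiltersFromQuery does the work of parseAttributeFilters on a raw
// query map so it can be exercised without a gin context. Only the first
// value of each key is considered.
func attributeFiltersFromQuery(query map[string][]string) map[int64]string {
	result := make(map[int64]string)
	for key, values := range query {
		if len(values) == 0 || values[0] == "" {
			continue
		}
		// Only keys shaped like attr[<id>] carry an attribute filter.
		if !strings.HasPrefix(key, "attr[") || !strings.HasSuffix(key, "]") {
			continue
		}
		idStr := strings.TrimSuffix(strings.TrimPrefix(key, "attr["), "]")
		id, err := strconv.ParseInt(idStr, 10, 64)
		if err != nil || id <= 0 {
			// Non-numeric or non-positive IDs are dropped silently; an
			// unknown attribute is treated as "no filter", not as an error.
			continue
		}
		result[id] = values[0]
	}
	return result
}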
|
||
|
||
// GetByID handles getting a user by ID
// GET /api/v1/admin/users/:id
// A non-integer :id is rejected with response.BadRequest; service errors are
// passed to response.ErrorFrom; otherwise the user DTO is returned.
func (h *UserHandler) GetByID(c *gin.Context) {
	id, parseErr := strconv.ParseInt(c.Param("id"), 10, 64)
	if parseErr != nil {
		response.BadRequest(c, "Invalid user ID")
		return
	}

	user, err := h.adminService.GetUser(c.Request.Context(), id)
	if err == nil {
		response.Success(c, dto.UserFromService(user))
		return
	}
	response.ErrorFrom(c, err)
}
|
||
|
||
// Create handles creating a new user
// POST /api/v1/admin/users
// The JSON body is bound into CreateUserRequest (binding tags enforce the
// field rules); a binding failure is answered with response.BadRequest and
// the validator's message, service errors go through response.ErrorFrom.
func (h *UserHandler) Create(c *gin.Context) {
	var body CreateUserRequest
	if bindErr := c.ShouldBindJSON(&body); bindErr != nil {
		response.BadRequest(c, "Invalid request: "+bindErr.Error())
		return
	}

	input := &service.CreateUserInput{
		Email:         body.Email,
		Password:      body.Password,
		Username:      body.Username,
		Notes:         body.Notes,
		Balance:       body.Balance,
		Concurrency:   body.Concurrency,
		AllowedGroups: body.AllowedGroups,
	}
	created, err := h.adminService.CreateUser(c.Request.Context(), input)
	if err != nil {
		response.ErrorFrom(c, err)
		return
	}
	response.Success(c, dto.UserFromService(created))
}
|
||
|
||
// Update handles updating a user
// PUT /api/v1/admin/users/:id
// The path ID is parsed first, then the JSON body is bound into
// UpdateUserRequest; pointer fields are forwarded as-is so that nil keeps
// meaning "field not provided" all the way down to the service.
func (h *UserHandler) Update(c *gin.Context) {
	id, parseErr := strconv.ParseInt(c.Param("id"), 10, 64)
	if parseErr != nil {
		response.BadRequest(c, "Invalid user ID")
		return
	}

	var body UpdateUserRequest
	if bindErr := c.ShouldBindJSON(&body); bindErr != nil {
		response.BadRequest(c, "Invalid request: "+bindErr.Error())
		return
	}

	// Pointers are passed through directly; nil means the field was omitted.
	input := &service.UpdateUserInput{
		Email:         body.Email,
		Password:      body.Password,
		Username:      body.Username,
		Notes:         body.Notes,
		Balance:       body.Balance,
		Concurrency:   body.Concurrency,
		Status:        body.Status,
		AllowedGroups: body.AllowedGroups,
	}
	updated, err := h.adminService.UpdateUser(c.Request.Context(), id, input)
	if err != nil {
		response.ErrorFrom(c, err)
		return
	}
	response.Success(c, dto.UserFromService(updated))
}
|
||
|
||
// Delete handles deleting a user
// DELETE /api/v1/admin/users/:id
// Rejects a non-integer :id with response.BadRequest, reports service errors
// through response.ErrorFrom, and answers with a fixed success message.
func (h *UserHandler) Delete(c *gin.Context) {
	id, parseErr := strconv.ParseInt(c.Param("id"), 10, 64)
	if parseErr != nil {
		response.BadRequest(c, "Invalid user ID")
		return
	}

	if err := h.adminService.DeleteUser(c.Request.Context(), id); err != nil {
		response.ErrorFrom(c, err)
		return
	}
	response.Success(c, gin.H{"message": "User deleted successfully"})
}
|
||
|
||
// UpdateBalance handles updating user balance
// POST /api/v1/admin/users/:id/balance
// The amount, operation ("set", "add" or "subtract") and notes come from
// UpdateBalanceRequest; the binding tags guarantee amount > 0 and a known
// operation before the service is called.
func (h *UserHandler) UpdateBalance(c *gin.Context) {
	id, parseErr := strconv.ParseInt(c.Param("id"), 10, 64)
	if parseErr != nil {
		response.BadRequest(c, "Invalid user ID")
		return
	}

	var body UpdateBalanceRequest
	if bindErr := c.ShouldBindJSON(&body); bindErr != nil {
		response.BadRequest(c, "Invalid request: "+bindErr.Error())
		return
	}

	ctx := c.Request.Context()
	updated, err := h.adminService.UpdateUserBalance(ctx, id, body.Balance, body.Operation, body.Notes)
	if err == nil {
		response.Success(c, dto.UserFromService(updated))
		return
	}
	response.ErrorFrom(c, err)
}
|
||
|
||
// GetUserAPIKeys handles getting user's API keys
// GET /api/v1/admin/users/:id/api-keys
// Pagination is read with response.ParsePagination after the :id has been
// validated; each service key is converted to its DTO before responding.
func (h *UserHandler) GetUserAPIKeys(c *gin.Context) {
	id, parseErr := strconv.ParseInt(c.Param("id"), 10, 64)
	if parseErr != nil {
		response.BadRequest(c, "Invalid user ID")
		return
	}

	page, pageSize := response.ParsePagination(c)

	keys, total, err := h.adminService.GetUserAPIKeys(c.Request.Context(), id, page, pageSize)
	if err != nil {
		response.ErrorFrom(c, err)
		return
	}

	// Convert in place by index so the DTO helper sees the original element,
	// not a copy.
	items := make([]dto.APIKey, len(keys))
	for i := range keys {
		items[i] = *dto.APIKeyFromService(&keys[i])
	}
	response.Paginated(c, items, total, page, pageSize)
}
|
||
|
||
// GetUserUsage handles getting user's usage statistics
// GET /api/v1/admin/users/:id/usage
// Query params:
// - period: defaults to "month" when absent; the value is not validated
//   here, the service decides which periods it accepts.
func (h *UserHandler) GetUserUsage(c *gin.Context) {
	id, parseErr := strconv.ParseInt(c.Param("id"), 10, 64)
	if parseErr != nil {
		response.BadRequest(c, "Invalid user ID")
		return
	}

	period := c.DefaultQuery("period", "month")

	stats, err := h.adminService.GetUserUsageStats(c.Request.Context(), id, period)
	if err == nil {
		response.Success(c, stats)
		return
	}
	response.ErrorFrom(c, err)
}
|