feat: 系统全面优化 - 设备管理/登录日志导出/性能监控/设置页面
后端: - 新增全局设备管理 API(DeviceHandler.GetAllDevices) - 新增登录日志导出功能(LogHandler.ExportLoginLogs, CSV/XLSX) - 新增设置服务(SettingsService)和设置页面 API - 设备管理支持多条件筛选(状态/信任状态/关键词) - 登录日志支持流式导出防 OOM - 操作日志支持按方法/时间范围搜索 - 主题配置服务(ThemeService) - 增强监控健康检查(Prometheus metrics + SLO) - 移除旧 ratelimit.go(已迁移至 robustness) - 修复 SocialAccount NULL 扫描问题 - 新增 API 契约测试、Handler 测试、Settings 测试 前端: - 新增管理员设备管理页面(DevicesPage) - 新增管理员登录日志导出功能 - 新增系统设置页面(SettingsPage) - 设备管理支持筛选和分页 - 增强 HTTP 响应类型 测试: - 业务逻辑测试 68 个(含并发 CONC_001~003) - 规模测试 16 个(P99 百分位统计) - E2E 测试、集成测试、契约测试 - 性能基准测试、鲁棒性测试 全面测试通过(38 个测试包)
This commit is contained in:
@@ -1,13 +1,25 @@
|
||||
package handler
|
||||
|
||||
import (
|
||||
"context"
|
||||
"crypto/subtle"
|
||||
"errors"
|
||||
"net/http"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
|
||||
apierrors "github.com/user-management-system/internal/pkg/errors"
|
||||
"github.com/user-management-system/internal/service"
|
||||
)
|
||||
|
||||
// newBackgroundCtx 创建用于后台 goroutine 的带超时独立 context(与请求 context 无关)
|
||||
func newBackgroundCtx(timeoutSec int) (context.Context, context.CancelFunc) {
|
||||
return context.WithTimeout(context.Background(), time.Duration(timeoutSec)*time.Second)
|
||||
}
|
||||
|
||||
// AuthHandler handles authentication requests
|
||||
type AuthHandler struct {
|
||||
authService *service.AuthService
|
||||
@@ -51,11 +63,15 @@ func (h *AuthHandler) Register(c *gin.Context) {
|
||||
|
||||
func (h *AuthHandler) Login(c *gin.Context) {
|
||||
var req struct {
|
||||
Account string `json:"account"`
|
||||
Username string `json:"username"`
|
||||
Email string `json:"email"`
|
||||
Phone string `json:"phone"`
|
||||
Password string `json:"password"`
|
||||
Account string `json:"account"`
|
||||
Username string `json:"username"`
|
||||
Email string `json:"email"`
|
||||
Phone string `json:"phone"`
|
||||
Password string `json:"password"`
|
||||
DeviceID string `json:"device_id"`
|
||||
DeviceName string `json:"device_name"`
|
||||
DeviceBrowser string `json:"device_browser"`
|
||||
DeviceOS string `json:"device_os"`
|
||||
}
|
||||
|
||||
if err := c.ShouldBindJSON(&req); err != nil {
|
||||
@@ -64,11 +80,15 @@ func (h *AuthHandler) Login(c *gin.Context) {
|
||||
}
|
||||
|
||||
loginReq := &service.LoginRequest{
|
||||
Account: req.Account,
|
||||
Username: req.Username,
|
||||
Email: req.Email,
|
||||
Phone: req.Phone,
|
||||
Password: req.Password,
|
||||
Account: req.Account,
|
||||
Username: req.Username,
|
||||
Email: req.Email,
|
||||
Phone: req.Phone,
|
||||
Password: req.Password,
|
||||
DeviceID: req.DeviceID,
|
||||
DeviceName: req.DeviceName,
|
||||
DeviceBrowser: req.DeviceBrowser,
|
||||
DeviceOS: req.DeviceOS,
|
||||
}
|
||||
|
||||
clientIP := c.ClientIP()
|
||||
@@ -82,6 +102,29 @@ func (h *AuthHandler) Login(c *gin.Context) {
|
||||
}
|
||||
|
||||
func (h *AuthHandler) Logout(c *gin.Context) {
|
||||
var req struct {
|
||||
AccessToken string `json:"access_token"`
|
||||
RefreshToken string `json:"refresh_token"`
|
||||
}
|
||||
// 允许 body 为空(仅凭 Authorization header 里的 access_token 注销也可以)
|
||||
_ = c.ShouldBindJSON(&req)
|
||||
|
||||
// 如果 body 里没有 access_token,则从 Authorization header 中取
|
||||
if req.AccessToken == "" {
|
||||
if bearer := c.GetHeader("Authorization"); len(bearer) > 7 {
|
||||
req.AccessToken = bearer[7:] // 去掉 "Bearer "
|
||||
}
|
||||
}
|
||||
|
||||
username, _ := c.Get("username")
|
||||
usernameStr, _ := username.(string)
|
||||
|
||||
logoutReq := &service.LogoutRequest{
|
||||
AccessToken: req.AccessToken,
|
||||
RefreshToken: req.RefreshToken,
|
||||
}
|
||||
_ = h.authService.Logout(c.Request.Context(), usernameStr, logoutReq)
|
||||
|
||||
c.JSON(http.StatusOK, gin.H{"message": "logged out"})
|
||||
}
|
||||
|
||||
@@ -121,7 +164,12 @@ func (h *AuthHandler) GetUserInfo(c *gin.Context) {
|
||||
}
|
||||
|
||||
func (h *AuthHandler) GetCSRFToken(c *gin.Context) {
|
||||
c.JSON(http.StatusOK, gin.H{"csrf_token": "not_implemented"})
|
||||
// 系统使用 JWT Bearer Token 认证,Bearer Token 不会被浏览器自动携带(非 cookie)
|
||||
// 因此不存在传统意义上的 CSRF 风险,此端点返回空 token 作为兼容响应
|
||||
c.JSON(http.StatusOK, gin.H{
|
||||
"csrf_token": "",
|
||||
"note": "JWT Bearer Token authentication; CSRF protection not required",
|
||||
})
|
||||
}
|
||||
|
||||
func (h *AuthHandler) GetAuthCapabilities(c *gin.Context) {
|
||||
@@ -151,34 +199,113 @@ func (h *AuthHandler) GetEnabledOAuthProviders(c *gin.Context) {
|
||||
}
|
||||
|
||||
func (h *AuthHandler) ActivateEmail(c *gin.Context) {
|
||||
c.JSON(http.StatusOK, gin.H{"message": "email activation not configured"})
|
||||
token := c.Query("token")
|
||||
if token == "" {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "token is required"})
|
||||
return
|
||||
}
|
||||
if err := h.authService.ActivateEmail(c.Request.Context(), token); err != nil {
|
||||
handleError(c, err)
|
||||
return
|
||||
}
|
||||
c.JSON(http.StatusOK, gin.H{"message": "email activated successfully"})
|
||||
}
|
||||
|
||||
func (h *AuthHandler) ResendActivationEmail(c *gin.Context) {
|
||||
c.JSON(http.StatusOK, gin.H{"message": "email activation not configured"})
|
||||
var req struct {
|
||||
Email string `json:"email" binding:"required,email"`
|
||||
}
|
||||
if err := c.ShouldBindJSON(&req); err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
|
||||
return
|
||||
}
|
||||
if err := h.authService.ResendActivationEmail(c.Request.Context(), req.Email); err != nil {
|
||||
handleError(c, err)
|
||||
return
|
||||
}
|
||||
// 防枚举:无论邮箱是否存在,统一返回成功
|
||||
c.JSON(http.StatusOK, gin.H{"message": "activation email sent if address is registered"})
|
||||
}
|
||||
|
||||
func (h *AuthHandler) SendEmailCode(c *gin.Context) {
|
||||
c.JSON(http.StatusOK, gin.H{"message": "email code login not configured"})
|
||||
var req struct {
|
||||
Email string `json:"email" binding:"required,email"`
|
||||
}
|
||||
if err := c.ShouldBindJSON(&req); err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
|
||||
return
|
||||
}
|
||||
|
||||
// SendEmailLoginCode 内部会忽略未注册邮箱(防枚举),始终返回 ok
|
||||
if err := h.authService.SendEmailLoginCode(c.Request.Context(), req.Email); err != nil {
|
||||
handleError(c, err)
|
||||
return
|
||||
}
|
||||
c.JSON(http.StatusOK, gin.H{"message": "验证码已发送"})
|
||||
}
|
||||
|
||||
func (h *AuthHandler) LoginByEmailCode(c *gin.Context) {
|
||||
c.JSON(http.StatusOK, gin.H{"error": "email code login not configured"})
|
||||
}
|
||||
var req struct {
|
||||
Email string `json:"email" binding:"required,email"`
|
||||
Code string `json:"code" binding:"required"`
|
||||
DeviceID string `json:"device_id"`
|
||||
DeviceName string `json:"device_name"`
|
||||
DeviceBrowser string `json:"device_browser"`
|
||||
DeviceOS string `json:"device_os"`
|
||||
}
|
||||
if err := c.ShouldBindJSON(&req); err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
|
||||
return
|
||||
}
|
||||
|
||||
func (h *AuthHandler) ForgotPassword(c *gin.Context) {
|
||||
c.JSON(http.StatusOK, gin.H{"message": "password reset not configured"})
|
||||
}
|
||||
clientIP := c.ClientIP()
|
||||
resp, err := h.authService.LoginByEmailCode(c.Request.Context(), req.Email, req.Code, clientIP)
|
||||
if err != nil {
|
||||
handleError(c, err)
|
||||
return
|
||||
}
|
||||
|
||||
func (h *AuthHandler) ResetPassword(c *gin.Context) {
|
||||
c.JSON(http.StatusOK, gin.H{"message": "password reset not configured"})
|
||||
}
|
||||
// 异步注册设备(不阻塞主流程)
|
||||
// 注意:必须用 context.WithTimeout(context.Background()) 而非 c.Request.Context()
|
||||
// gin 在 c.JSON 返回后会回收 context,goroutine 中引用会得到已取消的 context
|
||||
if req.DeviceID != "" && resp != nil && resp.User != nil {
|
||||
loginReq := &service.LoginRequest{
|
||||
DeviceID: req.DeviceID,
|
||||
DeviceName: req.DeviceName,
|
||||
DeviceBrowser: req.DeviceBrowser,
|
||||
DeviceOS: req.DeviceOS,
|
||||
}
|
||||
userID := resp.User.ID
|
||||
go func() {
|
||||
devCtx, cancel := newBackgroundCtx(5)
|
||||
defer cancel()
|
||||
h.authService.BestEffortRegisterDevicePublic(devCtx, userID, loginReq)
|
||||
}()
|
||||
}
|
||||
|
||||
func (h *AuthHandler) ValidateResetToken(c *gin.Context) {
|
||||
c.JSON(http.StatusOK, gin.H{"valid": false})
|
||||
c.JSON(http.StatusOK, resp)
|
||||
}
|
||||
|
||||
func (h *AuthHandler) BootstrapAdmin(c *gin.Context) {
|
||||
// P0 修复:BootstrapAdmin 端点需要 bootstrap secret 验证
|
||||
bootstrapSecret := os.Getenv("BOOTSTRAP_SECRET")
|
||||
if bootstrapSecret == "" {
|
||||
c.JSON(http.StatusForbidden, gin.H{"error": "引导初始化未授权"})
|
||||
return
|
||||
}
|
||||
|
||||
providedSecret := c.GetHeader("X-Bootstrap-Secret")
|
||||
if providedSecret == "" {
|
||||
c.JSON(http.StatusUnauthorized, gin.H{"error": "缺少引导密钥"})
|
||||
return
|
||||
}
|
||||
|
||||
// 使用恒定时间比较防止时序攻击
|
||||
if subtle.ConstantTimeCompare([]byte(providedSecret), []byte(bootstrapSecret)) != 1 {
|
||||
c.JSON(http.StatusUnauthorized, gin.H{"error": "引导密钥无效"})
|
||||
return
|
||||
}
|
||||
|
||||
var req struct {
|
||||
Username string `json:"username" binding:"required"`
|
||||
Email string `json:"email" binding:"required"`
|
||||
@@ -243,7 +370,7 @@ func (h *AuthHandler) UnbindSocialAccount(c *gin.Context) {
|
||||
}
|
||||
|
||||
func (h *AuthHandler) SupportsEmailCodeLogin() bool {
|
||||
return false
|
||||
return h.authService.HasEmailCodeService()
|
||||
}
|
||||
|
||||
func getUserIDFromContext(c *gin.Context) (int64, bool) {
|
||||
@@ -255,6 +382,55 @@ func getUserIDFromContext(c *gin.Context) (int64, bool) {
|
||||
return id, ok
|
||||
}
|
||||
|
||||
// handleError 将 error 转换为对应的 HTTP 响应。
|
||||
// 优先识别 ApplicationError,其次通过关键词推断业务错误类型,兜底返回 500。
|
||||
func handleError(c *gin.Context, err error) {
|
||||
c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
|
||||
if err == nil {
|
||||
return
|
||||
}
|
||||
|
||||
// 优先尝试 ApplicationError(内置 HTTP 状态码)
|
||||
var appErr *apierrors.ApplicationError
|
||||
if errors.As(err, &appErr) {
|
||||
c.JSON(int(appErr.Code), gin.H{"error": appErr.Message})
|
||||
return
|
||||
}
|
||||
|
||||
// 对普通 errors.New 按关键词推断语义,但只返回通用错误信息给客户端
|
||||
msg := err.Error()
|
||||
code := classifyErrorMessage(msg)
|
||||
c.JSON(code, gin.H{"error": "服务器内部错误"})
|
||||
}
|
||||
|
||||
// classifyErrorMessage 通过错误信息关键词推断 HTTP 状态码,避免业务错误被 500 吞掉
|
||||
func classifyErrorMessage(msg string) int {
|
||||
lower := strings.ToLower(msg)
|
||||
switch {
|
||||
case contains(lower, "not found", "不存在", "找不到"):
|
||||
return http.StatusNotFound
|
||||
case contains(lower, "already exists", "已存在", "已注册", "duplicate"):
|
||||
return http.StatusConflict
|
||||
case contains(lower, "unauthorized", "invalid token", "token", "令牌", "未认证"):
|
||||
return http.StatusUnauthorized
|
||||
case contains(lower, "forbidden", "permission", "权限", "禁止"):
|
||||
return http.StatusForbidden
|
||||
case contains(lower, "invalid", "required", "must", "cannot be empty", "不能为空",
|
||||
"格式", "参数", "密码不正确", "incorrect", "wrong", "too short", "too long",
|
||||
"已失效", "expired", "验证码不正确", "不能与"):
|
||||
return http.StatusBadRequest
|
||||
case contains(lower, "locked", "too many", "账号已被锁定", "rate limit"):
|
||||
return http.StatusTooManyRequests
|
||||
default:
|
||||
return http.StatusInternalServerError
|
||||
}
|
||||
}
|
||||
|
||||
// contains 检查 s 是否包含 keywords 中的任意一个
|
||||
func contains(s string, keywords ...string) bool {
|
||||
for _, kw := range keywords {
|
||||
if strings.Contains(s, kw) {
|
||||
return true
|
||||
}
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user