feat: 添加种子数据初始化功能，重构多个处理程序以简化错误响应和用户验证

2025-12-02 10:33:19 +08:00
parent bdd2be5dc5
commit 10fdcd916b
30 changed files with 1291 additions and 1778 deletions
--- a/internal/service/user_service.go
+++ b/internal/service/user_service.go
@@ -4,7 +4,10 @@ import (
 	"carrotskin/internal/model"
 	"carrotskin/internal/repository"
 	"carrotskin/pkg/auth"
+	"carrotskin/pkg/redis"
+	"context"
 	"errors"
+	"fmt"
 	"strings"
 	"time"
 )
@@ -37,7 +40,12 @@ func RegisterUser(jwtService *auth.JWTService, username, password, email, avatar

 	// 确定头像URL：优先使用用户提供的头像，否则使用默认头像
 	avatarURL := avatar
-	if avatarURL == "" {
+	if avatarURL != "" {
+		// 验证用户提供的头像 URL 是否来自允许的域名
+		if err := ValidateAvatarURL(avatarURL); err != nil {
+			return nil, "", err
+		}
+	} else {
 		avatarURL = getDefaultAvatar()
 	}

@@ -49,8 +57,7 @@ func RegisterUser(jwtService *auth.JWTService, username, password, email, avatar
 		Avatar:   avatarURL,
 		Role:     "user",
 		Status:   1,
-		Points:   0, // 初始积分可以从配置读取
-		// Properties 字段使用 datatypes.JSON，默认为 nil，数据库会存储 NULL
+		Points:   0,
 	}

 	if err := repository.CreateUser(user); err != nil {
@@ -63,22 +70,34 @@ func RegisterUser(jwtService *auth.JWTService, username, password, email, avatar
 		return nil, "", errors.New("生成Token失败")
 	}

-	// TODO: 添加注册奖励积分
-
 	return user, token, nil
 }

 // LoginUser 用户登录（支持用户名或邮箱登录）
 func LoginUser(jwtService *auth.JWTService, usernameOrEmail, password, ipAddress, userAgent string) (*model.User, string, error) {
+	return LoginUserWithRateLimit(nil, jwtService, usernameOrEmail, password, ipAddress, userAgent)
+}
+
+// LoginUserWithRateLimit 用户登录（带频率限制）
+func LoginUserWithRateLimit(redisClient *redis.Client, jwtService *auth.JWTService, usernameOrEmail, password, ipAddress, userAgent string) (*model.User, string, error) {
+	ctx := context.Background()
+
+	// 检查账号是否被锁定（基于用户名/邮箱和IP）
+	if redisClient != nil {
+		identifier := usernameOrEmail + ":" + ipAddress
+		locked, ttl, err := CheckLoginLocked(ctx, redisClient, identifier)
+		if err == nil && locked {
+			return nil, "", fmt.Errorf("登录尝试次数过多，请在 %d 分钟后重试", int(ttl.Minutes())+1)
+		}
+	}
+
 	// 查找用户：判断是用户名还是邮箱
 	var user *model.User
 	var err error

 	if strings.Contains(usernameOrEmail, "@") {
-		// 包含@符号，认为是邮箱
 		user, err = repository.FindUserByEmail(usernameOrEmail)
 	} else {
-		// 否则认为是用户名
 		user, err = repository.FindUserByUsername(usernameOrEmail)
 	}

@@ -86,7 +105,16 @@ func LoginUser(jwtService *auth.JWTService, usernameOrEmail, password, ipAddress
 		return nil, "", err
 	}
 	if user == nil {
-		// 记录失败日志
+		// 记录失败尝试
+		if redisClient != nil {
+			identifier := usernameOrEmail + ":" + ipAddress
+			count, _ := RecordLoginFailure(ctx, redisClient, identifier)
+			remaining := MaxLoginAttempts - count
+			if remaining > 0 {
+				logFailedLogin(0, ipAddress, userAgent, "用户不存在")
+				return nil, "", fmt.Errorf("用户名/邮箱或密码错误，还剩 %d 次尝试机会", remaining)
+			}
+		}
 		logFailedLogin(0, ipAddress, userAgent, "用户不存在")
 		return nil, "", errors.New("用户名/邮箱或密码错误")
 	}
@@ -99,10 +127,26 @@ func LoginUser(jwtService *auth.JWTService, usernameOrEmail, password, ipAddress

 	// 验证密码
 	if !auth.CheckPassword(user.Password, password) {
+		// 记录失败尝试
+		if redisClient != nil {
+			identifier := usernameOrEmail + ":" + ipAddress
+			count, _ := RecordLoginFailure(ctx, redisClient, identifier)
+			remaining := MaxLoginAttempts - count
+			if remaining > 0 {
+				logFailedLogin(user.ID, ipAddress, userAgent, "密码错误")
+				return nil, "", fmt.Errorf("用户名/邮箱或密码错误，还剩 %d 次尝试机会", remaining)
+			}
+		}
 		logFailedLogin(user.ID, ipAddress, userAgent, "密码错误")
 		return nil, "", errors.New("用户名/邮箱或密码错误")
 	}

+	// 登录成功，清除失败计数
+	if redisClient != nil {
+		identifier := usernameOrEmail + ":" + ipAddress
+		_ = ClearLoginAttempts(ctx, redisClient, identifier)
+	}
+
 	// 生成JWT Token
 	token, err := jwtService.GenerateToken(user.ID, user.Username, user.Role)
 	if err != nil {
@@ -141,24 +185,20 @@ func UpdateUserAvatar(userID int64, avatarURL string) error {

 // ChangeUserPassword 修改密码
 func ChangeUserPassword(userID int64, oldPassword, newPassword string) error {
-	// 获取用户
 	user, err := repository.FindUserByID(userID)
 	if err != nil {
 		return errors.New("用户不存在")
 	}

-	// 验证旧密码
 	if !auth.CheckPassword(user.Password, oldPassword) {
 		return errors.New("原密码错误")
 	}

-	// 加密新密码
 	hashedPassword, err := auth.HashPassword(newPassword)
 	if err != nil {
 		return errors.New("密码加密失败")
 	}

-	// 更新密码
 	return repository.UpdateUserFields(userID, map[string]interface{}{
 		"password": hashedPassword,
 	})
@@ -166,19 +206,16 @@ func ChangeUserPassword(userID int64, oldPassword, newPassword string) error {

 // ResetUserPassword 重置密码（通过邮箱）
 func ResetUserPassword(email, newPassword string) error {
-	// 查找用户
 	user, err := repository.FindUserByEmail(email)
 	if err != nil {
 		return errors.New("用户不存在")
 	}

-	// 加密新密码
 	hashedPassword, err := auth.HashPassword(newPassword)
 	if err != nil {
 		return errors.New("密码加密失败")
 	}

-	// 更新密码
 	return repository.UpdateUserFields(user.ID, map[string]interface{}{
 		"password": hashedPassword,
 	})
@@ -186,7 +223,6 @@ func ResetUserPassword(email, newPassword string) error {

 // ChangeUserEmail 更换邮箱
 func ChangeUserEmail(userID int64, newEmail string) error {
-	// 检查新邮箱是否已被使用
 	existingUser, err := repository.FindUserByEmail(newEmail)
 	if err != nil {
 		return err
@@ -195,7 +231,6 @@ func ChangeUserEmail(userID int64, newEmail string) error {
 		return errors.New("邮箱已被其他用户使用")
 	}

-	// 更新邮箱
 	return repository.UpdateUserFields(userID, map[string]interface{}{
 		"email": newEmail,
 	})
@@ -228,18 +263,40 @@ func logFailedLogin(userID int64, ipAddress, userAgent, reason string) {

 // getDefaultAvatar 获取默认头像URL
 func getDefaultAvatar() string {
-	// 如果数据库中不存在默认头像配置，返回错误信息
-	const log = "数据库中不存在默认头像配置"
-
-	// 尝试从数据库读取配置
 	config, err := repository.GetSystemConfigByKey("default_avatar")
-	if err != nil || config == nil {
-		return log
+	if err != nil || config == nil || config.Value == "" {
+		return ""
 	}
-
 	return config.Value
 }

+// ValidateAvatarURL 验证头像URL是否合法
+func ValidateAvatarURL(avatarURL string) error {
+	if avatarURL == "" {
+		return nil
+	}
+
+	// 允许的域名列表
+	allowedDomains := []string{
+		"rustfs.example.com",
+		"localhost",
+		"127.0.0.1",
+	}
+
+	for _, domain := range allowedDomains {
+		if strings.Contains(avatarURL, domain) {
+			return nil
+		}
+	}
+
+	if strings.HasPrefix(avatarURL, "/") {
+		return nil
+	}
+
+	return errors.New("头像URL不在允许的域名列表中")
+}
+
+// GetUserByEmail 根据邮箱获取用户
 func GetUserByEmail(email string) (*model.User, error) {
 	user, err := repository.FindUserByEmail(email)
 	if err != nil {
@@ -247,3 +304,31 @@ func GetUserByEmail(email string) (*model.User, error) {
 	}
 	return user, nil
 }
+
+// GetMaxProfilesPerUser 获取每用户最大档案数量配置
+func GetMaxProfilesPerUser() int {
+	config, err := repository.GetSystemConfigByKey("max_profiles_per_user")
+	if err != nil || config == nil {
+		return 5
+	}
+	var value int
+	fmt.Sscanf(config.Value, "%d", &value)
+	if value <= 0 {
+		return 5
+	}
+	return value
+}
+
+// GetMaxTexturesPerUser 获取每用户最大材质数量配置
+func GetMaxTexturesPerUser() int {
+	config, err := repository.GetSystemConfigByKey("max_textures_per_user")
+	if err != nil || config == nil {
+		return 50
+	}
+	var value int
+	fmt.Sscanf(config.Value, "%d", &value)
+	if value <= 0 {
+		return 50
+	}
+	return value
+}