refactor(server): decouple services and improve architecture
All checks were successful
Build Backend / build (push) Successful in 4m55s
Build Backend / build-docker (push) Successful in 10m34s

- Introduce interfaces for all major services (JWT, PostAI, Comment, Message, Notification, QRCodeLogin, Upload, Vote, etc.) to support dependency inversion.
- Move query parameters from `internal/dto` to a new `internal/query` package to separate request payloads from data transfer objects.
- Refactor `internal/router` to use embedded `RouterDeps` for cleaner dependency management.
- Decouple handlers from repositories by injecting services instead of direct repository access, ensuring proper layering.
- Improve database initialization by moving it from `internal/model` to `internal/database`.
- Optimize message decryption by implementing a more efficient `BatchDecrypt` method in `MessageEncryptor` using a worker pool.
- Enhance error handling and security by implementing fail-fast checks for encryption key length during startup.
- Clean up unused code, including the `avatar` package and several unused DTOs.
This commit is contained in:
2026-06-15 03:41:59 +08:00
parent 9951043034
commit d9aa4b46c3
78 changed files with 2156 additions and 1640 deletions

View File

@@ -139,31 +139,70 @@ func (e *MessageEncryptor) GetKeyVersion() int {
return e.keyVersion
}
// RotateKey 密钥轮换(用于密钥升级)
// 新密钥必须也是32字节
func (e *MessageEncryptor) RotateKey(newKey string, newVersion int) error {
keyBytes := []byte(newKey)
if len(keyBytes) != 32 {
return ErrInvalidKey
// BatchDecrypt 批量解密多条密文,返回与输入等长的明文字节切片数组。
// 并发度由 workers 指定(<=0 时按密文数量自适应)。
// 解密失败或空密文的位置返回 nil调用方可据此判断。
// 这是 Decrypt 的无锁读优化版AEAD 的 Open 不修改内部状态,
// 但仍走 RLock 以兼容未来可能的密钥轮换语义。
func (e *MessageEncryptor) BatchDecrypt(ciphertexts []string, workers int) [][]byte {
results := make([][]byte, len(ciphertexts))
if e == nil || len(ciphertexts) == 0 {
return results
}
block, err := aes.NewCipher(keyBytes)
if err != nil {
return err
// 自适应并发度:与历史实现保持一致
if workers <= 0 {
switch {
case len(ciphertexts) < 20:
workers = 2
case len(ciphertexts) > 100:
workers = 8
default:
workers = 4
}
}
if workers > len(ciphertexts) {
workers = len(ciphertexts)
}
gcm, err := cipher.NewGCM(block)
if err != nil {
return err
// 预取一次 AEAD避免 worker 内重复进入 RLock
e.mu.RLock()
gcm := e.gcm
nonceSize := e.gcm.NonceSize()
e.mu.RUnlock()
jobs := make(chan int, len(ciphertexts))
var wg sync.WaitGroup
for w := 0; w < workers; w++ {
wg.Add(1)
go func() {
defer wg.Done()
for i := range jobs {
ct := ciphertexts[i]
if ct == "" {
continue
}
raw, err := base64.StdEncoding.DecodeString(ct)
if err != nil || len(raw) < nonceSize {
continue
}
nonce := raw[:nonceSize]
actual := raw[nonceSize:]
plaintext, err := gcm.Open(nil, nonce, actual, nil)
if err != nil {
continue
}
results[i] = plaintext
}
}()
}
e.mu.Lock()
defer e.mu.Unlock()
for i := range ciphertexts {
jobs <- i
}
close(jobs)
wg.Wait()
e.key = keyBytes
e.gcm = gcm
e.keyVersion = newVersion
return nil
return results
}