init: 初始化项目

2026-03-10 16:26:48 +08:00
commit 57e0ef2cf6
79 changed files with 8943 additions and 0 deletions
--- a/internal/auth/jwt.go
+++ b/internal/auth/jwt.go
@@ -0,0 +1,131 @@
+package auth
+
+import (
+	"errors"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+// Claims JWT 声明
+type Claims struct {
+	UserID   string `json:"userId"`
+	Username string `json:"username"`
+	Role     string `json:"role"`
+	jwt.RegisteredClaims
+}
+
+// TokenPair 访问令牌和刷新令牌
+type TokenPair struct {
+	AccessToken  string `json:"accessToken"`
+	RefreshToken string `json:"refreshToken"`
+	ExpiresIn    int64  `json:"expiresIn"` // 秒
+}
+
+// JWTService JWT 服务
+type JWTService struct {
+	secret               string
+	accessTokenDuration  time.Duration
+	refreshTokenDuration time.Duration
+}
+
+// NewJWTService 创建 JWT 服务
+func NewJWTService(secret string, accessTokenDuration, refreshTokenDuration time.Duration) *JWTService {
+	return &JWTService{
+		secret:               secret,
+		accessTokenDuration:  accessTokenDuration,
+		refreshTokenDuration: refreshTokenDuration,
+	}
+}
+
+// GenerateTokenPair 生成访问令牌和刷新令牌
+func (s *JWTService) GenerateTokenPair(userID, username, role string) (*TokenPair, error) {
+	// 生成访问令牌
+	accessToken, err := s.generateToken(userID, username, role, s.accessTokenDuration)
+	if err != nil {
+		return nil, err
+	}
+
+	// 生成刷新令牌（更长的过期时间，不包含敏感信息）
+	refreshToken, err := s.generateToken(userID, "", "", s.refreshTokenDuration)
+	if err != nil {
+		return nil, err
+	}
+
+	return &TokenPair{
+		AccessToken:  accessToken,
+		RefreshToken: refreshToken,
+		ExpiresIn:    int64(s.accessTokenDuration.Seconds()),
+	}, nil
+}
+
+// generateToken 生成 token
+func (s *JWTService) generateToken(userID, username, role string, duration time.Duration) (string, error) {
+	now := time.Now()
+	claims := Claims{
+		UserID:   userID,
+		Username: username,
+		Role:     role,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(now.Add(duration)),
+			IssuedAt:  jwt.NewNumericDate(now),
+			NotBefore: jwt.NewNumericDate(now),
+		},
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	return token.SignedString([]byte(s.secret))
+}
+
+// ParseToken 解析 token
+func (s *JWTService) ParseToken(tokenString string) (*Claims, error) {
+	token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {
+		// 验证签名算法
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, errors.New("unexpected signing method")
+		}
+		return []byte(s.secret), nil
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	if claims, ok := token.Claims.(*Claims); ok && token.Valid {
+		return claims, nil
+	}
+
+	return nil, errors.New("invalid token")
+}
+
+// ValidateToken 验证 token 是否有效
+func (s *JWTService) ValidateToken(tokenString string) (*Claims, error) {
+	claims, err := s.ParseToken(tokenString)
+	if err != nil {
+		return nil, err
+	}
+
+	// 检查是否过期
+	if time.Now().Unix() > claims.ExpiresAt.Unix() {
+		return nil, errors.New("token expired")
+	}
+
+	return claims, nil
+}
+
+// RefreshAccessToken 使用刷新令牌生成新的访问令牌
+func (s *JWTService) RefreshAccessToken(refreshToken string, user *User) (*TokenPair, error) {
+	// 验证刷新令牌
+	claims, err := s.ValidateToken(refreshToken)
+	if err != nil {
+		return nil, errors.New("invalid refresh token")
+	}
+
+	// 确保刷新令牌属于该用户
+	if claims.UserID != user.ID {
+		return nil, errors.New("token does not match user")
+	}
+
+	// 生成新的 token 对
+	return s.GenerateTokenPair(user.ID, user.Username, user.Role)
+}
--- a/internal/auth/middleware.go
+++ b/internal/auth/middleware.go
@@ -0,0 +1,104 @@
+package auth
+
+import (
+	"nebula/internal/api/response"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+)
+
+// JWTMiddleware JWT 认证中间件
+func JWTMiddleware(jwtService *JWTService) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		authHeader := c.GetHeader("Authorization")
+		if authHeader == "" {
+			response.Fail(c, 401, "missing authorization header")
+			c.Abort()
+			return
+		}
+
+		// 解析 Bearer token
+		parts := strings.SplitN(authHeader, " ", 2)
+		if len(parts) != 2 || parts[0] != "Bearer" {
+			response.Fail(c, 401, "invalid authorization header format")
+			c.Abort()
+			return
+		}
+
+		tokenString := parts[1]
+
+		// 验证 token
+		claims, err := jwtService.ValidateToken(tokenString)
+		if err != nil {
+			response.Fail(c, 401, "invalid or expired token")
+			c.Abort()
+			return
+		}
+
+		// 将用户信息保存到上下文
+		c.Set("user_id", claims.UserID)
+		c.Set("username", claims.Username)
+		c.Set("role", claims.Role)
+
+		c.Next()
+	}
+}
+
+// OptionalJWTMiddleware 可选的 JWT 中间件（token 无效不报错）
+func OptionalJWTMiddleware(jwtService *JWTService) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		authHeader := c.GetHeader("Authorization")
+		if authHeader != "" {
+			parts := strings.SplitN(authHeader, " ", 2)
+			if len(parts) == 2 && parts[0] == "Bearer" {
+				tokenString := parts[1]
+				if claims, err := jwtService.ValidateToken(tokenString); err == nil {
+					c.Set("user_id", claims.UserID)
+					c.Set("username", claims.Username)
+					c.Set("role", claims.Role)
+				}
+			}
+		}
+		c.Next()
+	}
+}
+
+// AdminMiddleware 管理员权限中间件（需要先使用 JWTMiddleware）
+func AdminMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		role, exists := c.Get("role")
+		if !exists || role != "admin" {
+			response.Fail(c, 403, "admin access required")
+			c.Abort()
+			return
+		}
+		c.Next()
+	}
+}
+
+// GetCurrentUserID 从上下文获取当前用户 ID
+func GetCurrentUserID(c *gin.Context) (string, bool) {
+	userID, exists := c.Get("user_id")
+	if !exists {
+		return "", false
+	}
+	return userID.(string), true
+}
+
+// GetCurrentUsername 从上下文获取当前用户名
+func GetCurrentUsername(c *gin.Context) (string, bool) {
+	username, exists := c.Get("username")
+	if !exists {
+		return "", false
+	}
+	return username.(string), true
+}
+
+// GetCurrentUserRole 从上下文获取当前用户角色
+func GetCurrentUserRole(c *gin.Context) (string, bool) {
+	role, exists := c.Get("role")
+	if !exists {
+		return "", false
+	}
+	return role.(string), true
+}
--- a/internal/auth/model.go
+++ b/internal/auth/model.go
@@ -0,0 +1,29 @@
+package auth
+
+import (
+	"time"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+type User struct {
+	ID        string    `gorm:"primaryKey" json:"id"`
+	Username  string    `gorm:"uniqueIndex;not null" json:"username"`
+	Email     string    `gorm:"uniqueIndex;not null" json:"email"`
+	Password  string    `gorm:"not null" json:"-"`          // 不在 JSON 中返回
+	Role      string    `gorm:"default:'user'" json:"role"` // user, admin
+	CreatedAt time.Time `json:"createdAt"`
+	UpdatedAt time.Time `json:"updatedAt"`
+}
+
+// HashPassword 加密密码
+func HashPassword(password string) (string, error) {
+	bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	return string(bytes), err
+}
+
+// CheckPassword 验证密码
+func (u *User) CheckPassword(password string) bool {
+	err := bcrypt.CompareHashAndPassword([]byte(u.Password), []byte(password))
+	return err == nil
+}
--- a/internal/auth/service.go
+++ b/internal/auth/service.go
@@ -0,0 +1,209 @@
+package auth
+
+import (
+	"errors"
+
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+)
+
+type AuthService struct {
+	db            *gorm.DB
+	jwtService    *JWTService
+	adminUsername string
+	adminPassword string
+}
+
+func NewAuthService(db *gorm.DB, jwtService *JWTService, adminUsername, adminPassword string) *AuthService {
+	return &AuthService{
+		db:            db,
+		jwtService:    jwtService,
+		adminUsername: adminUsername,
+		adminPassword: adminPassword,
+	}
+}
+
+// RegisterRequest 注册请求
+type RegisterRequest struct {
+	Username string `json:"username" binding:"required,min=3,max=20"`
+	Email    string `json:"email" binding:"required,email"`
+	Password string `json:"password" binding:"required,min=6"`
+}
+
+// LoginRequest 登录请求
+type LoginRequest struct {
+	Username string `json:"username" binding:"required"`
+	Password string `json:"password" binding:"required"`
+}
+
+// RefreshTokenRequest 刷新令牌请求
+type RefreshTokenRequest struct {
+	RefreshToken string `json:"refreshToken" binding:"required"`
+}
+
+// Register 用户注册
+func (s *AuthService) Register(req RegisterRequest) (*User, *TokenPair, error) {
+	// 检查用户名是否已存在
+	var existingUser User
+	err := s.db.Where("username = ?", req.Username).First(&existingUser).Error
+	if err == nil {
+		return nil, nil, errors.New("username already exists")
+	}
+	if !errors.Is(err, gorm.ErrRecordNotFound) {
+		return nil, nil, err
+	}
+
+	// 检查邮箱是否已存在
+	err = s.db.Where("email = ?", req.Email).First(&existingUser).Error
+	if err == nil {
+		return nil, nil, errors.New("email already exists")
+	}
+	if !errors.Is(err, gorm.ErrRecordNotFound) {
+		return nil, nil, err
+	}
+
+	// 加密密码
+	hashedPassword, err := HashPassword(req.Password)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	// 创建用户
+	user := User{
+		ID:       uuid.New().String(),
+		Username: req.Username,
+		Email:    req.Email,
+		Password: hashedPassword,
+		Role:     "user", // 默认角色
+	}
+
+	if err := s.db.Create(&user).Error; err != nil {
+		return nil, nil, err
+	}
+
+	// 生成 token
+	tokens, err := s.jwtService.GenerateTokenPair(user.ID, user.Username, user.Role)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return &user, tokens, nil
+}
+
+// Login 用户登录
+func (s *AuthService) Login(req LoginRequest) (*User, *TokenPair, error) {
+	// 1. 先检查是否为配置的管理员账号
+	if req.Username == s.adminUsername && req.Password == s.adminPassword {
+		// 管理员登录成功，创建虚拟用户对象
+		adminUser := &User{
+			ID:       "admin",
+			Username: s.adminUsername,
+			Email:    s.adminUsername + "@admin.local",
+			Role:     "admin",
+		}
+
+		// 生成 token
+		tokens, err := s.jwtService.GenerateTokenPair(adminUser.ID, adminUser.Username, adminUser.Role)
+		if err != nil {
+			return nil, nil, err
+		}
+
+		return adminUser, tokens, nil
+	}
+
+	// 2. 如果不是管理员，查找数据库中的用户
+	var user User
+	err := s.db.Where("username = ? OR email = ?", req.Username, req.Username).First(&user).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, nil, errors.New("invalid username or password")
+		}
+		return nil, nil, err
+	}
+
+	// 验证密码
+	if !user.CheckPassword(req.Password) {
+		return nil, nil, errors.New("invalid username or password")
+	}
+
+	// 生成 token
+	tokens, err := s.jwtService.GenerateTokenPair(user.ID, user.Username, user.Role)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return &user, tokens, nil
+}
+
+// RefreshToken 刷新访问令牌
+func (s *AuthService) RefreshToken(req RefreshTokenRequest) (*TokenPair, error) {
+	// 解析刷新令牌获取用户 ID
+	claims, err := s.jwtService.ParseToken(req.RefreshToken)
+	if err != nil {
+		return nil, errors.New("invalid refresh token")
+	}
+
+	// 获取用户信息
+	var user User
+	err = s.db.First(&user, "id = ?", claims.UserID).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, errors.New("user not found")
+		}
+		return nil, err
+	}
+
+	// 使用刷新令牌生成新的 token 对
+	tokens, err := s.jwtService.RefreshAccessToken(req.RefreshToken, &user)
+	if err != nil {
+		return nil, err
+	}
+
+	return tokens, nil
+}
+
+// GetUserByID 根据 ID 获取用户
+func (s *AuthService) GetUserByID(userID string) (*User, error) {
+	// 特殊处理管理员
+	if userID == "admin" {
+		return &User{
+			ID:       "admin",
+			Username: s.adminUsername,
+			Email:    s.adminUsername + "@admin.local",
+			Role:     "admin",
+		}, nil
+	}
+
+	var user User
+	err := s.db.First(&user, "id = ?", userID).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, errors.New("user not found")
+		}
+		return nil, err
+	}
+	return &user, nil
+}
+
+// ChangePassword 修改密码
+func (s *AuthService) ChangePassword(userID, oldPassword, newPassword string) error {
+	var user User
+	err := s.db.First(&user, "id = ?", userID).Error
+	if err != nil {
+		return errors.New("user not found")
+	}
+
+	// 验证旧密码
+	if !user.CheckPassword(oldPassword) {
+		return errors.New("invalid old password")
+	}
+
+	// 加密新密码
+	hashedPassword, err := HashPassword(newPassword)
+	if err != nil {
+		return err
+	}
+
+	// 更新密码
+	return s.db.Model(&user).Update("password", hashedPassword).Error
+}