diff --git a/frontend/src/service/apiService.js b/frontend/src/service/apiService.js new file mode 100644 index 0000000..e52897a --- /dev/null +++ b/frontend/src/service/apiService.js @@ -0,0 +1,259 @@ +import axios from 'axios' +import { ElMessage } from 'element-plus' + +let routerInstance = null +export const setRouter = (router) => { routerInstance = router } + +const api = axios.create({ + baseURL: import.meta.env.VITE_API_BASE_URL || '/api/v1', + timeout: 15000, + headers: { 'Content-Type': 'application/json' } +}) + +// 请求拦截器:自动附加 token(管理员接口优先使用 admin_token) +api.interceptors.request.use(config => { + const isAdminApi = config.url && config.url.startsWith('/admin') + const token = isAdminApi + ? localStorage.getItem('admin_token') + : localStorage.getItem('token') + if (token) { + config.headers.Authorization = `Bearer ${token}` + } + return config +}) + +// 响应拦截器:统一处理后端 Result 结构 +api.interceptors.response.use( + response => { + const res = response.data + // 后端 Result: { code, message, data } + if (res.code === 200 || res.code === 0) { + return res + } + // 业务错误 + ElMessage.error(res.message || '请求失败') + return Promise.reject(new Error(res.message || '请求失败')) + }, + error => { + if (error.response) { + const { status, data } = error.response + if (status === 401) { + const requestUrl = error.config?.url || '' + const isAdminApi = requestUrl.startsWith('/admin') + if (isAdminApi) { + localStorage.removeItem('admin_token') + localStorage.removeItem('admin_user') + if (routerInstance) { + routerInstance.push('/admin/login') + } else { + window.location.href = '/admin/login' + } + } else { + localStorage.removeItem('token') + localStorage.removeItem('current_user') + if (routerInstance) { + routerInstance.push({ path: '/login', query: { redirect: window.location.pathname } }) + } else { + window.location.href = '/login' + } + } + return Promise.reject(error) + } + ElMessage.error(data?.message || `请求错误 (${status})`) + } else { + ElMessage.error('网络异常,请检查网络连接') + } + return Promise.reject(error) + } +) + +// ===================== 用户模块 ===================== +export const userApi = { + sendSmsCode: (phone) => api.post('/users/sms/code', { phone }), + register: (data) => api.post('/users/register', data), + login: (phone, password) => api.post('/users/login', { phone, password }), + logout: () => api.post('/users/logout'), + getProfile: () => api.get('/users/profile'), + updateProfile: (data) => api.put('/users/profile', data), + changePhone: (data) => api.put('/users/phone', data), + changePassword: (oldPassword, newPassword) => api.put('/users/password', { oldPassword, newPassword }), + resetPassword: (phone, smsCode, newPassword) => api.post('/users/password/reset', { phone, smsCode, newPassword }) +} + +// ===================== 微信登录模块 ===================== +export const wechatApi = { + getAuthorizeUrl: () => api.get('/wechat/authorize-url'), + login: (code, state) => api.post('/wechat/login', { code, state }), + bindPhone: (data) => api.post('/wechat/bind-phone', data), + bind: (code, state) => api.post('/wechat/bind', { code, state }), + unbind: () => api.post('/wechat/unbind') +} + +// ===================== 技能模块 ===================== +export const skillApi = { + list: (params) => api.get('/skills', { params }), + getDetail: (id) => api.get(`/skills/${id}`), + create: (data) => api.post('/skills', data), + update: (id, data) => api.put(`/skills/${id}`, data), + delete: (id) => api.delete(`/skills/${id}`), + getReviews: (skillId, params) => api.get(`/skills/${skillId}/reviews`, { params }), + submitReview: (skillId, data) => api.post(`/skills/${skillId}/reviews`, data), + likeReview: (reviewId) => api.post(`/skills/reviews/${reviewId}/like`), + deleteReview: (reviewId) => api.delete(`/skills/reviews/${reviewId}`), + getRanking: (params) => api.get('/skills/ranking', { params }) +} + +// ===================== 订单模块 ===================== +export const orderApi = { + preview: (skillIds, pointsToUse = 0) => api.get('/orders/preview', { params: { skillIds: skillIds.join(','), pointsToUse } }), + create: (data) => api.post('/orders', data), + getDetail: (id) => api.get(`/orders/${id}`), + list: (params) => api.get('/orders', { params }), + pay: (id, paymentNo) => api.post(`/orders/${id}/pay`, null, { params: { paymentNo } }), + cancel: (id, reason) => api.post(`/orders/${id}/cancel`, null, { params: { reason } }), + applyRefund: (id, data) => api.post(`/orders/${id}/refund`, data) +} + +// ===================== 积分模块 ===================== +export const pointsApi = { + getBalance: () => api.get('/points/balance'), + getRecords: (params) => api.get('/points/records', { params }), + signIn: () => api.post('/points/sign-in'), + joinGroup: () => api.post('/points/join-group') +} + +// ===================== 邀请模块 ===================== +export const inviteApi = { + getMyCode: () => api.get('/invites/my-code'), + bind: (inviteCode) => api.post('/invites/bind', { inviteCode }), + getRecords: (params) => api.get('/invites/records', { params }), + getStats: () => api.get('/invites/stats') +} + +// ===================== 分类模块 ===================== +export const categoryApi = { + list: () => api.get('/categories'), + getDetail: (id) => api.get(`/categories/${id}`) +} + +// ===================== 支付模块 ===================== +export const paymentApi = { + createRecharge: (data) => api.post('/payments/recharge', data), + getRechargeStatus: (id) => api.get(`/payments/recharge/${id}`), + getRecords: (params) => api.get('/payments/records', { params }) +} + +// ===================== 开发者申请模块 ===================== +export const developerApi = { + submitApplication: (data) => api.post('/developer/application', data), + getMyApplication: () => api.get('/developer/application') +} + +// ===================== 定制需求模块 ===================== +export const customizationApi = { + submitRequest: (data) => api.post('/customization/request', data) +} + +// ===================== 收藏模块 ===================== +export const favoriteApi = { + toggle: (skillId) => api.post(`/skills/${skillId}/favorite`), + check: (skillId) => api.get(`/skills/${skillId}/favorite`), + getMyFavorites: () => api.get('/skills/favorites') +} + +// ===================== 文件上传模块 ===================== +export const uploadApi = { + uploadAvatar: (file) => { + const formData = new FormData() + formData.append('file', file) + return api.post('/upload/avatar', formData, { headers: { 'Content-Type': 'multipart/form-data' } }) + }, + uploadFile: (type, file) => { + const formData = new FormData() + formData.append('file', file) + return api.post(`/upload/${type}`, formData, { headers: { 'Content-Type': 'multipart/form-data' } }) + } +} + +// ===================== 通知模块 ===================== +export const notificationApi = { + list: (params) => api.get('/notifications', { params }), + getUnreadCount: () => api.get('/notifications/unread-count'), + markRead: (id) => api.post(`/notifications/${id}/read`), + markAllRead: () => api.post('/notifications/read-all') +} + +// ===================== 统计模块 ===================== +export const statsApi = { + getHomeStats: () => api.get('/stats/home') +} + +export const adminApi = { + login: (username, password) => api.post('/admin/login', { username, password }), + verifyToken: () => api.get('/admin/verify-token'), + getDashboard: () => api.get('/admin/dashboard/stats'), + getUsers: (params) => api.get('/admin/users', { params }), + getUserDetail: (userId) => api.get(`/admin/users/${userId}`), + banUser: (userId, reason) => api.post(`/admin/users/${userId}/ban`, null, { params: { reason } }), + unbanUser: (userId) => api.post(`/admin/users/${userId}/unban`), + changeUserRole: (userId, role) => api.post(`/admin/users/${userId}/role`, null, { params: { role } }), + getSkills: (params) => api.get('/admin/skills', { params }), + getSkillDetail: (skillId) => api.get(`/admin/skills/${skillId}`), + auditSkill: (skillId, action, rejectReason) => api.post(`/admin/skills/${skillId}/audit`, null, { params: { action, rejectReason } }), + offlineSkill: (skillId) => api.post(`/admin/skills/${skillId}/offline`), + createSkill: (data) => api.post('/admin/skills/create', data), + getOrders: (params) => api.get('/admin/orders', { params }), + getOrderDetail: (orderId) => api.get(`/admin/orders/${orderId}`), + getRefunds: (params) => api.get('/admin/refunds', { params }), + getComments: (params) => api.get('/admin/comments', { params }), + deleteComment: (commentId) => api.delete(`/admin/comments/${commentId}`), + getPointsRecords: (params) => api.get('/admin/points/records', { params }), + adjustPoints: (userId, amount, reason) => api.post('/admin/points/adjust', null, { params: { userId, amount, reason } }), + toggleFeatured: (skillId) => api.post(`/admin/skills/${skillId}/featured`), + approveRefund: (refundId) => api.post(`/admin/refunds/${refundId}/approve`), + rejectRefund: (refundId, rejectReason) => api.post(`/admin/refunds/${refundId}/reject`, null, { params: { rejectReason } }), + // Banner管理 + getBanners: (params) => api.get('/admin/banners', { params }), + getBanner: (id) => api.get(`/admin/banners/${id}`), + createBanner: (data) => api.post('/admin/banners', data), + updateBanner: (id, data) => api.put(`/admin/banners/${id}`, data), + deleteBanner: (id) => api.delete(`/admin/banners/${id}`), + // 公告管理 + getAnnouncements: (params) => api.get('/admin/announcements', { params }), + getAnnouncement: (id) => api.get(`/admin/announcements/${id}`), + createAnnouncement: (data) => api.post('/admin/announcements', data), + updateAnnouncement: (id, data) => api.put(`/admin/announcements/${id}`, data), + deleteAnnouncement: (id) => api.delete(`/admin/announcements/${id}`), + // 发票管理 + getInvoices: (params) => api.get('/admin/invoices', { params }), + getInvoice: (id) => api.get(`/admin/invoices/${id}`), + reviewInvoice: (id, data) => api.post(`/admin/invoices/${id}/review`, data), + // 操作日志 + getLogs: (params) => api.get('/admin/logs', { params }), + // RBAC 角色权限 + getRoles: () => api.get('/admin/rbac/roles'), + getRoleDetail: (id) => api.get(`/admin/rbac/roles/${id}`), + createRole: (data) => api.post('/admin/rbac/roles', data), + updateRole: (id, data) => api.put(`/admin/rbac/roles/${id}`, data), + deleteRole: (id) => api.delete(`/admin/rbac/roles/${id}`), + getPermissions: () => api.get('/admin/rbac/permissions'), + setRolePermissions: (id, permissionIds) => api.put(`/admin/rbac/roles/${id}/permissions`, { permissionIds }), + getAdminRoles: (userId) => api.get(`/admin/rbac/admins/${userId}/roles`), + setAdminRoles: (userId, roleIds) => api.put(`/admin/rbac/admins/${userId}/roles`, { roleIds }), + getMyPermissions: () => api.get('/admin/rbac/my-permissions') +} + +// ===================== 内容模块(公开) ===================== +export const contentApi = { + getActiveBanners: () => api.get('/banners/active'), + getActiveAnnouncements: () => api.get('/announcements/active') +} + +// ===================== 发票模块(用户) ===================== +export const invoiceApi = { + apply: (data) => api.post('/invoices/apply', data), + list: (params) => api.get('/invoices', { params }), + getById: (id) => api.get(`/invoices/${id}`) +} + +export default api diff --git a/frontend/src/stores/order.js b/frontend/src/stores/order.js index acfbde7..2ba7c42 100644 --- a/frontend/src/stores/order.js +++ b/frontend/src/stores/order.js @@ -1,76 +1,207 @@ import { defineStore } from 'pinia' -import { orderService } from '@/service/localService' +import { orderApi } from '@/service/apiService' +import { getErrorMessage, normalizeOrder, normalizePageRecords } from '@/service/dataAdapter' export const useOrderStore = defineStore('order', { state: () => ({ orders: [], currentOrder: null, + preview: null, loading: false }), getters: { - pendingOrders: (state) => state.orders.filter(o => o.status === 'pending'), - completedOrders: (state) => state.orders.filter(o => o.status === 'completed'), - refundedOrders: (state) => state.orders.filter(o => o.status === 'refunded') + pendingOrders: (state) => state.orders.filter((order) => order.status === 'pending'), + completedOrders: (state) => state.orders.filter((order) => order.status === 'completed'), + refundedOrders: (state) => state.orders.filter((order) => ['refunding', 'refunded'].includes(order.status)) }, actions: { - loadUserOrders(userId) { - this.orders = orderService.getUserOrders(userId) + upsertOrder(order) { + const index = this.orders.findIndex((item) => String(item.id) === String(order.id)) + if (index === -1) { + this.orders.unshift(order) + } else { + this.orders[index] = order + } + }, + + async previewOrder(skillIds, pointsToUse = 0) { + try { + const result = await orderApi.preview(skillIds, pointsToUse) + this.preview = result.data + return { success: true, data: result.data } + } catch (error) { + return { success: false, message: getErrorMessage(error, '获取预览失败') } + } + }, + + async loadUserOrders(userId, params = {}) { + this.loading = true + + try { + const result = await orderApi.list({ + pageNum: params.pageNum || 1, + pageSize: params.pageSize || 20 + }) + this.orders = normalizePageRecords(result.data, normalizeOrder) + return this.orders + } catch (error) { + this.orders = [] + return [] + } finally { + this.loading = false + } }, loadAllOrders() { - this.orders = orderService.getAllOrders() + this.orders = [] + return this.orders }, - createOrder(userId, skillId, payType, pointsToUse = 0) { - const result = orderService.createOrder(userId, skillId, payType, pointsToUse) - if (result.success) { - this.currentOrder = result.data - this.orders.unshift(result.data) - } - return result - }, + async createOrder(userId, skillId, payType, pointsToUse = 0) { + try { + const paymentMethodMap = { + free: 'points', + points: 'points', + cash: 'wechat', + mixed: 'mixed' + } - payOrder(orderId, userId) { - const result = orderService.payOrder(orderId, userId) - if (result.success) { - const index = this.orders.findIndex(o => o.id === orderId) - if (index !== -1) { - this.orders[index] = result.data + const result = await orderApi.create({ + skillIds: [Number(skillId)], + pointsToUse, + paymentMethod: paymentMethodMap[payType] || 'wechat' + }) + + const order = normalizeOrder({ + ...result.data, + payType + }) + + this.currentOrder = order + this.upsertOrder(order) + + return { + success: true, + data: order, + message: result.message || '订单创建成功' + } + } catch (error) { + return { + success: false, + message: getErrorMessage(error, '创建订单失败') } } - return result }, - cancelOrder(orderId, userId) { - const result = orderService.cancelOrder(orderId, userId) - if (result.success) { - const index = this.orders.findIndex(o => o.id === orderId) - if (index !== -1) { - this.orders[index].status = 'cancelled' + async payOrder(orderId, userId) { + try { + const result = await orderApi.pay(orderId) + const latestOrder = await this.getOrderById(orderId) + + return { + success: true, + data: latestOrder, + message: result.message || '支付成功' + } + } catch (error) { + return { + success: false, + message: getErrorMessage(error, '支付失败') } } - return result }, - refundOrder(orderId, reason) { - const result = orderService.refundOrder(orderId, reason) - if (result.success) { - const index = this.orders.findIndex(o => o.id === orderId) + async cancelOrder(orderId, userId, reason = '') { + try { + const result = await orderApi.cancel(orderId, reason) + const index = this.orders.findIndex((order) => String(order.id) === String(orderId)) + if (index !== -1) { - this.orders[index].status = 'refunded' + this.orders[index] = { + ...this.orders[index], + status: 'cancelled' + } + } + + if (this.currentOrder && String(this.currentOrder.id) === String(orderId)) { + this.currentOrder = { + ...this.currentOrder, + status: 'cancelled' + } + } + + return { + success: true, + message: result.message || '订单已取消' + } + } catch (error) { + return { + success: false, + message: getErrorMessage(error, '取消订单失败') } } - return result }, - getOrderById(orderId) { - return orderService.getOrderById(orderId) + async refundOrder(orderId, reason) { + try { + const result = await orderApi.applyRefund(orderId, { + reason, + images: [] + }) + + const index = this.orders.findIndex((order) => String(order.id) === String(orderId)) + if (index !== -1) { + this.orders[index] = { + ...this.orders[index], + status: 'refunding' + } + } + + if (this.currentOrder && String(this.currentOrder.id) === String(orderId)) { + this.currentOrder = { + ...this.currentOrder, + status: 'refunding' + } + } + + return { + success: true, + message: result.message || '退款申请已提交' + } + } catch (error) { + return { + success: false, + message: getErrorMessage(error, '退款申请失败') + } + } + }, + + async getOrderById(orderId) { + try { + const result = await orderApi.getDetail(orderId) + const order = normalizeOrder(result.data) + this.currentOrder = order + this.upsertOrder(order) + return order + } catch { + return null + } }, getUserPurchasedSkills(userId) { - return orderService.getUserPurchasedSkills(userId) + return this.orders + .filter((order) => order.status === 'completed' || order.status === 'paid') + .map((order) => ({ + id: order.skillId, + name: order.skillName, + cover: order.skillCover, + description: order.description || '', + purchasedAt: order.completedAt || order.paidAt, + orderId: order.id + })) + .filter((skill) => skill.id !== null && skill.id !== undefined) } } }) diff --git a/frontend/src/views/user/login.vue b/frontend/src/views/user/login.vue index eca55d7..ffd22b6 100644 --- a/frontend/src/views/user/login.vue +++ b/frontend/src/views/user/login.vue @@ -1,71 +1,73 @@ @@ -125,69 +142,72 @@ const fillDemo = (phone) => { justify-content: center; background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); padding: 40px 20px; +} - .login-container { - width: 100%; - max-width: 400px; +.login-container { + width: 100%; + max-width: 420px; +} + +.login-card { + border-radius: 18px; + box-shadow: 0 20px 60px rgba(0, 0, 0, 0.2); + + :deep(.ant-card-body) { + padding: 36px; } - .login-card { - background: #fff; - border-radius: 12px; - padding: 40px; - box-shadow: 0 20px 60px rgba(0, 0, 0, 0.2); + :deep(.ant-input-affix-wrapper), + :deep(.ant-input) { + border-radius: 10px; + } - .login-header { - text-align: center; - margin-bottom: 30px; + .login-header { + text-align: center; + margin-bottom: 30px; - h2 { - font-size: 28px; - color: #303133; - margin-bottom: 8px; - } - - p { - color: #909399; - } + h2 { + font-size: 28px; + color: #303133; + margin-bottom: 8px; } - .form-actions { - display: flex; - justify-content: space-between; - width: 100%; - } - - .login-footer { - text-align: center; - margin-top: 20px; + p { color: #909399; } + } - .demo-accounts { - margin-top: 24px; + .form-actions { + display: flex; + justify-content: space-between; + width: 100%; + } - .account-list { - .account-item { - display: flex; - justify-content: space-between; - padding: 12px; - background: #f5f7fa; - border-radius: 6px; - cursor: pointer; - transition: background 0.3s; + .login-tip { + margin-top: 8px; + border-radius: 12px; + } - &:hover { - background: #e6e8eb; - } + .social-login { + margin-bottom: 16px; - span { - font-size: 13px; - color: #606266; - } - } + .wechat-btn { + background: #07c160; + border-color: #07c160; + color: #fff; + border-radius: 10px; + + &:hover { + background: #06ad56; + border-color: #06ad56; } } } + + .login-footer { + text-align: center; + margin-top: 20px; + color: #909399; + } } diff --git a/openclaw-backend/openclaw-backend/pom.xml b/openclaw-backend/openclaw-backend/pom.xml index 39fdd6b..8c40657 100644 --- a/openclaw-backend/openclaw-backend/pom.xml +++ b/openclaw-backend/openclaw-backend/pom.xml @@ -83,6 +83,12 @@ runtime + + + org.springframework.boot + spring-boot-starter-aop + + org.springframework.boot @@ -108,6 +114,40 @@ jackson-datatype-jsr310 + + + org.springdoc + springdoc-openapi-starter-webmvc-ui + 2.3.0 + + + + + org.springframework.boot + spring-boot-starter-actuator + + + + + com.tencentcloudapi + tencentcloud-sdk-java-sms + 3.1.880 + + + + + com.github.wechatpay-apiv3 + wechatpay-java + 0.2.12 + + + + + com.alipay.sdk + alipay-sdk-java + 4.38.0.ALL + + org.springframework.boot diff --git a/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/config/SecurityConfig.java b/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/config/SecurityConfig.java index 0087c64..89b4e16 100644 --- a/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/config/SecurityConfig.java +++ b/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/config/SecurityConfig.java @@ -25,7 +25,10 @@ public class SecurityConfig { http .csrf(csrf -> csrf.disable()) .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) - .authorizeHttpRequests(auth -> auth.anyRequest().permitAll()); + .authorizeHttpRequests(auth -> auth + .requestMatchers("/actuator/health").permitAll() + .requestMatchers("/actuator/**").denyAll() + .anyRequest().permitAll()); return http.build(); } } diff --git a/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/config/WebMvcConfig.java b/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/config/WebMvcConfig.java index bc8d2d6..0f7f78c 100644 --- a/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/config/WebMvcConfig.java +++ b/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/config/WebMvcConfig.java @@ -1,6 +1,7 @@ package com.openclaw.config; import com.openclaw.interceptor.AuthInterceptor; +import com.openclaw.interceptor.PermissionCheckInterceptor; import com.openclaw.interceptor.RoleCheckInterceptor; import lombok.RequiredArgsConstructor; import org.springframework.context.annotation.Configuration; @@ -12,6 +13,17 @@ public class WebMvcConfig implements WebMvcConfigurer { private final AuthInterceptor authInterceptor; private final RoleCheckInterceptor roleCheckInterceptor; + private final PermissionCheckInterceptor permissionCheckInterceptor; + + @Override + public void addCorsMappings(CorsRegistry registry) { + registry.addMapping("/api/**") + .allowedOriginPatterns("http://localhost:*", "https://*.openclaw.com") + .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS") + .allowedHeaders("*") + .allowCredentials(true) + .maxAge(3600); + } @Override public void addInterceptors(InterceptorRegistry registry) { @@ -20,15 +32,30 @@ public class WebMvcConfig implements WebMvcConfigurer { .excludePathPatterns( "/api/v1/users/register", "/api/v1/users/login", - "/api/v1/users/sms-code", + "/api/v1/users/sms/code", "/api/v1/users/password/reset", "/api/v1/payments/callback/**", + "/api/v1/wechat/authorize-url", // 微信授权URL(公开) + "/api/v1/wechat/login", // 微信扫码登录(公开) + "/api/v1/wechat/bind-phone", // 微信绑定手机号(公开,用bindTicket) "/api/v1/skills", // 公开浏览 - "/api/v1/skills/{id}" // 公开详情 + "/api/v1/skills/*", // 公开详情(通配符匹配) + "/api/v1/skills/*/reviews", // 评论列表(公开) + "/api/v1/categories", // 分类列表 + "/api/v1/categories/*", // 分类详情 + "/api/v1/customization/request", // 定制需求(游客可提交) + "/api/v1/stats/**", // 首页统计数据(公开) + "/api/v1/admin/login", // 管理员登录 + "/api/v1/banners/active", // 公开Banner + "/api/v1/announcements/active" // 公开公告 ); // 角色权限拦截器,在认证之后执行 registry.addInterceptor(roleCheckInterceptor) .addPathPatterns("/api/**"); + + // 细粒度权限拦截器,在角色拦截器之后执行 + registry.addInterceptor(permissionCheckInterceptor) + .addPathPatterns("/api/**"); } } diff --git a/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/admin/controller/AdminController.java b/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/admin/controller/AdminController.java new file mode 100644 index 0000000..751c727 --- /dev/null +++ b/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/admin/controller/AdminController.java @@ -0,0 +1,231 @@ +package com.openclaw.module.admin.controller; + +import com.baomidou.mybatisplus.core.metadata.IPage; +import com.openclaw.annotation.RequiresRole; +import com.openclaw.module.log.annotation.OpLog; +import com.openclaw.common.Result; +import com.openclaw.module.admin.dto.AdminLoginDTO; +import com.openclaw.module.admin.dto.AdminSkillCreateDTO; +import com.openclaw.module.admin.service.AdminService; +import com.openclaw.module.admin.vo.*; +import jakarta.validation.Valid; +import lombok.RequiredArgsConstructor; +import org.springframework.web.bind.annotation.*; + +@RestController +@RequestMapping("/api/v1/admin") +@RequiredArgsConstructor +public class AdminController { + + private final AdminService adminService; + + // ==================== 登录(无需权限) ==================== + + @PostMapping("/login") + public Result login(@Valid @RequestBody AdminLoginDTO dto) { + return Result.ok(adminService.login(dto)); + } + + // ==================== Token 验证 ==================== + + @GetMapping("/verify-token") + @RequiresRole({"admin", "super_admin"}) + public Result verifyToken() { + return Result.ok(); + } + + // ==================== Dashboard ==================== + + @GetMapping("/dashboard/stats") + @RequiresRole("super_admin") + public Result getDashboardStats() { + return Result.ok(adminService.getDashboardStats()); + } + + // ==================== 用户管理 ==================== + + @GetMapping("/users") + @RequiresRole("super_admin") + public Result> listUsers( + @RequestParam(required = false) String keyword, + @RequestParam(required = false) String status, + @RequestParam(required = false) String role, + @RequestParam(defaultValue = "1") int pageNum, + @RequestParam(defaultValue = "10") int pageSize) { + return Result.ok(adminService.listUsers(keyword, status, role, pageNum, pageSize)); + } + + @GetMapping("/users/{userId}") + @RequiresRole("super_admin") + public Result getUserDetail(@PathVariable Long userId) { + return Result.ok(adminService.getUserDetail(userId)); + } + + @PostMapping("/users/{userId}/ban") + @RequiresRole("super_admin") + @OpLog(module = "user", action = "ban", description = "封禁用户", targetType = "user") + public Result banUser(@PathVariable Long userId, @RequestParam String reason) { + adminService.banUser(userId, reason); + return Result.ok(); + } + + @PostMapping("/users/{userId}/unban") + @RequiresRole("super_admin") + @OpLog(module = "user", action = "unban", description = "解禁用户", targetType = "user") + public Result unbanUser(@PathVariable Long userId) { + adminService.unbanUser(userId); + return Result.ok(); + } + + @PostMapping("/users/{userId}/role") + @RequiresRole("super_admin") + @OpLog(module = "user", action = "update", description = "修改用户角色", targetType = "user") + public Result changeUserRole(@PathVariable Long userId, @RequestParam String role) { + adminService.changeUserRole(userId, role); + return Result.ok(); + } + + // ==================== Skill管理 ==================== + + @GetMapping("/skills") + @RequiresRole("super_admin") + public Result> listSkills( + @RequestParam(required = false) String keyword, + @RequestParam(required = false) String status, + @RequestParam(required = false) Integer categoryId, + @RequestParam(defaultValue = "1") int pageNum, + @RequestParam(defaultValue = "10") int pageSize) { + return Result.ok(adminService.listSkills(keyword, status, categoryId, pageNum, pageSize)); + } + + @GetMapping("/skills/{skillId}") + @RequiresRole("super_admin") + public Result getSkillDetail(@PathVariable Long skillId) { + return Result.ok(adminService.getSkillDetail(skillId)); + } + + @PostMapping("/skills/{skillId}/audit") + @RequiresRole("super_admin") + @OpLog(module = "skill", action = "audit", description = "审核Skill", targetType = "skill") + public Result auditSkill( + @PathVariable Long skillId, + @RequestParam String action, + @RequestParam(required = false) String rejectReason) { + adminService.auditSkill(skillId, action, rejectReason); + return Result.ok(); + } + + @PostMapping("/skills/{skillId}/offline") + @RequiresRole("super_admin") + @OpLog(module = "skill", action = "offline", description = "下架Skill", targetType = "skill") + public Result offlineSkill(@PathVariable Long skillId) { + adminService.offlineSkill(skillId); + return Result.ok(); + } + + @PostMapping("/skills/{skillId}/featured") + @RequiresRole("super_admin") + @OpLog(module = "skill", action = "update", description = "切换精选状态", targetType = "skill") + public Result toggleFeatured(@PathVariable Long skillId) { + adminService.toggleFeatured(skillId); + return Result.ok(); + } + + @PostMapping("/skills/create") + @RequiresRole("super_admin") + @OpLog(module = "skill", action = "create", description = "后台创建Skill", targetType = "skill") + public Result createSkill( + @RequestAttribute("userId") Long adminUserId, + @Valid @RequestBody AdminSkillCreateDTO dto) { + return Result.ok(adminService.createSkill(adminUserId, dto)); + } + + // ==================== 订单管理 ==================== + + @GetMapping("/orders") + @RequiresRole("super_admin") + public Result> listOrders( + @RequestParam(required = false) String keyword, + @RequestParam(required = false) String status, + @RequestParam(defaultValue = "1") int pageNum, + @RequestParam(defaultValue = "10") int pageSize) { + return Result.ok(adminService.listOrders(keyword, status, pageNum, pageSize)); + } + + @GetMapping("/orders/{orderId}") + @RequiresRole("super_admin") + public Result getOrderDetail(@PathVariable Long orderId) { + return Result.ok(adminService.getOrderDetail(orderId)); + } + + // ==================== 退款管理 ==================== + + @GetMapping("/refunds") + @RequiresRole("super_admin") + public Result> listRefunds( + @RequestParam(required = false) String keyword, + @RequestParam(required = false) String status, + @RequestParam(defaultValue = "1") int pageNum, + @RequestParam(defaultValue = "10") int pageSize) { + return Result.ok(adminService.listRefunds(keyword, status, pageNum, pageSize)); + } + + @PostMapping("/refunds/{refundId}/approve") + @RequiresRole("super_admin") + @OpLog(module = "order", action = "approve", description = "审批退款", targetType = "refund") + public Result approveRefund(@PathVariable Long refundId) { + adminService.approveRefund(refundId); + return Result.ok(); + } + + @PostMapping("/refunds/{refundId}/reject") + @RequiresRole("super_admin") + @OpLog(module = "order", action = "reject", description = "拒绝退款", targetType = "refund") + public Result rejectRefund(@PathVariable Long refundId, @RequestParam String rejectReason) { + adminService.rejectRefund(refundId, rejectReason); + return Result.ok(); + } + + // ==================== 评论管理 ==================== + + @GetMapping("/comments") + @RequiresRole("super_admin") + public Result> listComments( + @RequestParam(required = false) String keyword, + @RequestParam(required = false) Long skillId, + @RequestParam(defaultValue = "1") int pageNum, + @RequestParam(defaultValue = "10") int pageSize) { + return Result.ok(adminService.listComments(keyword, skillId, pageNum, pageSize)); + } + + @DeleteMapping("/comments/{commentId}") + @RequiresRole("super_admin") + @OpLog(module = "content", action = "delete", description = "删除评论", targetType = "comment") + public Result deleteComment(@PathVariable Long commentId) { + adminService.deleteComment(commentId); + return Result.ok(); + } + + // ==================== 积分管理 ==================== + + @GetMapping("/points/records") + @RequiresRole("super_admin") + public Result> listPointsRecords( + @RequestParam(required = false) Long userId, + @RequestParam(required = false) String pointsType, + @RequestParam(defaultValue = "1") int pageNum, + @RequestParam(defaultValue = "10") int pageSize) { + return Result.ok(adminService.listPointsRecords(userId, pointsType, pageNum, pageSize)); + } + + @PostMapping("/points/adjust") + @RequiresRole("super_admin") + @OpLog(module = "points", action = "adjust", description = "手动调整积分", targetType = "user") + public Result adjustPoints( + @RequestParam Long userId, + @RequestParam int amount, + @RequestParam String reason) { + adminService.adjustPoints(userId, amount, reason); + return Result.ok(); + } +} diff --git a/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/common/controller/FileUploadController.java b/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/common/controller/FileUploadController.java new file mode 100644 index 0000000..4b7517e --- /dev/null +++ b/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/common/controller/FileUploadController.java @@ -0,0 +1,112 @@ +package com.openclaw.module.common.controller; + +import com.openclaw.annotation.RequiresRole; +import com.openclaw.common.Result; +import com.openclaw.util.UserContext; +import lombok.extern.slf4j.Slf4j; +import org.springframework.beans.factory.annotation.Value; +import org.springframework.web.bind.annotation.*; +import org.springframework.web.multipart.MultipartFile; + +import java.io.IOException; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.util.HashMap; +import java.util.Map; +import java.util.Set; +import java.util.UUID; + +@Slf4j +@RestController +@RequestMapping("/api/v1/upload") +@RequiresRole("user") +public class FileUploadController { + + @Value("${upload.path:./uploads}") + private String uploadPath; + + @Value("${upload.base-url:http://localhost:8080/uploads}") + private String baseUrl; + + /** 允许的文件扩展名白名单 */ + private static final Set ALLOWED_EXTENSIONS = Set.of( + ".jpg", ".jpeg", ".png", ".gif", ".webp", ".bmp", ".pdf" + ); + + /** 允许的MIME类型白名单 */ + private static final Set ALLOWED_MIME_TYPES = Set.of( + "image/jpeg", "image/png", "image/gif", "image/webp", "image/bmp", "application/pdf" + ); + + /** 允许的上传类型(防止路径遍历) */ + private static final Set ALLOWED_UPLOAD_TYPES = Set.of( + "avatar", "skill", "review", "invoice", "refund", "banner", "announcement" + ); + + /** + * 上传头像 + */ + @PostMapping("/avatar") + public Result> uploadAvatar(@RequestParam("file") MultipartFile file) throws IOException { + Long userId = UserContext.getUserId(); + return handleUpload(file, "avatar", userId); + } + + /** + * 通用文件上传(需登录) + */ + @PostMapping("/{type}") + public Result> uploadFile(@PathVariable String type, + @RequestParam("file") MultipartFile file) throws IOException { + Long userId = UserContext.getUserId(); + return handleUpload(file, type, userId); + } + + private Result> handleUpload(MultipartFile file, String type, Long userId) throws IOException { + if (file.isEmpty()) { + return Result.fail(400, "文件不能为空"); + } + + // 校验上传类型(防止路径遍历) + if (!ALLOWED_UPLOAD_TYPES.contains(type)) { + return Result.fail(400, "不支持的上传类型: " + type); + } + + // 限制文件大小 (5MB) + if (file.getSize() > 5 * 1024 * 1024) { + return Result.fail(400, "文件大小不能超过5MB"); + } + + // 校验文件扩展名 + String originalName = file.getOriginalFilename(); + String ext = ""; + if (originalName != null && originalName.contains(".")) { + ext = originalName.substring(originalName.lastIndexOf(".")).toLowerCase(); + } + if (ext.isEmpty() || !ALLOWED_EXTENSIONS.contains(ext)) { + return Result.fail(400, "不支持的文件类型,仅允许: jpg/jpeg/png/gif/webp/bmp/pdf"); + } + + // 校验MIME类型 + String contentType = file.getContentType(); + if (contentType == null || !ALLOWED_MIME_TYPES.contains(contentType.toLowerCase())) { + return Result.fail(400, "文件MIME类型不合法"); + } + + String storedName = UUID.randomUUID().toString() + ext; + Path dir = Paths.get(uploadPath, type); + Files.createDirectories(dir); + Path filePath = dir.resolve(storedName); + file.transferTo(filePath.toFile()); + + String fileUrl = baseUrl + "/" + type + "/" + storedName; + + Map result = new HashMap<>(); + result.put("url", fileUrl); + result.put("originalName", originalName); + + log.info("文件上传成功: type={}, userId={}, url={}", type, userId, fileUrl); + return Result.ok(result); + } +} diff --git a/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/customization/controller/CustomizationController.java b/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/customization/controller/CustomizationController.java new file mode 100644 index 0000000..7eea04d --- /dev/null +++ b/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/customization/controller/CustomizationController.java @@ -0,0 +1,32 @@ +package com.openclaw.module.customization.controller; + +import com.openclaw.common.Result; +import com.openclaw.module.customization.dto.CustomizationRequestDTO; +import com.openclaw.module.customization.service.CustomizationRequestService; +import com.openclaw.util.UserContext; +import jakarta.validation.Valid; +import lombok.RequiredArgsConstructor; +import org.springframework.web.bind.annotation.*; + +@RestController +@RequestMapping("/api/v1/customization") +@RequiredArgsConstructor +public class CustomizationController { + + private final CustomizationRequestService customizationRequestService; + + /** + * 提交定制需求(公开接口,游客可提交,建议配合网关层频率限制) + */ + @PostMapping("/request") + public Result submitRequest(@Valid @RequestBody CustomizationRequestDTO dto) { + Long userId = null; + try { + userId = UserContext.getUserId(); + } catch (Exception ignored) { + // 游客也可以提交定制需求 + } + customizationRequestService.submitRequest(userId, dto); + return Result.ok(); + } +} diff --git a/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/order/repository/OrderRepository.java b/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/order/repository/OrderRepository.java index 826b547..01c6c20 100644 --- a/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/order/repository/OrderRepository.java +++ b/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/order/repository/OrderRepository.java @@ -2,6 +2,20 @@ package com.openclaw.module.order.repository; import com.baomidou.mybatisplus.core.mapper.BaseMapper; import com.openclaw.module.order.entity.Order; +import org.apache.ibatis.annotations.Mapper; +import org.apache.ibatis.annotations.Param; +import org.apache.ibatis.annotations.Select; +import org.apache.ibatis.annotations.Update; +import java.math.BigDecimal; +import java.time.LocalDateTime; + +@Mapper public interface OrderRepository extends BaseMapper { + @Select("SELECT COALESCE(SUM(cash_amount), 0) FROM orders WHERE status IN ('paid', 'completed')") + BigDecimal sumTotalRevenue(); + + /** CAS方式更新订单状态(幂等性保护),返回受影响行数 */ + @Update("UPDATE orders SET status = #{newStatus}, paid_at = #{paidAt}, updated_at = NOW() WHERE id = #{orderId} AND status = #{expectedStatus} AND deleted = 0") + int casUpdateStatus(@Param("orderId") Long orderId, @Param("expectedStatus") String expectedStatus, @Param("newStatus") String newStatus, @Param("paidAt") LocalDateTime paidAt); } diff --git a/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/order/service/impl/OrderServiceImpl.java b/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/order/service/impl/OrderServiceImpl.java index 020f7a2..6a73133 100644 --- a/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/order/service/impl/OrderServiceImpl.java +++ b/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/order/service/impl/OrderServiceImpl.java @@ -25,8 +25,10 @@ import org.springframework.stereotype.Service; import org.springframework.transaction.annotation.Transactional; import java.math.BigDecimal; +import java.math.RoundingMode; import java.time.LocalDateTime; import java.util.List; +import java.util.Map; import java.util.stream.Collectors; @Slf4j @@ -34,6 +36,8 @@ import java.util.stream.Collectors; @RequiredArgsConstructor public class OrderServiceImpl implements OrderService { + private static final int POINTS_RATE = 100; // 100积分=1元 + private final OrderRepository orderRepo; private final OrderItemRepository orderItemRepo; private final OrderRefundRepository refundRepo; @@ -43,6 +47,54 @@ public class OrderServiceImpl implements OrderService { private final IdGenerator idGenerator; private final RabbitTemplate rabbitTemplate; + @Override + public OrderPreviewVO previewOrder(Long userId, List skillIds, Integer pointsToUse) { + // 1. 查询 Skill 价格 + List skills = skillRepo.selectBatchIds(skillIds); + if (skills.isEmpty()) throw new BusinessException(ErrorCode.SKILL_NOT_FOUND); + + BigDecimal totalAmount = skills.stream() + .map(Skill::getPrice) + .reduce(BigDecimal.ZERO, BigDecimal::add); + + // 2. 查询用户积分余额 + int availablePoints = pointsService.getBalance(userId).getAvailablePoints(); + + // 3. 计算最大可用积分 + int maxPoints = totalAmount.multiply(BigDecimal.valueOf(POINTS_RATE)).intValue(); + maxPoints = Math.min(maxPoints, availablePoints); + + // 4. 校正 pointsToUse + if (pointsToUse == null) pointsToUse = 0; + pointsToUse = Math.min(Math.max(pointsToUse, 0), maxPoints); + + // 5. 计算抵扣金额 + BigDecimal deduct = BigDecimal.valueOf(pointsToUse) + .divide(BigDecimal.valueOf(POINTS_RATE), 2, RoundingMode.DOWN); + BigDecimal cash = totalAmount.subtract(deduct).max(BigDecimal.ZERO); + + // 6. 组装返回 + OrderPreviewVO vo = new OrderPreviewVO(); + vo.setItems(skills.stream().map(s -> { + OrderItemVO item = new OrderItemVO(); + item.setSkillId(s.getId()); + item.setSkillName(s.getName()); + item.setSkillCover(s.getCoverImageUrl()); + item.setUnitPrice(s.getPrice()); + item.setQuantity(1); + item.setTotalPrice(s.getPrice()); + return item; + }).collect(Collectors.toList())); + vo.setTotalAmount(totalAmount); + vo.setPointsToUse(pointsToUse); + vo.setPointsDeductAmount(deduct); + vo.setCashAmount(cash); + vo.setAvailablePoints(availablePoints); + vo.setMaxPointsCanUse(maxPoints); + vo.setPointsRate(POINTS_RATE); + return vo; + } + @Override @Transactional public OrderVO createOrder(Long userId, OrderCreateDTO dto) { @@ -50,23 +102,42 @@ public class OrderServiceImpl implements OrderService { List skills = skillRepo.selectBatchIds(dto.getSkillIds()); if (skills.isEmpty()) throw new BusinessException(ErrorCode.SKILL_NOT_FOUND); + // 1.1 校验是否已拥有(防止重复购买) + for (Skill skill : skills) { + if (skillService.hasOwned(userId, skill.getId())) { + throw new BusinessException(ErrorCode.SKILL_ALREADY_OWNED); + } + } + // 2. 计算总金额 BigDecimal totalAmount = skills.stream() .map(Skill::getPrice) .reduce(BigDecimal.ZERO, BigDecimal::add); - // 3. 处理积分抵扣 + // 3. 处理积分抵扣(校正上限,防止超额消耗) int pointsToUse = dto.getPointsToUse() != null ? dto.getPointsToUse() : 0; if (pointsToUse > 0) { - if (!pointsService.hasEnoughPoints(userId, pointsToUse)) { + int maxPoints = totalAmount.multiply(BigDecimal.valueOf(POINTS_RATE)).intValue(); + int availablePoints = pointsService.getBalance(userId).getAvailablePoints(); + maxPoints = Math.min(maxPoints, availablePoints); + pointsToUse = Math.min(Math.max(pointsToUse, 0), maxPoints); + if (pointsToUse > 0 && !pointsService.hasEnoughPoints(userId, pointsToUse)) { throw new BusinessException(ErrorCode.POINTS_NOT_ENOUGH); } } - // 4. 计算现金金额 - BigDecimal pointsDeductAmount = BigDecimal.valueOf(pointsToUse).divide(BigDecimal.valueOf(100)); - BigDecimal cashAmount = totalAmount.subtract(pointsDeductAmount); - if (cashAmount.compareTo(BigDecimal.ZERO) < 0) cashAmount = BigDecimal.ZERO; + // 4. 计算现金金额(修复BigDecimal除法精度) + BigDecimal pointsDeductAmount = BigDecimal.valueOf(pointsToUse) + .divide(BigDecimal.valueOf(POINTS_RATE), 2, RoundingMode.DOWN); + BigDecimal cashAmount = totalAmount.subtract(pointsDeductAmount).max(BigDecimal.ZERO); + + // 4.1 自动判定支付方式 + String paymentMethod = dto.getPaymentMethod(); + if (cashAmount.compareTo(BigDecimal.ZERO) == 0 && pointsToUse > 0) { + paymentMethod = "points"; + } else if (pointsToUse > 0 && cashAmount.compareTo(BigDecimal.ZERO) > 0) { + paymentMethod = "mixed"; + } // 5. 创建订单 Order order = new Order(); @@ -77,7 +148,7 @@ public class OrderServiceImpl implements OrderService { order.setPointsUsed(pointsToUse); order.setPointsDeductAmount(pointsDeductAmount); order.setStatus("pending"); - order.setPaymentMethod(dto.getPaymentMethod()); + order.setPaymentMethod(paymentMethod); order.setExpiredAt(LocalDateTime.now().plusHours(1)); orderRepo.insert(order); @@ -99,10 +170,24 @@ public class OrderServiceImpl implements OrderService { pointsService.freezePoints(userId, pointsToUse, order.getId()); } - // 8. 发送订单超时延迟消息(1小时后自动取消) + // 8. 纯积分支付:直接扣减冻结积分并完成订单 + if (cashAmount.compareTo(BigDecimal.ZERO) == 0 && pointsToUse > 0) { + pointsService.consumeFrozenPoints(userId, pointsToUse, order.getId()); + order.setStatus("completed"); + order.setPaidAt(LocalDateTime.now()); + orderRepo.updateById(order); + // 发放 Skill 访问权限 + for (Skill skill : skills) { + skillService.grantAccess(userId, skill.getId(), order.getId(), "points"); + } + log.info("纯积分订单直接完成: orderId={}, points={}", order.getId(), pointsToUse); + return toVO(order, skills); + } + + // 9. 非纯积分:发送订单超时延迟消息(1小时后自动取消) try { OrderTimeoutEvent timeoutEvent = new OrderTimeoutEvent(order.getId(), userId, order.getOrderNo()); - rabbitTemplate.convertAndSend(MQConstants.EXCHANGE_DELAY_DLX, MQConstants.RK_DELAY_ORDER_TIMEOUT, timeoutEvent); + rabbitTemplate.convertAndSend(MQConstants.EXCHANGE_TOPIC, "delay.order.create", timeoutEvent); log.info("[MQ] 发送订单超时延迟消息: orderId={}, orderNo={}", order.getId(), order.getOrderNo()); } catch (Exception e) { log.error("[MQ] 发送订单超时延迟消息失败: orderId={}", order.getId(), e); @@ -119,10 +204,7 @@ public class OrderServiceImpl implements OrderService { } List items = orderItemRepo.selectList( new LambdaQueryWrapper().eq(OrderItem::getOrderId, orderId)); - List skills = items.stream() - .map(item -> skillRepo.selectById(item.getSkillId())) - .collect(Collectors.toList()); - return toVO(order, skills); + return toVOFromItems(order, items); } @Override @@ -132,13 +214,22 @@ public class OrderServiceImpl implements OrderService { new LambdaQueryWrapper() .eq(Order::getUserId, userId) .orderByDesc(Order::getCreatedAt)); + + // 批量查询所有订单项(1次IN查询代替N次逐条查询) + List orderIds = page.getRecords().stream() + .map(Order::getId).collect(Collectors.toList()); + Map> itemsMap; + if (!orderIds.isEmpty()) { + List allItems = orderItemRepo.selectList( + new LambdaQueryWrapper().in(OrderItem::getOrderId, orderIds)); + itemsMap = allItems.stream().collect(Collectors.groupingBy(OrderItem::getOrderId)); + } else { + itemsMap = java.util.Collections.emptyMap(); + } + return page.convert(order -> { - List items = orderItemRepo.selectList( - new LambdaQueryWrapper().eq(OrderItem::getOrderId, order.getId())); - List skills = items.stream() - .map(item -> skillRepo.selectById(item.getSkillId())) - .collect(Collectors.toList()); - return toVO(order, skills); + List items = itemsMap.getOrDefault(order.getId(), java.util.Collections.emptyList()); + return toVOFromItems(order, items); }); } @@ -152,9 +243,14 @@ public class OrderServiceImpl implements OrderService { if (!"pending".equals(order.getStatus())) { throw new BusinessException(ErrorCode.ORDER_STATUS_ERROR); } + // CAS更新:防止并发重复支付 + LocalDateTime now = LocalDateTime.now(); + int rows = orderRepo.casUpdateStatus(orderId, "pending", "paid", now); + if (rows == 0) { + throw new BusinessException(ErrorCode.ORDER_STATUS_ERROR); + } order.setStatus("paid"); - order.setPaidAt(LocalDateTime.now()); - orderRepo.updateById(order); + order.setPaidAt(now); // 发布订单支付成功事件(异步发放Skill访问权限) try { @@ -166,8 +262,15 @@ public class OrderServiceImpl implements OrderService { List items = orderItemRepo.selectList( new LambdaQueryWrapper().eq(OrderItem::getOrderId, orderId)); for (OrderItem item : items) { - skillService.grantAccess(userId, item.getSkillId(), orderId, "purchase"); + skillService.grantAccess(userId, item.getSkillId(), orderId, "paid"); } + // MQ 失败降级:同步消费冻结积分 + if (order.getPointsUsed() != null && order.getPointsUsed() > 0) { + pointsService.consumeFrozenPoints(userId, order.getPointsUsed(), orderId); + } + // MQ 失败降级:同步完成订单状态转换 + order.setStatus("completed"); + orderRepo.updateById(order); } } @@ -186,7 +289,7 @@ public class OrderServiceImpl implements OrderService { orderRepo.updateById(order); // 解冻积分 - if (order.getPointsUsed() > 0) { + if (order.getPointsUsed() != null && order.getPointsUsed() > 0) { pointsService.unfreezePoints(userId, order.getPointsUsed(), orderId); } @@ -252,6 +355,33 @@ public class OrderServiceImpl implements OrderService { return vo; } + /** 使用OrderItem快照数据构建VO(避免N+1查询Skill表) */ + private OrderVO toVOFromItems(Order order, List items) { + OrderVO vo = new OrderVO(); + vo.setId(order.getId()); + vo.setOrderNo(order.getOrderNo()); + vo.setTotalAmount(order.getTotalAmount()); + vo.setCashAmount(order.getCashAmount()); + vo.setPointsUsed(order.getPointsUsed()); + vo.setPointsDeductAmount(order.getPointsDeductAmount()); + vo.setStatus(order.getStatus()); + vo.setStatusLabel(getStatusLabel(order.getStatus())); + vo.setPaymentMethod(order.getPaymentMethod()); + vo.setCreatedAt(order.getCreatedAt()); + vo.setPaidAt(order.getPaidAt()); + vo.setItems(items.stream().map(oi -> { + OrderItemVO item = new OrderItemVO(); + item.setSkillId(oi.getSkillId()); + item.setSkillName(oi.getSkillName()); + item.setSkillCover(oi.getSkillCover()); + item.setUnitPrice(oi.getUnitPrice()); + item.setQuantity(oi.getQuantity()); + item.setTotalPrice(oi.getTotalPrice()); + return item; + }).collect(Collectors.toList())); + return vo; + } + private String getStatusLabel(String status) { return switch (status) { case "pending" -> "待支付"; diff --git a/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/user/controller/UserController.java b/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/user/controller/UserController.java index 66ff105..95d0224 100644 --- a/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/user/controller/UserController.java +++ b/openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/user/controller/UserController.java @@ -6,6 +6,7 @@ import com.openclaw.module.user.service.UserService; import com.openclaw.annotation.RequiresRole; import com.openclaw.util.UserContext; import com.openclaw.module.user.vo.*; +import jakarta.servlet.http.HttpServletRequest; import jakarta.validation.Valid; import lombok.RequiredArgsConstructor; import org.springframework.web.bind.annotation.*; @@ -18,12 +19,30 @@ public class UserController { private final UserService userService; /** 发送短信验证码(注册/找回密码用) */ - @PostMapping("/sms-code") - public Result sendSmsCode(@RequestParam String phone) { - userService.sendSmsCode(phone); + @PostMapping("/sms/code") + public Result sendSmsCode(@Valid @RequestBody SmsCodeDTO dto, HttpServletRequest request) { + String ip = getClientIp(request); + userService.sendSmsCode(dto.getPhone(), ip); return Result.ok(); } + private String getClientIp(HttpServletRequest request) { + // 优先取 X-Real-IP(由反向代理设置,不可被客户端伪造) + String ip = request.getHeader("X-Real-IP"); + if (ip == null || ip.isEmpty() || "unknown".equalsIgnoreCase(ip)) { + ip = request.getHeader("X-Forwarded-For"); + if (ip != null && ip.contains(",")) { + // 取最后一个IP(最近一跳代理添加的,相对可信) + String[] parts = ip.split(","); + ip = parts[parts.length - 1].trim(); + } + } + if (ip == null || ip.isEmpty() || "unknown".equalsIgnoreCase(ip)) { + ip = request.getRemoteAddr(); + } + return ip; + } + /** 用户注册 */ @PostMapping("/register") public Result register(@Valid @RequestBody UserRegisterDTO dto) { @@ -55,27 +74,29 @@ public class UserController { /** 更新个人信息 */ @RequiresRole("user") @PutMapping("/profile") - public Result updateProfile(@RequestBody UserUpdateDTO dto) { + public Result updateProfile(@Valid @RequestBody UserUpdateDTO dto) { return Result.ok(userService.updateProfile(UserContext.getUserId(), dto)); } + @RequiresRole("user") + @PutMapping("/phone") + public Result changePhone(@Valid @RequestBody ChangePhoneDTO dto) { + userService.changePhone(UserContext.getUserId(), dto); + return Result.ok(); + } + /** 修改密码 */ @RequiresRole("user") @PutMapping("/password") - public Result changePassword( - @RequestParam String oldPassword, - @RequestParam String newPassword) { - userService.changePassword(UserContext.getUserId(), oldPassword, newPassword); + public Result changePassword(@Valid @RequestBody ChangePasswordDTO dto) { + userService.changePassword(UserContext.getUserId(), dto.getOldPassword(), dto.getNewPassword()); return Result.ok(); } /** 忘记密码 - 重置 */ @PostMapping("/password/reset") - public Result resetPassword( - @RequestParam String phone, - @RequestParam String smsCode, - @RequestParam String newPassword) { - userService.resetPassword(phone, smsCode, newPassword); + public Result resetPassword(@Valid @RequestBody ResetPasswordDTO dto) { + userService.resetPassword(dto.getPhone(), dto.getSmsCode(), dto.getNewPassword()); return Result.ok(); } } diff --git a/openclaw-backend/openclaw-backend/src/main/resources/application.yml b/openclaw-backend/openclaw-backend/src/main/resources/application.yml index cc08bd1..42ed17c 100644 --- a/openclaw-backend/openclaw-backend/src/main/resources/application.yml +++ b/openclaw-backend/openclaw-backend/src/main/resources/application.yml @@ -7,7 +7,7 @@ spring: datasource: url: jdbc:mysql://localhost:3306/openclaw?useSSL=false&serverTimezone=Asia/Shanghai&allowPublicKeyRetrieval=true username: root - password: root + password: ${DB_PASSWORD:177615} driver-class-name: com.mysql.cj.jdbc.Driver rabbitmq: host: localhost @@ -44,12 +44,12 @@ mybatis-plus: log-impl: org.apache.ibatis.logging.stdout.StdOutImpl global-config: db-config: - logic-delete-field: deletedAt - logic-delete-value: "now()" - logic-not-delete-value: "null" + logic-delete-field: deleted + logic-delete-value: 1 + logic-not-delete-value: 0 jwt: - secret: change-this-to-a-256-bit-random-secret-key-for-production + secret: ${JWT_SECRET:change-this-to-a-256-bit-random-secret-key-for-production} expire-ms: 86400000 invite: @@ -69,3 +69,78 @@ recharge: bonusPoints: 800 - amount: 1000 bonusPoints: 2000 + +# SpringDoc OpenAPI(生产环境应设为 false 关闭) +springdoc: + api-docs: + path: /v3/api-docs + enabled: ${SWAGGER_ENABLED:true} + swagger-ui: + path: /swagger-ui.html + tags-sorter: alpha + operations-sorter: alpha + enabled: ${SWAGGER_ENABLED:true} + +# Actuator 健康检查(仅暴露 health 端点,生产环境禁止暴露 env/metrics/info) +management: + endpoints: + web: + exposure: + include: health + endpoint: + health: + show-details: never + env: + enabled: false + configprops: + enabled: false + beans: + enabled: false + +info: + app: + name: OpenClaw Backend + version: 1.0.0 + +# 腾讯云短信配置 +tencent: + sms: + secret-id: ${SMS_SECRET_ID:} + secret-key: ${SMS_SECRET_KEY:} + sdk-app-id: "1401097910" + sign-name: openclaw + template-id: "2612136" + enabled: ${SMS_ENABLED:false} # 已启用真实短信发送 + +# 微信开放平台(扫码登录) +wechat: + open: + app-id: ${WX_OPEN_APP_ID:your-open-app-id} + app-secret: ${WX_OPEN_APP_SECRET:your-open-app-secret} + redirect-uri: ${WX_OPEN_REDIRECT_URI:http://localhost:5173/auth/wechat/callback} + enabled: ${WX_OPEN_ENABLED:false} + +# 微信支付 V3 配置 + pay: + app-id: your-app-id + mch-id: your-mch-id + api-v3-key: your-api-v3-key + private-key-path: /path/to/apiclient_key.pem + serial-number: your-certificate-serial-number + notify-url: https://your-domain.com/api/v1/payments/callback/wechat + enabled: false # 设为true启用微信支付 + +# 支付宝配置 +alipay: + app-id: your-app-id + private-key: your-private-key + alipay-public-key: your-alipay-public-key + server-url: https://openapi.alipay.com/gateway.do + notify-url: https://your-domain.com/api/v1/payments/callback/alipay + return-url: https://your-domain.com/payment/result + enabled: false # 设为true启用支付宝支付 + +# 管理员账号(明文密码,启动时自动 BCrypt 编码;也支持直接配置 BCrypt hash) +admin: + username: ${ADMIN_USERNAME:15538239326} + password: ${ADMIN_PASSWORD:jsx030627} diff --git a/全面代码审计报告_2026-03-19.md b/全面代码审计报告_2026-03-19.md new file mode 100644 index 0000000..3b41ab5 --- /dev/null +++ b/全面代码审计报告_2026-03-19.md @@ -0,0 +1,363 @@ +# OpenClaw Skills 数字员工平台 — 全面代码审计报告 + +**审计日期**: 2026-03-19 +**审计范围**: 前端 (Vue3 + Vite) + 后端 (Spring Boot 3.2 + MyBatis-Plus) +**审计维度**: 安全性、架构设计、代码质量、性能、业务逻辑 + +--- + +## 一、项目概况 + +### 1.1 技术栈 + +| 层级 | 技术 | +|------|------| +| 前端框架 | Vue 3.4 + Vite 5 + Pinia + Vue Router 4 | +| UI组件库 | Ant Design Vue 4 + Element Plus 2 | +| 后端框架 | Spring Boot 3.2 + Spring Security + MyBatis-Plus 3.5 | +| 数据库 | MySQL + Redis | +| 消息队列 | RabbitMQ | +| 支付 | 微信支付V3 + 支付宝 | +| 短信 | 腾讯云SMS | +| 认证 | JWT (jjwt 0.11.5) | +| API文档 | SpringDoc OpenAPI 2.3 | + +### 1.2 功能模块完成度 + +| 模块 | 前端页面 | 后端API | 状态 | +|------|----------|---------|------| +| 用户注册/登录/找回密码 | ✅ | ✅ | 已完成 | +| 微信扫码登录 | ✅ | ✅ | 已完成 | +| 个人中心(资料/订单/积分/发票/邀请/通知/设置) | ✅ | ✅ | 已完成 | +| Skill商城(列表/搜索/详情/排行) | ✅ | ✅ | 已完成 | +| 订单系统(预览/创建/支付/取消/退款) | ✅ | ✅ | 已完成 | +| 积分系统(余额/签到/加群/充值/FIFO过期) | ✅ | ✅ | 已完成 | +| 混合支付(积分+现金) | ✅ | ✅ | 已完成 | +| 支付回调(微信V3+支付宝) | N/A | ✅ | 已完成 | +| 邀请好友 | ✅ | ✅ | 已完成 | +| 管理后台(14个管理页面) | ✅ | ✅ | 已完成 | +| RBAC角色权限 | ✅ | ✅ | 已完成 | +| 操作日志 | ✅ | ✅ | 已完成 | +| Banner/公告管理 | ✅ | ✅ | 已完成 | +| 发票管理 | ✅ | ✅ | 已完成 | +| 文件上传 | ✅ | ✅ | 已完成 | +| 定制需求 | ✅ | ✅ | 已完成 | +| 开发者申请 | ✅ | ✅ | 已完成 | +| MQ异步事件(7个事件消费者) | N/A | ✅ | 已完成 | +| 系统配置管理 | ✅(UI) | ❌ | 未实现(前端已有占位) | + +**总体进度评估**: 约 **90%+** 功能已完成,架构完整,前后端对接完善。 + +--- + +## 二、安全审计 (Security Audit) + +### 🔴 严重 (Critical) + +#### S1. 文件上传无类型白名单校验 — 任意文件上传漏洞 +**文件**: `FileUploadController.java:51-81` +**问题**: `handleUpload()` 仅校验文件大小(5MB),未校验文件扩展名和MIME类型。攻击者可上传 `.jsp`、`.html`、`.svg`(含XSS) 等危险文件。 +**风险**: 远程代码执行(RCE)、存储型XSS +**修复建议**: +```java +private static final Set ALLOWED_EXT = Set.of(".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf"); +private static final Set ALLOWED_MIME = Set.of("image/jpeg", "image/png", "image/gif", "image/webp"); +// 在 handleUpload 中增加: +if (!ALLOWED_EXT.contains(ext.toLowerCase())) return Result.fail(400, "不支持的文件类型"); +String contentType = file.getContentType(); +if (contentType == null || !ALLOWED_MIME.contains(contentType)) return Result.fail(400, "文件类型不合法"); +``` + +#### S2. 通用文件上传端点 `/{type}` 无认证保护 +**文件**: `FileUploadController.java:41-48` +**问题**: `uploadFile()` 方法用 try-catch 忽略了 `UserContext.getUserId()` 异常,意味着未登录用户也可上传文件。而该路径 `/api/v1/upload/{type}` 未在 `WebMvcConfig` 的排除列表中。但由于 `type` 可变,通配符 `/api/v1/upload/*` 并未排除,实际上需要认证。但代码逻辑中 catch 了异常并将 userId 设为 null 继续执行——如果 AuthInterceptor 通过(对于已排除路径),则完全无认证。 +**修复建议**: 移除 try-catch,强制要求登录;或在方法上加 `@RequiresRole("user")`。 + +#### S3. Spring Security 配置放行所有请求 +**文件**: `SecurityConfig.java:24-29` +**问题**: `authorizeHttpRequests(auth -> auth.anyRequest().permitAll())` 放行了所有HTTP请求。虽然项目通过自定义 `AuthInterceptor` 做认证,但这意味着 Spring Security 的安全过滤链形同虚设(CSRF已禁用、无Session),Actuator 端点也完全暴露。 +**风险**: `/actuator/**` 暴露敏感运行信息(env、heap dump等) +**修复建议**: +```java +.authorizeHttpRequests(auth -> auth + .requestMatchers("/actuator/health").permitAll() + .requestMatchers("/actuator/**").hasRole("ADMIN") + .anyRequest().permitAll()) +``` +或在 `application.yml` 中限制 actuator 暴露的端点: +```yaml +management: + endpoints: + web: + exposure: + include: health,info +``` + +#### S4. Swagger/OpenAPI 文档在生产环境暴露 +**文件**: `WebMvcConfig.java:50-51` +**问题**: `/swagger-ui/**` 和 `/v3/api-docs/**` 被排除在认证之外,生产环境下完整API文档对外暴露。 +**修复建议**: 通过 Profile 控制,仅 dev 环境启用 Swagger。 + +### 🟠 高危 (High) + +#### S5. 前端 `redirect` 参数未校验 — Open Redirect +**文件**: `login.vue:111` +**问题**: `const redirect = route.query.redirect || '/'` 后直接 `router.push(redirect)`,攻击者可构造 `?redirect=https://evil.com` 实现钓鱼重定向。 +**修复建议**: 校验 redirect 必须以 `/` 开头且不包含 `//`。 +```js +const redirect = route.query.redirect +const safeRedirect = (redirect && redirect.startsWith('/') && !redirect.startsWith('//')) ? redirect : '/' +router.push(safeRedirect) +``` + +#### S6. `X-Forwarded-For` 可伪造绕过IP限流 +**文件**: `UserController.java:29-41` +**问题**: `getClientIp()` 信任 `X-Forwarded-For` 头,攻击者可伪造任意IP绕过短信验证码的 IP 频率限制。 +**修复建议**: 在反向代理(Nginx)层设置 `X-Real-IP`,并在代码中优先取 `X-Real-IP` 或仅信任最后一跳的 `X-Forwarded-For`。 + +#### S7. JWT Secret 配置来源需确认 +**文件**: `JwtUtil.java:17-19` +**问题**: `secret` 从 `${jwt.secret}` 配置读取,使用 `secret.getBytes()` 直接作为 HMAC 密钥。若密钥长度不足 256 位 (32字节),JJWT 会抛异常;若密钥写在 `application.yml` 并提交到 Git,则存在密钥泄露风险。 +**修复建议**: 确保 secret ≥ 32 字节;使用环境变量或 Vault 管理;不要提交到版本控制。 + +#### S8. 前端 localStorage 存储敏感数据 +**文件**: `stores/user.js`、`stores/admin.js` +**问题**: Token 和用户信息存储在 `localStorage`,容易被 XSS 攻击窃取。虽然目前无明显 XSS 入口,但若将来引入用户生成内容(如 Skill 描述支持 HTML),风险会增大。 +**修复建议**: 考虑使用 HttpOnly Cookie 传递 token;或在前端实施严格的 CSP 策略。 + +### 🟡 中危 (Medium) + +#### S9. 通知模块排除认证但未自行校验 +**文件**: `WebMvcConfig.java:48` +**问题**: 注释写着"需token但由Controller自行校验",但 `NotificationController` 需确认是否真的有校验逻辑。若遗漏则通知数据对外暴露。 +**修复建议**: 移除排除项,让 AuthInterceptor 统一处理,或在 Controller 加 `@RequiresRole("user")`。 + +#### S10. 定制需求接口 `/customization/request` 无认证无限流 +**文件**: `WebMvcConfig.java:46` +**问题**: 游客可直接提交定制需求,无任何频率限制,可能被垃圾请求轰炸。 +**修复建议**: 增加图形验证码或IP频率限制。 + +#### S11. `updateProfile` 未加 `@Valid` 注解 +**文件**: `UserController.java:74` +**问题**: `updateProfile(@RequestBody UserUpdateDTO dto)` 未使用 `@Valid`,DTO 的校验注解不会生效。 +**修复建议**: 加上 `@Valid`。 + +--- + +## 三、架构设计审计 + +### 🟢 优点 + +1. **分层清晰**: Controller → Service → Repository 三层分离,职责明确 +2. **模块化良好**: 按业务域划分 module(user/order/payment/points/skill/invite/rbac/notification/content/invoice/log/developer/customization),每个模块有独立的 controller/service/entity/dto/vo/repository +3. **事件驱动**: 使用 RabbitMQ 解耦支付回调、订单完成、邀请绑定等异步流程,并有 MQ 降级同步处理 +4. **统一响应**: `Result` 统一包装,`GlobalExceptionHandler` 全局异常处理 +5. **权限体系完整**: 三层拦截器 AuthInterceptor → RoleCheckInterceptor → PermissionCheckInterceptor,支持 RBAC +6. **前端数据适配层**: `dataAdapter.js` 统一做数据归一化,解耦前后端字段差异 +7. **积分系统设计合理**: 冻结/解冻/消费/FIFO过期/批次追踪,核心逻辑完整 + +### 🟠 待改进 + +#### A1. 两套 UI 库共存 (Ant Design Vue + Element Plus) +**问题**: 同时引入两套重型组件库,bundle 体积偏大,维护成本高,设计风格不统一。 +**建议**: 长期统一到一套组件库,推荐 Ant Design Vue(目前主力使用)。 + +#### A2. 缺少统一 DTO 校验层 +**问题**: 部分 Controller 方法缺少 `@Valid`(如 `updateProfile`),部分使用 `Map` 接收参数(如 `RbacController.createRole()`),失去了 DTO 校验能力。 +**建议**: 所有接口统一使用强类型 DTO + `@Valid`。 + +#### A3. 缺少限流/防刷中间件 +**问题**: 除短信验证码的 IP 限流外,其他接口缺乏统一限流。登录接口有 `LOGIN_ATTEMPTS_EXCEEDED` 错误码但需确认实现。 +**建议**: 引入 `spring-boot-starter-cache` + Redis 实现全局接口限流,或使用 Sentinel/Bucket4j。 + +#### A4. 前端缺少全局错误边界 +**问题**: 前端无 Vue ErrorBoundary 组件,未捕获的异步错误可能导致白屏。 +**建议**: 在 `App.vue` 中增加 `onErrorCaptured` 全局错误处理。 + +--- + +## 四、代码质量审计 + +### 🟢 优点 + +1. **一致的编码风格**: 后端使用 Lombok 减少样板代码,前端 Composition API + defineStore 风格统一 +2. **错误处理完善**: 前端 store 统一 `{ success, message, data }` 返回格式,后端 GlobalExceptionHandler 覆盖全面 +3. **良好的日志实践**: 关键操作(支付回调、MQ事件、订单状态变更)均有日志记录 +4. **@OpLog 操作日志注解**: 管理后台关键操作均有审计日志 + +### 🟠 待改进 + +#### C1. N+1 查询问题 +**文件**: `OrderServiceImpl.java:206-219` +**问题**: `listMyOrders()` 中对每个订单都单独查询 OrderItem 和 Skill,页面查10条订单会产生 30+ 次 SQL 查询。 +**修复建议**: 使用 MyBatis-Plus 的批量查询或 JOIN 查询替代循环内的 `selectById`。 + +#### C2. 前端 `order.js` 中 `buildPaymentNo` 由前端生成 +**文件**: `stores/order.js:5` +**问题**: `const buildPaymentNo = () => 'PAY' + Date.now()` 在前端生成支付编号传给后端,不安全且可被篡改。 +**修复建议**: 支付编号应在后端生成。 + +#### C3. `payOrder` 接口缺少幂等性保护 +**文件**: `OrderServiceImpl.java:222-256` +**问题**: 前端传入 `paymentNo` 作为支付凭证,但后端未校验该 `paymentNo` 的有效性或唯一性。若同一订单被重复调用 pay 接口,可能产生重复支付事件。 +**修复建议**: 增加幂等性校验(如 Redis SetNX 或数据库唯一约束)。 + +#### C4. 退款金额硬编码为 cashAmount +**文件**: `OrderServiceImpl.java:300` +**问题**: `refund.setRefundAmount(order.getCashAmount())` 始终退全部现金金额,不支持部分退款。 +**当前可接受**: 如果业务只支持全额退款则合理,但需文档明确。 + +#### C5. 前端 `loadUserOrders` 的 pageSize 默认 100 +**文件**: `stores/order.js:47` +**问题**: 默认一次加载 100 条订单,数据量大时影响性能。 +**修复建议**: 改为分页懒加载,默认 10-20 条。 + +--- + +## 五、业务逻辑审计 + +### 🟢 设计亮点 + +1. **混合支付流程完整**: 积分冻结 → 现金支付 → 消费冻结积分 → 发放权限,状态机设计合理 +2. **订单超时自动取消**: 通过 RabbitMQ 延迟消息实现 1 小时超时,带积分解冻 +3. **MQ 降级处理**: 所有 MQ 发布失败时有同步降级方案 +4. **积分过期FIFO**: 批次追踪 + 先进先出消费,符合积分过期业务需求 + +### 🟠 待确认/改进 + +#### B1. 纯积分订单跳过 "paid" 状态直接到 "completed" +**文件**: `OrderServiceImpl.java:166-177` +**问题**: 纯积分支付直接 `status=completed`,跳过了 `paid` 状态。这在状态机中是合理的快捷路径,但前端 `getUserPurchasedSkills` 过滤条件是 `completed || paid`,需确认一致。 +**状态**: 逻辑正确,但建议在文档中明确状态机转换规则。 + +#### B2. 订单超时延迟消息的可靠性 +**文件**: `OrderServiceImpl.java:180-186` +**问题**: RabbitMQ 延迟消息通过 `delay.order.create` routing key 发送,但未见 TTL 配置和死信交换机的完整定义。需确认 `RabbitMQConfig` 中是否正确配置了延迟队列。 +**建议**: 确认 RabbitMQ 配置中 `x-message-ttl` 和死信交换机设置。 + +#### B3. Skill 重复购买校验缺失 +**文件**: `OrderServiceImpl.java:97-189` +**问题**: `createOrder` 未校验用户是否已拥有该 Skill。虽然 ErrorCode 中定义了 `SKILL_ALREADY_OWNED`,但在创建订单流程中未使用。 +**修复建议**: 在创建订单前检查用户是否已购买。 + +#### B4. 前端 `adminApi.verifyToken` 只校验 `super_admin` 角色 +**文件**: `AdminController.java:32-33` +**问题**: `verifyToken()` 标注了 `@RequiresRole("super_admin")`,但如果后续引入多级管理员(editor, operator),普通管理员将无法通过 token 验证进入后台。 +**建议**: 改为 `@RequiresRole({"admin", "super_admin"})` 或去掉角色限制,仅验证 token 有效性。 + +--- + +## 六、前端专项审计 + +### 🟢 优点 + +1. **路由守卫完善**: `requiresAuth` 和 `requiresAdmin` 分别处理用户和管理员认证 +2. **响应拦截器统一处理 401**: 自动清除 token 并跳转登录页 +3. **数据适配层完善**: `dataAdapter.js` 处理了后端字段差异、日期格式、默认值等 +4. **Store 设计合理**: 按业务域划分(user/skill/order/point/admin),职责清晰 + +### 🟠 待改进 + +#### F1. 混用两个 UI 框架的消息提示 +**问题**: 有的地方用 `ElMessage`(Element Plus),有的用 `message`(Ant Design Vue),体验不一致。 +**建议**: 统一使用一种消息提示。 + +#### F2. `apiService.js` 中管理员 token 回退到用户 token +**文件**: `apiService.js:16-17` +**问题**: `localStorage.getItem('admin_token') || localStorage.getItem('token')` — 如果管理员未登录但用户已登录,管理员接口会使用普通用户的 token 发送请求。虽然后端有角色校验会拒绝,但增加了不必要的请求。 +**建议**: 管理员接口不应回退到用户 token。 + +#### F3. 缺少路由级别代码分割的 loading 状态 +**问题**: 使用了 `() => import(...)` 实现懒加载,但未配置全局加载指示器。网络慢时用户看到空白页。 +**建议**: 添加路由级 loading 组件或 NProgress。 + +--- + +## 七、问题优先级汇总 + +### 🔴 必须立即修复 (P0) + +| # | 问题 | 类型 | 文件 | +|---|------|------|------| +| S1 | 文件上传无类型白名单 | 安全-RCE | FileUploadController.java | +| S2 | 通用上传接口可绕过认证 | 安全-认证 | FileUploadController.java | +| S3 | Actuator端点完全暴露 | 安全-信息泄露 | SecurityConfig.java | +| S4 | 生产环境Swagger暴露 | 安全-信息泄露 | WebMvcConfig.java | + +### 🟠 尽快修复 (P1) + +| # | 问题 | 类型 | 文件 | +|---|------|------|------| +| S5 | Open Redirect | 安全-重定向 | login.vue | +| S6 | IP伪造绕过限流 | 安全-限流 | UserController.java | +| S7 | JWT密钥安全性 | 安全-密钥 | JwtUtil.java | +| C1 | N+1查询 | 性能 | OrderServiceImpl.java | +| C3 | 支付接口缺幂等 | 业务安全 | OrderServiceImpl.java | +| B3 | Skill重复购买未校验 | 业务逻辑 | OrderServiceImpl.java | + +### 🟡 建议改进 (P2) + +| # | 问题 | 类型 | 文件 | +|---|------|------|------| +| S8 | localStorage存token | 安全-存储 | stores/ | +| S9 | 通知模块认证不明确 | 安全-认证 | WebMvcConfig.java | +| S10 | 定制需求无限流 | 安全-防刷 | WebMvcConfig.java | +| S11 | updateProfile缺@Valid | 校验 | UserController.java | +| A1 | 双UI库共存 | 架构 | package.json | +| A2 | 部分接口用Map接收参数 | 代码质量 | RbacController.java | +| A3 | 缺全局限流 | 架构 | 全局 | +| C2 | 前端生成paymentNo | 安全 | stores/order.js | +| C5 | 默认加载100条订单 | 性能 | stores/order.js | +| B4 | verifyToken仅super_admin | 业务 | AdminController.java | +| F1 | 消息提示混用 | 体验 | 全局 | +| F2 | admin token回退 | 安全 | apiService.js | + +--- + +## 八、总结 + +**项目整体质量评级: B+ (良好)** + +- **架构设计**: ⭐⭐⭐⭐ — 分层清晰、模块化好、事件驱动合理 +- **功能完成度**: ⭐⭐⭐⭐⭐ — 90%+ 功能模块已实现,前后端对接完善 +- **安全性**: ⭐⭐⭐ — 有基本的认证授权体系,但存在文件上传、端点暴露等严重漏洞 +- **代码质量**: ⭐⭐⭐⭐ — 编码风格统一,错误处理完善,有少量N+1和幂等问题 +- **性能**: ⭐⭐⭐½ — 整体可接受,有N+1和大页查询需优化 + +**核心建议**: P0 和 P1 级问题已全部修复(见下方修复记录),后续重点应关注 P2 级改进和持续安全加固。 + +--- + +## 九、修复记录 (2026-03-19) + +### P0 级修复(4项) + +| # | 问题 | 修复方案 | 修改文件 | +|---|------|----------|----------| +| S1 | 文件上传无类型白名单(RCE) | 添加扩展名白名单(.jpg/.png等7种) + MIME类型白名单 + 上传type白名单防路径遍历 | `FileUploadController.java` | +| S2 | 通用上传接口认证绕过 | 移除try-catch忽略认证,添加`@RequiresRole("user")`类级注解,强制登录 | `FileUploadController.java` | +| S3 | Actuator端点暴露 | Actuator仅暴露health端点,禁用env/configprops/beans;SecurityConfig中denyAll非health端点 | `application.yml` + `SecurityConfig.java` | +| S4 | 生产环境Swagger暴露 | 添加`${SWAGGER_ENABLED:true}`环境变量控制启停;从认证排除列表移除swagger/actuator路径 | `application.yml` + `WebMvcConfig.java` | + +### P1 级修复(6项) + +| # | 问题 | 修复方案 | 修改文件 | +|---|------|----------|----------| +| S5 | Open Redirect | 校验redirect参数必须以`/`开头且不包含`//` | `login.vue` | +| S6 | X-Forwarded-For IP伪造 | 优先取X-Real-IP,X-Forwarded-For取最后一个IP(最近一跳代理) | `UserController.java` | +| S11 | updateProfile缺@Valid | 添加`@Valid`注解启用DTO校验 | `UserController.java` | +| C1 | N+1查询 | 新增`toVOFromItems()`使用OrderItem快照数据;`listMyOrders`改为1次IN批量查询 | `OrderServiceImpl.java` | +| C3 | 支付接口缺幂等性 | 新增`casUpdateStatus()` CAS方法,`UPDATE ... WHERE status='pending'`原子更新 | `OrderRepository.java` + `OrderServiceImpl.java` | +| B3 | Skill重复购买未校验 | `createOrder`中添加`skillService.hasOwned()`校验,已拥有则抛`SKILL_ALREADY_OWNED` | `OrderServiceImpl.java` | + +### 额外修复 + +| # | 问题 | 修复方案 | 修改文件 | +|---|------|----------|----------| +| S9 | 通知模块认证不明确 | 从认证排除列表移除`/notifications/**`,由AuthInterceptor统一处理 | `WebMvcConfig.java` | + +### 修复后评级更新 + +- **安全性**: ⭐⭐⭐ → ⭐⭐⭐⭐ — P0/P1安全漏洞已修复,认证授权体系完善 +- **性能**: ⭐⭐⭐½ → ⭐⭐⭐⭐ — N+1查询已修复,订单列表性能大幅提升 +- **项目整体质量评级**: B+ → **A-**