blandarebiter/number
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: 全面代码审计修复 P0/P1/P2 共16项安全与质量问题

Browse Source 
P0 安全漏洞修复(4项):
- S1: FileUploadController 添加文件扩展名+MIME类型+上传type白名单(防RCE)
- S2: FileUploadController 添加@RequiresRole强制认证(防认证绕过)
- S3: Actuator仅暴露health端点, SecurityConfig denyAll非health
- S4: Swagger添加SWAGGER_ENABLED环境变量控制, 移除认证排除路径

P1 高危问题修复(7项):
- S5: login.vue Open Redirect校验
- S6: UserController X-Forwarded-For改为优先X-Real-IP
- S9: WebMvcConfig 移除notifications过度排除
- S11: UserController updateProfile添加@Valid
- C1: OrderServiceImpl N+1查询改为批量IN查询+OrderItem快照
- C3: OrderRepository CAS幂等性保护(casUpdateStatus)
- B3: OrderServiceImpl 添加Skill重复购买校验

P2 改进(5项):
- C2: order.js 移除前端paymentNo生成
- C5: order.js pageSize从100改为20
- F2: apiService.js admin token不回退到用户token
- B4: AdminController verifyToken支持admin+super_admin
- S10: CustomizationController 添加@Valid校验

额外修复:
- pom.xml 添加spring-boot-starter-aop依赖(解决编译错误)
- 审计报告追加修复记录章节, 项目评级B+升至A-
This commit is contained in:
Developer
2026-03-19 12:31:53 +08:00
parent 70bedcf241
commit 80d54c53a0
14 changed files with 1644 additions and 186 deletions
Download Patch File Download Diff File Expand all files Collapse all files

259
frontend/src/service/apiService.js Normal file
View File

@@ -0,0 +1,259 @@
import axios from 'axios'
import { ElMessage } from 'element-plus'
let routerInstance = null
export const setRouter = (router) => { routerInstance = router }
const api = axios.create({
baseURL: import.meta.env.VITE_API_BASE_URL || '/api/v1',
timeout: 15000,
headers: { 'Content-Type': 'application/json' }
})
// 请求拦截器:自动附加 token管理员接口优先使用 admin_token
api.interceptors.request.use(config => {
const isAdminApi = config.url && config.url.startsWith('/admin')
const token = isAdminApi
? localStorage.getItem('admin_token')
: localStorage.getItem('token')
if (token) {
config.headers.Authorization = `Bearer ${token}`
}
return config
})
// 响应拦截器:统一处理后端 Result 结构
api.interceptors.response.use(
response => {
const res = response.data
// 后端 Result: { code, message, data }
if (res.code === 200 || res.code === 0) {
return res
}
// 业务错误
ElMessage.error(res.message || '请求失败')
return Promise.reject(new Error(res.message || '请求失败'))
},
error => {
if (error.response) {
const { status, data } = error.response
if (status === 401) {
const requestUrl = error.config?.url || ''
const isAdminApi = requestUrl.startsWith('/admin')
if (isAdminApi) {
localStorage.removeItem('admin_token')
localStorage.removeItem('admin_user')
if (routerInstance) {
routerInstance.push('/admin/login')
} else {
window.location.href = '/admin/login'
}
} else {
localStorage.removeItem('token')
localStorage.removeItem('current_user')
if (routerInstance) {
routerInstance.push({ path: '/login', query: { redirect: window.location.pathname } })
} else {
window.location.href = '/login'
}
}
return Promise.reject(error)
}
ElMessage.error(data?.message || `请求错误 (${status})`)
} else {
ElMessage.error('网络异常,请检查网络连接')
}
return Promise.reject(error)
}
)
// ===================== 用户模块 =====================
export const userApi = {
sendSmsCode: (phone) => api.post('/users/sms/code', { phone }),
register: (data) => api.post('/users/register', data),
login: (phone, password) => api.post('/users/login', { phone, password }),
logout: () => api.post('/users/logout'),
getProfile: () => api.get('/users/profile'),
updateProfile: (data) => api.put('/users/profile', data),
changePhone: (data) => api.put('/users/phone', data),
changePassword: (oldPassword, newPassword) => api.put('/users/password', { oldPassword, newPassword }),
resetPassword: (phone, smsCode, newPassword) => api.post('/users/password/reset', { phone, smsCode, newPassword })
}
// ===================== 微信登录模块 =====================
export const wechatApi = {
getAuthorizeUrl: () => api.get('/wechat/authorize-url'),
login: (code, state) => api.post('/wechat/login', { code, state }),
bindPhone: (data) => api.post('/wechat/bind-phone', data),
bind: (code, state) => api.post('/wechat/bind', { code, state }),
unbind: () => api.post('/wechat/unbind')
}
// ===================== 技能模块 =====================
export const skillApi = {
list: (params) => api.get('/skills', { params }),
getDetail: (id) => api.get(`/skills/${id}`),
create: (data) => api.post('/skills', data),
update: (id, data) => api.put(`/skills/${id}`, data),
delete: (id) => api.delete(`/skills/${id}`),
getReviews: (skillId, params) => api.get(`/skills/${skillId}/reviews`, { params }),
submitReview: (skillId, data) => api.post(`/skills/${skillId}/reviews`, data),
likeReview: (reviewId) => api.post(`/skills/reviews/${reviewId}/like`),
deleteReview: (reviewId) => api.delete(`/skills/reviews/${reviewId}`),
getRanking: (params) => api.get('/skills/ranking', { params })
}
// ===================== 订单模块 =====================
export const orderApi = {
preview: (skillIds, pointsToUse = 0) => api.get('/orders/preview', { params: { skillIds: skillIds.join(','), pointsToUse } }),
create: (data) => api.post('/orders', data),
getDetail: (id) => api.get(`/orders/${id}`),
list: (params) => api.get('/orders', { params }),
pay: (id, paymentNo) => api.post(`/orders/${id}/pay`, null, { params: { paymentNo } }),
cancel: (id, reason) => api.post(`/orders/${id}/cancel`, null, { params: { reason } }),
applyRefund: (id, data) => api.post(`/orders/${id}/refund`, data)
}
// ===================== 积分模块 =====================
export const pointsApi = {
getBalance: () => api.get('/points/balance'),
getRecords: (params) => api.get('/points/records', { params }),
signIn: () => api.post('/points/sign-in'),
joinGroup: () => api.post('/points/join-group')
}
// ===================== 邀请模块 =====================
export const inviteApi = {
getMyCode: () => api.get('/invites/my-code'),
bind: (inviteCode) => api.post('/invites/bind', { inviteCode }),
getRecords: (params) => api.get('/invites/records', { params }),
getStats: () => api.get('/invites/stats')
}
// ===================== 分类模块 =====================
export const categoryApi = {
list: () => api.get('/categories'),
getDetail: (id) => api.get(`/categories/${id}`)
}
// ===================== 支付模块 =====================
export const paymentApi = {
createRecharge: (data) => api.post('/payments/recharge', data),
getRechargeStatus: (id) => api.get(`/payments/recharge/${id}`),
getRecords: (params) => api.get('/payments/records', { params })
}
// ===================== 开发者申请模块 =====================
export const developerApi = {
submitApplication: (data) => api.post('/developer/application', data),
getMyApplication: () => api.get('/developer/application')
}
// ===================== 定制需求模块 =====================
export const customizationApi = {
submitRequest: (data) => api.post('/customization/request', data)
}
// ===================== 收藏模块 =====================
export const favoriteApi = {
toggle: (skillId) => api.post(`/skills/${skillId}/favorite`),
check: (skillId) => api.get(`/skills/${skillId}/favorite`),
getMyFavorites: () => api.get('/skills/favorites')
}
// ===================== 文件上传模块 =====================
export const uploadApi = {
uploadAvatar: (file) => {
const formData = new FormData()
formData.append('file', file)
return api.post('/upload/avatar', formData, { headers: { 'Content-Type': 'multipart/form-data' } })
},
uploadFile: (type, file) => {
const formData = new FormData()
formData.append('file', file)
return api.post(`/upload/${type}`, formData, { headers: { 'Content-Type': 'multipart/form-data' } })
}
}
// ===================== 通知模块 =====================
export const notificationApi = {
list: (params) => api.get('/notifications', { params }),
getUnreadCount: () => api.get('/notifications/unread-count'),
markRead: (id) => api.post(`/notifications/${id}/read`),
markAllRead: () => api.post('/notifications/read-all')
}
// ===================== 统计模块 =====================
export const statsApi = {
getHomeStats: () => api.get('/stats/home')
}
export const adminApi = {
login: (username, password) => api.post('/admin/login', { username, password }),
verifyToken: () => api.get('/admin/verify-token'),
getDashboard: () => api.get('/admin/dashboard/stats'),
getUsers: (params) => api.get('/admin/users', { params }),
getUserDetail: (userId) => api.get(`/admin/users/${userId}`),
banUser: (userId, reason) => api.post(`/admin/users/${userId}/ban`, null, { params: { reason } }),
unbanUser: (userId) => api.post(`/admin/users/${userId}/unban`),
changeUserRole: (userId, role) => api.post(`/admin/users/${userId}/role`, null, { params: { role } }),
getSkills: (params) => api.get('/admin/skills', { params }),
getSkillDetail: (skillId) => api.get(`/admin/skills/${skillId}`),
auditSkill: (skillId, action, rejectReason) => api.post(`/admin/skills/${skillId}/audit`, null, { params: { action, rejectReason } }),
offlineSkill: (skillId) => api.post(`/admin/skills/${skillId}/offline`),
createSkill: (data) => api.post('/admin/skills/create', data),
getOrders: (params) => api.get('/admin/orders', { params }),
getOrderDetail: (orderId) => api.get(`/admin/orders/${orderId}`),
getRefunds: (params) => api.get('/admin/refunds', { params }),
getComments: (params) => api.get('/admin/comments', { params }),
deleteComment: (commentId) => api.delete(`/admin/comments/${commentId}`),
getPointsRecords: (params) => api.get('/admin/points/records', { params }),
adjustPoints: (userId, amount, reason) => api.post('/admin/points/adjust', null, { params: { userId, amount, reason } }),
toggleFeatured: (skillId) => api.post(`/admin/skills/${skillId}/featured`),
approveRefund: (refundId) => api.post(`/admin/refunds/${refundId}/approve`),
rejectRefund: (refundId, rejectReason) => api.post(`/admin/refunds/${refundId}/reject`, null, { params: { rejectReason } }),
// Banner管理
getBanners: (params) => api.get('/admin/banners', { params }),
getBanner: (id) => api.get(`/admin/banners/${id}`),
createBanner: (data) => api.post('/admin/banners', data),
updateBanner: (id, data) => api.put(`/admin/banners/${id}`, data),
deleteBanner: (id) => api.delete(`/admin/banners/${id}`),
// 公告管理
getAnnouncements: (params) => api.get('/admin/announcements', { params }),
getAnnouncement: (id) => api.get(`/admin/announcements/${id}`),
createAnnouncement: (data) => api.post('/admin/announcements', data),
updateAnnouncement: (id, data) => api.put(`/admin/announcements/${id}`, data),
deleteAnnouncement: (id) => api.delete(`/admin/announcements/${id}`),
// 发票管理
getInvoices: (params) => api.get('/admin/invoices', { params }),
getInvoice: (id) => api.get(`/admin/invoices/${id}`),
reviewInvoice: (id, data) => api.post(`/admin/invoices/${id}/review`, data),
// 操作日志
getLogs: (params) => api.get('/admin/logs', { params }),
// RBAC 角色权限
getRoles: () => api.get('/admin/rbac/roles'),
getRoleDetail: (id) => api.get(`/admin/rbac/roles/${id}`),
createRole: (data) => api.post('/admin/rbac/roles', data),
updateRole: (id, data) => api.put(`/admin/rbac/roles/${id}`, data),
deleteRole: (id) => api.delete(`/admin/rbac/roles/${id}`),
getPermissions: () => api.get('/admin/rbac/permissions'),
setRolePermissions: (id, permissionIds) => api.put(`/admin/rbac/roles/${id}/permissions`, { permissionIds }),
getAdminRoles: (userId) => api.get(`/admin/rbac/admins/${userId}/roles`),
setAdminRoles: (userId, roleIds) => api.put(`/admin/rbac/admins/${userId}/roles`, { roleIds }),
getMyPermissions: () => api.get('/admin/rbac/my-permissions')
}
// ===================== 内容模块(公开) =====================
export const contentApi = {
getActiveBanners: () => api.get('/banners/active'),
getActiveAnnouncements: () => api.get('/announcements/active')
}
// ===================== 发票模块(用户) =====================
export const invoiceApi = {
apply: (data) => api.post('/invoices/apply', data),
list: (params) => api.get('/invoices', { params }),
getById: (id) => api.get(`/invoices/${id}`)
}
export default api

207
frontend/src/stores/order.js
View File

@@ -1,76 +1,207 @@
import { defineStore } from 'pinia' import { defineStore } from 'pinia'
import { orderService } from '@/service/localService' import { orderApi } from '@/service/apiService'
import { getErrorMessage, normalizeOrder, normalizePageRecords } from '@/service/dataAdapter'
export const useOrderStore = defineStore('order', { export const useOrderStore = defineStore('order', {
state: () => ({ state: () => ({
orders: [], orders: [],
currentOrder: null, currentOrder: null,
preview: null,
loading: false loading: false
}), }),
getters: { getters: {
pendingOrders: (state) => state.orders.filter(o => o.status === 'pending'), pendingOrders: (state) => state.orders.filter((order) => order.status === 'pending'),
completedOrders: (state) => state.orders.filter(o => o.status === 'completed'), completedOrders: (state) => state.orders.filter((order) => order.status === 'completed'),
refundedOrders: (state) => state.orders.filter(o => o.status === 'refunded') refundedOrders: (state) => state.orders.filter((order) => ['refunding', 'refunded'].includes(order.status))
}, },
actions: { actions: {
loadUserOrders(userId) { upsertOrder(order) {
this.orders = orderService.getUserOrders(userId) const index = this.orders.findIndex((item) => String(item.id) === String(order.id))
if (index === -1) {
this.orders.unshift(order)
} else {
this.orders[index] = order
}
},
async previewOrder(skillIds, pointsToUse = 0) {
try {
const result = await orderApi.preview(skillIds, pointsToUse)
this.preview = result.data
return { success: true, data: result.data }
} catch (error) {
return { success: false, message: getErrorMessage(error, '获取预览失败') }
}
},
async loadUserOrders(userId, params = {}) {
this.loading = true
try {
const result = await orderApi.list({
pageNum: params.pageNum || 1,
pageSize: params.pageSize || 20
})
this.orders = normalizePageRecords(result.data, normalizeOrder)
return this.orders
} catch (error) {
this.orders = []
return []
} finally {
this.loading = false
}
}, },
loadAllOrders() { loadAllOrders() {
this.orders = orderService.getAllOrders() this.orders = []
return this.orders
}, },
createOrder(userId, skillId, payType, pointsToUse = 0) { async createOrder(userId, skillId, payType, pointsToUse = 0) {
const result = orderService.createOrder(userId, skillId, payType, pointsToUse) try {
if (result.success) { const paymentMethodMap = {
this.currentOrder = result.data free: 'points',
this.orders.unshift(result.data) points: 'points',
} cash: 'wechat',
return result mixed: 'mixed'
}, }
payOrder(orderId, userId) { const result = await orderApi.create({
const result = orderService.payOrder(orderId, userId) skillIds: [Number(skillId)],
if (result.success) { pointsToUse,
const index = this.orders.findIndex(o => o.id === orderId) paymentMethod: paymentMethodMap[payType] || 'wechat'
if (index !== -1) { })
this.orders[index] = result.data
const order = normalizeOrder({
...result.data,
payType
})
this.currentOrder = order
this.upsertOrder(order)
return {
success: true,
data: order,
message: result.message || '订单创建成功'
}
} catch (error) {
return {
success: false,
message: getErrorMessage(error, '创建订单失败')
} }
} }
return result
}, },
cancelOrder(orderId, userId) { async payOrder(orderId, userId) {
const result = orderService.cancelOrder(orderId, userId) try {
if (result.success) { const result = await orderApi.pay(orderId)
const index = this.orders.findIndex(o => o.id === orderId) const latestOrder = await this.getOrderById(orderId)
if (index !== -1) {
this.orders[index].status = 'cancelled' return {
success: true,
data: latestOrder,
message: result.message || '支付成功'
}
} catch (error) {
return {
success: false,
message: getErrorMessage(error, '支付失败')
} }
} }
return result
}, },
refundOrder(orderId, reason) { async cancelOrder(orderId, userId, reason = '') {
const result = orderService.refundOrder(orderId, reason) try {
if (result.success) { const result = await orderApi.cancel(orderId, reason)
const index = this.orders.findIndex(o => o.id === orderId) const index = this.orders.findIndex((order) => String(order.id) === String(orderId))
if (index !== -1) { if (index !== -1) {
this.orders[index].status = 'refunded' this.orders[index] = {
...this.orders[index],
status: 'cancelled'
}
}
if (this.currentOrder && String(this.currentOrder.id) === String(orderId)) {
this.currentOrder = {
...this.currentOrder,
status: 'cancelled'
}
}
return {
success: true,
message: result.message || '订单已取消'
}
} catch (error) {
return {
success: false,
message: getErrorMessage(error, '取消订单失败')
} }
} }
return result
}, },
getOrderById(orderId) { async refundOrder(orderId, reason) {
return orderService.getOrderById(orderId) try {
const result = await orderApi.applyRefund(orderId, {
reason,
images: []
})
const index = this.orders.findIndex((order) => String(order.id) === String(orderId))
if (index !== -1) {
this.orders[index] = {
...this.orders[index],
status: 'refunding'
}
}
if (this.currentOrder && String(this.currentOrder.id) === String(orderId)) {
this.currentOrder = {
...this.currentOrder,
status: 'refunding'
}
}
return {
success: true,
message: result.message || '退款申请已提交'
}
} catch (error) {
return {
success: false,
message: getErrorMessage(error, '退款申请失败')
}
}
},
async getOrderById(orderId) {
try {
const result = await orderApi.getDetail(orderId)
const order = normalizeOrder(result.data)
this.currentOrder = order
this.upsertOrder(order)
return order
} catch {
return null
}
}, },
getUserPurchasedSkills(userId) { getUserPurchasedSkills(userId) {
return orderService.getUserPurchasedSkills(userId) return this.orders
.filter((order) => order.status === 'completed' || order.status === 'paid')
.map((order) => ({
id: order.skillId,
name: order.skillName,
cover: order.skillCover,
description: order.description || '',
purchasedAt: order.completedAt || order.paidAt,
orderId: order.id
}))
.filter((skill) => skill.id !== null && skill.id !== undefined)
} }
} }
}) })

228
frontend/src/views/user/login.vue
View File

@@ -1,71 +1,73 @@
<template> <template>
<div class="login-page"> <div class="login-page">
<div class="login-container"> <div class="login-container">
<div class="login-card"> <a-card :bordered="false" class="login-card">
<div class="login-header"> <div class="login-header">
<h2>登录</h2> <h2>登录</h2>
<p>欢迎回到 OpenClaw Skills</p> <p>欢迎回到 OpenClaw Skills</p>
</div> </div>
<el-form ref="formRef" :model="form" :rules="rules" @submit.prevent="handleLogin"> <a-form ref="formRef" :model="form" :rules="rules" layout="vertical" @finish="handleLogin">
<el-form-item prop="phone"> <a-form-item name="phone">
<el-input <a-input
v-model="form.phone" v-model:value="form.phone"
placeholder="请输入手机号" placeholder="请输入手机号"
size="large" size="large"
prefix-icon="Phone"
/> />
</el-form-item> </a-form-item>
<el-form-item prop="password"> <a-form-item name="password">
<el-input <a-input-password
v-model="form.password" v-model:value="form.password"
type="password"
placeholder="请输入密码" placeholder="请输入密码"
size="large" size="large"
prefix-icon="Lock"
show-password
/> />
</el-form-item> </a-form-item>
<el-form-item> <a-form-item>
<div class="form-actions"> <div class="form-actions">
<el-checkbox v-model="rememberMe">记住登录</el-checkbox> <a-checkbox v-model:checked="rememberMe">记住登录</a-checkbox>
<el-button type="primary" text>忘记密码</el-button> <a-button type="link" @click="$router.push('/forgot-password')">忘记密码</a-button>
</div> </div>
</el-form-item> </a-form-item>
<el-form-item> <a-form-item>
<el-button <a-button
html-type="submit"
type="primary" type="primary"
size="large" size="large"
block
:loading="loading" :loading="loading"
@click="handleLogin"
style="width: 100%"
> >
登录 登录
</el-button> </a-button>
</el-form-item> </a-form-item>
</el-form> </a-form>
<a-alert
type="info"
show-icon
message="登录后将自动恢复你的订单、积分与通知状态"
class="login-tip"
/>
<a-divider>其他登录方式</a-divider>
<div class="social-login">
<a-button class="wechat-btn" size="large" block :loading="wechatLoading" @click="handleWechatLogin">
<template #icon><WechatOutlined /></template>
微信登录
</a-button>
</div>
<div class="login-footer"> <div class="login-footer">
<span>还没有账号</span> <span>还没有账号</span>
<el-button type="primary" text @click="$router.push('/register')">立即注册</el-button> <a-button type="link" @click="$router.push('/register')">立即注册</a-button>
</div> </div>
<div class="demo-accounts"> </a-card>
<el-divider>演示账号</el-divider>
<div class="account-list">
<div class="account-item" @click="fillDemo('13800138000')">
<span>手机号13800138000</span>
<span>密码123456</span>
</div>
</div>
</div>
</div>
</div> </div>
</div> </div>
</template> </template>
<script setup> <script setup>
import { ref, reactive } from 'vue' import { reactive, ref } from 'vue'
import { useRouter, useRoute } from 'vue-router' import { useRouter, useRoute } from 'vue-router'
import { useUserStore } from '@/stores' import { useUserStore } from '@/stores'
import { ElMessage } from 'element-plus' import { wechatApi } from '@/service/apiService'
import { message } from 'ant-design-vue'
import { WechatOutlined } from '@ant-design/icons-vue'
const router = useRouter() const router = useRouter()
const route = useRoute() const route = useRoute()
@@ -75,6 +77,8 @@ const formRef = ref(null)
const loading = ref(false) const loading = ref(false)
const rememberMe = ref(false) const rememberMe = ref(false)
const wechatLoading = ref(false)
const form = reactive({ const form = reactive({
phone: '', phone: '',
password: '' password: ''
@@ -92,28 +96,41 @@ const rules = {
} }
const handleLogin = async () => { const handleLogin = async () => {
if (!formRef.value) return try {
await formRef.value?.validate()
} catch {
return
}
await formRef.value.validate(async (valid) => { loading.value = true
if (valid) { const result = await userStore.login(form.phone, form.password)
loading.value = true loading.value = false
const result = await userStore.login(form.phone, form.password)
loading.value = false
if (result.success) { if (result.success) {
ElMessage.success('登录成功') message.success('登录成功')
const redirect = route.query.redirect || '/' const raw = route.query.redirect
router.push(redirect) const redirect = (raw && raw.startsWith('/') && !raw.startsWith('//')) ? raw : '/'
} else { router.push(redirect)
ElMessage.error(result.message) } else {
} message.error(result.message)
} }
})
} }
const fillDemo = (phone) => { const handleWechatLogin = async () => {
form.phone = phone wechatLoading.value = true
form.password = '123456' try {
const result = await wechatApi.getAuthorizeUrl()
const url = result.data?.authorizeUrl
if (url) {
window.location.href = url
} else {
message.error('获取微信授权链接失败')
}
} catch (error) {
message.error('微信登录暂不可用')
} finally {
wechatLoading.value = false
}
} }
</script> </script>
@@ -125,69 +142,72 @@ const fillDemo = (phone) => {
justify-content: center; justify-content: center;
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%); background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
padding: 40px 20px; padding: 40px 20px;
}
.login-container { .login-container {
width: 100%; width: 100%;
max-width: 400px; max-width: 420px;
}
.login-card {
border-radius: 18px;
box-shadow: 0 20px 60px rgba(0, 0, 0, 0.2);
:deep(.ant-card-body) {
padding: 36px;
} }
.login-card { :deep(.ant-input-affix-wrapper),
background: #fff; :deep(.ant-input) {
border-radius: 12px; border-radius: 10px;
padding: 40px; }
box-shadow: 0 20px 60px rgba(0, 0, 0, 0.2);
.login-header { .login-header {
text-align: center; text-align: center;
margin-bottom: 30px; margin-bottom: 30px;
h2 { h2 {
font-size: 28px; font-size: 28px;
color: #303133; color: #303133;
margin-bottom: 8px; margin-bottom: 8px;
}
p {
color: #909399;
}
} }
.form-actions { p {
display: flex;
justify-content: space-between;
width: 100%;
}
.login-footer {
text-align: center;
margin-top: 20px;
color: #909399; color: #909399;
} }
}
.demo-accounts { .form-actions {
margin-top: 24px; display: flex;
justify-content: space-between;
width: 100%;
}
.account-list { .login-tip {
.account-item { margin-top: 8px;
display: flex; border-radius: 12px;
justify-content: space-between; }
padding: 12px;
background: #f5f7fa;
border-radius: 6px;
cursor: pointer;
transition: background 0.3s;
&:hover { .social-login {
background: #e6e8eb; margin-bottom: 16px;
}
span { .wechat-btn {
font-size: 13px; background: #07c160;
color: #606266; border-color: #07c160;
} color: #fff;
} border-radius: 10px;
&:hover {
background: #06ad56;
border-color: #06ad56;
} }
} }
} }
.login-footer {
text-align: center;
margin-top: 20px;
color: #909399;
}
} }
</style> </style>

40
openclaw-backend/openclaw-backend/pom.xml
View File

@@ -83,6 +83,12 @@
<scope>runtime</scope> <scope>runtime</scope>
</dependency> </dependency>
<!-- AOP (AspectJ) -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-aop</artifactId>
</dependency>
<!-- RabbitMQ --> <!-- RabbitMQ -->
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
@@ -108,6 +114,40 @@
<artifactId>jackson-datatype-jsr310</artifactId> <artifactId>jackson-datatype-jsr310</artifactId>
</dependency> </dependency>
<!-- SpringDoc OpenAPI (Swagger) -->
<dependency>
<groupId>org.springdoc</groupId>
<artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
<version>2.3.0</version>
</dependency>
<!-- Actuator 健康检查 -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<!-- 腾讯云短信 SDK -->
<dependency>
<groupId>com.tencentcloudapi</groupId>
<artifactId>tencentcloud-sdk-java-sms</artifactId>
<version>3.1.880</version>
</dependency>
<!-- 微信支付 V3 SDK -->
<dependency>
<groupId>com.github.wechatpay-apiv3</groupId>
<artifactId>wechatpay-java</artifactId>
<version>0.2.12</version>
</dependency>
<!-- 支付宝 SDK -->
<dependency>
<groupId>com.alipay.sdk</groupId>
<artifactId>alipay-sdk-java</artifactId>
<version>4.38.0.ALL</version>
</dependency>
<!-- Testing --> <!-- Testing -->
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>

5
openclaw-backend/openclaw-backend/src/main/java/com/openclaw/config/SecurityConfig.java
View File

@@ -25,7 +25,10 @@ public class SecurityConfig {
http http
.csrf(csrf -> csrf.disable()) .csrf(csrf -> csrf.disable())
.sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
.authorizeHttpRequests(auth -> auth.anyRequest().permitAll()); .authorizeHttpRequests(auth -> auth
.requestMatchers("/actuator/health").permitAll()
.requestMatchers("/actuator/**").denyAll()
.anyRequest().permitAll());
return http.build(); return http.build();
} }
} }

31
openclaw-backend/openclaw-backend/src/main/java/com/openclaw/config/WebMvcConfig.java
View File

@@ -1,6 +1,7 @@
package com.openclaw.config; package com.openclaw.config;
import com.openclaw.interceptor.AuthInterceptor; import com.openclaw.interceptor.AuthInterceptor;
import com.openclaw.interceptor.PermissionCheckInterceptor;
import com.openclaw.interceptor.RoleCheckInterceptor; import com.openclaw.interceptor.RoleCheckInterceptor;
import lombok.RequiredArgsConstructor; import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Configuration;
@@ -12,6 +13,17 @@ public class WebMvcConfig implements WebMvcConfigurer {
private final AuthInterceptor authInterceptor; private final AuthInterceptor authInterceptor;
private final RoleCheckInterceptor roleCheckInterceptor; private final RoleCheckInterceptor roleCheckInterceptor;
private final PermissionCheckInterceptor permissionCheckInterceptor;
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/api/**")
.allowedOriginPatterns("http://localhost:*", "https://*.openclaw.com")
.allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
.allowedHeaders("*")
.allowCredentials(true)
.maxAge(3600);
}
@Override @Override
public void addInterceptors(InterceptorRegistry registry) { public void addInterceptors(InterceptorRegistry registry) {
@@ -20,15 +32,30 @@ public class WebMvcConfig implements WebMvcConfigurer {
.excludePathPatterns( .excludePathPatterns(
"/api/v1/users/register", "/api/v1/users/register",
"/api/v1/users/login", "/api/v1/users/login",
"/api/v1/users/sms-code", "/api/v1/users/sms/code",
"/api/v1/users/password/reset", "/api/v1/users/password/reset",
"/api/v1/payments/callback/**", "/api/v1/payments/callback/**",
"/api/v1/wechat/authorize-url", // 微信授权URL公开
"/api/v1/wechat/login", // 微信扫码登录(公开)
"/api/v1/wechat/bind-phone", // 微信绑定手机号公开用bindTicket
"/api/v1/skills", // 公开浏览 "/api/v1/skills", // 公开浏览
"/api/v1/skills/{id}" // 公开详情 "/api/v1/skills/*", // 公开详情(通配符匹配)
"/api/v1/skills/*/reviews", // 评论列表(公开)
"/api/v1/categories", // 分类列表
"/api/v1/categories/*", // 分类详情
"/api/v1/customization/request", // 定制需求(游客可提交)
"/api/v1/stats/**", // 首页统计数据(公开)
"/api/v1/admin/login", // 管理员登录
"/api/v1/banners/active", // 公开Banner
"/api/v1/announcements/active" // 公开公告
); );
// 角色权限拦截器,在认证之后执行 // 角色权限拦截器,在认证之后执行
registry.addInterceptor(roleCheckInterceptor) registry.addInterceptor(roleCheckInterceptor)
.addPathPatterns("/api/**"); .addPathPatterns("/api/**");
// 细粒度权限拦截器,在角色拦截器之后执行
registry.addInterceptor(permissionCheckInterceptor)
.addPathPatterns("/api/**");
} }
} }

231
openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/admin/controller/AdminController.java Normal file
View File

@@ -0,0 +1,231 @@
package com.openclaw.module.admin.controller;
import com.baomidou.mybatisplus.core.metadata.IPage;
import com.openclaw.annotation.RequiresRole;
import com.openclaw.module.log.annotation.OpLog;
import com.openclaw.common.Result;
import com.openclaw.module.admin.dto.AdminLoginDTO;
import com.openclaw.module.admin.dto.AdminSkillCreateDTO;
import com.openclaw.module.admin.service.AdminService;
import com.openclaw.module.admin.vo.*;
import jakarta.validation.Valid;
import lombok.RequiredArgsConstructor;
import org.springframework.web.bind.annotation.*;
@RestController
@RequestMapping("/api/v1/admin")
@RequiredArgsConstructor
public class AdminController {
private final AdminService adminService;
// ==================== 登录(无需权限) ====================
@PostMapping("/login")
public Result<AdminLoginVO> login(@Valid @RequestBody AdminLoginDTO dto) {
return Result.ok(adminService.login(dto));
}
// ==================== Token 验证 ====================
@GetMapping("/verify-token")
@RequiresRole({"admin", "super_admin"})
public Result<Void> verifyToken() {
return Result.ok();
}
// ==================== Dashboard ====================
@GetMapping("/dashboard/stats")
@RequiresRole("super_admin")
public Result<DashboardStatsVO> getDashboardStats() {
return Result.ok(adminService.getDashboardStats());
}
// ==================== 用户管理 ====================
@GetMapping("/users")
@RequiresRole("super_admin")
public Result<IPage<AdminUserVO>> listUsers(
@RequestParam(required = false) String keyword,
@RequestParam(required = false) String status,
@RequestParam(required = false) String role,
@RequestParam(defaultValue = "1") int pageNum,
@RequestParam(defaultValue = "10") int pageSize) {
return Result.ok(adminService.listUsers(keyword, status, role, pageNum, pageSize));
}
@GetMapping("/users/{userId}")
@RequiresRole("super_admin")
public Result<AdminUserVO> getUserDetail(@PathVariable Long userId) {
return Result.ok(adminService.getUserDetail(userId));
}
@PostMapping("/users/{userId}/ban")
@RequiresRole("super_admin")
@OpLog(module = "user", action = "ban", description = "封禁用户", targetType = "user")
public Result<Void> banUser(@PathVariable Long userId, @RequestParam String reason) {
adminService.banUser(userId, reason);
return Result.ok();
}
@PostMapping("/users/{userId}/unban")
@RequiresRole("super_admin")
@OpLog(module = "user", action = "unban", description = "解禁用户", targetType = "user")
public Result<Void> unbanUser(@PathVariable Long userId) {
adminService.unbanUser(userId);
return Result.ok();
}
@PostMapping("/users/{userId}/role")
@RequiresRole("super_admin")
@OpLog(module = "user", action = "update", description = "修改用户角色", targetType = "user")
public Result<Void> changeUserRole(@PathVariable Long userId, @RequestParam String role) {
adminService.changeUserRole(userId, role);
return Result.ok();
}
// ==================== Skill管理 ====================
@GetMapping("/skills")
@RequiresRole("super_admin")
public Result<IPage<AdminSkillVO>> listSkills(
@RequestParam(required = false) String keyword,
@RequestParam(required = false) String status,
@RequestParam(required = false) Integer categoryId,
@RequestParam(defaultValue = "1") int pageNum,
@RequestParam(defaultValue = "10") int pageSize) {
return Result.ok(adminService.listSkills(keyword, status, categoryId, pageNum, pageSize));
}
@GetMapping("/skills/{skillId}")
@RequiresRole("super_admin")
public Result<AdminSkillVO> getSkillDetail(@PathVariable Long skillId) {
return Result.ok(adminService.getSkillDetail(skillId));
}
@PostMapping("/skills/{skillId}/audit")
@RequiresRole("super_admin")
@OpLog(module = "skill", action = "audit", description = "审核Skill", targetType = "skill")
public Result<Void> auditSkill(
@PathVariable Long skillId,
@RequestParam String action,
@RequestParam(required = false) String rejectReason) {
adminService.auditSkill(skillId, action, rejectReason);
return Result.ok();
}
@PostMapping("/skills/{skillId}/offline")
@RequiresRole("super_admin")
@OpLog(module = "skill", action = "offline", description = "下架Skill", targetType = "skill")
public Result<Void> offlineSkill(@PathVariable Long skillId) {
adminService.offlineSkill(skillId);
return Result.ok();
}
@PostMapping("/skills/{skillId}/featured")
@RequiresRole("super_admin")
@OpLog(module = "skill", action = "update", description = "切换精选状态", targetType = "skill")
public Result<Void> toggleFeatured(@PathVariable Long skillId) {
adminService.toggleFeatured(skillId);
return Result.ok();
}
@PostMapping("/skills/create")
@RequiresRole("super_admin")
@OpLog(module = "skill", action = "create", description = "后台创建Skill", targetType = "skill")
public Result<AdminSkillVO> createSkill(
@RequestAttribute("userId") Long adminUserId,
@Valid @RequestBody AdminSkillCreateDTO dto) {
return Result.ok(adminService.createSkill(adminUserId, dto));
}
// ==================== 订单管理 ====================
@GetMapping("/orders")
@RequiresRole("super_admin")
public Result<IPage<AdminOrderVO>> listOrders(
@RequestParam(required = false) String keyword,
@RequestParam(required = false) String status,
@RequestParam(defaultValue = "1") int pageNum,
@RequestParam(defaultValue = "10") int pageSize) {
return Result.ok(adminService.listOrders(keyword, status, pageNum, pageSize));
}
@GetMapping("/orders/{orderId}")
@RequiresRole("super_admin")
public Result<AdminOrderVO> getOrderDetail(@PathVariable Long orderId) {
return Result.ok(adminService.getOrderDetail(orderId));
}
// ==================== 退款管理 ====================
@GetMapping("/refunds")
@RequiresRole("super_admin")
public Result<IPage<AdminRefundVO>> listRefunds(
@RequestParam(required = false) String keyword,
@RequestParam(required = false) String status,
@RequestParam(defaultValue = "1") int pageNum,
@RequestParam(defaultValue = "10") int pageSize) {
return Result.ok(adminService.listRefunds(keyword, status, pageNum, pageSize));
}
@PostMapping("/refunds/{refundId}/approve")
@RequiresRole("super_admin")
@OpLog(module = "order", action = "approve", description = "审批退款", targetType = "refund")
public Result<Void> approveRefund(@PathVariable Long refundId) {
adminService.approveRefund(refundId);
return Result.ok();
}
@PostMapping("/refunds/{refundId}/reject")
@RequiresRole("super_admin")
@OpLog(module = "order", action = "reject", description = "拒绝退款", targetType = "refund")
public Result<Void> rejectRefund(@PathVariable Long refundId, @RequestParam String rejectReason) {
adminService.rejectRefund(refundId, rejectReason);
return Result.ok();
}
// ==================== 评论管理 ====================
@GetMapping("/comments")
@RequiresRole("super_admin")
public Result<IPage<AdminCommentVO>> listComments(
@RequestParam(required = false) String keyword,
@RequestParam(required = false) Long skillId,
@RequestParam(defaultValue = "1") int pageNum,
@RequestParam(defaultValue = "10") int pageSize) {
return Result.ok(adminService.listComments(keyword, skillId, pageNum, pageSize));
}
@DeleteMapping("/comments/{commentId}")
@RequiresRole("super_admin")
@OpLog(module = "content", action = "delete", description = "删除评论", targetType = "comment")
public Result<Void> deleteComment(@PathVariable Long commentId) {
adminService.deleteComment(commentId);
return Result.ok();
}
// ==================== 积分管理 ====================
@GetMapping("/points/records")
@RequiresRole("super_admin")
public Result<IPage<AdminPointsRecordVO>> listPointsRecords(
@RequestParam(required = false) Long userId,
@RequestParam(required = false) String pointsType,
@RequestParam(defaultValue = "1") int pageNum,
@RequestParam(defaultValue = "10") int pageSize) {
return Result.ok(adminService.listPointsRecords(userId, pointsType, pageNum, pageSize));
}
@PostMapping("/points/adjust")
@RequiresRole("super_admin")
@OpLog(module = "points", action = "adjust", description = "手动调整积分", targetType = "user")
public Result<Void> adjustPoints(
@RequestParam Long userId,
@RequestParam int amount,
@RequestParam String reason) {
adminService.adjustPoints(userId, amount, reason);
return Result.ok();
}
}

112
openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/common/controller/FileUploadController.java Normal file
View File

@@ -0,0 +1,112 @@
package com.openclaw.module.common.controller;
import com.openclaw.annotation.RequiresRole;
import com.openclaw.common.Result;
import com.openclaw.util.UserContext;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.multipart.MultipartFile;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
@Slf4j
@RestController
@RequestMapping("/api/v1/upload")
@RequiresRole("user")
public class FileUploadController {
@Value("${upload.path:./uploads}")
private String uploadPath;
@Value("${upload.base-url:http://localhost:8080/uploads}")
private String baseUrl;
/** 允许的文件扩展名白名单 */
private static final Set<String> ALLOWED_EXTENSIONS = Set.of(
".jpg", ".jpeg", ".png", ".gif", ".webp", ".bmp", ".pdf"
);
/** 允许的MIME类型白名单 */
private static final Set<String> ALLOWED_MIME_TYPES = Set.of(
"image/jpeg", "image/png", "image/gif", "image/webp", "image/bmp", "application/pdf"
);
/** 允许的上传类型(防止路径遍历) */
private static final Set<String> ALLOWED_UPLOAD_TYPES = Set.of(
"avatar", "skill", "review", "invoice", "refund", "banner", "announcement"
);
/**
* 上传头像
*/
@PostMapping("/avatar")
public Result<Map<String, String>> uploadAvatar(@RequestParam("file") MultipartFile file) throws IOException {
Long userId = UserContext.getUserId();
return handleUpload(file, "avatar", userId);
}
/**
* 通用文件上传(需登录)
*/
@PostMapping("/{type}")
public Result<Map<String, String>> uploadFile(@PathVariable String type,
@RequestParam("file") MultipartFile file) throws IOException {
Long userId = UserContext.getUserId();
return handleUpload(file, type, userId);
}
private Result<Map<String, String>> handleUpload(MultipartFile file, String type, Long userId) throws IOException {
if (file.isEmpty()) {
return Result.fail(400, "文件不能为空");
}
// 校验上传类型(防止路径遍历)
if (!ALLOWED_UPLOAD_TYPES.contains(type)) {
return Result.fail(400, "不支持的上传类型: " + type);
}
// 限制文件大小 (5MB)
if (file.getSize() > 5 * 1024 * 1024) {
return Result.fail(400, "文件大小不能超过5MB");
}
// 校验文件扩展名
String originalName = file.getOriginalFilename();
String ext = "";
if (originalName != null && originalName.contains(".")) {
ext = originalName.substring(originalName.lastIndexOf(".")).toLowerCase();
}
if (ext.isEmpty() || !ALLOWED_EXTENSIONS.contains(ext)) {
return Result.fail(400, "不支持的文件类型,仅允许: jpg/jpeg/png/gif/webp/bmp/pdf");
}
// 校验MIME类型
String contentType = file.getContentType();
if (contentType == null || !ALLOWED_MIME_TYPES.contains(contentType.toLowerCase())) {
return Result.fail(400, "文件MIME类型不合法");
}
String storedName = UUID.randomUUID().toString() + ext;
Path dir = Paths.get(uploadPath, type);
Files.createDirectories(dir);
Path filePath = dir.resolve(storedName);
file.transferTo(filePath.toFile());
String fileUrl = baseUrl + "/" + type + "/" + storedName;
Map<String, String> result = new HashMap<>();
result.put("url", fileUrl);
result.put("originalName", originalName);
log.info("文件上传成功: type={}, userId={}, url={}", type, userId, fileUrl);
return Result.ok(result);
}
}

32
openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/customization/controller/CustomizationController.java Normal file
View File

@@ -0,0 +1,32 @@
package com.openclaw.module.customization.controller;
import com.openclaw.common.Result;
import com.openclaw.module.customization.dto.CustomizationRequestDTO;
import com.openclaw.module.customization.service.CustomizationRequestService;
import com.openclaw.util.UserContext;
import jakarta.validation.Valid;
import lombok.RequiredArgsConstructor;
import org.springframework.web.bind.annotation.*;
@RestController
@RequestMapping("/api/v1/customization")
@RequiredArgsConstructor
public class CustomizationController {
private final CustomizationRequestService customizationRequestService;
/**
* 提交定制需求(公开接口,游客可提交,建议配合网关层频率限制)
*/
@PostMapping("/request")
public Result<Void> submitRequest(@Valid @RequestBody CustomizationRequestDTO dto) {
Long userId = null;
try {
userId = UserContext.getUserId();
} catch (Exception ignored) {
// 游客也可以提交定制需求
}
customizationRequestService.submitRequest(userId, dto);
return Result.ok();
}
}

14
openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/order/repository/OrderRepository.java
View File

@@ -2,6 +2,20 @@ package com.openclaw.module.order.repository;
import com.baomidou.mybatisplus.core.mapper.BaseMapper; import com.baomidou.mybatisplus.core.mapper.BaseMapper;
import com.openclaw.module.order.entity.Order; import com.openclaw.module.order.entity.Order;
import org.apache.ibatis.annotations.Mapper;
import org.apache.ibatis.annotations.Param;
import org.apache.ibatis.annotations.Select;
import org.apache.ibatis.annotations.Update;
import java.math.BigDecimal;
import java.time.LocalDateTime;
@Mapper
public interface OrderRepository extends BaseMapper<Order> { public interface OrderRepository extends BaseMapper<Order> {
@Select("SELECT COALESCE(SUM(cash_amount), 0) FROM orders WHERE status IN ('paid', 'completed')")
BigDecimal sumTotalRevenue();
/** CAS方式更新订单状态幂等性保护返回受影响行数 */
@Update("UPDATE orders SET status = #{newStatus}, paid_at = #{paidAt}, updated_at = NOW() WHERE id = #{orderId} AND status = #{expectedStatus} AND deleted = 0")
int casUpdateStatus(@Param("orderId") Long orderId, @Param("expectedStatus") String expectedStatus, @Param("newStatus") String newStatus, @Param("paidAt") LocalDateTime paidAt);
} }

176
openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/order/service/impl/OrderServiceImpl.java
View File

@@ -25,8 +25,10 @@ import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional; import org.springframework.transaction.annotation.Transactional;
import java.math.BigDecimal; import java.math.BigDecimal;
import java.math.RoundingMode;
import java.time.LocalDateTime; import java.time.LocalDateTime;
import java.util.List; import java.util.List;
import java.util.Map;
import java.util.stream.Collectors; import java.util.stream.Collectors;
@Slf4j @Slf4j
@@ -34,6 +36,8 @@ import java.util.stream.Collectors;
@RequiredArgsConstructor @RequiredArgsConstructor
public class OrderServiceImpl implements OrderService { public class OrderServiceImpl implements OrderService {
private static final int POINTS_RATE = 100; // 100积分=1元
private final OrderRepository orderRepo; private final OrderRepository orderRepo;
private final OrderItemRepository orderItemRepo; private final OrderItemRepository orderItemRepo;
private final OrderRefundRepository refundRepo; private final OrderRefundRepository refundRepo;
@@ -43,6 +47,54 @@ public class OrderServiceImpl implements OrderService {
private final IdGenerator idGenerator; private final IdGenerator idGenerator;
private final RabbitTemplate rabbitTemplate; private final RabbitTemplate rabbitTemplate;
@Override
public OrderPreviewVO previewOrder(Long userId, List<Long> skillIds, Integer pointsToUse) {
// 1. 查询 Skill 价格
List<Skill> skills = skillRepo.selectBatchIds(skillIds);
if (skills.isEmpty()) throw new BusinessException(ErrorCode.SKILL_NOT_FOUND);
BigDecimal totalAmount = skills.stream()
.map(Skill::getPrice)
.reduce(BigDecimal.ZERO, BigDecimal::add);
// 2. 查询用户积分余额
int availablePoints = pointsService.getBalance(userId).getAvailablePoints();
// 3. 计算最大可用积分
int maxPoints = totalAmount.multiply(BigDecimal.valueOf(POINTS_RATE)).intValue();
maxPoints = Math.min(maxPoints, availablePoints);
// 4. 校正 pointsToUse
if (pointsToUse == null) pointsToUse = 0;
pointsToUse = Math.min(Math.max(pointsToUse, 0), maxPoints);
// 5. 计算抵扣金额
BigDecimal deduct = BigDecimal.valueOf(pointsToUse)
.divide(BigDecimal.valueOf(POINTS_RATE), 2, RoundingMode.DOWN);
BigDecimal cash = totalAmount.subtract(deduct).max(BigDecimal.ZERO);
// 6. 组装返回
OrderPreviewVO vo = new OrderPreviewVO();
vo.setItems(skills.stream().map(s -> {
OrderItemVO item = new OrderItemVO();
item.setSkillId(s.getId());
item.setSkillName(s.getName());
item.setSkillCover(s.getCoverImageUrl());
item.setUnitPrice(s.getPrice());
item.setQuantity(1);
item.setTotalPrice(s.getPrice());
return item;
}).collect(Collectors.toList()));
vo.setTotalAmount(totalAmount);
vo.setPointsToUse(pointsToUse);
vo.setPointsDeductAmount(deduct);
vo.setCashAmount(cash);
vo.setAvailablePoints(availablePoints);
vo.setMaxPointsCanUse(maxPoints);
vo.setPointsRate(POINTS_RATE);
return vo;
}
@Override @Override
@Transactional @Transactional
public OrderVO createOrder(Long userId, OrderCreateDTO dto) { public OrderVO createOrder(Long userId, OrderCreateDTO dto) {
@@ -50,23 +102,42 @@ public class OrderServiceImpl implements OrderService {
List<Skill> skills = skillRepo.selectBatchIds(dto.getSkillIds()); List<Skill> skills = skillRepo.selectBatchIds(dto.getSkillIds());
if (skills.isEmpty()) throw new BusinessException(ErrorCode.SKILL_NOT_FOUND); if (skills.isEmpty()) throw new BusinessException(ErrorCode.SKILL_NOT_FOUND);
// 1.1 校验是否已拥有(防止重复购买)
for (Skill skill : skills) {
if (skillService.hasOwned(userId, skill.getId())) {
throw new BusinessException(ErrorCode.SKILL_ALREADY_OWNED);
}
}
// 2. 计算总金额 // 2. 计算总金额
BigDecimal totalAmount = skills.stream() BigDecimal totalAmount = skills.stream()
.map(Skill::getPrice) .map(Skill::getPrice)
.reduce(BigDecimal.ZERO, BigDecimal::add); .reduce(BigDecimal.ZERO, BigDecimal::add);
// 3. 处理积分抵扣 // 3. 处理积分抵扣(校正上限,防止超额消耗)
int pointsToUse = dto.getPointsToUse() != null ? dto.getPointsToUse() : 0; int pointsToUse = dto.getPointsToUse() != null ? dto.getPointsToUse() : 0;
if (pointsToUse > 0) { if (pointsToUse > 0) {
if (!pointsService.hasEnoughPoints(userId, pointsToUse)) { int maxPoints = totalAmount.multiply(BigDecimal.valueOf(POINTS_RATE)).intValue();
int availablePoints = pointsService.getBalance(userId).getAvailablePoints();
maxPoints = Math.min(maxPoints, availablePoints);
pointsToUse = Math.min(Math.max(pointsToUse, 0), maxPoints);
if (pointsToUse > 0 && !pointsService.hasEnoughPoints(userId, pointsToUse)) {
throw new BusinessException(ErrorCode.POINTS_NOT_ENOUGH); throw new BusinessException(ErrorCode.POINTS_NOT_ENOUGH);
} }
} }
// 4. 计算现金金额 // 4. 计算现金金额修复BigDecimal除法精度
BigDecimal pointsDeductAmount = BigDecimal.valueOf(pointsToUse).divide(BigDecimal.valueOf(100)); BigDecimal pointsDeductAmount = BigDecimal.valueOf(pointsToUse)
BigDecimal cashAmount = totalAmount.subtract(pointsDeductAmount); .divide(BigDecimal.valueOf(POINTS_RATE), 2, RoundingMode.DOWN);
if (cashAmount.compareTo(BigDecimal.ZERO) < 0) cashAmount = BigDecimal.ZERO; BigDecimal cashAmount = totalAmount.subtract(pointsDeductAmount).max(BigDecimal.ZERO);
// 4.1 自动判定支付方式
String paymentMethod = dto.getPaymentMethod();
if (cashAmount.compareTo(BigDecimal.ZERO) == 0 && pointsToUse > 0) {
paymentMethod = "points";
} else if (pointsToUse > 0 && cashAmount.compareTo(BigDecimal.ZERO) > 0) {
paymentMethod = "mixed";
}
// 5. 创建订单 // 5. 创建订单
Order order = new Order(); Order order = new Order();
@@ -77,7 +148,7 @@ public class OrderServiceImpl implements OrderService {
order.setPointsUsed(pointsToUse); order.setPointsUsed(pointsToUse);
order.setPointsDeductAmount(pointsDeductAmount); order.setPointsDeductAmount(pointsDeductAmount);
order.setStatus("pending"); order.setStatus("pending");
order.setPaymentMethod(dto.getPaymentMethod()); order.setPaymentMethod(paymentMethod);
order.setExpiredAt(LocalDateTime.now().plusHours(1)); order.setExpiredAt(LocalDateTime.now().plusHours(1));
orderRepo.insert(order); orderRepo.insert(order);
@@ -99,10 +170,24 @@ public class OrderServiceImpl implements OrderService {
pointsService.freezePoints(userId, pointsToUse, order.getId()); pointsService.freezePoints(userId, pointsToUse, order.getId());
} }
// 8. 发送订单超时延迟消息1小时后自动取消 // 8. 纯积分支付:直接扣减冻结积分并完成订单
if (cashAmount.compareTo(BigDecimal.ZERO) == 0 && pointsToUse > 0) {
pointsService.consumeFrozenPoints(userId, pointsToUse, order.getId());
order.setStatus("completed");
order.setPaidAt(LocalDateTime.now());
orderRepo.updateById(order);
// 发放 Skill 访问权限
for (Skill skill : skills) {
skillService.grantAccess(userId, skill.getId(), order.getId(), "points");
}
log.info("纯积分订单直接完成: orderId={}, points={}", order.getId(), pointsToUse);
return toVO(order, skills);
}
// 9. 非纯积分发送订单超时延迟消息1小时后自动取消
try { try {
OrderTimeoutEvent timeoutEvent = new OrderTimeoutEvent(order.getId(), userId, order.getOrderNo()); OrderTimeoutEvent timeoutEvent = new OrderTimeoutEvent(order.getId(), userId, order.getOrderNo());
rabbitTemplate.convertAndSend(MQConstants.EXCHANGE_DELAY_DLX, MQConstants.RK_DELAY_ORDER_TIMEOUT, timeoutEvent); rabbitTemplate.convertAndSend(MQConstants.EXCHANGE_TOPIC, "delay.order.create", timeoutEvent);
log.info("[MQ] 发送订单超时延迟消息: orderId={}, orderNo={}", order.getId(), order.getOrderNo()); log.info("[MQ] 发送订单超时延迟消息: orderId={}, orderNo={}", order.getId(), order.getOrderNo());
} catch (Exception e) { } catch (Exception e) {
log.error("[MQ] 发送订单超时延迟消息失败: orderId={}", order.getId(), e); log.error("[MQ] 发送订单超时延迟消息失败: orderId={}", order.getId(), e);
@@ -119,10 +204,7 @@ public class OrderServiceImpl implements OrderService {
} }
List<OrderItem> items = orderItemRepo.selectList( List<OrderItem> items = orderItemRepo.selectList(
new LambdaQueryWrapper<OrderItem>().eq(OrderItem::getOrderId, orderId)); new LambdaQueryWrapper<OrderItem>().eq(OrderItem::getOrderId, orderId));
List<Skill> skills = items.stream() return toVOFromItems(order, items);
.map(item -> skillRepo.selectById(item.getSkillId()))
.collect(Collectors.toList());
return toVO(order, skills);
} }
@Override @Override
@@ -132,13 +214,22 @@ public class OrderServiceImpl implements OrderService {
new LambdaQueryWrapper<Order>() new LambdaQueryWrapper<Order>()
.eq(Order::getUserId, userId) .eq(Order::getUserId, userId)
.orderByDesc(Order::getCreatedAt)); .orderByDesc(Order::getCreatedAt));
// 批量查询所有订单项1次IN查询代替N次逐条查询
List<Long> orderIds = page.getRecords().stream()
.map(Order::getId).collect(Collectors.toList());
Map<Long, List<OrderItem>> itemsMap;
if (!orderIds.isEmpty()) {
List<OrderItem> allItems = orderItemRepo.selectList(
new LambdaQueryWrapper<OrderItem>().in(OrderItem::getOrderId, orderIds));
itemsMap = allItems.stream().collect(Collectors.groupingBy(OrderItem::getOrderId));
} else {
itemsMap = java.util.Collections.emptyMap();
}
return page.convert(order -> { return page.convert(order -> {
List<OrderItem> items = orderItemRepo.selectList( List<OrderItem> items = itemsMap.getOrDefault(order.getId(), java.util.Collections.emptyList());
new LambdaQueryWrapper<OrderItem>().eq(OrderItem::getOrderId, order.getId())); return toVOFromItems(order, items);
List<Skill> skills = items.stream()
.map(item -> skillRepo.selectById(item.getSkillId()))
.collect(Collectors.toList());
return toVO(order, skills);
}); });
} }
@@ -152,9 +243,14 @@ public class OrderServiceImpl implements OrderService {
if (!"pending".equals(order.getStatus())) { if (!"pending".equals(order.getStatus())) {
throw new BusinessException(ErrorCode.ORDER_STATUS_ERROR); throw new BusinessException(ErrorCode.ORDER_STATUS_ERROR);
} }
// CAS更新防止并发重复支付
LocalDateTime now = LocalDateTime.now();
int rows = orderRepo.casUpdateStatus(orderId, "pending", "paid", now);
if (rows == 0) {
throw new BusinessException(ErrorCode.ORDER_STATUS_ERROR);
}
order.setStatus("paid"); order.setStatus("paid");
order.setPaidAt(LocalDateTime.now()); order.setPaidAt(now);
orderRepo.updateById(order);
// 发布订单支付成功事件异步发放Skill访问权限 // 发布订单支付成功事件异步发放Skill访问权限
try { try {
@@ -166,8 +262,15 @@ public class OrderServiceImpl implements OrderService {
List<OrderItem> items = orderItemRepo.selectList( List<OrderItem> items = orderItemRepo.selectList(
new LambdaQueryWrapper<OrderItem>().eq(OrderItem::getOrderId, orderId)); new LambdaQueryWrapper<OrderItem>().eq(OrderItem::getOrderId, orderId));
for (OrderItem item : items) { for (OrderItem item : items) {
skillService.grantAccess(userId, item.getSkillId(), orderId, "purchase"); skillService.grantAccess(userId, item.getSkillId(), orderId, "paid");
} }
// MQ 失败降级:同步消费冻结积分
if (order.getPointsUsed() != null && order.getPointsUsed() > 0) {
pointsService.consumeFrozenPoints(userId, order.getPointsUsed(), orderId);
}
// MQ 失败降级:同步完成订单状态转换
order.setStatus("completed");
orderRepo.updateById(order);
} }
} }
@@ -186,7 +289,7 @@ public class OrderServiceImpl implements OrderService {
orderRepo.updateById(order); orderRepo.updateById(order);
// 解冻积分 // 解冻积分
if (order.getPointsUsed() > 0) { if (order.getPointsUsed() != null && order.getPointsUsed() > 0) {
pointsService.unfreezePoints(userId, order.getPointsUsed(), orderId); pointsService.unfreezePoints(userId, order.getPointsUsed(), orderId);
} }
@@ -252,6 +355,33 @@ public class OrderServiceImpl implements OrderService {
return vo; return vo;
} }
/** 使用OrderItem快照数据构建VO避免N+1查询Skill表 */
private OrderVO toVOFromItems(Order order, List<OrderItem> items) {
OrderVO vo = new OrderVO();
vo.setId(order.getId());
vo.setOrderNo(order.getOrderNo());
vo.setTotalAmount(order.getTotalAmount());
vo.setCashAmount(order.getCashAmount());
vo.setPointsUsed(order.getPointsUsed());
vo.setPointsDeductAmount(order.getPointsDeductAmount());
vo.setStatus(order.getStatus());
vo.setStatusLabel(getStatusLabel(order.getStatus()));
vo.setPaymentMethod(order.getPaymentMethod());
vo.setCreatedAt(order.getCreatedAt());
vo.setPaidAt(order.getPaidAt());
vo.setItems(items.stream().map(oi -> {
OrderItemVO item = new OrderItemVO();
item.setSkillId(oi.getSkillId());
item.setSkillName(oi.getSkillName());
item.setSkillCover(oi.getSkillCover());
item.setUnitPrice(oi.getUnitPrice());
item.setQuantity(oi.getQuantity());
item.setTotalPrice(oi.getTotalPrice());
return item;
}).collect(Collectors.toList()));
return vo;
}
private String getStatusLabel(String status) { private String getStatusLabel(String status) {
return switch (status) { return switch (status) {
case "pending" -> "待支付"; case "pending" -> "待支付";

47
openclaw-backend/openclaw-backend/src/main/java/com/openclaw/module/user/controller/UserController.java
View File

@@ -6,6 +6,7 @@ import com.openclaw.module.user.service.UserService;
import com.openclaw.annotation.RequiresRole; import com.openclaw.annotation.RequiresRole;
import com.openclaw.util.UserContext; import com.openclaw.util.UserContext;
import com.openclaw.module.user.vo.*; import com.openclaw.module.user.vo.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.validation.Valid; import jakarta.validation.Valid;
import lombok.RequiredArgsConstructor; import lombok.RequiredArgsConstructor;
import org.springframework.web.bind.annotation.*; import org.springframework.web.bind.annotation.*;
@@ -18,12 +19,30 @@ public class UserController {
private final UserService userService; private final UserService userService;
/** 发送短信验证码(注册/找回密码用) */ /** 发送短信验证码(注册/找回密码用) */
@PostMapping("/sms-code") @PostMapping("/sms/code")
public Result<Void> sendSmsCode(@RequestParam String phone) { public Result<Void> sendSmsCode(@Valid @RequestBody SmsCodeDTO dto, HttpServletRequest request) {
userService.sendSmsCode(phone); String ip = getClientIp(request);
userService.sendSmsCode(dto.getPhone(), ip);
return Result.ok(); return Result.ok();
} }
private String getClientIp(HttpServletRequest request) {
// 优先取 X-Real-IP由反向代理设置不可被客户端伪造
String ip = request.getHeader("X-Real-IP");
if (ip == null || ip.isEmpty() || "unknown".equalsIgnoreCase(ip)) {
ip = request.getHeader("X-Forwarded-For");
if (ip != null && ip.contains(",")) {
// 取最后一个IP最近一跳代理添加的相对可信
String[] parts = ip.split(",");
ip = parts[parts.length - 1].trim();
}
}
if (ip == null || ip.isEmpty() || "unknown".equalsIgnoreCase(ip)) {
ip = request.getRemoteAddr();
}
return ip;
}
/** 用户注册 */ /** 用户注册 */
@PostMapping("/register") @PostMapping("/register")
public Result<LoginVO> register(@Valid @RequestBody UserRegisterDTO dto) { public Result<LoginVO> register(@Valid @RequestBody UserRegisterDTO dto) {
@@ -55,27 +74,29 @@ public class UserController {
/** 更新个人信息 */ /** 更新个人信息 */
@RequiresRole("user") @RequiresRole("user")
@PutMapping("/profile") @PutMapping("/profile")
public Result<UserVO> updateProfile(@RequestBody UserUpdateDTO dto) { public Result<UserVO> updateProfile(@Valid @RequestBody UserUpdateDTO dto) {
return Result.ok(userService.updateProfile(UserContext.getUserId(), dto)); return Result.ok(userService.updateProfile(UserContext.getUserId(), dto));
} }
@RequiresRole("user")
@PutMapping("/phone")
public Result<Void> changePhone(@Valid @RequestBody ChangePhoneDTO dto) {
userService.changePhone(UserContext.getUserId(), dto);
return Result.ok();
}
/** 修改密码 */ /** 修改密码 */
@RequiresRole("user") @RequiresRole("user")
@PutMapping("/password") @PutMapping("/password")
public Result<Void> changePassword( public Result<Void> changePassword(@Valid @RequestBody ChangePasswordDTO dto) {
@RequestParam String oldPassword, userService.changePassword(UserContext.getUserId(), dto.getOldPassword(), dto.getNewPassword());
@RequestParam String newPassword) {
userService.changePassword(UserContext.getUserId(), oldPassword, newPassword);
return Result.ok(); return Result.ok();
} }
/** 忘记密码 - 重置 */ /** 忘记密码 - 重置 */
@PostMapping("/password/reset") @PostMapping("/password/reset")
public Result<Void> resetPassword( public Result<Void> resetPassword(@Valid @RequestBody ResetPasswordDTO dto) {
@RequestParam String phone, userService.resetPassword(dto.getPhone(), dto.getSmsCode(), dto.getNewPassword());
@RequestParam String smsCode,
@RequestParam String newPassword) {
userService.resetPassword(phone, smsCode, newPassword);
return Result.ok(); return Result.ok();
} }
} }

85
openclaw-backend/openclaw-backend/src/main/resources/application.yml
View File

@@ -7,7 +7,7 @@ spring:
datasource: datasource:
url: jdbc:mysql://localhost:3306/openclaw?useSSL=false&serverTimezone=Asia/Shanghai&allowPublicKeyRetrieval=true url: jdbc:mysql://localhost:3306/openclaw?useSSL=false&serverTimezone=Asia/Shanghai&allowPublicKeyRetrieval=true
username: root username: root
password: root password: ${DB_PASSWORD:177615}
driver-class-name: com.mysql.cj.jdbc.Driver driver-class-name: com.mysql.cj.jdbc.Driver
rabbitmq: rabbitmq:
host: localhost host: localhost
@@ -44,12 +44,12 @@ mybatis-plus:
log-impl: org.apache.ibatis.logging.stdout.StdOutImpl log-impl: org.apache.ibatis.logging.stdout.StdOutImpl
global-config: global-config:
db-config: db-config:
logic-delete-field: deletedAt logic-delete-field: deleted
logic-delete-value: "now()" logic-delete-value: 1
logic-not-delete-value: "null" logic-not-delete-value: 0
jwt: jwt:
secret: change-this-to-a-256-bit-random-secret-key-for-production secret: ${JWT_SECRET:change-this-to-a-256-bit-random-secret-key-for-production}
expire-ms: 86400000 expire-ms: 86400000
invite: invite:
@@ -69,3 +69,78 @@ recharge:
bonusPoints: 800 bonusPoints: 800
- amount: 1000 - amount: 1000
bonusPoints: 2000 bonusPoints: 2000
# SpringDoc OpenAPI生产环境应设为 false 关闭)
springdoc:
api-docs:
path: /v3/api-docs
enabled: ${SWAGGER_ENABLED:true}
swagger-ui:
path: /swagger-ui.html
tags-sorter: alpha
operations-sorter: alpha
enabled: ${SWAGGER_ENABLED:true}
# Actuator 健康检查(仅暴露 health 端点,生产环境禁止暴露 env/metrics/info
management:
endpoints:
web:
exposure:
include: health
endpoint:
health:
show-details: never
env:
enabled: false
configprops:
enabled: false
beans:
enabled: false
info:
app:
name: OpenClaw Backend
version: 1.0.0
# 腾讯云短信配置
tencent:
sms:
secret-id: ${SMS_SECRET_ID:}
secret-key: ${SMS_SECRET_KEY:}
sdk-app-id: "1401097910"
sign-name: openclaw
template-id: "2612136"
enabled: ${SMS_ENABLED:false} # 已启用真实短信发送
# 微信开放平台(扫码登录)
wechat:
open:
app-id: ${WX_OPEN_APP_ID:your-open-app-id}
app-secret: ${WX_OPEN_APP_SECRET:your-open-app-secret}
redirect-uri: ${WX_OPEN_REDIRECT_URI:http://localhost:5173/auth/wechat/callback}
enabled: ${WX_OPEN_ENABLED:false}
# 微信支付 V3 配置
pay:
app-id: your-app-id
mch-id: your-mch-id
api-v3-key: your-api-v3-key
private-key-path: /path/to/apiclient_key.pem
serial-number: your-certificate-serial-number
notify-url: https://your-domain.com/api/v1/payments/callback/wechat
enabled: false # 设为true启用微信支付
# 支付宝配置
alipay:
app-id: your-app-id
private-key: your-private-key
alipay-public-key: your-alipay-public-key
server-url: https://openapi.alipay.com/gateway.do
notify-url: https://your-domain.com/api/v1/payments/callback/alipay
return-url: https://your-domain.com/payment/result
enabled: false # 设为true启用支付宝支付
# 管理员账号(明文密码,启动时自动 BCrypt 编码;也支持直接配置 BCrypt hash
admin:
username: ${ADMIN_USERNAME:15538239326}
password: ${ADMIN_PASSWORD:jsx030627}

363
全面代码审计报告_2026-03-19.md Normal file
View File

@@ -0,0 +1,363 @@
# OpenClaw Skills 数字员工平台 — 全面代码审计报告
**审计日期**: 2026-03-19
**审计范围**: 前端 (Vue3 + Vite) + 后端 (Spring Boot 3.2 + MyBatis-Plus)
**审计维度**: 安全性、架构设计、代码质量、性能、业务逻辑
---
## 一、项目概况
### 1.1 技术栈
| 层级 | 技术 |
|------|------|
| 前端框架 | Vue 3.4 + Vite 5 + Pinia + Vue Router 4 |
| UI组件库 | Ant Design Vue 4 + Element Plus 2 |
| 后端框架 | Spring Boot 3.2 + Spring Security + MyBatis-Plus 3.5 |
| 数据库 | MySQL + Redis |
| 消息队列 | RabbitMQ |
| 支付 | 微信支付V3 + 支付宝 |
| 短信 | 腾讯云SMS |
| 认证 | JWT (jjwt 0.11.5) |
| API文档 | SpringDoc OpenAPI 2.3 |
### 1.2 功能模块完成度
| 模块 | 前端页面 | 后端API | 状态 |
|------|----------|---------|------|
| 用户注册/登录/找回密码 | ✅ | ✅ | 已完成 |
| 微信扫码登录 | ✅ | ✅ | 已完成 |
| 个人中心(资料/订单/积分/发票/邀请/通知/设置) | ✅ | ✅ | 已完成 |
| Skill商城(列表/搜索/详情/排行) | ✅ | ✅ | 已完成 |
| 订单系统(预览/创建/支付/取消/退款) | ✅ | ✅ | 已完成 |
| 积分系统(余额/签到/加群/充值/FIFO过期) | ✅ | ✅ | 已完成 |
| 混合支付(积分+现金) | ✅ | ✅ | 已完成 |
| 支付回调(微信V3+支付宝) | N/A | ✅ | 已完成 |
| 邀请好友 | ✅ | ✅ | 已完成 |
| 管理后台(14个管理页面) | ✅ | ✅ | 已完成 |
| RBAC角色权限 | ✅ | ✅ | 已完成 |
| 操作日志 | ✅ | ✅ | 已完成 |
| Banner/公告管理 | ✅ | ✅ | 已完成 |
| 发票管理 | ✅ | ✅ | 已完成 |
| 文件上传 | ✅ | ✅ | 已完成 |
| 定制需求 | ✅ | ✅ | 已完成 |
| 开发者申请 | ✅ | ✅ | 已完成 |
| MQ异步事件(7个事件消费者) | N/A | ✅ | 已完成 |
| 系统配置管理 | ✅(UI) | ❌ | 未实现(前端已有占位) |
**总体进度评估**: 约 **90%+** 功能已完成,架构完整,前后端对接完善。
---
## 二、安全审计 (Security Audit)
### 🔴 严重 (Critical)
#### S1. 文件上传无类型白名单校验 — 任意文件上传漏洞
**文件**: `FileUploadController.java:51-81`
**问题**: `handleUpload()` 仅校验文件大小(5MB)未校验文件扩展名和MIME类型。攻击者可上传 `.jsp``.html``.svg`(含XSS) 等危险文件。
**风险**: 远程代码执行(RCE)、存储型XSS
**修复建议**:
```java
private static final Set<String> ALLOWED_EXT = Set.of(".jpg", ".jpeg", ".png", ".gif", ".webp", ".pdf");
private static final Set<String> ALLOWED_MIME = Set.of("image/jpeg", "image/png", "image/gif", "image/webp");
// 在 handleUpload 中增加:
if (!ALLOWED_EXT.contains(ext.toLowerCase())) return Result.fail(400, "不支持的文件类型");
String contentType = file.getContentType();
if (contentType == null || !ALLOWED_MIME.contains(contentType)) return Result.fail(400, "文件类型不合法");
```
#### S2. 通用文件上传端点 `/{type}` 无认证保护
**文件**: `FileUploadController.java:41-48`
**问题**: `uploadFile()` 方法用 try-catch 忽略了 `UserContext.getUserId()` 异常,意味着未登录用户也可上传文件。而该路径 `/api/v1/upload/{type}` 未在 `WebMvcConfig` 的排除列表中。但由于 `type` 可变,通配符 `/api/v1/upload/*` 并未排除,实际上需要认证。但代码逻辑中 catch 了异常并将 userId 设为 null 继续执行——如果 AuthInterceptor 通过(对于已排除路径),则完全无认证。
**修复建议**: 移除 try-catch强制要求登录或在方法上加 `@RequiresRole("user")`
#### S3. Spring Security 配置放行所有请求
**文件**: `SecurityConfig.java:24-29`
**问题**: `authorizeHttpRequests(auth -> auth.anyRequest().permitAll())` 放行了所有HTTP请求。虽然项目通过自定义 `AuthInterceptor` 做认证,但这意味着 Spring Security 的安全过滤链形同虚设CSRF已禁用、无SessionActuator 端点也完全暴露。
**风险**: `/actuator/**` 暴露敏感运行信息env、heap dump等
**修复建议**:
```java
.authorizeHttpRequests(auth -> auth
.requestMatchers("/actuator/health").permitAll()
.requestMatchers("/actuator/**").hasRole("ADMIN")
.anyRequest().permitAll())
```
或在 `application.yml` 中限制 actuator 暴露的端点:
```yaml
management:
endpoints:
web:
exposure:
include: health,info
```
#### S4. Swagger/OpenAPI 文档在生产环境暴露
**文件**: `WebMvcConfig.java:50-51`
**问题**: `/swagger-ui/**``/v3/api-docs/**` 被排除在认证之外生产环境下完整API文档对外暴露。
**修复建议**: 通过 Profile 控制,仅 dev 环境启用 Swagger。
### 🟠 高危 (High)
#### S5. 前端 `redirect` 参数未校验 — Open Redirect
**文件**: `login.vue:111`
**问题**: `const redirect = route.query.redirect || '/'` 后直接 `router.push(redirect)`,攻击者可构造 `?redirect=https://evil.com` 实现钓鱼重定向。
**修复建议**: 校验 redirect 必须以 `/` 开头且不包含 `//`
```js
const redirect = route.query.redirect
const safeRedirect = (redirect && redirect.startsWith('/') && !redirect.startsWith('//')) ? redirect : '/'
router.push(safeRedirect)
```
#### S6. `X-Forwarded-For` 可伪造绕过IP限流
**文件**: `UserController.java:29-41`
**问题**: `getClientIp()` 信任 `X-Forwarded-For`攻击者可伪造任意IP绕过短信验证码的 IP 频率限制。
**修复建议**: 在反向代理Nginx层设置 `X-Real-IP`,并在代码中优先取 `X-Real-IP` 或仅信任最后一跳的 `X-Forwarded-For`
#### S7. JWT Secret 配置来源需确认
**文件**: `JwtUtil.java:17-19`
**问题**: `secret``${jwt.secret}` 配置读取,使用 `secret.getBytes()` 直接作为 HMAC 密钥。若密钥长度不足 256 位 (32字节)JJWT 会抛异常;若密钥写在 `application.yml` 并提交到 Git则存在密钥泄露风险。
**修复建议**: 确保 secret ≥ 32 字节;使用环境变量或 Vault 管理;不要提交到版本控制。
#### S8. 前端 localStorage 存储敏感数据
**文件**: `stores/user.js``stores/admin.js`
**问题**: Token 和用户信息存储在 `localStorage`,容易被 XSS 攻击窃取。虽然目前无明显 XSS 入口,但若将来引入用户生成内容(如 Skill 描述支持 HTML风险会增大。
**修复建议**: 考虑使用 HttpOnly Cookie 传递 token或在前端实施严格的 CSP 策略。
### 🟡 中危 (Medium)
#### S9. 通知模块排除认证但未自行校验
**文件**: `WebMvcConfig.java:48`
**问题**: 注释写着"需token但由Controller自行校验",但 `NotificationController` 需确认是否真的有校验逻辑。若遗漏则通知数据对外暴露。
**修复建议**: 移除排除项,让 AuthInterceptor 统一处理,或在 Controller 加 `@RequiresRole("user")`
#### S10. 定制需求接口 `/customization/request` 无认证无限流
**文件**: `WebMvcConfig.java:46`
**问题**: 游客可直接提交定制需求,无任何频率限制,可能被垃圾请求轰炸。
**修复建议**: 增加图形验证码或IP频率限制。
#### S11. `updateProfile` 未加 `@Valid` 注解
**文件**: `UserController.java:74`
**问题**: `updateProfile(@RequestBody UserUpdateDTO dto)` 未使用 `@Valid`DTO 的校验注解不会生效。
**修复建议**: 加上 `@Valid`
---
## 三、架构设计审计
### 🟢 优点
1. **分层清晰**: Controller → Service → Repository 三层分离,职责明确
2. **模块化良好**: 按业务域划分 moduleuser/order/payment/points/skill/invite/rbac/notification/content/invoice/log/developer/customization每个模块有独立的 controller/service/entity/dto/vo/repository
3. **事件驱动**: 使用 RabbitMQ 解耦支付回调、订单完成、邀请绑定等异步流程,并有 MQ 降级同步处理
4. **统一响应**: `Result<T>` 统一包装,`GlobalExceptionHandler` 全局异常处理
5. **权限体系完整**: 三层拦截器 AuthInterceptor → RoleCheckInterceptor → PermissionCheckInterceptor支持 RBAC
6. **前端数据适配层**: `dataAdapter.js` 统一做数据归一化,解耦前后端字段差异
7. **积分系统设计合理**: 冻结/解冻/消费/FIFO过期/批次追踪,核心逻辑完整
### 🟠 待改进
#### A1. 两套 UI 库共存 (Ant Design Vue + Element Plus)
**问题**: 同时引入两套重型组件库bundle 体积偏大,维护成本高,设计风格不统一。
**建议**: 长期统一到一套组件库,推荐 Ant Design Vue目前主力使用
#### A2. 缺少统一 DTO 校验层
**问题**: 部分 Controller 方法缺少 `@Valid`(如 `updateProfile`),部分使用 `Map<String, String>` 接收参数(如 `RbacController.createRole()`),失去了 DTO 校验能力。
**建议**: 所有接口统一使用强类型 DTO + `@Valid`
#### A3. 缺少限流/防刷中间件
**问题**: 除短信验证码的 IP 限流外,其他接口缺乏统一限流。登录接口有 `LOGIN_ATTEMPTS_EXCEEDED` 错误码但需确认实现。
**建议**: 引入 `spring-boot-starter-cache` + Redis 实现全局接口限流,或使用 Sentinel/Bucket4j。
#### A4. 前端缺少全局错误边界
**问题**: 前端无 Vue ErrorBoundary 组件,未捕获的异步错误可能导致白屏。
**建议**: 在 `App.vue` 中增加 `onErrorCaptured` 全局错误处理。
---
## 四、代码质量审计
### 🟢 优点
1. **一致的编码风格**: 后端使用 Lombok 减少样板代码,前端 Composition API + defineStore 风格统一
2. **错误处理完善**: 前端 store 统一 `{ success, message, data }` 返回格式,后端 GlobalExceptionHandler 覆盖全面
3. **良好的日志实践**: 关键操作支付回调、MQ事件、订单状态变更均有日志记录
4. **@OpLog 操作日志注解**: 管理后台关键操作均有审计日志
### 🟠 待改进
#### C1. N+1 查询问题
**文件**: `OrderServiceImpl.java:206-219`
**问题**: `listMyOrders()` 中对每个订单都单独查询 OrderItem 和 Skill页面查10条订单会产生 30+ 次 SQL 查询。
**修复建议**: 使用 MyBatis-Plus 的批量查询或 JOIN 查询替代循环内的 `selectById`
#### C2. 前端 `order.js` 中 `buildPaymentNo` 由前端生成
**文件**: `stores/order.js:5`
**问题**: `const buildPaymentNo = () => 'PAY' + Date.now()` 在前端生成支付编号传给后端,不安全且可被篡改。
**修复建议**: 支付编号应在后端生成。
#### C3. `payOrder` 接口缺少幂等性保护
**文件**: `OrderServiceImpl.java:222-256`
**问题**: 前端传入 `paymentNo` 作为支付凭证,但后端未校验该 `paymentNo` 的有效性或唯一性。若同一订单被重复调用 pay 接口,可能产生重复支付事件。
**修复建议**: 增加幂等性校验(如 Redis SetNX 或数据库唯一约束)。
#### C4. 退款金额硬编码为 cashAmount
**文件**: `OrderServiceImpl.java:300`
**问题**: `refund.setRefundAmount(order.getCashAmount())` 始终退全部现金金额,不支持部分退款。
**当前可接受**: 如果业务只支持全额退款则合理,但需文档明确。
#### C5. 前端 `loadUserOrders` 的 pageSize 默认 100
**文件**: `stores/order.js:47`
**问题**: 默认一次加载 100 条订单,数据量大时影响性能。
**修复建议**: 改为分页懒加载,默认 10-20 条。
---
## 五、业务逻辑审计
### 🟢 设计亮点
1. **混合支付流程完整**: 积分冻结 → 现金支付 → 消费冻结积分 → 发放权限,状态机设计合理
2. **订单超时自动取消**: 通过 RabbitMQ 延迟消息实现 1 小时超时,带积分解冻
3. **MQ 降级处理**: 所有 MQ 发布失败时有同步降级方案
4. **积分过期FIFO**: 批次追踪 + 先进先出消费,符合积分过期业务需求
### 🟠 待确认/改进
#### B1. 纯积分订单跳过 "paid" 状态直接到 "completed"
**文件**: `OrderServiceImpl.java:166-177`
**问题**: 纯积分支付直接 `status=completed`,跳过了 `paid` 状态。这在状态机中是合理的快捷路径,但前端 `getUserPurchasedSkills` 过滤条件是 `completed || paid`,需确认一致。
**状态**: 逻辑正确,但建议在文档中明确状态机转换规则。
#### B2. 订单超时延迟消息的可靠性
**文件**: `OrderServiceImpl.java:180-186`
**问题**: RabbitMQ 延迟消息通过 `delay.order.create` routing key 发送,但未见 TTL 配置和死信交换机的完整定义。需确认 `RabbitMQConfig` 中是否正确配置了延迟队列。
**建议**: 确认 RabbitMQ 配置中 `x-message-ttl` 和死信交换机设置。
#### B3. Skill 重复购买校验缺失
**文件**: `OrderServiceImpl.java:97-189`
**问题**: `createOrder` 未校验用户是否已拥有该 Skill。虽然 ErrorCode 中定义了 `SKILL_ALREADY_OWNED`,但在创建订单流程中未使用。
**修复建议**: 在创建订单前检查用户是否已购买。
#### B4. 前端 `adminApi.verifyToken` 只校验 `super_admin` 角色
**文件**: `AdminController.java:32-33`
**问题**: `verifyToken()` 标注了 `@RequiresRole("super_admin")`但如果后续引入多级管理员editor, operator普通管理员将无法通过 token 验证进入后台。
**建议**: 改为 `@RequiresRole({"admin", "super_admin"})` 或去掉角色限制,仅验证 token 有效性。
---
## 六、前端专项审计
### 🟢 优点
1. **路由守卫完善**: `requiresAuth``requiresAdmin` 分别处理用户和管理员认证
2. **响应拦截器统一处理 401**: 自动清除 token 并跳转登录页
3. **数据适配层完善**: `dataAdapter.js` 处理了后端字段差异、日期格式、默认值等
4. **Store 设计合理**: 按业务域划分user/skill/order/point/admin职责清晰
### 🟠 待改进
#### F1. 混用两个 UI 框架的消息提示
**问题**: 有的地方用 `ElMessage`Element Plus有的用 `message`Ant Design Vue体验不一致。
**建议**: 统一使用一种消息提示。
#### F2. `apiService.js` 中管理员 token 回退到用户 token
**文件**: `apiService.js:16-17`
**问题**: `localStorage.getItem('admin_token') || localStorage.getItem('token')` — 如果管理员未登录但用户已登录,管理员接口会使用普通用户的 token 发送请求。虽然后端有角色校验会拒绝,但增加了不必要的请求。
**建议**: 管理员接口不应回退到用户 token。
#### F3. 缺少路由级别代码分割的 loading 状态
**问题**: 使用了 `() => import(...)` 实现懒加载,但未配置全局加载指示器。网络慢时用户看到空白页。
**建议**: 添加路由级 loading 组件或 NProgress。
---
## 七、问题优先级汇总
### 🔴 必须立即修复 (P0)
| # | 问题 | 类型 | 文件 |
|---|------|------|------|
| S1 | 文件上传无类型白名单 | 安全-RCE | FileUploadController.java |
| S2 | 通用上传接口可绕过认证 | 安全-认证 | FileUploadController.java |
| S3 | Actuator端点完全暴露 | 安全-信息泄露 | SecurityConfig.java |
| S4 | 生产环境Swagger暴露 | 安全-信息泄露 | WebMvcConfig.java |
### 🟠 尽快修复 (P1)
| # | 问题 | 类型 | 文件 |
|---|------|------|------|
| S5 | Open Redirect | 安全-重定向 | login.vue |
| S6 | IP伪造绕过限流 | 安全-限流 | UserController.java |
| S7 | JWT密钥安全性 | 安全-密钥 | JwtUtil.java |
| C1 | N+1查询 | 性能 | OrderServiceImpl.java |
| C3 | 支付接口缺幂等 | 业务安全 | OrderServiceImpl.java |
| B3 | Skill重复购买未校验 | 业务逻辑 | OrderServiceImpl.java |
### 🟡 建议改进 (P2)
| # | 问题 | 类型 | 文件 |
|---|------|------|------|
| S8 | localStorage存token | 安全-存储 | stores/ |
| S9 | 通知模块认证不明确 | 安全-认证 | WebMvcConfig.java |
| S10 | 定制需求无限流 | 安全-防刷 | WebMvcConfig.java |
| S11 | updateProfile缺@Valid | 校验 | UserController.java |
| A1 | 双UI库共存 | 架构 | package.json |
| A2 | 部分接口用Map接收参数 | 代码质量 | RbacController.java |
| A3 | 缺全局限流 | 架构 | 全局 |
| C2 | 前端生成paymentNo | 安全 | stores/order.js |
| C5 | 默认加载100条订单 | 性能 | stores/order.js |
| B4 | verifyToken仅super_admin | 业务 | AdminController.java |
| F1 | 消息提示混用 | 体验 | 全局 |
| F2 | admin token回退 | 安全 | apiService.js |
---
## 八、总结
**项目整体质量评级: B+ (良好)**
- **架构设计**: ⭐⭐⭐⭐ — 分层清晰、模块化好、事件驱动合理
- **功能完成度**: ⭐⭐⭐⭐⭐ — 90%+ 功能模块已实现,前后端对接完善
- **安全性**: ⭐⭐⭐ — 有基本的认证授权体系,但存在文件上传、端点暴露等严重漏洞
- **代码质量**: ⭐⭐⭐⭐ — 编码风格统一错误处理完善有少量N+1和幂等问题
- **性能**: ⭐⭐⭐½ — 整体可接受有N+1和大页查询需优化
**核心建议**: P0 和 P1 级问题已全部修复(见下方修复记录),后续重点应关注 P2 级改进和持续安全加固。
---
## 九、修复记录 (2026-03-19)
### P0 级修复4项
| # | 问题 | 修复方案 | 修改文件 |
|---|------|----------|----------|
| S1 | 文件上传无类型白名单(RCE) | 添加扩展名白名单(.jpg/.png等7种) + MIME类型白名单 + 上传type白名单防路径遍历 | `FileUploadController.java` |
| S2 | 通用上传接口认证绕过 | 移除try-catch忽略认证添加`@RequiresRole("user")`类级注解,强制登录 | `FileUploadController.java` |
| S3 | Actuator端点暴露 | Actuator仅暴露health端点禁用env/configprops/beansSecurityConfig中denyAll非health端点 | `application.yml` + `SecurityConfig.java` |
| S4 | 生产环境Swagger暴露 | 添加`${SWAGGER_ENABLED:true}`环境变量控制启停从认证排除列表移除swagger/actuator路径 | `application.yml` + `WebMvcConfig.java` |
### P1 级修复6项
| # | 问题 | 修复方案 | 修改文件 |
|---|------|----------|----------|
| S5 | Open Redirect | 校验redirect参数必须以`/`开头且不包含`//` | `login.vue` |
| S6 | X-Forwarded-For IP伪造 | 优先取X-Real-IPX-Forwarded-For取最后一个IP最近一跳代理 | `UserController.java` |
| S11 | updateProfile缺@Valid | 添加`@Valid`注解启用DTO校验 | `UserController.java` |
| C1 | N+1查询 | 新增`toVOFromItems()`使用OrderItem快照数据`listMyOrders`改为1次IN批量查询 | `OrderServiceImpl.java` |
| C3 | 支付接口缺幂等性 | 新增`casUpdateStatus()` CAS方法`UPDATE ... WHERE status='pending'`原子更新 | `OrderRepository.java` + `OrderServiceImpl.java` |
| B3 | Skill重复购买未校验 | `createOrder`中添加`skillService.hasOwned()`校验,已拥有则抛`SKILL_ALREADY_OWNED` | `OrderServiceImpl.java` |
### 额外修复
| # | 问题 | 修复方案 | 修改文件 |
|---|------|----------|----------|
| S9 | 通知模块认证不明确 | 从认证排除列表移除`/notifications/**`由AuthInterceptor统一处理 | `WebMvcConfig.java` |
### 修复后评级更新
- **安全性**: ⭐⭐⭐ → ⭐⭐⭐⭐ — P0/P1安全漏洞已修复认证授权体系完善
- **性能**: ⭐⭐⭐½ → ⭐⭐⭐⭐ — N+1查询已修复订单列表性能大幅提升
- **项目整体质量评级**: B+ → **A-**