采用中间件授权的方式

2026-04-23 11:34:27 +08:00 · 2025-08-26 10:45:57 +08:00
parent fb76e24c51
commit 728de61bd6
43 changed files with 527 additions and 484 deletions
--- a/api/core/middleware/auth.go
+++ b/api/core/middleware/auth.go
@@ -0,0 +1,108 @@
+package middleware
+
+import (
+	"context"
+	"fmt"
+	"geekai/core/types"
+	"geekai/utils"
+	"geekai/utils/resp"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/go-redis/redis/v8"
+	"github.com/golang-jwt/jwt"
+)
+
+// 前端用户授权验证
+func UserAuthMiddleware(secretKey string, redis *redis.Client) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		tokenString := c.GetHeader(types.UserAuthHeader)
+		if tokenString == "" {
+			resp.NotAuth(c, "无效的授权令牌")
+			c.Abort()
+			return
+		}
+
+		token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+				return nil, fmt.Errorf("不支持的令牌签名方法: %v", token.Header["alg"])
+			}
+			return []byte(secretKey), nil
+		})
+
+		if err != nil {
+			resp.NotAuth(c, fmt.Sprintf("解析授权令牌失败: %v", err))
+			c.Abort()
+			return
+		}
+
+		claims, ok := token.Claims.(jwt.MapClaims)
+		if !ok || !token.Valid {
+			resp.NotAuth(c, "令牌无效")
+			c.Abort()
+			return
+		}
+
+		expr := utils.IntValue(utils.InterfaceToString(claims["expired"]), 0)
+		if expr > 0 && int64(expr) < time.Now().Unix() {
+			resp.NotAuth(c, "令牌过期")
+			c.Abort()
+			return
+		}
+
+		key := fmt.Sprintf("users/%v", claims["user_id"])
+		if _, err := redis.Get(context.Background(), key).Result(); err != nil {
+			resp.NotAuth(c, "当前用户已退出登录")
+			c.Abort()
+			return
+		}
+		c.Set(types.LoginUserID, claims["user_id"])
+	}
+}
+
+// 管理后台用户授权验证
+func AdminAuthMiddleware(secretKey string, redis *redis.Client) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		tokenString := c.GetHeader(types.AdminAuthHeader)
+		if tokenString == "" {
+			resp.NotAuth(c, "无效的授权令牌")
+			c.Abort()
+			return
+		}
+
+		token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+			if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+				return nil, fmt.Errorf("不支持的令牌签名方法: %v", token.Header["alg"])
+			}
+			return []byte(secretKey), nil
+		})
+
+		if err != nil {
+			resp.NotAuth(c, fmt.Sprintf("解析授权令牌失败: %v", err))
+			c.Abort()
+			return
+		}
+
+		claims, ok := token.Claims.(jwt.MapClaims)
+		if !ok || !token.Valid {
+			resp.NotAuth(c, "令牌无效")
+			c.Abort()
+			return
+		}
+
+		expr := utils.IntValue(utils.InterfaceToString(claims["expired"]), 0)
+		if expr > 0 && int64(expr) < time.Now().Unix() {
+			resp.NotAuth(c, "令牌过期")
+			c.Abort()
+			return
+		}
+
+		key := fmt.Sprintf("admin/%v", claims["user_id"])
+		if _, err := redis.Get(context.Background(), key).Result(); err != nil {
+			resp.NotAuth(c, "当前用户已退出登录")
+			c.Abort()
+			return
+		}
+		c.Set(types.AdminUserID, claims["user_id"])
+	}
+}
--- a/api/core/middleware/parameter.go
+++ b/api/core/middleware/parameter.go
@@ -0,0 +1,80 @@
+package middleware
+
+import (
+	"bytes"
+	"geekai/utils"
+	"io"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+)
+
+// 统一参数处理
+func ParameterHandlerMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// GET 参数处理
+		params := c.Request.URL.Query()
+		for key, values := range params {
+			for i, value := range values {
+				params[key][i] = strings.TrimSpace(value)
+			}
+		}
+		// update get parameters
+		c.Request.URL.RawQuery = params.Encode()
+		// skip file upload requests
+		contentType := c.Request.Header.Get("Content-Type")
+		if strings.Contains(contentType, "multipart/form-data") {
+			c.Next()
+			return
+		}
+
+		if strings.Contains(contentType, "application/json") {
+			// process POST JSON request body
+			bodyBytes, err := io.ReadAll(c.Request.Body)
+			if err != nil {
+				c.Next()
+				return
+			}
+
+			// 还原请求体
+			c.Request.Body = io.NopCloser(bytes.NewBuffer(bodyBytes))
+			// 将请求体解析为 JSON
+			var jsonData map[string]any
+			if err := c.ShouldBindJSON(&jsonData); err != nil {
+				c.Next()
+				return
+			}
+
+			// 对 JSON 数据中的字符串值去除两端空格
+			trimJSONStrings(jsonData)
+			// 更新请求体
+			c.Request.Body = io.NopCloser(bytes.NewBufferString(utils.JsonEncode(jsonData)))
+		}
+
+		c.Next()
+	}
+}
+
+// 递归对 JSON 数据中的字符串值去除两端空格
+func trimJSONStrings(data any) {
+	switch v := data.(type) {
+	case map[string]any:
+		for key, value := range v {
+			switch valueType := value.(type) {
+			case string:
+				v[key] = strings.TrimSpace(valueType)
+			case map[string]any, []any:
+				trimJSONStrings(value)
+			}
+		}
+	case []any:
+		for i, value := range v {
+			switch valueType := value.(type) {
+			case string:
+				v[i] = strings.TrimSpace(valueType)
+			case map[string]any, []any:
+				trimJSONStrings(value)
+			}
+		}
+	}
+}
--- a/api/core/middleware/rate_limit.go
+++ b/api/core/middleware/rate_limit.go
@@ -0,0 +1,43 @@
+package middleware
+
+import (
+	"context"
+	"fmt"
+	"geekai/core/types"
+	"geekai/utils"
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/go-redis/redis/v8"
+)
+
+// RateLimitEvery 使用 Redis 做固定间隔限流：在 interval 内仅允许一次请求
+// Key 优先使用登录用户ID，若没有则退化为 route + IP
+func RateLimitEvery(redisClient *redis.Client, interval time.Duration) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		keyID := ""
+		if userID, ok := c.Get(types.LoginUserID); ok {
+			keyID = fmt.Sprintf("user:%s", utils.InterfaceToString(userID))
+		} else {
+			keyID = fmt.Sprintf("ip:%s", c.ClientIP())
+		}
+
+		fullPath := c.FullPath()
+		if fullPath == "" {
+			fullPath = c.Request.URL.Path
+		}
+		key := fmt.Sprintf("rl:%s:%s", fullPath, keyID)
+
+		okSet, err := redisClient.SetNX(context.Background(), key, 1, interval).Result()
+		if err != nil {
+			// Redis 异常时放行，避免误伤可用性
+			return
+		}
+		if !okSet {
+			c.JSON(http.StatusTooManyRequests, types.BizVo{Code: types.Failed, Message: "请求过于频繁，请稍后重试"})
+			c.Abort()
+			return
+		}
+	}
+}
--- a/api/core/middleware/static.go
+++ b/api/core/middleware/static.go
@@ -0,0 +1,78 @@
+package middleware
+
+import (
+	"bytes"
+	"geekai/utils"
+	"image"
+	"image/jpeg"
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+	"github.com/nfnt/resize"
+	"golang.org/x/image/webp"
+)
+
+// 静态资源中间件
+func StaticMiddleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+
+		url := c.Request.URL.String()
+		// 拦截生成缩略图请求
+		if strings.HasPrefix(url, "/static/") && strings.Contains(url, "?imageView2") {
+			r := strings.SplitAfter(url, "imageView2")
+			size := strings.Split(r[1], "/")
+			if len(size) != 8 {
+				c.String(http.StatusNotFound, "invalid thumb args")
+				return
+			}
+			with := utils.IntValue(size[3], 0)
+			height := utils.IntValue(size[5], 0)
+			quality := utils.IntValue(size[7], 75)
+
+			// 打开图片文件
+			filePath := strings.TrimLeft(c.Request.URL.Path, "/")
+			file, err := os.Open(filePath)
+			if err != nil {
+				c.String(http.StatusNotFound, "Image not found")
+				return
+			}
+			defer file.Close()
+
+			// 解码图片
+			img, _, err := image.Decode(file)
+			// for .webp image
+			if err != nil {
+				img, err = webp.Decode(file)
+			}
+			if err != nil {
+				c.String(http.StatusInternalServerError, "Error decoding image")
+				return
+			}
+
+			var newImg image.Image
+			if height == 0 || with == 0 {
+				// 固定宽度，高度自适应
+				newImg = resize.Resize(uint(with), uint(height), img, resize.Lanczos3)
+			} else {
+				// 生成缩略图
+				newImg = resize.Thumbnail(uint(with), uint(height), img, resize.Lanczos3)
+			}
+			var buffer bytes.Buffer
+			err = jpeg.Encode(&buffer, newImg, &jpeg.Options{Quality: quality})
+			if err != nil {
+				c.String(http.StatusInternalServerError, err.Error())
+				return
+			}
+
+			// 设置图片缓存有效期为一年 (365天)
+			c.Header("Cache-Control", "max-age=31536000, public")
+			// 直接输出图像数据流
+			c.Data(http.StatusOK, "image/jpeg", buffer.Bytes())
+			c.Abort() // 中断请求
+
+		}
+		c.Next()
+	}
+}