backend/internal/repository/claude_usage_service.go

package repository

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"time"

	infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
	"github.com/Wei-Shaw/sub2api/internal/pkg/httpclient"
	"github.com/Wei-Shaw/sub2api/internal/service"
)

const defaultClaudeUsageURL = "https://api.anthropic.com/api/oauth/usage"

// 默认 User-Agent，与用户抓包的请求一致
const defaultUsageUserAgent = "claude-code/2.1.7"

type claudeUsageService struct {
	usageURL          string
	allowPrivateHosts bool
	httpUpstream      service.HTTPUpstream
}

// NewClaudeUsageFetcher 创建 Claude 用量获取服务
// httpUpstream: 可选，如果提供则支持 TLS 指纹伪装
func NewClaudeUsageFetcher(httpUpstream service.HTTPUpstream) service.ClaudeUsageFetcher {
	return &claudeUsageService{
		usageURL:     defaultClaudeUsageURL,
		httpUpstream: httpUpstream,
	}
}

// FetchUsage 简单版本，不支持 TLS 指纹（向后兼容）
func (s *claudeUsageService) FetchUsage(ctx context.Context, accessToken, proxyURL string) (*service.ClaudeUsageResponse, error) {
	return s.FetchUsageWithOptions(ctx, &service.ClaudeUsageFetchOptions{
		AccessToken: accessToken,
		ProxyURL:    proxyURL,
	})
}

// FetchUsageWithOptions 完整版本，支持 TLS 指纹和自定义 User-Agent
func (s *claudeUsageService) FetchUsageWithOptions(ctx context.Context, opts *service.ClaudeUsageFetchOptions) (*service.ClaudeUsageResponse, error) {
	if opts == nil {
		return nil, fmt.Errorf("options is nil")
	}

	// 创建请求
	req, err := http.NewRequestWithContext(ctx, "GET", s.usageURL, nil)
	if err != nil {
		return nil, fmt.Errorf("create request failed: %w", err)
	}

	// 设置请求头（与抓包一致，但不设置 Accept-Encoding，让 Go 自动处理压缩）
	req.Header.Set("Accept", "application/json, text/plain, */*")
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+opts.AccessToken)
	req.Header.Set("anthropic-beta", "oauth-2025-04-20")

	// 设置 User-Agent（优先使用缓存的 Fingerprint，否则使用默认值）
	userAgent := defaultUsageUserAgent
	if opts.Fingerprint != nil && opts.Fingerprint.UserAgent != "" {
		userAgent = opts.Fingerprint.UserAgent
	}
	req.Header.Set("User-Agent", userAgent)

	var resp *http.Response

	// 如果启用 TLS 指纹且有 HTTPUpstream，使用 DoWithTLS
	if opts.EnableTLSFingerprint && s.httpUpstream != nil {
		// accountConcurrency 传 0 使用默认连接池配置，usage 请求不需要特殊的并发设置
		resp, err = s.httpUpstream.DoWithTLS(req, opts.ProxyURL, opts.AccountID, 0, true)
		if err != nil {
			return nil, fmt.Errorf("request with TLS fingerprint failed: %w", err)
		}
	} else {
		// 不启用 TLS 指纹，使用普通 HTTP 客户端
		client, err := httpclient.GetClient(httpclient.Options{
			ProxyURL:           opts.ProxyURL,
			Timeout:            30 * time.Second,
			ValidateResolvedIP: true,
			AllowPrivateHosts:  s.allowPrivateHosts,
		})
		if err != nil {
			return nil, fmt.Errorf("create http client failed: %w", err)
		}

		resp, err = client.Do(req)
		if err != nil {
			return nil, fmt.Errorf("request failed: %w", err)
		}
	}
	defer func() { _ = resp.Body.Close() }()

	if resp.StatusCode != http.StatusOK {
		body, _ := io.ReadAll(resp.Body)
		msg := fmt.Sprintf("API returned status %d: %s", resp.StatusCode, string(body))
		return nil, infraerrors.New(http.StatusInternalServerError, "UPSTREAM_ERROR", msg)
	}

	var usageResp service.ClaudeUsageResponse
	if err := json.NewDecoder(resp.Body).Decode(&usageResp); err != nil {
		return nil, fmt.Errorf("decode response failed: %w", err)
	}

	return &usageResp, nil
}
-												refactor(backend): service http ports

											
										
										
											2025-12-20 11:56:11 +08:00
+								package repository
 								import (
 									"context"
 									"encoding/json"
 									"fmt"
 									"io"
 									"net/http"
 									"time"
-												fix: include upstream error details in usage API error response

When FetchUsageWithOptions receives a non-200 response from the
Anthropic API (e.g. 429 Rate Limited, 401 Unauthorized), the error
was wrapped with fmt.Errorf which infraerrors.FromError cannot
recognize, causing a generic "internal error" message with no details.

Replace fmt.Errorf with infraerrors.New(500, "UPSTREAM_ERROR", msg)
so the upstream error details (status code + body) are included in
the 500 response message. The HTTP status remains 500 to avoid
interfering with frontend auth routing (e.g. 401 would trigger
JWT expiry redirect).

											
										
										
											2026-03-05 19:37:38 +08:00
+									infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
-												perf(后端): 完成性能优化与连接池配置

新增 DB/Redis 连接池配置与校验，并补充单测

网关请求体大小限制与 413 处理

HTTP/req 客户端池化并调整上游连接池默认值

并发槽位改为 ZSET+Lua 与指数退避

用量统计改 SQL 聚合并新增索引迁移

计费缓存写入改工作池并补测试/基准

测试: 在 backend/ 下运行 go test ./...

											
										
										
											2025-12-31 08:50:12 +08:00
+									"github.com/Wei-Shaw/sub2api/internal/pkg/httpclient"
-												refactor: 重命名 go module

											
										
										
											2025-12-24 21:07:21 +08:00
+									"github.com/Wei-Shaw/sub2api/internal/service"
-												refactor(backend): service http ports

											
										
										
											2025-12-20 11:56:11 +08:00
+								)
-												test: 增加 repository 测试

											
										
										
											2025-12-25 10:52:56 +08:00
+								const defaultClaudeUsageURL = "https://api.anthropic.com/api/oauth/usage"
-												feat: usage接口支持TLS指纹和缓存User-Agent

											
										
										
											2026-01-19 17:06:16 +08:00
+								// 默认 User-Agent，与用户抓包的请求一致
 								const defaultUsageUserAgent = "claude-code/2.1.7"
-												test: 增加 repository 测试

											
										
										
											2025-12-25 10:52:56 +08:00
+								type claudeUsageService struct {
-												fix(安全): 修复上游校验与 URL 清理问题

增加请求阶段 DNS 解析校验，阻断重绑定到私网
补充默认透传 WWW-Authenticate 头，保留认证挑战
前端相对 URL 过滤拒绝 // 协议相对路径

测试: go test ./internal/repository -run TestGitHubReleaseServiceSuite
测试: go test ./internal/repository -run TestTurnstileServiceSuite
测试: go test ./internal/repository -run TestProxyProbeServiceSuite
测试: go test ./internal/repository -run TestClaudeUsageServiceSuite

											
										
										
											2026-01-03 10:52:24 +08:00
+									usageURL          string
 									allowPrivateHosts bool
-												feat: usage接口支持TLS指纹和缓存User-Agent

											
										
										
											2026-01-19 17:06:16 +08:00
+									httpUpstream      service.HTTPUpstream
-												test: 增加 repository 测试

											
										
										
											2025-12-25 10:52:56 +08:00
+								}
-												refactor(backend): service http ports

											
										
										
											2025-12-20 11:56:11 +08:00
-												feat: usage接口支持TLS指纹和缓存User-Agent

											
										
										
											2026-01-19 17:06:16 +08:00
+								// NewClaudeUsageFetcher 创建 Claude 用量获取服务
 								// httpUpstream: 可选，如果提供则支持 TLS 指纹伪装
 								func NewClaudeUsageFetcher(httpUpstream service.HTTPUpstream) service.ClaudeUsageFetcher {
 									return &claudeUsageService{
 										usageURL:     defaultClaudeUsageURL,
 										httpUpstream: httpUpstream,
 									}
-												refactor(backend): service http ports

											
										
										
											2025-12-20 11:56:11 +08:00
+								}
-												feat: usage接口支持TLS指纹和缓存User-Agent

											
										
										
											2026-01-19 17:06:16 +08:00
+								// FetchUsage 简单版本，不支持 TLS 指纹（向后兼容）
-												refactor(backend): service http ports

											
										
										
											2025-12-20 11:56:11 +08:00
+								func (s *claudeUsageService) FetchUsage(ctx context.Context, accessToken, proxyURL string) (*service.ClaudeUsageResponse, error) {
-												feat: usage接口支持TLS指纹和缓存User-Agent

											
										
										
											2026-01-19 17:06:16 +08:00
+									return s.FetchUsageWithOptions(ctx, &service.ClaudeUsageFetchOptions{
 										AccessToken: accessToken,
 										ProxyURL:    proxyURL,
-												perf(后端): 完成性能优化与连接池配置

新增 DB/Redis 连接池配置与校验，并补充单测

网关请求体大小限制与 413 处理

HTTP/req 客户端池化并调整上游连接池默认值

并发槽位改为 ZSET+Lua 与指数退避

用量统计改 SQL 聚合并新增索引迁移

计费缓存写入改工作池并补测试/基准

测试: 在 backend/ 下运行 go test ./...

											
										
										
											2025-12-31 08:50:12 +08:00
+									})
-												feat: usage接口支持TLS指纹和缓存User-Agent

											
										
										
											2026-01-19 17:06:16 +08:00
+								}
 								// FetchUsageWithOptions 完整版本，支持 TLS 指纹和自定义 User-Agent
 								func (s *claudeUsageService) FetchUsageWithOptions(ctx context.Context, opts *service.ClaudeUsageFetchOptions) (*service.ClaudeUsageResponse, error) {
 									if opts == nil {
 										return nil, fmt.Errorf("options is nil")
-												refactor(backend): service http ports

											
										
										
											2025-12-20 11:56:11 +08:00
+									}
-												feat: usage接口支持TLS指纹和缓存User-Agent

											
										
										
											2026-01-19 17:06:16 +08:00
+									// 创建请求
-												test: 增加 repository 测试

											
										
										
											2025-12-25 10:52:56 +08:00
+									req, err := http.NewRequestWithContext(ctx, "GET", s.usageURL, nil)
-												refactor(backend): service http ports

											
										
										
											2025-12-20 11:56:11 +08:00
+									if err != nil {
 										return nil, fmt.Errorf("create request failed: %w", err)
 									}
-												feat: usage接口支持TLS指纹和缓存User-Agent

											
										
										
											2026-01-19 17:06:16 +08:00
+									// 设置请求头（与抓包一致，但不设置 Accept-Encoding，让 Go 自动处理压缩）
 									req.Header.Set("Accept", "application/json, text/plain, */*")
 									req.Header.Set("Content-Type", "application/json")
 									req.Header.Set("Authorization", "Bearer "+opts.AccessToken)
-												refactor(backend): service http ports

											
										
										
											2025-12-20 11:56:11 +08:00
+									req.Header.Set("anthropic-beta", "oauth-2025-04-20")
-												feat: usage接口支持TLS指纹和缓存User-Agent

											
										
										
											2026-01-19 17:06:16 +08:00
+									// 设置 User-Agent（优先使用缓存的 Fingerprint，否则使用默认值）
 									userAgent := defaultUsageUserAgent
 									if opts.Fingerprint != nil && opts.Fingerprint.UserAgent != "" {
 										userAgent = opts.Fingerprint.UserAgent
 									}
 									req.Header.Set("User-Agent", userAgent)
 									var resp *http.Response
 									// 如果启用 TLS 指纹且有 HTTPUpstream，使用 DoWithTLS
 									if opts.EnableTLSFingerprint && s.httpUpstream != nil {
 										// accountConcurrency 传 0 使用默认连接池配置，usage 请求不需要特殊的并发设置
 										resp, err = s.httpUpstream.DoWithTLS(req, opts.ProxyURL, opts.AccountID, 0, true)
 										if err != nil {
 											return nil, fmt.Errorf("request with TLS fingerprint failed: %w", err)
 										}
 									} else {
 										// 不启用 TLS 指纹，使用普通 HTTP 客户端
 										client, err := httpclient.GetClient(httpclient.Options{
 											ProxyURL:           opts.ProxyURL,
 											Timeout:            30 * time.Second,
 											ValidateResolvedIP: true,
 											AllowPrivateHosts:  s.allowPrivateHosts,
 										})
 										if err != nil {
-												feat(proxy): 集中代理 URL 验证并实现全局 fail-fast

提取 proxyurl.Parse() 公共包，将分散在 6 处的代理 URL 验证逻辑
统一收敛，确保无效代理配置在创建时立即失败，永不静默回退直连。

主要变更：
- 新增 proxyurl 包：统一 TrimSpace → url.Parse → Host 校验 → Scheme 白名单
- socks5:// 自动升级为 socks5h://，防止 DNS 泄漏（大小写不敏感）
- antigravity: http.ProxyURL → proxyutil.ConfigureTransportProxy 支持 SOCKS5
- openai_oauth: 删除 newOpenAIOAuthHTTPClient，收编至 httpclient.GetClient
- 移除未使用的 ProxyStrict 字段（fail-fast 已是全局默认行为）
- 补充 15 个 proxyurl 测试 + pricing/usage fail-fast 测试

											
										
										
											2026-03-02 15:53:26 +08:00
+											return nil, fmt.Errorf("create http client failed: %w", err)
-												feat: usage接口支持TLS指纹和缓存User-Agent

											
										
										
											2026-01-19 17:06:16 +08:00
+										}
 										resp, err = client.Do(req)
 										if err != nil {
 											return nil, fmt.Errorf("request failed: %w", err)
 										}
-												refactor(backend): service http ports

											
										
										
											2025-12-20 11:56:11 +08:00
+									}
-												ci(backend): 添加 github actions (#10)

## 变更内容

### CI/CD
- 添加 GitHub Actions 工作流（test + golangci-lint）
- 添加 golangci-lint 配置，启用 errcheck/govet/staticcheck/unused/depguard
- 通过 depguard 强制 service 层不能直接导入 repository

### 错误处理修复
- 修复 CSV 写入、SSE 流式输出、随机数生成等未处理的错误
- GenerateRedeemCode() 现在返回 error

### 资源泄露修复
- 统一使用 defer func() { _ = xxx.Close() }() 模式

### 代码清理
- 移除未使用的常量
- 简化 nil map 检查
- 统一代码格式
											
										
										
											2025-12-20 15:29:52 +08:00
+									defer func() { _ = resp.Body.Close() }()
-												refactor(backend): service http ports

											
										
										
											2025-12-20 11:56:11 +08:00
 									if resp.StatusCode != http.StatusOK {
 										body, _ := io.ReadAll(resp.Body)
-												fix: include upstream error details in usage API error response

When FetchUsageWithOptions receives a non-200 response from the
Anthropic API (e.g. 429 Rate Limited, 401 Unauthorized), the error
was wrapped with fmt.Errorf which infraerrors.FromError cannot
recognize, causing a generic "internal error" message with no details.

Replace fmt.Errorf with infraerrors.New(500, "UPSTREAM_ERROR", msg)
so the upstream error details (status code + body) are included in
the 500 response message. The HTTP status remains 500 to avoid
interfering with frontend auth routing (e.g. 401 would trigger
JWT expiry redirect).

											
										
										
											2026-03-05 19:37:38 +08:00
+										msg := fmt.Sprintf("API returned status %d: %s", resp.StatusCode, string(body))
 										return nil, infraerrors.New(http.StatusInternalServerError, "UPSTREAM_ERROR", msg)
-												refactor(backend): service http ports

											
										
										
											2025-12-20 11:56:11 +08:00
+									}
 									var usageResp service.ClaudeUsageResponse
 									if err := json.NewDecoder(resp.Body).Decode(&usageResp); err != nil {
 										return nil, fmt.Errorf("decode response failed: %w", err)
 									}
 									return &usageResp, nil
 								}