2025-12-18 13:50:39 +08:00
|
|
|
|
package service
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
|
"context"
|
|
|
|
|
|
"crypto/rand"
|
|
|
|
|
|
"encoding/hex"
|
|
|
|
|
|
"fmt"
|
2026-02-22 22:07:17 +08:00
|
|
|
|
"strconv"
|
2026-03-11 13:53:19 +08:00
|
|
|
|
"strings"
|
2026-02-22 22:07:17 +08:00
|
|
|
|
"sync"
|
2025-12-25 17:15:01 +08:00
|
|
|
|
"time"
|
|
|
|
|
|
|
2025-12-24 21:07:21 +08:00
|
|
|
|
"github.com/Wei-Shaw/sub2api/internal/config"
|
2025-12-31 23:42:01 +08:00
|
|
|
|
infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
|
2026-01-09 21:59:32 +08:00
|
|
|
|
"github.com/Wei-Shaw/sub2api/internal/pkg/ip"
|
2025-12-24 21:07:21 +08:00
|
|
|
|
"github.com/Wei-Shaw/sub2api/internal/pkg/pagination"
|
|
|
|
|
|
"github.com/Wei-Shaw/sub2api/internal/pkg/timezone"
|
2026-01-10 22:23:51 +08:00
|
|
|
|
"github.com/dgraph-io/ristretto"
|
|
|
|
|
|
"golang.org/x/sync/singleflight"
|
2025-12-18 13:50:39 +08:00
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
var (
|
2026-02-03 20:49:58 +08:00
|
|
|
|
ErrAPIKeyNotFound = infraerrors.NotFound("API_KEY_NOT_FOUND", "api key not found")
|
|
|
|
|
|
ErrGroupNotAllowed = infraerrors.Forbidden("GROUP_NOT_ALLOWED", "user is not allowed to bind this group")
|
|
|
|
|
|
ErrAPIKeyExists = infraerrors.Conflict("API_KEY_EXISTS", "api key already exists")
|
|
|
|
|
|
ErrAPIKeyTooShort = infraerrors.BadRequest("API_KEY_TOO_SHORT", "api key must be at least 16 characters")
|
|
|
|
|
|
ErrAPIKeyInvalidChars = infraerrors.BadRequest("API_KEY_INVALID_CHARS", "api key can only contain letters, numbers, underscores, and hyphens")
|
|
|
|
|
|
ErrAPIKeyRateLimited = infraerrors.TooManyRequests("API_KEY_RATE_LIMITED", "too many failed attempts, please try again later")
|
|
|
|
|
|
ErrInvalidIPPattern = infraerrors.BadRequest("INVALID_IP_PATTERN", "invalid IP or CIDR pattern")
|
2026-02-03 19:01:49 +08:00
|
|
|
|
// ErrAPIKeyExpired = infraerrors.Forbidden("API_KEY_EXPIRED", "api key has expired")
|
2026-02-03 20:49:58 +08:00
|
|
|
|
ErrAPIKeyExpired = infraerrors.Forbidden("API_KEY_EXPIRED", "api key 已过期")
|
2026-02-03 19:01:49 +08:00
|
|
|
|
// ErrAPIKeyQuotaExhausted = infraerrors.TooManyRequests("API_KEY_QUOTA_EXHAUSTED", "api key quota exhausted")
|
|
|
|
|
|
ErrAPIKeyQuotaExhausted = infraerrors.TooManyRequests("API_KEY_QUOTA_EXHAUSTED", "api key 额度已用完")
|
2026-03-03 15:01:10 +08:00
|
|
|
|
|
|
|
|
|
|
// Rate limit errors
|
|
|
|
|
|
ErrAPIKeyRateLimit5hExceeded = infraerrors.TooManyRequests("API_KEY_RATE_5H_EXCEEDED", "api key 5小时限额已用完")
|
|
|
|
|
|
ErrAPIKeyRateLimit1dExceeded = infraerrors.TooManyRequests("API_KEY_RATE_1D_EXCEEDED", "api key 日限额已用完")
|
|
|
|
|
|
ErrAPIKeyRateLimit7dExceeded = infraerrors.TooManyRequests("API_KEY_RATE_7D_EXCEEDED", "api key 7天限额已用完")
|
2025-12-18 13:50:39 +08:00
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
const (
|
2025-12-19 23:39:28 +08:00
|
|
|
|
apiKeyMaxErrorsPerHour = 20
|
2026-02-22 22:07:17 +08:00
|
|
|
|
apiKeyLastUsedMinTouch = 30 * time.Second
|
2026-02-23 12:45:37 +08:00
|
|
|
|
// DB 写失败后的短退避,避免请求路径持续同步重试造成写风暴与高延迟。
|
|
|
|
|
|
apiKeyLastUsedFailBackoff = 5 * time.Second
|
2025-12-18 13:50:39 +08:00
|
|
|
|
)
|
|
|
|
|
|
|
2026-01-04 19:27:53 +08:00
|
|
|
|
type APIKeyRepository interface {
|
|
|
|
|
|
Create(ctx context.Context, key *APIKey) error
|
|
|
|
|
|
GetByID(ctx context.Context, id int64) (*APIKey, error)
|
2026-01-10 22:23:51 +08:00
|
|
|
|
// GetKeyAndOwnerID 仅获取 API Key 的 key 与所有者 ID,用于删除等轻量场景
|
|
|
|
|
|
GetKeyAndOwnerID(ctx context.Context, id int64) (string, int64, error)
|
2026-01-04 19:27:53 +08:00
|
|
|
|
GetByKey(ctx context.Context, key string) (*APIKey, error)
|
2026-01-10 22:23:51 +08:00
|
|
|
|
// GetByKeyForAuth 认证专用查询,返回最小字段集
|
|
|
|
|
|
GetByKeyForAuth(ctx context.Context, key string) (*APIKey, error)
|
2026-01-04 19:27:53 +08:00
|
|
|
|
Update(ctx context.Context, key *APIKey) error
|
2025-12-25 17:15:01 +08:00
|
|
|
|
Delete(ctx context.Context, id int64) error
|
|
|
|
|
|
|
2026-03-04 11:29:31 +08:00
|
|
|
|
ListByUserID(ctx context.Context, userID int64, params pagination.PaginationParams, filters APIKeyListFilters) ([]APIKey, *pagination.PaginationResult, error)
|
2025-12-27 16:03:57 +08:00
|
|
|
|
VerifyOwnership(ctx context.Context, userID int64, apiKeyIDs []int64) ([]int64, error)
|
2025-12-25 17:15:01 +08:00
|
|
|
|
CountByUserID(ctx context.Context, userID int64) (int64, error)
|
|
|
|
|
|
ExistsByKey(ctx context.Context, key string) (bool, error)
|
2026-01-04 19:27:53 +08:00
|
|
|
|
ListByGroupID(ctx context.Context, groupID int64, params pagination.PaginationParams) ([]APIKey, *pagination.PaginationResult, error)
|
|
|
|
|
|
SearchAPIKeys(ctx context.Context, userID int64, keyword string, limit int) ([]APIKey, error)
|
2025-12-25 17:15:01 +08:00
|
|
|
|
ClearGroupIDByGroupID(ctx context.Context, groupID int64) (int64, error)
|
|
|
|
|
|
CountByGroupID(ctx context.Context, groupID int64) (int64, error)
|
2026-01-10 22:23:51 +08:00
|
|
|
|
ListKeysByUserID(ctx context.Context, userID int64) ([]string, error)
|
|
|
|
|
|
ListKeysByGroupID(ctx context.Context, groupID int64) ([]string, error)
|
2026-02-03 19:01:49 +08:00
|
|
|
|
|
|
|
|
|
|
// Quota methods
|
|
|
|
|
|
IncrementQuotaUsed(ctx context.Context, id int64, amount float64) (float64, error)
|
2026-02-22 22:07:17 +08:00
|
|
|
|
UpdateLastUsed(ctx context.Context, id int64, usedAt time.Time) error
|
2026-03-03 15:01:10 +08:00
|
|
|
|
|
|
|
|
|
|
// Rate limit methods
|
|
|
|
|
|
IncrementRateLimitUsage(ctx context.Context, id int64, cost float64) error
|
|
|
|
|
|
ResetRateLimitWindows(ctx context.Context, id int64) error
|
|
|
|
|
|
GetRateLimitData(ctx context.Context, id int64) (*APIKeyRateLimitData, error)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// APIKeyRateLimitData holds rate limit usage and window state for an API key.
|
|
|
|
|
|
type APIKeyRateLimitData struct {
|
|
|
|
|
|
Usage5h float64
|
|
|
|
|
|
Usage1d float64
|
|
|
|
|
|
Usage7d float64
|
|
|
|
|
|
Window5hStart *time.Time
|
|
|
|
|
|
Window1dStart *time.Time
|
|
|
|
|
|
Window7dStart *time.Time
|
2025-12-25 17:15:01 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-07 09:59:40 +08:00
|
|
|
|
// EffectiveUsage5h returns the 5h window usage, or 0 if the window has expired.
|
|
|
|
|
|
func (d *APIKeyRateLimitData) EffectiveUsage5h() float64 {
|
|
|
|
|
|
if IsWindowExpired(d.Window5hStart, RateLimitWindow5h) {
|
|
|
|
|
|
return 0
|
|
|
|
|
|
}
|
|
|
|
|
|
return d.Usage5h
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// EffectiveUsage1d returns the 1d window usage, or 0 if the window has expired.
|
|
|
|
|
|
func (d *APIKeyRateLimitData) EffectiveUsage1d() float64 {
|
|
|
|
|
|
if IsWindowExpired(d.Window1dStart, RateLimitWindow1d) {
|
|
|
|
|
|
return 0
|
|
|
|
|
|
}
|
|
|
|
|
|
return d.Usage1d
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// EffectiveUsage7d returns the 7d window usage, or 0 if the window has expired.
|
|
|
|
|
|
func (d *APIKeyRateLimitData) EffectiveUsage7d() float64 {
|
|
|
|
|
|
if IsWindowExpired(d.Window7dStart, RateLimitWindow7d) {
|
|
|
|
|
|
return 0
|
|
|
|
|
|
}
|
|
|
|
|
|
return d.Usage7d
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-11 13:53:19 +08:00
|
|
|
|
// APIKeyQuotaUsageState captures the latest quota fields after an atomic quota update.
|
|
|
|
|
|
// It is intentionally small so repositories can return it from a single SQL statement.
|
|
|
|
|
|
type APIKeyQuotaUsageState struct {
|
|
|
|
|
|
QuotaUsed float64
|
|
|
|
|
|
Quota float64
|
|
|
|
|
|
Key string
|
|
|
|
|
|
Status string
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-04 19:27:53 +08:00
|
|
|
|
// APIKeyCache defines cache operations for API key service
|
|
|
|
|
|
type APIKeyCache interface {
|
2025-12-25 17:15:01 +08:00
|
|
|
|
GetCreateAttemptCount(ctx context.Context, userID int64) (int, error)
|
|
|
|
|
|
IncrementCreateAttemptCount(ctx context.Context, userID int64) error
|
|
|
|
|
|
DeleteCreateAttemptCount(ctx context.Context, userID int64) error
|
|
|
|
|
|
|
|
|
|
|
|
IncrementDailyUsage(ctx context.Context, apiKey string) error
|
|
|
|
|
|
SetDailyUsageExpiry(ctx context.Context, apiKey string, ttl time.Duration) error
|
2026-01-10 22:23:51 +08:00
|
|
|
|
|
|
|
|
|
|
GetAuthCache(ctx context.Context, key string) (*APIKeyAuthCacheEntry, error)
|
|
|
|
|
|
SetAuthCache(ctx context.Context, key string, entry *APIKeyAuthCacheEntry, ttl time.Duration) error
|
|
|
|
|
|
DeleteAuthCache(ctx context.Context, key string) error
|
2026-01-18 22:13:47 +08:00
|
|
|
|
|
|
|
|
|
|
// Pub/Sub for L1 cache invalidation across instances
|
|
|
|
|
|
PublishAuthCacheInvalidation(ctx context.Context, cacheKey string) error
|
|
|
|
|
|
SubscribeAuthCacheInvalidation(ctx context.Context, handler func(cacheKey string)) error
|
2026-01-10 22:23:51 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// APIKeyAuthCacheInvalidator 提供认证缓存失效能力
|
|
|
|
|
|
type APIKeyAuthCacheInvalidator interface {
|
|
|
|
|
|
InvalidateAuthCacheByKey(ctx context.Context, key string)
|
|
|
|
|
|
InvalidateAuthCacheByUserID(ctx context.Context, userID int64)
|
|
|
|
|
|
InvalidateAuthCacheByGroupID(ctx context.Context, groupID int64)
|
2025-12-25 17:15:01 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-04 19:27:53 +08:00
|
|
|
|
// CreateAPIKeyRequest 创建API Key请求
|
|
|
|
|
|
type CreateAPIKeyRequest struct {
|
2026-01-09 21:59:32 +08:00
|
|
|
|
Name string `json:"name"`
|
|
|
|
|
|
GroupID *int64 `json:"group_id"`
|
|
|
|
|
|
CustomKey *string `json:"custom_key"` // 可选的自定义key
|
|
|
|
|
|
IPWhitelist []string `json:"ip_whitelist"` // IP 白名单
|
|
|
|
|
|
IPBlacklist []string `json:"ip_blacklist"` // IP 黑名单
|
2026-02-03 19:01:49 +08:00
|
|
|
|
|
|
|
|
|
|
// Quota fields
|
2026-02-03 20:49:58 +08:00
|
|
|
|
Quota float64 `json:"quota"` // Quota limit in USD (0 = unlimited)
|
2026-02-03 19:01:49 +08:00
|
|
|
|
ExpiresInDays *int `json:"expires_in_days"` // Days until expiry (nil = never expires)
|
2026-03-03 15:01:10 +08:00
|
|
|
|
|
|
|
|
|
|
// Rate limit fields (0 = unlimited)
|
|
|
|
|
|
RateLimit5h float64 `json:"rate_limit_5h"`
|
|
|
|
|
|
RateLimit1d float64 `json:"rate_limit_1d"`
|
|
|
|
|
|
RateLimit7d float64 `json:"rate_limit_7d"`
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-04 19:27:53 +08:00
|
|
|
|
// UpdateAPIKeyRequest 更新API Key请求
|
|
|
|
|
|
type UpdateAPIKeyRequest struct {
|
2026-01-09 21:59:32 +08:00
|
|
|
|
Name *string `json:"name"`
|
|
|
|
|
|
GroupID *int64 `json:"group_id"`
|
|
|
|
|
|
Status *string `json:"status"`
|
|
|
|
|
|
IPWhitelist []string `json:"ip_whitelist"` // IP 白名单(空数组清空)
|
|
|
|
|
|
IPBlacklist []string `json:"ip_blacklist"` // IP 黑名单(空数组清空)
|
2026-02-03 19:01:49 +08:00
|
|
|
|
|
|
|
|
|
|
// Quota fields
|
2026-02-03 20:49:58 +08:00
|
|
|
|
Quota *float64 `json:"quota"` // Quota limit in USD (nil = no change, 0 = unlimited)
|
|
|
|
|
|
ExpiresAt *time.Time `json:"expires_at"` // Expiration time (nil = no change)
|
|
|
|
|
|
ClearExpiration bool `json:"-"` // Clear expiration (internal use)
|
|
|
|
|
|
ResetQuota *bool `json:"reset_quota"` // Reset quota_used to 0
|
2026-03-03 15:01:10 +08:00
|
|
|
|
|
|
|
|
|
|
// Rate limit fields (nil = no change, 0 = unlimited)
|
2026-03-03 15:25:44 +08:00
|
|
|
|
RateLimit5h *float64 `json:"rate_limit_5h"`
|
|
|
|
|
|
RateLimit1d *float64 `json:"rate_limit_1d"`
|
|
|
|
|
|
RateLimit7d *float64 `json:"rate_limit_7d"`
|
|
|
|
|
|
ResetRateLimitUsage *bool `json:"reset_rate_limit_usage"` // Reset all usage counters to 0
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-04 19:27:53 +08:00
|
|
|
|
// APIKeyService API Key服务
|
2026-03-03 15:01:10 +08:00
|
|
|
|
// RateLimitCacheInvalidator invalidates rate limit cache entries on manual reset.
|
|
|
|
|
|
type RateLimitCacheInvalidator interface {
|
|
|
|
|
|
InvalidateAPIKeyRateLimit(ctx context.Context, keyID int64) error
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-04 19:27:53 +08:00
|
|
|
|
type APIKeyService struct {
|
2026-03-03 15:25:44 +08:00
|
|
|
|
apiKeyRepo APIKeyRepository
|
|
|
|
|
|
userRepo UserRepository
|
|
|
|
|
|
groupRepo GroupRepository
|
|
|
|
|
|
userSubRepo UserSubscriptionRepository
|
|
|
|
|
|
userGroupRateRepo UserGroupRateRepository
|
|
|
|
|
|
cache APIKeyCache
|
|
|
|
|
|
rateLimitCacheInvalid RateLimitCacheInvalidator // optional: invalidate Redis rate limit cache
|
|
|
|
|
|
cfg *config.Config
|
|
|
|
|
|
authCacheL1 *ristretto.Cache
|
|
|
|
|
|
authCfg apiKeyAuthCacheConfig
|
|
|
|
|
|
authGroup singleflight.Group
|
|
|
|
|
|
lastUsedTouchL1 sync.Map // keyID -> nextAllowedAt(time.Time)
|
|
|
|
|
|
lastUsedTouchSF singleflight.Group
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-04 19:27:53 +08:00
|
|
|
|
// NewAPIKeyService 创建API Key服务实例
|
|
|
|
|
|
func NewAPIKeyService(
|
|
|
|
|
|
apiKeyRepo APIKeyRepository,
|
2025-12-25 17:15:01 +08:00
|
|
|
|
userRepo UserRepository,
|
|
|
|
|
|
groupRepo GroupRepository,
|
|
|
|
|
|
userSubRepo UserSubscriptionRepository,
|
2026-02-05 16:00:34 +08:00
|
|
|
|
userGroupRateRepo UserGroupRateRepository,
|
2026-01-04 19:27:53 +08:00
|
|
|
|
cache APIKeyCache,
|
2025-12-18 13:50:39 +08:00
|
|
|
|
cfg *config.Config,
|
2026-01-04 19:27:53 +08:00
|
|
|
|
) *APIKeyService {
|
2026-01-10 22:23:51 +08:00
|
|
|
|
svc := &APIKeyService{
|
2026-02-05 16:00:34 +08:00
|
|
|
|
apiKeyRepo: apiKeyRepo,
|
|
|
|
|
|
userRepo: userRepo,
|
|
|
|
|
|
groupRepo: groupRepo,
|
|
|
|
|
|
userSubRepo: userSubRepo,
|
|
|
|
|
|
userGroupRateRepo: userGroupRateRepo,
|
|
|
|
|
|
cache: cache,
|
|
|
|
|
|
cfg: cfg,
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
2026-01-10 22:23:51 +08:00
|
|
|
|
svc.initAuthCache(cfg)
|
|
|
|
|
|
return svc
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-03 15:01:10 +08:00
|
|
|
|
// SetRateLimitCacheInvalidator sets the optional rate limit cache invalidator.
|
|
|
|
|
|
// Called after construction (e.g. in wire) to avoid circular dependencies.
|
|
|
|
|
|
func (s *APIKeyService) SetRateLimitCacheInvalidator(inv RateLimitCacheInvalidator) {
|
|
|
|
|
|
s.rateLimitCacheInvalid = inv
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-02-28 15:01:20 +08:00
|
|
|
|
func (s *APIKeyService) compileAPIKeyIPRules(apiKey *APIKey) {
|
|
|
|
|
|
if apiKey == nil {
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
apiKey.CompiledIPWhitelist = ip.CompileIPRules(apiKey.IPWhitelist)
|
|
|
|
|
|
apiKey.CompiledIPBlacklist = ip.CompileIPRules(apiKey.IPBlacklist)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-12-18 13:50:39 +08:00
|
|
|
|
// GenerateKey 生成随机API Key
|
2026-01-04 19:27:53 +08:00
|
|
|
|
func (s *APIKeyService) GenerateKey() (string, error) {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
// 生成32字节随机数据
|
|
|
|
|
|
bytes := make([]byte, 32)
|
|
|
|
|
|
if _, err := rand.Read(bytes); err != nil {
|
|
|
|
|
|
return "", fmt.Errorf("generate random bytes: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 转换为十六进制字符串并添加前缀
|
2026-01-04 19:27:53 +08:00
|
|
|
|
prefix := s.cfg.Default.APIKeyPrefix
|
2025-12-18 13:50:39 +08:00
|
|
|
|
if prefix == "" {
|
|
|
|
|
|
prefix = "sk-"
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
key := prefix + hex.EncodeToString(bytes)
|
|
|
|
|
|
return key, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// ValidateCustomKey 验证自定义API Key格式
|
2026-01-04 19:27:53 +08:00
|
|
|
|
func (s *APIKeyService) ValidateCustomKey(key string) error {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
// 检查长度
|
|
|
|
|
|
if len(key) < 16 {
|
2026-01-04 19:27:53 +08:00
|
|
|
|
return ErrAPIKeyTooShort
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 检查字符:只允许字母、数字、下划线、连字符
|
|
|
|
|
|
for _, c := range key {
|
2025-12-20 15:29:52 +08:00
|
|
|
|
if (c >= 'a' && c <= 'z') ||
|
|
|
|
|
|
(c >= 'A' && c <= 'Z') ||
|
|
|
|
|
|
(c >= '0' && c <= '9') ||
|
|
|
|
|
|
c == '_' || c == '-' {
|
|
|
|
|
|
continue
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
2026-01-04 19:27:53 +08:00
|
|
|
|
return ErrAPIKeyInvalidChars
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-04 19:27:53 +08:00
|
|
|
|
// checkAPIKeyRateLimit 检查用户创建自定义Key的错误次数是否超限
|
|
|
|
|
|
func (s *APIKeyService) checkAPIKeyRateLimit(ctx context.Context, userID int64) error {
|
2025-12-19 23:39:28 +08:00
|
|
|
|
if s.cache == nil {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-12-19 23:39:28 +08:00
|
|
|
|
count, err := s.cache.GetCreateAttemptCount(ctx, userID)
|
2025-12-26 16:33:20 +08:00
|
|
|
|
if err != nil {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
// Redis 出错时不阻止用户操作
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if count >= apiKeyMaxErrorsPerHour {
|
2026-01-04 19:27:53 +08:00
|
|
|
|
return ErrAPIKeyRateLimited
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-04 19:27:53 +08:00
|
|
|
|
// incrementAPIKeyErrorCount 增加用户创建自定义Key的错误计数
|
|
|
|
|
|
func (s *APIKeyService) incrementAPIKeyErrorCount(ctx context.Context, userID int64) {
|
2025-12-19 23:39:28 +08:00
|
|
|
|
if s.cache == nil {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-12-19 23:39:28 +08:00
|
|
|
|
_ = s.cache.IncrementCreateAttemptCount(ctx, userID)
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// canUserBindGroup 检查用户是否可以绑定指定分组
|
|
|
|
|
|
// 对于订阅类型分组:检查用户是否有有效订阅
|
|
|
|
|
|
// 对于标准类型分组:使用原有的 AllowedGroups 和 IsExclusive 逻辑
|
2026-01-04 19:27:53 +08:00
|
|
|
|
func (s *APIKeyService) canUserBindGroup(ctx context.Context, user *User, group *Group) bool {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
// 订阅类型分组:需要有效订阅
|
|
|
|
|
|
if group.IsSubscriptionType() {
|
|
|
|
|
|
_, err := s.userSubRepo.GetActiveByUserIDAndGroupID(ctx, user.ID, group.ID)
|
|
|
|
|
|
return err == nil // 有有效订阅则允许
|
|
|
|
|
|
}
|
|
|
|
|
|
// 标准类型分组:使用原有逻辑
|
|
|
|
|
|
return user.CanBindGroup(group.ID, group.IsExclusive)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Create 创建API Key
|
2026-01-04 19:27:53 +08:00
|
|
|
|
func (s *APIKeyService) Create(ctx context.Context, userID int64, req CreateAPIKeyRequest) (*APIKey, error) {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
// 验证用户存在
|
|
|
|
|
|
user, err := s.userRepo.GetByID(ctx, userID)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("get user: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-09 21:59:32 +08:00
|
|
|
|
// 验证 IP 白名单格式
|
|
|
|
|
|
if len(req.IPWhitelist) > 0 {
|
|
|
|
|
|
if invalid := ip.ValidateIPPatterns(req.IPWhitelist); len(invalid) > 0 {
|
|
|
|
|
|
return nil, fmt.Errorf("%w: %v", ErrInvalidIPPattern, invalid)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 验证 IP 黑名单格式
|
|
|
|
|
|
if len(req.IPBlacklist) > 0 {
|
|
|
|
|
|
if invalid := ip.ValidateIPPatterns(req.IPBlacklist); len(invalid) > 0 {
|
|
|
|
|
|
return nil, fmt.Errorf("%w: %v", ErrInvalidIPPattern, invalid)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-12-18 13:50:39 +08:00
|
|
|
|
// 验证分组权限(如果指定了分组)
|
|
|
|
|
|
if req.GroupID != nil {
|
|
|
|
|
|
group, err := s.groupRepo.GetByID(ctx, *req.GroupID)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("get group: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 检查用户是否可以绑定该分组
|
|
|
|
|
|
if !s.canUserBindGroup(ctx, user, group) {
|
|
|
|
|
|
return nil, ErrGroupNotAllowed
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
var key string
|
|
|
|
|
|
|
|
|
|
|
|
// 判断是否使用自定义Key
|
|
|
|
|
|
if req.CustomKey != nil && *req.CustomKey != "" {
|
|
|
|
|
|
// 检查限流(仅对自定义key进行限流)
|
2026-01-04 19:27:53 +08:00
|
|
|
|
if err := s.checkAPIKeyRateLimit(ctx, userID); err != nil {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 验证自定义Key格式
|
|
|
|
|
|
if err := s.ValidateCustomKey(*req.CustomKey); err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 检查Key是否已存在
|
|
|
|
|
|
exists, err := s.apiKeyRepo.ExistsByKey(ctx, *req.CustomKey)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("check key exists: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
if exists {
|
2026-01-03 06:37:08 -08:00
|
|
|
|
// Key已存在,增加错误计数
|
2026-01-04 19:27:53 +08:00
|
|
|
|
s.incrementAPIKeyErrorCount(ctx, userID)
|
|
|
|
|
|
return nil, ErrAPIKeyExists
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
key = *req.CustomKey
|
|
|
|
|
|
} else {
|
|
|
|
|
|
// 生成随机API Key
|
|
|
|
|
|
var err error
|
|
|
|
|
|
key, err = s.GenerateKey()
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("generate key: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 创建API Key记录
|
2026-01-04 19:27:53 +08:00
|
|
|
|
apiKey := &APIKey{
|
2026-01-09 21:59:32 +08:00
|
|
|
|
UserID: userID,
|
|
|
|
|
|
Key: key,
|
|
|
|
|
|
Name: req.Name,
|
|
|
|
|
|
GroupID: req.GroupID,
|
|
|
|
|
|
Status: StatusActive,
|
|
|
|
|
|
IPWhitelist: req.IPWhitelist,
|
|
|
|
|
|
IPBlacklist: req.IPBlacklist,
|
2026-02-03 19:01:49 +08:00
|
|
|
|
Quota: req.Quota,
|
|
|
|
|
|
QuotaUsed: 0,
|
2026-03-03 15:01:10 +08:00
|
|
|
|
RateLimit5h: req.RateLimit5h,
|
|
|
|
|
|
RateLimit1d: req.RateLimit1d,
|
|
|
|
|
|
RateLimit7d: req.RateLimit7d,
|
2026-02-03 19:01:49 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Set expiration time if specified
|
|
|
|
|
|
if req.ExpiresInDays != nil && *req.ExpiresInDays > 0 {
|
|
|
|
|
|
expiresAt := time.Now().AddDate(0, 0, *req.ExpiresInDays)
|
|
|
|
|
|
apiKey.ExpiresAt = &expiresAt
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if err := s.apiKeyRepo.Create(ctx, apiKey); err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("create api key: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-10 22:23:51 +08:00
|
|
|
|
s.InvalidateAuthCacheByKey(ctx, apiKey.Key)
|
2026-02-28 15:01:20 +08:00
|
|
|
|
s.compileAPIKeyIPRules(apiKey)
|
2026-01-10 22:23:51 +08:00
|
|
|
|
|
2025-12-18 13:50:39 +08:00
|
|
|
|
return apiKey, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// List 获取用户的API Key列表
|
2026-03-04 11:29:31 +08:00
|
|
|
|
func (s *APIKeyService) List(ctx context.Context, userID int64, params pagination.PaginationParams, filters APIKeyListFilters) ([]APIKey, *pagination.PaginationResult, error) {
|
|
|
|
|
|
keys, pagination, err := s.apiKeyRepo.ListByUserID(ctx, userID, params, filters)
|
2025-12-18 13:50:39 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, nil, fmt.Errorf("list api keys: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
return keys, pagination, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-04 19:27:53 +08:00
|
|
|
|
func (s *APIKeyService) VerifyOwnership(ctx context.Context, userID int64, apiKeyIDs []int64) ([]int64, error) {
|
2025-12-27 16:03:57 +08:00
|
|
|
|
if len(apiKeyIDs) == 0 {
|
|
|
|
|
|
return []int64{}, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
validIDs, err := s.apiKeyRepo.VerifyOwnership(ctx, userID, apiKeyIDs)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("verify api key ownership: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
return validIDs, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-12-18 13:50:39 +08:00
|
|
|
|
// GetByID 根据ID获取API Key
|
2026-01-04 19:27:53 +08:00
|
|
|
|
func (s *APIKeyService) GetByID(ctx context.Context, id int64) (*APIKey, error) {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
apiKey, err := s.apiKeyRepo.GetByID(ctx, id)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("get api key: %w", err)
|
|
|
|
|
|
}
|
2026-02-28 15:01:20 +08:00
|
|
|
|
s.compileAPIKeyIPRules(apiKey)
|
2025-12-18 13:50:39 +08:00
|
|
|
|
return apiKey, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GetByKey 根据Key字符串获取API Key(用于认证)
|
2026-01-04 19:27:53 +08:00
|
|
|
|
func (s *APIKeyService) GetByKey(ctx context.Context, key string) (*APIKey, error) {
|
2026-01-10 22:23:51 +08:00
|
|
|
|
cacheKey := s.authCacheKey(key)
|
|
|
|
|
|
|
|
|
|
|
|
if entry, ok := s.getAuthCacheEntry(ctx, cacheKey); ok {
|
|
|
|
|
|
if apiKey, used, err := s.applyAuthCacheEntry(key, entry); used {
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("get api key: %w", err)
|
|
|
|
|
|
}
|
2026-02-28 15:01:20 +08:00
|
|
|
|
s.compileAPIKeyIPRules(apiKey)
|
2026-01-10 22:23:51 +08:00
|
|
|
|
return apiKey, nil
|
|
|
|
|
|
}
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-10 22:23:51 +08:00
|
|
|
|
if s.authCfg.singleflight {
|
|
|
|
|
|
value, err, _ := s.authGroup.Do(cacheKey, func() (any, error) {
|
|
|
|
|
|
return s.loadAuthCacheEntry(ctx, key, cacheKey)
|
|
|
|
|
|
})
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
entry, _ := value.(*APIKeyAuthCacheEntry)
|
|
|
|
|
|
if apiKey, used, err := s.applyAuthCacheEntry(key, entry); used {
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("get api key: %w", err)
|
|
|
|
|
|
}
|
2026-02-28 15:01:20 +08:00
|
|
|
|
s.compileAPIKeyIPRules(apiKey)
|
2026-01-10 22:23:51 +08:00
|
|
|
|
return apiKey, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
} else {
|
|
|
|
|
|
entry, err := s.loadAuthCacheEntry(ctx, key, cacheKey)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
if apiKey, used, err := s.applyAuthCacheEntry(key, entry); used {
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("get api key: %w", err)
|
|
|
|
|
|
}
|
2026-02-28 15:01:20 +08:00
|
|
|
|
s.compileAPIKeyIPRules(apiKey)
|
2026-01-10 22:23:51 +08:00
|
|
|
|
return apiKey, nil
|
|
|
|
|
|
}
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-10 22:23:51 +08:00
|
|
|
|
apiKey, err := s.apiKeyRepo.GetByKeyForAuth(ctx, key)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("get api key: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
apiKey.Key = key
|
2026-02-28 15:01:20 +08:00
|
|
|
|
s.compileAPIKeyIPRules(apiKey)
|
2025-12-18 13:50:39 +08:00
|
|
|
|
return apiKey, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Update 更新API Key
|
2026-01-04 19:27:53 +08:00
|
|
|
|
func (s *APIKeyService) Update(ctx context.Context, id int64, userID int64, req UpdateAPIKeyRequest) (*APIKey, error) {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
apiKey, err := s.apiKeyRepo.GetByID(ctx, id)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("get api key: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 验证所有权
|
|
|
|
|
|
if apiKey.UserID != userID {
|
|
|
|
|
|
return nil, ErrInsufficientPerms
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-09 21:59:32 +08:00
|
|
|
|
// 验证 IP 白名单格式
|
|
|
|
|
|
if len(req.IPWhitelist) > 0 {
|
|
|
|
|
|
if invalid := ip.ValidateIPPatterns(req.IPWhitelist); len(invalid) > 0 {
|
|
|
|
|
|
return nil, fmt.Errorf("%w: %v", ErrInvalidIPPattern, invalid)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 验证 IP 黑名单格式
|
|
|
|
|
|
if len(req.IPBlacklist) > 0 {
|
|
|
|
|
|
if invalid := ip.ValidateIPPatterns(req.IPBlacklist); len(invalid) > 0 {
|
|
|
|
|
|
return nil, fmt.Errorf("%w: %v", ErrInvalidIPPattern, invalid)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-12-18 13:50:39 +08:00
|
|
|
|
// 更新字段
|
|
|
|
|
|
if req.Name != nil {
|
|
|
|
|
|
apiKey.Name = *req.Name
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if req.GroupID != nil {
|
|
|
|
|
|
// 验证分组权限
|
|
|
|
|
|
user, err := s.userRepo.GetByID(ctx, userID)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("get user: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
group, err := s.groupRepo.GetByID(ctx, *req.GroupID)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("get group: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if !s.canUserBindGroup(ctx, user, group) {
|
|
|
|
|
|
return nil, ErrGroupNotAllowed
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
apiKey.GroupID = req.GroupID
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if req.Status != nil {
|
|
|
|
|
|
apiKey.Status = *req.Status
|
|
|
|
|
|
// 如果状态改变,清除Redis缓存
|
2025-12-19 23:39:28 +08:00
|
|
|
|
if s.cache != nil {
|
|
|
|
|
|
_ = s.cache.DeleteCreateAttemptCount(ctx, apiKey.UserID)
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-02-03 19:01:49 +08:00
|
|
|
|
// Update quota fields
|
|
|
|
|
|
if req.Quota != nil {
|
|
|
|
|
|
apiKey.Quota = *req.Quota
|
|
|
|
|
|
// If quota is increased and status was quota_exhausted, reactivate
|
|
|
|
|
|
if apiKey.Status == StatusAPIKeyQuotaExhausted && *req.Quota > apiKey.QuotaUsed {
|
|
|
|
|
|
apiKey.Status = StatusActive
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
if req.ResetQuota != nil && *req.ResetQuota {
|
|
|
|
|
|
apiKey.QuotaUsed = 0
|
|
|
|
|
|
// If resetting quota and status was quota_exhausted, reactivate
|
|
|
|
|
|
if apiKey.Status == StatusAPIKeyQuotaExhausted {
|
|
|
|
|
|
apiKey.Status = StatusActive
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
if req.ClearExpiration {
|
|
|
|
|
|
apiKey.ExpiresAt = nil
|
|
|
|
|
|
// If clearing expiry and status was expired, reactivate
|
|
|
|
|
|
if apiKey.Status == StatusAPIKeyExpired {
|
|
|
|
|
|
apiKey.Status = StatusActive
|
|
|
|
|
|
}
|
|
|
|
|
|
} else if req.ExpiresAt != nil {
|
|
|
|
|
|
apiKey.ExpiresAt = req.ExpiresAt
|
|
|
|
|
|
// If extending expiry and status was expired, reactivate
|
|
|
|
|
|
if apiKey.Status == StatusAPIKeyExpired && time.Now().Before(*req.ExpiresAt) {
|
|
|
|
|
|
apiKey.Status = StatusActive
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-09 21:59:32 +08:00
|
|
|
|
// 更新 IP 限制(空数组会清空设置)
|
|
|
|
|
|
apiKey.IPWhitelist = req.IPWhitelist
|
|
|
|
|
|
apiKey.IPBlacklist = req.IPBlacklist
|
|
|
|
|
|
|
2026-03-03 15:01:10 +08:00
|
|
|
|
// Update rate limit configuration
|
|
|
|
|
|
if req.RateLimit5h != nil {
|
|
|
|
|
|
apiKey.RateLimit5h = *req.RateLimit5h
|
|
|
|
|
|
}
|
|
|
|
|
|
if req.RateLimit1d != nil {
|
|
|
|
|
|
apiKey.RateLimit1d = *req.RateLimit1d
|
|
|
|
|
|
}
|
|
|
|
|
|
if req.RateLimit7d != nil {
|
|
|
|
|
|
apiKey.RateLimit7d = *req.RateLimit7d
|
|
|
|
|
|
}
|
|
|
|
|
|
resetRateLimit := req.ResetRateLimitUsage != nil && *req.ResetRateLimitUsage
|
|
|
|
|
|
if resetRateLimit {
|
|
|
|
|
|
apiKey.Usage5h = 0
|
|
|
|
|
|
apiKey.Usage1d = 0
|
|
|
|
|
|
apiKey.Usage7d = 0
|
|
|
|
|
|
apiKey.Window5hStart = nil
|
|
|
|
|
|
apiKey.Window1dStart = nil
|
|
|
|
|
|
apiKey.Window7dStart = nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-12-18 13:50:39 +08:00
|
|
|
|
if err := s.apiKeyRepo.Update(ctx, apiKey); err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("update api key: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-10 22:23:51 +08:00
|
|
|
|
s.InvalidateAuthCacheByKey(ctx, apiKey.Key)
|
2026-02-28 15:01:20 +08:00
|
|
|
|
s.compileAPIKeyIPRules(apiKey)
|
2026-01-10 22:23:51 +08:00
|
|
|
|
|
2026-03-03 15:01:10 +08:00
|
|
|
|
// Invalidate Redis rate limit cache so reset takes effect immediately
|
|
|
|
|
|
if resetRateLimit && s.rateLimitCacheInvalid != nil {
|
|
|
|
|
|
_ = s.rateLimitCacheInvalid.InvalidateAPIKeyRateLimit(ctx, apiKey.ID)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-12-18 13:50:39 +08:00
|
|
|
|
return apiKey, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Delete 删除API Key
|
2026-01-04 19:27:53 +08:00
|
|
|
|
func (s *APIKeyService) Delete(ctx context.Context, id int64, userID int64) error {
|
2026-01-10 22:23:51 +08:00
|
|
|
|
key, ownerID, err := s.apiKeyRepo.GetKeyAndOwnerID(ctx, id)
|
2025-12-18 13:50:39 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return fmt.Errorf("get api key: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-12-29 14:06:38 +08:00
|
|
|
|
// 验证当前用户是否为该 API Key 的所有者
|
|
|
|
|
|
if ownerID != userID {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
return ErrInsufficientPerms
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-01-10 22:23:51 +08:00
|
|
|
|
// 清除Redis缓存(使用 userID 而非 apiKey.UserID)
|
2025-12-19 23:39:28 +08:00
|
|
|
|
if s.cache != nil {
|
2026-01-10 22:23:51 +08:00
|
|
|
|
_ = s.cache.DeleteCreateAttemptCount(ctx, userID)
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
2026-01-10 22:23:51 +08:00
|
|
|
|
s.InvalidateAuthCacheByKey(ctx, key)
|
2025-12-18 13:50:39 +08:00
|
|
|
|
|
|
|
|
|
|
if err := s.apiKeyRepo.Delete(ctx, id); err != nil {
|
|
|
|
|
|
return fmt.Errorf("delete api key: %w", err)
|
|
|
|
|
|
}
|
2026-02-22 22:07:17 +08:00
|
|
|
|
s.lastUsedTouchL1.Delete(id)
|
2025-12-18 13:50:39 +08:00
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// ValidateKey 验证API Key是否有效(用于认证中间件)
|
2026-01-04 19:27:53 +08:00
|
|
|
|
func (s *APIKeyService) ValidateKey(ctx context.Context, key string) (*APIKey, *User, error) {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
// 获取API Key
|
|
|
|
|
|
apiKey, err := s.GetByKey(ctx, key)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 检查API Key状态
|
|
|
|
|
|
if !apiKey.IsActive() {
|
2025-12-25 20:52:47 +08:00
|
|
|
|
return nil, nil, infraerrors.Unauthorized("API_KEY_INACTIVE", "api key is not active")
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 获取用户信息
|
|
|
|
|
|
user, err := s.userRepo.GetByID(ctx, apiKey.UserID)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, nil, fmt.Errorf("get user: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 检查用户状态
|
|
|
|
|
|
if !user.IsActive() {
|
|
|
|
|
|
return nil, nil, ErrUserNotActive
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return apiKey, user, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-02-22 22:07:17 +08:00
|
|
|
|
// TouchLastUsed 通过防抖更新 api_keys.last_used_at,减少高频写放大。
|
|
|
|
|
|
// 该操作为尽力而为,不应阻塞主请求链路。
|
|
|
|
|
|
func (s *APIKeyService) TouchLastUsed(ctx context.Context, keyID int64) error {
|
|
|
|
|
|
if keyID <= 0 {
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
now := time.Now()
|
|
|
|
|
|
if v, ok := s.lastUsedTouchL1.Load(keyID); ok {
|
2026-02-23 12:45:37 +08:00
|
|
|
|
if nextAllowedAt, ok := v.(time.Time); ok && now.Before(nextAllowedAt) {
|
2026-02-22 22:07:17 +08:00
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
_, err, _ := s.lastUsedTouchSF.Do(strconv.FormatInt(keyID, 10), func() (any, error) {
|
|
|
|
|
|
latest := time.Now()
|
|
|
|
|
|
if v, ok := s.lastUsedTouchL1.Load(keyID); ok {
|
2026-02-23 12:45:37 +08:00
|
|
|
|
if nextAllowedAt, ok := v.(time.Time); ok && latest.Before(nextAllowedAt) {
|
2026-02-22 22:07:17 +08:00
|
|
|
|
return nil, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if err := s.apiKeyRepo.UpdateLastUsed(ctx, keyID, latest); err != nil {
|
2026-02-23 12:45:37 +08:00
|
|
|
|
s.lastUsedTouchL1.Store(keyID, latest.Add(apiKeyLastUsedFailBackoff))
|
2026-02-22 22:07:17 +08:00
|
|
|
|
return nil, fmt.Errorf("touch api key last used: %w", err)
|
|
|
|
|
|
}
|
2026-02-23 12:45:37 +08:00
|
|
|
|
s.lastUsedTouchL1.Store(keyID, latest.Add(apiKeyLastUsedMinTouch))
|
2026-02-22 22:07:17 +08:00
|
|
|
|
return nil, nil
|
|
|
|
|
|
})
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-12-18 13:50:39 +08:00
|
|
|
|
// IncrementUsage 增加API Key使用次数(可选:用于统计)
|
2026-01-04 19:27:53 +08:00
|
|
|
|
func (s *APIKeyService) IncrementUsage(ctx context.Context, keyID int64) error {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
// 使用Redis计数器
|
2025-12-19 23:39:28 +08:00
|
|
|
|
if s.cache != nil {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
cacheKey := fmt.Sprintf("apikey:usage:%d:%s", keyID, timezone.Now().Format("2006-01-02"))
|
2025-12-19 23:39:28 +08:00
|
|
|
|
if err := s.cache.IncrementDailyUsage(ctx, cacheKey); err != nil {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
return fmt.Errorf("increment usage: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
// 设置24小时过期
|
2025-12-19 23:39:28 +08:00
|
|
|
|
_ = s.cache.SetDailyUsageExpiry(ctx, cacheKey, 24*time.Hour)
|
2025-12-18 13:50:39 +08:00
|
|
|
|
}
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GetAvailableGroups 获取用户有权限绑定的分组列表
|
|
|
|
|
|
// 返回用户可以选择的分组:
|
|
|
|
|
|
// - 标准类型分组:公开的(非专属)或用户被明确允许的
|
|
|
|
|
|
// - 订阅类型分组:用户有有效订阅的
|
2026-01-04 19:27:53 +08:00
|
|
|
|
func (s *APIKeyService) GetAvailableGroups(ctx context.Context, userID int64) ([]Group, error) {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
// 获取用户信息
|
|
|
|
|
|
user, err := s.userRepo.GetByID(ctx, userID)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("get user: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 获取所有活跃分组
|
|
|
|
|
|
allGroups, err := s.groupRepo.ListActive(ctx)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("list active groups: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 获取用户的所有有效订阅
|
|
|
|
|
|
activeSubscriptions, err := s.userSubRepo.ListActiveByUserID(ctx, userID)
|
2025-12-25 20:52:47 +08:00
|
|
|
|
if err != nil {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
return nil, fmt.Errorf("list active subscriptions: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 构建订阅分组 ID 集合
|
|
|
|
|
|
subscribedGroupIDs := make(map[int64]bool)
|
|
|
|
|
|
for _, sub := range activeSubscriptions {
|
|
|
|
|
|
subscribedGroupIDs[sub.GroupID] = true
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 过滤出用户有权限的分组
|
2025-12-26 15:40:24 +08:00
|
|
|
|
availableGroups := make([]Group, 0)
|
2025-12-18 13:50:39 +08:00
|
|
|
|
for _, group := range allGroups {
|
|
|
|
|
|
if s.canUserBindGroupInternal(user, &group, subscribedGroupIDs) {
|
|
|
|
|
|
availableGroups = append(availableGroups, group)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return availableGroups, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// canUserBindGroupInternal 内部方法,检查用户是否可以绑定分组(使用预加载的订阅数据)
|
2026-01-04 19:27:53 +08:00
|
|
|
|
func (s *APIKeyService) canUserBindGroupInternal(user *User, group *Group, subscribedGroupIDs map[int64]bool) bool {
|
2025-12-18 13:50:39 +08:00
|
|
|
|
// 订阅类型分组:需要有效订阅
|
|
|
|
|
|
if group.IsSubscriptionType() {
|
|
|
|
|
|
return subscribedGroupIDs[group.ID]
|
|
|
|
|
|
}
|
|
|
|
|
|
// 标准类型分组:使用原有逻辑
|
|
|
|
|
|
return user.CanBindGroup(group.ID, group.IsExclusive)
|
|
|
|
|
|
}
|
2025-12-24 08:41:31 +08:00
|
|
|
|
|
2026-01-04 19:27:53 +08:00
|
|
|
|
func (s *APIKeyService) SearchAPIKeys(ctx context.Context, userID int64, keyword string, limit int) ([]APIKey, error) {
|
|
|
|
|
|
keys, err := s.apiKeyRepo.SearchAPIKeys(ctx, userID, keyword, limit)
|
2025-12-24 08:41:31 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("search api keys: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
return keys, nil
|
|
|
|
|
|
}
|
2026-02-03 19:01:49 +08:00
|
|
|
|
|
2026-02-05 16:00:34 +08:00
|
|
|
|
// GetUserGroupRates 获取用户的专属分组倍率配置
|
|
|
|
|
|
// 返回 map[groupID]rateMultiplier
|
|
|
|
|
|
func (s *APIKeyService) GetUserGroupRates(ctx context.Context, userID int64) (map[int64]float64, error) {
|
|
|
|
|
|
if s.userGroupRateRepo == nil {
|
|
|
|
|
|
return nil, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
rates, err := s.userGroupRateRepo.GetByUserID(ctx, userID)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("get user group rates: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
return rates, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-02-03 19:01:49 +08:00
|
|
|
|
// CheckAPIKeyQuotaAndExpiry checks if the API key is valid for use (not expired, quota not exhausted)
|
|
|
|
|
|
// Returns nil if valid, error if invalid
|
|
|
|
|
|
func (s *APIKeyService) CheckAPIKeyQuotaAndExpiry(apiKey *APIKey) error {
|
|
|
|
|
|
// Check expiration
|
|
|
|
|
|
if apiKey.IsExpired() {
|
|
|
|
|
|
return ErrAPIKeyExpired
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Check quota
|
|
|
|
|
|
if apiKey.IsQuotaExhausted() {
|
|
|
|
|
|
return ErrAPIKeyQuotaExhausted
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// UpdateQuotaUsed updates the quota_used field after a request
|
|
|
|
|
|
// Also checks if quota is exhausted and updates status accordingly
|
|
|
|
|
|
func (s *APIKeyService) UpdateQuotaUsed(ctx context.Context, apiKeyID int64, cost float64) error {
|
|
|
|
|
|
if cost <= 0 {
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-11 13:53:19 +08:00
|
|
|
|
type quotaStateReader interface {
|
|
|
|
|
|
IncrementQuotaUsedAndGetState(ctx context.Context, id int64, amount float64) (*APIKeyQuotaUsageState, error)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if repo, ok := s.apiKeyRepo.(quotaStateReader); ok {
|
|
|
|
|
|
state, err := repo.IncrementQuotaUsedAndGetState(ctx, apiKeyID, cost)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return fmt.Errorf("increment quota used: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
if state != nil && state.Status == StatusAPIKeyQuotaExhausted && strings.TrimSpace(state.Key) != "" {
|
|
|
|
|
|
s.InvalidateAuthCacheByKey(ctx, state.Key)
|
|
|
|
|
|
}
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-02-03 19:01:49 +08:00
|
|
|
|
// Use repository to atomically increment quota_used
|
|
|
|
|
|
newQuotaUsed, err := s.apiKeyRepo.IncrementQuotaUsed(ctx, apiKeyID, cost)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return fmt.Errorf("increment quota used: %w", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Check if quota is now exhausted and update status if needed
|
|
|
|
|
|
apiKey, err := s.apiKeyRepo.GetByID(ctx, apiKeyID)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil // Don't fail the request, just log
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// If quota is set and now exhausted, update status
|
|
|
|
|
|
if apiKey.Quota > 0 && newQuotaUsed >= apiKey.Quota {
|
|
|
|
|
|
apiKey.Status = StatusAPIKeyQuotaExhausted
|
|
|
|
|
|
if err := s.apiKeyRepo.Update(ctx, apiKey); err != nil {
|
|
|
|
|
|
return nil // Don't fail the request
|
|
|
|
|
|
}
|
|
|
|
|
|
// Invalidate cache so next request sees the new status
|
|
|
|
|
|
s.InvalidateAuthCacheByKey(ctx, apiKey.Key)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
2026-03-03 15:01:10 +08:00
|
|
|
|
|
2026-03-03 20:59:12 +08:00
|
|
|
|
// GetRateLimitData returns rate limit usage and window state for an API key.
|
|
|
|
|
|
func (s *APIKeyService) GetRateLimitData(ctx context.Context, id int64) (*APIKeyRateLimitData, error) {
|
|
|
|
|
|
return s.apiKeyRepo.GetRateLimitData(ctx, id)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-03 15:01:10 +08:00
|
|
|
|
// UpdateRateLimitUsage atomically increments rate limit usage counters in the DB.
|
|
|
|
|
|
func (s *APIKeyService) UpdateRateLimitUsage(ctx context.Context, apiKeyID int64, cost float64) error {
|
|
|
|
|
|
if cost <= 0 {
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
return s.apiKeyRepo.IncrementRateLimitUsage(ctx, apiKeyID, cost)
|
|
|
|
|
|
}
|
