backend/internal/service/turnstile_service.go

package service

import (
	"context"
	"fmt"

	infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
	"github.com/Wei-Shaw/sub2api/internal/pkg/logger"
)

var (
	ErrTurnstileVerificationFailed = infraerrors.BadRequest("TURNSTILE_VERIFICATION_FAILED", "turnstile verification failed")
	ErrTurnstileNotConfigured      = infraerrors.ServiceUnavailable("TURNSTILE_NOT_CONFIGURED", "turnstile not configured")
	ErrTurnstileInvalidSecretKey   = infraerrors.BadRequest("TURNSTILE_INVALID_SECRET_KEY", "invalid turnstile secret key")
)

// TurnstileVerifier 验证 Turnstile token 的接口
type TurnstileVerifier interface {
	VerifyToken(ctx context.Context, secretKey, token, remoteIP string) (*TurnstileVerifyResponse, error)
}

// TurnstileService Turnstile 验证服务
type TurnstileService struct {
	settingService *SettingService
	verifier       TurnstileVerifier
}

// TurnstileVerifyResponse Cloudflare Turnstile 验证响应
type TurnstileVerifyResponse struct {
	Success     bool     `json:"success"`
	ChallengeTS string   `json:"challenge_ts"`
	Hostname    string   `json:"hostname"`
	ErrorCodes  []string `json:"error-codes"`
	Action      string   `json:"action"`
	CData       string   `json:"cdata"`
}

// NewTurnstileService 创建 Turnstile 服务实例
func NewTurnstileService(settingService *SettingService, verifier TurnstileVerifier) *TurnstileService {
	return &TurnstileService{
		settingService: settingService,
		verifier:       verifier,
	}
}

// VerifyToken 验证 Turnstile token
func (s *TurnstileService) VerifyToken(ctx context.Context, token string, remoteIP string) error {
	// 检查是否启用 Turnstile
	if !s.settingService.IsTurnstileEnabled(ctx) {
		logger.LegacyPrintf("service.turnstile", "%s", "[Turnstile] Disabled, skipping verification")
		return nil
	}

	// 获取 Secret Key
	secretKey := s.settingService.GetTurnstileSecretKey(ctx)
	if secretKey == "" {
		logger.LegacyPrintf("service.turnstile", "%s", "[Turnstile] Secret key not configured")
		return ErrTurnstileNotConfigured
	}

	// 如果 token 为空，返回错误
	if token == "" {
		logger.LegacyPrintf("service.turnstile", "%s", "[Turnstile] Token is empty")
		return ErrTurnstileVerificationFailed
	}

	logger.LegacyPrintf("service.turnstile", "[Turnstile] Verifying token for IP: %s", remoteIP)
	result, err := s.verifier.VerifyToken(ctx, secretKey, token, remoteIP)
	if err != nil {
		logger.LegacyPrintf("service.turnstile", "[Turnstile] Request failed: %v", err)
		return fmt.Errorf("send request: %w", err)
	}

	if !result.Success {
		logger.LegacyPrintf("service.turnstile", "[Turnstile] Verification failed, error codes: %v", result.ErrorCodes)
		return ErrTurnstileVerificationFailed
	}

	logger.LegacyPrintf("service.turnstile", "%s", "[Turnstile] Verification successful")
	return nil
}

// IsEnabled 检查 Turnstile 是否启用
func (s *TurnstileService) IsEnabled(ctx context.Context) bool {
	return s.settingService.IsTurnstileEnabled(ctx)
}

// ValidateSecretKey 验证 Turnstile Secret Key 是否有效
func (s *TurnstileService) ValidateSecretKey(ctx context.Context, secretKey string) error {
	// 发送一个测试token的验证请求来检查secret_key是否有效
	result, err := s.verifier.VerifyToken(ctx, secretKey, "test-validation", "")
	if err != nil {
		return fmt.Errorf("validate secret key: %w", err)
	}

	// 检查是否有 invalid-input-secret 错误
	for _, code := range result.ErrorCodes {
		if code == "invalid-input-secret" {
			return ErrTurnstileInvalidSecretKey
		}
	}

	// 其他错误（如 invalid-input-response）说明 secret key 是有效的
	return nil
}
-												First commit

											
										
										
											2025-12-18 13:50:39 +08:00
+								package service
 								import (
 									"context"
 									"fmt"
-												refactor: 自定义业务错误

											
										
										
											2025-12-25 20:52:47 +08:00
-												refactor: 移除 infrastructure 目录 (#108)

* refactor: 迁移初始化 db 和 redis 到 repository

* refactor: 迁移 errors 到 pkg
											
										
										
											2025-12-31 23:42:01 +08:00
+									infraerrors "github.com/Wei-Shaw/sub2api/internal/pkg/errors"
-												chore(logging): 完成后端日志审计与结构化迁移

- 将高密度服务与处理器日志迁移到新日志系统（LegacyPrintf/结构化日志）
- 增加 stdlog bridge 与兼容测试，保留旧日志捕获能力
- 将 OpenAI 断流告警改为结构化 Warn 并改造对应测试为 sink 捕获
- 补齐后端相关文件 logger 引用并通过全量 go test

											
										
										
											2026-02-12 19:01:09 +08:00
+									"github.com/Wei-Shaw/sub2api/internal/pkg/logger"
-												First commit

											
										
										
											2025-12-18 13:50:39 +08:00
+								)
 								var (
-												refactor: 自定义业务错误

											
										
										
											2025-12-25 20:52:47 +08:00
+									ErrTurnstileVerificationFailed = infraerrors.BadRequest("TURNSTILE_VERIFICATION_FAILED", "turnstile verification failed")
 									ErrTurnstileNotConfigured      = infraerrors.ServiceUnavailable("TURNSTILE_NOT_CONFIGURED", "turnstile not configured")
-												fix(settings): 保存 Turnstile 设置时验证参数有效性

											
										
										
											2025-12-31 21:05:33 +08:00
+									ErrTurnstileInvalidSecretKey   = infraerrors.BadRequest("TURNSTILE_INVALID_SECRET_KEY", "invalid turnstile secret key")
-												First commit

											
										
										
											2025-12-18 13:50:39 +08:00
+								)
-												refactor(backend): service http ports

											
										
										
											2025-12-20 11:56:11 +08:00
+								// TurnstileVerifier 验证 Turnstile token 的接口
 								type TurnstileVerifier interface {
 									VerifyToken(ctx context.Context, secretKey, token, remoteIP string) (*TurnstileVerifyResponse, error)
 								}
-												First commit

											
										
										
											2025-12-18 13:50:39 +08:00
+								// TurnstileService Turnstile 验证服务
 								type TurnstileService struct {
 									settingService *SettingService
-												refactor(backend): service http ports

											
										
										
											2025-12-20 11:56:11 +08:00
+									verifier       TurnstileVerifier
-												First commit

											
										
										
											2025-12-18 13:50:39 +08:00
+								}
 								// TurnstileVerifyResponse Cloudflare Turnstile 验证响应
 								type TurnstileVerifyResponse struct {
 									Success     bool     `json:"success"`
 									ChallengeTS string   `json:"challenge_ts"`
 									Hostname    string   `json:"hostname"`
 									ErrorCodes  []string `json:"error-codes"`
 									Action      string   `json:"action"`
 									CData       string   `json:"cdata"`
 								}
 								// NewTurnstileService 创建 Turnstile 服务实例
-												refactor(backend): service http ports

											
										
										
											2025-12-20 11:56:11 +08:00
+								func NewTurnstileService(settingService *SettingService, verifier TurnstileVerifier) *TurnstileService {
-												First commit

											
										
										
											2025-12-18 13:50:39 +08:00
+									return &TurnstileService{
 										settingService: settingService,
-												refactor(backend): service http ports

											
										
										
											2025-12-20 11:56:11 +08:00
+										verifier:       verifier,
-												First commit

											
										
										
											2025-12-18 13:50:39 +08:00
+									}
 								}
 								// VerifyToken 验证 Turnstile token
 								func (s *TurnstileService) VerifyToken(ctx context.Context, token string, remoteIP string) error {
 									// 检查是否启用 Turnstile
 									if !s.settingService.IsTurnstileEnabled(ctx) {
-												chore(logging): 完成后端日志审计与结构化迁移

- 将高密度服务与处理器日志迁移到新日志系统（LegacyPrintf/结构化日志）
- 增加 stdlog bridge 与兼容测试，保留旧日志捕获能力
- 将 OpenAI 断流告警改为结构化 Warn 并改造对应测试为 sink 捕获
- 补齐后端相关文件 logger 引用并通过全量 go test

											
										
										
											2026-02-12 19:01:09 +08:00
+										logger.LegacyPrintf("service.turnstile", "%s", "[Turnstile] Disabled, skipping verification")
-												First commit

											
										
										
											2025-12-18 13:50:39 +08:00
+										return nil
 									}
 									// 获取 Secret Key
 									secretKey := s.settingService.GetTurnstileSecretKey(ctx)
 									if secretKey == "" {
-												chore(logging): 完成后端日志审计与结构化迁移

- 将高密度服务与处理器日志迁移到新日志系统（LegacyPrintf/结构化日志）
- 增加 stdlog bridge 与兼容测试，保留旧日志捕获能力
- 将 OpenAI 断流告警改为结构化 Warn 并改造对应测试为 sink 捕获
- 补齐后端相关文件 logger 引用并通过全量 go test

											
										
										
											2026-02-12 19:01:09 +08:00
+										logger.LegacyPrintf("service.turnstile", "%s", "[Turnstile] Secret key not configured")
-												First commit

											
										
										
											2025-12-18 13:50:39 +08:00
+										return ErrTurnstileNotConfigured
 									}
 									// 如果 token 为空，返回错误
 									if token == "" {
-												chore(logging): 完成后端日志审计与结构化迁移

- 将高密度服务与处理器日志迁移到新日志系统（LegacyPrintf/结构化日志）
- 增加 stdlog bridge 与兼容测试，保留旧日志捕获能力
- 将 OpenAI 断流告警改为结构化 Warn 并改造对应测试为 sink 捕获
- 补齐后端相关文件 logger 引用并通过全量 go test

											
										
										
											2026-02-12 19:01:09 +08:00
+										logger.LegacyPrintf("service.turnstile", "%s", "[Turnstile] Token is empty")
-												First commit

											
										
										
											2025-12-18 13:50:39 +08:00
+										return ErrTurnstileVerificationFailed
 									}
-												chore(logging): 完成后端日志审计与结构化迁移

- 将高密度服务与处理器日志迁移到新日志系统（LegacyPrintf/结构化日志）
- 增加 stdlog bridge 与兼容测试，保留旧日志捕获能力
- 将 OpenAI 断流告警改为结构化 Warn 并改造对应测试为 sink 捕获
- 补齐后端相关文件 logger 引用并通过全量 go test

											
										
										
											2026-02-12 19:01:09 +08:00
+									logger.LegacyPrintf("service.turnstile", "[Turnstile] Verifying token for IP: %s", remoteIP)
-												refactor(backend): service http ports

											
										
										
											2025-12-20 11:56:11 +08:00
+									result, err := s.verifier.VerifyToken(ctx, secretKey, token, remoteIP)
-												First commit

											
										
										
											2025-12-18 13:50:39 +08:00
+									if err != nil {
-												chore(logging): 完成后端日志审计与结构化迁移

- 将高密度服务与处理器日志迁移到新日志系统（LegacyPrintf/结构化日志）
- 增加 stdlog bridge 与兼容测试，保留旧日志捕获能力
- 将 OpenAI 断流告警改为结构化 Warn 并改造对应测试为 sink 捕获
- 补齐后端相关文件 logger 引用并通过全量 go test

											
										
										
											2026-02-12 19:01:09 +08:00
+										logger.LegacyPrintf("service.turnstile", "[Turnstile] Request failed: %v", err)
-												First commit

											
										
										
											2025-12-18 13:50:39 +08:00
+										return fmt.Errorf("send request: %w", err)
 									}
 									if !result.Success {
-												chore(logging): 完成后端日志审计与结构化迁移

- 将高密度服务与处理器日志迁移到新日志系统（LegacyPrintf/结构化日志）
- 增加 stdlog bridge 与兼容测试，保留旧日志捕获能力
- 将 OpenAI 断流告警改为结构化 Warn 并改造对应测试为 sink 捕获
- 补齐后端相关文件 logger 引用并通过全量 go test

											
										
										
											2026-02-12 19:01:09 +08:00
+										logger.LegacyPrintf("service.turnstile", "[Turnstile] Verification failed, error codes: %v", result.ErrorCodes)
-												First commit

											
										
										
											2025-12-18 13:50:39 +08:00
+										return ErrTurnstileVerificationFailed
 									}
-												chore(logging): 完成后端日志审计与结构化迁移

- 将高密度服务与处理器日志迁移到新日志系统（LegacyPrintf/结构化日志）
- 增加 stdlog bridge 与兼容测试，保留旧日志捕获能力
- 将 OpenAI 断流告警改为结构化 Warn 并改造对应测试为 sink 捕获
- 补齐后端相关文件 logger 引用并通过全量 go test

											
										
										
											2026-02-12 19:01:09 +08:00
+									logger.LegacyPrintf("service.turnstile", "%s", "[Turnstile] Verification successful")
-												First commit

											
										
										
											2025-12-18 13:50:39 +08:00
+									return nil
 								}
 								// IsEnabled 检查 Turnstile 是否启用
 								func (s *TurnstileService) IsEnabled(ctx context.Context) bool {
 									return s.settingService.IsTurnstileEnabled(ctx)
 								}
-												fix(settings): 保存 Turnstile 设置时验证参数有效性

											
										
										
											2025-12-31 21:05:33 +08:00
 								// ValidateSecretKey 验证 Turnstile Secret Key 是否有效
 								func (s *TurnstileService) ValidateSecretKey(ctx context.Context, secretKey string) error {
 									// 发送一个测试token的验证请求来检查secret_key是否有效
 									result, err := s.verifier.VerifyToken(ctx, secretKey, "test-validation", "")
 									if err != nil {
 										return fmt.Errorf("validate secret key: %w", err)
 									}
 									// 检查是否有 invalid-input-secret 错误
 									for _, code := range result.ErrorCodes {
 										if code == "invalid-input-secret" {
 											return ErrTurnstileInvalidSecretKey
 										}
 									}
 									// 其他错误（如 invalid-input-response）说明 secret key 是有效的
 									return nil
 								}