backend/internal/server/routes/auth.go

package routes

import (
	"time"

	"github.com/Wei-Shaw/sub2api/internal/handler"
	"github.com/Wei-Shaw/sub2api/internal/middleware"
	servermiddleware "github.com/Wei-Shaw/sub2api/internal/server/middleware"
	"github.com/Wei-Shaw/sub2api/internal/service"

	"github.com/gin-gonic/gin"
	"github.com/redis/go-redis/v9"
)

// RegisterAuthRoutes 注册认证相关路由
func RegisterAuthRoutes(
	v1 *gin.RouterGroup,
	h *handler.Handlers,
	jwtAuth servermiddleware.JWTAuthMiddleware,
	redisClient *redis.Client,
	settingService *service.SettingService,
) {
	// 创建速率限制器
	rateLimiter := middleware.NewRateLimiter(redisClient)

	// 公开接口
	auth := v1.Group("/auth")
	auth.Use(servermiddleware.BackendModeAuthGuard(settingService))
	{
		// 注册/登录/2FA/验证码发送均属于高风险入口，增加服务端兜底限流（Redis 故障时 fail-close）
		auth.POST("/register", rateLimiter.LimitWithOptions("auth-register", 5, time.Minute, middleware.RateLimitOptions{
			FailureMode: middleware.RateLimitFailClose,
		}), h.Auth.Register)
		auth.POST("/login", rateLimiter.LimitWithOptions("auth-login", 20, time.Minute, middleware.RateLimitOptions{
			FailureMode: middleware.RateLimitFailClose,
		}), h.Auth.Login)
		auth.POST("/login/2fa", rateLimiter.LimitWithOptions("auth-login-2fa", 20, time.Minute, middleware.RateLimitOptions{
			FailureMode: middleware.RateLimitFailClose,
		}), h.Auth.Login2FA)
		auth.POST("/send-verify-code", rateLimiter.LimitWithOptions("auth-send-verify-code", 5, time.Minute, middleware.RateLimitOptions{
			FailureMode: middleware.RateLimitFailClose,
		}), h.Auth.SendVerifyCode)
		// Token刷新接口添加速率限制：每分钟最多 30 次（Redis 故障时 fail-close）
		auth.POST("/refresh", rateLimiter.LimitWithOptions("refresh-token", 30, time.Minute, middleware.RateLimitOptions{
			FailureMode: middleware.RateLimitFailClose,
		}), h.Auth.RefreshToken)
		// 登出接口（公开，允许未认证用户调用以撤销Refresh Token）
		auth.POST("/logout", h.Auth.Logout)
		// 优惠码验证接口添加速率限制：每分钟最多 10 次（Redis 故障时 fail-close）
		auth.POST("/validate-promo-code", rateLimiter.LimitWithOptions("validate-promo", 10, time.Minute, middleware.RateLimitOptions{
			FailureMode: middleware.RateLimitFailClose,
		}), h.Auth.ValidatePromoCode)
		// 邀请码验证接口添加速率限制：每分钟最多 10 次（Redis 故障时 fail-close）
		auth.POST("/validate-invitation-code", rateLimiter.LimitWithOptions("validate-invitation", 10, time.Minute, middleware.RateLimitOptions{
			FailureMode: middleware.RateLimitFailClose,
		}), h.Auth.ValidateInvitationCode)
		// 忘记密码接口添加速率限制：每分钟最多 5 次（Redis 故障时 fail-close）
		auth.POST("/forgot-password", rateLimiter.LimitWithOptions("forgot-password", 5, time.Minute, middleware.RateLimitOptions{
			FailureMode: middleware.RateLimitFailClose,
		}), h.Auth.ForgotPassword)
		// 重置密码接口添加速率限制：每分钟最多 10 次（Redis 故障时 fail-close）
		auth.POST("/reset-password", rateLimiter.LimitWithOptions("reset-password", 10, time.Minute, middleware.RateLimitOptions{
			FailureMode: middleware.RateLimitFailClose,
		}), h.Auth.ResetPassword)
		auth.GET("/oauth/linuxdo/start", h.Auth.LinuxDoOAuthStart)
		auth.GET("/oauth/linuxdo/bind/start", func(c *gin.Context) {
			query := c.Request.URL.Query()
			query.Set("intent", "bind_current_user")
			c.Request.URL.RawQuery = query.Encode()
			h.Auth.LinuxDoOAuthStart(c)
		})
		auth.GET("/oauth/linuxdo/callback", h.Auth.LinuxDoOAuthCallback)
		auth.GET("/oauth/wechat/start", h.Auth.WeChatOAuthStart)
		auth.GET("/oauth/wechat/bind/start", func(c *gin.Context) {
			query := c.Request.URL.Query()
			query.Set("intent", "bind_current_user")
			c.Request.URL.RawQuery = query.Encode()
			h.Auth.WeChatOAuthStart(c)
		})
		auth.GET("/oauth/wechat/callback", h.Auth.WeChatOAuthCallback)
		auth.GET("/oauth/wechat/payment/start", h.Auth.WeChatPaymentOAuthStart)
		auth.GET("/oauth/wechat/payment/callback", h.Auth.WeChatPaymentOAuthCallback)
		auth.POST("/oauth/pending/exchange",
			rateLimiter.LimitWithOptions("oauth-pending-exchange", 20, time.Minute, middleware.RateLimitOptions{
				FailureMode: middleware.RateLimitFailClose,
			}),
			h.Auth.ExchangePendingOAuthCompletion,
		)
		auth.POST("/oauth/pending/send-verify-code",
			rateLimiter.LimitWithOptions("oauth-pending-send-verify-code", 5, time.Minute, middleware.RateLimitOptions{
				FailureMode: middleware.RateLimitFailClose,
			}),
			h.Auth.SendPendingOAuthVerifyCode,
		)
		auth.POST("/oauth/pending/create-account",
			rateLimiter.LimitWithOptions("oauth-pending-create-account", 10, time.Minute, middleware.RateLimitOptions{
				FailureMode: middleware.RateLimitFailClose,
			}),
			h.Auth.CreatePendingOAuthAccount,
		)
		auth.POST("/oauth/pending/bind-login",
			rateLimiter.LimitWithOptions("oauth-pending-bind-login", 10, time.Minute, middleware.RateLimitOptions{
				FailureMode: middleware.RateLimitFailClose,
			}),
			h.Auth.BindPendingOAuthLogin,
		)
		auth.POST("/oauth/linuxdo/complete-registration",
			rateLimiter.LimitWithOptions("oauth-linuxdo-complete", 10, time.Minute, middleware.RateLimitOptions{
				FailureMode: middleware.RateLimitFailClose,
			}),
			h.Auth.CompleteLinuxDoOAuthRegistration,
		)
		auth.POST("/oauth/linuxdo/bind-login",
			rateLimiter.LimitWithOptions("oauth-linuxdo-bind-login", 20, time.Minute, middleware.RateLimitOptions{
				FailureMode: middleware.RateLimitFailClose,
			}),
			h.Auth.BindLinuxDoOAuthLogin,
		)
		auth.POST("/oauth/linuxdo/create-account",
			rateLimiter.LimitWithOptions("oauth-linuxdo-create-account", 10, time.Minute, middleware.RateLimitOptions{
				FailureMode: middleware.RateLimitFailClose,
			}),
			h.Auth.CreateLinuxDoOAuthAccount,
		)
		auth.POST("/oauth/wechat/complete-registration",
			rateLimiter.LimitWithOptions("oauth-wechat-complete", 10, time.Minute, middleware.RateLimitOptions{
				FailureMode: middleware.RateLimitFailClose,
			}),
			h.Auth.CompleteWeChatOAuthRegistration,
		)
		auth.POST("/oauth/wechat/bind-login",
			rateLimiter.LimitWithOptions("oauth-wechat-bind-login", 20, time.Minute, middleware.RateLimitOptions{
				FailureMode: middleware.RateLimitFailClose,
			}),
			h.Auth.BindWeChatOAuthLogin,
		)
		auth.POST("/oauth/wechat/create-account",
			rateLimiter.LimitWithOptions("oauth-wechat-create-account", 10, time.Minute, middleware.RateLimitOptions{
				FailureMode: middleware.RateLimitFailClose,
			}),
			h.Auth.CreateWeChatOAuthAccount,
		)
		auth.GET("/oauth/oidc/start", h.Auth.OIDCOAuthStart)
		auth.GET("/oauth/oidc/bind/start", func(c *gin.Context) {
			query := c.Request.URL.Query()
			query.Set("intent", "bind_current_user")
			c.Request.URL.RawQuery = query.Encode()
			h.Auth.OIDCOAuthStart(c)
		})
		auth.GET("/oauth/oidc/callback", h.Auth.OIDCOAuthCallback)
		auth.POST("/oauth/oidc/complete-registration",
			rateLimiter.LimitWithOptions("oauth-oidc-complete", 10, time.Minute, middleware.RateLimitOptions{
				FailureMode: middleware.RateLimitFailClose,
			}),
			h.Auth.CompleteOIDCOAuthRegistration,
		)
		auth.POST("/oauth/oidc/bind-login",
			rateLimiter.LimitWithOptions("oauth-oidc-bind-login", 20, time.Minute, middleware.RateLimitOptions{
				FailureMode: middleware.RateLimitFailClose,
			}),
			h.Auth.BindOIDCOAuthLogin,
		)
		auth.POST("/oauth/oidc/create-account",
			rateLimiter.LimitWithOptions("oauth-oidc-create-account", 10, time.Minute, middleware.RateLimitOptions{
				FailureMode: middleware.RateLimitFailClose,
			}),
			h.Auth.CreateOIDCOAuthAccount,
		)
	}

	// 公开设置（无需认证）
	settings := v1.Group("/settings")
	{
		settings.GET("/public", h.Setting.GetPublicSettings)
	}

	// 需要认证的当前用户信息
	authenticated := v1.Group("")
	authenticated.Use(gin.HandlerFunc(jwtAuth))
	authenticated.Use(servermiddleware.BackendModeUserGuard(settingService))
	{
		authenticated.GET("/auth/me", h.Auth.GetCurrentUser)
		// 撤销所有会话（需要认证）
		authenticated.POST("/auth/revoke-all-sessions", h.Auth.RevokeAllSessions)
		authenticated.POST("/auth/oauth/bind-token", h.Auth.PrepareOAuthBindAccessTokenCookie)
	}
}
-												refactor: 调整 server 目录结构

											
										
										
											2025-12-26 10:42:08 +08:00
+								package routes
 								import (
-												  feat: 实现注册优惠码功能

  - 支持创建/编辑/删除优惠码，设置赠送金额和使用限制
  - 注册页面实时验证优惠码并显示赠送金额
  - 支持 URL 参数自动填充 (?promo=CODE)
  - 添加优惠码验证接口速率限制
  - 使用数据库行锁防止并发超限
  - 新增后台优惠码管理页面，支持复制注册链接

											
										
										
											2026-01-10 13:14:35 +08:00
+									"time"
-												refactor: 调整 server 目录结构

											
										
										
											2025-12-26 10:42:08 +08:00
+									"github.com/Wei-Shaw/sub2api/internal/handler"
-												  feat: 实现注册优惠码功能

  - 支持创建/编辑/删除优惠码，设置赠送金额和使用限制
  - 注册页面实时验证优惠码并显示赠送金额
  - 支持 URL 参数自动填充 (?promo=CODE)
  - 添加优惠码验证接口速率限制
  - 使用数据库行锁防止并发超限
  - 新增后台优惠码管理页面，支持复制注册链接

											
										
										
											2026-01-10 13:14:35 +08:00
+									"github.com/Wei-Shaw/sub2api/internal/middleware"
 									servermiddleware "github.com/Wei-Shaw/sub2api/internal/server/middleware"
-												feat: add Backend Mode toggle to disable user self-service

Add a system-wide "Backend Mode" that disables user self-registration
and self-service while keeping admin panel and API gateway fully
functional. When enabled, only admin can log in; all user-facing
routes return 403.

Backend:
- New setting key `backend_mode_enabled` with atomic cached reads (60s TTL)
- BackendModeUserGuard middleware blocks non-admin authenticated routes
- BackendModeAuthGuard middleware blocks registration/password-reset auth routes
- Login/Login2FA/RefreshToken handlers reject non-admin when enabled
- TokenPairWithUser struct for role-aware token refresh
- 20 unit tests (middleware + service layer)

Frontend:
- Router guards redirect unauthenticated users to /login
- Admin toggle in Settings page
- Login page hides register link and footer in backend mode
- 9 unit tests for router guard logic
- i18n support (en/zh)

27 files changed, 833 insertions(+), 17 deletions(-)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-12 02:42:57 +03:00
+									"github.com/Wei-Shaw/sub2api/internal/service"
-												refactor: 调整 server 目录结构

											
										
										
											2025-12-26 10:42:08 +08:00
 									"github.com/gin-gonic/gin"
-												  feat: 实现注册优惠码功能

  - 支持创建/编辑/删除优惠码，设置赠送金额和使用限制
  - 注册页面实时验证优惠码并显示赠送金额
  - 支持 URL 参数自动填充 (?promo=CODE)
  - 添加优惠码验证接口速率限制
  - 使用数据库行锁防止并发超限
  - 新增后台优惠码管理页面，支持复制注册链接

											
										
										
											2026-01-10 13:14:35 +08:00
+									"github.com/redis/go-redis/v9"
-												refactor: 调整 server 目录结构

											
										
										
											2025-12-26 10:42:08 +08:00
+								)
 								// RegisterAuthRoutes 注册认证相关路由
 								func RegisterAuthRoutes(
 									v1 *gin.RouterGroup,
 									h *handler.Handlers,
-												  feat: 实现注册优惠码功能

  - 支持创建/编辑/删除优惠码，设置赠送金额和使用限制
  - 注册页面实时验证优惠码并显示赠送金额
  - 支持 URL 参数自动填充 (?promo=CODE)
  - 添加优惠码验证接口速率限制
  - 使用数据库行锁防止并发超限
  - 新增后台优惠码管理页面，支持复制注册链接

											
										
										
											2026-01-10 13:14:35 +08:00
+									jwtAuth servermiddleware.JWTAuthMiddleware,
 									redisClient *redis.Client,
-												feat: add Backend Mode toggle to disable user self-service

Add a system-wide "Backend Mode" that disables user self-registration
and self-service while keeping admin panel and API gateway fully
functional. When enabled, only admin can log in; all user-facing
routes return 403.

Backend:
- New setting key `backend_mode_enabled` with atomic cached reads (60s TTL)
- BackendModeUserGuard middleware blocks non-admin authenticated routes
- BackendModeAuthGuard middleware blocks registration/password-reset auth routes
- Login/Login2FA/RefreshToken handlers reject non-admin when enabled
- TokenPairWithUser struct for role-aware token refresh
- 20 unit tests (middleware + service layer)

Frontend:
- Router guards redirect unauthenticated users to /login
- Admin toggle in Settings page
- Login page hides register link and footer in backend mode
- 9 unit tests for router guard logic
- i18n support (en/zh)

27 files changed, 833 insertions(+), 17 deletions(-)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-12 02:42:57 +03:00
+									settingService *service.SettingService,
-												refactor: 调整 server 目录结构

											
										
										
											2025-12-26 10:42:08 +08:00
+								) {
-												  feat: 实现注册优惠码功能

  - 支持创建/编辑/删除优惠码，设置赠送金额和使用限制
  - 注册页面实时验证优惠码并显示赠送金额
  - 支持 URL 参数自动填充 (?promo=CODE)
  - 添加优惠码验证接口速率限制
  - 使用数据库行锁防止并发超限
  - 新增后台优惠码管理页面，支持复制注册链接

											
										
										
											2026-01-10 13:14:35 +08:00
+									// 创建速率限制器
 									rateLimiter := middleware.NewRateLimiter(redisClient)
-												refactor: 调整 server 目录结构

											
										
										
											2025-12-26 10:42:08 +08:00
+									// 公开接口
 									auth := v1.Group("/auth")
-												feat: add Backend Mode toggle to disable user self-service

Add a system-wide "Backend Mode" that disables user self-registration
and self-service while keeping admin panel and API gateway fully
functional. When enabled, only admin can log in; all user-facing
routes return 403.

Backend:
- New setting key `backend_mode_enabled` with atomic cached reads (60s TTL)
- BackendModeUserGuard middleware blocks non-admin authenticated routes
- BackendModeAuthGuard middleware blocks registration/password-reset auth routes
- Login/Login2FA/RefreshToken handlers reject non-admin when enabled
- TokenPairWithUser struct for role-aware token refresh
- 20 unit tests (middleware + service layer)

Frontend:
- Router guards redirect unauthenticated users to /login
- Admin toggle in Settings page
- Login page hides register link and footer in backend mode
- 9 unit tests for router guard logic
- i18n support (en/zh)

27 files changed, 833 insertions(+), 17 deletions(-)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-12 02:42:57 +03:00
+									auth.Use(servermiddleware.BackendModeAuthGuard(settingService))
-												refactor: 调整 server 目录结构

											
										
										
											2025-12-26 10:42:08 +08:00
+									{
-												feat(backend): 提交后端审计修复与配套测试改动

											
										
										
											2026-02-14 11:23:10 +08:00
+										// 注册/登录/2FA/验证码发送均属于高风险入口，增加服务端兜底限流（Redis 故障时 fail-close）
 										auth.POST("/register", rateLimiter.LimitWithOptions("auth-register", 5, time.Minute, middleware.RateLimitOptions{
 											FailureMode: middleware.RateLimitFailClose,
 										}), h.Auth.Register)
 										auth.POST("/login", rateLimiter.LimitWithOptions("auth-login", 20, time.Minute, middleware.RateLimitOptions{
 											FailureMode: middleware.RateLimitFailClose,
 										}), h.Auth.Login)
 										auth.POST("/login/2fa", rateLimiter.LimitWithOptions("auth-login-2fa", 20, time.Minute, middleware.RateLimitOptions{
 											FailureMode: middleware.RateLimitFailClose,
 										}), h.Auth.Login2FA)
 										auth.POST("/send-verify-code", rateLimiter.LimitWithOptions("auth-send-verify-code", 5, time.Minute, middleware.RateLimitOptions{
 											FailureMode: middleware.RateLimitFailClose,
 										}), h.Auth.SendVerifyCode)
-												feat(auth): 实现 Refresh Token 机制

- 新增 Access Token + Refresh Token 双令牌认证
- 支持 Token 自动刷新和轮转
- 添加登出和撤销所有会话接口
- 前端实现无感刷新和主动刷新定时器

											
										
										
											2026-02-05 12:38:48 +08:00
+										// Token刷新接口添加速率限制：每分钟最多 30 次（Redis 故障时 fail-close）
 										auth.POST("/refresh", rateLimiter.LimitWithOptions("refresh-token", 30, time.Minute, middleware.RateLimitOptions{
 											FailureMode: middleware.RateLimitFailClose,
 										}), h.Auth.RefreshToken)
 										// 登出接口（公开，允许未认证用户调用以撤销Refresh Token）
 										auth.POST("/logout", h.Auth.Logout)
-												fix(限流): 原子化 Redis 限流并支持故障策略

使用 Lua 脚本原子设置计数与过期，修复 TTL 缺失\n支持 fail-open/fail-close 并对优惠码验证启用 fail-close\n新增单元与集成测试覆盖关键分支\n\n测试：go test ./...

											
										
										
											2026-01-11 22:21:05 +08:00
+										// 优惠码验证接口添加速率限制：每分钟最多 10 次（Redis 故障时 fail-close）
 										auth.POST("/validate-promo-code", rateLimiter.LimitWithOptions("validate-promo", 10, time.Minute, middleware.RateLimitOptions{
 											FailureMode: middleware.RateLimitFailClose,
 										}), h.Auth.ValidatePromoCode)
-												feat: 增加邀请码注册功能

											
										
										
											2026-01-29 16:29:59 +08:00
+										// 邀请码验证接口添加速率限制：每分钟最多 10 次（Redis 故障时 fail-close）
 										auth.POST("/validate-invitation-code", rateLimiter.LimitWithOptions("validate-invitation", 10, time.Minute, middleware.RateLimitOptions{
 											FailureMode: middleware.RateLimitFailClose,
 										}), h.Auth.ValidateInvitationCode)
-												feat(auth): 密码重置邮件队列化与限流优化

- 邮件发送改为异步队列处理，避免并发导致发送失败
- 新增 Email 维度限流（30秒冷却期），防止邮件轰炸
- Token 验证使用常量时间比较，防止时序攻击
- 重构代码消除冗余，提取公共验证逻辑

											
										
										
											2026-01-24 22:33:45 +08:00
+										// 忘记密码接口添加速率限制：每分钟最多 5 次（Redis 故障时 fail-close）
 										auth.POST("/forgot-password", rateLimiter.LimitWithOptions("forgot-password", 5, time.Minute, middleware.RateLimitOptions{
 											FailureMode: middleware.RateLimitFailClose,
 										}), h.Auth.ForgotPassword)
 										// 重置密码接口添加速率限制：每分钟最多 10 次（Redis 故障时 fail-close）
 										auth.POST("/reset-password", rateLimiter.LimitWithOptions("reset-password", 10, time.Minute, middleware.RateLimitOptions{
 											FailureMode: middleware.RateLimitFailClose,
 										}), h.Auth.ResetPassword)
-												feat(auth): 添加 Linux DO Connect OAuth 登录支持

- 新增 Linux DO OAuth 配置项和环境变量支持
- 实现 OAuth 授权流程和回调处理
- 前端添加 Linux DO 登录按钮和回调页面
- 支持通过 Linux DO 账号注册/登录
- 添加相关国际化文本

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

											
										
										
											2026-01-09 12:05:25 +08:00
+										auth.GET("/oauth/linuxdo/start", h.Auth.LinuxDoOAuthStart)
-												fix(profile): stabilize binding compatibility and frontend checks

											
										
										
											2026-04-22 14:57:47 +08:00
+										auth.GET("/oauth/linuxdo/bind/start", func(c *gin.Context) {
 											query := c.Request.URL.Query()
 											query.Set("intent", "bind_current_user")
 											c.Request.URL.RawQuery = query.Encode()
 											h.Auth.LinuxDoOAuthStart(c)
 										})
-												feat(auth): 添加 Linux DO Connect OAuth 登录支持

- 新增 Linux DO OAuth 配置项和环境变量支持
- 实现 OAuth 授权流程和回调处理
- 前端添加 Linux DO 登录按钮和回调页面
- 支持通过 Linux DO 账号注册/登录
- 添加相关国际化文本

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

											
										
										
											2026-01-09 12:05:25 +08:00
+										auth.GET("/oauth/linuxdo/callback", h.Auth.LinuxDoOAuthCallback)
-												feat: rebuild auth identity foundation flow

											
										
										
											2026-04-20 17:39:57 +08:00
+										auth.GET("/oauth/wechat/start", h.Auth.WeChatOAuthStart)
-												fix(profile): stabilize binding compatibility and frontend checks

											
										
										
											2026-04-22 14:57:47 +08:00
+										auth.GET("/oauth/wechat/bind/start", func(c *gin.Context) {
 											query := c.Request.URL.Query()
 											query.Set("intent", "bind_current_user")
 											c.Request.URL.RawQuery = query.Encode()
 											h.Auth.WeChatOAuthStart(c)
 										})
-												feat: rebuild auth identity foundation flow

											
										
										
											2026-04-20 17:39:57 +08:00
+										auth.GET("/oauth/wechat/callback", h.Auth.WeChatOAuthCallback)
-												fix: restore wechat payment oauth and jsapi flow

											
										
										
											2026-04-20 23:34:57 +08:00
+										auth.GET("/oauth/wechat/payment/start", h.Auth.WeChatPaymentOAuthStart)
 										auth.GET("/oauth/wechat/payment/callback", h.Auth.WeChatPaymentOAuthCallback)
-												feat: rebuild auth identity foundation flow

											
										
										
											2026-04-20 17:39:57 +08:00
+										auth.POST("/oauth/pending/exchange",
 											rateLimiter.LimitWithOptions("oauth-pending-exchange", 20, time.Minute, middleware.RateLimitOptions{
 												FailureMode: middleware.RateLimitFailClose,
 											}),
 											h.Auth.ExchangePendingOAuthCompletion,
 										)
-												feat: complete email binding and pending oauth verification flows

											
										
										
											2026-04-21 10:00:06 +08:00
+										auth.POST("/oauth/pending/send-verify-code",
 											rateLimiter.LimitWithOptions("oauth-pending-send-verify-code", 5, time.Minute, middleware.RateLimitOptions{
 												FailureMode: middleware.RateLimitFailClose,
 											}),
 											h.Auth.SendPendingOAuthVerifyCode,
 										)
-												feat: add pending oauth email onboarding flow

											
										
										
											2026-04-20 19:30:09 +08:00
+										auth.POST("/oauth/pending/create-account",
 											rateLimiter.LimitWithOptions("oauth-pending-create-account", 10, time.Minute, middleware.RateLimitOptions{
 												FailureMode: middleware.RateLimitFailClose,
 											}),
 											h.Auth.CreatePendingOAuthAccount,
 										)
 										auth.POST("/oauth/pending/bind-login",
 											rateLimiter.LimitWithOptions("oauth-pending-bind-login", 10, time.Minute, middleware.RateLimitOptions{
 												FailureMode: middleware.RateLimitFailClose,
 											}),
 											h.Auth.BindPendingOAuthLogin,
 										)
-												fix issue #836 linux.do注册无需邀请码

											
										
										
											2026-03-09 00:35:34 +08:00
+										auth.POST("/oauth/linuxdo/complete-registration",
 											rateLimiter.LimitWithOptions("oauth-linuxdo-complete", 10, time.Minute, middleware.RateLimitOptions{
 												FailureMode: middleware.RateLimitFailClose,
 											}),
 											h.Auth.CompleteLinuxDoOAuthRegistration,
 										)
-												feat: add pending oauth email onboarding flow

											
										
										
											2026-04-20 19:30:09 +08:00
+										auth.POST("/oauth/linuxdo/bind-login",
 											rateLimiter.LimitWithOptions("oauth-linuxdo-bind-login", 20, time.Minute, middleware.RateLimitOptions{
 												FailureMode: middleware.RateLimitFailClose,
 											}),
 											h.Auth.BindLinuxDoOAuthLogin,
 										)
 										auth.POST("/oauth/linuxdo/create-account",
 											rateLimiter.LimitWithOptions("oauth-linuxdo-create-account", 10, time.Minute, middleware.RateLimitOptions{
 												FailureMode: middleware.RateLimitFailClose,
 											}),
 											h.Auth.CreateLinuxDoOAuthAccount,
 										)
-												feat: rebuild auth identity foundation flow

											
										
										
											2026-04-20 17:39:57 +08:00
+										auth.POST("/oauth/wechat/complete-registration",
 											rateLimiter.LimitWithOptions("oauth-wechat-complete", 10, time.Minute, middleware.RateLimitOptions{
 												FailureMode: middleware.RateLimitFailClose,
 											}),
 											h.Auth.CompleteWeChatOAuthRegistration,
 										)
-												feat: add pending oauth email onboarding flow

											
										
										
											2026-04-20 19:30:09 +08:00
+										auth.POST("/oauth/wechat/bind-login",
 											rateLimiter.LimitWithOptions("oauth-wechat-bind-login", 20, time.Minute, middleware.RateLimitOptions{
 												FailureMode: middleware.RateLimitFailClose,
 											}),
 											h.Auth.BindWeChatOAuthLogin,
 										)
 										auth.POST("/oauth/wechat/create-account",
 											rateLimiter.LimitWithOptions("oauth-wechat-create-account", 10, time.Minute, middleware.RateLimitOptions{
 												FailureMode: middleware.RateLimitFailClose,
 											}),
 											h.Auth.CreateWeChatOAuthAccount,
 										)
-												feat: support OIDC login.

											
										
										
											2026-03-13 23:38:58 +08:00
+										auth.GET("/oauth/oidc/start", h.Auth.OIDCOAuthStart)
-												fix(profile): stabilize binding compatibility and frontend checks

											
										
										
											2026-04-22 14:57:47 +08:00
+										auth.GET("/oauth/oidc/bind/start", func(c *gin.Context) {
 											query := c.Request.URL.Query()
 											query.Set("intent", "bind_current_user")
 											c.Request.URL.RawQuery = query.Encode()
 											h.Auth.OIDCOAuthStart(c)
 										})
-												feat: support OIDC login.

											
										
										
											2026-03-13 23:38:58 +08:00
+										auth.GET("/oauth/oidc/callback", h.Auth.OIDCOAuthCallback)
 										auth.POST("/oauth/oidc/complete-registration",
 											rateLimiter.LimitWithOptions("oauth-oidc-complete", 10, time.Minute, middleware.RateLimitOptions{
 												FailureMode: middleware.RateLimitFailClose,
 											}),
 											h.Auth.CompleteOIDCOAuthRegistration,
 										)
-												feat: add pending oauth email onboarding flow

											
										
										
											2026-04-20 19:30:09 +08:00
+										auth.POST("/oauth/oidc/bind-login",
 											rateLimiter.LimitWithOptions("oauth-oidc-bind-login", 20, time.Minute, middleware.RateLimitOptions{
 												FailureMode: middleware.RateLimitFailClose,
 											}),
 											h.Auth.BindOIDCOAuthLogin,
 										)
 										auth.POST("/oauth/oidc/create-account",
 											rateLimiter.LimitWithOptions("oauth-oidc-create-account", 10, time.Minute, middleware.RateLimitOptions{
 												FailureMode: middleware.RateLimitFailClose,
 											}),
 											h.Auth.CreateOIDCOAuthAccount,
 										)
-												refactor: 调整 server 目录结构

											
										
										
											2025-12-26 10:42:08 +08:00
+									}
 									// 公开设置（无需认证）
 									settings := v1.Group("/settings")
 									{
 										settings.GET("/public", h.Setting.GetPublicSettings)
 									}
 									// 需要认证的当前用户信息
 									authenticated := v1.Group("")
 									authenticated.Use(gin.HandlerFunc(jwtAuth))
-												feat: add Backend Mode toggle to disable user self-service

Add a system-wide "Backend Mode" that disables user self-registration
and self-service while keeping admin panel and API gateway fully
functional. When enabled, only admin can log in; all user-facing
routes return 403.

Backend:
- New setting key `backend_mode_enabled` with atomic cached reads (60s TTL)
- BackendModeUserGuard middleware blocks non-admin authenticated routes
- BackendModeAuthGuard middleware blocks registration/password-reset auth routes
- Login/Login2FA/RefreshToken handlers reject non-admin when enabled
- TokenPairWithUser struct for role-aware token refresh
- 20 unit tests (middleware + service layer)

Frontend:
- Router guards redirect unauthenticated users to /login
- Admin toggle in Settings page
- Login page hides register link and footer in backend mode
- 9 unit tests for router guard logic
- i18n support (en/zh)

27 files changed, 833 insertions(+), 17 deletions(-)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

											
										
										
											2026-03-12 02:42:57 +03:00
+									authenticated.Use(servermiddleware.BackendModeUserGuard(settingService))
-												refactor: 调整 server 目录结构

											
										
										
											2025-12-26 10:42:08 +08:00
+									{
 										authenticated.GET("/auth/me", h.Auth.GetCurrentUser)
-												feat(auth): 实现 Refresh Token 机制

- 新增 Access Token + Refresh Token 双令牌认证
- 支持 Token 自动刷新和轮转
- 添加登出和撤销所有会话接口
- 前端实现无感刷新和主动刷新定时器

											
										
										
											2026-02-05 12:38:48 +08:00
+										// 撤销所有会话（需要认证）
 										authenticated.POST("/auth/revoke-all-sessions", h.Auth.RevokeAllSessions)
-												fix(review): harden payment, oauth, and migration paths

											
										
										
											2026-04-22 10:26:22 +08:00
+										authenticated.POST("/auth/oauth/bind-token", h.Auth.PrepareOAuthBindAccessTokenCookie)
-												refactor: 调整 server 目录结构

											
										
										
											2025-12-26 10:42:08 +08:00
+									}
 								}