mirror of
https://gitee.com/wanwujie/sub2api
synced 2026-04-03 06:52:13 +08:00
6826149a8f
Add a system-wide "Backend Mode" that disables user self-registration and self-service while keeping admin panel and API gateway fully functional. When enabled, only admin can log in; all user-facing routes return 403. Backend: - New setting key `backend_mode_enabled` with atomic cached reads (60s TTL) - BackendModeUserGuard middleware blocks non-admin authenticated routes - BackendModeAuthGuard middleware blocks registration/password-reset auth routes - Login/Login2FA/RefreshToken handlers reject non-admin when enabled - TokenPairWithUser struct for role-aware token refresh - 20 unit tests (middleware + service layer) Frontend: - Router guards redirect unauthenticated users to /login - Admin toggle in Settings page - Login page hides register link and footer in backend mode - 9 unit tests for router guard logic - i18n support (en/zh) 27 files changed, 833 insertions(+), 17 deletions(-) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
91 lines
4.1 KiB
Go
91 lines
4.1 KiB
Go
package routes
|
||
|
||
import (
|
||
"time"
|
||
|
||
"github.com/Wei-Shaw/sub2api/internal/handler"
|
||
"github.com/Wei-Shaw/sub2api/internal/middleware"
|
||
servermiddleware "github.com/Wei-Shaw/sub2api/internal/server/middleware"
|
||
"github.com/Wei-Shaw/sub2api/internal/service"
|
||
|
||
"github.com/gin-gonic/gin"
|
||
"github.com/redis/go-redis/v9"
|
||
)
|
||
|
||
// RegisterAuthRoutes 注册认证相关路由
|
||
func RegisterAuthRoutes(
|
||
v1 *gin.RouterGroup,
|
||
h *handler.Handlers,
|
||
jwtAuth servermiddleware.JWTAuthMiddleware,
|
||
redisClient *redis.Client,
|
||
settingService *service.SettingService,
|
||
) {
|
||
// 创建速率限制器
|
||
rateLimiter := middleware.NewRateLimiter(redisClient)
|
||
|
||
// 公开接口
|
||
auth := v1.Group("/auth")
|
||
auth.Use(servermiddleware.BackendModeAuthGuard(settingService))
|
||
{
|
||
// 注册/登录/2FA/验证码发送均属于高风险入口,增加服务端兜底限流(Redis 故障时 fail-close)
|
||
auth.POST("/register", rateLimiter.LimitWithOptions("auth-register", 5, time.Minute, middleware.RateLimitOptions{
|
||
FailureMode: middleware.RateLimitFailClose,
|
||
}), h.Auth.Register)
|
||
auth.POST("/login", rateLimiter.LimitWithOptions("auth-login", 20, time.Minute, middleware.RateLimitOptions{
|
||
FailureMode: middleware.RateLimitFailClose,
|
||
}), h.Auth.Login)
|
||
auth.POST("/login/2fa", rateLimiter.LimitWithOptions("auth-login-2fa", 20, time.Minute, middleware.RateLimitOptions{
|
||
FailureMode: middleware.RateLimitFailClose,
|
||
}), h.Auth.Login2FA)
|
||
auth.POST("/send-verify-code", rateLimiter.LimitWithOptions("auth-send-verify-code", 5, time.Minute, middleware.RateLimitOptions{
|
||
FailureMode: middleware.RateLimitFailClose,
|
||
}), h.Auth.SendVerifyCode)
|
||
// Token刷新接口添加速率限制:每分钟最多 30 次(Redis 故障时 fail-close)
|
||
auth.POST("/refresh", rateLimiter.LimitWithOptions("refresh-token", 30, time.Minute, middleware.RateLimitOptions{
|
||
FailureMode: middleware.RateLimitFailClose,
|
||
}), h.Auth.RefreshToken)
|
||
// 登出接口(公开,允许未认证用户调用以撤销Refresh Token)
|
||
auth.POST("/logout", h.Auth.Logout)
|
||
// 优惠码验证接口添加速率限制:每分钟最多 10 次(Redis 故障时 fail-close)
|
||
auth.POST("/validate-promo-code", rateLimiter.LimitWithOptions("validate-promo", 10, time.Minute, middleware.RateLimitOptions{
|
||
FailureMode: middleware.RateLimitFailClose,
|
||
}), h.Auth.ValidatePromoCode)
|
||
// 邀请码验证接口添加速率限制:每分钟最多 10 次(Redis 故障时 fail-close)
|
||
auth.POST("/validate-invitation-code", rateLimiter.LimitWithOptions("validate-invitation", 10, time.Minute, middleware.RateLimitOptions{
|
||
FailureMode: middleware.RateLimitFailClose,
|
||
}), h.Auth.ValidateInvitationCode)
|
||
// 忘记密码接口添加速率限制:每分钟最多 5 次(Redis 故障时 fail-close)
|
||
auth.POST("/forgot-password", rateLimiter.LimitWithOptions("forgot-password", 5, time.Minute, middleware.RateLimitOptions{
|
||
FailureMode: middleware.RateLimitFailClose,
|
||
}), h.Auth.ForgotPassword)
|
||
// 重置密码接口添加速率限制:每分钟最多 10 次(Redis 故障时 fail-close)
|
||
auth.POST("/reset-password", rateLimiter.LimitWithOptions("reset-password", 10, time.Minute, middleware.RateLimitOptions{
|
||
FailureMode: middleware.RateLimitFailClose,
|
||
}), h.Auth.ResetPassword)
|
||
auth.GET("/oauth/linuxdo/start", h.Auth.LinuxDoOAuthStart)
|
||
auth.GET("/oauth/linuxdo/callback", h.Auth.LinuxDoOAuthCallback)
|
||
auth.POST("/oauth/linuxdo/complete-registration",
|
||
rateLimiter.LimitWithOptions("oauth-linuxdo-complete", 10, time.Minute, middleware.RateLimitOptions{
|
||
FailureMode: middleware.RateLimitFailClose,
|
||
}),
|
||
h.Auth.CompleteLinuxDoOAuthRegistration,
|
||
)
|
||
}
|
||
|
||
// 公开设置(无需认证)
|
||
settings := v1.Group("/settings")
|
||
{
|
||
settings.GET("/public", h.Setting.GetPublicSettings)
|
||
}
|
||
|
||
// 需要认证的当前用户信息
|
||
authenticated := v1.Group("")
|
||
authenticated.Use(gin.HandlerFunc(jwtAuth))
|
||
authenticated.Use(servermiddleware.BackendModeUserGuard(settingService))
|
||
{
|
||
authenticated.GET("/auth/me", h.Auth.GetCurrentUser)
|
||
// 撤销所有会话(需要认证)
|
||
authenticated.POST("/auth/revoke-all-sessions", h.Auth.RevokeAllSessions)
|
||
}
|
||
}
|