Initial commit

2026-02-15 11:41:43 +08:00 · 2026-01-28 20:44:34 +08:00
commit 500e8b74a7
236 changed files with 29886 additions and 0 deletions
--- a/internal/api/middleware/auth.go
+++ b/internal/api/middleware/auth.go
@@ -0,0 +1,119 @@
+package middleware
+
+import (
+	"FileRelay/internal/auth"
+	"FileRelay/internal/config"
+	"FileRelay/internal/model"
+	"FileRelay/internal/service"
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+)
+
+func AdminAuth() gin.HandlerFunc {
+	tokenService := service.NewTokenService()
+	return func(c *gin.Context) {
+		authHeader := c.GetHeader("Authorization")
+		if authHeader == "" {
+			c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, "Authorization header required"))
+			c.Abort()
+			return
+		}
+
+		parts := strings.SplitN(authHeader, " ", 2)
+		if !(len(parts) == 2 && parts[0] == "Bearer") {
+			c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, "Invalid authorization format"))
+			c.Abort()
+			return
+		}
+
+		tokenStr := parts[1]
+
+		// 1. 尝试解析为管理员 JWT
+		claims, err := auth.ParseToken(tokenStr)
+		if err == nil {
+			c.Set("admin_id", claims.AdminID)
+			c.Next()
+			return
+		}
+
+		// 2. 尝试解析为 API Token (如果配置允许)
+		if config.GlobalConfig.APIToken.Enabled && config.GlobalConfig.APIToken.AllowAdminAPI {
+			token, err := tokenService.ValidateToken(tokenStr, model.ScopeAdmin)
+			if err == nil {
+				c.Set("token_id", token.ID)
+				c.Set("token_scope", token.Scope)
+				c.Next()
+				return
+			}
+		}
+
+		c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, "Invalid or expired token"))
+		c.Abort()
+	}
+}
+
+func APITokenAuth(requiredScope string, optional bool) gin.HandlerFunc {
+	tokenService := service.NewTokenService()
+	return func(c *gin.Context) {
+		handleAPITokenAuth(c, tokenService, requiredScope, optional)
+	}
+}
+
+func UploadAuth() gin.HandlerFunc {
+	tokenService := service.NewTokenService()
+	return func(c *gin.Context) {
+		// 动态获取配置
+		optional := !config.GlobalConfig.Upload.RequireToken
+		handleAPITokenAuth(c, tokenService, model.ScopeUpload, optional)
+	}
+}
+
+func handleAPITokenAuth(c *gin.Context, tokenService *service.TokenService, requiredScope string, optional bool) {
+	// 如果是可选的，直接跳过校验，满足“未打开对应的开关时不需校验”的需求
+	if optional {
+		c.Next()
+		return
+	}
+
+	authHeader := c.GetHeader("Authorization")
+	if authHeader == "" {
+		c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, "Authorization header required"))
+		c.Abort()
+		return
+	}
+
+	parts := strings.SplitN(authHeader, " ", 2)
+	if !(len(parts) == 2 && parts[0] == "Bearer") {
+		c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, "Invalid authorization format"))
+		c.Abort()
+		return
+	}
+
+	tokenStr := parts[1]
+
+	// 1. 尝试解析为管理员 JWT
+	if claims, err := auth.ParseToken(tokenStr); err == nil {
+		c.Set("admin_id", claims.AdminID)
+		c.Next()
+		return
+	}
+
+	if !config.GlobalConfig.APIToken.Enabled {
+		c.JSON(http.StatusForbidden, model.ErrorResponse(model.CodeForbidden, "API Token is disabled"))
+		c.Abort()
+		return
+	}
+
+	token, err := tokenService.ValidateToken(tokenStr, requiredScope)
+	if err != nil {
+		c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, err.Error()))
+		c.Abort()
+		return
+	}
+
+	c.Set("token_id", token.ID)
+	c.Set("token_scope", token.Scope)
+	c.Next()
+}
--- a/internal/api/middleware/limit.go
+++ b/internal/api/middleware/limit.go
@@ -0,0 +1,56 @@
+package middleware
+
+import (
+	"FileRelay/internal/config"
+	"FileRelay/internal/model"
+	"log/slog"
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/gin-gonic/gin"
+)
+
+var (
+	pickupFailures = make(map[string]int)
+	failureMutex   sync.Mutex
+)
+
+func PickupRateLimit() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		key := c.ClientIP()
+
+		failureMutex.Lock()
+		count, exists := pickupFailures[key]
+		failureMutex.Unlock()
+
+		if exists && count >= config.GlobalConfig.Security.PickupFailLimit {
+			slog.Warn("Pickup rate limit exceeded", "ip", key, "count", count)
+			c.JSON(http.StatusTooManyRequests, model.ErrorResponse(model.CodeTooManyRequests, "Too many failed attempts. Please try again later."))
+			c.Abort()
+			return
+		}
+
+		c.Next()
+	}
+}
+
+func RecordPickupFailure(ip string) {
+	key := ip
+	failureMutex.Lock()
+	pickupFailures[key]++
+
+	// 仅在第一次失败时启动清除记录的计时器
+	if pickupFailures[key] == 1 {
+		go func() {
+			// 设置 1 分钟后清除记录 (简单实现)
+			time.Sleep(1 * time.Hour)
+			failureMutex.Lock()
+			delete(pickupFailures, key)
+			slog.Info("Pickup failure record cleared", "ip", key)
+			failureMutex.Unlock()
+		}()
+	}
+
+	failureMutex.Unlock()
+}