项目初始化

2026-01-13 17:00:49 +08:00
commit d2352318f4
27 changed files with 4343 additions and 0 deletions
--- a/internal/api/admin/auth.go
+++ b/internal/api/admin/auth.go
@@ -0,0 +1,70 @@
+package admin
+
+import (
+	"FileRelay/internal/auth"
+	"FileRelay/internal/bootstrap"
+	"FileRelay/internal/model"
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"golang.org/x/crypto/bcrypt"
+)
+
+type AuthHandler struct{}
+
+func NewAuthHandler() *AuthHandler {
+	return &AuthHandler{}
+}
+
+type LoginRequest struct {
+	Password string `json:"password" binding:"required" example:"admin"`
+}
+
+type LoginResponse struct {
+	Token string `json:"token"`
+}
+
+// Login 管理员登录
+// @Summary      管理员登录
+// @Description  通过密码换取 JWT Token
+// @Tags         Admin
+// @Accept       json
+// @Produce      json
+// @Param        request body LoginRequest true "登录请求"
+// @Success      200  {object}  model.Response{data=LoginResponse}
+// @Failure      401  {object}  model.Response
+// @Router       /admin/login [post]
+func (h *AuthHandler) Login(c *gin.Context) {
+	var req LoginRequest
+
+	if err := c.ShouldBindJSON(&req); err != nil {
+		c.JSON(http.StatusBadRequest, model.ErrorResponse(model.CodeBadRequest, "Invalid request"))
+		return
+	}
+
+	var admin model.Admin
+	if err := bootstrap.DB.First(&admin).Error; err != nil {
+		c.JSON(http.StatusInternalServerError, model.ErrorResponse(model.CodeInternalError, "Admin not found"))
+		return
+	}
+
+	if err := bcrypt.CompareHashAndPassword([]byte(admin.PasswordHash), []byte(req.Password)); err != nil {
+		c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, "Incorrect password"))
+		return
+	}
+
+	token, err := auth.GenerateToken(admin.ID)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, model.ErrorResponse(model.CodeInternalError, "Failed to generate token"))
+		return
+	}
+
+	// 更新登录时间
+	now := time.Now()
+	bootstrap.DB.Model(&admin).Update("last_login", &now)
+
+	c.JSON(http.StatusOK, model.SuccessResponse(LoginResponse{
+		Token: token,
+	}))
+}
--- a/internal/api/admin/batch.go
+++ b/internal/api/admin/batch.go
@@ -0,0 +1,173 @@
+package admin
+
+import (
+	"FileRelay/internal/bootstrap"
+	"FileRelay/internal/model"
+	"FileRelay/internal/service"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/gin-gonic/gin"
+)
+
+type BatchHandler struct {
+	batchService *service.BatchService
+}
+
+func NewBatchHandler() *BatchHandler {
+	return &BatchHandler{
+		batchService: service.NewBatchService(),
+	}
+}
+
+type ListBatchesResponse struct {
+	Total    int64             `json:"total"`
+	Page     int               `json:"page"`
+	PageSize int               `json:"page_size"`
+	Data     []model.FileBatch `json:"data"`
+}
+
+type UpdateBatchRequest struct {
+	Remark       string     `json:"remark"`
+	ExpireType   string     `json:"expire_type"`
+	ExpireAt     *time.Time `json:"expire_at"`
+	MaxDownloads int        `json:"max_downloads"`
+	Status       string     `json:"status"`
+}
+
+// ListBatches 获取批次列表
+// @Summary      获取批次列表
+// @Description  分页查询所有文件批次，支持按状态过滤和取件码模糊搜索
+// @Tags         Admin
+// @Security     AdminAuth
+// @Param        page         query     int     false  "页码 (默认 1)"
+// @Param        page_size    query     int     false  "每页数量 (默认 20)"
+// @Param        status       query     string  false  "状态 (active/expired/deleted)"
+// @Param        pickup_code  query     string  false  "取件码 (模糊搜索)"
+// @Produce      json
+// @Success      200  {object}  model.Response{data=ListBatchesResponse}
+// @Failure      401  {object}  model.Response
+// @Router       /admin/batches [get]
+func (h *BatchHandler) ListBatches(c *gin.Context) {
+	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
+	pageSize, _ := strconv.Atoi(c.DefaultQuery("page_size", "20"))
+
+	if page < 1 {
+		page = 1
+	}
+	if pageSize < 1 {
+		pageSize = 20
+	}
+	status := c.Query("status")
+	pickupCode := c.Query("pickup_code")
+
+	query := bootstrap.DB.Model(&model.FileBatch{})
+	if status != "" {
+		query = query.Where("status = ?", status)
+	}
+	if pickupCode != "" {
+		query = query.Where("pickup_code LIKE ?", "%"+pickupCode+"%")
+	}
+
+	var total int64
+	query.Count(&total)
+
+	var batches []model.FileBatch
+	err := query.Offset((page - 1) * pageSize).Limit(pageSize).Order("created_at DESC").Find(&batches).Error
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, model.ErrorResponse(model.CodeInternalError, err.Error()))
+		return
+	}
+
+	c.JSON(http.StatusOK, model.SuccessResponse(ListBatchesResponse{
+		Total:    total,
+		Page:     page,
+		PageSize: pageSize,
+		Data:     batches,
+	}))
+}
+
+// GetBatch 获取批次详情
+// @Summary      获取批次详情
+// @Description  根据批次 ID 获取批次信息及关联的文件列表
+// @Tags         Admin
+// @Security     AdminAuth
+// @Param        batch_id  path  int  true  "批次 ID"
+// @Produce      json
+// @Success      200  {object}  model.Response{data=model.FileBatch}
+// @Failure      404  {object}  model.Response
+// @Router       /admin/batch/{batch_id} [get]
+func (h *BatchHandler) GetBatch(c *gin.Context) {
+	id := c.Param("batch_id")
+	var batch model.FileBatch
+	if err := bootstrap.DB.Preload("FileItems").First(&batch, id).Error; err != nil {
+		c.JSON(http.StatusNotFound, model.ErrorResponse(model.CodeNotFound, "batch not found"))
+		return
+	}
+	c.JSON(http.StatusOK, model.SuccessResponse(batch))
+}
+
+// UpdateBatch 修改批次信息
+// @Summary      修改批次信息
+// @Description  允许修改备注、过期策略、最大下载次数、状态等
+// @Tags         Admin
+// @Security     AdminAuth
+// @Accept       json
+// @Produce      json
+// @Param        batch_id  path  int  true  "批次 ID"
+// @Param        request body UpdateBatchRequest true "修改内容"
+// @Success      200  {object}  model.Response{data=model.FileBatch}
+// @Failure      400  {object}  model.Response
+// @Router       /admin/batch/{batch_id} [put]
+func (h *BatchHandler) UpdateBatch(c *gin.Context) {
+	id := c.Param("batch_id")
+	var batch model.FileBatch
+	if err := bootstrap.DB.First(&batch, id).Error; err != nil {
+		c.JSON(http.StatusNotFound, model.ErrorResponse(model.CodeNotFound, "batch not found"))
+		return
+	}
+
+	var input UpdateBatchRequest
+
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.JSON(http.StatusBadRequest, model.ErrorResponse(model.CodeBadRequest, err.Error()))
+		return
+	}
+
+	updates := make(map[string]interface{})
+	updates["remark"] = input.Remark
+	updates["expire_type"] = input.ExpireType
+	updates["expire_at"] = input.ExpireAt
+	updates["max_downloads"] = input.MaxDownloads
+	updates["status"] = input.Status
+
+	if err := bootstrap.DB.Model(&batch).Updates(updates).Error; err != nil {
+		c.JSON(http.StatusInternalServerError, model.ErrorResponse(model.CodeInternalError, err.Error()))
+		return
+	}
+
+	c.JSON(http.StatusOK, model.SuccessResponse(batch))
+}
+
+// DeleteBatch 删除批次
+// @Summary      删除批次
+// @Description  标记批次为已删除，并物理删除关联的存储文件
+// @Tags         Admin
+// @Security     AdminAuth
+// @Param        batch_id  path  int  true  "批次 ID"
+// @Produce      json
+// @Success      200  {object}  model.Response
+// @Failure      500  {object}  model.Response
+// @Router       /admin/batch/{batch_id} [delete]
+func (h *BatchHandler) DeleteBatch(c *gin.Context) {
+	idStr := c.Param("batch_id")
+	id, _ := strconv.ParseUint(idStr, 10, 32)
+
+	if err := h.batchService.DeleteBatch(c.Request.Context(), uint(id)); err != nil {
+		c.JSON(http.StatusInternalServerError, model.ErrorResponse(model.CodeInternalError, err.Error()))
+		return
+	}
+
+	c.JSON(http.StatusOK, model.SuccessResponse(map[string]interface{}{}))
+}
--- a/internal/api/admin/token.go
+++ b/internal/api/admin/token.go
@@ -0,0 +1,109 @@
+package admin
+
+import (
+	"FileRelay/internal/bootstrap"
+	"FileRelay/internal/model"
+	"FileRelay/internal/service"
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+)
+
+type TokenHandler struct {
+	tokenService *service.TokenService
+}
+
+func NewTokenHandler() *TokenHandler {
+	return &TokenHandler{
+		tokenService: service.NewTokenService(),
+	}
+}
+
+type CreateTokenRequest struct {
+	Name     string     `json:"name" binding:"required" example:"Test Token"`
+	Scope    string     `json:"scope" example:"upload,pickup"`
+	ExpireAt *time.Time `json:"expire_at"`
+}
+
+type CreateTokenResponse struct {
+	Token string          `json:"token"`
+	Data  *model.APIToken `json:"data"`
+}
+
+// ListTokens 获取 API Token 列表
+// @Summary      获取 API Token 列表
+// @Description  获取系统中所有 API Token 的详详信息（不包含哈希）
+// @Tags         Admin
+// @Security     AdminAuth
+// @Produce      json
+// @Success      200  {object}  model.Response{data=[]model.APIToken}
+// @Failure      401  {object}  model.Response
+// @Router       /admin/api-tokens [get]
+func (h *TokenHandler) ListTokens(c *gin.Context) {
+	var tokens []model.APIToken
+	if err := bootstrap.DB.Find(&tokens).Error; err != nil {
+		c.JSON(http.StatusInternalServerError, model.ErrorResponse(model.CodeInternalError, err.Error()))
+		return
+	}
+	c.JSON(http.StatusOK, model.SuccessResponse(tokens))
+}
+
+// CreateToken 创建 API Token
+// @Summary      创建 API Token
+// @Description  创建一个新的 API Token，返回原始 Token（仅显示一次）
+// @Tags         Admin
+// @Security     AdminAuth
+// @Accept       json
+// @Produce      json
+// @Param        request body CreateTokenRequest true "Token 信息"
+// @Success      201  {object}  model.Response{data=CreateTokenResponse}
+// @Failure      400  {object}  model.Response
+// @Router       /admin/api-tokens [post]
+func (h *TokenHandler) CreateToken(c *gin.Context) {
+	var input CreateTokenRequest
+
+	if err := c.ShouldBindJSON(&input); err != nil {
+		c.JSON(http.StatusBadRequest, model.ErrorResponse(model.CodeBadRequest, err.Error()))
+		return
+	}
+
+	rawToken, token, err := h.tokenService.CreateToken(input.Name, input.Scope, input.ExpireAt)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, model.ErrorResponse(model.CodeInternalError, err.Error()))
+		return
+	}
+
+	c.JSON(http.StatusCreated, model.SuccessResponse(CreateTokenResponse{
+		Token: rawToken,
+		Data:  token,
+	}))
+}
+
+func (h *TokenHandler) RevokeToken(c *gin.Context) {
+	id := c.Param("id")
+	if err := bootstrap.DB.Model(&model.APIToken{}).Where("id = ?", id).Update("revoked", true).Error; err != nil {
+		c.JSON(http.StatusInternalServerError, model.ErrorResponse(model.CodeInternalError, err.Error()))
+		return
+	}
+	c.JSON(http.StatusOK, model.SuccessResponse(map[string]interface{}{}))
+}
+
+// DeleteToken 删除 API Token
+// @Summary      删除 API Token
+// @Description  根据 ID 永久删除 API Token
+// @Tags         Admin
+// @Security     AdminAuth
+// @Param        id   path      int     true  "Token ID"
+// @Produce      json
+// @Success      200  {object}  model.Response
+// @Failure      500  {object}  model.Response
+// @Router       /admin/api-tokens/{id} [delete]
+func (h *TokenHandler) DeleteToken(c *gin.Context) {
+	id := c.Param("id")
+	if err := bootstrap.DB.Delete(&model.APIToken{}, id).Error; err != nil {
+		c.JSON(http.StatusInternalServerError, model.ErrorResponse(model.CodeInternalError, err.Error()))
+		return
+	}
+	c.JSON(http.StatusOK, model.SuccessResponse(map[string]interface{}{}))
+}
--- a/internal/api/middleware/auth.go
+++ b/internal/api/middleware/auth.go
@@ -0,0 +1,76 @@
+package middleware
+
+import (
+	"FileRelay/internal/auth"
+	"FileRelay/internal/config"
+	"FileRelay/internal/model"
+	"FileRelay/internal/service"
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+)
+
+func AdminAuth() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		authHeader := c.GetHeader("Authorization")
+		if authHeader == "" {
+			c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, "Authorization header required"))
+			c.Abort()
+			return
+		}
+
+		parts := strings.SplitN(authHeader, " ", 2)
+		if !(len(parts) == 2 && parts[0] == "Bearer") {
+			c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, "Invalid authorization format"))
+			c.Abort()
+			return
+		}
+
+		claims, err := auth.ParseToken(parts[1])
+		if err != nil {
+			c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, "Invalid or expired token"))
+			c.Abort()
+			return
+		}
+
+		c.Set("admin_id", claims.AdminID)
+		c.Next()
+	}
+}
+
+func APITokenAuth(requiredScope string) gin.HandlerFunc {
+	tokenService := service.NewTokenService()
+	return func(c *gin.Context) {
+		if !config.GlobalConfig.APIToken.Enabled {
+			c.JSON(http.StatusForbidden, model.ErrorResponse(model.CodeForbidden, "API Token is disabled"))
+			c.Abort()
+			return
+		}
+
+		authHeader := c.GetHeader("Authorization")
+		if authHeader == "" {
+			c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, "Authorization header required"))
+			c.Abort()
+			return
+		}
+
+		parts := strings.SplitN(authHeader, " ", 2)
+		if !(len(parts) == 2 && parts[0] == "Bearer") {
+			c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, "Invalid authorization format"))
+			c.Abort()
+			return
+		}
+
+		token, err := tokenService.ValidateToken(parts[1], requiredScope)
+		if err != nil {
+			c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, err.Error()))
+			c.Abort()
+			return
+		}
+
+		c.Set("token_id", token.ID)
+		c.Set("token_scope", token.Scope)
+		c.Next()
+	}
+}
--- a/internal/api/middleware/limit.go
+++ b/internal/api/middleware/limit.go
@@ -0,0 +1,52 @@
+package middleware
+
+import (
+	"FileRelay/internal/config"
+	"FileRelay/internal/model"
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/gin-gonic/gin"
+)
+
+var (
+	pickupFailures = make(map[string]int)
+	failureMutex   sync.Mutex
+)
+
+func PickupRateLimit() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		ip := c.ClientIP()
+		code := c.Param("pickup_code")
+		key := ip + ":" + code
+
+		failureMutex.Lock()
+		count, exists := pickupFailures[key]
+		failureMutex.Unlock()
+
+		if exists && count >= config.GlobalConfig.Security.PickupFailLimit {
+			c.JSON(http.StatusTooManyRequests, model.ErrorResponse(http.StatusTooManyRequests, "Too many failed attempts. Please try again later."))
+			c.Abort()
+			return
+		}
+
+		c.Next()
+	}
+}
+
+func RecordPickupFailure(ip, code string) {
+	key := ip + ":" + code
+	failureMutex.Lock()
+	pickupFailures[key]++
+
+	// 设置 1 小时后清除记录 (简单实现)
+	go func() {
+		time.Sleep(1 * time.Hour)
+		failureMutex.Lock()
+		delete(pickupFailures, key)
+		failureMutex.Unlock()
+	}()
+
+	failureMutex.Unlock()
+}
--- a/internal/api/public/pickup.go
+++ b/internal/api/public/pickup.go
@@ -0,0 +1,162 @@
+package public
+
+import (
+	"FileRelay/internal/api/middleware"
+	"FileRelay/internal/bootstrap"
+	"FileRelay/internal/model"
+	"FileRelay/internal/service"
+	"FileRelay/internal/storage"
+	"archive/zip"
+	"fmt"
+	"io"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/gin-gonic/gin"
+)
+
+type PickupResponse struct {
+	Remark        string           `json:"remark"`
+	ExpireAt      *time.Time       `json:"expire_at"`
+	ExpireType    string           `json:"expire_type"`
+	DownloadCount int              `json:"download_count"`
+	MaxDownloads  int              `json:"max_downloads"`
+	Files         []model.FileItem `json:"files"`
+}
+
+// DownloadBatch 批量下载文件 (ZIP)
+// @Summary      批量下载文件
+// @Description  根据取件码将批次内的所有文件打包为 ZIP 格式一次性下载
+// @Tags         Public
+// @Param        pickup_code  path  string  true  "取件码"
+// @Produce      application/zip
+// @Success      200  {file}    file
+// @Failure      404  {object}  model.Response
+// @Router       /api/download/batch/{pickup_code} [get]
+func (h *PickupHandler) DownloadBatch(c *gin.Context) {
+	code := c.Param("pickup_code")
+	batch, err := h.batchService.GetBatchByPickupCode(code)
+	if err != nil {
+		c.JSON(http.StatusNotFound, model.ErrorResponse(model.CodeNotFound, "batch not found or expired"))
+		return
+	}
+
+	c.Header("Content-Disposition", fmt.Sprintf("attachment; filename=\"batch_%s.zip\"", code))
+	c.Header("Content-Type", "application/zip")
+
+	zw := zip.NewWriter(c.Writer)
+	defer zw.Close()
+
+	for _, item := range batch.FileItems {
+		reader, err := storage.GlobalStorage.Open(c.Request.Context(), item.StoragePath)
+		if err != nil {
+			continue // Skip failed files
+		}
+
+		f, err := zw.Create(item.OriginalName)
+		if err != nil {
+			reader.Close()
+			continue
+		}
+
+		_, _ = io.Copy(f, reader)
+		reader.Close()
+	}
+
+	// 增加下载次数
+	h.batchService.IncrementDownloadCount(batch.ID)
+}
+
+type PickupHandler struct {
+	batchService *service.BatchService
+}
+
+func NewPickupHandler() *PickupHandler {
+	return &PickupHandler{
+		batchService: service.NewBatchService(),
+	}
+}
+
+// Pickup 获取批次信息
+// @Summary      获取批次信息
+// @Description  根据取件码获取文件批次详详情和文件列表
+// @Tags         Public
+// @Produce      json
+// @Param        pickup_code  path  string  true  "取件码"
+// @Success      200  {object}  model.Response{data=PickupResponse}
+// @Failure      404  {object}  model.Response
+// @Router       /api/pickup/{pickup_code} [get]
+func (h *PickupHandler) Pickup(c *gin.Context) {
+	code := c.Param("pickup_code")
+	if code == "" {
+		c.JSON(http.StatusBadRequest, model.ErrorResponse(model.CodeBadRequest, "pickup code required"))
+		return
+	}
+
+	batch, err := h.batchService.GetBatchByPickupCode(code)
+	if err != nil {
+		middleware.RecordPickupFailure(c.ClientIP(), code)
+		c.JSON(http.StatusNotFound, model.ErrorResponse(model.CodeNotFound, "batch not found or expired"))
+		return
+	}
+
+	c.JSON(http.StatusOK, model.SuccessResponse(PickupResponse{
+		Remark:        batch.Remark,
+		ExpireAt:      batch.ExpireAt,
+		ExpireType:    batch.ExpireType,
+		DownloadCount: batch.DownloadCount,
+		MaxDownloads:  batch.MaxDownloads,
+		Files:         batch.FileItems,
+	}))
+}
+
+// DownloadFile 下载单个文件
+// @Summary      下载单个文件
+// @Description  根据文件 ID 下载单个文件
+// @Tags         Public
+// @Param        file_id  path  int  true  "文件 ID"
+// @Produce      application/octet-stream
+// @Success      200  {file}    file
+// @Failure      404  {object}  model.Response
+// @Failure      410  {object}  model.Response
+// @Router       /api/download/file/{file_id} [get]
+func (h *PickupHandler) DownloadFile(c *gin.Context) {
+	fileIDStr := c.Param("file_id")
+	fileID, _ := strconv.ParseUint(fileIDStr, 10, 32)
+
+	var item model.FileItem
+	if err := bootstrap.DB.First(&item, fileID).Error; err != nil {
+		c.JSON(http.StatusNotFound, model.ErrorResponse(model.CodeNotFound, "file not found"))
+		return
+	}
+
+	var batch model.FileBatch
+	if err := bootstrap.DB.First(&batch, item.BatchID).Error; err != nil {
+		c.JSON(http.StatusNotFound, model.ErrorResponse(model.CodeNotFound, "batch not found"))
+		return
+	}
+
+	if h.batchService.IsExpired(&batch) {
+		h.batchService.MarkAsExpired(&batch)
+		c.JSON(http.StatusGone, model.ErrorResponse(model.CodeGone, "batch expired"))
+		return
+	}
+
+	// 打开文件
+	reader, err := storage.GlobalStorage.Open(c.Request.Context(), item.StoragePath)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, model.ErrorResponse(model.CodeInternalError, "failed to open file"))
+		return
+	}
+	defer reader.Close()
+
+	// 增加下载次数
+	h.batchService.IncrementDownloadCount(batch.ID)
+
+	c.Header("Content-Disposition", fmt.Sprintf("attachment; filename=\"%s\"", item.OriginalName))
+	c.Header("Content-Type", item.MimeType)
+	c.Header("Content-Length", strconv.FormatInt(item.Size, 10))
+
+	io.Copy(c.Writer, reader)
+}
--- a/internal/api/public/upload.go
+++ b/internal/api/public/upload.go
@@ -0,0 +1,96 @@
+package public
+
+import (
+	"FileRelay/internal/config"
+	"FileRelay/internal/model"
+	"FileRelay/internal/service"
+	"net/http"
+	"strconv"
+	"time"
+
+	"github.com/gin-gonic/gin"
+)
+
+type UploadHandler struct {
+	uploadService *service.UploadService
+}
+
+func NewUploadHandler() *UploadHandler {
+	return &UploadHandler{
+		uploadService: service.NewUploadService(),
+	}
+}
+
+type UploadResponse struct {
+	PickupCode string     `json:"pickup_code"`
+	ExpireAt   *time.Time `json:"expire_at"`
+	BatchID    uint       `json:"batch_id"`
+}
+
+// Upload 上传文件并生成取件码
+// @Summary      上传文件
+// @Description  上传一个或多个文件并创建一个提取批次
+// @Tags         Public
+// @Accept       multipart/form-data
+// @Produce      json
+// @Param        files       formData  file    true   "文件列表"
+// @Param        remark      formData  string  false  "备注"
+// @Param        expire_type formData  string  false  "过期类型 (time/download/permanent)"
+// @Param        expire_days formData  int     false  "过期天数 (针对 time 类型)"
+// @Param        max_downloads formData int    false  "最大下载次数 (针对 download 类型)"
+// @Success      200  {object}  model.Response{data=UploadResponse}
+// @Failure      400  {object}  model.Response
+// @Failure      500  {object}  model.Response
+// @Router       /api/upload [post]
+func (h *UploadHandler) Upload(c *gin.Context) {
+	form, err := c.MultipartForm()
+	if err != nil {
+		c.JSON(http.StatusBadRequest, model.ErrorResponse(model.CodeBadRequest, "invalid form"))
+		return
+	}
+
+	files := form.File["files"]
+	if len(files) == 0 {
+		c.JSON(http.StatusBadRequest, model.ErrorResponse(model.CodeBadRequest, "no files uploaded"))
+		return
+	}
+
+	if len(files) > config.GlobalConfig.Upload.MaxBatchFiles {
+		c.JSON(http.StatusBadRequest, model.ErrorResponse(model.CodeBadRequest, "too many files"))
+		return
+	}
+
+	remark := c.PostForm("remark")
+	expireType := c.PostForm("expire_type") // time / download / permanent
+	if expireType == "" {
+		expireType = "time"
+	}
+
+	var expireValue interface{}
+	switch expireType {
+	case "time":
+		days, _ := strconv.Atoi(c.PostForm("expire_days"))
+		if days <= 0 {
+			days = config.GlobalConfig.Upload.MaxRetentionDays
+		}
+		expireValue = days
+	case "download":
+		max, _ := strconv.Atoi(c.PostForm("max_downloads"))
+		if max <= 0 {
+			max = 1
+		}
+		expireValue = max
+	}
+
+	batch, err := h.uploadService.CreateBatch(c.Request.Context(), files, remark, expireType, expireValue)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, model.ErrorResponse(model.CodeInternalError, err.Error()))
+		return
+	}
+
+	c.JSON(http.StatusOK, model.SuccessResponse(UploadResponse{
+		PickupCode: batch.PickupCode,
+		ExpireAt:   batch.ExpireAt,
+		BatchID:    batch.ID,
+	}))
+}