f

2026-04-25 11:59:10 +08:00
parent e246271a24
commit ba463ae38d
33 changed files with 1600 additions and 112 deletions
--- a/internal/shared/middleware/auth.go
+++ b/internal/shared/middleware/auth.go
@@ -81,6 +81,11 @@ func (m *JWTAuthMiddleware) Handle() gin.HandlerFunc {
 		c.Set("email", claims.Email)
 		c.Set("phone", claims.Phone)
 		c.Set("user_type", claims.UserType)
+		if claims.AccountKind != "" {
+			c.Set("account_kind", claims.AccountKind)
+		} else {
+			c.Set("account_kind", "standalone")
+		}
 		c.Set("token_claims", claims)

 		c.Next()
@@ -99,6 +104,8 @@ type JWTClaims struct {
 	Email    string `json:"email"`
 	Phone    string `json:"phone"`
 	UserType string `json:"user_type"` // 新增：用户类型
+	// AccountKind 控制台壳类型：standalone / subordinate（与主从关系表一致时下属为 subordinate）
+	AccountKind string `json:"account_kind"`
 	jwt.RegisteredClaims
 }

@@ -137,15 +144,19 @@ func (m *JWTAuthMiddleware) respondUnauthorized(c *gin.Context, message string)
 }

 // GenerateToken 生成JWT token
-func (m *JWTAuthMiddleware) GenerateToken(userID, phone, email, userType string) (string, error) {
+func (m *JWTAuthMiddleware) GenerateToken(userID, phone, email, userType, accountKind string) (string, error) {
 	now := time.Now()
+	if accountKind == "" {
+		accountKind = "standalone"
+	}

 	claims := &JWTClaims{
 		UserID:   userID,
 		Username: phone, // 普通用户用手机号，管理员用用户名
 		Email:    email,
 		Phone:    phone,
-		UserType: userType, // 新增：用户类型
+		UserType: userType,            // 新增：用户类型
+		AccountKind: accountKind,      // 下属 / 普通
 		RegisteredClaims: jwt.RegisteredClaims{
 			Issuer:    "tyapi-server",
 			Subject:   userID,
@@ -262,6 +273,11 @@ func (m *OptionalAuthMiddleware) Handle() gin.HandlerFunc {
 		c.Set("email", claims.Email)
 		c.Set("phone", claims.Phone)
 		c.Set("user_type", claims.UserType)
+		if claims.AccountKind != "" {
+			c.Set("account_kind", claims.AccountKind)
+		} else {
+			c.Set("account_kind", "standalone")
+		}
 		c.Set("token_claims", claims)

 		c.Next()
@@ -343,6 +359,11 @@ func (m *AdminAuthMiddleware) Handle() gin.HandlerFunc {
 		c.Set("email", claims.Email)
 		c.Set("phone", claims.Phone)
 		c.Set("user_type", claims.UserType)
+		if claims.AccountKind != "" {
+			c.Set("account_kind", claims.AccountKind)
+		} else {
+			c.Set("account_kind", "standalone")
+		}
 		c.Set("token_claims", claims)

 		c.Next()
--- a/internal/shared/middleware/daily_rate_limit.go
+++ b/internal/shared/middleware/daily_rate_limit.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"math"
+	"net/url"
 	"strconv"
 	"strings"
 	"time"
@@ -403,9 +404,24 @@ func (m *DailyRateLimitMiddleware) checkReferer(c *gin.Context) error {

 	// 检查允许的Referer
 	if len(m.limitConfig.AllowedReferers) > 0 {
+		parsedReferer, err := url.Parse(referer)
+		if err != nil || parsedReferer.Scheme == "" || parsedReferer.Host == "" {
+			return fmt.Errorf("Referer格式无效")
+		}
+		refererOrigin := parsedReferer.Scheme + "://" + parsedReferer.Host
+
 		allowed := false
 		for _, allowedRef := range m.limitConfig.AllowedReferers {
-			if strings.Contains(referer, allowedRef) {
+			allowedRef = strings.TrimSpace(allowedRef)
+			if allowedRef == "" {
+				continue
+			}
+			parsedAllowed, parseErr := url.Parse(allowedRef)
+			if parseErr != nil || parsedAllowed.Scheme == "" || parsedAllowed.Host == "" {
+				continue
+			}
+			allowedOrigin := parsedAllowed.Scheme + "://" + parsedAllowed.Host
+			if refererOrigin == allowedOrigin {
 				allowed = true
 				break
 			}