From fcbd534b5765e67bc61bfb12822c150deff80fb3 Mon Sep 17 00:00:00 2001
From: liangzai <2440983361@qq.com>
Date: Sat, 25 Apr 2026 21:00:22 +0800
Subject: [PATCH] f
---
 .../api/api_application_service.go | 58 +++++++++++++++++++
 internal/application/api/errors.go | 2 +
 2 files changed, 60 insertions(+)
diff --git a/internal/application/api/api_application_service.go b/internal/application/api/api_application_service.go
index b9172a1..370bacc 100644
--- a/internal/application/api/api_application_service.go
+++ b/internal/application/api/api_application_service.go
@@ -291,6 +291,44 @@ func (s *ApiApplicationServiceImpl) validateApiCall(ctx context.Context, cmd *co
 s.logger.Error("解析解密参数失败", zap.Error(err))
 return nil, ErrDecryptFail
 }
+
+ // 7.1 子账号主账号 AccessId 校验(仅在请求参数中携带时生效)
+ if parentAccessID, ok := extractParentAccessID(paramsMap); ok {
+ if s.subordinateRepo == nil {
+ s.logger.Error("子账号主账号AccessId校验失败:subordinateRepo未初始化")
+ return nil, ErrSystem
+ }
+
+ link, err := s.subordinateRepo.FindLinkByChildUserID(ctx, apiUser.UserId)
+ if err != nil {
+ s.logger.Error("查询子账号主从关系失败",
+ zap.String("user_id", apiUser.UserId),
+ zap.Error(err))
+ return nil, ErrSystem
+ }
+ if link == nil {
+ s.logger.Warn("子账号主账号AccessId校验失败:未找到主从关系",
+ zap.String("user_id", apiUser.UserId),
+ zap.String("parent_access_id", parentAccessID))
+ return nil, ErrQueryFailed
+ }
+
+ parentApiUser, err := s.apiUserService.LoadApiUserByUserId(ctx, link.ParentUserID)
+ if err != nil {
+ s.logger.Error("加载主账号API用户失败",
+ zap.String("child_user_id", apiUser.UserId),
+ zap.String("parent_user_id", link.ParentUserID),
+ zap.Error(err))
+ return nil, ErrSystem
+ }
+ if parentApiUser == nil || parentApiUser.AccessId != parentAccessID {
+ s.logger.Warn("子账号主账号AccessId校验失败:主账号不匹配",
+ zap.String("child_user_id", apiUser.UserId),
+ zap.String("parent_user_id", link.ParentUserID),
+ zap.String("parent_access_id", parentAccessID))
+ return nil, ErrQueryFailed
+ }
+ }
 result.SetRequestParams(paramsMap)
 // 8. 获取合同信息
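Review bot: The parent-AccessId check in step 7.1 only runs when the decrypted payload carries `master_accessid`, so a sub-account caller that leaves the field out is never compared against its parent link. If this is meant to constrain sub-accounts rather than to be an optional consistency check, the trigger should be server-side state (whether `FindLinkByChildUserID` returns a link for `apiUser.UserId`), and a linked caller without the field should then fail with `ErrQueryFailed`. If opt-in is the intent, I would record that above the block, e.g. `// opt-in consistency check: omitting master_accessid skips it, so this is not an authorization boundary`. Separately, the `s.subordinateRepo == nil` guard fails closed, which is right, but a missing dependency is better rejected when the service is constructed than on every call. validateApiCall starts and ends outside this hunk.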
@@ -307,6 +345,26 @@ func (s *ApiApplicationServiceImpl) validateApiCall(ctx context.Context, cmd *co
 return result, nil
 }
+// extractParentAccessID 从解密参数中提取主账号 AccessId
+// 仅支持键名:master_accessid
+func extractParentAccessID(params map[string]interface{}) (string, bool) {
+ if len(params) == 0 {
+ return "", false
+ }
+
+ value, ok := params["master_accessid"]
+ if !ok {
+ return "", false
+ }
+ if str, ok := value.(string); ok {
+ str = strings.TrimSpace(str)
+ if str != "" {
+ return str, true
+ }
+ }
+ return "", false
+}
+
 // callExternalApi 同步调用外部API
 func (s *ApiApplicationServiceImpl) callExternalApi(ctx context.Context, cmd *commands.ApiCallCommand, validation *dto.ApiCallValidationResult) (string, error) {
 // 创建CallContext
diff --git a/internal/application/api/errors.go b/internal/application/api/errors.go
index 629634e..3e16f96 100644
--- a/internal/application/api/errors.go
+++ b/internal/application/api/errors.go
@@ -5,6 +5,7 @@ import "errors"
 // API调用相关错误类型
 var (
 ErrQueryEmpty = errors.New("查询为空")
+ ErrQueryFailed = errors.New("查询失败")
 ErrSystem = errors.New("接口异常")
 ErrDecryptFail = errors.New("解密失败")
 ErrRequestParam = errors.New("请求参数结构不正确")
@@ -27,6 +28,7 @@ var (
 // 错误码映射 - 严格按照用户要求
 var ErrorCodeMap = map[error]int{
 ErrQueryEmpty: 1000,
+ ErrQueryFailed: 1000,
 ErrSystem: 1001,
 ErrDecryptFail: 1002,
 ErrRequestParam: 1003,
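Review bot: extractParentAccessID returns "not supplied" for three different inputs (key absent, value not a string, empty or whitespace-only string), and the caller in validateApiCall skips the parent check on all of them, so a malformed `master_accessid` fails open instead of being rejected. A value that is present but invalid should produce an error such as the existing `ErrRequestParam`, and only an absent key should skip the check; if an empty string must keep meaning "not supplied" for existing clients, keep that one case but still reject non-string values. That needs a third result, sketched below, with the call site becoming `parentAccessID, ok, err := extractParentAccessID(paramsMap)` followed by an `err != nil` return. The `len(params) == 0` guard can be dropped, since indexing a nil map is safe in Go.

```go
// extractParentAccessID returns the trimmed master_accessid from the decrypted
// params. ok is false only when the key is absent; a present value that is not
// a non-empty string yields ErrRequestParam so the caller can fail closed.
func extractParentAccessID(params map[string]interface{}) (string, bool, error) {
	value, ok := params["master_accessid"]
	if !ok {
		return "", false, nil
	}
	str, isString := value.(string)
	if !isString {
		return "", true, ErrRequestParam
	}
	if str = strings.TrimSpace(str); str == "" {
		return "", true, ErrRequestParam
	}
	return str, true, nil
}
```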
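Review bot: `ErrQueryFailed` is mapped to 1000, the code `ErrQueryEmpty` already uses, so a failed parent-AccessId check looks the same as an empty result to API clients and to any monitoring keyed on the response code. If that opacity is deliberate, a comment on the entry would record it, e.g. `// same code as ErrQueryEmpty on purpose: do not reveal parent-binding failures`; detection of repeated mismatches then depends on the Warn logs written in validateApiCall. It is also worth checking that nothing builds a code-to-error reverse lookup from ErrorCodeMap, because two keys now share one value and map iteration order would decide which one wins. The map literal continues outside this hunk.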