internal/api/middleware/auth.go

package middleware

import (
	"context"
	"fmt"
	"net/http"
	"strings"
	"time"

	"github.com/gin-gonic/gin"
	"golang.org/x/sync/singleflight"

	"github.com/user-management-system/internal/auth"
	"github.com/user-management-system/internal/cache"
	"github.com/user-management-system/internal/domain"
	apierrors "github.com/user-management-system/internal/pkg/errors"
	"github.com/user-management-system/internal/repository"
)

type AuthMiddleware struct {
	jwt                *auth.JWT
	userRepo           *repository.UserRepository
	userRoleRepo       *repository.UserRoleRepository
	roleRepo           *repository.RoleRepository
	rolePermissionRepo *repository.RolePermissionRepository
	permissionRepo     *repository.PermissionRepository
	l1Cache            *cache.L1Cache
	cacheManager       *cache.CacheManager
	sfGroup            singleflight.Group
}

func NewAuthMiddleware(
	jwt *auth.JWT,
	userRepo *repository.UserRepository,
	userRoleRepo *repository.UserRoleRepository,
	roleRepo *repository.RoleRepository,
	rolePermissionRepo *repository.RolePermissionRepository,
	permissionRepo *repository.PermissionRepository,
	l1Cache *cache.L1Cache,
) *AuthMiddleware {
	return &AuthMiddleware{
		jwt:                jwt,
		userRepo:           userRepo,
		userRoleRepo:       userRoleRepo,
		roleRepo:           roleRepo,
		rolePermissionRepo: rolePermissionRepo,
		permissionRepo:     permissionRepo,
		l1Cache:            l1Cache,
	}
}

func (m *AuthMiddleware) SetCacheManager(cm *cache.CacheManager) {
	m.cacheManager = cm
}

func (m *AuthMiddleware) Required() gin.HandlerFunc {
	return func(c *gin.Context) {
		token := m.extractToken(c)
		if token == "" {
			c.JSON(http.StatusUnauthorized, apierrors.New(http.StatusUnauthorized, "UNAUTHORIZED", "未提供认证令牌"))
			c.Abort()
			return
		}

		claims, err := m.jwt.ValidateAccessToken(token)
		if err != nil {
			c.JSON(http.StatusUnauthorized, apierrors.New(http.StatusUnauthorized, "UNAUTHORIZED", "无效的认证令牌"))
			c.Abort()
			return
		}

		if m.isJTIBlacklisted(claims.JTI) {
			c.JSON(http.StatusUnauthorized, apierrors.New(http.StatusUnauthorized, "UNAUTHORIZED", "令牌已失效，请重新登录"))
			c.Abort()
			return
		}

		if !m.isUserActive(c.Request.Context(), claims.UserID) {
			c.JSON(http.StatusUnauthorized, apierrors.New(http.StatusUnauthorized, "UNAUTHORIZED", "账号不可用，请重新登录"))
			c.Abort()
			return
		}

		c.Set("user_id", claims.UserID)
		c.Set("username", claims.Username)
		c.Set("token_jti", claims.JTI)

		roleCodes, permCodes := m.loadUserRolesAndPerms(c.Request.Context(), claims.UserID)
		c.Set("role_codes", roleCodes)
		c.Set("permission_codes", permCodes)

		c.Next()
	}
}

func (m *AuthMiddleware) Optional() gin.HandlerFunc {
	return func(c *gin.Context) {
		token := m.extractToken(c)
		if token != "" {
			claims, err := m.jwt.ValidateAccessToken(token)
			if err == nil && !m.isJTIBlacklisted(claims.JTI) && m.isUserActive(c.Request.Context(), claims.UserID) {
				c.Set("user_id", claims.UserID)
				c.Set("username", claims.Username)
				c.Set("token_jti", claims.JTI)
				roleCodes, permCodes := m.loadUserRolesAndPerms(c.Request.Context(), claims.UserID)
				c.Set("role_codes", roleCodes)
				c.Set("permission_codes", permCodes)
			}
		}

		c.Next()
	}
}

func (m *AuthMiddleware) isJTIBlacklisted(jti string) bool {
	if jti == "" {
		return false
	}

	key := "jwt_blacklist:" + jti

	// 先检查 L1 缓存
	if _, ok := m.l1Cache.Get(key); ok {
		return true
	}

	// L1 miss 时使用 singleflight 防止缓存击穿
	// 多个并发请求只会触发一次 L2 查询
	if m.cacheManager != nil {
		val, err, _ := m.sfGroup.Do(key, func() (interface{}, error) {
			found, _ := m.cacheManager.Get(context.Background(), key)
			return found, nil
		})
		if err == nil && val != nil {
			// 回写 L1 缓存
			m.l1Cache.Set(key, true, 5*time.Minute)
			return true
		}
	}

	return false
}

func (m *AuthMiddleware) loadUserRolesAndPerms(ctx context.Context, userID int64) ([]string, []string) {
	if m.userRoleRepo == nil {
		return nil, nil
	}

	cacheKey := fmt.Sprintf("user_perms:%d", userID)
	if cached, ok := m.l1Cache.Get(cacheKey); ok {
		if entry, ok := cached.(userPermEntry); ok {
			return entry.roles, entry.perms
		}
	}

	// 使用已优化的单次 JOIN 查询获取用户角色和权限
	roles, permissions, err := m.userRoleRepo.GetUserRolesAndPermissions(ctx, userID)
	if err != nil || len(roles) == 0 {
		return nil, nil
	}

	roleCodes := make([]string, 0, len(roles))
	for _, role := range roles {
		roleCodes = append(roleCodes, role.Code)
	}

	permCodes := make([]string, 0, len(permissions))
	for _, perm := range permissions {
		permCodes = append(permCodes, perm.Code)
	}

	m.l1Cache.Set(cacheKey, userPermEntry{roles: roleCodes, perms: permCodes}, 30*time.Minute)
	return roleCodes, permCodes
}

func (m *AuthMiddleware) InvalidateUserPermCache(userID int64) {
	m.l1Cache.Delete(fmt.Sprintf("user_perms:%d", userID))
}

func (m *AuthMiddleware) AddToBlacklist(jti string, ttl time.Duration) {
	if jti != "" && ttl > 0 {
		m.l1Cache.Set("jwt_blacklist:"+jti, true, ttl)
	}
}

func (m *AuthMiddleware) isUserActive(ctx context.Context, userID int64) bool {
	if m.userRepo == nil {
		return true
	}

	user, err := m.userRepo.GetByID(ctx, userID)
	if err != nil {
		return false
	}

	return user.Status == domain.UserStatusActive
}

func (m *AuthMiddleware) extractToken(c *gin.Context) string {
	authHeader := c.GetHeader("Authorization")
	if authHeader == "" {
		return ""
	}

	parts := strings.SplitN(authHeader, " ", 2)
	if len(parts) != 2 || parts[0] != "Bearer" {
		return ""
	}

	return parts[1]
}

type userPermEntry struct {
	roles []string
	perms []string
}
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers 2026-04-02 11:19:50 +08:00			`package middleware`

			`import (`
			`"context"`
			`"fmt"`
			`"net/http"`
			`"strings"`
			`"time"`

			`"github.com/gin-gonic/gin"`
fix: P1/P2 优化 - OAuth验证 + API响应 + 缓存击穿 + Webhook关闭 P1 - OAuth auth_url origin 验证: - 添加 validateOAuthUrl() 函数验证 OAuth URL origin - 仅允许同源或可信 OAuth 提供商 - LoginPage 和 ProfileSecurityPage 调用前验证 P2 - API 响应运行时类型验证: - 添加 isApiResponse() 运行时验证函数 - parseJsonResponse 验证响应结构完整性 P2 - 缓存击穿防护 (singleflight): - AuthMiddleware.isJTIBlacklisted 使用 singleflight.Group - 防止 L1 miss 时并发请求同时打 L2 P2 - Webhook 服务优雅关闭: - WebhookService 添加 Shutdown() 方法 - 服务器关闭时等待 worker 完成 - main.go 集成 shutdown 调用 2026-04-03 21:50:51 +08:00			`"golang.org/x/sync/singleflight"`
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers 2026-04-02 11:19:50 +08:00
			`"github.com/user-management-system/internal/auth"`
			`"github.com/user-management-system/internal/cache"`
			`"github.com/user-management-system/internal/domain"`
			`apierrors "github.com/user-management-system/internal/pkg/errors"`
			`"github.com/user-management-system/internal/repository"`
			`)`

			`type AuthMiddleware struct {`
			`jwt *auth.JWT`
			`userRepo *repository.UserRepository`
			`userRoleRepo *repository.UserRoleRepository`
			`roleRepo *repository.RoleRepository`
			`rolePermissionRepo *repository.RolePermissionRepository`
			`permissionRepo *repository.PermissionRepository`
			`l1Cache *cache.L1Cache`
			`cacheManager *cache.CacheManager`
fix: P1/P2 优化 - OAuth验证 + API响应 + 缓存击穿 + Webhook关闭 P1 - OAuth auth_url origin 验证: - 添加 validateOAuthUrl() 函数验证 OAuth URL origin - 仅允许同源或可信 OAuth 提供商 - LoginPage 和 ProfileSecurityPage 调用前验证 P2 - API 响应运行时类型验证: - 添加 isApiResponse() 运行时验证函数 - parseJsonResponse 验证响应结构完整性 P2 - 缓存击穿防护 (singleflight): - AuthMiddleware.isJTIBlacklisted 使用 singleflight.Group - 防止 L1 miss 时并发请求同时打 L2 P2 - Webhook 服务优雅关闭: - WebhookService 添加 Shutdown() 方法 - 服务器关闭时等待 worker 完成 - main.go 集成 shutdown 调用 2026-04-03 21:50:51 +08:00			`sfGroup singleflight.Group`
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers 2026-04-02 11:19:50 +08:00			`}`

			`func NewAuthMiddleware(`
			`jwt *auth.JWT,`
			`userRepo *repository.UserRepository,`
			`userRoleRepo *repository.UserRoleRepository,`
			`roleRepo *repository.RoleRepository,`
			`rolePermissionRepo *repository.RolePermissionRepository,`
			`permissionRepo *repository.PermissionRepository,`
fix: 生产安全修复 + Go SDK + CAS SSO框架安全修复: - CRITICAL: SSO重定向URL注入漏洞 - 修复redirect_uri白名单验证 - HIGH: SSO ClientSecret未验证 - 使用crypto/subtle.ConstantTimeCompare验证 - HIGH: 邮件验证码熵值过低(3字节) - 提升到6字节(48位熵) - HIGH: 短信验证码熵值过低(4字节) - 提升到6字节 - HIGH: Goroutine使用已取消上下文 - auth_email.go使用独立context+超时 - HIGH: SQL LIKE查询注入风险 - permission/role仓库使用escapeLikePattern 新功能: - Go SDK: sdk/go/user-management/ 完整SDK实现 - CAS SSO框架: internal/auth/cas.go CAS协议支持其他: - L1Cache实例问题修复 - AuthMiddleware共享l1Cache - 设备指纹XSS防护 - 内存存储替代localStorage - 响应格式协议中间件 - 导出无界查询修复 2026-04-03 17:38:31 +08:00			`l1Cache *cache.L1Cache,`
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers 2026-04-02 11:19:50 +08:00			`) *AuthMiddleware {`
			`return &AuthMiddleware{`
			`jwt: jwt,`
			`userRepo: userRepo,`
			`userRoleRepo: userRoleRepo,`
			`roleRepo: roleRepo,`
			`rolePermissionRepo: rolePermissionRepo,`
			`permissionRepo: permissionRepo,`
fix: 生产安全修复 + Go SDK + CAS SSO框架安全修复: - CRITICAL: SSO重定向URL注入漏洞 - 修复redirect_uri白名单验证 - HIGH: SSO ClientSecret未验证 - 使用crypto/subtle.ConstantTimeCompare验证 - HIGH: 邮件验证码熵值过低(3字节) - 提升到6字节(48位熵) - HIGH: 短信验证码熵值过低(4字节) - 提升到6字节 - HIGH: Goroutine使用已取消上下文 - auth_email.go使用独立context+超时 - HIGH: SQL LIKE查询注入风险 - permission/role仓库使用escapeLikePattern 新功能: - Go SDK: sdk/go/user-management/ 完整SDK实现 - CAS SSO框架: internal/auth/cas.go CAS协议支持其他: - L1Cache实例问题修复 - AuthMiddleware共享l1Cache - 设备指纹XSS防护 - 内存存储替代localStorage - 响应格式协议中间件 - 导出无界查询修复 2026-04-03 17:38:31 +08:00			`l1Cache: l1Cache,`
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers 2026-04-02 11:19:50 +08:00			`}`
			`}`

			`func (m AuthMiddleware) SetCacheManager(cm cache.CacheManager) {`
			`m.cacheManager = cm`
			`}`

			`func (m *AuthMiddleware) Required() gin.HandlerFunc {`
			`return func(c *gin.Context) {`
			`token := m.extractToken(c)`
			`if token == "" {`
			`c.JSON(http.StatusUnauthorized, apierrors.New(http.StatusUnauthorized, "UNAUTHORIZED", "未提供认证令牌"))`
			`c.Abort()`
			`return`
			`}`

			`claims, err := m.jwt.ValidateAccessToken(token)`
			`if err != nil {`
			`c.JSON(http.StatusUnauthorized, apierrors.New(http.StatusUnauthorized, "UNAUTHORIZED", "无效的认证令牌"))`
			`c.Abort()`
			`return`
			`}`

			`if m.isJTIBlacklisted(claims.JTI) {`
			`c.JSON(http.StatusUnauthorized, apierrors.New(http.StatusUnauthorized, "UNAUTHORIZED", "令牌已失效，请重新登录"))`
			`c.Abort()`
			`return`
			`}`

			`if !m.isUserActive(c.Request.Context(), claims.UserID) {`
			`c.JSON(http.StatusUnauthorized, apierrors.New(http.StatusUnauthorized, "UNAUTHORIZED", "账号不可用，请重新登录"))`
			`c.Abort()`
			`return`
			`}`

			`c.Set("user_id", claims.UserID)`
			`c.Set("username", claims.Username)`
			`c.Set("token_jti", claims.JTI)`

			`roleCodes, permCodes := m.loadUserRolesAndPerms(c.Request.Context(), claims.UserID)`
			`c.Set("role_codes", roleCodes)`
			`c.Set("permission_codes", permCodes)`

			`c.Next()`
			`}`
			`}`

			`func (m *AuthMiddleware) Optional() gin.HandlerFunc {`
			`return func(c *gin.Context) {`
			`token := m.extractToken(c)`
			`if token != "" {`
			`claims, err := m.jwt.ValidateAccessToken(token)`
			`if err == nil && !m.isJTIBlacklisted(claims.JTI) && m.isUserActive(c.Request.Context(), claims.UserID) {`
			`c.Set("user_id", claims.UserID)`
			`c.Set("username", claims.Username)`
			`c.Set("token_jti", claims.JTI)`
			`roleCodes, permCodes := m.loadUserRolesAndPerms(c.Request.Context(), claims.UserID)`
			`c.Set("role_codes", roleCodes)`
			`c.Set("permission_codes", permCodes)`
			`}`
			`}`

			`c.Next()`
			`}`
			`}`

			`func (m *AuthMiddleware) isJTIBlacklisted(jti string) bool {`
			`if jti == "" {`
			`return false`
			`}`

			`key := "jwt_blacklist:" + jti`
fix: P1/P2 优化 - OAuth验证 + API响应 + 缓存击穿 + Webhook关闭 P1 - OAuth auth_url origin 验证: - 添加 validateOAuthUrl() 函数验证 OAuth URL origin - 仅允许同源或可信 OAuth 提供商 - LoginPage 和 ProfileSecurityPage 调用前验证 P2 - API 响应运行时类型验证: - 添加 isApiResponse() 运行时验证函数 - parseJsonResponse 验证响应结构完整性 P2 - 缓存击穿防护 (singleflight): - AuthMiddleware.isJTIBlacklisted 使用 singleflight.Group - 防止 L1 miss 时并发请求同时打 L2 P2 - Webhook 服务优雅关闭: - WebhookService 添加 Shutdown() 方法 - 服务器关闭时等待 worker 完成 - main.go 集成 shutdown 调用 2026-04-03 21:50:51 +08:00
			`// 先检查 L1 缓存`
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers 2026-04-02 11:19:50 +08:00			`if _, ok := m.l1Cache.Get(key); ok {`
			`return true`
			`}`

fix: P1/P2 优化 - OAuth验证 + API响应 + 缓存击穿 + Webhook关闭 P1 - OAuth auth_url origin 验证: - 添加 validateOAuthUrl() 函数验证 OAuth URL origin - 仅允许同源或可信 OAuth 提供商 - LoginPage 和 ProfileSecurityPage 调用前验证 P2 - API 响应运行时类型验证: - 添加 isApiResponse() 运行时验证函数 - parseJsonResponse 验证响应结构完整性 P2 - 缓存击穿防护 (singleflight): - AuthMiddleware.isJTIBlacklisted 使用 singleflight.Group - 防止 L1 miss 时并发请求同时打 L2 P2 - Webhook 服务优雅关闭: - WebhookService 添加 Shutdown() 方法 - 服务器关闭时等待 worker 完成 - main.go 集成 shutdown 调用 2026-04-03 21:50:51 +08:00			`// L1 miss 时使用 singleflight 防止缓存击穿`
			`// 多个并发请求只会触发一次 L2 查询`
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers 2026-04-02 11:19:50 +08:00			`if m.cacheManager != nil {`
fix: P1/P2 优化 - OAuth验证 + API响应 + 缓存击穿 + Webhook关闭 P1 - OAuth auth_url origin 验证: - 添加 validateOAuthUrl() 函数验证 OAuth URL origin - 仅允许同源或可信 OAuth 提供商 - LoginPage 和 ProfileSecurityPage 调用前验证 P2 - API 响应运行时类型验证: - 添加 isApiResponse() 运行时验证函数 - parseJsonResponse 验证响应结构完整性 P2 - 缓存击穿防护 (singleflight): - AuthMiddleware.isJTIBlacklisted 使用 singleflight.Group - 防止 L1 miss 时并发请求同时打 L2 P2 - Webhook 服务优雅关闭: - WebhookService 添加 Shutdown() 方法 - 服务器关闭时等待 worker 完成 - main.go 集成 shutdown 调用 2026-04-03 21:50:51 +08:00			`val, err, _ := m.sfGroup.Do(key, func() (interface{}, error) {`
			`found, _ := m.cacheManager.Get(context.Background(), key)`
			`return found, nil`
			`})`
			`if err == nil && val != nil {`
			`// 回写 L1 缓存`
			`m.l1Cache.Set(key, true, 5*time.Minute)`
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers 2026-04-02 11:19:50 +08:00			`return true`
			`}`
			`}`

			`return false`
			`}`

			`func (m *AuthMiddleware) loadUserRolesAndPerms(ctx context.Context, userID int64) ([]string, []string) {`
fix: 生产安全修复 + Go SDK + CAS SSO框架安全修复: - CRITICAL: SSO重定向URL注入漏洞 - 修复redirect_uri白名单验证 - HIGH: SSO ClientSecret未验证 - 使用crypto/subtle.ConstantTimeCompare验证 - HIGH: 邮件验证码熵值过低(3字节) - 提升到6字节(48位熵) - HIGH: 短信验证码熵值过低(4字节) - 提升到6字节 - HIGH: Goroutine使用已取消上下文 - auth_email.go使用独立context+超时 - HIGH: SQL LIKE查询注入风险 - permission/role仓库使用escapeLikePattern 新功能: - Go SDK: sdk/go/user-management/ 完整SDK实现 - CAS SSO框架: internal/auth/cas.go CAS协议支持其他: - L1Cache实例问题修复 - AuthMiddleware共享l1Cache - 设备指纹XSS防护 - 内存存储替代localStorage - 响应格式协议中间件 - 导出无界查询修复 2026-04-03 17:38:31 +08:00			`if m.userRoleRepo == nil {`
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers 2026-04-02 11:19:50 +08:00			`return nil, nil`
			`}`

			`cacheKey := fmt.Sprintf("user_perms:%d", userID)`
			`if cached, ok := m.l1Cache.Get(cacheKey); ok {`
			`if entry, ok := cached.(userPermEntry); ok {`
			`return entry.roles, entry.perms`
			`}`
			`}`

fix: 生产安全修复 + Go SDK + CAS SSO框架安全修复: - CRITICAL: SSO重定向URL注入漏洞 - 修复redirect_uri白名单验证 - HIGH: SSO ClientSecret未验证 - 使用crypto/subtle.ConstantTimeCompare验证 - HIGH: 邮件验证码熵值过低(3字节) - 提升到6字节(48位熵) - HIGH: 短信验证码熵值过低(4字节) - 提升到6字节 - HIGH: Goroutine使用已取消上下文 - auth_email.go使用独立context+超时 - HIGH: SQL LIKE查询注入风险 - permission/role仓库使用escapeLikePattern 新功能: - Go SDK: sdk/go/user-management/ 完整SDK实现 - CAS SSO框架: internal/auth/cas.go CAS协议支持其他: - L1Cache实例问题修复 - AuthMiddleware共享l1Cache - 设备指纹XSS防护 - 内存存储替代localStorage - 响应格式协议中间件 - 导出无界查询修复 2026-04-03 17:38:31 +08:00			`// 使用已优化的单次 JOIN 查询获取用户角色和权限`
			`roles, permissions, err := m.userRoleRepo.GetUserRolesAndPermissions(ctx, userID)`
			`if err != nil \|\| len(roles) == 0 {`
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers 2026-04-02 11:19:50 +08:00			`return nil, nil`
			`}`

			`roleCodes := make([]string, 0, len(roles))`
			`for _, role := range roles {`
			`roleCodes = append(roleCodes, role.Code)`
			`}`

			`permCodes := make([]string, 0, len(permissions))`
fix: 生产安全修复 + Go SDK + CAS SSO框架安全修复: - CRITICAL: SSO重定向URL注入漏洞 - 修复redirect_uri白名单验证 - HIGH: SSO ClientSecret未验证 - 使用crypto/subtle.ConstantTimeCompare验证 - HIGH: 邮件验证码熵值过低(3字节) - 提升到6字节(48位熵) - HIGH: 短信验证码熵值过低(4字节) - 提升到6字节 - HIGH: Goroutine使用已取消上下文 - auth_email.go使用独立context+超时 - HIGH: SQL LIKE查询注入风险 - permission/role仓库使用escapeLikePattern 新功能: - Go SDK: sdk/go/user-management/ 完整SDK实现 - CAS SSO框架: internal/auth/cas.go CAS协议支持其他: - L1Cache实例问题修复 - AuthMiddleware共享l1Cache - 设备指纹XSS防护 - 内存存储替代localStorage - 响应格式协议中间件 - 导出无界查询修复 2026-04-03 17:38:31 +08:00			`for _, perm := range permissions {`
			`permCodes = append(permCodes, perm.Code)`
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers 2026-04-02 11:19:50 +08:00			`}`

fix: 生产安全修复 + Go SDK + CAS SSO框架安全修复: - CRITICAL: SSO重定向URL注入漏洞 - 修复redirect_uri白名单验证 - HIGH: SSO ClientSecret未验证 - 使用crypto/subtle.ConstantTimeCompare验证 - HIGH: 邮件验证码熵值过低(3字节) - 提升到6字节(48位熵) - HIGH: 短信验证码熵值过低(4字节) - 提升到6字节 - HIGH: Goroutine使用已取消上下文 - auth_email.go使用独立context+超时 - HIGH: SQL LIKE查询注入风险 - permission/role仓库使用escapeLikePattern 新功能: - Go SDK: sdk/go/user-management/ 完整SDK实现 - CAS SSO框架: internal/auth/cas.go CAS协议支持其他: - L1Cache实例问题修复 - AuthMiddleware共享l1Cache - 设备指纹XSS防护 - 内存存储替代localStorage - 响应格式协议中间件 - 导出无界查询修复 2026-04-03 17:38:31 +08:00			`m.l1Cache.Set(cacheKey, userPermEntry{roles: roleCodes, perms: permCodes}, 30*time.Minute)`
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers 2026-04-02 11:19:50 +08:00			`return roleCodes, permCodes`
			`}`

			`func (m *AuthMiddleware) InvalidateUserPermCache(userID int64) {`
			`m.l1Cache.Delete(fmt.Sprintf("user_perms:%d", userID))`
			`}`

			`func (m *AuthMiddleware) AddToBlacklist(jti string, ttl time.Duration) {`
			`if jti != "" && ttl > 0 {`
			`m.l1Cache.Set("jwt_blacklist:"+jti, true, ttl)`
			`}`
			`}`

			`func (m *AuthMiddleware) isUserActive(ctx context.Context, userID int64) bool {`
			`if m.userRepo == nil {`
			`return true`
			`}`

			`user, err := m.userRepo.GetByID(ctx, userID)`
			`if err != nil {`
			`return false`
			`}`

			`return user.Status == domain.UserStatusActive`
			`}`

			`func (m AuthMiddleware) extractToken(c gin.Context) string {`
			`authHeader := c.GetHeader("Authorization")`
			`if authHeader == "" {`
			`return ""`
			`}`

			`parts := strings.SplitN(authHeader, " ", 2)`
			`if len(parts) != 2 \|\| parts[0] != "Bearer" {`
			`return ""`
			`}`

			`return parts[1]`
			`}`

			`type userPermEntry struct {`
			`roles []string`
			`perms []string`
			`}`