internal/api/middleware/auth.go

package middleware

import (
	"context"
	"fmt"
	"net/http"
	"strings"
	"time"

	"github.com/gin-gonic/gin"
	"golang.org/x/sync/singleflight"

	"github.com/user-management-system/internal/auth"
	"github.com/user-management-system/internal/cache"
	"github.com/user-management-system/internal/domain"
	apierrors "github.com/user-management-system/internal/pkg/errors"
)

// Interfaces for dependency inversion (DIP) — middleware depends on these abstractions, not concrete types.
type authUserRepository interface {
	GetByID(ctx context.Context, id int64) (*domain.User, error)
}

type authUserRoleRepository interface {
	GetUserRolesAndPermissions(ctx context.Context, userID int64) ([]*domain.Role, []*domain.Permission, error)
}

type AuthMiddleware struct {
	jwt          *auth.JWT
	userRepo     authUserRepository
	userRoleRepo authUserRoleRepository
	l1Cache      *cache.L1Cache
	cacheManager *cache.CacheManager
	sfGroup      singleflight.Group
}

func NewAuthMiddleware(
	jwt *auth.JWT,
	userRepo authUserRepository,
	userRoleRepo authUserRoleRepository,
	l1Cache *cache.L1Cache,
) *AuthMiddleware {
	return &AuthMiddleware{
		jwt:          jwt,
		userRepo:     userRepo,
		userRoleRepo: userRoleRepo,
		l1Cache:      l1Cache,
	}
}

func (m *AuthMiddleware) SetCacheManager(cm *cache.CacheManager) {
	m.cacheManager = cm
}

func (m *AuthMiddleware) Required() gin.HandlerFunc {
	return func(c *gin.Context) {
		token := m.extractToken(c)
		if token == "" {
			c.JSON(http.StatusUnauthorized, apierrors.New(http.StatusUnauthorized, "UNAUTHORIZED", "未提供认证令牌"))
			c.Abort()
			return
		}

		claims, err := m.jwt.ValidateAccessToken(token)
		if err != nil {
			c.JSON(http.StatusUnauthorized, apierrors.New(http.StatusUnauthorized, "UNAUTHORIZED", "无效的认证令牌"))
			c.Abort()
			return
		}

		if m.isJTIBlacklisted(c.Request.Context(), claims.JTI) {
			c.JSON(http.StatusUnauthorized, apierrors.New(http.StatusUnauthorized, "UNAUTHORIZED", "令牌已失效，请重新登录"))
			c.Abort()
			return
		}

		// Perf: merge two separate DB round-trips (password-change check + active check)
		// into a single cached user-state validation.
		if denyReason := m.validateUserState(c.Request.Context(), claims.UserID, claims.PCE); denyReason != "" {
			c.JSON(http.StatusUnauthorized, apierrors.New(http.StatusUnauthorized, "UNAUTHORIZED", denyReason))
			c.Abort()
			return
		}

		c.Set("user_id", claims.UserID)
		c.Set("username", claims.Username)
		c.Set("token_jti", claims.JTI)

		roleCodes, permCodes := m.loadUserRolesAndPerms(c.Request.Context(), claims.UserID)
		c.Set("role_codes", roleCodes)
		c.Set("permission_codes", permCodes)

		c.Next()
	}
}

func (m *AuthMiddleware) Optional() gin.HandlerFunc {
	return func(c *gin.Context) {
		token := m.extractToken(c)
		if token != "" {
			claims, err := m.jwt.ValidateAccessToken(token)
			if err == nil && !m.isJTIBlacklisted(c.Request.Context(), claims.JTI) && m.validateUserState(c.Request.Context(), claims.UserID, claims.PCE) == "" {
				c.Set("user_id", claims.UserID)
				c.Set("username", claims.Username)
				c.Set("token_jti", claims.JTI)
				roleCodes, permCodes := m.loadUserRolesAndPerms(c.Request.Context(), claims.UserID)
				c.Set("role_codes", roleCodes)
				c.Set("permission_codes", permCodes)
			}
		}

		c.Next()
	}
}

func (m *AuthMiddleware) isJTIBlacklisted(ctx context.Context, jti string) bool {
	if jti == "" {
		return false
	}

	key := "jwt_blacklist:" + jti

	// 先检查 L1 缓存
	if _, ok := m.l1Cache.Get(key); ok {
		return true
	}

	// L1 miss 时使用 singleflight 防止缓存击穿
	// 多个并发请求只会触发一次 L2 查询
	if m.cacheManager != nil {
		val, err, _ := m.sfGroup.Do(key, func() (interface{}, error) {
			found, _ := m.cacheManager.Get(ctx, key)
			return found, nil
		})
		if err == nil && val != nil {
			// 回写 L1 缓存
			m.l1Cache.Set(key, true, 5*time.Minute)
			return true
		}
	}

	return false
}

// validateUserState performs a single cached DB lookup that replaces the two
// previously separate checks: isPasswordChangedSinceTokenIssued + isUserActive.
//
// Returns "" on success, or an i18n-ready denial message on failure.
// Results are cached for 5 seconds per user to reduce DB pressure under high
// concurrency (e.g. 100 VU × 10 req/s = 1 000 auth middleware calls/s against
// the same hot user IDs).
func (m *AuthMiddleware) validateUserState(ctx context.Context, userID int64, tokenPCE int64) string {
	if m.userRepo == nil {
		return ""
	}

	// Check short-lived user-state cache (5 s TTL).
	stateCacheKey := fmt.Sprintf("user_state:%d", userID)
	if cached, ok := m.l1Cache.Get(stateCacheKey); ok {
		if state, ok := cached.(userStateEntry); ok {
			// tokenPCE > 0 means the JWT was issued for a user who had already
			// changed their password at least once.  Zero/negative values come from
			// users whose PasswordChangedAt is still the Go zero-time, meaning they
			// have never changed it — skip the check in that case.
			if tokenPCE > 0 && state.passwordChangedAt > 0 && tokenPCE < state.passwordChangedAt {
				return "密码已更新，请重新登录"
			}
			if !state.active {
				return "账号不可用，请重新登录"
			}
			return ""
		}
	}

	// Cache miss — single DB round-trip.
	user, err := m.userRepo.GetByID(ctx, userID)
	if err != nil {
		return "账号不可用，请重新登录"
	}

	state := userStateEntry{
		active:            user.Status == domain.UserStatusActive,
		passwordChangedAt: 0,
	}
	if !user.PasswordChangedAt.IsZero() {
		state.passwordChangedAt = user.PasswordChangedAt.Unix()
	}

	// Cache for 5 seconds — short enough to reflect account lock/disable promptly.
	m.l1Cache.Set(stateCacheKey, state, 5*time.Second)

	// Same guard: tokenPCE <= 0 means no password-change time in the JWT → skip.
	if tokenPCE > 0 && state.passwordChangedAt > 0 && tokenPCE < state.passwordChangedAt {
		return "密码已更新，请重新登录"
	}
	if !state.active {
		return "账号不可用，请重新登录"
	}
	return ""
}

// InvalidateUserStateCache removes the user-state cache entry so the next
// request picks up fresh data.  Call this after status change or password reset.
func (m *AuthMiddleware) InvalidateUserStateCache(userID int64) {
	m.l1Cache.Delete(fmt.Sprintf("user_state:%d", userID))
}

// isPasswordChangedSinceTokenIssued 检查用户密码是否在令牌发放后已更改
// Deprecated: use validateUserState for combined check with caching.
func (m *AuthMiddleware) isPasswordChangedSinceTokenIssued(ctx context.Context, userID int64, tokenPCE int64) bool {
	if tokenPCE == 0 {
		return false
	}
	if m.userRepo == nil {
		return false
	}
	user, err := m.userRepo.GetByID(ctx, userID)
	if err != nil || user.PasswordChangedAt.IsZero() {
		return false
	}
	return tokenPCE < user.PasswordChangedAt.Unix()
}

func (m *AuthMiddleware) loadUserRolesAndPerms(ctx context.Context, userID int64) ([]string, []string) {
	if m.userRoleRepo == nil {
		return nil, nil
	}

	cacheKey := fmt.Sprintf("user_perms:%d", userID)
	if cached, ok := m.l1Cache.Get(cacheKey); ok {
		if entry, ok := cached.(userPermEntry); ok {
			return entry.roles, entry.perms
		}
	}

	// 使用已优化的单次 JOIN 查询获取用户角色和权限
	roles, permissions, err := m.userRoleRepo.GetUserRolesAndPermissions(ctx, userID)
	if err != nil || len(roles) == 0 {
		return nil, nil
	}

	roleCodes := make([]string, 0, len(roles))
	for _, role := range roles {
		roleCodes = append(roleCodes, role.Code)
	}

	permCodes := make([]string, 0, len(permissions))
	for _, perm := range permissions {
		permCodes = append(permCodes, perm.Code)
	}

	// P1-2 权限缓存 TTL 调优：5min（原 30min）
	// 理由：角色/权限变更后最长 5min 生效，与 userStateEntry TTL 保持一致。
	// 若需立即生效，调用 InvalidateUserPermCache(userID) 主动驱逐。
	m.l1Cache.Set(cacheKey, userPermEntry{roles: roleCodes, perms: permCodes}, 5*time.Minute)
	return roleCodes, permCodes
}

func (m *AuthMiddleware) InvalidateUserPermCache(userID int64) {
	m.l1Cache.Delete(fmt.Sprintf("user_perms:%d", userID))
}

func (m *AuthMiddleware) AddToBlacklist(jti string, ttl time.Duration) {
	if jti != "" && ttl > 0 {
		m.l1Cache.Set("jwt_blacklist:"+jti, true, ttl)
	}
}

func (m *AuthMiddleware) isUserActive(ctx context.Context, userID int64) bool {
	if m.userRepo == nil {
		return true
	}

	user, err := m.userRepo.GetByID(ctx, userID)
	if err != nil {
		return false
	}

	return user.Status == domain.UserStatusActive
}

func (m *AuthMiddleware) extractToken(c *gin.Context) string {
	authHeader := c.GetHeader("Authorization")
	if authHeader == "" {
		return ""
	}

	parts := strings.SplitN(authHeader, " ", 2)
	if len(parts) != 2 || parts[0] != "Bearer" {
		return ""
	}

	return parts[1]
}

type userPermEntry struct {
	roles []string
	perms []string
}

// userStateEntry caches the minimal user state needed for auth checks.
// TTL is 5 s so that account lock/disable takes effect within seconds.
type userStateEntry struct {
	active            bool
	passwordChangedAt int64 // Unix timestamp; 0 means never changed
}
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
+								package middleware
 								import (
 									"context"
 									"fmt"
 									"net/http"
 									"strings"
 									"time"
 									"github.com/gin-gonic/gin"
-												fix: P1/P2 优化 - OAuth验证 + API响应 + 缓存击穿 + Webhook关闭

P1 - OAuth auth_url origin 验证:
- 添加 validateOAuthUrl() 函数验证 OAuth URL origin
- 仅允许同源或可信 OAuth 提供商
- LoginPage 和 ProfileSecurityPage 调用前验证

P2 - API 响应运行时类型验证:
- 添加 isApiResponse() 运行时验证函数
- parseJsonResponse 验证响应结构完整性

P2 - 缓存击穿防护 (singleflight):
- AuthMiddleware.isJTIBlacklisted 使用 singleflight.Group
- 防止 L1 miss 时并发请求同时打 L2

P2 - Webhook 服务优雅关闭:
- WebhookService 添加 Shutdown() 方法
- 服务器关闭时等待 worker 完成
- main.go 集成 shutdown 调用

											
										
										
											2026-04-03 21:50:51 +08:00
+									"golang.org/x/sync/singleflight"
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
 									"github.com/user-management-system/internal/auth"
 									"github.com/user-management-system/internal/cache"
 									"github.com/user-management-system/internal/domain"
 									apierrors "github.com/user-management-system/internal/pkg/errors"
 								)
-												feat: complete production readiness improvements

- Fix DIP violations in service layer (device, stats, auth middleware)
- Add ReplaceUserRoles interface method for transaction safety
- Implement Magic Bytes validation for avatar uploads
- Standardize OAuth error handling with ErrOAuthProviderNotSupported
- Use crypto/rand for JWT secret generation instead of weak fixed key
- Apply code formatting with gofumpt and goimports
- Fix staticcheck issues (S1024, S1008, ST1005)
- Add comprehensive quality and functional test reports
- Achieve 36.3% test coverage (up from 16.3%)
- All E2E, integration, and business logic tests passing

											
										
										
											2026-04-12 16:15:32 +08:00
+								// Interfaces for dependency inversion (DIP) — middleware depends on these abstractions, not concrete types.
 								type authUserRepository interface {
 									GetByID(ctx context.Context, id int64) (*domain.User, error)
 								}
 								type authUserRoleRepository interface {
 									GetUserRolesAndPermissions(ctx context.Context, userID int64) ([]*domain.Role, []*domain.Permission, error)
 								}
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
+								type AuthMiddleware struct {
-												feat: complete production readiness improvements

- Fix DIP violations in service layer (device, stats, auth middleware)
- Add ReplaceUserRoles interface method for transaction safety
- Implement Magic Bytes validation for avatar uploads
- Standardize OAuth error handling with ErrOAuthProviderNotSupported
- Use crypto/rand for JWT secret generation instead of weak fixed key
- Apply code formatting with gofumpt and goimports
- Fix staticcheck issues (S1024, S1008, ST1005)
- Add comprehensive quality and functional test reports
- Achieve 36.3% test coverage (up from 16.3%)
- All E2E, integration, and business logic tests passing

											
										
										
											2026-04-12 16:15:32 +08:00
+									jwt          *auth.JWT
 									userRepo     authUserRepository
 									userRoleRepo authUserRoleRepository
 									l1Cache      *cache.L1Cache
 									cacheManager *cache.CacheManager
 									sfGroup      singleflight.Group
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
+								}
 								func NewAuthMiddleware(
 									jwt *auth.JWT,
-												feat: complete production readiness improvements

- Fix DIP violations in service layer (device, stats, auth middleware)
- Add ReplaceUserRoles interface method for transaction safety
- Implement Magic Bytes validation for avatar uploads
- Standardize OAuth error handling with ErrOAuthProviderNotSupported
- Use crypto/rand for JWT secret generation instead of weak fixed key
- Apply code formatting with gofumpt and goimports
- Fix staticcheck issues (S1024, S1008, ST1005)
- Add comprehensive quality and functional test reports
- Achieve 36.3% test coverage (up from 16.3%)
- All E2E, integration, and business logic tests passing

											
										
										
											2026-04-12 16:15:32 +08:00
+									userRepo authUserRepository,
 									userRoleRepo authUserRoleRepository,
-												fix: 生产安全修复 + Go SDK + CAS SSO框架

安全修复:
- CRITICAL: SSO重定向URL注入漏洞 - 修复redirect_uri白名单验证
- HIGH: SSO ClientSecret未验证 - 使用crypto/subtle.ConstantTimeCompare验证
- HIGH: 邮件验证码熵值过低(3字节) - 提升到6字节(48位熵)
- HIGH: 短信验证码熵值过低(4字节) - 提升到6字节
- HIGH: Goroutine使用已取消上下文 - auth_email.go使用独立context+超时
- HIGH: SQL LIKE查询注入风险 - permission/role仓库使用escapeLikePattern

新功能:
- Go SDK: sdk/go/user-management/ 完整SDK实现
- CAS SSO框架: internal/auth/cas.go CAS协议支持

其他:
- L1Cache实例问题修复 - AuthMiddleware共享l1Cache
- 设备指纹XSS防护 - 内存存储替代localStorage
- 响应格式协议中间件
- 导出无界查询修复

											
										
										
											2026-04-03 17:38:31 +08:00
+									l1Cache *cache.L1Cache,
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
+								) *AuthMiddleware {
 									return &AuthMiddleware{
-												feat: complete production readiness improvements

- Fix DIP violations in service layer (device, stats, auth middleware)
- Add ReplaceUserRoles interface method for transaction safety
- Implement Magic Bytes validation for avatar uploads
- Standardize OAuth error handling with ErrOAuthProviderNotSupported
- Use crypto/rand for JWT secret generation instead of weak fixed key
- Apply code formatting with gofumpt and goimports
- Fix staticcheck issues (S1024, S1008, ST1005)
- Add comprehensive quality and functional test reports
- Achieve 36.3% test coverage (up from 16.3%)
- All E2E, integration, and business logic tests passing

											
										
										
											2026-04-12 16:15:32 +08:00
+										jwt:          jwt,
 										userRepo:     userRepo,
 										userRoleRepo: userRoleRepo,
 										l1Cache:      l1Cache,
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
+									}
 								}
 								func (m *AuthMiddleware) SetCacheManager(cm *cache.CacheManager) {
 									m.cacheManager = cm
 								}
 								func (m *AuthMiddleware) Required() gin.HandlerFunc {
 									return func(c *gin.Context) {
 										token := m.extractToken(c)
 										if token == "" {
 											c.JSON(http.StatusUnauthorized, apierrors.New(http.StatusUnauthorized, "UNAUTHORIZED", "未提供认证令牌"))
 											c.Abort()
 											return
 										}
 										claims, err := m.jwt.ValidateAccessToken(token)
 										if err != nil {
 											c.JSON(http.StatusUnauthorized, apierrors.New(http.StatusUnauthorized, "UNAUTHORIZED", "无效的认证令牌"))
 											c.Abort()
 											return
 										}
-												feat: complete production readiness improvements

- Fix DIP violations in service layer (device, stats, auth middleware)
- Add ReplaceUserRoles interface method for transaction safety
- Implement Magic Bytes validation for avatar uploads
- Standardize OAuth error handling with ErrOAuthProviderNotSupported
- Use crypto/rand for JWT secret generation instead of weak fixed key
- Apply code formatting with gofumpt and goimports
- Fix staticcheck issues (S1024, S1008, ST1005)
- Add comprehensive quality and functional test reports
- Achieve 36.3% test coverage (up from 16.3%)
- All E2E, integration, and business logic tests passing

											
										
										
											2026-04-12 16:15:32 +08:00
+										if m.isJTIBlacklisted(c.Request.Context(), claims.JTI) {
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
+											c.JSON(http.StatusUnauthorized, apierrors.New(http.StatusUnauthorized, "UNAUTHORIZED", "令牌已失效，请重新登录"))
 											c.Abort()
 											return
 										}
-												perf: Sprint 19 P0/P1 性能优化落地

P0（高优先级）:
- P0-1: 确认数据库复合索引已存在（GORM tag），composite_index_test 验证通过
- P0-2: 连接池调优 MaxIdleConns 5→10, ConnMaxLifetime 30min→5min
- P0-3: Redis 智能探测（ProbeRedis），无 Redis 自动降级到纯内存模式

P1（中优先级）:
- P1-1: GZIP 压缩中间件（compress/gzip 标准库，零新依赖）
- P1-2: 权限缓存 TTL 30min→5min
- P1-3: Argon2id 启动自适应校准（CalibrateArgon2id）

历史优化（含本次提交）:
- L1Cache O(n)→O(1) LRU 重构
- Auth 中间件 DB 查询合并 + 5s L1 缓存
- Logger 异步化（4096 缓冲通道）

验证: go build/vet/test 41/41 PASS, govulncheck 无漏洞

											
										
										
											2026-04-18 22:57:44 +08:00
+										// Perf: merge two separate DB round-trips (password-change check + active check)
 										// into a single cached user-state validation.
 										if denyReason := m.validateUserState(c.Request.Context(), claims.UserID, claims.PCE); denyReason != "" {
 											c.JSON(http.StatusUnauthorized, apierrors.New(http.StatusUnauthorized, "UNAUTHORIZED", denyReason))
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
+											c.Abort()
 											return
 										}
 										c.Set("user_id", claims.UserID)
 										c.Set("username", claims.Username)
 										c.Set("token_jti", claims.JTI)
 										roleCodes, permCodes := m.loadUserRolesAndPerms(c.Request.Context(), claims.UserID)
 										c.Set("role_codes", roleCodes)
 										c.Set("permission_codes", permCodes)
 										c.Next()
 									}
 								}
 								func (m *AuthMiddleware) Optional() gin.HandlerFunc {
 									return func(c *gin.Context) {
 										token := m.extractToken(c)
 										if token != "" {
 											claims, err := m.jwt.ValidateAccessToken(token)
-												perf: Sprint 19 P0/P1 性能优化落地

P0（高优先级）:
- P0-1: 确认数据库复合索引已存在（GORM tag），composite_index_test 验证通过
- P0-2: 连接池调优 MaxIdleConns 5→10, ConnMaxLifetime 30min→5min
- P0-3: Redis 智能探测（ProbeRedis），无 Redis 自动降级到纯内存模式

P1（中优先级）:
- P1-1: GZIP 压缩中间件（compress/gzip 标准库，零新依赖）
- P1-2: 权限缓存 TTL 30min→5min
- P1-3: Argon2id 启动自适应校准（CalibrateArgon2id）

历史优化（含本次提交）:
- L1Cache O(n)→O(1) LRU 重构
- Auth 中间件 DB 查询合并 + 5s L1 缓存
- Logger 异步化（4096 缓冲通道）

验证: go build/vet/test 41/41 PASS, govulncheck 无漏洞

											
										
										
											2026-04-18 22:57:44 +08:00
+											if err == nil && !m.isJTIBlacklisted(c.Request.Context(), claims.JTI) && m.validateUserState(c.Request.Context(), claims.UserID, claims.PCE) == "" {
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
+												c.Set("user_id", claims.UserID)
 												c.Set("username", claims.Username)
 												c.Set("token_jti", claims.JTI)
 												roleCodes, permCodes := m.loadUserRolesAndPerms(c.Request.Context(), claims.UserID)
 												c.Set("role_codes", roleCodes)
 												c.Set("permission_codes", permCodes)
 											}
 										}
 										c.Next()
 									}
 								}
-												feat: complete production readiness improvements

- Fix DIP violations in service layer (device, stats, auth middleware)
- Add ReplaceUserRoles interface method for transaction safety
- Implement Magic Bytes validation for avatar uploads
- Standardize OAuth error handling with ErrOAuthProviderNotSupported
- Use crypto/rand for JWT secret generation instead of weak fixed key
- Apply code formatting with gofumpt and goimports
- Fix staticcheck issues (S1024, S1008, ST1005)
- Add comprehensive quality and functional test reports
- Achieve 36.3% test coverage (up from 16.3%)
- All E2E, integration, and business logic tests passing

											
										
										
											2026-04-12 16:15:32 +08:00
+								func (m *AuthMiddleware) isJTIBlacklisted(ctx context.Context, jti string) bool {
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
+									if jti == "" {
 										return false
 									}
 									key := "jwt_blacklist:" + jti
-												fix: P1/P2 优化 - OAuth验证 + API响应 + 缓存击穿 + Webhook关闭

P1 - OAuth auth_url origin 验证:
- 添加 validateOAuthUrl() 函数验证 OAuth URL origin
- 仅允许同源或可信 OAuth 提供商
- LoginPage 和 ProfileSecurityPage 调用前验证

P2 - API 响应运行时类型验证:
- 添加 isApiResponse() 运行时验证函数
- parseJsonResponse 验证响应结构完整性

P2 - 缓存击穿防护 (singleflight):
- AuthMiddleware.isJTIBlacklisted 使用 singleflight.Group
- 防止 L1 miss 时并发请求同时打 L2

P2 - Webhook 服务优雅关闭:
- WebhookService 添加 Shutdown() 方法
- 服务器关闭时等待 worker 完成
- main.go 集成 shutdown 调用

											
										
										
											2026-04-03 21:50:51 +08:00
 									// 先检查 L1 缓存
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
+									if _, ok := m.l1Cache.Get(key); ok {
 										return true
 									}
-												fix: P1/P2 优化 - OAuth验证 + API响应 + 缓存击穿 + Webhook关闭

P1 - OAuth auth_url origin 验证:
- 添加 validateOAuthUrl() 函数验证 OAuth URL origin
- 仅允许同源或可信 OAuth 提供商
- LoginPage 和 ProfileSecurityPage 调用前验证

P2 - API 响应运行时类型验证:
- 添加 isApiResponse() 运行时验证函数
- parseJsonResponse 验证响应结构完整性

P2 - 缓存击穿防护 (singleflight):
- AuthMiddleware.isJTIBlacklisted 使用 singleflight.Group
- 防止 L1 miss 时并发请求同时打 L2

P2 - Webhook 服务优雅关闭:
- WebhookService 添加 Shutdown() 方法
- 服务器关闭时等待 worker 完成
- main.go 集成 shutdown 调用

											
										
										
											2026-04-03 21:50:51 +08:00
+									// L1 miss 时使用 singleflight 防止缓存击穿
 									// 多个并发请求只会触发一次 L2 查询
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
+									if m.cacheManager != nil {
-												fix: P1/P2 优化 - OAuth验证 + API响应 + 缓存击穿 + Webhook关闭

P1 - OAuth auth_url origin 验证:
- 添加 validateOAuthUrl() 函数验证 OAuth URL origin
- 仅允许同源或可信 OAuth 提供商
- LoginPage 和 ProfileSecurityPage 调用前验证

P2 - API 响应运行时类型验证:
- 添加 isApiResponse() 运行时验证函数
- parseJsonResponse 验证响应结构完整性

P2 - 缓存击穿防护 (singleflight):
- AuthMiddleware.isJTIBlacklisted 使用 singleflight.Group
- 防止 L1 miss 时并发请求同时打 L2

P2 - Webhook 服务优雅关闭:
- WebhookService 添加 Shutdown() 方法
- 服务器关闭时等待 worker 完成
- main.go 集成 shutdown 调用

											
										
										
											2026-04-03 21:50:51 +08:00
+										val, err, _ := m.sfGroup.Do(key, func() (interface{}, error) {
-												feat: complete production readiness improvements

- Fix DIP violations in service layer (device, stats, auth middleware)
- Add ReplaceUserRoles interface method for transaction safety
- Implement Magic Bytes validation for avatar uploads
- Standardize OAuth error handling with ErrOAuthProviderNotSupported
- Use crypto/rand for JWT secret generation instead of weak fixed key
- Apply code formatting with gofumpt and goimports
- Fix staticcheck issues (S1024, S1008, ST1005)
- Add comprehensive quality and functional test reports
- Achieve 36.3% test coverage (up from 16.3%)
- All E2E, integration, and business logic tests passing

											
										
										
											2026-04-12 16:15:32 +08:00
+											found, _ := m.cacheManager.Get(ctx, key)
-												fix: P1/P2 优化 - OAuth验证 + API响应 + 缓存击穿 + Webhook关闭

P1 - OAuth auth_url origin 验证:
- 添加 validateOAuthUrl() 函数验证 OAuth URL origin
- 仅允许同源或可信 OAuth 提供商
- LoginPage 和 ProfileSecurityPage 调用前验证

P2 - API 响应运行时类型验证:
- 添加 isApiResponse() 运行时验证函数
- parseJsonResponse 验证响应结构完整性

P2 - 缓存击穿防护 (singleflight):
- AuthMiddleware.isJTIBlacklisted 使用 singleflight.Group
- 防止 L1 miss 时并发请求同时打 L2

P2 - Webhook 服务优雅关闭:
- WebhookService 添加 Shutdown() 方法
- 服务器关闭时等待 worker 完成
- main.go 集成 shutdown 调用

											
										
										
											2026-04-03 21:50:51 +08:00
+											return found, nil
 										})
 										if err == nil && val != nil {
 											// 回写 L1 缓存
 											m.l1Cache.Set(key, true, 5*time.Minute)
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
+											return true
 										}
 									}
 									return false
 								}
-												perf: Sprint 19 P0/P1 性能优化落地

P0（高优先级）:
- P0-1: 确认数据库复合索引已存在（GORM tag），composite_index_test 验证通过
- P0-2: 连接池调优 MaxIdleConns 5→10, ConnMaxLifetime 30min→5min
- P0-3: Redis 智能探测（ProbeRedis），无 Redis 自动降级到纯内存模式

P1（中优先级）:
- P1-1: GZIP 压缩中间件（compress/gzip 标准库，零新依赖）
- P1-2: 权限缓存 TTL 30min→5min
- P1-3: Argon2id 启动自适应校准（CalibrateArgon2id）

历史优化（含本次提交）:
- L1Cache O(n)→O(1) LRU 重构
- Auth 中间件 DB 查询合并 + 5s L1 缓存
- Logger 异步化（4096 缓冲通道）

验证: go build/vet/test 41/41 PASS, govulncheck 无漏洞

											
										
										
											2026-04-18 22:57:44 +08:00
+								// validateUserState performs a single cached DB lookup that replaces the two
 								// previously separate checks: isPasswordChangedSinceTokenIssued + isUserActive.
 								//
 								// Returns "" on success, or an i18n-ready denial message on failure.
 								// Results are cached for 5 seconds per user to reduce DB pressure under high
 								// concurrency (e.g. 100 VU × 10 req/s = 1 000 auth middleware calls/s against
 								// the same hot user IDs).
 								func (m *AuthMiddleware) validateUserState(ctx context.Context, userID int64, tokenPCE int64) string {
 									if m.userRepo == nil {
 										return ""
 									}
 									// Check short-lived user-state cache (5 s TTL).
 									stateCacheKey := fmt.Sprintf("user_state:%d", userID)
 									if cached, ok := m.l1Cache.Get(stateCacheKey); ok {
 										if state, ok := cached.(userStateEntry); ok {
 											// tokenPCE > 0 means the JWT was issued for a user who had already
 											// changed their password at least once.  Zero/negative values come from
 											// users whose PasswordChangedAt is still the Go zero-time, meaning they
 											// have never changed it — skip the check in that case.
 											if tokenPCE > 0 && state.passwordChangedAt > 0 && tokenPCE < state.passwordChangedAt {
 												return "密码已更新，请重新登录"
 											}
 											if !state.active {
 												return "账号不可用，请重新登录"
 											}
 											return ""
 										}
 									}
 									// Cache miss — single DB round-trip.
 									user, err := m.userRepo.GetByID(ctx, userID)
 									if err != nil {
 										return "账号不可用，请重新登录"
 									}
 									state := userStateEntry{
 										active:            user.Status == domain.UserStatusActive,
 										passwordChangedAt: 0,
 									}
 									if !user.PasswordChangedAt.IsZero() {
 										state.passwordChangedAt = user.PasswordChangedAt.Unix()
 									}
 									// Cache for 5 seconds — short enough to reflect account lock/disable promptly.
 									m.l1Cache.Set(stateCacheKey, state, 5*time.Second)
 									// Same guard: tokenPCE <= 0 means no password-change time in the JWT → skip.
 									if tokenPCE > 0 && state.passwordChangedAt > 0 && tokenPCE < state.passwordChangedAt {
 										return "密码已更新，请重新登录"
 									}
 									if !state.active {
 										return "账号不可用，请重新登录"
 									}
 									return ""
 								}
 								// InvalidateUserStateCache removes the user-state cache entry so the next
 								// request picks up fresh data.  Call this after status change or password reset.
 								func (m *AuthMiddleware) InvalidateUserStateCache(userID int64) {
 									m.l1Cache.Delete(fmt.Sprintf("user_state:%d", userID))
 								}
-												fix: P0/P1 security and quality fixes

P0-01: Add ESCAPE clause to LIKE queries in operation_log.go and device.go
P0-02: Add atomic Increment to L1Cache and L2Cache interfaces
P0-07: Add TOTP verification step after password login
P1-01: Sanitize error messages in error.go middleware
P1-03: Remove err.Error() from export error messages
P1-04: Add error return to CountByResultSince in login_log.go
P1-05: Add transactional DeleteCascade to RoleRepository
P1-06: Add PasswordChangedAt tracking for JWT token invalidation
P1-07: Wrap theme SetDefault in database transaction
P1-08: Use config values for database pool parameters
P1-09: Add rows.Err() checks in social_account_repo.go
P1-10: Validate sortOrder with map in user.go ORDER BY
P1-11: Add GORM tags to Announcement struct
P1-15: Add pageSize upper limit (100) to device and log handlers

											
										
										
											2026-04-18 15:33:12 +08:00
+								// isPasswordChangedSinceTokenIssued 检查用户密码是否在令牌发放后已更改
-												perf: Sprint 19 P0/P1 性能优化落地

P0（高优先级）:
- P0-1: 确认数据库复合索引已存在（GORM tag），composite_index_test 验证通过
- P0-2: 连接池调优 MaxIdleConns 5→10, ConnMaxLifetime 30min→5min
- P0-3: Redis 智能探测（ProbeRedis），无 Redis 自动降级到纯内存模式

P1（中优先级）:
- P1-1: GZIP 压缩中间件（compress/gzip 标准库，零新依赖）
- P1-2: 权限缓存 TTL 30min→5min
- P1-3: Argon2id 启动自适应校准（CalibrateArgon2id）

历史优化（含本次提交）:
- L1Cache O(n)→O(1) LRU 重构
- Auth 中间件 DB 查询合并 + 5s L1 缓存
- Logger 异步化（4096 缓冲通道）

验证: go build/vet/test 41/41 PASS, govulncheck 无漏洞

											
										
										
											2026-04-18 22:57:44 +08:00
+								// Deprecated: use validateUserState for combined check with caching.
-												fix: P0/P1 security and quality fixes

P0-01: Add ESCAPE clause to LIKE queries in operation_log.go and device.go
P0-02: Add atomic Increment to L1Cache and L2Cache interfaces
P0-07: Add TOTP verification step after password login
P1-01: Sanitize error messages in error.go middleware
P1-03: Remove err.Error() from export error messages
P1-04: Add error return to CountByResultSince in login_log.go
P1-05: Add transactional DeleteCascade to RoleRepository
P1-06: Add PasswordChangedAt tracking for JWT token invalidation
P1-07: Wrap theme SetDefault in database transaction
P1-08: Use config values for database pool parameters
P1-09: Add rows.Err() checks in social_account_repo.go
P1-10: Validate sortOrder with map in user.go ORDER BY
P1-11: Add GORM tags to Announcement struct
P1-15: Add pageSize upper limit (100) to device and log handlers

											
										
										
											2026-04-18 15:33:12 +08:00
+								func (m *AuthMiddleware) isPasswordChangedSinceTokenIssued(ctx context.Context, userID int64, tokenPCE int64) bool {
 									if tokenPCE == 0 {
 										return false
 									}
 									if m.userRepo == nil {
 										return false
 									}
 									user, err := m.userRepo.GetByID(ctx, userID)
 									if err != nil || user.PasswordChangedAt.IsZero() {
 										return false
 									}
 									return tokenPCE < user.PasswordChangedAt.Unix()
 								}
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
+								func (m *AuthMiddleware) loadUserRolesAndPerms(ctx context.Context, userID int64) ([]string, []string) {
-												fix: 生产安全修复 + Go SDK + CAS SSO框架

安全修复:
- CRITICAL: SSO重定向URL注入漏洞 - 修复redirect_uri白名单验证
- HIGH: SSO ClientSecret未验证 - 使用crypto/subtle.ConstantTimeCompare验证
- HIGH: 邮件验证码熵值过低(3字节) - 提升到6字节(48位熵)
- HIGH: 短信验证码熵值过低(4字节) - 提升到6字节
- HIGH: Goroutine使用已取消上下文 - auth_email.go使用独立context+超时
- HIGH: SQL LIKE查询注入风险 - permission/role仓库使用escapeLikePattern

新功能:
- Go SDK: sdk/go/user-management/ 完整SDK实现
- CAS SSO框架: internal/auth/cas.go CAS协议支持

其他:
- L1Cache实例问题修复 - AuthMiddleware共享l1Cache
- 设备指纹XSS防护 - 内存存储替代localStorage
- 响应格式协议中间件
- 导出无界查询修复

											
										
										
											2026-04-03 17:38:31 +08:00
+									if m.userRoleRepo == nil {
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
+										return nil, nil
 									}
 									cacheKey := fmt.Sprintf("user_perms:%d", userID)
 									if cached, ok := m.l1Cache.Get(cacheKey); ok {
 										if entry, ok := cached.(userPermEntry); ok {
 											return entry.roles, entry.perms
 										}
 									}
-												fix: 生产安全修复 + Go SDK + CAS SSO框架

安全修复:
- CRITICAL: SSO重定向URL注入漏洞 - 修复redirect_uri白名单验证
- HIGH: SSO ClientSecret未验证 - 使用crypto/subtle.ConstantTimeCompare验证
- HIGH: 邮件验证码熵值过低(3字节) - 提升到6字节(48位熵)
- HIGH: 短信验证码熵值过低(4字节) - 提升到6字节
- HIGH: Goroutine使用已取消上下文 - auth_email.go使用独立context+超时
- HIGH: SQL LIKE查询注入风险 - permission/role仓库使用escapeLikePattern

新功能:
- Go SDK: sdk/go/user-management/ 完整SDK实现
- CAS SSO框架: internal/auth/cas.go CAS协议支持

其他:
- L1Cache实例问题修复 - AuthMiddleware共享l1Cache
- 设备指纹XSS防护 - 内存存储替代localStorage
- 响应格式协议中间件
- 导出无界查询修复

											
										
										
											2026-04-03 17:38:31 +08:00
+									// 使用已优化的单次 JOIN 查询获取用户角色和权限
 									roles, permissions, err := m.userRoleRepo.GetUserRolesAndPermissions(ctx, userID)
 									if err != nil || len(roles) == 0 {
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
+										return nil, nil
 									}
 									roleCodes := make([]string, 0, len(roles))
 									for _, role := range roles {
 										roleCodes = append(roleCodes, role.Code)
 									}
 									permCodes := make([]string, 0, len(permissions))
-												fix: 生产安全修复 + Go SDK + CAS SSO框架

安全修复:
- CRITICAL: SSO重定向URL注入漏洞 - 修复redirect_uri白名单验证
- HIGH: SSO ClientSecret未验证 - 使用crypto/subtle.ConstantTimeCompare验证
- HIGH: 邮件验证码熵值过低(3字节) - 提升到6字节(48位熵)
- HIGH: 短信验证码熵值过低(4字节) - 提升到6字节
- HIGH: Goroutine使用已取消上下文 - auth_email.go使用独立context+超时
- HIGH: SQL LIKE查询注入风险 - permission/role仓库使用escapeLikePattern

新功能:
- Go SDK: sdk/go/user-management/ 完整SDK实现
- CAS SSO框架: internal/auth/cas.go CAS协议支持

其他:
- L1Cache实例问题修复 - AuthMiddleware共享l1Cache
- 设备指纹XSS防护 - 内存存储替代localStorage
- 响应格式协议中间件
- 导出无界查询修复

											
										
										
											2026-04-03 17:38:31 +08:00
+									for _, perm := range permissions {
 										permCodes = append(permCodes, perm.Code)
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
+									}
-												perf: Sprint 19 P0/P1 性能优化落地

P0（高优先级）:
- P0-1: 确认数据库复合索引已存在（GORM tag），composite_index_test 验证通过
- P0-2: 连接池调优 MaxIdleConns 5→10, ConnMaxLifetime 30min→5min
- P0-3: Redis 智能探测（ProbeRedis），无 Redis 自动降级到纯内存模式

P1（中优先级）:
- P1-1: GZIP 压缩中间件（compress/gzip 标准库，零新依赖）
- P1-2: 权限缓存 TTL 30min→5min
- P1-3: Argon2id 启动自适应校准（CalibrateArgon2id）

历史优化（含本次提交）:
- L1Cache O(n)→O(1) LRU 重构
- Auth 中间件 DB 查询合并 + 5s L1 缓存
- Logger 异步化（4096 缓冲通道）

验证: go build/vet/test 41/41 PASS, govulncheck 无漏洞

											
										
										
											2026-04-18 22:57:44 +08:00
+									// P1-2 权限缓存 TTL 调优：5min（原 30min）
 									// 理由：角色/权限变更后最长 5min 生效，与 userStateEntry TTL 保持一致。
 									// 若需立即生效，调用 InvalidateUserPermCache(userID) 主动驱逐。
 									m.l1Cache.Set(cacheKey, userPermEntry{roles: roleCodes, perms: permCodes}, 5*time.Minute)
-												feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

											
										
										
											2026-04-02 11:19:50 +08:00
+									return roleCodes, permCodes
 								}
 								func (m *AuthMiddleware) InvalidateUserPermCache(userID int64) {
 									m.l1Cache.Delete(fmt.Sprintf("user_perms:%d", userID))
 								}
 								func (m *AuthMiddleware) AddToBlacklist(jti string, ttl time.Duration) {
 									if jti != "" && ttl > 0 {
 										m.l1Cache.Set("jwt_blacklist:"+jti, true, ttl)
 									}
 								}
 								func (m *AuthMiddleware) isUserActive(ctx context.Context, userID int64) bool {
 									if m.userRepo == nil {
 										return true
 									}
 									user, err := m.userRepo.GetByID(ctx, userID)
 									if err != nil {
 										return false
 									}
 									return user.Status == domain.UserStatusActive
 								}
 								func (m *AuthMiddleware) extractToken(c *gin.Context) string {
 									authHeader := c.GetHeader("Authorization")
 									if authHeader == "" {
 										return ""
 									}
 									parts := strings.SplitN(authHeader, " ", 2)
 									if len(parts) != 2 || parts[0] != "Bearer" {
 										return ""
 									}
 									return parts[1]
 								}
 								type userPermEntry struct {
 									roles []string
 									perms []string
 								}
-												perf: Sprint 19 P0/P1 性能优化落地

P0（高优先级）:
- P0-1: 确认数据库复合索引已存在（GORM tag），composite_index_test 验证通过
- P0-2: 连接池调优 MaxIdleConns 5→10, ConnMaxLifetime 30min→5min
- P0-3: Redis 智能探测（ProbeRedis），无 Redis 自动降级到纯内存模式

P1（中优先级）:
- P1-1: GZIP 压缩中间件（compress/gzip 标准库，零新依赖）
- P1-2: 权限缓存 TTL 30min→5min
- P1-3: Argon2id 启动自适应校准（CalibrateArgon2id）

历史优化（含本次提交）:
- L1Cache O(n)→O(1) LRU 重构
- Auth 中间件 DB 查询合并 + 5s L1 缓存
- Logger 异步化（4096 缓冲通道）

验证: go build/vet/test 41/41 PASS, govulncheck 无漏洞

											
										
										
											2026-04-18 22:57:44 +08:00
 								// userStateEntry caches the minimal user state needed for auth checks.
 								// TTL is 5 s so that account lock/disable takes effect within seconds.
 								type userStateEntry struct {
 									active            bool
 									passwordChangedAt int64 // Unix timestamp; 0 means never changed
 								}