feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers

configs/config.yaml

@@ -0,0 +1,212 @@
+server:
+  port: 8080
+  mode: release  # debug, release
+  read_timeout: 30
+  read_header_timeout: 10
+  write_timeout: 30
+  idle_timeout: 60
+  shutdown_timeout: 15
+  max_header_bytes: 1048576
+
+database:
+  type: sqlite  # current runtime support: sqlite
+  sqlite:
+    path: ./data/user_management.db
+  postgresql:
+    host: localhost
+    port: 5432
+    database: user_management
+    username: postgres
+    password: ""
+    ssl_mode: disable
+    max_open_conns: 100
+    max_idle_conns: 10
+  mysql:
+    host: localhost
+    port: 3306
+    database: user_management
+    username: root
+    password: ""
+    charset: utf8mb4
+    max_open_conns: 100
+    max_idle_conns: 10
+
+cache:
+  l1:
+    enabled: true
+    max_size: 10000
+    ttl: 5m
+  l2:
+    enabled: false
+    type: redis
+    redis:
+      addr: localhost:6379
+      password: ""
+      db: 0
+      pool_size: 50
+      ttl: 30m
+
+redis:
+  enabled: false
+  addr: localhost:6379
+  password: ""
+  db: 0
+
+jwt:
+  algorithm: HS256  # debug mode 使用 HS256
+  secret: "change-me-in-production-use-at-least-32-bytes-secret"
+  access_token_expire_minutes: 120  # 2小时
+  refresh_token_expire_days: 7  # 7天
+
+security:
+  password_min_length: 8
+  password_require_special: true
+  password_require_number: true
+  login_max_attempts: 5
+  login_lock_duration: 30m
+
+ratelimit:
+  enabled: true
+  login:
+    enabled: true
+    algorithm: token_bucket
+    capacity: 5
+    rate: 1
+    window: 1m
+  register:
+    enabled: true
+    algorithm: leaky_bucket
+    capacity: 3
+    rate: 1
+    window: 1h
+  api:
+    enabled: true
+    algorithm: sliding_window
+    capacity: 1000
+    window: 1m
+
+monitoring:
+  prometheus:
+    enabled: true
+    path: /metrics
+  tracing:
+    enabled: false
+    endpoint: http://localhost:4318
+    service_name: user-management-system
+
+logging:
+  level: info  # debug, info, warn, error
+  format: json  # json, text
+  output:
+    - stdout
+    - ./logs/app.log
+  rotation:
+    max_size: 100  # MB
+    max_age: 30    # days
+    max_backups: 10
+
+admin:
+  username: ""
+  password: ""
+  email: ""
+
+cors:
+  enabled: true
+  allowed_origins:
+    - "http://localhost:3000"
+    - "http://127.0.0.1:3000"
+  allowed_methods:
+    - GET
+    - POST
+    - PUT
+    - DELETE
+    - OPTIONS
+  allowed_headers:
+    - Authorization
+    - Content-Type
+    - X-Requested-With
+    - X-CSRF-Token
+  allow_credentials: true
+  max_age: 3600
+
+email:
+  host: ""          # 生产环境填写真实 SMTP Host
+  port: 587
+  username: ""
+  password: ""
+  from_email: ""
+  from_name: "用户管理系统"
+
+sms:
+  enabled: false
+  provider: ""  # aliyun, tencent；留空表示禁用短信能力
+  code_ttl: 5m
+  resend_cooldown: 1m
+  max_daily_limit: 10
+  aliyun:
+    access_key_id: ""
+    access_key_secret: ""
+    sign_name: ""
+    template_code: ""
+    endpoint: ""
+    region_id: "cn-hangzhou"
+    code_param_name: "code"
+  tencent:
+    secret_id: ""
+    secret_key: ""
+    app_id: ""
+    sign_name: ""
+    template_id: ""
+    region: "ap-guangzhou"
+    endpoint: ""
+
+password_reset:
+  token_ttl: 15m
+  site_url: "http://localhost:8080"
+
+# OAuth 社交登录配置（留空则禁用对应 Provider）
+oauth:
+  google:
+    client_id: ""
+    client_secret: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/google/callback"
+  wechat:
+    app_id: ""
+    app_secret: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/wechat/callback"
+  github:
+    client_id: ""
+    client_secret: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/github/callback"
+  qq:
+    app_id: ""
+    app_key: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/qq/callback"
+  alipay:
+    app_id: ""
+    private_key: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/alipay/callback"
+    sandbox: false
+  douyin:
+    client_key: ""
+    client_secret: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/douyin/callback"
+
+# Webhook 全局配置
+webhook:
+  enabled: true
+  secret_header: "X-Webhook-Signature"   # 签名 Header 名称
+  timeout_sec: 30                         # 单次投递超时（秒）
+  max_retries: 3                          # 最大重试次数
+  retry_backoff: "exponential"            # 退避策略：exponential / fixed
+  worker_count: 4                         # 后台投递协程数
+  queue_size: 1000                        # 投递队列大小
+
+# IP 安全配置
+ip_security:
+  auto_block_enabled: true               # 是否启用自动封禁
+  auto_block_duration: 30m              # 自动封禁时长
+  brute_force_threshold: 10             # 暴力破解阈值（窗口内失败次数）
+  detection_window: 15m                 # 检测时间窗口
+
+

configs/oauth_config.example.yaml

@@ -0,0 +1,37 @@
+# OAuth 配置参考模板
+# 说明：
+# 1. 当前服务实际读取的是 configs/config.yaml 中的 oauth 配置块。
+# 2. 本文件只作为与当前代码一致的参考模板，便于复制到 config.yaml。
+# 3. 当前后端运行时只支持 google、wechat、github、qq、alipay、douyin。
+
+oauth:
+  google:
+    client_id: ""
+    client_secret: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/google/callback"
+
+  wechat:
+    app_id: ""
+    app_secret: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/wechat/callback"
+
+  github:
+    client_id: ""
+    client_secret: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/github/callback"
+
+  qq:
+    app_id: ""
+    app_key: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/qq/callback"
+
+  alipay:
+    app_id: ""
+    private_key: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/alipay/callback"
+    sandbox: false
+
+  douyin:
+    client_key: ""
+    client_secret: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/douyin/callback"