feat(api): audit apis

Author: KUN1007

apps/api/internal/about/service/service.go

@@ -207,9 +207,12 @@ func (s *AboutService) GetPost(slug string) (*model.PostDetail, error) {
 	if slug == "" {
 		return nil, fmt.Errorf("slug is required")
 	}
-	// Forbid path traversal — slugs are POSIX paths under postsDir.
+	// Forbid path traversal — slugs are POSIX paths under postsDir. Return
+	// os.ErrNotExist (not a generic error) so the handler maps it to 404:
+	// the check fires before any file read, so a traversal probe should look
+	// like an ordinary missing article rather than a 500.
 	if strings.Contains(slug, "..") {
-		return nil, fmt.Errorf("invalid slug")
+		return nil, os.ErrNotExist
 	}
 
 	posts, err := s.readAll()

apps/api/internal/admin/dto/dto.go

@@ -32,21 +32,27 @@ type AdminStatsRequest struct {
 	Days int `query:"days" validate:"required,min=1"`
 }
 
-// AdminStatsResponse is the response for overview stats
+// AdminStatsResponse is the response for overview stats.
+// NOTE: json tags must match the FE keys (app/shared/types/admin.d.ts +
+// app/constants/admin.ts ADMIN_STATS_MAP) — `new_resource`, NOT
+// `new_patch_resource`, or the "新发布补丁" dashboard card silently renders 0.
 type AdminStatsResponse struct {
 	NewUser          int64 `json:"new_user"`
 	NewActiveUser    int64 `json:"new_active_user"`
 	NewGalgame       int64 `json:"new_galgame"`
-	NewPatchResource int64 `json:"new_patch_resource"`
+	NewPatchResource int64 `json:"new_resource"`
 	NewComment       int64 `json:"new_comment"`
 }
 
-// AdminStatsSumResponse is the response for total stats
+// AdminStatsSumResponse is the response for total stats.
+// json tags must match the FE keys (ADMIN_STATS_SUM_MAP + SumData):
+// `resource_count` / `comment_count`, NOT `patch_*_count`, or those two
+// dashboard cards silently render 0.
 type AdminStatsSumResponse struct {
 	UserCount          int64 `json:"user_count"`
 	GalgameCount       int64 `json:"galgame_count"`
-	PatchResourceCount int64 `json:"patch_resource_count"`
-	PatchCommentCount  int64 `json:"patch_comment_count"`
+	PatchResourceCount int64 `json:"resource_count"`
+	PatchCommentCount  int64 `json:"comment_count"`
 }
 
 // PurgeUserRequest is the body for POST /admin/user/:id/purge. When

apps/api/internal/admin/repository/repository.go

@@ -61,7 +61,30 @@ func (r *AdminRepository) UpdateComment(commentID int, content string) error {
 }
 
 func (r *AdminRepository) DeleteComment(commentID int) error {
-	return r.db.Delete(&patchModel.PatchComment{}, commentID).Error
+	// Mirror PatchService.DeleteComment so the denormalized patch.comment_count
+	// stays consistent after admin moderation (the plain Delete left it drifting
+	// upward). Only approved (status=0) rows were ever added to the count, so
+	// subtract only the approved comment + its direct approved replies.
+	return r.db.Transaction(func(tx *gorm.DB) error {
+		var comment patchModel.PatchComment
+		if err := tx.First(&comment, commentID).Error; err != nil {
+			return err
+		}
+		var count int64
+		tx.Model(&patchModel.PatchComment{}).
+			Where("(id = ? OR parent_id = ?) AND status = 0", commentID, commentID).
+			Count(&count)
+		if err := tx.Delete(&patchModel.PatchComment{}, commentID).Error; err != nil {
+			return err
+		}
+		if count > 0 {
+			if err := tx.Model(&patchModel.Patch{}).Where("id = ?", comment.GalgameID).
+				UpdateColumn("comment_count", gorm.Expr("GREATEST(comment_count - ?, 0)", count)).Error; err != nil {
+				return err
+			}
+		}
+		return nil
+	})
 }
 
 // ===== Resources =====

apps/api/internal/app/router.go

@@ -79,8 +79,14 @@ func (a *App) RegisterRoutes() {
 	// 30/min per userID (or per IP when anonymous) keeps legitimate browsing
 	// (one user opens 10 patch resource pages = ~10-30 calls) untouched
 	// while breaking automated scraping. Returns 429 on overflow.
+	// optionalAuth runs BEFORE the limiter so it can key by userID for
+	// logged-in callers (the documented "30/min per userID, per IP when
+	// anonymous"). Without it the user context is never populated and the
+	// limiter always falls back to IP — collectively throttling logged-in
+	// users behind a shared NAT/proxy.
 	patchRoutes.Get(
 		"/resource/:resourceId/link",
+		optionalAuth,
 		middleware.RateLimit(a.RDB, "resource-link", 30, time.Minute),
 		a.PatchHandler.GetResourceDownloadInfo,
 	)
@@ -182,7 +188,13 @@ func (a *App) RegisterRoutes() {
 	msgRoutes.Get("/", a.MessageHandler.GetMessages)
 	msgRoutes.Get("/all", a.MessageHandler.GetAllMessages)
 	msgRoutes.Get("/unread", a.MessageHandler.GetUnreadTypes)
-	msgRoutes.Post("/", a.MessageHandler.CreateMessage)
+	// NOTE: POST /message was removed (API audit 2026-05-29). It let ANY
+	// authenticated user write an arbitrary notification (client-controlled
+	// recipient_id / type / content / link, no rate limit) into ANY other
+	// user's inbox — a spam/phishing primitive. It had no frontend caller;
+	// all legitimate notifications are created server-side via the patch
+	// service's createDedupMessage. Re-add only with recipient restricted to
+	// an existing relationship + enum-validated type + rate limiting.
 	msgRoutes.Put("/read", a.MessageHandler.MarkAsRead)
 
 	// ===== Admin Routes =====

apps/api/internal/chat/dto/dto.go

@@ -38,7 +38,10 @@ type ListMessagesQuery struct {
 	IDs    string `query:"ids" validate:"omitempty,max=2000"`
 	After  int    `query:"after" validate:"min=0"`
 	Before int    `query:"before" validate:"min=0"`
-	Limit  int    `query:"limit" validate:"min=1,max=100"`
+	// omitempty so an omitted limit (0) falls through to the handler's default
+	// of 30 instead of 422-ing. Previously `min=1` rejected limit-less calls
+	// (notably the `ids` exact-set refresh mode) before the default ran.
+	Limit  int    `query:"limit" validate:"omitempty,min=1,max=100"`
 }
 
 // CreateMessageRequest sends a message. FileURL is optional (attachment).

apps/api/internal/chat/service/service.go

@@ -159,9 +159,21 @@ func (s *ChatService) DeleteMessage(userID int, isPrivileged bool, messageID int
 
 // ToggleReaction toggles an emoji reaction.
 func (s *ChatService) ToggleReaction(userID, messageID int, emoji string) (bool, error) {
-	if _, err := s.repo.GetMessage(messageID); err != nil {
+	m, err := s.repo.GetMessage(messageID)
+	if err != nil {
 		return false, fmt.Errorf("消息不存在")
 	}
+	// Membership check: every other message-scoped op resolves the room and
+	// verifies membership; without it here, any authenticated user could
+	// add/remove reactions on messages inside PRIVATE rooms they don't belong
+	// to (IDOR). Reactions need no moderator bypass.
+	ok, err := s.repo.IsMember(userID, m.ChatRoomID)
+	if err != nil {
+		return false, err
+	}
+	if !ok {
+		return false, fmt.Errorf("您不是该房间的成员")
+	}
 	return s.repo.ToggleReaction(messageID, userID, emoji)
 }
 

apps/api/internal/common/handler.go

@@ -123,6 +123,10 @@ func (h *CommonHandler) GetHome(c *fiber.Ctx) error {
 	h.attachResourceUsers(c.Context(), resources)
 	h.attachCommentUsers(c.Context(), comments)
 	h.attachPatchSummaries(c, comments, resources)
+	// Home cards never render download links/secrets — strip them so this
+	// public feed can't be scraped for download URLs / codes / passwords
+	// (the rate-limited /patch/resource/:id/link is the only reveal surface).
+	patchModel.StripResourceSecrets(resources)
 
 	return response.OK(c, homeResponse{
 		Galgames:  enricher.EnrichPatches(c.Context(), h.wiki, h.users, patches, cl),
@@ -349,6 +353,11 @@ func (h *CommonHandler) GetGlobalResources(c *fiber.Ctx) error {
 	patchModel.RenderResourceNotes(resources)
 	h.attachResourceUsers(c.Context(), resources)
 	h.attachPatchSummaries(c, nil, resources)
+	// Global resource feed cards never render the download payload — strip it
+	// so this public, paginated (whole table) feed can't be bulk-scraped for
+	// download URLs / codes / passwords, which would defeat the rate-limited
+	// /patch/resource/:id/link reveal endpoint.
+	patchModel.StripResourceSecrets(resources)
 	return response.Paginated(c, resources, total)
 }
 
@@ -445,6 +454,11 @@ func (h *CommonHandler) GetResourceDetail(c *fiber.Ctx) error {
 	h.attachResourceUsers(c.Context(), one)
 	resource = one[0]
 	h.attachResourceUsers(c.Context(), recs)
+	// Recommendation cards only show name/note/stats — strip their download
+	// payload so the recs sidebar can't be walked to harvest links/secrets.
+	// The main `resource` keeps them: it is the intended single-reveal surface
+	// (the detail page renders its download links directly).
+	patchModel.StripResourceSecrets(recs)
 
 	// Viewer-specific state (if logged in): is_liked on the main resource +
 	// recommendations, and is_favorite on the owning patch — so the

apps/api/internal/common/upload/service.go

@@ -78,6 +78,20 @@ func (s *Service) markCompleteOnce(ctx context.Context, s3Key string) (bool, err
 	return res == "OK", nil
 }
 
+// unmarkComplete releases the idempotency marker for s3Key, used when a
+// complete attempt set the marker but then failed before the quota deduction
+// committed (so a retry can re-run the deduction). Best-effort, and uses a
+// fresh context because the request context may already be done by the time
+// this runs in a deferred cleanup.
+func (s *Service) unmarkComplete(s3Key string) {
+	if s.rdb == nil {
+		return
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+	s.rdb.Del(ctx, "upload:complete:"+s3Key)
+}
+
 // ─── s3_key generation ───────────────────────────────
 
 var (
@@ -190,6 +204,17 @@ func (s *Service) verifyAndFinalize(ctx context.Context, userID int, s3Key strin
 	if !first {
 		return actual, nil
 	}
+	// The idempotency marker is now held. It must persist ONLY if the quota
+	// deduction below actually commits — otherwise a retry hits the "!first"
+	// fast-path above and returns success WITHOUT ever deducting, permanently
+	// under-counting daily_upload_size. Release the marker on every failure
+	// path so a retry can re-run the deduction (MOYU-PR7 / M5 follow-up).
+	deducted := false
+	defer func() {
+		if !deducted {
+			s.unmarkComplete(s3Key)
+		}
+	}()
 
 	var user authModel.User
 	if err := s.db.Select("daily_upload_size").First(&user, userID).Error; err != nil {
@@ -205,6 +230,7 @@ func (s *Service) verifyAndFinalize(ctx context.Context, userID int, s3Key strin
 		UpdateColumn("daily_upload_size", gorm.Expr("daily_upload_size + ?", actual)).Error; err != nil {
 		return 0, fmt.Errorf("扣减限额失败: %w", err)
 	}
+	deducted = true
 	return actual, nil
 }
 
@@ -247,6 +273,14 @@ func (s *Service) InitMultipart(ctx context.Context, userID int, privileged bool
 	if err := s.validatePreUpload(userID, req.FileName, req.FileSize, privileged); err != nil {
 		return nil, err
 	}
+	// part_count must match the fixed 10 MiB chunking the client uses (FE
+	// computes ceil(file_size / MULTIPART_PART_SIZE) with the same constant).
+	// Reject mismatches so a client can't decouple part_count from the real
+	// size and force the server to presign thousands of bogus part URLs.
+	wantParts := int((req.FileSize + constants.MultipartPartSize - 1) / constants.MultipartPartSize)
+	if req.PartCount != wantParts {
+		return nil, fmt.Errorf("分片数不正确：应为 %d", wantParts)
+	}
 
 	key, err := buildPatchResourceKey(req.GalgameID, req.FileName)
 	if err != nil {

apps/api/internal/galgame/enricher/enricher.go

@@ -338,6 +338,13 @@ func EnrichPatchDetail(ctx context.Context, wiki *galgameClient.Client, users *u
 	base := &PatchDetailCard{}
 	base.GalgameCard = baseCard(p)
 	base.Updated = p.Updated
+	// Initialize the Wiki-derived slices to non-nil so an empty set serializes
+	// as [] (not JSON null). The FE types declare them as non-optional arrays
+	// (tags/officials/wiki_engine_ids); a null would break any .map/.length the
+	// detail page does without a guard. Applies to every return path below.
+	base.Tags = []PatchDetailTag{}
+	base.Officials = []PatchDetailOfficial{}
+	base.WikiEngineIDs = []int{}
 
 	if users != nil && p.UserID > 0 {
 		if b, _ := users.User(ctx, uint(p.UserID)); b != nil {
@@ -506,7 +513,16 @@ func CardFromBrief(g *galgameClient.GalgameBrief) GalgameCard {
 	if g == nil {
 		return GalgameCard{}
 	}
-	card := GalgameCard{ID: g.ID, VndbID: g.VndbID}
+	// Init the JSONArray fields to non-nil so they serialize as [] not null —
+	// this degraded card (a Wiki galgame with no local patch row) has no local
+	// type/language/platform, and the FE type declares them as string[].
+	card := GalgameCard{
+		ID:       g.ID,
+		VndbID:   g.VndbID,
+		Type:     patchModel.JSONArray{},
+		Language: patchModel.JSONArray{},
+		Platform: patchModel.JSONArray{},
+	}
 	applyGalgame(&card, g)
 	return card
 }

apps/api/internal/message/dto/dto.go

@@ -11,14 +11,6 @@ type GetMessageRequest struct {
 	Limit int    `query:"limit" validate:"required,min=1,max=50"`
 }
 
-// CreateMessageRequest is the request for creating a message
-type CreateMessageRequest struct {
-	Type        string `json:"type" validate:"required"`
-	Content     string `json:"content" validate:"required,max=1007"`
-	RecipientID int    `json:"recipient_id" validate:"required,min=1"`
-	Link        string `json:"link" validate:"max=1007"`
-}
-
 // ReadMessageRequest is the request for marking messages as read
 type ReadMessageRequest struct {
 	Type string `json:"type" validate:"required,max=20"`