fix: 修复代码审查中发现的P0/P1/P2问题

修复内容： 1. P0-01/P0-02: IAM Handler硬编码userID=1问题 - getUserIDFromContext现在从认证中间件的context获取真实userID - 添加middleware.GetOperatorID公开函数 - CheckScope方法添加未认证检查 2. P1-01: 审计服务幂等竞态条件 - 重构锁保护范围，整个检查和插入过程在锁保护下 - 使用defer确保锁正确释放 3. P1-02: 幂等中间件响应码硬编码 - 添加statusCapturingResponseWriter包装器 - 捕获实际的状态码和响应体用于幂等记录 4. P2-01: 事件ID时间戳冲突 - generateEventID改用UUID替代时间戳 5. P2-02: ListScopes硬编码 - 使用model.PredefinedScopes替代硬编码列表所有supply-api测试通过
2026-04-03 12:25:22 +08:00
parent cb3c503152
commit f34333dc09
5 changed files with 85 additions and 33 deletions
--- a/supply-api/internal/iam/handler/iam_handler.go
+++ b/supply-api/internal/iam/handler/iam_handler.go
@@ -6,7 +6,9 @@ import (
 	"net/http"
 	"strconv"

+	"lijiaoqiao/supply-api/internal/iam/model"
 	"lijiaoqiao/supply-api/internal/iam/service"
+	"lijiaoqiao/supply-api/internal/middleware"
 )

 // IAMHandler IAM HTTP处理器
@@ -287,15 +289,14 @@ func (h *IAMHandler) DeleteRole(w http.ResponseWriter, r *http.Request, roleCode

 // ListScopes 处理列出所有Scope请求
 func (h *IAMHandler) ListScopes(w http.ResponseWriter, r *http.Request) {
-	// 从预定义Scope列表获取
-	scopes := []map[string]interface{}{
-		{"scope_code": "platform:read", "scope_name": "读取平台配置", "scope_type": "platform"},
-		{"scope_code": "platform:write", "scope_name": "修改平台配置", "scope_type": "platform"},
-		{"scope_code": "platform:admin", "scope_name": "平台级管理", "scope_type": "platform"},
-		{"scope_code": "tenant:read", "scope_name": "读取租户信息", "scope_type": "platform"},
-		{"scope_code": "supply:account:read", "scope_name": "读取供应账号", "scope_type": "supply"},
-		{"scope_code": "consumer:apikey:create", "scope_name": "创建API Key", "scope_type": "consumer"},
-		{"scope_code": "router:invoke", "scope_name": "调用模型", "scope_type": "router"},
+	// 从预定义Scope列表获取（完整的scope定义在model/scope.go的PredefinedScopes中）
+	scopes := make([]map[string]interface{}, 0, len(model.PredefinedScopes))
+	for _, scope := range model.PredefinedScopes {
+		scopes = append(scopes, map[string]interface{}{
+			"scope_code": scope.Code,
+			"scope_name": scope.Name,
+			"scope_type": scope.Type,
+		})
 	}

 	writeJSON(w, http.StatusOK, map[string]interface{}{
@@ -376,8 +377,11 @@ func (h *IAMHandler) CheckScope(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	// 从context获取userID（实际应用中应从认证中间件获取）
-	userID := int64(1) // 模拟
+	userID := getUserIDFromContext(r.Context())
+	if userID == 0 {
+		writeError(w, http.StatusUnauthorized, "UNAUTHORIZED", "user not authenticated")
+		return
+	}

 	hasScope, err := h.iamService.CheckScope(r.Context(), userID, scope)
 	if err != nil {
@@ -497,8 +501,7 @@ func RequireScope(scope string, iamService service.IAMServiceInterface) func(htt
 	}
 }

-// getUserIDFromContext 从context获取userID（实际应用中应从认证中间件获取）
+// getUserIDFromContext 从context获取userID
 func getUserIDFromContext(ctx context.Context) int64 {
-	// TODO: 从认证中间件获取真实的userID
-	return 1
+	return middleware.GetOperatorID(ctx)
 }