新增 Web 浏览端(Go+Vue 报表系统)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-03 14:34:50 +08:00
parent bf8f578761
commit 750584e619
47 changed files with 2557 additions and 18 deletions
--- a/web/backend/internal/handlers/auth.go
+++ b/web/backend/internal/handlers/auth.go
@@ -0,0 +1,90 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"strings"
+
+	"trade/web/internal/auth"
+	"trade/web/internal/middleware"
+	"trade/web/internal/store"
+)
+
+type loginReq struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+type loginResp struct {
+	Token string         `json:"token"`
+	User  publicUserView `json:"user"`
+}
+
+type publicUserView struct {
+	ID       int64  `json:"id"`
+	Username string `json:"username"`
+	Role     string `json:"role"`
+}
+
+func (d *Deps) Login(w http.ResponseWriter, r *http.Request) {
+	var req loginReq
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeErr(w, http.StatusBadRequest, "invalid json")
+		return
+	}
+	req.Username = strings.TrimSpace(req.Username)
+	if req.Username == "" || req.Password == "" {
+		writeErr(w, http.StatusBadRequest, "用户名和密码不能为空")
+		return
+	}
+	u, err := d.Auth.GetByUsername(req.Username)
+	if err != nil || u.Disabled {
+		// 禁用账户与不存在账户返回同样的错误,避免账户枚举
+		writeErr(w, http.StatusUnauthorized, "用户名或密码错误")
+		return
+	}
+	if !auth.CheckPassword(u.PasswordHash, req.Password) {
+		writeErr(w, http.StatusUnauthorized, "用户名或密码错误")
+		return
+	}
+	token, _, err := d.JWT.Issue(u.ID, u.Username, u.Role)
+	if err != nil {
+		writeErr(w, http.StatusInternalServerError, "issue token failed")
+		return
+	}
+	writeJSON(w, http.StatusOK, loginResp{
+		Token: token,
+		User:  publicUserView{ID: u.ID, Username: u.Username, Role: u.Role},
+	})
+}
+
+func (d *Deps) Logout(w http.ResponseWriter, r *http.Request) {
+	// JWT 是无状态的,服务端 logout 仅形式化;前端丢弃 token 即可。
+	writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
+}
+
+func (d *Deps) Me(w http.ResponseWriter, r *http.Request) {
+	u, ok := middleware.FromContext(r.Context())
+	if !ok {
+		writeErr(w, http.StatusUnauthorized, "no user in context")
+		return
+	}
+	full, err := d.Auth.GetByID(u.ID)
+	if err != nil {
+		writeErr(w, http.StatusUnauthorized, "user not found")
+		return
+	}
+	writeJSON(w, http.StatusOK, sanitize(full))
+}
+
+// sanitize 把内部 User 转成对外视图,剥掉 password_hash。
+func sanitize(u *store.User) map[string]any {
+	return map[string]any{
+		"id":         u.ID,
+		"username":   u.Username,
+		"role":       u.Role,
+		"disabled":   u.Disabled,
+		"created_at": u.CreatedAt,
+		"updated_at": u.UpdatedAt,
+	}
+}
--- a/web/backend/internal/handlers/deps.go
+++ b/web/backend/internal/handlers/deps.go
@@ -0,0 +1,29 @@
+package handlers
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+
+	"trade/web/internal/auth"
+	"trade/web/internal/store"
+)
+
+// Deps 是所有 handler 需要的运行时依赖,在 router 装配时一次性注入。
+type Deps struct {
+	Auth    *store.AuthStore
+	Futures *store.FuturesStore
+	JWT     *auth.Manager
+}
+
+func writeJSON(w http.ResponseWriter, status int, body any) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(status)
+	if err := json.NewEncoder(w).Encode(body); err != nil {
+		log.Printf("[handler] encode response: %v", err)
+	}
+}
+
+func writeErr(w http.ResponseWriter, status int, msg string) {
+	writeJSON(w, status, map[string]string{"error": msg})
+}
--- a/web/backend/internal/handlers/scores.go
+++ b/web/backend/internal/handlers/scores.go
@@ -0,0 +1,70 @@
+package handlers
+
+import (
+	"errors"
+	"net/http"
+	"strconv"
+
+	"github.com/go-chi/chi/v5"
+
+	"trade/web/internal/store"
+)
+
+func (d *Deps) ListScores(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	limit := 0
+	if s := q.Get("limit"); s != "" {
+		if n, err := strconv.Atoi(s); err == nil {
+			limit = n
+		}
+	}
+	rows, err := d.Futures.ListScores(store.ScoreFilter{
+		TsCode: q.Get("ts_code"),
+		Start:  q.Get("start"),
+		End:    q.Get("end"),
+		Limit:  limit,
+	})
+	if err != nil {
+		writeErr(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	writeJSON(w, http.StatusOK, rows)
+}
+
+func (d *Deps) GetScore(w http.ResponseWriter, r *http.Request) {
+	idStr := chi.URLParam(r, "id")
+	id, err := strconv.ParseInt(idStr, 10, 64)
+	if err != nil {
+		writeErr(w, http.StatusBadRequest, "invalid id")
+		return
+	}
+	row, err := d.Futures.GetScore(id)
+	if err != nil {
+		writeErr(w, http.StatusNotFound, err.Error())
+		return
+	}
+	writeJSON(w, http.StatusOK, row)
+}
+
+func (d *Deps) ListContracts(w http.ResponseWriter, r *http.Request) {
+	out, err := d.Futures.ListContracts()
+	if err != nil {
+		writeErr(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	writeJSON(w, http.StatusOK, out)
+}
+
+func (d *Deps) ListCandles(w http.ResponseWriter, r *http.Request) {
+	q := r.URL.Query()
+	rows, err := d.Futures.ListCandles(q.Get("ts_code"), q.Get("start"), q.Get("end"))
+	if err != nil {
+		if errors.Is(err, store.ErrMissingTsCode) {
+			writeErr(w, http.StatusBadRequest, err.Error())
+			return
+		}
+		writeErr(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	writeJSON(w, http.StatusOK, rows)
+}
--- a/web/backend/internal/handlers/users.go
+++ b/web/backend/internal/handlers/users.go
@@ -0,0 +1,147 @@
+package handlers
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/go-chi/chi/v5"
+
+	"trade/web/internal/auth"
+	"trade/web/internal/middleware"
+	"trade/web/internal/store"
+)
+
+type createUserReq struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+	Role     string `json:"role"`
+}
+
+type patchUserReq struct {
+	Password *string `json:"password,omitempty"`
+	Disabled *bool   `json:"disabled,omitempty"`
+}
+
+func (d *Deps) AdminListUsers(w http.ResponseWriter, r *http.Request) {
+	users, err := d.Auth.ListUsers()
+	if err != nil {
+		writeErr(w, http.StatusInternalServerError, err.Error())
+		return
+	}
+	out := make([]map[string]any, 0, len(users))
+	for i := range users {
+		out = append(out, sanitize(&users[i]))
+	}
+	writeJSON(w, http.StatusOK, out)
+}
+
+func (d *Deps) AdminCreateUser(w http.ResponseWriter, r *http.Request) {
+	var req createUserReq
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeErr(w, http.StatusBadRequest, "invalid json")
+		return
+	}
+	req.Username = strings.TrimSpace(req.Username)
+	if req.Username == "" || len(req.Password) < 6 {
+		writeErr(w, http.StatusBadRequest, "用户名必填,密码至少 6 位")
+		return
+	}
+	role := strings.TrimSpace(req.Role)
+	if role == "" {
+		role = store.RoleUser
+	}
+	if role != store.RoleAdmin && role != store.RoleUser {
+		writeErr(w, http.StatusBadRequest, "role 取值必须是 admin 或 user")
+		return
+	}
+	hash, err := auth.HashPassword(req.Password)
+	if err != nil {
+		writeErr(w, http.StatusInternalServerError, "hash failed")
+		return
+	}
+	u, err := d.Auth.CreateUser(req.Username, hash, role)
+	if err != nil {
+		// UNIQUE 冲突等
+		writeErr(w, http.StatusBadRequest, err.Error())
+		return
+	}
+	writeJSON(w, http.StatusOK, sanitize(u))
+}
+
+func (d *Deps) AdminPatchUser(w http.ResponseWriter, r *http.Request) {
+	id, err := strconv.ParseInt(chi.URLParam(r, "id"), 10, 64)
+	if err != nil {
+		writeErr(w, http.StatusBadRequest, "invalid id")
+		return
+	}
+	var req patchUserReq
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeErr(w, http.StatusBadRequest, "invalid json")
+		return
+	}
+	if req.Password == nil && req.Disabled == nil {
+		writeErr(w, http.StatusBadRequest, "无可更新字段")
+		return
+	}
+	if req.Password != nil {
+		if len(*req.Password) < 6 {
+			writeErr(w, http.StatusBadRequest, "新密码至少 6 位")
+			return
+		}
+		hash, err := auth.HashPassword(*req.Password)
+		if err != nil {
+			writeErr(w, http.StatusInternalServerError, "hash failed")
+			return
+		}
+		if err := d.Auth.UpdatePassword(id, hash); err != nil {
+			writeErr(w, statusForErr(err), err.Error())
+			return
+		}
+	}
+	if req.Disabled != nil {
+		// 禁止禁用自己,避免管理员锁死自己
+		me, _ := middleware.FromContext(r.Context())
+		if *req.Disabled && me.ID == id {
+			writeErr(w, http.StatusBadRequest, "不能禁用自己")
+			return
+		}
+		if err := d.Auth.SetDisabled(id, *req.Disabled); err != nil {
+			writeErr(w, statusForErr(err), err.Error())
+			return
+		}
+	}
+	u, err := d.Auth.GetByID(id)
+	if err != nil {
+		writeErr(w, statusForErr(err), err.Error())
+		return
+	}
+	writeJSON(w, http.StatusOK, sanitize(u))
+}
+
+func (d *Deps) AdminDeleteUser(w http.ResponseWriter, r *http.Request) {
+	id, err := strconv.ParseInt(chi.URLParam(r, "id"), 10, 64)
+	if err != nil {
+		writeErr(w, http.StatusBadRequest, "invalid id")
+		return
+	}
+	me, _ := middleware.FromContext(r.Context())
+	if me.ID == id {
+		writeErr(w, http.StatusBadRequest, "不能删除自己")
+		return
+	}
+	if err := d.Auth.DeleteUser(id); err != nil {
+		writeErr(w, statusForErr(err), err.Error())
+		return
+	}
+	writeJSON(w, http.StatusOK, map[string]string{"status": "ok"})
+}
+
+func statusForErr(err error) int {
+	if errors.Is(err, store.ErrNotFound) {
+		return http.StatusNotFound
+	}
+	return http.StatusInternalServerError
+}