74d8c857be
ci-pangolin / Lint — shellcheck (push) Waiting to run
ci-pangolin / OpenAPI Sync Check (push) Waiting to run
ci-pangolin / Flutter — analyze + test (push) Waiting to run
ci-pangolin / Codegen Drift — token 生成物未漂移 (push) Waiting to run
ci-pangolin / DS-flow — 原型/跨端同源/代码色单源闸 (push) Waiting to run
ci-pangolin / Go — build + test (push) Waiting to run
ci-pangolin / E2E Smoke — L4 进程级端到端 (push) Waiting to run
ci-pangolin / Go — integration (mysql/redis testcontainers) (push) Waiting to run
ci-pangolin / Golden — 视觉回归 (全量:components/auth/desktop/tablet) (push) Waiting to run
ci-pangolin / Redline Scan — 脱敏 (UI 文案) (push) Failing after 11s
ci-pangolin / Cleartext Scan — Android 禁明文 (push) Failing after 9s
ci-pangolin / Portable SQL — 可移植性 (mysql/sqlite) (push) Failing after 9s
家庭内网穿透域名(nas/git/win.yanmeiai.com)的客户端配置渲染: - DNS 面: 系统解析器(type=local,底层网络)+私有域名规则置顶+reverse_mapping - 路由面: 私有域名→强制走隧道,钉在 LAN 直连之后、国内分流(geoip-cn)之前 在家: 局域网 DNS 覆盖→私网IP→LAN直连零绕行; 在外: 锚点(frps@ali,国内IP) 不再被 smartRoute 分流成直连、避开安全组限源。env 不配置=行为零变化。 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
420 lines
16 KiB
Go
420 lines
16 KiB
Go
package httpapi
|
||
|
||
import (
|
||
"context"
|
||
"encoding/json"
|
||
"errors"
|
||
"log/slog"
|
||
"net/http"
|
||
"strconv"
|
||
"strings"
|
||
"time"
|
||
|
||
"github.com/go-chi/chi/v5"
|
||
|
||
"github.com/wangjia/pangolin/server/internal/apierr"
|
||
"github.com/wangjia/pangolin/server/internal/auth"
|
||
"github.com/wangjia/pangolin/server/internal/nodes"
|
||
agentv1 "github.com/wangjia/pangolin/server/internal/pb/agentv1"
|
||
)
|
||
|
||
const (
|
||
// paidCredentialTTL is the default connect credential lifetime for paid users.
|
||
paidCredentialTTL = 24 * time.Hour
|
||
// freeCredentialTTL is the per-minute TTL for free users (per remaining minutes).
|
||
freeMinuteTTL = time.Minute
|
||
// deviceStaleWindow: connect 设备上限 backstop 只数近此窗口活跃的设备(与 devices 侧一致)。
|
||
deviceStaleWindow = 30 * 24 * time.Hour
|
||
)
|
||
|
||
// nodeLoadReader reads a node's last-reported runtime load (for the data-plane
|
||
// health flag). *nodes.LoadCache satisfies it; nil = treat all nodes healthy.
|
||
type nodeLoadReader interface {
|
||
Get(ctx context.Context, nodeUUID string) (*nodes.NodeLoad, bool, error)
|
||
}
|
||
|
||
// NodeAPI serves the /v1/nodes endpoints.
|
||
type NodeAPI struct {
|
||
store nodes.NodeStore
|
||
hub *nodes.Hub
|
||
load nodeLoadReader
|
||
deriveKey string
|
||
// rulesBaseURL 是控制面对外公网基址(PANGOLIN_PUBLIC_URL),供国内分流的
|
||
// rule_set .srs 下载用;空则分流不生效。
|
||
rulesBaseURL string
|
||
// privateSplitDomains 私有服务域名(PANGOLIN_PRIVATE_SPLIT_DOMAINS,逗号分隔),
|
||
// 见 ClientConfigOpts.PrivateSplitDomains;空则不渲染相关规则。
|
||
privateSplitDomains []string
|
||
}
|
||
|
||
// NewNodeAPI creates a NodeAPI. load may be nil (then all nodes are treated as
|
||
// data-plane healthy — agent gRPC liveness still gates status).
|
||
func NewNodeAPI(store nodes.NodeStore, hub *nodes.Hub, load nodeLoadReader, deriveKey, rulesBaseURL string, privateSplitDomains []string) *NodeAPI {
|
||
return &NodeAPI{store: store, hub: hub, load: load, deriveKey: deriveKey,
|
||
rulesBaseURL: rulesBaseURL, privateSplitDomains: privateSplitDomains}
|
||
}
|
||
|
||
// dataPlaneHealthy reports the node's last sing-box health (default true when
|
||
// unknown: just registered / load expired / read error — agent liveness gates).
|
||
func (a *NodeAPI) dataPlaneHealthy(ctx context.Context, nodeUUID string) bool {
|
||
if a.load == nil {
|
||
return true
|
||
}
|
||
l, ok, err := a.load.Get(ctx, nodeUUID)
|
||
if err != nil || !ok || l == nil {
|
||
return true
|
||
}
|
||
return l.DataPlaneHealthy
|
||
}
|
||
|
||
// ─── GET /v1/nodes ───────────────────────────────────────────────────────────
|
||
|
||
type nodeResponse struct {
|
||
ID string `json:"id"` // UUID (used as path param for connect)
|
||
Region string `json:"region"` // HK / JP / SG / US
|
||
NameZH string `json:"name_zh"`
|
||
NameEN string `json:"name_en"`
|
||
Tier string `json:"tier"` // "free" | "pro"
|
||
Status string `json:"status"` // "up" only when the agent is also online; "down" otherwise
|
||
// host/port 暴露节点入口,供客户端实测真实延迟(per-client ping 服务端无法代知)。
|
||
Host string `json:"host"`
|
||
Port int `json:"port"`
|
||
}
|
||
|
||
// effectiveNodeStatus downgrades a DB-'up' node to "down" when its agent is
|
||
// offline OR its data plane (sing-box) is unhealthy. The DB status column reflects
|
||
// provisioning/scheduler state, NOT live health — without this, a node whose agent
|
||
// has been offline for days, or whose sing-box has crashed while the agent stays
|
||
// connected, still shows healthy and lets clients "connect" to a node that can't
|
||
// serve them.
|
||
func effectiveNodeStatus(dbStatus string, agentOnline, dataPlaneHealthy bool) string {
|
||
if dbStatus == "up" && (!agentOnline || !dataPlaneHealthy) {
|
||
return "down"
|
||
}
|
||
return dbStatus
|
||
}
|
||
|
||
// ListNodes handles GET /v1/nodes.
|
||
func (a *NodeAPI) ListNodes(w http.ResponseWriter, r *http.Request) {
|
||
nodeRows, err := a.store.ListUp(r.Context())
|
||
if err != nil {
|
||
apierr.WriteJSON(w, http.StatusInternalServerError, apierr.ErrInternal)
|
||
return
|
||
}
|
||
|
||
resp := make([]nodeResponse, 0, len(nodeRows))
|
||
for _, n := range nodeRows {
|
||
host, portStr := splitHostPort(n.Endpoint)
|
||
if host == "" {
|
||
host = n.Endpoint
|
||
}
|
||
port, _ := strconv.Atoi(portStr)
|
||
resp = append(resp, nodeResponse{
|
||
ID: n.UUID,
|
||
Region: n.Region,
|
||
NameZH: n.NameZH,
|
||
NameEN: n.NameEN,
|
||
Tier: n.Tier,
|
||
Status: effectiveNodeStatus(n.Status,
|
||
a.hub == nil || a.hub.IsOnline(n.UUID),
|
||
a.dataPlaneHealthy(r.Context(), n.UUID)),
|
||
Host: host,
|
||
Port: port,
|
||
})
|
||
}
|
||
|
||
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
||
_ = json.NewEncoder(w).Encode(map[string]any{"nodes": resp})
|
||
}
|
||
|
||
// ─── POST /v1/nodes/{id}/connect ─────────────────────────────────────────────
|
||
|
||
type connectRequest struct {
|
||
DeviceID string `json:"device_id"`
|
||
}
|
||
|
||
// ConnectNode handles POST /v1/nodes/{id}/connect.
|
||
func (a *NodeAPI) ConnectNode(w http.ResponseWriter, r *http.Request) {
|
||
uid, ok := auth.UserIDFromContext(r.Context())
|
||
if !ok {
|
||
apierr.WriteJSON(w, http.StatusUnauthorized, apierr.ErrUnauthorized)
|
||
return
|
||
}
|
||
|
||
nodeUUID := chi.URLParam(r, "id")
|
||
if nodeUUID == "" {
|
||
apierr.WriteJSON(w, http.StatusBadRequest, apierr.ErrBadRequest)
|
||
return
|
||
}
|
||
|
||
var req connectRequest
|
||
if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 8*1024)).Decode(&req); err != nil || strings.TrimSpace(req.DeviceID) == "" {
|
||
apierr.WriteJSON(w, http.StatusBadRequest, &apierr.Error{
|
||
Code: "BAD_REQUEST",
|
||
MessageZH: "缺少 device_id",
|
||
MessageEn: "Missing device_id",
|
||
})
|
||
return
|
||
}
|
||
|
||
// 1. Load user entitlement (dp_uuid + plan).
|
||
ent, err := a.store.EntitlementForUser(r.Context(), uid)
|
||
if err != nil {
|
||
slog.Error("connect: entitlement load failed", "user", uid, "err", err)
|
||
apierr.WriteJSON(w, http.StatusInternalServerError, apierr.ErrInternal)
|
||
return
|
||
}
|
||
if ent == nil {
|
||
apierr.WriteJSON(w, http.StatusUnauthorized, apierr.ErrUnauthorized)
|
||
return
|
||
}
|
||
|
||
// 1.4 设备数量上限 backstop(#16):活跃设备超套餐上限则拒连,返回 device_limit 信号让
|
||
// 新客户端弹「移除设备」页。登录挡板只拦"新登录",这里兜住"已登录的超限设备"——
|
||
// 它们下次一连就会被拦、被提示,无需重新登录。max_devices=0 表示不限。
|
||
if ent.MaxDevices > 0 {
|
||
active, cerr := a.store.CountActiveDevices(r.Context(), uid, time.Now().UTC().Add(-deviceStaleWindow))
|
||
if cerr != nil {
|
||
slog.Error("connect: count active devices failed", "user", uid, "err", cerr)
|
||
apierr.WriteJSON(w, http.StatusInternalServerError, apierr.ErrInternal)
|
||
return
|
||
}
|
||
if active > ent.MaxDevices {
|
||
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
||
w.WriteHeader(http.StatusForbidden)
|
||
_ = json.NewEncoder(w).Encode(map[string]any{
|
||
"code": "DEVICE_LIMIT_EXCEEDED",
|
||
"message_zh": "设备数已达上限,请移除一台设备后再连接",
|
||
"message_en": "Device limit reached. Remove a device to connect.",
|
||
"max_devices": ent.MaxDevices,
|
||
})
|
||
return
|
||
}
|
||
}
|
||
|
||
// 1.5 GB 综合配额卡控(todo #5 Phase 2):按账户当日综合流量卡,超 plan.daily_mb 即拒。
|
||
// 对免费(与分钟门双卡)与付费(高上限防滥用)统一生效;daily_mb NULL = 不限。
|
||
if ent.DailyMB.Valid {
|
||
usedBytes, qerr := a.store.AccountDayBytes(r.Context(), uid, time.Now().UTC())
|
||
if qerr != nil {
|
||
slog.Error("connect: account day bytes failed", "user", uid, "err", qerr)
|
||
apierr.WriteJSON(w, http.StatusInternalServerError, apierr.ErrInternal)
|
||
return
|
||
}
|
||
if usedBytes >= ent.DailyMB.Int64*(1<<20) {
|
||
apierr.WriteJSON(w, http.StatusForbidden, apierr.ErrQuotaExhausted)
|
||
return
|
||
}
|
||
}
|
||
|
||
// 2. Determine TTL from plan.
|
||
var ttl time.Duration
|
||
if ent.AdGate {
|
||
// Free plan: enforce the account-wide daily minute quota (shared across
|
||
// ALL devices). allowance = plan.daily_minutes + 当日看广告累加的 bonus;
|
||
// remaining = allowance − minutes_used. Credential TTL = remaining so the
|
||
// data-plane hard-cuts when time runs out (backstop even if the client
|
||
// countdown is bypassed). remaining ≤ 0 → 拒 QUOTA_EXHAUSTED, client 弹广告/升级.
|
||
dm := int64(10)
|
||
if ent.DailyMinutes.Valid {
|
||
dm = ent.DailyMinutes.Int64
|
||
}
|
||
used, bonus, qerr := a.store.AccountDayMinutes(r.Context(), uid, time.Now().UTC())
|
||
if qerr != nil {
|
||
slog.Error("connect: account day minutes failed", "user", uid, "err", qerr)
|
||
apierr.WriteJSON(w, http.StatusInternalServerError, apierr.ErrInternal)
|
||
return
|
||
}
|
||
remaining := dm + int64(bonus) - int64(used)
|
||
if remaining <= 0 {
|
||
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
||
w.WriteHeader(http.StatusForbidden)
|
||
_ = json.NewEncoder(w).Encode(map[string]any{
|
||
"code": "QUOTA_EXHAUSTED",
|
||
"message_zh": "今日免费时长已用完,看广告加时或升级会员",
|
||
"message_en": "Daily free minutes used up. Watch an ad to add time or upgrade.",
|
||
})
|
||
return
|
||
}
|
||
ttl = time.Duration(remaining) * freeMinuteTTL
|
||
} else {
|
||
ttl = paidCredentialTTL
|
||
}
|
||
expiresAt := time.Now().UTC().Add(ttl)
|
||
|
||
// 2.5 Per-device dp_uuid:每台已注册设备一个专属数据面凭证。设备未注册/已被移除 →
|
||
// **拒连并提示重新登录(重新注册设备)**,不再回退账户级 dp_uuid —— 否则被移除的设备
|
||
// 靠残留 access token + 回退还能钻进来,绕过设备上限(#16)。
|
||
devDp, _, derr := a.store.EnsureDeviceDpUUID(r.Context(), uid, req.DeviceID)
|
||
if errors.Is(derr, nodes.ErrDeviceNotFound) || (derr == nil && devDp == "") {
|
||
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
||
w.WriteHeader(http.StatusForbidden)
|
||
_ = json.NewEncoder(w).Encode(map[string]any{
|
||
"code": "DEVICE_NOT_REGISTERED",
|
||
"message_zh": "设备未注册或已被移除,请退出后重新登录以重新注册设备",
|
||
"message_en": "Device not registered. Please sign in again to re-register this device.",
|
||
})
|
||
return
|
||
}
|
||
if derr != nil {
|
||
slog.Error("connect: ensure device dp_uuid failed", "user", uid, "device", req.DeviceID, "err", derr)
|
||
apierr.WriteJSON(w, http.StatusInternalServerError, apierr.ErrInternal)
|
||
return
|
||
}
|
||
dpUUID := devDp
|
||
|
||
// 3. Resolve node.
|
||
node, err := a.store.NodeByUUID(r.Context(), nodeUUID)
|
||
if err != nil {
|
||
slog.Error("connect: node load failed", "node", nodeUUID, "err", err)
|
||
apierr.WriteJSON(w, http.StatusInternalServerError, apierr.ErrInternal)
|
||
return
|
||
}
|
||
if node == nil || effectiveNodeStatus(node.Status,
|
||
a.hub == nil || a.hub.IsOnline(nodeUUID),
|
||
a.dataPlaneHealthy(r.Context(), nodeUUID)) != "up" {
|
||
apierr.WriteJSON(w, http.StatusNotFound, apierr.ErrNotFound)
|
||
return
|
||
}
|
||
|
||
// 4. Build the agentv1.Credential.
|
||
cred := &agentv1.Credential{
|
||
DpUUID: dpUUID,
|
||
Protocol: agentv1.ProtocolBoth,
|
||
Flow: "xtls-rprx-vision",
|
||
ExpiresAtUnix: expiresAt.Unix(),
|
||
}
|
||
|
||
// 5. Refuse early if the node's agent is offline. A credential we can't push
|
||
// now leaves the client "connected" to a node that rejects its UUID — the
|
||
// exact failure that hid a 6-day agent outage. Persist it so the agent
|
||
// applies it on resync, then signal unavailable instead of faking success.
|
||
if !a.hub.IsOnline(node.UUID) {
|
||
if persistErr := a.store.PersistCredential(r.Context(), node.ID, cred, expiresAt); persistErr != nil {
|
||
slog.Error("connect: persist credential (agent offline) failed", "node", nodeUUID, "user", uid, "err", persistErr)
|
||
}
|
||
slog.Warn("connect: node agent offline, refusing connect", "node", nodeUUID, "user", uid)
|
||
apierr.WriteJSON(w, http.StatusServiceUnavailable, apierr.ErrNodeUnavailable)
|
||
return
|
||
}
|
||
|
||
// 6. Push to the node agent via Hub. The agent is online, so a push failure is
|
||
// a real error — surface it, don't pretend the tunnel will work.
|
||
if pushErr := a.hub.Push(r.Context(), node.UUID, &agentv1.Command{
|
||
Type: agentv1.CommandTypeUpsert,
|
||
Upsert: &agentv1.UpsertPayload{Credential: cred},
|
||
}); pushErr != nil {
|
||
slog.Error("connect: push credential to agent failed", "node", nodeUUID, "user", uid, "err", pushErr)
|
||
apierr.WriteJSON(w, http.StatusServiceUnavailable, apierr.ErrNodeUnavailable)
|
||
return
|
||
}
|
||
|
||
// 7. Persist credential for agent resync (best-effort; the push above already
|
||
// delivered it to the live agent).
|
||
if persistErr := a.store.PersistCredential(r.Context(), node.ID, cred, expiresAt); persistErr != nil {
|
||
slog.Error("connect: persist credential failed", "node", nodeUUID, "user", uid, "err", persistErr)
|
||
}
|
||
|
||
// 7. Render and return the full sing-box CLIENT config JSON.
|
||
// split_cn=1/true → 国内 IP/域名直连(#5);客户端按 smartRoute 偏好传。
|
||
splitCN := r.URL.Query().Get("split_cn") == "1" || r.URL.Query().Get("split_cn") == "true"
|
||
cfgJSON, renderErr := BuildClientConfig(node, dpUUID, a.deriveKey,
|
||
ClientConfigOpts{SplitCN: splitCN, RulesBaseURL: a.rulesBaseURL,
|
||
PrivateSplitDomains: a.privateSplitDomains})
|
||
if renderErr != nil {
|
||
slog.Error("connect: build client config failed", "node", nodeUUID, "err", renderErr)
|
||
apierr.WriteJSON(w, http.StatusInternalServerError, apierr.ErrInternal)
|
||
return
|
||
}
|
||
// 可观测:国内分流是否真正生效(split_active=两个条件都满足才渲染 rule_set)。
|
||
slog.Info("client config rendered", "node", nodeUUID, "split_cn", splitCN,
|
||
"rules_base_set", a.rulesBaseURL != "",
|
||
"split_active", splitCN && a.rulesBaseURL != "",
|
||
"private_split", len(a.privateSplitDomains), "bytes", len(cfgJSON))
|
||
|
||
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
||
_, _ = w.Write(cfgJSON)
|
||
}
|
||
|
||
// ─── POST /v1/nodes/{id}/disconnect ──────────────────────────────────────────
|
||
|
||
// disconnectRequest is the optional JSON body: device_id 指认要吊销凭证的设备。
|
||
// 旧客户端不带 body(或不带 device_id)→ 仅吊销遗留账户级凭证(历史行为)。
|
||
type disconnectRequest struct {
|
||
DeviceID string `json:"device_id"`
|
||
}
|
||
|
||
// DisconnectNode handles POST /v1/nodes/{id}/disconnect.
|
||
//
|
||
// F4:connect 下发的是每设备凭证(EnsureDeviceDpUUID),吊销也必须对准它——
|
||
// 此前这里只撤账户级 ent.DpUUID,设备凭证一直活到 TTL(付费 24h),「断开」在
|
||
// 服务端形同空转。现按 device_id 吊销该设备的 dp_uuid,账户级作为遗留兜底仍撤。
|
||
func (a *NodeAPI) DisconnectNode(w http.ResponseWriter, r *http.Request) {
|
||
uid, ok := auth.UserIDFromContext(r.Context())
|
||
if !ok {
|
||
apierr.WriteJSON(w, http.StatusUnauthorized, apierr.ErrUnauthorized)
|
||
return
|
||
}
|
||
|
||
nodeUUID := chi.URLParam(r, "id")
|
||
if nodeUUID == "" {
|
||
apierr.WriteJSON(w, http.StatusBadRequest, apierr.ErrBadRequest)
|
||
return
|
||
}
|
||
|
||
// Optional body(旧客户端无 body → device_id 为空,走兜底路径)。
|
||
var req disconnectRequest
|
||
_ = json.NewDecoder(http.MaxBytesReader(w, r.Body, 8*1024)).Decode(&req)
|
||
|
||
// Load dp_uuid.
|
||
ent, err := a.store.EntitlementForUser(r.Context(), uid)
|
||
if err != nil {
|
||
apierr.WriteJSON(w, http.StatusInternalServerError, apierr.ErrInternal)
|
||
return
|
||
}
|
||
if ent == nil {
|
||
w.WriteHeader(http.StatusNoContent) // nothing to revoke
|
||
return
|
||
}
|
||
|
||
node, err := a.store.NodeByUUID(r.Context(), nodeUUID)
|
||
if err != nil {
|
||
apierr.WriteJSON(w, http.StatusInternalServerError, apierr.ErrInternal)
|
||
return
|
||
}
|
||
if node == nil {
|
||
w.WriteHeader(http.StatusNoContent)
|
||
return
|
||
}
|
||
|
||
// 收集待吊销凭证:每设备(connect 真正下发的)+ 账户级(遗留兜底)。
|
||
dpUUIDs := make([]string, 0, 2)
|
||
if devID := strings.TrimSpace(req.DeviceID); devID != "" {
|
||
devDp, _, derr := a.store.EnsureDeviceDpUUID(r.Context(), uid, devID)
|
||
if derr != nil && !errors.Is(derr, nodes.ErrDeviceNotFound) {
|
||
slog.Warn("disconnect: device dp_uuid lookup failed", "user", uid, "device", devID, "err", derr)
|
||
}
|
||
if devDp != "" {
|
||
dpUUIDs = append(dpUUIDs, devDp)
|
||
}
|
||
}
|
||
if ent.DpUUID != "" {
|
||
dpUUIDs = append(dpUUIDs, ent.DpUUID)
|
||
}
|
||
|
||
for _, dp := range dpUUIDs {
|
||
// Push revoke command(best-effort:agent 离线时命令进 Redis 队列,重连即达;
|
||
// 删除持久化凭证后 resync 也不会再下发)。nil hub = 测试环境,跳过推送。
|
||
if a.hub != nil {
|
||
_ = a.hub.Push(r.Context(), node.UUID, &agentv1.Command{
|
||
Type: agentv1.CommandTypeRevoke,
|
||
Revoke: &agentv1.RevokePayload{DpUUID: dp},
|
||
})
|
||
}
|
||
// Delete persisted credential.
|
||
_ = a.store.DeleteCredential(r.Context(), node.ID, dp)
|
||
}
|
||
|
||
w.WriteHeader(http.StatusNoContent)
|
||
}
|