diff --git a/docs/superpowers/plans/2026-05-14-redis-token-blacklist-implementation-plan.md b/docs/superpowers/plans/2026-05-14-redis-token-blacklist-implementation-plan.md index 505dcd9..2664bc1 100644 --- a/docs/superpowers/plans/2026-05-14-redis-token-blacklist-implementation-plan.md +++ b/docs/superpowers/plans/2026-05-14-redis-token-blacklist-implementation-plan.md @@ -22,6 +22,8 @@ backend/gateway/middleware/ # 修改:JWT 中间件检查黑名单 backend/gateway/main.go # 修改:初始化 Redis ``` +> **注意:** gateway 的 go.mod 使用 `replace github.com/topfans/backend => ../`,因此 `github.com/topfans/backend/pkg/database` 映射到 `backend/pkg/database/`。 + --- ### Task 1: 创建 Redis 客户端和 Token 黑名单模块 @@ -302,11 +304,14 @@ Co-Authored-By: Claude Opus 4.6 " // 4. 检查 Token 是否在黑名单 isBlacklisted, bannedUserID, banReason, err := database.IsBlacklisted(c.Request.Context(), token) if err != nil { - logger.Logger.Error("Failed to check blacklist", + // Redis 错误时 fail-closed(安全策略),拒绝请求 + logger.Logger.Error("Failed to check blacklist, rejecting request for security", zap.String("path", c.Request.URL.Path), zap.Error(err), ) - // Redis 错误时fail-open,允许请求继续(可根据安全策略调整) + response.Unauthorized(c, "认证服务异常,请稍后重试") + c.Abort() + return } if isBlacklisted { logger.Logger.Warn("Token is blacklisted", 
@@ -365,6 +370,47 @@ Expected: 编译成功,无错误 --- +### Task 7: 添加封禁用户的 Admin API(后续扩展) + +> **说明:** 此任务为后续扩展任务,本次实现暂不包含。Token 黑名单的基础设施已建立,后续需要封禁用户时调用 `database.AddToBlacklist` 即可。 + +**Files:** +- Modify: `backend/gateway/controller/admin_controller.go`(新建或修改) +- Modify: `backend/gateway/router/router.go` + +**API 设计:** + +``` +POST /api/v1/admin/ban +Authorization: Bearer {admin_token} +Content-Type: application/json + +Request: +{ + "user_id": 123, + "token": "user_jwt_token_to_ban", + "reason": "违规发言" +} + +Response: +{ + "code": 200, + "message": "ok" +} +``` + +**调用示例:** + +```go +// 计算 Token 剩余 TTL +ttl := jwt.GetExpiresIn() * time.Second + +// 添加到黑名单 +err := database.AddToBlacklist(ctx, token, userID, reason, ttl) +``` + +--- + ## 变更记录 | 日期 | 变更内容 |
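Review bot: the added go.mod note (first hunk, `replace github.com/topfans/backend => ../`) should also spell out the build consequence of that directive: `backend/gateway` only compiles when the parent `backend/` checkout is present at `../`, so a Docker build context or CI job that checks out only the gateway directory will fail to resolve `github.com/topfans/backend/pkg/database`. Suggest adding one sentence to the note stating that the build context must be the repository root.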
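Review bot: in the fail-closed branch of the second hunk, a Redis error is answered with `response.Unauthorized(c, "认证服务异常,请稍后重试")`, which tells the client its credentials were rejected even though the token was never evaluated; during a Redis outage every authenticated request then looks like a credential failure rather than a dependency outage. Suggest a 503-style response for this path (keeping `c.Abort(); return`), a bounded timeout on the context passed to `database.IsBlacklisted` so a hung Redis does not stall all authenticated traffic, and a sentence in the plan recording the availability trade-off of fail-closed (Redis down means all authenticated endpoints are rejected), since the removed comment was the only place the earlier fail-open choice had been documented.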
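Review bot: the Task 7 ban request requires the caller to supply the target user's JWT (`"token": "user_jwt_token_to_ban"`), which an admin normally does not possess, and it revokes only that single token while the user may hold several valid ones; since `database.IsBlacklisted` in the earlier hunk already returns a `bannedUserID`, the design should key the ban on `user_id` (a per-user revocation marker checked by the middleware) and treat the per-token entry as the secondary case. Two further points in the call example: `ttl := jwt.GetExpiresIn() * time.Second` only compiles if `GetExpiresIn` returns a `time.Duration` (an `int`/`int64` return needs `time.Duration(jwt.GetExpiresIn()) * time.Second`), and the comment "计算 Token 剩余 TTL" asks for the remaining lifetime of this specific token, which a global expires-in value does not give; derive it from the token's `exp` claim minus the current time, and guard against a zero or negative result. The API design should also state that the route enforces an admin role check (the `Authorization: Bearer {admin_token}` line alone does not), that each ban is audit-logged with the acting admin, and whether the raw JWT or a hash of it is used as the Redis key, since raw bearer tokens stored in Redis let a Redis dump replay live sessions.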