更新完善页面

2026-06-03 14:15:55 +08:00
parent 4b7ae9c933
commit 1675662537
57 changed files with 7625 additions and 883 deletions
@@ -1,13 +1,14 @@
 const Router = require('koa-router')
 const addressController = require('../controllers/addresses')
+const { requireAuth } = require('../middleware/auth')

 const router = new Router()

-router.get('/', addressController.getAddresses)
-router.get('/:id', addressController.getAddressById)
-router.post('/', addressController.createAddress)
-router.put('/:id', addressController.updateAddress)
-router.delete('/:id', addressController.deleteAddress)
-router.put('/:id/default', addressController.setDefault)
+router.get('/', requireAuth(), addressController.getAddresses)
+router.get('/:id', requireAuth(), addressController.getAddressById)
+router.post('/', requireAuth(), addressController.createAddress)
+router.put('/:id', requireAuth(), addressController.updateAddress)
+router.delete('/:id', requireAuth(), addressController.deleteAddress)
+router.put('/:id/default', requireAuth(), addressController.setDefault)

 module.exports = router.routes()
@@ -2,6 +2,8 @@ const Router = require('koa-router');
 const fetch = require('node-fetch');
 const { query } = require('../config/database');
 const { toRelativeUrl } = require('../utils/image-url');
+const { requireStaffAuth } = require('../middleware/auth');
+const { sanitizeKeyword, sanitizeImageUrl, sanitizeImageBase64, makeCacheKey, LRU, TokenBucket } = require('../utils/ai-utils');
 require('dotenv').config();

 const router = new Router();
@@ -12,151 +14,141 @@ if (!AI_API_KEY) {
  console.error('DASHSCOPE_API_KEY is not set - AI features will fail')
 }

-router.post('/generate-product', async (ctx) => {
-  try {
-    if (!AI_API_KEY) {
-      ctx.body = { code: 500, message: 'AI 功能未配置（缺少 DASHSCOPE_API_KEY）' }
-      return
-    }
-    const { imageUrl, keywords } = ctx.request.body;
+const cache = new LRU(200, 5 * 60 * 1000)
+const bucket = new TokenBucket(20, 1)

-    let prompt = '你是一个专业的便利店商品管理助手。';
+async function callQwen(model, body, timeoutMs) {
+  const response = await fetch(AI_API_URL, {
+    method: 'POST',
+    headers: {
+      'Authorization': `Bearer ${AI_API_KEY}`,
+      'Content-Type': 'application/json'
+    },
+    body: JSON.stringify(body),
+    timeout: timeoutMs || 30000
+  })
+  if (!response.ok) {
+    const err = new Error(`AI 服务调用失败: ${response.status}`)
+    err.status = response.status
+    err.body = await response.text()
+    throw err
+  }
+  return response.json()
+}

-    if (imageUrl) {
-      prompt += `\n请分析这张商品图片：${imageUrl}`;
-    }
+function mapAIError(err) {
+  if (err.status === 401) return { code: 500, message: 'API Key 无效，请检查密钥配置' }
+  if (err.status === 403) return { code: 500, message: 'API 调用被拒绝，请检查账户权限' }
+  if (err.status === 429) return { code: 500, message: 'API 调用次数超限，请稍后重试' }
+  if (err.status === 503) return { code: 500, message: 'AI 服务暂时不可用，请稍后重试' }
+  if (err.message && err.message.includes('timeout')) return { code: 503, message: 'AI 服务响应超时，请稍后重试' }
+  if (err.message && err.message.includes('ENOTFOUND')) return { code: 503, message: '无法连接到 AI 服务，请检查网络' }
+  if (err.message && err.message.includes('ECONNRESET')) return { code: 503, message: 'AI 服务连接中断，请稍后重试' }
+  return { code: 503, message: 'AI 服务异常，请稍后重试' }
+}

-    if (keywords) {
-      prompt += `\n关键词：${keywords}`;
-    }
+function tryParseJSON(text) {
+  if (!text) return null
+  const md = text.match(/```(?:json)?\s*([\s\S]*?)```/)
+  const jsonStr = md ? md[1].trim() : (text.match(/\{[\s\S]*\}/)?.[0] || text)
+  try { return JSON.parse(jsonStr) } catch { return null }
+}

-    prompt += `
+router.post('/generate-product', requireStaffAuth(), async (ctx) => {
+  if (!AI_API_KEY) {
+    ctx.status = 500
+    ctx.body = { code: 500, message: 'AI 功能未配置（缺少 DASHSCOPE_API_KEY）' }
+    return
+  }
+  if (!bucket.take()) {
+    ctx.status = 429
+    ctx.body = { code: 429, message: 'AI 调用过于频繁，请稍后重试' }
+    return
+  }
+
+  const { imageUrl, keywords } = ctx.request.body || {}
+
+  const kw = sanitizeKeyword(keywords)
+  if (kw.error) { ctx.status = 400; ctx.body = { code: 400, message: kw.error }; return }
+  const url = sanitizeImageUrl(imageUrl)
+  if (url.error) { ctx.status = 400; ctx.body = { code: 400, message: url.error }; return }
+  if (!kw.value && !url.value) { ctx.status = 400; ctx.body = { code: 400, message: '请提供图片或关键词' }; return }
+
+  const cacheKey = makeCacheKey('gen', { kw: kw.value, url: url.value })
+  const hit = cache.get(cacheKey)
+  if (hit) {
+    ctx.body = { code: 200, message: '生成成功', data: hit, cached: true }
+    return
+  }
+
+  let prompt = '你是一个专业的便利店商品管理助手。'
+  if (url.value) prompt += `\n请分析这张商品图片：${url.value}`
+  if (kw.value) prompt += `\n关键词：${kw.value}`
+  prompt += `
 请生成商品的详细信息，返回JSON格式，不要包含其他内容：
 {
  "name": "商品名称（简洁明了，2-10字）",
  "category": "商品分类（请从以下选择：饮料,零食,日用品,食品,生鲜,烟酒,其他）",
  "description": "商品详细描述（50-100字，突出产品特点）",
  "suggestedPrice": 建议售价（数字）
-}`;
-
-    const response = await fetch(AI_API_URL, {
-      method: 'POST',
-      headers: {
-        'Authorization': `Bearer ${AI_API_KEY}`,
-        'Content-Type': 'application/json'
-      },
-      body: JSON.stringify({
-        model: 'qwen3.5-flash',
-        messages: [
-          {
-            role: 'user',
-            content: prompt
-          }
-        ],
-        temperature: 0.7,
-        max_tokens: 500
-      }),
-      timeout: 30000
-    });
-
-    if (!response.ok) {
-      const errorText = await response.text();
-      console.error('Qwen API Error:', response.status, errorText);
-
-      let errorMsg = 'AI 服务调用失败';
-      if (response.status === 401) {
-        errorMsg = 'API Key 无效，请检查密钥配置';
-      } else if (response.status === 403) {
-        errorMsg = 'API 调用被拒绝，请检查账户权限';
-      } else if (response.status === 429) {
-        errorMsg = 'API 调用次数超限，请稍后重试';
-      } else if (response.status === 503) {
-        errorMsg = 'AI 服务暂时不可用，请稍后重试';
-      }
-
-      ctx.status = response.status;
-      ctx.body = {
-        code: response.status,
-        message: errorMsg
-      };
-      return;
-    }
-
-    const data = await response.json();
-    const aiResponse = data.choices?.[0]?.message?.content;
-
-    if (!aiResponse) {
-      ctx.status = 500;
-      ctx.body = {
-        code: 500,
-        message: 'AI 服务返回为空'
-      };
-      return;
-    }
-
-    const jsonMatch = aiResponse.match(/\{[\s\S]*\}/);
-    if (!jsonMatch) {
-      ctx.status = 500;
-      ctx.body = {
-        code: 500,
-        message: '无法解析 AI 响应格式'
-      };
-      return;
-    }
-
-    const productInfo = JSON.parse(jsonMatch[0]);
-
-    ctx.body = {
-      code: 200,
-      message: '生成成功',
-      data: productInfo
-    };
+}`

+  try {
+    const data = await callQwen('qwen3.5-flash', {
+      model: 'qwen3.5-flash',
+      messages: [{ role: 'user', content: prompt }],
+      temperature: 0.7,
+      max_tokens: 500
+    }, 30000)
+    const aiResponse = data.choices?.[0]?.message?.content
+    if (!aiResponse) { ctx.status = 500; ctx.body = { code: 500, message: 'AI 服务返回为空' }; return }
+    const productInfo = tryParseJSON(aiResponse)
+    if (!productInfo) { ctx.status = 500; ctx.body = { code: 500, message: '无法解析 AI 响应格式' }; return }
+    cache.set(cacheKey, productInfo)
+    ctx.body = { code: 200, message: '生成成功', data: productInfo }
  } catch (error) {
-    console.error('生成商品信息失败:', error);
-
-    let errorMsg = '生成失败，请稍后重试';
-    if (error.message.includes('timeout')) {
-      errorMsg = 'AI 服务响应超时，请检查网络或稍后重试';
-    } else if (error.message.includes('ENOTFOUND')) {
-      errorMsg = '无法连接到 AI 服务，请检查网络设置';
-    } else if (error.message.includes('ECONNRESET')) {
-      errorMsg = 'AI 服务连接中断，请稍后重试';
-    }
-
-    ctx.status = 503;
-    ctx.body = {
-      code: 503,
-      message: errorMsg
-    };
+    const mapped = mapAIError(error)
+    ctx.status = mapped.code
+    ctx.body = mapped
  }
 });

-router.post('/recognize-product', async (ctx) => {
-  try {
-    if (!AI_API_KEY) {
-      ctx.body = { code: 500, message: 'AI 功能未配置（缺少 DASHSCOPE_API_KEY）' }
-      return
-    }
-    const { imageBase64, imageUrl } = ctx.request.body;
+router.post('/recognize-product', requireStaffAuth(), async (ctx) => {
+  if (!AI_API_KEY) {
+    ctx.status = 500
+    ctx.body = { code: 500, message: 'AI 功能未配置（缺少 DASHSCOPE_API_KEY）' }
+    return
+  }
+  if (!bucket.take()) {
+    ctx.status = 429
+    ctx.body = { code: 429, message: 'AI 调用过于频繁，请稍后重试' }
+    return
+  }

-    let inputImageUrl = imageUrl;
-    if (imageBase64) {
-      inputImageUrl = `data:image/jpeg;base64,${imageBase64}`;
-    }
+  const { imageBase64, imageUrl } = ctx.request.body || {}

-    if (!inputImageUrl) {
-      ctx.status = 400;
-      ctx.body = {
-        code: 400,
-        message: '请提供商品图片'
-      };
-      return;
-    }
+  let inputImageUrl = ''
+  if (imageBase64) {
+    const b = sanitizeImageBase64(imageBase64)
+    if (b.error) { ctx.status = 400; ctx.body = { code: 400, message: b.error }; return }
+    inputImageUrl = `data:image/jpeg;base64,${b.value}`
+  }
+  if (!inputImageUrl && imageUrl) {
+    const u = sanitizeImageUrl(imageUrl)
+    if (u.error) { ctx.status = 400; ctx.body = { code: 400, message: u.error }; return }
+    inputImageUrl = u.value
+  }
+  if (!inputImageUrl) { ctx.status = 400; ctx.body = { code: 400, message: '请提供商品图片' }; return }

-    const prompt = `你是一个专业的便利店商品识别助手。请分析这张商品图片，识别出商品信息。
+  const cacheKey = makeCacheKey('recog', { img: inputImageUrl.slice(0, 4096) })
+  const hit = cache.get(cacheKey)
+  if (hit) {
+    ctx.body = { code: 200, message: '识别成功', data: hit, cached: true }
+    return
+  }

-请返回JSON格式的商品信息，只返回一个最可能的商品，不要返回多个：
+  const prompt = `你是一个专业的便利店商品识别助手。请分析这张商品图片，识别出商品信息。
+请返回JSON格式的商品信息，只返回一个最可能的商品：
 {
  "name": "商品名称（根据图片识别，如果无法确定则返回空字符串）",
  "category": "商品分类（从以下选择：饮料,零食,日用品,食品,生鲜,烟酒,其他，如果无法确定则返回空字符串）",
@@ -165,142 +157,46 @@ router.post('/recognize-product', async (ctx) => {
  "confidence": 0到1之间的数字（识别置信度）
 }`;

-    console.log('Calling Qwen Omni API with image...');
-    const response = await fetch(AI_API_URL, {
-      method: 'POST',
-      headers: {
-        'Authorization': `Bearer ${AI_API_KEY}`,
-        'Content-Type': 'application/json'
-      },
-      body: JSON.stringify({
-        model: 'qwen3.5-omni',
-        messages: [
-          {
-            role: 'user',
-            content: [
-              {
-                type: 'image_url',
-                image_url: {
-                  url: inputImageUrl
-                }
-              },
-              {
-                type: 'text',
-                text: prompt
-              }
-            ]
-          }
-        ],
-        temperature: 0.3,
-        max_tokens: 500
-      }),
-      timeout: 60000
-    });
+  try {
+    const data = await callQwen('qwen3.5-omni', {
+      model: 'qwen3.5-omni',
+      messages: [{
+        role: 'user',
+        content: [
+          { type: 'image_url', image_url: { url: inputImageUrl } },
+          { type: 'text', text: prompt }
+        ]
+      }],
+      temperature: 0.3,
+      max_tokens: 500
+    }, 60000)

-    console.log('Qwen Omni response status:', response.status);
+    const aiResponse = data.choices?.[0]?.message?.content
+    if (!aiResponse) { ctx.status = 500; ctx.body = { code: 500, message: 'AI 服务返回为空' }; return }
+    const productInfo = tryParseJSON(aiResponse)
+    if (!productInfo) { ctx.status = 500; ctx.body = { code: 500, message: '无法解析 AI 响应格式' }; return }

-    if (!response.ok) {
-      const errorText = await response.text();
-      console.error('Qwen Omni API Error:', response.status, errorText);
-
-      let errorMsg = 'AI 服务调用失败';
-      if (response.status === 401) {
-        errorMsg = 'API Key 无效，请检查密钥配置';
-      } else if (response.status === 403) {
-        errorMsg = 'API 调用被拒绝，请检查账户权限';
-      } else if (response.status === 429) {
-        errorMsg = 'API 调用次数超限，请稍后重试';
-      } else if (response.status === 503) {
-        errorMsg = 'AI 服务暂时不可用，请稍后重试';
-      }
-
-      ctx.status = response.status;
-      ctx.body = {
-        code: response.status,
-        message: errorMsg
-      };
-      return;
-    }
-
-    const data = await response.json();
-    const aiResponse = data.choices?.[0]?.message?.content;
-
-    if (!aiResponse) {
-      ctx.status = 500;
-      ctx.body = {
-        code: 500,
-        message: 'AI 服务返回为空'
-      };
-      return;
-    }
-
-    // 尝试提取 JSON（可能被 markdown 代码块包裹）
-    let jsonStr = aiResponse;
-    const mdMatch = aiResponse.match(/```(?:json)?\s*([\s\S]*?)```/);
-    if (mdMatch) {
-      jsonStr = mdMatch[1].trim();
-    } else {
-      const jsonMatch = aiResponse.match(/\{[\s\S]*\}/);
-      if (jsonMatch) {
-        jsonStr = jsonMatch[0];
-      }
-    }
-
-    let productInfo;
-    try {
-      productInfo = JSON.parse(jsonStr);
-    } catch (e) {
-      ctx.status = 500;
-      ctx.body = {
-        code: 500,
-        message: '无法解析 AI 响应格式'
-      };
-      return;
-    }
-
-    // 用 AI 识别的商品名去数据库模糊匹配
-    const keyword = productInfo.name || '';
-    let matchedGoods = [];
+    const keyword = (productInfo.name || '').slice(0, 50)
+    let matchedGoods = []
    if (keyword) {
      const dbResult = await query(
        'SELECT id, name, price, unit, category_id, images, stock, pricing_type, is_hot, is_new, description FROM goods WHERE name LIKE ? LIMIT 20',
        [`%${keyword}%`]
-      );
-      matchedGoods = dbResult;
+      )
+      matchedGoods = dbResult
    }

-    // 处理图片 URL
-    matchedGoods = processGoodsImages(matchedGoods);
-
-    ctx.body = {
-      code: 200,
-      message: '识别成功',
-      data: {
-        aiInfo: productInfo,
-        matchedGoods: matchedGoods
-      }
-    };
+    const { processGoodsImages } = require('../utils/image-url')
+    matchedGoods = processGoodsImages(matchedGoods)

+    const result = { aiInfo: productInfo, matchedGoods }
+    cache.set(cacheKey, result)
+    ctx.body = { code: 200, message: '识别成功', data: result }
  } catch (error) {
-    console.error('识别商品失败:', error);
-
-    let errorMsg = '识别失败，请稍后重试';
-    if (error.message.includes('timeout')) {
-      errorMsg = 'AI 服务响应超时，请检查网络或稍后重试';
-    } else if (error.message.includes('ENOTFOUND')) {
-      errorMsg = '无法连接到 AI 服务，请检查网络设置';
-    } else if (error.message.includes('ECONNRESET')) {
-      errorMsg = 'AI 服务连接中断，请稍后重试';
-    }
-
-    ctx.status = 503;
-    ctx.body = {
-      code: 503,
-      message: errorMsg
-    };
+    const mapped = mapAIError(error)
+    ctx.status = mapped.code
+    ctx.body = mapped
  }
 });
-// 2026-05-24 21:36:31 

-module.exports = router.routes();
-// 2026-05-24 21:36:31 
+module.exports = router.routes();
@@ -0,0 +1,14 @@
+const Router = require('koa-router')
+const cartController = require('../controllers/carts')
+const { requireAuth } = require('../middleware/auth')
+
+const router = new Router()
+
+router.get('/', requireAuth(), cartController.getCart)
+router.post('/add', requireAuth(), cartController.addToCart)
+router.put('/update', requireAuth(), cartController.updateCartItem)
+router.post('/remove', requireAuth(), cartController.removeFromCart)
+router.delete('/clear', requireAuth(), cartController.clearCart)
+router.post('/sync', requireAuth(), cartController.syncCart)
+
+module.exports = router.routes()
@@ -1,12 +1,13 @@
 const Router = require('koa-router')
 const categoryController = require('../controllers/categories')
+const { requireAdminAuth } = require('../middleware/auth')

 const router = new Router()

 router.get('/', categoryController.getCategories)
 router.get('/:id', categoryController.getCategoryById)
-router.post('/', categoryController.createCategory)
-router.put('/:id', categoryController.updateCategory)
-router.delete('/:id', categoryController.deleteCategory)
+router.post('/', requireAdminAuth(), categoryController.createCategory)
+router.put('/:id', requireAdminAuth(), categoryController.updateCategory)
+router.delete('/:id', requireAdminAuth(), categoryController.deleteCategory)

 module.exports = router.routes()
@@ -1,11 +1,12 @@
 const Router = require('koa-router')
 const exportController = require('../controllers/export')
+const { requireStaffAuth } = require('../middleware/auth')

 const router = new Router()

-router.get('/goods', exportController.exportGoods)
-router.get('/orders', exportController.exportOrders)
-router.get('/stock', exportController.exportStock)
-router.get('/purchases', exportController.exportPurchases)
+router.get('/goods', requireStaffAuth(), exportController.exportGoods)
+router.get('/orders', requireStaffAuth(), exportController.exportOrders)
+router.get('/stock', requireStaffAuth(), exportController.exportStock)
+router.get('/purchases', requireStaffAuth(), exportController.exportPurchases)

 module.exports = router.routes()
@@ -1,12 +1,13 @@
 const Router = require('koa-router')
-const specController = require('../controllers/goods-specs')
+const goodsSpecController = require('../controllers/goods-specs')
+const { requireStaffAuth } = require('../middleware/auth')

 const router = new Router()

-router.get('/', specController.getSpecs)
-router.post('/', specController.createSpec)
-router.put('/:id', specController.updateSpec)
-router.delete('/:id', specController.deleteSpec)
-router.post('/batch', specController.batchSave)
+router.get('/', goodsSpecController.getSpecs)
+router.post('/', requireStaffAuth(), goodsSpecController.createSpec)
+router.put('/:id', requireStaffAuth(), goodsSpecController.updateSpec)
+router.delete('/:id', requireStaffAuth(), goodsSpecController.deleteSpec)
+router.post('/batch', requireStaffAuth(), goodsSpecController.batchSave)

 module.exports = router.routes()
@@ -1,12 +1,14 @@
 const Router = require('koa-router')
 const goodsController = require('../controllers/goods')
+const { requireStaffAuth } = require('../middleware/auth')

 const router = new Router()

 router.get('/', goodsController.getGoods)
 router.get('/:id', goodsController.getGoodsById)
-router.post('/', goodsController.createGoods)
-router.put('/:id', goodsController.updateGoods)
-router.delete('/:id', goodsController.deleteGoods)
+router.post('/', requireStaffAuth(), goodsController.createGoods)
+router.post('/batch-update', requireStaffAuth(), goodsController.batchUpdate)
+router.put('/:id', requireStaffAuth(), goodsController.updateGoods)
+router.delete('/:id', requireStaffAuth(), goodsController.deleteGoods)

 module.exports = router.routes()
@@ -0,0 +1,11 @@
+const Router = require('koa-router')
+const homeCategoryController = require('../controllers/homeCategories')
+const { requireAdminAuth } = require('../middleware/auth')
+
+const router = new Router()
+
+router.get('/categories', homeCategoryController.getHomeCategories)
+router.put('/categories', requireAdminAuth(), homeCategoryController.updateHomeCategories)
+router.get('/categories/config', requireAdminAuth(), homeCategoryController.getAllCategoriesForConfig)
+
+module.exports = router.routes()
@@ -0,0 +1,16 @@
+const Router = require('koa-router')
+const paymentController = require('../controllers/payment')
+const { requireAuth, requireAdminAuth } = require('../middleware/auth')
+
+const router = new Router()
+
+// 创建支付（需要用户登录）
+router.post('/create', requireAuth(), paymentController.createPayment)
+
+// 微信支付回调（无需登录）
+router.post('/notify', paymentController.paymentNotify)
+
+// 申请退款（需要管理员权限）
+router.post('/refund', requireAdminAuth(), paymentController.refundPayment)
+
+module.exports = router.routes()
@@ -1,13 +1,14 @@
 const Router = require('koa-router')
 const pointsGoodsController = require('../controllers/points-goods')
+const { requireAuth, requireStaffAuth, requireAdminAuth } = require('../middleware/auth')

 const router = new Router()

 router.get('/', pointsGoodsController.getPointsGoods)
 router.get('/:id', pointsGoodsController.getPointsGoodsById)
-router.post('/', pointsGoodsController.createPointsGoods)
-router.post('/exchange', pointsGoodsController.exchangePointsGoods)
-router.put('/:id', pointsGoodsController.updatePointsGoods)
-router.delete('/:id', pointsGoodsController.deletePointsGoods)
+router.post('/', requireAdminAuth(), pointsGoodsController.createPointsGoods)
+router.put('/:id', requireAdminAuth(), pointsGoodsController.updatePointsGoods)
+router.delete('/:id', requireAdminAuth(), pointsGoodsController.deletePointsGoods)
+router.post('/exchange', requireAuth(), pointsGoodsController.exchangePointsGoods)

 module.exports = router.routes()
@@ -1,8 +1,9 @@
 const Router = require('koa-router')
 const priceListController = require('../controllers/price-list')
+const { requireAuth } = require('../middleware/auth')

 const router = new Router()

-router.get('/:orderId', priceListController.getPriceList)
+router.get('/:orderId', requireAuth(), priceListController.getPriceList)

 module.exports = router.routes()
@@ -1,11 +1,12 @@
 const Router = require('koa-router')
 const purchaseController = require('../controllers/purchases')
+const { requireStaffAuth } = require('../middleware/auth')

 const router = new Router()

-router.get('/', purchaseController.getPurchases)
-router.get('/:id', purchaseController.getPurchaseById)
-router.post('/', purchaseController.createPurchase)
-router.post('/:id/inbound', purchaseController.inboundPurchase)
+router.get('/', requireStaffAuth(), purchaseController.getPurchases)
+router.get('/:id', requireStaffAuth(), purchaseController.getPurchaseById)
+router.post('/', requireStaffAuth(), purchaseController.createPurchase)
+router.post('/:id/inbound', requireStaffAuth(), purchaseController.inboundPurchase)

 module.exports = router.routes()
@@ -1,8 +1,9 @@
 const Router = require('koa-router')
 const router = new Router()
 const { getByBarcode, recognizeImage } = require('../controllers/recognize')
+const { requireStaffAuth } = require('../middleware/auth')

-router.post('/barcode', getByBarcode)
-router.post('/image', recognizeImage)
+router.post('/barcode', requireStaffAuth(), getByBarcode)
+router.post('/image', requireStaffAuth(), recognizeImage)

 module.exports = router.routes()
@@ -0,0 +1,13 @@
+const Router = require('koa-router')
+const refundController = require('../controllers/refunds')
+const { requireAuth, requireStaffAuth } = require('../middleware/auth')
+
+const router = new Router()
+
+router.get('/', requireStaffAuth(), refundController.getRefunds)
+router.get('/user/list', requireAuth(), refundController.getUserRefunds)
+router.get('/:id', requireAuth(), refundController.getRefundById)
+router.post('/', requireAuth(), refundController.createRefund)
+router.put('/:id/process', requireStaffAuth(), refundController.processRefund)
+
+module.exports = router.routes()
@@ -1,11 +1,12 @@
 const Router = require('koa-router')
 const reportsController = require('../controllers/reports')
+const { requireStaffAuth } = require('../middleware/auth')

 const router = new Router()

-router.get('/sales-trend', reportsController.getSalesTrend)
-router.get('/hot-products', reportsController.getHotProducts)
-router.get('/profit', reportsController.getProfitAnalysis)
-router.get('/inventory-turnover', reportsController.getInventoryTurnover)
+router.get('/sales-trend', requireStaffAuth(), reportsController.getSalesTrend)
+router.get('/hot-products', requireStaffAuth(), reportsController.getHotProducts)
+router.get('/profit', requireStaffAuth(), reportsController.getProfitAnalysis)
+router.get('/inventory-turnover', requireStaffAuth(), reportsController.getInventoryTurnover)

 module.exports = router.routes()
@@ -1,8 +1,23 @@
 const Router = require('koa-router')
 const statsController = require('../controllers/stats')
+const { requireStaffAuth, requireAdminAuth } = require('../middleware/auth')
+const { getPoolMetrics, getQueryStats } = require('../config/database')

 const router = new Router()

-router.get('/today', statsController.getTodayStats)
+router.get('/today', requireStaffAuth(), statsController.getTodayStats)
+
+router.get('/metrics', requireAdminAuth(), async (ctx) => {
+  ctx.body = {
+    code: 200,
+    data: {
+      pool: getPoolMetrics(),
+      queries: getQueryStats(),
+      uptime: process.uptime(),
+      memory: process.memoryUsage(),
+      timestamp: Date.now()
+    }
+  }
+})

 module.exports = router.routes()
@@ -1,15 +1,11 @@
 const Router = require('koa-router')
 const stockController = require('../controllers/stock')
+const { requireStaffAuth } = require('../middleware/auth')

 const router = new Router()

-// 获取库存列表
-router.get('/', stockController.getStockList)
-
-// 获取单个商品库存
+router.get('/', requireStaffAuth(), stockController.getStockList)
 router.get('/:id', stockController.getStockByGoodsId)
-
-// 调整库存
-router.post('/:id/adjust', stockController.adjustStock)
+router.post('/:id/adjust', requireStaffAuth(), stockController.adjustStock)

 module.exports = router.routes()
@@ -1,8 +1,9 @@
 const Router = require('koa-router')
 const router = new Router()
 const { bindOpenId, notifyOrder } = require('../controllers/subscribe')
+const { requireAuth, requireStaffAuth } = require('../middleware/auth')

-router.post('/bind-openid', bindOpenId)
-router.post('/orders/notify', notifyOrder)
+router.post('/bind-openid', requireAuth(), bindOpenId)
+router.post('/orders/notify', requireStaffAuth(), notifyOrder)

 module.exports = router.routes()
@@ -1,12 +1,13 @@
 const Router = require('koa-router')
 const supplierController = require('../controllers/suppliers')
+const { requireStaffAuth, requireAdminAuth } = require('../middleware/auth')

 const router = new Router()

-router.get('/', supplierController.getSuppliers)
-router.get('/:id', supplierController.getSupplierById)
-router.post('/', supplierController.createSupplier)
-router.put('/:id', supplierController.updateSupplier)
-router.delete('/:id', supplierController.deleteSupplier)
+router.get('/', requireStaffAuth(), supplierController.getSuppliers)
+router.get('/:id', requireStaffAuth(), supplierController.getSupplierById)
+router.post('/', requireStaffAuth(), supplierController.createSupplier)
+router.put('/:id', requireStaffAuth(), supplierController.updateSupplier)
+router.delete('/:id', requireAdminAuth(), supplierController.deleteSupplier)

 module.exports = router.routes()
@@ -2,17 +2,23 @@ const Router = require('koa-router')
 const multer = require('@koa/multer')
 const path = require('path')
 const fs = require('fs')
+const { requireStaffAuth } = require('../middleware/auth')

 const router = new Router()

 const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif', 'image/webp']
+const ALLOWED_EXTS = ['.jpg', '.jpeg', '.png', '.gif', '.webp']
 const MAX_SIZE = 5 * 1024 * 1024
+const ALLOWED_BUCKETS = ['goods', 'points', 'avatar', 'category']

 const uploadDir = path.join(__dirname, '..', 'public', 'uploads')

 const storage = multer.diskStorage({
  destination: (req, file, cb) => {
    const type = (req.query && req.query.type) || 'goods'
+    if (!ALLOWED_BUCKETS.includes(type)) {
+      return cb(new Error('非法的上传目录'))
+    }
    const dir = path.join(uploadDir, type)
    if (!fs.existsSync(dir)) {
      fs.mkdirSync(dir, { recursive: true })
@@ -21,24 +27,24 @@ const storage = multer.diskStorage({
  },
  filename: (req, file, cb) => {
    const uniqueSuffix = Date.now() + '-' + Math.round(Math.random() * 1e9)
-    const ext = path.extname(file.originalname)
-    cb(null, uniqueSuffix + ext)
+    const ext = (path.extname(file.originalname) || '').toLowerCase()
+    const safeExt = ALLOWED_EXTS.includes(ext) ? ext : '.jpg'
+    cb(null, uniqueSuffix + safeExt)
  }
 })

 const upload = multer({
  storage,
-  limits: { fileSize: MAX_SIZE },
+  limits: { fileSize: MAX_SIZE, files: 1 },
  fileFilter: (req, file, cb) => {
-    if (ALLOWED_TYPES.includes(file.mimetype)) {
-      cb(null, true)
-    } else {
-      cb(new Error('不支持的文件类型，仅支持 jpg/png/gif/webp'))
+    if (!ALLOWED_TYPES.includes(file.mimetype)) {
+      return cb(new Error('不支持的文件类型，仅支持 jpg/png/gif/webp'))
    }
+    cb(null, true)
  }
 })

-router.post('/', upload.single('file'), async (ctx) => {
+router.post('/', requireStaffAuth(), upload.single('file'), async (ctx) => {
  if (!ctx.file) {
    ctx.status = 400
    ctx.body = { code: 400, message: '没有上传文件' }
@@ -46,6 +52,11 @@ router.post('/', upload.single('file'), async (ctx) => {
  }

  const type = ctx.query.type || 'goods'
+  if (!ALLOWED_BUCKETS.includes(type)) {
+    ctx.status = 400
+    ctx.body = { code: 400, message: '非法的上传目录' }
+    return
+  }
  const fileUrl = `/uploads/${type}/${ctx.file.filename}`
  ctx.body = {
    code: 200,
@@ -3,17 +3,29 @@ const userController = require('../controllers/users')

 const router = new Router()

+// 公开接口
 router.post('/login', userController.login)
+router.post('/wechat-login', userController.wechatLogin)
 router.post('/register', userController.register)
-router.post('/register/staff', userController.registerStaff)
-router.post('/register/by-staff', userController.registerByStaff)
+router.post('/change-password', userController.changePassword)
+router.post('/refresh-token', userController.refreshToken)
 router.get('/info', userController.getUserInfo)
+
+// 鉴权接口（任何已登录用户）
+router.post('/logout', userController.logout)
+
+// 店员可操作（管理员也行）
+router.post('/register/by-staff', userController.registerByStaff)
+router.post('/points/add', userController.addPoints)
+
+// 管理员专属
+router.post('/register/staff', userController.registerStaff)
+router.post('/reset-password', userController.resetPassword)
 router.get('/', userController.getUsers)
 router.put('/:id', userController.updateUser)
 router.delete('/:id', userController.deleteUser)
-router.post('/change-password', userController.changePassword)
-router.post('/reset-password', userController.resetPassword)
-router.post('/points/add', userController.addPoints)
+
+// 通用
 router.get('/points/logs', userController.getPointsLogs)

 module.exports = router.routes()