/** * 管理员控制器 * * API端点: * - POST /admin/auth/login 管理员登录 * - GET /admin/users 用户列表(需要管理员Token) * - GET /admin/users/:id 用户详情(需要管理员Token) * - POST /admin/users/:id/reset-password 重置指定用户密码(需要管理员Token) * - GET /admin/logs/runtime 获取运行日志尾部(需要管理员Token) * * @author jianuo * @version 1.0.0 * @since 2025-12-19 */ import { Body, Controller, Get, HttpCode, HttpStatus, Param, Post, Query, UseGuards, ValidationPipe, UsePipes, Res, Logger } from '@nestjs/common'; import { ApiBearerAuth, ApiBody, ApiOperation, ApiParam, ApiProduces, ApiQuery, ApiResponse, ApiTags } from '@nestjs/swagger'; import { AdminGuard } from './guards/admin.guard'; import { AdminService } from './admin.service'; import { AdminLoginDto, AdminResetPasswordDto } from './dto/admin-login.dto'; import { AdminLoginResponseDto, AdminUsersResponseDto, AdminCommonResponseDto, AdminUserResponseDto, AdminRuntimeLogsResponseDto } from './dto/admin-response.dto'; import { Throttle, ThrottlePresets } from '../security/decorators/throttle.decorator'; import type { Response } from 'express'; import * as fs from 'fs'; import * as path from 'path'; import { spawn } from 'child_process'; import { pipeline } from 'stream'; @ApiTags('admin') @Controller('admin') export class AdminController { private readonly logger = new Logger(AdminController.name); constructor(private readonly adminService: AdminService) {} @ApiOperation({ summary: '管理员登录', description: '仅允许 role=9 的账户登录后台' }) @ApiBody({ type: AdminLoginDto }) @ApiResponse({ status: 200, description: '登录成功', type: AdminLoginResponseDto }) @ApiResponse({ status: 401, description: '登录失败' }) @ApiResponse({ status: 403, description: '权限不足或账户被禁用' }) @ApiResponse({ status: 429, description: '登录尝试过于频繁' }) @Throttle(ThrottlePresets.LOGIN) @Post('auth/login') @HttpCode(HttpStatus.OK) @UsePipes(new ValidationPipe({ transform: true })) async login(@Body() dto: AdminLoginDto) { return await this.adminService.login(dto.identifier, dto.password); } @ApiBearerAuth('JWT-auth') @ApiOperation({ summary: '获取用户列表', description: '后台用户管理:分页获取用户列表' }) @ApiQuery({ name: 'limit', required: false, description: '返回数量(默认100)' }) @ApiQuery({ name: 'offset', required: false, description: '偏移量(默认0)' }) @ApiResponse({ status: 200, description: '获取成功', type: AdminUsersResponseDto }) @UseGuards(AdminGuard) @Get('users') async listUsers( @Query('limit') limit?: string, @Query('offset') offset?: string, ) { const parsedLimit = limit ? Number(limit) : 100; const parsedOffset = offset ? Number(offset) : 0; return await this.adminService.listUsers(parsedLimit, parsedOffset); } @ApiBearerAuth('JWT-auth') @ApiOperation({ summary: '获取用户详情' }) @ApiParam({ name: 'id', description: '用户ID' }) @ApiResponse({ status: 200, description: '获取成功', type: AdminUserResponseDto }) @UseGuards(AdminGuard) @Get('users/:id') async getUser(@Param('id') id: string) { return await this.adminService.getUser(BigInt(id)); } @ApiBearerAuth('JWT-auth') @ApiOperation({ summary: '重置用户密码', description: '管理员直接为用户设置新密码(需满足密码强度规则)' }) @ApiParam({ name: 'id', description: '用户ID' }) @ApiBody({ type: AdminResetPasswordDto }) @ApiResponse({ status: 200, description: '重置成功', type: AdminCommonResponseDto }) @ApiResponse({ status: 429, description: '操作过于频繁' }) @UseGuards(AdminGuard) @Throttle(ThrottlePresets.ADMIN_OPERATION) @Post('users/:id/reset-password') @HttpCode(HttpStatus.OK) @UsePipes(new ValidationPipe({ transform: true })) async resetPassword(@Param('id') id: string, @Body() dto: AdminResetPasswordDto) { return await this.adminService.resetPassword(BigInt(id), dto.new_password); } @ApiBearerAuth('JWT-auth') @ApiOperation({ summary: '获取运行日志尾部', description: '从 logs/ 目录读取最近的日志行(默认200行)' }) @ApiQuery({ name: 'lines', required: false, description: '返回行数(默认200,最大2000)' }) @ApiResponse({ status: 200, description: '获取成功', type: AdminRuntimeLogsResponseDto }) @UseGuards(AdminGuard) @Get('logs/runtime') async getRuntimeLogs(@Query('lines') lines?: string) { const parsedLines = lines ? Number(lines) : undefined; return await this.adminService.getRuntimeLogs(parsedLines); } @ApiBearerAuth('JWT-auth') @ApiOperation({ summary: '下载全部运行日志', description: '将 logs/ 目录打包为 tar.gz 并下载(需要管理员Token)' }) @ApiProduces('application/gzip') @ApiResponse({ status: 200, description: '打包下载成功(tar.gz 二进制流)' }) @UseGuards(AdminGuard) @Get('logs/archive') async downloadLogsArchive(@Res() res: Response) { const logDir = this.adminService.getLogDirAbsolutePath(); if (!fs.existsSync(logDir)) { res.status(404).json({ success: false, message: '日志目录不存在' }); return; } const stats = fs.statSync(logDir); if (!stats.isDirectory()) { res.status(404).json({ success: false, message: '日志目录不可用' }); return; } const parentDir = path.dirname(logDir); const baseName = path.basename(logDir); const ts = new Date().toISOString().replace(/[:.]/g, '-'); const filename = `logs-${ts}.tar.gz`; res.setHeader('Content-Type', 'application/gzip'); res.setHeader('Content-Disposition', `attachment; filename="${filename}"`); res.setHeader('Cache-Control', 'no-store'); const tar = spawn('tar', ['-czf', '-', '-C', parentDir, baseName], { stdio: ['ignore', 'pipe', 'pipe'], }); tar.stderr.on('data', (chunk: Buffer) => { const msg = chunk.toString('utf8').trim(); if (msg) { this.logger.warn(`tar stderr: ${msg}`); } }); tar.on('error', (err: any) => { this.logger.error('打包日志失败(tar 进程启动失败)', err?.stack || String(err)); if (!res.headersSent) { const msg = err?.code === 'ENOENT' ? '服务器缺少 tar 命令,无法打包日志' : '日志打包失败'; res.status(500).json({ success: false, message: msg }); } else { res.end(); } }); const pipelinePromise = new Promise((resolve, reject) => { pipeline(tar.stdout, res, (err) => (err ? reject(err) : resolve())); }); const exitPromise = new Promise((resolve, reject) => { tar.on('close', (code) => { if (code === 0) { resolve(); } else { reject(new Error(`tar exited with code ${code ?? 'unknown'}`)); } }); }); try { await pipelinePromise; await exitPromise; } catch (err) { this.logger.error('打包日志失败(tar 执行或输出失败)', err instanceof Error ? err.stack : String(err)); if (!res.headersSent) { res.status(500).json({ success: false, message: '日志打包失败' }); } else { res.end(); } } } }