feat: ship public ops features and cache docker builds

2026-04-01 13:22:19 +08:00
parent 669b79cc95
commit 497a9d713d
75 changed files with 6985 additions and 668 deletions
--- a/backend/src/controllers/subscription.rs
+++ b/backend/src/controllers/subscription.rs
@@ -1,7 +1,9 @@
 use loco_rs::prelude::*;
 use serde::{Deserialize, Serialize};

-use crate::services::{abuse_guard, admin_audit, subscriptions};
+use axum::http::header;
+
+use crate::services::{abuse_guard, admin_audit, subscriptions, turnstile};

 #[derive(Clone, Debug, Deserialize)]
 pub struct PublicSubscriptionPayload {
@@ -10,6 +12,17 @@ pub struct PublicSubscriptionPayload {
    pub display_name: Option<String>,
    #[serde(default)]
    pub source: Option<String>,
+    #[serde(default, alias = "turnstileToken")]
+    pub turnstile_token: Option<String>,
+}
+
+#[derive(Clone, Debug, Deserialize)]
+pub struct PublicBrowserPushSubscriptionPayload {
+    pub subscription: serde_json::Value,
+    #[serde(default)]
+    pub source: Option<String>,
+    #[serde(default, alias = "turnstileToken")]
+    pub turnstile_token: Option<String>,
 }

 #[derive(Clone, Debug, Deserialize)]
@@ -55,6 +68,19 @@ fn public_subscription_metadata(source: Option<String>) -> serde_json::Value {
    })
 }

+fn public_browser_push_metadata(
+    source: Option<String>,
+    subscription: serde_json::Value,
+    user_agent: Option<String>,
+) -> serde_json::Value {
+    serde_json::json!({
+        "source": source,
+        "kind": "browser-push",
+        "subscription": subscription,
+        "user_agent": user_agent,
+    })
+}
+
 #[debug_handler]
 pub async fn subscribe(
    State(ctx): State<AppContext>,
@@ -62,11 +88,19 @@ pub async fn subscribe(
    Json(payload): Json<PublicSubscriptionPayload>,
 ) -> Result<Response> {
    let email = payload.email.trim().to_ascii_lowercase();
+    let client_ip = abuse_guard::detect_client_ip(&headers);
    abuse_guard::enforce_public_scope(
        "subscription",
-        abuse_guard::detect_client_ip(&headers).as_deref(),
+        client_ip.as_deref(),
        Some(&email),
    )?;
+    let _ = turnstile::verify_if_enabled(
+        &ctx,
+        turnstile::TurnstileScope::Subscription,
+        payload.turnstile_token.as_deref(),
+        client_ip.as_deref(),
+    )
+    .await?;

    let result = subscriptions::create_public_email_subscription(
        &ctx,
@@ -103,6 +137,76 @@ pub async fn subscribe(
    })
 }

+#[debug_handler]
+pub async fn subscribe_browser_push(
+    State(ctx): State<AppContext>,
+    headers: axum::http::HeaderMap,
+    Json(payload): Json<PublicBrowserPushSubscriptionPayload>,
+) -> Result<Response> {
+    let settings = crate::controllers::site_settings::load_current(&ctx).await?;
+    if !crate::services::web_push::is_enabled(&settings) {
+        return Err(Error::BadRequest("浏览器推送未启用".to_string()));
+    }
+
+    let endpoint = payload
+        .subscription
+        .get("endpoint")
+        .and_then(serde_json::Value::as_str)
+        .map(str::trim)
+        .filter(|value| !value.is_empty())
+        .ok_or_else(|| Error::BadRequest("browser push subscription.endpoint 不能为空".to_string()))?
+        .to_string();
+    let client_ip = abuse_guard::detect_client_ip(&headers);
+    let user_agent = headers
+        .get(header::USER_AGENT)
+        .and_then(|value| value.to_str().ok())
+        .map(str::trim)
+        .filter(|value| !value.is_empty())
+        .map(ToString::to_string);
+
+    abuse_guard::enforce_public_scope("browser-push-subscription", client_ip.as_deref(), Some(&endpoint))?;
+    let _ = turnstile::verify_if_enabled(
+        &ctx,
+        turnstile::TurnstileScope::Subscription,
+        payload.turnstile_token.as_deref(),
+        client_ip.as_deref(),
+    )
+    .await?;
+
+    let result = subscriptions::create_public_web_push_subscription(
+        &ctx,
+        payload.subscription.clone(),
+        Some(public_browser_push_metadata(
+            payload.source,
+            payload.subscription,
+            user_agent,
+        )),
+    )
+    .await?;
+
+    admin_audit::log_event(
+        &ctx,
+        None,
+        "subscription.public.web_push.active",
+        "subscription",
+        Some(result.subscription.id.to_string()),
+        Some(result.subscription.target.clone()),
+        Some(serde_json::json!({
+            "channel_type": result.subscription.channel_type,
+            "status": result.subscription.status,
+        })),
+    )
+    .await?;
+
+    format::json(PublicSubscriptionResponse {
+        ok: true,
+        subscription_id: result.subscription.id,
+        status: result.subscription.status,
+        requires_confirmation: false,
+        message: result.message,
+    })
+}
+
 #[debug_handler]
 pub async fn confirm(
    State(ctx): State<AppContext>,
@@ -196,6 +300,7 @@ pub fn routes() -> Routes {
    Routes::new()
        .prefix("/api/subscriptions")
        .add("/", post(subscribe))
+        .add("/browser-push", post(subscribe_browser_push))
        .add("/confirm", post(confirm))
        .add("/manage", get(manage).patch(update_manage))
        .add("/unsubscribe", post(unsubscribe))