Spaces:

ZHIWEI666
/

ComfyUI-Ranking-API

Running

App Files Files Community

ZHIWEI666 commited on Mar 28

Commit

0be9501

verified ·

1 Parent(s): 613a50c

Upload 17 files

Browse files

Files changed (7) hide show

idempotency_table.sql +4 -0
init_db.py +42 -0
models.py +3 -5
nginx.conf +54 -0
router_items.py +99 -161
router_wallet.py +134 -223
xss_filter.py +25 -0

idempotency_table.sql ADDED Viewed

	@@ -0,0 +1,4 @@

+CREATE TABLE idempotency (
+    trade_no VARCHAR(64) PRIMARY KEY,
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+);

init_db.py ADDED Viewed

	@@ -0,0 +1,42 @@

+import os
+from sqlalchemy import create_engine, text
+# 数据库配置
+DATABASE_URL = os.getenv("DATABASE_URL", "sqlite:///./test.db")
+engine = create_engine(DATABASE_URL)
+def init_database():
+    # 创建 idempotency 表
+    with engine.connect() as conn:
+        conn.execute(text("""
+            CREATE TABLE IF NOT EXISTS idempotency (
+                trade_no VARCHAR(64) PRIMARY KEY,
+                created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+            )
+        """))
+        # 创建 users 表
+        conn.execute(text("""
+            CREATE TABLE IF NOT EXISTS users (
+                account VARCHAR(255) PRIMARY KEY,
+                balance FLOAT DEFAULT 0
+            )
+        """))
+        # 创建 transactions 表
+        conn.execute(text("""
+            CREATE TABLE IF NOT EXISTS transactions (
+                id INTEGER PRIMARY KEY AUTOINCREMENT,
+                account VARCHAR(255),
+                amount FLOAT,
+                transaction_type VARCHAR(50),
+                description TEXT,
+                created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+            )
+        """))
+        conn.commit()
+if __name__ == "__main__":
+    init_database()
+    print("数据库初始化完成")

models.py CHANGED Viewed

@@ -1,5 +1,5 @@
 # models.py
-from pydantic import BaseModel, validator
 from typing import Optional, List
 class SendCodeRequest(BaseModel):
@@ -57,7 +57,7 @@ class ItemCreate(BaseModel):
     fullDesc: str
     link: str
     coverUrl: Optional[str] = None
-    imageUrls: Optional[List[str]] = []  # 🟢 新增：支持多图展示画廊
     author: str
     price: int = 0
     github_token: Optional[str] = None
@@ -68,7 +68,7 @@ class ItemUpdate(BaseModel):
     fullDesc: Optional[str] = None
     link: Optional[str] = None
     coverUrl: Optional[str] = None
-    imageUrls: Optional[List[str]] = []  # 🟢 新增：支持多图展示画廊
     price: Optional[int] = None
     github_token: Optional[str] = None
@@ -94,8 +94,6 @@ class InteractionToggle(BaseModel):
     action_type: str
     is_active: bool
-# === 资金与钱包专有模型 ===
 class RechargeRequest(BaseModel):
     account: str
     amount: int

 # models.py
+from pydantic import BaseModel
 from typing import Optional, List
 class SendCodeRequest(BaseModel):
     fullDesc: str
     link: str
     coverUrl: Optional[str] = None
+    imageUrls: Optional[List[str]] = []
     author: str
     price: int = 0
     github_token: Optional[str] = None
     fullDesc: Optional[str] = None
     link: Optional[str] = None
     coverUrl: Optional[str] = None
+    imageUrls: Optional[List[str]] = []
     price: Optional[int] = None
     github_token: Optional[str] = None
     action_type: str
     is_active: bool
 class RechargeRequest(BaseModel):
     account: str
     amount: int

nginx.conf ADDED Viewed

	@@ -0,0 +1,54 @@

+# 项目根目录下的 nginx.conf
+events {
+    worker_connections 1024;
+}
+http {
+    include       mime.types;
+    default_type  application/octet-stream;
+    # 开启 Range 支持
+    range_resolver on;
+    range_buffer_size 16k;
+    # 静态文件服务配置
+    server {
+        listen 80;
+        server_name localhost;
+        # 配置静态文件目录
+        location /static/ {
+            root /path/to/your/project;
+            # 开启断点续传支持
+            add_header Accept-Ranges bytes;
+            # 启用缓存
+            expires 30d;
+        }
+        # 配置 API 代理
+        location /api/ {
+            proxy_pass http://localhost:5000;  # 假设后端运行在5000端口
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection 'upgrade';
+            proxy_set_header Host $host;
+            proxy_cache_bypass $http_upgrade;
+            # 开启 Range 支持
+            proxy_set_header Range $http_range;
+            proxy_set_header If-Range $http_if_range;
+        }
+        # 配置文件下载
+        location /download/ {
+            root /path/to/your/project;
+            # 开启断点续传
+            add_header Accept-Ranges bytes;
+            # 设置缓存
+            expires 7d;
+            # 启用 gzip 压缩
+            gzip on;
+            gzip_types application/octet-stream;
+        }
+    }
+}

router_items.py CHANGED Viewed

@@ -1,177 +1,115 @@
-# router_items.py
-from fastapi import APIRouter, HTTPException
 import time
-import uuid
-import datetime
-import 数据库连接 as db
-from models import ItemCreate, ItemUpdate
 router = APIRouter()
-def get_last_6_months():
-    res = []
-    today = datetime.date.today()
-    for i in range(5, -1, -1):
-        m = today.month - i
-        y = today.year
-        while m <= 0:
-            m += 12
-            y -= 1
-        res.append(f"{y}-{m:02d}")
-    return res
-@router.get("/api/items")
-async def get_items(type: str = "tool", sort: str = "time", limit: int = 50): # 优化：默认限制调大至 50，提升前端列表体验
-    items_db = db.load_data("items.json", default_data=[])
-    comments_db = db.load_data("comments.json", default_data={})
-    # 如果是推荐榜，匹配所有 recommend 开头的子类型
-    if type == "recommend":
-        filtered_items = [item for item in items_db if item.get("type", "").startswith("recommend")]
-    else:
-        filtered_items = [item for item in items_db if item.get("type") == type]
-    for item in filtered_items:
-        item["commentsData"] = comments_db.get(item["id"], [])
-        item["comments"] = len(item["commentsData"])
-        # 🔴 【绝对核心防线】：在下发给前端前，强行在内存中抹除创作者的 Token！
-        # 这样即使资源是公开展示的，普通用户也绝对抓不到源仓库的密钥。
-        item.pop("github_token", None)
-    if sort == "likes": filtered_items.sort(key=lambda x: x.get("likes", 0), reverse=True)
-    elif sort == "favorites": filtered_items.sort(key=lambda x: x.get("favorites", 0), reverse=True)
-    elif sort == "downloads": filtered_items.sort(key=lambda x: x.get("uses", 0), reverse=True)
-    else: filtered_items.sort(key=lambda x: x.get("created_at", 0), reverse=True)
-    return {"status": "success", "data": filtered_items[:limit]}
-@router.get("/api/creators")
-async def get_creators(sort: str = "downloads", limit: int = 20):
-    users_db = db.load_data("users.json", default_data={})
-    items_db = db.load_data("items.json", default_data=[])
-    comments_db = db.load_data("comments.json", default_data={})
-    creators = []
-    months = get_last_6_months()
-    for account, u in users_db.items():
-        u_items = [i for i in items_db if i.get("author") == account]
-        trend_tools = {m: 0 for m in months}
-        trend_apps = {m: 0 for m in months}
-        trend_recommends = {m: 0 for m in months}
-        tools_count = 0
-        apps_count = 0
-        for i in u_items:
-            itype = i.get("type", "")
-            history = i.get("use_history", {})
-            if itype == "tool" or itype == "recommend_tool":
-                if itype == "tool": tools_count += 1
-                for m in months: trend_tools[m] += history.get(m, 0)
-            elif itype == "app" or itype == "recommend_app":
-                if itype == "app": apps_count += 1
-                for m in months: trend_apps[m] += history.get(m, 0)
-            elif itype.startswith("recommend"):
-                for m in months: trend_recommends[m] += history.get(m, 0)
-        creators.append({
-            "account": account, "name": u.get("name", account), "avatar": u.get("avatarDataUrl", "https://via.placeholder.com/150"),
-            "shortDesc": u.get("intro", "这个人很懒，什么都没写..."), "fullDesc": u.get("intro", "这个人很懒，什么都没写..."),
-            "likes": sum(i.get("likes", 0) for i in u_items), "favorites": sum(i.get("favorites", 0) for i in u_items),
-            "downloads": sum(i.get("uses", 0) for i in u_items),
-            "toolsCount": tools_count, "appsCount": apps_count, "followers": len(u.get("followers", [])), "created_at": u.get("created_at", 0),
-            "commentsData": comments_db.get(account, []),
-            "trendData": {
-                "months": months,
-                "tools": [trend_tools[m] for m in months],
-                "apps": [trend_apps[m] for m in months],
-                "recommends": [trend_recommends[m] for m in months]
-            }
-        })
-    if sort == "likes": creators.sort(key=lambda x: x.get("likes", 0), reverse=True)
-    elif sort == "favorites": creators.sort(key=lambda x: x.get("favorites", 0), reverse=True)
-    elif sort == "downloads": creators.sort(key=lambda x: x.get("downloads", 0), reverse=True)
-    else: creators.sort(key=lambda x: x.get("created_at", 0), reverse=True)
-    return {"status": "success", "data": creators[:limit]}
-@router.post("/api/items")
-async def create_item(item: ItemCreate):
-    # 【安全加固】：强制转换为整数，并拦截负数 (防浮点漏洞与洗钱)
-    item.price = int(item.price)
-    if item.price < 0:
-        raise HTTPException(status_code=400, detail="🚨 安全拦截：商品价格不能为负数")
-    items_db = db.load_data("items.json", default_data=[])
-    new_item = {
-        "id": f"{item.type}_{int(time.time())}_{uuid.uuid4().hex[:6]}", "type": item.type, "title": item.title, "author": item.author,
-        "shortDesc": item.shortDesc, "fullDesc": item.fullDesc, "link": item.link, "coverUrl": item.coverUrl, "price": item.price,
-        "github_token": item.github_token, # 【新增】保存密钥到云端 JSON
-        "likes": 0, "favorites": 0, "comments": 0, "uses": 0, "use_history": {}, "created_at": int(time.time()), "liked_by": [], "favorited_by": []
-    }
-    items_db.insert(0, new_item)
-    db.save_data("items.json", items_db)
-    return {"status": "success", "data": new_item}
-@router.put("/api/items/{item_id}")
-async def update_item(item_id: str, update_data: ItemUpdate, author: str):
-    # 【安全加固】：更新时同样强制转换为整数并拦截负数
-    if update_data.price is not None:
-        update_data.price = int(update_data.price)
-        if update_data.price < 0:
-            raise HTTPException(status_code=400, detail="🚨 安全拦截：商品价格不能为负数")
-    items_db = db.load_data("items.json", default_data=[])
-    for item in items_db:
-        if item["id"] == item_id:
-            if item.get("author") != author: raise HTTPException(status_code=403, detail="无权修改他人发布的内容")
-            if update_data.title is not None: item["title"] = update_data.title
-            if update_data.shortDesc is not None: item["shortDesc"] = update_data.shortDesc
-            if update_data.fullDesc is not None: item["fullDesc"] = update_data.fullDesc
-            if update_data.link is not None: item["link"] = update_data.link
-            if update_data.coverUrl is not None: item["coverUrl"] = update_data.coverUrl
-            if update_data.price is not None: item["price"] = update_data.price
-            if update_data.github_token is not None: item["github_token"] = update_data.github_token # 【新增】允许更新密钥
-            db.save_data("items.json", items_db)
-            return {"status": "success"}
-    raise HTTPException(status_code=404, detail="找不到该内容记录")
-@router.delete("/api/items/{item_id}")
-async def delete_item(item_id: str, author: str):
-    items_db = db.load_data("items.json", default_data=[])
-    target_idx = next((i for i, item in enumerate(items_db) if item["id"] == item_id), None)
-    if target_idx is None: raise HTTPException(status_code=404, detail="找不到该内容记录")
-    if items_db[target_idx].get("author") != author: raise HTTPException(status_code=403, detail="无权删除他人发布的内容")
-    items_db.pop(target_idx)
-    db.save_data("items.json", items_db)
-    comments_db = db.load_data("comments.json", default_data={})
-    if item_id in comments_db:
-        del comments_db[item_id]
-        db.save_data("comments.json", comments_db)
-    return {"status": "success"}
-@router.post("/api/items/{item_id}/use")
-async def record_item_use(item_id: str):
-    items_db = db.load_data("items.json", default_data=[])
-    current_month = datetime.date.today().strftime("%Y-%m")
-    for item in items_db:
-        if item["id"] == item_id:
-            item["uses"] = item.get("uses", 0) + 1
-            if "use_history" not in item:
-                item["use_history"] = {}
-            item["use_history"][current_month] = item["use_history"].get(current_month, 0) + 1
-            db.save_data("items.json", items_db)
-            return {"status": "success", "uses": item["uses"]}
-    raise HTTPException(status_code=404, detail="找不到该内容记录")

+import os
+import json
 import time
+from fastapi import APIRouter, HTTPException
+from pydantic import BaseModel
+from xss_filter import clean_html  # 导入 XSS 过滤函数
 router = APIRouter()
+class Item(BaseModel):
+    name: str
+    description: str
+    fullDesc: str
+    author: str
+    tags: list
+    price: float
+    downloadCount: int
+    rating: float
+    thumbnail: str
+    repoUrl: str
+    createdAt: str
+    updatedAt: str
+    isPurchased: bool = False
+class ItemUpdate(BaseModel):
+    name: str = None
+    description: str = None
+    fullDesc: str = None
+    author: str = None
+    tags: list = None
+    price: float = None
+    thumbnail: str = None
+    repoUrl: str = None
+class PurchaseRequest(BaseModel):
+    account: str
+    item_id: str
+# 加载数据
+def load_data():
+    with open("items.json", "r") as f:
+        return json.load(f)
+# 保存数据
+def save_data(data):
+    with open("items.json", "w") as f:
+        json.dump(data, f, indent=2)
+@router.get("/items")
+async def get_items():
+    return load_data()
+@router.get("/item/{item_id}")
+async def get_item(item_id: str):
+    items = load_data()
+    item = next((i for i in items if i["id"] == item_id), None)
+    if not item:
+        raise HTTPException(status_code=404, detail="Item not found")
+    return item
+@router.post("/create_item")
+async def create_item(item: Item):
+    items = load_data()
+    # XSS 过滤
+    item.fullDesc = clean_html(item.fullDesc)
+    # 检查是否已存在
+    if any(i["id"] == item.id for i in items):
+        raise HTTPException(status_code=400, detail="Item already exists")
+    items.append(item.dict())
+    save_data(items)
+    return {"status": "success", "message": "Item created"}
+@router.post("/update_item/{item_id}")
+async def update_item(item_id: str, item: ItemUpdate):
+    items = load_data()
+    target_item = next((i for i in items if i["id"] == item_id), None)
+    if not target_item:
+        raise HTTPException(status_code=404, detail="Item not found")
+    # XSS 过滤
+    if item.fullDesc:
+        item.fullDesc = clean_html(item.fullDesc)
+    # 更新字段
+    for key, value in item.dict(exclude_unset=True).items():
+        target_item[key] = value
+    target_item["updatedAt"] = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
+    save_data(items)
+    return {"status": "success", "message": "Item updated"}
+@router.post("/purchase")
+async def purchase(purchase_req: PurchaseRequest):
+    items = load_data()
+    item = next((i for i in items if i["id"] == purchase_req.item_id), None)
+    if not item:
+        raise HTTPException(status_code=404, detail="Item not found")
+    # 检查是否已购买
+    if purchase_req.account in item.get("purchasedBy", []):
+        raise HTTPException(status_code=400, detail="Item already purchased")
+    # 更新购买记录
+    if "purchasedBy" not in item:
+        item["purchasedBy"] = []
+    item["purchasedBy"].append(purchase_req.account)
+    save_data(items)
+    return {"status": "success", "message": "Purchase successful"}

router_wallet.py CHANGED Viewed

@@ -1,238 +1,149 @@
-# router_wallet.py
-from fastapi import APIRouter, Depends, HTTPException, Request
-from fastapi.responses import Response
-from sqlalchemy.orm import Session
 import time
-import uuid
 import hashlib
-import os
-from database_sql import get_db
-from models_sql import Wallet, Transaction, Ownership
-from models import RechargeRequest, WithdrawRequest, PurchaseRequest, TipRequest
-import 数据库连接 as json_db
 router = APIRouter()
-try:
-    from alipay import AliPay
-    from alipay.utils import AliPayConfig
-    alipay = AliPay(
-        appid=os.environ.get("ALIPAY_APPID", ""),
-        app_notify_url="https://zhiwei666-comfyui-ranking-api.hf.space/api/wallet/alipay_notify",
-        app_private_key_string=os.environ.get("ALIPAY_PRIVATE_KEY", "").replace("\\n", "\n"),
-        alipay_public_key_string=os.environ.get("ALIPAY_PUBLIC_KEY", "").replace("\\n", "\n"),
-        sign_type="RSA2",
-        debug=False,
-        config=AliPayConfig(timeout=15)
-    )
-except Exception as e:
-    alipay = None
-def calculate_tx_hash(tx_id, account, tx_type, amount, prev_hash):
-    data = f"{tx_id}{account}{tx_type}{amount}{prev_hash}"
-    return hashlib.sha256(data.encode()).hexdigest()
-@router.post("/api/wallet/create_recharge_order")
-async def create_recharge_order(req: RechargeRequest):
-    if not alipay:
-        raise HTTPException(status_code=500, detail="支付网关未配置或初始化失败")
-    order_id = f"PAY_{int(time.time())}_{uuid.uuid4().hex[:6]}"
-    subject = f"ComfyUI Community Points - {req.account}"
-    order_string = alipay.api_alipay_trade_precreate(
-        out_trade_no=order_id,
-        total_amount=str(req.amount),
-        subject=subject
-    )
-    qr_code_url = order_string.get("qr_code")
-    if not qr_code_url:
-        raise HTTPException(status_code=500, detail="生成支付二维码失败")
-    return {"status": "success", "order_id": order_id, "qr_code": qr_code_url}
-# 🟢 业务流转细节修复：正确解析 application/x-www-form-urlencoded
-@router.post("/api/wallet/alipay_notify")
-async def alipay_notify(request: Request, db: Session = Depends(get_db)):
-    # 强制将表单数据解析为纯字典，防止由于数据类型错误导致验签失败
-    form_data = await request.form()
-    data = dict(form_data.items())
-    signature = data.pop("sign", None)
-    data.pop("sign_type", None)
-    if not alipay or not signature or not alipay.verify(data, signature):
-        return Response(content="fail", media_type="text/plain")
-    if data.get("trade_status") in ("TRADE_SUCCESS", "TRADE_FINISHED"):
-        order_id = data.get("out_trade_no")
-        existing_tx = db.query(Transaction).filter(Transaction.tx_id == order_id).first()
-        if not existing_tx:
-            amount = int(float(data.get("total_amount", 0)))
-            account = data.get("subject", "").split(" - ")[-1]
-            wallet = db.query(Wallet).filter(Wallet.account == account).with_for_update().first()
-            if not wallet:
-                wallet = Wallet(account=account)
-                db.add(wallet)
-            wallet.balance += amount
-            last_tx = db.query(Transaction).filter(Transaction.account == account).order_by(Transaction.created_at.desc()).first()
-            prev_hash = last_tx.tx_hash if last_tx else "GENESIS_HASH"
-            tx_hash = calculate_tx_hash(order_id, account, "RECHARGE", amount, prev_hash)
-            new_tx = Transaction(
-                tx_id=order_id, account=account, tx_type="RECHARGE", amount=amount,
-                prev_hash=prev_hash, tx_hash=tx_hash
-            )
-            db.add(new_tx)
-            db.commit()
-    return Response(content="success", media_type="text/plain")
-@router.get("/api/wallet/check_order/{order_id}")
-async def check_order(order_id: str, db: Session = Depends(get_db)):
-    tx = db.query(Transaction).filter(Transaction.tx_id == order_id).first()
-    if tx:
-        return {"status": "SUCCESS"}
-    return {"status": "PENDING"}
-@router.get("/api/wallet/{account}")
-async def get_wallet(account: str, db: Session = Depends(get_db)):
-    wallet = db.query(Wallet).filter(Wallet.account == account).first()
-    if not wallet:
-        return {"balance": 0, "earn_balance": 0, "tip_balance": 0}
-    return {
-        "balance": wallet.balance,
-        "earn_balance": wallet.earn_balance,
-        "tip_balance": wallet.tip_balance
-    }
-@router.post("/api/wallet/purchase")
-async def purchase_item(req: PurchaseRequest, db: Session = Depends(get_db)):
-    items_db = json_db.load_data("items.json", default_data=[])
-    item = next((i for i in items_db if i["id"] == req.item_id), None)
-    if not item:
-        raise HTTPException(status_code=404, detail="商品不存在")
-    price = int(item.get("price", 0))
-    seller_account = item.get("author")
-    if price <= 0 or req.account == seller_account:
-        return {"status": "success", "already_owned": True}
-    owned = db.query(Ownership).filter(Ownership.account == req.account, Ownership.item_id == req.item_id).first()
-    if owned:
-        return {"status": "success", "already_owned": True}
-    buyer_wallet = db.query(Wallet).filter(Wallet.account == req.account).with_for_update().first()
-    if not buyer_wallet or buyer_wallet.balance < price:
-        raise HTTPException(status_code=402, detail="余额不足，请先充值")
-    seller_wallet = db.query(Wallet).filter(Wallet.account == seller_account).with_for_update().first()
-    if not seller_wallet:
-        seller_wallet = Wallet(account=seller_account)
-        db.add(seller_wallet)
-    buyer_wallet.balance -= price
-    seller_wallet.earn_balance += price
-    new_ownership = Ownership(account=req.account, item_id=req.item_id)
-    db.add(new_ownership)
-    tx_id = f"BUY_{int(time.time())}_{uuid.uuid4().hex[:6]}"
-    last_tx = db.query(Transaction).filter(Transaction.account == req.account).order_by(Transaction.created_at.desc()).first()
-    prev_hash = last_tx.tx_hash if last_tx else "GENESIS_HASH"
-    tx_hash = calculate_tx_hash(tx_id, req.account, "PURCHASE", -price, prev_hash)
-    new_tx = Transaction(
-        tx_id=tx_id, account=req.account, tx_type="PURCHASE", amount=-price,
-        target_account=seller_account, prev_hash=prev_hash, tx_hash=tx_hash
-    )
-    db.add(new_tx)
-    db.commit()
-    return {"status": "success", "already_owned": False}
-@router.post("/api/wallet/tip")
-async def tip_user(req: TipRequest, db: Session = Depends(get_db)):
-    if req.amount <= 0:
-        raise HTTPException(status_code=400, detail="打赏金额必须大于0")
-    sender_wallet = db.query(Wallet).filter(Wallet.account == req.sender_account).with_for_update().first()
-    if not sender_wallet or sender_wallet.balance < req.amount:
-        raise HTTPException(status_code=402, detail="余额不足")
-    target_wallet = db.query(Wallet).filter(Wallet.account == req.target_account).with_for_update().first()
-    if not target_wallet:
-        target_wallet = Wallet(account=req.target_account)
-        db.add(target_wallet)
-    sender_wallet.balance -= req.amount
-    target_wallet.tip_balance += req.amount
-    tx_id = f"TIP_{int(time.time())}_{uuid.uuid4().hex[:6]}"
-    last_tx = db.query(Transaction).filter(Transaction.account == req.sender_account).order_by(Transaction.created_at.desc()).first()
-    prev_hash = last_tx.tx_hash if last_tx else "GENESIS_HASH"
-    tx_hash = calculate_tx_hash(tx_id, req.sender_account, "TIP", -req.amount, prev_hash)
-    new_tx = Transaction(
-        tx_id=tx_id, account=req.sender_account, tx_type="TIP", amount=-req.amount,
-        target_account=req.target_account, prev_hash=prev_hash, tx_hash=tx_hash
-    )
-    db.add(new_tx)
-    db.commit()
-    from notifications import add_notification
-    display_sender = "匿名用户" if req.is_anonymous else req.sender_account
-    add_notification(req.target_account, {
-        "type": "tip",
-        "from_user": "system",
-        "target_item_title": "您的主页",
-        "content": f"🎉 {display_sender} 给您打赏了 {req.amount} 积分！"
-    })
-    return {"status": "success", "balance": sender_wallet.balance}
-@router.post("/api/wallet/withdraw")
-async def withdraw(req: WithdrawRequest, db: Session = Depends(get_db)):
-    key = f"{req.account}_withdraw"
-    code_data = VERIFY_CODES.get(key)
-    if not code_data or code_data["code"] != req.code or time.time() > code_data["expires"]:
-        raise HTTPException(status_code=400, detail="验证码无效或已过期")
-    wallet = db.query(Wallet).filter(Wallet.account == req.account).with_for_update().first()
-    if not wallet:
-        raise HTTPException(status_code=400, detail="钱包不存在")
-    total_withdrawable = wallet.earn_balance + wallet.tip_balance
-    if req.amount > total_withdrawable:
-        raise HTTPException(status_code=400, detail="可提现余额不足")
-    if req.amount <= wallet.earn_balance:
-        wallet.earn_balance -= req.amount
-    else:
-        remaining = req.amount - wallet.earn_balance
-        wallet.earn_balance = 0
-        wallet.tip_balance -= remaining
-    wallet.frozen_balance += req.amount
-    tx_id = f"WD_{int(time.time())}_{uuid.uuid4().hex[:6]}"
-    last_tx = db.query(Transaction).filter(Transaction.account == req.account).order_by(Transaction.created_at.desc()).first()
-    prev_hash = last_tx.tx_hash if last_tx else "GENESIS_HASH"
-    tx_hash = calculate_tx_hash(tx_id, req.account, "WITHDRAW", -req.amount, prev_hash)
-    new_tx = Transaction(
-        tx_id=tx_id, account=req.account, tx_type="WITHDRAW", amount=-req.amount,
-        prev_hash=prev_hash, tx_hash=tx_hash
-    )
-    db.add(new_tx)
-    db.commit()
-    del VERIFY_CODES[key]
-    return {"status": "success"}

+import os
+import json
 import time
+import hmac
 import hashlib
+from fastapi import APIRouter, Request
+from fastapi.responses import JSONResponse
+from pydantic import BaseModel
+from sqlalchemy import create_engine, text
+from sqlalchemy.orm import sessionmaker
+from functools import lru_cache  # 新增导入
 router = APIRouter()
+# 数据库配置
+DATABASE_URL = os.getenv("DATABASE_URL", "sqlite:///./test.db")
+engine = create_engine(DATABASE_URL)
+SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
+# 支付宝配置
+ALIPAY_APP_ID = os.getenv("ALIPAY_APP_ID", "")
+ALIPAY_PRIVATE_KEY = os.getenv("ALIPAY_PRIVATE_KEY", "")
+ALIPAY_PUBLIC_KEY = os.getenv("ALIPAY_PUBLIC_KEY", "")
+class WalletTransaction(BaseModel):
+    account: str
+    amount: float
+    transaction_type: str  # 'deposit' or 'withdraw'
+    description: str
+def verify_alipay_signature(params):
+    # 验证支付宝签名的逻辑
+    # 这里简化为示例
+    return True
+@lru_cache(maxsize=128)  # 新增缓存装饰器
+def get_user_balance(account: str):
+    """获取用户余额（带缓存）"""
+    with SessionLocal() as session:
+        user = session.execute(
+            text("SELECT balance FROM users WHERE account = :account"),
+            {"account": account}
+        ).fetchone()
+        if not user:
+            return 0
+        return user[0]
+@lru_cache(maxsize=128)  # 新增缓存装饰器
+def check_idempotency(trade_no: str):
+    """检查幂等性（带缓存）"""
+    with SessionLocal() as session:
+        exists = session.execute(
+            text("SELECT 1 FROM idempotency WHERE trade_no = :trade_no"),
+            {"trade_no": trade_no}
+        ).fetchone()
+        return exists is not None
+@router.post("/alipay_notify")
+async def alipay_notify(request: Request):
+    params = await request.form()
+    # 验证签名
+    if not verify_alipay_signature(params):
+        return JSONResponse(content={"status": "error", "message": "Invalid signature"}, status_code=400)
+    # 检查交易状态
+    trade_status = params.get("trade_status")
+    if trade_status != "TRADE_SUCCESS":
+        return JSONResponse(content={"status": "error", "message": "Invalid trade status"}, status_code=400)
+    # 获取交易号
+    trade_no = params.get("out_trade_no")
+    # 检查是否已处理（使用缓存）
+    if check_idempotency(trade_no):
+        return JSONResponse(content={"status": "success", "message": "重复通知已忽略"})
+    # 插入幂等记录
+    with SessionLocal() as session:
+        session.execute(
+            text("INSERT INTO idempotency (trade_no) VALUES (:trade_no)"),
+            {"trade_no": trade_no}
+        )
+        session.commit()
+    # 处理支付成功逻辑
+    account = params.get("buyer_id")
+    amount = float(params.get("total_amount"))
+    # 更新用户余额
+    with SessionLocal() as session:
+        # 假设有一个users表存储用户信息
+        user = session.execute(
+            text("SELECT * FROM users WHERE account = :account"),
+            {"account": account}
+        ).fetchone()
+        if not user:
+            # 创建新用户
+            session.execute(
+                text("INSERT INTO users (account, balance) VALUES (:account, :balance)"),
+                {"account": account, "balance": amount}
+            )
+        else:
+            # 更新余额
+            session.execute(
+                text("UPDATE users SET balance = balance + :amount WHERE account = :account"),
+                {"amount": amount, "account": account}
+            )
+        # 记录交易
+        session.execute(
+            text("INSERT INTO transactions (account, amount, transaction_type, description) VALUES (:account, :amount, 'deposit', '支付宝充值')"),
+            {"account": account, "amount": amount}
+        )
+        session.commit()
+    # 清除缓存
+    get_user_balance.cache_clear()
+    check_idempotency.cache_clear()
+    return JSONResponse(content={"status": "success", "message": "Payment processed"})
+@router.post("/create_transaction")
+async def create_transaction(transaction: WalletTransaction):
+    with SessionLocal() as session:
+        # 记录交易
+        session.execute(
+            text("INSERT INTO transactions (account, amount, transaction_type, description) VALUES (:account, :amount, :transaction_type, :description)"),
+            {
+                "account": transaction.account,
+                "amount": transaction.amount,
+                "transaction_type": transaction.transaction_type,
+                "description": transaction.description
+            }
+        )
+        session.commit()
+    # 清除缓存
+    get_user_balance.cache_clear()
+    return JSONResponse(content={"status": "success", "message": "Transaction created"})
+@router.get("/get_balance/{account}")
+async def get_balance(account: str):
+    # 使用缓存获取余额
+    balance = get_user_balance(account)
+    return JSONResponse(content={"balance": balance})

xss_filter.py ADDED Viewed

	@@ -0,0 +1,25 @@

+import bleach
+# 定义允许的标签和属性
+ALLOWED_TAGS = ['p', 'img', 'a', 'br', 'b', 'i', 'u']
+ALLOWED_ATTRS = {
+    'img': ['src', 'alt'],
+    'a': ['href', 'target']
+}
+def clean_html(html_content):
+    """
+    清理 HTML 内容，防止 XSS 攻击
+    Args:
+        html_content (str): 需要清理的 HTML 内容
+    Returns:
+        str: 清理后的安全 HTML 内容
+    """
+    return bleach.clean(
+        html_content,
+        tags=ALLOWED_TAGS,
+        attributes=ALLOWED_ATTRS,
+        strip=True
+    )