Upload 14 files

requirements.txt

@@ -9,5 +9,4 @@ sqlalchemy
 psycopg2-binary
 httpx
 python-alipay-sdk
-aiofiles
-bleach
+aiofiles

router_items.py

@@ -1,115 +1,177 @@
-import os
-import json
-import time
+# router_items.py
 from fastapi import APIRouter, HTTPException
-from pydantic import BaseModel
-from xss_filter import clean_html  # 导入 XSS 过滤函数
+import time
+import uuid
+import datetime
+import 数据库连接 as db
+from models import ItemCreate, ItemUpdate
 
 router = APIRouter()
 
-class Item(BaseModel):
-    name: str
-    description: str
-    fullDesc: str
-    author: str
-    tags: list
-    price: float
-    downloadCount: int
-    rating: float
-    thumbnail: str
-    repoUrl: str
-    createdAt: str
-    updatedAt: str
-    isPurchased: bool = False
-
-class ItemUpdate(BaseModel):
-    name: str = None
-    description: str = None
-    fullDesc: str = None
-    author: str = None
-    tags: list = None
-    price: float = None
-    thumbnail: str = None
-    repoUrl: str = None
-
-class PurchaseRequest(BaseModel):
-    account: str
-    item_id: str
-
-# 加载数据
-def load_data():
-    with open("items.json", "r") as f:
-        return json.load(f)
-
-# 保存数据
-def save_data(data):
-    with open("items.json", "w") as f:
-        json.dump(data, f, indent=2)
-
-@router.get("/items")
-async def get_items():
-    return load_data()
-
-@router.get("/item/{item_id}")
-async def get_item(item_id: str):
-    items = load_data()
-    item = next((i for i in items if i["id"] == item_id), None)
-    if not item:
-        raise HTTPException(status_code=404, detail="Item not found")
-    return item
+def get_last_6_months():
+    res = []
+    today = datetime.date.today()
+    for i in range(5, -1, -1):
+        m = today.month - i
+        y = today.year
+        while m <= 0:
+            m += 12
+            y -= 1
+        res.append(f"{y}-{m:02d}")
+    return res
 
-@router.post("/create_item")
-async def create_item(item: Item):
-    items = load_data()
+@router.get("/api/items")
+async def get_items(type: str = "tool", sort: str = "time", limit: int = 50): # 优化：默认限制调大至 50，提升前端列表体验
+    items_db = db.load_data("items.json", default_data=[])
+    comments_db = db.load_data("comments.json", default_data={})
     
-    # XSS 过滤
-    item.fullDesc = clean_html(item.fullDesc)
+    # 如果是推荐榜，匹配所有 recommend 开头的子类型
+    if type == "recommend":
+        filtered_items = [item for item in items_db if item.get("type", "").startswith("recommend")]
+    else:
+        filtered_items = [item for item in items_db if item.get("type") == type]
+        
+    for item in filtered_items:
+        item["commentsData"] = comments_db.get(item["id"], [])
+        item["comments"] = len(item["commentsData"])
+        
+        # 🔴 【绝对核心防线】：在下发给前端前，强行在内存中抹除创作者的 Token！
+        # 这样即使资源是公开展示的，普通用户也绝对抓不到源仓库的密钥。
+        item.pop("github_token", None)
+        
+    if sort == "likes": filtered_items.sort(key=lambda x: x.get("likes", 0), reverse=True)
+    elif sort == "favorites": filtered_items.sort(key=lambda x: x.get("favorites", 0), reverse=True)
+    elif sort == "downloads": filtered_items.sort(key=lambda x: x.get("uses", 0), reverse=True)
+    else: filtered_items.sort(key=lambda x: x.get("created_at", 0), reverse=True)
     
-    # 检查是否已存在
-    if any(i["id"] == item.id for i in items):
-        raise HTTPException(status_code=400, detail="Item already exists")
-    
-    items.append(item.dict())
-    save_data(items)
-    return {"status": "success", "message": "Item created"}
+    return {"status": "success", "data": filtered_items[:limit]}
 
-@router.post("/update_item/{item_id}")
-async def update_item(item_id: str, item: ItemUpdate):
-    items = load_data()
-    target_item = next((i for i in items if i["id"] == item_id), None)
-    
-    if not target_item:
-        raise HTTPException(status_code=404, detail="Item not found")
+@router.get("/api/creators")
+async def get_creators(sort: str = "downloads", limit: int = 20):
+    users_db = db.load_data("users.json", default_data={})
+    items_db = db.load_data("items.json", default_data=[])
+    comments_db = db.load_data("comments.json", default_data={})
     
-    # XSS 过滤
-    if item.fullDesc:
-        item.fullDesc = clean_html(item.fullDesc)
+    creators = []
+    months = get_last_6_months()
     
-    # 更新字段
-    for key, value in item.dict(exclude_unset=True).items():
-        target_item[key] = value
-    
-    target_item["updatedAt"] = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime())
+    for account, u in users_db.items():
+        u_items = [i for i in items_db if i.get("author") == account]
+        
+        trend_tools = {m: 0 for m in months}
+        trend_apps = {m: 0 for m in months}
+        trend_recommends = {m: 0 for m in months}
+        tools_count = 0
+        apps_count = 0
+        
+        for i in u_items:
+            itype = i.get("type", "")
+            history = i.get("use_history", {})
+            if itype == "tool" or itype == "recommend_tool": 
+                if itype == "tool": tools_count += 1
+                for m in months: trend_tools[m] += history.get(m, 0)
+            elif itype == "app" or itype == "recommend_app": 
+                if itype == "app": apps_count += 1
+                for m in months: trend_apps[m] += history.get(m, 0)
+            elif itype.startswith("recommend"):
+                for m in months: trend_recommends[m] += history.get(m, 0)
+
+        creators.append({
+            "account": account, "name": u.get("name", account), "avatar": u.get("avatarDataUrl", "https://via.placeholder.com/150"),
+            "shortDesc": u.get("intro", "这个人很懒，什么都没写..."), "fullDesc": u.get("intro", "这个人很懒，什么都没写..."),
+            "likes": sum(i.get("likes", 0) for i in u_items), "favorites": sum(i.get("favorites", 0) for i in u_items), 
+            "downloads": sum(i.get("uses", 0) for i in u_items), 
+            "toolsCount": tools_count, "appsCount": apps_count, "followers": len(u.get("followers", [])), "created_at": u.get("created_at", 0),
+            "commentsData": comments_db.get(account, []), 
+            "trendData": {
+                "months": months,
+                "tools": [trend_tools[m] for m in months], 
+                "apps": [trend_apps[m] for m in months],
+                "recommends": [trend_recommends[m] for m in months]
+            }
+        })
+        
+    if sort == "likes": creators.sort(key=lambda x: x.get("likes", 0), reverse=True)
+    elif sort == "favorites": creators.sort(key=lambda x: x.get("favorites", 0), reverse=True)
+    elif sort == "downloads": creators.sort(key=lambda x: x.get("downloads", 0), reverse=True)
+    else: creators.sort(key=lambda x: x.get("created_at", 0), reverse=True)
     
-    save_data(items)
-    return {"status": "success", "message": "Item updated"}
+    return {"status": "success", "data": creators[:limit]}
 
-@router.post("/purchase")
-async def purchase(purchase_req: PurchaseRequest):
-    items = load_data()
-    item = next((i for i in items if i["id"] == purchase_req.item_id), None)
+@router.post("/api/items")
+async def create_item(item: ItemCreate):
+    # 【安全加固】：强制转换为整数，并拦截负数 (防浮点漏洞与洗钱)
+    item.price = int(item.price)
+    if item.price < 0:
+        raise HTTPException(status_code=400, detail="🚨 安全拦截：商品价格不能为负数")
+        
+    items_db = db.load_data("items.json", default_data=[])
+    new_item = {
+        "id": f"{item.type}_{int(time.time())}_{uuid.uuid4().hex[:6]}", "type": item.type, "title": item.title, "author": item.author,
+        "shortDesc": item.shortDesc, "fullDesc": item.fullDesc, "link": item.link, "coverUrl": item.coverUrl, "price": item.price, 
+        "github_token": item.github_token, # 【新增】保存密钥到云端 JSON
+        "likes": 0, "favorites": 0, "comments": 0, "uses": 0, "use_history": {}, "created_at": int(time.time()), "liked_by": [], "favorited_by": []
+    }
+    items_db.insert(0, new_item)
+    db.save_data("items.json", items_db)
+    return {"status": "success", "data": new_item}
+
+@router.put("/api/items/{item_id}")
+async def update_item(item_id: str, update_data: ItemUpdate, author: str):
+    # 【安全加固】：更新时同样强制转换为整数并拦截负数
+    if update_data.price is not None:
+        update_data.price = int(update_data.price)
+        if update_data.price < 0:
+            raise HTTPException(status_code=400, detail="🚨 安全拦截：商品价格不能为负数")
+            
+    items_db = db.load_data("items.json", default_data=[])
+    for item in items_db:
+        if item["id"] == item_id:
+            if item.get("author") != author: raise HTTPException(status_code=403, detail="无权修改他人发布的内容")
+            
+            if update_data.title is not None: item["title"] = update_data.title
+            if update_data.shortDesc is not None: item["shortDesc"] = update_data.shortDesc
+            if update_data.fullDesc is not None: item["fullDesc"] = update_data.fullDesc
+            if update_data.link is not None: item["link"] = update_data.link
+            if update_data.coverUrl is not None: item["coverUrl"] = update_data.coverUrl
+            if update_data.price is not None: item["price"] = update_data.price
+            if update_data.github_token is not None: item["github_token"] = update_data.github_token # 【新增】允许更新密钥
+            
+            db.save_data("items.json", items_db)
+            return {"status": "success"}
+            
+    raise HTTPException(status_code=404, detail="找不到该内容记录")
+
+@router.delete("/api/items/{item_id}")
+async def delete_item(item_id: str, author: str):
+    items_db = db.load_data("items.json", default_data=[])
+    target_idx = next((i for i, item in enumerate(items_db) if item["id"] == item_id), None)
     
-    if not item:
-        raise HTTPException(status_code=404, detail="Item not found")
+    if target_idx is None: raise HTTPException(status_code=404, detail="找不到该内容记录")
+    if items_db[target_idx].get("author") != author: raise HTTPException(status_code=403, detail="无权删除他人发布的内容")
     
-    # 检查是否已购买
-    if purchase_req.account in item.get("purchasedBy", []):
-        raise HTTPException(status_code=400, detail="Item already purchased")
+    items_db.pop(target_idx)
+    db.save_data("items.json", items_db)
     
-    # 更新购买记录
-    if "purchasedBy" not in item:
-        item["purchasedBy"] = []
-    item["purchasedBy"].append(purchase_req.account)
+    comments_db = db.load_data("comments.json", default_data={})
+    if item_id in comments_db:
+        del comments_db[item_id]
+        db.save_data("comments.json", comments_db)
+        
+    return {"status": "success"}
+
+@router.post("/api/items/{item_id}/use")
+async def record_item_use(item_id: str):
+    items_db = db.load_data("items.json", default_data=[])
+    current_month = datetime.date.today().strftime("%Y-%m")
     
-    save_data(items)
-    return {"status": "success", "message": "Purchase successful"}
+    for item in items_db:
+        if item["id"] == item_id:
+            item["uses"] = item.get("uses", 0) + 1
+            if "use_history" not in item:
+                item["use_history"] = {}
+            item["use_history"][current_month] = item["use_history"].get(current_month, 0) + 1
+            db.save_data("items.json", items_db)
+            return {"status": "success", "uses": item["uses"]}
+            
+    raise HTTPException(status_code=404, detail="找不到该内容记录")

router_wallet.py

@@ -1,149 +1,238 @@
-import os
-import json
+# router_wallet.py
+from fastapi import APIRouter, Depends, HTTPException, Request
+from fastapi.responses import Response
+from sqlalchemy.orm import Session
 import time
-import hmac
+import uuid
 import hashlib
-from fastapi import APIRouter, Request
-from fastapi.responses import JSONResponse
-from pydantic import BaseModel
-from sqlalchemy import create_engine, text
-from sqlalchemy.orm import sessionmaker
-from functools import lru_cache  # 新增导入
+import os
+from database_sql import get_db
+from models_sql import Wallet, Transaction, Ownership
+from models import RechargeRequest, WithdrawRequest, PurchaseRequest, TipRequest
+import 数据库连接 as json_db
 
 router = APIRouter()
 
-# 数据库配置
-DATABASE_URL = os.getenv("DATABASE_URL", "sqlite:///./test.db")
-engine = create_engine(DATABASE_URL)
-SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
-
-# 支付宝配置
-ALIPAY_APP_ID = os.getenv("ALIPAY_APP_ID", "")
-ALIPAY_PRIVATE_KEY = os.getenv("ALIPAY_PRIVATE_KEY", "")
-ALIPAY_PUBLIC_KEY = os.getenv("ALIPAY_PUBLIC_KEY", "")
+try:
+    from alipay import AliPay
+    from alipay.utils import AliPayConfig
+    alipay = AliPay(
+        appid=os.environ.get("ALIPAY_APPID", ""),
+        app_notify_url="https://zhiwei666-comfyui-ranking-api.hf.space/api/wallet/alipay_notify",
+        app_private_key_string=os.environ.get("ALIPAY_PRIVATE_KEY", "").replace("\\n", "\n"),
+        alipay_public_key_string=os.environ.get("ALIPAY_PUBLIC_KEY", "").replace("\\n", "\n"),
+        sign_type="RSA2",
+        debug=False,
+        config=AliPayConfig(timeout=15)
+    )
+except Exception as e:
+    alipay = None
 
-class WalletTransaction(BaseModel):
-    account: str
-    amount: float
-    transaction_type: str  # 'deposit' or 'withdraw'
-    description: str
+def calculate_tx_hash(tx_id, account, tx_type, amount, prev_hash):
+    data = f"{tx_id}{account}{tx_type}{amount}{prev_hash}"
+    return hashlib.sha256(data.encode()).hexdigest()
 
-def verify_alipay_signature(params):
-    # 验证支付宝签名的逻辑
-    # 这里简化为示例
-    return True
+@router.post("/api/wallet/create_recharge_order")
+async def create_recharge_order(req: RechargeRequest):
+    if not alipay:
+        raise HTTPException(status_code=500, detail="支付网关未配置或初始化失败")
+    
+    order_id = f"PAY_{int(time.time())}_{uuid.uuid4().hex[:6]}"
+    subject = f"ComfyUI Community Points - {req.account}"
+    
+    order_string = alipay.api_alipay_trade_precreate(
+        out_trade_no=order_id,
+        total_amount=str(req.amount),
+        subject=subject
+    )
+    
+    qr_code_url = order_string.get("qr_code")
+    if not qr_code_url:
+        raise HTTPException(status_code=500, detail="生成支付二维码失败")
+        
+    return {"status": "success", "order_id": order_id, "qr_code": qr_code_url}
 
-@lru_cache(maxsize=128)  # 新增缓存装饰器
-def get_user_balance(account: str):
-    """获取用户余额（带缓存）"""
-    with SessionLocal() as session:
-        user = session.execute(
-            text("SELECT balance FROM users WHERE account = :account"),
-            {"account": account}
-        ).fetchone()
+# 🟢 业务流转细节修复：正确解析 application/x-www-form-urlencoded
+@router.post("/api/wallet/alipay_notify")
+async def alipay_notify(request: Request, db: Session = Depends(get_db)):
+    # 强制将表单数据解析为纯字典，防止由于数据类型错误导致验签失败
+    form_data = await request.form()
+    data = dict(form_data.items())
+    
+    signature = data.pop("sign", None)
+    data.pop("sign_type", None)
+    
+    if not alipay or not signature or not alipay.verify(data, signature):
+        return Response(content="fail", media_type="text/plain")
+        
+    if data.get("trade_status") in ("TRADE_SUCCESS", "TRADE_FINISHED"):
+        order_id = data.get("out_trade_no")
         
-        if not user:
-            return 0
-        return user[0]
+        existing_tx = db.query(Transaction).filter(Transaction.tx_id == order_id).first()
+        if not existing_tx:
+            amount = int(float(data.get("total_amount", 0)))
+            account = data.get("subject", "").split(" - ")[-1]
+            
+            wallet = db.query(Wallet).filter(Wallet.account == account).with_for_update().first()
+            if not wallet:
+                wallet = Wallet(account=account)
+                db.add(wallet)
+            
+            wallet.balance += amount
+            
+            last_tx = db.query(Transaction).filter(Transaction.account == account).order_by(Transaction.created_at.desc()).first()
+            prev_hash = last_tx.tx_hash if last_tx else "GENESIS_HASH"
+            tx_hash = calculate_tx_hash(order_id, account, "RECHARGE", amount, prev_hash)
+            
+            new_tx = Transaction(
+                tx_id=order_id, account=account, tx_type="RECHARGE", amount=amount,
+                prev_hash=prev_hash, tx_hash=tx_hash
+            )
+            db.add(new_tx)
+            db.commit()
+            
+    return Response(content="success", media_type="text/plain")
+
+@router.get("/api/wallet/check_order/{order_id}")
+async def check_order(order_id: str, db: Session = Depends(get_db)):
+    tx = db.query(Transaction).filter(Transaction.tx_id == order_id).first()
+    if tx:
+        return {"status": "SUCCESS"}
+    return {"status": "PENDING"}
 
-@lru_cache(maxsize=128)  # 新增缓存装饰器
-def check_idempotency(trade_no: str):
-    """检查幂等性（带缓存）"""
-    with SessionLocal() as session:
-        exists = session.execute(
-            text("SELECT 1 FROM idempotency WHERE trade_no = :trade_no"),
-            {"trade_no": trade_no}
-        ).fetchone()
-        return exists is not None
+@router.get("/api/wallet/{account}")
+async def get_wallet(account: str, db: Session = Depends(get_db)):
+    wallet = db.query(Wallet).filter(Wallet.account == account).first()
+    if not wallet:
+        return {"balance": 0, "earn_balance": 0, "tip_balance": 0}
+    return {
+        "balance": wallet.balance,
+        "earn_balance": wallet.earn_balance,
+        "tip_balance": wallet.tip_balance
+    }
 
-@router.post("/alipay_notify")
-async def alipay_notify(request: Request):
-    params = await request.form()
-    
-    # 验证签名
-    if not verify_alipay_signature(params):
-        return JSONResponse(content={"status": "error", "message": "Invalid signature"}, status_code=400)
-    
-    # 检查交易状态
-    trade_status = params.get("trade_status")
-    if trade_status != "TRADE_SUCCESS":
-        return JSONResponse(content={"status": "error", "message": "Invalid trade status"}, status_code=400)
-    
-    # 获取交易号
-    trade_no = params.get("out_trade_no")
-    
-    # 检查是否已处理（使用缓存）
-    if check_idempotency(trade_no):
-        return JSONResponse(content={"status": "success", "message": "重复通知已忽略"})
-    
-    # 插入幂等记录
-    with SessionLocal() as session:
-        session.execute(
-            text("INSERT INTO idempotency (trade_no) VALUES (:trade_no)"),
-            {"trade_no": trade_no}
-        )
-        session.commit()
-    
-    # 处理支付成功逻辑
-    account = params.get("buyer_id")
-    amount = float(params.get("total_amount"))
-    
-    # 更新用户余额
-    with SessionLocal() as session:
-        # 假设有一个users表存储用户信息
-        user = session.execute(
-            text("SELECT * FROM users WHERE account = :account"),
-            {"account": account}
-        ).fetchone()
+@router.post("/api/wallet/purchase")
+async def purchase_item(req: PurchaseRequest, db: Session = Depends(get_db)):
+    items_db = json_db.load_data("items.json", default_data=[])
+    item = next((i for i in items_db if i["id"] == req.item_id), None)
+    
+    if not item:
+        raise HTTPException(status_code=404, detail="商品不存在")
         
-        if not user:
-            # 创建新用户
-            session.execute(
-                text("INSERT INTO users (account, balance) VALUES (:account, :balance)"),
-                {"account": account, "balance": amount}
-            )
-        else:
-            # 更新余额
-            session.execute(
-                text("UPDATE users SET balance = balance + :amount WHERE account = :account"),
-                {"amount": amount, "account": account}
-            )
+    price = int(item.get("price", 0))
+    seller_account = item.get("author")
+    
+    if price <= 0 or req.account == seller_account:
+        return {"status": "success", "already_owned": True}
+        
+    owned = db.query(Ownership).filter(Ownership.account == req.account, Ownership.item_id == req.item_id).first()
+    if owned:
+        return {"status": "success", "already_owned": True}
+        
+    buyer_wallet = db.query(Wallet).filter(Wallet.account == req.account).with_for_update().first()
+    if not buyer_wallet or buyer_wallet.balance < price:
+        raise HTTPException(status_code=402, detail="余额不足，请先充值")
+        
+    seller_wallet = db.query(Wallet).filter(Wallet.account == seller_account).with_for_update().first()
+    if not seller_wallet:
+        seller_wallet = Wallet(account=seller_account)
+        db.add(seller_wallet)
         
-        # 记录交易
-        session.execute(
-            text("INSERT INTO transactions (account, amount, transaction_type, description) VALUES (:account, :amount, 'deposit', '支付宝充值')"),
-            {"account": account, "amount": amount}
-        )
-        session.commit()
-    
-    # 清除缓存
-    get_user_balance.cache_clear()
-    check_idempotency.cache_clear()
-    
-    return JSONResponse(content={"status": "success", "message": "Payment processed"})
+    buyer_wallet.balance -= price
+    seller_wallet.earn_balance += price
+    
+    new_ownership = Ownership(account=req.account, item_id=req.item_id)
+    db.add(new_ownership)
+    
+    tx_id = f"BUY_{int(time.time())}_{uuid.uuid4().hex[:6]}"
+    last_tx = db.query(Transaction).filter(Transaction.account == req.account).order_by(Transaction.created_at.desc()).first()
+    prev_hash = last_tx.tx_hash if last_tx else "GENESIS_HASH"
+    tx_hash = calculate_tx_hash(tx_id, req.account, "PURCHASE", -price, prev_hash)
+    
+    new_tx = Transaction(
+        tx_id=tx_id, account=req.account, tx_type="PURCHASE", amount=-price,
+        target_account=seller_account, prev_hash=prev_hash, tx_hash=tx_hash
+    )
+    db.add(new_tx)
+    db.commit()
+    
+    return {"status": "success", "already_owned": False}
 
-@router.post("/create_transaction")
-async def create_transaction(transaction: WalletTransaction):
-    with SessionLocal() as session:
-        # 记录交易
-        session.execute(
-            text("INSERT INTO transactions (account, amount, transaction_type, description) VALUES (:account, :amount, :transaction_type, :description)"),
-            {
-                "account": transaction.account,
-                "amount": transaction.amount,
-                "transaction_type": transaction.transaction_type,
-                "description": transaction.description
-            }
-        )
-        session.commit()
-    
-    # 清除缓存
-    get_user_balance.cache_clear()
-    
-    return JSONResponse(content={"status": "success", "message": "Transaction created"})
+@router.post("/api/wallet/tip")
+async def tip_user(req: TipRequest, db: Session = Depends(get_db)):
+    if req.amount <= 0:
+        raise HTTPException(status_code=400, detail="打赏金额必须大于0")
+        
+    sender_wallet = db.query(Wallet).filter(Wallet.account == req.sender_account).with_for_update().first()
+    if not sender_wallet or sender_wallet.balance < req.amount:
+        raise HTTPException(status_code=402, detail="余额不足")
+        
+    target_wallet = db.query(Wallet).filter(Wallet.account == req.target_account).with_for_update().first()
+    if not target_wallet:
+        target_wallet = Wallet(account=req.target_account)
+        db.add(target_wallet)
+        
+    sender_wallet.balance -= req.amount
+    target_wallet.tip_balance += req.amount
+    
+    tx_id = f"TIP_{int(time.time())}_{uuid.uuid4().hex[:6]}"
+    last_tx = db.query(Transaction).filter(Transaction.account == req.sender_account).order_by(Transaction.created_at.desc()).first()
+    prev_hash = last_tx.tx_hash if last_tx else "GENESIS_HASH"
+    tx_hash = calculate_tx_hash(tx_id, req.sender_account, "TIP", -req.amount, prev_hash)
+    
+    new_tx = Transaction(
+        tx_id=tx_id, account=req.sender_account, tx_type="TIP", amount=-req.amount,
+        target_account=req.target_account, prev_hash=prev_hash, tx_hash=tx_hash
+    )
+    db.add(new_tx)
+    db.commit()
+    
+    from notifications import add_notification
+    display_sender = "匿名用户" if req.is_anonymous else req.sender_account
+    add_notification(req.target_account, {
+        "type": "tip", 
+        "from_user": "system", 
+        "target_item_title": "您的主页",
+        "content": f"🎉 {display_sender} 给您打赏了 {req.amount} 积分！"
+    })
+    
+    return {"status": "success", "balance": sender_wallet.balance}
 
-@router.get("/get_balance/{account}")
-async def get_balance(account: str):
-    # 使用缓存获取余额
-    balance = get_user_balance(account)
-    return JSONResponse(content={"balance": balance})
+@router.post("/api/wallet/withdraw")
+async def withdraw(req: WithdrawRequest, db: Session = Depends(get_db)):
+    key = f"{req.account}_withdraw"
+    code_data = VERIFY_CODES.get(key)
+    if not code_data or code_data["code"] != req.code or time.time() > code_data["expires"]:
+        raise HTTPException(status_code=400, detail="验证码无效或已过期")
+        
+    wallet = db.query(Wallet).filter(Wallet.account == req.account).with_for_update().first()
+    if not wallet:
+        raise HTTPException(status_code=400, detail="钱包不存在")
+        
+    total_withdrawable = wallet.earn_balance + wallet.tip_balance
+    if req.amount > total_withdrawable:
+        raise HTTPException(status_code=400, detail="可提现余额不足")
+        
+    if req.amount <= wallet.earn_balance:
+        wallet.earn_balance -= req.amount
+    else:
+        remaining = req.amount - wallet.earn_balance
+        wallet.earn_balance = 0
+        wallet.tip_balance -= remaining
+        
+    wallet.frozen_balance += req.amount
+    
+    tx_id = f"WD_{int(time.time())}_{uuid.uuid4().hex[:6]}"
+    last_tx = db.query(Transaction).filter(Transaction.account == req.account).order_by(Transaction.created_at.desc()).first()
+    prev_hash = last_tx.tx_hash if last_tx else "GENESIS_HASH"
+    tx_hash = calculate_tx_hash(tx_id, req.account, "WITHDRAW", -req.amount, prev_hash)
+    
+    new_tx = Transaction(
+        tx_id=tx_id, account=req.account, tx_type="WITHDRAW", amount=-req.amount,
+        prev_hash=prev_hash, tx_hash=tx_hash
+    )
+    db.add(new_tx)
+    db.commit()
+    
+    del VERIFY_CODES[key]
+    return {"status": "success"}