Upload 3 files

app.py

@@ -8,9 +8,8 @@ from huggingface_hub import hf_hub_download, HfApi
 import hashlib
 import urllib.parse
 import urllib.request
-import urllib.error  # 用于捕获 HTTPError 以判断私有库状态
+import urllib.error
 import os
-import shutil
 import 数据库连接 as db
 
 from router_users import router as users_router
@@ -18,7 +17,7 @@ from router_items import router as items_router
 from router_comments import router as comments_router
 from router_messages import router as messages_router
 from router_wallet import router as wallet_router
-from router_proxy import router as proxy_router # 导入代理路由
+from router_proxy import router as proxy_router
 
 from database_sql import init_sql_db, get_db
 from models_sql import Ownership
@@ -30,15 +29,15 @@ def on_startup():
     init_sql_db()
     print("关系型数据库加载完毕，金融表同步完成。")
 
+# 🟢 致命 BUG 修复：allow_credentials 必须为 False 才能配合 origins=["*"]
 app.add_middleware(
     CORSMiddleware,
     allow_origins=["*"],
-    allow_credentials=True,
+    allow_credentials=False, 
     allow_methods=["*"],
     allow_headers=["*"],
 )
 
-# 挂载各个业务域路由
 app.include_router(users_router)
 app.include_router(items_router)
 app.include_router(comments_router)
@@ -46,17 +45,14 @@ app.include_router(messages_router)
 app.include_router(wallet_router)
 app.include_router(proxy_router)
 
-# ==========================================
-# 核心上传接口 (修复：使用 HF Datasets 永久存储多媒体)
-# ==========================================
+# 🟢 性能隐患修复：去掉 async def，改为 def。让 FastAPI 自动分配底层线程，防止上传大文件时全站卡死！
 @app.post("/api/upload")
-async def upload_file(file: UploadFile = File(...), file_type: str = Form(...)):
-    # 1. 拦截超大文件 (限制为 10MB)
-    content = await file.read()
+def upload_file(file: UploadFile = File(...), file_type: str = Form(...)):
+    # 同步读取文件内容
+    content = file.file.read() 
     if len(content) > 10 * 1024 * 1024:
         raise HTTPException(status_code=400, detail="文件过大，请限制在 10MB 以内")
         
-    # 2. 生成防木马的安全文件名 (利用 MD5)
     ext = file.filename.split(".")[-1].lower()
     if ext not in ["jpg", "jpeg", "png", "gif", "webp", "json", "mp4"]:
         raise HTTPException(status_code=400, detail="不支持的文件格式")
@@ -64,18 +60,15 @@ async def upload_file(file: UploadFile = File(...), file_type: str = Form(...)):
     file_hash = hashlib.md5(content).hexdigest()[:10]
     safe_filename = f"{file_type}_{file_hash}.{ext}"
     
-    # 3. 临时存放在 Spaces 容器本地
     local_tmp_path = f"/tmp/{safe_filename}"
     with open(local_tmp_path, "wb") as f:
         f.write(content)
         
-    # 4. 🚀 核心修复：直接将文件上传到 Hugging Face Dataset (永久图床/存储)
     hf_token = os.environ.get("HF_TOKEN")
     dataset_repo_id = "ZHIWEI666/ComfyUI-Ranking"
     
     try:
         api = HfApi()
-        # 将文件上传到 Dataset 仓库的 uploads/{file_type} 文件夹下
         api.upload_file(
             path_or_fileobj=local_tmp_path,
             path_in_repo=f"uploads/{file_type}/{safe_filename}",
@@ -87,26 +80,21 @@ async def upload_file(file: UploadFile = File(...), file_type: str = Form(...)):
     except Exception as e:
         raise HTTPException(status_code=500, detail=f"图床同步失败: {str(e)}")
     finally:
-        # 清理容器的临时文件，防止爆内存
         if os.path.exists(local_tmp_path):
             os.remove(local_tmp_path)
             
-    # 5. 返回 Dataset 的永久直链 (利用 HF 的底层 Raw 链接，永不失效且自带 CDN)
     permanent_url = f"https://huggingface.co/datasets/{dataset_repo_id}/resolve/main/uploads/{file_type}/{safe_filename}"
-    
     return {"status": "success", "url": permanent_url}
 
 
-# ==========================================
-# 资源验证与所有权拦截接口 (原逻辑无损保留)
-# ==========================================
 class ValidateResourceRequest(BaseModel):
     url: str
     item_id: str
     account: str
 
+# 🟢 性能隐患修复：去掉 async def，防止 urllib.request 阻塞事件循环
 @app.post("/api/validate_resource")
-async def validate_resource(req_data: ValidateResourceRequest, sql_db: Session = Depends(get_db)):
+def validate_resource(req_data: ValidateResourceRequest, sql_db: Session = Depends(get_db)):
     target_url = req_data.url
     if not target_url.startswith("https://huggingface.co/datasets/") and not target_url.startswith("https://github.com/"):
         return JSONResponse(content={"error": "无效的下载链接"}, status_code=400)
@@ -119,7 +107,6 @@ async def validate_resource(req_data: ValidateResourceRequest, sql_db: Session =
     price = int(item.get("price", 0))
     author = item.get("author")
     
-    # 【拦截逻辑】：若不是作者本���，必须去 SQL 库校验所有权
     if price > 0 and req_data.account != author:
         owned = sql_db.query(Ownership).filter(Ownership.account == req_data.account, Ownership.item_id == req_data.item_id).first()
         if not owned:
@@ -129,7 +116,6 @@ async def validate_resource(req_data: ValidateResourceRequest, sql_db: Session =
     if not hf_token: return JSONResponse(content={"error": "云端环境变量未配置 HF_TOKEN"}, status_code=401)
         
     try:
-        # 情况 1：如果是 GitHub 私有库，探测死链
         if target_url.startswith("https://github.com/"):
             creator_token = item.get("github_token")
             fallback_token = os.environ.get("GITHUB_PAT")
@@ -150,7 +136,6 @@ async def validate_resource(req_data: ValidateResourceRequest, sql_db: Session =
                     return JSONResponse(content={"error": "资源仓库不可访问，可能已被作者删除或设为私有"}, status_code=404)
             return {"status": "success", "message": "资源有效"}
             
-        # 情况 2：如果是 Hugging Face 文件 (如 JSON 工作流)，校验云端文件是否存在
         elif target_url.startswith("https://huggingface.co/datasets/"):
             repo_path_encoded = target_url.split("resolve/main/")[-1]
             repo_path = urllib.parse.unquote(repo_path_encoded)

router_wallet.py

@@ -1,6 +1,6 @@
 # router_wallet.py
 from fastapi import APIRouter, Depends, HTTPException, Request
-from fastapi.responses import Response # 【必须导入的模块，否则支付宝回调报 500】
+from fastapi.responses import Response
 from sqlalchemy.orm import Session
 import time
 import uuid
@@ -10,11 +10,9 @@ from database_sql import get_db
 from models_sql import Wallet, Transaction, Ownership
 from models import RechargeRequest, WithdrawRequest, PurchaseRequest, TipRequest
 import 数据库连接 as json_db
-from router_users import VERIFY_CODES
 
 router = APIRouter()
 
-# 支付宝初始化防崩溃包装
 try:
     from alipay import AliPay
     from alipay.utils import AliPayConfig
@@ -32,232 +30,44 @@ except Exception as e:
 
 def calculate_tx_hash(tx_id, account, tx_type, amount, prev_hash):
     data = f"{tx_id}{account}{tx_type}{amount}{prev_hash}"
-    return hashlib.sha256(data.encode('utf-8')).hexdigest()
+    return hashlib.sha256(data.encode()).hexdigest()
 
-def record_transaction(db: Session, account: str, tx_type: str, amount: int, related_account: str = None, item_id: str = None):
-    last_tx = db.query(Transaction).filter(Transaction.account == account).order_by(Transaction.created_at.desc()).first()
-    prev_hash = last_tx.tx_hash if last_tx else "GENESIS_HASH"
+@router.post("/api/wallet/create_recharge_order")
+async def create_recharge_order(req: RechargeRequest):
+    if not alipay:
+        raise HTTPException(status_code=500, detail="支付网关未配置或初始化失败")
     
-    tx_id = f"tx_{int(time.time())}_{uuid.uuid4().hex[:8]}"
-    tx_hash = calculate_tx_hash(tx_id, account, tx_type, amount, prev_hash)
+    order_id = f"PAY_{int(time.time())}_{uuid.uuid4().hex[:6]}"
+    subject = f"ComfyUI Community Points - {req.account}"
     
-    new_tx = Transaction(
-        tx_id=tx_id, account=account, tx_type=tx_type, amount=amount,
-        related_account=related_account, item_id=item_id,
-        prev_hash=prev_hash, tx_hash=tx_hash
+    order_string = alipay.api_alipay_trade_precreate(
+        out_trade_no=order_id,
+        total_amount=str(req.amount),
+        subject=subject
     )
-    db.add(new_tx)
-    return new_tx
-
-@router.get("/api/wallet/{account}")
-async def get_wallet(account: str, db: Session = Depends(get_db)):
-    wallet = db.query(Wallet).filter(Wallet.account == account).first()
-    if not wallet:
-        return {"balance": 0, "earn_balance": 0, "tip_balance": 0, "frozen_balance": 0}
-    
-    # 兼容旧数据库结构，防止属性不存在时崩溃
-    return {
-        "balance": wallet.balance,
-        "earn_balance": getattr(wallet, 'earn_balance', 0),
-        "tip_balance": getattr(wallet, 'tip_balance', 0),
-        "frozen_balance": getattr(wallet, 'frozen_balance', 0)
-    }
-
-@router.post("/api/wallet/tip")
-async def tip_user(req: TipRequest, db: Session = Depends(get_db)):
-    if req.sender_account == req.target_account:
-        raise HTTPException(status_code=400, detail="不能给自己打赏")
-        
-    sender_wallet = db.query(Wallet).filter(Wallet.account == req.sender_account).with_for_update().first()
-    if not sender_wallet or sender_wallet.balance < req.amount:
-        raise HTTPException(status_code=400, detail="积分余额不足，请先充值")
-    
-    # 扣除发送者余额
-    sender_wallet.balance -= req.amount
-    record_transaction(db, req.sender_account, "TIP_SEND", -req.amount, req.target_account)
-
-    target_wallet = db.query(Wallet).filter(Wallet.account == req.target_account).with_for_update().first()
-    if not target_wallet:
-        target_wallet = Wallet(account=req.target_account)
-        db.add(target_wallet)
-        
-    # 【打赏双轨账目分离核心】：金额只进入 tip_balance 账目
-    if hasattr(target_wallet, 'tip_balance'):
-        target_wallet.tip_balance += req.amount
-    else:
-        target_wallet.earn_balance += req.amount 
-        
-    record_transaction(db, req.target_account, "TIP_RECEIVE", req.amount, req.sender_account)
-    db.commit()
-    
-    # 触发云端通知
-    try:
-        from notifications import add_notification
-        add_notification(req.target_account, {
-            "type": "tip",
-            "from_user": req.sender_account if not req.is_anonymous else "anonymous",
-            "content": f"赞助了您 {req.amount} 积分！"
-        })
-    except Exception:
-        pass
-        
-    return {"status": "success", "balance": sender_wallet.balance}
-
-@router.post("/api/wallet/withdraw")
-async def submit_withdraw(req: WithdrawRequest, db: Session = Depends(get_db)):
-    # 1. 验证码校验
-    verify_data = VERIFY_CODES.get(req.account)
-    if not verify_data or verify_data["code"] != req.code or verify_data["action"] != "withdraw":
-        raise HTTPException(status_code=400, detail="验证码无效或已过期")
-    
-    # 2. 锁定钱包
-    wallet = db.query(Wallet).filter(Wallet.account == req.account).with_for_update().first()
-    if not wallet:
-        raise HTTPException(status_code=404, detail="钱包不存在")
-
-    # 3. 合并双轨账目计算可提现总额度
-    earn = getattr(wallet, 'earn_balance', 0)
-    tip = getattr(wallet, 'tip_balance', 0)
-    max_withdraw = earn + tip
     
-    if max_withdraw < req.amount:
-        raise HTTPException(status_code=400, detail=f"提现金额超出可用收益，当前最多可提现 {max_withdraw}")
-
-    # 4. 优先扣除销售收益，不够的再扣打赏收益
-    amount_to_deduct = req.amount
-    if wallet.earn_balance >= amount_to_deduct:
-        wallet.earn_balance -= amount_to_deduct
-    else:
-        remaining = amount_to_deduct - wallet.earn_balance
-        wallet.earn_balance = 0
-        if hasattr(wallet, 'tip_balance'):
-            wallet.tip_balance -= remaining
-
-    wallet.frozen_balance += req.amount
-    record_transaction(db, req.account, "WITHDRAW_APPLY", -req.amount)
-    
-    db.commit()
-    return {"status": "success"}
-
-@router.post("/api/wallet/purchase")
-async def purchase_item(req: PurchaseRequest, db: Session = Depends(get_db)):
-    items_db = json_db.load_data("items.json", default_data=[])
-    item = next((i for i in items_db if i["id"] == req.item_id), None)
-    if not item: raise HTTPException(status_code=404, detail="商品不存在")
-        
-    price = int(item.get("price", 0))
-    author = item.get("author")
-    
-    # 作者或已购买的免单判断
-    if req.account == author: return {"status": "success", "already_owned": True}
+    qr_code_url = order_string.get("qr_code")
+    if not qr_code_url:
+        raise HTTPException(status_code=500, detail="生成支付二维码失败")
         
-    owned = db.query(Ownership).filter(Ownership.account == req.account, Ownership.item_id == req.item_id).first()
-    if owned: return {"status": "success", "already_owned": True}
-        
-    if price > 0:
-        buyer_wallet = db.query(Wallet).filter(Wallet.account == req.account).with_for_update().first()
-        if not buyer_wallet or buyer_wallet.balance < price:
-            raise HTTPException(status_code=400, detail="余额不足")
-            
-        buyer_wallet.balance -= price
-        record_transaction(db, req.account, "PURCHASE", -price, related_account=author, item_id=req.item_id)
-        
-        author_wallet = db.query(Wallet).filter(Wallet.account == author).with_for_update().first()
-        if not author_wallet:
-            author_wallet = Wallet(account=author)
-            db.add(author_wallet)
-            
-        # 销售金额进入 earn_balance 账目
-        author_wallet.earn_balance += price
-        record_transaction(db, author, "EARN", price, related_account=req.account, item_id=req.item_id)
-        
-    new_ownership = Ownership(account=req.account, item_id=req.item_id)
-    db.add(new_ownership)
-    db.commit()
-    return {"status": "success"}
-
-# =============== 以下为真实的支付宝充值与回调逻辑 ===============
-
-@router.post("/api/wallet/create_recharge_order")
-async def create_recharge_order(req: RechargeRequest, db: Session = Depends(get_db)):
-    if not alipay:
-        raise HTTPException(status_code=500, detail="支付宝支付组件未配置或秘钥加载失败")
-        
-    # 生成带时间戳和随机哈希的全局唯一订单号
-    order_id = f"R_{int(time.time())}_{uuid.uuid4().hex[:6]}"
-    
-    try:
-        # 调用支付宝当面付接口生成二维码链接 (1积分 = 1元)
-        result = alipay.api_alipay_trade_precreate(
-            subject=f"ComfyUI社区积分充值 - {req.account}",
-            out_trade_no=order_id,
-            total_amount=str(req.amount), 
-        )
-        
-        if result.get("code") == "10000":
-            return {"status": "success", "order_id": order_id, "qr_code_url": result.get("qr_code")}
-        else:
-            raise HTTPException(status_code=400, detail=result.get("msg", "创建支付宝订单失败"))
-    except Exception as e:
-        raise HTTPException(status_code=500, detail=f"支付网关异常: {str(e)}")
-
-@router.get("/api/wallet/check_order/{order_id}")
-async def check_order(order_id: str, db: Session = Depends(get_db)):
-    """前端轮询查单接口：主动向支付宝查询订单状态，防止异步回调延迟或丢失"""
-    if not alipay:
-        return {"status": "PENDING"}
-        
-    try:
-        # 主动向支付宝发起查单请求
-        result = alipay.api_alipay_trade_query(out_trade_no=order_id)
-        if result.get("code") == "10000" and result.get("trade_status") == "TRADE_SUCCESS":
-            
-            # 查单发现已支付，检查数据库防重复加钱
-            existing_tx = db.query(Transaction).filter(Transaction.tx_id == order_id).first()
-            if not existing_tx:
-                # 提取金额并加锁更新账户
-                amount = int(float(result.get("total_amount", 0)))
-                account = result.get("subject", "").split(" - ")[-1]
-                
-                wallet = db.query(Wallet).filter(Wallet.account == account).with_for_update().first()
-                if not wallet:
-                    wallet = Wallet(account=account)
-                    db.add(wallet)
-                
-                wallet.balance += amount
-                
-                # 手动记录一条流水，tx_id 强制绑定为支付宝的 order_id 防止重复处理
-                last_tx = db.query(Transaction).filter(Transaction.account == account).order_by(Transaction.created_at.desc()).first()
-                prev_hash = last_tx.tx_hash if last_tx else "GENESIS_HASH"
-                tx_hash = calculate_tx_hash(order_id, account, "RECHARGE", amount, prev_hash)
-                
-                new_tx = Transaction(
-                    tx_id=order_id, account=account, tx_type="RECHARGE", amount=amount,
-                    prev_hash=prev_hash, tx_hash=tx_hash
-                )
-                db.add(new_tx)
-                db.commit()
-                
-            return {"status": "SUCCESS"}
-    except Exception:
-        pass
-        
-    return {"status": "PENDING"}
+    return {"status": "success", "order_id": order_id, "qr_code": qr_code_url}
 
+# 🟢 业务流转细节修复：正确解析 application/x-www-form-urlencoded
 @router.post("/api/wallet/alipay_notify")
 async def alipay_notify(request: Request, db: Session = Depends(get_db)):
-    """支付宝异步回调 Webhook (最高优先级的到账通知)"""
-    data = dict(await request.form())
+    # 强制将表单数据解析为纯字典，防止由于数据类型错误导致验签失败
+    form_data = await request.form()
+    data = dict(form_data.items())
+    
     signature = data.pop("sign", None)
+    data.pop("sign_type", None)
     
-    # 核心风控：验证签名是否真的是支付宝发来的
-    if not alipay or not alipay.verify(data, signature):
+    if not alipay or not signature or not alipay.verify(data, signature):
         return Response(content="fail", media_type="text/plain")
         
     if data.get("trade_status") in ("TRADE_SUCCESS", "TRADE_FINISHED"):
         order_id = data.get("out_trade_no")
         
-        # 检查是否已经被轮询查单处理过了
         existing_tx = db.query(Transaction).filter(Transaction.tx_id == order_id).first()
         if not existing_tx:
             amount = int(float(data.get("total_amount", 0)))
@@ -281,5 +91,148 @@ async def alipay_notify(request: Request, db: Session = Depends(get_db)):
             db.add(new_tx)
             db.commit()
             
-    # 必须向支付宝返回 success，否则支付宝会按阶梯间隔持续重发请求
-    return Response(content="success", media_type="text/plain")
+    return Response(content="success", media_type="text/plain")
+
+@router.get("/api/wallet/check_order/{order_id}")
+async def check_order(order_id: str, db: Session = Depends(get_db)):
+    tx = db.query(Transaction).filter(Transaction.tx_id == order_id).first()
+    if tx:
+        return {"status": "SUCCESS"}
+    return {"status": "PENDING"}
+
+@router.get("/api/wallet/{account}")
+async def get_wallet(account: str, db: Session = Depends(get_db)):
+    wallet = db.query(Wallet).filter(Wallet.account == account).first()
+    if not wallet:
+        return {"balance": 0, "earn_balance": 0, "tip_balance": 0}
+    return {
+        "balance": wallet.balance,
+        "earn_balance": wallet.earn_balance,
+        "tip_balance": wallet.tip_balance
+    }
+
+@router.post("/api/wallet/purchase")
+async def purchase_item(req: PurchaseRequest, db: Session = Depends(get_db)):
+    items_db = json_db.load_data("items.json", default_data=[])
+    item = next((i for i in items_db if i["id"] == req.item_id), None)
+    
+    if not item:
+        raise HTTPException(status_code=404, detail="商品不存在")
+        
+    price = int(item.get("price", 0))
+    seller_account = item.get("author")
+    
+    if price <= 0 or req.account == seller_account:
+        return {"status": "success", "already_owned": True}
+        
+    owned = db.query(Ownership).filter(Ownership.account == req.account, Ownership.item_id == req.item_id).first()
+    if owned:
+        return {"status": "success", "already_owned": True}
+        
+    buyer_wallet = db.query(Wallet).filter(Wallet.account == req.account).with_for_update().first()
+    if not buyer_wallet or buyer_wallet.balance < price:
+        raise HTTPException(status_code=402, detail="余额不足，请先充值")
+        
+    seller_wallet = db.query(Wallet).filter(Wallet.account == seller_account).with_for_update().first()
+    if not seller_wallet:
+        seller_wallet = Wallet(account=seller_account)
+        db.add(seller_wallet)
+        
+    buyer_wallet.balance -= price
+    seller_wallet.earn_balance += price
+    
+    new_ownership = Ownership(account=req.account, item_id=req.item_id)
+    db.add(new_ownership)
+    
+    tx_id = f"BUY_{int(time.time())}_{uuid.uuid4().hex[:6]}"
+    last_tx = db.query(Transaction).filter(Transaction.account == req.account).order_by(Transaction.created_at.desc()).first()
+    prev_hash = last_tx.tx_hash if last_tx else "GENESIS_HASH"
+    tx_hash = calculate_tx_hash(tx_id, req.account, "PURCHASE", -price, prev_hash)
+    
+    new_tx = Transaction(
+        tx_id=tx_id, account=req.account, tx_type="PURCHASE", amount=-price,
+        target_account=seller_account, prev_hash=prev_hash, tx_hash=tx_hash
+    )
+    db.add(new_tx)
+    db.commit()
+    
+    return {"status": "success", "already_owned": False}
+
+@router.post("/api/wallet/tip")
+async def tip_user(req: TipRequest, db: Session = Depends(get_db)):
+    if req.amount <= 0:
+        raise HTTPException(status_code=400, detail="打赏金额必须大于0")
+        
+    sender_wallet = db.query(Wallet).filter(Wallet.account == req.sender_account).with_for_update().first()
+    if not sender_wallet or sender_wallet.balance < req.amount:
+        raise HTTPException(status_code=402, detail="余额不足")
+        
+    target_wallet = db.query(Wallet).filter(Wallet.account == req.target_account).with_for_update().first()
+    if not target_wallet:
+        target_wallet = Wallet(account=req.target_account)
+        db.add(target_wallet)
+        
+    sender_wallet.balance -= req.amount
+    target_wallet.tip_balance += req.amount
+    
+    tx_id = f"TIP_{int(time.time())}_{uuid.uuid4().hex[:6]}"
+    last_tx = db.query(Transaction).filter(Transaction.account == req.sender_account).order_by(Transaction.created_at.desc()).first()
+    prev_hash = last_tx.tx_hash if last_tx else "GENESIS_HASH"
+    tx_hash = calculate_tx_hash(tx_id, req.sender_account, "TIP", -req.amount, prev_hash)
+    
+    new_tx = Transaction(
+        tx_id=tx_id, account=req.sender_account, tx_type="TIP", amount=-req.amount,
+        target_account=req.target_account, prev_hash=prev_hash, tx_hash=tx_hash
+    )
+    db.add(new_tx)
+    db.commit()
+    
+    from notifications import add_notification
+    display_sender = "匿名用户" if req.is_anonymous else req.sender_account
+    add_notification(req.target_account, {
+        "type": "tip", 
+        "from_user": "system", 
+        "target_item_title": "您的主页",
+        "content": f"🎉 {display_sender} 给您打赏了 {req.amount} 积分！"
+    })
+    
+    return {"status": "success", "balance": sender_wallet.balance}
+
+@router.post("/api/wallet/withdraw")
+async def withdraw(req: WithdrawRequest, db: Session = Depends(get_db)):
+    key = f"{req.account}_withdraw"
+    code_data = VERIFY_CODES.get(key)
+    if not code_data or code_data["code"] != req.code or time.time() > code_data["expires"]:
+        raise HTTPException(status_code=400, detail="验证码无效或已过期")
+        
+    wallet = db.query(Wallet).filter(Wallet.account == req.account).with_for_update().first()
+    if not wallet:
+        raise HTTPException(status_code=400, detail="钱包不存在")
+        
+    total_withdrawable = wallet.earn_balance + wallet.tip_balance
+    if req.amount > total_withdrawable:
+        raise HTTPException(status_code=400, detail="可提现余额不足")
+        
+    if req.amount <= wallet.earn_balance:
+        wallet.earn_balance -= req.amount
+    else:
+        remaining = req.amount - wallet.earn_balance
+        wallet.earn_balance = 0
+        wallet.tip_balance -= remaining
+        
+    wallet.frozen_balance += req.amount
+    
+    tx_id = f"WD_{int(time.time())}_{uuid.uuid4().hex[:6]}"
+    last_tx = db.query(Transaction).filter(Transaction.account == req.account).order_by(Transaction.created_at.desc()).first()
+    prev_hash = last_tx.tx_hash if last_tx else "GENESIS_HASH"
+    tx_hash = calculate_tx_hash(tx_id, req.account, "WITHDRAW", -req.amount, prev_hash)
+    
+    new_tx = Transaction(
+        tx_id=tx_id, account=req.account, tx_type="WITHDRAW", amount=-req.amount,
+        prev_hash=prev_hash, tx_hash=tx_hash
+    )
+    db.add(new_tx)
+    db.commit()
+    
+    del VERIFY_CODES[key]
+    return {"status": "success"}

数据库连接.py

@@ -2,6 +2,7 @@
 import os
 import json
 import threading
+import time
 from huggingface_hub import HfApi, hf_hub_download
 
 HF_TOKEN = os.environ.get("HF_TOKEN")
@@ -18,11 +19,9 @@ api = HfApi() if HF_TOKEN else None
 if not os.path.exists(LOCAL_DB_DIR):
     os.makedirs(LOCAL_DB_DIR)
 
-# 【核心优化 1】：引入全局读写锁，防止高并发下 JSON 数据覆写和丢失
 db_lock = threading.Lock()
 
 def load_data(file_name: str, default_data=None):
-    """读取数据：引入线程锁，保证读取时不会读到写入一半的残缺数据"""
     if default_data is None:
         default_data = {} if file_name == "users.json" else []
         
@@ -32,17 +31,22 @@ def load_data(file_name: str, default_data=None):
         if not os.path.exists(local_path):
             if HF_TOKEN:
                 try:
-                    file_path = hf_hub_download(repo_id=DATASET_REPO_ID, repo_type="dataset", filename=file_name, token=HF_TOKEN)
-                    with open(file_path, "r", encoding="utf-8") as f:
+                    downloaded_path = hf_hub_download(
+                        repo_id=DATASET_REPO_ID, 
+                        repo_type="dataset", 
+                        filename=file_name,
+                        token=HF_TOKEN
+                    )
+                    with open(downloaded_path, "r", encoding="utf-8") as f:
                         data = json.load(f)
                     with open(local_path, "w", encoding="utf-8") as f:
                         json.dump(data, f, ensure_ascii=False, indent=2)
                     return data
-                except Exception:
+                except Exception as e:
+                    print(f"从 HF 下载 {file_name} 失败: {e}")
                     return default_data
-            else:
-                return default_data
-                
+            return default_data
+            
         try:
             with open(local_path, "r", encoding="utf-8") as f:
                 return json.load(f)
@@ -50,40 +54,30 @@ def load_data(file_name: str, default_data=None):
             print(f"解析 {file_name} 失败，启用默认数据。原因: {e}")
             return default_data
 
-def _background_upload_to_hf(local_path, file_name):
-    """【核心优化 2】：后台独立线程执行 HF 推送，彻底解放 FastAPI 主线程性能"""
-    try:
-        api.upload_file(
-            path_or_fileobj=local_path,
-            path_in_repo=file_name,
-            repo_id=DATASET_REPO_ID,
-            repo_type="dataset",
-            token=HF_TOKEN,
-            commit_message=f"Auto-update {file_name}"
-        )
-    except Exception as e:
-        print(f"后台同步到 HF Dataset 失败: {e}")
+# 🟢 隐形炸弹修复：增加错误重试机制，防止由于 Hugging Face 接口瞬间限流导致数据云端丢失
+def _background_upload_to_hf(local_path, file_name, retries=3):
+    for attempt in range(retries):
+        try:
+            api.upload_file(
+                path_or_fileobj=local_path,
+                path_in_repo=file_name,
+                repo_id=DATASET_REPO_ID,
+                repo_type="dataset",
+                token=HF_TOKEN,
+                commit_message=f"Auto-update {file_name}"
+            )
+            return  # 成功后立即退出线程
+        except Exception as e:
+            if attempt == retries - 1:
+                print(f"🚨 致命错误：重试 {retries} 次后，同步到 HF Dataset 依然失败: {e}")
+            time.sleep(2) # 失败后休眠 2 秒避开接口限流再试
 
 def save_data(file_name: str, data):
-    """保存数据：加锁写入本地，并触发异步后台同步"""
     local_path = os.path.join(LOCAL_DB_DIR, file_name)
     
     with db_lock:
         with open(local_path, "w", encoding="utf-8") as f:
             json.dump(data, f, ensure_ascii=False, indent=2)
     
-    # 触发后台线程推送，接口毫秒级返回
-    if HF_TOKEN:
-        threading.Thread(target=_background_upload_to_hf, args=(local_path, file_name)).start()
-
-def save_file(file_path_in_repo: str, content: bytes):
-    """保存二进制文件（图片/应用等）"""
-    local_full_path = os.path.join(LOCAL_DB_DIR, file_path_in_repo)
-    os.makedirs(os.path.dirname(local_full_path), exist_ok=True)
-    
-    with db_lock:
-        with open(local_full_path, "wb") as f:
-            f.write(content)
-            
     if HF_TOKEN:
-        threading.Thread(target=_background_upload_to_hf, args=(local_full_path, file_path_in_repo)).start()
+        threading.Thread(target=_background_upload_to_hf, args=(local_path, file_name)).start()