Upload 13 files

app.py

@@ -1,5 +1,5 @@
 # ⚙️ 后端逻辑/核心服务端.py (Hugging Face Spaces app.py)
-from fastapi import FastAPI, File, UploadFile, Form, Depends
+from fastapi import FastAPI, File, UploadFile, Form, Depends, HTTPException
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import Response, JSONResponse
 from sqlalchemy.orm import Session
@@ -42,14 +42,26 @@ app.include_router(wallet_router)
 
 @app.get("/")
 def read_root(): 
-    return {"status": "ok"}
+    return {"status": "ok", "message": "API System Protected & Running"}
+
+# 【安全优化】：允许的文件后缀白名单，防挂马
+ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".webp", ".json", ".zip"}
 
 @app.post("/api/upload")
 async def upload_file(file: UploadFile = File(...), file_type: str = Form(...)):
+    # 验证后缀名
+    _, ext = os.path.splitext(file.filename)
+    if ext.lower() not in ALLOWED_EXTENSIONS:
+        return JSONResponse(status_code=400, content={"error": f"安全拦截：不支持上传 {ext} 格式的文件"})
+
+    # 限制单次读取文件大小，防止撑爆内存
     content = await file.read()
+    if len(content) > 10 * 1024 * 1024: # 10MB 限制
+        return JSONResponse(status_code=400, content={"error": "文件超过 10MB 大小限制"})
+
     file_hash = hashlib.md5(content).hexdigest()[:10]
     
-    new_filename = f"{file_hash}_{file.filename}"
+    new_filename = f"{file_hash}{ext.lower()}"
     safe_filename = urllib.parse.quote(file.filename)
     safe_url_filename = f"{file_hash}_{safe_filename}"
     
@@ -57,14 +69,12 @@ async def upload_file(file: UploadFile = File(...), file_type: str = Form(...)):
     target_dir = dir_mapping.get(file_type, "others")
     full_path_in_repo = f"{target_dir}/{new_filename}"
     
+    # 交给底层带锁与异步线程的 db 处理
     db.save_file(full_path_in_repo, content)
     
     url = f"https://huggingface.co/datasets/{db.DATASET_REPO_ID}/resolve/main/{target_dir}/{safe_url_filename}"
     return {"status": "success", "url": url, "display_name": file.filename, "hashed_name": new_filename}
 
-# =======================================================
-# 【核心新增】：死链与资源有效性检测 (解决问题1：防买空)
-# =======================================================
 class ValidateRequest(BaseModel):
     item_id: str
 
@@ -79,17 +89,15 @@ async def validate_resource(req: ValidateRequest):
     itype = item.get("type", "")
     
     if itype.startswith("tool"):
-        # 探测 Git 仓库是否为 404 死链
         try:
             req_obj = urllib.request.Request(link, method="HEAD", headers={'User-Agent': 'Mozilla/5.0'})
             with urllib.request.urlopen(req_obj, timeout=5) as response:
                 if response.status >= 400:
                     return JSONResponse(content={"error": "原作者的 Git 仓库已失效或设为私有"}, status_code=400)
-        except Exception as e:
+        except Exception:
             return JSONResponse(content={"error": "原作者的 Git 仓库无法访问，链接已失效"}, status_code=400)
             
     elif itype.startswith("app"):
-        # 探测 HF 云端的 JSON 文件是否丢失
         if "resolve/main/" in link:
             repo_path = urllib.parse.unquote(link.split("resolve/main/")[-1])
             hf_token = os.environ.get("HF_TOKEN")
@@ -99,13 +107,10 @@ async def validate_resource(req: ValidateRequest):
                 if not exists:
                     return JSONResponse(content={"error": "该工作流的 JSON 文件已在云端损坏或丢失"}, status_code=400)
             except Exception:
-                pass # 忽略 HF API 自身的偶发网络波动，不强行阻断
+                pass 
                 
     return {"status": "success"}
 
-# =======================================================
-# 代理下载与所有权鉴权防线
-# =======================================================
 class ProxyDownloadRequest(BaseModel):
     url: str
     item_id: str
@@ -125,7 +130,6 @@ async def proxy_download(req_data: ProxyDownloadRequest, sql_db: Session = Depen
     price = int(item.get("price", 0))
     author = item.get("author")
     
-    # 所有权拦截：如果收费且不是作者本人，严查 SQL 所有权表
     if price > 0 and req_data.account != author:
         owned = sql_db.query(Ownership).filter(Ownership.account == req_data.account, Ownership.item_id == req_data.item_id).first()
         if not owned:
@@ -151,4 +155,4 @@ async def proxy_download(req_data: ProxyDownloadRequest, sql_db: Session = Depen
         return Response(content=content, media_type="application/json")
         
     except Exception as e:
-        return JSONResponse(content={"error": f"云端官方库读取失败: {str(e)}"}, status_code=500)
+        return JSONResponse(content={"error": "云端代理读取失败，可能是源文件损坏"}, status_code=500)

router_items.py

@@ -21,11 +21,11 @@ def get_last_6_months():
     return res
 
 @router.get("/api/items")
-async def get_items(type: str = "tool", sort: str = "time", limit: int = 20):
+async def get_items(type: str = "tool", sort: str = "time", limit: int = 50): # 优化：默认限制调大至 50，提升前端列表体验
     items_db = db.load_data("items.json", default_data=[])
     comments_db = db.load_data("comments.json", default_data={})
     
-    # 【核心修改】：如果是推荐榜，匹配所有 recommend 开头的子类型
+    # 如果是推荐榜，匹配所有 recommend 开头的子类型
     if type == "recommend":
         filtered_items = [item for item in items_db if item.get("type", "").startswith("recommend")]
     else:
@@ -34,10 +34,12 @@ async def get_items(type: str = "tool", sort: str = "time", limit: int = 20):
     for item in filtered_items:
         item["commentsData"] = comments_db.get(item["id"], [])
         item["comments"] = len(item["commentsData"])
+        
     if sort == "likes": filtered_items.sort(key=lambda x: x.get("likes", 0), reverse=True)
     elif sort == "favorites": filtered_items.sort(key=lambda x: x.get("favorites", 0), reverse=True)
     elif sort == "downloads": filtered_items.sort(key=lambda x: x.get("uses", 0), reverse=True)
     else: filtered_items.sort(key=lambda x: x.get("created_at", 0), reverse=True)
+    
     return {"status": "success", "data": filtered_items[:limit]}
 
 @router.get("/api/creators")
@@ -54,7 +56,7 @@ async def get_creators(sort: str = "downloads", limit: int = 20):
         
         trend_tools = {m: 0 for m in months}
         trend_apps = {m: 0 for m in months}
-        trend_recommends = {m: 0 for m in months} # 新增：推荐增长序列
+        trend_recommends = {m: 0 for m in months}
         tools_count = 0
         apps_count = 0
         
@@ -68,7 +70,6 @@ async def get_creators(sort: str = "downloads", limit: int = 20):
                 if itype == "app": apps_count += 1
                 for m in months: trend_apps[m] += history.get(m, 0)
             elif itype.startswith("recommend"):
-                # 纯链接推荐
                 for m in months: trend_recommends[m] += history.get(m, 0)
 
         creators.append({
@@ -82,7 +83,7 @@ async def get_creators(sort: str = "downloads", limit: int = 20):
                 "months": months,
                 "tools": [trend_tools[m] for m in months], 
                 "apps": [trend_apps[m] for m in months],
-                "recommends": [trend_recommends[m] for m in months] # 注入前端
+                "recommends": [trend_recommends[m] for m in months]
             }
         })
         
@@ -90,11 +91,13 @@ async def get_creators(sort: str = "downloads", limit: int = 20):
     elif sort == "favorites": creators.sort(key=lambda x: x.get("favorites", 0), reverse=True)
     elif sort == "downloads": creators.sort(key=lambda x: x.get("downloads", 0), reverse=True)
     else: creators.sort(key=lambda x: x.get("created_at", 0), reverse=True)
+    
     return {"status": "success", "data": creators[:limit]}
 
 @router.post("/api/items")
 async def create_item(item: ItemCreate):
-    # 【安全新增】：禁止负向消费防线
+    # 【安全加固】：强制转换为整数，并拦截负数 (防浮点漏洞与洗钱)
+    item.price = int(item.price)
     if item.price < 0:
         raise HTTPException(status_code=400, detail="🚨 安全拦截：商品价格不能为负数")
         
@@ -110,28 +113,34 @@ async def create_item(item: ItemCreate):
 
 @router.put("/api/items/{item_id}")
 async def update_item(item_id: str, update_data: ItemUpdate, author: str):
-    # 【安全新增】：禁止负向消费防线
-    if update_data.price is not None and update_data.price < 0:
-        raise HTTPException(status_code=400, detail="🚨 安全拦截：商品价格不能为负数")
-        
+    # 【安全加固】：更新时同样强制转换为整数并拦截负数
+    if update_data.price is not None:
+        update_data.price = int(update_data.price)
+        if update_data.price < 0:
+            raise HTTPException(status_code=400, detail="🚨 安全拦截：商品价格不能为负数")
+            
     items_db = db.load_data("items.json", default_data=[])
     for item in items_db:
         if item["id"] == item_id:
             if item.get("author") != author: raise HTTPException(status_code=403, detail="无权修改他人发布的内容")
+            
             if update_data.title is not None: item["title"] = update_data.title
             if update_data.shortDesc is not None: item["shortDesc"] = update_data.shortDesc
             if update_data.fullDesc is not None: item["fullDesc"] = update_data.fullDesc
             if update_data.link is not None: item["link"] = update_data.link
             if update_data.coverUrl is not None: item["coverUrl"] = update_data.coverUrl
             if update_data.price is not None: item["price"] = update_data.price
+            
             db.save_data("items.json", items_db)
             return {"status": "success"}
+            
     raise HTTPException(status_code=404, detail="找不到该内容记录")
 
 @router.delete("/api/items/{item_id}")
 async def delete_item(item_id: str, author: str):
     items_db = db.load_data("items.json", default_data=[])
     target_idx = next((i for i, item in enumerate(items_db) if item["id"] == item_id), None)
+    
     if target_idx is None: raise HTTPException(status_code=404, detail="找不到该内容记录")
     if items_db[target_idx].get("author") != author: raise HTTPException(status_code=403, detail="无权删除他人发布的内容")
     
@@ -142,6 +151,7 @@ async def delete_item(item_id: str, author: str):
     if item_id in comments_db:
         del comments_db[item_id]
         db.save_data("comments.json", comments_db)
+        
     return {"status": "success"}
 
 @router.post("/api/items/{item_id}/use")
@@ -157,4 +167,5 @@ async def record_item_use(item_id: str):
             item["use_history"][current_month] = item["use_history"].get(current_month, 0) + 1
             db.save_data("items.json", items_db)
             return {"status": "success", "uses": item["uses"]}
+            
     raise HTTPException(status_code=404, detail="找不到该内容记录")

数据库连接.py

@@ -1,86 +1,89 @@
 # ⚙️ 后端逻辑/数据库连接.py
 import os
 import json
+import threading
 from huggingface_hub import HfApi, hf_hub_download
 
 HF_TOKEN = os.environ.get("HF_TOKEN")
-# 已经替换为你真实的 Dataset 仓库
 DATASET_REPO_ID = "ZHIWEI666/ComfyUI-Ranking" 
 
-# ==========================================
-# 【核心修改】：智能判断运行环境
-# ==========================================
 if os.environ.get("SPACE_ID"):
-    # 如果检测到在 Hugging Face Spaces 环境运行，则使用 /tmp 目录（绕过容器只读限制）
     LOCAL_DB_DIR = "/tmp/local_db_data"
 else:
-    # 本地运行时，自动在当前 Python 文件同级目录下创建一个 "cache" 文件夹
     BASE_DIR = os.path.dirname(os.path.abspath(__file__))
     LOCAL_DB_DIR = os.path.join(BASE_DIR, "cache")
 
 api = HfApi() if HF_TOKEN else None
 
-# 确保本地缓存目录存在
 if not os.path.exists(LOCAL_DB_DIR):
     os.makedirs(LOCAL_DB_DIR)
 
+# 【核心优化 1】：引入全局读写锁，防止高并发下 JSON 数据覆写和丢失
+db_lock = threading.Lock()
+
 def load_data(file_name: str, default_data=None):
-    """读取数据：优先从 HF Dataset 读取，如果没有 Token 则从本地读取"""
+    """读取数据：引入线程锁，保证读取时不会读到写入一半的残缺数据"""
     if default_data is None:
         default_data = {} if file_name == "users.json" else []
         
-    try:
-        if HF_TOKEN:
-            file_path = hf_hub_download(repo_id=DATASET_REPO_ID, filename=file_name, repo_type="dataset", token=HF_TOKEN)
-        else:
-            file_path = os.path.join(LOCAL_DB_DIR, file_name)
-            if not os.path.exists(file_path):
+    local_path = os.path.join(LOCAL_DB_DIR, file_name)
+    
+    with db_lock:
+        if not os.path.exists(local_path):
+            if HF_TOKEN:
+                try:
+                    file_path = hf_hub_download(repo_id=DATASET_REPO_ID, repo_type="dataset", filename=file_name, token=HF_TOKEN)
+                    with open(file_path, "r", encoding="utf-8") as f:
+                        data = json.load(f)
+                    with open(local_path, "w", encoding="utf-8") as f:
+                        json.dump(data, f, ensure_ascii=False, indent=2)
+                    return data
+                except Exception:
+                    return default_data
+            else:
                 return default_data
+                
+        try:
+            with open(local_path, "r", encoding="utf-8") as f:
+                return json.load(f)
+        except Exception as e:
+            print(f"解析 {file_name} 失败，启用默认数据。原因: {e}")
+            return default_data
 
-        with open(file_path, "r", encoding="utf-8") as f:
-            return json.load(f)
+def _background_upload_to_hf(local_path, file_name):
+    """【核心优化 2】：后台独立线程执行 HF 推送，彻底解放 FastAPI 主线程性能"""
+    try:
+        api.upload_file(
+            path_or_fileobj=local_path,
+            path_in_repo=file_name,
+            repo_id=DATASET_REPO_ID,
+            repo_type="dataset",
+            token=HF_TOKEN,
+            commit_message=f"Auto-update {file_name}"
+        )
     except Exception as e:
-        print(f"[{file_name}] 数据拉取失败或文件不存在，使用默认空数据。原因: {e}")
-        return default_data
+        print(f"后台同步到 HF Dataset 失败: {e}")
 
 def save_data(file_name: str, data):
-    """保存数据：写入本地并同步到 HF Dataset"""
+    """保存数据：加锁写入本地，并触发异步后台同步"""
     local_path = os.path.join(LOCAL_DB_DIR, file_name)
     
-    # 1. 始终先写入本地缓存目录
-    with open(local_path, "w", encoding="utf-8") as f:
-        json.dump(data, f, ensure_ascii=False, indent=2)
+    with db_lock:
+        with open(local_path, "w", encoding="utf-8") as f:
+            json.dump(data, f, ensure_ascii=False, indent=2)
     
-    # 2. 如果有 Token，同步推送到 Hugging Face
+    # 触发后台线程推送，接口毫秒级返回
     if HF_TOKEN:
-        try:
-            api.upload_file(
-                path_or_fileobj=local_path,
-                path_in_repo=file_name,
-                repo_id=DATASET_REPO_ID,
-                repo_type="dataset",
-                token=HF_TOKEN,
-                commit_message=f"Auto-update {file_name}"
-            )
-        except Exception as e:
-            print(f"同步到 HF Dataset 失败: {e}")
+        threading.Thread(target=_background_upload_to_hf, args=(local_path, file_name)).start()
 
-# --- 保存真实的二进制文件 ---
 def save_file(file_path_in_repo: str, content: bytes):
+    """保存二进制文件（图片/应用等）"""
     local_full_path = os.path.join(LOCAL_DB_DIR, file_path_in_repo)
-    
-    # 自动创建子目录（如 avatars/, tools/）
     os.makedirs(os.path.dirname(local_full_path), exist_ok=True)
     
-    with open(local_full_path, "wb") as f:
-        f.write(content)
-        
+    with db_lock:
+        with open(local_full_path, "wb") as f:
+            f.write(content)
+            
     if HF_TOKEN:
-        try:
-            api.upload_file(
-                path_or_fileobj=local_full_path, path_in_repo=file_path_in_repo,
-                repo_id=DATASET_REPO_ID, repo_type="dataset",
-                token=HF_TOKEN, commit_message=f"Upload File: {file_path_in_repo}"
-            )
-        except Exception as e:
-            print(f"同步文件到 HF Dataset 失败: {e}")
+        threading.Thread(target=_background_upload_to_hf, args=(local_full_path, file_path_in_repo)).start()