@seasonkoh/webaz 0.1.7 → 0.1.9

package/dist/pwa/routes/recover-key.js

@@ -0,0 +1,100 @@
+export function registerRecoverKeyRoutes(app, deps) {
+    const { db, internalAuditorId, issueCode, findActiveCode, CODE_TTL_MIN, MAX_CODE_ATTEMPTS } = deps;
+    // IP 级速率（5/min）— 防爆破列举账户
+    const recoverKeyHits = new Map();
+    app.post('/api/recover-key', (req, res) => {
+        const ip = req.ip || '';
+        if (ip) {
+            const now = Date.now();
+            const rec = recoverKeyHits.get(ip);
+            if (rec && now - rec.firstAt < 60_000) {
+                rec.count++;
+                if (rec.count > 5)
+                    return void res.status(429).json({ error: '查询过于频繁，请 1 分钟后再试' });
+            }
+            else {
+                recoverKeyHits.set(ip, { count: 1, firstAt: now });
+            }
+            if (recoverKeyHits.size > 1000) {
+                for (const [k, v] of recoverKeyHits)
+                    if (now - v.firstAt > 60_000)
+                        recoverKeyHits.delete(k);
+            }
+        }
+        const { name } = req.body;
+        if (!name?.trim())
+            return void res.json({ error: '请填写注册时使用的名称' });
+        const rows = db.prepare("SELECT name, role, api_key, email, phone, created_at FROM users WHERE name = ? AND id NOT IN ('sys_protocol', ?)").all(name.trim(), internalAuditorId);
+        if (rows.length === 0)
+            return void res.json({ error: '未找到该名称的账号' });
+        const mask = (s) => s && s.length > 8 ? `${s.slice(0, 4)}…${s.slice(-4)}` : s;
+        const maskEmail = (e) => {
+            if (!e)
+                return null;
+            const [u, d] = e.split('@');
+            if (!d)
+                return mask(e);
+            return `${u.slice(0, 1)}***@${d}`;
+        };
+        const maskPhone = (p) => p ? `${p.slice(0, 3)}****${p.slice(-4)}` : null;
+        const accounts = rows.map(r => ({
+            name: r.name,
+            role: r.role,
+            key_hint: mask(r.api_key), // 模糊辨认，不可登录
+            email_hint: maskEmail(r.email || null),
+            phone_hint: maskPhone(r.phone || null),
+            has_email: !!r.email,
+            has_phone: !!r.phone,
+            created_at: r.created_at,
+        }));
+        res.json({
+            found: accounts.length,
+            accounts,
+            notice: '完整密钥找回需通过已绑定的邮箱/手机验证（P1 即将上线）。若你此前未绑定任何渠道，请使用本机已保存的密钥登录或联系管理员。',
+        });
+    });
+    // 步骤 1：发送验证码到已绑定邮箱（防泄露：找没找到都同响应）
+    app.post('/api/recover-key/start', (req, res) => {
+        const { name, email } = req.body;
+        if (!name?.trim() || !email?.trim())
+            return void res.json({ error: '请填写名称和邮箱' });
+        const target = email.trim().toLowerCase();
+        const user = db.prepare(`
+      SELECT id, name, email FROM users
+      WHERE name = ? AND email = ? AND email_verified = 1
+        AND id NOT IN ('sys_protocol', ?) LIMIT 1
+    `).get(name.trim(), target, internalAuditorId);
+        if (user)
+            issueCode(user.id, 'email', target, 'recover_key');
+        res.json({
+            success: true,
+            notice: '若该名称与邮箱组合存在，验证码已发送至该邮箱',
+            expires_in_min: CODE_TTL_MIN,
+        });
+    });
+    // 步骤 2：提交验证码 → 返回完整 api_key
+    app.post('/api/recover-key/confirm', (req, res) => {
+        const { name, email, code } = req.body;
+        if (!name?.trim() || !email?.trim() || !code?.trim())
+            return void res.json({ error: '请填写完整信息' });
+        const target = email.trim().toLowerCase();
+        const row = findActiveCode('email', target, 'recover_key');
+        if (!row)
+            return void res.json({ error: '验证码已过期或未发送，请重新开始' });
+        const user = db.prepare(`SELECT id, name, api_key FROM users WHERE id = ?`).get(row.user_id);
+        if (!user || user.name !== name.trim())
+            return void res.json({ error: '名称与验证码不匹配' });
+        if (String(row.code) !== code.trim()) {
+            const attempts = row.attempts + 1;
+            if (attempts >= MAX_CODE_ATTEMPTS) {
+                db.prepare("UPDATE verification_codes SET attempts = ?, used_at = datetime('now') WHERE id = ?")
+                    .run(attempts, row.id);
+                return void res.json({ error: '错误次数过多，验证码已作废，请重新开始' });
+            }
+            db.prepare("UPDATE verification_codes SET attempts = ? WHERE id = ?").run(attempts, row.id);
+            return void res.json({ error: `验证码错误（剩余 ${MAX_CODE_ATTEMPTS - attempts} 次）` });
+        }
+        db.prepare("UPDATE verification_codes SET used_at = datetime('now') WHERE id = ?").run(row.id);
+        res.json({ success: true, api_key: user.api_key, name: user.name });
+    });
+}

package/dist/pwa/routes/referral.js

@@ -0,0 +1,58 @@
+export function registerReferralRoutes(app, deps) {
+    const { db, auth, requireProtocolAdmin, logAdminAction, issueInviteSlot, inviteRotationLookup } = deps;
+    // B-1: 个人邀请 dashboard
+    app.get('/api/referral/me', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const code = user.permanent_code || null;
+        // 我直接邀请的人
+        const directInvitees = db.prepare(`
+      SELECT u.id, u.handle, u.name, u.role, u.created_at,
+        (SELECT COUNT(*) FROM orders WHERE buyer_id = u.id AND status = 'completed') as completed_orders,
+        (SELECT COALESCE(SUM(total_amount), 0) FROM orders WHERE buyer_id = u.id AND status = 'completed') as gmv
+      FROM users u WHERE u.sponsor_id = ?
+      ORDER BY u.created_at DESC LIMIT 50
+    `).all(user.id);
+        // 推土机奖励 / 商品分享佣金（commission_records 按订单粒度）
+        const earnings = db.prepare(`
+      SELECT COUNT(*) as cnt, COALESCE(SUM(amount), 0) as total FROM commission_records WHERE beneficiary_id = ?
+    `).get(user.id);
+        const todayEarnings = db.prepare(`SELECT COALESCE(SUM(amount), 0) as t FROM commission_records WHERE beneficiary_id = ? AND created_at > datetime('now', '-1 day')`).get(user.id).t;
+        const monthEarnings = db.prepare(`SELECT COALESCE(SUM(amount), 0) as t FROM commission_records WHERE beneficiary_id = ? AND created_at > datetime('now', '-30 days')`).get(user.id).t;
+        res.json({
+            invite_code: code,
+            invite_link: code ? `${req.protocol}://${req.get('host')}/?ref=${code}` : null,
+            direct_invitees_count: directInvitees.length,
+            direct_invitees: directInvitees,
+            earnings: {
+                total_records: earnings.cnt,
+                total_waz: earnings.total,
+                today_waz: todayEarnings,
+                month_waz: monthEarnings,
+            },
+        });
+    });
+    // 公开邀请码轮询（开关 ON 时）
+    app.post('/api/invite/rotate', (_req, res) => {
+        const enabled = db.prepare("SELECT value FROM system_state WHERE key='invite_rotation_enabled'").get()?.value === '1';
+        if (!enabled)
+            return void res.status(403).json({ error: '邀请码获取暂未开放', enabled: false });
+        const slot = issueInviteSlot();
+        const u = inviteRotationLookup(slot);
+        if (!u)
+            return void res.status(503).json({ error: `轮询用户未就绪，请联系管理员`, enabled: true });
+        res.json({ enabled: true, code: u.code });
+    });
+    // protocol 开关
+    app.post('/api/admin/invite-rotation/toggle', (req, res) => {
+        const admin = requireProtocolAdmin(req, res);
+        if (!admin)
+            return;
+        const { enabled } = req.body;
+        const v = enabled ? '1' : '0';
+        db.prepare("INSERT OR REPLACE INTO system_state (key, value) VALUES ('invite_rotation_enabled', ?)").run(v);
+        logAdminAction(admin.id, 'invite_rotation_toggle', 'system', 'invite_rotation_enabled', { value: v });
+        res.json({ success: true, enabled: !!enabled });
+    });
+}

package/dist/pwa/routes/reputation.js

@@ -0,0 +1,34 @@
+export function registerReputationRoutes(app, deps) {
+    const { db, auth, getReputation, getSellerMetrics } = deps;
+    app.get('/api/reputation', (req, res) => {
+        const user = auth(req, res);
+        if (!user)
+            return;
+        const rep = getReputation(db, user.id);
+        res.json({
+            level: rep.level,
+            total_points: rep.total_points,
+            transactions_done: rep.transactions_done,
+            disputes_won: rep.disputes_won,
+            disputes_lost: rep.disputes_lost,
+            violations: rep.violations,
+            recent_events: rep.recent_events,
+            metrics: getSellerMetrics(user.id),
+        });
+    });
+    app.get('/api/reputation/:userId', (req, res) => {
+        const rep = getReputation(db, req.params.userId);
+        const decayRow = db.prepare(`SELECT last_decay_at FROM reputation_scores WHERE user_id = ?`).get(req.params.userId);
+        res.json({
+            level: rep.level,
+            total_points: rep.total_points,
+            transactions_done: rep.transactions_done,
+            disputes_won: rep.disputes_won,
+            disputes_lost: rep.disputes_lost,
+            violations: rep.violations,
+            metrics: getSellerMetrics(req.params.userId),
+            last_decay_at: decayRow?.last_decay_at || null,
+            decay_rate: 0.02,
+        });
+    });
+}