@tinkcarlos/skillora 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/skills/.temp-skill-index.md +245 -0
- package/.claude/skills/SKILL.md +264 -0
- package/.claude/skills/api-scaffolding/SKILL.md +431 -0
- package/.claude/skills/api-scaffolding/agents/backend-architect.md +282 -0
- package/.claude/skills/api-scaffolding/agents/django-pro.md +144 -0
- package/.claude/skills/api-scaffolding/agents/fastapi-pro.md +156 -0
- package/.claude/skills/api-scaffolding/agents/graphql-architect.md +146 -0
- package/.claude/skills/api-scaffolding/skills/fastapi-templates/SKILL.md +171 -0
- package/.claude/skills/api-testing-observability/SKILL.md +583 -0
- package/.claude/skills/api-testing-observability/agents/api-documenter.md +146 -0
- package/.claude/skills/api-testing-observability/commands/api-mock.md +1320 -0
- package/.claude/skills/brainstorming/SKILL.md +283 -0
- package/.claude/skills/bug-fixing/SKILL.md +382 -0
- package/.claude/skills/bug-fixing/references/backend-guide.md +132 -0
- package/.claude/skills/bug-fixing/references/bug-guide.md +354 -0
- package/.claude/skills/bug-fixing/references/bug-record-template.md +134 -0
- package/.claude/skills/bug-fixing/references/bug-records.md +88 -0
- package/.claude/skills/bug-fixing/references/code-review-gate.md +81 -0
- package/.claude/skills/bug-fixing/references/common-bugs.md +140 -0
- package/.claude/skills/bug-fixing/references/complete-workflow.md +361 -0
- package/.claude/skills/bug-fixing/references/config-driven-fixes.md +136 -0
- package/.claude/skills/bug-fixing/references/context-isolation-protocol.md +268 -0
- package/.claude/skills/bug-fixing/references/cross-surface-regression.md +120 -0
- package/.claude/skills/bug-fixing/references/database-investigation.md +129 -0
- package/.claude/skills/bug-fixing/references/dependency-and-integrity-protocol.md +369 -0
- package/.claude/skills/bug-fixing/references/fix-completeness-checklist.md +239 -0
- package/.claude/skills/bug-fixing/references/frontend-guide.md +219 -0
- package/.claude/skills/bug-fixing/references/fullstack-joint-guide.md +123 -0
- package/.claude/skills/bug-fixing/references/functional-breakage.md +117 -0
- package/.claude/skills/bug-fixing/references/ide-lint-errors-guide.md +176 -0
- package/.claude/skills/bug-fixing/references/impact-analysis.md +511 -0
- package/.claude/skills/bug-fixing/references/investigation-checklist.md +263 -0
- package/.claude/skills/bug-fixing/references/knowledge-extraction-guide.md +531 -0
- package/.claude/skills/bug-fixing/references/knowledge-workflow.md +212 -0
- package/.claude/skills/bug-fixing/references/post-edit-quality-gate.md +30 -0
- package/.claude/skills/bug-fixing/references/python-env-and-testing.md +126 -0
- package/.claude/skills/bug-fixing/references/rca-guide.md +428 -0
- package/.claude/skills/bug-fixing/references/similar-bug-patterns.md +113 -0
- package/.claude/skills/bug-fixing/references/skill-delegation-guide.md +350 -0
- package/.claude/skills/bug-fixing/references/skill-orchestration.md +155 -0
- package/.claude/skills/bug-fixing/references/testing-strategy.md +350 -0
- package/.claude/skills/bug-fixing/references/tooling-build-scripts.md +162 -0
- package/.claude/skills/bug-fixing/references/user-input-validation.md +77 -0
- package/.claude/skills/bug-fixing/references/ux-patterns.md +158 -0
- package/.claude/skills/bug-fixing/references/windows-terminal-hygiene.md +106 -0
- package/.claude/skills/bug-fixing/references/zero-regression-matrix.md +239 -0
- package/.claude/skills/bug-fixing/references/zero-risk-protocol.md +102 -0
- package/.claude/skills/bug-fixing/scripts/format_code.py +611 -0
- package/.claude/skills/bug-fixing/scripts/generate_report_template.py +74 -0
- package/.claude/skills/bug-fixing/scripts/lint_check.py +816 -0
- package/.claude/skills/bug-fixing/scripts/requirements.txt +36 -0
- package/.claude/skills/cicd-pipeline/SKILL.md +300 -0
- package/.claude/skills/code-review/SKILL.md +535 -0
- package/.claude/skills/code-review/references/anti-pattern-scan.md +102 -0
- package/.claude/skills/code-review/references/automated-analysis.md +456 -0
- package/.claude/skills/code-review/references/backend-common-issues.md +589 -0
- package/.claude/skills/code-review/references/backend-expert-guide.md +415 -0
- package/.claude/skills/code-review/references/backend-review.md +868 -0
- package/.claude/skills/code-review/references/batch-processing-strategy.md +198 -0
- package/.claude/skills/code-review/references/call-chain-analysis-protocol.md +166 -0
- package/.claude/skills/code-review/references/common-patterns.md +321 -0
- package/.claude/skills/code-review/references/configuration-review.md +425 -0
- package/.claude/skills/code-review/references/control-flow-completeness.md +114 -0
- package/.claude/skills/code-review/references/database-review.md +298 -0
- package/.claude/skills/code-review/references/dependency-and-integrity-protocol.md +313 -0
- package/.claude/skills/code-review/references/external-standards.md +51 -0
- package/.claude/skills/code-review/references/feature-review.md +329 -0
- package/.claude/skills/code-review/references/file-review-template.md +326 -0
- package/.claude/skills/code-review/references/frontend-advanced.md +654 -0
- package/.claude/skills/code-review/references/frontend-common-issues.md +482 -0
- package/.claude/skills/code-review/references/frontend-expert-guide.md +342 -0
- package/.claude/skills/code-review/references/frontend-review.md +783 -0
- package/.claude/skills/code-review/references/fullstack-consistency.md +418 -0
- package/.claude/skills/code-review/references/fullstack-review.md +477 -0
- package/.claude/skills/code-review/references/functional-completeness.md +386 -0
- package/.claude/skills/code-review/references/hidden-bugs-detection.md +473 -0
- package/.claude/skills/code-review/references/ide-lint-errors-guide.md +173 -0
- package/.claude/skills/code-review/references/infrastructure-review.md +453 -0
- package/.claude/skills/code-review/references/iteration-review.md +264 -0
- package/.claude/skills/code-review/references/job-review.md +335 -0
- package/.claude/skills/code-review/references/layered-checklist-protocol.md +157 -0
- package/.claude/skills/code-review/references/logic-completeness.md +535 -0
- package/.claude/skills/code-review/references/mandatory-checklist.md +288 -0
- package/.claude/skills/code-review/references/multi-language-guide.md +800 -0
- package/.claude/skills/code-review/references/new-project-review.md +226 -0
- package/.claude/skills/code-review/references/non-code-files-review.md +451 -0
- package/.claude/skills/code-review/references/overlooked-issues.md +657 -0
- package/.claude/skills/code-review/references/platform-specific-review.md +195 -0
- package/.claude/skills/code-review/references/precision-analysis-protocol.md +260 -0
- package/.claude/skills/code-review/references/python-patterns.md +494 -0
- package/.claude/skills/code-review/references/rca-techniques.md +362 -0
- package/.claude/skills/code-review/references/report-template.md +430 -0
- package/.claude/skills/code-review/references/resource-limits-and-degradation.md +137 -0
- package/.claude/skills/code-review/references/review-dimensions.md +311 -0
- package/.claude/skills/code-review/references/review-guide.md +202 -0
- package/.claude/skills/code-review/references/review-knowledge-workflow.md +257 -0
- package/.claude/skills/code-review/references/review-progress-tracker-protocol.md +172 -0
- package/.claude/skills/code-review/references/review-record-template.md +195 -0
- package/.claude/skills/code-review/references/skill-orchestration.md +143 -0
- package/.claude/skills/code-review/references/ui-ux-review.md +470 -0
- package/.claude/skills/containerization/SKILL.md +313 -0
- package/.claude/skills/database-migrations/agents/database-admin.md +142 -0
- package/.claude/skills/database-migrations/agents/database-optimizer.md +144 -0
- package/.claude/skills/database-migrations/commands/migration-observability.md +408 -0
- package/.claude/skills/database-migrations/commands/sql-migrations.md +492 -0
- package/.claude/skills/finishing-a-development-branch/SKILL.md +319 -0
- package/.claude/skills/frontend-design/LICENSE.txt +177 -0
- package/.claude/skills/frontend-design/SKILL.md +587 -0
- package/.claude/skills/frontend-design/references/color-consistency.md +487 -0
- package/.claude/skills/frontend-design/references/color-palettes-full.md +657 -0
- package/.claude/skills/frontend-design/references/design-system-generator.md +285 -0
- package/.claude/skills/frontend-design/references/font-pairings-full.md +705 -0
- package/.claude/skills/frontend-design/references/industry-anti-patterns.md +281 -0
- package/.claude/skills/frontend-design/references/layout-anti-patterns.md +582 -0
- package/.claude/skills/frontend-design/references/motion-patterns.md +659 -0
- package/.claude/skills/frontend-design/references/pre-delivery-checklist.md +153 -0
- package/.claude/skills/frontend-design/references/responsive-design.md +555 -0
- package/.claude/skills/frontend-design/references/style-modification-rules.md +335 -0
- package/.claude/skills/frontend-design/references/ui-styles-full.md +383 -0
- package/.claude/skills/frontend-design/references/ui-styles-rating.md +191 -0
- package/.claude/skills/frontend-design/references/ux-guidelines.md +640 -0
- package/.claude/skills/fullstack-developer/SKILL.md +512 -0
- package/.claude/skills/fullstack-developer/references/api-contract-guide.md +312 -0
- package/.claude/skills/fullstack-developer/references/api-response-patterns.md +223 -0
- package/.claude/skills/fullstack-developer/references/async-patterns.md +220 -0
- package/.claude/skills/fullstack-developer/references/bug-prevention.md +914 -0
- package/.claude/skills/fullstack-developer/references/code-quality-checklist.md +271 -0
- package/.claude/skills/fullstack-developer/references/complete-development-workflow.md +278 -0
- package/.claude/skills/fullstack-developer/references/context-isolation-protocol.md +256 -0
- package/.claude/skills/fullstack-developer/references/database-migration.md +331 -0
- package/.claude/skills/fullstack-developer/references/dependency-and-integrity-protocol.md +390 -0
- package/.claude/skills/fullstack-developer/references/development-phases.md +333 -0
- package/.claude/skills/fullstack-developer/references/expert-guide.md +214 -0
- package/.claude/skills/fullstack-developer/references/file-import-patterns.md +114 -0
- package/.claude/skills/fullstack-developer/references/graceful-degradation-patterns.md +78 -0
- package/.claude/skills/fullstack-developer/references/ide-lint-errors-guide.md +183 -0
- package/.claude/skills/fullstack-developer/references/integration-testing.md +301 -0
- package/.claude/skills/fullstack-developer/references/mock-api-patterns.md +307 -0
- package/.claude/skills/fullstack-developer/references/phase-gate-template.md +249 -0
- package/.claude/skills/fullstack-developer/references/post-edit-quality-gate.md +30 -0
- package/.claude/skills/fullstack-developer/references/python-engineering.md +79 -0
- package/.claude/skills/fullstack-developer/references/skill-orchestration.md +214 -0
- package/.claude/skills/fullstack-developer/references/skill-router-table.md +304 -0
- package/.claude/skills/fullstack-developer/references/state-sync.md +217 -0
- package/.claude/skills/fullstack-developer/references/ui-testing-checklist.md +292 -0
- package/.claude/skills/fullstack-developer/scripts/format_code.py +611 -0
- package/.claude/skills/fullstack-developer/scripts/lint_check.py +816 -0
- package/.claude/skills/fullstack-developer/scripts/requirements.txt +36 -0
- package/.claude/skills/performance-optimization/SKILL.md +250 -0
- package/.claude/skills/product-requirements/SKILL.md +357 -0
- package/.claude/skills/product-requirements/references/acceptance-criteria.md +335 -0
- package/.claude/skills/product-requirements/references/answer-first-questioning-protocol.md +299 -0
- package/.claude/skills/product-requirements/references/competitive-analysis-guide.md +183 -0
- package/.claude/skills/product-requirements/references/document-accuracy-protocol.md +253 -0
- package/.claude/skills/product-requirements/references/document-management-protocol.md +278 -0
- package/.claude/skills/product-requirements/references/external-standards.md +62 -0
- package/.claude/skills/product-requirements/references/feature-spec-template.md +359 -0
- package/.claude/skills/product-requirements/references/knowledge-acquisition-protocol.md +251 -0
- package/.claude/skills/product-requirements/references/plan-execution-protocol.md +334 -0
- package/.claude/skills/product-requirements/references/plan-generation-protocol.md +264 -0
- package/.claude/skills/product-requirements/references/prioritization-frameworks.md +80 -0
- package/.claude/skills/product-requirements/references/requirement-decomposition-protocol.md +291 -0
- package/.claude/skills/product-requirements/references/user-story-examples.md +297 -0
- package/.claude/skills/product-requirements/references/workflow-templates.md +266 -0
- package/.claude/skills/react-best-practices/SKILL.md +198 -0
- package/.claude/skills/react-best-practices/references/advanced-patterns.md +94 -0
- package/.claude/skills/react-best-practices/references/bundle-optimization.md +182 -0
- package/.claude/skills/react-best-practices/references/client-data-fetching.md +112 -0
- package/.claude/skills/react-best-practices/references/complete-guide.md +2249 -0
- package/.claude/skills/react-best-practices/references/eliminating-waterfalls.md +169 -0
- package/.claude/skills/react-best-practices/references/javascript-performance.md +256 -0
- package/.claude/skills/react-best-practices/references/rendering-performance.md +230 -0
- package/.claude/skills/react-best-practices/references/rerender-optimization.md +214 -0
- package/.claude/skills/react-best-practices/references/server-performance.md +182 -0
- package/.claude/skills/security-audit/SKILL.md +226 -0
- package/.claude/skills/shared-references/advanced-debugging-techniques.md +186 -0
- package/.claude/skills/shared-references/code-quality-checklist.md +218 -0
- package/.claude/skills/shared-references/code-review-efficiency-guide.md +125 -0
- package/.claude/skills/shared-references/mcp-dependency-compatibility-protocol.md +276 -0
- package/.claude/skills/shared-references/skill-call-graph.md +230 -0
- package/.claude/skills/shared-references/skill-orchestration-protocol.md +281 -0
- package/.claude/skills/shared-references/subagent-dispatch-templates.md +199 -0
- package/.claude/skills/skill-expert-skills/LICENSE.txt +204 -0
- package/.claude/skills/skill-expert-skills/QUICK_NAVIGATION.md +374 -0
- package/.claude/skills/skill-expert-skills/SKILL.md +247 -0
- package/.claude/skills/skill-expert-skills/docs/_index.md +91 -0
- package/.claude/skills/skill-expert-skills/references/deep-research-methodology.md +389 -0
- package/.claude/skills/skill-expert-skills/references/docs-generation-workflow.md +398 -0
- package/.claude/skills/skill-expert-skills/references/domain-expertise-protocol.md +343 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/_index.md +54 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/backend-expertise.md +517 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/bug-fixing-expertise.md +363 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/code-review-expertise.md +392 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge/frontend-expertise.md +410 -0
- package/.claude/skills/skill-expert-skills/references/domain-knowledge-template.md +503 -0
- package/.claude/skills/skill-expert-skills/references/examples.md +782 -0
- package/.claude/skills/skill-expert-skills/references/integration-examples.md +655 -0
- package/.claude/skills/skill-expert-skills/references/knowledge-validation-checklist.md +246 -0
- package/.claude/skills/skill-expert-skills/references/latest-knowledge-acquisition.md +461 -0
- package/.claude/skills/skill-expert-skills/references/mcp-tools-guide.md +439 -0
- package/.claude/skills/skill-expert-skills/references/official-best-practices.md +616 -0
- package/.claude/skills/skill-expert-skills/references/patterns.md +218 -0
- package/.claude/skills/skill-expert-skills/references/plugin-skills-guide.md +432 -0
- package/.claude/skills/skill-expert-skills/references/requirement-elicitation-protocol.md +290 -0
- package/.claude/skills/skill-expert-skills/references/skill-creator-SKILL.md +353 -0
- package/.claude/skills/skill-expert-skills/references/skill-templates.md +583 -0
- package/.claude/skills/skill-expert-skills/references/skills-knowledge-base.md +561 -0
- package/.claude/skills/skill-expert-skills/references/tools-guide.md +379 -0
- package/.claude/skills/skill-expert-skills/references/troubleshooting.md +378 -0
- package/.claude/skills/skill-expert-skills/references/universality-guide.md +205 -0
- package/.claude/skills/skill-expert-skills/references/writing-style-guide.md +466 -0
- package/.claude/skills/skill-expert-skills/scripts/__pycache__/quick_validate.cpython-313.pyc +0 -0
- package/.claude/skills/skill-expert-skills/scripts/__pycache__/universal_validate.cpython-313.pyc +0 -0
- package/.claude/skills/skill-expert-skills/scripts/analyze_trigger.py +425 -0
- package/.claude/skills/skill-expert-skills/scripts/diff_with_official.py +188 -0
- package/.claude/skills/skill-expert-skills/scripts/init_skill.py +349 -0
- package/.claude/skills/skill-expert-skills/scripts/package_skill.py +156 -0
- package/.claude/skills/skill-expert-skills/scripts/quick_validate.py +493 -0
- package/.claude/skills/skill-expert-skills/scripts/requirements.txt +2 -0
- package/.claude/skills/skill-expert-skills/scripts/universal_validate.py +182 -0
- package/.claude/skills/skill-expert-skills/scripts/upgrade_skill.py +431 -0
- package/.claude/skills/subagent-driven-development/SKILL.md +268 -0
- package/.claude/skills/test-driven-development/SKILL.md +246 -0
- package/.claude/skills/test-driven-development/references/testing-anti-patterns.md +192 -0
- package/.claude/skills/using-git-worktrees/SKILL.md +266 -0
- package/.claude/skills/using-skillstack/SKILL.md +127 -0
- package/.claude/skills/vercel-deploy/SKILL.md +166 -0
- package/.claude/skills/vercel-deploy/scripts/deploy.sh +249 -0
- package/.claude/skills/verification-before-completion/SKILL.md +305 -0
- package/.claude/skills/writing-plans/SKILL.md +259 -0
- package/README.md +69 -0
- package/bin/cli.js +468 -0
- package/lib/init.js +333 -0
- package/package.json +29 -0
|
@@ -0,0 +1,589 @@
|
|
|
1
|
+
# 后端常见问题检查清单 (Backend Common Issues)
|
|
2
|
+
|
|
3
|
+
> 后端开发中经常出现的 Bug 和问题,代码审查时必须逐项检查。
|
|
4
|
+
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
## 🔴 P0 级问题 (必须修复)
|
|
8
|
+
|
|
9
|
+
### 1. 并发与线程安全问题
|
|
10
|
+
|
|
11
|
+
#### 1.1 共享状态竞态条件
|
|
12
|
+
|
|
13
|
+
```python
|
|
14
|
+
# ❌ 错误:修改共享的单例对象
|
|
15
|
+
class ChatService:
|
|
16
|
+
def __init__(self):
|
|
17
|
+
self.agent = load_agent() # 单例,所有请求共享
|
|
18
|
+
|
|
19
|
+
async def chat(self, user_input, llm_id=None):
|
|
20
|
+
if llm_id:
|
|
21
|
+
self.agent.llm_provider_id = llm_id # 竞态条件!影响其他用户
|
|
22
|
+
return await self.agent.run(user_input)
|
|
23
|
+
|
|
24
|
+
# ✅ 正确:传递参数而非修改共享状态
|
|
25
|
+
class ChatService:
|
|
26
|
+
def __init__(self):
|
|
27
|
+
self.agent = load_agent()
|
|
28
|
+
|
|
29
|
+
async def chat(self, user_input, llm_id=None):
|
|
30
|
+
# 传递参数,不修改共享对象
|
|
31
|
+
return await self.agent.run(user_input, override_llm_id=llm_id)
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
**检查点**:
|
|
35
|
+
- [ ] 是否修改了单例/全局对象的属性
|
|
36
|
+
- [ ] 请求级数据是否存储在共享对象中
|
|
37
|
+
- [ ] 是否有线程/协程安全的数据结构
|
|
38
|
+
|
|
39
|
+
#### 1.2 数据库事务问题
|
|
40
|
+
|
|
41
|
+
```python
|
|
42
|
+
# ❌ 错误:事务范围不正确
|
|
43
|
+
async def transfer_money(from_id, to_id, amount):
|
|
44
|
+
from_account = await db.get(from_id)
|
|
45
|
+
from_account.balance -= amount
|
|
46
|
+
await db.save(from_account) # 如果下面失败,钱已扣除!
|
|
47
|
+
|
|
48
|
+
to_account = await db.get(to_id)
|
|
49
|
+
to_account.balance += amount
|
|
50
|
+
await db.save(to_account)
|
|
51
|
+
|
|
52
|
+
# ✅ 正确:使用事务
|
|
53
|
+
async def transfer_money(from_id, to_id, amount):
|
|
54
|
+
async with db.transaction():
|
|
55
|
+
from_account = await db.get(from_id)
|
|
56
|
+
to_account = await db.get(to_id)
|
|
57
|
+
|
|
58
|
+
if from_account.balance < amount:
|
|
59
|
+
raise InsufficientFundsError()
|
|
60
|
+
|
|
61
|
+
from_account.balance -= amount
|
|
62
|
+
to_account.balance += amount
|
|
63
|
+
|
|
64
|
+
await db.save(from_account)
|
|
65
|
+
await db.save(to_account)
|
|
66
|
+
```
|
|
67
|
+
|
|
68
|
+
**检查点**:
|
|
69
|
+
- [ ] 多表操作是否在同一事务中
|
|
70
|
+
- [ ] 事务隔离级别是否正确
|
|
71
|
+
- [ ] 是否有死锁风险
|
|
72
|
+
|
|
73
|
+
#### 1.3 异步任务错误处理
|
|
74
|
+
|
|
75
|
+
```python
|
|
76
|
+
# ❌ 错误:后台任务错误被吞掉
|
|
77
|
+
asyncio.create_task(send_notification(user_id)) # 失败了也不知道
|
|
78
|
+
|
|
79
|
+
# ✅ 正确:添加错误回调
|
|
80
|
+
task = asyncio.create_task(send_notification(user_id))
|
|
81
|
+
|
|
82
|
+
def handle_error(t):
|
|
83
|
+
if not t.cancelled() and t.exception():
|
|
84
|
+
logger.error(f"Background task failed: {t.exception()}")
|
|
85
|
+
# 可选:发送告警、重试等
|
|
86
|
+
|
|
87
|
+
task.add_done_callback(handle_error)
|
|
88
|
+
|
|
89
|
+
# ✅ Python 3.11+ 使用 TaskGroup
|
|
90
|
+
async with asyncio.TaskGroup() as tg:
|
|
91
|
+
tg.create_task(send_notification(user_id))
|
|
92
|
+
```
|
|
93
|
+
|
|
94
|
+
**检查点**:
|
|
95
|
+
- [ ] 后台任务是否有错误处理
|
|
96
|
+
- [ ] 是否有任务超时机制
|
|
97
|
+
- [ ] 失败任务是否有重试策略
|
|
98
|
+
|
|
99
|
+
---
|
|
100
|
+
|
|
101
|
+
### 2. 数据库问题
|
|
102
|
+
|
|
103
|
+
#### 2.1 N+1 查询问题
|
|
104
|
+
|
|
105
|
+
```python
|
|
106
|
+
# ❌ 错误:N+1 查询
|
|
107
|
+
users = await User.all() # 1 次查询
|
|
108
|
+
for user in users:
|
|
109
|
+
orders = await user.orders.all() # N 次查询!
|
|
110
|
+
print(f"{user.name}: {len(orders)} orders")
|
|
111
|
+
|
|
112
|
+
# ✅ 正确:预加载关联数据
|
|
113
|
+
users = await User.all().prefetch_related('orders') # 2 次查询
|
|
114
|
+
for user in users:
|
|
115
|
+
print(f"{user.name}: {len(user.orders)} orders")
|
|
116
|
+
|
|
117
|
+
# ✅ 或使用 JOIN
|
|
118
|
+
users = await User.all().select_related('profile') # 1 次 JOIN 查询
|
|
119
|
+
```
|
|
120
|
+
|
|
121
|
+
**检查点**:
|
|
122
|
+
- [ ] 循环中是否有数据库查询
|
|
123
|
+
- [ ] 是否使用了 prefetch_related/select_related
|
|
124
|
+
- [ ] 是否有 SQL 日志监控 N+1
|
|
125
|
+
|
|
126
|
+
#### 2.2 SQL 注入
|
|
127
|
+
|
|
128
|
+
```python
|
|
129
|
+
# ❌ 危险:字符串拼接 SQL
|
|
130
|
+
user_id = request.args.get('id')
|
|
131
|
+
query = f"SELECT * FROM users WHERE id = {user_id}" # SQL 注入!
|
|
132
|
+
cursor.execute(query)
|
|
133
|
+
|
|
134
|
+
# ✅ 安全:参数化查询
|
|
135
|
+
cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
|
|
136
|
+
|
|
137
|
+
# ✅ 使用 ORM
|
|
138
|
+
user = await User.get(id=user_id)
|
|
139
|
+
```
|
|
140
|
+
|
|
141
|
+
**检查点**:
|
|
142
|
+
- [ ] 是否有字符串拼接 SQL
|
|
143
|
+
- [ ] 是否使用参数化查询
|
|
144
|
+
- [ ] 动态表名/列名是否经过白名单验证
|
|
145
|
+
|
|
146
|
+
#### 2.3 连接泄漏
|
|
147
|
+
|
|
148
|
+
```python
|
|
149
|
+
# ❌ 错误:连接未释放
|
|
150
|
+
async def get_data():
|
|
151
|
+
conn = await pool.acquire()
|
|
152
|
+
result = await conn.fetch("SELECT * FROM data")
|
|
153
|
+
return result # 连接未释放!
|
|
154
|
+
|
|
155
|
+
# ✅ 正确:使用上下文管理器
|
|
156
|
+
async def get_data():
|
|
157
|
+
async with pool.acquire() as conn:
|
|
158
|
+
result = await conn.fetch("SELECT * FROM data")
|
|
159
|
+
return result
|
|
160
|
+
|
|
161
|
+
# ✅ 或使用 try-finally
|
|
162
|
+
async def get_data():
|
|
163
|
+
conn = await pool.acquire()
|
|
164
|
+
try:
|
|
165
|
+
result = await conn.fetch("SELECT * FROM data")
|
|
166
|
+
return result
|
|
167
|
+
finally:
|
|
168
|
+
await pool.release(conn)
|
|
169
|
+
```
|
|
170
|
+
|
|
171
|
+
**检查点**:
|
|
172
|
+
- [ ] 数据库连接是否正确释放
|
|
173
|
+
- [ ] 是否使用连接池
|
|
174
|
+
- [ ] 连接池配置是否合理
|
|
175
|
+
|
|
176
|
+
---
|
|
177
|
+
|
|
178
|
+
### 3. API 设计问题
|
|
179
|
+
|
|
180
|
+
#### 3.1 缺少输入验证
|
|
181
|
+
|
|
182
|
+
```python
|
|
183
|
+
# ❌ 错误:没有验证输入
|
|
184
|
+
@app.post("/users")
|
|
185
|
+
async def create_user(data: dict):
|
|
186
|
+
user = User(**data) # 任意字段都能传入!
|
|
187
|
+
await user.save()
|
|
188
|
+
return user
|
|
189
|
+
|
|
190
|
+
# ✅ 正确:使用 Pydantic 验证
|
|
191
|
+
from pydantic import BaseModel, EmailStr, constr
|
|
192
|
+
|
|
193
|
+
class CreateUserRequest(BaseModel):
|
|
194
|
+
email: EmailStr
|
|
195
|
+
password: constr(min_length=8)
|
|
196
|
+
name: constr(min_length=1, max_length=100)
|
|
197
|
+
|
|
198
|
+
@app.post("/users")
|
|
199
|
+
async def create_user(data: CreateUserRequest):
|
|
200
|
+
user = User(**data.dict())
|
|
201
|
+
await user.save()
|
|
202
|
+
return user
|
|
203
|
+
```
|
|
204
|
+
|
|
205
|
+
**检查点**:
|
|
206
|
+
- [ ] 所有输入是否有类型验证
|
|
207
|
+
- [ ] 字符串是否有长度限制
|
|
208
|
+
- [ ] 数字是否有范围限制
|
|
209
|
+
- [ ] 是否验证了必填字段
|
|
210
|
+
|
|
211
|
+
#### 3.2 缺少权限检查
|
|
212
|
+
|
|
213
|
+
```python
|
|
214
|
+
# ❌ 错误:没有权限检查
|
|
215
|
+
@app.get("/users/{user_id}/orders")
|
|
216
|
+
async def get_user_orders(user_id: int):
|
|
217
|
+
return await Order.filter(user_id=user_id).all() # 任何人都能查!
|
|
218
|
+
|
|
219
|
+
# ✅ 正确:检查权限
|
|
220
|
+
@app.get("/users/{user_id}/orders")
|
|
221
|
+
async def get_user_orders(user_id: int, current_user: User = Depends(get_current_user)):
|
|
222
|
+
# 只能查自己的订单,或者是管理员
|
|
223
|
+
if current_user.id != user_id and not current_user.is_admin:
|
|
224
|
+
raise HTTPException(status_code=403, detail="Forbidden")
|
|
225
|
+
return await Order.filter(user_id=user_id).all()
|
|
226
|
+
```
|
|
227
|
+
|
|
228
|
+
**检查点**:
|
|
229
|
+
- [ ] 每个端点是否有认证检查
|
|
230
|
+
- [ ] 是否验证了资源所有权
|
|
231
|
+
- [ ] 管理员操作是否有额外验证
|
|
232
|
+
|
|
233
|
+
#### 3.3 错误响应不一致
|
|
234
|
+
|
|
235
|
+
```python
|
|
236
|
+
# ❌ 错误:错误响应格式不一致
|
|
237
|
+
@app.get("/users/{id}")
|
|
238
|
+
async def get_user(id: int):
|
|
239
|
+
user = await User.get_or_none(id=id)
|
|
240
|
+
if not user:
|
|
241
|
+
return {"error": "not found"} # 有时返回这个
|
|
242
|
+
# raise HTTPException(404) # 有时抛异常
|
|
243
|
+
# return None # 有时返回 None
|
|
244
|
+
|
|
245
|
+
# ✅ 正确:统一错误处理
|
|
246
|
+
@app.exception_handler(HTTPException)
|
|
247
|
+
async def http_exception_handler(request, exc):
|
|
248
|
+
return JSONResponse(
|
|
249
|
+
status_code=exc.status_code,
|
|
250
|
+
content={
|
|
251
|
+
"error": {
|
|
252
|
+
"code": exc.status_code,
|
|
253
|
+
"message": exc.detail
|
|
254
|
+
}
|
|
255
|
+
}
|
|
256
|
+
)
|
|
257
|
+
|
|
258
|
+
@app.get("/users/{id}")
|
|
259
|
+
async def get_user(id: int):
|
|
260
|
+
user = await User.get_or_none(id=id)
|
|
261
|
+
if not user:
|
|
262
|
+
raise HTTPException(status_code=404, detail="User not found")
|
|
263
|
+
return user
|
|
264
|
+
```
|
|
265
|
+
|
|
266
|
+
**检查点**:
|
|
267
|
+
- [ ] 错误响应格式是否统一
|
|
268
|
+
- [ ] 是否有全局异常处理器
|
|
269
|
+
- [ ] 错误信息是否对用户友好
|
|
270
|
+
|
|
271
|
+
---
|
|
272
|
+
|
|
273
|
+
### 4. 安全问题
|
|
274
|
+
|
|
275
|
+
#### 4.1 密码存储不安全
|
|
276
|
+
|
|
277
|
+
```python
|
|
278
|
+
# ❌ 危险:明文存储密码
|
|
279
|
+
user.password = request.password # 明文!
|
|
280
|
+
|
|
281
|
+
# ❌ 危险:使用 MD5/SHA1
|
|
282
|
+
import hashlib
|
|
283
|
+
user.password = hashlib.md5(request.password.encode()).hexdigest()
|
|
284
|
+
|
|
285
|
+
# ✅ 安全:使用 bcrypt
|
|
286
|
+
from passlib.hash import bcrypt
|
|
287
|
+
|
|
288
|
+
user.password_hash = bcrypt.hash(request.password)
|
|
289
|
+
|
|
290
|
+
# 验证密码
|
|
291
|
+
if bcrypt.verify(request.password, user.password_hash):
|
|
292
|
+
# 密码正确
|
|
293
|
+
```
|
|
294
|
+
|
|
295
|
+
**检查点**:
|
|
296
|
+
- [ ] 密码是否使用 bcrypt/argon2 加密
|
|
297
|
+
- [ ] 是否有密码强度要求
|
|
298
|
+
- [ ] 密码是否在日志中出现
|
|
299
|
+
|
|
300
|
+
#### 4.2 命令注入
|
|
301
|
+
|
|
302
|
+
```python
|
|
303
|
+
# ❌ 危险:shell=True + 用户输入
|
|
304
|
+
import subprocess
|
|
305
|
+
filename = request.args.get('file')
|
|
306
|
+
subprocess.run(f"cat {filename}", shell=True) # 命令注入!
|
|
307
|
+
|
|
308
|
+
# ✅ 安全:使用列表参数
|
|
309
|
+
subprocess.run(["cat", filename]) # 安全
|
|
310
|
+
|
|
311
|
+
# ✅ 更安全:验证输入
|
|
312
|
+
import re
|
|
313
|
+
if not re.match(r'^[a-zA-Z0-9_.-]+$', filename):
|
|
314
|
+
raise ValueError("Invalid filename")
|
|
315
|
+
subprocess.run(["cat", filename])
|
|
316
|
+
```
|
|
317
|
+
|
|
318
|
+
**检查点**:
|
|
319
|
+
- [ ] 是否使用了 shell=True
|
|
320
|
+
- [ ] 用户输入是否直接用于命令
|
|
321
|
+
- [ ] 是否有输入白名单验证
|
|
322
|
+
|
|
323
|
+
#### 4.3 敏感信息泄露
|
|
324
|
+
|
|
325
|
+
```python
|
|
326
|
+
# ❌ 错误:日志中记录敏感信息
|
|
327
|
+
logger.info(f"User login: {username}, password: {password}")
|
|
328
|
+
logger.error(f"API call failed: {api_key}")
|
|
329
|
+
|
|
330
|
+
# ❌ 错误:错误信息暴露内部细节
|
|
331
|
+
except Exception as e:
|
|
332
|
+
return {"error": str(e)} # 可能暴露堆栈、SQL 等
|
|
333
|
+
|
|
334
|
+
# ✅ 正确:脱敏日志
|
|
335
|
+
logger.info(f"User login: {username}")
|
|
336
|
+
logger.error(f"API call failed: {api_key[:4]}****")
|
|
337
|
+
|
|
338
|
+
# ✅ 正确:通用错误信息
|
|
339
|
+
except Exception as e:
|
|
340
|
+
logger.exception("Internal error") # 内部记录详情
|
|
341
|
+
return {"error": "Internal server error"} # 对外通用信息
|
|
342
|
+
```
|
|
343
|
+
|
|
344
|
+
**检查点**:
|
|
345
|
+
- [ ] 日志是否记录了密码/token/密钥
|
|
346
|
+
- [ ] 错误响应是否暴露了内部细节
|
|
347
|
+
- [ ] 是否有敏感信息脱敏机制
|
|
348
|
+
|
|
349
|
+
---
|
|
350
|
+
|
|
351
|
+
## 🟠 P1 级问题 (应该修复)
|
|
352
|
+
|
|
353
|
+
### 5. 性能问题
|
|
354
|
+
|
|
355
|
+
#### 5.1 缺少超时设置
|
|
356
|
+
|
|
357
|
+
```python
|
|
358
|
+
# ❌ 错误:没有超时
|
|
359
|
+
response = requests.get(external_api_url) # 可能永远等待
|
|
360
|
+
|
|
361
|
+
# ✅ 正确:设置超时
|
|
362
|
+
response = requests.get(external_api_url, timeout=10)
|
|
363
|
+
|
|
364
|
+
# ✅ 异步版本
|
|
365
|
+
async with aiohttp.ClientSession() as session:
|
|
366
|
+
async with session.get(url, timeout=aiohttp.ClientTimeout(total=10)) as resp:
|
|
367
|
+
return await resp.json()
|
|
368
|
+
```
|
|
369
|
+
|
|
370
|
+
**检查点**:
|
|
371
|
+
- [ ] HTTP 请求是否有超时
|
|
372
|
+
- [ ] 数据库查询是否有超时
|
|
373
|
+
- [ ] 外部服务调用是否有超时
|
|
374
|
+
|
|
375
|
+
#### 5.2 缺少重试机制
|
|
376
|
+
|
|
377
|
+
```python
|
|
378
|
+
# ❌ 错误:没有重试
|
|
379
|
+
def call_external_api():
|
|
380
|
+
return requests.get(api_url).json() # 失败就失败
|
|
381
|
+
|
|
382
|
+
# ✅ 正确:指数退避重试
|
|
383
|
+
from tenacity import retry, stop_after_attempt, wait_exponential
|
|
384
|
+
|
|
385
|
+
@retry(
|
|
386
|
+
stop=stop_after_attempt(3),
|
|
387
|
+
wait=wait_exponential(multiplier=1, min=1, max=10)
|
|
388
|
+
)
|
|
389
|
+
def call_external_api():
|
|
390
|
+
response = requests.get(api_url, timeout=10)
|
|
391
|
+
response.raise_for_status()
|
|
392
|
+
return response.json()
|
|
393
|
+
```
|
|
394
|
+
|
|
395
|
+
**检查点**:
|
|
396
|
+
- [ ] 外部调用是否有重试
|
|
397
|
+
- [ ] 重试是否使用指数退避
|
|
398
|
+
- [ ] 是否有最大重试次数限制
|
|
399
|
+
|
|
400
|
+
#### 5.3 缓存问题
|
|
401
|
+
|
|
402
|
+
```python
|
|
403
|
+
# ❌ 错误:缓存穿透 - 不存在的数据反复查库
|
|
404
|
+
def get_user(user_id):
|
|
405
|
+
cached = redis.get(f"user:{user_id}")
|
|
406
|
+
if cached:
|
|
407
|
+
return cached
|
|
408
|
+
user = db.query(User).get(user_id)
|
|
409
|
+
if user:
|
|
410
|
+
redis.set(f"user:{user_id}", user, ex=3600)
|
|
411
|
+
return user # None 不缓存,下次还查库
|
|
412
|
+
|
|
413
|
+
# ✅ 正确:缓存空值
|
|
414
|
+
def get_user(user_id):
|
|
415
|
+
cached = redis.get(f"user:{user_id}")
|
|
416
|
+
if cached == "NULL":
|
|
417
|
+
return None
|
|
418
|
+
if cached:
|
|
419
|
+
return cached
|
|
420
|
+
user = db.query(User).get(user_id)
|
|
421
|
+
if user:
|
|
422
|
+
redis.set(f"user:{user_id}", user, ex=3600)
|
|
423
|
+
else:
|
|
424
|
+
redis.set(f"user:{user_id}", "NULL", ex=60) # 短期缓存空值
|
|
425
|
+
return user
|
|
426
|
+
```
|
|
427
|
+
|
|
428
|
+
**检查点**:
|
|
429
|
+
- [ ] 是否有缓存穿透防护
|
|
430
|
+
- [ ] 缓存是否有过期时间
|
|
431
|
+
- [ ] 数据更新时是否清除缓存
|
|
432
|
+
|
|
433
|
+
---
|
|
434
|
+
|
|
435
|
+
### 6. 可观测性问题
|
|
436
|
+
|
|
437
|
+
#### 6.1 日志不足
|
|
438
|
+
|
|
439
|
+
```python
|
|
440
|
+
# ❌ 错误:没有日志
|
|
441
|
+
async def process_order(order_id):
|
|
442
|
+
order = await Order.get(order_id)
|
|
443
|
+
await payment_service.charge(order.amount)
|
|
444
|
+
order.status = "paid"
|
|
445
|
+
await order.save()
|
|
446
|
+
|
|
447
|
+
# ✅ 正确:关键操作有日志
|
|
448
|
+
async def process_order(order_id):
|
|
449
|
+
logger.info(f"Processing order: {order_id}")
|
|
450
|
+
order = await Order.get(order_id)
|
|
451
|
+
|
|
452
|
+
logger.info(f"Charging amount: {order.amount}")
|
|
453
|
+
try:
|
|
454
|
+
await payment_service.charge(order.amount)
|
|
455
|
+
except PaymentError as e:
|
|
456
|
+
logger.error(f"Payment failed for order {order_id}: {e}")
|
|
457
|
+
raise
|
|
458
|
+
|
|
459
|
+
order.status = "paid"
|
|
460
|
+
await order.save()
|
|
461
|
+
logger.info(f"Order {order_id} completed successfully")
|
|
462
|
+
```
|
|
463
|
+
|
|
464
|
+
**检查点**:
|
|
465
|
+
- [ ] 关键业务操作是否有日志
|
|
466
|
+
- [ ] 错误是否有详细日志
|
|
467
|
+
- [ ] 日志是否包含追踪 ID
|
|
468
|
+
|
|
469
|
+
#### 6.2 缺少健康检查
|
|
470
|
+
|
|
471
|
+
```python
|
|
472
|
+
# ❌ 错误:没有健康检查端点
|
|
473
|
+
# 无法知道服务是否正常
|
|
474
|
+
|
|
475
|
+
# ✅ 正确:完整的健康检查
|
|
476
|
+
@app.get("/health")
|
|
477
|
+
async def health_check():
|
|
478
|
+
checks = {}
|
|
479
|
+
|
|
480
|
+
# 检查数据库
|
|
481
|
+
try:
|
|
482
|
+
await db.execute("SELECT 1")
|
|
483
|
+
checks["database"] = "healthy"
|
|
484
|
+
except Exception as e:
|
|
485
|
+
checks["database"] = f"unhealthy: {e}"
|
|
486
|
+
|
|
487
|
+
# 检查 Redis
|
|
488
|
+
try:
|
|
489
|
+
await redis.ping()
|
|
490
|
+
checks["redis"] = "healthy"
|
|
491
|
+
except Exception as e:
|
|
492
|
+
checks["redis"] = f"unhealthy: {e}"
|
|
493
|
+
|
|
494
|
+
status = "healthy" if all(v == "healthy" for v in checks.values()) else "unhealthy"
|
|
495
|
+
return {"status": status, "checks": checks}
|
|
496
|
+
```
|
|
497
|
+
|
|
498
|
+
**检查点**:
|
|
499
|
+
- [ ] 是否有 /health 端点
|
|
500
|
+
- [ ] 健康检查是否包含依赖服务
|
|
501
|
+
- [ ] 是否有 /ready 端点(K8s)
|
|
502
|
+
|
|
503
|
+
---
|
|
504
|
+
|
|
505
|
+
### 7. 资源管理问题
|
|
506
|
+
|
|
507
|
+
#### 7.1 文件句柄泄漏
|
|
508
|
+
|
|
509
|
+
```python
|
|
510
|
+
# ❌ 错误:文件未关闭
|
|
511
|
+
def read_file(path):
|
|
512
|
+
f = open(path)
|
|
513
|
+
content = f.read()
|
|
514
|
+
return content # 文件未关闭!
|
|
515
|
+
|
|
516
|
+
# ✅ 正确:使用上下文管理器
|
|
517
|
+
def read_file(path):
|
|
518
|
+
with open(path) as f:
|
|
519
|
+
return f.read()
|
|
520
|
+
```
|
|
521
|
+
|
|
522
|
+
**检查点**:
|
|
523
|
+
- [ ] 文件是否使用 with 语句
|
|
524
|
+
- [ ] 网络连接是否正确关闭
|
|
525
|
+
- [ ] 是否有资源泄漏风险
|
|
526
|
+
|
|
527
|
+
#### 7.2 内存泄漏
|
|
528
|
+
|
|
529
|
+
```python
|
|
530
|
+
# ❌ 错误:无限增长的缓存
|
|
531
|
+
cache = {}
|
|
532
|
+
|
|
533
|
+
def get_data(key):
|
|
534
|
+
if key not in cache:
|
|
535
|
+
cache[key] = expensive_computation(key) # 永远不清理!
|
|
536
|
+
return cache[key]
|
|
537
|
+
|
|
538
|
+
# ✅ 正确:使用 LRU 缓存
|
|
539
|
+
from functools import lru_cache
|
|
540
|
+
|
|
541
|
+
@lru_cache(maxsize=1000)
|
|
542
|
+
def get_data(key):
|
|
543
|
+
return expensive_computation(key)
|
|
544
|
+
|
|
545
|
+
# ✅ 或使用 TTL 缓存
|
|
546
|
+
from cachetools import TTLCache
|
|
547
|
+
|
|
548
|
+
cache = TTLCache(maxsize=1000, ttl=3600)
|
|
549
|
+
```
|
|
550
|
+
|
|
551
|
+
**检查点**:
|
|
552
|
+
- [ ] 缓存是否有大小限制
|
|
553
|
+
- [ ] 是否有内存泄漏风险
|
|
554
|
+
- [ ] 长时间运行是否会 OOM
|
|
555
|
+
|
|
556
|
+
---
|
|
557
|
+
|
|
558
|
+
## 📋 后端检查清单汇总
|
|
559
|
+
|
|
560
|
+
```markdown
|
|
561
|
+
## 后端代码审查检查清单
|
|
562
|
+
|
|
563
|
+
### P0 必须检查
|
|
564
|
+
- [ ] 竞态条件:不修改共享单例状态
|
|
565
|
+
- [ ] 事务边界:多表操作在同一事务
|
|
566
|
+
- [ ] 后台任务:有错误处理回调
|
|
567
|
+
- [ ] N+1 查询:使用预加载
|
|
568
|
+
- [ ] SQL 注入:使用参数化查询
|
|
569
|
+
- [ ] 连接泄漏:使用上下文管理器
|
|
570
|
+
- [ ] 输入验证:所有输入都验证
|
|
571
|
+
- [ ] 权限检查:每个端点都检查
|
|
572
|
+
- [ ] 密码存储:使用 bcrypt/argon2
|
|
573
|
+
- [ ] 命令注入:不用 shell=True
|
|
574
|
+
- [ ] 敏感信息:不在日志/响应中暴露
|
|
575
|
+
|
|
576
|
+
### P1 应该检查
|
|
577
|
+
- [ ] 超时设置:所有外部调用有超时
|
|
578
|
+
- [ ] 重试机制:外部调用有重试
|
|
579
|
+
- [ ] 缓存穿透:缓存空值
|
|
580
|
+
- [ ] 日志完整:关键操作有日志
|
|
581
|
+
- [ ] 健康检查:有 /health 端点
|
|
582
|
+
- [ ] 资源管理:文件/连接正确关闭
|
|
583
|
+
- [ ] 内存管理:缓存有大小限制
|
|
584
|
+
|
|
585
|
+
### 错误响应检查
|
|
586
|
+
- [ ] 格式统一:所有错误响应格式一致
|
|
587
|
+
- [ ] 信息友好:错误信息对用户友好
|
|
588
|
+
- [ ] 不泄露:不暴露内部细节
|
|
589
|
+
```
|