skill-base 2.0.1

package/src/models/user.js

@@ -0,0 +1,130 @@
+const db = require('../database');
+
+const UserModel = {
+  // 根据 ID 查询用户
+  findById(id) {
+    return db.prepare('SELECT id, username, name, role, status, created_at, updated_at FROM users WHERE id = ?').get(id);
+  },
+
+  // 根据用户名查询（含 password_hash，用于登录验证）
+  findByUsername(username) {
+    return db.prepare('SELECT * FROM users WHERE username = ?').get(username);
+  },
+
+  // 创建用户
+  create(username, passwordHash, role = 'developer') {
+    const result = db.prepare('INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)').run(username, passwordHash, role);
+    return this.findById(result.lastInsertRowid);
+  },
+
+  // 列出用户（支持分页和搜索）
+  list({ q, status, page = 1, limit = 20 } = {}) {
+    let sql = 'SELECT id, username, name, role, status, created_at, updated_at FROM users WHERE 1=1';
+    let countSql = 'SELECT COUNT(*) as total FROM users WHERE 1=1';
+    const params = [];
+    const countParams = [];
+    
+    if (q) {
+      sql += ' AND (username LIKE ? OR name LIKE ?)';
+      countSql += ' AND (username LIKE ? OR name LIKE ?)';
+      params.push(`%${q}%`, `%${q}%`);
+      countParams.push(`%${q}%`, `%${q}%`);
+    }
+    if (status) {
+      sql += ' AND status = ?';
+      countSql += ' AND status = ?';
+      params.push(status);
+      countParams.push(status);
+    }
+    
+    const total = db.prepare(countSql).get(...countParams).total;
+    
+    sql += ' ORDER BY created_at DESC LIMIT ? OFFSET ?';
+    params.push(limit, (page - 1) * limit);
+    
+    const users = db.prepare(sql).all(...params);
+    return { users, total, page, limit };
+  },
+
+  // 更新用户名
+  updateUsername(id, username) {
+    const result = db.prepare(
+      "UPDATE users SET username = ?, updated_at = datetime('now') WHERE id = ?"
+    ).run(username, id);
+    return result.changes > 0;
+  },
+
+  // 更新密码
+  updatePassword(id, passwordHash) {
+    const result = db.prepare(
+      "UPDATE users SET password_hash = ?, updated_at = datetime('now') WHERE id = ?"
+    ).run(passwordHash, id);
+    return result.changes > 0;
+  },
+
+  // 更新用户（管理员用）
+  update(id, fields) {
+    const allowed = ['role', 'status', 'username', 'name'];
+    const sets = [];
+    const params = [];
+    
+    for (const [key, value] of Object.entries(fields)) {
+      if (allowed.includes(key) && value !== undefined) {
+        sets.push(`${key} = ?`);
+        params.push(value);
+      }
+    }
+    
+    if (sets.length === 0) return false;
+    
+    sets.push("updated_at = datetime('now')");
+    params.push(id);
+    
+    const result = db.prepare(`UPDATE users SET ${sets.join(', ')} WHERE id = ?`).run(...params);
+    return result.changes > 0;
+  },
+
+  // 重置密码（管理员用）
+  resetPassword(id, passwordHash) {
+    const result = db.prepare(
+      "UPDATE users SET password_hash = ?, updated_at = datetime('now') WHERE id = ?"
+    ).run(passwordHash, id);
+    return result.changes > 0;
+  },
+
+  // 查询用户详情（含创建者信息）
+  findByIdWithCreator(id) {
+    return db.prepare(`
+      SELECT u.id, u.username, u.name, u.role, u.status, u.created_at, u.updated_at,
+             c.id as creator_id, c.username as creator_username
+      FROM users u
+      LEFT JOIN users c ON u.created_by = c.id
+      WHERE u.id = ?
+    `).get(id);
+  },
+
+  // 更新用户名和姓名
+  updateProfile(id, { username, name }) {
+    const sets = [];
+    const params = [];
+    
+    if (username !== undefined) {
+      sets.push('username = ?');
+      params.push(username);
+    }
+    if (name !== undefined) {
+      sets.push('name = ?');
+      params.push(name);
+    }
+    
+    if (sets.length === 0) return false;
+    
+    sets.push("updated_at = datetime('now')");
+    params.push(id);
+    
+    const result = db.prepare(`UPDATE users SET ${sets.join(', ')} WHERE id = ?`).run(...params);
+    return result.changes > 0;
+  }
+};
+
+module.exports = UserModel;

package/src/models/version.js

@@ -0,0 +1,57 @@
+const db = require('../database');
+
+const VersionModel = {
+  // 创建新版本
+  create(skillId, version, changelog, zipPath, uploaderId) {
+    const result = db.prepare(`
+      INSERT INTO skill_versions (skill_id, version, changelog, zip_path, uploader_id)
+      VALUES (?, ?, ?, ?, ?)
+    `).run(skillId, version, changelog || '', zipPath, uploaderId);
+    return this.findById(result.lastInsertRowid);
+  },
+
+  // 根据 ID 查询版本
+  findById(id) {
+    return db.prepare(`
+      SELECT sv.*, u.username as uploader_username, u.name as uploader_name
+      FROM skill_versions sv
+      LEFT JOIN users u ON sv.uploader_id = u.id
+      WHERE sv.id = ?
+    `).get(id);
+  },
+
+  // 根据 skill_id 和 version 查询
+  findByVersion(skillId, version) {
+    return db.prepare(`
+      SELECT sv.*, u.username as uploader_username, u.name as uploader_name
+      FROM skill_versions sv
+      LEFT JOIN users u ON sv.uploader_id = u.id
+      WHERE sv.skill_id = ? AND sv.version = ?
+    `).get(skillId, version);
+  },
+
+  // 列出某 Skill 的所有版本（按创建时间倒序）
+  listBySkillId(skillId) {
+    return db.prepare(`
+      SELECT sv.*, u.username as uploader_username, u.name as uploader_name
+      FROM skill_versions sv
+      LEFT JOIN users u ON sv.uploader_id = u.id
+      WHERE sv.skill_id = ?
+      ORDER BY sv.created_at DESC
+    `).all(skillId);
+  },
+
+  // 获取某 Skill 的最新版本
+  getLatest(skillId) {
+    return db.prepare(`
+      SELECT sv.*, u.username as uploader_username, u.name as uploader_name
+      FROM skill_versions sv
+      LEFT JOIN users u ON sv.uploader_id = u.id
+      WHERE sv.skill_id = ?
+      ORDER BY sv.created_at DESC
+      LIMIT 1
+    `).get(skillId);
+  }
+};
+
+module.exports = VersionModel;

package/src/routes/auth.js

@@ -0,0 +1,173 @@
+const db = require('../database');
+const UserModel = require('../models/user');
+const { verifyPassword, hashPassword, generateCliCode, generatePAT } = require('../utils/crypto');
+
+async function authRoutes(fastify, options) {
+  // POST /login - 用户登录
+  fastify.post('/login', async (request, reply) => {
+    const { username, password } = request.body || {};
+
+    if (!username || !password) {
+      return reply.code(400).send({ detail: 'Username and password are required' });
+    }
+
+    // 查找用户
+    const user = UserModel.findByUsername(username);
+    if (!user) {
+      return reply.code(401).send({ detail: 'Invalid username or password' });
+    }
+
+    // Check account status
+    if (user.status === 'disabled') {
+      return reply.code(401).send({
+        ok: false,
+        error: 'account_disabled',
+        detail: 'Account is disabled'
+      });
+    }
+
+    // Verify password
+    if (!verifyPassword(password, user.password_hash)) {
+      return reply.code(401).send({ detail: 'Invalid username or password' });
+    }
+
+    // Create session and set cookie
+    const sessionId = fastify.createSession(user.id);
+    reply.setCookie('session_id', sessionId, { path: '/', httpOnly: true });
+
+    return { ok: true, user: { id: user.id, username: user.username, name: user.name || null, role: user.role } };
+  });
+
+  // POST /logout - 用户登出
+  fastify.post('/logout', async (request, reply) => {
+    const sessionId = request.cookies?.session_id;
+    if (sessionId) {
+      fastify.destroySession(sessionId);
+    }
+    reply.clearCookie('session_id', { path: '/' });
+    return { ok: true };
+  });
+
+  // POST /cli-code/generate - 生成 CLI 验证码
+  fastify.post('/cli-code/generate', {
+    preHandler: [fastify.authenticate]
+  }, async (request, reply) => {
+    const code = generateCliCode();
+    const expiresAt = new Date(Date.now() + 5 * 60 * 1000).toISOString();
+
+    // 写入 cli_auth_codes 表
+    db.prepare(`
+      INSERT INTO cli_auth_codes (code, user_id, expires_at, used)
+      VALUES (?, ?, ?, FALSE)
+    `).run(code, request.user.id, expiresAt);
+
+    return { ok: true, code, expires_at: expiresAt };
+  });
+
+  // POST /cli-code/verify - 验证 CLI 验证码
+  fastify.post('/cli-code/verify', async (request, reply) => {
+    const { code } = request.body || {};
+
+    if (!code) {
+      return reply.code(400).send({ detail: 'Code is required' });
+    }
+
+    // 查找验证码：未使用且未过期
+    const codeRecord = db.prepare(`
+      SELECT * FROM cli_auth_codes
+      WHERE code = ? AND used = FALSE AND expires_at > datetime('now')
+    `).get(code);
+
+    if (!codeRecord) {
+      return reply.code(401).send({ detail: 'Invalid or expired code' });
+    }
+
+    // 标记为已使用
+    db.prepare('UPDATE cli_auth_codes SET used = TRUE WHERE code = ?').run(code);
+
+    // 生成 PAT
+    const token = generatePAT();
+    db.prepare(`
+      INSERT INTO personal_access_tokens (token, user_id, description)
+      VALUES (?, ?, ?)
+    `).run(token, codeRecord.user_id, 'CLI generated token');
+
+    // 获取用户信息
+    const user = UserModel.findById(codeRecord.user_id);
+
+    return {
+      ok: true,
+      token,
+      user: { id: user.id, username: user.username, name: user.name || null }
+    };
+  });
+
+  // GET /me - 获取当前用户信息
+  fastify.get('/me', {
+    preHandler: [fastify.authenticate]
+  }, async (request, reply) => {
+    return request.user;
+  });
+
+  // PATCH /me - 更新个人信息（用户名和姓名）
+  fastify.patch('/me', {
+    preHandler: [fastify.authenticate]
+  }, async (request, reply) => {
+    const { username, name } = request.body || {};
+
+    // 至少需要提供一个字段
+    if (username === undefined && name === undefined) {
+      return reply.code(400).send({ ok: false, error: 'invalid_params', detail: 'At least one field must be provided' });
+    }
+
+    // 验证用户名
+    if (username !== undefined) {
+      if (typeof username !== 'string' || username.trim().length === 0) {
+        return reply.code(400).send({ ok: false, error: 'invalid_params', detail: 'Username cannot be empty' });
+      }
+      const trimmed = username.trim();
+      // 检查用户名是否已存在（排除自己）
+      const existing = UserModel.findByUsername(trimmed);
+      if (existing && existing.id !== request.user.id) {
+        return reply.code(400).send({ ok: false, error: 'username_exists', detail: 'Username already exists' });
+      }
+    }
+
+    UserModel.updateProfile(request.user.id, {
+      username: username ? username.trim() : undefined,
+      name: name !== undefined ? name : undefined
+    });
+    const updated = UserModel.findById(request.user.id);
+
+    return reply.send({ ok: true, user: updated });
+  });
+
+  // POST /me/change-password - 修改密码
+  fastify.post('/me/change-password', {
+    preHandler: [fastify.authenticate]
+  }, async (request, reply) => {
+    const { old_password, new_password } = request.body || {};
+
+    if (!old_password || !new_password) {
+      return reply.code(400).send({ ok: false, error: 'invalid_params', detail: 'Old password and new password are required' });
+    }
+
+    if (new_password.length < 6) {
+      return reply.code(400).send({ ok: false, error: 'invalid_params', detail: 'New password must be at least 6 characters' });
+    }
+
+    // 验证旧密码 - 需要获取含密码的用户信息
+    const user = UserModel.findByUsername(request.user.username);
+
+    if (!verifyPassword(old_password, user.password_hash)) {
+      return reply.code(401).send({ ok: false, error: 'wrong_password', detail: 'Incorrect old password' });
+    }
+
+    const newHash = hashPassword(new_password);
+    UserModel.updatePassword(request.user.id, newHash);
+
+    return reply.send({ ok: true, message: 'Password changed successfully' });
+  });
+}
+
+module.exports = authRoutes;

package/src/routes/collaborators.js

@@ -0,0 +1,260 @@
+const db = require('../database');
+const { canManageSkill } = require('../utils/permission');
+const UserModel = require('../models/user');
+
+async function collaboratorsRoutes(fastify, options) {
+
+  // GET /:skill_id/collaborators - 获取协作者列表（公开）
+  fastify.get('/:skill_id/collaborators', async (request, reply) => {
+    const { skill_id } = request.params;
+    
+    // 检查 Skill 是否存在
+    const skill = db.prepare('SELECT id FROM skills WHERE id = ?').get(skill_id);
+    if (!skill) {
+      return reply.code(404).send({ ok: false, error: 'not_found', detail: 'Skill not found' });
+    }
+    
+    const collaborators = db.prepare(`
+      SELECT sc.id, sc.role, sc.created_at,
+             u.id as user_id, u.username, u.name, u.status,
+             cb.id as created_by_id, cb.username as created_by_username
+      FROM skill_collaborators sc
+      JOIN users u ON sc.user_id = u.id
+      LEFT JOIN users cb ON sc.created_by = cb.id
+      WHERE sc.skill_id = ?
+      ORDER BY CASE sc.role WHEN 'owner' THEN 0 ELSE 1 END, sc.created_at ASC
+    `).all(skill_id);
+    
+    const result = collaborators.map(c => {
+      const item = {
+        id: c.id,
+        user: { id: c.user_id, username: c.username, name: c.name, status: c.status },
+        role: c.role,
+        created_at: c.created_at
+      };
+      if (c.created_by_id) {
+        item.created_by = { id: c.created_by_id, username: c.created_by_username };
+      }
+      return item;
+    });
+    
+    return reply.send({ skill_id, collaborators: result });
+  });
+
+  // POST /:skill_id/collaborators - 添加协作者（owner/admin）
+  fastify.post('/:skill_id/collaborators', {
+    preHandler: [fastify.authenticate]
+  }, async (request, reply) => {
+    const { skill_id } = request.params;
+    const { user_id, username } = request.body || {};
+    
+    // 检查 Skill 是否存在
+    const skill = db.prepare('SELECT id FROM skills WHERE id = ?').get(skill_id);
+    if (!skill) {
+      return reply.code(404).send({ ok: false, error: 'not_found', detail: 'Skill not found' });
+    }
+    
+    // 权限检查
+    if (!canManageSkill(request.user, skill_id)) {
+      return reply.code(403).send({ ok: false, error: 'forbidden', detail: 'Owner or admin permission required' });
+    }
+    
+    // 查找目标用户
+    let targetUser;
+    if (user_id) {
+      targetUser = UserModel.findById(parseInt(user_id));
+    } else if (username) {
+      targetUser = UserModel.findByUsername(username.trim());
+    }
+    
+    if (!targetUser) {
+      return reply.code(404).send({ ok: false, error: 'not_found', detail: 'User not found' });
+    }
+    
+    // 检查是否已是协作者
+    const existing = db.prepare(
+      'SELECT id FROM skill_collaborators WHERE skill_id = ? AND user_id = ?'
+    ).get(skill_id, targetUser.id);
+    
+    if (existing) {
+      return reply.code(400).send({ ok: false, error: 'already_collaborator', detail: 'User is already a collaborator' });
+    }
+    
+    // 添加协作者
+    const result = db.prepare(
+      'INSERT INTO skill_collaborators (skill_id, user_id, role, created_by) VALUES (?, ?, ?, ?)'
+    ).run(skill_id, targetUser.id, 'collaborator', request.user.id);
+    
+    return reply.code(201).send({
+      ok: true,
+      collaborator: {
+        id: result.lastInsertRowid,
+        user: { id: targetUser.id, username: targetUser.username },
+        role: 'collaborator',
+        created_at: new Date().toISOString()
+      }
+    });
+  });
+
+  // DELETE /:skill_id/collaborators/:user_id - 移除协作者（owner/admin）
+  fastify.delete('/:skill_id/collaborators/:user_id', {
+    preHandler: [fastify.authenticate]
+  }, async (request, reply) => {
+    const { skill_id, user_id } = request.params;
+    
+    // 检查 Skill 是否存在
+    const skill = db.prepare('SELECT id FROM skills WHERE id = ?').get(skill_id);
+    if (!skill) {
+      return reply.code(404).send({ ok: false, error: 'not_found', detail: 'Skill not found' });
+    }
+    
+    // 权限检查
+    if (!canManageSkill(request.user, skill_id)) {
+      return reply.code(403).send({ ok: false, error: 'forbidden', detail: 'Owner or admin permission required' });
+    }
+    
+    // 检查协作者记录
+    const collaborator = db.prepare(
+      'SELECT id, role FROM skill_collaborators WHERE skill_id = ? AND user_id = ?'
+    ).get(skill_id, parseInt(user_id));
+    
+    if (!collaborator) {
+      return reply.code(404).send({ ok: false, error: 'not_found', detail: 'Collaborator not found' });
+    }
+    
+    // 不能移除所有者
+    if (collaborator.role === 'owner') {
+      return reply.code(400).send({ ok: false, error: 'cannot_remove_owner', detail: 'Cannot remove the owner' });
+    }
+    
+    db.prepare('DELETE FROM skill_collaborators WHERE skill_id = ? AND user_id = ?')
+      .run(skill_id, parseInt(user_id));
+    
+    return reply.send({ ok: true, message: 'Collaborator removed' });
+  });
+
+  // POST /:skill_id/transfer-ownership - 转移所有权（owner/admin，事务）
+  fastify.post('/:skill_id/transfer-ownership', {
+    preHandler: [fastify.authenticate]
+  }, async (request, reply) => {
+    const { skill_id } = request.params;
+    const { new_owner_id } = request.body || {};
+    
+    if (!new_owner_id) {
+      return reply.code(400).send({ ok: false, error: 'invalid_params', detail: 'New owner must be specified' });
+    }
+    
+    // 检查 Skill 并获取当前所有者
+    const skill = db.prepare('SELECT id, owner_id FROM skills WHERE id = ?').get(skill_id);
+    if (!skill) {
+      return reply.code(404).send({ ok: false, error: 'not_found', detail: 'Skill not found' });
+    }
+    
+    // 权限检查
+    if (!canManageSkill(request.user, skill_id)) {
+      return reply.code(403).send({ ok: false, error: 'forbidden', detail: 'Owner or admin permission required' });
+    }
+    
+    const newOwnerId = parseInt(new_owner_id);
+    
+    if (skill.owner_id === newOwnerId) {
+      return reply.code(400).send({ ok: false, error: 'same_owner', detail: 'New owner is the same as current owner' });
+    }
+    
+    // 检查新所有者是否存在
+    const newOwner = UserModel.findById(newOwnerId);
+    if (!newOwner) {
+      return reply.code(404).send({ ok: false, error: 'not_found', detail: 'User not found' });
+    }
+    
+    // 事务操作
+    const transferTx = db.transaction(() => {
+      // 1. 更新 skills 表 owner_id
+      db.prepare('UPDATE skills SET owner_id = ?, updated_at = datetime("now") WHERE id = ?')
+        .run(newOwnerId, skill_id);
+      
+      // 2. 原所有者降级为 collaborator
+      db.prepare('UPDATE skill_collaborators SET role = "collaborator" WHERE skill_id = ? AND user_id = ?')
+        .run(skill_id, skill.owner_id);
+      
+      // 3. 新所有者升级为 owner（如不存在则新增）
+      const existing = db.prepare(
+        'SELECT id FROM skill_collaborators WHERE skill_id = ? AND user_id = ?'
+      ).get(skill_id, newOwnerId);
+      
+      if (existing) {
+        db.prepare('UPDATE skill_collaborators SET role = "owner" WHERE skill_id = ? AND user_id = ?')
+          .run(skill_id, newOwnerId);
+      } else {
+        db.prepare('INSERT INTO skill_collaborators (skill_id, user_id, role, created_by) VALUES (?, ?, "owner", ?)')
+          .run(skill_id, newOwnerId, request.user.id);
+      }
+    });
+    
+    transferTx();
+    
+    return reply.send({
+      ok: true,
+      message: 'Ownership transferred',
+      new_owner: { id: newOwner.id, username: newOwner.username }
+    });
+  });
+
+  // DELETE /:skill_id - 删除 Skill（owner/admin，需 confirm 参数，事务）
+  fastify.delete('/:skill_id', {
+    preHandler: [fastify.authenticate]
+  }, async (request, reply) => {
+    const { skill_id } = request.params;
+    const { confirm } = request.query;
+    
+    // 确认参数校验
+    if (confirm !== skill_id) {
+      return reply.code(400).send({
+        ok: false,
+        error: 'confirm_required',
+        detail: 'Confirm parameter is required and must equal the Skill ID'
+      });
+    }
+    
+    // 检查 Skill 是否存在
+    const skill = db.prepare('SELECT id FROM skills WHERE id = ?').get(skill_id);
+    if (!skill) {
+      return reply.code(404).send({ ok: false, error: 'not_found', detail: 'Skill not found' });
+    }
+    
+    // 权限检查
+    if (!canManageSkill(request.user, skill_id)) {
+      return reply.code(403).send({ ok: false, error: 'forbidden', detail: 'Owner or admin permission required' });
+    }
+    
+    // 获取版本数量（用于响应）
+    const versionsCount = db.prepare('SELECT COUNT(*) as count FROM skill_versions WHERE skill_id = ?')
+      .get(skill_id).count;
+    
+    // 事务删除
+    const deleteSkillTx = db.transaction(() => {
+      db.prepare('DELETE FROM skill_versions WHERE skill_id = ?').run(skill_id);
+      db.prepare('DELETE FROM skill_collaborators WHERE skill_id = ?').run(skill_id);
+      db.prepare('DELETE FROM skills WHERE id = ?').run(skill_id);
+    });
+    
+    deleteSkillTx();
+    
+    // 删除文件系统中的文件
+    const fs = require('fs');
+    const path = require('path');
+    const { getDataDir } = require('../utils/zip');
+    const skillDir = path.join(getDataDir(), skill_id);
+    if (fs.existsSync(skillDir)) {
+      fs.rmSync(skillDir, { recursive: true, force: true });
+    }
+    
+    return reply.send({
+      ok: true,
+      message: 'Skill deleted',
+      deleted: { skill_id, versions_count: versionsCount }
+    });
+  });
+}
+
+module.exports = collaboratorsRoutes;