ikmkj/biji
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: 实现笔记编辑器的自动保存功能与UI优化

Browse Source 
refactor: 重构用户登录注册逻辑与数据验证

fix: 修复图片上传安全漏洞与路径处理问题

perf: 优化笔记列表分页加载与滚动性能

style: 改进侧边栏菜单的视觉设计与交互体验

chore: 更新环境变量与数据库连接配置

docs: 添加用户信息视图对象的Swagger文档

test: 增加用户注册登录的输入验证测试

ci: 配置JWT密钥环境变量与安全设置

build: 调整前端构建配置与模块加载方式
This commit is contained in:
ikmkj
2026-03-02 02:01:01 +08:00
parent c9c21df0f0
commit 392cc52fd2
23 changed files with 811 additions and 282 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
biji-houdaun/src/main/java/com/test/bijihoudaun/controller/ImageController.java
View File

@@ -5,6 +5,7 @@ import cn.hutool.core.util.StrUtil;
import com.test.bijihoudaun.common.response.R;
import com.test.bijihoudaun.entity.Image;
import com.test.bijihoudaun.service.ImageService;
import com.test.bijihoudaun.util.SecurityUtil;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.tags.Tag;
import jakarta.servlet.http.HttpServletResponse;
@@ -17,9 +18,11 @@ import org.springframework.web.multipart.MultipartFile;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
@Tag(name = "markdown接口")
@Tag(name = "图片接口")
@RestController
@RequestMapping("/api/images")
public class ImageController {
@@ -48,6 +51,9 @@ public class ImageController {
@Operation(summary = "根据id删除图片")
@PostMapping("/{id}")
public R<Void> deleteImage(@PathVariable Long id) {
if (!SecurityUtil.isUserAuthenticated()) {
return R.fail("请先登录");
}
boolean result = imageService.deleteImage(id);
if (result) {
return R.success();
@@ -56,38 +62,63 @@ public class ImageController {
}
}
/**
* 在线预览图片、视频、音频、pdf 等浏览器可直接识别的类型)
*/
@GetMapping("/preview/{url}")
@Operation(summary = "在线预览", description = "浏览器直接打开文件流")
@GetMapping("/preview/{url}")
public void preview(@PathVariable String url, HttpServletResponse resp) throws IOException {
if (StrUtil.isBlank(url)) {
resp.setStatus(404);
resp.getWriter().write("{\"code\":404,\"msg\":\"文件不存在\",\"data\":null}");
return;
}
File file = new File(rootPath + File.separator + url);
if (!file.exists()) {
String sanitizedUrl = sanitizeFileName(url);
if (sanitizedUrl == null) {
resp.setStatus(403);
resp.getWriter().write("{\"code\":403,\"msg\":\"非法文件路径\",\"data\":null}");
return;
}
Path basePath = Paths.get(rootPath).normalize().toAbsolutePath();
Path filePath = basePath.resolve(sanitizedUrl).normalize();
if (!filePath.startsWith(basePath)) {
resp.setStatus(403);
resp.getWriter().write("{\"code\":403,\"msg\":\"非法文件路径\",\"data\":null}");
return;
}
File file = filePath.toFile();
if (!file.exists() || !file.isFile()) {
resp.setStatus(404);
resp.getWriter().write("{\"code\":404,\"msg\":\"文件不存在\",\"data\":null}");
return;
}
String contentTypeFromFileExtension = getContentTypeFromFileExtension(url);
// 设置正确的 MIME
resp.setContentType(contentTypeFromFileExtension);
// 设置文件长度,支持断点续传
resp.setContentLengthLong(file.length());
// 写出文件流
try (FileInputStream in = new FileInputStream(file)) {
StreamUtils.copy(in, resp.getOutputStream());
}
}
private String sanitizeFileName(String fileName) {
if (StrUtil.isBlank(fileName)) {
return null;
}
if (fileName.contains("..") || fileName.contains("/") || fileName.contains("\\") || fileName.contains(":")) {
return null;
}
return fileName;
}
@Operation(summary = "根据url删除图片")
@PostMapping("/deleteByUrl")
public R<Void> deleteImageByUrl(@RequestParam String url) {
if (!SecurityUtil.isUserAuthenticated()) {
return R.fail("请先登录");
}
boolean result = imageService.deleteImageByUrl(url);
if (result) {
return R.success();
@@ -99,6 +130,9 @@ public class ImageController {
@Operation(summary = "根据url批量删除图片")
@PostMapping("/batch")
public R<Void> deleteImageByUrls(@RequestBody List<String> urls) {
if (!SecurityUtil.isUserAuthenticated()) {
return R.fail("请先登录");
}
boolean result = imageService.deleteImageByUrls(urls);
if (result) {
return R.success();
@@ -108,11 +142,6 @@ public class ImageController {
}
/**
* 根据文件扩展名获取内容类型
* @param fileName 文件名
* @return 对应的MIME类型
*/
private String getContentTypeFromFileExtension(String fileName) {
if (StrUtil.isBlank(fileName) || !StrUtil.contains(fileName, '.')) {
return "application/octet-stream";

4
biji-houdaun/src/main/java/com/test/bijihoudaun/controller/MarkdownController.java
View File

@@ -108,8 +108,8 @@ public class MarkdownController {
@Operation(summary = "获取最近更新的笔记")
@GetMapping("/recent")
public R<List<MarkdownFileVO>> getRecentFiles() {
List<MarkdownFileVO> files = markdownFileService.getRecentFiles(12);
public R<List<MarkdownFileVO>> getRecentFiles(@RequestParam(defaultValue = "16") int limit) {
List<MarkdownFileVO> files = markdownFileService.getRecentFiles(limit);
return R.success(files);
}

27
biji-houdaun/src/main/java/com/test/bijihoudaun/controller/UserController.java
View File

@@ -4,6 +4,7 @@ import com.test.bijihoudaun.bo.UpdatePasswordBo;
import cn.hutool.core.util.ObjectUtil;
import com.test.bijihoudaun.common.response.R;
import com.test.bijihoudaun.entity.User;
import com.test.bijihoudaun.entity.UserVO;
import com.test.bijihoudaun.service.RegistrationCodeService;
import com.test.bijihoudaun.service.SystemSettingService;
import com.test.bijihoudaun.service.UserService;
@@ -11,6 +12,7 @@ import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.Parameter;
import io.swagger.v3.oas.annotations.Parameters;
import io.swagger.v3.oas.annotations.tags.Tag;
import org.springframework.beans.BeanUtils;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.authentication.BadCredentialsException;
@@ -41,14 +43,18 @@ public class UserController {
@Parameter(name = "registrationCode", description = "注册码", required = true)
})
@PostMapping("/register")
public R<User> register(String username, String password, String email, String registrationCode){
public R<UserVO> register(String username, String password, String email, String registrationCode){
if (!systemSettingService.isRegistrationEnabled()) {
return R.fail("注册功能已关闭");
}
if (!registrationCodeService.validateCode(registrationCode)) {
return R.fail("无效或已过期的注册码");
}
return R.success(userService.register(username,password,email));
User user = userService.register(username, password, email);
UserVO userVO = new UserVO();
BeanUtils.copyProperties(user, userVO);
userVO.setId(String.valueOf(user.getId()));
return R.success(userVO);
}
@Operation(summary = "用户登录")
@@ -57,12 +63,21 @@ public class UserController {
@Parameter(name = "password", description = "密码",required = true)
})
@PostMapping("/login")
public R<Map<String, String>> login(String username, String password){
public R<Map<String, Object>> login(String username, String password){
try {
String token = userService.login(username, password);
Map<String, String> tokenMap = new HashMap<>();
tokenMap.put("token", token);
return R.success(tokenMap);
User user = userService.getOne(new com.baomidou.mybatisplus.core.conditions.query.QueryWrapper<User>().eq("username", username));
Map<String, Object> result = new HashMap<>();
result.put("token", token);
Map<String, Object> userInfo = new HashMap<>();
userInfo.put("id", String.valueOf(user.getId()));
userInfo.put("username", user.getUsername());
userInfo.put("email", user.getEmail());
result.put("userInfo", userInfo);
return R.success(result);
} catch (BadCredentialsException e) {
return R.fail("用户名或密码错误");
}