message_controller.go 13 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378
  1. package controller
  2. import (
  3. "bytes"
  4. "io"
  5. "log"
  6. "net/http"
  7. "path/filepath"
  8. "strconv"
  9. "strings"
  10. "github.com/2930134478/AI-CS/backend/infra"
  11. "github.com/2930134478/AI-CS/backend/service"
  12. "github.com/gin-gonic/gin"
  13. )
  14. // MessageController 负责处理消息相关的 HTTP 请求。
  15. type MessageController struct {
  16. messageService *service.MessageService
  17. conversationService *service.ConversationService
  18. storageService infra.StorageService
  19. }
  20. // NewMessageController 创建 MessageController 实例。
  21. func NewMessageController(messageService *service.MessageService, conversationService *service.ConversationService, storageService infra.StorageService) *MessageController {
  22. return &MessageController{
  23. messageService: messageService,
  24. conversationService: conversationService,
  25. storageService: storageService,
  26. }
  27. }
  28. type createMessageRequest struct {
  29. ConversationID uint `json:"conversation_id"`
  30. Content string `json:"content"`
  31. SenderIsAgent bool `json:"sender_is_agent"`
  32. SenderID uint `json:"sender_id"`
  33. FileURL *string `json:"file_url"`
  34. FileType *string `json:"file_type"`
  35. FileName *string `json:"file_name"`
  36. FileSize *int64 `json:"file_size"`
  37. MimeType *string `json:"mime_type"`
  38. // 回复数据源开关(仅 AI 模式有效),不传则默认:知识库+大模型开,联网关
  39. UseKnowledgeBase *bool `json:"use_knowledge_base"`
  40. UseLLM *bool `json:"use_llm"`
  41. UseWebSearch *bool `json:"use_web_search"`
  42. NeedWebSearch bool `json:"need_web_search"`
  43. }
  44. // CreateMessage 处理发送消息的请求。
  45. func (mc *MessageController) CreateMessage(c *gin.Context) {
  46. var req createMessageRequest
  47. if err := c.ShouldBindJSON(&req); err != nil || req.ConversationID == 0 {
  48. c.JSON(http.StatusBadRequest, gin.H{"error": "请求参数错误"})
  49. return
  50. }
  51. // 验证:必须有内容或文件
  52. if req.Content == "" && req.FileURL == nil {
  53. c.JSON(http.StatusBadRequest, gin.H{"error": "消息内容或文件不能同时为空"})
  54. return
  55. }
  56. _, err := mc.messageService.CreateMessage(service.CreateMessageInput{
  57. ConversationID: req.ConversationID,
  58. Content: req.Content,
  59. SenderID: req.SenderID,
  60. SenderIsAgent: req.SenderIsAgent,
  61. FileURL: req.FileURL,
  62. FileType: req.FileType,
  63. FileName: req.FileName,
  64. FileSize: req.FileSize,
  65. MimeType: req.MimeType,
  66. UseKnowledgeBase: req.UseKnowledgeBase,
  67. UseLLM: req.UseLLM,
  68. UseWebSearch: req.UseWebSearch,
  69. NeedWebSearch: req.NeedWebSearch,
  70. })
  71. if err != nil {
  72. log.Printf("❌ 创建消息失败: 对话ID=%d, 错误=%v", req.ConversationID, err)
  73. switch err {
  74. case service.ErrConversationClosed:
  75. c.JSON(http.StatusBadRequest, gin.H{"error": "会话已关闭"})
  76. case service.ErrConversationNotFound:
  77. c.JSON(http.StatusBadRequest, gin.H{"error": "会话不存在"})
  78. default:
  79. c.JSON(http.StatusInternalServerError, gin.H{"error": "创建消息失败"})
  80. }
  81. return
  82. }
  83. c.JSON(http.StatusOK, gin.H{"message": "创建消息成功"})
  84. }
  85. // ListMessages 返回指定会话的消息列表。
  86. // 查询参数:
  87. // - conversation_id: 会话ID(必需)
  88. // - include_ai_messages: 是否包含 AI 消息(可选,默认 false)
  89. func (mc *MessageController) ListMessages(c *gin.Context) {
  90. conversationIDStr := c.Query("conversation_id")
  91. if conversationIDStr == "" {
  92. c.JSON(http.StatusBadRequest, gin.H{"error": "会话ID不能为空"})
  93. return
  94. }
  95. conversationID, err := strconv.ParseUint(conversationIDStr, 10, 64)
  96. if err != nil || conversationID == 0 {
  97. c.JSON(http.StatusBadRequest, gin.H{"error": "会话ID不合法"})
  98. return
  99. }
  100. // 解析 include_ai_messages 参数(默认 false)
  101. includeAIMessages := c.DefaultQuery("include_ai_messages", "false") == "true"
  102. messages, err := mc.messageService.ListMessages(uint(conversationID), includeAIMessages)
  103. if err != nil {
  104. c.JSON(http.StatusInternalServerError, gin.H{"error": "查询消息失败"})
  105. return
  106. }
  107. c.JSON(http.StatusOK, messages)
  108. }
  109. type markMessagesReadRequest struct {
  110. ConversationID uint `json:"conversation_id"`
  111. ReaderIsAgent bool `json:"reader_is_agent"`
  112. }
  113. // MarkMessagesRead 将指定会话的消息标记为已读。
  114. func (mc *MessageController) MarkMessagesRead(c *gin.Context) {
  115. var req markMessagesReadRequest
  116. if err := c.ShouldBindJSON(&req); err != nil || req.ConversationID == 0 {
  117. c.JSON(http.StatusBadRequest, gin.H{"error": "请求参数错误"})
  118. return
  119. }
  120. result, err := mc.messageService.MarkMessagesRead(req.ConversationID, req.ReaderIsAgent)
  121. if err != nil {
  122. c.JSON(http.StatusInternalServerError, gin.H{"error": "更新消息状态失败"})
  123. return
  124. }
  125. c.JSON(http.StatusOK, gin.H{
  126. "updated": len(result.MessageIDs),
  127. "message_ids": result.MessageIDs,
  128. "conversation_id": result.ConversationID,
  129. "unread_count": result.UnreadCount,
  130. "read_at": formatTimeValue(result.ReadAt),
  131. })
  132. }
  133. // UploadFile 处理文件上传请求。
  134. // 请求格式:multipart/form-data
  135. // - file: 文件内容(必需)
  136. // - conversation_id: 对话ID(可选,用于组织目录)
  137. // 认证方式:
  138. // - 方式1:提供 X-User-Id 请求头(客服上传)
  139. // - 方式2:提供 conversation_id 参数(访客上传,会验证对话是否存在且未关闭)
  140. func (mc *MessageController) UploadFile(c *gin.Context) {
  141. // ⚠️ 认证检查:必须满足以下条件之一
  142. // 1. 提供 X-User-Id 请求头(客服)
  143. // 2. 提供 conversation_id 参数(访客)
  144. userID := getUserIDFromHeader(c)
  145. conversationIDStr := c.PostForm("conversation_id")
  146. // 如果既没有用户ID,也没有对话ID,拒绝访问
  147. if userID == 0 && conversationIDStr == "" {
  148. c.JSON(http.StatusUnauthorized, gin.H{"error": "未授权访问,请提供 X-User-Id 请求头或 conversation_id 参数"})
  149. return
  150. }
  151. // 如果是访客上传(没有用户ID,但有对话ID),验证对话是否存在且未关闭
  152. if userID == 0 && conversationIDStr != "" {
  153. convID, err := strconv.ParseUint(conversationIDStr, 10, 64)
  154. if err != nil || convID == 0 {
  155. c.JSON(http.StatusBadRequest, gin.H{"error": "对话ID不合法"})
  156. return
  157. }
  158. // 验证对话是否存在且未关闭
  159. conv, err := mc.conversationService.GetConversationDetail(uint(convID), 0)
  160. if err != nil {
  161. c.JSON(http.StatusForbidden, gin.H{"error": "对话不存在或已关闭"})
  162. return
  163. }
  164. if conv.Status == "closed" {
  165. c.JSON(http.StatusForbidden, gin.H{"error": "对话已关闭"})
  166. return
  167. }
  168. }
  169. // 解析文件
  170. file, err := c.FormFile("file")
  171. if err != nil {
  172. c.JSON(http.StatusBadRequest, gin.H{"error": "文件不能为空"})
  173. return
  174. }
  175. // 验证文件大小(10MB)
  176. const maxFileSize = 10 * 1024 * 1024 // 10MB
  177. if file.Size > maxFileSize {
  178. c.JSON(http.StatusBadRequest, gin.H{"error": "文件大小超过限制(最大10MB)"})
  179. return
  180. }
  181. // ⚠️ 加强:验证文件类型(扩展名)
  182. ext := strings.ToLower(filepath.Ext(file.Filename))
  183. allowedExts := map[string]bool{
  184. ".jpg": true,
  185. ".jpeg": true,
  186. ".png": true,
  187. ".gif": true,
  188. ".webp": true,
  189. ".pdf": true,
  190. ".doc": true,
  191. ".docx": true,
  192. ".txt": true,
  193. }
  194. if !allowedExts[ext] {
  195. c.JSON(http.StatusBadRequest, gin.H{"error": "不支持的文件类型"})
  196. return
  197. }
  198. // ⚠️ 加强:验证 MIME 类型(防止伪造扩展名)
  199. mimeType := file.Header.Get("Content-Type")
  200. allowedMimeTypes := map[string]bool{
  201. "image/jpeg": true,
  202. "image/jpg": true,
  203. "image/png": true,
  204. "image/gif": true,
  205. "image/webp": true,
  206. "application/pdf": true,
  207. "application/msword": true,
  208. "application/vnd.openxmlformats-officedocument.wordprocessingml.document": true, // .docx
  209. "text/plain": true,
  210. }
  211. if !allowedMimeTypes[mimeType] {
  212. c.JSON(http.StatusBadRequest, gin.H{"error": "不支持的文件 MIME 类型: " + mimeType})
  213. return
  214. }
  215. // ⚠️ 加强:清理文件名,防止路径遍历攻击
  216. safeFilename := filepath.Base(file.Filename)
  217. safeFilename = strings.ReplaceAll(safeFilename, "..", "")
  218. safeFilename = strings.ReplaceAll(safeFilename, "/", "")
  219. safeFilename = strings.ReplaceAll(safeFilename, "\\", "")
  220. // 移除所有非字母数字、点、下划线、连字符的字符
  221. var cleaned strings.Builder
  222. for _, r := range safeFilename {
  223. if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') || r == '.' || r == '_' || r == '-' {
  224. cleaned.WriteRune(r)
  225. }
  226. }
  227. safeFilename = cleaned.String()
  228. // 限制文件名长度
  229. if len(safeFilename) > 100 {
  230. // 保留扩展名
  231. ext := filepath.Ext(safeFilename)
  232. nameWithoutExt := strings.TrimSuffix(safeFilename, ext)
  233. if len(nameWithoutExt) > 100-len(ext) {
  234. safeFilename = nameWithoutExt[:100-len(ext)] + ext
  235. }
  236. }
  237. // ⚠️ 加强:验证文件内容(magic number 检查,防止伪造扩展名)
  238. fileContent, err := file.Open()
  239. if err != nil {
  240. c.JSON(http.StatusBadRequest, gin.H{"error": "无法读取文件"})
  241. return
  242. }
  243. defer fileContent.Close()
  244. // 读取文件前几个字节(magic number)
  245. magicBytes := make([]byte, 12)
  246. n, err := fileContent.Read(magicBytes)
  247. if err != nil && err != io.EOF {
  248. c.JSON(http.StatusBadRequest, gin.H{"error": "无法读取文件内容"})
  249. return
  250. }
  251. // 验证文件内容是否匹配扩展名
  252. if !isValidFileContent(ext, magicBytes[:n]) {
  253. c.JSON(http.StatusBadRequest, gin.H{"error": "文件内容与扩展名不匹配,可能是伪造的文件类型"})
  254. return
  255. }
  256. // 重置文件指针,以便后续保存
  257. if _, err := fileContent.Seek(0, io.SeekStart); err != nil {
  258. c.JSON(http.StatusInternalServerError, gin.H{"error": "无法重置文件指针"})
  259. return
  260. }
  261. // 获取对话ID(如果之前已经解析过,直接使用;否则从表单获取)
  262. var conversationID uint
  263. if conversationIDStr != "" {
  264. if id, err := strconv.ParseUint(conversationIDStr, 10, 64); err == nil {
  265. conversationID = uint(id)
  266. }
  267. }
  268. // 保存文件(使用清理后的文件名,fileContent 已经在上面打开并验证过)
  269. fileURL, err := mc.storageService.SaveMessageFile(conversationID, fileContent, safeFilename)
  270. if err != nil {
  271. log.Printf("❌ 保存文件失败: %v", err)
  272. c.JSON(http.StatusInternalServerError, gin.H{"error": "保存文件失败"})
  273. return
  274. }
  275. // 判断文件类型
  276. fileType := "document"
  277. if strings.HasPrefix(mimeType, "image/") {
  278. fileType = "image"
  279. }
  280. // 返回文件信息(使用清理后的文件名)
  281. c.JSON(http.StatusOK, gin.H{
  282. "success": true,
  283. "data": gin.H{
  284. "file_url": fileURL,
  285. "file_type": fileType,
  286. "file_name": safeFilename,
  287. "file_size": file.Size,
  288. "mime_type": mimeType,
  289. },
  290. })
  291. }
  292. // isValidFileContent 验证文件内容是否与扩展名匹配(通过 magic number 检查)
  293. func isValidFileContent(ext string, magicBytes []byte) bool {
  294. if len(magicBytes) < 4 {
  295. return false
  296. }
  297. ext = strings.ToLower(ext)
  298. // 检查各种文件类型的 magic number
  299. switch ext {
  300. case ".jpg", ".jpeg":
  301. // JPEG: FF D8 FF
  302. return len(magicBytes) >= 3 && magicBytes[0] == 0xFF && magicBytes[1] == 0xD8 && magicBytes[2] == 0xFF
  303. case ".png":
  304. // PNG: 89 50 4E 47
  305. return len(magicBytes) >= 4 && magicBytes[0] == 0x89 && magicBytes[1] == 0x50 && magicBytes[2] == 0x4E && magicBytes[3] == 0x47
  306. case ".gif":
  307. // GIF: 47 49 46 38 (GIF8)
  308. return len(magicBytes) >= 4 && magicBytes[0] == 0x47 && magicBytes[1] == 0x49 && magicBytes[2] == 0x46 && magicBytes[3] == 0x38
  309. case ".webp":
  310. // WebP: RIFF ... WEBP
  311. if len(magicBytes) >= 12 {
  312. return bytes.Equal(magicBytes[0:4], []byte("RIFF")) && bytes.Equal(magicBytes[8:12], []byte("WEBP"))
  313. }
  314. return false
  315. case ".pdf":
  316. // PDF: 25 50 44 46 (%PDF)
  317. return len(magicBytes) >= 4 && magicBytes[0] == 0x25 && magicBytes[1] == 0x50 && magicBytes[2] == 0x44 && magicBytes[3] == 0x46
  318. case ".txt":
  319. // 文本文件:检查是否为可打印字符(ASCII 32-126)或 UTF-8 BOM
  320. // UTF-8 BOM: EF BB BF
  321. if len(magicBytes) >= 3 && magicBytes[0] == 0xEF && magicBytes[1] == 0xBB && magicBytes[2] == 0xBF {
  322. return true
  323. }
  324. // 检查前几个字节是否都是可打印字符
  325. for i := 0; i < len(magicBytes) && i < 10; i++ {
  326. if magicBytes[i] < 0x20 && magicBytes[i] != 0x09 && magicBytes[i] != 0x0A && magicBytes[i] != 0x0D {
  327. // 不是可打印字符、制表符、换行符或回车符
  328. return false
  329. }
  330. }
  331. return true
  332. case ".doc":
  333. // DOC (OLE2): D0 CF 11 E0 A1 B1 1A E1
  334. return len(magicBytes) >= 8 && magicBytes[0] == 0xD0 && magicBytes[1] == 0xCF && magicBytes[2] == 0x11 && magicBytes[3] == 0xE0
  335. case ".docx":
  336. // DOCX (ZIP): 50 4B 03 04 (PK..)
  337. return len(magicBytes) >= 4 && magicBytes[0] == 0x50 && magicBytes[1] == 0x4B && magicBytes[2] == 0x03 && magicBytes[3] == 0x04
  338. default:
  339. return false
  340. }
  341. }