refactor(account): 统一账号管理API、完善权限检查和操作审计

- 合并 customer_account 和 shop_account 路由到统一的 account 接口
- 新增统一认证接口 (auth handler)
- 实现越权防护中间件和权限检查工具函数
- 新增操作审计日志模型和服务
- 更新数据库迁移 (版本 39: account_operation_log 表)
- 补充集成测试覆盖权限检查和审计日志场景

internal/handler/admin/account.go

@@ -148,7 +148,7 @@ func (h *AccountHandler) GetRoles(c *fiber.Ctx) error {
 // RemoveRole 移除账号的角色
 // DELETE /api/admin/accounts/:account_id/roles/:role_id
 func (h *AccountHandler) RemoveRole(c *fiber.Ctx) error {
-	accountID, err := strconv.ParseUint(c.Params("account_id"), 10, 64)
+	id, err := strconv.ParseUint(c.Params("id"), 10, 64)
 	if err != nil {
 		return errors.New(errors.CodeInvalidParam, "无效的账号 ID")
 	}
@@ -158,7 +158,7 @@ func (h *AccountHandler) RemoveRole(c *fiber.Ctx) error {
 		return errors.New(errors.CodeInvalidParam, "无效的角色 ID")
 	}
 
-	if err := h.service.RemoveRole(c.UserContext(), uint(accountID), uint(roleID)); err != nil {
+	if err := h.service.RemoveRole(c.UserContext(), uint(id), uint(roleID)); err != nil {
 		return err
 	}
 
@@ -166,7 +166,7 @@ func (h *AccountHandler) RemoveRole(c *fiber.Ctx) error {
 }
 
 // UpdatePassword 修改账号密码
-// PUT /api/admin/platform-accounts/:id/password
+// PUT /api/admin/accounts/:id/password
 func (h *AccountHandler) UpdatePassword(c *fiber.Ctx) error {
 	id, err := strconv.ParseUint(c.Params("id"), 10, 64)
 	if err != nil {
@@ -186,7 +186,7 @@ func (h *AccountHandler) UpdatePassword(c *fiber.Ctx) error {
 }
 
 // UpdateStatus 修改账号状态
-// PUT /api/admin/platform-accounts/:id/status
+// PUT /api/admin/accounts/:id/status
 func (h *AccountHandler) UpdateStatus(c *fiber.Ctx) error {
 	id, err := strconv.ParseUint(c.Params("id"), 10, 64)
 	if err != nil {
@@ -205,8 +205,9 @@ func (h *AccountHandler) UpdateStatus(c *fiber.Ctx) error {
 	return response.Success(c, nil)
 }
 
-// ListPlatformAccounts 查询平台账号列表
-// GET /api/admin/platform-accounts
+// ListPlatformAccounts 查询平台账号列表（兼容旧路由）
+// 自动筛选 user_type IN (1, 2) 的账号
+// GET /api/admin/accounts - 查询平台账号列表
 func (h *AccountHandler) ListPlatformAccounts(c *fiber.Ctx) error {
 	var req dto.PlatformAccountListRequest
 	if err := c.QueryParser(&req); err != nil {

internal/handler/admin/customer_account.go

@@ -1,106 +0,0 @@
-package admin
-
-import (
-	"strconv"
-
-	"github.com/gofiber/fiber/v2"
-
-	"github.com/break/junhong_cmp_fiber/internal/model/dto"
-	customerAccountService "github.com/break/junhong_cmp_fiber/internal/service/customer_account"
-	"github.com/break/junhong_cmp_fiber/pkg/errors"
-	"github.com/break/junhong_cmp_fiber/pkg/response"
-)
-
-type CustomerAccountHandler struct {
-	service *customerAccountService.Service
-}
-
-func NewCustomerAccountHandler(service *customerAccountService.Service) *CustomerAccountHandler {
-	return &CustomerAccountHandler{service: service}
-}
-
-func (h *CustomerAccountHandler) List(c *fiber.Ctx) error {
-	var req dto.CustomerAccountListReq
-	if err := c.QueryParser(&req); err != nil {
-		return errors.New(errors.CodeInvalidParam, "请求参数解析失败")
-	}
-
-	result, err := h.service.List(c.UserContext(), &req)
-	if err != nil {
-		return err
-	}
-
-	return response.SuccessWithPagination(c, result.Items, result.Total, result.Page, result.Size)
-}
-
-func (h *CustomerAccountHandler) Create(c *fiber.Ctx) error {
-	var req dto.CreateCustomerAccountReq
-	if err := c.BodyParser(&req); err != nil {
-		return errors.New(errors.CodeInvalidParam, "请求参数解析失败")
-	}
-
-	result, err := h.service.Create(c.UserContext(), &req)
-	if err != nil {
-		return err
-	}
-
-	return response.Success(c, result)
-}
-
-func (h *CustomerAccountHandler) Update(c *fiber.Ctx) error {
-	idStr := c.Params("id")
-	id, err := strconv.ParseUint(idStr, 10, 64)
-	if err != nil {
-		return errors.New(errors.CodeInvalidParam, "无效的账号ID")
-	}
-
-	var req dto.UpdateCustomerAccountRequest
-	if err := c.BodyParser(&req); err != nil {
-		return errors.New(errors.CodeInvalidParam, "请求参数解析失败")
-	}
-
-	result, err := h.service.Update(c.UserContext(), uint(id), &req)
-	if err != nil {
-		return err
-	}
-
-	return response.Success(c, result)
-}
-
-func (h *CustomerAccountHandler) UpdatePassword(c *fiber.Ctx) error {
-	idStr := c.Params("id")
-	id, err := strconv.ParseUint(idStr, 10, 64)
-	if err != nil {
-		return errors.New(errors.CodeInvalidParam, "无效的账号ID")
-	}
-
-	var req dto.UpdateCustomerAccountPasswordRequest
-	if err := c.BodyParser(&req); err != nil {
-		return errors.New(errors.CodeInvalidParam, "请求参数解析失败")
-	}
-
-	if err := h.service.UpdatePassword(c.UserContext(), uint(id), req.Password); err != nil {
-		return err
-	}
-
-	return response.Success(c, nil)
-}
-
-func (h *CustomerAccountHandler) UpdateStatus(c *fiber.Ctx) error {
-	idStr := c.Params("id")
-	id, err := strconv.ParseUint(idStr, 10, 64)
-	if err != nil {
-		return errors.New(errors.CodeInvalidParam, "无效的账号ID")
-	}
-
-	var req dto.UpdateCustomerAccountStatusRequest
-	if err := c.BodyParser(&req); err != nil {
-		return errors.New(errors.CodeInvalidParam, "请求参数解析失败")
-	}
-
-	if err := h.service.UpdateStatus(c.UserContext(), uint(id), req.Status); err != nil {
-		return err
-	}
-
-	return response.Success(c, nil)
-}

internal/handler/admin/shop_account.go

@@ -1,103 +0,0 @@
-package admin
-
-import (
-	"strconv"
-
-	"github.com/gofiber/fiber/v2"
-
-	"github.com/break/junhong_cmp_fiber/internal/model/dto"
-	shopAccountService "github.com/break/junhong_cmp_fiber/internal/service/shop_account"
-	"github.com/break/junhong_cmp_fiber/pkg/errors"
-	"github.com/break/junhong_cmp_fiber/pkg/response"
-)
-
-type ShopAccountHandler struct {
-	service *shopAccountService.Service
-}
-
-func NewShopAccountHandler(service *shopAccountService.Service) *ShopAccountHandler {
-	return &ShopAccountHandler{service: service}
-}
-
-func (h *ShopAccountHandler) List(c *fiber.Ctx) error {
-	var req dto.ShopAccountListRequest
-	if err := c.QueryParser(&req); err != nil {
-		return errors.New(errors.CodeInvalidParam, "请求参数解析失败")
-	}
-
-	accounts, total, err := h.service.List(c.UserContext(), &req)
-	if err != nil {
-		return err
-	}
-
-	return response.SuccessWithPagination(c, accounts, total, req.Page, req.PageSize)
-}
-
-func (h *ShopAccountHandler) Create(c *fiber.Ctx) error {
-	var req dto.CreateShopAccountRequest
-	if err := c.BodyParser(&req); err != nil {
-		return errors.New(errors.CodeInvalidParam, "请求参数解析失败")
-	}
-
-	account, err := h.service.Create(c.UserContext(), &req)
-	if err != nil {
-		return err
-	}
-
-	return response.Success(c, account)
-}
-
-func (h *ShopAccountHandler) Update(c *fiber.Ctx) error {
-	id, err := strconv.ParseUint(c.Params("id"), 10, 64)
-	if err != nil {
-		return errors.New(errors.CodeInvalidParam, "无效的账号 ID")
-	}
-
-	var req dto.UpdateShopAccountRequest
-	if err := c.BodyParser(&req); err != nil {
-		return errors.New(errors.CodeInvalidParam, "请求参数解析失败")
-	}
-
-	account, err := h.service.Update(c.UserContext(), uint(id), &req)
-	if err != nil {
-		return err
-	}
-
-	return response.Success(c, account)
-}
-
-func (h *ShopAccountHandler) UpdatePassword(c *fiber.Ctx) error {
-	id, err := strconv.ParseUint(c.Params("id"), 10, 64)
-	if err != nil {
-		return errors.New(errors.CodeInvalidParam, "无效的账号 ID")
-	}
-
-	var req dto.UpdateShopAccountPasswordRequest
-	if err := c.BodyParser(&req); err != nil {
-		return errors.New(errors.CodeInvalidParam, "请求参数解析失败")
-	}
-
-	if err := h.service.UpdatePassword(c.UserContext(), uint(id), &req); err != nil {
-		return err
-	}
-
-	return response.Success(c, nil)
-}
-
-func (h *ShopAccountHandler) UpdateStatus(c *fiber.Ctx) error {
-	id, err := strconv.ParseUint(c.Params("id"), 10, 64)
-	if err != nil {
-		return errors.New(errors.CodeInvalidParam, "无效的账号 ID")
-	}
-
-	var req dto.UpdateShopAccountStatusRequest
-	if err := c.BodyParser(&req); err != nil {
-		return errors.New(errors.CodeInvalidParam, "请求参数解析失败")
-	}
-
-	if err := h.service.UpdateStatus(c.UserContext(), uint(id), &req); err != nil {
-		return err
-	}
-
-	return response.Success(c, nil)
-}

internal/handler/auth/handler.go

@@ -0,0 +1,167 @@
+package auth
+
+import (
+	"github.com/break/junhong_cmp_fiber/internal/model/dto"
+	"github.com/break/junhong_cmp_fiber/internal/service/auth"
+	"github.com/break/junhong_cmp_fiber/pkg/errors"
+	"github.com/break/junhong_cmp_fiber/pkg/logger"
+	"github.com/break/junhong_cmp_fiber/pkg/middleware"
+	"github.com/break/junhong_cmp_fiber/pkg/response"
+	"github.com/go-playground/validator/v10"
+	"github.com/gofiber/fiber/v2"
+	"go.uber.org/zap"
+)
+
+// Handler 统一认证处理器
+// 合并后台和 H5 认证接口
+type Handler struct {
+	authService *auth.Service
+	validator   *validator.Validate
+}
+
+// NewHandler 创建统一认证处理器
+func NewHandler(authService *auth.Service, validator *validator.Validate) *Handler {
+	return &Handler{
+		authService: authService,
+		validator:   validator,
+	}
+}
+
+// Login 统一登录（后台+H5）
+// POST /api/auth/login - 统一登录（后台+H5）
+func (h *Handler) Login(c *fiber.Ctx) error {
+	var req dto.LoginRequest
+	if err := c.BodyParser(&req); err != nil {
+		return errors.New(errors.CodeInvalidParam, "请求参数解析失败")
+	}
+
+	if err := h.validator.Struct(&req); err != nil {
+		logger.GetAppLogger().Warn("参数验证失败",
+			zap.String("path", c.Path()),
+			zap.String("method", c.Method()),
+			zap.Error(err),
+		)
+		return errors.New(errors.CodeInvalidParam)
+	}
+
+	clientIP := c.IP()
+	ctx := c.UserContext()
+
+	resp, err := h.authService.Login(ctx, &req, clientIP)
+	if err != nil {
+		return err
+	}
+
+	return response.Success(c, resp)
+}
+
+// Logout 统一登出
+// POST /api/auth/logout - 统一登出
+func (h *Handler) Logout(c *fiber.Ctx) error {
+	authorization := c.Get("Authorization")
+	accessToken := ""
+	if len(authorization) > 7 && authorization[:7] == "Bearer " {
+		accessToken = authorization[7:]
+	}
+
+	// 尝试从请求体获取 refresh_token（可选）
+	refreshToken := ""
+	var req dto.RefreshTokenRequest
+	if err := c.BodyParser(&req); err == nil {
+		refreshToken = req.RefreshToken
+	}
+
+	ctx := c.UserContext()
+
+	if err := h.authService.Logout(ctx, accessToken, refreshToken); err != nil {
+		return err
+	}
+
+	return response.Success(c, nil)
+}
+
+// RefreshToken 刷新 Token
+// POST /api/auth/refresh-token - 刷新 Token
+func (h *Handler) RefreshToken(c *fiber.Ctx) error {
+	var req dto.RefreshTokenRequest
+	if err := c.BodyParser(&req); err != nil {
+		return errors.New(errors.CodeInvalidParam, "请求参数解析失败")
+	}
+
+	if err := h.validator.Struct(&req); err != nil {
+		logger.GetAppLogger().Warn("参数验证失败",
+			zap.String("path", c.Path()),
+			zap.String("method", c.Method()),
+			zap.Error(err),
+		)
+		return errors.New(errors.CodeInvalidParam)
+	}
+
+	ctx := c.UserContext()
+
+	newAccessToken, err := h.authService.RefreshToken(ctx, req.RefreshToken)
+	if err != nil {
+		return err
+	}
+
+	resp := &dto.RefreshTokenResponse{
+		AccessToken: newAccessToken,
+		ExpiresIn:   86400,
+	}
+
+	return response.Success(c, resp)
+}
+
+// GetMe 获取用户信息
+// GET /api/auth/me - 获取用户信息
+func (h *Handler) GetMe(c *fiber.Ctx) error {
+	userID := middleware.GetUserIDFromContext(c.UserContext())
+	if userID == 0 {
+		return errors.New(errors.CodeUnauthorized, "未授权访问")
+	}
+
+	ctx := c.UserContext()
+
+	userInfo, permissions, err := h.authService.GetCurrentUser(ctx, userID)
+	if err != nil {
+		return err
+	}
+
+	data := map[string]interface{}{
+		"user":        userInfo,
+		"permissions": permissions,
+	}
+
+	return response.Success(c, data)
+}
+
+// ChangePassword 修改密码
+// PUT /api/auth/password - 修改密码
+func (h *Handler) ChangePassword(c *fiber.Ctx) error {
+	userID := middleware.GetUserIDFromContext(c.UserContext())
+	if userID == 0 {
+		return errors.New(errors.CodeUnauthorized, "未授权访问")
+	}
+
+	var req dto.ChangePasswordRequest
+	if err := c.BodyParser(&req); err != nil {
+		return errors.New(errors.CodeInvalidParam, "请求参数解析失败")
+	}
+
+	if err := h.validator.Struct(&req); err != nil {
+		logger.GetAppLogger().Warn("参数验证失败",
+			zap.String("path", c.Path()),
+			zap.String("method", c.Method()),
+			zap.Error(err),
+		)
+		return errors.New(errors.CodeInvalidParam)
+	}
+
+	ctx := c.UserContext()
+
+	if err := h.authService.ChangePassword(ctx, userID, req.OldPassword, req.NewPassword); err != nil {
+		return err
+	}
+
+	return response.Success(c, nil)
+}