aiot-platform-cloud

Author	SHA1	Message	Date
lzh	4386a69a4a	feat(system): 新增内部 SSO 回调换 Token 接口面向业务/物联运维平台之间的互跳场景：已登录一端 → /system/oauth2/authorize 拿 code → 浏览器重定向 → 另一端调用本接口用 code 换 access_token。安全要点： - body 传参而非 query，code/state 不落 nginx access log 和浏览器历史 - client_secret 不传：secret 仅存 DB，验证安全性来自 OAuth2 code 一次性 + redirect_uri 白名单 + state 一致性 + short TTL - state 入参改为必填（@NotBlank），强制 CSRF 防护 - 日志中 code 截断（前 6 + ***+ 末 2），state 只记录长度不暴露值 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-24 13:32:40 +08:00
lzh	cbbb048a4d	feat(system): 按 OAuth2 客户端 platform 过滤菜单，支持业务/物联双前端问题：业务平台（biz）和物联运维平台（iot）共用一套用户体系和菜单表，但每个前端只该看到自己域的菜单。原来没有按客户端过滤的机制。方案：在 OAuth2 客户端维度打 platform 标签（biz/iot/NULL），菜单也打同样标签，登录时下发菜单按二者匹配过滤。链路： - OAuth2AccessTokenCheckRespDTO / LoginUser（framework + gateway）新增 clientId 字段 - TokenAuthenticationFilter（framework + gateway）把 accessToken.clientId 带进 LoginUser - WebFrameworkUtils.HEADER_CLIENT_ID="X-Client-Id"：登录/refresh 等"无 token 入口" 允许前端声明 client，避免硬编码 default - AdminAuthServiceImpl.resolveClientId：未传 Header 时回退 OAuth2ClientConstants.CLIENT_ID_DEFAULT - MenuDO / OAuth2ClientDO 各加 platform 列 - MenuService.filterMenusByPlatform：platform 为空（全平台共用）或匹配即保留 SQL 迁移按字母序编号： - _01_oauth2_client_platform.sql：加列 + 给 default/iot-client 客户端打标 + 递归标 IoT 菜单子树（root id=4000）为 iot - _02_bulk_mark_biz_menus.sql：其余 platform=NULL 的菜单兜底标 biz - 顺序依赖：_01 标完 iot 后 _02 才动剩余 NULL，避免 _02 把 IoT 菜单错标 biz Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-24 13:32:26 +08:00
lzh	9784d7dd8e	perf(system): 项目授权校验改单行查询 + AuthController 切 FromCache 背景：feat/multi-tenant-project 联调发现 /admin-api/** 全线变慢，尤其 get-permission-info 经常超时。根因是 ProjectSecurityWebFilter 每请求需校验"用户对项目是否授权"，原实现走"拿全量 authorizedIds 再 contains"路径，超管分支还得 selectList 全表项目。Framework 层虽有 60s 本地缓存，cache miss 时仍要走 Feign HTTP 自调用 + 两次 DB。优化： 1. 新增 ProjectService.isProjectAuthorized(userId, projectId) 单项校验： - 超管直通返回 true（不查任何表） - 普通用户走 (user_id, project_id) 唯一索引的 selectCount 单行查询 2. ProjectCommonApi / ProjectApiImpl / ProjectFrameworkService(Impl) 全链路新增 isProjectAuthorized Feign 接口 3. ProjectFrameworkServiceImpl 为 isProjectAuthorized 加 60s 本地 Guava 缓存（key=(userId,projectId)）；invalidateAuthorizedProjectCache 同步清理本用户所有条目 4. ProjectSecurityWebFilter 改调 isProjectAuthorized，消除每请求拉全量列表的开销 5. ProjectServiceImpl.getDefaultProjectId 的 N 次 selectById 改成一次 selectByIds 批量 6. AuthController.getPermissionInfo 第 107 行 getUserRoleIdListByUserId → FromCache（yudao 原生小瑕疵顺手修）预期收益： - Filter 热路径在 cache 命中时 0 次 DB，cache miss 时 1 次单行查询 - get-permission-info 消除一次无缓存 user_role DB 查询 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-23 16:20:29 +08:00
lzh	317f1cd02f	perf(system): isSuperAdmin 切到 getUserRoleIdListByUserIdFromCache 修复 /admin-api/system/auth/get-permission-info 等接口大面积超时：原因：ProjectSecurityWebFilter 每次 admin-api 请求都调一次 ProjectService.getAuthorizedProjectIds(userId)，我之前在里面塞的 isSuperAdmin 用了无缓存的 getUserRoleIdListByUserId，每请求一次 SELECT system_user_role，并发下直接打爆 DB。切到 getUserRoleIdListByUserIdFromCache（@Cacheable 走 Redis USER_ROLE_ID_LIST），首次查 DB、后续命中缓存，该缓存在 assignUserRole / processUserDeleted / updateUserRole 等写入点都已正确 CacheEvict。同时修正 UserProjectServiceImpl.isSuperAdmin 同样问题。 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-23 16:10:41 +08:00
lzh	5dbc6c5e79	feat(system): 超管绕过 user_project + 项目成员分页/增量 API 后端为配合前端"项目管理成员"从 Modal 改 Drawer 重构接口： - ProjectServiceImpl.getAuthorizedProjectIds 新增超管分支：若 hasAnySuperAdmin(userRoleIds) 成立，直接返回本租户全部项目 ID 连带影响 getAuthorizedEnabledProjects / getDefaultProjectId / ProjectSecurityWebFilter.authorizedProjectIds.contains 全部自动生效 - 新增 UserProjectService 三个方法： * getProjectUserPage(reqVO) 分页返回成员 AdminUserDO，过滤超管 * addProjectUsers(projectId, userIds) 增量添加，已在的用户跳过 * removeProjectUser(projectId, userId) 单删，带超管/自踢守卫 - 新增 Controller 三个端点： * GET /system/user-project/project-user-page * POST /system/user-project/add-project-users * DELETE /system/user-project/remove-project-user - 新增 VO：UserProjectPageReqVO / UserProjectAddProjectUsersReqVO - 权限点沿用 system:project:assign-user Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-23 15:48:18 +08:00
lzh	88cab42a9c	feat(system): 用户-项目绑定管理 API + 顶栏项目下拉修正 - 新增 UserProjectService/ServiceImpl/Controller：给用户分配项目、给项目分配成员幂等覆盖写入（diff 出增删），参考 PermissionServiceImpl.assignUserRole 模式 - 自踢守卫：禁止用户把自己从当前正在访问的项目中移除 - 超管守卫：assignProjectUsers 拒绝移除持有超管角色的用户（用 RoleService.hasAnySuperAdmin 判别，非 userId==1） - ProjectController.simple-list 改为只返回"当前用户授权且启用"的项目（修 bug：原返回整租户启用项目，会让顶栏下拉看到无权访问的项目） - 新增 /system/project/all-simple-list：管理员分配场景的全量项目下拉，权限复用 system:project:query - ProjectService.deleteProject 加 @Transactional，同事务内级联软删 system_user_project - 新增两条菜单权限种子 SQL，parent_id 子查询动态定位： * system:user:assign-project * system:project:assign-user - 新增错误码 USER_PROJECT_CANNOT_REMOVE_SELF_CURRENT / USER_PROJECT_CANNOT_REMOVE_SUPER_ADMIN 设计文档：docs/design/2026-04-23-user-project-binding.md（在前端仓库） Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-23 14:48:57 +08:00
lzh	423bf3ec3f	feat(tenant): 实现 ProjectSecurityWebFilter 项目权限集合校验新增 ProjectSecurityWebFilter: - 集合校验: user.authorizedProjectIds.contains(header.projectId) - 默认项目选择: DEFAULT编码 → 最小ID → 单项目自动选中 → 无授权403 - @ProjectIgnore URL 自动跳过 - 注册在 WebFilterOrderEnum.PROJECT_SECURITY_FILTER (-98) 框架层: - ProjectCommonApi: 新增 getAuthorizedProjectIds, getDefaultProjectId - ProjectFrameworkService: 新增授权查询 + Caffeine 缓存(60s/1000条) - ViewshTenantAutoConfiguration: 注册 Filter + 扫描 @ProjectIgnore 业务层: - ProjectService: 新增 getAuthorizedProjectIds, getDefaultProjectId - ProjectServiceImpl: 默认项目3级回退逻辑 - ProjectApiImpl: 实现 Feign 端点 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 23:35:56 +08:00
lzh	87beb1228e	feat(tenant): 租户-项目两级架构 Phase 0+1 — 基础框架层 Phase 0 技术验证: - ProjectBaseDO extends TenantBaseDO，新增 projectId 字段 - ProjectContextHolder (TransmittableThreadLocal) 项目上下文管理 - ProjectDatabaseInterceptor 实现 TenantLineHandler，返回 project_id 列 - 注册第二个 TenantLineInnerInterceptor，通过 @Qualifier 保证初始化顺序 - DualInterceptorTest 11 个用例验证双拦截器 SQL 注入（SELECT/INSERT/UPDATE/DELETE + JOIN + 子查询） Phase 1 基础框架层: - @ProjectIgnore 注解 + ProjectIgnoreAspect (SpEL 条件支持) - ProjectUtils 工具类 (execute/executeIgnore) - ProjectContextWebFilter 从请求 Header 解析 project-id - WebFrameworkUtils 扩展 HEADER_PROJECT_ID + getProjectId() - WebFilterOrderEnum 新增 PROJECT_CONTEXT_FILTER、PROJECT_SECURITY_FILTER - RPC: TenantRequestInterceptor 自动透传 project-id - MQ: Kafka/RocketMQ/RabbitMQ/Redis 全部支持 project-id 发送与消费 - @ProjectJob + ProjectJobAspect (@Order(2) 内层，配合 @TenantJob 使用) - TenantJobAspect 补充 @Order(1) 外层标记 - ProjectDO + UserProjectDO + Mapper + ProjectService + ProjectController - ProjectCommonApi (Feign) + ProjectApiImpl + ProjectFrameworkServiceImpl (Guava 缓存) - TenantServiceImpl.createTenant() 联动创建默认项目 - ErrorCodeConstants 新增 1-002-030-xxx 项目错误码 Review 修复: - Bean 初始化顺序: projectLineInnerInterceptor 依赖 @Qualifier 确保顺序 - computeIgnoreTable: @ProjectIgnore 检查优先于 isAssignableFrom - ProjectFrameworkServiceImpl 注册为 Spring Bean - RocketMQ SendHook: project-id 独立于 tenantId 传播 - createDefaultProject 移入 TenantUtils.execute 事务块内 - 全部 MQ/RPC 统一使用 HEADER_PROJECT_ID 常量 - ProjectJobAspect 增加租户上下文防御校验 - 移除 ProjectDO/UserProjectDO 无效的 @KeySequence - ProjectServiceImpl/ProjectApiImpl 移除冗余 TenantUtils.execute 嵌套 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 19:22:57 +08:00
lzh	90fa54dc11	build(ci): add stage deployment pipeline and configs	2026-03-30 22:53:46 +08:00
lzh	78aba0d1ed	refactor(system): 用户头像预签名改为 @OssPresignUrl 声明式处理在 AuthPermissionInfoRespVO、OAuth2UserInfoRespVO、UserProfileRespVO、 UserRespVO 的 avatar 字段添加 @OssPresignUrl 注解，移除 AuthController、OAuth2UserController、UserController、 UserProfileController 中手动调用 fileApi.presignGetUrl 的代码， Controller 回归薄层职责。 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-03-18 15:06:43 +08:00
lzh	f792ee1678	refactor(system): 社交绑定列表逻辑下沉至 Service 层将 SocialUserBindMapper 从 Controller 移除，数据组装逻辑移至 SocialUserService.getSocialUserBindList()，返回绑定时间字段；修复 avatar 误用 getNickname() 的 bug Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-17 18:04:37 +08:00
lzh	064ccdac89	feat(system): 管理后台微信小程序一键登录接口新增 /system/auth/weixin-mini-app-login 端点，通过微信手机号授权匹配管理员账号并自动绑定，含绑定冲突检测： - 同一微信已绑定其他管理员 → 拒绝 - 同一管理员已绑定其他微信 → 拒绝 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-17 18:01:53 +08:00
lzh	d123057d73	feat(system): 用户头像 URL 预签名支持 - AuthController 登录权限接口返回预签名头像 - UserController 用户列表及详情返回预签名头像 - UserProfileController 个人中心预签名头像，保存时剥离签名参数 - OAuth2UserController 用户信息接口返回预签名头像 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-03-17 17:44:41 +08:00
lzh	b4de9d0df8	feat(config): 修改测试环境地址	2026-02-26 17:16:24 +08:00
lzh	a68ce9a28a	fix(xxl-job): 配置executor IP和端口解决跨服务器回调失败 Some checks failed Java CI with Maven / build (11) (push) Has been cancelled Details Java CI with Maven / build (17) (push) Has been cancelled Details Java CI with Maven / build (8) (push) Has been cancelled Details XXL-Job Admin部署在Infra服务器，executor运行在Prod服务器的Docker容器中，容器内部IP不可达，需指定宿主机IP和独立端口供Admin回调。 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-13 17:03:39 +08:00
lzh	bec46c2919	fix(rocketmq): 修正ACL配置位置到producer/consumer节点下 Some checks failed Java CI with Maven / build (11) (push) Has been cancelled Details Java CI with Maven / build (17) (push) Has been cancelled Details Java CI with Maven / build (8) (push) Has been cancelled Details rocketmq-spring-boot-starter的access-key/secret-key需配置在 producer和consumer节点下而非rocketmq根节点，同时为所有 @RocketMQMessageListener注解添加accessKey/secretKey属性。 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-13 16:19:42 +08:00
lzh	748b09d355	fix(rocketmq): 添加腾讯云TDMQ ACL认证配置解决连接失败 Some checks failed Java CI with Maven / build (11) (push) Has been cancelled Details Java CI with Maven / build (17) (push) Has been cancelled Details Java CI with Maven / build (8) (push) Has been cancelled Details 修复RocketMQ发送消息报"No accessKey is configured"错误，统一各模块环境变量名为ROCKETMQ_NAMESRV_ADDR。 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-13 15:50:44 +08:00
lzh	26e909cce9	fix(deploy): 迁移Nacos/TDengine/XXL-Job至Infra服务器(172.17.16.7) Some checks failed Java CI with Maven / build (11) (push) Has been cancelled Details Java CI with Maven / build (17) (push) Has been cancelled Details Java CI with Maven / build (8) (push) Has been cancelled Details 将基础设施服务地址从Prod服务器(172.17.16.14)统一迁移至Infra服务器(172.17.16.7)： - Nacos: 172.17.16.14:8848 → 172.17.16.7:8848 - TDengine: 172.17.16.14:6041 → 172.17.16.7:6041 - XXL-Job: 172.17.16.14:19090 → 172.17.16.7:19090 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-13 11:22:02 +08:00
lzh	547da7cfd2	refactor(deploy): 迁移CI/CD至双服务器架构 Some checks failed Java CI with Maven / build (11) (push) Has been cancelled Details Java CI with Maven / build (17) (push) Has been cancelled Details Java CI with Maven / build (8) (push) Has been cancelled Details - Jenkinsfile: Registry改为Infra内网172.17.16.7:5000，部署目标改为Prod内网172.17.16.14 - docker-compose: 镜像源改为172.17.16.7:5000，MySQL改为172.17.16.8，Redis改为172.17.16.13，RocketMQ改为腾讯云TDMQ - 所有模块application-prod.yaml: 统一更新MySQL/Redis/RocketMQ默认连接地址 - deploy.sh: Registry地址同步更新 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-13 10:41:54 +08:00
lzh	2a1cdfc4dc	Merge remote-tracking branch 'origin/master' into merge-temp	2026-01-14 22:49:28 +08:00
lzh	01f900a6fe	fix: 修改xxl-job地址 Some checks failed Java CI with Maven / build (11) (push) Has been cancelled Details Java CI with Maven / build (17) (push) Has been cancelled Details Java CI with Maven / build (8) (push) Has been cancelled Details	2026-01-14 15:43:41 +08:00
lzh	91861c0948	fix: 系统登录验证码水印修改 Some checks failed Java CI with Maven / build (11) (push) Has been cancelled Details Java CI with Maven / build (17) (push) Has been cancelled Details Java CI with Maven / build (8) (push) Has been cancelled Details	2026-01-14 14:21:00 +08:00
lzh	52017f7e23	fix: Jenkins修复3-prod缺失配置添加 Some checks failed Java CI with Maven / build (11) (push) Has been cancelled Details Java CI with Maven / build (17) (push) Has been cancelled Details Java CI with Maven / build (8) (push) Has been cancelled Details	2026-01-14 11:43:47 +08:00
lzh	a20ef566d0	fix: Jenkins修复3-修改nacos配置 Some checks failed Java CI with Maven / build (11) (push) Has been cancelled Details Java CI with Maven / build (17) (push) Has been cancelled Details Java CI with Maven / build (8) (push) Has been cancelled Details	2026-01-14 11:12:28 +08:00
lzh	efe05ad624	refactor: 重构配置管理，移除.env依赖，使用docker-compose环境变量+Nacos配置中心 Some checks failed Java CI with Maven / build (11) (push) Has been cancelled Details Java CI with Maven / build (17) (push) Has been cancelled Details Java CI with Maven / build (8) (push) Has been cancelled Details - 更新所有application-prod.yaml，将环境变量占位符替换为硬编码默认值 - 重写docker-compose.core.yml，使用Spring Boot环境变量命名规范 - 修复Jenkins pipeline中的getContainerName方法调用错误 - 配置优先级：Nacos配置中心 > Docker环境变量 > application-prod.yaml 变更文件： - viewsh-gateway/src/main/resources/application-prod.yaml - viewsh-module-system-server/src/main/resources/application-prod.yaml - viewsh-module-infra-server/src/main/resources/application-prod.yaml - viewsh-module-iot-server/src/main/resources/application-prod.yaml - viewsh-module-iot-gateway/src/main/resources/application-prod.yaml - docker-compose.core.yml - Jenkinsfile	2026-01-13 23:50:37 +08:00
lzh	2b9c1aa7d8	feat: 添加所有核心服务的生产环境配置文件 Some checks failed Java CI with Maven / build (11) (push) Has been cancelled Details Java CI with Maven / build (17) (push) Has been cancelled Details Java CI with Maven / build (8) (push) Has been cancelled Details - 创建 application-prod.yaml 支持环境变量占位符 - 支持 Docker Compose 环境变量注入 - 支持 Nacos 配置中心覆盖 - 涵盖 5 个核心服务: gateway, system, infra, iot-server, iot-gateway	2026-01-13 11:52:27 +08:00
lzh	dd7c1e097b	chore: iot、system配置文件调整	2025-12-31 15:53:40 +08:00
lzh	4f293436ef	chore: system、infra、iot、server配置文件调整 - nacos使用124.221.55.225	2025-12-31 14:21:48 +08:00
lzh	ba22a96e44	chore: system、infra、iot、server配置文件调整v1.0	2025-12-31 14:09:36 +08:00
lzh	8ccfafe2bb	first commit Some checks failed Java CI with Maven / build (11) (push) Has been cancelled Details Java CI with Maven / build (17) (push) Has been cancelled Details Java CI with Maven / build (8) (push) Has been cancelled Details	2025-12-31 11:48:19 +08:00

30 Commits