iven/hms
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: E2E 测试发现的后端 BUG 修复 — 限流拆分 + 积分查询 + 错误码修正

Browse Source 
- 拆分 refresh token 限流为独立中间件(30次/分 vs 登录5次/分)
- 修复积分 recent-activity 500:JOIN 通过 points_account 中间表
- 修复患者/医生不存在返回 400 → 正确的 404 NotFound
This commit is contained in:
iven
2026-05-15 22:58:02 +08:00
parent 50e3b16381
commit bf8bcdbd5d
5 changed files with 46 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
crates/erp-auth/src/module.rs
View File

@@ -29,7 +29,6 @@ impl AuthModule {
{
Router::new()
.route("/auth/login", axum::routing::post(auth_handler::login))
.route("/auth/refresh", axum::routing::post(auth_handler::refresh))
.route(
"/auth/wechat/login",
axum::routing::post(wechat_handler::wechat_login),
@@ -40,6 +39,15 @@ impl AuthModule {
)
}
/// Refresh token routes — public but with higher rate limit (30/min vs 5/min for login).
pub fn refresh_routes<S>() -> Router<S>
where
crate::auth_state::AuthState: axum::extract::FromRef<S>,
S: Clone + Send + Sync + 'static,
{
Router::new().route("/auth/refresh", axum::routing::post(auth_handler::refresh))
}
/// Build protected (authenticated) routes for the auth module.
///
/// These routes require a valid JWT token, verified by the middleware layer.

2
crates/erp-health/src/error.rs
View File

@@ -128,7 +128,7 @@ impl From<HealthError> for AppError {
match err {
HealthError::Validation(s) => AppError::Validation(s),
HealthError::PatientNotFound | HealthError::DoctorNotFound => {
AppError::Validation(err.to_string())
AppError::NotFound(err.to_string())
}
HealthError::AppointmentNotFound
| HealthError::ScheduleNotFound

3
crates/erp-health/src/service/stats_service/dashboard.rs
View File

@@ -74,7 +74,8 @@ pub async fn get_points_recent_activity(
CASE WHEN pt.amount >= 0 THEN 'earn' ELSE 'spend' END AS type,
pt.created_at::text
FROM points_transaction pt
LEFT JOIN patient p ON p.id = pt.patient_id AND p.deleted_at IS NULL
LEFT JOIN points_account pa ON pa.id = pt.account_id AND pa.deleted_at IS NULL
LEFT JOIN patient p ON p.id = pa.patient_id AND p.deleted_at IS NULL
WHERE pt.tenant_id = $1 AND pt.deleted_at IS NULL
ORDER BY pt.created_at DESC
LIMIT $2

10
crates/erp-server/src/main.rs
View File

@@ -669,6 +669,15 @@ async fn main() -> anyhow::Result<()> {
))
.with_state(state.clone());
// Refresh token routes — higher rate limit (30/min) than login (5/min)
let refresh_routes = Router::new()
.merge(erp_auth::AuthModule::refresh_routes())
.layer(axum::middleware::from_fn_with_state(
state.clone(),
middleware::rate_limit::rate_limit_refresh_by_ip,
))
.with_state(state.clone());
// Unthrottled public routes (health, docs, brand) — no rate limiting
let unthrottled_routes = Router::new()
.merge(handlers::health::health_check_router())
@@ -746,6 +755,7 @@ async fn main() -> anyhow::Result<()> {
"/api/v1",
unthrottled_routes
.merge(public_routes)
.merge(refresh_routes)
.merge(protected_routes)
.nest("/fhir", fhir_routes),
)

28
crates/erp-server/src/middleware/rate_limit.rs
View File

@@ -40,10 +40,7 @@ struct RateLimitResponse {
const ACCOUNT_LOCKOUT_MAX_FAILURES: i64 = 5;
const ACCOUNT_LOCKOUT_TTL_SECS: i64 = 900; // 15 分钟
/// 基于 Redis 的 IP 限流中间件。
///
/// 使用 INCR + EXPIRE 实现固定窗口计数器。
/// 超限返回 HTTP 429 Too Many Requests。
/// 基于 Redis 的 IP 限流中间件登录等敏感操作5 次/分钟)
pub async fn rate_limit_by_ip(
State(state): State<AppState>,
req: Request<Body>,
@@ -66,6 +63,29 @@ pub async fn rate_limit_by_ip(
.await
}
/// 基于 Redis 的 IP 限流中间件Token 刷新30 次/分钟)。
pub async fn rate_limit_refresh_by_ip(
State(state): State<AppState>,
req: Request<Body>,
next: Next,
) -> Response {
let identifier = extract_client_ip(req.headers());
let fail_close = state.config.rate_limit.fail_close;
apply_rate_limit(
RateLimitParams {
redis_client: &state.redis,
fail_close,
max_requests: 30,
window_secs: 60,
prefix: "refresh",
},
&identifier,
req,
next,
)
.await
}
/// 基于 Redis 的用户限流中间件。
///
/// 从 TenantContext 中读取 user_id 作为标识符。