docs(patrol): 2026-06-14 documentation maintenance - sync admin-api.md with the 1:1 constraint #744
Merged
PR hrygo#741 (fix(security): enforce 1:1 user_id to API key mapping) introduced an enforced 1:1 constraint between user_id and API Key, and admin-api.md was not updated for this behaviour change:

- POST/PATCH return 409 Conflict on a user_id conflict
- New UNIQUE INDEX (migration 016, SQLite + PG)

Corrects admin-api.md in three places:

- Section header: add a note on the 1:1 mapping constraint + 409 Conflict
- POST: add the 409 Conflict response
- PATCH: add the 409 Conflict response
- Also corrects the database suffix (SQLite → SQLite or PostgreSQL)

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
hotplex-ai (Owner) previously approved these changes on Jun 13, 2026 and left a comment:
Code Review by hotplex-ai

Verdict: APPROVE | P0:0 P1:0 P2:0 P3:2

The core changes in this PR (user_id ↔ API Key 1:1 mapping constraint + 409 Conflict + dual DB backend) were verified item by item by two agents and match the code implementation exactly:

- ✅ 1:1 constraint + 409: `requireUniqueUserID` + `ErrUserIDExists` → `http.StatusConflict`, triggered on both POST and PATCH (apikey_handlers.go:425)
- ✅ POST 201 / 501 when there is no DB resolver: handler status codes match exactly (apikey_handlers.go:293,323,343,383,443)
- ✅ user_id ≤ 128 / description ≤ 512: length validation values match (apikey_handlers.go:301,305,396,400)
- ✅ Masking "first 8 + last 4 characters": `maskAPIKey` implementation matches (apikey_handlers.go:25-30)
- ✅ DELETE clears the resolver cache: `inv.Invalidate()` call confirmed (apikey_handlers.go:464)
- ✅ DB "SQLite or PostgreSQL": dual backend implementation confirmed (`apiKeyUserStore` + `pgStore`, dispatched on `cfg.DB.Driver`)
- ✅ Endpoint table: the 5 routes registered at routes.go:172-176 (method/path/scope) match the documentation one by one, no endpoint missing
- ✅ 1:1 direction wording: the code checks for duplicates by user_id via `getByUserID`; the documentation's "one user_id can be associated with only one API Key" states the correct direction and is unambiguous

2 pre-existing friendly notes (neither introduced by this diff, neither blocks merging, can be cleaned up later):

- [P3] API key generation length: the documentation says "32 random bytes as hex", but the code actually does `make([]byte, 24)` = 24 bytes (`hpk_` prefix + 48 hex characters, 52 in total). See apikey_handlers.go:58-62. Suggest correcting it to "24 random bytes" while at it.
- [P3] Unclosed backticks on the PATCH/DELETE line (`**PATCH /admin/api-keys/{id}``**` is missing a closing backtick). Checked against HEAD~1 and confirmed pre-existing, not introduced by this PR.

Documentation/code consistency review passed, LGTM 🚀
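To make the behaviour the review checks concrete, here is an added example in Go that is not the project's code: a constructed in-memory store stands in for the UNIQUE INDEX on user_id, a POST handler returns 201 on success and 409 Conflict when the user_id is already mapped to a key, keys are generated as 24 random bytes rendered as `hpk_` + 48 hex characters (52 in total), and masking keeps the first 8 and last 4 characters. The names `requireUniqueUserID`, `ErrUserIDExists` and `maskAPIKey` are taken from the review; their bodies, the `memStore` type, the `handleCreate` handler and the `postCreate` driver are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// ErrUserIDExists is returned when a user_id is already bound to an API key.
var ErrUserIDExists = errors.New("user_id already mapped to an API key")

// apiKeyRecord is a constructed stand-in for a stored API key row; only the
// masked form of the key is kept, never the plaintext.
type apiKeyRecord struct {
	ID          string
	UserID      string
	MaskedKey   string
	Description string
}

// memStore is a constructed in-memory store. byUserID plays the role of the
// UNIQUE INDEX on user_id: at most one key id per user_id.
type memStore struct {
	mu       sync.Mutex
	byID     map[string]*apiKeyRecord
	byUserID map[string]string // user_id -> key id
}

func newMemStore() *memStore {
	return &memStore{byID: map[string]*apiKeyRecord{}, byUserID: map[string]string{}}
}

// requireUniqueUserID rejects a user_id that is already bound to a different
// key. excludeID lets a PATCH re-submit the same user_id for the key it edits.
// Caller must hold s.mu.
func (s *memStore) requireUniqueUserID(userID, excludeID string) error {
	if id, ok := s.byUserID[userID]; ok && id != excludeID {
		return ErrUserIDExists
	}
	return nil
}

// generateAPIKey draws 24 random bytes: "hpk_" + 48 hex chars = 52 chars total.
func generateAPIKey() (string, error) {
	b := make([]byte, 24)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return "hpk_" + hex.EncodeToString(b), nil
}

// maskAPIKey keeps the first 8 and last 4 characters and hides the rest.
func maskAPIKey(k string) string {
	if len(k) <= 12 {
		return strings.Repeat("*", len(k))
	}
	return k[:8] + strings.Repeat("*", len(k)-12) + k[len(k)-4:]
}

type createReq struct {
	UserID      string `json:"user_id"`
	Description string `json:"description"`
}

// handleCreate is the POST /admin/api-keys handler: validates field lengths,
// enforces the 1:1 mapping under the lock, and answers 201 or 409 Conflict.
func (s *memStore) handleCreate(w http.ResponseWriter, r *http.Request) {
	var req createReq
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.UserID == "" {
		http.Error(w, "invalid body", http.StatusBadRequest)
		return
	}
	if len(req.UserID) > 128 || len(req.Description) > 512 {
		http.Error(w, "field too long", http.StatusBadRequest)
		return
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if err := s.requireUniqueUserID(req.UserID, ""); errors.Is(err, ErrUserIDExists) {
		http.Error(w, err.Error(), http.StatusConflict)
		return
	}
	key, err := generateAPIKey()
	if err != nil {
		http.Error(w, "key generation failed", http.StatusInternalServerError)
		return
	}
	rec := &apiKeyRecord{ID: fmt.Sprintf("k%d", len(s.byID)+1), UserID: req.UserID,
		MaskedKey: maskAPIKey(key), Description: req.Description}
	s.byID[rec.ID] = rec
	s.byUserID[rec.UserID] = rec.ID
	w.Header().Set("Content-Type", "application/json")
	w.WriteHeader(http.StatusCreated)
	// The plaintext key is returned exactly once, at creation time.
	json.NewEncoder(w).Encode(map[string]string{"id": rec.ID, "user_id": rec.UserID, "key": key})
}

// postCreate drives the handler through httptest and returns the status code.
func postCreate(s *memStore, body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/admin/api-keys", strings.NewReader(body))
	s.handleCreate(rec, req)
	return rec.Code
}

func main() {
	s := newMemStore()
	fmt.Println(postCreate(s, `{"user_id":"alice"}`)) // 201
	fmt.Println(postCreate(s, `{"user_id":"alice"}`)) // 409
}
```

The uniqueness check runs while the store lock is held, so two concurrent POSTs for the same user_id cannot both pass it; in the real service the UNIQUE INDEX gives the same guarantee at the database layer, and the handler maps the resulting duplicate error to 409.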
- POST description: 32 bytes → 24 bytes, consistent with the code's make([]byte, 24)
- PATCH/DELETE endpoint headings: close the backticks, aligned with the plain bold format at L189

Address PR hrygo#744 review P3 findings (pre-existing, same file).

Co-Authored-By: Claude <noreply@anthropic.com>
Summary

Change-driven patrol: 4 commits since fb857af1 (PR #730), mapped to a documentation impact analysis. Fixes docs/reference/admin-api.md, syncing the behaviour change introduced by PR #741 `fix(security): enforce 1:1 user_id to API key mapping`:

- user_id ↔ API Key 1:1 mapping constraint + 409 Conflict note
- /admin/api-keys: add the 409 Conflict response (user_id already exists)
- /admin/api-keys/{id}: add the 409 Conflict response (user_id conflict)

Impact assessment (other commits in the change window):

- 5f84b7b5 release v1.29.0
- 5c1ebc00 docs(patrol) #740
- 10763824 config split + DRY #742
- 8dd4faa8 security 1:1 #741

security-model.md / security-hardening.md describe the resolver mechanism (without declaring the mapping cardinality); they remain accurate under the 1:1 constraint and need no changes.

Closes #743

🤖 Generated with Claude Code