feat: rename qiniu to oss, add admin upload proxy with thumbnail, add dev-login

- Rename all QINIU_* config/code/docs to OSS_* to match actual Alibaba Cloud OSS
- Refactor upload module from internal/common/qiniu to internal/common/upload
- Add backend proxy upload endpoint (POST /api/admin/marketing/upload) to avoid CORS
- Auto-generate compressed thumbnail (800px, JPEG 80%) on admin image upload
- Add dev-login endpoint (POST /api/v1/auth/dev-login) for H5 debugging
- Add imageutil package for server-side image resizing

Made-with: Cursor

internal/common/upload/handler/upload_handler.go

@@ -0,0 +1,169 @@
+package handler
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"net/http"
+	"net/url"
+	"path"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/gin-gonic/gin"
+
+	"wx_service/config"
+	oss "wx_service/internal/common/oss"
+	uploadservice "wx_service/internal/common/upload/service"
+	"wx_service/internal/middleware"
+	"wx_service/internal/model"
+)
+
+type UploadHandler struct {
+	uploadService *uploadservice.UploadService
+}
+
+func NewUploadHandler(uploadService *uploadservice.UploadService) *UploadHandler {
+	return &UploadHandler{uploadService: uploadService}
+}
+
+type uploadTokenRequest struct {
+	Filename string `json:"filename"`
+}
+
+type callbackPayload struct {
+	Key      string `json:"key"`
+	Hash     string `json:"hash"`
+	Fsize    int64  `json:"fsize"`
+	MimeType string `json:"mimeType"`
+}
+
+type uploadTokenResponse struct {
+	Token        string `json:"token,omitempty"`
+	Key          string `json:"key"`
+	UploadURL    string `json:"upload_url"`
+	ExpireAt     int64  `json:"expire,omitempty"`
+	CDNDomain    string `json:"cdn_domain,omitempty"`
+	OSSAccessKey string `json:"oss_access_key_id,omitempty"`
+	OSSPolicy    string `json:"oss_policy,omitempty"`
+	OSSSignature string `json:"oss_signature,omitempty"`
+}
+
+var extPattern = regexp.MustCompile(`^\.[a-z0-9]{1,10}$`)
+
+// GetUploadToken 返回直传所需的凭证；CDN 为阿里云 OSS 时返回 OSS PostObject 凭证。
+func (h *UploadHandler) GetUploadToken(c *gin.Context) {
+	user := middleware.MustCurrentUser(c)
+
+	var req uploadTokenRequest
+	_ = c.ShouldBindJSON(&req)
+
+	cfg := config.AppConfig.OSS
+	cdnDomain := strings.TrimSpace(cfg.CDNDomain)
+
+	if oss.IsOSSDomain(cdnDomain) && cfg.AccessKey != "" && cfg.SecretKey != "" && cfg.Bucket != "" {
+		ext := path.Ext(req.Filename)
+		if ext == "" || !extPattern.MatchString(strings.ToLower(ext)) {
+			ext = ".jpg"
+		}
+		keyPrefix := strings.Trim(cfg.KeyPrefix, "/")
+		key := fmt.Sprintf("%s/mp_%d/user_%d/%s/%x%s",
+			keyPrefix, user.MiniProgramID, user.ID,
+			time.Now().Format("20060102"), time.Now().UnixNano()&0xffffffff, ext)
+		endpoint := oss.ParseOSSEndpoint(cdnDomain)
+		expireSeconds := cfg.TokenExpireSeconds
+		if expireSeconds <= 0 {
+			expireSeconds = 300
+		}
+		policy, signature, err := oss.PostPolicy(cfg.Bucket, endpoint, key, cfg.SecretKey, expireSeconds)
+		if err != nil {
+			c.JSON(http.StatusInternalServerError, model.Error(http.StatusInternalServerError, "生成 OSS 凭证失败"))
+			return
+		}
+		uploadURL := oss.UploadHost(cfg.Bucket, endpoint)
+		cdnHost := "https://" + cfg.Bucket + "." + endpoint + ".aliyuncs.com"
+		c.JSON(http.StatusOK, model.Success(uploadTokenResponse{
+			Key:          key,
+			UploadURL:    uploadURL,
+			CDNDomain:    cdnHost,
+			OSSAccessKey: cfg.AccessKey,
+			OSSPolicy:    policy,
+			OSSSignature: signature,
+		}))
+		return
+	}
+
+	token, err := h.uploadService.CreateUploadToken(user.MiniProgramID, user.ID, req.Filename)
+	if err != nil {
+		if errors.Is(err, uploadservice.ErrUploadNotConfigured) {
+			c.JSON(http.StatusServiceUnavailable, model.Error(http.StatusServiceUnavailable, "未配置上传服务，请联系管理员"))
+			return
+		}
+		c.JSON(http.StatusInternalServerError, model.Error(http.StatusInternalServerError, "获取上传凭证失败，请稍后重试"))
+		return
+	}
+	c.JSON(http.StatusOK, model.Success(token))
+}
+
+// UploadCallback 处理上传回调（无需登录），通过签名验签确保来源可信。
+func (h *UploadHandler) UploadCallback(c *gin.Context) {
+	rawBody, err := io.ReadAll(c.Request.Body)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, model.Error(http.StatusBadRequest, "读取回调内容失败"))
+		return
+	}
+
+	if err := h.uploadService.VerifyCallbackSignature(c.Request, rawBody); err != nil {
+		switch {
+		case errors.Is(err, uploadservice.ErrUploadNotConfigured):
+			c.JSON(http.StatusServiceUnavailable, model.Error(http.StatusServiceUnavailable, "上传服务未配置"))
+		default:
+			c.JSON(http.StatusUnauthorized, model.Error(http.StatusUnauthorized, "回调验签失败"))
+		}
+		return
+	}
+
+	payload, err := parseCallbackPayload(c.ContentType(), rawBody)
+	if err != nil {
+		c.JSON(http.StatusBadRequest, model.Error(http.StatusBadRequest, "回调内容格式错误"))
+		return
+	}
+	if strings.TrimSpace(payload.Key) == "" {
+		c.JSON(http.StatusBadRequest, model.Error(http.StatusBadRequest, "回调内容缺少 key"))
+		return
+	}
+
+	log.Printf("[upload_callback] key=%s hash=%s fsize=%d mimeType=%s", payload.Key, payload.Hash, payload.Fsize, payload.MimeType)
+	c.JSON(http.StatusOK, model.Success(gin.H{"ok": true}))
+}
+
+func parseCallbackPayload(contentType string, raw []byte) (callbackPayload, error) {
+	var payload callbackPayload
+	trimmed := strings.TrimSpace(strings.ToLower(contentType))
+	if strings.Contains(trimmed, "application/json") {
+		if err := json.Unmarshal(raw, &payload); err != nil {
+			return callbackPayload{}, err
+		}
+		return payload, nil
+	}
+
+	values, err := url.ParseQuery(string(raw))
+	if err != nil {
+		return callbackPayload{}, err
+	}
+	payload.Key = strings.TrimSpace(values.Get("key"))
+	payload.Hash = strings.TrimSpace(values.Get("hash"))
+	payload.MimeType = strings.TrimSpace(values.Get("mimeType"))
+	if rawFsize := strings.TrimSpace(values.Get("fsize")); rawFsize != "" {
+		fsize, parseErr := strconv.ParseInt(rawFsize, 10, 64)
+		if parseErr != nil {
+			return callbackPayload{}, parseErr
+		}
+		payload.Fsize = fsize
+	}
+	return payload, nil
+}