feat(security,click-statistics): 完善权限控制和优化点击统计性能 - 权限控制：PUT/DELETE需认证 - 点击统计三阶段流程优化 - 前端添加登录检查和错误提示 - 修复复制按钮文案显示

Author: Layau-code

src/main/java/com/layor/tinyflow/config/SecurityConfig.java

@@ -56,10 +56,9 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
                         .requestMatchers(
                                 "/api/auth/**",           // 认证接口（注册、登录）
                                 "/api/redirect/**",       // 短链跳转（核心功能）
-                                "/api/shorten",           // 创建短链（暂时允许匿名）
-                                "/api/urls",              // 查询短链列表（暂时允许匿名）
-                                "/api/urls/**",           // 短链相关操作（暂时允许匿名）
-                                "/api/stats/**",          // 统计接口（暂时允许匿名）
+                                "/api/shorten",           // 创建短链（允许匿名）
+                                "/api/urls",              // 查询短链列表（允许匿名）
+                                "/api/stats/**",          // 统计接口（允许匿名）
                                 "/actuator/**",           // 监控端点
                                 "/error",                 // 错误页面
                                 "/{shortCode}"            // 根路径短链重定向
@@ -68,6 +67,12 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
                         // 管理员接口
                         .requestMatchers("/api/admin/**").hasRole("ADMIN")
 
+                        // PUT/DELETE 短链相关操作需要认证（修改、删除操作需要登录）
+                        .requestMatchers("PUT", "/api/urls/**").authenticated()
+                        .requestMatchers("DELETE", "/api/urls/**").authenticated()
+                        .requestMatchers("PUT", "/api/*").authenticated()
+                        .requestMatchers("DELETE", "/api/*").authenticated()
+                        
                         // 其他所有接口需要认证
                         .anyRequest().authenticated()
                 )

src/main/java/com/layor/tinyflow/service/ClickRecorderService.java

@@ -43,57 +43,22 @@ public class ClickRecorderService {
     private final java.util.concurrent.ConcurrentHashMap<String, java.util.concurrent.atomic.AtomicLong> localDay = new java.util.concurrent.ConcurrentHashMap<>();
 
     /**
-     * 记录点击事件（使用消息队列）
-     * 优先级：MQ > Local > Redis
+     * 记录点击事件
+     * 优先级：Local > Redis Snapshot > MQ
+     * 
+     * 方案 C：本地内存 + Redis 快照 + 定期持久化
+     * ├─ 第一阶段（10s）：本地计数 → Redis 快照（冷备份）
+     * └─ 第二阶段（60s）：Redis 快照 → 数据库（正式记账）
      */
     @Async
     public void recordClick(String shortCode) {
-        // 模式1：消息队列模式（推荐，高可靠）
-        if ("mq".equalsIgnoreCase(counterMode)) {
-            ClickMessage message = ClickMessage.builder()
-                    .shortCode(shortCode)
-                    .timestamp(System.currentTimeMillis())
-                    .date(LocalDate.now().toString())
-                    .build();
-            try {
-                rabbitTemplate.convertAndSend(
-                    RabbitMQConfig.CLICK_EXCHANGE, 
-                    RabbitMQConfig.CLICK_ROUTING_KEY, 
-                    message
-                );
-                log.debug("[MQ] Click message sent: {}", shortCode);
-            } catch (Exception e) {
-                log.error("[MQ ERROR] Failed to send click message for {}: {}", shortCode, e.getMessage());
-                // 降级到本地模式
-                localTotal.computeIfAbsent(shortCode, k -> new java.util.concurrent.atomic.AtomicLong()).incrementAndGet();
-                localDay.computeIfAbsent(shortCode, k -> new java.util.concurrent.atomic.AtomicLong()).incrementAndGet();
-            }
-            return;
-        }
-        
-        // 模式2：本地内存模式
-        if ("local".equalsIgnoreCase(counterMode)) {
-            localTotal.computeIfAbsent(shortCode, k -> new java.util.concurrent.atomic.AtomicLong()).incrementAndGet();
-            localDay.computeIfAbsent(shortCode, k -> new java.util.concurrent.atomic.AtomicLong()).incrementAndGet();
-            return;
-        }
+        // 所有模式都先写本地内存（最快）
+        localTotal.computeIfAbsent(shortCode, k -> new java.util.concurrent.atomic.AtomicLong())
+                  .incrementAndGet();
+        localDay.computeIfAbsent(shortCode, k -> new java.util.concurrent.atomic.AtomicLong())
+                .incrementAndGet();
 
-        // 模式3：Redis Pipeline 模式
-        String totalKey = "tf:clicks:total";
-        String dayKey = "tf:clicks:day:" + LocalDate.now();
-        try {
-            // 使用Pipeline减少网络往返
-            redisTemplate.executePipelined(new org.springframework.data.redis.core.SessionCallback<Object>() {
-                @Override
-                public Object execute(org.springframework.data.redis.core.RedisOperations operations) {
-                    operations.opsForHash().increment(dayKey, shortCode, 1);
-                    operations.opsForHash().increment(totalKey, shortCode, 1);
-                    return null;
-                }
-            });
-        } catch (org.springframework.data.redis.RedisConnectionFailureException ex) {
-            log.error("redis connect failed: {}", ex.getMessage());
-        }
+        log.debug("[LOCAL] Click recorded: {}", shortCode);
     }
 
     @Async
@@ -119,66 +84,93 @@ public void recordClickEvent(String shortCode, String referer, String ua, String
     }
 
 
-    @Scheduled(fixedDelay = 2000)
-    @Transactional
-    public void flushCounters() {
-        if ("local".equalsIgnoreCase(counterMode)) {
-            for (var e : localTotal.entrySet()) {
-                String code = e.getKey();
-                long delta = e.getValue().getAndSet(0);
-                if (delta > 0) { shortUrlRepository.incrementClickCountBy(code, delta); }
+    /**
+     * 第一阶段：定期快照到 Redis（10 秒一次）
+     * 作用：冷备份，防止服务宕机时丢失数据
+     */
+    @Scheduled(fixedDelay = 10000)  // 每 10 秒
+    public void snapshotToRedis() {
+        try {
+            long startTime = System.currentTimeMillis();
+            int snapshotCount = 0;
+            
+            // 快照总点击数
+            for (var entry : localTotal.entrySet()) {
+                String code = entry.getKey();
+                long count = entry.getValue().get();  // 只读，不重置
+                if (count > 0) {
+                    redisTemplate.opsForHash().put("tf:click:snapshot:total", code, String.valueOf(count));
+                    snapshotCount++;
+                }
             }
-            for (var e : localDay.entrySet()) {
-                String code = e.getKey();
-                long delta = e.getValue().getAndSet(0);
-                if (delta > 0) { dailyClickRepo.incrementClickBy(code, delta); }
+            
+            // 快照每日点击数
+            for (var entry : localDay.entrySet()) {
+                String code = entry.getKey();
+                long count = entry.getValue().get();  // 只读，不重置
+                if (count > 0) {
+                    String dayKey = "tf:click:snapshot:day:" + LocalDate.now();
+                    redisTemplate.opsForHash().put(dayKey, code, String.valueOf(count));
+                    snapshotCount++;
+                }
+            }
+            
+            long duration = System.currentTimeMillis() - startTime;
+            if (snapshotCount > 0) {
+                log.info("[SNAPSHOT] Saved {} entries to Redis, duration={}ms", snapshotCount, duration);
             }
-            return;
+        } catch (Exception e) {
+            log.error("[SNAPSHOT ERROR] Failed to snapshot to Redis: {}", e.getMessage(), e);
         }
-        String totalKey = "tf:clicks:total";
-        String dayKey = "tf:clicks:day:" + LocalDate.now();
-        String tmpTotal = totalKey + ":flush:" + System.currentTimeMillis();
-        String tmpDay = dayKey + ":flush:" + System.currentTimeMillis();
-        
-        // 使用Pipeline批量重命名和读取，减少网络往返
+    }
+    
+    /**
+     * 第二阶段：定期持久化到数据库（60 秒一次）
+     * 作用：正式记账，将快照中的数据写入数据库
+     */
+    @Scheduled(fixedDelay = 60000)  // 每 60 秒
+    @Transactional
+    public void syncFromRedisToDB() {
         try {
-            redisTemplate.executePipelined(new org.springframework.data.redis.core.SessionCallback<Object>() {
-                @Override
-                public Object execute(org.springframework.data.redis.core.RedisOperations operations) {
-                    try { operations.rename(totalKey, tmpTotal); } catch (Exception ignored) {}
-                    try { operations.rename(dayKey, tmpDay); } catch (Exception ignored) {}
-                    return null;
+            long startTime = System.currentTimeMillis();
+            int totalUpdates = 0;
+            int dailyUpdates = 0;
+            
+            // 读取总点击快照并刷库
+            java.util.Map<Object, Object> totalSnapshot = redisTemplate.opsForHash()
+                    .entries("tf:click:snapshot:total");
+            for (var entry : totalSnapshot.entrySet()) {
+                String code = String.valueOf(entry.getKey());
+                long count = toLong(entry.getValue());
+                if (count > 0) {
+                    shortUrlRepository.incrementClickCountBy(code, count);
+                    totalUpdates++;
                 }
-            });
-        } catch (Exception ignored) {}
-        
-        java.util.Map<Object,Object> total = java.util.Collections.emptyMap();
-        java.util.Map<Object,Object> day = java.util.Collections.emptyMap();
-        try { total = redisTemplate.<Object,Object>opsForHash().entries(tmpTotal); } catch (Exception ignored) {}
-        try { day = redisTemplate.<Object,Object>opsForHash().entries(tmpDay); } catch (Exception ignored) {}
-        
-        for (var e : total.entrySet()) {
-            String code = String.valueOf(e.getKey());
-            long delta = toLong(e.getValue());
-            if (delta > 0) { shortUrlRepository.incrementClickCountBy(code, delta); }
-        }
-        for (var e : day.entrySet()) {
-            String code = String.valueOf(e.getKey());
-            long delta = toLong(e.getValue());
-            if (delta > 0) { dailyClickRepo.incrementClickBy(code, delta); }
-        }
-        
-        // 使用Pipeline批量删除临时key
-        try {
-            redisTemplate.executePipelined(new org.springframework.data.redis.core.SessionCallback<Object>() {
-                @Override
-                public Object execute(org.springframework.data.redis.core.RedisOperations operations) {
-                    try { operations.delete(tmpTotal); } catch (Exception ignored) {}
-                    try { operations.delete(tmpDay); } catch (Exception ignored) {}
-                    return null;
+            }
+            
+            // 读取每日点击快照并刷库
+            String daySnapshotKey = "tf:click:snapshot:day:" + LocalDate.now();
+            java.util.Map<Object, Object> daySnapshot = redisTemplate.opsForHash()
+                    .entries(daySnapshotKey);
+            for (var entry : daySnapshot.entrySet()) {
+                String code = String.valueOf(entry.getKey());
+                long count = toLong(entry.getValue());
+                if (count > 0) {
+                    dailyClickRepo.incrementClickBy(code, count);
+                    dailyUpdates++;
                 }
-            });
-        } catch (Exception ignored) {}
+            }
+            
+            // 刷库成功后，清空 Redis 快照（只清快照，本地内存继续累加）
+            redisTemplate.delete("tf:click:snapshot:total");
+            redisTemplate.delete(daySnapshotKey);
+            
+            long duration = System.currentTimeMillis() - startTime;
+            log.info("[SYNC] Persisted {} total clicks and {} daily clicks to DB, duration={}ms", 
+                    totalUpdates, dailyUpdates, duration);
+        } catch (Exception e) {
+            log.error("[SYNC ERROR] Failed to sync from Redis to DB: {}", e.getMessage(), e);
+        }
     }
 
     private long toLong(Object value) {

src/main/resources/application.yml

@@ -130,10 +130,11 @@ management:
 
 events:
   sampleRate: 0.0
-# 点击计数模式：mq(消息队列，推荐) | local(本地内存) | redis(Pipeline)
-# 暂时使用 redis 模式，等 RabbitMQ 安装后改为 mq
+
+# 点击计数模式：使用本地内存 + Redis 快照方案
+# 方案 C：第一阶段(10s)本地→Redis快照，第二阶段(60s)Redis→数据库
 clicks:
-  mode: redis
+  mode: local  # 仍配置为 local（第一阶段），第二阶段由定时任务驱动
 
 cache:
   caffeine:

web/App.vue

@@ -103,7 +103,7 @@
               </button>
               <div class="mt-4 flex gap-3">
                 <button @click="copyShortUrl" class="fs-btn-secondary px-4 py-2">
-                  {{ $t('result.copy') }}
+                  {{ copyLabel }}
                 </button>
                 <button @click="downloadQrPng" class="fs-btn-secondary px-4 py-2">
                   {{ $t('result.downloadQr') }}
@@ -614,6 +614,11 @@ export default {
       this.refreshHistory()
     },
     startEdit(item) {
+      // 检查是否已登录
+      if (!this.isAuthenticated) {
+        alert('请先登录后再编辑短链接')
+        return
+      }
       this.editingId = item?.id || null
       const code = this.extractCode(item)
       this.editAlias = code || ''
@@ -628,6 +633,13 @@ export default {
       const newAlias = (this.editAlias || '').trim()
       if (!id || !oldCode) return
       if (!newAlias) { alert('请输入新的短码或别名'); return }
+      
+      // 检查是否已登录
+      if (!this.isAuthenticated) {
+        alert('请先登录后再编辑短链接')
+        return
+      }
+      
       this.updatingIds.add(id)
       try {
         // 调用后端更新接口：PUT /api/{shortCode}
@@ -642,7 +654,15 @@ export default {
         this.history = (this.history || []).map(x => x.id === id ? updated : x)
         this.cancelEdit()
       } catch (err) {
-        alert('更新失败，请稍后重试')
+        const status = err?.response?.status
+        if (status === 401) {
+          alert('会话已过期，请重新登录')
+          window.location.href = '/login'
+        } else if (status === 403) {
+          alert('您没有权限修改此短链接')
+        } else {
+          alert('更新失败，请稍后重试')
+        }
         console.error('Update short url error:', err)
       } finally {
         this.updatingIds.delete(id)
@@ -652,6 +672,13 @@ export default {
       const id = item?.id
       const code = this.extractCode(item)
       if (!code) return
+      
+      // 检查是否已登录
+      if (!this.isAuthenticated) {
+        alert('请先登录后再删除短链接')
+        return
+      }
+      
       if (id) this.deletingIds.add(id)
       try {
         // 改为按短码删除：DELETE /api/{shortCode}
@@ -661,7 +688,15 @@ export default {
           this.history = (this.history || []).filter(x => this.extractCode(x) !== code)
         }
       } catch (err) {
-        alert('删除失败，请稍后重试')
+        const status = err?.response?.status
+        if (status === 401) {
+          alert('会话已过期，请重新登录')
+          window.location.href = '/login'
+        } else if (status === 403) {
+          alert('您没有权限删除此短链接')
+        } else {
+          alert('删除失败，请稍后重试')
+        }
         console.error('History delete error:', err)
       } finally {
         if (id) this.deletingIds.delete(id)