1

api/service/biz_auth_verify.js

@@ -29,11 +29,11 @@ function hasPositiveDelta(delta) {
 }
 
 /**
- * 对外鉴权：Token + 用户 + 有效订阅 + 功能点 + 可选用量上报与额度
- * body: { token, feature?, usage_delta?: { msg?, mass?, ... } }
+ * 对外鉴权：Token + 用户 + 有效订阅 + 功能点 + 接口权限 + API调用量 + 可选用量上报
+ * body: { token, feature?, api_path?, usage_delta?: { msg?, mass?, ... } }
  */
 async function verifyRequest(body) {
-  const { token, feature } = body || {};
+  const { token, feature, api_path } = body || {};
   if (!token) {
     return { ok: false, error_code: "TOKEN_INVALID", message: "缺少 token" };
   }
@@ -71,9 +71,26 @@ async function verifyRequest(body) {
     return { ok: false, error_code: "FEATURE_NOT_ALLOWED", message: "功能未在套餐内" };
   }
 
+  // 接口路径级权限校验
+  if (api_path) {
+    const apiCheck = usageSvc.checkApiPathAllowed(plan, api_path);
+    if (!apiCheck.ok) {
+      return { ok: false, error_code: apiCheck.error_code, message: apiCheck.message };
+    }
+  }
+
   const statMonth = usageSvc.currentStatMonth();
   let usageRow = await usageSvc.getOrCreateUsage(row.user_id, sub.plan_id, statMonth);
 
+  // API 调用次数配额校验
+  if (api_path) {
+    const callCheck = usageSvc.checkApiCallQuota(plan, usageRow);
+    if (!callCheck.ok) {
+      return { ok: false, error_code: callCheck.error_code, message: callCheck.message };
+    }
+    usageRow = await usageSvc.incrementApiCallCount(row.user_id, sub.plan_id, statMonth);
+  }
+
   const delta = normalizeUsageDelta(body.usage_delta || body.usage_report);
   if (hasPositiveDelta(delta)) {
     const q = usageSvc.checkQuotaAfterDelta(plan, usageRow, delta);
@@ -99,6 +116,7 @@ async function verifyRequest(body) {
         friend_count: usageSvc.num(usageRow.friend_count),
         sns_count: usageSvc.num(usageRow.sns_count),
         active_user_count: usageSvc.num(usageRow.active_user_count),
+        api_call_count: usageSvc.num(usageRow.api_call_count),
       },
     },
   };

api/service/biz_usage_service.js

@@ -35,6 +35,7 @@ async function getOrCreateUsage(userId, planId, statMonth) {
       friend_count: 0,
       sns_count: 0,
       active_user_count: 0,
+      api_call_count: 0,
     },
   });
   if (num(row.plan_id) !== num(planId)) {
@@ -100,11 +101,57 @@ async function ensureUsageRowsForCurrentMonth() {
   return n;
 }
 
+/**
+ * 校验 API 调用次数是否超限
+ * @param {object} plan - 套餐记录（含 api_call_quota）
+ * @param {object} usageRow - 当月用量记录（含 api_call_count）
+ * @returns {{ ok: boolean, error_code?: string, message?: string }}
+ */
+function checkApiCallQuota(plan, usageRow) {
+  const quota = num(plan.api_call_quota);
+  if (quota <= 0) return { ok: true };
+  const used = num(usageRow.api_call_count) + 1;
+  if (used > quota) {
+    return { ok: false, error_code: "API_CALL_QUOTA_EXCEEDED", message: `当月 API 调用次数已达上限(${quota})` };
+  }
+  return { ok: true };
+}
+
+/**
+ * API 调用次数 +1
+ */
+async function incrementApiCallCount(userId, planId, statMonth) {
+  const row = await getOrCreateUsage(userId, planId, statMonth);
+  await row.update({ api_call_count: num(row.api_call_count) + 1 });
+  return row.reload();
+}
+
+/**
+ * 校验接口路径是否在套餐允许范围内
+ * @param {object} plan - 套餐记录（含 allowed_apis）
+ * @param {string} apiPath - 当前请求的接口路径，如 /user/GetProfile
+ * @returns {{ ok: boolean, error_code?: string, message?: string }}
+ */
+function checkApiPathAllowed(plan, apiPath) {
+  const allowed = plan.allowed_apis;
+  if (allowed == null) return { ok: true };
+  let list = allowed;
+  if (typeof list === "string") {
+    try { list = JSON.parse(list); } catch { return { ok: true }; }
+  }
+  if (!Array.isArray(list) || list.length === 0) return { ok: true };
+  if (list.includes(apiPath)) return { ok: true };
+  return { ok: false, error_code: "API_NOT_ALLOWED", message: `当前套餐不支持该接口: ${apiPath}` };
+}
+
 module.exports = {
   currentStatMonth,
   getOrCreateUsage,
   applyDelta,
   checkQuotaAfterDelta,
   ensureUsageRowsForCurrentMonth,
+  checkApiCallQuota,
+  incrementApiCallCount,
+  checkApiPathAllowed,
   num,
 };