fix(order): reconcile subscriptions and grant device trials

0430
2026-04-29 20:43:18 -07:00 · 2026-04-29 12:49:45 -07:00
6 changed files with 247 additions and 27 deletions
--- a/.gitea/workflows/docker.yml
+++ b/.gitea/workflows/docker.yml
@ -49,12 +49,12 @@ jobs:
          if [ "${{ github.ref_name }}" = "main" ]; then
            echo "DOCKER_TAG_SUFFIX=latest" >> $GITHUB_ENV
            echo "CONTAINER_NAME=ppanel-server" >> $GITHUB_ENV
-            echo "DEPLOY_PATH=/root/bindbox" >> $GITHUB_ENV
+            echo "DEPLOY_PATH=/root/hifast" >> $GITHUB_ENV
            echo "为 main 分支设置生产环境变量"
          elif [ "${{ github.ref_name }}" = "internal" ]; then
            echo "DOCKER_TAG_SUFFIX=internal" >> $GITHUB_ENV
            echo "CONTAINER_NAME=ppanel-server-internal" >> $GITHUB_ENV
-            echo "DEPLOY_PATH=/root/bindbox" >> $GITHUB_ENV
+            echo "DEPLOY_PATH=/root/hifast" >> $GITHUB_ENV
            echo "为 internal 分支设置开发环境变量"
          else
            echo "DOCKER_TAG_SUFFIX=${{ github.ref_name }}" >> $GITHUB_ENV
--- a/config/docker-compose.mysql-replication.yml
+++ b/config/docker-compose.mysql-replication.yml
@ -0,0 +1,152 @@
+# MySQL 8.0 master/replica compose for two separate servers.
+#
+# Master server:
+#   COMPOSE_PROFILES=master docker compose -f config/docker-compose.mysql-replication.yml up -d
+#
+# Replica server:
+#   MASTER_HOST=<master_public_or_private_ip> COMPOSE_PROFILES=replica docker compose -f config/docker-compose.mysql-replication.yml up -d
+#
+# Required env on both servers:
+#   MYSQL_ROOT_PASSWORD=<strong-root-password>
+#   MYSQL_REPLICATION_PASSWORD=<strong-replication-password>
+#
+# Optional env:
+#   MYSQL_DATABASE=ppanel
+#   MYSQL_REPLICATION_USER=repl
+#   MYSQL_MASTER_PORT=3306
+#   MYSQL_REPLICA_PORT=3306
+#   MYSQL_SERVER_ID=1     # master default
+#   MYSQL_REPLICA_ID=2    # replica default
+#
+# If the master already has data, import a GTID-aware dump into the replica
+# before starting replication. Fresh empty deployments can start master first,
+# then replica, then point the application at the master.
+
+services:
+  mysql-master:
+    image: mysql:8.0
+    container_name: ppanel-mysql-master
+    profiles:
+      - master
+    restart: always
+    ports:
+      - "${MYSQL_MASTER_PORT:-3306}:3306"
+    environment:
+      MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD:?please set MYSQL_ROOT_PASSWORD}"
+      MYSQL_DATABASE: "${MYSQL_DATABASE:-ppanel}"
+      MYSQL_REPLICATION_USER: "${MYSQL_REPLICATION_USER:-repl}"
+      MYSQL_REPLICATION_PASSWORD: "${MYSQL_REPLICATION_PASSWORD:?please set MYSQL_REPLICATION_PASSWORD}"
+      TZ: Asia/Shanghai
+    command:
+      - --default-authentication-plugin=mysql_native_password
+      - --server-id=${MYSQL_SERVER_ID:-1}
+      - --log-bin=mysql-bin
+      - --binlog-format=ROW
+      - --gtid-mode=ON
+      - --enforce-gtid-consistency=ON
+      - --log-replica-updates=ON
+      - --binlog-expire-logs-seconds=604800
+      - --max_connections=1000
+      - --character-set-server=utf8mb4
+      - --collation-server=utf8mb4_unicode_ci
+    volumes:
+      - mysql_master_data:/var/lib/mysql
+    configs:
+      - source: mysql_master_init
+        target: /docker-entrypoint-initdb.d/01-create-replication-user.sh
+        mode: 0755
+    healthcheck:
+      test: ["CMD-SHELL", "mysqladmin ping -h 127.0.0.1 -uroot -p$${MYSQL_ROOT_PASSWORD}"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+    logging:
+      driver: json-file
+      options:
+        max-size: 10m
+        max-file: "3"
+
+  mysql-replica:
+    image: mysql:8.0
+    container_name: ppanel-mysql-replica
+    profiles:
+      - replica
+    restart: always
+    ports:
+      - "${MYSQL_REPLICA_PORT:-3306}:3306"
+    environment:
+      MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD:?please set MYSQL_ROOT_PASSWORD}"
+      MYSQL_DATABASE: "${MYSQL_DATABASE:-ppanel}"
+      TZ: Asia/Shanghai
+    command:
+      - --default-authentication-plugin=mysql_native_password
+      - --server-id=${MYSQL_REPLICA_ID:-2}
+      - --relay-log=mysql-relay-bin
+      - --read-only=ON
+      - --super-read-only=ON
+      - --gtid-mode=ON
+      - --enforce-gtid-consistency=ON
+      - --log-replica-updates=ON
+      - --binlog-format=ROW
+      - --max_connections=1000
+      - --character-set-server=utf8mb4
+      - --collation-server=utf8mb4_unicode_ci
+    volumes:
+      - mysql_replica_data:/var/lib/mysql
+    healthcheck:
+      test: ["CMD-SHELL", "mysqladmin ping -h 127.0.0.1 -uroot -p$${MYSQL_ROOT_PASSWORD}"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+    logging:
+      driver: json-file
+      options:
+        max-size: 10m
+        max-file: "3"
+
+  mysql-replica-init:
+    image: mysql:8.0
+    container_name: ppanel-mysql-replica-init
+    profiles:
+      - replica
+    restart: "no"
+    depends_on:
+      mysql-replica:
+        condition: service_healthy
+    environment:
+      MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD:?please set MYSQL_ROOT_PASSWORD}"
+      MYSQL_REPLICATION_USER: "${MYSQL_REPLICATION_USER:-repl}"
+      MYSQL_REPLICATION_PASSWORD: "${MYSQL_REPLICATION_PASSWORD:?please set MYSQL_REPLICATION_PASSWORD}"
+      MASTER_HOST: "${MASTER_HOST:?please set MASTER_HOST to the master server ip or hostname}"
+      MASTER_PORT: "${MASTER_PORT:-3306}"
+    entrypoint:
+      - /bin/sh
+      - -ec
+      - |
+        mysql -hmysql-replica -uroot -p"$${MYSQL_ROOT_PASSWORD}" <<SQL
+        STOP REPLICA;
+        CHANGE REPLICATION SOURCE TO
+          SOURCE_HOST='$${MASTER_HOST}',
+          SOURCE_PORT=$${MASTER_PORT},
+          SOURCE_USER='$${MYSQL_REPLICATION_USER}',
+          SOURCE_PASSWORD='$${MYSQL_REPLICATION_PASSWORD}',
+          SOURCE_AUTO_POSITION=1,
+          GET_SOURCE_PUBLIC_KEY=1;
+        START REPLICA;
+        SQL
+
+configs:
+  mysql_master_init:
+    content: |
+      #!/bin/sh
+      set -eu
+
+      mysql -uroot -p"$${MYSQL_ROOT_PASSWORD}" <<SQL
+      CREATE USER IF NOT EXISTS '$${MYSQL_REPLICATION_USER}'@'%' IDENTIFIED WITH mysql_native_password BY '$${MYSQL_REPLICATION_PASSWORD}';
+      GRANT REPLICATION SLAVE, REPLICATION CLIENT ON *.* TO '$${MYSQL_REPLICATION_USER}'@'%';
+      FLUSH PRIVILEGES;
+      SQL
+
+volumes:
+  mysql_master_data:
+  mysql_replica_data:
--- a/docker-compose.cloud.yml
+++ b/docker-compose.cloud.yml
@ -27,7 +27,7 @@ services:
    volumes:
      - ./configs:/app/etc
      - ./logs:/app/logs
-      - ./cache:/app/cache  # GeoLite2-City.mmdb IP 地理位置数据库
+      - ./cache:/app/cache # GeoLite2-City.mmdb IP 地理位置数据库
    environment:
      - TZ=Asia/Shanghai
    network_mode: host
@ -57,7 +57,7 @@ services:
    container_name: ppanel-mysql
    restart: always
    ports:
-      - "3306:3306"  # 仅宿主机可访问，ppanel-server(host网络)通过127.0.0.1连接
+      - "3306:3306" # 仅宿主机可访问，ppanel-server(host网络)通过127.0.0.1连接
    environment:
      MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD:?请在 .env 文件中设置 MYSQL_ROOT_PASSWORD}"
      MYSQL_DATABASE: "ppanel"
@ -80,7 +80,7 @@ services:
    networks:
      - ppanel_net
    healthcheck:
-      test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-uroot", "-p${MYSQL_ROOT_PASSWORD}"]
+      test: [ "CMD", "mysqladmin", "ping", "-h", "localhost", "-uroot", "-p${MYSQL_ROOT_PASSWORD}" ]
      interval: 10s
      timeout: 5s
      retries: 5
@ -98,11 +98,12 @@ services:
    container_name: ppanel-redis
    restart: always
    ports:
-      - "127.0.0.1:6379:6379"  # 仅宿主机可访问，ppanel-server(host网络)通过127.0.0.1连接
+      - "127.0.0.1:6379:6379" # 仅宿主机可访问，ppanel-server(host网络)通过127.0.0.1连接
    command:
      - redis-server
      - --tcp-backlog 65535
      - --maxmemory-policy allkeys-lru
+      - --requirepass hifast67yj
    volumes:
      - redis_data:/data
    ulimits:
@ -113,7 +114,7 @@ services:
    networks:
      - ppanel_net
    healthcheck:
-      test: ["CMD", "redis-cli", "ping"]
+      test: [ "CMD", "redis-cli", "ping" ]
      interval: 10s
      timeout: 5s
      retries: 5
@ -138,7 +139,7 @@ services:
      - ./tempo/tempo-config.yaml:/etc/tempo.yaml
      - ./tempo_data:/var/tempo
    ports:
-      - "127.0.0.1:4317:4317"  # OTLP gRPC，ppanel-server(host网络)通过127.0.0.1:4317发送trace
+      - "127.0.0.1:4317:4317" # OTLP gRPC，ppanel-server(host网络)通过127.0.0.1:4317发送trace
    networks:
      - ppanel_net
    logging:
@ -201,7 +202,7 @@ services:
    container_name: ppanel-grafana
    restart: always
    ports:
-      - "127.0.0.1:3333:3000"  # 仅本机可访问，需 SSH 隧道或 Nginx 反代
+      - "3333:3000" # 仅本机可访问，需 SSH 隧道或 Nginx 反代
    environment:
      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PASSWORD:?请在 .env 文件中设置 GRAFANA_PASSWORD}
      - GF_USERS_ALLOW_SIGN_UP=false
@ -229,7 +230,7 @@ services:
    container_name: ppanel-prometheus
    restart: always
    ports:
-      - "127.0.0.1:9090:9090"  # 仅本机可访问
+      - "127.0.0.1:9090:9090" # 仅本机可访问
    volumes:
      - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
      - prometheus_data:/prometheus
--- a/internal/logic/auth/deviceLoginLogic.go
+++ b/internal/logic/auth/deviceLoginLogic.go
@ -12,6 +12,7 @@ import (
 	"github.com/perfect-panel/server/internal/types"
 	"github.com/perfect-panel/server/pkg/jwt"
 	"github.com/perfect-panel/server/pkg/logger"
+	"github.com/perfect-panel/server/pkg/tool"
 	"github.com/perfect-panel/server/pkg/uuidx"
 	"github.com/perfect-panel/server/pkg/xerr"
 	"github.com/pkg/errors"
@ -266,6 +267,33 @@ func (l *DeviceLoginLogic) registerUserAndDevice(req *types.DeviceLoginRequest)
 		logger.Field("refer_code", userInfo.ReferCode),
 	)

+	if IsTrialConfigReady(l.svcCtx.Config.Register) {
+		trialSubscribe, trialErr := l.activeTrial(userInfo.Id)
+		if trialErr != nil {
+			l.Errorw("failed to activate trial subscription for device registration",
+				logger.Field("user_id", userInfo.Id),
+				logger.Field("identifier", req.Identifier),
+				logger.Field("error", trialErr.Error()),
+			)
+		} else {
+			if clearErr := l.svcCtx.UserModel.ClearSubscribeCache(l.ctx, trialSubscribe); clearErr != nil {
+				l.Errorw("ClearSubscribeCache failed",
+					logger.Field("error", clearErr.Error()),
+					logger.Field("userSubscribeId", trialSubscribe.Id),
+				)
+			}
+			if clearErr := l.svcCtx.SubscribeModel.ClearCache(l.ctx, trialSubscribe.SubscribeId); clearErr != nil {
+				l.Errorw("ClearSubscribeCache failed",
+					logger.Field("error", clearErr.Error()),
+					logger.Field("subscribeId", trialSubscribe.SubscribeId),
+				)
+			}
+			if clearErr := l.svcCtx.NodeModel.ClearServerAllCache(l.ctx); clearErr != nil {
+				l.Errorf("ClearServerAllCache error: %v", clearErr.Error())
+			}
+		}
+	}
+
 	// Register log
 	registerLog := log.Register{
 		AuthMethod: "device",
@ -291,3 +319,28 @@ func (l *DeviceLoginLogic) registerUserAndDevice(req *types.DeviceLoginRequest)

 	return userInfo, nil
 }
+
+func (l *DeviceLoginLogic) activeTrial(uid int64) (*user.Subscribe, error) {
+	sub, err := l.svcCtx.SubscribeModel.FindOne(l.ctx, l.svcCtx.Config.Register.TrialSubscribe)
+	if err != nil {
+		return nil, err
+	}
+	startTime := time.Now()
+	userSub := &user.Subscribe{
+		UserId:      uid,
+		OrderId:     0,
+		SubscribeId: sub.Id,
+		StartTime:   startTime,
+		ExpireTime:  tool.AddTime(l.svcCtx.Config.Register.TrialTimeUnit, l.svcCtx.Config.Register.TrialTime, startTime),
+		Traffic:     sub.Traffic,
+		Download:    0,
+		Upload:      0,
+		Token:       uuidx.NewUUID().String(),
+		UUID:        uuidx.NewUUID().String(),
+		Status:      1,
+	}
+	if err = l.svcCtx.UserModel.InsertSubscribe(l.ctx, userSub); err != nil {
+		return nil, err
+	}
+	return userSub, nil
+}
--- a/internal/logic/auth/trialEmailWhitelist.go
+++ b/internal/logic/auth/trialEmailWhitelist.go
@ -54,12 +54,19 @@ func ShouldGrantTrialForEmail(register config.RegisterConfig, email string) bool
 	return true
 }

+// IsTrialConfigReady verifies that trial auto-grant has all required config.
+func IsTrialConfigReady(register config.RegisterConfig) bool {
+	return register.EnableTrial &&
+		register.TrialSubscribe > 0 &&
+		register.TrialTime > 0 &&
+		strings.TrimSpace(register.TrialTimeUnit) != ""
+}
+
 // ShouldAutoGrantTrialOnPublicEmailFlows defines whether browser/email-originated
-// flows may auto-create a trial subscription. The current policy disables trial
-// creation for email registration, email login auto-register, OAuth-with-email,
-// and email binding/verification to avoid abuse through public email channels.
+// flows may auto-create a trial subscription. Email-specific abuse protection
+// is still handled by ShouldGrantTrialForEmail and NormalizedEmailHasTrial.
 func ShouldAutoGrantTrialOnPublicEmailFlows(register config.RegisterConfig) bool {
-	return false
+	return IsTrialConfigReady(register)
 }

 // IsDisposableAlias detects Gmail dot trick and + alias abuse.
--- a/queue/logic/order/activateOrderLogic.go
+++ b/queue/logic/order/activateOrderLogic.go
@ -304,20 +304,17 @@ func (l *ActivateOrderLogic) reconcilePostOrderSubscriptions(ctx context.Context
 			return nil
 		}

-		maxExpire := survivor.ExpireTime
+		now := time.Now()
+		accumulatedExpire := now
 		for i := range ownerSubs {
 			item := ownerSubs[i]
-			if item.Id == survivor.Id {
-				if item.ExpireTime.After(maxExpire) {
-					maxExpire = item.ExpireTime
-				}
-				continue
+			if (item.Id == survivor.Id || orderMergeRemainingTimeStatus(item.Status)) && item.ExpireTime.After(now) {
+				accumulatedExpire = accumulatedExpire.Add(item.ExpireTime.Sub(now))
 			}

-			losers = append(losers, item)
-			mergedIDs = append(mergedIDs, item.Id)
-			if item.ExpireTime.After(maxExpire) {
-				maxExpire = item.ExpireTime
+			if item.Id != survivor.Id {
+				losers = append(losers, item)
+				mergedIDs = append(mergedIDs, item.Id)
 			}
 			if item.SubscribeId > 0 {
 				subscribeIDsToClear[item.SubscribeId] = struct{}{}
@ -341,9 +338,9 @@ func (l *ActivateOrderLogic) reconcilePostOrderSubscriptions(ctx context.Context
 			"status":      1,
 			"finished_at": nil,
 		}
-		if maxExpire.After(survivor.ExpireTime) {
-			survivor.ExpireTime = maxExpire
-			updateFields["expire_time"] = maxExpire
+		if accumulatedExpire.After(survivor.ExpireTime) {
+			survivor.ExpireTime = accumulatedExpire
+			updateFields["expire_time"] = accumulatedExpire
 		}
 		if identitySource != nil {
 			if identitySource.Token != "" {
@ -441,6 +438,15 @@ func shouldReconcilePostOrderSubscriptions(orderInfo *order.Order) bool {
 	}
 }

+func orderMergeRemainingTimeStatus(status uint8) bool {
+	switch status {
+	case 0, 1, 2:
+		return true
+	default:
+		return false
+	}
+}
+
 func pickSubscriptionIdentitySource(candidates []user.Subscribe) *user.Subscribe {
 	if len(candidates) == 0 {
 		return nil
@ -1434,6 +1440,7 @@ func (l *ActivateOrderLogic) updateSubscriptionWithIAPExpire(ctx context.Context
 		userSub.FinishedAt = nil
 	}

+	userSub.OrderId = orderInfo.Id
 	userSub.ExpireTime = newExpire
 	userSub.Status = 1
Author	SHA1	Message	Date
shanshanzhong	41e665d957	fix(order): reconcile subscriptions and grant device trials All checks were successful Build docker and publish / build (20.15.1) (push) Successful in 5m30s Details	2026-04-29 20:43:18 -07:00
shanshanzhong	79427c9f4c	0430 All checks were successful Build docker and publish / build (20.15.1) (push) Successful in 5m47s Details	2026-04-29 12:49:45 -07:00