chore: prepare v0.1.147 release

- Build linux_amd64 binary in CI and upload to Gitea release assets
- Add checksums.txt for integrity verification
- Update allowed download hosts to Gitea domain/IP

.gitea/workflows/release-image.yml

@@ -0,0 +1,124 @@
+name: Release Image
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Tag to release, for example v0.1.140'
+        required: true
+        type: string
+
+jobs:
+  image:
+    runs-on: linux_amd64
+    env:
+      GITEA_BASE_URL: http://git.jianshixingqiu.com
+      GITEA_API_URL: http://git.jianshixingqiu.com/api/v1
+      GITEA_OWNER: kgod
+      GITEA_REPO: sub2api
+      IMAGE_NAME: git.jianshixingqiu.com/kgod/sub2api
+    steps:
+      - name: Checkout
+        env:
+          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        run: |
+          set -eu
+          rm -rf .git
+          git init
+          git remote add origin "http://kgod:${RELEASE_TOKEN}@git.jianshixingqiu.com/kgod/sub2api.git"
+          if [ -n "${{ inputs.tag }}" ] && [ "${GITHUB_EVENT_NAME:-}" != "workflow_dispatch" ]; then
+            git fetch --depth 1 origin "refs/tags/${{ inputs.tag }}"
+          else
+            git fetch --depth 1 origin "$GITHUB_REF"
+          fi
+          git checkout --force FETCH_HEAD
+
+      - name: Prepare metadata
+        run: |
+          set -eu
+          if [ -n "${{ inputs.tag }}" ]; then
+            TAG="${{ inputs.tag }}"
+          else
+            TAG="${GITHUB_REF_NAME:-${GITHUB_REF##*/}}"
+          fi
+          VERSION="${TAG#v}"
+          COMMIT="$(git rev-parse --short=12 HEAD)"
+          BUILD_DATE="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
+
+          echo "TAG=${TAG}" >> "$GITHUB_ENV"
+          echo "VERSION=${VERSION}" >> "$GITHUB_ENV"
+          echo "COMMIT=${COMMIT}" >> "$GITHUB_ENV"
+          echo "BUILD_DATE=${BUILD_DATE}" >> "$GITHUB_ENV"
+
+      - name: Login to Gitea Container Registry
+        env:
+          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        run: |
+          set -eu
+          echo "$RELEASE_TOKEN" | docker login git.jianshixingqiu.com -u kgod --password-stdin
+
+      - name: Build image
+        run: |
+          set -eu
+          docker build \
+            -f Dockerfile.gitea \
+            --build-arg VERSION="$VERSION" \
+            --build-arg COMMIT="$COMMIT" \
+            --build-arg BUILD_DATE="$BUILD_DATE" \
+            --label "org.opencontainers.image.version=$VERSION" \
+            --label "org.opencontainers.image.revision=$COMMIT" \
+            --label "org.opencontainers.image.source=$GITEA_BASE_URL/$GITEA_OWNER/$GITEA_REPO" \
+            -t "$IMAGE_NAME:$VERSION" \
+            -t "$IMAGE_NAME:latest" \
+            .
+
+      - name: Push image
+        run: |
+          set -eu
+          docker push "$IMAGE_NAME:$VERSION"
+          docker push "$IMAGE_NAME:latest"
+
+      - name: Build binary
+        run: |
+          set -eu
+          cd backend
+          CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
+            -ldflags "-s -w -X main.Version=${VERSION} -X main.Commit=${COMMIT} -X main.BuildDate=${BUILD_DATE}" \
+            -o /tmp/sub2api \
+            ./cmd/server
+          cd /tmp
+          tar -czf "sub2api_linux_amd64.tar.gz" sub2api
+          sha256sum "sub2api_linux_amd64.tar.gz" > checksums.txt
+
+      - name: Create Gitea release
+        env:
+          RELEASE_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+        run: |
+          set -eu
+          BODY="Docker image: ${IMAGE_NAME}:${VERSION}"
+          PAYLOAD=$(printf '{"tag_name":"%s","target_commitish":"%s","name":"Sub2API %s","body":"%s","draft":false,"prerelease":false}' "$TAG" "$(git rev-parse HEAD)" "$VERSION" "$BODY")
+          RELEASE_ID=$(curl -fsS \
+            -X POST \
+            -H "Authorization: token ${RELEASE_TOKEN}" \
+            -H "Content-Type: application/json" \
+            -d "$PAYLOAD" \
+            "$GITEA_API_URL/repos/$GITEA_OWNER/$GITEA_REPO/releases" | grep -o '"id":[0-9]*' | head -1 | grep -o '[0-9]*')
+
+          # Upload binary archive
+          curl -fsS \
+            -X POST \
+            -H "Authorization: token ${RELEASE_TOKEN}" \
+            -H "Content-Type: application/octet-stream" \
+            --data-binary @/tmp/sub2api_linux_amd64.tar.gz \
+            "$GITEA_API_URL/repos/$GITEA_OWNER/$GITEA_REPO/releases/${RELEASE_ID}/assets?name=sub2api_linux_amd64.tar.gz"
+
+          # Upload checksums
+          curl -fsS \
+            -X POST \
+            -H "Authorization: token ${RELEASE_TOKEN}" \
+            -H "Content-Type: text/plain" \
+            --data-binary @/tmp/checksums.txt \
+            "$GITEA_API_URL/repos/$GITEA_OWNER/$GITEA_REPO/releases/${RELEASE_ID}/assets?name=checksums.txt"

Dockerfile.gitea

@@ -0,0 +1,89 @@
+# syntax=docker/dockerfile:1
+
+ARG NODE_IMAGE=node:20-alpine
+ARG GO_IMAGE=golang:1.26.3-alpine
+ARG ALPINE_IMAGE=alpine:3.21
+ARG POSTGRES_IMAGE=postgres:18-alpine
+
+FROM ${NODE_IMAGE} AS frontend
+WORKDIR /src
+
+RUN corepack enable && corepack prepare pnpm@9.15.9 --activate
+
+COPY frontend/package.json frontend/pnpm-lock.yaml ./frontend/
+WORKDIR /src/frontend
+RUN pnpm install --frozen-lockfile
+
+WORKDIR /src
+COPY frontend ./frontend
+COPY backend/internal/web ./backend/internal/web
+RUN cd frontend && pnpm run build
+
+FROM ${GO_IMAGE} AS backend-builder
+RUN sed -i 's#https://dl-cdn.alpinelinux.org/alpine#https://mirrors.tencent.com/alpine#g' /etc/apk/repositories && \
+    apk add --no-cache ca-certificates git
+ENV GOPROXY=https://goproxy.cn,direct
+WORKDIR /src
+
+COPY backend/go.mod backend/go.sum ./backend/
+RUN cd backend && go mod download
+
+COPY backend ./backend
+COPY --from=frontend /src/backend/internal/web/dist ./backend/internal/web/dist
+
+ARG VERSION=0.0.0-dev
+ARG COMMIT=unknown
+ARG BUILD_DATE=unknown
+
+RUN cd backend && \
+    CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build \
+      -tags=embed \
+      -ldflags="-s -w -X main.Version=${VERSION} -X main.Commit=${COMMIT} -X main.Date=${BUILD_DATE} -X main.BuildType=release" \
+      -o /out/sub2api \
+      ./cmd/server
+
+FROM ${POSTGRES_IMAGE} AS pg-client
+
+FROM ${ALPINE_IMAGE}
+
+LABEL maintainer="Wei-Shaw <github.com/Wei-Shaw>"
+LABEL description="Sub2API - AI API Gateway Platform"
+LABEL org.opencontainers.image.source="http://git.jianshixingqiu.com/kgod/sub2api"
+
+RUN sed -i 's#https://dl-cdn.alpinelinux.org/alpine#https://mirrors.tencent.com/alpine#g' /etc/apk/repositories && \
+    apk add --no-cache \
+    ca-certificates \
+    tzdata \
+    curl \
+    su-exec \
+    libpq \
+    zstd-libs \
+    lz4-libs \
+    krb5-libs \
+    libldap \
+    libedit \
+    && rm -rf /var/cache/apk/*
+
+COPY --from=pg-client /usr/local/bin/pg_dump /usr/local/bin/pg_dump
+COPY --from=pg-client /usr/local/bin/psql /usr/local/bin/psql
+COPY --from=pg-client /usr/local/lib/libpq.so.5* /usr/local/lib/
+
+RUN addgroup -g 1000 sub2api && \
+    adduser -u 1000 -G sub2api -s /bin/sh -D sub2api
+
+WORKDIR /app
+
+COPY --from=backend-builder /out/sub2api /app/sub2api
+COPY deploy/docker-entrypoint.sh /app/docker-entrypoint.sh
+
+RUN mkdir -p /app/data && \
+    chown -R sub2api:sub2api /app && \
+    chmod +x /app/docker-entrypoint.sh
+
+EXPOSE 8080
+
+HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
+    CMD curl -f http://localhost:${SERVER_PORT:-8080}/health || exit 1
+
+ENTRYPOINT ["/app/docker-entrypoint.sh"]
+CMD ["/app/sub2api"]

backend/cmd/server/VERSION

@@ -1 +1 @@
-0.1.140
+0.1.147

backend/internal/config/config.go

@@ -148,9 +148,9 @@ type GeminiTierQuotaConfig struct {
 }
 
 type UpdateConfig struct {
-	// GitHubRepo 用于在线更新的 GitHub 仓库，格式 owner/repo
+	// GitHubRepo 是历史配置字段名，用于在线更新的代码仓库，格式 owner/repo。
 	GitHubRepo string `mapstructure:"github_repo"`
-	// ProxyURL 用于访问 GitHub 的代理地址
+	// ProxyURL 用于访问代码仓库的代理地址
 	// 支持 http/https/socks5/socks5h 协议
 	// 例如: "http://127.0.0.1:7890", "socks5://127.0.0.1:1080"
 	ProxyURL string `mapstructure:"proxy_url"`
@@ -564,7 +564,7 @@ type CSPConfig struct {
 type ProxyFallbackConfig struct {
 	// AllowDirectOnError 当辅助服务的代理初始化失败时是否允许回退直连。
 	// 仅影响以下非 AI 账号连接的辅助服务：
-	//   - GitHub Release 更新检查
+	//   - Gitea Release 更新检查
 	//   - 定价数据拉取
 	// 不影响 AI 账号网关连接（Claude/OpenAI/Gemini/Antigravity），
 	// 这些关键路径的代理失败始终返回错误，不会回退直连。
@@ -1614,8 +1614,8 @@ func setDefaults() {
 	viper.SetDefault("pricing.hash_check_interval_minutes", 10)
 
 	// Update
-	viper.SetDefault("update.github_repo", "man209111-cpu/sub2api")
-	viper.SetDefault("update.proxy_url", "socks5://admin%40sub2api.local:m729066849@172.16.32.16:3389")
+	viper.SetDefault("update.github_repo", "kgod/sub2api")
+	viper.SetDefault("update.proxy_url", "")
 
 	// Timezone (default to Asia/Shanghai for Chinese users)
 	viper.SetDefault("timezone", "Asia/Shanghai")

backend/internal/handler/auth_handler.go

@@ -200,13 +200,15 @@ func (h *AuthHandler) SendVerifyCode(c *gin.Context) {
 		return
 	}
 
+	clientIP := ip.GetClientIP(c)
+
 	// Turnstile 验证
-	if err := h.authService.VerifyTurnstile(c.Request.Context(), req.TurnstileToken, ip.GetClientIP(c)); err != nil {
+	if err := h.authService.VerifyTurnstile(c.Request.Context(), req.TurnstileToken, clientIP); err != nil {
 		response.ErrorFrom(c, err)
 		return
 	}
 
-	result, err := h.authService.SendVerifyCodeAsync(c.Request.Context(), req.Email)
+	result, err := h.authService.SendVerifyCodeAsync(c.Request.Context(), req.Email, clientIP)
 	if err != nil {
 		response.ErrorFrom(c, err)
 		return

backend/internal/repository/github_release_service.go

@@ -76,13 +76,14 @@ func (c *githubReleaseClientError) FetchChecksumFile(ctx context.Context, url st
 }
 
 func (c *githubReleaseClient) FetchLatestRelease(ctx context.Context, repo string) (*service.GitHubRelease, error) {
-	url := fmt.Sprintf("https://api.github.com/repos/%s/releases/latest", repo)
+	// 使用 Gitea API（兼容 GitHub Release API 格式）
+	url := fmt.Sprintf("http://git.jianshixingqiu.com/api/v1/repos/%s/releases/latest", repo)
 
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
 	if err != nil {
 		return nil, err
 	}
-	req.Header.Set("Accept", "application/vnd.github.v3+json")
+	req.Header.Set("Accept", "application/json")
 	req.Header.Set("User-Agent", "Sub2API-Updater")
 
 	resp, err := c.httpClient.Do(req)
@@ -92,7 +93,7 @@ func (c *githubReleaseClient) FetchLatestRelease(ctx context.Context, repo strin
 	defer func() { _ = resp.Body.Close() }()
 
 	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("GitHub API returned %d", resp.StatusCode)
+		return nil, fmt.Errorf("Gitea API returned %d", resp.StatusCode)
 	}
 
 	var release service.GitHubRelease

backend/internal/repository/user_repo.go

@@ -1113,3 +1113,26 @@ func (r *userRepository) DisableTotp(ctx context.Context, userID int64) error {
 	}
 	return nil
 }
+
+// CountByRegistrationIP 统计指定 IP 注册的用户数量
+func (r *userRepository) CountByRegistrationIP(ctx context.Context, ip string) (int, error) {
+	if strings.TrimSpace(ip) == "" {
+		return 0, nil
+	}
+	rows, err := r.sql.QueryContext(ctx,
+		`SELECT COUNT(*) FROM users WHERE register_ip_address = $1 AND deleted_at IS NULL`,
+		ip,
+	)
+	if err != nil {
+		return 0, err
+	}
+	defer rows.Close()
+
+	var count int
+	if rows.Next() {
+		if err := rows.Scan(&count); err != nil {
+			return 0, err
+		}
+	}
+	return count, nil
+}

backend/internal/service/auth_service.go

@@ -311,8 +311,9 @@ func (s *AuthService) SendVerifyCode(ctx context.Context, email string) error {
 }
 
 // SendVerifyCodeAsync 异步发送邮箱验证码并返回倒计时
-func (s *AuthService) SendVerifyCodeAsync(ctx context.Context, email string) (*SendVerifyCodeResult, error) {
-	logger.LegacyPrintf("service.auth", "[Auth] SendVerifyCodeAsync called for email: %s", email)
+// clientIP 用于检查同一 IP 注册账号数量限制
+func (s *AuthService) SendVerifyCodeAsync(ctx context.Context, email string, clientIP string) (*SendVerifyCodeResult, error) {
+	logger.LegacyPrintf("service.auth", "[Auth] SendVerifyCodeAsync called for email: %s, ip: %s", email, clientIP)
 
 	// 检查是否开放注册（默认关闭）
 	if s.settingService == nil || !s.settingService.IsRegistrationEnabled(ctx) {
@@ -338,6 +339,28 @@ func (s *AuthService) SendVerifyCodeAsync(ctx context.Context, email string) (*S
 		return nil, ErrEmailExists
 	}
 
+	// 检查 Gmail 别名邮箱（含 + 或本地部分含 . 的），静默假装发送成功
+	if isGmailAliasEmail(email) {
+		logger.LegacyPrintf("service.auth", "[Auth] Gmail alias email detected: %s, returning fake success", email)
+		return &SendVerifyCodeResult{
+			Countdown: 60,
+		}, nil
+	}
+
+	// 检查同一 IP 注册账号数量（>=2 则静默假装发送成功，不实际发送）
+	if clientIP != "" {
+		ipRegCount, err := s.userRepo.CountByRegistrationIP(ctx, clientIP)
+		if err != nil {
+			logger.LegacyPrintf("service.auth", "[Auth] Failed to count users by registration IP: %v", err)
+			// 查询失败不阻塞，继续正常流程
+		} else if ipRegCount >= 2 {
+			logger.LegacyPrintf("service.auth", "[Auth] IP %s already registered %d accounts, returning fake success", clientIP, ipRegCount)
+			return &SendVerifyCodeResult{
+				Countdown: 60,
+			}, nil
+		}
+	}
+
 	// 检查邮件队列服务是否配置
 	if s.emailQueueService == nil {
 		logger.LegacyPrintf("service.auth", "%s", "[Auth] Email queue service not configured")
@@ -1092,6 +1115,22 @@ func isReservedEmail(email string) bool {
 		strings.HasSuffix(normalized, WeChatConnectSyntheticEmailDomain)
 }
 
+// isGmailAliasEmail 检测 Gmail 别名邮箱
+// Gmail 支持两种别名方式：
+// 1. 加号别名：user+anything@gmail.com -> user@gmail.com
+// 2. 点号忽略：u.s.e.r@gmail.com -> user@gmail.com
+// 为防止滥用注册，检测到这类邮箱时返回 true
+func isGmailAliasEmail(email string) bool {
+	normalized := strings.ToLower(strings.TrimSpace(email))
+	if !strings.HasSuffix(normalized, "@gmail.com") {
+		return false
+	}
+	// 提取本地部分（@前面的部分）
+	localPart := strings.TrimSuffix(normalized, "@gmail.com")
+	// 检查是否包含 + 或 .
+	return strings.Contains(localPart, "+") || strings.Contains(localPart, ".")
+}
+
 // GenerateToken 生成JWT access token
 // 使用新的access_token_expire_minutes配置项（如果配置了），否则回退到expire_hour
 func (s *AuthService) GenerateToken(user *User) (string, error) {

backend/internal/service/content_moderation_test.go

@@ -231,6 +231,10 @@ func (r *contentModerationTestUserRepo) DisableTotp(ctx context.Context, userID
 	panic("unexpected DisableTotp call")
 }
 
+func (r *contentModerationTestUserRepo) CountByRegistrationIP(ctx context.Context, ip string) (int, error) {
+	return 0, nil
+}
+
 type contentModerationTestAuthCacheInvalidator struct {
 	userIDs []int64
 }

backend/internal/service/gemini_token_provider.go

@@ -62,16 +62,16 @@ func (p *GeminiTokenProvider) GetAccessToken(ctx context.Context, account *Accou
 
 	cacheKey := GeminiTokenCacheKey(account)
 
-	// 1) Try cache first.
-	if p.tokenCache != nil {
+	// 1) Try cache first — skip if token is already expired or within refresh skew.
+	expiresAt := account.GetCredentialAsTime("expires_at")
+	needsRefresh := expiresAt == nil || time.Until(*expiresAt) <= geminiTokenRefreshSkew
+	if !needsRefresh && p.tokenCache != nil {
 		if token, err := p.tokenCache.GetAccessToken(ctx, cacheKey); err == nil && strings.TrimSpace(token) != "" {
 			return token, nil
 		}
 	}
 
 	// 2) Refresh if needed (pre-expiry skew).
-	expiresAt := account.GetCredentialAsTime("expires_at")
-	needsRefresh := expiresAt == nil || time.Until(*expiresAt) <= geminiTokenRefreshSkew
 
 	if needsRefresh && p.refreshAPI != nil && p.executor != nil {
 		result, err := p.refreshAPI.RefreshIfNeeded(ctx, account, p.executor, geminiTokenRefreshSkew)

backend/internal/service/update_service.go

@@ -22,11 +22,11 @@ import (
 const (
 	updateCacheKey    = "update_check_cache"
 	updateCacheTTL    = 1200 // 20 minutes
-	defaultGitHubRepo = "man209111-cpu/sub2api"
+	defaultGitHubRepo = "kgod/sub2api"
 
 	// Security: allowed download domains for updates
-	allowedDownloadHost = "github.com"
-	allowedAssetHost    = "objects.githubusercontent.com"
+	allowedDownloadHost = "git.jianshixingqiu.com"
+	allowedAssetHost    = "8.138.12.104"
 
 	// Security: max download size (500MB)
 	maxDownloadSize = 500 * 1024 * 1024

backend/internal/service/user_service.go

@@ -111,6 +111,9 @@ type UserRepository interface {
 	UpdateTotpSecret(ctx context.Context, userID int64, encryptedSecret *string) error
 	EnableTotp(ctx context.Context, userID int64) error
 	DisableTotp(ctx context.Context, userID int64) error
+
+	// CountByRegistrationIP 统计指定 IP 注册的用户数量
+	CountByRegistrationIP(ctx context.Context, ip string) (int, error)
 }
 
 type UserAuthIdentityRecord struct {