Karpov Gateway
Integrated API Gateway + Console. Go backend (Gin + gRPC) + Next.js frontend (App Router + shadcn/ui), comes with credential pool, email verification, Linux.do OAuth2 SSO, quota billing, TOTP two-factor authentication.
✨ Features
- Unified REST Gateway — Single process or multi-service mode, gateway → auth/music/pool/quota/billing/worker gRPC backends can be deployed independently
- Credential Pool (encrypted) — KEK + DEK envelope encryption, AES-256-GCM with AAD, POOL_KEK_HEX master key derivation
- Email Registration + Activation — SMTP code sending / activation links, double insurance (verification code + email link), auto demote to LogSender if SMTP not configured
- OAuth2 Third-Party Login — Linux.do SSO (PKCE S256 + HMAC signed state cookie), login / bind / unbind tri-state decision, token encrypted storage
- Quota / Billing — PlanQuotaMiddleware fallback at gateway layer, business service internal secondary validation by plan + scope
- TOTP Two-Factor —
pquerna/otp+ Redis replay protection - Audit Logs — Structured JSON, split by type, rotated daily
- CSRF + Session —
sidhttpOnly cookie +X-CSRF-Tokenheader double verification - shadcn/ui Console — Next.js 16 App Router + Radix + Tailwind v4
🏗 Repository Structure
karpov-gateway/
├── gateway/ # Go 后端 (Gin + gRPC)
│ ├── cmd/ # 各 service 入口 (gateway/auth/music/pool/...)
│ ├── internal/ # 业务实现 (private)
│ ├── api/ # protobuf 定义
│ ├── migrations/ # PostgreSQL schema
│ ├── go.mod # Go 模块 (go 1.24+)
│ └── Dockerfile
├── web/ # Next.js 16 前端控制台
│ ├── src/ # App Router pages + components
│ ├── middleware.ts # CSRF / session / CSP nonce
│ ├── package.json # pnpm workspace
│ └── Dockerfile
├── deploy/
│ ├── compose/ # 本地开发 (PG + Redis + pgAdmin)
│ └── compose-prod/ # 生产单机 (gateway + web + PG + Redis 全栈)
└── .github/workflows/ # GitHub Actions CI (lint / test / build / govulncheck / gosec)🚀 Quick Start
1. Prerequisites
| Tool | Version | | ---------- | ------- | | Go | 1.24+ | | Node.js | 20.11+ | | pnpm | 9+ | | Docker | 24+ | | PostgreSQL | 14+ | | Redis | 7+ |
2. Start Dependencies (Postgres + Redis + pgAdmin)
cd deploy/compose
cp .env.example .env # 改强密码!
docker compose up -d3. Starting the Gateway Backend
cd gateway
cp .env.example .env # 与 deploy/compose/.env 的 PG/Redis 密码保持一致
go mod download
go run ./cmd/qqmusic-gateway
默认 :8080 (HTTP) + :9000 (gRPC)
首次启动会在 stderr 打印一个 superadmin 账号 + 临时密码
4. Start the Web Console
cd web
cp .env.example .env.local
pnpm install
pnpm dev
http://localhost:3000
🐳 Production Deployment (Docker Compose Standalone)
cd deploy/compose-prod
cp .env.example .env
编辑 .env:填入真域名 / 强密码 / SMTP 凭据 / OAuth client
nano .env生成 KEK
openssl rand -hex 32 # → 写到 POOL_KEK_HEX=docker compose up -d --build
docker compose logs -f gateway
Notes:
- If
NEXT_PUBLIC_APP_URLis changed, you must rundocker compose build --no-cache webbecause it will be inlined into the client bundle. - When using a reverse proxy (Nginx/Caddy),
TRUST_PROXY=truemust be enabled, otherwise X-Forwarded-Proto will not work. - Once the KEK changes, all old credential pools / old OAuth tokens become unreadable.
🔐 OAuth2 (Linux.do) Integration
- Go to https://connect.linux.do to apply for an application.
- Set the callback URL to:
https://your-domain/v1/auth/oauth/linuxdo/callback - Write the obtained client_id / client_secret into
.env:
OAUTH_LINUXDO_ENABLED=true
OAUTH_LINUXDO_CLIENT_ID=...
OAUTH_LINUXDO_CLIENT_SECRET=...
OAUTH_LINUXDO_MIN_TRUST_LEVEL=1
OAUTH_PUBLIC_BASE=https://your-domain
OAUTH_FRONTEND_BASE=https://your-domain
``
- Restart the gateway, and the login page / registration page will automatically display "Linux.do One-Click Login"
🧪 Test / Lint
Go
cd gateway go vet ./... go test -race ./... golangci-lint run --timeout=5mWeb
cd web pnpm lint pnpm typecheck `📦 Key Dependencies
Backend:
- gin-gonic/gin — HTTP framework
- grpc-ecosystem — gRPC + gateway
- jackc/pgx — PostgreSQL driver
- redis/go-redis — Redis client
- golang.org/x/oauth2 — OAuth2 / PKCE
- pquerna/otp — TOTP
Frontend:- Next.js 16 (App Router + Turbopack)
- shadcn/ui + Radix
- Tailwind CSS v4
- next-auth-csrf edge-safe CSRF
📜 License
MIT — see LICENSE
🤝 Contributing
PR / Issue welcome. Before submitting PR, please:
+ gofmt -l . all green
go test -race ./... all green
For web changes run pnpm lint && pnpm typecheck
Do not commit .env / data/.kek` or any files containing real passwords🔒 Security
If you find security issues, please contact the maintainer directly, do not open a public issue.
Built with ❤️ by MiChongs
--- Tranlated By Open Ai Tx | Last indexed: 2026-06-04 ---