feat(api): public and unlisted comment list and create endpoints

Made-with: Cursor
5 hours ago · b92a393ceb
5 changed files with 170 additions and 2 deletions
--- a/server/api/public/profile/[publicSlug]/posts/[postSlug]/comments.get.ts
+++ b/server/api/public/profile/[publicSlug]/posts/[postSlug]/comments.get.ts
@ -0,0 +1,19 @@
 import { getPublicPostCommentContext } from "#server/service/posts";
 import { listCommentsPayload } from "#server/service/post-comments";
 export default defineEventHandler(async (event) => {
  const publicSlug = event.context.params?.publicSlug;
  const postSlug = event.context.params?.postSlug;
  if (!publicSlug || !postSlug || typeof publicSlug !== "string" || typeof postSlug !== "string") {
    throw createError({ statusCode: 400, statusMessage: "无效请求" });
  }
  const ctx = await getPublicPostCommentContext(publicSlug, postSlug);
  if (!ctx) {
    throw createError({ statusCode: 404, statusMessage: "未找到" });
  }
  const viewer = await event.context.auth.getCurrent();
  const data = await listCommentsPayload(ctx.id, ctx.userId, viewer?.id ?? null);
  return R.success(data);
 });
--- a/server/api/public/profile/[publicSlug]/posts/[postSlug]/comments.post.ts
+++ b/server/api/public/profile/[publicSlug]/posts/[postSlug]/comments.post.ts
@ -0,0 +1,55 @@
 import { getRequestIP } from "h3";
 import { getPublicPostCommentContext } from "#server/service/posts";
 import { createComment } from "#server/service/post-comments";
 import { assertUnderRateLimit } from "#server/utils/simple-rate-limit";
 export default defineEventHandler(async (event) => {
  const publicSlug = event.context.params?.publicSlug;
  const postSlug = event.context.params?.postSlug;
  if (!publicSlug || !postSlug || typeof publicSlug !== "string" || typeof postSlug !== "string") {
    throw createError({ statusCode: 400, statusMessage: "无效请求" });
  }
  const ctx = await getPublicPostCommentContext(publicSlug, postSlug);
  if (!ctx) {
    throw createError({ statusCode: 404, statusMessage: "未找到" });
  }
  const viewer = await event.context.auth.getCurrent();
  const ip = getRequestIP(event, { xForwardedFor: true }) ?? "unknown";
  if (viewer == null) {
    assertUnderRateLimit(`comment-post-guest:${ip}`, 20, 15 * 60 * 1000);
  } else {
    assertUnderRateLimit(`comment-post-user:${viewer.id}`, 60, 15 * 60 * 1000);
  }
  const body = await readBody<{
    parentId?: number | null;
    guestDisplayName?: string;
    body: unknown;
  }>(event);
  if (typeof body.body !== "string") {
    throw createError({ statusCode: 400, statusMessage: "无效请求" });
  }
  let parentId: number | null;
  if (body.parentId === undefined || body.parentId === null) {
    parentId = null;
  } else if (typeof body.parentId === "number" && Number.isFinite(body.parentId)) {
    parentId = body.parentId;
  } else {
    throw createError({ statusCode: 400, statusMessage: "无效请求" });
  }
  const newCommentId = await createComment({
    postId: ctx.id,
    ownerUserId: ctx.userId,
    parentId,
    viewer,
    guestDisplayName: typeof body.guestDisplayName === "string" ? body.guestDisplayName : undefined,
    body: body.body,
  });
  return R.success({ id: newCommentId });
 });
--- a/server/api/public/unlisted/[publicSlug]/[shareToken]/comments.get.ts
+++ b/server/api/public/unlisted/[publicSlug]/[shareToken]/comments.get.ts
@ -0,0 +1,19 @@
 import { getUnlistedPostCommentContext } from "#server/service/posts";
 import { listCommentsPayload } from "#server/service/post-comments";
 export default defineEventHandler(async (event) => {
  const publicSlug = event.context.params?.publicSlug;
  const shareToken = event.context.params?.shareToken;
  if (!publicSlug || !shareToken || typeof publicSlug !== "string" || typeof shareToken !== "string") {
    throw createError({ statusCode: 400, statusMessage: "无效链接" });
  }
  const ctx = await getUnlistedPostCommentContext(publicSlug, shareToken);
  if (!ctx) {
    throw createError({ statusCode: 404, statusMessage: "未找到" });
  }
  const viewer = await event.context.auth.getCurrent();
  const data = await listCommentsPayload(ctx.id, ctx.userId, viewer?.id ?? null);
  return R.success(data);
 });
--- a/server/api/public/unlisted/[publicSlug]/[shareToken]/comments.post.ts
+++ b/server/api/public/unlisted/[publicSlug]/[shareToken]/comments.post.ts
@ -0,0 +1,55 @@
 import { getRequestIP } from "h3";
 import { getUnlistedPostCommentContext } from "#server/service/posts";
 import { createComment } from "#server/service/post-comments";
 import { assertUnderRateLimit } from "#server/utils/simple-rate-limit";
 export default defineEventHandler(async (event) => {
  const publicSlug = event.context.params?.publicSlug;
  const shareToken = event.context.params?.shareToken;
  if (!publicSlug || !shareToken || typeof publicSlug !== "string" || typeof shareToken !== "string") {
    throw createError({ statusCode: 400, statusMessage: "无效链接" });
  }
  const ctx = await getUnlistedPostCommentContext(publicSlug, shareToken);
  if (!ctx) {
    throw createError({ statusCode: 404, statusMessage: "未找到" });
  }
  const viewer = await event.context.auth.getCurrent();
  const ip = getRequestIP(event, { xForwardedFor: true }) ?? "unknown";
  if (viewer == null) {
    assertUnderRateLimit(`comment-post-guest:${ip}`, 20, 15 * 60 * 1000);
  } else {
    assertUnderRateLimit(`comment-post-user:${viewer.id}`, 60, 15 * 60 * 1000);
  }
  const body = await readBody<{
    parentId?: number | null;
    guestDisplayName?: string;
    body: unknown;
  }>(event);
  if (typeof body.body !== "string") {
    throw createError({ statusCode: 400, statusMessage: "无效请求" });
  }
  let parentId: number | null;
  if (body.parentId === undefined || body.parentId === null) {
    parentId = null;
  } else if (typeof body.parentId === "number" && Number.isFinite(body.parentId)) {
    parentId = body.parentId;
  } else {
    throw createError({ statusCode: 400, statusMessage: "无效请求" });
  }
  const newCommentId = await createComment({
    postId: ctx.id,
    ownerUserId: ctx.userId,
    parentId,
    viewer,
    guestDisplayName: typeof body.guestDisplayName === "string" ? body.guestDisplayName : undefined,
    body: body.body,
  });
  return R.success({ id: newCommentId });
 });
--- a/server/utils/auth-api-routes.ts
+++ b/server/utils/auth-api-routes.ts
@ -9,13 +9,33 @@ const API_ALLOWLIST: RouteRule[] = [
  { path: "/api/config/global", methods: ["GET"] },
 ];
-/** 公开 API 只读，避免未认证写操作 */
+/** 允许访客发表评论的公开 POST（其余 /api/public/ 写操作仍拒绝） */
 function isPublicCommentPostPath(path: string) {
  if (!path.endsWith("/comments")) {
    return false;
  }
  if (/^\/api\/public\/profile\/[^/]+\/posts\/[^/]+\/comments$/.test(path)) {
    return true;
  }
  if (/^\/api\/public\/unlisted\/[^/]+\/[^/]+\/comments$/.test(path)) {
    return true;
  }
  return false;
 }
 /** 公开 API 以只读为主；评论创建为例外，需配合服务端校验与限流 */
 export function isPublicApiPath(path: string, method?: string) {
  if (!path.startsWith("/api/public/")) {
    return false;
  }
  const requestMethod = method?.toUpperCase() ?? "GET";
-  return requestMethod === "GET";
+  if (requestMethod === "GET") {
    return true;
  }
  if (requestMethod === "POST" && isPublicCommentPostPath(path)) {
    return true;
  }
  return false;
 }
 export function isAllowlistedApiPath(path: string, method?: string) {