Merge pull request '[🚀] storage' (#36) from dev into main

Reviewed-on: #36

go.mod

@@ -12,6 +12,7 @@ require (
 	github.com/gorilla/websocket v1.5.3
 	github.com/jinzhu/now v1.1.5
 	github.com/json-iterator/go v1.1.12
+	github.com/minio/minio-go/v7 v7.0.98
 	github.com/mojocn/base64Captcha v1.3.8
 	github.com/mritd/chinaid v1.0.4
 	github.com/panjf2000/ants/v2 v2.11.5
@@ -57,10 +58,12 @@ require (
 	github.com/cloudwego/base64x v0.1.6 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
 	github.com/gammazero/toposort v0.1.1 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
+	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-sql-driver/mysql v1.8.1 // indirect
@@ -71,15 +74,19 @@ require (
 	github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/compress v1.18.2 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
+	github.com/klauspost/crc32 v1.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/minio/crc64nvme v1.1.1 // indirect
+	github.com/minio/md5-simd v1.1.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/montanaflynn/stats v0.7.1 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
+	github.com/philhofer/fwd v1.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.66.1 // indirect
@@ -88,6 +95,7 @@ require (
 	github.com/quic-go/quic-go v0.54.0 // indirect
 	github.com/richardlehane/mscfb v1.0.4 // indirect
 	github.com/richardlehane/msoleps v1.0.4 // indirect
+	github.com/rs/xid v1.6.0 // indirect
 	github.com/sagikazarmark/locafero v0.11.0 // indirect
 	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
 	github.com/spf13/afero v1.15.0 // indirect
@@ -100,6 +108,7 @@ require (
 	github.com/tidwall/rtred v0.1.2 // indirect
 	github.com/tidwall/tinyqueue v0.1.1 // indirect
 	github.com/tiendc/go-deepcopy v1.7.1 // indirect
+	github.com/tinylib/msgp v1.6.1 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.0 // indirect
 	github.com/xdg-go/pbkdf2 v1.0.0 // indirect

go.sum

@@ -857,6 +857,7 @@ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/r
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
+github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -903,6 +904,8 @@ github.com/go-fonts/stix v0.1.0/go.mod h1:w/c1f0ldAUlJmLBvlbkvVXLAD+tAMqobIIQpmn
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
+github.com/go-ini/ini v1.67.0 h1:z6ZrTEZqSWOTyH2FlglNbNgARyHG8oLW9gMELqKr06A=
+github.com/go-ini/ini v1.67.0/go.mod h1:ByCAeIL28uOIIG0E3PJtZPDL8WnHpFKFOtgjp+3Ies8=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@@ -1129,11 +1132,14 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/asmfmt v1.3.2/go.mod h1:AG8TuvYojzulgDAMCnYn50l/5QV3Bs/tp6j0HLHbNSE=
 github.com/klauspost/compress v1.15.9/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHUDtV4Yw2GlzU=
-github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
-github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/klauspost/compress v1.18.2 h1:iiPHWW0YrcFgpBYhsA6D1+fqHssJscY/Tm/y2Uqnapk=
+github.com/klauspost/compress v1.18.2/go.mod h1:R0h/fSBs8DE4ENlcrlib3PsXS61voFxhIs2DeRhCvJ4=
+github.com/klauspost/cpuid/v2 v2.0.1/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
 github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/klauspost/crc32 v1.3.0 h1:sSmTt3gUt81RP655XGZPElI0PelVTZ6YwCRnPSupoFM=
+github.com/klauspost/crc32 v1.3.0/go.mod h1:D7kQaZhnkX/Y0tstFGf8VUzv2UofNGqCjnC3zdHB0Hw=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
@@ -1172,6 +1178,12 @@ github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfr
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
 github.com/minio/asm2plan9s v0.0.0-20200509001527-cdd76441f9d8/go.mod h1:mC1jAcsrzbxHt8iiaC+zU4b1ylILSosueou12R++wfY=
 github.com/minio/c2goasm v0.0.0-20190812172519-36a3d3bbc4f3/go.mod h1:RagcQ7I8IeTMnF8JTXieKnO4Z6JCsikNEzj0DwauVzE=
+github.com/minio/crc64nvme v1.1.1 h1:8dwx/Pz49suywbO+auHCBpCtlW1OfpcLN7wYgVR6wAI=
+github.com/minio/crc64nvme v1.1.1/go.mod h1:eVfm2fAzLlxMdUGc0EEBGSMmPwmXD5XiNRpnu9J3bvg=
+github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
+github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
+github.com/minio/minio-go/v7 v7.0.98 h1:MeAVKjLVz+XJ28zFcuYyImNSAh8Mq725uNW4beRisi0=
+github.com/minio/minio-go/v7 v7.0.98/go.mod h1:cY0Y+W7yozf0mdIclrttzo1Iiu7mEf9y7nk2uXqMOvM=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/go-homedir v1.0.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/mitchellh/go-testing-interface v1.0.0/go.mod h1:kRemZodwjscx+RGhAo8eIhFbs2+BFgRtFPeD/KE+zxI=
@@ -1205,6 +1217,8 @@ github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FI
 github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
+github.com/philhofer/fwd v1.2.0 h1:e6DnBTl7vGY+Gz322/ASL4Gyp1FspeMvx1RNDoToZuM=
+github.com/philhofer/fwd v1.2.0/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
 github.com/phpdave11/gofpdf v1.4.2/go.mod h1:zpO6xFn9yxo3YLyMvW8HcKWVdbNqgIfOOp2dXMnm1mY=
 github.com/phpdave11/gofpdi v1.0.12/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
 github.com/phpdave11/gofpdi v1.0.13/go.mod h1:vBmVV0Do6hSBHC8uKUQ71JGW+ZGQq74llk/7bXwjDoI=
@@ -1281,6 +1295,8 @@ github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
 github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/rs/cors/wrapper/gin v0.0.0-20260123235804-c9e5260a4ed4 h1:o+wYsOfZvOhP3CLGQH5MGVaw9xWjkGIXYH9nJ7NA2FM=
 github.com/rs/cors/wrapper/gin v0.0.0-20260123235804-c9e5260a4ed4/go.mod h1:UkcVz4d5PVHMbLZcN5lqy4KOGXiO9vVdxlITo+boMCE=
+github.com/rs/xid v1.6.0 h1:fV591PaemRlL6JfRxGDEPl69wICngIQ3shQtzfy2gxU=
+github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/ruudk/golang-pdf417 v0.0.0-20181029194003-1af4ab5afa58/go.mod h1:6lfFZQK844Gfx8o5WFuvpxWRwnSoipWe/p622j1v06w=
 github.com/ruudk/golang-pdf417 v0.0.0-20201230142125-a7e3863a1245/go.mod h1:pQAZKsJ8yyVxGRWYNEm9oFB8ieLgKFnamEyDmSA0BRk=
 github.com/ryanuber/columnize v0.0.0-20160712163229-9b3edd62028f/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts=
@@ -1359,6 +1375,8 @@ github.com/tidwall/tinyqueue v0.1.1 h1:SpNEvEggbpyN5DIReaJ2/1ndroY8iyEGxPYxoSaym
 github.com/tidwall/tinyqueue v0.1.1/go.mod h1:O/QNHwrnjqr6IHItYrzoHAKYhBkLI67Q096fQP5zMYw=
 github.com/tiendc/go-deepcopy v1.7.1 h1:LnubftI6nYaaMOcaz0LphzwraqN8jiWTwm416sitff4=
 github.com/tiendc/go-deepcopy v1.7.1/go.mod h1:4bKjNC2r7boYOkD2IOuZpYjmlDdzjbpTRyCx+goBCJQ=
+github.com/tinylib/msgp v1.6.1 h1:ESRv8eL3u+DNHUoSAAQRE50Hm162zqAnBoGv9PzScPY=
+github.com/tinylib/msgp v1.6.1/go.mod h1:RSp0LW9oSxFut3KzESt5Voq4GVWyS+PSulT77roAqEA=
 github.com/tus/tusd v1.13.0 h1:W7rtb1XPSpde/GPZAgdfUS3vus2Jt2KmckS6OUd3CU8=
 github.com/tus/tusd v1.13.0/go.mod h1:1tX4CDGlx8koHGFJdSaJ5ybUIm2NeVloJgZEPSKRcQA=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=

pkg/cache/helper.go

@@ -0,0 +1,287 @@
+package cache
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"time"
+
+	"github.com/redis/go-redis/v9"
+)
+
+// ========== 分布式锁 ==========
+
+// Lock 分布式锁
+type Lock struct {
+	repo   RedisRepo
+	key    string
+	value  string
+	expiry time.Duration
+}
+
+// NewLock 创建分布式锁
+func NewLock(repo RedisRepo, key, value string, expiry time.Duration) *Lock {
+	return &Lock{
+		repo:   repo,
+		key:    key,
+		value:  value,
+		expiry: expiry,
+	}
+}
+
+// Acquire 获取锁
+func (l *Lock) Acquire(ctx context.Context) (bool, error) {
+	return l.repo.SetNX(ctx, l.key, l.value, l.expiry)
+}
+
+// Release 释放锁
+func (l *Lock) Release(ctx context.Context) error {
+	script := redis.NewScript(`
+		if redis.call("get", KEYS[1]) == ARGV[1] then
+			return redis.call("del", KEYS[1])
+		else
+			return 0
+		end
+	`)
+
+	return script.Run(ctx, l.repo.Client(), []string{l.key}, l.value).Err()
+}
+
+// Refresh 刷新锁
+func (l *Lock) Refresh(ctx context.Context) (bool, error) {
+	script := redis.NewScript(`
+		if redis.call("get", KEYS[1]) == ARGV[1] then
+			return redis.call("pexpire", KEYS[1], ARGV[2])
+		else
+			return 0
+		end
+	`)
+
+	result, err := script.Run(ctx, l.repo.Client(), []string{l.key}, l.value, l.expiry.Milliseconds()).Result()
+	if err != nil {
+		return false, err
+	}
+
+	return result.(int64) == 1, nil
+}
+
+// ========== JSON 序列化 ==========
+
+// SetJSON 设置JSON对象
+func SetJSON(ctx context.Context, repo RedisRepo, key string, value interface{}, ttl time.Duration) error {
+	data, err := json.Marshal(value)
+	if err != nil {
+		return fmt.Errorf("json marshal 失败: %w", err)
+	}
+	return repo.Set(ctx, key, string(data), ttl)
+}
+
+// GetJSON 获取JSON对象
+func GetJSON(ctx context.Context, repo RedisRepo, key string, dest interface{}) error {
+	val, err := repo.Get(ctx, key)
+	if err != nil {
+		return err
+	}
+	if val == "" {
+		return errors.New("key 不存在")
+	}
+
+	if err := json.Unmarshal([]byte(val), dest); err != nil {
+		return fmt.Errorf("json unmarshal 失败: %w", err)
+	}
+	return nil
+}
+
+// ========== 限流器 ==========
+
+// RateLimiter 限流器（令牌桶算法）
+type RateLimiter struct {
+	repo     RedisRepo
+	key      string
+	limit    int64         // 最大令牌数
+	interval time.Duration // 时间窗口
+}
+
+// NewRateLimiter 创建限流器
+func NewRateLimiter(repo RedisRepo, key string, limit int64, interval time.Duration) *RateLimiter {
+	return &RateLimiter{
+		repo:     repo,
+		key:      key,
+		limit:    limit,
+		interval: interval,
+	}
+}
+
+// Allow 检查是否允许（简单计数器实现）
+func (r *RateLimiter) Allow(ctx context.Context) (bool, error) {
+	pipe := r.repo.Pipeline()
+
+	incrCmd := pipe.Incr(ctx, r.key)
+	pipe.Expire(ctx, r.key, r.interval)
+
+	if _, err := pipe.Exec(ctx); err != nil {
+		return false, err
+	}
+
+	count, err := incrCmd.Result()
+	if err != nil {
+		return false, err
+	}
+
+	return count <= r.limit, nil
+}
+
+// AllowN 检查是否允许N次
+func (r *RateLimiter) AllowN(ctx context.Context, n int64) (bool, error) {
+	pipe := r.repo.Pipeline()
+
+	incrCmd := pipe.IncrBy(ctx, r.key, n)
+	pipe.Expire(ctx, r.key, r.interval)
+
+	if _, err := pipe.Exec(ctx); err != nil {
+		return false, err
+	}
+
+	count, err := incrCmd.Result()
+	if err != nil {
+		return false, err
+	}
+
+	return count <= r.limit, nil
+}
+
+// Remaining 获取剩余次数
+func (r *RateLimiter) Remaining(ctx context.Context) (int64, error) {
+	val, err := r.repo.Get(ctx, r.key)
+	if err != nil {
+		return r.limit, nil
+	}
+	if val == "" {
+		return r.limit, nil
+	}
+
+	var count int64
+	if _, err := fmt.Sscanf(val, "%d", &count); err != nil {
+		return 0, err
+	}
+
+	remaining := r.limit - count
+	if remaining < 0 {
+		remaining = 0
+	}
+
+	return remaining, nil
+}
+
+// Reset 重置限流器
+func (r *RateLimiter) Reset(ctx context.Context) error {
+	_, err := r.repo.Del(ctx, r.key)
+	return err
+}
+
+// ========== 缓存装饰器 ==========
+
+// CacheDecorator 缓存装饰器
+type CacheDecorator struct {
+	repo RedisRepo
+	ttl  time.Duration
+}
+
+// NewCacheDecorator 创建缓存装饰器
+func NewCacheDecorator(repo RedisRepo, ttl time.Duration) *CacheDecorator {
+	return &CacheDecorator{
+		repo: repo,
+		ttl:  ttl,
+	}
+}
+
+// GetOrSet 获取或设置缓存
+func (c *CacheDecorator) GetOrSet(ctx context.Context, key string, dest interface{}, loader func() (interface{}, error)) error {
+	// 尝试从缓存获取
+	err := GetJSON(ctx, c.repo, key, dest)
+	if err == nil {
+		return nil
+	}
+
+	// 缓存未命中，执行加载函数
+	data, err := loader()
+	if err != nil {
+		return fmt.Errorf("loader 执行失败: %w", err)
+	}
+
+	// 设置缓存
+	if err := SetJSON(ctx, c.repo, key, data, c.ttl); err != nil {
+		// 缓存设置失败不影响主流程
+		// 可以记录日志
+	}
+
+	// 将数据赋值给dest
+	dataBytes, _ := json.Marshal(data)
+	return json.Unmarshal(dataBytes, dest)
+}
+
+// ========== 布隆过滤器（简单实现） ==========
+
+// BloomFilter 布隆过滤器
+type BloomFilter struct {
+	repo RedisRepo
+	key  string
+	size uint64
+}
+
+// NewBloomFilter 创建布隆过滤器
+func NewBloomFilter(repo RedisRepo, key string, size uint64) *BloomFilter {
+	return &BloomFilter{
+		repo: repo,
+		key:  key,
+		size: size,
+	}
+}
+
+// Add 添加元素
+func (b *BloomFilter) Add(ctx context.Context, value string) error {
+	// 简单hash
+	hash1 := hashString(value, 0) % b.size
+	hash2 := hashString(value, 1) % b.size
+	hash3 := hashString(value, 2) % b.size
+
+	pipe := b.repo.Pipeline()
+	pipe.SetBit(ctx, b.key, int64(hash1), 1)
+	pipe.SetBit(ctx, b.key, int64(hash2), 1)
+	pipe.SetBit(ctx, b.key, int64(hash3), 1)
+
+	_, err := pipe.Exec(ctx)
+	return err
+}
+
+// Exists 检查元素是否存在
+func (b *BloomFilter) Exists(ctx context.Context, value string) (bool, error) {
+	hash1 := hashString(value, 0) % b.size
+	hash2 := hashString(value, 1) % b.size
+	hash3 := hashString(value, 2) % b.size
+
+	pipe := b.repo.Pipeline()
+	bit1Cmd := pipe.GetBit(ctx, b.key, int64(hash1))
+	bit2Cmd := pipe.GetBit(ctx, b.key, int64(hash2))
+	bit3Cmd := pipe.GetBit(ctx, b.key, int64(hash3))
+
+	if _, err := pipe.Exec(ctx); err != nil {
+		return false, err
+	}
+
+	bit1, _ := bit1Cmd.Result()
+	bit2, _ := bit2Cmd.Result()
+	bit3, _ := bit3Cmd.Result()
+
+	return bit1 == 1 && bit2 == 1 && bit3 == 1, nil
+}
+
+// hashString 简单字符串hash
+func hashString(s string, seed uint64) uint64 {
+	hash := seed
+	for i := 0; i < len(s); i++ {
+		hash = hash*31 + uint64(s[i])
+	}
+	return hash
+}

pkg/crypto/client/axios/encryptedAxios.ts

@@ -0,0 +1,202 @@
+import axios, { AxiosInstance, AxiosRequestConfig, AxiosResponse, InternalAxiosRequestConfig } from 'axios';
+import { IEncryptor, ISigner, CryptoConfig, EncryptedRequest, EncryptedResponse } from '../crypto/interface';
+import { uint8ArrayToBase64, base64ToUint8Array, stringToUint8Array, uint8ArrayToString } from '../utils/base64';
+import { generateUUID } from '../utils/uuid';
+
+/**
+ * 加密Axios实例
+ */
+export class EncryptedAxios {
+    private axiosInstance: AxiosInstance;
+    private encryptor: IEncryptor | null = null;
+    private signer: ISigner | null = null;
+    private config: CryptoConfig;
+
+    constructor(
+        encryptor?: IEncryptor,
+        signer?: ISigner,
+        config: CryptoConfig = {},
+        axiosConfig?: AxiosRequestConfig
+    ) {
+        this.encryptor = encryptor || null;
+        this.signer = signer || null;
+        this.config = {
+            timestampWindow: 5 * 60 * 1000, // 默认5分钟
+            enableTimestamp: true,
+            enableSignature: true,
+            ...config,
+        };
+
+        // 创建axios实例
+        this.axiosInstance = axios.create(axiosConfig);
+
+        // 添加请求拦截器
+        this.axiosInstance.interceptors.request.use(
+            this.encryptRequestInterceptor.bind(this),
+            (error) => Promise.reject(error)
+        );
+
+        // 添加响应拦截器
+        this.axiosInstance.interceptors.response.use(
+            this.decryptResponseInterceptor.bind(this),
+            (error) => Promise.reject(error)
+        );
+    }
+
+    /**
+     * 请求拦截器 - 加密请求数据
+     */
+    private async encryptRequestInterceptor(
+        config: InternalAxiosRequestConfig
+    ): Promise<InternalAxiosRequestConfig> {
+        // 放行GET和OPTIONS请求
+        if (config.method?.toUpperCase() === 'GET' || config.method?.toUpperCase() === 'OPTIONS') {
+            return config;
+        }
+
+        // 如果没有配置加密器，直接返回
+        if (!this.encryptor) {
+            return config;
+        }
+
+        try {
+            // 将请求数据转换为JSON字符串
+            const plaintext = JSON.stringify(config.data || {});
+            const plaintextBytes = stringToUint8Array(plaintext);
+
+            // 加密数据
+            const ciphertext = await this.encryptor.encrypt(plaintextBytes);
+            const encryptedData = uint8ArrayToBase64(ciphertext);
+
+            // 构建加密请求体
+            const encryptedRequest: EncryptedRequest = {
+                data: encryptedData,
+                timestamp: Date.now(),
+                request_id: generateUUID(),
+                algorithm: this.encryptor.name(),
+            };
+
+            // 生成签名
+            if (this.config.enableSignature && this.signer) {
+                const signature = await this.signer.sign(plaintextBytes);
+                encryptedRequest.signature = uint8ArrayToBase64(signature);
+            }
+
+            // 替换请求数据
+            config.data = encryptedRequest;
+            config.headers['Content-Type'] = 'application/json';
+
+            // 保存request_id供响应使用
+            config.headers['X-Request-ID'] = encryptedRequest.request_id;
+
+        } catch (error) {
+            console.error('加密请求失败:', error);
+            throw error;
+        }
+
+        return config;
+    }
+
+    /**
+     * 响应拦截器 - 解密响应数据
+     */
+    private async decryptResponseInterceptor(
+        response: AxiosResponse
+    ): Promise<AxiosResponse> {
+        // 如果没有配置加密器或响应不是加密格式，直接返回
+        if (!this.encryptor || !response.data || typeof response.data !== 'object') {
+            return response;
+        }
+
+        // 检查是否是加密响应
+        const encryptedResponse = response.data as EncryptedResponse;
+        if (!encryptedResponse.data || !encryptedResponse.request_id) {
+            // 不是加密响应，直接返回
+            return response;
+        }
+
+        try {
+            // 验证时间戳
+            if (this.config.enableTimestamp) {
+                this.verifyTimestamp(encryptedResponse.timestamp);
+            }
+
+            // 解密数据
+            const ciphertext = base64ToUint8Array(encryptedResponse.data);
+            const plaintext = await this.encryptor.decrypt(ciphertext);
+
+            // 验证签名
+            if (this.config.enableSignature && this.signer && encryptedResponse.signature) {
+                const signature = base64ToUint8Array(encryptedResponse.signature);
+                const isValid = await this.signer.verify(plaintext, signature);
+                if (!isValid) {
+                    throw new Error('签名验证失败');
+                }
+            }
+
+            // 将解密后的数据转换为JSON对象
+            const decryptedData = uint8ArrayToString(plaintext);
+            response.data = JSON.parse(decryptedData);
+
+        } catch (error) {
+            console.error('解密响应失败:', error);
+            throw error;
+        }
+
+        return response;
+    }
+
+    /**
+     * 验证时间戳
+     */
+    private verifyTimestamp(timestamp: number): void {
+        const now = Date.now();
+        const diff = Math.abs(now - timestamp);
+
+        if (diff > (this.config.timestampWindow || 5 * 60 * 1000)) {
+            throw new Error('请求超时');
+        }
+    }
+
+    /**
+     * 获取axios实例
+     */
+    getInstance(): AxiosInstance {
+        return this.axiosInstance;
+    }
+
+    /**
+     * GET 请求
+     */
+    get<T = any>(url: string, config?: AxiosRequestConfig): Promise<AxiosResponse<T>> {
+        return this.axiosInstance.get<T>(url, config);
+    }
+
+    /**
+     * POST 请求
+     */
+    post<T = any>(url: string, data?: any, config?: AxiosRequestConfig): Promise<AxiosResponse<T>> {
+        return this.axiosInstance.post<T>(url, data, config);
+    }
+
+    /**
+     * PUT 请求
+     */
+    put<T = any>(url: string, data?: any, config?: AxiosRequestConfig): Promise<AxiosResponse<T>> {
+        return this.axiosInstance.put<T>(url, data, config);
+    }
+
+    /**
+     * DELETE 请求
+     */
+    delete<T = any>(url: string, config?: AxiosRequestConfig): Promise<AxiosResponse<T>> {
+        return this.axiosInstance.delete<T>(url, config);
+    }
+
+    /**
+     * PATCH 请求
+     */
+    patch<T = any>(url: string, data?: any, config?: AxiosRequestConfig): Promise<AxiosResponse<T>> {
+        return this.axiosInstance.patch<T>(url, data, config);
+    }
+}

pkg/crypto/client/crypto/aes.ts

@@ -0,0 +1,90 @@
+import { IEncryptor } from './interface';
+
+/**
+ * AES-GCM加密器
+ */
+export class AESEncryptor implements IEncryptor {
+    private key: CryptoKey | null = null;
+
+    constructor(keyString: string) {
+        this.importKey(keyString);
+    }
+
+    /**
+     * 导入密钥
+     */
+    private async importKey(keyString: string): Promise<void> {
+        const encoder = new TextEncoder();
+        const keyData = encoder.encode(keyString.padEnd(32, '0').substring(0, 32));
+
+        this.key = await crypto.subtle.importKey(
+            'raw',
+            keyData,
+            {
+                name: 'AES-GCM',
+                length: 256,
+            },
+            false,
+            ['encrypt', 'decrypt']
+        );
+    }
+
+    /**
+     * 加密数据
+     */
+    async encrypt(plaintext: Uint8Array): Promise<Uint8Array> {
+        if (!this.key) {
+            throw new Error('密钥未设置');
+        }
+
+        // 生成随机IV
+        const iv = crypto.getRandomValues(new Uint8Array(12));
+
+        const encrypted = await crypto.subtle.encrypt(
+            {
+                name: 'AES-GCM',
+                iv: iv,
+            },
+            this.key,
+            plaintext
+        );
+
+        // 将IV和密文拼接在一起
+        const result = new Uint8Array(iv.length + encrypted.byteLength);
+        result.set(iv, 0);
+        result.set(new Uint8Array(encrypted), iv.length);
+
+        return result;
+    }
+
+    /**
+     * 解密数据
+     */
+    async decrypt(ciphertext: Uint8Array): Promise<Uint8Array> {
+        if (!this.key) {
+            throw new Error('密钥未设置');
+        }
+
+        // 提取IV
+        const iv = ciphertext.slice(0, 12);
+        const data = ciphertext.slice(12);
+
+        const decrypted = await crypto.subtle.decrypt(
+            {
+                name: 'AES-GCM',
+                iv: iv,
+            },
+            this.key,
+            data
+        );
+
+        return new Uint8Array(decrypted);
+    }
+
+    /**
+     * 返回算法名称
+     */
+    name(): string {
+        return 'AES-GCM-256';
+    }
+}

pkg/crypto/client/crypto/hmac.ts

@@ -0,0 +1,54 @@
+import { ISigner } from './interface';
+
+/**
+ * HMAC签名器
+ */
+export class HMACSigner implements ISigner {
+    private key: CryptoKey | null = null;
+
+    constructor(keyString: string) {
+        this.importKey(keyString);
+    }
+
+    /**
+     * 导入密钥
+     */
+    private async importKey(keyString: string): Promise<void> {
+        const encoder = new TextEncoder();
+        const keyData = encoder.encode(keyString);
+
+        this.key = await crypto.subtle.importKey(
+            'raw',
+            keyData,
+            {
+                name: 'HMAC',
+                hash: 'SHA-256',
+            },
+            false,
+            ['sign', 'verify']
+        );
+    }
+
+    /**
+     * 生成签名
+     */
+    async sign(data: Uint8Array): Promise<Uint8Array> {
+        if (!this.key) {
+            throw new Error('密钥未设置');
+        }
+
+        const signature = await crypto.subtle.sign('HMAC', this.key, data);
+        return new Uint8Array(signature);
+    }
+
+    /**
+     * 验证签名
+     */
+    async verify(data: Uint8Array, signature: Uint8Array): Promise<boolean> {
+        if (!this.key) {
+            throw new Error('密钥未设置');
+        }
+
+        return await crypto.subtle.verify('HMAC', this.key, signature, data);
+    }
+}

pkg/crypto/client/crypto/interface.ts

@@ -0,0 +1,50 @@
+/**
+ * 加密器接口
+ */
+export interface IEncryptor {
+    encrypt(plaintext: Uint8Array): Promise<Uint8Array>;
+    decrypt(ciphertext: Uint8Array): Promise<Uint8Array>;
+    name(): string;
+}
+
+/**
+ * 签名器接口
+ */
+export interface ISigner {
+    sign(data: Uint8Array): Promise<Uint8Array>;
+    verify(data: Uint8Array, signature: Uint8Array): Promise<boolean>;
+}
+
+/**
+ * 配置选项
+ */
+export interface CryptoConfig {
+    secretKey?: string;           // 对称加密密钥
+    signKey?: string;              // 签名密钥
+    publicKey?: string;            // RSA公钥（PEM格式）
+    privateKey?: string;           // RSA私钥（PEM格式）
+    timestampWindow?: number;      // 时间戳窗口（毫秒）
+    enableTimestamp?: boolean;     // 是否启用时间戳验证
+    enableSignature?: boolean;     // 是否启用签名
+}
+
+/**
+ * 加密请求体
+ */
+export interface EncryptedRequest {
+    data: string;       // Base64编码的加密数据
+    signature?: string; // Base64编码的签名
+    timestamp: number;  // 时间戳
+    request_id: string; // 请求ID
+    algorithm: string;  // 加密算法名称
+}
+
+/**
+ * 加密响应体
+ */
+export interface EncryptedResponse {
+    data: string;       // Base64编码的加密数据
+    signature?: string; // Base64编码的签名
+    timestamp: number;  // 时间戳
+    request_id: string; // 请求ID
+}

pkg/crypto/client/crypto/rsa.ts

@@ -0,0 +1,125 @@
+import { IEncryptor } from './interface';
+
+/**
+ * RSA加密器（使用Web Crypto API）
+ */
+export class RSAEncryptor implements IEncryptor {
+    private publicKey: CryptoKey | null = null;
+    private privateKey: CryptoKey | null = null;
+
+    constructor(publicKeyPEM?: string, privateKeyPEM?: string) {
+        if (publicKeyPEM) {
+            this.importPublicKey(publicKeyPEM);
+        }
+        if (privateKeyPEM) {
+            this.importPrivateKey(privateKeyPEM);
+        }
+    }
+
+    /**
+     * 导入公钥（PEM格式）
+     */
+    private async importPublicKey(pem: string): Promise<void> {
+        const pemHeader = '-----BEGIN PUBLIC KEY-----';
+        const pemFooter = '-----END PUBLIC KEY-----';
+        const pemContents = pem
+            .replace(pemHeader, '')
+            .replace(pemFooter, '')
+            .replace(/\s/g, '');
+
+        const binaryDer = this.base64ToArrayBuffer(pemContents);
+
+        this.publicKey = await crypto.subtle.importKey(
+            'spki',
+            binaryDer,
+            {
+                name: 'RSA-OAEP',
+                hash: 'SHA-256',
+            },
+            true,
+            ['encrypt']
+        );
+    }
+
+    /**
+     * 导入私钥（PEM格式）
+     */
+    private async importPrivateKey(pem: string): Promise<void> {
+        const pemHeader = '-----BEGIN PRIVATE KEY-----';
+        const pemFooter = '-----END PRIVATE KEY-----';
+        const pemContents = pem
+            .replace(pemHeader, '')
+            .replace(pemFooter, '')
+            .replace(/\s/g, '');
+
+        const binaryDer = this.base64ToArrayBuffer(pemContents);
+
+        this.privateKey = await crypto.subtle.importKey(
+            'pkcs8',
+            binaryDer,
+            {
+                name: 'RSA-OAEP',
+                hash: 'SHA-256',
+            },
+            true,
+            ['decrypt']
+        );
+    }
+
+    /**
+     * Base64转ArrayBuffer
+     */
+    private base64ToArrayBuffer(base64: string): ArrayBuffer {
+        const binaryString = atob(base64);
+        const bytes = new Uint8Array(binaryString.length);
+        for (let i = 0; i < binaryString.length; i++) {
+            bytes[i] = binaryString.charCodeAt(i);
+        }
+        return bytes.buffer;
+    }
+
+    /**
+     * 加密数据
+     */
+    async encrypt(plaintext: Uint8Array): Promise<Uint8Array> {
+        if (!this.publicKey) {
+            throw new Error('公钥未设置');
+        }
+
+        const encrypted = await crypto.subtle.encrypt(
+            {
+                name: 'RSA-OAEP',
+            },
+            this.publicKey,
+            plaintext
+        );
+
+        return new Uint8Array(encrypted);
+    }
+
+    /**
+     * 解密数据
+     */
+    async decrypt(ciphertext: Uint8Array): Promise<Uint8Array> {
+        if (!this.privateKey) {
+            throw new Error('私钥未设置');
+        }
+
+        const decrypted = await crypto.subtle.decrypt(
+            {
+                name: 'RSA-OAEP',
+            },
+            this.privateKey,
+            ciphertext
+        );
+
+        return new Uint8Array(decrypted);
+    }
+
+    /**
+     * 返回算法名称
+     */
+    name(): string {
+        return 'RSA-OAEP-SHA256';
+    }
+}

pkg/crypto/client/index.ts

@@ -0,0 +1,7 @@
+export * from './crypto/interface';
+export * from './crypto/rsa';
+export * from './crypto/hmac';
+export * from './crypto/aes';
+export * from './axios/encryptedAxios';
+export * from './utils/base64';
+export * from './utils/uuid';

pkg/crypto/client/utils/base64.ts

@@ -0,0 +1,38 @@
+/**
+ * Uint8Array 转 Base64
+ */
+export function uint8ArrayToBase64(bytes: Uint8Array): string {
+    let binary = '';
+    for (let i = 0; i < bytes.length; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary);
+}
+
+/**
+ * Base64 转 Uint8Array
+ */
+export function base64ToUint8Array(base64: string): Uint8Array {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
+
+/**
+ * 字符串转 Uint8Array
+ */
+export function stringToUint8Array(str: string): Uint8Array {
+    const encoder = new TextEncoder();
+    return encoder.encode(str);
+}
+
+/**
+ * Uint8Array 转字符串
+ */
+export function uint8ArrayToString(bytes: Uint8Array): string {
+    const decoder = new TextDecoder();
+    return decoder.decode(bytes);
+}

pkg/crypto/client/utils/uuid.ts

@@ -0,0 +1,10 @@
+/**
+ * 生成UUID v4
+ */
+export function generateUUID(): string {
+    return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, (c) => {
+        const r = (Math.random() * 16) | 0;
+        const v = c === 'x' ? r : (r & 0x3) | 0x8;
+        return v.toString(16);
+    });
+}

pkg/crypto/interface.go

@@ -1,5 +1,7 @@
 package crypto
 
+import "time"
+
 // Encryptor 加密器接口
 type Encryptor interface {
 	// Encrypt 加密数据
@@ -20,3 +22,29 @@ type Signer interface {
 	// Verify 验证签名
 	Verify(data, signature []byte) error
 }
+
+type Config struct {
+	SecretKey       string        `yaml:"secret_key" json:"secret_key"`             // AES对称加密密钥
+	SignKey         string        `yaml:"sign_key" json:"sign_key"`                 // 签名密钥
+	PublicKey       string        `yaml:"public_key" json:"public_key"`             // RSA公钥
+	PrivateKey      string        `yaml:"private_key" json:"private_key"`           // RSA私钥
+	TimestampWindow time.Duration `yaml:"timestamp_window" json:"timestamp_window"` // 时间戳允许的时间窗口
+	EnableTimestamp bool          `yaml:"enable_timestamp" json:"enable_timestamp"` // 是否启用时间戳验证
+	EnableSignature bool          `yaml:"enable_signature" json:"enable_signature"` // 是否启用签名
+}
+
+type EncryptedRequest struct {
+	Data      string `json:"data"`       // 加密后的数据（Base64）
+	Signature string `json:"signature"`  // 签名（Base64）
+	Timestamp int64  `json:"timestamp"`  // 时间戳
+	RequestID string `json:"request_id"` // 请求ID
+	Algorithm string `json:"algorithm"`  // 加密算法
+}
+
+// EncryptedResponse 加密响应体
+type EncryptedResponse struct {
+	Data      string `json:"data"`
+	Signature string `json:"signature"`
+	Timestamp int64  `json:"timestamp"`
+	RequestID string `json:"request_id"`
+}

pkg/storage/client.go

@@ -0,0 +1,312 @@
+package storage
+
+import (
+	"context"
+	"crypto/md5"
+	"encoding/hex"
+	"fmt"
+	"io"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/minio/minio-go/v7"
+	"github.com/minio/minio-go/v7/pkg/credentials"
+)
+
+// Client MinIO客户端
+type Client struct {
+	client *minio.Client
+	config *Config
+}
+
+// NewClient 创建MinIO客户端
+func NewClient(config *Config) (*Client, error) {
+	client, err := minio.New(config.Endpoint, &minio.Options{
+		Creds:  credentials.NewStaticV4(config.AccessKeyID, config.SecretAccessKey, ""),
+		Secure: config.UseSSL,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("创建MinIO客户端失败: %w", err)
+	}
+
+	c := &Client{
+		client: client,
+		config: config,
+	}
+
+	// 确保默认桶存在
+	if config.BucketName != "" {
+		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+		defer cancel()
+
+		exists, err := c.BucketExists(ctx, config.BucketName)
+		if err != nil {
+			return nil, fmt.Errorf("检查桶失败: %w", err)
+		}
+		if !exists {
+			if err := c.CreateBucket(ctx, config.BucketName); err != nil {
+				return nil, fmt.Errorf("创建桶失败: %w", err)
+			}
+		}
+	}
+
+	return c, nil
+}
+
+// UploadToken 上传凭证
+type UploadToken struct {
+	Key        string    `json:"key"`         // 文件存储路径
+	UploadURL  string    `json:"upload_url"`  // 预签名上传URL
+	ExpiresAt  time.Time `json:"expires_at"`  // 过期时间
+	BucketName string    `json:"bucket_name"` // 桶名称
+	AccessURL  string    `json:"access_url"`  // 访问URL（可选）
+}
+
+// DownloadToken 下载凭证
+type DownloadToken struct {
+	Key         string    `json:"key"`          // 文件key
+	DownloadURL string    `json:"download_url"` // 预签名下载URL
+	ExpiresAt   time.Time `json:"expires_at"`   // 过期时间
+	Filename    string    `json:"filename"`     // 文件名（可选）
+}
+
+// FileInfo 文件信息
+type FileInfo struct {
+	Key          string            `json:"key"`           // 文件key
+	Size         int64             `json:"size"`          // 文件大小
+	ETag         string            `json:"etag"`          // ETag（MD5）
+	ContentType  string            `json:"content_type"`  // Content-Type
+	LastModified time.Time         `json:"last_modified"` // 最后修改时间
+	Metadata     map[string]string `json:"metadata"`      // 元数据
+	URL          string            `json:"url"`           // 访问URL
+	Exists       bool              `json:"exists"`        // 是否存在
+}
+
+// GenerateUploadToken 生成上传凭证
+func (c *Client) GenerateUploadToken(ctx context.Context, key string, bucketName ...string) (*UploadToken, error) {
+	bucket := c.config.BucketName
+	if len(bucketName) > 0 && bucketName[0] != "" {
+		bucket = bucketName[0]
+	}
+
+	// 生成预签名PUT URL
+	presignedURL, err := c.client.PresignedPutObject(ctx, bucket, key, c.config.PresignExpires)
+	if err != nil {
+		return nil, fmt.Errorf("生成上传凭证失败: %w", err)
+	}
+
+	token := &UploadToken{
+		Key:        key,
+		UploadURL:  presignedURL.String(),
+		ExpiresAt:  time.Now().Add(c.config.PresignExpires),
+		BucketName: bucket,
+	}
+
+	// 如果配置了CDN域名，生成访问URL
+	if c.config.CDNDomain != "" {
+		token.AccessURL = c.buildCDNURL(bucket, key)
+	}
+
+	return token, nil
+}
+
+// GenerateDownloadToken 生成下载凭证
+func (c *Client) GenerateDownloadToken(ctx context.Context, key string, bucketName ...string) (*DownloadToken, error) {
+	bucket := c.config.BucketName
+	if len(bucketName) > 0 && bucketName[0] != "" {
+		bucket = bucketName[0]
+	}
+
+	// 检查文件是否存在
+	exists, err := c.FileExists(ctx, key, bucket)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, fmt.Errorf("文件不存在: %s", key)
+	}
+
+	// 生成预签名GET URL
+	presignedURL, err := c.client.PresignedGetObject(ctx, bucket, key, c.config.PresignExpires, nil)
+	if err != nil {
+		return nil, fmt.Errorf("生成下载凭证失败: %w", err)
+	}
+
+	token := &DownloadToken{
+		Key:         key,
+		DownloadURL: presignedURL.String(),
+		ExpiresAt:   time.Now().Add(c.config.PresignExpires),
+		Filename:    filepath.Base(key),
+	}
+
+	return token, nil
+}
+
+// VerifyFile 验证文件完整性
+func (c *Client) VerifyFile(ctx context.Context, key string, expectedMD5 string, bucketName ...string) (*FileInfo, error) {
+	bucket := c.config.BucketName
+	if len(bucketName) > 0 && bucketName[0] != "" {
+		bucket = bucketName[0]
+	}
+
+	// 获取文件信息
+	stat, err := c.client.StatObject(ctx, bucket, key, minio.StatObjectOptions{})
+	if err != nil {
+		errResponse := minio.ToErrorResponse(err)
+		if errResponse.Code == "NoSuchKey" {
+			return &FileInfo{
+				Key:    key,
+				Exists: false,
+			}, nil
+		}
+		return nil, fmt.Errorf("获取文件信息失败: %w", err)
+	}
+
+	fileInfo := &FileInfo{
+		Key:          key,
+		Size:         stat.Size,
+		ETag:         strings.Trim(stat.ETag, "\""), // 去除引号
+		ContentType:  stat.ContentType,
+		LastModified: stat.LastModified,
+		Metadata:     stat.UserMetadata,
+		Exists:       true,
+		URL:          c.buildAccessURL(bucket, key),
+	}
+
+	// 如果提供了期望的MD5，进行验证
+	if expectedMD5 != "" {
+		if !c.compareMD5(fileInfo.ETag, expectedMD5) {
+			return fileInfo, fmt.Errorf("文件MD5不匹配，期望: %s, 实际: %s", expectedMD5, fileInfo.ETag)
+		}
+	}
+
+	return fileInfo, nil
+}
+
+// CalculateFileMD5 计算文件MD5（从MinIO下载并计算）
+func (c *Client) CalculateFileMD5(ctx context.Context, key string, bucketName ...string) (string, error) {
+	bucket := c.config.BucketName
+	if len(bucketName) > 0 && bucketName[0] != "" {
+		bucket = bucketName[0]
+	}
+
+	// 下载文件
+	object, err := c.client.GetObject(ctx, bucket, key, minio.GetObjectOptions{})
+	if err != nil {
+		return "", fmt.Errorf("下载文件失败: %w", err)
+	}
+	defer func() { _ = object.Close() }()
+
+	// 计算MD5
+	hash := md5.New()
+	if _, err := io.Copy(hash, object); err != nil {
+		return "", fmt.Errorf("计算MD5失败: %w", err)
+	}
+
+	return hex.EncodeToString(hash.Sum(nil)), nil
+}
+
+// FileExists 检查文件是否存在
+func (c *Client) FileExists(ctx context.Context, key string, bucketName ...string) (bool, error) {
+	bucket := c.config.BucketName
+	if len(bucketName) > 0 && bucketName[0] != "" {
+		bucket = bucketName[0]
+	}
+
+	_, err := c.client.StatObject(ctx, bucket, key, minio.StatObjectOptions{})
+	if err != nil {
+		errResponse := minio.ToErrorResponse(err)
+		if errResponse.Code == "NoSuchKey" {
+			return false, nil
+		}
+		return false, fmt.Errorf("检查文件失败: %w", err)
+	}
+
+	return true, nil
+}
+
+// DeleteFile 删除文件
+func (c *Client) DeleteFile(ctx context.Context, key string, bucketName ...string) error {
+	bucket := c.config.BucketName
+	if len(bucketName) > 0 && bucketName[0] != "" {
+		bucket = bucketName[0]
+	}
+
+	err := c.client.RemoveObject(ctx, bucket, key, minio.RemoveObjectOptions{})
+	if err != nil {
+		return fmt.Errorf("删除文件失败: %w", err)
+	}
+
+	return nil
+}
+
+// GetFileInfo 获取文件信息
+func (c *Client) GetFileInfo(ctx context.Context, key string, bucketName ...string) (*FileInfo, error) {
+	return c.VerifyFile(ctx, key, "", bucketName...)
+}
+
+// BucketExists 检查桶是否存在
+func (c *Client) BucketExists(ctx context.Context, bucketName string) (bool, error) {
+	exists, err := c.client.BucketExists(ctx, bucketName)
+	if err != nil {
+		return false, fmt.Errorf("检查桶失败: %w", err)
+	}
+	return exists, nil
+}
+
+// CreateBucket 创建桶
+func (c *Client) CreateBucket(ctx context.Context, bucketName string) error {
+	err := c.client.MakeBucket(ctx, bucketName, minio.MakeBucketOptions{
+		Region: c.config.Region,
+	})
+	if err != nil {
+		return fmt.Errorf("创建桶失败: %w", err)
+	}
+	return nil
+}
+
+// SetBucketPublic 设置桶为公开访问
+func (c *Client) SetBucketPublic(ctx context.Context, bucketName string) error {
+	policy := fmt.Sprintf(`{
+		"Version": "2012-10-17",
+		"Statement": [{
+			"Effect": "Allow",
+			"Principal": {"AWS": ["*"]},
+			"Action": ["s3:GetObject"],
+			"Resource": ["arn:aws:s3:::%s/*"]
+		}]
+	}`, bucketName)
+
+	err := c.client.SetBucketPolicy(ctx, bucketName, policy)
+	if err != nil {
+		return fmt.Errorf("设置桶策略失败: %w", err)
+	}
+	return nil
+}
+
+// buildAccessURL 构建访问URL
+func (c *Client) buildAccessURL(bucket, key string) string {
+	if c.config.CDNDomain != "" {
+		return c.buildCDNURL(bucket, key)
+	}
+
+	protocol := "http"
+	if c.config.UseSSL {
+		protocol = "https"
+	}
+
+	return fmt.Sprintf("%s://%s/%s/%s", protocol, c.config.Endpoint, bucket, key)
+}
+
+// buildCDNURL 构建CDN URL
+func (c *Client) buildCDNURL(bucket, key string) string {
+	return fmt.Sprintf("%s/%s/%s", strings.TrimRight(c.config.CDNDomain, "/"), bucket, key)
+}
+
+// compareMD5 比较MD5
+func (c *Client) compareMD5(etag, md5 string) bool {
+	etag = strings.ToLower(strings.Trim(etag, "\""))
+	md5 = strings.ToLower(strings.Trim(md5, "\""))
+	return etag == md5
+}

pkg/storage/config.go

@@ -0,0 +1,15 @@
+package storage
+
+import "time"
+
+// Config MinIO配置
+type Config struct {
+	Endpoint        string        `yaml:"endpoint" json:"endpoint"`                   // MinIO地址
+	AccessKeyID     string        `yaml:"access_key_id" json:"access_key_id"`         // AccessKey
+	SecretAccessKey string        `yaml:"secret_access_key" json:"secret_access_key"` // SecretKey
+	UseSSL          bool          `yaml:"use_ssl" json:"use_ssl"`                     // 是否使用SSL
+	BucketName      string        `yaml:"bucket_name" json:"bucket_name"`             // 默认桶名称
+	Region          string        `yaml:"region" json:"region"`                       // 区域
+	CDNDomain       string        `yaml:"cdn_domain" json:"cdn_domain"`               // CDN域名（可选）
+	PresignExpires  time.Duration `yaml:"presign_expires" json:"presign_expires"`     // 预签名URL过期时间，默认15分钟
+}