feat: 添加订单详情和退款功能，更新用户角色管理，增强超级管理员鉴权

backend/app/http/super/auth.go

@@ -60,8 +60,13 @@ func (ctl *auth) login(ctx fiber.Ctx, form *dto.LoginForm) (*dto.LoginResponse,
 //
 //	@Router		/super/v1/auth/token [get]
 func (ctl *auth) token(ctx fiber.Ctx) (*dto.LoginResponse, error) {
+	claims, ok := ctx.Locals(consts.CtxKeyClaims).(*jwt.Claims)
+	if !ok || claims == nil || claims.UserID <= 0 {
+		return nil, errorx.ErrTokenInvalid
+	}
+
 	token, err := ctl.jwt.CreateToken(ctl.jwt.CreateClaims(jwt.BaseClaims{
-		UserID: 2,
+		UserID: claims.UserID,
 	}))
 	if err != nil {
 		return nil, errorx.Wrap(err).WithMsg("登录凭证生成失败")

backend/app/http/super/dto/order_detail.go

@@ -0,0 +1,10 @@
+package dto
+
+import "quyun/v2/database/models"
+
+type SuperOrderDetail struct {
+	Order *models.Order `json:"order,omitempty"`
+
+	Tenant *OrderTenantLite `json:"tenant,omitempty"`
+	Buyer  *OrderBuyerLite  `json:"buyer,omitempty"`
+}

backend/app/http/super/dto/order_refund.go

@@ -0,0 +1,10 @@
+package dto
+
+type SuperOrderRefundForm struct {
+	// Force indicates bypassing the default refund window check (paid_at + 24h).
+	Force bool `json:"force,omitempty"`
+	// Reason is the human-readable refund reason used for audit.
+	Reason string `json:"reason,omitempty"`
+	// IdempotencyKey ensures refund request is processed at most once.
+	IdempotencyKey string `json:"idempotency_key,omitempty"`
+}

backend/app/http/super/dto/user_roles.go

@@ -0,0 +1,7 @@
+package dto
+
+import "quyun/v2/pkg/consts"
+
+type UserRolesUpdateForm struct {
+	Roles []consts.Role `json:"roles" validate:"required,min=1,dive,oneof=user super_admin"`
+}

backend/app/http/super/order.go

@@ -1,9 +1,15 @@
 package super
 
 import (
+	"time"
+
+	"quyun/v2/app/errorx"
 	"quyun/v2/app/http/super/dto"
 	"quyun/v2/app/requests"
 	"quyun/v2/app/services"
+	"quyun/v2/database/models"
+	"quyun/v2/pkg/consts"
+	"quyun/v2/providers/jwt"
 
 	"github.com/gofiber/fiber/v3"
 )
@@ -26,6 +32,56 @@ func (*order) list(ctx fiber.Ctx, filter *dto.OrderPageFilter) (*requests.Pager,
 	return services.Order.SuperOrderPage(ctx, filter)
 }
 
+// detail
+//
+//	@Summary	订单详情
+//	@Tags		Super
+//	@Accept		json
+//	@Produce	json
+//	@Param		orderID	path		int64	true	"OrderID"
+//	@Success	200		{object}	dto.SuperOrderDetail
+//
+//	@Router		/super/v1/orders/:orderID [get]
+//	@Bind		orderID path
+func (*order) detail(ctx fiber.Ctx, orderID int64) (*dto.SuperOrderDetail, error) {
+	return services.Order.SuperOrderDetail(ctx, orderID)
+}
+
+// refund
+//
+//	@Summary	订单退款（平台）
+//	@Description	该接口只负责将订单从 paid 推进到 refunding，并提交异步退款任务；退款入账与权益回收由 worker 异步完成。
+//	@Tags		Super
+//	@Accept		json
+//	@Produce	json
+//	@Param		orderID	path	int64					true	"OrderID"
+//	@Param		form	body	dto.SuperOrderRefundForm	true	"Form"
+//	@Success	200		{object}	models.Order
+//
+//	@Router		/super/v1/orders/:orderID/refund [post]
+//	@Bind		orderID path
+//	@Bind		form body
+func (*order) refund(ctx fiber.Ctx, orderID int64, form *dto.SuperOrderRefundForm) (*models.Order, error) {
+	if form == nil {
+		return nil, errorx.ErrInvalidParameter
+	}
+
+	claims, ok := ctx.Locals(consts.CtxKeyClaims).(*jwt.Claims)
+	if !ok || claims == nil || claims.UserID <= 0 {
+		return nil, errorx.ErrTokenInvalid
+	}
+
+	return services.Order.SuperRefundOrder(
+		ctx,
+		claims.UserID,
+		orderID,
+		form.Force,
+		form.Reason,
+		form.IdempotencyKey,
+		time.Now(),
+	)
+}
+
 // statistics
 //
 //	@Summary	订单统计信息

backend/app/http/super/routes.gen.go

@@ -61,6 +61,17 @@ func (r *Routes) Register(router fiber.Router) {
 		r.order.list,
 		Query[dto.OrderPageFilter]("filter"),
 	))
+	r.log.Debugf("Registering route: Get /super/v1/orders/:orderID -> order.detail")
+	router.Get("/super/v1/orders/:orderID"[len(r.Path()):], DataFunc1(
+		r.order.detail,
+		PathParam[int64]("orderID"),
+	))
+	r.log.Debugf("Registering route: Post /super/v1/orders/:orderID/refund -> order.refund")
+	router.Post("/super/v1/orders/:orderID/refund"[len(r.Path()):], DataFunc2(
+		r.order.refund,
+		PathParam[int64]("orderID"),
+		Body[dto.SuperOrderRefundForm]("form"),
+	))
 	r.log.Debugf("Registering route: Get /super/v1/orders/statistics -> order.statistics")
 	router.Get("/super/v1/orders/statistics"[len(r.Path()):], DataFunc0(
 		r.order.statistics,
@@ -124,6 +135,12 @@ func (r *Routes) Register(router fiber.Router) {
 		PathParam[int64]("userID"),
 		Body[dto.UserStatusUpdateForm]("form"),
 	))
+	r.log.Debugf("Registering route: Patch /super/v1/users/:userID/roles -> user.updateRoles")
+	router.Patch("/super/v1/users/:userID/roles"[len(r.Path()):], Func2(
+		r.user.updateRoles,
+		PathParam[int64]("userID"),
+		Body[dto.UserRolesUpdateForm]("form"),
+	))
 
 	r.log.Info("Successfully registered all routes")
 }

backend/app/http/super/routes.manual.go

@@ -5,5 +5,7 @@ func (r *Routes) Path() string {
 }
 
 func (r *Routes) Middlewares() []any {
-	return []any{}
+	return []any{
+		r.middlewares.SuperAuth,
+	}
 }

backend/app/http/super/user.go

@@ -61,6 +61,22 @@ func (*user) updateStatus(ctx fiber.Ctx, userID int64, form *dto.UserStatusUpdat
 	return services.User.UpdateStatus(ctx, userID, form.Status)
 }
 
+// updateRoles
+//
+//	@Summary	更新用户角色
+//	@Tags		Super
+//	@Accept		json
+//	@Produce	json
+//	@Param		userID	path	int64					true	"UserID"
+//	@Param		form	body	dto.UserRolesUpdateForm	true	"Form"
+//
+//	@Router		/super/v1/users/:userID/roles [patch]
+//	@Bind		userID path
+//	@Bind		form body
+func (*user) updateRoles(ctx fiber.Ctx, userID int64, form *dto.UserRolesUpdateForm) error {
+	return services.User.UpdateRoles(ctx, userID, form.Roles)
+}
+
 // statusList
 //
 //	@Summary	用户状态列表