add

backend/src/main/java/com/toyshop/config/RestExceptionHandler.java

@@ -2,6 +2,7 @@ package com.toyshop.config;
 
 import com.toyshop.dto.ApiResponse;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.core.AuthenticationException;
 import org.springframework.web.bind.MethodArgumentNotValidException;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.ResponseStatus;
@@ -23,4 +24,10 @@ public class RestExceptionHandler {
         : ex.getBindingResult().getAllErrors().get(0).getDefaultMessage();
     return ApiResponse.fail(msg);
   }
+
+  @ExceptionHandler(AuthenticationException.class)
+  @ResponseStatus(HttpStatus.UNAUTHORIZED)
+  public ApiResponse<?> handleAuth(AuthenticationException ex) {
+    return ApiResponse.fail("用户名或密码错误");
+  }
 }

backend/src/main/java/com/toyshop/config/SecurityConfig.java

@@ -7,6 +7,7 @@ import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
@@ -37,7 +38,8 @@ public class SecurityConfig {
         .cors(cors -> cors.configurationSource(corsConfigurationSource()))
         .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
         .authorizeHttpRequests(auth -> auth
-            .requestMatchers("/api/auth/**", "/api/public/**").permitAll()
+            .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
+            .requestMatchers("/api/auth/**", "/api/public/**", "/error").permitAll()
             .anyRequest().authenticated()
         )
         .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
@@ -60,9 +62,10 @@ public class SecurityConfig {
   @Bean
   public CorsConfigurationSource corsConfigurationSource() {
     CorsConfiguration config = new CorsConfiguration();
-    config.setAllowedOrigins(List.of("*"));
+    config.setAllowedOriginPatterns(List.of("*"));
     config.setAllowedMethods(List.of("GET", "POST", "PUT", "DELETE", "OPTIONS"));
     config.setAllowedHeaders(List.of("*"));
+    config.setAllowCredentials(false);
     UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
     source.registerCorsConfiguration("/**", config);
     return source;

backend/src/main/java/com/toyshop/config/WebConfig.java

@@ -0,0 +1,18 @@
+package com.toyshop.config;
+
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+@Configuration
+public class WebConfig implements WebMvcConfigurer {
+  @Value("${app.upload.dir}")
+  private String uploadDir;
+
+  @Override
+  public void addResourceHandlers(ResourceHandlerRegistry registry) {
+    String location = "file:/" + uploadDir.replace("\\", "/") + "/";
+    registry.addResourceHandler("/files/**").addResourceLocations(location);
+  }
+}

backend/src/main/java/com/toyshop/controller/admin/UploadController.java

@@ -0,0 +1,40 @@
+package com.toyshop.controller.admin;
+
+import com.toyshop.dto.ApiResponse;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.util.StringUtils;
+import org.springframework.web.bind.annotation.*;
+import org.springframework.web.multipart.MultipartFile;
+
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.UUID;
+
+@RestController
+@RequestMapping("/api/admin")
+@PreAuthorize("hasRole('ADMIN')")
+public class UploadController {
+  @Value("${app.upload.dir}")
+  private String uploadDir;
+
+  @PostMapping("/upload")
+  public ApiResponse<?> upload(@RequestParam("file") MultipartFile file) throws IOException {
+    if (file.isEmpty()) {
+      return ApiResponse.fail("文件为空");
+    }
+    String original = file.getOriginalFilename();
+    String ext = StringUtils.getFilenameExtension(original);
+    String filename = UUID.randomUUID().toString().replace("-", "");
+    if (ext != null && !ext.isBlank()) {
+      filename = filename + "." + ext;
+    }
+    Path target = Paths.get(uploadDir, filename);
+    Files.createDirectories(target.getParent());
+    file.transferTo(target);
+    String url = "/files/" + filename;
+    return ApiResponse.ok(url);
+  }
+}

backend/src/main/java/com/toyshop/entity/Category.java

@@ -1,8 +1,10 @@
 package com.toyshop.entity;
 
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import jakarta.persistence.*;
 
 @Entity
+@JsonIgnoreProperties({"hibernateLazyInitializer", "handler"})
 @Table(name = "categories")
 public class Category {
   @Id

backend/src/main/java/com/toyshop/entity/Product.java

@@ -1,5 +1,6 @@
 package com.toyshop.entity;
 
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import jakarta.persistence.*;
 import java.math.BigDecimal;
 import java.time.LocalDateTime;
@@ -11,8 +12,9 @@ public class Product {
   @GeneratedValue(strategy = GenerationType.IDENTITY)
   private Long id;
 
-  @ManyToOne(fetch = FetchType.LAZY)
+  @ManyToOne(fetch = FetchType.EAGER)
   @JoinColumn(name = "category_id")
+  @JsonIgnoreProperties({"hibernateLazyInitializer", "handler"})
   private Category category;
 
   @Column(nullable = false, length = 100)

backend/src/main/resources/application.yml

@@ -18,3 +18,5 @@ app:
   jwt:
     secret: change-this-secret-for-prod-change-this-secret
     expire-hours: 24
+  upload:
+    dir: D:/bs/shopping/files