futu_rest/routes/trd/

account.rs

//! REST trade account discovery route and projection helpers.

use std::sync::Arc;

use axum::extract::{Extension, Json, State};
use serde_json::Value;

use futu_auth::KeyRecord;
use futu_core::{account_locator, proto_id};
use futu_proto::trd_get_acc_list;

use crate::adapter::{self, RestState};

use super::ApiResult;

/// GET /api/accounts — 获取交易账户列表.
///
/// v1.4.103 codex F6 (P2): 受限 key (allowed_acc_ids 非空) 调用此 endpoint
/// 时, daemon 按 allowed_acc_ids filter 返回的 acc_list — 之前不 filter, 受限
/// key 仍能看到全部账户的 acc_id 列表 (信息泄漏, 跨租户 discovery).
///
/// v1.4.104 阶段 7-1: 删 35 LoC inline JSON-level filter, 改走 adapter 的
/// `proto_request_with_filter` → `FilterRegistry::apply` (proto-bytes-level).
/// 跟 gRPC server.rs / WS ws_listener.rs 同源 (cross-surface 单一注册表).
///
/// **codex 0522 F2 v1.4.106**: 改走 `proto_request_with_ctx` 接完整
/// `CallerContext` (含 `key_id` + `allowed_acc_ids`), 单一来源:
/// (1) IncomingRequest.caller_allowed_acc_ids defense-in-depth
/// (2) IncomingRequest.caller_key_id per-key 审计 / cleanup
/// (3) FilterRegistry::apply 响应 acc_list 过滤
/// 之前手写 .and_then(|r| r.allowed_acc_ids.as_ref()).filter(non-empty)
/// 容易让 REST 自己定义一套 empty-set 语义；现在走
/// CallerContext::from_key_record 自动对齐核心 `futu-auth::Limits` contract:
/// None / empty = 无限制，deny-all 使用 sentinel `{0}`。
pub async fn get_acc_list(
    State(state): State<RestState>,
    rec: Option<Extension<Arc<KeyRecord>>>,
) -> ApiResult {
    let ctx =
        crate::caller_context::CallerContext::from_key_record(rec.as_deref().map(|r| r.as_ref()));
    let discovery_body = serde_json::json!({
        "c2s": {
            // REST `/api/accounts` first asks daemon for raw discovery
            // (all categories + general security), then projects the JSON to
            // the same App-visible default as `futucli account`. Futures-only
            // rows remain available through lower-level proto surfaces, but
            // are not a standalone App-visible account row.
            "need_general_sec_account": true
        }
    });

    let Json(mut rsp) =
        adapter::proto_request_with_ctx::<trd_get_acc_list::Request, trd_get_acc_list::Response>(
            &state,
            proto_id::TRD_GET_ACC_LIST,
            Some(discovery_body),
            None,
            Some(&ctx),
        )
        .await?;
    apply_app_visible_account_projection_json(&mut rsp);
    Ok(Json(rsp))
}

fn is_app_visible_account_json(acc: &Value) -> bool {
    let acc_label = acc.get("acc_label").and_then(Value::as_str);
    let markets = acc
        .get("trd_market_auth_list")
        .and_then(Value::as_array)
        .map(|items| {
            items
                .iter()
                .filter_map(Value::as_i64)
                .filter_map(|m| i32::try_from(m).ok())
                .collect::<Vec<_>>()
        })
        .unwrap_or_default();
    account_locator::is_app_visible_account_parts(&markets, acc_label)
}

fn apply_app_visible_account_projection_json(rsp: &mut Value) {
    if let Some(list) = rsp
        .get_mut("s2c")
        .and_then(|s2c| s2c.get_mut("acc_list"))
        .and_then(Value::as_array_mut)
    {
        list.retain(is_app_visible_account_json);
        for acc in list {
            apply_visible_card_num_json(acc);
        }
    }
}

fn non_empty_str_field(acc: &Value, field: &str) -> Option<String> {
    acc.get(field)
        .and_then(Value::as_str)
        .map(str::trim)
        .filter(|s| !s.is_empty())
        .map(ToOwned::to_owned)
}

fn apply_visible_card_num_json(acc: &mut Value) {
    let raw_card_num = non_empty_str_field(acc, "card_num");
    let visible_card_num =
        non_empty_str_field(acc, "uni_card_num").or_else(|| raw_card_num.clone());
    let Some(visible_card_num) = visible_card_num else {
        return;
    };
    let Some(obj) = acc.as_object_mut() else {
        return;
    };

    if let Some(raw) = raw_card_num
        && raw != visible_card_num
    {
        obj.entry("raw_card_num".to_string())
            .or_insert_with(|| Value::String(raw));
    }
    obj.insert("card_num".to_string(), Value::String(visible_card_num));
}

#[cfg(test)]
mod tests;