refactor: remove GORM FK associations, handle relations in business layer (v0.6.1)

- Remove Role association field from User model
- Remove User association field from Token model
- controller/user.go: query Role separately after loading User
- controller/token.go: query User and Role with separate DB calls
- handler/admin.go: introduce userResp type, build role info manually;
  batch-load roles in AdminListUsers to avoid N+1

🤖 Generated with [Qoder][https://qoder.com]

internal/handler/admin.go

@@ -3,6 +3,7 @@ package handler
 import (
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/loveuer/nf"
 	"github.com/loveuer/nf/nft/log"
@@ -12,14 +13,65 @@ import (
 	"github.com/spf13/cast"
 )
 
+// userResp is the JSON response shape for a user including role info,
+// built manually at the business layer instead of relying on GORM associations.
+type userResp struct {
+	ID        uint       `json:"id"`
+	Username  string     `json:"username"`
+	RoleID    uint       `json:"role_id"`
+	Role      model.Role `json:"role"`
+	Active    bool       `json:"active"`
+	CreatedAt time.Time  `json:"created_at"`
+	UpdatedAt time.Time  `json:"updated_at"`
+}
+
+func toUserResp(u model.User, r model.Role) userResp {
+	return userResp{
+		ID:        u.ID,
+		Username:  u.Username,
+		RoleID:    u.RoleID,
+		Role:      r,
+		Active:    u.Active,
+		CreatedAt: u.CreatedAt,
+		UpdatedAt: u.UpdatedAt,
+	}
+}
+
 func AdminListUsers() nf.HandlerFunc {
 	return func(c *nf.Ctx) error {
 		var users []model.User
-		if err := db.Default.Session().Preload("Role").Find(&users).Error; err != nil {
+		if err := db.Default.Session().Find(&users).Error; err != nil {
 			log.Error("handler.AdminListUsers: %s", err.Error())
 			return c.Status(http.StatusInternalServerError).JSON(map[string]string{"msg": "查询失败"})
 		}
-		return c.Status(http.StatusOK).JSON(map[string]any{"data": users})
+
+		// Collect unique role IDs and query them in one shot
+		roleIDSet := make(map[uint]struct{})
+		for _, u := range users {
+			roleIDSet[u.RoleID] = struct{}{}
+		}
+		roleIDs := make([]uint, 0, len(roleIDSet))
+		for id := range roleIDSet {
+			roleIDs = append(roleIDs, id)
+		}
+
+		var roles []model.Role
+		if err := db.Default.Session().Where("id IN ?", roleIDs).Find(&roles).Error; err != nil {
+			log.Error("handler.AdminListUsers: query roles: %s", err.Error())
+			return c.Status(http.StatusInternalServerError).JSON(map[string]string{"msg": "查询失败"})
+		}
+
+		roleMap := make(map[uint]model.Role, len(roles))
+		for _, r := range roles {
+			roleMap[r.ID] = r
+		}
+
+		resp := make([]userResp, 0, len(users))
+		for _, u := range users {
+			resp = append(resp, toUserResp(u, roleMap[u.RoleID]))
+		}
+
+		return c.Status(http.StatusOK).JSON(map[string]any{"data": resp})
 	}
 }
 
@@ -57,6 +109,11 @@ func AdminCreateUser() nf.HandlerFunc {
 			return c.Status(http.StatusBadRequest).JSON(map[string]string{"msg": "用户名已存在"})
 		}
 
+		var role model.Role
+		if err := db.Default.Session().First(&role, req.RoleID).Error; err != nil {
+			return c.Status(http.StatusBadRequest).JSON(map[string]string{"msg": "无效的角色"})
+		}
+
 		user := &model.User{
 			Username: req.Username,
 			Password: tool.NewPassword(req.Password),
@@ -69,11 +126,7 @@ func AdminCreateUser() nf.HandlerFunc {
 			return c.Status(http.StatusInternalServerError).JSON(map[string]string{"msg": "创建用户失败"})
 		}
 
-		if err := db.Default.Session().Preload("Role").First(user, user.ID).Error; err != nil {
-			log.Error("handler.AdminCreateUser: preload role: %s", err.Error())
-		}
-
-		return c.Status(http.StatusOK).JSON(map[string]any{"data": user})
+		return c.Status(http.StatusOK).JSON(map[string]any{"data": toUserResp(*user, role)})
 	}
 }
 
@@ -97,11 +150,16 @@ func AdminUpdateUser() nf.HandlerFunc {
 
 		session := c.Locals("user").(*model.Session)
 
-		user := new(model.User)
-		if err := db.Default.Session().Preload("Role").First(user, id).Error; err != nil {
+		var user model.User
+		if err := db.Default.Session().First(&user, id).Error; err != nil {
 			return c.Status(http.StatusNotFound).JSON(map[string]string{"msg": "用户不存在"})
 		}
 
+		var currentRole model.Role
+		if err := db.Default.Session().First(&currentRole, user.RoleID).Error; err != nil {
+			return c.Status(http.StatusInternalServerError).JSON(map[string]string{"msg": "查询角色失败"})
+		}
+
 		updates := map[string]any{}
 
 		if req.RoleID != nil && *req.RoleID != user.RoleID {
@@ -110,7 +168,7 @@ func AdminUpdateUser() nf.HandlerFunc {
 				return c.Status(http.StatusBadRequest).JSON(map[string]string{"msg": "无效的角色"})
 			}
 			// If demoting from admin, ensure at least one other active admin remains
-			if user.Role.Name == model.RoleAdmin && newRole.Name != model.RoleAdmin {
+			if currentRole.Name == model.RoleAdmin && newRole.Name != model.RoleAdmin {
 				var adminCount int64
 				db.Default.Session().Model(&model.User{}).
 					Where("role_id = ? AND active = ? AND id != ?", user.RoleID, true, id).
@@ -120,13 +178,14 @@ func AdminUpdateUser() nf.HandlerFunc {
 				}
 			}
 			updates["role_id"] = *req.RoleID
+			currentRole = newRole
 		}
 
 		if req.Active != nil && *req.Active != user.Active {
 			if user.ID == session.UserID && !*req.Active {
 				return c.Status(http.StatusBadRequest).JSON(map[string]string{"msg": "不能禁用自己的账号"})
 			}
-			if user.Role.Name == model.RoleAdmin && !*req.Active {
+			if currentRole.Name == model.RoleAdmin && !*req.Active {
 				var adminCount int64
 				db.Default.Session().Model(&model.User{}).
 					Where("role_id = ? AND active = ? AND id != ?", user.RoleID, true, id).
@@ -149,16 +208,12 @@ func AdminUpdateUser() nf.HandlerFunc {
 			return c.Status(http.StatusBadRequest).JSON(map[string]string{"msg": "没有需要更新的字段"})
 		}
 
-		if err := db.Default.Session().Model(user).Updates(updates).Error; err != nil {
+		if err := db.Default.Session().Model(&user).Updates(updates).Error; err != nil {
 			log.Error("handler.AdminUpdateUser: %s", err.Error())
 			return c.Status(http.StatusInternalServerError).JSON(map[string]string{"msg": "更新失败"})
 		}
 
-		if err := db.Default.Session().Preload("Role").First(user, user.ID).Error; err != nil {
-			log.Error("handler.AdminUpdateUser: preload: %s", err.Error())
-		}
-
-		return c.Status(http.StatusOK).JSON(map[string]any{"data": user})
+		return c.Status(http.StatusOK).JSON(map[string]any{"data": toUserResp(user, currentRole)})
 	}
 }
 
@@ -174,13 +229,18 @@ func AdminDeleteUser() nf.HandlerFunc {
 			return c.Status(http.StatusBadRequest).JSON(map[string]string{"msg": "不能删除自己的账号"})
 		}
 
-		user := new(model.User)
-		if err := db.Default.Session().Preload("Role").First(user, id).Error; err != nil {
+		var user model.User
+		if err := db.Default.Session().First(&user, id).Error; err != nil {
 			return c.Status(http.StatusNotFound).JSON(map[string]string{"msg": "用户不存在"})
 		}
 
-		// Prevent deleting the last admin
-		if user.Role.Name == model.RoleAdmin {
+		// Prevent deleting the last admin: check via role name
+		var userRole model.Role
+		if err := db.Default.Session().First(&userRole, user.RoleID).Error; err != nil {
+			return c.Status(http.StatusInternalServerError).JSON(map[string]string{"msg": "查询角色失败"})
+		}
+
+		if userRole.Name == model.RoleAdmin {
 			var adminCount int64
 			db.Default.Session().Model(&model.User{}).
 				Where("role_id = ? AND id != ?", user.RoleID, id).
@@ -190,7 +250,7 @@ func AdminDeleteUser() nf.HandlerFunc {
 			}
 		}
 
-		if err := db.Default.Session().Delete(user).Error; err != nil {
+		if err := db.Default.Session().Delete(&user).Error; err != nil {
 			log.Error("handler.AdminDeleteUser: %s", err.Error())
 			return c.Status(http.StatusInternalServerError).JSON(map[string]string{"msg": "删除失败"})
 		}