from typing import Optional, List import json from fastapi import APIRouter, Depends, HTTPException, Body from sqlalchemy.orm import Session from pydantic import BaseModel from app.api.v1 import deps from app.core import security from app.models.user import User, UserRole, UserStatus from app.models.application import Application from app.models.mapping import AppUserMapping from app.schemas.simple_auth import ( TicketExchangeRequest, TicketExchangeResponse, TicketValidateRequest, TicketValidateResponse, PasswordLoginRequest, PasswordLoginResponse, UserRegisterRequest, AdminPasswordResetRequest, AdminPasswordResetResponse, ChangePasswordRequest, MyMappingsResponse, UserMappingResponse, UserPromoteRequest, SsoLoginRequest, SsoLoginResponse ) from app.services.signature_service import SignatureService from app.services.ticket_service import TicketService from app.services.log_service import LogService from app.services.login_log_service import LoginLogService from app.schemas.operation_log import ActionType from app.schemas.login_log import LoginLogCreate, LoginMethod, AuthType from fastapi import Request router = APIRouter() @router.post("/login", response_model=PasswordLoginResponse, summary="密码登录") def login_with_password( req: PasswordLoginRequest, request: Request, db: Session = Depends(deps.get_db), ): """ 1. 如果提供 app_id:应用 SSO 登录,返回 ticket。 2. 如果未提供 app_id:统一认证平台登录,返回 access_token。 """ # --- Platform Login --- if not req.app_id: # Prepare Log log_create = LoginLogCreate( mobile=req.identifier, ip_address=request.client.host, login_method=LoginMethod.UNIFIED_PAGE, auth_type=AuthType.PASSWORD, user_agent=request.headers.get("user-agent") ) # Find user by mobile only user = db.query(User).filter(User.mobile == req.identifier, User.is_deleted == 0).first() if not user: log_create.is_success = 0 log_create.failure_reason = "用户未找到" LoginLogService.create_log(db, log_create) raise HTTPException(status_code=404, detail="用户未找到") log_create.user_id = user.id is_valid = security.verify_password(req.password, user.password_hash) if not is_valid: import logging logger = logging.getLogger(__name__) logger.error(f"Platform Login failed for user {user.mobile}") log_create.is_success = 0 log_create.failure_reason = "密码错误" LoginLogService.create_log(db, log_create) raise HTTPException(status_code=401, detail="密码错误") if user.status != UserStatus.ACTIVE: log_create.is_success = 0 log_create.failure_reason = "用户已禁用" LoginLogService.create_log(db, log_create) raise HTTPException(status_code=400, detail="用户已禁用") # Generate JWT Access Token access_token = security.create_access_token(user.id) # Log Success LoginLogService.create_log(db, log_create) return { "access_token": access_token, "token_type": "bearer", "role": user.role } # --- App SSO Login --- log_create = LoginLogCreate( mobile=req.identifier, ip_address=request.client.host, login_method=LoginMethod.CUSTOM_PAGE, # 假设应用自定义页面调用此接口 auth_type=AuthType.PASSWORD, user_agent=request.headers.get("user-agent") ) # 1. Verify App app = db.query(Application).filter(Application.app_id == req.app_id).first() if not app: log_create.is_success = 0 log_create.failure_reason = "应用未找到" LoginLogService.create_log(db, log_create) raise HTTPException(status_code=404, detail="应用未找到") # 2. Verify Signature (Optional but recommended for server-side calls) if req.sign and req.timestamp: params = { "app_id": req.app_id, "identifier": req.identifier, "password": req.password, "timestamp": req.timestamp, "sign": req.sign } if not SignatureService.verify_signature(app.app_secret, params, req.sign): log_create.is_success = 0 log_create.failure_reason = "签名无效" LoginLogService.create_log(db, log_create) raise HTTPException(status_code=400, detail="签名无效") # 3. Find User user = None # Auto-trim password to prevent common copy-paste errors if req.password: req.password = req.password.strip() # Try by mobile user = db.query(User).filter(User.mobile == req.identifier, User.is_deleted == 0).first() if not user: # Try by mapping mapping = db.query(AppUserMapping).filter( AppUserMapping.app_id == app.id, (AppUserMapping.mapped_key == req.identifier) | (AppUserMapping.mapped_email == req.identifier) ).first() if mapping: user = db.query(User).filter(User.id == mapping.user_id, User.is_deleted == 0).first() if not user: log_create.is_success = 0 log_create.failure_reason = "用户未找到" LoginLogService.create_log(db, log_create) raise HTTPException(status_code=404, detail="用户未找到") log_create.user_id = user.id if user.status != UserStatus.ACTIVE: log_create.is_success = 0 log_create.failure_reason = "用户已禁用" LoginLogService.create_log(db, log_create) raise HTTPException(status_code=400, detail="用户已禁用") # 4. Verify Password import logging logger = logging.getLogger(__name__) # DEBUG: Log password verification details is_valid = security.verify_password(req.password, user.password_hash) if not is_valid: logger.error(f"Password verification failed for user {user.mobile}") log_create.is_success = 0 log_create.failure_reason = "密码错误" LoginLogService.create_log(db, log_create) raise HTTPException(status_code=401, detail="密码错误") # 5. Generate Ticket (Self-Targeting) ticket = TicketService.generate_ticket(user.id, req.app_id) # Log Success (AuthType is PASSWORD leading to TICKET generation, keeping PASSWORD is fine or TICKET) # User requirement: "包括...认证方式". Here the auth method was PASSWORD. LoginLogService.create_log(db, log_create) return {"ticket": ticket} @router.post("/register", response_model=PasswordLoginResponse, summary="用户注册") def register_user( req: UserRegisterRequest, db: Session = Depends(deps.get_db), ): """ 注册新用户 (默认为普通用户)。 """ # Force role to ORDINARY_USER role = UserRole.ORDINARY_USER # Auto-login after registration (return token) if req.password: req.password = req.password.strip() existing_user = db.query(User).filter(User.mobile == req.mobile, User.is_deleted == 0).first() if existing_user: raise HTTPException(status_code=400, detail="手机号已注册") new_user = User( mobile=req.mobile, password_hash=security.get_password_hash(req.password), status=UserStatus.ACTIVE, role=role ) db.add(new_user) db.commit() db.refresh(new_user) # Auto-login after registration (return token) access_token = security.create_access_token(new_user.id) return { "access_token": access_token, "token_type": "bearer", "role": new_user.role } @router.post("/admin/reset-password", response_model=AdminPasswordResetResponse, summary="管理员重置密码") def admin_reset_password( req: AdminPasswordResetRequest, request: Request, db: Session = Depends(deps.get_db), current_user: User = Depends(deps.get_current_active_user), ): """ 超级管理员重置用户密码。 随机生成8位密码,只显示一次。 """ if current_user.role != UserRole.SUPER_ADMIN: raise HTTPException(status_code=403, detail="权限不足") # Verify Admin Password if not security.verify_password(req.admin_password, current_user.password_hash): raise HTTPException(status_code=401, detail="管理员密码错误") target_user = db.query(User).filter(User.id == req.user_id).first() if not target_user: raise HTTPException(status_code=404, detail="用户未找到") # Generate random password (alphanumeric only) new_pwd = security.generate_alphanumeric_password(8) target_user.password_hash = security.get_password_hash(new_pwd) db.add(target_user) db.commit() # Log Operation LogService.create_log( db=db, operator_id=current_user.id, action_type=ActionType.RESET_PASSWORD, target_user_id=target_user.id, target_mobile=target_user.mobile, ip_address=request.client.host, details={} ) return {"new_password": new_pwd} @router.post("/admin/promote", summary="提升用户角色") def promote_user( req: UserPromoteRequest, db: Session = Depends(deps.get_db), current_user: User = Depends(deps.get_current_active_user), ): if current_user.role != UserRole.SUPER_ADMIN: raise HTTPException(status_code=403, detail="权限不足") if req.new_role not in [UserRole.SUPER_ADMIN, UserRole.DEVELOPER]: raise HTTPException(status_code=400, detail="只能提升为管理员 or 开发者") target_user = db.query(User).filter(User.id == req.user_id).first() if not target_user: raise HTTPException(status_code=404, detail="用户未找到") target_user.role = req.new_role db.add(target_user) db.commit() return {"message": "success"} @router.get("/me/mappings", response_model=MyMappingsResponse, summary="我的映射") def get_my_mappings( skip: int = 0, limit: int = 10, app_name: str = None, db: Session = Depends(deps.get_db), current_user: User = Depends(deps.get_current_active_user), ): query = db.query(AppUserMapping).join(Application).filter(AppUserMapping.user_id == current_user.id) if app_name: query = query.filter(Application.app_name.ilike(f"%{app_name}%")) total = query.count() mappings = query.order_by(AppUserMapping.id.desc()).offset(skip).limit(limit).all() result = [] for m in mappings: result.append(UserMappingResponse( app_name=m.application.app_name if m.application else "Unknown", app_id=m.application.app_id if m.application else "", protocol_type=m.application.protocol_type if m.application else "", mapped_key=m.mapped_key, mapped_email=m.mapped_email, is_active=m.is_active )) return {"total": total, "items": result} @router.post("/me/change-password", summary="修改密码") def change_my_password( req: ChangePasswordRequest, db: Session = Depends(deps.get_db), current_user: User = Depends(deps.get_current_active_user), ): if not security.verify_password(req.old_password, current_user.password_hash): raise HTTPException(status_code=400, detail="旧密码错误") if req.new_password: req.new_password = req.new_password.strip() current_user.password_hash = security.get_password_hash(req.new_password) db.add(current_user) db.commit() return {"message": "密码修改成功"} @router.post("/exchange", response_model=TicketExchangeResponse, summary="票据交换") def exchange_ticket( req: TicketExchangeRequest, db: Session = Depends(deps.get_db), ): """ 源应用调用以获取目标应用的票据。 """ # 1. Verify Source App source_app = db.query(Application).filter(Application.app_id == req.app_id).first() if not source_app: raise HTTPException(status_code=404, detail="源应用未找到") # 2. Verify Signature params = { "app_id": req.app_id, "target_app_id": req.target_app_id, "user_mobile": req.user_mobile, "timestamp": req.timestamp, "sign": req.sign } # Use the stored secret to verify if not SignatureService.verify_signature(source_app.app_secret, params, req.sign): raise HTTPException(status_code=400, detail="签名无效") # 3. Verify User Existence (Optional: Do we trust source app completely? Usually yes if signed.) # But we need user_id to generate ticket. # We query by mobile. user = db.query(User).filter(User.mobile == req.user_mobile, User.is_deleted == 0).first() if not user: # If user doesn't exist, we might auto-create OR fail. # Requirement: "Returns redirect_url". # For simplicity, if user not found, we cannot map. raise HTTPException(status_code=404, detail="用户在 UAP 中未找到") # 4. Generate Ticket for Target App # Logic: The ticket allows the user to log in to Target App. ticket = TicketService.generate_ticket(user.id, req.target_app_id) # 5. Get Target App URL target_app = db.query(Application).filter(Application.app_id == req.target_app_id).first() if not target_app: raise HTTPException(status_code=404, detail="目标应用未找到") # Construct redirect URL # Assuming target app handles /callback?ticket=... # We use the first redirect_uri or notification_url or custom logic. # Simplicity: We return the ticket and let the Source App handle the redirect, # OR we return a full redirect URL if target_app has a base URL configured. # Let's assume redirect_uris is a JSON list. redirect_base = "" if target_app.redirect_uris: try: # 尝试作为 JSON 数组解析 uris = json.loads(target_app.redirect_uris) if isinstance(uris, list) and len(uris) > 0: redirect_base = uris[0] elif isinstance(uris, str): redirect_base = uris except (json.JSONDecodeError, TypeError): # 如果不是 JSON 格式,直接作为字符串使用 redirect_base = target_app.redirect_uris.strip() if not redirect_base: # Fallback or error redirect_base = "http://unknown-target-url" full_redirect_url = f"{redirect_base}?ticket={ticket}" return { "ticket": ticket, "redirect_url": full_redirect_url } @router.post("/sso-login", response_model=SsoLoginResponse, summary="SSO 登录 (简易模式)") def sso_login( req: SsoLoginRequest, request: Request, db: Session = Depends(deps.get_db), current_user: Optional[User] = Depends(deps.get_current_active_user_optional), ): """ 简易 API 应用的 SSO 登录。 返回带有票据的重定向 URL。 支持: 1. 用户名 + 密码登录 2. 基于会话的自动登录(如果已登录) """ # 1. Verify App app = db.query(Application).filter(Application.app_id == req.app_id).first() # Prepare Log log_create = LoginLogCreate( ip_address=request.client.host, login_method=LoginMethod.DIRECT_JUMP, auth_type=AuthType.SSO, user_agent=request.headers.get("user-agent"), mobile=req.username ) if not app: log_create.is_success = 0 log_create.failure_reason = "应用未找到" LoginLogService.create_log(db, log_create) raise HTTPException(status_code=404, detail="应用未找到") if app.protocol_type != "SIMPLE_API": log_create.is_success = 0 log_create.failure_reason = "协议不支持" LoginLogService.create_log(db, log_create) raise HTTPException(status_code=400, detail="SSO 登录仅支持简易 API 应用。OIDC 请使用标准流程。") user = None # 2. Try Session Login first if current_user: user = current_user log_create.user_id = user.id log_create.mobile = user.mobile log_create.auth_type = AuthType.TOKEN # Used existing session # 3. If no session, try Credentials Login if not user and req.username and req.password: log_create.auth_type = AuthType.PASSWORD # Verify User Credentials user_query = db.query(User).filter(User.mobile == req.username, User.is_deleted == 0).first() if not user_query: # Check mapping mapping = db.query(AppUserMapping).filter( AppUserMapping.app_id == app.id, (AppUserMapping.mapped_key == req.username) | (AppUserMapping.mapped_email == req.username) ).first() if mapping: user_query = db.query(User).filter(User.id == mapping.user_id, User.is_deleted == 0).first() if user_query and security.verify_password(req.password, user_query.password_hash): user = user_query log_create.user_id = user.id if not user: log_create.is_success = 0 log_create.failure_reason = "认证失败" LoginLogService.create_log(db, log_create) raise HTTPException(status_code=401, detail="认证失败") if user.status != "ACTIVE": log_create.is_success = 0 log_create.failure_reason = "用户已禁用" LoginLogService.create_log(db, log_create) raise HTTPException(status_code=400, detail="用户已禁用") # 4. Generate Ticket ticket = TicketService.generate_ticket(user.id, req.app_id) # Log Success LoginLogService.create_log(db, log_create) # 5. Get Redirect URL redirect_base = "" if app.redirect_uris: try: # 尝试作为 JSON 数组解析 uris = json.loads(app.redirect_uris) if isinstance(uris, list) and len(uris) > 0: redirect_base = uris[0] elif isinstance(uris, str): redirect_base = uris except (json.JSONDecodeError, TypeError): # 如果不是 JSON 格式,直接作为字符串使用 redirect_base = app.redirect_uris.strip() if not redirect_base: raise HTTPException(status_code=400, detail="应用未配置重定向 URI") full_redirect_url = f"{redirect_base}?ticket={ticket}" return {"redirect_url": full_redirect_url} @router.post("/validate", response_model=TicketValidateResponse, summary="验证票据") def validate_ticket( req: TicketValidateRequest, db: Session = Depends(deps.get_db), ): """ 目标应用调用以消费票据。 """ # 1. Verify App app = db.query(Application).filter(Application.app_id == req.app_id).first() if not app: raise HTTPException(status_code=404, detail="应用未找到") # 2. Verify Signature params = { "ticket": req.ticket, "app_id": req.app_id, "timestamp": req.timestamp, "sign": req.sign } if not SignatureService.verify_signature(app.app_secret, params, req.sign): raise HTTPException(status_code=400, detail="签名无效") # 3. Consume Ticket ticket_data = TicketService.consume_ticket(req.ticket, req.app_id) if not ticket_data: return {"valid": False} user_id = ticket_data["user_id"] # 4. Get User Info & Mapping user = db.query(User).filter(User.id == user_id).first() mapping = db.query(AppUserMapping).filter( AppUserMapping.app_id == app.id, AppUserMapping.user_id == user_id ).first() mapped_key = mapping.mapped_key if mapping else None mapped_email = mapping.mapped_email if mapping else None return { "valid": True, "user_id": user.id, "mobile": user.mobile, "mapped_key": mapped_key, "mapped_email": mapped_email }