Unified_Authentication_Platform/backend/app/api/v1/endpoints/simple_auth.py

from typing import Optional, List
import json
from datetime import timedelta
from fastapi import APIRouter, Depends, HTTPException, Body
from sqlalchemy.orm import Session
from pydantic import BaseModel

from app.api.v1 import deps
from app.core import security
from app.core.config import settings
from app.core.utils import generate_english_name
from app.models.user import User, UserRole, UserStatus
from app.models.application import Application
from app.models.mapping import AppUserMapping
from app.schemas.simple_auth import (
    TicketExchangeRequest, TicketExchangeResponse,
    TicketValidateRequest, TicketValidateResponse,
    PasswordLoginRequest, PasswordLoginResponse,
    UserRegisterRequest, AdminPasswordResetRequest, AdminPasswordResetResponse,
    ChangePasswordRequest, MyMappingsResponse, UserMappingResponse,
    UserPromoteRequest, SsoLoginRequest, SsoLoginResponse
)
from app.services.signature_service import SignatureService
from app.services.ticket_service import TicketService
from app.services.log_service import LogService
from app.services.login_log_service import LoginLogService
from app.schemas.operation_log import ActionType
from app.schemas.login_log import LoginLogCreate, LoginMethod, AuthType
from fastapi import Request

router = APIRouter()

@router.post("/login", response_model=PasswordLoginResponse, summary="密码登录")
def login_with_password(
    req: PasswordLoginRequest,
    request: Request,
    db: Session = Depends(deps.get_db),
):
    """
    1. 如果提供 app_id：应用 SSO 登录，返回 ticket。
    2. 如果未提供 app_id：统一认证平台登录，返回 access_token。
    """
    
    # --- Platform Login ---
    if not req.app_id:
        # Prepare Log
        log_create = LoginLogCreate(
            mobile=req.identifier,
            ip_address=request.client.host,
            login_method=LoginMethod.UNIFIED_PAGE,
            auth_type=AuthType.PASSWORD,
            user_agent=request.headers.get("user-agent")
        )

        # Find user by mobile only
        user = db.query(User).filter(User.mobile == req.identifier, User.is_deleted == 0).first()
        if not user:
            log_create.is_success = 0
            log_create.failure_reason = "用户未找到"
            LoginLogService.create_log(db, log_create)
            raise HTTPException(status_code=404, detail="用户未找到")
        
        log_create.user_id = user.id

        is_valid = security.verify_password(req.password, user.password_hash)
        if not is_valid:
            import logging
            logger = logging.getLogger(__name__)
            logger.error(f"Platform Login failed for user {user.mobile}")
            
            log_create.is_success = 0
            log_create.failure_reason = "密码错误"
            LoginLogService.create_log(db, log_create)
            
            raise HTTPException(status_code=401, detail="密码错误")
            
        if user.status != UserStatus.ACTIVE:
            log_create.is_success = 0
            log_create.failure_reason = "用户已禁用"
            LoginLogService.create_log(db, log_create)
            raise HTTPException(status_code=400, detail="用户已禁用")

        # Generate JWT Access Token
        access_token_expires = timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
        if req.remember_me:
             access_token_expires = timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES_LONG)
        access_token = security.create_access_token(
            user.id, 
            expires_delta=access_token_expires,
            is_long_term=req.remember_me
        )
        
        # Log Success
        LoginLogService.create_log(db, log_create)

        return {
            "access_token": access_token, 
            "token_type": "bearer",
            "role": user.role
        }

    # --- App SSO Login ---
    log_create = LoginLogCreate(
        mobile=req.identifier,
        ip_address=request.client.host,
        login_method=LoginMethod.CUSTOM_PAGE, # 假设应用自定义页面调用此接口
        auth_type=AuthType.PASSWORD,
        user_agent=request.headers.get("user-agent")
    )

    # 1. Verify App
    app = db.query(Application).filter(Application.app_id == req.app_id).first()
    if not app:
        log_create.is_success = 0
        log_create.failure_reason = "应用未找到"
        LoginLogService.create_log(db, log_create)
        raise HTTPException(status_code=404, detail="应用未找到")

    # 2. Verify Signature (Optional but recommended for server-side calls)
    if req.sign and req.timestamp:
        params = {
            "app_id": req.app_id,
            "identifier": req.identifier,
            "password": req.password,
            "timestamp": req.timestamp,
            "sign": req.sign
        }
        if not SignatureService.verify_signature(app.app_secret, params, req.sign):
            log_create.is_success = 0
            log_create.failure_reason = "签名无效"
            LoginLogService.create_log(db, log_create)
            raise HTTPException(status_code=400, detail="签名无效")

    # 3. Find User
    user = None
    
    # Auto-trim password to prevent common copy-paste errors
    if req.password:
        req.password = req.password.strip()

    # Try by mobile
    user = db.query(User).filter(User.mobile == req.identifier, User.is_deleted == 0).first()
    
    if not user:
        # Try by mapping
        mapping = db.query(AppUserMapping).filter(
            AppUserMapping.app_id == app.id,
            (AppUserMapping.mapped_key == req.identifier) | (AppUserMapping.mapped_email == req.identifier)
        ).first()
        
        if mapping:
            user = db.query(User).filter(User.id == mapping.user_id, User.is_deleted == 0).first()

    if not user:
        log_create.is_success = 0
        log_create.failure_reason = "用户未找到"
        LoginLogService.create_log(db, log_create)
        raise HTTPException(status_code=404, detail="用户未找到")

    log_create.user_id = user.id

    if user.status != UserStatus.ACTIVE:
        log_create.is_success = 0
        log_create.failure_reason = "用户已禁用"
        LoginLogService.create_log(db, log_create)
        raise HTTPException(status_code=400, detail="用户已禁用")

    # 4. Verify Password
    import logging
    logger = logging.getLogger(__name__)
    
    # DEBUG: Log password verification details
    is_valid = security.verify_password(req.password, user.password_hash)
    if not is_valid:
        logger.error(f"Password verification failed for user {user.mobile}")
        
        log_create.is_success = 0
        log_create.failure_reason = "密码错误"
        LoginLogService.create_log(db, log_create)
        
        raise HTTPException(status_code=401, detail="密码错误")

    # 5. Generate Ticket (Self-Targeting)
    ticket = TicketService.generate_ticket(user.id, req.app_id)
    
    # Log Success (AuthType is PASSWORD leading to TICKET generation, keeping PASSWORD is fine or TICKET)
    # User requirement: "包括...认证方式". Here the auth method was PASSWORD.
    LoginLogService.create_log(db, log_create)

    return {"ticket": ticket}

@router.post("/register", response_model=PasswordLoginResponse, summary="用户注册")
def register_user(
    req: UserRegisterRequest,
    db: Session = Depends(deps.get_db),
):
    """
    注册新用户 (默认为普通用户)。
    """
    # Force role to ORDINARY_USER
    role = UserRole.ORDINARY_USER

    # Auto-login after registration (return token)
    if req.password:
        req.password = req.password.strip()

    if not security.validate_password_strength(req.password):
        raise HTTPException(status_code=400, detail="密码强度不足，必须包含字母和数字")

    existing_user = db.query(User).filter(User.mobile == req.mobile, User.is_deleted == 0).first()
    if existing_user:
        raise HTTPException(status_code=400, detail="手机号已注册")

    english_name = generate_english_name(req.name)

    new_user = User(
        mobile=req.mobile,
        name=req.name,
        english_name=english_name,
        password_hash=security.get_password_hash(req.password),
        status=UserStatus.ACTIVE,
        role=role
    )
    db.add(new_user)
    db.commit()
    db.refresh(new_user)

    # Auto-login after registration (return token)
    access_token = security.create_access_token(new_user.id)
    return {
        "access_token": access_token,
        "token_type": "bearer",
        "role": new_user.role
    }

@router.post("/admin/reset-password", response_model=AdminPasswordResetResponse, summary="管理员重置密码")
def admin_reset_password(
    req: AdminPasswordResetRequest,
    request: Request,
    db: Session = Depends(deps.get_db),
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    超级管理员重置用户密码。
    随机生成8位密码，只显示一次。
    """
    if current_user.role != UserRole.SUPER_ADMIN:
        raise HTTPException(status_code=403, detail="权限不足")

    # Verify Admin Password
    if not security.verify_password(req.admin_password, current_user.password_hash):
        raise HTTPException(status_code=401, detail="管理员密码错误")

    target_user = db.query(User).filter(User.id == req.user_id).first()
    if not target_user:
        raise HTTPException(status_code=404, detail="用户未找到")

    # Generate random password (alphanumeric only)
    new_pwd = security.generate_alphanumeric_password(8)
    target_user.password_hash = security.get_password_hash(new_pwd)
    db.add(target_user)
    db.commit()
    
    # Log Operation
    LogService.create_log(
        db=db,
        operator_id=current_user.id,
        action_type=ActionType.RESET_PASSWORD,
        target_user_id=target_user.id,
        target_mobile=target_user.mobile,
        ip_address=request.client.host,
        details={}
    )

    return {"new_password": new_pwd}

@router.post("/admin/promote", summary="提升用户角色")
def promote_user(
    req: UserPromoteRequest,
    db: Session = Depends(deps.get_db),
    current_user: User = Depends(deps.get_current_active_user),
):
    if current_user.role != UserRole.SUPER_ADMIN:
        raise HTTPException(status_code=403, detail="权限不足")
    
    if req.new_role not in [UserRole.SUPER_ADMIN, UserRole.DEVELOPER]:
        raise HTTPException(status_code=400, detail="只能提升为管理员 or 开发者")

    target_user = db.query(User).filter(User.id == req.user_id).first()
    if not target_user:
        raise HTTPException(status_code=404, detail="用户未找到")
        
    target_user.role = req.new_role
    db.add(target_user)
    db.commit()
    
    return {"message": "success"}

@router.get("/me/mappings", response_model=MyMappingsResponse, summary="我的映射")
def get_my_mappings(
    skip: int = 0,
    limit: int = 10,
    app_name: str = None,
    db: Session = Depends(deps.get_db),
    current_user: User = Depends(deps.get_current_active_user),
):
    query = db.query(AppUserMapping).join(Application).filter(AppUserMapping.user_id == current_user.id)
    
    if app_name:
        query = query.filter(Application.app_name.ilike(f"%{app_name}%"))
        
    total = query.count()
    mappings = query.order_by(AppUserMapping.id.desc()).offset(skip).limit(limit).all()
    
    result = []
    for m in mappings:
        result.append(UserMappingResponse(
            app_name=m.application.app_name if m.application else "Unknown",
            app_id=m.application.app_id if m.application else "",
            protocol_type=m.application.protocol_type if m.application else "",
            mapped_key=m.mapped_key,
            mapped_email=m.mapped_email,
            is_active=m.is_active
        ))
    
    return {"total": total, "items": result}

@router.post("/me/change-password", summary="修改密码")
def change_my_password(
    req: ChangePasswordRequest,
    db: Session = Depends(deps.get_db),
    current_user: User = Depends(deps.get_current_active_user),
):
    if not security.verify_password(req.old_password, current_user.password_hash):
        raise HTTPException(status_code=400, detail="旧密码错误")
        
    if req.new_password:
        req.new_password = req.new_password.strip()

    if not security.validate_password_strength(req.new_password):
        raise HTTPException(status_code=400, detail="密码强度不足，必须包含字母和数字")

    current_user.password_hash = security.get_password_hash(req.new_password)
    db.add(current_user)
    db.commit()
    
    return {"message": "密码修改成功"}

@router.post("/exchange", response_model=TicketExchangeResponse, summary="票据交换")
def exchange_ticket(
    req: TicketExchangeRequest,
    db: Session = Depends(deps.get_db),
):
    """
    源应用调用以获取目标应用的票据。
    """
    # 1. Verify Source App
    source_app = db.query(Application).filter(Application.app_id == req.app_id).first()
    if not source_app:
        raise HTTPException(status_code=404, detail="源应用未找到")
        
    # 2. Verify Signature
    params = {
        "app_id": req.app_id,
        "target_app_id": req.target_app_id,
        "user_mobile": req.user_mobile,
        "timestamp": req.timestamp,
        "sign": req.sign
    }
    
    # Use the stored secret to verify
    if not SignatureService.verify_signature(source_app.app_secret, params, req.sign):
        raise HTTPException(status_code=400, detail="签名无效")
    
    # 3. Verify User Existence (Optional: Do we trust source app completely? Usually yes if signed.)
    # But we need user_id to generate ticket.
    # We query by mobile.
    user = db.query(User).filter(User.mobile == req.user_mobile, User.is_deleted == 0).first()
    if not user:
        # If user doesn't exist, we might auto-create OR fail.
        # Requirement: "Returns redirect_url". 
        # For simplicity, if user not found, we cannot map.
        raise HTTPException(status_code=404, detail="用户在 UAP 中未找到")

    # 4. Generate Ticket for Target App
    # Logic: The ticket allows the user to log in to Target App.
    ticket = TicketService.generate_ticket(user.id, req.target_app_id)
    
    # 5. Get Target App URL
    target_app = db.query(Application).filter(Application.app_id == req.target_app_id).first()
    if not target_app:
        raise HTTPException(status_code=404, detail="目标应用未找到")

    # Construct redirect URL
    # Assuming target app handles /callback?ticket=...
    # We use the first redirect_uri or notification_url or custom logic.
    # Simplicity: We return the ticket and let the Source App handle the redirect, 
    # OR we return a full redirect URL if target_app has a base URL configured.
    # Let's assume redirect_uris is a JSON list.
    redirect_base = ""
    if target_app.redirect_uris:
        try:
            # 尝试作为 JSON 数组解析
            uris = json.loads(target_app.redirect_uris)
            if isinstance(uris, list) and len(uris) > 0:
                redirect_base = uris[0]
            elif isinstance(uris, str):
                redirect_base = uris
        except (json.JSONDecodeError, TypeError):
            # 如果不是 JSON 格式，直接作为字符串使用
            redirect_base = target_app.redirect_uris.strip()
            
    if not redirect_base:
         # Fallback or error
         redirect_base = "http://unknown-target-url"

    full_redirect_url = f"{redirect_base}?ticket={ticket}"

    return {
        "ticket": ticket,
        "redirect_url": full_redirect_url
    }


@router.post("/sso-login", response_model=SsoLoginResponse, summary="SSO 登录 (简易模式)")
def sso_login(
    req: SsoLoginRequest,
    request: Request,
    db: Session = Depends(deps.get_db),
    current_user: Optional[User] = Depends(deps.get_current_active_user_optional),
):
    """
    简易 API 应用的 SSO 登录。
    返回带有票据的重定向 URL。
    支持：
    1. 用户名 + 密码登录
    2. 基于会话的自动登录（如果已登录）
    """
    # 1. Verify App
    app = db.query(Application).filter(Application.app_id == req.app_id).first()
    
    # Prepare Log
    log_create = LoginLogCreate(
        ip_address=request.client.host,
        login_method=LoginMethod.DIRECT_JUMP,
        auth_type=AuthType.SSO,
        user_agent=request.headers.get("user-agent"),
        mobile=req.username
    )
    
    if not app:
        log_create.is_success = 0
        log_create.failure_reason = "应用未找到"
        LoginLogService.create_log(db, log_create)
        raise HTTPException(status_code=404, detail="应用未找到")

    if app.protocol_type != "SIMPLE_API":
         log_create.is_success = 0
         log_create.failure_reason = "协议不支持"
         LoginLogService.create_log(db, log_create)
         raise HTTPException(status_code=400, detail="SSO 登录仅支持简易 API 应用。OIDC 请使用标准流程。")

    user = None
    
    # 2. Try Session Login first
    if current_user:
        user = current_user
        log_create.user_id = user.id
        log_create.mobile = user.mobile
        log_create.auth_type = AuthType.TOKEN # Used existing session
    
    # 3. If no session, try Credentials Login
    if not user and req.username and req.password:
        log_create.auth_type = AuthType.PASSWORD
        # Verify User Credentials
        user_query = db.query(User).filter(User.mobile == req.username, User.is_deleted == 0).first()
        if not user_query:
            # Check mapping
             mapping = db.query(AppUserMapping).filter(
                AppUserMapping.app_id == app.id,
                (AppUserMapping.mapped_key == req.username) | (AppUserMapping.mapped_email == req.username)
            ).first()
             if mapping:
                user_query = db.query(User).filter(User.id == mapping.user_id, User.is_deleted == 0).first()
        
        if user_query and security.verify_password(req.password, user_query.password_hash):
             user = user_query
             log_create.user_id = user.id
    
    if not user:
         log_create.is_success = 0
         log_create.failure_reason = "认证失败"
         LoginLogService.create_log(db, log_create)
         raise HTTPException(status_code=401, detail="认证失败")
        
    if user.status != "ACTIVE":
        log_create.is_success = 0
        log_create.failure_reason = "用户已禁用"
        LoginLogService.create_log(db, log_create)
        raise HTTPException(status_code=400, detail="用户已禁用")

    # 4. Generate Ticket
    ticket = TicketService.generate_ticket(user.id, req.app_id)
    
    # Log Success
    LoginLogService.create_log(db, log_create)
    
    # 5. Get Redirect URL
    redirect_base = ""
    if app.redirect_uris:
        try:
            # 尝试作为 JSON 数组解析
            uris = json.loads(app.redirect_uris)
            if isinstance(uris, list) and len(uris) > 0:
                redirect_base = uris[0]
            elif isinstance(uris, str):
                redirect_base = uris
        except (json.JSONDecodeError, TypeError):
            # 如果不是 JSON 格式，直接作为字符串使用
            redirect_base = app.redirect_uris.strip()
            
    if not redirect_base:
         raise HTTPException(status_code=400, detail="应用未配置重定向 URI")

    full_redirect_url = f"{redirect_base}?ticket={ticket}"
    
    return {"redirect_url": full_redirect_url}

@router.post("/validate", response_model=TicketValidateResponse, summary="验证票据")
def validate_ticket(
    req: TicketValidateRequest,
    db: Session = Depends(deps.get_db),
):
    """
    目标应用调用以消费票据。
    """
    # 1. Verify App
    app = db.query(Application).filter(Application.app_id == req.app_id).first()
    if not app:
        raise HTTPException(status_code=404, detail="应用未找到")

    # 2. Verify Signature
    params = {
        "ticket": req.ticket,
        "app_id": req.app_id,
        "timestamp": req.timestamp,
        "sign": req.sign
    }
    if not SignatureService.verify_signature(app.app_secret, params, req.sign):
        raise HTTPException(status_code=400, detail="签名无效")

    # 3. Consume Ticket
    ticket_data = TicketService.consume_ticket(req.ticket, req.app_id)
    
    if not ticket_data:
        return {"valid": False}

    user_id = ticket_data["user_id"]
    
    # 4. Get User Info & Mapping
    user = db.query(User).filter(User.id == user_id).first()
    
    mapping = db.query(AppUserMapping).filter(
        AppUserMapping.app_id == app.id,
        AppUserMapping.user_id == user_id
    ).first()
    
    mapped_key = mapping.mapped_key if mapping else None
    mapped_email = mapping.mapped_email if mapping else None

    return {
        "valid": True,
        "user_id": user.id,
        "mobile": user.mobile,
        "mapped_key": mapped_key,
        "mapped_email": mapped_email
    }