Unified_Authentication_Platform/backend/app/api/v1/endpoints/apps.py

import secrets
import string
import io
import csv
import pandas as pd
from typing import List
from datetime import datetime
from fastapi import APIRouter, Depends, HTTPException, Response, UploadFile, File, Form, Query
from fastapi.responses import StreamingResponse
from sqlalchemy.orm import Session
from sqlalchemy import desc

from app.api.v1 import deps
from app.core import security
from app.models.application import Application
from app.models.user import User
from app.models.mapping import AppUserMapping
from app.schemas.application import (
    ApplicationCreate,
    ApplicationUpdate,
    ApplicationResponse,
    ApplicationList,
    ApplicationSecretDisplay,
    ViewSecretRequest,
    RegenerateSecretRequest,
    ApplicationTransferRequest,
    AppSyncRequest
)
from app.schemas.mapping import (
    MappingList,
    MappingResponse,
    MappingCreate,
    MappingUpdate,
    MappingDelete,
    MappingPreviewResponse,
    MappingImportSummary,
    MappingStrategy,
    ImportLogResponse
)
from app.schemas.user import UserSyncRequest, UserSyncList
from app.services.mapping_service import MappingService
from app.services.sms_service import SmsService
from app.services.log_service import LogService
from app.schemas.operation_log import ActionType, OperationLogList, OperationLogResponse

router = APIRouter()

def generate_access_token():
    return secrets.token_urlsafe(32)

def generate_app_credentials():
    # Generate a random 16-char App ID (hex or alphanumeric)
    app_id = "app_" + secrets.token_hex(8)
    # Generate a strong 32-char App Secret
    alphabet = string.ascii_letters + string.digits
    app_secret = ''.join(secrets.choice(alphabet) for i in range(32))
    return app_id, app_secret

@router.get("/", response_model=ApplicationList, summary="获取应用列表")
def read_apps(
    skip: int = 0,
    limit: int = 10,
    search: str = None,
    db: Session = Depends(deps.get_db),
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    获取应用列表（分页）。
    超级管理员可以查看所有，开发者只能查看自己的应用。
    """
    query = db.query(Application).filter(Application.is_deleted == False)
    
    if current_user.role != "SUPER_ADMIN":
        query = query.filter(Application.owner_id == current_user.id)
    
    if search:
        # Search by name or app_id
        from sqlalchemy import or_
        query = query.filter(
            or_(
                Application.app_name.ilike(f"%{search}%"),
                Application.app_id.ilike(f"%{search}%")
            )
        )
        
    total = query.count()
    apps = query.order_by(desc(Application.id)).offset(skip).limit(limit).all()
    return {"total": total, "items": apps}

@router.get("/{app_id}", response_model=ApplicationResponse, summary="获取单个应用详情")
def read_app(
    *,
    db: Session = Depends(deps.get_db),
    app_id: int,
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    获取单个应用详情。
    """
    app = db.query(Application).filter(Application.id == app_id).first()
    if not app:
        raise HTTPException(status_code=404, detail="应用未找到")
    
    if current_user.role != "SUPER_ADMIN" and app.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="权限不足")
        
    return app

@router.post("/", response_model=ApplicationSecretDisplay, summary="创建应用")
def create_app(
    *,
    db: Session = Depends(deps.get_db),
    app_in: ApplicationCreate,
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    创建新应用。只会返回一次明文密钥。
    """
    # 1. Generate ID and Secret
    app_id, app_secret = generate_app_credentials()
    # 2. Generate Access Token
    access_token = generate_access_token()
    
    # 3. Store Secret (Plain text needed for HMAC verification)
    
    db_app = Application(
        app_id=app_id,
        app_secret=app_secret,
        access_token=access_token,
        app_name=app_in.app_name,
        icon_url=app_in.icon_url,
        protocol_type=app_in.protocol_type,
        redirect_uris=app_in.redirect_uris,
        notification_url=app_in.notification_url,
        owner_id=current_user.id # Assign owner
    )
    
    db.add(db_app)
    db.commit()
    db.refresh(db_app)

    return ApplicationSecretDisplay(app_id=app_id, app_secret=app_secret, access_token=access_token)

@router.put("/{app_id}", response_model=ApplicationResponse, summary="更新应用")
def update_app(
    *,
    db: Session = Depends(deps.get_db),
    app_id: int,
    app_in: ApplicationUpdate,
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    更新应用信息。需要手机验证码和密码验证。
    """
    app = db.query(Application).filter(Application.id == app_id).first()
    if not app:
        raise HTTPException(status_code=404, detail="应用未找到")
    
    # Check ownership
    if current_user.role != "SUPER_ADMIN" and app.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="权限不足")

    # Security Verification
    if not app_in.verification_code:
         raise HTTPException(status_code=400, detail="需要提供手机验证码")

    if not SmsService.verify_code(current_user.mobile, app_in.verification_code):
        raise HTTPException(status_code=400, detail="验证码无效或已过期")
        
    update_data = app_in.model_dump(exclude_unset=True)
    # Remove security fields from update data
    update_data.pop('password', None)
    update_data.pop('verification_code', None)

    for field, value in update_data.items():
        setattr(app, field, value)
        
    db.add(app)
    db.commit()
    db.refresh(app)

    # 5. Log
    LogService.create_log(
        db=db,
        app_id=app.id,
        operator_id=current_user.id,
        action_type=ActionType.UPDATE,
        details=update_data
    )

    return app

@router.delete("/{app_id}", response_model=ApplicationResponse, summary="删除应用")
def delete_app(
    *,
    db: Session = Depends(deps.get_db),
    app_id: int,
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    软删除应用。
    """
    app = db.query(Application).filter(Application.id == app_id).first()
    if not app:
        raise HTTPException(status_code=404, detail="应用未找到")
    
    # Check ownership
    if current_user.role != "SUPER_ADMIN" and app.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="权限不足")
        
    app.is_deleted = True
    db.add(app)
    db.commit()
    return app

@router.post("/{app_id}/regenerate-secret", response_model=ApplicationSecretDisplay, summary="重新生成密钥")
def regenerate_secret(
    *,
    db: Session = Depends(deps.get_db),
    app_id: int,
    req: RegenerateSecretRequest,
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    重新生成应用密钥。需要手机验证码和密码验证。
    """
    app = db.query(Application).filter(Application.id == app_id).first()
    if not app:
        raise HTTPException(status_code=404, detail="应用未找到")
    
    # Check ownership
    if current_user.role != "SUPER_ADMIN" and app.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="权限不足")
        
    # Security Verification
    if not security.verify_password(req.password, current_user.password_hash):
        raise HTTPException(status_code=403, detail="密码错误")

    if not SmsService.verify_code(current_user.mobile, req.verification_code):
        raise HTTPException(status_code=400, detail="验证码无效或已过期")

    _, new_secret = generate_app_credentials()
    app.app_secret = new_secret
    
    db.add(app)
    db.commit()
    
    # Log
    LogService.create_log(
        db=db,
        app_id=app.id,
        operator_id=current_user.id,
        action_type=ActionType.REGENERATE_SECRET,
        details={"message": "Regenerated App Secret"}
    )

    return ApplicationSecretDisplay(app_id=app.app_id, app_secret=new_secret, access_token=app.access_token)

@router.post("/{app_id}/view-secret", response_model=ApplicationSecretDisplay, summary="查看密钥")
def view_secret(
    *,
    db: Session = Depends(deps.get_db),
    app_id: int,
    req: ViewSecretRequest,
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    查看应用密钥。需要验证用户密码。
    """
    # 1. Verify Password
    if not security.verify_password(req.password, current_user.password_hash):
        raise HTTPException(status_code=403, detail="密码错误")
        
    app = db.query(Application).filter(Application.id == app_id).first()
    if not app:
        raise HTTPException(status_code=404, detail="应用未找到")
    
    # Check ownership
    if current_user.role != "SUPER_ADMIN" and app.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="权限不足")
    
    # Log
    LogService.create_log(
        db=db,
        app_id=app.id,
        operator_id=current_user.id,
        action_type=ActionType.VIEW_SECRET,
        details={"message": "Viewed App Secret"}
    )

    return ApplicationSecretDisplay(app_id=app.app_id, app_secret=app.app_secret, access_token=app.access_token)

@router.post("/{app_id}/transfer", response_model=ApplicationResponse, summary="转让应用")
def transfer_app(
    *,
    db: Session = Depends(deps.get_db),
    app_id: int,
    req: ApplicationTransferRequest,
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    将应用转让给其他开发者或超级管理员。
    需要验证：目标用户手机号、当前用户密码、短信验证码。
    """
    app = db.query(Application).filter(Application.id == app_id).first()
    if not app:
        raise HTTPException(status_code=404, detail="应用未找到")

    # Check ownership
    if current_user.role != "SUPER_ADMIN" and app.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="权限不足")

    # 1. Verify Password
    if not security.verify_password(req.password, current_user.password_hash):
        raise HTTPException(status_code=403, detail="密码错误")

    # 2. Verify SMS Code
    if not SmsService.verify_code(current_user.mobile, req.verification_code):
        raise HTTPException(status_code=400, detail="验证码无效或已过期")

    # 3. Verify Target User
    target_user = db.query(User).filter(User.mobile == req.target_mobile, User.is_deleted == 0).first()
    if not target_user:
        raise HTTPException(status_code=404, detail="目标用户不存在")
    
    if target_user.status != "ACTIVE":
        raise HTTPException(status_code=400, detail="目标用户状态不正常")
        
    if target_user.role not in ["DEVELOPER", "SUPER_ADMIN"]:
        raise HTTPException(status_code=400, detail="目标用户必须是开发者或超级管理员")
        
    if target_user.id == app.owner_id:
        raise HTTPException(status_code=400, detail="应用已归属于该用户")

    # 4. Transfer
    old_owner_id = app.owner_id
    app.owner_id = target_user.id
    
    db.add(app)
    db.commit()
    db.refresh(app)
    
    # 5. Log
    LogService.create_log(
        db=db,
        app_id=app.id,
        operator_id=current_user.id,
        action_type=ActionType.TRANSFER,
        target_user_id=target_user.id,
        target_mobile=target_user.mobile,
        details={
            "old_owner_id": old_owner_id,
            "new_owner_id": target_user.id
        }
    )
    
    return app

# ==========================================
# Mappings
# ==========================================

@router.get("/{app_id}/mappings", response_model=MappingList, summary="获取应用映射列表")
def read_mappings(
    *,
    db: Session = Depends(deps.get_db),
    app_id: int,
    skip: int = 0,
    limit: int = 10,
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    获取应用的账号映射列表。
    """
    app = db.query(Application).filter(Application.id == app_id).first()
    if not app:
        raise HTTPException(status_code=404, detail="应用未找到")
        
    if current_user.role != "SUPER_ADMIN" and app.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="权限不足")

    query = db.query(AppUserMapping).filter(AppUserMapping.app_id == app_id)
    total = query.count()
    mappings = query.order_by(desc(AppUserMapping.id)).offset(skip).limit(limit).all()
    
    # Enrich with user mobile (handled by ORM relation usually, but for Pydantic 'from_attributes')
    # We added `user_mobile` to MappingResponse, so we need to ensure it's populated.
    # The ORM `mapping.user` is lazy loaded, which is fine for sync code.
    result = []
    for m in mappings:
        result.append(MappingResponse(
            id=m.id,
            app_id=m.app_id,
            user_id=m.user_id,
            mapped_key=m.mapped_key,
            mapped_email=m.mapped_email,
            user_mobile=m.user.mobile if m.user else "Deleted User",
            user_status=m.user.status if m.user else "DELETED",
            is_active=m.is_active
        ))
        
    return {"total": total, "items": result}

@router.post("/{app_id}/mappings", response_model=MappingResponse, summary="创建映射")
def create_mapping(
    *,
    db: Session = Depends(deps.get_db),
    app_id: int,
    mapping_in: MappingCreate,
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    手动创建映射。
    """
    app = db.query(Application).filter(Application.id == app_id).first()
    if not app:
        raise HTTPException(status_code=404, detail="应用未找到")
    
    if current_user.role != "SUPER_ADMIN" and app.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="权限不足")

    # Verify Password
    if not security.verify_password(mapping_in.password, current_user.password_hash):
        raise HTTPException(status_code=403, detail="密码错误")

    # Normalize input: treat empty strings as None to avoid unique constraint violations
    mapped_key = mapping_in.mapped_key if mapping_in.mapped_key else None
    mapped_email = mapping_in.mapped_email if mapping_in.mapped_email else None

    # 1. Find User or Create
    user = db.query(User).filter(User.mobile == mapping_in.mobile, User.is_deleted == 0).first()
    new_user_created = False
    generated_password = None

    if not user:
        # Auto create user
        password_plain = security.generate_alphanumeric_password(8) # Random password letters+digits
        random_suffix = security.generate_alphanumeric_password(6)
        user = User(
            mobile=mapping_in.mobile,
            password_hash=security.get_password_hash(password_plain),
            status="ACTIVE",
            role="ORDINARY_USER",
            name=f"用户{random_suffix}",
            english_name=mapped_key
        )
        db.add(user)
        db.commit()
        db.refresh(user)
        new_user_created = True
        generated_password = password_plain

    # 2. Check if mapping exists
    existing = db.query(AppUserMapping).filter(
        AppUserMapping.app_id == app_id,
        AppUserMapping.user_id == user.id
    ).first()
    if existing:
        raise HTTPException(status_code=400, detail="该用户的映射已存在")

    # 3. Check Uniqueness for mapped_email (if provided)
    if mapped_email:
        email_exists = db.query(AppUserMapping).filter(
            AppUserMapping.app_id == app_id,
            AppUserMapping.mapped_email == mapped_email
        ).first()
        if email_exists:
            raise HTTPException(status_code=400, detail=f"该应用下邮箱 {mapped_email} 已被使用")

    # 4. Check Uniqueness for mapped_key
    if mapped_key:
        key_exists = db.query(AppUserMapping).filter(
            AppUserMapping.app_id == app_id,
            AppUserMapping.mapped_key == mapped_key
        ).first()
        if key_exists:
            raise HTTPException(status_code=400, detail=f"该应用下账号 {mapped_key} 已被使用")
        
    # 5. Create
    mapping = AppUserMapping(
        app_id=app_id,
        user_id=user.id,
        mapped_key=mapped_key,
        mapped_email=mapped_email
    )
    db.add(mapping)
    db.commit()
    db.refresh(mapping)
    
    # LOGGING
    LogService.create_log(
        db=db, 
        app_id=app_id, 
        operator_id=current_user.id, 
        action_type=ActionType.MANUAL_ADD, 
        target_user_id=user.id,
        target_mobile=user.mobile,
        details={
            "mapped_key": mapped_key,
            "mapped_email": mapped_email,
            "new_user_created": new_user_created
        }
    )

    return MappingResponse(
        id=mapping.id,
        app_id=mapping.app_id,
        user_id=mapping.user_id,
        mapped_key=mapping.mapped_key,
        mapped_email=mapping.mapped_email,
        user_mobile=user.mobile,
        user_status=user.status,
        new_user_created=new_user_created,
        generated_password=generated_password
    )

@router.put("/{app_id}/mappings/{mapping_id}", response_model=MappingResponse, summary="更新映射")
def update_mapping(
    *,
    db: Session = Depends(deps.get_db),
    app_id: int,
    mapping_id: int,
    mapping_in: MappingUpdate,
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    更新映射信息。
    """
    app = db.query(Application).filter(Application.id == app_id).first()
    if not app:
        raise HTTPException(status_code=404, detail="应用未找到")
    
    if current_user.role != "SUPER_ADMIN" and app.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="权限不足")

    # Verify Password
    if not security.verify_password(mapping_in.password, current_user.password_hash):
        raise HTTPException(status_code=403, detail="密码错误")

    mapping = db.query(AppUserMapping).filter(
        AppUserMapping.id == mapping_id,
        AppUserMapping.app_id == app_id
    ).first()
    if not mapping:
        raise HTTPException(status_code=404, detail="映射未找到")

    # Check Uniqueness for mapped_key
    if mapping_in.mapped_key is not None and mapping_in.mapped_key != mapping.mapped_key:
        if mapping_in.mapped_key:
            key_exists = db.query(AppUserMapping).filter(
                AppUserMapping.app_id == app_id,
                AppUserMapping.mapped_key == mapping_in.mapped_key
            ).first()
            if key_exists:
                raise HTTPException(status_code=400, detail=f"该应用下账号 {mapping_in.mapped_key} 已被使用")

    # Check Uniqueness for mapped_email
    if mapping_in.mapped_email is not None and mapping_in.mapped_email != mapping.mapped_email:
        if mapping_in.mapped_email:
            email_exists = db.query(AppUserMapping).filter(
                AppUserMapping.app_id == app_id,
                AppUserMapping.mapped_email == mapping_in.mapped_email
            ).first()
            if email_exists:
                raise HTTPException(status_code=400, detail=f"该应用下邮箱 {mapping_in.mapped_email} 已被使用")

    # Capture old values for logging
    old_key = mapping.mapped_key
    old_email = mapping.mapped_email

    if mapping_in.mapped_key is not None:
        mapping.mapped_key = mapping_in.mapped_key
    if mapping_in.mapped_email is not None:
        mapping.mapped_email = mapping_in.mapped_email

    db.add(mapping)
    db.commit()
    db.refresh(mapping)

    # LOGGING
    LogService.create_log(
        db=db, 
        app_id=app_id, 
        operator_id=current_user.id, 
        action_type=ActionType.UPDATE, 
        target_user_id=mapping.user_id,
        target_mobile=mapping.user.mobile if mapping.user else None,
        details={
            "old": {"mapped_key": old_key, "mapped_email": old_email},
            "new": {"mapped_key": mapping.mapped_key, "mapped_email": mapping.mapped_email}
        }
    )

    return MappingResponse(
        id=mapping.id,
        app_id=mapping.app_id,
        user_id=mapping.user_id,
        mapped_key=mapping.mapped_key,
        mapped_email=mapping.mapped_email,
        user_mobile=mapping.user.mobile if mapping.user else "Deleted User",
        user_status=mapping.user.status if mapping.user else "DELETED",
        is_active=mapping.is_active
    )

@router.delete("/{app_id}/mappings/{mapping_id}", summary="删除映射")
def delete_mapping(
    *,
    db: Session = Depends(deps.get_db),
    app_id: int,
    mapping_id: int,
    req: MappingDelete,
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    删除映射关系。需验证密码。
    """
    # Verify Password
    if not security.verify_password(req.password, current_user.password_hash):
        raise HTTPException(status_code=403, detail="密码错误")

    mapping = db.query(AppUserMapping).filter(
        AppUserMapping.id == mapping_id,
        AppUserMapping.app_id == app_id
    ).first()
    if not mapping:
        raise HTTPException(status_code=404, detail="映射未找到")
        
    app = db.query(Application).filter(Application.id == app_id).first()
    if current_user.role != "SUPER_ADMIN" and app.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="权限不足")

    # Capture for logging
    target_user_id = mapping.user_id
    target_mobile = mapping.user.mobile if mapping.user else None
    
    db.delete(mapping)
    db.commit()
    
    # LOGGING
    LogService.create_log(
        db=db, 
        app_id=app_id, 
        operator_id=current_user.id, 
        action_type=ActionType.DELETE, 
        target_user_id=target_user_id,
        target_mobile=target_mobile,
        details={"mapping_id": mapping_id}
    )
    
    return {"message": "删除成功"}

@router.post("/{app_id}/sync-users", summary="同步所有用户")
def sync_users_to_app(
    *,
    db: Session = Depends(deps.get_db),
    app_id: int,
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    一键导入用户管理中的用户数据到应用映射中。
    规则：如果用户已在映射中（基于手机号/User ID），则跳过。
    否则创建映射，使用英文名称作为映射账号（如果为空则使用手机号）。
    """
    app = db.query(Application).filter(Application.id == app_id).first()
    if not app:
        raise HTTPException(status_code=404, detail="应用未找到")
    
    if current_user.role != "SUPER_ADMIN" and app.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="权限不足")

    # Get all active users
    users = db.query(User).filter(User.is_deleted == 0).all()
    
    # Get existing mappings (user_ids)
    existing_mappings = db.query(AppUserMapping).filter(AppUserMapping.app_id == app_id).all()
    mapped_user_ids = {m.user_id for m in existing_mappings}
    
    new_mappings = []
    
    for user in users:
        if user.id in mapped_user_ids:
            continue
            
        # Create mapping
        # Rule: Use English name as mapped_key. Fallback to mobile.
        mapped_key = user.english_name if user.english_name else user.mobile
        
        # Check if mapped_key is already used in this app (unlikely for User ID check passed, but mapped_key might collide if english names are dupes)
        # However, bulk insert for thousands might be slow if we check one by one.
        # Ideally we should fetch all existing mapped_keys too.
        
        # For simplicity in "one-click sync", we might just proceed. 
        # But if mapped_key is not unique in AppUserMapping (uq_app_mapped_key), it will fail.
        # Let's assume English Name is unique enough or we catch error? 
        # Actually, let's verify if english_name is unique in User table. It's not (User.english_name is nullable and not unique).
        # So multiple users might have same english_name.
        # If so, we should probably append mobile or something to make it unique? 
        # Or just use mobile if english_name is duplicate?
        
        # Re-reading: "没有存在则使用手机号码，英文名称作为账号映射" -> "If not exists, use phone number, English name as account mapping".
        # This could mean: Use English Name.
        
        mapping = AppUserMapping(
            app_id=app.id,
            user_id=user.id,
            mapped_key=mapped_key,
            mapped_email=None,
            is_active=True
        )
        new_mappings.append(mapping)

    if new_mappings:
        try:
            db.bulk_save_objects(new_mappings)
            db.commit()
        except Exception as e:
            db.rollback()
            # If bulk fails (e.g. unique constraint on mapped_key), we might need to do row-by-row or handle it.
            # Fallback: try one by one
            success_count = 0
            for m in new_mappings:
                try:
                    db.add(m)
                    db.commit()
                    success_count += 1
                except:
                    db.rollback()
            
            LogService.create_log(
                db=db,
                app_id=app.id,
                operator_id=current_user.id,
                action_type=ActionType.IMPORT,
                details={"message": "Sync all users (partial)", "attempted": len(new_mappings), "success": success_count}
            )
            return {"message": f"同步完成，成功 {success_count} 个，失败 {len(new_mappings) - success_count} 个 (可能是账号冲突)"}
            
        # Log success
        LogService.create_log(
            db=db,
            app_id=app.id,
            operator_id=current_user.id,
            action_type=ActionType.IMPORT,
            details={"message": "Sync all users", "count": len(new_mappings)}
        )
        return {"message": f"同步成功，新增 {len(new_mappings)} 个用户映射"}

    return {"message": "没有需要同步的用户"}

@router.post("/{app_id}/sync-users-v2", summary="同步用户 (新版)")
def sync_users_to_app_v2(
    *,
    db: Session = Depends(deps.get_db),
    app_id: int,
    sync_req: AppSyncRequest,
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    高级用户同步功能。
    支持全量/部分同步，以及可选的默认邮箱初始化。
    需要手机验证码。
    """
    app = db.query(Application).filter(Application.id == app_id).first()
    if not app:
        raise HTTPException(status_code=404, detail="应用未找到")
    
    if current_user.role != "SUPER_ADMIN" and app.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="权限不足")

    # 1. Verify SMS Code
    if not SmsService.verify_code(current_user.mobile, sync_req.verification_code):
        raise HTTPException(status_code=400, detail="验证码无效或已过期")

    # 2. Determine Target Users
    query = db.query(User).filter(User.is_deleted == 0)
    
    if sync_req.mode == "SELECTED":
        if not sync_req.user_ids:
             raise HTTPException(status_code=400, detail="请选择要同步的用户")
        query = query.filter(User.id.in_(sync_req.user_ids))
    
    users = query.all()
    
    if not users:
        return {"message": "没有找到可同步的用户"}

    # 3. Get existing mappings (user_ids) to skip
    existing_mappings = db.query(AppUserMapping).filter(AppUserMapping.app_id == app_id).all()
    mapped_user_ids = {m.user_id for m in existing_mappings}
    
    # Check if email domain is valid format if provided (simple check)
    if sync_req.init_email and not sync_req.email_domain:
         raise HTTPException(status_code=400, detail="开启邮箱初始化时必须填写域名")

    new_mappings = []
    
    for user in users:
        if user.id in mapped_user_ids:
            continue
            
        # Determine mapped_key (English name)
        # If english_name is missing, fallback to mobile? Or skip?
        # User requirement: "账号就是英文名" (Account is English name)
        # Assuming if english_name is empty, we might use mobile or some generation.
        # Let's fallback to mobile if english_name is missing, but prefer english_name.
        mapped_key = user.english_name if user.english_name else user.mobile
        
        mapped_email = None
        if sync_req.init_email and user.english_name:
            # Construct email
            domain = sync_req.email_domain.strip()
            if not domain.startswith("@"):
                domain = "@" + domain
            mapped_email = f"{user.english_name}{domain}"
        
        mapping = AppUserMapping(
            app_id=app.id,
            user_id=user.id,
            mapped_key=mapped_key,
            mapped_email=mapped_email,
            is_active=True
        )
        new_mappings.append(mapping)

    if not new_mappings:
        return {"message": "所有选中的用户均已存在映射，无需同步"}

    # 4. Insert
    # We'll try to insert one by one to handle potential unique constraint violations (e.g. same english name for different users)
    # Or we can try bulk and catch. Given "User can check selection", maybe best effort is good.
    
    success_count = 0
    fail_count = 0
    
    for m in new_mappings:
        try:
            # Check unique key collision within this transaction if possible, 
            # but db.add + commit per row is safer for partial success report.
            
            # Additional check: uniqueness of mapped_key in this app
            # (We already have uniqueness constraint in DB)
            db.add(m)
            db.commit()
            success_count += 1
        except Exception:
            db.rollback()
            fail_count += 1
            
    # 5. Log
    LogService.create_log(
        db=db,
        app_id=app.id,
        operator_id=current_user.id,
        action_type=ActionType.SYNC,
        details={
            "mode": sync_req.mode,
            "init_email": sync_req.init_email,
            "total_attempted": len(new_mappings),
            "success": success_count,
            "failed": fail_count
        }
    )
    
    msg = f"同步完成。成功: {success_count}，失败: {fail_count}"
    if fail_count > 0:
        msg += " (失败原因可能是账号或邮箱冲突)"
        
    return {"message": msg}

@router.get("/{app_id}/mappings/export", summary="导出映射")
def export_mappings(
    *,
    db: Session = Depends(deps.get_db),
    app_id: int,
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    导出所有映射到 Excel (.xlsx)。
    """
    app = db.query(Application).filter(Application.id == app_id).first()
    if not app:
        raise HTTPException(status_code=404, detail="应用未找到")
    
    if current_user.role != "SUPER_ADMIN" and app.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="权限不足")

    mappings = db.query(AppUserMapping).filter(AppUserMapping.app_id == app_id).all()
    
    # Prepare data for DataFrame
    data = []
    for m in mappings:
        mobile = m.user.mobile if m.user else "Deleted User"
        data.append({
            '手机号': mobile, 
            '映射账号': m.mapped_key,
            '映射邮箱': m.mapped_email or ''
        })
    
    # Create DataFrame
    df = pd.DataFrame(data)
    
    # If no data, create an empty DataFrame with columns
    if not data:
        df = pd.DataFrame(columns=['手机号', '映射账号', '映射邮箱'])

    # Write to Excel BytesIO
    output = io.BytesIO()
    with pd.ExcelWriter(output, engine='openpyxl') as writer:
        df.to_excel(writer, index=False)
    
    output.seek(0)
    
    filename = f"mappings_app_{app_id}.xlsx"
    
    return StreamingResponse(
        output,
        media_type="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
        headers={"Content-Disposition": f"attachment; filename={filename}"}
    )

@router.post("/{app_id}/mapping/preview", response_model=MappingPreviewResponse, summary="预览映射导入")
async def preview_mapping(
    app_id: int,
    file: UploadFile = File(...),
    db: Session = Depends(deps.get_db),
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    预览 Excel/CSV 映射导入。
    """
    app = db.query(Application).filter(Application.id == app_id).first()
    if not app:
        raise HTTPException(status_code=404, detail="应用未找到")
        
    if current_user.role != "SUPER_ADMIN" and app.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="权限不足")

    contents = await file.read()
    filename = file.filename
    return MappingService.preview_import(db, app_id, contents, filename)

@router.post("/send-import-verification-code", summary="发送导入验证码")
def send_import_verification_code(
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    发送验证码给当前登录用户（用于敏感操作验证，如导入）。
    """
    SmsService.send_code(current_user.mobile)
    return {"message": "验证码已发送"}

@router.post("/{app_id}/mapping/import", response_model=ImportLogResponse, summary="执行映射导入")
async def import_mapping(
    app_id: int,
    file: UploadFile = File(...),
    strategy: MappingStrategy = Form(MappingStrategy.SKIP),
    verification_code: str = Form(...),
    db: Session = Depends(deps.get_db),
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    执行映射导入操作。需要验证短信验证码。
    """
    app = db.query(Application).filter(Application.id == app_id).first()
    if not app:
        raise HTTPException(status_code=404, detail="应用未找到")
        
    if current_user.role != "SUPER_ADMIN" and app.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="权限不足")

    contents = await file.read()
    filename = file.filename
    
    result = MappingService.execute_import(db, app_id, contents, filename, strategy, current_user.mobile, verification_code)
    
    # LOGGING
    # For import, we log the summary and the logs structure
    LogService.create_log(
        db=db, 
        app_id=app_id, 
        operator_id=current_user.id, 
        action_type=ActionType.IMPORT, 
        details=result.model_dump(mode='json') # Store full result including logs
    )
    
    return result

@router.get("/mapping/users", response_model=UserSyncList, summary="获取全量用户（M2M）")
def get_all_users_m2m(
    *,
    db: Session = Depends(deps.get_db),
    skip: int = 0,
    limit: int = 100,
    current_app: Application = Depends(deps.get_current_app),
):
    """
    开发者拉取全量用户接口。
    仅返回：手机号、姓名、英文名。
    需要应用访问令牌 (Authorization Bearer JWT 或 X-App-Access-Token)。
    """
    query = db.query(User).filter(User.is_deleted == 0)
    
    total = query.count()
    users = query.order_by(User.id).offset(skip).limit(limit).all()
    
    return {"total": total, "items": users}

@router.post("/mapping/sync", response_model=MappingResponse, summary="同步映射 (M2M)")
def sync_mapping(
    *,
    db: Session = Depends(deps.get_db),
    sync_in: UserSyncRequest,
    current_app: Application = Depends(deps.get_current_app),
):
    """
    从外部平台同步用户映射关系（机器对机器）。
    只同步映射关系，不创建或更新用户本身。
    需要应用访问令牌 (Authorization Bearer JWT 或 X-App-Access-Token)。
    """
    # Normalize input: treat empty strings as None
    mapped_key = sync_in.mapped_key if sync_in.mapped_key else None
    mapped_email = sync_in.mapped_email if sync_in.mapped_email else None

    # 1. Find User or Create
    user = db.query(User).filter(User.mobile == sync_in.mobile).first()
    new_user_created = False
    if not user:
        # Auto create user
        password = security.generate_alphanumeric_password(8) # Random password letters+digits
        random_suffix = security.generate_alphanumeric_password(6)
        user = User(
            mobile=sync_in.mobile,
            password_hash=security.get_password_hash(password),
            status="ACTIVE",
            role="ORDINARY_USER",
            name=f"用户{random_suffix}",
            english_name=mapped_key
        )
        db.add(user)
        db.commit()
        db.refresh(user)
        new_user_created = True

    # 2. Handle Mapping
    mapping = db.query(AppUserMapping).filter(
        AppUserMapping.app_id == current_app.id,
        AppUserMapping.user_id == user.id
    ).first()

    # Check Uniqueness for mapped_key (if changing or new, and provided)
    if mapped_key and (not mapping or mapping.mapped_key != mapped_key):
        key_exists = db.query(AppUserMapping).filter(
            AppUserMapping.app_id == current_app.id,
            AppUserMapping.mapped_key == mapped_key
        ).first()
        if key_exists:
             raise HTTPException(status_code=400, detail=f"该应用下账号 {mapped_key} 已被使用")

    # Check Uniqueness for mapped_email (if changing or new, and provided)
    if mapped_email and (not mapping or mapping.mapped_email != mapped_email):
        email_exists = db.query(AppUserMapping).filter(
            AppUserMapping.app_id == current_app.id,
            AppUserMapping.mapped_email == mapped_email
        ).first()
        if email_exists:
             raise HTTPException(status_code=400, detail=f"该应用下邮箱 {mapped_email} 已被使用")

    new_mapping_created = False
    if mapping:
        # Update existing mapping
        if sync_in.mapped_key is not None:
            mapping.mapped_key = mapped_key
        if sync_in.is_active is not None:
            mapping.is_active = sync_in.is_active
        if sync_in.mapped_email is not None:
            mapping.mapped_email = mapped_email
    else:
        # Create new mapping
        new_mapping_created = True
        mapping = AppUserMapping(
            app_id=current_app.id,
            user_id=user.id,
            mapped_key=mapped_key,
            mapped_email=mapped_email,
            is_active=sync_in.is_active if sync_in.is_active is not None else True
        )
        db.add(mapping)

    db.commit()
    db.refresh(mapping)

    # LOGGING
    LogService.create_log(
        db=db, 
        app_id=current_app.id, 
        operator_id=current_app.owner_id, 
        action_type=ActionType.SYNC_M2M, 
        target_user_id=user.id,
        target_mobile=user.mobile,
        details={
            "mapped_key": mapped_key,
            "mapped_email": mapped_email,
            "new_user_created": new_user_created,
            "new_mapping_created": new_mapping_created
        }
    )

    return MappingResponse(
        id=mapping.id,
        app_id=mapping.app_id,
        user_id=mapping.user_id,
        mapped_key=mapping.mapped_key,
        mapped_email=mapping.mapped_email,
        user_mobile=user.mobile,
        user_status=user.status,
        is_active=mapping.is_active
    )

# ==========================================
# Operation Logs
# ==========================================

@router.get("/{app_id}/logs", response_model=OperationLogList, summary="获取操作日志")
def read_logs(
    *,
    db: Session = Depends(deps.get_db),
    app_id: int,
    skip: int = 0,
    limit: int = 20,
    action_type: ActionType = Query(None),
    keyword: str = Query(None, description="搜索手机号"),
    start_date: datetime = Query(None),
    end_date: datetime = Query(None),
    current_user: User = Depends(deps.get_current_active_user),
):
    """
    获取应用操作日志。
    """
    app = db.query(Application).filter(Application.id == app_id).first()
    if not app:
        raise HTTPException(status_code=404, detail="应用未找到")
        
    if current_user.role != "SUPER_ADMIN" and app.owner_id != current_user.id:
        raise HTTPException(status_code=403, detail="权限不足")

    total, logs = LogService.get_logs(
        db=db, 
        app_id=app_id, 
        skip=skip, 
        limit=limit, 
        action_type=action_type, 
        keyword=keyword, 
        start_date=start_date, 
        end_date=end_date
    )
    
    result = []
    for log in logs:
        # Enrich operator mobile
        operator_mobile = log.operator.mobile if log.operator else "Unknown"
        
        result.append(OperationLogResponse(
            id=log.id,
            app_id=log.app_id,
            action_type=log.action_type,
            target_mobile=log.target_mobile,
            details=log.details,
            operator_id=log.operator_id,
            operator_mobile=operator_mobile,
            target_user_id=log.target_user_id,
            created_at=log.created_at
        ))
        
    return {"total": total, "items": result}