添加统一登录

Redirect_SSO_Guide.md

@@ -0,0 +1,392 @@
+# 快速对接指南 (Redirect SSO)
+
+## 1. 概述
+这是最简单、最快速的集成方式。您无需开发前端登录页面，只需将用户重定向到统一认证平台，待用户登录后，平台会将携带票据 (Ticket) 的用户重定向回您的系统。
+
+## 2. 核心流程
+1. **用户访问**: 用户访问您的应用 (未登录)。
+2. **跳转登录**: 应用重定向用户到 UAP 登录页面 (`?app_id=xxx`)。
+3. **用户登录**: 用户在 UAP 完成认证。
+4. **回调应用**: UAP 重定向回您的应用回调地址 (`?ticket=xxx`)。
+5. **验证票据**: 应用后端调用接口验证 Ticket。
+6. **登录成功**: 验证通过，应用创建自身会话。
+
+## 3. 详细集成步骤
+
+### 第一步：准备工作
+- 在 UAP 管理后台创建应用。
+- **关键**：在应用配置中填写入合法的 **回调地址 (Redirect URIs)**。例如：`http://your-app.com/callback`
+- 获取 `App ID` 和 `App Secret` (用于后端验证 Ticket)。
+
+### 第二步：拼接登录链接 (前端)
+在您的应用中，检测到用户未登录时，直接跳转到以下地址：
+
+**PC 端**:
+`https://api.hnyunzhu.com/api/v1/login?app_id=YOUR_APP_ID`
+
+**移动端 (H5)**:
+`https://api.hnyunzhu.com/api/v1/mobile/login?app_id=YOUR_APP_ID`
+
+> **提示**: 请将 `YOUR_APP_ID` 替换为您实际的应用 ID。
+
+### 第三步：实现回调接口 (后端)
+用户登录成功后，浏览器会跳转到您配置的回调地址，URL 格式如下：
+`http://your-app.com/callback?ticket=TICKET-xxxxx`
+
+您的后端需要接收 `ticket`，并调用 UAP 的验证接口换取用户信息。
+
+**接口地址**: `POST https://api.hnyunzhu.com/api/v1/simple/validate`
+
+**请求参数 (JSON)**:
+| 字段 | 类型 | 必填 | 说明 |
+|---|---|---|---|
+| `app_id` | string | 是 | 您的应用 ID |
+| `ticket` | string | 是 | 接收到的票据 |
+| `timestamp` | int | 是 | 当前时间戳 |
+| `sign` | string | 是 | 签名 |
+
+## 4. 代码示例
+
+### Python
+```python
+import requests
+import time
+import hmac
+import hashlib
+import json
+
+def generate_signature(secret: str, params: dict) -> str:
+    # 1. 过滤掉空值和 sign 字段
+    data = {k: v for k, v in params.items() if k != "sign" and v is not None}
+    # 2. 排序 key
+    sorted_keys = sorted(data.keys())
+    # 3. 拼接字符串
+    query_string = "&".join([f"{k}={data[k]}" for k in sorted_keys])
+    # 4. 计算 HMAC-SHA256
+    signature = hmac.new(
+        secret.encode('utf-8'),
+        query_string.encode('utf-8'),
+        hashlib.sha256
+    ).hexdigest()
+    return signature
+
+def validate_ticket(ticket):
+    # API 地址通常为 /api/v1/simple/validate
+    url = "https://api.hnyunzhu.com/api/v1/simple/validate"
+    app_secret = "YOUR_APP_SECRET" # 务必保密
+
+    payload = {
+        "app_id": "YOUR_APP_ID",
+        "ticket": ticket,
+        "timestamp": int(time.time())
+    }
+    # 使用您的 App Secret 计算签名
+    payload["sign"] = generate_signature(app_secret, payload)
+    
+    try:
+        resp = requests.post(url, json=payload)
+        return resp.json()
+    except Exception as e:
+        print("Error:", e)
+        return None
+```
+
+### Java
+```java
+// 依赖建议: OkHttp 或 Apache HttpClient, FastJson/Jackson
+import okhttp3.*;
+import com.alibaba.fastjson.JSON;
+import javax.crypto.Mac;
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.charset.StandardCharsets;
+import java.util.*;
+
+public class TicketValidator {
+    public static final String APP_ID = "YOUR_APP_ID";
+    public static final String APP_SECRET = "YOUR_APP_SECRET";
+    public static final String API_URL = "https://api.hnyunzhu.com/api/v1/simple/validate";
+
+    public static String generateSign(Map<String, String> params, String secret) {
+        try {
+            List<String> sortedKeys = new ArrayList<>(params.keySet());
+            Collections.sort(sortedKeys);
+            
+            StringBuilder sb = new StringBuilder();
+            for (String key : sortedKeys) {
+                if (!key.equals("sign") && params.get(key) != null) {
+                    if (sb.length() > 0) sb.append("&");
+                    sb.append(key).append("=").append(params.get(key));
+                }
+            }
+            
+            Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
+            SecretKeySpec secret_key = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
+            sha256_HMAC.init(secret_key);
+            
+            byte[] bytes = sha256_HMAC.doFinal(sb.toString().getBytes(StandardCharsets.UTF_8));
+            StringBuilder hex = new StringBuilder();
+            for (byte b : bytes) hex.append(String.format("%02x", b));
+            return hex.toString();
+        } catch (Exception e) {
+            return "";
+        }
+    }
+
+    public static void validate(String ticket) {
+        try {
+            long timestamp = System.currentTimeMillis() / 1000;
+            
+            Map<String, String> params = new HashMap<>();
+            params.put("app_id", APP_ID);
+            params.put("ticket", ticket);
+            params.put("timestamp", String.valueOf(timestamp));
+            
+            String sign = generateSign(params, APP_SECRET); 
+            params.put("sign", sign);
+            
+            OkHttpClient client = new OkHttpClient();
+            RequestBody body = RequestBody.create(
+                MediaType.parse("application/json; charset=utf-8"), 
+                JSON.toJSONString(params)
+            );
+            
+            Request request = new Request.Builder()
+                .url(API_URL)
+                .post(body)
+                .build();
+                
+            Response response = client.newCall(request).execute();
+            System.out.println(response.body().string());
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+    }
+}
+```
+
+### Kotlin
+```kotlin
+import okhttp3.*
+import com.google.gson.Gson
+import javax.crypto.Mac
+import javax.crypto.spec.SecretKeySpec
+import java.io.IOException
+import java.util.*
+
+object AuthUtils {
+    fun generateSign(params: Map<String, String>, secret: String): String {
+        val sortedKeys = params.keys.filter { it != "sign" }.sorted()
+        val queryString = sortedKeys.joinToString("&") { "${it}=${params[it]}" }
+        
+        val hmacSha256 = "HmacSHA256"
+        val secretKeySpec = SecretKeySpec(secret.toByteArray(Charsets.UTF_8), hmacSha256)
+        val mac = Mac.getInstance(hmacSha256)
+        mac.init(secretKeySpec)
+        
+        return mac.doFinal(queryString.toByteArray(Charsets.UTF_8))
+            .joinToString("") { "%02x".format(it) }
+    }
+}
+
+fun validateTicket(ticket: String) {
+    val appId = "YOUR_APP_ID"
+    val appSecret = "YOUR_APP_SECRET"
+    val url = "https://api.hnyunzhu.com/api/v1/simple/validate"
+    
+    val timestamp = System.currentTimeMillis() / 1000
+    val params = mutableMapOf(
+        "app_id" to appId,
+        "ticket" to ticket,
+        "timestamp" to timestamp.toString()
+    )
+    
+    params["sign"] = AuthUtils.generateSign(params, appSecret)
+    
+    val client = OkHttpClient()
+    val jsonBody = Gson().toJson(params)
+    val body = RequestBody.create(MediaType.parse("application/json"), jsonBody)
+    
+    val request = Request.Builder()
+        .url(url)
+        .post(body)
+        .build()
+        
+    client.newCall(request).enqueue(object : Callback {
+        override fun onFailure(call: Call, e: IOException) {
+            e.printStackTrace()
+        }
+
+        override fun onResponse(call: Call, response: Response) {
+            println(response.body()?.string())
+        }
+    })
+}
+```
+
+### Node.js
+```javascript
+const axios = require('axios');
+const crypto = require('crypto');
+
+const APP_SECRET = 'YOUR_APP_SECRET'; // 务必保密
+
+function getSign(params) {
+  const keys = Object.keys(params)
+    .filter(k => k !== 'sign' && params[k] !== undefined)
+    .sort();
+  const queryString = keys.map(k => `${k}=${params[k]}`).join('&');
+  return crypto.createHmac('sha256', APP_SECRET)
+    .update(queryString)
+    .digest('hex');
+}
+
+async function validateTicket(ticket) {
+  const url = 'https://api.hnyunzhu.com/api/v1/simple/validate';
+  const payload = {
+    app_id: 'YOUR_APP_ID',
+    ticket: ticket,
+    timestamp: Math.floor(Date.now() / 1000)
+  };
+  
+  // 计算签名
+  payload.sign = getSign(payload);
+  
+  try {
+    const res = await axios.post(url, payload);
+    console.log('Validation Result:', res.data);
+    return res.data;
+  } catch (error) {
+    console.error('Validation Failed:', error.response?.data || error.message);
+  }
+}
+```
+
+### Go
+```go
+package main
+
+import (
+    "bytes"
+    "crypto/hmac"
+    "crypto/sha256"
+    "encoding/hex"
+    "encoding/json"
+    "fmt"
+    "net/http"
+    "sort"
+    "strings"
+    "time"
+)
+
+func GetSign(secret string, params map[string]interface{}) string {
+    var keys []string
+    for k := range params {
+        if k != "sign" {
+            keys = append(keys, k)
+        }
+    }
+    sort.Strings(keys)
+    var parts []string
+    for _, k := range keys {
+        val := fmt.Sprintf("%v", params[k])
+        parts = append(parts, fmt.Sprintf("%s=%s", k, val))
+    }
+    query := strings.Join(parts, "&")
+    h := hmac.New(sha256.New, []byte(secret))
+    h.Write([]byte(query))
+    return hex.EncodeToString(h.Sum(nil))
+}
+
+func ValidateTicket(ticket string) {
+    appId := "YOUR_APP_ID"
+    appSecret := "YOUR_APP_SECRET" 
+    apiUrl := "https://api.hnyunzhu.com/api/v1/simple/validate"
+    
+    params := map[string]interface{}{
+        "app_id":    appId,
+        "ticket":    ticket,
+        "timestamp": time.Now().Unix(),
+    }
+    
+    // 计算签名
+    params["sign"] = GetSign(appSecret, params)
+    
+    jsonData, _ := json.Marshal(params)
+    resp, err := http.Post(apiUrl, "application/json", bytes.NewBuffer(jsonData))
+    if err != nil {
+        fmt.Println("Error:", err)
+        return
+    }
+    defer resp.Body.Close()
+    
+    // 读取响应...
+    var result map[string]interface{}
+    json.NewDecoder(resp.Body).Decode(&result)
+    fmt.Println("Result:", result)
+}
+```
+
+### Swift
+```swift
+import Foundation
+import CommonCrypto
+
+// 注意：需引入 CommonCrypto
+
+func hmac(string: String, key: String) -> String {
+    var digest = [UInt8](repeating: 0, count: Int(CC_SHA256_DIGEST_LENGTH))
+    CCHmac(CCHmacAlgorithm(kCCHmacAlgSHA256), key, key.count, string, string.count, &digest)
+    let data = Data(digest)
+    return data.map { String(format: "%02hhx", $0) }.joined()
+}
+
+func generateSign(secret: String, params: [String: Any]) -> String {
+    let sortedKeys = params.keys.filter { $0 != "sign" }.sorted()
+    let queryParts = sortedKeys.map { key in
+        return "\(key)=\(params[key]!)"
+    }
+    let queryString = queryParts.joined(separator: "&")
+    return hmac(string: queryString, key: secret)
+}
+
+func validateTicket(ticket: String) {
+    let appId = "YOUR_APP_ID"
+    let secret = "YOUR_APP_SECRET"
+    let url = URL(string: "https://api.hnyunzhu.com/api/v1/simple/validate")!
+    
+    var request = URLRequest(url: url)
+    request.httpMethod = "POST"
+    request.setValue("application/json", forHTTPHeaderField: "Content-Type")
+    
+    let timestamp = Int(Date().timeIntervalSince1970)
+    var params: [String: Any] = [
+        "app_id": appId,
+        "ticket": ticket,
+        "timestamp": timestamp
+    ]
+    
+    params["sign"] = generateSign(secret: secret, params: params)
+    
+    request.httpBody = try? JSONSerialization.data(withJSONObject: params)
+    
+    let task = URLSession.shared.dataTask(with: request) { data, response, error in
+        if let data = data {
+            if let json = try? JSONSerialization.jsonObject(with: data, options: []) {
+                print(json)
+            }
+        }
+    }
+    task.resume()
+}
+```
+
+## 5. 响应格式 (成功)
+```json
+{
+  "valid": true,
+  "user_id": 1001,
+  "mobile": "13800138000",
+  "mapped_key": "user_zhangsan",
+  "mapped_email": "zhangsan@example.com"
+}
+```

api/auth.py

@@ -1,11 +1,56 @@
+import hmac
+import hashlib
+import time
+from typing import Optional
+
+import requests
 from flask import Blueprint, render_template, request, session, redirect, url_for, flash
 
+from utils.logger_config import logger
+
 auth_bp = Blueprint('auth', __name__)
 
 # 登录账号配置
 ADMIN_USERNAME = 'admin'
 ADMIN_PASSWORD = 'HNYZ0821'
 
+# 统一登录平台配置
+SSO_APP_ID = 'app_aa755b61de0b3da8'
+SSO_APP_SECRET = 'ND5bv3WjAc8DwueDSoRXAC04XUyV1X1D'
+SSO_LOGIN_URL = 'https://api.hnyunzhu.com/login'
+SSO_VALIDATE_URL = 'https://api.hnyunzhu.com/api/v1/simple/validate'
+
+
+def _generate_signature(secret: str, params: dict) -> str:
+    """生成 HMAC-SHA256 签名"""
+    data = {k: v for k, v in params.items() if k != "sign" and v is not None}
+    sorted_keys = sorted(data.keys())
+    query_string = "&".join([f"{k}={data[k]}" for k in sorted_keys])
+    return hmac.new(
+        secret.encode('utf-8'),
+        query_string.encode('utf-8'),
+        hashlib.sha256
+    ).hexdigest()
+
+
+def _validate_ticket(ticket: str) -> Optional[dict]:
+    """调用 UAP 验证票据"""
+    payload = {
+        "app_id": SSO_APP_ID,
+        "ticket": ticket,
+        "timestamp": int(time.time())
+    }
+    payload["sign"] = _generate_signature(SSO_APP_SECRET, payload)
+    try:
+        resp = requests.post(SSO_VALIDATE_URL, json=payload, timeout=10)
+        result = resp.json()
+        logger.info(f"[SSO] validate 请求: url={SSO_VALIDATE_URL}, status={resp.status_code}, response={result}")
+        return result
+    except Exception as e:
+        logger.exception(f"[SSO] validate 请求异常: ticket={ticket[:20]}..., error={e}")
+        return None
+
+
 @auth_bp.route('/login', methods=['GET', 'POST'])
 def login():
     """登录页面"""
@@ -23,6 +68,34 @@ def login():
             
     return render_template('login.html')
 
+@auth_bp.route('/login/sso')
+def login_sso():
+    """跳转到统一登录平台"""
+    return redirect(f"{SSO_LOGIN_URL}?app_id={SSO_APP_ID}")
+
+
+@auth_bp.route('/callback')
+def sso_callback():
+    """统一登录回调：验证 ticket，valid 通过则登录"""
+    ticket = request.args.get('ticket')
+    logger.info(f"[SSO] callback 收到请求: args={dict(request.args)}")
+
+    if not ticket:
+        logger.warning("[SSO] callback 缺少 ticket 参数")
+        flash('无效的回调', 'error')
+        return redirect(url_for('auth.login'))
+
+    result = _validate_ticket(ticket)
+    if result and result.get('valid') is True:
+        logger.info(f"[SSO] 验证通过，登录成功: user_id={result.get('user_id')}, mobile={result.get('mobile')}")
+        session['logged_in'] = True
+        return redirect(url_for('main.index'))
+    else:
+        logger.warning(f"[SSO] 验证失败: result={result}")
+        flash('统一登录验证失败', 'error')
+        return redirect(url_for('auth.login'))
+
+
 @auth_bp.route('/logout')
 def logout():
     """登出"""

templates/login.html

@@ -122,6 +122,32 @@
             color: #c62828;
             border: 1px solid #ffcdd2;
         }
+
+        .sso-divider {
+            margin: 20px 0;
+            text-align: center;
+            color: #95a5a6;
+            font-size: 14px;
+        }
+
+        .btn-sso {
+            display: block;
+            width: 100%;
+            padding: 12px;
+            margin-top: 10px;
+            background-color: #3498db;
+            color: white;
+            text-align: center;
+            text-decoration: none;
+            border-radius: 8px;
+            font-size: 16px;
+            font-weight: 600;
+            transition: background-color 0.3s;
+        }
+
+        .btn-sso:hover {
+            background-color: #2980b9;
+        }
     </style>
 </head>
 <body>
@@ -153,6 +179,11 @@
             </div>
             
             <button type="submit" class="btn-submit">登录</button>
+            
+            <div class="sso-divider">
+                <span>或</span>
+            </div>
+            <a href="/login/sso" class="btn-sso">统一登录</a>
         </form>
     </div>
 </body>