ForcomeBot 2.2.4__py3-none-any.whl

src/auth/middleware.py

@@ -0,0 +1,260 @@
+"""认证中间件"""
+import logging
+from typing import Optional, Callable, List
+from datetime import datetime
+
+from fastapi import Request, HTTPException, Depends
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from .database import get_db
+from .models import User, OperationLog
+from .jwt_handler import JWTHandler
+
+logger = logging.getLogger(__name__)
+
+# HTTP Bearer认证
+security = HTTPBearer(auto_error=False)
+
+# 全局JWT处理器
+_jwt_handler: Optional[JWTHandler] = None
+
+# 认证开关
+_auth_enabled: bool = True
+
+# 白名单路由（不需要认证）
+AUTH_WHITELIST = [
+    "/health",
+    "/qianxun/callback",
+    "/api/auth/dingtalk/login",
+    "/api/auth/dingtalk/h5-login",
+    "/api/auth/dingtalk/qrcode-url",
+    "/api/auth/dingtalk/config",
+    "/docs",
+    "/openapi.json",
+    "/redoc",
+]
+
+
+def init_auth(jwt_handler: JWTHandler, auth_enabled: bool = True):
+    """初始化认证模块"""
+    global _jwt_handler, _auth_enabled
+    _jwt_handler = jwt_handler
+    _auth_enabled = auth_enabled
+    logger.info(f"认证模块已初始化, 认证开关: {auth_enabled}")
+
+
+def is_auth_enabled() -> bool:
+    """检查认证是否启用"""
+    return _auth_enabled
+
+
+def get_jwt_handler() -> JWTHandler:
+    """获取JWT处理器"""
+    if _jwt_handler is None:
+        raise RuntimeError("JWT处理器未初始化")
+    return _jwt_handler
+
+
+class AuthMiddleware:
+    """认证中间件"""
+
+    def __init__(self, app):
+        self.app = app
+
+    async def __call__(self, scope, receive, send):
+        if scope["type"] == "http":
+            # 检查是否需要认证
+            path = scope.get("path", "")
+
+            # 白名单路由跳过认证
+            if self._is_whitelisted(path):
+                await self.app(scope, receive, send)
+                return
+
+            # 静态文件跳过认证
+            if path.startswith("/app/") or path.startswith("/static/"):
+                await self.app(scope, receive, send)
+                return
+
+            # 认证未启用时跳过
+            if not _auth_enabled:
+                await self.app(scope, receive, send)
+                return
+
+        await self.app(scope, receive, send)
+
+    def _is_whitelisted(self, path: str) -> bool:
+        """检查路径是否在白名单中"""
+        for whitelist_path in AUTH_WHITELIST:
+            if path == whitelist_path or path.startswith(whitelist_path + "/"):
+                return True
+        return False
+
+
+async def get_current_user(
+    request: Request,
+    credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)
+) -> User:
+    """
+    获取当前登录用户（必须登录）
+
+    用于需要强制登录的接口
+    """
+    # 认证未启用时返回模拟用户
+    if not _auth_enabled:
+        return _create_mock_user()
+
+    if not credentials:
+        raise HTTPException(status_code=401, detail="未提供认证凭证")
+
+    if not _jwt_handler:
+        raise HTTPException(status_code=500, detail="认证服务未初始化")
+
+    # 验证Token
+    payload = _jwt_handler.verify_token(credentials.credentials)
+    if not payload:
+        raise HTTPException(status_code=401, detail="无效的认证凭证")
+
+    # 获取用户ID
+    user_id = payload.get("sub")
+    if not user_id:
+        raise HTTPException(status_code=401, detail="无效的用户信息")
+
+    # 从数据库获取用户
+    db = get_db()
+    async with db.session_factory() as session:
+        result = await session.execute(
+            select(User).where(User.id == int(user_id))
+        )
+        user = result.scalar_one_or_none()
+
+        if not user:
+            raise HTTPException(status_code=401, detail="用户不存在")
+
+        if not user.is_active:
+            raise HTTPException(status_code=403, detail="用户已被禁用")
+
+        return user
+
+
+async def get_optional_user(
+    request: Request,
+    credentials: Optional[HTTPAuthorizationCredentials] = Depends(security)
+) -> Optional[User]:
+    """
+    获取当前登录用户（可选）
+
+    用于不强制登录但需要用户信息的接口
+    """
+    # 认证未启用时返回模拟用户
+    if not _auth_enabled:
+        return _create_mock_user()
+
+    if not credentials:
+        return None
+
+    if not _jwt_handler:
+        return None
+
+    # 验证Token
+    payload = _jwt_handler.verify_token(credentials.credentials)
+    if not payload:
+        return None
+
+    # 获取用户ID
+    user_id = payload.get("sub")
+    if not user_id:
+        return None
+
+    # 从数据库获取用户
+    try:
+        db = get_db()
+        async with db.session_factory() as session:
+            result = await session.execute(
+                select(User).where(User.id == int(user_id))
+            )
+            user = result.scalar_one_or_none()
+            return user if user and user.is_active else None
+    except Exception as e:
+        logger.warning(f"获取用户信息失败: {e}")
+        return None
+
+
+def _create_mock_user() -> User:
+    """创建模拟用户（认证关闭时使用）"""
+    user = User(
+        id=0,
+        dingtalk_userid="mock_user",
+        name="系统用户",
+        is_active=True,
+        is_admin=True
+    )
+    return user
+
+
+async def log_operation(
+    user: Optional[User],
+    action: str,
+    resource: str,
+    resource_id: Optional[str] = None,
+    detail: Optional[dict] = None,
+    request: Optional[Request] = None,
+    status: str = "success",
+    error_message: Optional[str] = None
+):
+    """
+    记录操作日志
+
+    Args:
+        user: 操作用户
+        action: 操作类型
+        resource: 操作资源
+        resource_id: 资源ID
+        detail: 操作详情
+        request: 请求对象
+        status: 操作状态
+        error_message: 错误信息
+    """
+    try:
+        db = get_db()
+        async with db.session_factory() as session:
+            log = OperationLog(
+                user_id=user.id if user and user.id else None,
+                user_name=user.name if user else None,
+                action=action,
+                resource=resource,
+                resource_id=resource_id,
+                detail=detail,
+                method=request.method if request else None,
+                path=str(request.url.path) if request else None,
+                ip_address=_get_client_ip(request) if request else None,
+                user_agent=request.headers.get("user-agent", "")[:512] if request else None,
+                status=status,
+                error_message=error_message,
+                created_at=datetime.now()
+            )
+            session.add(log)
+            await session.commit()
+    except Exception as e:
+        logger.error(f"记录操作日志失败: {e}")
+
+
+def _get_client_ip(request: Request) -> str:
+    """获取客户端IP"""
+    # 优先从X-Forwarded-For获取
+    forwarded = request.headers.get("x-forwarded-for")
+    if forwarded:
+        return forwarded.split(",")[0].strip()
+
+    # 从X-Real-IP获取
+    real_ip = request.headers.get("x-real-ip")
+    if real_ip:
+        return real_ip
+
+    # 从连接获取
+    if request.client:
+        return request.client.host
+
+    return "unknown"

src/auth/models.py

@@ -0,0 +1,107 @@
+"""数据库模型定义"""
+from datetime import datetime
+from typing import Optional
+
+from sqlalchemy import String, Boolean, DateTime, Integer, Text, JSON, ForeignKey
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+
+from .database import Base
+
+
+class User(Base):
+    """用户表"""
+    __tablename__ = "users"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
+
+    # 钉钉用户信息
+    dingtalk_userid: Mapped[str] = mapped_column(String(64), unique=True, index=True, comment="钉钉用户ID")
+    dingtalk_unionid: Mapped[Optional[str]] = mapped_column(String(64), nullable=True, comment="钉钉UnionID")
+
+    # 基本信息
+    name: Mapped[str] = mapped_column(String(64), comment="姓名")
+    avatar: Mapped[Optional[str]] = mapped_column(String(512), nullable=True, comment="头像URL")
+    mobile: Mapped[Optional[str]] = mapped_column(String(20), nullable=True, comment="手机号")
+    email: Mapped[Optional[str]] = mapped_column(String(128), nullable=True, comment="邮箱")
+    department: Mapped[Optional[str]] = mapped_column(String(256), nullable=True, comment="部门")
+    title: Mapped[Optional[str]] = mapped_column(String(64), nullable=True, comment="职位")
+
+    # 状态
+    is_active: Mapped[bool] = mapped_column(Boolean, default=True, comment="是否启用")
+    is_admin: Mapped[bool] = mapped_column(Boolean, default=False, comment="是否管理员")
+
+    # 时间戳
+    created_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.now, comment="创建时间")
+    updated_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.now, onupdate=datetime.now, comment="更新时间")
+    last_login: Mapped[Optional[datetime]] = mapped_column(DateTime, nullable=True, comment="最后登录时间")
+
+    # 关联
+    operation_logs: Mapped[list["OperationLog"]] = relationship("OperationLog", back_populates="user")
+
+    def to_dict(self) -> dict:
+        """转换为字典"""
+        return {
+            "id": self.id,
+            "dingtalk_userid": self.dingtalk_userid,
+            "name": self.name,
+            "avatar": self.avatar,
+            "mobile": self.mobile,
+            "email": self.email,
+            "department": self.department,
+            "title": self.title,
+            "is_active": self.is_active,
+            "is_admin": self.is_admin,
+            "created_at": self.created_at.isoformat() if self.created_at else None,
+            "last_login": self.last_login.isoformat() if self.last_login else None,
+        }
+
+
+class OperationLog(Base):
+    """操作日志表"""
+    __tablename__ = "operation_logs"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
+
+    # 用户信息
+    user_id: Mapped[Optional[int]] = mapped_column(Integer, ForeignKey("users.id"), nullable=True, comment="用户ID")
+    user_name: Mapped[Optional[str]] = mapped_column(String(64), nullable=True, comment="用户名称（冗余存储）")
+
+    # 操作信息
+    action: Mapped[str] = mapped_column(String(64), index=True, comment="操作类型")
+    resource: Mapped[str] = mapped_column(String(128), comment="操作资源")
+    resource_id: Mapped[Optional[str]] = mapped_column(String(64), nullable=True, comment="资源ID")
+    detail: Mapped[Optional[dict]] = mapped_column(JSON, nullable=True, comment="操作详情")
+
+    # 请求信息
+    method: Mapped[Optional[str]] = mapped_column(String(10), nullable=True, comment="请求方法")
+    path: Mapped[Optional[str]] = mapped_column(String(256), nullable=True, comment="请求路径")
+    ip_address: Mapped[Optional[str]] = mapped_column(String(64), nullable=True, comment="IP地址")
+    user_agent: Mapped[Optional[str]] = mapped_column(String(512), nullable=True, comment="浏览器UA")
+
+    # 结果
+    status: Mapped[str] = mapped_column(String(16), default="success", comment="操作状态: success/failed")
+    error_message: Mapped[Optional[str]] = mapped_column(Text, nullable=True, comment="错误信息")
+
+    # 时间戳
+    created_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.now, index=True, comment="操作时间")
+
+    # 关联
+    user: Mapped[Optional["User"]] = relationship("User", back_populates="operation_logs")
+
+    def to_dict(self) -> dict:
+        """转换为字典"""
+        return {
+            "id": self.id,
+            "user_id": self.user_id,
+            "user_name": self.user_name,
+            "action": self.action,
+            "resource": self.resource,
+            "resource_id": self.resource_id,
+            "detail": self.detail,
+            "method": self.method,
+            "path": self.path,
+            "ip_address": self.ip_address,
+            "status": self.status,
+            "error_message": self.error_message,
+            "created_at": self.created_at.isoformat() if self.created_at else None,
+        }