import json import time from collections.abc import AsyncGenerator from dataclasses import replace from functools import wraps from fastapi import Depends, Query, Request from redis.asyncio.client import Redis from sqlalchemy import select from sqlalchemy.ext.asyncio import AsyncSession from sqlalchemy.orm import selectinload from app.common.enums import RedisInitKeyConfig from app.config.setting import settings from app.core.base_schema import AuthSchema from app.core.database import async_db_session from app.core.exceptions import CustomException from app.core.logger import logger from app.core.redis_crud import RedisCURD from app.core.request_context import RequestContext from app.core.request_context import get_current_tenant_id as _get_ctx_tenant_id from app.core.security import OAuth2Schema, decode_access_token # 套餐菜单权限缓存: {tenant_id: (timestamp, [menu_ids])} _package_menu_cache: dict[int, tuple[float, list[int]]] = {} async def db_getter() -> AsyncGenerator[AsyncSession, None]: """数据库会话 — 请求级生命周期管理。 一个 HTTP 请求内所有 SQL 共享同一个事务:要么全成功,要么全失败。 读操作也走这个事务(牺牲一点 MVCC 隔离换取读已写一致性)。 """ async with async_db_session() as session: async with session.begin(): yield session async def redis_getter(request: Request) -> Redis: """获取Redis连接 参数: - request (Request): 请求对象 返回: - Redis: Redis连接 """ return request.app.state.redis async def get_current_tenant_id() -> int | None: """获取当前请求的租户 ID 依赖注入函数。 从 ContextVar 中读取租户 ID(由 TenantMiddleware 设置)。 非认证路径(白名单)返回 None。 返回: int | None: 当前租户 ID,未设置时返回 None。 """ return _get_ctx_tenant_id() async def _decode_token_info(token: str, redis: Redis) -> tuple[dict, str]: """解码 JWT token 返回 (user_info, session_id) JWT sub 现为纯 session_id,完整会话信息从 Redis 读取。 参数: token: JWT token 字符串 redis: Redis 连接 返回: (user_info, session_id): 用户信息字典和会话 ID """ payload = decode_access_token(token) if not payload or not hasattr(payload, "is_refresh") or payload.is_refresh: raise CustomException(msg="非法凭证", code=10401, status_code=401) session_id = payload.sub if not session_id: raise CustomException(msg="认证已失效", code=10401, status_code=401) raw = await RedisCURD(redis).get( f"{RedisInitKeyConfig.USER_SESSION.key}:{session_id}" ) if not raw: raise CustomException(msg="认证已失效", code=10401, status_code=401) user_info = json.loads(raw) return user_info, session_id async def _check_token_online(redis: Redis, session_id: str) -> None: """检查 token 是否在线(Redis 中存在对应 session) 参数: redis: Redis 连接 session_id: 会话 ID """ online_ok = await RedisCURD(redis).exists( key=f"{RedisInitKeyConfig.ACCESS_TOKEN.key}:{session_id}" ) if not online_ok: raise CustomException(msg="认证已失效", code=10401, status_code=401) async def _try_sliding_refresh(redis: Redis, session_id: str) -> None: """滑动过期续期(仅在 token 剩余不足一半时触发) 参数: redis: Redis 连接 session_id: 会话 ID """ if not settings.TOKEN_SLIDING_EXPIRE: return ttl = await RedisCURD(redis).ttl( key=f"{RedisInitKeyConfig.ACCESS_TOKEN.key}:{session_id}" ) # TTL 返回秒,配置也是秒,无需转换 expire_seconds = settings.ACCESS_TOKEN_EXPIRE_SECONDS if ttl > 0 and ttl < expire_seconds // 2: await RedisCURD(redis).expire( key=f"{RedisInitKeyConfig.ACCESS_TOKEN.key}:{session_id}", expire=expire_seconds, ) await RedisCURD(redis).expire( key=f"{RedisInitKeyConfig.REFRESH_TOKEN.key}:{session_id}", expire=settings.REFRESH_TOKEN_EXPIRE_SECONDS, ) async def _load_user_from_db(db: AsyncSession, username: str): """从数据库加载用户(含角色、菜单、部门、职位全量预加载) 使用原始查询以绕过 CRUDBase 的权限过滤,确保用户认证阶段不受数据权限影响。 所有关系链均 eager-loaded,调用方可在会话关闭后安全访问对象属性。 参数: db: 数据库会话 username: 用户名 返回: UserModel: 已全量加载的用户 ORM 对象 """ from app.api.v1.module_system.role.model import RoleModel from app.api.v1.module_system.user.model import UserModel stmt = ( select(UserModel) .options( selectinload(UserModel.dept), selectinload(UserModel.roles).selectinload(RoleModel.menus), selectinload(UserModel.positions), selectinload(UserModel.created_by), ) .where(UserModel.username == username, UserModel.is_deleted == False) # noqa: E712 ) result = await db.execute(stmt) user = result.scalars().first() if not user: raise CustomException(msg="用户不存在", code=10401, status_code=401) if user.status == 1: raise CustomException(msg="用户已被停用", code=10401, status_code=401) # 过滤不可用的角色和职位(在会话内完成,确保关联数据已加载) if hasattr(user, "roles"): user.roles = [role for role in user.roles if role and role.status] if hasattr(user, "positions"): user.positions = [pos for pos in user.positions if pos and pos.status] return user async def get_current_user( request: Request, db: AsyncSession = Depends(db_getter), redis: Redis = Depends(redis_getter), token: str = Depends(OAuth2Schema), ) -> AuthSchema: """获取当前用户 用户查询使用独立的只读数据库会话(不参与请求事务,查询完成后立即释放快照), 返回的 auth.db 指向请求级事务会话供后续写操作使用。 参数: - request (Request): 请求对象 - db (AsyncSession): 请求级事务会话 - redis (Redis): Redis连接 - token (str): 访问令牌 返回: - AuthSchema: 认证信息模型 """ return await _authenticate(token, db, redis, request) async def get_current_user_ws( token: str = Query(..., description="认证token"), db: AsyncSession = Depends(db_getter), redis: Redis = Depends(redis_getter), ) -> AuthSchema: """获取当前用户(WebSocket专用,从查询参数获取token) 参数: - token (str): 认证token - db (AsyncSession): 数据库会话 - redis (Redis): Redis连接 返回: - AuthSchema: 认证信息模型 """ return await _authenticate(token, db, redis) async def _authenticate( token: str, db: AsyncSession, redis: Redis, request: Request | None = None, ) -> AuthSchema: """核心认证逻辑(HTTP 与 WebSocket 共享) 参数: - token: 访问令牌 - db: 请求级事务会话 - redis: Redis连接 - request: HTTP 请求对象(WebSocket 场景为 None) 返回: - AuthSchema: 认证信息模型 """ if not token: raise CustomException(msg="认证已失效", code=10401, status_code=401) # 处理Bearer token if token.startswith("Bearer"): token = token.split(" ")[1] # 优先使用 TenantMiddleware 缓存在 request.state.ctx 中的会话信息(避免重复 Redis 读取) user_info = None if request: ctx = getattr(request.state, "ctx", None) user_info = ctx.jwt_user_info if ctx else None if not user_info: # 降级路径:自行从 Redis 读取会话信息 user_info, _ = await _decode_token_info(token, redis) session_id = user_info.get("session_id") if not session_id: raise CustomException(msg="认证已失效", code=10401, status_code=401) # Redis 在线检查 + 滑动续期 await _check_token_online(redis, session_id) await _try_sliding_refresh(redis, session_id) username = user_info.get("user_name") if not username: raise CustomException(msg="认证已失效", code=10401, status_code=401) tenant_id = user_info.get("tenant_id") # 用户查询使用独立只读会话(不参与请求事务,查询后立即释放快照) async with async_db_session() as lookup_db: user = await _load_user_from_db(lookup_db, username) # 设置请求上下文(仅在当前 request 对象上,业务方通过 request.state.ctx 读取) if request: request.state.ctx = replace( (getattr(request.state, "ctx", None) or RequestContext()), user_id=user.id, user_username=user.username, session_id=session_id, session_info=user_info, ) # 返回的 auth.db 指向请求级事务会话,供后续读写操作使用 auth = AuthSchema(db=db, tenant_id=tenant_id, check_data_scope=False) auth.user = user return auth async def _get_cached_tenant_menu_ids(auth: AuthSchema, tenant_id: int) -> list[int]: """获取租户可用菜单 ID,带 60s 进程级缓存 套餐菜单变更频率极低,缓存可大幅减少 AuthPermission 的 DB 查询次数。 参数: auth: 认证信息 tenant_id: 租户 ID 返回: 可用菜单 ID 列表 """ cached = _package_menu_cache.get(tenant_id) if cached and time.time() - cached[0] < 60: return cached[1] from app.api.v1.module_platform.package.service import PackageService result = await PackageService.get_tenant_available_menu_ids(auth, tenant_id) _package_menu_cache[tenant_id] = (time.time(), result) return result class AuthPermission: """权限验证类""" def __init__( self, permissions: list[str] | None = None, check_data_scope: bool = True, ) -> None: """ 初始化权限验证 参数: - permissions (list[str] | None): 权限标识列表。 - check_data_scope (bool): 是否启用严格模式校验。 """ self.permissions = permissions or [] self.check_data_scope = check_data_scope async def __call__(self, auth: AuthSchema = Depends(get_current_user)) -> AuthSchema: """ 调用权限验证 参数: - auth (AuthSchema): 认证信息对象。 返回: - AuthSchema: 认证信息对象。 """ # 用 model_copy 派生一份带正确 check_data_scope 的新实例(不修改原实例) auth = auth.model_copy(update={"check_data_scope": self.check_data_scope}) # 超级管理员直接通过 if auth.user and auth.user.is_superuser: return auth # 无需验证权限 if not self.permissions: return auth # 超级管理员权限标识 if "*" in self.permissions or "*:*:*" in self.permissions: return auth # 检查用户是否有角色 if not auth.user or not auth.user.roles: raise CustomException(msg="无权限操作", code=10403, status_code=403) # 收集角色权限(附带 menu_id 用于套餐过滤) role_perms: dict[str, int] = {} for role in auth.user.roles: if role.status != 0: continue for menu in role.menus: if menu.status == 0 and menu.permission: role_perms[menu.permission] = menu.id if not role_perms: raise CustomException(msg="无权限操作", code=10403, status_code=403) # 租户用户:权限必须受套餐菜单约束(带 60s 进程级缓存) if auth.tenant_id: allowed_ids = set(await _get_cached_tenant_menu_ids(auth, auth.tenant_id)) user_permissions = {p for p, mid in role_perms.items() if mid in allowed_ids} else: user_permissions = set(role_perms.keys()) # 权限验证 - 满足任一权限即可 if not any(perm in user_permissions for perm in self.permissions): logger.error(f"用户缺少任何所需的权限: {self.permissions}") raise CustomException(msg="无权限操作", code=10403, status_code=403) return auth def require_superadmin(func): """ 装饰器:仅超级管理员可调用 Service 方法。 自动校验 ``self.auth.user.is_superuser`` 属性,非超管直接抛出 403。 适用于实例方法(``Service(auth).xxx(...)``),由 ``self.auth`` 取认证上下文。 用法: class XxxService: def __init__(self, auth: AuthSchema) -> None: self.auth = auth @require_superadmin async def create(self, data: ...) -> ...: ... """ @wraps(func) async def wrapper(self, *args, **kwargs): if not self.auth.user or not self.auth.user.is_superuser: raise CustomException(msg="仅平台管理员可操作") return await func(self, *args, **kwargs) return wrapper