import json import uuid from datetime import datetime, timedelta from typing import NewType import ua_parser from fastapi import BackgroundTasks, Request from redis.asyncio.client import Redis from sqlalchemy.ext.asyncio import AsyncSession from app.api.v1.module_monitor.online.schema import OnlineOutSchema from app.api.v1.module_system.user.crud import UserCRUD from app.api.v1.module_system.user.model import UserModel from app.common.enums import RedisInitKeyConfig from app.config.setting import settings from app.core.base_schema import ( AuthSchema, JWTOutSchema, JWTPayloadSchema, LogoutPayloadSchema, RefreshTokenPayloadSchema, ) from app.core.exceptions import CustomException from app.core.logger import logger from app.core.redis_crud import RedisCURD from app.core.security import ( CustomOAuth2PasswordRequestForm, create_access_token, decode_access_token, ) from app.utils.captcha_util import CaptchaUtil from app.utils.common_util import get_random_character from app.utils.hash_bcrpy_util import PwdUtil from app.utils.ip_local_util import IpLocalUtil, get_client_ip from .schema import ( AutoLoginTokenSchema, AutoLoginUserSchema, CaptchaOutSchema, LoginWithTenantsSchema, SelectTenantOutSchema, TenantOptionSchema, TenantRegisterOutSchema, ) CaptchaKey = NewType("CaptchaKey", str) CaptchaBase64 = NewType("CaptchaBase64", str) async def _write_login_log( username: str, status: int, login_ip: str | None = None, login_location: str | None = None, request_os: str | None = None, request_browser: str | None = None, msg: str | None = None, ) -> int | None: """写入登录日志;返回日志 ID(用于后台补全归属地)。""" from app.api.v1.module_system.log.crud import LoginLogCRUD from app.api.v1.module_system.log.schema import LoginLogCreateSchema from app.core.base_schema import AuthSchema from app.core.database import async_db_session try: async with async_db_session() as session: async with session.begin(): _auth = AuthSchema(db=session, check_data_scope=False) obj = await LoginLogCRUD(_auth).create(data=LoginLogCreateSchema( username=username, status=status, login_ip=login_ip, login_location=login_location, request_os=request_os, request_browser=request_browser, msg=msg, )) return obj.id if obj else None except Exception: return None async def _async_fill_login_location( redis, login_log_id: int, ip: str | None ) -> None: """后台异步补全登录日志的归属地。""" if not ip: return try: location = await IpLocalUtil.resolve_location_async(redis, ip) if location == "归属地查询中" or not location: return from sqlalchemy import update as sa_update from app.api.v1.module_system.log.model import LoginLogModel from app.core.database import async_db_session async with async_db_session() as session: async with session.begin(): await session.execute( sa_update(LoginLogModel) .where(LoginLogModel.id == login_log_id) .values(login_location=location) ) except Exception as e: from app.core.logger import logger logger.warning(f"异步补全登录归属地失败: {e}") def _resolve_request_ip(request: Request) -> str | None: """从请求中解析客户端真实 IP。""" return get_client_ip(request) class LoginService: """登录认证服务""" def __init__(self, auth: AuthSchema | None = None) -> None: self.auth = auth @classmethod async def authenticate_user( cls, request: Request, background_tasks: BackgroundTasks, redis: Redis, login_form: CustomOAuth2PasswordRequestForm, db: AsyncSession, ) -> LoginWithTenantsSchema: """用户认证""" ua_result = ua_parser.parse(request.headers.get("user-agent")) request_ip = _resolve_request_ip(request) login_location = await IpLocalUtil.resolve_location_for_log(redis, request_ip) _login_os = ua_result.os.family if ua_result.os else "Unknown" _login_browser = ua_result.user_agent.family if ua_result.user_agent else "Unknown" _login_username = login_form.username referer = request.headers.get("referer", "") request_from_docs = referer.endswith(("docs", "redoc")) if settings.CAPTCHA_ENABLE and not request_from_docs: if not login_form.captcha_key or not login_form.captcha: raise CustomException(msg="验证码不能为空") await CaptchaService.check_captcha( redis=redis, key=login_form.captcha_key, captcha=login_form.captcha, ) auth = AuthSchema(db=db, check_data_scope=False) user = await UserCRUD(auth).get(username=login_form.username) if not user: await _write_login_log( username=_login_username, status=2, login_ip=request_ip, login_location=login_location, request_os=_login_os, request_browser=_login_browser, msg="用户不存在", ) raise CustomException(msg="用户不存在") if not PwdUtil.verify_password(plain_password=login_form.password, password_hash=user.password): await _write_login_log( username=_login_username, status=2, login_ip=request_ip, login_location=login_location, request_os=_login_os, request_browser=_login_browser, msg="账号或密码错误", ) raise CustomException(msg="账号或密码错误") if user.status == 1: await _write_login_log( username=_login_username, status=2, login_ip=request_ip, login_location=login_location, request_os=_login_os, request_browser=_login_browser, msg="用户已被停用", ) raise CustomException(msg="用户已被停用") from sqlalchemy import select from app.api.v1.module_platform.tenant.model import TenantModel tenant_stmt = select(TenantModel).where(TenantModel.id == user.tenant_id, TenantModel.status == 0, TenantModel.is_deleted.is_(False)).limit(1) tenant_result = await auth.db.execute(tenant_stmt) if not tenant_result.scalar_one_or_none(): await _write_login_log( username=_login_username, status=2, login_ip=request_ip, login_location=login_location, request_os=_login_os, request_browser=_login_browser, msg="所属租户已被禁用", ) raise CustomException(msg="所属租户已被禁用,请联系平台管理员") await UserCRUD(auth).update_last_login(id=user.id) if not user: raise CustomException(msg="用户不存在") if not login_form.login_type: raise CustomException(msg="登录类型不能为空") token = await cls.create_token( request=request, redis=redis, user=user, login_type=login_form.login_type, ) tenants_auth = AuthSchema(db=db, user=user, tenant_id=user.tenant_id, check_data_scope=False) tenants = await LoginService(tenants_auth).get_user_tenants(user_id=user.id) user_info = { "id": user.id, "username": user.username, "name": user.name, "avatar": user.avatar, "is_superuser": user.is_superuser, } log_id = await _write_login_log( username=user.username, status=1, login_ip=request_ip, login_location=login_location, request_os=_login_os, request_browser=_login_browser, msg="登录成功", ) # 登录成功后异步补全归属地,不阻塞返回 if log_id and login_location == "归属地查询中": background_tasks.add_task(_async_fill_login_location, redis, log_id, request_ip) return LoginWithTenantsSchema( access_token=token.access_token, refresh_token=token.refresh_token, expires_in=token.expires_in, token_type=token.token_type, tenants=tenants, user_info=user_info, ) @classmethod async def create_token(cls, request: Request, redis: Redis, user: UserModel, login_type: str) -> JWTOutSchema: """创建访问令牌和刷新令牌""" session_id = str(uuid.uuid4()) ua_result = ua_parser.parse(request.headers.get("user-agent")) request_ip = _resolve_request_ip(request) login_location = await IpLocalUtil.resolve_location_for_log(redis, request_ip) from dataclasses import replace from app.core.request_context import RequestContext base_ctx = getattr(request.state, "ctx", None) or RequestContext() request.state.ctx = replace( base_ctx, session_id=session_id, user_username=user.username, login_location=login_location, ) access_expires = timedelta(seconds=settings.ACCESS_TOKEN_EXPIRE_SECONDS) refresh_expires = timedelta(seconds=settings.REFRESH_TOKEN_EXPIRE_SECONDS) now = datetime.now() session_info = OnlineOutSchema( session_id=session_id, user_id=user.id, tenant_id=user.tenant_id, is_superuser=user.is_superuser, name=user.name, user_name=user.username, ipaddr=request_ip, login_location=login_location, os=ua_result.os.family if ua_result.os else "Unknown", browser=ua_result.user_agent.family if ua_result.user_agent else "Unknown", login_time=user.last_login, login_type=login_type, ).model_dump_json() # 会话信息存 Redis(完整 JSON),JWT sub 仅含 session_id await RedisCURD(redis).set( key=f"{RedisInitKeyConfig.USER_SESSION.key}:{session_id}", value=session_info, expire=int(refresh_expires.total_seconds()), ) access_token = create_access_token( payload=JWTPayloadSchema( sub=session_id, is_refresh=False, exp=now + access_expires, ) ) refresh_token = create_access_token( payload=JWTPayloadSchema( sub=session_id, is_refresh=True, exp=now + refresh_expires, ) ) await RedisCURD(redis).set( key=f"{RedisInitKeyConfig.ACCESS_TOKEN.key}:{session_id}", value=access_token, expire=int(access_expires.total_seconds()), ) await RedisCURD(redis).set( key=f"{RedisInitKeyConfig.REFRESH_TOKEN.key}:{session_id}", value=refresh_token, expire=int(refresh_expires.total_seconds()), ) return JWTOutSchema( access_token=access_token, refresh_token=refresh_token, expires_in=int(access_expires.total_seconds()), token_type=settings.TOKEN_TYPE, ) @classmethod async def refresh_token( cls, db: AsyncSession, redis: Redis, refresh_token: RefreshTokenPayloadSchema, ) -> JWTOutSchema: """刷新访问令牌""" token_payload: JWTPayloadSchema = decode_access_token(token=refresh_token.refresh_token) if not token_payload.is_refresh: raise CustomException(msg="非法凭证,请传入刷新令牌") session_id = token_payload.sub session_info = await RedisCURD(redis).get( f"{RedisInitKeyConfig.USER_SESSION.key}:{session_id}" ) if not session_info: raise CustomException(msg="会话已过期,请重新登录") user_id = json.loads(session_info).get("user_id") if not session_id or not user_id: raise CustomException(msg="非法凭证,无法获取会话编号或用户ID") auth = AuthSchema(db=db, check_data_scope=False) user = await UserCRUD(auth).get(id=user_id) if not user: raise CustomException(msg="刷新token失败,用户不存在") if user.status == 1: raise CustomException(msg="用户已被停用") access_expires = timedelta(seconds=settings.ACCESS_TOKEN_EXPIRE_SECONDS) refresh_expires = timedelta(seconds=settings.REFRESH_TOKEN_EXPIRE_SECONDS) now = datetime.now() # 延长会话信息 Redis TTL await RedisCURD(redis).expire( key=f"{RedisInitKeyConfig.USER_SESSION.key}:{session_id}", expire=int(refresh_expires.total_seconds()), ) access_token = create_access_token( payload=JWTPayloadSchema( sub=session_id, is_refresh=False, exp=now + access_expires, ) ) refresh_token_new = create_access_token( payload=JWTPayloadSchema( sub=session_id, is_refresh=True, exp=now + refresh_expires, ) ) await RedisCURD(redis).set( key=f"{RedisInitKeyConfig.ACCESS_TOKEN.key}:{session_id}", value=access_token, expire=int(access_expires.total_seconds()), ) await RedisCURD(redis).set( key=f"{RedisInitKeyConfig.REFRESH_TOKEN.key}:{session_id}", value=refresh_token_new, expire=int(refresh_expires.total_seconds()), ) return JWTOutSchema( access_token=access_token, refresh_token=refresh_token_new, token_type=settings.TOKEN_TYPE, expires_in=int(access_expires.total_seconds()), ) @staticmethod async def logout(redis: Redis, token: LogoutPayloadSchema) -> bool: """退出登录""" payload: JWTPayloadSchema = decode_access_token(token=token.token) session_id = payload.sub if not session_id: raise CustomException(msg="非法凭证,无法获取会话编号") await RedisCURD(redis).delete(f"{RedisInitKeyConfig.ACCESS_TOKEN.key}:{session_id}") await RedisCURD(redis).delete(f"{RedisInitKeyConfig.REFRESH_TOKEN.key}:{session_id}") await RedisCURD(redis).delete(f"{RedisInitKeyConfig.USER_SESSION.key}:{session_id}") logger.info(f"用户退出登录成功,会话编号:{session_id}") return True async def get_user_tenants( self, user_id: int | None = None, ) -> list[TenantOptionSchema]: """获取用户关联的租户列表""" from sqlalchemy import select from app.api.v1.module_platform.tenant.model import TenantModel, TenantUserModel uid = user_id or (self.auth.user.id if self.auth.user else None) if not uid: return [] if self.auth.user and self.auth.user.is_superuser: stmt = select(TenantModel).where(TenantModel.status == 0, TenantModel.is_deleted.is_(False)).order_by(TenantModel.sort, TenantModel.id) result = await self.auth.db.execute(stmt) tenant_objs = result.scalars().all() return [TenantOptionSchema(id=t.id, name=t.name, code=t.code) for t in tenant_objs] stmt = ( select(TenantModel) .join(TenantUserModel, TenantUserModel.tenant_id == TenantModel.id) .where( TenantUserModel.user_id == uid, TenantModel.status == 0, TenantModel.is_deleted.is_(False), ) .order_by(TenantUserModel.is_default.desc(), TenantModel.sort, TenantModel.id) ) result = await self.auth.db.execute(stmt) tenant_objs = result.scalars().all() return [TenantOptionSchema(id=t.id, name=t.name, code=t.code) for t in tenant_objs] async def select_tenant( self, request: Request, redis: Redis, tenant_id: int, ) -> SelectTenantOutSchema: """选择租户:验证用户归属并签发含租户上下文的新 JWT Token""" from sqlalchemy import select from app.api.v1.module_platform.tenant.model import TenantModel, TenantUserModel if not self.auth.user: raise CustomException(msg="未认证用户") if not self.auth.user.is_superuser: exist_stmt = ( select(TenantUserModel) .where( TenantUserModel.user_id == self.auth.user.id, TenantUserModel.tenant_id == tenant_id, ) .limit(1) ) result = await self.auth.db.execute(exist_stmt) if not result.scalar_one_or_none(): raise CustomException(msg="您不属于该租户,无法切换") tenant_stmt = select(TenantModel).where(TenantModel.id == tenant_id, TenantModel.status == 0).limit(1) result = await self.auth.db.execute(tenant_stmt) tenant = result.scalar_one_or_none() if not tenant: raise CustomException(msg="租户不存在或已被禁用") ctx = getattr(request.state, "ctx", None) session_id = ctx.session_id if ctx else None session_info = ctx.session_info if ctx else None if not session_id or not session_info: raise CustomException(msg="会话已失效") # 更新会话中的租户 ID 并写回 Redis session_info["tenant_id"] = tenant_id refresh_expires = timedelta(seconds=settings.REFRESH_TOKEN_EXPIRE_SECONDS) from app.core.redis_crud import RedisCURD from app.core.security import create_access_token await RedisCURD(redis).set( key=f"{RedisInitKeyConfig.USER_SESSION.key}:{session_id}", value=json.dumps(session_info) if isinstance(session_info, dict) else session_info, expire=int(refresh_expires.total_seconds()), ) access_expires = timedelta(seconds=settings.ACCESS_TOKEN_EXPIRE_SECONDS) now = datetime.now() new_access_token = create_access_token( payload=JWTPayloadSchema( sub=session_id, is_refresh=False, exp=now + access_expires, ) ) await RedisCURD(redis).set( key=f"{RedisInitKeyConfig.ACCESS_TOKEN.key}:{session_id}", value=new_access_token, expire=int(access_expires.total_seconds()), ) new_refresh_token = create_access_token( payload=JWTPayloadSchema( sub=session_id, is_refresh=True, exp=now + refresh_expires, ) ) await RedisCURD(redis).set( key=f"{RedisInitKeyConfig.REFRESH_TOKEN.key}:{session_id}", value=new_refresh_token, expire=int(refresh_expires.total_seconds()), ) from app.core.request_context import set_current_tenant set_current_tenant(tenant_id) logger.info(f"用户 {self.auth.user.username}(id={self.auth.user.id}) 切换到租户 {tenant.name}(id={tenant_id})") return SelectTenantOutSchema( access_token=new_access_token, token_type=settings.TOKEN_TYPE, expires_in=int(access_expires.total_seconds()), ) class CaptchaService: """验证码服务""" @staticmethod async def get_captcha(redis: Redis) -> CaptchaOutSchema: """获取验证码""" if not settings.CAPTCHA_ENABLE: raise CustomException(msg="未开启验证码服务") captcha_base64, captcha_value = CaptchaUtil.captcha_arithmetic() captcha_key = get_random_character() redis_key = f"{RedisInitKeyConfig.CAPTCHA_CODES.key}:{captcha_key}" await RedisCURD(redis).set( key=redis_key, value=captcha_value, expire=settings.CAPTCHA_EXPIRE_SECONDS, ) return CaptchaOutSchema( enable=settings.CAPTCHA_ENABLE, key=CaptchaKey(captcha_key), img_base=CaptchaBase64(f"data:image/png;base64,{captcha_base64}"), ) @staticmethod async def check_captcha(redis: Redis, key: str, captcha: str) -> bool: """校验验证码""" if not captcha: raise CustomException(msg="验证码不能为空") redis_key = f"{RedisInitKeyConfig.CAPTCHA_CODES.key}:{key}" captcha_value = await RedisCURD(redis).get(redis_key) if not captcha_value: raise CustomException(msg="验证码已过期") if captcha.lower() != captcha_value.lower(): raise CustomException(msg="验证码错误") await RedisCURD(redis).delete(redis_key) return True class AutoLoginService: """免登录服务""" AUTO_LOGIN_PREFIX = "fastapiadmin:auto_login:" TOKEN_EXPIRE = 300 @classmethod async def get_auto_login_users(cls, db: AsyncSession, tenant_id: int | None = None) -> list[AutoLoginUserSchema]: """获取免登录用户列表""" from sqlalchemy import select from app.api.v1.module_system.user.model import UserModel stmt = select(UserModel).where(UserModel.status == 0) if tenant_id is not None: stmt = stmt.where(UserModel.tenant_id == tenant_id) stmt = stmt.order_by(UserModel.id) result = await db.execute(stmt) users = result.scalars().all() return [ AutoLoginUserSchema( id=user.id, username=user.username, name=user.name, avatar=user.avatar, ) for user in users ] @classmethod async def create_auto_login_token( cls, redis: Redis, db: AsyncSession, user_id: int, tenant_id: int | None = None, ) -> AutoLoginTokenSchema: """创建免登录Token""" from sqlalchemy import select from app.api.v1.module_system.user.model import UserModel stmt = select(UserModel).where(UserModel.id == user_id) if tenant_id is not None: stmt = stmt.where(UserModel.tenant_id == tenant_id) result = await db.execute(stmt) user = result.scalar_one_or_none() if not user: raise CustomException(msg="用户不存在") if user.status == 1: raise CustomException(msg="用户已被停用") import uuid token = str(uuid.uuid4()) token_key = f"{cls.AUTO_LOGIN_PREFIX}{token}" token_data = { "user_id": user.id, "username": user.username, "tenant_id": user.tenant_id, "created_at": datetime.now().isoformat(), } await RedisCURD(redis).set( key=token_key, value=json.dumps(token_data), expire=cls.TOKEN_EXPIRE, ) logger.info(f"创建免登录Token成功,用户:{user.username}") return AutoLoginTokenSchema( token=token, user=AutoLoginUserSchema( id=user.id, username=user.username, name=user.name, avatar=user.avatar, ), ) @classmethod async def auto_login( cls, request: Request, redis: Redis, db: AsyncSession, token: str, tenant_id: int | None = None, ) -> JWTOutSchema: """免登录""" from sqlalchemy import select from app.api.v1.module_system.user.model import UserModel token_key = f"{cls.AUTO_LOGIN_PREFIX}{token}" token_data_str = await RedisCURD(redis).get(token_key) if not token_data_str: raise CustomException(msg="免登录Token已过期或无效") if isinstance(token_data_str, bytes): token_data_str = token_data_str.decode("utf-8") token_data = json.loads(token_data_str) user_id = token_data.get("user_id") token_tenant_id = token_data.get("tenant_id") stmt = select(UserModel).where(UserModel.id == user_id) effective_tenant_id = tenant_id if tenant_id is not None else token_tenant_id if effective_tenant_id is not None: stmt = stmt.where(UserModel.tenant_id == effective_tenant_id) result = await db.execute(stmt) user = result.scalar_one_or_none() if not user: raise CustomException(msg="用户不存在") if user.status == 1: raise CustomException(msg="用户已被停用") await RedisCURD(redis).delete(token_key) jwt_token = await LoginService.create_token(request=request, redis=redis, user=user, login_type="PC端") logger.info(f"用户{user.username}免登录成功") return jwt_token class TenantRegisterService: """PRD §4.5 租户自助注册:一次性创建租户 + 管理员 + owner 角色 + 菜单分配""" DEFAULT_TRIAL_DAYS = 7 @classmethod async def register( cls, db: AsyncSession, username: str, password: str, email: str, tenant_name: str | None = None, ) -> TenantRegisterOutSchema: """租户自助注册:一次性创建租户 + 管理员 + owner 角色 + 菜单分配""" from sqlalchemy import func, select from sqlalchemy.exc import IntegrityError from app.api.v1.module_platform.package.model import PackageMenuModel, PackageModel from app.api.v1.module_platform.tenant.model import TenantModel from app.api.v1.module_system.role.model import RoleMenusModel, RoleModel from app.api.v1.module_system.user.model import UserModel, UserRolesModel exists_stmt = ( select(func.count()) .select_from(UserModel) .where( UserModel.is_deleted.is_(False), (UserModel.username == username) | (UserModel.email == email), ) ) cnt = (await db.execute(exists_stmt)).scalar() or 0 if cnt > 0: raise CustomException(msg="用户名或邮箱已被占用") pkg_stmt = select(PackageModel).where(PackageModel.status == 0).order_by(PackageModel.id).limit(1) default_pkg = (await db.execute(pkg_stmt)).scalar_one_or_none() now = datetime.now() trial_end = now + timedelta(days=cls.DEFAULT_TRIAL_DAYS) base = tenant_name or username code_suffix = base.encode("utf-8").hex()[:6].upper() tenant_code = f"T{code_suffix}" tenant = TenantModel( name=tenant_name or f"{username}的租户", code=tenant_code, contact_name=username, package_id=default_pkg.id if default_pkg else None, start_time=now, end_time=trial_end, status=0, ) db.add(tenant) await db.flush() user = UserModel( username=username, password=PwdUtil.hash_password(password), email=email, tenant_id=tenant.id, status=0, ) db.add(user) await db.flush() owner_role = RoleModel( name="租户管理员", code="owner", tenant_id=tenant.id, order=1, data_scope=4, description="自助注册创建的管理员角色", ) db.add(owner_role) await db.flush() user_role = UserRolesModel(user_id=user.id, role_id=owner_role.id) db.add(user_role) if default_pkg: pkg_menu_stmt = select(PackageMenuModel).where( PackageMenuModel.package_id == default_pkg.id, ) pkg_menus = (await db.execute(pkg_menu_stmt)).scalars().all() for pm in pkg_menus: db.add(RoleMenusModel(role_id=owner_role.id, menu_id=pm.menu_id)) try: await db.commit() except IntegrityError: await db.rollback() raise CustomException(msg="租户编码或用户名已被占用,请重试") try: await cls._send_welcome_email(email, username, tenant.name, trial_end) except Exception: logger.warning(f"注册欢迎邮件发送失败: {email}") return TenantRegisterOutSchema( user_id=user.id, username=username, tenant_id=tenant.id, tenant_name=tenant.name, tenant_code=tenant_code, package=default_pkg.name if default_pkg else None, trial_end=trial_end.strftime("%Y-%m-%d"), message="注册成功", ) @classmethod async def _send_welcome_email(cls, to_email: str, username: str, tenant_name: str, trial_end: datetime) -> None: """发送欢迎邮件(不阻塞注册流程)。""" from app.api.v1.module_platform.email.crud import EmailConfigCRUD from app.core.base_schema import AuthSchema from app.core.database import async_db_session from app.utils.email_util import render_template_file, send_email async with async_db_session() as _db: cfg = await EmailConfigCRUD(AuthSchema(db=_db, check_data_scope=False)).get_active_default() if not cfg: logger.info("无可用 SMTP 配置,跳过欢迎邮件") return html_body = render_template_file("emails/welcome.jinja2", { "tenant_name": tenant_name, "username": username, "trial_end": trial_end.strftime("%Y-%m-%d"), }) await send_email( smtp_host=cfg.smtp_host, smtp_port=cfg.smtp_port, smtp_user=cfg.smtp_user, smtp_password=cfg.smtp_password, use_tls=cfg.use_tls, from_name=cfg.from_name, to_email=to_email, to_name=username, subject=f"欢迎加入 {tenant_name}!", body_html=html_body, ) logger.info(f"欢迎邮件已发送至 {to_email}")