huang
409a68d60b
All checks were successful
构建并部署到测试环境(无 SSH) / build-and-deploy (push) Successful in 5m45s
主要变更: 1. OpenAPI 文档契约对齐 - 统一错误响应字段名为 msg(非 message) - 规范 envelope 响应结构(code, msg, data, timestamp) - 个人客户路由纳入文档体系(使用 Register 机制) - 新增 BuildDocHandlers() 统一管理 handler 构造 - 确保文档生成的幂等性 2. Service 层错误处理统一 - 全面替换 fmt.Errorf 为 errors.New/Wrap - 统一错误码使用规范 - Handler 层参数校验不泄露底层细节 - 新增错误码验证集成测试 3. 代码质量提升 - 删除未使用的 Task handler 和路由 - 新增代码规范检查脚本(check-service-errors.sh) - 新增注释路径一致性检查(check-comment-paths.sh) - 更新 API 文档生成指南 4. OpenSpec 归档 - 归档 openapi-contract-alignment 变更(63 tasks) - 归档 service-error-unify-core 变更 - 归档 service-error-unify-support 变更 - 归档 code-cleanup-docs-update 变更 - 归档 handler-validation-security 变更 - 同步 delta specs 到主规范文件 影响范围: - pkg/openapi: 新增 handlers.go,优化 generator.go - internal/service/*: 48 个 service 文件错误处理统一 - internal/handler/admin: 优化参数校验错误提示 - internal/routes: 个人客户路由改造,删除 task 路由 - scripts: 新增 3 个代码检查脚本 - docs: 更新 OpenAPI 文档(15750+ 行) - openspec/specs: 同步 3 个主规范文件 破坏性变更:无 向后兼容:是
261 lines
7.6 KiB
Go
261 lines
7.6 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/break/junhong_cmp_fiber/internal/model"
|
|
"github.com/break/junhong_cmp_fiber/internal/model/dto"
|
|
"github.com/break/junhong_cmp_fiber/internal/store/postgres"
|
|
"github.com/break/junhong_cmp_fiber/pkg/auth"
|
|
"github.com/break/junhong_cmp_fiber/pkg/constants"
|
|
"github.com/break/junhong_cmp_fiber/pkg/errors"
|
|
pkgGorm "github.com/break/junhong_cmp_fiber/pkg/gorm"
|
|
"go.uber.org/zap"
|
|
"golang.org/x/crypto/bcrypt"
|
|
"gorm.io/gorm"
|
|
)
|
|
|
|
type Service struct {
|
|
accountStore *postgres.AccountStore
|
|
accountRoleStore *postgres.AccountRoleStore
|
|
rolePermStore *postgres.RolePermissionStore
|
|
permissionStore *postgres.PermissionStore
|
|
tokenManager *auth.TokenManager
|
|
logger *zap.Logger
|
|
}
|
|
|
|
func New(
|
|
accountStore *postgres.AccountStore,
|
|
accountRoleStore *postgres.AccountRoleStore,
|
|
rolePermStore *postgres.RolePermissionStore,
|
|
permissionStore *postgres.PermissionStore,
|
|
tokenManager *auth.TokenManager,
|
|
logger *zap.Logger,
|
|
) *Service {
|
|
return &Service{
|
|
accountStore: accountStore,
|
|
accountRoleStore: accountRoleStore,
|
|
rolePermStore: rolePermStore,
|
|
permissionStore: permissionStore,
|
|
tokenManager: tokenManager,
|
|
logger: logger,
|
|
}
|
|
}
|
|
|
|
func (s *Service) Login(ctx context.Context, req *dto.LoginRequest, clientIP string) (*dto.LoginResponse, error) {
|
|
ctx = pkgGorm.SkipDataPermission(ctx)
|
|
|
|
account, err := s.accountStore.GetByUsernameOrPhone(ctx, req.Username)
|
|
if err != nil {
|
|
if err == gorm.ErrRecordNotFound {
|
|
s.logger.Warn("登录失败:用户名不存在", zap.String("username", req.Username), zap.String("ip", clientIP))
|
|
return nil, errors.New(errors.CodeInvalidCredentials, "用户名或密码错误")
|
|
}
|
|
return nil, errors.Wrap(errors.CodeInternalError, err, "查询账号失败")
|
|
}
|
|
|
|
if err := bcrypt.CompareHashAndPassword([]byte(account.Password), []byte(req.Password)); err != nil {
|
|
s.logger.Warn("登录失败:密码错误", zap.String("username", req.Username), zap.String("ip", clientIP))
|
|
return nil, errors.New(errors.CodeInvalidCredentials, "用户名或密码错误")
|
|
}
|
|
|
|
if account.Status != 1 {
|
|
s.logger.Warn("登录失败:账号已禁用", zap.String("username", req.Username), zap.Uint("user_id", account.ID))
|
|
return nil, errors.New(errors.CodeAccountDisabled, "账号已禁用")
|
|
}
|
|
|
|
device := req.Device
|
|
if device == "" {
|
|
device = "web"
|
|
}
|
|
|
|
var shopID, enterpriseID uint
|
|
if account.ShopID != nil {
|
|
shopID = *account.ShopID
|
|
}
|
|
if account.EnterpriseID != nil {
|
|
enterpriseID = *account.EnterpriseID
|
|
}
|
|
|
|
tokenInfo := &auth.TokenInfo{
|
|
UserID: account.ID,
|
|
UserType: account.UserType,
|
|
ShopID: shopID,
|
|
EnterpriseID: enterpriseID,
|
|
Username: account.Username,
|
|
Device: device,
|
|
IP: clientIP,
|
|
}
|
|
|
|
accessToken, refreshToken, err := s.tokenManager.GenerateTokenPair(ctx, tokenInfo)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
permissions, err := s.getUserPermissions(ctx, account.ID)
|
|
if err != nil {
|
|
s.logger.Error("查询用户权限失败", zap.Uint("user_id", account.ID), zap.Error(err))
|
|
permissions = []string{}
|
|
}
|
|
|
|
userInfo := s.buildUserInfo(account)
|
|
|
|
s.logger.Info("用户登录成功",
|
|
zap.Uint("user_id", account.ID),
|
|
zap.String("username", account.Username),
|
|
zap.String("device", device),
|
|
zap.String("ip", clientIP),
|
|
)
|
|
|
|
return &dto.LoginResponse{
|
|
AccessToken: accessToken,
|
|
RefreshToken: refreshToken,
|
|
ExpiresIn: int64(constants.DefaultAccessTokenTTL.Seconds()),
|
|
User: userInfo,
|
|
Permissions: permissions,
|
|
}, nil
|
|
}
|
|
|
|
func (s *Service) Logout(ctx context.Context, accessToken, refreshToken string) error {
|
|
if err := s.tokenManager.RevokeToken(ctx, accessToken); err != nil {
|
|
return err
|
|
}
|
|
|
|
if refreshToken != "" {
|
|
if err := s.tokenManager.RevokeToken(ctx, refreshToken); err != nil {
|
|
s.logger.Warn("撤销 refresh token 失败", zap.Error(err))
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (s *Service) RefreshToken(ctx context.Context, refreshToken string) (string, error) {
|
|
return s.tokenManager.RefreshAccessToken(ctx, refreshToken)
|
|
}
|
|
|
|
func (s *Service) GetCurrentUser(ctx context.Context, userID uint) (*dto.UserInfo, []string, error) {
|
|
account, err := s.accountStore.GetByID(ctx, userID)
|
|
if err != nil {
|
|
if err == gorm.ErrRecordNotFound {
|
|
return nil, nil, errors.New(errors.CodeAccountNotFound, "账号不存在")
|
|
}
|
|
return nil, nil, errors.Wrap(errors.CodeInternalError, err, "查询账号失败")
|
|
}
|
|
|
|
permissions, err := s.getUserPermissions(ctx, userID)
|
|
if err != nil {
|
|
s.logger.Error("查询用户权限失败", zap.Uint("user_id", userID), zap.Error(err))
|
|
permissions = []string{}
|
|
}
|
|
|
|
userInfo := s.buildUserInfo(account)
|
|
|
|
return &userInfo, permissions, nil
|
|
}
|
|
|
|
func (s *Service) ChangePassword(ctx context.Context, userID uint, oldPassword, newPassword string) error {
|
|
account, err := s.accountStore.GetByID(ctx, userID)
|
|
if err != nil {
|
|
if err == gorm.ErrRecordNotFound {
|
|
return errors.New(errors.CodeAccountNotFound, "账号不存在")
|
|
}
|
|
return errors.Wrap(errors.CodeInternalError, err, "查询账号失败")
|
|
}
|
|
|
|
if err := bcrypt.CompareHashAndPassword([]byte(account.Password), []byte(oldPassword)); err != nil {
|
|
return errors.New(errors.CodeInvalidOldPassword, "旧密码错误")
|
|
}
|
|
|
|
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(newPassword), bcrypt.DefaultCost)
|
|
if err != nil {
|
|
return errors.Wrap(errors.CodeInternalError, err, "密码加密失败")
|
|
}
|
|
|
|
if err := s.accountStore.UpdatePassword(ctx, userID, string(hashedPassword), userID); err != nil {
|
|
return errors.Wrap(errors.CodeInternalError, err, "更新密码失败")
|
|
}
|
|
|
|
if err := s.tokenManager.RevokeAllUserTokens(ctx, userID); err != nil {
|
|
s.logger.Warn("撤销用户所有 token 失败", zap.Uint("user_id", userID), zap.Error(err))
|
|
}
|
|
|
|
s.logger.Info("用户修改密码成功", zap.Uint("user_id", userID))
|
|
|
|
return nil
|
|
}
|
|
|
|
func (s *Service) getUserPermissions(ctx context.Context, userID uint) ([]string, error) {
|
|
accountRoles, err := s.accountRoleStore.GetByAccountID(ctx, userID)
|
|
if err != nil {
|
|
return nil, errors.Wrap(errors.CodeInternalError, err, "查询用户角色失败")
|
|
}
|
|
|
|
if len(accountRoles) == 0 {
|
|
return []string{}, nil
|
|
}
|
|
|
|
roleIDs := make([]uint, 0, len(accountRoles))
|
|
for _, ar := range accountRoles {
|
|
roleIDs = append(roleIDs, ar.RoleID)
|
|
}
|
|
|
|
permIDs, err := s.rolePermStore.GetPermIDsByRoleIDs(ctx, roleIDs)
|
|
if err != nil {
|
|
return nil, errors.Wrap(errors.CodeInternalError, err, "查询角色权限失败")
|
|
}
|
|
|
|
if len(permIDs) == 0 {
|
|
return []string{}, nil
|
|
}
|
|
|
|
permissions, err := s.permissionStore.GetByIDs(ctx, permIDs)
|
|
if err != nil {
|
|
return nil, errors.Wrap(errors.CodeInternalError, err, "查询权限详情失败")
|
|
}
|
|
|
|
permCodes := make([]string, 0, len(permissions))
|
|
for _, perm := range permissions {
|
|
permCodes = append(permCodes, perm.PermCode)
|
|
}
|
|
|
|
return permCodes, nil
|
|
}
|
|
|
|
func (s *Service) buildUserInfo(account *model.Account) dto.UserInfo {
|
|
userTypeName := s.getUserTypeName(account.UserType)
|
|
|
|
var shopID, enterpriseID uint
|
|
if account.ShopID != nil {
|
|
shopID = *account.ShopID
|
|
}
|
|
if account.EnterpriseID != nil {
|
|
enterpriseID = *account.EnterpriseID
|
|
}
|
|
|
|
return dto.UserInfo{
|
|
ID: account.ID,
|
|
Username: account.Username,
|
|
Phone: account.Phone,
|
|
UserType: account.UserType,
|
|
UserTypeName: userTypeName,
|
|
ShopID: shopID,
|
|
EnterpriseID: enterpriseID,
|
|
}
|
|
}
|
|
|
|
func (s *Service) getUserTypeName(userType int) string {
|
|
switch userType {
|
|
case constants.UserTypeSuperAdmin:
|
|
return "超级管理员"
|
|
case constants.UserTypePlatform:
|
|
return "平台用户"
|
|
case constants.UserTypeAgent:
|
|
return "代理账号"
|
|
case constants.UserTypeEnterprise:
|
|
return "企业账号"
|
|
default:
|
|
return "未知"
|
|
}
|
|
}
|