Neo
6f8f12314f
包含多个会话的累积代码变更: - backend: AI 聊天服务、触发器调度、认证增强、WebSocket、调度器最小间隔 - admin-web: ETL 状态页、任务管理、调度配置、登录优化 - miniprogram: 看板页面、聊天集成、UI 组件、导航更新 - etl: DWS 新任务(finance_area_daily/board_cache)、连接器增强 - tenant-admin: 项目初始化 - db: 19 个迁移脚本(etl_feiqiu 11 + zqyy_app 8) - packages/shared: 枚举和工具函数更新 - tools: 数据库工具、报表生成、健康检查 - docs: PRD/架构/部署/合约文档更新 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
248 lines
7.7 KiB
Python
248 lines
7.7 KiB
Python
# -*- coding: utf-8 -*-
|
||
"""
|
||
租户管理员认证路由:登录与令牌刷新。
|
||
|
||
- POST /api/tenant/auth/login — 用户名+密码验证,签发 JWT(aud=tenant-admin)
|
||
- POST /api/tenant/auth/refresh — 刷新令牌换取新令牌对
|
||
|
||
JWT payload 包含:sub=admin_id, tenant_id, managed_site_ids, aud=tenant-admin, type
|
||
"""
|
||
|
||
from __future__ import annotations
|
||
|
||
import logging
|
||
from datetime import datetime, timedelta, timezone
|
||
|
||
from fastapi import APIRouter, HTTPException, status
|
||
from jose import JWTError, jwt as jose_jwt
|
||
from pydantic import BaseModel, Field
|
||
|
||
from app import config
|
||
from app.auth.jwt import verify_password
|
||
from app.database import get_connection
|
||
|
||
logger = logging.getLogger(__name__)
|
||
|
||
router = APIRouter(prefix="/api/tenant/auth", tags=["租户认证"])
|
||
|
||
|
||
# ── Pydantic 模型 ────────────────────────────────────────────
|
||
|
||
|
||
class TenantLoginRequest(BaseModel):
|
||
"""租户管理员登录请求。"""
|
||
username: str = Field(..., min_length=1, max_length=100, description="用户名")
|
||
password: str = Field(..., min_length=1, description="密码")
|
||
|
||
|
||
class TenantRefreshRequest(BaseModel):
|
||
"""刷新令牌请求。"""
|
||
refresh_token: str = Field(..., min_length=1, description="刷新令牌")
|
||
|
||
|
||
class TenantTokenResponse(BaseModel):
|
||
"""令牌响应。"""
|
||
access_token: str
|
||
refresh_token: str
|
||
token_type: str = "bearer"
|
||
|
||
|
||
# ── JWT 签发(租户管理员专用,含 aud=tenant-admin) ──────────
|
||
|
||
|
||
def _create_tenant_access_token(
|
||
admin_id: int,
|
||
tenant_id: int,
|
||
managed_site_ids: list[int],
|
||
admin_type: str = "tenant_admin",
|
||
display_name: str | None = None,
|
||
) -> str:
|
||
"""签发租户管理员 access_token(aud=tenant-admin)。"""
|
||
expire = datetime.now(timezone.utc) + timedelta(
|
||
minutes=config.JWT_ACCESS_TOKEN_EXPIRE_MINUTES
|
||
)
|
||
payload: dict = {
|
||
"sub": str(admin_id),
|
||
"tenant_id": tenant_id,
|
||
"managed_site_ids": managed_site_ids,
|
||
"admin_type": admin_type,
|
||
"aud": "tenant-admin",
|
||
"type": "access",
|
||
"exp": expire,
|
||
}
|
||
if display_name is not None:
|
||
payload["display_name"] = display_name
|
||
return jose_jwt.encode(payload, config.JWT_SECRET_KEY, algorithm=config.JWT_ALGORITHM)
|
||
|
||
|
||
def _create_tenant_refresh_token(
|
||
admin_id: int,
|
||
tenant_id: int,
|
||
managed_site_ids: list[int],
|
||
admin_type: str = "tenant_admin",
|
||
) -> str:
|
||
"""签发租户管理员 refresh_token(aud=tenant-admin)。"""
|
||
expire = datetime.now(timezone.utc) + timedelta(
|
||
days=config.JWT_REFRESH_TOKEN_EXPIRE_DAYS
|
||
)
|
||
payload: dict = {
|
||
"sub": str(admin_id),
|
||
"tenant_id": tenant_id,
|
||
"managed_site_ids": managed_site_ids,
|
||
"admin_type": admin_type,
|
||
"aud": "tenant-admin",
|
||
"type": "refresh",
|
||
"exp": expire,
|
||
}
|
||
return jose_jwt.encode(payload, config.JWT_SECRET_KEY, algorithm=config.JWT_ALGORITHM)
|
||
|
||
|
||
# ── 路由端点 ─────────────────────────────────────────────────
|
||
|
||
|
||
@router.post("/login", response_model=TenantTokenResponse)
|
||
async def tenant_login(body: TenantLoginRequest):
|
||
"""
|
||
租户管理员登录。
|
||
|
||
查询 auth.tenant_admins 表验证用户名密码,成功后签发 JWT 令牌对。
|
||
- 用户不存在或密码错误:401(统一消息,不区分)
|
||
- 账号已禁用(is_active=false):403
|
||
- 登录成功:更新 last_login_at
|
||
"""
|
||
conn = get_connection()
|
||
try:
|
||
with conn.cursor() as cur:
|
||
# CHANGE 2026-03-22 | Prompt: 删除与禁用分离 | 过滤已删除记录
|
||
# CHANGE 2026-03-23 | Prompt: 登录用户名大小写不敏感 | LOWER() 比较
|
||
cur.execute(
|
||
"SELECT id, password_hash, display_name, tenant_id, "
|
||
"managed_site_ids, is_active, admin_type "
|
||
"FROM auth.tenant_admins "
|
||
"WHERE LOWER(username) = LOWER(%s) AND deleted_at IS NULL",
|
||
(body.username,),
|
||
)
|
||
row = cur.fetchone()
|
||
finally:
|
||
conn.close()
|
||
|
||
# 用户不存在 → 401(统一消息)
|
||
if row is None:
|
||
raise HTTPException(
|
||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||
detail="用户名或密码错误",
|
||
)
|
||
|
||
admin_id, password_hash, display_name, tenant_id, managed_site_ids, is_active, admin_type = row
|
||
|
||
# 账号禁用 → 403
|
||
if not is_active:
|
||
raise HTTPException(
|
||
status_code=status.HTTP_403_FORBIDDEN,
|
||
detail="账号已被禁用",
|
||
)
|
||
|
||
# 密码错误 → 401(统一消息)
|
||
if not verify_password(body.password, password_hash):
|
||
raise HTTPException(
|
||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||
detail="用户名或密码错误",
|
||
)
|
||
|
||
# 登录成功:更新 last_login_at
|
||
conn = get_connection()
|
||
try:
|
||
with conn.cursor() as cur:
|
||
cur.execute(
|
||
"UPDATE auth.tenant_admins SET last_login_at = NOW() WHERE id = %s",
|
||
(admin_id,),
|
||
)
|
||
conn.commit()
|
||
except Exception:
|
||
logger.warning("更新 last_login_at 失败(admin_id=%s)", admin_id, exc_info=True)
|
||
finally:
|
||
conn.close()
|
||
|
||
# 签发令牌对
|
||
access_token = _create_tenant_access_token(
|
||
admin_id=admin_id,
|
||
tenant_id=tenant_id,
|
||
managed_site_ids=managed_site_ids,
|
||
admin_type=admin_type,
|
||
display_name=display_name,
|
||
)
|
||
refresh_token = _create_tenant_refresh_token(
|
||
admin_id=admin_id,
|
||
tenant_id=tenant_id,
|
||
managed_site_ids=managed_site_ids,
|
||
admin_type=admin_type,
|
||
)
|
||
|
||
return TenantTokenResponse(
|
||
access_token=access_token,
|
||
refresh_token=refresh_token,
|
||
token_type="bearer",
|
||
)
|
||
|
||
|
||
@router.post("/refresh", response_model=TenantTokenResponse)
|
||
async def tenant_refresh(body: TenantRefreshRequest):
|
||
"""
|
||
刷新租户管理员令牌。
|
||
|
||
验证 refresh_token(aud=tenant-admin, type=refresh),签发新令牌对。
|
||
"""
|
||
try:
|
||
payload = jose_jwt.decode(
|
||
body.refresh_token,
|
||
config.JWT_SECRET_KEY,
|
||
algorithms=[config.JWT_ALGORITHM],
|
||
audience="tenant-admin",
|
||
)
|
||
except JWTError:
|
||
raise HTTPException(
|
||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||
detail="无效的刷新令牌",
|
||
)
|
||
|
||
# 验证 token type
|
||
if payload.get("type") != "refresh":
|
||
raise HTTPException(
|
||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||
detail="令牌类型不匹配",
|
||
)
|
||
|
||
# 验证 aud(jose 在 aud 缺失时不会拒绝,需显式检查)
|
||
if payload.get("aud") != "tenant-admin":
|
||
raise HTTPException(
|
||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||
detail="令牌类型不匹配",
|
||
)
|
||
|
||
# 提取字段
|
||
admin_id = int(payload["sub"])
|
||
tenant_id = payload["tenant_id"]
|
||
managed_site_ids = payload["managed_site_ids"]
|
||
admin_type = payload.get("admin_type", "tenant_admin")
|
||
|
||
# 签发新令牌对
|
||
access_token = _create_tenant_access_token(
|
||
admin_id=admin_id,
|
||
tenant_id=tenant_id,
|
||
managed_site_ids=managed_site_ids,
|
||
admin_type=admin_type,
|
||
display_name=payload.get("display_name"),
|
||
)
|
||
refresh_token = _create_tenant_refresh_token(
|
||
admin_id=admin_id,
|
||
tenant_id=tenant_id,
|
||
managed_site_ids=managed_site_ids,
|
||
admin_type=admin_type,
|
||
)
|
||
|
||
return TenantTokenResponse(
|
||
access_token=access_token,
|
||
refresh_token=refresh_token,
|
||
token_type="bearer",
|
||
)
|