feat: add system settings with model connectivity and encrypted storage
@@ -5,7 +5,6 @@ from dataclasses import dataclass
|
||||
from sqlalchemy import func, select
|
||||
from sqlalchemy.orm import Session, selectinload
|
||||
|
||||
from app.core.admin_secret import read_admin_secret, verify_admin_secret
|
||||
from app.core.config import get_settings
|
||||
from app.core.logging import get_logger
|
||||
from app.core.security import verify_password
|
||||
@@ -13,6 +12,7 @@ from app.models.employee import Employee
|
||||
from app.schemas.auth import AuthUserRead, LoginRequest, LoginResponse
|
||||
from app.services.employee import EmployeeService
|
||||
from app.services.employee_seed import ROLE_DISPLAY_ORDER
|
||||
from app.services.settings import SettingsService
|
||||
|
||||
logger = get_logger("app.services.auth")
|
||||
|
||||
@@ -53,34 +53,25 @@ class AuthService:
|
||||
|
||||
employee_user = self._authenticate_employee(identifier, password)
|
||||
if employee_user is not None:
|
||||
logger.info("Employee login succeeded identifier=%s role_codes=%s", identifier, ",".join(employee_user.role_codes))
|
||||
logger.info(
|
||||
"Employee login succeeded identifier=%s role_codes=%s",
|
||||
identifier,
|
||||
",".join(employee_user.role_codes),
|
||||
)
|
||||
return LoginResponse(user=self._serialize_user(employee_user))
|
||||
|
||||
logger.warning("Login failed identifier=%s", identifier)
|
||||
raise ValueError("账号或密码错误。")
|
||||
|
||||
def _authenticate_admin(self, identifier: str, password: str) -> AuthenticatedUser | None:
|
||||
record = read_admin_secret()
|
||||
record = SettingsService(self.db).verify_admin_login(identifier, password)
|
||||
if record is None:
|
||||
return None
|
||||
|
||||
admin_username = str(record.get("username", "")).strip()
|
||||
admin_email = str(self.settings.admin_email or "").strip()
|
||||
normalized_identifier = identifier.casefold()
|
||||
|
||||
allowed_identifiers = {
|
||||
value.casefold()
|
||||
for value in [admin_username, admin_email]
|
||||
if value
|
||||
}
|
||||
|
||||
if normalized_identifier not in allowed_identifiers:
|
||||
return None
|
||||
|
||||
if not verify_admin_secret(password, record):
|
||||
return None
|
||||
|
||||
admin_username = record.account.strip()
|
||||
admin_email = record.email.strip()
|
||||
display_name = admin_username or admin_email or "系统管理员"
|
||||
|
||||
return AuthenticatedUser(
|
||||
username=admin_username or admin_email,
|
||||
name=display_name,
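Review bot: `username=admin_username or admin_email` on the new side can now be an empty string: the removed block only proceeded when the identifier matched a non-empty account or email, but after the delegation to `verify_admin_login` nothing in this function guarantees `record.account` or `record.email` is non-empty once stripped, and an `AuthenticatedUser` with `username=""` is still returned as a successful login. Either add a guard after the two strips, `if not (admin_username or admin_email): return None`, or document that `verify_admin_login` only ever returns a record with a populated account. The case-insensitive identifier matching and the credential check that used to be visible here now presumably live inside `SettingsService.verify_admin_login`, which is outside this hunk, so a comment above the call such as `# identifier matching and credential verification are done by SettingsService.verify_admin_login; a non-None record means both passed` would keep that contract readable from this function. `_authenticate_admin` continues past the end of the hunk.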
|
||||
|
||||