caoxiaozhu
86568660a4
主要修改点:
1. 遗留密码格式兼容 (server/src/app/core/admin_secret.py)
- 新增 legacy_admin_secret_to_password_hash(): 将旧版 admin secret 记录转换为标准 scrypt 哈希格式
2. Scrypt 密码验证增强 (server/src/app/core/security.py)
- verify_password(): 新增 scrypt$ 前缀检测,分流到专用验证函数
- 新增 verify_scrypt_password(): 解析 scrypt$ 格式哈希并验证
3. 模型配置存储重构 (server/src/app/models/system_model_setting.py)
- 新增 SystemModelSetting 模型(slot 为 PK)
- 字段: slot, provider, model_name, endpoint, capability, priority, enabled, api_key_encrypted, created_at, updated_at
4. Settings Repository 扩展 (server/src/app/repositories/settings.py)
- 新增 get_model_settings(): 获取所有模型配置
- 新增 get_model_setting(slot): 按 slot 获取单个模型配置
5. Settings Service 重构 (server/src/app/services/settings.py)
- 新增 ModelSlotConfig dataclass: 封装单个模型槽位的配置属性
- 新增 MODEL_SLOT_CONFIGS 字典: main/backup/vlm/embedding 四个槽位配置
- 重构 save_model_settings(): 批量保存模型配置到 SystemModelSetting 表
- 新增 load_model_settings(): 从 SystemModelSetting 表加载所有模型配置
- read_settings(): 整合 legacy secrets 与新的 SystemModelSetting 表数据
- write_settings(): 拆分 model secrets 到 SystemModelSetting 表
- decrypt_model_secret(): 新增从数据库读取加密的 API Key
6. 数据库模型注册 (server/src/app/db/base.py)
- 注册 SystemModelSetting 模型
7. 前端 API URL 智能解析 (web/src/services/api.js)
- 新增 isLoopbackHost(): 判断是否为回环地址
- 新增 resolveBrowserReachableApiBaseUrl(): 当后端配置为回环地址但浏览器非回环时,自动替换为浏览器 host
- 改进错误信息: "无法连接 FastAPI 后端服务,请确认后端已启动且浏览器可访问后端端口。"
8. 前端 Session 导航增强 (web/src/composables/useSystemState.js)
- installSessionNavigation(): 调用 fetchBootstrapState 后设置运行时 API Base URL
9. Settings 视图增强 (web/src/views/SettingsView.vue)
- API Key 输入框: 新增 @focus="clearModelSecretMask('xxx')" 清除遮罩
- 新增 .secret-bound-state 提示: 显示"已从数据库加密加载,测试会使用已保存密钥"
10. Settings 脚本增强 (web/src/views/scripts/SettingsView.js)
- 新增 clearModelSecretMask(slot): 清除指定槽位的 API Key 遮罩状态
11. CSS 样式 (web/src/assets/styles/views/settings-view.css)
- 新增 .secret-bound-state 样式: 显示数据库已加载密钥的提示样式
71 lines
2.5 KiB
Python
71 lines
2.5 KiB
Python
from __future__ import annotations
|
|
|
|
from sqlalchemy import create_engine
|
|
from sqlalchemy.orm import Session, sessionmaker
|
|
from sqlalchemy.pool import StaticPool
|
|
|
|
from app.db.base import Base
|
|
from app.schemas.auth import LoginRequest
|
|
from app.schemas.settings import SettingsWrite
|
|
from app.services.auth import AuthService
|
|
from app.services.employee import EmployeeService
|
|
from app.services.settings import SettingsService
|
|
|
|
|
|
def build_session() -> Session:
|
|
engine = create_engine(
|
|
"sqlite+pysqlite:///:memory:",
|
|
connect_args={"check_same_thread": False},
|
|
poolclass=StaticPool,
|
|
)
|
|
Base.metadata.create_all(bind=engine)
|
|
session_factory = sessionmaker(bind=engine, autoflush=False, autocommit=False)
|
|
return session_factory()
|
|
|
|
|
|
def test_employee_can_login_with_seed_default_password() -> None:
|
|
with build_session() as db:
|
|
employee = EmployeeService(db).list_employees()[0]
|
|
result = AuthService(db).login(
|
|
LoginRequest(username=employee.email, password="123456")
|
|
)
|
|
|
|
assert result.ok is True
|
|
assert result.user.username == employee.email
|
|
assert result.user.name == employee.name
|
|
assert result.user.roleCodes
|
|
assert result.user.isAdmin is False
|
|
|
|
|
|
def test_admin_can_login_with_database_password() -> None:
|
|
with build_session() as db:
|
|
settings_service = SettingsService(db)
|
|
payload = settings_service.get_settings_snapshot().model_dump()
|
|
payload["adminForm"]["adminAccount"] = "superadmin"
|
|
payload["adminForm"]["newPassword"] = "admin123"
|
|
payload["adminForm"]["confirmPassword"] = "admin123"
|
|
settings_service.save_settings_snapshot(SettingsWrite(**payload))
|
|
|
|
result = AuthService(db).login(
|
|
LoginRequest(username="superadmin", password="admin123")
|
|
)
|
|
|
|
assert result.ok is True
|
|
assert result.user.username == "superadmin"
|
|
assert result.user.isAdmin is True
|
|
assert result.user.roleCodes == ["manager"]
|
|
|
|
|
|
def test_disabled_employee_cannot_login() -> None:
|
|
with build_session() as db:
|
|
service = EmployeeService(db)
|
|
employee = service.list_employees()[0]
|
|
service.disable_employee(employee.id)
|
|
|
|
try:
|
|
AuthService(db).login(LoginRequest(username=employee.email, password="123456"))
|
|
except ValueError as exc:
|
|
assert "账号或密码错误" in str(exc)
|
|
else:
|
|
raise AssertionError("disabled employee login should be rejected")
|