hxf/backend/th_agenter/services/auth.py

"""Authentication service."""

from loguru import logger
from typing import Optional
from datetime import datetime, timedelta, timezone
from fastapi import Depends, HTTPException, status
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
from sqlalchemy.orm import Session
from sqlalchemy import select
import bcrypt
import jwt

from ..core.config import settings
from ..db.database import get_session
from ..models.user import User

security = HTTPBearer()

class AuthService:
    """Authentication service."""
    @staticmethod
    async def get_current_user(
        credentials: HTTPAuthorizationCredentials = Depends(security),
        session: Session = Depends(get_session)
    ) -> User:
        """Get current authenticated user."""
        from ..core.context import UserContext
        
        credentials_exception = HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Could not validate credentials",
            headers={"WWW-Authenticate": "Bearer"},
        )
        
        token = credentials.credentials
        payload = AuthService.verify_token(token)
        if payload is None:
            session.desc = f"ERROR: 令牌验证失败 - 令牌: {token[:50]}..."
            raise credentials_exception
        
        username: str = payload.get("sub")
        if username is None:
            session.desc = "ERROR: 令牌中没有用户名"
            raise credentials_exception
        
        stmt = select(User).where(User.username == username)
        user = (await session.execute(stmt)).scalar_one_or_none()
        if user is None:
            session.desc = f"ERROR: 数据库中未找到用户 {username}"
            raise credentials_exception
        
        # Set user in context for global access
        UserContext.set_current_user(user, canLog=True)
        # session.desc = f"[AuthService] 用户 {user.username} (ID: {user.id}) 已设置为当前用户"
        
        return user

    @staticmethod
    def get_current_active_user(current_user: User = Depends(get_current_user)) -> User:
        """Get current active user."""
        if not current_user.is_active:
            raise HTTPException(
                status_code=status.HTTP_400_BAD_REQUEST, 
                detail="Inactive user"
            )
        return current_user
    
    @staticmethod
    async def authenticate_user_by_email(session: Session, email: str, password: str) -> Optional[User]:
        """Authenticate user with email and password."""
        session.desc = f"根据邮箱 {email} 验证用户密码"
        stmt = select(User).where(User.email == email)
        user = (await session.execute(stmt)).scalar_one_or_none()
        if not user:
            return None
        if not AuthService.verify_password(password, user.hashed_password):
            return None
        return user
    
    @staticmethod
    async def authenticate_user(session: Session, username: str, password: str) -> Optional[User]:
        """Authenticate user with username and password."""
        session.desc = f"根据用户名 {username} 验证用户密码"
        stmt = select(User).where(User.username == username)
        user = (await session.execute(stmt)).scalar_one_or_none()
        if not user:
            return None
        if not AuthService.verify_password(password, user.hashed_password):
            return None
        return user
    
    @staticmethod
    async def create_access_token(session: Session, data: dict, expires_delta: Optional[timedelta] = None) -> str:
        """创建 JWT 访问 token"""
        session.desc = f"创建 JWT 访问 token - 数据: {data}"
        to_encode = data.copy()
        if expires_delta:
            expire = datetime.now(timezone.utc) + expires_delta
        else:
            expire = datetime.now(timezone.utc) + timedelta(minutes=settings.security.access_token_expire_minutes)
        
        to_encode.update({"exp": expire})
        encoded_jwt = jwt.encode(
            to_encode, 
            settings.security.secret_key, 
            algorithm=settings.security.algorithm
        )
        return encoded_jwt

    @staticmethod
    def verify_password(plain_password: str, hashed_password: str) -> bool:
        """Verify a password against its hash."""
        # 直接使用bcrypt库进行密码验证
        return bcrypt.checkpw(plain_password.encode('utf-8'), hashed_password.encode('utf-8'))
    
    @staticmethod
    def get_password_hash(password: str) -> str:
        """Generate password hash."""
        # 直接使用bcrypt库进行哈希
        salt = bcrypt.gensalt()
        hashed_bytes = bcrypt.hashpw(password.encode('utf-8'), salt)
        hashed_password = hashed_bytes.decode('utf-8')
        return hashed_password
    
    @staticmethod
    def verify_token(token: str) -> Optional[dict]:
        """Verify JWT token."""
        try:
            payload = jwt.decode(
                token, 
                settings.security.secret_key, 
                algorithms=[settings.security.algorithm]
            )
            return payload
        except jwt.PyJWTError as e:
            logger.error(f"Token verification failed: {e}")
            logger.error(f"Token: {token[:50]}...")
            return None
first commit 2025-12-04 14:48:38 +08:00			`"""Authentication service."""`

backend-陈博更新 2025-12-16 13:55:16 +08:00			`from loguru import logger`
first commit 2025-12-04 14:48:38 +08:00			`from typing import Optional`
backend-陈博更新 2025-12-16 13:55:16 +08:00			`from datetime import datetime, timedelta, timezone`
first commit 2025-12-04 14:48:38 +08:00			`from fastapi import Depends, HTTPException, status`
			`from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials`
			`from sqlalchemy.orm import Session`
backend-陈博更新 2025-12-16 13:55:16 +08:00			`from sqlalchemy import select`
first commit 2025-12-04 14:48:38 +08:00			`import bcrypt`
backend-陈博更新 2025-12-16 13:55:16 +08:00			`import jwt`
first commit 2025-12-04 14:48:38 +08:00
			`from ..core.config import settings`
backend-陈博更新 2025-12-16 13:55:16 +08:00			`from ..db.database import get_session`
first commit 2025-12-04 14:48:38 +08:00			`from ..models.user import User`

			`security = HTTPBearer()`

			`class AuthService:`
			`"""Authentication service."""`
			`@staticmethod`
backend-陈博更新 2025-12-16 13:55:16 +08:00			`async def get_current_user(`
first commit 2025-12-04 14:48:38 +08:00			`credentials: HTTPAuthorizationCredentials = Depends(security),`
backend-陈博更新 2025-12-16 13:55:16 +08:00			`session: Session = Depends(get_session)`
first commit 2025-12-04 14:48:38 +08:00			`) -> User:`
			`"""Get current authenticated user."""`
			`from ..core.context import UserContext`

			`credentials_exception = HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail="Could not validate credentials",`
			`headers={"WWW-Authenticate": "Bearer"},`
			`)`

			`token = credentials.credentials`
			`payload = AuthService.verify_token(token)`
			`if payload is None:`
-feat 后端代码提交 2026-01-07 11:30:54 +08:00			`session.desc = f"ERROR: 令牌验证失败 - 令牌: {token[:50]}..."`
first commit 2025-12-04 14:48:38 +08:00			`raise credentials_exception`

			`username: str = payload.get("sub")`
			`if username is None:`
backend-陈博更新 2025-12-16 13:55:16 +08:00			`session.desc = "ERROR: 令牌中没有用户名"`
first commit 2025-12-04 14:48:38 +08:00			`raise credentials_exception`

backend-陈博更新 2025-12-16 13:55:16 +08:00			`stmt = select(User).where(User.username == username)`
			`user = (await session.execute(stmt)).scalar_one_or_none()`
first commit 2025-12-04 14:48:38 +08:00			`if user is None:`
backend-陈博更新 2025-12-16 13:55:16 +08:00			`session.desc = f"ERROR: 数据库中未找到用户 {username}"`
first commit 2025-12-04 14:48:38 +08:00			`raise credentials_exception`

			`# Set user in context for global access`
-feat 后端代码提交 2026-01-07 11:30:54 +08:00			`UserContext.set_current_user(user, canLog=True)`
			`# session.desc = f"[AuthService] 用户 {user.username} (ID: {user.id}) 已设置为当前用户"`
first commit 2025-12-04 14:48:38 +08:00
			`return user`
backend-陈博更新 2025-12-16 13:55:16 +08:00
first commit 2025-12-04 14:48:38 +08:00			`@staticmethod`
			`def get_current_active_user(current_user: User = Depends(get_current_user)) -> User:`
			`"""Get current active user."""`
			`if not current_user.is_active:`
			`raise HTTPException(`
			`status_code=status.HTTP_400_BAD_REQUEST,`
			`detail="Inactive user"`
			`)`
backend-陈博更新 2025-12-16 13:55:16 +08:00			`return current_user`

			`@staticmethod`
			`async def authenticate_user_by_email(session: Session, email: str, password: str) -> Optional[User]:`
			`"""Authenticate user with email and password."""`
			`session.desc = f"根据邮箱 {email} 验证用户密码"`
			`stmt = select(User).where(User.email == email)`
			`user = (await session.execute(stmt)).scalar_one_or_none()`
			`if not user:`
			`return None`
			`if not AuthService.verify_password(password, user.hashed_password):`
			`return None`
			`return user`

			`@staticmethod`
			`async def authenticate_user(session: Session, username: str, password: str) -> Optional[User]:`
			`"""Authenticate user with username and password."""`
			`session.desc = f"根据用户名 {username} 验证用户密码"`
			`stmt = select(User).where(User.username == username)`
			`user = (await session.execute(stmt)).scalar_one_or_none()`
			`if not user:`
			`return None`
			`if not AuthService.verify_password(password, user.hashed_password):`
			`return None`
			`return user`

			`@staticmethod`
			`async def create_access_token(session: Session, data: dict, expires_delta: Optional[timedelta] = None) -> str:`
			`"""创建 JWT 访问 token"""`
			`session.desc = f"创建 JWT 访问 token - 数据: {data}"`
			`to_encode = data.copy()`
			`if expires_delta:`
			`expire = datetime.now(timezone.utc) + expires_delta`
			`else:`
			`expire = datetime.now(timezone.utc) + timedelta(minutes=settings.security.access_token_expire_minutes)`

			`to_encode.update({"exp": expire})`
			`encoded_jwt = jwt.encode(`
			`to_encode,`
			`settings.security.secret_key,`
			`algorithm=settings.security.algorithm`
			`)`
			`return encoded_jwt`

			`@staticmethod`
			`def verify_password(plain_password: str, hashed_password: str) -> bool:`
			`"""Verify a password against its hash."""`
			`# 直接使用bcrypt库进行密码验证`
			`return bcrypt.checkpw(plain_password.encode('utf-8'), hashed_password.encode('utf-8'))`

			`@staticmethod`
			`def get_password_hash(password: str) -> str:`
			`"""Generate password hash."""`
			`# 直接使用bcrypt库进行哈希`
			`salt = bcrypt.gensalt()`
			`hashed_bytes = bcrypt.hashpw(password.encode('utf-8'), salt)`
			`hashed_password = hashed_bytes.decode('utf-8')`
			`return hashed_password`

			`@staticmethod`
			`def verify_token(token: str) -> Optional[dict]:`
			`"""Verify JWT token."""`
			`try:`
			`payload = jwt.decode(`
			`token,`
			`settings.security.secret_key,`
			`algorithms=[settings.security.algorithm]`
			`)`
			`return payload`
			`except jwt.PyJWTError as e:`
			`logger.error(f"Token verification failed: {e}")`
			`logger.error(f"Token: {token[:50]}...")`
-feat 后端代码提交 2026-01-07 11:30:54 +08:00			`return None`