feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
package handler
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
2026-04-03 17:38:31 +08:00
|
|
|
|
"crypto/subtle"
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
"net/http"
|
2026-05-30 21:29:24 +08:00
|
|
|
|
"strings"
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
"time"
|
|
|
|
|
|
|
|
|
|
|
|
"github.com/gin-gonic/gin"
|
|
|
|
|
|
|
|
|
|
|
|
"github.com/user-management-system/internal/auth"
|
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
// SSOHandler SSO 处理程序
|
|
|
|
|
|
type SSOHandler struct {
|
test: add comprehensive test coverage and improve code quality
- Add new test files for auth, service, and handler modules
- Improve test organization and coverage
- Refactor code for better maintainability
- Add captcha, settings, stats, and theme handler tests
- Add auth module tests (CAS, OAuth, password, SSO, state)
- Add service layer tests for auth, export, permissions, roles
- All Go tests pass (exit code 0)
- All frontend tests pass (325 tests in 59 files)
2026-04-17 20:43:50 +08:00
|
|
|
|
ssoManager *auth.SSOManager
|
2026-04-03 17:38:31 +08:00
|
|
|
|
clientsStore auth.SSOClientsStore
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// NewSSOHandler 创建 SSO 处理程序
|
2026-04-03 17:38:31 +08:00
|
|
|
|
func NewSSOHandler(ssoManager *auth.SSOManager, clientsStore auth.SSOClientsStore) *SSOHandler {
|
|
|
|
|
|
return &SSOHandler{
|
test: add comprehensive test coverage and improve code quality
- Add new test files for auth, service, and handler modules
- Improve test organization and coverage
- Refactor code for better maintainability
- Add captcha, settings, stats, and theme handler tests
- Add auth module tests (CAS, OAuth, password, SSO, state)
- Add service layer tests for auth, export, permissions, roles
- All Go tests pass (exit code 0)
- All frontend tests pass (325 tests in 59 files)
2026-04-17 20:43:50 +08:00
|
|
|
|
ssoManager: ssoManager,
|
2026-04-03 17:38:31 +08:00
|
|
|
|
clientsStore: clientsStore,
|
|
|
|
|
|
}
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// AuthorizeRequest 授权请求
|
|
|
|
|
|
type AuthorizeRequest struct {
|
test: add comprehensive test coverage and improve code quality
- Add new test files for auth, service, and handler modules
- Improve test organization and coverage
- Refactor code for better maintainability
- Add captcha, settings, stats, and theme handler tests
- Add auth module tests (CAS, OAuth, password, SSO, state)
- Add service layer tests for auth, export, permissions, roles
- All Go tests pass (exit code 0)
- All frontend tests pass (325 tests in 59 files)
2026-04-17 20:43:50 +08:00
|
|
|
|
ClientID string `form:"client_id" binding:"required"`
|
|
|
|
|
|
RedirectURI string `form:"redirect_uri" binding:"required"`
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
ResponseType string `form:"response_type" binding:"required"`
|
test: add comprehensive test coverage and improve code quality
- Add new test files for auth, service, and handler modules
- Improve test organization and coverage
- Refactor code for better maintainability
- Add captcha, settings, stats, and theme handler tests
- Add auth module tests (CAS, OAuth, password, SSO, state)
- Add service layer tests for auth, export, permissions, roles
- All Go tests pass (exit code 0)
- All frontend tests pass (325 tests in 59 files)
2026-04-17 20:43:50 +08:00
|
|
|
|
Scope string `form:"scope"`
|
|
|
|
|
|
State string `form:"state"`
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Authorize 处理 SSO 授权请求
|
2026-04-11 22:49:13 +08:00
|
|
|
|
// @Summary SSO 授权
|
2026-05-30 21:29:24 +08:00
|
|
|
|
// @Description 处理 SSO 授权请求,返回授权码
|
2026-04-11 22:49:13 +08:00
|
|
|
|
// @Tags SSO
|
|
|
|
|
|
// @Accept json
|
|
|
|
|
|
// @Produce json
|
|
|
|
|
|
// @Security BearerAuth
|
|
|
|
|
|
// @Param client_id query string true "客户端ID"
|
|
|
|
|
|
// @Param redirect_uri query string true "回调地址"
|
2026-05-30 21:29:24 +08:00
|
|
|
|
// @Param response_type query string true "响应类型" Enums(code)
|
2026-04-11 22:49:13 +08:00
|
|
|
|
// @Param scope query string false "授权范围"
|
|
|
|
|
|
// @Param state query string false "状态参数"
|
|
|
|
|
|
// @Success 302 {string} string "重定向到回调地址"
|
|
|
|
|
|
// @Failure 400 {object} Response "请求参数错误"
|
|
|
|
|
|
// @Failure 401 {object} Response "未认证"
|
|
|
|
|
|
// @Failure 500 {object} Response "服务器错误"
|
|
|
|
|
|
// @Router /api/v1/sso/authorize [get]
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
func (h *SSOHandler) Authorize(c *gin.Context) {
|
|
|
|
|
|
var req AuthorizeRequest
|
|
|
|
|
|
if err := c.ShouldBindQuery(&req); err != nil {
|
fix: unify handler response format in multiple handlers
- captcha_handler.go: Fix GenerateCaptcha/VerifyCaptcha to use {code, message, data}
- password_reset_handler.go: Fix all error responses to use {code, message}
- settings_handler.go: Add missing "code" and "message" fields
- sms_handler.go: Fix error responses to use {code, message}
- sso_handler.go: Fix all error responses to use {code, message, data}
- stats_handler.go: Add missing "message" field in success responses
- theme_handler.go: Fix error responses to use {code, message}
- totp_handler.go: Fix all responses to use {code, message, data}
Standardize all JSON responses to {code: 0, message: "success", data: ...} for success
and {code: XXX, message: "..."} for errors.
2026-04-11 13:06:58 +08:00
|
|
|
|
c.JSON(http.StatusBadRequest, gin.H{"code": 400, "message": err.Error()})
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-05-30 21:29:24 +08:00
|
|
|
|
if req.ResponseType != "code" {
|
fix: unify handler response format in multiple handlers
- captcha_handler.go: Fix GenerateCaptcha/VerifyCaptcha to use {code, message, data}
- password_reset_handler.go: Fix all error responses to use {code, message}
- settings_handler.go: Add missing "code" and "message" fields
- sms_handler.go: Fix error responses to use {code, message}
- sso_handler.go: Fix all error responses to use {code, message, data}
- stats_handler.go: Add missing "message" field in success responses
- theme_handler.go: Fix error responses to use {code, message}
- totp_handler.go: Fix all responses to use {code, message, data}
Standardize all JSON responses to {code: 0, message: "success", data: ...} for success
and {code: XXX, message: "..."} for errors.
2026-04-11 13:06:58 +08:00
|
|
|
|
c.JSON(http.StatusBadRequest, gin.H{"code": 400, "message": "unsupported response_type"})
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-05-30 21:29:24 +08:00
|
|
|
|
if h.clientsStore == nil || !h.clientsStore.ValidateClientRedirectURI(req.ClientID, req.RedirectURI) {
|
|
|
|
|
|
c.JSON(http.StatusBadRequest, gin.H{"code": 400, "message": "invalid redirect_uri"})
|
|
|
|
|
|
return
|
2026-04-03 17:38:31 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-05-28 20:30:24 +08:00
|
|
|
|
userID, ok := getUserIDFromContext(c)
|
|
|
|
|
|
if !ok {
|
fix: unify handler response format in multiple handlers
- captcha_handler.go: Fix GenerateCaptcha/VerifyCaptcha to use {code, message, data}
- password_reset_handler.go: Fix all error responses to use {code, message}
- settings_handler.go: Add missing "code" and "message" fields
- sms_handler.go: Fix error responses to use {code, message}
- sso_handler.go: Fix all error responses to use {code, message, data}
- stats_handler.go: Add missing "message" field in success responses
- theme_handler.go: Fix error responses to use {code, message}
- totp_handler.go: Fix all responses to use {code, message, data}
Standardize all JSON responses to {code: 0, message: "success", data: ...} for success
and {code: XXX, message: "..."} for errors.
2026-04-11 13:06:58 +08:00
|
|
|
|
c.JSON(http.StatusUnauthorized, gin.H{"code": 401, "message": "unauthorized"})
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-05-28 20:30:24 +08:00
|
|
|
|
username, ok := getUsernameFromContext(c)
|
|
|
|
|
|
if !ok {
|
|
|
|
|
|
c.JSON(http.StatusUnauthorized, gin.H{"code": 401, "message": "unauthorized"})
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
|
2026-05-30 21:29:24 +08:00
|
|
|
|
code, err := h.ssoManager.GenerateAuthorizationCode(
|
|
|
|
|
|
req.ClientID,
|
|
|
|
|
|
req.RedirectURI,
|
|
|
|
|
|
req.Scope,
|
|
|
|
|
|
userID,
|
|
|
|
|
|
username,
|
|
|
|
|
|
)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
c.JSON(http.StatusInternalServerError, gin.H{"code": 500, "message": "failed to generate code"})
|
|
|
|
|
|
return
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
}
|
2026-05-30 21:29:24 +08:00
|
|
|
|
|
|
|
|
|
|
redirectURL := req.RedirectURI + "?code=" + code
|
|
|
|
|
|
if req.State != "" {
|
|
|
|
|
|
redirectURL += "&state=" + req.State
|
|
|
|
|
|
}
|
|
|
|
|
|
c.Redirect(http.StatusFound, redirectURL)
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// TokenRequest Token 请求
|
|
|
|
|
|
type TokenRequest struct {
|
|
|
|
|
|
GrantType string `form:"grant_type" binding:"required"`
|
|
|
|
|
|
Code string `form:"code"`
|
|
|
|
|
|
RedirectURI string `form:"redirect_uri"`
|
|
|
|
|
|
ClientID string `form:"client_id" binding:"required"`
|
|
|
|
|
|
ClientSecret string `form:"client_secret" binding:"required"`
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// TokenResponse Token 响应
|
|
|
|
|
|
type TokenResponse struct {
|
|
|
|
|
|
AccessToken string `json:"access_token"`
|
|
|
|
|
|
TokenType string `json:"token_type"`
|
|
|
|
|
|
ExpiresIn int64 `json:"expires_in"`
|
|
|
|
|
|
Scope string `json:"scope"`
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-04-11 22:49:13 +08:00
|
|
|
|
// Token 处理 Token 请求
|
|
|
|
|
|
// @Summary 获取 Access Token
|
|
|
|
|
|
// @Description 使用授权码获取 Access Token(授权码模式第二步)
|
|
|
|
|
|
// @Tags SSO
|
2026-05-30 21:29:24 +08:00
|
|
|
|
// @Accept x-www-form-urlencoded
|
2026-04-11 22:49:13 +08:00
|
|
|
|
// @Produce json
|
|
|
|
|
|
// @Param grant_type formData string true "授权类型" Enums(authorization_code)
|
2026-05-30 21:29:24 +08:00
|
|
|
|
// @Param code formData string true "授权码"
|
|
|
|
|
|
// @Param redirect_uri formData string true "回调地址"
|
2026-04-11 22:49:13 +08:00
|
|
|
|
// @Param client_id formData string true "客户端ID"
|
|
|
|
|
|
// @Param client_secret formData string true "客户端密钥"
|
2026-05-30 21:29:24 +08:00
|
|
|
|
// @Success 200 {object} Response{data=TokenResponse} "访问令牌响应"
|
2026-04-11 22:49:13 +08:00
|
|
|
|
// @Failure 400 {object} Response "请求参数错误"
|
|
|
|
|
|
// @Failure 401 {object} Response "客户端认证失败"
|
|
|
|
|
|
// @Failure 500 {object} Response "服务器错误"
|
|
|
|
|
|
// @Router /api/v1/sso/token [post]
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
func (h *SSOHandler) Token(c *gin.Context) {
|
|
|
|
|
|
var req TokenRequest
|
|
|
|
|
|
if err := c.ShouldBind(&req); err != nil {
|
fix: unify handler response format in multiple handlers
- captcha_handler.go: Fix GenerateCaptcha/VerifyCaptcha to use {code, message, data}
- password_reset_handler.go: Fix all error responses to use {code, message}
- settings_handler.go: Add missing "code" and "message" fields
- sms_handler.go: Fix error responses to use {code, message}
- sso_handler.go: Fix all error responses to use {code, message, data}
- stats_handler.go: Add missing "message" field in success responses
- theme_handler.go: Fix error responses to use {code, message}
- totp_handler.go: Fix all responses to use {code, message, data}
Standardize all JSON responses to {code: 0, message: "success", data: ...} for success
and {code: XXX, message: "..."} for errors.
2026-04-11 13:06:58 +08:00
|
|
|
|
c.JSON(http.StatusBadRequest, gin.H{"code": 400, "message": err.Error()})
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if req.GrantType != "authorization_code" {
|
fix: unify handler response format in multiple handlers
- captcha_handler.go: Fix GenerateCaptcha/VerifyCaptcha to use {code, message, data}
- password_reset_handler.go: Fix all error responses to use {code, message}
- settings_handler.go: Add missing "code" and "message" fields
- sms_handler.go: Fix error responses to use {code, message}
- sso_handler.go: Fix all error responses to use {code, message, data}
- stats_handler.go: Add missing "message" field in success responses
- theme_handler.go: Fix error responses to use {code, message}
- totp_handler.go: Fix all responses to use {code, message, data}
Standardize all JSON responses to {code: 0, message: "success", data: ...} for success
and {code: XXX, message: "..."} for errors.
2026-04-11 13:06:58 +08:00
|
|
|
|
c.JSON(http.StatusBadRequest, gin.H{"code": 400, "message": "unsupported grant_type"})
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
2026-05-30 21:29:24 +08:00
|
|
|
|
if req.Code == "" || req.RedirectURI == "" {
|
|
|
|
|
|
c.JSON(http.StatusBadRequest, gin.H{"code": 400, "message": "code and redirect_uri are required"})
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
|
2026-05-30 21:29:24 +08:00
|
|
|
|
client, ok := h.authenticateClient(req.ClientID, req.ClientSecret)
|
|
|
|
|
|
if !ok {
|
|
|
|
|
|
c.JSON(http.StatusUnauthorized, gin.H{"code": 401, "message": "invalid client credentials"})
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
if !h.clientsStore.ValidateClientRedirectURI(client.ClientID, req.RedirectURI) {
|
|
|
|
|
|
c.JSON(http.StatusBadRequest, gin.H{"code": 400, "message": "invalid redirect_uri"})
|
|
|
|
|
|
return
|
2026-04-03 17:38:31 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
session, err := h.ssoManager.ValidateAuthorizationCode(req.Code)
|
|
|
|
|
|
if err != nil {
|
fix: unify handler response format in multiple handlers
- captcha_handler.go: Fix GenerateCaptcha/VerifyCaptcha to use {code, message, data}
- password_reset_handler.go: Fix all error responses to use {code, message}
- settings_handler.go: Add missing "code" and "message" fields
- sms_handler.go: Fix error responses to use {code, message}
- sso_handler.go: Fix all error responses to use {code, message, data}
- stats_handler.go: Add missing "message" field in success responses
- theme_handler.go: Fix error responses to use {code, message}
- totp_handler.go: Fix all responses to use {code, message, data}
Standardize all JSON responses to {code: 0, message: "success", data: ...} for success
and {code: XXX, message: "..."} for errors.
2026-04-11 13:06:58 +08:00
|
|
|
|
c.JSON(http.StatusUnauthorized, gin.H{"code": 401, "message": "invalid code"})
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
2026-05-30 21:29:24 +08:00
|
|
|
|
if session.ClientID != req.ClientID || session.RedirectURI != req.RedirectURI {
|
|
|
|
|
|
c.JSON(http.StatusBadRequest, gin.H{"code": 400, "message": "authorization code does not match client or redirect_uri"})
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
|
2026-04-03 17:38:31 +08:00
|
|
|
|
token, expiresAt, err := h.ssoManager.GenerateAccessToken(req.ClientID, session)
|
|
|
|
|
|
if err != nil {
|
fix: unify handler response format in multiple handlers
- captcha_handler.go: Fix GenerateCaptcha/VerifyCaptcha to use {code, message, data}
- password_reset_handler.go: Fix all error responses to use {code, message}
- settings_handler.go: Add missing "code" and "message" fields
- sms_handler.go: Fix error responses to use {code, message}
- sso_handler.go: Fix all error responses to use {code, message, data}
- stats_handler.go: Add missing "message" field in success responses
- theme_handler.go: Fix error responses to use {code, message}
- totp_handler.go: Fix all responses to use {code, message, data}
Standardize all JSON responses to {code: 0, message: "success", data: ...} for success
and {code: XXX, message: "..."} for errors.
2026-04-11 13:06:58 +08:00
|
|
|
|
c.JSON(http.StatusInternalServerError, gin.H{"code": 500, "message": "failed to generate token"})
|
2026-04-03 17:38:31 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
|
2026-05-30 21:29:24 +08:00
|
|
|
|
c.JSON(http.StatusOK, gin.H{
|
|
|
|
|
|
"code": 0,
|
|
|
|
|
|
"message": "success",
|
|
|
|
|
|
"data": TokenResponse{
|
|
|
|
|
|
AccessToken: token,
|
|
|
|
|
|
TokenType: "Bearer",
|
|
|
|
|
|
ExpiresIn: int64(time.Until(expiresAt).Seconds()),
|
|
|
|
|
|
Scope: session.Scope,
|
|
|
|
|
|
},
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
})
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// IntrospectRequest Introspect 请求
|
|
|
|
|
|
type IntrospectRequest struct {
|
test: add comprehensive test coverage and improve code quality
- Add new test files for auth, service, and handler modules
- Improve test organization and coverage
- Refactor code for better maintainability
- Add captcha, settings, stats, and theme handler tests
- Add auth module tests (CAS, OAuth, password, SSO, state)
- Add service layer tests for auth, export, permissions, roles
- All Go tests pass (exit code 0)
- All frontend tests pass (325 tests in 59 files)
2026-04-17 20:43:50 +08:00
|
|
|
|
Token string `form:"token" binding:"required"`
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
ClientID string `form:"client_id"`
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// IntrospectResponse Introspect 响应
|
|
|
|
|
|
type IntrospectResponse struct {
|
test: add comprehensive test coverage and improve code quality
- Add new test files for auth, service, and handler modules
- Improve test organization and coverage
- Refactor code for better maintainability
- Add captcha, settings, stats, and theme handler tests
- Add auth module tests (CAS, OAuth, password, SSO, state)
- Add service layer tests for auth, export, permissions, roles
- All Go tests pass (exit code 0)
- All frontend tests pass (325 tests in 59 files)
2026-04-17 20:43:50 +08:00
|
|
|
|
Active bool `json:"active"`
|
|
|
|
|
|
UserID int64 `json:"user_id,omitempty"`
|
|
|
|
|
|
Username string `json:"username,omitempty"`
|
|
|
|
|
|
ExpiresAt int64 `json:"exp,omitempty"`
|
|
|
|
|
|
Scope string `json:"scope,omitempty"`
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Introspect 验证 access token
|
2026-04-11 22:49:13 +08:00
|
|
|
|
// @Summary 验证 Access Token
|
|
|
|
|
|
// @Description 验证 Access Token 的有效性并返回相关信息
|
|
|
|
|
|
// @Tags SSO
|
2026-05-30 21:29:24 +08:00
|
|
|
|
// @Accept x-www-form-urlencoded
|
2026-04-11 22:49:13 +08:00
|
|
|
|
// @Produce json
|
|
|
|
|
|
// @Param token formData string true "Access Token"
|
2026-05-30 21:29:24 +08:00
|
|
|
|
// @Param client_id formData string true "客户端ID"
|
|
|
|
|
|
// @Param client_secret formData string true "客户端密钥"
|
|
|
|
|
|
// @Success 200 {object} Response{data=IntrospectResponse} "Token信息"
|
2026-04-11 22:49:13 +08:00
|
|
|
|
// @Failure 400 {object} Response "请求参数错误"
|
2026-05-30 21:29:24 +08:00
|
|
|
|
// @Failure 401 {object} Response "客户端认证失败"
|
2026-04-11 22:49:13 +08:00
|
|
|
|
// @Router /api/v1/sso/introspect [post]
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
func (h *SSOHandler) Introspect(c *gin.Context) {
|
2026-05-30 21:29:24 +08:00
|
|
|
|
var req struct {
|
|
|
|
|
|
Token string `form:"token" binding:"required"`
|
|
|
|
|
|
ClientID string `form:"client_id" binding:"required"`
|
|
|
|
|
|
ClientSecret string `form:"client_secret" binding:"required"`
|
|
|
|
|
|
}
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
if err := c.ShouldBind(&req); err != nil {
|
fix: unify handler response format in multiple handlers
- captcha_handler.go: Fix GenerateCaptcha/VerifyCaptcha to use {code, message, data}
- password_reset_handler.go: Fix all error responses to use {code, message}
- settings_handler.go: Add missing "code" and "message" fields
- sms_handler.go: Fix error responses to use {code, message}
- sso_handler.go: Fix all error responses to use {code, message, data}
- stats_handler.go: Add missing "message" field in success responses
- theme_handler.go: Fix error responses to use {code, message}
- totp_handler.go: Fix all responses to use {code, message, data}
Standardize all JSON responses to {code: 0, message: "success", data: ...} for success
and {code: XXX, message: "..."} for errors.
2026-04-11 13:06:58 +08:00
|
|
|
|
c.JSON(http.StatusBadRequest, gin.H{"code": 400, "message": err.Error()})
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
2026-05-30 21:29:24 +08:00
|
|
|
|
if _, ok := h.authenticateClient(req.ClientID, req.ClientSecret); !ok {
|
|
|
|
|
|
c.JSON(http.StatusUnauthorized, gin.H{"code": 401, "message": "invalid client credentials"})
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
|
|
|
|
|
|
info, err := h.ssoManager.IntrospectToken(req.Token)
|
|
|
|
|
|
if err != nil {
|
2026-05-30 21:29:24 +08:00
|
|
|
|
c.JSON(http.StatusOK, gin.H{"code": 0, "message": "success", "data": IntrospectResponse{Active: false}})
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-05-30 21:29:24 +08:00
|
|
|
|
c.JSON(http.StatusOK, gin.H{
|
|
|
|
|
|
"code": 0,
|
|
|
|
|
|
"message": "success",
|
|
|
|
|
|
"data": IntrospectResponse{
|
|
|
|
|
|
Active: info.Active,
|
|
|
|
|
|
UserID: info.UserID,
|
|
|
|
|
|
Username: info.Username,
|
|
|
|
|
|
ExpiresAt: info.ExpiresAt.Unix(),
|
|
|
|
|
|
Scope: info.Scope,
|
|
|
|
|
|
},
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
})
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// RevokeRequest 撤销请求
|
|
|
|
|
|
type RevokeRequest struct {
|
|
|
|
|
|
Token string `form:"token" binding:"required"`
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Revoke 撤销 access token
|
2026-04-11 22:49:13 +08:00
|
|
|
|
// @Summary 撤销 Access Token
|
|
|
|
|
|
// @Description 撤销指定的 Access Token
|
|
|
|
|
|
// @Tags SSO
|
2026-05-30 21:29:24 +08:00
|
|
|
|
// @Accept x-www-form-urlencoded
|
2026-04-11 22:49:13 +08:00
|
|
|
|
// @Produce json
|
|
|
|
|
|
// @Param token formData string true "Access Token"
|
2026-05-30 21:29:24 +08:00
|
|
|
|
// @Param client_id formData string true "客户端ID"
|
|
|
|
|
|
// @Param client_secret formData string true "客户端密钥"
|
2026-04-11 22:49:13 +08:00
|
|
|
|
// @Success 200 {object} Response "撤销成功"
|
|
|
|
|
|
// @Failure 400 {object} Response "请求参数错误"
|
2026-05-30 21:29:24 +08:00
|
|
|
|
// @Failure 401 {object} Response "客户端认证失败"
|
2026-04-11 22:49:13 +08:00
|
|
|
|
// @Router /api/v1/sso/revoke [post]
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
func (h *SSOHandler) Revoke(c *gin.Context) {
|
2026-05-30 21:29:24 +08:00
|
|
|
|
var req struct {
|
|
|
|
|
|
Token string `form:"token" binding:"required"`
|
|
|
|
|
|
ClientID string `form:"client_id" binding:"required"`
|
|
|
|
|
|
ClientSecret string `form:"client_secret" binding:"required"`
|
|
|
|
|
|
}
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
if err := c.ShouldBind(&req); err != nil {
|
fix: unify handler response format in multiple handlers
- captcha_handler.go: Fix GenerateCaptcha/VerifyCaptcha to use {code, message, data}
- password_reset_handler.go: Fix all error responses to use {code, message}
- settings_handler.go: Add missing "code" and "message" fields
- sms_handler.go: Fix error responses to use {code, message}
- sso_handler.go: Fix all error responses to use {code, message, data}
- stats_handler.go: Add missing "message" field in success responses
- theme_handler.go: Fix error responses to use {code, message}
- totp_handler.go: Fix all responses to use {code, message, data}
Standardize all JSON responses to {code: 0, message: "success", data: ...} for success
and {code: XXX, message: "..."} for errors.
2026-04-11 13:06:58 +08:00
|
|
|
|
c.JSON(http.StatusBadRequest, gin.H{"code": 400, "message": err.Error()})
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
2026-05-30 21:29:24 +08:00
|
|
|
|
if _, ok := h.authenticateClient(req.ClientID, req.ClientSecret); !ok {
|
|
|
|
|
|
c.JSON(http.StatusUnauthorized, gin.H{"code": 401, "message": "invalid client credentials"})
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
_ = h.ssoManager.RevokeToken(req.Token)
|
fix: unify handler response format in multiple handlers
- captcha_handler.go: Fix GenerateCaptcha/VerifyCaptcha to use {code, message, data}
- password_reset_handler.go: Fix all error responses to use {code, message}
- settings_handler.go: Add missing "code" and "message" fields
- sms_handler.go: Fix error responses to use {code, message}
- sso_handler.go: Fix all error responses to use {code, message, data}
- stats_handler.go: Add missing "message" field in success responses
- theme_handler.go: Fix error responses to use {code, message}
- totp_handler.go: Fix all responses to use {code, message, data}
Standardize all JSON responses to {code: 0, message: "success", data: ...} for success
and {code: XXX, message: "..."} for errors.
2026-04-11 13:06:58 +08:00
|
|
|
|
c.JSON(http.StatusOK, gin.H{"code": 0, "message": "token revoked"})
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// UserInfoResponse 用户信息响应
|
|
|
|
|
|
type UserInfoResponse struct {
|
|
|
|
|
|
UserID int64 `json:"user_id"`
|
|
|
|
|
|
Username string `json:"username"`
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-04-11 22:49:13 +08:00
|
|
|
|
// UserInfo 获取当前用户信息
|
|
|
|
|
|
// @Summary 获取 SSO 用户信息
|
2026-05-30 21:29:24 +08:00
|
|
|
|
// @Description 获取当前通过 SSO Access Token 授权的用户信息
|
2026-04-11 22:49:13 +08:00
|
|
|
|
// @Tags SSO
|
|
|
|
|
|
// @Produce json
|
|
|
|
|
|
// @Security BearerAuth
|
|
|
|
|
|
// @Success 200 {object} Response{data=UserInfoResponse} "用户信息"
|
|
|
|
|
|
// @Failure 401 {object} Response "未认证"
|
|
|
|
|
|
// @Router /api/v1/sso/userinfo [get]
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
func (h *SSOHandler) UserInfo(c *gin.Context) {
|
2026-05-30 21:29:24 +08:00
|
|
|
|
token := extractBearerToken(c)
|
|
|
|
|
|
if token == "" {
|
fix: unify handler response format in multiple handlers
- captcha_handler.go: Fix GenerateCaptcha/VerifyCaptcha to use {code, message, data}
- password_reset_handler.go: Fix all error responses to use {code, message}
- settings_handler.go: Add missing "code" and "message" fields
- sms_handler.go: Fix error responses to use {code, message}
- sso_handler.go: Fix all error responses to use {code, message, data}
- stats_handler.go: Add missing "message" field in success responses
- theme_handler.go: Fix error responses to use {code, message}
- totp_handler.go: Fix all responses to use {code, message, data}
Standardize all JSON responses to {code: 0, message: "success", data: ...} for success
and {code: XXX, message: "..."} for errors.
2026-04-11 13:06:58 +08:00
|
|
|
|
c.JSON(http.StatusUnauthorized, gin.H{"code": 401, "message": "unauthorized"})
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-05-30 21:29:24 +08:00
|
|
|
|
session, err := h.ssoManager.ValidateAccessToken(token)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
c.JSON(http.StatusUnauthorized, gin.H{"code": 401, "message": "invalid access token"})
|
2026-05-28 20:30:24 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
|
fix: unify handler response format in multiple handlers
- captcha_handler.go: Fix GenerateCaptcha/VerifyCaptcha to use {code, message, data}
- password_reset_handler.go: Fix all error responses to use {code, message}
- settings_handler.go: Add missing "code" and "message" fields
- sms_handler.go: Fix error responses to use {code, message}
- sso_handler.go: Fix all error responses to use {code, message, data}
- stats_handler.go: Add missing "message" field in success responses
- theme_handler.go: Fix error responses to use {code, message}
- totp_handler.go: Fix all responses to use {code, message, data}
Standardize all JSON responses to {code: 0, message: "success", data: ...} for success
and {code: XXX, message: "..."} for errors.
2026-04-11 13:06:58 +08:00
|
|
|
|
c.JSON(http.StatusOK, gin.H{
|
|
|
|
|
|
"code": 0,
|
|
|
|
|
|
"message": "success",
|
|
|
|
|
|
"data": UserInfoResponse{
|
2026-05-30 21:29:24 +08:00
|
|
|
|
UserID: session.UserID,
|
|
|
|
|
|
Username: session.Username,
|
fix: unify handler response format in multiple handlers
- captcha_handler.go: Fix GenerateCaptcha/VerifyCaptcha to use {code, message, data}
- password_reset_handler.go: Fix all error responses to use {code, message}
- settings_handler.go: Add missing "code" and "message" fields
- sms_handler.go: Fix error responses to use {code, message}
- sso_handler.go: Fix all error responses to use {code, message, data}
- stats_handler.go: Add missing "message" field in success responses
- theme_handler.go: Fix error responses to use {code, message}
- totp_handler.go: Fix all responses to use {code, message, data}
Standardize all JSON responses to {code: 0, message: "success", data: ...} for success
and {code: XXX, message: "..."} for errors.
2026-04-11 13:06:58 +08:00
|
|
|
|
},
|
feat: backend core - auth, user, role, permission, device, webhook, monitoring, cache, repository, service, middleware, API handlers
2026-04-02 11:19:50 +08:00
|
|
|
|
})
|
|
|
|
|
|
}
|
2026-05-30 21:29:24 +08:00
|
|
|
|
|
|
|
|
|
|
func (h *SSOHandler) authenticateClient(clientID, clientSecret string) (*auth.SSOClient, bool) {
|
|
|
|
|
|
if h.clientsStore == nil {
|
|
|
|
|
|
return nil, false
|
|
|
|
|
|
}
|
|
|
|
|
|
client, err := h.clientsStore.GetByClientID(clientID)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, false
|
|
|
|
|
|
}
|
|
|
|
|
|
if subtle.ConstantTimeCompare([]byte(clientSecret), []byte(client.ClientSecret)) != 1 {
|
|
|
|
|
|
return nil, false
|
|
|
|
|
|
}
|
|
|
|
|
|
return client, true
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func extractBearerToken(c *gin.Context) string {
|
|
|
|
|
|
authorization := c.GetHeader("Authorization")
|
|
|
|
|
|
if !strings.HasPrefix(authorization, "Bearer ") {
|
|
|
|
|
|
return ""
|
|
|
|
|
|
}
|
|
|
|
|
|
return strings.TrimSpace(strings.TrimPrefix(authorization, "Bearer "))
|
|
|
|
|
|
}
|
