fix: add admin social login

2026-05-27 23:35:08 +08:00
parent 0443c976fc
commit 15823ee8a4
6 changed files with 593 additions and 14 deletions
--- a/routes/api_social.py
+++ b/routes/api_social.py
@@ -3,10 +3,13 @@
 from __future__ import annotations

 from datetime import timedelta
+from io import BytesIO
+import time
 import database
+from app_config import get_config
 from app_logger import get_logger
 from db.utils import get_cst_now, get_cst_now_str
-from flask import Blueprint, jsonify, request, session
+from flask import Blueprint, jsonify, request, send_file, session
 from flask_login import current_user, login_required, login_user
 from services.accounts_service import load_user_accounts
 from services.models import User
@@ -70,6 +73,20 @@ def _login_user_id(user_id: int) -> None:
    load_user_accounts(user_id)


+def _login_admin_id(admin_id: int) -> dict | None:
+    admin = database.get_admin_by_id(int(admin_id))
+    if not admin:
+        return None
+    session.pop("admin_id", None)
+    session.pop("admin_username", None)
+    session["admin_id"] = admin["id"]
+    session["admin_username"] = admin["username"]
+    session["admin_reauth_until"] = time.time() + int(get_config().ADMIN_REAUTH_WINDOW_SECONDS)
+    session.permanent = True
+    session.modified = True
+    return admin
+
+
 def _binding_row(provider: str, binding: dict | None) -> dict:
    return {
        "provider": provider,
@@ -147,9 +164,6 @@ def social_callback():
        return _social_error(error)

    binding = database.find_social_login_binding(profile.provider, profile.social_uid)
-    admin_binding = database.find_admin_social_login_binding_by_identity(profile.provider, profile.social_uid)
-    if admin_binding:
-        return jsonify({"error": "该第三方账号已绑定管理员账号"}), 409

    if binding:
        if mode == "bind":
@@ -220,9 +234,6 @@ def bind_social_account():
    existing_identity = database.find_social_login_binding(provider, social_uid)
    if existing_identity and int(existing_identity.get("user_id") or 0) != int(current_user.id):
        return jsonify({"error": "该第三方账号已绑定其他用户"}), 409
-    existing_admin_identity = database.find_admin_social_login_binding_by_identity(provider, social_uid)
-    if existing_admin_identity:
-        return jsonify({"error": "该第三方账号已绑定管理员账号"}), 409

    existing_provider = database.find_user_social_login_binding(int(current_user.id), provider)
    if existing_provider and str(existing_provider.get("social_uid") or "") != social_uid:
@@ -261,6 +272,98 @@ def admin_social_config():
    return protected()


+@api_social_bp.route("/yuyx/api/admin-auth/social/login-url", methods=["POST"])
+def admin_auth_social_login_url():
+    data = _get_json_payload()
+    provider = str(data.get("provider") or "").strip().lower()
+    redirect_uri = str(data.get("redirect_uri") or "").strip()
+    try:
+        result = fetch_social_login_url(
+            database.get_system_config(),
+            provider=provider,
+            mode="login",
+            redirect_uri=redirect_uri,
+            allowed_hosts=_allowed_redirect_hosts(),
+        )
+    except SocialLoginError as error:
+        logger.warning(f"[admin-auth/social/login-url] provider={provider or '-'} failed: {error.message}")
+        return _social_error(error)
+    return jsonify(result)
+
+
+@api_social_bp.route("/yuyx/api/admin-auth/social/poll", methods=["POST"])
+def admin_auth_social_poll():
+    data = _get_json_payload()
+    provider = str(data.get("provider") or "").strip().lower()
+    state = str(data.get("state") or "").strip()
+    try:
+        result = poll_social_scan(database.get_system_config(), provider=provider, state=state)
+    except SocialLoginError as error:
+        logger.warning(f"[admin-auth/social/poll] provider={provider or '-'} failed: {error.message}")
+        return _social_error(error)
+    return jsonify(result)
+
+
+@api_social_bp.route("/yuyx/api/admin-auth/social/callback", methods=["POST"])
+def admin_auth_social_callback():
+    data = _get_json_payload()
+    provider = str(data.get("provider") or data.get("type") or "").strip().lower()
+    code = str(data.get("code") or "").strip()
+
+    try:
+        profile = fetch_space_profile(database.get_system_config(), provider=provider, code=code)
+    except SocialLoginError as error:
+        logger.warning(f"[admin-auth/social/callback] provider={provider or '-'} failed: {error.message}")
+        return _social_error(error)
+
+    binding = database.find_admin_social_login_binding_by_identity(profile.provider, profile.social_uid)
+    if not binding:
+        return jsonify({"error": "该第三方账号未绑定管理员，请先使用账号密码登录后在设置中绑定"}), 404
+
+    admin = _login_admin_id(int(binding.get("admin_id") or 0))
+    if not admin:
+        return jsonify({"error": "绑定管理员账号不存在"}), 401
+
+    database.update_admin_social_login_binding_profile(
+        int(binding["id"]),
+        nickname=profile.nickname,
+        avatar_url=profile.avatar_url,
+    )
+    logger.info(f"[admin-auth/social/login] admin_id={admin['id']} provider={profile.provider}")
+    return jsonify(
+        {
+            "success": True,
+            "redirect": "/yuyx/admin",
+            "provider": profile.provider,
+            "provider_label": provider_label(profile.provider),
+            "username": admin.get("username") or "",
+        }
+    )
+
+
+@api_social_bp.route("/yuyx/api/admin-auth/social/qr", methods=["GET"])
+def admin_auth_social_qr():
+    value = str(request.args.get("data") or "").strip()
+    if not value:
+        return jsonify({"error": "缺少二维码内容"}), 400
+    if len(value) > 2048:
+        return jsonify({"error": "二维码内容过长"}), 400
+
+    try:
+        import qrcode
+    except ImportError:
+        logger.error("[admin-auth/social/qr] qrcode package is not installed")
+        return jsonify({"error": "二维码组件未安装"}), 500
+
+    image = qrcode.make(value)
+    buffer = BytesIO()
+    image.save(buffer, format="PNG")
+    buffer.seek(0)
+    response = send_file(buffer, mimetype="image/png", max_age=0)
+    response.headers["Cache-Control"] = "no-store"
+    return response
+
+
@api_social_bp.route("/yuyx/api/admin/social-bindings", methods=["GET"])
 def list_admin_social_bindings():
    from routes.decorators import admin_required
@@ -347,10 +450,6 @@ def bind_admin_social_callback(provider):
            logger.warning(f"[admin/social/callback] provider={provider_value or '-'} failed: {error.message}")
            return _social_error(error)

-        user_identity = database.find_social_login_binding(profile.provider, profile.social_uid)
-        if user_identity:
-            return jsonify({"error": "该第三方账号已绑定普通用户"}), 409
-
        existing_identity = database.find_admin_social_login_binding_by_identity(profile.provider, profile.social_uid)
        if existing_identity and int(existing_identity.get("admin_id") or 0) != admin_id:
            return jsonify({"error": "该第三方账号已绑定其他管理员"}), 409