237899745/zsglpt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: add admin social login

Browse Source
This commit is contained in:
237899745
2026-05-27 23:35:08 +08:00
parent 0443c976fc
commit 15823ee8a4
6 changed files with 593 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
app.py
View File

@@ -221,6 +221,9 @@ def enforce_csrf_protection():
"/api/auth/social/login-url", "/api/auth/social/login-url",
"/api/auth/social/poll", "/api/auth/social/poll",
"/api/auth/social/callback", "/api/auth/social/callback",
"/yuyx/api/admin-auth/social/login-url",
"/yuyx/api/admin-auth/social/poll",
"/yuyx/api/admin-auth/social/callback",
} }
if request.path in csrf_exempt_paths: if request.path in csrf_exempt_paths:
return return

1
requirements.txt
View File

@@ -11,5 +11,6 @@ python-dotenv==1.0.0
beautifulsoup4==4.12.2 beautifulsoup4==4.12.2
cryptography>=41.0.0 cryptography>=41.0.0
Pillow>=10.0.0 Pillow>=10.0.0
qrcode[pil]==7.4.2
playwright==1.42.0 playwright==1.42.0
eventlet==0.36.1 eventlet==0.36.1

3
routes/api_auth.py
View File

@@ -259,8 +259,7 @@ def register():
social_uid = str(pending.get("social_uid") or "").strip() social_uid = str(pending.get("social_uid") or "").strip()
enabled_providers = parse_providers((database.get_system_config() or {}).get("social_login_providers")) enabled_providers = parse_providers((database.get_system_config() or {}).get("social_login_providers"))
existing_identity = database.find_social_login_binding(provider, social_uid) existing_identity = database.find_social_login_binding(provider, social_uid)
existing_admin_identity = database.find_admin_social_login_binding_by_identity(provider, social_uid) if provider in enabled_providers and social_uid and not existing_identity:
if provider in enabled_providers and social_uid and not existing_identity and not existing_admin_identity:
binding = database.upsert_social_login_binding( binding = database.upsert_social_login_binding(
user_id=user_id, user_id=user_id,
provider=provider, provider=provider,

121
routes/api_social.py
View File

@@ -3,10 +3,13 @@
from __future__ import annotations from __future__ import annotations
from datetime import timedelta from datetime import timedelta
from io import BytesIO
import time
import database import database
from app_config import get_config
from app_logger import get_logger from app_logger import get_logger
from db.utils import get_cst_now, get_cst_now_str from db.utils import get_cst_now, get_cst_now_str
from flask import Blueprint, jsonify, request, session from flask import Blueprint, jsonify, request, send_file, session
from flask_login import current_user, login_required, login_user from flask_login import current_user, login_required, login_user
from services.accounts_service import load_user_accounts from services.accounts_service import load_user_accounts
from services.models import User from services.models import User
@@ -70,6 +73,20 @@ def _login_user_id(user_id: int) -> None:
load_user_accounts(user_id) load_user_accounts(user_id)
def _login_admin_id(admin_id: int) -> dict | None:
admin = database.get_admin_by_id(int(admin_id))
if not admin:
return None
session.pop("admin_id", None)
session.pop("admin_username", None)
session["admin_id"] = admin["id"]
session["admin_username"] = admin["username"]
session["admin_reauth_until"] = time.time() + int(get_config().ADMIN_REAUTH_WINDOW_SECONDS)
session.permanent = True
session.modified = True
return admin
def _binding_row(provider: str, binding: dict | None) -> dict: def _binding_row(provider: str, binding: dict | None) -> dict:
return { return {
"provider": provider, "provider": provider,
@@ -147,9 +164,6 @@ def social_callback():
return _social_error(error) return _social_error(error)
binding = database.find_social_login_binding(profile.provider, profile.social_uid) binding = database.find_social_login_binding(profile.provider, profile.social_uid)
admin_binding = database.find_admin_social_login_binding_by_identity(profile.provider, profile.social_uid)
if admin_binding:
return jsonify({"error": "该第三方账号已绑定管理员账号"}), 409
if binding: if binding:
if mode == "bind": if mode == "bind":
@@ -220,9 +234,6 @@ def bind_social_account():
existing_identity = database.find_social_login_binding(provider, social_uid) existing_identity = database.find_social_login_binding(provider, social_uid)
if existing_identity and int(existing_identity.get("user_id") or 0) != int(current_user.id): if existing_identity and int(existing_identity.get("user_id") or 0) != int(current_user.id):
return jsonify({"error": "该第三方账号已绑定其他用户"}), 409 return jsonify({"error": "该第三方账号已绑定其他用户"}), 409
existing_admin_identity = database.find_admin_social_login_binding_by_identity(provider, social_uid)
if existing_admin_identity:
return jsonify({"error": "该第三方账号已绑定管理员账号"}), 409
existing_provider = database.find_user_social_login_binding(int(current_user.id), provider) existing_provider = database.find_user_social_login_binding(int(current_user.id), provider)
if existing_provider and str(existing_provider.get("social_uid") or "") != social_uid: if existing_provider and str(existing_provider.get("social_uid") or "") != social_uid:
@@ -261,6 +272,98 @@ def admin_social_config():
return protected() return protected()
@api_social_bp.route("/yuyx/api/admin-auth/social/login-url", methods=["POST"])
def admin_auth_social_login_url():
data = _get_json_payload()
provider = str(data.get("provider") or "").strip().lower()
redirect_uri = str(data.get("redirect_uri") or "").strip()
try:
result = fetch_social_login_url(
database.get_system_config(),
provider=provider,
mode="login",
redirect_uri=redirect_uri,
allowed_hosts=_allowed_redirect_hosts(),
)
except SocialLoginError as error:
logger.warning(f"[admin-auth/social/login-url] provider={provider or '-'} failed: {error.message}")
return _social_error(error)
return jsonify(result)
@api_social_bp.route("/yuyx/api/admin-auth/social/poll", methods=["POST"])
def admin_auth_social_poll():
data = _get_json_payload()
provider = str(data.get("provider") or "").strip().lower()
state = str(data.get("state") or "").strip()
try:
result = poll_social_scan(database.get_system_config(), provider=provider, state=state)
except SocialLoginError as error:
logger.warning(f"[admin-auth/social/poll] provider={provider or '-'} failed: {error.message}")
return _social_error(error)
return jsonify(result)
@api_social_bp.route("/yuyx/api/admin-auth/social/callback", methods=["POST"])
def admin_auth_social_callback():
data = _get_json_payload()
provider = str(data.get("provider") or data.get("type") or "").strip().lower()
code = str(data.get("code") or "").strip()
try:
profile = fetch_space_profile(database.get_system_config(), provider=provider, code=code)
except SocialLoginError as error:
logger.warning(f"[admin-auth/social/callback] provider={provider or '-'} failed: {error.message}")
return _social_error(error)
binding = database.find_admin_social_login_binding_by_identity(profile.provider, profile.social_uid)
if not binding:
return jsonify({"error": "该第三方账号未绑定管理员,请先使用账号密码登录后在设置中绑定"}), 404
admin = _login_admin_id(int(binding.get("admin_id") or 0))
if not admin:
return jsonify({"error": "绑定管理员账号不存在"}), 401
database.update_admin_social_login_binding_profile(
int(binding["id"]),
nickname=profile.nickname,
avatar_url=profile.avatar_url,
)
logger.info(f"[admin-auth/social/login] admin_id={admin['id']} provider={profile.provider}")
return jsonify(
{
"success": True,
"redirect": "/yuyx/admin",
"provider": profile.provider,
"provider_label": provider_label(profile.provider),
"username": admin.get("username") or "",
}
)
@api_social_bp.route("/yuyx/api/admin-auth/social/qr", methods=["GET"])
def admin_auth_social_qr():
value = str(request.args.get("data") or "").strip()
if not value:
return jsonify({"error": "缺少二维码内容"}), 400
if len(value) > 2048:
return jsonify({"error": "二维码内容过长"}), 400
try:
import qrcode
except ImportError:
logger.error("[admin-auth/social/qr] qrcode package is not installed")
return jsonify({"error": "二维码组件未安装"}), 500
image = qrcode.make(value)
buffer = BytesIO()
image.save(buffer, format="PNG")
buffer.seek(0)
response = send_file(buffer, mimetype="image/png", max_age=0)
response.headers["Cache-Control"] = "no-store"
return response
@api_social_bp.route("/yuyx/api/admin/social-bindings", methods=["GET"]) @api_social_bp.route("/yuyx/api/admin/social-bindings", methods=["GET"])
def list_admin_social_bindings(): def list_admin_social_bindings():
from routes.decorators import admin_required from routes.decorators import admin_required
@@ -347,10 +450,6 @@ def bind_admin_social_callback(provider):
logger.warning(f"[admin/social/callback] provider={provider_value or '-'} failed: {error.message}") logger.warning(f"[admin/social/callback] provider={provider_value or '-'} failed: {error.message}")
return _social_error(error) return _social_error(error)
user_identity = database.find_social_login_binding(profile.provider, profile.social_uid)
if user_identity:
return jsonify({"error": "该第三方账号已绑定普通用户"}), 409
existing_identity = database.find_admin_social_login_binding_by_identity(profile.provider, profile.social_uid) existing_identity = database.find_admin_social_login_binding_by_identity(profile.provider, profile.social_uid)
if existing_identity and int(existing_identity.get("admin_id") or 0) != admin_id: if existing_identity and int(existing_identity.get("admin_id") or 0) != admin_id:
return jsonify({"error": "该第三方账号已绑定其他管理员"}), 409 return jsonify({"error": "该第三方账号已绑定其他管理员"}), 409

390
templates/admin_login.html
View File

@@ -167,6 +167,144 @@
font-size: 13px; font-size: 13px;
} }
.divider {
display: flex;
align-items: center;
gap: 12px;
color: #6b7280;
font-size: 12px;
font-weight: 700;
margin: 20px 0 14px;
}
.divider::before,
.divider::after {
content: '';
height: 1px;
flex: 1;
background: rgba(17,24,39,0.12);
}
.social-login-area {
display: none;
}
.social-buttons {
display: flex;
flex-direction: column;
gap: 8px;
}
.social-btn {
width: 100%;
height: 40px;
border-radius: 10px;
border: 1px solid rgba(17,24,39,0.14);
background: #fff;
color: #111827;
font-size: 13px;
font-weight: 800;
cursor: pointer;
display: inline-flex;
align-items: center;
justify-content: center;
gap: 8px;
transition: background 0.15s, border-color 0.15s;
}
.social-btn:hover:not(:disabled) {
background: #f8fafc;
border-color: rgba(37,99,235,0.32);
}
.social-btn:disabled {
cursor: not-allowed;
opacity: 0.7;
}
.social-icon {
width: 22px;
height: 22px;
border-radius: 50%;
display: inline-flex;
align-items: center;
justify-content: center;
color: #fff;
font-size: 12px;
line-height: 1;
}
.provider-wx .social-icon { background: #16a34a; }
.provider-qq .social-icon { background: #2563eb; }
.provider-alipay .social-icon { background: #1677ff; }
.qr-mask {
position: fixed;
inset: 0;
z-index: 20;
display: none;
align-items: center;
justify-content: center;
padding: 18px;
background: rgba(17,24,39,0.45);
}
.qr-dialog {
width: min(340px, 92vw);
border-radius: 14px;
background: #fff;
box-shadow: 0 24px 70px rgba(17,24,39,0.24);
padding: 20px;
}
.qr-head {
display: flex;
align-items: center;
justify-content: space-between;
gap: 12px;
margin-bottom: 16px;
}
.qr-title {
font-size: 16px;
font-weight: 800;
color: #111827;
}
.qr-close {
width: 32px;
height: 32px;
border-radius: 50%;
border: 1px solid rgba(17,24,39,0.12);
background: #fff;
color: #4b5563;
cursor: pointer;
font-size: 18px;
line-height: 1;
}
.qr-body {
display: flex;
flex-direction: column;
align-items: center;
gap: 12px;
}
.qr-image {
width: 220px;
height: 220px;
border: 1px solid rgba(17,24,39,0.10);
border-radius: 10px;
padding: 8px;
background: #fff;
}
.qr-prompt {
font-size: 13px;
color: #374151;
text-align: center;
}
@media (max-width: 480px) { @media (max-width: 480px) {
body { padding: 12px; align-items: flex-start; padding-top: 20px; } body { padding: 12px; align-items: flex-start; padding-top: 20px; }
.login-container { width: 100%; max-width: 100%; padding: 28px 20px; border-radius: 14px; } .login-container { width: 100%; max-width: 100%; padding: 28px 20px; border-radius: 14px; }
@@ -215,14 +353,48 @@
<button type="submit" class="btn-login">登录后台</button> <button type="submit" class="btn-login">登录后台</button>
</form> </form>
<div id="socialLoginArea" class="social-login-area">
<div class="divider"><span>快捷登录</span></div>
<div id="socialButtons" class="social-buttons"></div>
</div>
<div class="back-link"> <div class="back-link">
<a href="/">返回用户登录</a> <a href="/">返回用户登录</a>
</div> </div>
</div> </div>
<div id="qrMask" class="qr-mask" onclick="handleQrMaskClick(event)">
<div class="qr-dialog" role="dialog" aria-modal="true" aria-labelledby="qrTitle">
<div class="qr-head">
<div id="qrTitle" class="qr-title">微信登录</div>
<button type="button" class="qr-close" onclick="closeQr()" aria-label="关闭">x</button>
</div>
<div class="qr-body">
<img id="qrImage" class="qr-image" alt="快捷登录二维码">
<div id="qrPrompt" class="qr-prompt">请使用微信扫描二维码点关注后登录</div>
</div>
</div>
</div>
<script> <script>
let captchaSession = ''; let captchaSession = '';
let needCaptcha = false; let needCaptcha = false;
let socialProviders = [];
let socialLoadingProvider = '';
let pollTimer = null;
let pollStartedAt = 0;
const providerLabels = {
qq: 'QQ',
wx: '微信',
alipay: '支付宝'
};
const providerIcons = {
qq: 'Q',
wx: '微',
alipay: '支'
};
function getCookie(name) { function getCookie(name) {
const escaped = String(name || '').replace(/([.*+?^${}()|[\]\\])/g, '\\$1'); const escaped = String(name || '').replace(/([.*+?^${}()|[\]\\])/g, '\\$1');
@@ -239,6 +411,30 @@
return headers; return headers;
} }
function showError(message) {
const errorDiv = document.getElementById('errorMessage');
const successDiv = document.getElementById('successMessage');
successDiv.style.display = 'none';
errorDiv.textContent = message || '操作失败';
errorDiv.style.display = 'block';
}
function showSuccess(message) {
const errorDiv = document.getElementById('errorMessage');
const successDiv = document.getElementById('successMessage');
errorDiv.style.display = 'none';
successDiv.textContent = message || '操作成功';
successDiv.style.display = 'block';
}
async function readJson(response) {
try {
return await response.json();
} catch (error) {
return {};
}
}
async function handleLogin(event) { async function handleLogin(event) {
event.preventDefault(); event.preventDefault();
@@ -325,6 +521,200 @@
await generateCaptcha(); await generateCaptcha();
document.getElementById('captcha').value = ''; document.getElementById('captcha').value = '';
} }
function adminSocialRedirectUri() {
const url = new URL(window.location.href);
url.pathname = '/yuyx';
url.search = '';
url.hash = '';
return url.toString();
}
function qrPrompt(provider) {
if (provider === 'wx') return '请使用微信扫描二维码点关注后登录';
if (provider === 'qq') return '请使用 QQ 扫描二维码登录';
return '请使用支付宝扫描二维码登录';
}
function setSocialButtonsDisabled(disabled) {
document.querySelectorAll('.social-btn').forEach((btn) => {
btn.disabled = Boolean(disabled);
});
}
function renderSocialButtons() {
const area = document.getElementById('socialLoginArea');
const buttons = document.getElementById('socialButtons');
const visibleProviders = socialProviders.filter((provider) => providerLabels[provider]);
if (!visibleProviders.length) {
area.style.display = 'none';
buttons.innerHTML = '';
return;
}
area.style.display = 'block';
buttons.innerHTML = visibleProviders.map((provider) => {
const label = providerLabels[provider];
const icon = providerIcons[provider] || label.slice(0, 1);
return `
<button type="button" class="social-btn provider-${provider}" data-provider="${provider}">
<span class="social-icon">${icon}</span>
<span>${label}登录</span>
</button>
`;
}).join('');
buttons.querySelectorAll('.social-btn').forEach((button) => {
button.addEventListener('click', () => startSocialLogin(button.dataset.provider));
});
}
async function loadSocialConfig() {
try {
const response = await fetch('/api/auth/social/config', {
method: 'GET',
credentials: 'same-origin'
});
const data = await readJson(response);
socialProviders = response.ok && data.enabled && Array.isArray(data.providers) ? data.providers : [];
} catch (error) {
socialProviders = [];
}
renderSocialButtons();
}
function stopPolling() {
if (pollTimer) {
window.clearTimeout(pollTimer);
pollTimer = null;
}
}
function closeQr() {
stopPolling();
document.getElementById('qrMask').style.display = 'none';
document.getElementById('qrImage').removeAttribute('src');
}
function handleQrMaskClick(event) {
if (event.target && event.target.id === 'qrMask') {
closeQr();
}
}
function openQr(provider, value) {
document.getElementById('qrTitle').textContent = `${providerLabels[provider] || '快捷'}登录`;
document.getElementById('qrPrompt').textContent = qrPrompt(provider);
document.getElementById('qrImage').src = `/yuyx/api/admin-auth/social/qr?data=${encodeURIComponent(value)}`;
document.getElementById('qrMask').style.display = 'flex';
}
function schedulePoll(provider, state, intervalSeconds) {
stopPolling();
pollStartedAt = Date.now();
const tick = async () => {
if (Date.now() - pollStartedAt > 5 * 60 * 1000) {
closeQr();
showError('二维码已过期,请重新获取');
return;
}
try {
const response = await fetch('/yuyx/api/admin-auth/social/poll', {
method: 'POST',
credentials: 'same-origin',
headers: jsonHeaders(),
body: JSON.stringify({ provider, state })
});
const data = await readJson(response);
if (!response.ok) {
closeQr();
showError(data.error || data.message || '扫码状态获取失败,请重新尝试');
return;
}
if (data.status === 'authorized' && data.url) {
closeQr();
window.location.assign(data.url);
return;
}
pollTimer = window.setTimeout(tick, Math.max(Number(intervalSeconds || 2), 2) * 1000);
} catch (error) {
closeQr();
showError('扫码状态获取失败,请重新尝试');
}
};
pollTimer = window.setTimeout(tick, Math.max(Number(intervalSeconds || 2), 2) * 1000);
}
async function startSocialLogin(provider) {
if (!provider || socialLoadingProvider) return;
socialLoadingProvider = provider;
setSocialButtonsDisabled(true);
try {
const response = await fetch('/yuyx/api/admin-auth/social/login-url', {
method: 'POST',
credentials: 'same-origin',
headers: jsonHeaders(),
body: JSON.stringify({
provider,
redirect_uri: adminSocialRedirectUri()
})
});
const data = await readJson(response);
if (!response.ok) {
showError(data.error || data.message || '获取快捷登录地址失败');
return;
}
if (provider !== 'wx') {
window.location.assign(data.url);
return;
}
const value = data.scan_url || data.qrcode || data.url;
if (!value || !data.scan_state) {
showError('微信二维码获取失败');
return;
}
openQr(provider, value);
schedulePoll(provider, data.scan_state, data.scan_poll_interval || 2);
} catch (error) {
showError('获取快捷登录地址失败');
} finally {
socialLoadingProvider = '';
setSocialButtonsDisabled(false);
}
}
async function handleSocialCallback() {
const params = new URLSearchParams(window.location.search || '');
const provider = String(params.get('provider') || params.get('type') || '').trim();
const code = String(params.get('code') || '').trim();
if (!provider || !code) return;
showSuccess('正在完成快捷登录...');
try {
const response = await fetch('/yuyx/api/admin-auth/social/callback', {
method: 'POST',
credentials: 'same-origin',
headers: jsonHeaders(),
body: JSON.stringify({ provider, code })
});
const data = await readJson(response);
if (!response.ok) {
showError(data.error || data.message || '快捷登录失败');
return;
}
showSuccess('登录成功,正在跳转...');
window.setTimeout(() => {
window.location.replace(data.redirect || '/yuyx/admin');
}, 500);
} catch (error) {
showError('快捷登录失败');
}
}
document.addEventListener('DOMContentLoaded', () => {
loadSocialConfig();
handleSocialCallback();
});
</script> </script>
</body> </body>
</html> </html>

89
tests/test_social_login.py
View File

@@ -1,12 +1,15 @@
import sys import sys
from pathlib import Path from pathlib import Path
from flask import Flask
PROJECT_ROOT = Path(__file__).resolve().parents[1] PROJECT_ROOT = Path(__file__).resolve().parents[1]
if str(PROJECT_ROOT) not in sys.path: if str(PROJECT_ROOT) not in sys.path:
sys.path.insert(0, str(PROJECT_ROOT)) sys.path.insert(0, str(PROJECT_ROOT))
import routes.api_social as api_social
from services import social_login from services import social_login
from services.social_login import normalize_social_endpoint, parse_space_scan_page, poll_social_scan from services.social_login import SpaceProfile, normalize_social_endpoint, parse_space_scan_page, poll_social_scan
def test_normalize_social_endpoint_accepts_space_root(): def test_normalize_social_endpoint_accepts_space_root():
@@ -44,3 +47,87 @@ def test_poll_social_scan_treats_code_zero_as_authorized(monkeypatch):
) )
assert result == {"status": "authorized", "url": "https://zsglpt.workyai.cn/login?type=wx&code=ok"} assert result == {"status": "authorized", "url": "https://zsglpt.workyai.cn/login?type=wx&code=ok"}
def test_user_social_callback_ignores_admin_binding_namespace(monkeypatch):
app = Flask(__name__)
app.secret_key = "test-secret"
app.register_blueprint(api_social.api_social_bp)
logged_user_ids = []
class FakeDatabase:
def get_system_config(self):
return {}
def find_social_login_binding(self, provider, social_uid):
assert (provider, social_uid) == ("wx", "same-openid")
return {"id": 3, "user_id": 11}
def find_admin_social_login_binding_by_identity(self, *_args, **_kwargs):
raise AssertionError("user callback must not check admin social bindings")
def get_user_by_id(self, user_id):
return {"id": user_id, "username": "normal-user", "status": "approved"}
def update_social_login_binding_profile(self, *_args, **_kwargs):
return True
monkeypatch.setattr(api_social, "database", FakeDatabase())
monkeypatch.setattr(
api_social,
"fetch_space_profile",
lambda *_args, **_kwargs: SpaceProfile(provider="wx", social_uid="same-openid", nickname="nick"),
)
monkeypatch.setattr(api_social, "_login_user_id", lambda user_id: logged_user_ids.append(user_id))
response = app.test_client().post(
"/api/auth/social/callback",
json={"provider": "wx", "code": "ok", "mode": "login"},
)
assert response.status_code == 200
assert response.get_json()["username"] == "normal-user"
assert logged_user_ids == [11]
def test_admin_social_callback_uses_admin_binding_namespace(monkeypatch):
app = Flask(__name__)
app.secret_key = "test-secret"
app.register_blueprint(api_social.api_social_bp)
class FakeDatabase:
def get_system_config(self):
return {}
def find_social_login_binding(self, *_args, **_kwargs):
raise AssertionError("admin callback must not check user social bindings")
def find_admin_social_login_binding_by_identity(self, provider, social_uid):
assert (provider, social_uid) == ("wx", "same-openid")
return {"id": 9, "admin_id": 7}
def get_admin_by_id(self, admin_id):
return {"id": admin_id, "username": "admin-user"}
def update_admin_social_login_binding_profile(self, *_args, **_kwargs):
return True
monkeypatch.setattr(api_social, "database", FakeDatabase())
monkeypatch.setattr(
api_social,
"fetch_space_profile",
lambda *_args, **_kwargs: SpaceProfile(provider="wx", social_uid="same-openid", nickname="nick"),
)
client = app.test_client()
response = client.post(
"/yuyx/api/admin-auth/social/callback",
json={"provider": "wx", "code": "ok"},
)
assert response.status_code == 200
assert response.get_json()["redirect"] == "/yuyx/admin"
with client.session_transaction() as sess:
assert sess["admin_id"] == 7
assert sess["admin_username"] == "admin-user"