451 lines
15 KiB
Rust
451 lines
15 KiB
Rust
use axum::{
|
|
Json,
|
|
extract::{Extension, Query, State},
|
|
http::{HeaderMap, StatusCode},
|
|
response::{IntoResponse, Redirect, Response},
|
|
};
|
|
use module_auth::{
|
|
AuthLoginMethod, BindWechatPhoneInput, CreateWechatAuthStateInput, WechatAuthError,
|
|
};
|
|
use platform_auth::WechatAuthScene;
|
|
use shared_contracts::auth::{
|
|
WechatBindPhoneRequest, WechatBindPhoneResponse, WechatCallbackQuery,
|
|
WechatMiniProgramLoginRequest, WechatMiniProgramLoginResponse, WechatStartQuery,
|
|
WechatStartResponse,
|
|
};
|
|
use time::OffsetDateTime;
|
|
use url::Url;
|
|
|
|
use crate::{
|
|
api_response::json_success_body,
|
|
auth::AuthenticatedAccessToken,
|
|
auth_payload::map_auth_user_payload,
|
|
auth_session::{
|
|
attach_set_cookie_header, build_refresh_session_cookie_header, create_auth_session,
|
|
},
|
|
http_error::AppError,
|
|
platform_errors::{attach_retry_after, map_wechat_provider_error},
|
|
request_context::RequestContext,
|
|
session_client::resolve_session_client_context,
|
|
state::AppState,
|
|
};
|
|
|
|
pub async fn start_wechat_login(
|
|
State(state): State<AppState>,
|
|
Extension(request_context): Extension<RequestContext>,
|
|
headers: HeaderMap,
|
|
Query(query): Query<WechatStartQuery>,
|
|
) -> Result<Json<serde_json::Value>, AppError> {
|
|
if !state.config.wechat_auth_enabled {
|
|
return Err(AppError::from_status(StatusCode::BAD_REQUEST).with_message("微信登录暂未启用"));
|
|
}
|
|
let user_agent = headers
|
|
.get("user-agent")
|
|
.and_then(|value| value.to_str().ok())
|
|
.map(|value| value.to_string());
|
|
let scene = resolve_wechat_scene(user_agent.as_deref())?;
|
|
let state_record = state
|
|
.wechat_auth_state_service()
|
|
.create_state(
|
|
CreateWechatAuthStateInput {
|
|
redirect_path: normalize_redirect_path(
|
|
query.redirect_path.as_deref(),
|
|
&state.config.wechat_redirect_path,
|
|
),
|
|
scene: map_wechat_scene_to_domain(&scene),
|
|
request_user_agent: user_agent.clone(),
|
|
},
|
|
OffsetDateTime::now_utc(),
|
|
)
|
|
.map_err(map_wechat_auth_error)?;
|
|
let authorization_url = state
|
|
.wechat_provider()
|
|
.build_authorization_url(
|
|
&resolve_wechat_callback_url(&state, &headers)?,
|
|
&state_record.state.state_token,
|
|
&scene,
|
|
)
|
|
.map_err(map_wechat_provider_error)?;
|
|
|
|
Ok(json_success_body(
|
|
Some(&request_context),
|
|
WechatStartResponse { authorization_url },
|
|
))
|
|
}
|
|
|
|
pub async fn handle_wechat_callback(
|
|
State(state): State<AppState>,
|
|
headers: HeaderMap,
|
|
Query(query): Query<WechatCallbackQuery>,
|
|
) -> Result<impl IntoResponse, AppError> {
|
|
if !state.config.wechat_auth_enabled {
|
|
return Err(AppError::from_status(StatusCode::BAD_REQUEST).with_message("微信登录暂未启用"));
|
|
}
|
|
let fallback_redirect = state.config.wechat_redirect_path.clone();
|
|
let state_token = query
|
|
.state
|
|
.as_deref()
|
|
.unwrap_or_default()
|
|
.trim()
|
|
.to_string();
|
|
if state_token.is_empty() {
|
|
return Ok(Redirect::to(&build_auth_result_redirect_url(
|
|
&fallback_redirect,
|
|
&[
|
|
("auth_provider", "wechat"),
|
|
("auth_error", "微信登录状态已失效,请重新发起登录。"),
|
|
],
|
|
))
|
|
.into_response());
|
|
}
|
|
|
|
let consumed = match state
|
|
.wechat_auth_state_service()
|
|
.consume_state(&state_token, OffsetDateTime::now_utc())
|
|
{
|
|
Ok(value) => value,
|
|
Err(_) => {
|
|
return Ok(Redirect::to(&build_auth_result_redirect_url(
|
|
&fallback_redirect,
|
|
&[
|
|
("auth_provider", "wechat"),
|
|
("auth_error", "微信登录状态已失效,请重新发起登录。"),
|
|
],
|
|
))
|
|
.into_response());
|
|
}
|
|
};
|
|
|
|
let redirect_path = consumed.state.redirect_path.clone();
|
|
let session_client = resolve_session_client_context(&headers);
|
|
|
|
let result = match state
|
|
.wechat_provider()
|
|
.resolve_callback_profile(query.code.as_deref(), query.mock_code.as_deref())
|
|
.await
|
|
{
|
|
Ok(profile) => state
|
|
.wechat_auth_service()
|
|
.resolve_login(module_auth::ResolveWechatLoginInput {
|
|
profile: map_wechat_profile_to_domain(profile),
|
|
})
|
|
.await
|
|
.map_err(map_wechat_auth_error),
|
|
Err(error) => Err(map_wechat_provider_error(error)),
|
|
};
|
|
|
|
match result {
|
|
Ok(result) => {
|
|
let signed_session = create_auth_session(
|
|
&state,
|
|
&result.user,
|
|
&session_client,
|
|
AuthLoginMethod::Wechat,
|
|
)?;
|
|
state
|
|
.sync_auth_store_snapshot_to_spacetime()
|
|
.await
|
|
.map_err(|error| {
|
|
AppError::from_status(StatusCode::INTERNAL_SERVER_ERROR)
|
|
.with_message(format!("同步认证快照失败:{error}"))
|
|
})?;
|
|
let mut response = Redirect::to(&build_auth_result_redirect_url(
|
|
&redirect_path,
|
|
&[
|
|
("auth_provider", "wechat"),
|
|
("auth_token", signed_session.access_token.as_str()),
|
|
("auth_binding_status", result.user.binding_status.as_str()),
|
|
],
|
|
))
|
|
.into_response();
|
|
attach_set_cookie_header(
|
|
response.headers_mut(),
|
|
build_refresh_session_cookie_header(&state, &signed_session.refresh_token)?,
|
|
);
|
|
Ok(response)
|
|
}
|
|
Err(error) => Ok(Redirect::to(&build_auth_result_redirect_url(
|
|
&redirect_path,
|
|
&[("auth_provider", "wechat"), ("auth_error", error.message())],
|
|
))
|
|
.into_response()),
|
|
}
|
|
}
|
|
|
|
pub async fn bind_wechat_phone(
|
|
State(state): State<AppState>,
|
|
Extension(request_context): Extension<RequestContext>,
|
|
Extension(authenticated): Extension<AuthenticatedAccessToken>,
|
|
headers: HeaderMap,
|
|
Json(payload): Json<WechatBindPhoneRequest>,
|
|
) -> Result<impl IntoResponse, AppError> {
|
|
if !state.config.wechat_auth_enabled {
|
|
return Err(AppError::from_status(StatusCode::BAD_REQUEST).with_message("微信登录暂未启用"));
|
|
}
|
|
let result = state
|
|
.phone_auth_service()
|
|
.bind_wechat_phone(
|
|
BindWechatPhoneInput {
|
|
user_id: authenticated.claims().user_id().to_string(),
|
|
phone_number: payload.phone,
|
|
verify_code: payload.code,
|
|
},
|
|
OffsetDateTime::now_utc(),
|
|
)
|
|
.await
|
|
.map_err(map_wechat_bind_phone_error)?;
|
|
if result.activated_new_user {
|
|
crate::registration_reward::grant_new_user_registration_wallet_reward(
|
|
&state,
|
|
&request_context,
|
|
&result.user.id,
|
|
)
|
|
.await;
|
|
}
|
|
let session_client = resolve_session_client_context(&headers);
|
|
let signed_session = create_auth_session(
|
|
&state,
|
|
&result.user,
|
|
&session_client,
|
|
AuthLoginMethod::Wechat,
|
|
)?;
|
|
state
|
|
.sync_auth_store_snapshot_to_spacetime()
|
|
.await
|
|
.map_err(|error| {
|
|
AppError::from_status(StatusCode::INTERNAL_SERVER_ERROR)
|
|
.with_message(format!("同步认证快照失败:{error}"))
|
|
})?;
|
|
|
|
let mut response_headers = HeaderMap::new();
|
|
attach_set_cookie_header(
|
|
&mut response_headers,
|
|
build_refresh_session_cookie_header(&state, &signed_session.refresh_token)?,
|
|
);
|
|
|
|
Ok((
|
|
response_headers,
|
|
json_success_body(
|
|
Some(&request_context),
|
|
WechatBindPhoneResponse {
|
|
token: signed_session.access_token,
|
|
user: map_auth_user_payload(result.user),
|
|
},
|
|
),
|
|
))
|
|
}
|
|
|
|
pub async fn login_wechat_mini_program(
|
|
State(state): State<AppState>,
|
|
Extension(request_context): Extension<RequestContext>,
|
|
headers: HeaderMap,
|
|
Json(payload): Json<WechatMiniProgramLoginRequest>,
|
|
) -> Result<impl IntoResponse, AppError> {
|
|
if !state.config.wechat_auth_enabled {
|
|
return Err(AppError::from_status(StatusCode::BAD_REQUEST).with_message("微信登录暂未启用"));
|
|
}
|
|
let code = payload.code.trim();
|
|
if code.is_empty() {
|
|
return Err(
|
|
AppError::from_status(StatusCode::BAD_REQUEST).with_message("缺少微信授权 code")
|
|
);
|
|
}
|
|
|
|
let profile = state
|
|
.wechat_provider()
|
|
.resolve_mini_program_login_profile(Some(code))
|
|
.await
|
|
.map_err(map_wechat_provider_error)?;
|
|
let result = state
|
|
.wechat_auth_service()
|
|
.resolve_login(module_auth::ResolveWechatLoginInput {
|
|
profile: map_wechat_profile_to_domain(profile),
|
|
})
|
|
.await
|
|
.map_err(map_wechat_auth_error)?;
|
|
let session_client = resolve_session_client_context(&headers);
|
|
let signed_session = create_auth_session(
|
|
&state,
|
|
&result.user,
|
|
&session_client,
|
|
AuthLoginMethod::Wechat,
|
|
)?;
|
|
state
|
|
.sync_auth_store_snapshot_to_spacetime()
|
|
.await
|
|
.map_err(|error| {
|
|
AppError::from_status(StatusCode::INTERNAL_SERVER_ERROR)
|
|
.with_message(format!("同步认证快照失败:{error}"))
|
|
})?;
|
|
|
|
let mut response_headers = HeaderMap::new();
|
|
attach_set_cookie_header(
|
|
&mut response_headers,
|
|
build_refresh_session_cookie_header(&state, &signed_session.refresh_token)?,
|
|
);
|
|
|
|
Ok((
|
|
response_headers,
|
|
json_success_body(
|
|
Some(&request_context),
|
|
WechatMiniProgramLoginResponse {
|
|
token: signed_session.access_token,
|
|
binding_status: result.user.binding_status.as_str().to_string(),
|
|
user: map_auth_user_payload(result.user),
|
|
},
|
|
),
|
|
))
|
|
}
|
|
|
|
fn resolve_wechat_scene(user_agent: Option<&str>) -> Result<WechatAuthScene, AppError> {
|
|
let user_agent = user_agent.unwrap_or_default();
|
|
let is_wechat = user_agent.contains("MicroMessenger");
|
|
let is_mobile = user_agent.contains("Android")
|
|
|| user_agent.contains("iPhone")
|
|
|| user_agent.contains("iPad")
|
|
|| user_agent.contains("Mobile");
|
|
|
|
if is_wechat {
|
|
return Ok(WechatAuthScene::WechatInApp);
|
|
}
|
|
if is_mobile {
|
|
return Err(AppError::from_status(StatusCode::BAD_REQUEST)
|
|
.with_message("当前浏览器请使用手机号登录,或在微信内打开后再使用微信登录"));
|
|
}
|
|
|
|
Ok(WechatAuthScene::Desktop)
|
|
}
|
|
|
|
fn map_wechat_scene_to_domain(scene: &WechatAuthScene) -> module_auth::WechatAuthScene {
|
|
match scene {
|
|
WechatAuthScene::Desktop => module_auth::WechatAuthScene::Desktop,
|
|
WechatAuthScene::WechatInApp => module_auth::WechatAuthScene::WechatInApp,
|
|
}
|
|
}
|
|
|
|
fn map_wechat_profile_to_domain(
|
|
profile: platform_auth::WechatIdentityProfile,
|
|
) -> module_auth::WechatIdentityProfile {
|
|
module_auth::WechatIdentityProfile {
|
|
provider_uid: profile.provider_uid,
|
|
provider_union_id: profile.provider_union_id,
|
|
display_name: profile.display_name,
|
|
avatar_url: profile.avatar_url,
|
|
}
|
|
}
|
|
|
|
fn normalize_redirect_path(raw_value: Option<&str>, fallback: &str) -> String {
|
|
let Some(raw_value) = raw_value.map(str::trim).filter(|value| !value.is_empty()) else {
|
|
return fallback.to_string();
|
|
};
|
|
if raw_value.starts_with('/') {
|
|
return raw_value.to_string();
|
|
}
|
|
Url::parse(raw_value)
|
|
.map(|url| {
|
|
format!(
|
|
"{}{}{}",
|
|
url.path(),
|
|
url.query().map(|v| format!("?{v}")).unwrap_or_default(),
|
|
url.fragment().map(|v| format!("#{v}")).unwrap_or_default()
|
|
)
|
|
})
|
|
.unwrap_or_else(|_| fallback.to_string())
|
|
}
|
|
|
|
fn resolve_wechat_callback_url(state: &AppState, headers: &HeaderMap) -> Result<String, AppError> {
|
|
let proto = headers
|
|
.get("x-forwarded-proto")
|
|
.and_then(|value| value.to_str().ok())
|
|
.and_then(|value| value.split(',').next())
|
|
.map(str::trim)
|
|
.filter(|value| !value.is_empty())
|
|
.unwrap_or("http");
|
|
let host = headers
|
|
.get("x-forwarded-host")
|
|
.or_else(|| headers.get("host"))
|
|
.and_then(|value| value.to_str().ok())
|
|
.and_then(|value| value.split(',').next())
|
|
.map(str::trim)
|
|
.filter(|value| !value.is_empty())
|
|
.unwrap_or("127.0.0.1:3000");
|
|
Ok(format!(
|
|
"{proto}://{host}{}",
|
|
state.config.wechat_callback_path
|
|
))
|
|
}
|
|
|
|
fn build_auth_result_redirect_url(redirect_path: &str, params: &[(&str, &str)]) -> String {
|
|
let hash = params
|
|
.iter()
|
|
.map(|(key, value)| {
|
|
format!(
|
|
"{}={}",
|
|
urlencoding::encode(key),
|
|
urlencoding::encode(value)
|
|
)
|
|
})
|
|
.collect::<Vec<_>>()
|
|
.join("&");
|
|
let path_without_hash = redirect_path.split('#').next().unwrap_or("/");
|
|
format!(
|
|
"{}#{}",
|
|
if path_without_hash.is_empty() {
|
|
"/"
|
|
} else {
|
|
path_without_hash
|
|
},
|
|
hash
|
|
)
|
|
}
|
|
|
|
#[allow(dead_code)]
|
|
fn _assert_response_type(_: Response) {}
|
|
|
|
fn map_wechat_auth_error(error: WechatAuthError) -> AppError {
|
|
match error {
|
|
WechatAuthError::MissingProfile
|
|
| WechatAuthError::StateNotFound
|
|
| WechatAuthError::StateExpired
|
|
| WechatAuthError::StateConsumed
|
|
| WechatAuthError::MissingWechatIdentity => {
|
|
AppError::from_status(StatusCode::BAD_REQUEST).with_message(error.to_string())
|
|
}
|
|
WechatAuthError::UserNotFound => {
|
|
AppError::from_status(StatusCode::UNAUTHORIZED).with_message(error.to_string())
|
|
}
|
|
WechatAuthError::Store(_) | WechatAuthError::PasswordHash(_) => {
|
|
AppError::from_status(StatusCode::INTERNAL_SERVER_ERROR).with_message(error.to_string())
|
|
}
|
|
}
|
|
}
|
|
|
|
fn map_wechat_bind_phone_error(error: module_auth::PhoneAuthError) -> AppError {
|
|
match error {
|
|
module_auth::PhoneAuthError::InvalidPhoneNumber
|
|
| module_auth::PhoneAuthError::InvalidVerifyCode
|
|
| module_auth::PhoneAuthError::VerifyCodeNotFound
|
|
| module_auth::PhoneAuthError::VerifyCodeExpired
|
|
| module_auth::PhoneAuthError::UserStateMismatch => {
|
|
AppError::from_status(StatusCode::BAD_REQUEST).with_message(error.to_string())
|
|
}
|
|
module_auth::PhoneAuthError::SendCoolingDown {
|
|
retry_after_seconds,
|
|
} => {
|
|
let app_error = AppError::from_status(StatusCode::TOO_MANY_REQUESTS)
|
|
.with_message(error.to_string())
|
|
.with_details(serde_json::json!({ "retryAfterSeconds": retry_after_seconds }));
|
|
attach_retry_after(app_error, retry_after_seconds)
|
|
}
|
|
module_auth::PhoneAuthError::VerifyAttemptsExceeded => {
|
|
AppError::from_status(StatusCode::TOO_MANY_REQUESTS).with_message(error.to_string())
|
|
}
|
|
module_auth::PhoneAuthError::UserNotFound => {
|
|
AppError::from_status(StatusCode::UNAUTHORIZED).with_message(error.to_string())
|
|
}
|
|
module_auth::PhoneAuthError::Store(_) | module_auth::PhoneAuthError::PasswordHash(_) => {
|
|
AppError::from_status(StatusCode::INTERNAL_SERVER_ERROR).with_message(error.to_string())
|
|
}
|
|
}
|
|
}
|