GenarrativeAI/Genarrative
5
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
ce98a29c4d24d86188c6167fab46f01f5d019111
Genarrative/server-rs/crates/platform-auth/src/lib.rs

2270 lines
75 KiB
Rust
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
use std::{
collections::{BTreeMap, HashSet},
error::Error,
fmt,
};
use argon2::{Argon2, PasswordHash, PasswordHasher, PasswordVerifier, password_hash::SaltString};
use base64::{Engine as _, engine::general_purpose::STANDARD as BASE64_STANDARD};
use hmac::{Hmac, Mac};
use jsonwebtoken::{
Algorithm, DecodingKey, EncodingKey, Header, Validation, decode, encode, errors::ErrorKind,
};
use rand_core::OsRng;
use reqwest::{Client, StatusCode};
use serde::{Deserialize, Serialize};
use serde_json::Value;
use sha1::Sha1;
use sha2::{Digest, Sha256};
use shared_kernel::{new_uuid_simple_string, normalize_optional_string, normalize_required_string};
use time::{Duration, OffsetDateTime};
use tracing::{info, warn};
use url::Url;
pub const ACCESS_TOKEN_ALGORITHM: Algorithm = Algorithm::HS256;
pub const DEFAULT_ACCESS_TOKEN_TTL_SECONDS: u64 = 2 * 60 * 60;
pub const DEFAULT_REFRESH_COOKIE_NAME: &str = "genarrative_refresh_session";
pub const DEFAULT_REFRESH_COOKIE_PATH: &str = "/api/auth";
pub const DEFAULT_REFRESH_SESSION_TTL_DAYS: u32 = 30;
pub const DEFAULT_SMS_ENDPOINT: &str = "dypnsapi.aliyuncs.com";
pub const DEFAULT_SMS_COUNTRY_CODE: &str = "86";
pub const DEFAULT_SMS_TEMPLATE_PARAM_KEY: &str = "code";
pub const DEFAULT_SMS_MOCK_VERIFY_CODE: &str = "123456";
pub const DEFAULT_SMS_CODE_LENGTH: u8 = 6;
pub const DEFAULT_SMS_CODE_TYPE: u8 = 1;
pub const DEFAULT_SMS_VALID_TIME_SECONDS: u64 = 300;
pub const DEFAULT_SMS_INTERVAL_SECONDS: u64 = 60;
pub const DEFAULT_SMS_DUPLICATE_POLICY: u8 = 1;
pub const DEFAULT_SMS_CASE_AUTH_POLICY: u8 = 1;
pub const DEFAULT_WECHAT_AUTHORIZE_ENDPOINT: &str = "https://open.weixin.qq.com/connect/qrconnect";
pub const DEFAULT_WECHAT_IN_APP_AUTHORIZE_ENDPOINT: &str =
"https://open.weixin.qq.com/connect/oauth2/authorize";
pub const DEFAULT_WECHAT_ACCESS_TOKEN_ENDPOINT: &str =
"https://api.weixin.qq.com/sns/oauth2/access_token";
pub const DEFAULT_WECHAT_USER_INFO_ENDPOINT: &str = "https://api.weixin.qq.com/sns/userinfo";
pub const DEFAULT_WECHAT_JS_CODE_SESSION_ENDPOINT: &str =
"https://api.weixin.qq.com/sns/jscode2session";
type HmacSha1 = Hmac<Sha1>;
// 鉴权 provider 直接冻结成文档中约定的枚举,避免后续在多个 crate 内重复发明字符串字面量。
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum AuthProvider {
Password,
Phone,
Wechat,
}
// 绑定状态只保留当前 JWT 需要透传的最小快照,不把完整账号状态枚举直接泄漏到 token 中。
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum BindingStatus {
Active,
PendingBindPhone,
}
// 用于签发 access token 的领域输入,和最终 JWT claims 解耦,避免业务层手动拼 iat/exp/iss。
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct AccessTokenClaimsInput {
pub user_id: String,
pub session_id: String,
pub provider: AuthProvider,
pub roles: Vec<String>,
pub token_version: u64,
pub phone_verified: bool,
pub binding_status: BindingStatus,
pub display_name: Option<String>,
}
// 直接映射最终 JWT payload字段名与文档冻结口径保持一致。
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
pub struct AccessTokenClaims {
pub iss: String,
pub sub: String,
pub sid: String,
pub provider: AuthProvider,
pub roles: Vec<String>,
pub ver: u64,
pub phone_verified: bool,
pub binding_status: BindingStatus,
#[serde(skip_serializing_if = "Option::is_none")]
pub display_name: Option<String>,
pub iat: u64,
pub exp: u64,
}
// 统一承载 JWT 配置,避免 secret、issuer、ttl 在 api-server 与后续模块里散落。
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct JwtConfig {
issuer: String,
secret: String,
access_token_ttl_seconds: u64,
}
// refresh cookie 的 SameSite 固定约束成枚举,避免各层直接使用大小写不一致的字符串。
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum RefreshCookieSameSite {
Lax,
Strict,
None,
}
// refresh cookie 的平台配置统一收口到 platform-auth避免 api-server 直接散落 cookie 细节。
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct RefreshCookieConfig {
cookie_name: String,
cookie_path: String,
cookie_secure: bool,
cookie_same_site: RefreshCookieSameSite,
refresh_session_ttl_days: u32,
}
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum SmsAuthProviderKind {
Mock,
Aliyun,
}
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct SmsAuthConfig {
pub provider: SmsAuthProviderKind,
pub endpoint: String,
pub access_key_id: Option<String>,
pub access_key_secret: Option<String>,
pub sign_name: String,
pub template_code: String,
pub template_param_key: String,
pub country_code: String,
pub scheme_name: Option<String>,
pub code_length: u8,
pub code_type: u8,
pub valid_time_seconds: u64,
pub interval_seconds: u64,
pub duplicate_policy: u8,
pub case_auth_policy: u8,
pub return_verify_code: bool,
pub mock_verify_code: String,
}
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct SmsSendCodeRequest {
pub national_phone_number: String,
pub scene: String,
}
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct SmsSendCodeResult {
pub cooldown_seconds: u64,
pub expires_in_seconds: u64,
pub provider_request_id: Option<String>,
pub provider_out_id: Option<String>,
}
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct SmsVerifyCodeRequest {
pub national_phone_number: String,
pub verify_code: String,
pub provider_out_id: Option<String>,
}
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum WechatAuthScene {
Desktop,
WechatInApp,
}
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct WechatAuthConfig {
pub enabled: bool,
pub provider: String,
pub app_id: Option<String>,
pub app_secret: Option<String>,
pub mini_program_app_id: Option<String>,
pub mini_program_app_secret: Option<String>,
pub authorize_endpoint: String,
pub access_token_endpoint: String,
pub user_info_endpoint: String,
pub js_code_session_endpoint: String,
pub mock_user_id: String,
pub mock_union_id: Option<String>,
pub mock_display_name: String,
pub mock_avatar_url: Option<String>,
}
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct WechatIdentityProfile {
pub provider_uid: String,
pub provider_union_id: Option<String>,
pub display_name: Option<String>,
pub avatar_url: Option<String>,
}
#[derive(Clone, Debug)]
pub enum WechatProvider {
Disabled,
Mock(MockWechatProvider),
Real(RealWechatProvider),
}
#[derive(Clone, Debug)]
pub struct MockWechatProvider {
mock_user_id: String,
mock_union_id: Option<String>,
mock_display_name: String,
mock_avatar_url: Option<String>,
}
#[derive(Clone, Debug)]
pub struct RealWechatProvider {
client: Client,
app_id: Option<String>,
app_secret: Option<String>,
mini_program_app_id: Option<String>,
mini_program_app_secret: Option<String>,
authorize_endpoint: String,
access_token_endpoint: String,
user_info_endpoint: String,
js_code_session_endpoint: String,
}
#[derive(Clone, Debug)]
pub enum SmsAuthProvider {
Mock(MockSmsAuthProvider),
Aliyun(AliyunSmsAuthProvider),
}
#[derive(Clone, Debug)]
pub struct MockSmsAuthProvider {
config: SmsAuthConfig,
}
#[derive(Clone, Debug)]
pub struct AliyunSmsAuthProvider {
client: Client,
config: SmsAuthConfig,
}
#[derive(Debug, PartialEq, Eq)]
pub enum JwtError {
InvalidConfig(&'static str),
InvalidClaims(&'static str),
SignFailed(String),
VerifyFailed(String),
}
#[derive(Debug, PartialEq, Eq)]
pub enum RefreshCookieError {
InvalidConfig(&'static str),
}
#[derive(Debug, PartialEq, Eq)]
pub enum PasswordHashError {
HashFailed(String),
VerifyFailed(String),
}
#[derive(Debug, PartialEq, Eq)]
pub enum SmsProviderError {
InvalidConfig(String),
InvalidVerifyCode,
Upstream(String),
}
#[derive(Debug, PartialEq, Eq)]
pub enum WechatProviderError {
Disabled,
MissingCode,
InvalidConfig(String),
InvalidCallback(String),
RequestFailed(String),
DeserializeFailed(String),
Upstream(String),
MissingProfile(String),
}
// 鉴权平台错误统一先归类api-server 再决定 HTTP status 和错误 envelope。
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum AuthPlatformErrorKind {
InvalidConfig,
InvalidClaims,
SignFailed,
VerifyFailed,
CookieConfig,
HashFailed,
InvalidVerifyCode,
Disabled,
MissingCode,
InvalidCallback,
RequestFailed,
DeserializeFailed,
MissingProfile,
Upstream,
}
#[derive(Debug, Deserialize)]
struct WechatAccessTokenResponse {
access_token: Option<String>,
openid: Option<String>,
unionid: Option<String>,
errmsg: Option<String>,
}
#[derive(Debug, Deserialize)]
struct WechatUserInfoResponse {
openid: Option<String>,
unionid: Option<String>,
nickname: Option<String>,
headimgurl: Option<String>,
errmsg: Option<String>,
}
#[derive(Debug, Deserialize)]
struct WechatJsCodeSessionResponse {
openid: Option<String>,
unionid: Option<String>,
errcode: Option<i64>,
errmsg: Option<String>,
}
#[derive(Debug, Deserialize)]
struct AliyunSendSmsVerifyCodeResponse {
// 阿里云 RPC 原始 JSON 使用首字母大写字段名,这里必须显式映射,避免把成功响应误判成空值。
#[serde(default, rename = "Code")]
code: Option<String>,
#[serde(default, rename = "Message")]
message: Option<String>,
#[serde(default, rename = "RequestId")]
request_id: Option<String>,
#[serde(default, rename = "Success")]
success: Option<bool>,
#[serde(default, rename = "Model")]
model: Option<AliyunSendSmsVerifyCodeModel>,
}
#[derive(Debug, Deserialize)]
struct AliyunSendSmsVerifyCodeModel {
#[serde(default, rename = "BizId")]
_biz_id: Option<String>,
#[serde(default, rename = "OutId")]
out_id: Option<String>,
#[serde(default, rename = "RequestId")]
request_id: Option<String>,
}
#[derive(Debug, Deserialize)]
struct AliyunCheckSmsVerifyCodeResponse {
// 校验接口同样返回首字母大写字段名,保持和发送接口一致的显式映射。
#[serde(default, rename = "Code")]
code: Option<String>,
#[serde(default, rename = "Message")]
message: Option<String>,
#[serde(default, rename = "Success")]
success: Option<bool>,
#[serde(default, rename = "Model")]
model: Option<AliyunCheckSmsVerifyCodeModel>,
}
#[derive(Debug, Deserialize)]
struct AliyunCheckSmsVerifyCodeModel {
#[serde(default, rename = "OutId")]
_out_id: Option<String>,
#[serde(default, rename = "VerifyResult")]
verify_result: Option<String>,
}
impl JwtConfig {
pub fn new(
issuer: String,
secret: String,
access_token_ttl_seconds: u64,
) -> Result<Self, JwtError> {
let issuer = normalize_required_string(&issuer)
.ok_or(JwtError::InvalidConfig("JWT issuer 不能为空"))?;
let secret = normalize_required_string(&secret)
.ok_or(JwtError::InvalidConfig("JWT secret 不能为空"))?;
if access_token_ttl_seconds == 0 {
return Err(JwtError::InvalidConfig(
"JWT access token 过期时间必须大于 0",
));
}
Ok(Self {
issuer,
secret,
access_token_ttl_seconds,
})
}
pub fn issuer(&self) -> &str {
&self.issuer
}
pub fn access_token_ttl_seconds(&self) -> u64 {
self.access_token_ttl_seconds
}
}
impl RefreshCookieSameSite {
pub fn parse(raw: &str) -> Option<Self> {
match raw.trim().to_ascii_lowercase().as_str() {
"lax" => Some(Self::Lax),
"strict" => Some(Self::Strict),
"none" => Some(Self::None),
_ => None,
}
}
pub fn as_str(&self) -> &'static str {
match self {
Self::Lax => "Lax",
Self::Strict => "Strict",
Self::None => "None",
}
}
}
impl RefreshCookieConfig {
pub fn new(
cookie_name: String,
cookie_path: String,
cookie_secure: bool,
cookie_same_site: RefreshCookieSameSite,
refresh_session_ttl_days: u32,
) -> Result<Self, RefreshCookieError> {
let cookie_name = normalize_required_string(&cookie_name).ok_or(
RefreshCookieError::InvalidConfig("refresh cookie 名称不能为空"),
)?;
let cookie_path = normalize_required_string(&cookie_path).ok_or(
RefreshCookieError::InvalidConfig("refresh cookie path 不能为空"),
)?;
if refresh_session_ttl_days == 0 {
return Err(RefreshCookieError::InvalidConfig(
"refresh session TTL 天数必须大于 0",
));
}
Ok(Self {
cookie_name,
cookie_path,
cookie_secure,
cookie_same_site,
refresh_session_ttl_days,
})
}
pub fn cookie_name(&self) -> &str {
&self.cookie_name
}
pub fn cookie_path(&self) -> &str {
&self.cookie_path
}
pub fn cookie_secure(&self) -> bool {
self.cookie_secure
}
pub fn cookie_same_site(&self) -> &RefreshCookieSameSite {
&self.cookie_same_site
}
pub fn refresh_session_ttl_days(&self) -> u32 {
self.refresh_session_ttl_days
}
}
impl SmsAuthProviderKind {
pub fn parse(raw: &str) -> Option<Self> {
match raw.trim().to_ascii_lowercase().as_str() {
"mock" => Some(Self::Mock),
"aliyun" => Some(Self::Aliyun),
_ => None,
}
}
pub fn as_str(&self) -> &'static str {
match self {
Self::Mock => "mock",
Self::Aliyun => "aliyun",
}
}
}
impl SmsAuthConfig {
pub fn new(
provider: SmsAuthProviderKind,
endpoint: String,
access_key_id: Option<String>,
access_key_secret: Option<String>,
sign_name: String,
template_code: String,
template_param_key: String,
country_code: String,
scheme_name: Option<String>,
code_length: u8,
code_type: u8,
valid_time_seconds: u64,
interval_seconds: u64,
duplicate_policy: u8,
case_auth_policy: u8,
return_verify_code: bool,
mock_verify_code: String,
) -> Result<Self, SmsProviderError> {
let endpoint = normalize_required_string(&endpoint)
.unwrap_or_else(|| DEFAULT_SMS_ENDPOINT.to_string());
let template_param_key = normalize_required_string(&template_param_key)
.unwrap_or_else(|| DEFAULT_SMS_TEMPLATE_PARAM_KEY.to_string());
let country_code = normalize_required_string(&country_code)
.unwrap_or_else(|| DEFAULT_SMS_COUNTRY_CODE.to_string());
let scheme_name = normalize_optional_string(scheme_name);
let mock_verify_code = normalize_required_string(&mock_verify_code)
.unwrap_or_else(|| DEFAULT_SMS_MOCK_VERIFY_CODE.to_string());
if !(4..=8).contains(&code_length) {
return Err(SmsProviderError::InvalidConfig(
"短信验证码长度必须在 4 到 8 之间".to_string(),
));
}
if !(1..=7).contains(&code_type) {
return Err(SmsProviderError::InvalidConfig(
"短信验证码类型取值非法".to_string(),
));
}
if interval_seconds == 0 || valid_time_seconds == 0 {
return Err(SmsProviderError::InvalidConfig(
"短信验证码有效期和发送间隔必须大于 0".to_string(),
));
}
if !(1..=2).contains(&duplicate_policy) {
return Err(SmsProviderError::InvalidConfig(
"短信验证码重复策略取值非法".to_string(),
));
}
if !(1..=2).contains(&case_auth_policy) {
return Err(SmsProviderError::InvalidConfig(
"短信验证码大小写校验策略取值非法".to_string(),
));
}
match provider {
SmsAuthProviderKind::Mock => {}
SmsAuthProviderKind::Aliyun => {
if normalize_required_string(&sign_name).is_none() {
return Err(SmsProviderError::InvalidConfig(
"阿里云短信签名不能为空".to_string(),
));
}
if normalize_required_string(&template_code).is_none() {
return Err(SmsProviderError::InvalidConfig(
"阿里云短信模板编码不能为空".to_string(),
));
}
if access_key_id
.as_deref()
.and_then(normalize_required_string)
.is_none()
|| access_key_secret
.as_deref()
.and_then(normalize_required_string)
.is_none()
{
return Err(SmsProviderError::InvalidConfig(
"阿里云短信 AccessKey 未配置".to_string(),
));
}
}
}
Ok(Self {
provider,
endpoint,
access_key_id: access_key_id.and_then(|value| normalize_required_string(&value)),
access_key_secret: access_key_secret
.and_then(|value| normalize_required_string(&value)),
sign_name: sign_name.trim().to_string(),
template_code: template_code.trim().to_string(),
template_param_key,
country_code,
scheme_name,
code_length,
code_type,
valid_time_seconds,
interval_seconds,
duplicate_policy,
case_auth_policy,
return_verify_code,
mock_verify_code,
})
}
}
impl SmsAuthProvider {
pub fn new(config: SmsAuthConfig) -> Result<Self, SmsProviderError> {
match config.provider {
SmsAuthProviderKind::Mock => Ok(Self::Mock(MockSmsAuthProvider { config })),
SmsAuthProviderKind::Aliyun => Ok(Self::Aliyun(AliyunSmsAuthProvider {
client: Client::new(),
config,
})),
}
}
pub fn kind(&self) -> SmsAuthProviderKind {
match self {
Self::Mock(_) => SmsAuthProviderKind::Mock,
Self::Aliyun(_) => SmsAuthProviderKind::Aliyun,
}
}
pub async fn send_code(
&self,
request: SmsSendCodeRequest,
) -> Result<SmsSendCodeResult, SmsProviderError> {
match self {
Self::Mock(provider) => provider.send_code(request).await,
Self::Aliyun(provider) => provider.send_code(request).await,
}
}
pub async fn verify_code(&self, request: SmsVerifyCodeRequest) -> Result<(), SmsProviderError> {
match self {
Self::Mock(provider) => provider.verify_code(request).await,
Self::Aliyun(provider) => provider.verify_code(request).await,
}
}
}
impl WechatAuthConfig {
#[allow(clippy::too_many_arguments)]
pub fn new(
enabled: bool,
provider: String,
app_id: Option<String>,
app_secret: Option<String>,
mini_program_app_id: Option<String>,
mini_program_app_secret: Option<String>,
authorize_endpoint: String,
access_token_endpoint: String,
user_info_endpoint: String,
js_code_session_endpoint: String,
mock_user_id: String,
mock_union_id: Option<String>,
mock_display_name: String,
mock_avatar_url: Option<String>,
) -> Self {
Self {
enabled,
provider,
app_id,
app_secret,
mini_program_app_id,
mini_program_app_secret,
authorize_endpoint,
access_token_endpoint,
user_info_endpoint,
js_code_session_endpoint,
mock_user_id,
mock_union_id,
mock_display_name,
mock_avatar_url,
}
}
}
impl WechatProvider {
pub fn new(config: WechatAuthConfig) -> Self {
if !config.enabled {
return Self::Disabled;
}
if config.provider.trim().eq_ignore_ascii_case("mock") {
return Self::Mock(MockWechatProvider {
mock_user_id: config.mock_user_id,
mock_union_id: config.mock_union_id,
mock_display_name: config.mock_display_name,
mock_avatar_url: config.mock_avatar_url,
});
}
let has_web_oauth_config = config
.app_id
.as_ref()
.is_some_and(|value| !value.is_empty())
&& config
.app_secret
.as_ref()
.is_some_and(|value| !value.is_empty());
let has_mini_program_config = config
.mini_program_app_id
.as_ref()
.is_some_and(|value| !value.is_empty())
&& config
.mini_program_app_secret
.as_ref()
.is_some_and(|value| !value.is_empty());
if !has_web_oauth_config && !has_mini_program_config {
return Self::Disabled;
};
Self::Real(RealWechatProvider {
client: Client::new(),
app_id: config.app_id,
app_secret: config.app_secret,
mini_program_app_id: config.mini_program_app_id,
mini_program_app_secret: config.mini_program_app_secret,
authorize_endpoint: config.authorize_endpoint,
access_token_endpoint: config.access_token_endpoint,
user_info_endpoint: config.user_info_endpoint,
js_code_session_endpoint: config.js_code_session_endpoint,
})
}
pub fn build_authorization_url(
&self,
callback_url: &str,
state: &str,
scene: &WechatAuthScene,
) -> Result<String, WechatProviderError> {
match self {
Self::Disabled => Err(WechatProviderError::Disabled),
Self::Mock(_) => build_mock_wechat_authorization_url(callback_url, state),
Self::Real(provider) => provider.build_authorization_url(callback_url, state, scene),
}
}
pub async fn resolve_callback_profile(
&self,
code: Option<&str>,
mock_code: Option<&str>,
) -> Result<WechatIdentityProfile, WechatProviderError> {
match self {
Self::Disabled => Err(WechatProviderError::Disabled),
Self::Mock(provider) => Ok(provider.resolve_callback_profile(mock_code)),
Self::Real(provider) => provider.resolve_callback_profile(code).await,
}
}
pub async fn resolve_mini_program_login_profile(
&self,
code: Option<&str>,
) -> Result<WechatIdentityProfile, WechatProviderError> {
match self {
Self::Disabled => Err(WechatProviderError::Disabled),
Self::Mock(provider) => Ok(provider.resolve_callback_profile(code)),
Self::Real(provider) => provider.resolve_mini_program_login_profile(code).await,
}
}
}
impl MockWechatProvider {
fn resolve_callback_profile(&self, mock_code: Option<&str>) -> WechatIdentityProfile {
let provider_uid = mock_code
.map(str::trim)
.filter(|value| !value.is_empty())
.unwrap_or(self.mock_user_id.as_str())
.to_string();
WechatIdentityProfile {
provider_uid,
provider_union_id: self.mock_union_id.clone(),
display_name: Some(self.mock_display_name.clone()),
avatar_url: self.mock_avatar_url.clone(),
}
}
}
impl RealWechatProvider {
fn build_authorization_url(
&self,
callback_url: &str,
state: &str,
scene: &WechatAuthScene,
) -> Result<String, WechatProviderError> {
let endpoint = match scene {
WechatAuthScene::Desktop => &self.authorize_endpoint,
WechatAuthScene::WechatInApp => DEFAULT_WECHAT_IN_APP_AUTHORIZE_ENDPOINT,
};
let mut url = Url::parse(endpoint).map_err(|error| {
WechatProviderError::InvalidConfig(format!("微信授权地址非法:{error}"))
})?;
let app_id = self.app_id.as_ref().ok_or_else(|| {
WechatProviderError::InvalidConfig("微信开放平台 AppID 未配置".to_string())
})?;
url.query_pairs_mut()
.append_pair("appid", app_id)
.append_pair("redirect_uri", callback_url)
.append_pair("response_type", "code")
.append_pair(
"scope",
match scene {
WechatAuthScene::Desktop => "snsapi_login",
WechatAuthScene::WechatInApp => "snsapi_userinfo",
},
)
.append_pair("state", state);
Ok(format!("{url}#wechat_redirect"))
}
async fn resolve_callback_profile(
&self,
code: Option<&str>,
) -> Result<WechatIdentityProfile, WechatProviderError> {
let code = code
.map(str::trim)
.filter(|value| !value.is_empty())
.ok_or(WechatProviderError::MissingCode)?;
let app_id = self.app_id.as_ref().ok_or_else(|| {
WechatProviderError::InvalidConfig("微信开放平台 AppID 未配置".to_string())
})?;
let app_secret = self.app_secret.as_ref().ok_or_else(|| {
WechatProviderError::InvalidConfig("微信开放平台 AppSecret 未配置".to_string())
})?;
let mut access_token_url = Url::parse(&self.access_token_endpoint).map_err(|error| {
WechatProviderError::InvalidConfig(format!("微信 access_token 地址非法:{error}"))
})?;
access_token_url
.query_pairs_mut()
.append_pair("appid", app_id)
.append_pair("secret", app_secret)
.append_pair("code", code)
.append_pair("grant_type", "authorization_code");
let access_token_payload = self
.client
.get(access_token_url.as_str())
.send()
.await
.map_err(|error| {
warn!(error = %error, "微信 access_token 请求失败");
WechatProviderError::RequestFailed(
"微信登录失败access_token 请求失败".to_string(),
)
})?
.json::<WechatAccessTokenResponse>()
.await
.map_err(|error| {
warn!(error = %error, "微信 access_token 响应解析失败");
WechatProviderError::DeserializeFailed(
"微信登录失败access_token 响应非法".to_string(),
)
})?;
let access_token = access_token_payload
.access_token
.filter(|value| !value.trim().is_empty())
.ok_or_else(|| {
WechatProviderError::Upstream(format!(
"微信登录失败:{}",
access_token_payload
.errmsg
.unwrap_or_else(|| "缺少 access_token".to_string())
))
})?;
let openid = access_token_payload
.openid
.filter(|value| !value.trim().is_empty())
.ok_or_else(|| {
WechatProviderError::MissingProfile("微信登录失败:缺少 openid".to_string())
})?;
let mut user_info_url = Url::parse(&self.user_info_endpoint).map_err(|error| {
WechatProviderError::InvalidConfig(format!("微信用户信息地址非法:{error}"))
})?;
user_info_url
.query_pairs_mut()
.append_pair("access_token", &access_token)
.append_pair("openid", &openid)
.append_pair("lang", "zh_CN");
let user_info_payload = self
.client
.get(user_info_url.as_str())
.send()
.await
.map_err(|error| {
warn!(error = %error, "微信用户信息请求失败");
WechatProviderError::RequestFailed("微信登录失败:用户信息请求失败".to_string())
})?
.json::<WechatUserInfoResponse>()
.await
.map_err(|error| {
warn!(error = %error, "微信用户信息响应解析失败");
WechatProviderError::DeserializeFailed("微信登录失败:用户信息响应非法".to_string())
})?;
let provider_uid = user_info_payload
.openid
.filter(|value| !value.trim().is_empty())
.ok_or_else(|| {
WechatProviderError::Upstream(format!(
"微信登录失败:{}",
user_info_payload
.errmsg
.unwrap_or_else(|| "缺少 openid".to_string())
))
})?;
Ok(WechatIdentityProfile {
provider_uid,
provider_union_id: user_info_payload.unionid.or(access_token_payload.unionid),
display_name: user_info_payload.nickname,
avatar_url: user_info_payload.headimgurl,
})
}
async fn resolve_mini_program_login_profile(
&self,
code: Option<&str>,
) -> Result<WechatIdentityProfile, WechatProviderError> {
let code = code
.map(str::trim)
.filter(|value| !value.is_empty())
.ok_or(WechatProviderError::MissingCode)?;
let app_id = self
.mini_program_app_id
.as_ref()
.or(self.app_id.as_ref())
.ok_or_else(|| {
WechatProviderError::InvalidConfig("微信小程序 AppID 未配置".to_string())
})?;
let app_secret = self
.mini_program_app_secret
.as_ref()
.or(self.app_secret.as_ref())
.ok_or_else(|| {
WechatProviderError::InvalidConfig("微信小程序 AppSecret 未配置".to_string())
})?;
let mut js_code_session_url =
Url::parse(&self.js_code_session_endpoint).map_err(|error| {
WechatProviderError::InvalidConfig(format!("微信 jscode2session 地址非法:{error}"))
})?;
js_code_session_url
.query_pairs_mut()
.append_pair("appid", app_id)
.append_pair("secret", app_secret)
.append_pair("js_code", code)
.append_pair("grant_type", "authorization_code");
let payload = self
.client
.get(js_code_session_url.as_str())
.send()
.await
.map_err(|error| {
warn!(error = %error, "微信小程序 jscode2session 请求失败");
WechatProviderError::RequestFailed(
"微信小程序登录失败jscode2session 请求失败".to_string(),
)
})?
.json::<WechatJsCodeSessionResponse>()
.await
.map_err(|error| {
warn!(error = %error, "微信小程序 jscode2session 响应解析失败");
WechatProviderError::DeserializeFailed(
"微信小程序登录失败jscode2session 响应非法".to_string(),
)
})?;
if let Some(errcode) = payload.errcode.filter(|value| *value != 0) {
return Err(WechatProviderError::Upstream(format!(
"微信小程序登录失败:{}",
payload
.errmsg
.unwrap_or_else(|| format!("jscode2session 返回错误 {errcode}"))
)));
}
let provider_uid = payload
.openid
.filter(|value| !value.trim().is_empty())
.ok_or_else(|| {
WechatProviderError::MissingProfile("微信小程序登录失败:缺少 openid".to_string())
})?;
Ok(WechatIdentityProfile {
provider_uid,
provider_union_id: payload.unionid,
display_name: None,
avatar_url: None,
})
}
}
fn build_mock_wechat_authorization_url(
callback_url: &str,
state: &str,
) -> Result<String, WechatProviderError> {
let mut callback = Url::parse(callback_url).map_err(|error| {
WechatProviderError::InvalidCallback(format!("微信回调地址非法:{error}"))
})?;
callback
.query_pairs_mut()
.append_pair("mock_code", "wx-mock-code")
.append_pair("state", state);
Ok(callback.to_string())
}
impl MockSmsAuthProvider {
async fn send_code(
&self,
request: SmsSendCodeRequest,
) -> Result<SmsSendCodeResult, SmsProviderError> {
let provider_out_id =
build_sms_provider_out_id(&request.scene, &request.national_phone_number);
Ok(SmsSendCodeResult {
cooldown_seconds: self.config.interval_seconds,
expires_in_seconds: self.config.valid_time_seconds,
provider_request_id: Some("mock-request-id".to_string()),
provider_out_id: Some(provider_out_id),
})
}
async fn verify_code(&self, request: SmsVerifyCodeRequest) -> Result<(), SmsProviderError> {
if request.verify_code.trim() != self.config.mock_verify_code {
return Err(SmsProviderError::InvalidVerifyCode);
}
Ok(())
}
}
impl AliyunSmsAuthProvider {
async fn send_code(
&self,
request: SmsSendCodeRequest,
) -> Result<SmsSendCodeResult, SmsProviderError> {
let provider_out_id =
build_sms_provider_out_id(&request.scene, &request.national_phone_number);
let phone_masked = mask_phone_number(&request.national_phone_number);
let template_param = serde_json::json!({
self.config.template_param_key.clone(): "##code##",
"min": self.config.valid_time_seconds,
})
.to_string();
info!(
provider = "aliyun",
scene = request.scene.as_str(),
phone_masked = phone_masked.as_str(),
endpoint = self.config.endpoint.as_str(),
sign_name = self.config.sign_name.as_str(),
template_code = self.config.template_code.as_str(),
code_length = self.config.code_length,
valid_time_seconds = self.config.valid_time_seconds,
interval_seconds = self.config.interval_seconds,
provider_out_id = provider_out_id.as_str(),
"准备调用阿里云短信发送接口"
);
let mut query = BTreeMap::new();
query.insert("Action".to_string(), "SendSmsVerifyCode".to_string());
query.insert("Format".to_string(), "json".to_string());
query.insert("Version".to_string(), "2017-05-25".to_string());
query.insert("Timestamp".to_string(), current_aliyun_timestamp());
query.insert("SignatureNonce".to_string(), new_uuid_simple_string());
query.insert("SignatureMethod".to_string(), "HMAC-SHA1".to_string());
query.insert("SignatureVersion".to_string(), "1.0".to_string());
query.insert(
"AccessKeyId".to_string(),
self.config.access_key_id.clone().unwrap_or_default(),
);
query.insert(
"PhoneNumber".to_string(),
request.national_phone_number.trim().to_string(),
);
query.insert("CountryCode".to_string(), self.config.country_code.clone());
query.insert("SignName".to_string(), self.config.sign_name.clone());
query.insert(
"TemplateCode".to_string(),
self.config.template_code.clone(),
);
query.insert("TemplateParam".to_string(), template_param);
query.insert(
"CodeLength".to_string(),
self.config.code_length.to_string(),
);
query.insert("CodeType".to_string(), self.config.code_type.to_string());
query.insert(
"ValidTime".to_string(),
self.config.valid_time_seconds.to_string(),
);
query.insert(
"Interval".to_string(),
self.config.interval_seconds.to_string(),
);
query.insert(
"DuplicatePolicy".to_string(),
self.config.duplicate_policy.to_string(),
);
query.insert(
"ReturnVerifyCode".to_string(),
self.config.return_verify_code.to_string(),
);
query.insert("OutId".to_string(), provider_out_id.clone());
if let Some(scheme_name) = self.config.scheme_name.clone() {
query.insert("SchemeName".to_string(), scheme_name);
}
self.sign_query(&mut query)?;
let payload = self
.client
.post(build_aliyun_sms_url(&self.config.endpoint)?)
.form(&query)
.send()
.await
.map_err(|error| SmsProviderError::Upstream(format!("短信验证码发送失败:{error}")))?;
let http_status = payload.status();
let body = parse_aliyun_json_response(payload, "短信验证码发送失败").await?;
info!(
provider = "aliyun",
scene = request.scene.as_str(),
phone_masked = phone_masked.as_str(),
http_status = http_status.as_u16(),
provider_code = body.code.as_deref().unwrap_or("unknown"),
provider_message = body.message.as_deref().unwrap_or("unknown"),
provider_request_id = body
.request_id
.as_deref()
.or_else(|| body
.model
.as_ref()
.and_then(|model| model.request_id.as_deref()))
.unwrap_or("unknown"),
provider_out_id = body
.model
.as_ref()
.and_then(|model| model.out_id.as_deref())
.unwrap_or("unknown"),
success = body.success.unwrap_or(false),
"阿里云短信发送接口返回响应"
);
if !body.success.unwrap_or(false) || body.code.as_deref() != Some("OK") {
warn!(
provider = "aliyun",
scene = request.scene.as_str(),
phone_masked = phone_masked.as_str(),
http_status = http_status.as_u16(),
provider_code = body.code.as_deref().unwrap_or("unknown"),
provider_message = body.message.as_deref().unwrap_or("unknown"),
provider_request_id = body
.request_id
.as_deref()
.or_else(|| body
.model
.as_ref()
.and_then(|model| model.request_id.as_deref()))
.unwrap_or("unknown"),
provider_out_id = body
.model
.as_ref()
.and_then(|model| model.out_id.as_deref())
.unwrap_or("unknown"),
"阿里云短信发送接口返回业务失败"
);
return Err(map_aliyun_provider_error(
"短信验证码发送失败",
body.message,
body.code,
));
}
Ok(SmsSendCodeResult {
cooldown_seconds: self.config.interval_seconds,
expires_in_seconds: self.config.valid_time_seconds,
provider_request_id: body.request_id.or_else(|| {
body.model
.as_ref()
.and_then(|model| model.request_id.clone())
}),
provider_out_id: body.model.and_then(|model| model.out_id),
})
}
async fn verify_code(&self, request: SmsVerifyCodeRequest) -> Result<(), SmsProviderError> {
let mut query = BTreeMap::new();
query.insert("Action".to_string(), "CheckSmsVerifyCode".to_string());
query.insert("Format".to_string(), "json".to_string());
query.insert("Version".to_string(), "2017-05-25".to_string());
query.insert("Timestamp".to_string(), current_aliyun_timestamp());
query.insert("SignatureNonce".to_string(), new_uuid_simple_string());
query.insert("SignatureMethod".to_string(), "HMAC-SHA1".to_string());
query.insert("SignatureVersion".to_string(), "1.0".to_string());
query.insert(
"AccessKeyId".to_string(),
self.config.access_key_id.clone().unwrap_or_default(),
);
query.insert(
"PhoneNumber".to_string(),
request.national_phone_number.trim().to_string(),
);
query.insert("CountryCode".to_string(), self.config.country_code.clone());
query.insert(
"VerifyCode".to_string(),
request.verify_code.trim().to_string(),
);
query.insert(
"CaseAuthPolicy".to_string(),
self.config.case_auth_policy.to_string(),
);
if let Some(scheme_name) = self.config.scheme_name.clone() {
query.insert("SchemeName".to_string(), scheme_name);
}
if let Some(provider_out_id) = request.provider_out_id {
query.insert("OutId".to_string(), provider_out_id);
}
self.sign_query(&mut query)?;
let payload = self
.client
.post(build_aliyun_sms_url(&self.config.endpoint)?)
.form(&query)
.send()
.await
.map_err(|error| SmsProviderError::Upstream(format!("验证码校验失败:{error}")))?;
let body = parse_aliyun_json_response_for_verify(payload).await?;
if !body.success.unwrap_or(false) || body.code.as_deref() != Some("OK") {
return Err(map_aliyun_provider_error(
"验证码校验失败",
body.message,
body.code,
));
}
if body.model.and_then(|model| model.verify_result).as_deref() != Some("PASS") {
return Err(SmsProviderError::InvalidVerifyCode);
}
Ok(())
}
fn sign_query(&self, query: &mut BTreeMap<String, String>) -> Result<(), SmsProviderError> {
let access_key_secret = self.config.access_key_secret.as_deref().ok_or_else(|| {
SmsProviderError::InvalidConfig("阿里云短信 AccessKeySecret 未配置".to_string())
})?;
let canonicalized = canonicalize_aliyun_rpc_params(query);
let string_to_sign = format!(
"POST&{}&{}",
aliyun_percent_encode("/"),
aliyun_percent_encode(&canonicalized)
);
let mut signer = HmacSha1::new_from_slice(format!("{access_key_secret}&").as_bytes())
.map_err(|error| {
SmsProviderError::InvalidConfig(format!("初始化短信签名器失败:{error}"))
})?;
signer.update(string_to_sign.as_bytes());
let signature = BASE64_STANDARD.encode(signer.finalize().into_bytes());
query.insert("Signature".to_string(), signature);
Ok(())
}
}
impl AccessTokenClaims {
pub fn from_input(
input: AccessTokenClaimsInput,
config: &JwtConfig,
issued_at: OffsetDateTime,
) -> Result<Self, JwtError> {
let user_id = normalize_required_field(input.user_id, "JWT sub 不能为空")?;
let session_id = normalize_required_field(input.session_id, "JWT sid 不能为空")?;
let roles = normalize_roles(input.roles)?;
let display_name = normalize_optional_field(input.display_name);
let issued_at_unix = issued_at.unix_timestamp();
if issued_at_unix < 0 {
return Err(JwtError::InvalidClaims("JWT iat 不能早于 Unix epoch"));
}
let expires_at = issued_at
.checked_add(Duration::seconds(
i64::try_from(config.access_token_ttl_seconds()).map_err(|_| {
JwtError::InvalidConfig("JWT access token 过期时间超出 i64 上限")
})?,
))
.ok_or(JwtError::InvalidConfig("JWT 过期时间计算溢出"))?;
let expires_at_unix = expires_at.unix_timestamp();
if expires_at_unix <= issued_at_unix {
return Err(JwtError::InvalidClaims("JWT exp 必须晚于 iat"));
}
let claims = Self {
iss: config.issuer().to_string(),
sub: user_id,
sid: session_id,
provider: input.provider,
roles,
ver: input.token_version,
phone_verified: input.phone_verified,
binding_status: input.binding_status,
display_name,
iat: issued_at_unix as u64,
exp: expires_at_unix as u64,
};
claims.validate_for_config(config)?;
Ok(claims)
}
pub fn user_id(&self) -> &str {
&self.sub
}
pub fn session_id(&self) -> &str {
&self.sid
}
pub fn token_version(&self) -> u64 {
self.ver
}
pub fn validate_for_config(&self, config: &JwtConfig) -> Result<(), JwtError> {
if self.iss.trim() != config.issuer() {
return Err(JwtError::InvalidClaims("JWT iss 与当前配置不一致"));
}
normalize_required_field(self.sub.clone(), "JWT sub 不能为空")?;
normalize_required_field(self.sid.clone(), "JWT sid 不能为空")?;
normalize_roles(self.roles.clone())?;
if self.exp <= self.iat {
return Err(JwtError::InvalidClaims("JWT exp 必须晚于 iat"));
}
Ok(())
}
}
pub fn sign_access_token(
claims: &AccessTokenClaims,
config: &JwtConfig,
) -> Result<String, JwtError> {
claims.validate_for_config(config)?;
let header = Header {
alg: ACCESS_TOKEN_ALGORITHM,
typ: Some("JWT".to_string()),
..Header::default()
};
encode(
&header,
claims,
&EncodingKey::from_secret(config.secret.as_bytes()),
)
.map_err(|error| JwtError::SignFailed(format!("JWT 签发失败:{error}")))
}
pub fn verify_access_token(token: &str, config: &JwtConfig) -> Result<AccessTokenClaims, JwtError> {
let token = token.trim();
if token.is_empty() {
return Err(JwtError::VerifyFailed("JWT 不能为空".to_string()));
}
let mut validation = Validation::new(ACCESS_TOKEN_ALGORITHM);
validation.required_spec_claims = HashSet::from([
"exp".to_string(),
"iat".to_string(),
"iss".to_string(),
"sub".to_string(),
]);
validation.set_issuer(&[config.issuer()]);
let decoded = decode::<AccessTokenClaims>(
token,
&DecodingKey::from_secret(config.secret.as_bytes()),
&validation,
)
.map_err(map_verify_error)?;
decoded.claims.validate_for_config(config)?;
Ok(decoded.claims)
}
pub fn read_refresh_session_token(
cookie_header: &str,
config: &RefreshCookieConfig,
) -> Option<String> {
let cookie_header = cookie_header.trim();
if cookie_header.is_empty() {
return None;
}
for entry in cookie_header.split(';') {
let entry = entry.trim();
if entry.is_empty() {
continue;
}
let (raw_name, raw_value) = entry.split_once('=')?;
if raw_name.trim() != config.cookie_name() {
continue;
}
let raw_value = raw_value.trim();
if raw_value.is_empty() {
return None;
}
return urlencoding::decode(raw_value)
.ok()
.map(|decoded| decoded.into_owned());
}
None
}
pub async fn hash_password(password: &str) -> Result<String, PasswordHashError> {
let salt = SaltString::generate(&mut OsRng);
Argon2::default()
.hash_password(password.as_bytes(), &salt)
.map(|hash| hash.to_string())
.map_err(|error| PasswordHashError::HashFailed(format!("密码哈希失败:{error}")))
}
pub async fn verify_password(
password_hash: &str,
password: &str,
) -> Result<bool, PasswordHashError> {
let parsed_hash = PasswordHash::new(password_hash)
.map_err(|error| PasswordHashError::VerifyFailed(format!("密码哈希格式非法:{error}")))?;
Ok(Argon2::default()
.verify_password(password.as_bytes(), &parsed_hash)
.is_ok())
}
pub fn create_refresh_session_token() -> String {
new_uuid_simple_string()
}
pub fn hash_refresh_session_token(token: &str) -> String {
let mut hasher = Sha256::new();
hasher.update(token.as_bytes());
format!("{:x}", hasher.finalize())
}
pub fn build_refresh_session_set_cookie(token: &str, config: &RefreshCookieConfig) -> String {
let mut parts = vec![
format!(
"{}={}",
config.cookie_name(),
urlencoding::encode(token).into_owned()
),
format!("Path={}", config.cookie_path()),
"HttpOnly".to_string(),
format!("SameSite={}", config.cookie_same_site().as_str()),
format!(
"Max-Age={}",
u64::from(config.refresh_session_ttl_days()) * 24 * 60 * 60
),
];
if config.cookie_secure() {
parts.push("Secure".to_string());
}
parts.join("; ")
}
pub fn build_refresh_session_clear_cookie(config: &RefreshCookieConfig) -> String {
let mut parts = vec![
format!("{}=", config.cookie_name()),
format!("Path={}", config.cookie_path()),
"HttpOnly".to_string(),
format!("SameSite={}", config.cookie_same_site().as_str()),
"Max-Age=0".to_string(),
];
if config.cookie_secure() {
parts.push("Secure".to_string());
}
parts.join("; ")
}
impl fmt::Display for JwtError {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
match self {
Self::InvalidConfig(message) | Self::InvalidClaims(message) => f.write_str(message),
Self::SignFailed(message) | Self::VerifyFailed(message) => f.write_str(message),
}
}
}
impl Error for JwtError {}
impl fmt::Display for RefreshCookieError {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
match self {
Self::InvalidConfig(message) => f.write_str(message),
}
}
}
impl Error for RefreshCookieError {}
impl fmt::Display for PasswordHashError {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
match self {
Self::HashFailed(message) | Self::VerifyFailed(message) => f.write_str(message),
}
}
}
impl Error for PasswordHashError {}
fn normalize_required_field(
value: String,
error_message: &'static str,
) -> Result<String, JwtError> {
normalize_required_string(&value).ok_or(JwtError::InvalidClaims(error_message))
}
fn normalize_optional_field(value: Option<String>) -> Option<String> {
normalize_optional_string(value)
}
fn normalize_roles(roles: Vec<String>) -> Result<Vec<String>, JwtError> {
let roles = roles
.into_iter()
.map(|role| role.trim().to_string())
.filter(|role| !role.is_empty())
.collect::<Vec<_>>();
if roles.is_empty() {
return Err(JwtError::InvalidClaims("JWT roles 至少包含一个角色"));
}
Ok(roles)
}
fn map_verify_error(error: jsonwebtoken::errors::Error) -> JwtError {
let message = match error.kind() {
ErrorKind::ExpiredSignature => "JWT 已过期".to_string(),
ErrorKind::InvalidIssuer => "JWT 发行者不匹配".to_string(),
ErrorKind::InvalidSignature => "JWT 签名无效".to_string(),
ErrorKind::InvalidAlgorithm => "JWT 算法不匹配".to_string(),
ErrorKind::InvalidToken => "JWT 非法".to_string(),
ErrorKind::ImmatureSignature => "JWT 尚未生效".to_string(),
ErrorKind::MissingRequiredClaim(claim) => format!("JWT 缺少必填字段:{claim}"),
_ => format!("JWT 校验失败:{error}"),
};
JwtError::VerifyFailed(message)
}
fn build_sms_provider_out_id(scene: &str, national_phone_number: &str) -> String {
let phone_suffix = national_phone_number
.chars()
.rev()
.take(4)
.collect::<String>()
.chars()
.rev()
.collect::<String>();
format!("{scene}_{}_{}", phone_suffix, new_uuid_simple_string())
}
fn build_aliyun_sms_url(endpoint: &str) -> Result<String, SmsProviderError> {
let endpoint = endpoint
.trim()
.trim_start_matches("https://")
.trim_start_matches("http://")
.trim_matches('/');
if endpoint.is_empty() {
return Err(SmsProviderError::InvalidConfig(
"阿里云短信 endpoint 不能为空".to_string(),
));
}
Ok(format!("https://{endpoint}/"))
}
fn current_aliyun_timestamp() -> String {
OffsetDateTime::now_utc()
.format(&time::format_description::well_known::Rfc3339)
.unwrap_or_else(|_| "1970-01-01T00:00:00Z".to_string())
}
fn canonicalize_aliyun_rpc_params(params: &BTreeMap<String, String>) -> String {
params
.iter()
.filter(|(key, _)| key.as_str() != "Signature")
.map(|(key, value)| {
format!(
"{}={}",
aliyun_percent_encode(key),
aliyun_percent_encode(value)
)
})
.collect::<Vec<_>>()
.join("&")
}
fn aliyun_percent_encode(value: &str) -> String {
urlencoding::encode(value)
.into_owned()
.replace('+', "%20")
.replace('*', "%2A")
.replace("%7E", "~")
}
async fn parse_aliyun_json_response(
response: reqwest::Response,
fallback_message: &str,
) -> Result<AliyunSendSmsVerifyCodeResponse, SmsProviderError> {
let status = response.status();
let body = response
.text()
.await
.map_err(|error| SmsProviderError::Upstream(format!("{fallback_message}{error}")))?;
let payload =
serde_json::from_str::<AliyunSendSmsVerifyCodeResponse>(&body).map_err(|error| {
SmsProviderError::Upstream(format!("{fallback_message}:响应解析失败:{error}"))
})?;
if status.is_client_error() || status.is_server_error() {
return Err(map_http_status_to_sms_provider_error(
fallback_message,
status,
serde_json::from_str::<Value>(&body).ok(),
));
}
Ok(payload)
}
async fn parse_aliyun_json_response_for_verify(
response: reqwest::Response,
) -> Result<AliyunCheckSmsVerifyCodeResponse, SmsProviderError> {
let status = response.status();
let body = response
.text()
.await
.map_err(|error| SmsProviderError::Upstream(format!("验证码校验失败:{error}")))?;
let payload =
serde_json::from_str::<AliyunCheckSmsVerifyCodeResponse>(&body).map_err(|error| {
SmsProviderError::Upstream(format!("验证码校验失败:响应解析失败:{error}"))
})?;
if status.is_client_error() || status.is_server_error() {
return Err(map_http_status_to_sms_provider_error(
"验证码校验失败",
status,
serde_json::from_str::<Value>(&body).ok(),
));
}
Ok(payload)
}
fn map_http_status_to_sms_provider_error(
fallback_message: &str,
status: StatusCode,
payload: Option<Value>,
) -> SmsProviderError {
let provider_message = payload
.as_ref()
.and_then(|value| value.get("Message").and_then(Value::as_str))
.unwrap_or_default();
let provider_code = payload
.as_ref()
.and_then(|value| value.get("Code").and_then(Value::as_str))
.unwrap_or_default();
if status.is_client_error() {
return map_aliyun_provider_error(
fallback_message,
Some(provider_message.to_string()),
Some(provider_code.to_string()),
);
}
SmsProviderError::Upstream(build_provider_error_message(
fallback_message,
provider_message,
))
}
fn map_aliyun_provider_error(
fallback_message: &str,
provider_message: Option<String>,
provider_code: Option<String>,
) -> SmsProviderError {
let provider_message = provider_message.unwrap_or_default();
let provider_code = provider_code.unwrap_or_default();
let normalized_code = provider_code.trim().to_ascii_uppercase();
if normalized_code.contains("VERIFY")
|| normalized_code.contains("CODE")
|| normalized_code.contains("CHECK")
{
return SmsProviderError::InvalidVerifyCode;
}
if normalized_code.contains("MOBILE")
|| normalized_code.contains("PHONE")
|| normalized_code.contains("SIGN")
|| normalized_code.contains("TEMPLATE")
|| normalized_code.contains("ACCESSKEY")
{
return SmsProviderError::InvalidConfig(build_provider_error_message(
fallback_message,
&provider_message,
));
}
SmsProviderError::Upstream(build_provider_error_message(
fallback_message,
&provider_message,
))
}
fn build_provider_error_message(prefix: &str, provider_message: &str) -> String {
let provider_message = provider_message.trim();
if provider_message.is_empty() {
prefix.to_string()
} else {
format!("{prefix}{provider_message}")
}
}
fn mask_phone_number(phone_number: &str) -> String {
let chars: Vec<char> = phone_number.chars().collect();
if chars.len() <= 4 {
return "*".repeat(chars.len().max(1));
}
let prefix_len = chars.len().min(3);
let suffix_len = 4.min(chars.len().saturating_sub(prefix_len));
let mask_len = chars.len().saturating_sub(prefix_len + suffix_len);
let mut masked = String::new();
masked.extend(chars.iter().take(prefix_len));
masked.push_str(&"*".repeat(mask_len.max(1)));
if suffix_len > 0 {
masked.extend(chars.iter().skip(chars.len() - suffix_len));
}
masked
}
impl fmt::Display for SmsProviderError {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
match self {
Self::InvalidConfig(message) | Self::Upstream(message) => f.write_str(message),
Self::InvalidVerifyCode => f.write_str("验证码错误"),
}
}
}
impl Error for SmsProviderError {}
impl fmt::Display for WechatProviderError {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
match self {
Self::Disabled => f.write_str("微信登录暂未启用"),
Self::MissingCode => f.write_str("缺少微信授权 code"),
Self::InvalidConfig(message)
| Self::InvalidCallback(message)
| Self::RequestFailed(message)
| Self::DeserializeFailed(message)
| Self::Upstream(message)
| Self::MissingProfile(message) => f.write_str(message),
}
}
}
impl Error for WechatProviderError {}
impl JwtError {
pub fn kind(&self) -> AuthPlatformErrorKind {
match self {
Self::InvalidConfig(_) => AuthPlatformErrorKind::InvalidConfig,
Self::InvalidClaims(_) => AuthPlatformErrorKind::InvalidClaims,
Self::SignFailed(_) => AuthPlatformErrorKind::SignFailed,
Self::VerifyFailed(_) => AuthPlatformErrorKind::VerifyFailed,
}
}
}
impl RefreshCookieError {
pub fn kind(&self) -> AuthPlatformErrorKind {
match self {
Self::InvalidConfig(_) => AuthPlatformErrorKind::CookieConfig,
}
}
}
impl PasswordHashError {
pub fn kind(&self) -> AuthPlatformErrorKind {
match self {
Self::HashFailed(_) => AuthPlatformErrorKind::HashFailed,
Self::VerifyFailed(_) => AuthPlatformErrorKind::VerifyFailed,
}
}
}
impl SmsProviderError {
pub fn kind(&self) -> AuthPlatformErrorKind {
match self {
Self::InvalidConfig(_) => AuthPlatformErrorKind::InvalidConfig,
Self::InvalidVerifyCode => AuthPlatformErrorKind::InvalidVerifyCode,
Self::Upstream(_) => AuthPlatformErrorKind::Upstream,
}
}
}
impl WechatProviderError {
pub fn kind(&self) -> AuthPlatformErrorKind {
match self {
Self::Disabled => AuthPlatformErrorKind::Disabled,
Self::MissingCode => AuthPlatformErrorKind::MissingCode,
Self::InvalidConfig(_) => AuthPlatformErrorKind::InvalidConfig,
Self::InvalidCallback(_) => AuthPlatformErrorKind::InvalidCallback,
Self::RequestFailed(_) => AuthPlatformErrorKind::RequestFailed,
Self::DeserializeFailed(_) => AuthPlatformErrorKind::DeserializeFailed,
Self::Upstream(_) => AuthPlatformErrorKind::Upstream,
Self::MissingProfile(_) => AuthPlatformErrorKind::MissingProfile,
}
}
}
#[cfg(test)]
mod tests {
use super::*;
#[test]
fn auth_platform_error_kind_is_stable_for_adapter_mapping() {
assert_eq!(
JwtError::InvalidClaims("JWT roles 至少包含一个角色").kind(),
AuthPlatformErrorKind::InvalidClaims
);
assert_eq!(
PasswordHashError::VerifyFailed("密码校验失败".to_string()).kind(),
AuthPlatformErrorKind::VerifyFailed
);
assert_eq!(
SmsProviderError::InvalidVerifyCode.kind(),
AuthPlatformErrorKind::InvalidVerifyCode
);
assert_eq!(
WechatProviderError::MissingCode.kind(),
AuthPlatformErrorKind::MissingCode
);
}
#[test]
fn mock_wechat_provider_builds_callback_authorization_url() {
let provider = WechatProvider::new(WechatAuthConfig::new(
true,
"mock".to_string(),
None,
None,
None,
None,
DEFAULT_WECHAT_AUTHORIZE_ENDPOINT.to_string(),
DEFAULT_WECHAT_ACCESS_TOKEN_ENDPOINT.to_string(),
DEFAULT_WECHAT_USER_INFO_ENDPOINT.to_string(),
DEFAULT_WECHAT_JS_CODE_SESSION_ENDPOINT.to_string(),
"wx-user-001".to_string(),
Some("wx-union-001".to_string()),
"微信测试用户".to_string(),
Some("https://example.test/avatar.png".to_string()),
));
let authorization_url = provider
.build_authorization_url(
"http://127.0.0.1:3000/api/auth/wechat/callback",
"state_001",
&WechatAuthScene::Desktop,
)
.expect("mock authorization url should build");
assert!(authorization_url.contains("mock_code=wx-mock-code"));
assert!(authorization_url.contains("state=state_001"));
}
#[tokio::test]
async fn mock_wechat_provider_resolves_identity_profile() {
let provider = WechatProvider::new(WechatAuthConfig::new(
true,
"mock".to_string(),
None,
None,
None,
None,
DEFAULT_WECHAT_AUTHORIZE_ENDPOINT.to_string(),
DEFAULT_WECHAT_ACCESS_TOKEN_ENDPOINT.to_string(),
DEFAULT_WECHAT_USER_INFO_ENDPOINT.to_string(),
DEFAULT_WECHAT_JS_CODE_SESSION_ENDPOINT.to_string(),
"wx-user-001".to_string(),
Some("wx-union-001".to_string()),
"微信测试用户".to_string(),
None,
));
let profile = provider
.resolve_callback_profile(None, Some("wx-code-001"))
.await
.expect("mock profile should resolve");
assert_eq!(profile.provider_uid, "wx-code-001");
assert_eq!(profile.provider_union_id.as_deref(), Some("wx-union-001"));
assert_eq!(profile.display_name.as_deref(), Some("微信测试用户"));
}
fn build_jwt_config() -> JwtConfig {
JwtConfig::new(
"https://auth.genarrative.local".to_string(),
"genarrative-dev-secret".to_string(),
DEFAULT_ACCESS_TOKEN_TTL_SECONDS,
)
.expect("jwt config should be valid")
}
fn build_claims_input() -> AccessTokenClaimsInput {
AccessTokenClaimsInput {
user_id: "usr_123".to_string(),
session_id: "sess_456".to_string(),
provider: AuthProvider::Wechat,
roles: vec!["user".to_string()],
token_version: 3,
phone_verified: false,
binding_status: BindingStatus::PendingBindPhone,
display_name: Some("微信旅人".to_string()),
}
}
fn build_refresh_cookie_config() -> RefreshCookieConfig {
RefreshCookieConfig::new(
DEFAULT_REFRESH_COOKIE_NAME.to_string(),
DEFAULT_REFRESH_COOKIE_PATH.to_string(),
false,
RefreshCookieSameSite::Lax,
DEFAULT_REFRESH_SESSION_TTL_DAYS,
)
.expect("refresh cookie config should be valid")
}
fn build_mock_sms_config() -> SmsAuthConfig {
SmsAuthConfig::new(
SmsAuthProviderKind::Mock,
DEFAULT_SMS_ENDPOINT.to_string(),
None,
None,
String::new(),
String::new(),
DEFAULT_SMS_TEMPLATE_PARAM_KEY.to_string(),
DEFAULT_SMS_COUNTRY_CODE.to_string(),
None,
DEFAULT_SMS_CODE_LENGTH,
DEFAULT_SMS_CODE_TYPE,
DEFAULT_SMS_VALID_TIME_SECONDS,
DEFAULT_SMS_INTERVAL_SECONDS,
DEFAULT_SMS_DUPLICATE_POLICY,
DEFAULT_SMS_CASE_AUTH_POLICY,
false,
DEFAULT_SMS_MOCK_VERIFY_CODE.to_string(),
)
.expect("mock sms config should be valid")
}
#[test]
fn round_trip_sign_and_verify_access_token() {
let config = build_jwt_config();
let claims =
AccessTokenClaims::from_input(build_claims_input(), &config, OffsetDateTime::now_utc())
.expect("claims should build");
let token = sign_access_token(&claims, &config).expect("token should sign");
let verified = verify_access_token(&token, &config).expect("token should verify");
assert_eq!(verified, claims);
assert_eq!(verified.user_id(), "usr_123");
assert_eq!(verified.session_id(), "sess_456");
assert_eq!(verified.token_version(), 3);
}
#[test]
fn verify_rejects_invalid_issuer() {
let config = build_jwt_config();
let claims =
AccessTokenClaims::from_input(build_claims_input(), &config, OffsetDateTime::now_utc())
.expect("claims should build");
let token = sign_access_token(&claims, &config).expect("token should sign");
let other_config = JwtConfig::new(
"https://auth.other.local".to_string(),
"genarrative-dev-secret".to_string(),
DEFAULT_ACCESS_TOKEN_TTL_SECONDS,
)
.expect("other config should be valid");
let error = verify_access_token(&token, &other_config).expect_err("issuer should mismatch");
assert_eq!(
error,
JwtError::VerifyFailed("JWT 发行者不匹配".to_string())
);
}
#[test]
fn build_claims_rejects_empty_roles() {
let error = AccessTokenClaims::from_input(
AccessTokenClaimsInput {
roles: Vec::new(),
..build_claims_input()
},
&build_jwt_config(),
OffsetDateTime::now_utc(),
)
.expect_err("empty roles should be rejected");
assert_eq!(error, JwtError::InvalidClaims("JWT roles 至少包含一个角色"));
}
#[test]
fn read_refresh_session_token_returns_matching_cookie() {
let token = read_refresh_session_token(
"theme=dark; genarrative_refresh_session=refresh-token-01; locale=zh-CN",
&build_refresh_cookie_config(),
);
assert_eq!(token.as_deref(), Some("refresh-token-01"));
}
#[test]
fn read_refresh_session_token_decodes_urlencoded_value() {
let token = read_refresh_session_token(
"genarrative_refresh_session=refresh%2Ftoken%3D01",
&build_refresh_cookie_config(),
);
assert_eq!(token.as_deref(), Some("refresh/token=01"));
}
#[test]
fn read_refresh_session_token_returns_none_when_missing() {
let token =
read_refresh_session_token("theme=dark; locale=zh-CN", &build_refresh_cookie_config());
assert!(token.is_none());
}
#[tokio::test]
async fn hash_and_verify_password_round_trip() {
let password_hash = hash_password("secret123")
.await
.expect("password hash should build");
let is_valid = verify_password(&password_hash, "secret123")
.await
.expect("password hash should verify");
assert!(is_valid);
}
#[test]
fn build_refresh_session_cookie_respects_config() {
let cookie =
build_refresh_session_set_cookie("refresh/token=01", &build_refresh_cookie_config());
assert!(cookie.contains("genarrative_refresh_session=refresh%2Ftoken%3D01"));
assert!(cookie.contains("Path=/api/auth"));
assert!(cookie.contains("HttpOnly"));
assert!(cookie.contains("SameSite=Lax"));
assert!(cookie.contains("Max-Age=2592000"));
}
#[test]
fn hash_refresh_session_token_matches_sha256_hex() {
let hash = hash_refresh_session_token("refresh-token-01");
assert_eq!(
hash,
"9fab76f9100ec6c151c8caa0c42ab10e10fbc7618f15e24cf3dffc93e19c4c4e"
);
}
#[test]
fn build_refresh_session_clear_cookie_respects_config() {
let cookie = build_refresh_session_clear_cookie(&build_refresh_cookie_config());
assert!(cookie.contains("genarrative_refresh_session="));
assert!(cookie.contains("Path=/api/auth"));
assert!(cookie.contains("HttpOnly"));
assert!(cookie.contains("SameSite=Lax"));
assert!(cookie.contains("Max-Age=0"));
}
#[test]
fn sms_auth_provider_kind_parses_supported_values() {
assert_eq!(
SmsAuthProviderKind::parse("mock"),
Some(SmsAuthProviderKind::Mock)
);
assert_eq!(
SmsAuthProviderKind::parse("aliyun"),
Some(SmsAuthProviderKind::Aliyun)
);
assert_eq!(SmsAuthProviderKind::parse("other"), None);
}
#[tokio::test]
async fn mock_sms_provider_sends_and_verifies_code() {
let provider =
SmsAuthProvider::new(build_mock_sms_config()).expect("provider should build");
let send_result = provider
.send_code(SmsSendCodeRequest {
national_phone_number: "13800138000".to_string(),
scene: "login".to_string(),
})
.await
.expect("send code should succeed");
assert_eq!(send_result.cooldown_seconds, DEFAULT_SMS_INTERVAL_SECONDS);
assert_eq!(
send_result.expires_in_seconds,
DEFAULT_SMS_VALID_TIME_SECONDS
);
assert_eq!(
send_result.provider_request_id.as_deref(),
Some("mock-request-id")
);
assert!(send_result.provider_out_id.is_some());
provider
.verify_code(SmsVerifyCodeRequest {
national_phone_number: "13800138000".to_string(),
verify_code: DEFAULT_SMS_MOCK_VERIFY_CODE.to_string(),
provider_out_id: send_result.provider_out_id,
})
.await
.expect("verify code should succeed");
}
#[tokio::test]
async fn mock_sms_provider_rejects_wrong_code() {
let provider =
SmsAuthProvider::new(build_mock_sms_config()).expect("provider should build");
let error = provider
.verify_code(SmsVerifyCodeRequest {
national_phone_number: "13800138000".to_string(),
verify_code: "000000".to_string(),
provider_out_id: None,
})
.await
.expect_err("wrong verify code should fail");
assert_eq!(error, SmsProviderError::InvalidVerifyCode);
}
#[test]
fn aliyun_sms_config_requires_access_key() {
let error = SmsAuthConfig::new(
SmsAuthProviderKind::Aliyun,
DEFAULT_SMS_ENDPOINT.to_string(),
None,
None,
"测试签名".to_string(),
"SMS_001".to_string(),
DEFAULT_SMS_TEMPLATE_PARAM_KEY.to_string(),
DEFAULT_SMS_COUNTRY_CODE.to_string(),
None,
DEFAULT_SMS_CODE_LENGTH,
DEFAULT_SMS_CODE_TYPE,
DEFAULT_SMS_VALID_TIME_SECONDS,
DEFAULT_SMS_INTERVAL_SECONDS,
DEFAULT_SMS_DUPLICATE_POLICY,
DEFAULT_SMS_CASE_AUTH_POLICY,
false,
DEFAULT_SMS_MOCK_VERIFY_CODE.to_string(),
)
.expect_err("aliyun config without access key should fail");
assert_eq!(
error,
SmsProviderError::InvalidConfig("阿里云短信 AccessKey 未配置".to_string())
);
}
#[test]
fn canonicalize_aliyun_rpc_params_keeps_sorted_percent_encoded_order() {
let mut params = BTreeMap::new();
params.insert(
"TemplateParam".to_string(),
"{\"code\":\"##code##\"}".to_string(),
);
params.insert("Action".to_string(), "SendSmsVerifyCode".to_string());
params.insert("PhoneNumber".to_string(), "13800138000".to_string());
assert_eq!(
canonicalize_aliyun_rpc_params(&params),
"Action=SendSmsVerifyCode&PhoneNumber=13800138000&TemplateParam=%7B%22code%22%3A%22%23%23code%23%23%22%7D"
);
}
#[test]
fn aliyun_send_response_deserializes_pascal_case_fields() {
let payload = serde_json::from_str::<AliyunSendSmsVerifyCodeResponse>(
r#"{
"Code": "OK",
"Message": "成功",
"RequestId": "req_123",
"Success": true,
"Model": {
"BizId": "biz_456",
"OutId": "out_789",
"RequestId": "req_model_001"
}
}"#,
)
.expect("aliyun send response should deserialize");
assert_eq!(payload.code.as_deref(), Some("OK"));
assert_eq!(payload.message.as_deref(), Some("成功"));
assert_eq!(payload.request_id.as_deref(), Some("req_123"));
assert_eq!(payload.success, Some(true));
assert_eq!(
payload
.model
.as_ref()
.and_then(|model| model.out_id.as_deref()),
Some("out_789")
);
assert_eq!(
payload
.model
.as_ref()
.and_then(|model| model.request_id.as_deref()),
Some("req_model_001")
);
}
#[test]
fn aliyun_verify_response_deserializes_pascal_case_fields() {
let payload = serde_json::from_str::<AliyunCheckSmsVerifyCodeResponse>(
r#"{
"Code": "OK",
"Message": "成功",
"Success": true,
"Model": {
"OutId": "out_789",
"VerifyResult": "PASS"
}
}"#,
)
.expect("aliyun verify response should deserialize");
assert_eq!(payload.code.as_deref(), Some("OK"));
assert_eq!(payload.message.as_deref(), Some("成功"));
assert_eq!(payload.success, Some(true));
assert_eq!(
payload
.model
.as_ref()
.and_then(|model| model.verify_result.as_deref()),
Some("PASS")
);
}
}
Reference in New Issue View Git Blame Copy Permalink