159 lines
6.0 KiB
Python
159 lines
6.0 KiB
Python
# ===========================================
|
||
# 班级操行分管理系统 - 后端服务
|
||
#
|
||
# 开发者: Canglan
|
||
# 联系方式: admin@sea-studio.top
|
||
# 版权归属: Sea Network Technology Studio
|
||
# 许可证: MIT License
|
||
#
|
||
# 版权所有 © Sea Network Technology Studio
|
||
# ===========================================
|
||
|
||
from starlette.middleware.base import BaseHTTPMiddleware
|
||
from starlette.requests import Request
|
||
from starlette.responses import Response
|
||
from fastapi.responses import JSONResponse
|
||
from typing import Optional, Dict, Any
|
||
import re
|
||
|
||
from config import settings
|
||
from utils.jwt_handler import jwt_handler
|
||
from utils.redis_client import RedisClient
|
||
from utils.response import unauthorized_response
|
||
from utils.logger import get_logger
|
||
|
||
logger = get_logger(__name__)
|
||
|
||
# 不需要认证的路由
|
||
PUBLIC_PATHS = [
|
||
r'^/$',
|
||
r'^/health$',
|
||
r'^/api/auth/login$',
|
||
r'^/api/auth/logout$',
|
||
r'^/debug/.*$', # 调试入口
|
||
]
|
||
|
||
def is_public_path(path: str) -> bool:
|
||
"""检查是否为公开路径"""
|
||
for pattern in PUBLIC_PATHS:
|
||
if re.match(pattern, path):
|
||
return True
|
||
return False
|
||
|
||
|
||
class AuthMiddleware(BaseHTTPMiddleware):
|
||
"""JWT认证中间件"""
|
||
|
||
async def dispatch(self, request: Request, call_next):
|
||
path = request.url.path
|
||
|
||
# OPTIONS 预检请求跳过认证
|
||
if request.method == "OPTIONS":
|
||
logger.debug(f"[Auth] OPTIONS {path} - 跳过认证")
|
||
return await call_next(request)
|
||
|
||
# 公开路径跳过认证
|
||
if is_public_path(path):
|
||
logger.debug(f"[Auth] {request.method} {path} - 公开路径,跳过认证")
|
||
return await call_next(request)
|
||
|
||
logger.info(f"[Auth] {request.method} {path} - 开始认证")
|
||
|
||
try:
|
||
# 获取Authorization头
|
||
auth_header = request.headers.get("Authorization")
|
||
|
||
if not auth_header:
|
||
logger.warning(f"[Auth] {path} - 缺少Authorization header")
|
||
return self._cors_response(request, 401, "缺少认证令牌")
|
||
|
||
# 解析Bearer Token
|
||
try:
|
||
scheme, token = auth_header.split()
|
||
if scheme.lower() != "bearer":
|
||
logger.warning(f"[Auth] {path} - Authorization header格式错误")
|
||
return self._cors_response(request, 401, "认证格式错误")
|
||
except ValueError:
|
||
logger.warning(f"[Auth] {path} - Authorization header格式错误")
|
||
return self._cors_response(request, 401, "认证格式错误")
|
||
|
||
# 验证Token
|
||
payload = jwt_handler.verify_token(token)
|
||
if not payload:
|
||
logger.warning(f"[Auth] {path} - JWT验证失败")
|
||
return self._cors_response(request, 401, "令牌无效或已过期")
|
||
|
||
# 验证Redis中的Token
|
||
user_id = payload.get("user_id")
|
||
stored_token = await RedisClient.get_user_token(user_id)
|
||
|
||
if not stored_token or stored_token != token:
|
||
logger.warning(f"[Auth] {path} - Redis Token不匹配, user_id={user_id}, stored={'有' if stored_token else '无'}")
|
||
return self._cors_response(request, 401, "令牌已失效,请重新登录")
|
||
|
||
# 将用户信息存储到request.state
|
||
request.state.user_id = payload.get("user_id")
|
||
request.state.username = payload.get("username")
|
||
request.state.user_type = payload.get("user_type")
|
||
request.state.student_id = payload.get("student_id")
|
||
request.state.role = payload.get("role")
|
||
|
||
# 刷新Token过期时间
|
||
await RedisClient.expire(f"user_token:{user_id}", settings.JWT_EXPIRE_MINUTES * 60)
|
||
|
||
logger.debug(f"[Auth] {path} - 认证成功, user_id={user_id}, username={payload.get('username')}")
|
||
|
||
except Exception as e:
|
||
logger.error(f"认证中间件异常: {e}", exc_info=True)
|
||
return self._cors_response(request, 401, "认证服务异常,请稍后重试")
|
||
|
||
try:
|
||
response = await call_next(request)
|
||
# 为所有响应确保CORS头存在(防止路由层异常导致CORS头丢失)
|
||
origin = request.headers.get("origin", "")
|
||
allowed_origins = settings.CORS_ORIGINS or []
|
||
if origin in allowed_origins and not response.headers.get("access-control-allow-origin"):
|
||
response.headers["access-control-allow-origin"] = origin
|
||
response.headers["access-control-allow-credentials"] = "true"
|
||
return response
|
||
except Exception as e:
|
||
logger.error(f"[Auth] call_next异常: {e}", exc_info=True)
|
||
return self._cors_response(request, 500, "服务器内部错误")
|
||
|
||
def _cors_response(self, request: Request, status_code: int, message: str) -> JSONResponse:
|
||
"""创建带CORS头的响应"""
|
||
origin = request.headers.get("origin", "")
|
||
allowed_origins = settings.CORS_ORIGINS or []
|
||
|
||
headers = {}
|
||
if origin in allowed_origins:
|
||
headers["Access-Control-Allow-Origin"] = origin
|
||
headers["Access-Control-Allow-Credentials"] = "true"
|
||
|
||
return JSONResponse(
|
||
status_code=status_code,
|
||
content={
|
||
"success": False,
|
||
"code": status_code,
|
||
"message": message,
|
||
"data": None
|
||
},
|
||
headers=headers
|
||
)
|
||
|
||
|
||
async def get_current_user(request: Request) -> Dict[str, Any]:
|
||
"""获取当前登录用户信息"""
|
||
return {
|
||
"user_id": request.state.user_id,
|
||
"username": request.state.username,
|
||
"user_type": request.state.user_type,
|
||
"student_id": request.state.student_id,
|
||
"role": request.state.role
|
||
}
|
||
|
||
|
||
async def get_current_user_id(request: Request) -> int:
|
||
"""获取当前用户ID"""
|
||
return request.state.user_id
|