c57ec3aa82
## 后端架构 (Go + Gin + GORM) - ✅ 完整的分层架构 (API/Service/Repository) - ✅ PostgreSQL数据库设计和迁移脚本 - ✅ JWT认证系统和权限控制 - ✅ 用户、照片、分类、标签等核心模型 - ✅ 中间件系统 (认证、CORS、日志) - ✅ 配置管理和环境变量支持 - ✅ 结构化日志和错误处理 - ✅ Makefile构建和部署脚本 ## 管理后台架构 (React + TypeScript) - ✅ Vite + React 18 + TypeScript现代化架构 - ✅ 路由系统和状态管理 (Zustand + TanStack Query) - ✅ 基于Radix UI的组件库基础 - ✅ 认证流程和权限控制 - ✅ 响应式设计和主题系统 ## 数据库设计 - ✅ 用户表 (角色权限、认证信息) - ✅ 照片表 (元数据、EXIF、状态管理) - ✅ 分类表 (层级结构、封面图片) - ✅ 标签表 (使用统计、标签云) - ✅ 关联表 (照片-标签多对多) ## 技术特点 - 🚀 高性能: Gin框架 + GORM ORM - 🔐 安全: JWT认证 + 密码加密 + 权限控制 - 📊 监控: 结构化日志 + 健康检查 - 🎨 现代化: React 18 + TypeScript + Vite - 📱 响应式: Tailwind CSS + Radix UI 参考文档: docs/development/saved-docs/
253 lines
6.2 KiB
Go
253 lines
6.2 KiB
Go
package auth
|
|
|
|
import (
|
|
"fmt"
|
|
"time"
|
|
"golang.org/x/crypto/bcrypt"
|
|
"photography-backend/internal/models"
|
|
"photography-backend/internal/repository/postgres"
|
|
)
|
|
|
|
// AuthService 认证服务
|
|
type AuthService struct {
|
|
userRepo postgres.UserRepository
|
|
jwtService *JWTService
|
|
}
|
|
|
|
// NewAuthService 创建认证服务
|
|
func NewAuthService(userRepo postgres.UserRepository, jwtService *JWTService) *AuthService {
|
|
return &AuthService{
|
|
userRepo: userRepo,
|
|
jwtService: jwtService,
|
|
}
|
|
}
|
|
|
|
// Login 用户登录
|
|
func (s *AuthService) Login(req *models.LoginRequest) (*models.LoginResponse, error) {
|
|
// 根据用户名或邮箱查找用户
|
|
var user *models.User
|
|
var err error
|
|
|
|
// 尝试按用户名查找
|
|
user, err = s.userRepo.GetByUsername(req.Username)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to get user: %w", err)
|
|
}
|
|
|
|
// 如果用户名未找到,尝试按邮箱查找
|
|
if user == nil {
|
|
user, err = s.userRepo.GetByEmail(req.Username)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to get user by email: %w", err)
|
|
}
|
|
}
|
|
|
|
if user == nil {
|
|
return nil, fmt.Errorf("invalid credentials")
|
|
}
|
|
|
|
// 检查用户是否激活
|
|
if !user.IsActive {
|
|
return nil, fmt.Errorf("user account is deactivated")
|
|
}
|
|
|
|
// 验证密码
|
|
if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(req.Password)); err != nil {
|
|
return nil, fmt.Errorf("invalid credentials")
|
|
}
|
|
|
|
// 生成JWT令牌
|
|
tokenPair, err := s.jwtService.GenerateTokenPair(user.ID, user.Username, user.Role)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to generate tokens: %w", err)
|
|
}
|
|
|
|
// 更新最后登录时间
|
|
if err := s.userRepo.UpdateLastLogin(user.ID); err != nil {
|
|
// 记录错误但不中断登录流程
|
|
fmt.Printf("failed to update last login: %v\n", err)
|
|
}
|
|
|
|
// 清除密码字段
|
|
user.Password = ""
|
|
|
|
return &models.LoginResponse{
|
|
AccessToken: tokenPair.AccessToken,
|
|
RefreshToken: tokenPair.RefreshToken,
|
|
TokenType: tokenPair.TokenType,
|
|
ExpiresIn: tokenPair.ExpiresIn,
|
|
User: user,
|
|
}, nil
|
|
}
|
|
|
|
// Register 用户注册
|
|
func (s *AuthService) Register(req *models.CreateUserRequest) (*models.User, error) {
|
|
// 检查用户名是否已存在
|
|
existingUser, err := s.userRepo.GetByUsername(req.Username)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to check username: %w", err)
|
|
}
|
|
if existingUser != nil {
|
|
return nil, fmt.Errorf("username already exists")
|
|
}
|
|
|
|
// 检查邮箱是否已存在
|
|
existingUser, err = s.userRepo.GetByEmail(req.Email)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to check email: %w", err)
|
|
}
|
|
if existingUser != nil {
|
|
return nil, fmt.Errorf("email already exists")
|
|
}
|
|
|
|
// 加密密码
|
|
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(req.Password), bcrypt.DefaultCost)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to hash password: %w", err)
|
|
}
|
|
|
|
// 创建用户
|
|
user := &models.User{
|
|
Username: req.Username,
|
|
Email: req.Email,
|
|
Password: string(hashedPassword),
|
|
Name: req.Name,
|
|
Role: req.Role,
|
|
IsActive: true,
|
|
}
|
|
|
|
// 如果没有指定角色,默认为普通用户
|
|
if user.Role == "" {
|
|
user.Role = models.RoleUser
|
|
}
|
|
|
|
if err := s.userRepo.Create(user); err != nil {
|
|
return nil, fmt.Errorf("failed to create user: %w", err)
|
|
}
|
|
|
|
// 清除密码字段
|
|
user.Password = ""
|
|
|
|
return user, nil
|
|
}
|
|
|
|
// RefreshToken 刷新令牌
|
|
func (s *AuthService) RefreshToken(req *models.RefreshTokenRequest) (*models.LoginResponse, error) {
|
|
// 验证刷新令牌
|
|
claims, err := s.jwtService.ValidateToken(req.RefreshToken)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("invalid refresh token: %w", err)
|
|
}
|
|
|
|
// 获取用户信息
|
|
user, err := s.userRepo.GetByID(claims.UserID)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to get user: %w", err)
|
|
}
|
|
|
|
if user == nil {
|
|
return nil, fmt.Errorf("user not found")
|
|
}
|
|
|
|
// 检查用户是否激活
|
|
if !user.IsActive {
|
|
return nil, fmt.Errorf("user account is deactivated")
|
|
}
|
|
|
|
// 生成新的令牌对
|
|
tokenPair, err := s.jwtService.GenerateTokenPair(user.ID, user.Username, user.Role)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to generate tokens: %w", err)
|
|
}
|
|
|
|
// 清除密码字段
|
|
user.Password = ""
|
|
|
|
return &models.LoginResponse{
|
|
AccessToken: tokenPair.AccessToken,
|
|
RefreshToken: tokenPair.RefreshToken,
|
|
TokenType: tokenPair.TokenType,
|
|
ExpiresIn: tokenPair.ExpiresIn,
|
|
User: user,
|
|
}, nil
|
|
}
|
|
|
|
// GetUserByID 根据ID获取用户
|
|
func (s *AuthService) GetUserByID(id uint) (*models.User, error) {
|
|
user, err := s.userRepo.GetByID(id)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("failed to get user: %w", err)
|
|
}
|
|
|
|
if user == nil {
|
|
return nil, fmt.Errorf("user not found")
|
|
}
|
|
|
|
// 清除密码字段
|
|
user.Password = ""
|
|
|
|
return user, nil
|
|
}
|
|
|
|
// UpdatePassword 更新密码
|
|
func (s *AuthService) UpdatePassword(userID uint, req *models.UpdatePasswordRequest) error {
|
|
// 获取用户信息
|
|
user, err := s.userRepo.GetByID(userID)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to get user: %w", err)
|
|
}
|
|
|
|
if user == nil {
|
|
return fmt.Errorf("user not found")
|
|
}
|
|
|
|
// 验证旧密码
|
|
if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(req.OldPassword)); err != nil {
|
|
return fmt.Errorf("invalid old password")
|
|
}
|
|
|
|
// 加密新密码
|
|
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(req.NewPassword), bcrypt.DefaultCost)
|
|
if err != nil {
|
|
return fmt.Errorf("failed to hash password: %w", err)
|
|
}
|
|
|
|
// 更新密码
|
|
user.Password = string(hashedPassword)
|
|
if err := s.userRepo.Update(user); err != nil {
|
|
return fmt.Errorf("failed to update password: %w", err)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// CheckPermission 检查权限
|
|
func (s *AuthService) CheckPermission(userRole string, requiredRole string) bool {
|
|
roleLevel := map[string]int{
|
|
models.RoleUser: 1,
|
|
models.RoleEditor: 2,
|
|
models.RoleAdmin: 3,
|
|
}
|
|
|
|
userLevel, exists := roleLevel[userRole]
|
|
if !exists {
|
|
return false
|
|
}
|
|
|
|
requiredLevel, exists := roleLevel[requiredRole]
|
|
if !exists {
|
|
return false
|
|
}
|
|
|
|
return userLevel >= requiredLevel
|
|
}
|
|
|
|
// IsAdmin 检查是否为管理员
|
|
func (s *AuthService) IsAdmin(userRole string) bool {
|
|
return userRole == models.RoleAdmin
|
|
}
|
|
|
|
// IsEditor 检查是否为编辑者或以上
|
|
func (s *AuthService) IsEditor(userRole string) bool {
|
|
return userRole == models.RoleEditor || userRole == models.RoleAdmin
|
|
} |