photography/backend/internal/service/auth/auth_service.go

package auth

import (
	"fmt"
	"golang.org/x/crypto/bcrypt"
	"photography-backend/internal/model/entity"
	"photography-backend/internal/model/dto"
	"photography-backend/internal/repository/postgres"
)

// AuthService 认证服务
type AuthService struct {
	userRepo   postgres.UserRepository
	jwtService *JWTService
}

// NewAuthService 创建认证服务
func NewAuthService(userRepo postgres.UserRepository, jwtService *JWTService) *AuthService {
	return &AuthService{
		userRepo:   userRepo,
		jwtService: jwtService,
	}
}

// Login 用户登录
func (s *AuthService) Login(req *dto.LoginRequest) (*dto.LoginResponse, error) {
	// 根据用户名或邮箱查找用户
	var user *entity.User
	var err error
	
	// 按邮箱查找用户
	user, err = s.userRepo.GetByEmail(req.Email)
	if err != nil {
		return nil, fmt.Errorf("failed to get user by email: %w", err)
	}
	
	if user == nil {
		return nil, fmt.Errorf("invalid credentials")
	}
	
	// 检查用户是否激活
	if !user.IsActive {
		return nil, fmt.Errorf("user account is deactivated")
	}
	
	// 验证密码
	if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(req.Password)); err != nil {
		return nil, fmt.Errorf("invalid credentials")
	}
	
	// 生成JWT令牌
	tokenPair, err := s.jwtService.GenerateTokenPair(user.ID, user.Username, string(user.Role))
	if err != nil {
		return nil, fmt.Errorf("failed to generate tokens: %w", err)
	}
	
	// 更新最后登录时间
	if err := s.userRepo.UpdateLastLogin(user.ID); err != nil {
		// 记录错误但不中断登录流程
		fmt.Printf("failed to update last login: %v\n", err)
	}
	
	// 清除密码字段
	user.Password = ""
	
	return &dto.LoginResponse{
		Token: dto.TokenResponse{
			AccessToken:  tokenPair.AccessToken,
			RefreshToken: tokenPair.RefreshToken,
			TokenType:    tokenPair.TokenType,
			ExpiresIn:    tokenPair.ExpiresIn,
		},
		User: *dto.ConvertToUserResponse(user),
	}, nil
}

// Register 用户注册
func (s *AuthService) Register(req *dto.CreateUserRequest) (*entity.User, error) {
	// 检查用户名是否已存在
	existingUser, err := s.userRepo.GetByUsername(req.Username)
	if err != nil {
		return nil, fmt.Errorf("failed to check username: %w", err)
	}
	if existingUser != nil {
		return nil, fmt.Errorf("username already exists")
	}
	
	// 检查邮箱是否已存在
	existingUser, err = s.userRepo.GetByEmail(req.Email)
	if err != nil {
		return nil, fmt.Errorf("failed to check email: %w", err)
	}
	if existingUser != nil {
		return nil, fmt.Errorf("email already exists")
	}
	
	// 加密密码
	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(req.Password), bcrypt.DefaultCost)
	if err != nil {
		return nil, fmt.Errorf("failed to hash password: %w", err)
	}
	
	// 创建用户
	user := &entity.User{
		Username: req.Username,
		Email:    req.Email,
		Password: string(hashedPassword),
		Name:     req.Name,
		Role:     req.Role,
		IsActive: true,
	}
	
	// 如果没有指定角色，默认为普通用户
	if user.Role == "" {
		user.Role = entity.UserRoleUser
	}
	
	if err := s.userRepo.Create(user); err != nil {
		return nil, fmt.Errorf("failed to create user: %w", err)
	}
	
	// 清除密码字段
	user.Password = ""
	
	return user, nil
}

// RefreshToken 刷新令牌
func (s *AuthService) RefreshToken(req *dto.RefreshTokenRequest) (*dto.LoginResponse, error) {
	// 验证刷新令牌
	claims, err := s.jwtService.ValidateToken(req.RefreshToken)
	if err != nil {
		return nil, fmt.Errorf("invalid refresh token: %w", err)
	}
	
	// 获取用户信息
	user, err := s.userRepo.GetByID(claims.UserID)
	if err != nil {
		return nil, fmt.Errorf("failed to get user: %w", err)
	}
	
	if user == nil {
		return nil, fmt.Errorf("user not found")
	}
	
	// 检查用户是否激活
	if !user.IsActive {
		return nil, fmt.Errorf("user account is deactivated")
	}
	
	// 生成新的令牌对
	tokenPair, err := s.jwtService.GenerateTokenPair(user.ID, user.Username, string(user.Role))
	if err != nil {
		return nil, fmt.Errorf("failed to generate tokens: %w", err)
	}
	
	// 清除密码字段
	user.Password = ""
	
	return &dto.LoginResponse{
		Token: dto.TokenResponse{
			AccessToken:  tokenPair.AccessToken,
			RefreshToken: tokenPair.RefreshToken,
			TokenType:    tokenPair.TokenType,
			ExpiresIn:    tokenPair.ExpiresIn,
		},
		User: *dto.ConvertToUserResponse(user),
	}, nil
}

// GetUserByID 根据ID获取用户
func (s *AuthService) GetUserByID(id uint) (*entity.User, error) {
	user, err := s.userRepo.GetByID(id)
	if err != nil {
		return nil, fmt.Errorf("failed to get user: %w", err)
	}
	
	if user == nil {
		return nil, fmt.Errorf("user not found")
	}
	
	// 清除密码字段
	user.Password = ""
	
	return user, nil
}

// UpdatePassword 更新密码
func (s *AuthService) UpdatePassword(userID uint, req *dto.ChangePasswordRequest) error {
	// 获取用户信息
	user, err := s.userRepo.GetByID(userID)
	if err != nil {
		return fmt.Errorf("failed to get user: %w", err)
	}
	
	if user == nil {
		return fmt.Errorf("user not found")
	}
	
	// 验证旧密码
	if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(req.OldPassword)); err != nil {
		return fmt.Errorf("invalid old password")
	}
	
	// 加密新密码
	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(req.NewPassword), bcrypt.DefaultCost)
	if err != nil {
		return fmt.Errorf("failed to hash password: %w", err)
	}
	
	// 更新密码
	user.Password = string(hashedPassword)
	if err := s.userRepo.Update(user); err != nil {
		return fmt.Errorf("failed to update password: %w", err)
	}
	
	return nil
}

// CheckPermission 检查权限
func (s *AuthService) CheckPermission(userRole entity.UserRole, requiredRole entity.UserRole) bool {
	roleLevel := map[entity.UserRole]int{
		entity.UserRoleUser:         1,
		entity.UserRolePhotographer: 2,
		entity.UserRoleAdmin:        3,
	}
	
	userLevel, exists := roleLevel[userRole]
	if !exists {
		return false
	}
	
	requiredLevel, exists := roleLevel[requiredRole]
	if !exists {
		return false
	}
	
	return userLevel >= requiredLevel
}

// IsAdmin 检查是否为管理员
func (s *AuthService) IsAdmin(userRole entity.UserRole) bool {
	return userRole == entity.UserRoleAdmin
}

// IsPhotographer 检查是否为摄影师或以上
func (s *AuthService) IsPhotographer(userRole entity.UserRole) bool {
	return userRole == entity.UserRolePhotographer || userRole == entity.UserRoleAdmin
}