Compare commits
5 Commits
d54aeaa61a
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
| 61e3d71b72 | |||
| d2162f93e0 | |||
| b95cce592f | |||
| f3b7fedade | |||
| 9dfe000f2d |
+11
-5
@@ -6,21 +6,27 @@ prompts:
|
||||
|
||||
preset:
|
||||
auth:
|
||||
- "app/auth.py"
|
||||
- "app/auth/*"
|
||||
- "auth/*"
|
||||
|
||||
s3:
|
||||
- "app/models/base.py"
|
||||
- "app/models/user.py"
|
||||
- "app/utils/s3.py"
|
||||
- "app/auth.py"
|
||||
- "auth.py"
|
||||
|
||||
db_model:
|
||||
- "app/models/*"
|
||||
- "app/db.py"
|
||||
# - "app/auth.py"
|
||||
- "app/main.py"
|
||||
|
||||
graphql:
|
||||
- "app/graphql/*"
|
||||
- "app/main.py"
|
||||
- "app/main.py"
|
||||
|
||||
get_current_user:
|
||||
- "app/main.py"
|
||||
- "auth/__init__.py"
|
||||
- "auth/deps.py"
|
||||
- "auth/tokens.py"
|
||||
- "auth/oauth/google.py"
|
||||
- "app/graphql/*"
|
||||
@@ -21,6 +21,19 @@ if not DATABASE_URL:
|
||||
engine = create_engine(
|
||||
DATABASE_URL,
|
||||
pool_recycle=3600,
|
||||
pool_pre_ping=True
|
||||
pool_pre_ping=True,
|
||||
connect_args={
|
||||
"keepalives": 1,
|
||||
"keepalives_idle": 30,
|
||||
"keepalives_interval": 10,
|
||||
"keepalives_count": 5
|
||||
}
|
||||
)
|
||||
SessionLocal = sessionmaker(bind=engine)
|
||||
SessionLocal = sessionmaker(bind=engine)
|
||||
|
||||
def get_db():
|
||||
db = SessionLocal()
|
||||
try:
|
||||
yield db
|
||||
finally:
|
||||
db.close()
|
||||
+30
-6
@@ -1,9 +1,9 @@
|
||||
from app.models.user import User
|
||||
from auth.deps import get_current_user
|
||||
from auth.deps import get_current_user_id
|
||||
from fastapi import Request
|
||||
from strawberry.fastapi import BaseContext
|
||||
from strawberry.dataloader import DataLoader
|
||||
from typing import List
|
||||
from typing import List, Optional
|
||||
from collections import defaultdict
|
||||
from app.db import SessionLocal
|
||||
from app.models import WorkspaceMember
|
||||
@@ -28,21 +28,45 @@ async def load_members_by_workspace_ids(workspace_ids: List[str]) -> List[List[W
|
||||
|
||||
class CustomContext(BaseContext):
|
||||
def __init__(self, request: Request):
|
||||
super().__init__(request)
|
||||
super().__init__()
|
||||
self.db = SessionLocal()
|
||||
self.request = request
|
||||
self._current_user: Optional[User] = None
|
||||
|
||||
self.members_loader = DataLoader(load_fn=load_members_by_workspace_ids)
|
||||
|
||||
async def get_current_user(self) -> User | None:
|
||||
# 复用现有的 auth 逻辑
|
||||
"""在 Context 级别负责把 user_id 变成真正的数据库 User 对象"""
|
||||
if self._current_user is not None:
|
||||
return self._current_user
|
||||
|
||||
try:
|
||||
return await get_current_user(self.request)
|
||||
except Exception:
|
||||
# 打印 Request Headers,确认 Token 是否真的传过来了
|
||||
# print(f"DEBUG: Auth Headers: {self.request.headers.get('authorization')}")
|
||||
# print(f"DEBUG: Cookies: {self.request.cookies}")
|
||||
# 借用 auth 包的纯工具解出 ID
|
||||
user_id = get_current_user_id(self.request)
|
||||
# print(f"DEBUG: Extracted User ID: {user_id}") # 确认 ID 是否解出
|
||||
|
||||
if not user_id:
|
||||
return None
|
||||
|
||||
# 在 Context 的数据库连接中查询完整用户
|
||||
user = self.db.query(User).filter(User.id == user_id).first()
|
||||
# print(f"DEBUG: DB User Found: {user}") # 确认数据库是否查到
|
||||
|
||||
self._current_user = user
|
||||
return user
|
||||
except Exception as e:
|
||||
# 打印真实的异常信息
|
||||
# print(f"DEBUG: Error in get_current_user: {str(e)}")
|
||||
import traceback
|
||||
traceback.print_exc() # 打印堆栈
|
||||
return None
|
||||
|
||||
|
||||
async def get_context(request: Request) -> AsyncGenerator[CustomContext, None]:
|
||||
# print("--- NEW GRAPHQL REQUEST RECEIVED ---")
|
||||
context = CustomContext(request)
|
||||
try:
|
||||
yield context
|
||||
|
||||
+95
-10
@@ -1,18 +1,103 @@
|
||||
import os
|
||||
import strawberry
|
||||
from auth.tokens import create_jwt_token, create_refresh_token
|
||||
from strawberry.types import Info
|
||||
from dotenv import load_dotenv
|
||||
from urllib.parse import quote
|
||||
import json
|
||||
|
||||
from app.graphql.context import CustomContext
|
||||
from auth.tokens import decode_token, create_jwt_token, create_refresh_token
|
||||
from app.utils.format import get_image_url
|
||||
|
||||
@strawberry.type
|
||||
class AuthResponse:
|
||||
access_token: str
|
||||
refresh_token: str
|
||||
token_type: str
|
||||
load_dotenv()
|
||||
|
||||
ENV_MODE = os.getenv("ENV_MODE")
|
||||
IS_PROD = ENV_MODE == "prod"
|
||||
ACCESS_TOKEN_EXPIRE_MINUTES = int(os.getenv("ACCESS_TOKEN_EXPIRE_MINUTES", "60"))
|
||||
ACCESS_TOKEN_MAX_AGE = ACCESS_TOKEN_EXPIRE_MINUTES * 60
|
||||
|
||||
@strawberry.type
|
||||
class Mutation:
|
||||
@strawberry.mutation
|
||||
def logout(self) -> str:
|
||||
def logout(self, info: Info[CustomContext, None]) -> str:
|
||||
"""退出登录:清除浏览器的 HttpOnly Cookies"""
|
||||
response = info.context.response
|
||||
|
||||
# 让浏览器立刻过期这些 cookie
|
||||
response.delete_cookie("access_token")
|
||||
response.delete_cookie("refresh_token")
|
||||
response.delete_cookie("user_info")
|
||||
|
||||
return "ok"
|
||||
|
||||
# 提示:像 Google OAuth 这种涉及第三方重定向的流程,
|
||||
# 依然保留现有的 RESTful (/login/google 和 /auth/callback) 会更简单。
|
||||
# 登录成功后重定向回前端,前端拿到 token,后续所有数据交互全部走 GraphQL。
|
||||
@strawberry.mutation
|
||||
async def refresh_session(self, info: Info[CustomContext, None]) -> str:
|
||||
"""
|
||||
刷新 Session:如果 access_token 过期了,前端可以调用这个接口用 refresh_token 换新的 access_token。
|
||||
同时如果 refresh_token 已经过半寿命了,这个接口也会顺便轮转一个新的 refresh_token,确保用户体验的连续性。
|
||||
"""
|
||||
request = info.context.request
|
||||
response = info.context.response
|
||||
|
||||
# 从 Cookie 获取并校验 refresh_token
|
||||
refresh_token = request.cookies.get("refresh_token")
|
||||
if not refresh_token:
|
||||
raise Exception("No refresh token found in cookies")
|
||||
|
||||
try:
|
||||
payload = decode_token(refresh_token)
|
||||
except Exception:
|
||||
raise Exception("Invalid or expired refresh token")
|
||||
|
||||
if payload.get("type") != "refresh":
|
||||
raise Exception("Token type mismatch")
|
||||
|
||||
user = await info.context.get_current_user()
|
||||
|
||||
# 如果 access_token 已经彻底过期导致 Context 没捞到用户,
|
||||
# 我们用 refresh_token 里的 sub 去 Context 的 db 里再查一遍用户
|
||||
from app.models.user import User
|
||||
if not user:
|
||||
user_id = payload.get("sub")
|
||||
user = info.context.db.query(User).filter(User.id == user_id).first()
|
||||
if not user:
|
||||
raise Exception("User no longer exists")
|
||||
|
||||
# 始终生成并写入新的短效 access_token
|
||||
token_data = {"sub": str(user.id), "email": user.email}
|
||||
new_access = create_jwt_token(token_data)
|
||||
|
||||
ACCESS_TOKEN_MAX_AGE = int(os.getenv("ACCESS_TOKEN_EXPIRE_MINUTES", "60")) * 60
|
||||
response.set_cookie(
|
||||
key="access_token", value=new_access, httponly=True,
|
||||
max_age=ACCESS_TOKEN_MAX_AGE, samesite="lax", secure=IS_PROD,
|
||||
)
|
||||
|
||||
# 检查 refresh_token 是否已经消耗了超过一半的生命周期
|
||||
import time
|
||||
exp = payload.get("exp") # 过期绝对秒数
|
||||
iat = payload.get("iat") # 签发绝对秒数
|
||||
now = int(time.time())
|
||||
|
||||
# 如果当前时间已经过了总寿命的一半,就触发轮转,下发新的 refresh_token
|
||||
if (now - iat) > (exp - iat) / 2:
|
||||
new_refresh = create_refresh_token(token_data)
|
||||
REFRESH_TOKEN_MAX_AGE = int(os.getenv("REFRESH_TOKEN_EXPIRE_DAYS", "7")) * 24 * 60 * 60
|
||||
response.set_cookie(
|
||||
key="refresh_token", value=new_refresh, httponly=True,
|
||||
max_age=REFRESH_TOKEN_MAX_AGE, samesite="lax", secure=IS_PROD,
|
||||
)
|
||||
|
||||
# 同步写入并续期前端所需的 user_info
|
||||
response.set_cookie(
|
||||
key="user_info",
|
||||
value=quote(json.dumps({
|
||||
"email": user.email,
|
||||
"name": user.name,
|
||||
"avatar": get_image_url(user.avatar) if user.avatar else None
|
||||
})),
|
||||
max_age=ACCESS_TOKEN_MAX_AGE,
|
||||
httponly=False
|
||||
)
|
||||
|
||||
return "ok"
|
||||
+26
-4
@@ -4,17 +4,39 @@ from datetime import datetime
|
||||
from strawberry.types import Info
|
||||
|
||||
from app.utils.format import get_image_url
|
||||
from app.graphql.context import CustomContext
|
||||
from app.models.user import User
|
||||
|
||||
@strawberry.type
|
||||
class UserType:
|
||||
id: strawberry.ID
|
||||
id: str
|
||||
email: str
|
||||
name: Optional[str]
|
||||
name: str
|
||||
handle: Optional[str]
|
||||
avatar: Optional[str]
|
||||
|
||||
@strawberry.field
|
||||
def avatar(self, root: User) -> Optional[str]:
|
||||
return root.avatar_url
|
||||
|
||||
# 互动统计字段
|
||||
following_count: int
|
||||
follower_count: int
|
||||
|
||||
# 统计汇总字段
|
||||
owner_project_count: int
|
||||
owner_likes_count: int
|
||||
owner_favorites_count: int
|
||||
owner_shares_count: int
|
||||
|
||||
admin_project_count: int
|
||||
admin_likes_count: int
|
||||
admin_favorites_count: int
|
||||
admin_shares_count: int
|
||||
|
||||
user_project_count: int
|
||||
user_likes_count: int
|
||||
user_favorites_count: int
|
||||
user_shares_count: int
|
||||
|
||||
created_at: datetime
|
||||
|
||||
# 动态解析字段:例如自动处理头像的绝对路径
|
||||
|
||||
+4
-18
@@ -5,7 +5,8 @@ from strawberry import Schema
|
||||
from strawberry.fastapi import GraphQLRouter
|
||||
from dotenv import load_dotenv
|
||||
|
||||
from auth import router as auth_router, get_user_by_id, get_current_user
|
||||
from auth import router as auth_router
|
||||
from app.media.router import router as media_router
|
||||
|
||||
from app.db import engine, SessionLocal
|
||||
from app.models import Base, User
|
||||
@@ -44,25 +45,10 @@ graphql_router = GraphQLRouter(schema, context_getter=get_context)
|
||||
|
||||
# 挂载路由
|
||||
app.include_router(auth_router) # 保留现有的 auth 路由供 Google OAuth 回调使用
|
||||
app.include_router(media_router) # 挂载媒体路由,提供头像代理访问等等
|
||||
app.include_router(graphql_router, prefix="/graphql") # 挂载 GraphQL 终点,前端以后只需要请求 /graphql
|
||||
|
||||
def override_get_user_by_id(user_id: str = Depends(get_current_user)):
|
||||
db = SessionLocal()
|
||||
try:
|
||||
user = db.query(User).filter(User.id == user_id).first()
|
||||
if not user:
|
||||
raise HTTPException(status_code=404, detail="User not found")
|
||||
return {
|
||||
"email": user.email,
|
||||
"name": user.name,
|
||||
"avatar": get_image_url(user.avatar),
|
||||
}
|
||||
finally:
|
||||
db.close()
|
||||
|
||||
app.dependency_overrides[get_user_by_id] = override_get_user_by_id
|
||||
|
||||
# test code
|
||||
# 打印路由测试
|
||||
for route in app.routes:
|
||||
methods = getattr(route, "methods", "N/A")
|
||||
print(f"Path: {route.path} | Name: {route.name} | Methods: {methods}")
|
||||
@@ -0,0 +1,45 @@
|
||||
from fastapi import APIRouter, HTTPException
|
||||
from fastapi.responses import StreamingResponse
|
||||
import oss2
|
||||
from app.utils.s3 import bucket
|
||||
|
||||
router = APIRouter(prefix="/v1/media", tags=["Media"])
|
||||
|
||||
@router.get("/{file_path:path}")
|
||||
async def get_avatar(file_path: str):
|
||||
"""
|
||||
通过流式传输代理阿里云 OSS 中的图片
|
||||
file_path 接收 avatars/xxx/avatar.jpg 等任何相对路径
|
||||
"""
|
||||
s3_key = file_path.lstrip("/")
|
||||
|
||||
if not s3_key:
|
||||
raise HTTPException(status_code=400, detail="Invalid file path")
|
||||
|
||||
try:
|
||||
# 从阿里云 OSS 获取对象
|
||||
# oss2 的 get_object 是同步阻塞的
|
||||
# 初期可以直接用,后续高并发可以放入 run_in_executor
|
||||
oss_object = bucket.get_object(s3_key)
|
||||
|
||||
# 获取文件的 Content-Type
|
||||
content_type = oss_object.headers.get("Content-Type", "image/jpeg")
|
||||
|
||||
# 创建一个生成器来分块读取 OSS 数据,防止大文件时撑爆内存
|
||||
def image_stream():
|
||||
while True:
|
||||
chunk = oss_object.read(1024 * 64) # 每次读 64KB
|
||||
if not chunk:
|
||||
break
|
||||
yield chunk
|
||||
|
||||
# 流式返回给前端
|
||||
return StreamingResponse(image_stream(), media_type=content_type)
|
||||
|
||||
except oss2.exceptions.NoSuchKey:
|
||||
# 阿里云 OSS 专属的 404 异常
|
||||
raise HTTPException(status_code=404, detail="Image not found in storage")
|
||||
except Exception as e:
|
||||
import traceback
|
||||
traceback.print_exc()
|
||||
raise HTTPException(status_code=500, detail="Internal storage service error")
|
||||
@@ -17,6 +17,19 @@ class User(Base, AutoID):
|
||||
handle = Column(String, unique=True, index=True, nullable=True)
|
||||
avatar = Column(String)
|
||||
|
||||
@property
|
||||
def avatar_url(self) -> str | None:
|
||||
if not self.avatar:
|
||||
return None
|
||||
|
||||
# 如果是第三方(如未迁移成功时降级的 Google 原始链接),直接返回
|
||||
if self.avatar.startswith(("http://", "https://")):
|
||||
return self.avatar
|
||||
|
||||
path = self.avatar.lstrip("/")
|
||||
|
||||
return f"/v1/media/{path}"
|
||||
|
||||
# ---- 互动统计字段 ----
|
||||
following_count = Column(Integer, default=0, nullable=False, server_default="0") # 关注了多少人
|
||||
follower_count = Column(Integer, default=0, nullable=False, server_default="0") # 粉丝数
|
||||
|
||||
+5
-40
@@ -1,53 +1,18 @@
|
||||
import os
|
||||
from fastapi import APIRouter, Depends, HTTPException, Request
|
||||
from fastapi import APIRouter
|
||||
|
||||
from .deps import get_current_user
|
||||
from .tokens import create_jwt_token, create_refresh_token, verify_access_token, decode_token
|
||||
from .deps import get_current_user_id
|
||||
from .tokens import create_jwt_token, create_refresh_token, verify_access_token
|
||||
from .oauth import oauth_router
|
||||
|
||||
# 创建全局 auth 路由器
|
||||
# 创建全局 auth 路由器并挂载第三方 OAuth 的路由器
|
||||
router = APIRouter(tags=["Authentication"])
|
||||
|
||||
# 挂载第三方 OAuth 的路由器
|
||||
router.include_router(oauth_router)
|
||||
|
||||
# 定义一个动态获取当前完整用户对象的依赖项
|
||||
# 这样 auth 包不需要知道 User 模型长什么样
|
||||
# 也不需要知道 SessionLocal 是什么
|
||||
# 全部由外部动态提供
|
||||
def get_user_by_id(user_id: str = Depends(get_current_user)):
|
||||
"""
|
||||
这是一个占位/契约函数。
|
||||
我们在 main.py 中可以通过 app.dependency_overrides 或者直接在使用时,
|
||||
把具体的数据库查询逻辑绑定到这里。
|
||||
"""
|
||||
raise NotImplementedError("Please override or inject the implementation of this function in the external `main.py` file.")
|
||||
|
||||
@router.get("/me")
|
||||
def me(current_user = Depends(get_user_by_id)):
|
||||
"""
|
||||
current_user 是由外部解析并传进来的完整用户对象(或者是字典)
|
||||
"""
|
||||
return current_user
|
||||
|
||||
@router.post("/refresh")
|
||||
def refresh_token(refresh_token: str):
|
||||
payload = decode_token(refresh_token)
|
||||
if payload.get("type") != "refresh":
|
||||
raise HTTPException(status_code=401)
|
||||
user_id = payload.get("sub")
|
||||
new_access = create_jwt_token({"sub": user_id})
|
||||
return {"access_token": new_access}
|
||||
|
||||
@router.post("/logout")
|
||||
def logout():
|
||||
return {"message": "ok"}
|
||||
|
||||
# 显式声明暴露的接口
|
||||
__all__ = [
|
||||
"router",
|
||||
"get_current_user",
|
||||
"get_user_by_id",
|
||||
"get_current_user_id",
|
||||
"create_jwt_token",
|
||||
"create_refresh_token",
|
||||
"verify_access_token",
|
||||
|
||||
+3
-2
@@ -9,14 +9,15 @@ load_dotenv()
|
||||
JWT_SECRET = os.getenv("JWT_SECRET")
|
||||
JWT_ALGORITHM = os.getenv("JWT_ALGORITHM", "HS256")
|
||||
|
||||
def get_current_user(request: Request):
|
||||
def get_current_user_id(request: Request):
|
||||
"""仅从 Cookie 中提取并解密出用户的 user_id (sub)"""
|
||||
token = request.cookies.get("access_token")
|
||||
|
||||
if not token:
|
||||
raise HTTPException(status_code=401, detail="Not authenticated")
|
||||
|
||||
try:
|
||||
payload = decode_token(token, JWT_SECRET, algorithms=[JWT_ALGORITHM])
|
||||
payload = decode_token(token)
|
||||
return payload["sub"]
|
||||
except:
|
||||
raise HTTPException(status_code=401, detail="Invalid token")
|
||||
+10
-34
@@ -8,9 +8,9 @@ import secrets
|
||||
import json
|
||||
from urllib.parse import quote
|
||||
from dotenv import load_dotenv
|
||||
from sqlalchemy.orm import Session
|
||||
|
||||
from auth.deps import get_current_user
|
||||
from app.db import SessionLocal
|
||||
from app.db import SessionLocal, get_db
|
||||
from app.models import User
|
||||
from auth.tokens import create_jwt_token, create_refresh_token, decode_token
|
||||
from app.utils.format import get_image_url
|
||||
@@ -95,7 +95,13 @@ def login_google():
|
||||
return response
|
||||
|
||||
@router.get("/auth/callback")
|
||||
async def auth_callback(request: Request, code: str, state: str, background_tasks: BackgroundTasks):
|
||||
async def auth_callback(
|
||||
request: Request,
|
||||
code: str,
|
||||
state: str,
|
||||
background_tasks: BackgroundTasks,
|
||||
db: Session = Depends(get_db)
|
||||
):
|
||||
cookie_state = request.cookies.get("oauth_state")
|
||||
|
||||
if not cookie_state or cookie_state != state:
|
||||
@@ -122,10 +128,7 @@ async def auth_callback(request: Request, code: str, state: str, background_task
|
||||
)
|
||||
|
||||
user_info = user_res.json()
|
||||
|
||||
db = SessionLocal()
|
||||
|
||||
try:
|
||||
user = db.query(User).filter(User.email == user_info["email"]).first()
|
||||
|
||||
if not user:
|
||||
@@ -167,8 +170,6 @@ async def auth_callback(request: Request, code: str, state: str, background_task
|
||||
|
||||
# 这里不需要再次 refresh,除非后面还要用到更新后的 user 对象
|
||||
# db.refresh(user)
|
||||
finally:
|
||||
db.close()
|
||||
|
||||
jwt_token = create_jwt_token({
|
||||
"sub": user.id,
|
||||
@@ -213,29 +214,4 @@ async def auth_callback(request: Request, code: str, state: str, background_task
|
||||
|
||||
response.delete_cookie("oauth_state")
|
||||
|
||||
return response
|
||||
|
||||
# @router.get("/me")
|
||||
# def me(user = Depends(get_current_user)):
|
||||
# return {
|
||||
# "email": user.email,
|
||||
# "name": user.name,
|
||||
# "avatar": get_image_url(user.avatar),
|
||||
# }
|
||||
|
||||
# @router.post("/refresh")
|
||||
# def refresh_token(refresh_token: str):
|
||||
# payload = decode_token(refresh_token)
|
||||
|
||||
# if payload.get("type") != "refresh":
|
||||
# raise HTTPException(status_code=401)
|
||||
|
||||
# user_id = payload.get("sub")
|
||||
|
||||
# new_access = create_jwt_token({"sub": user_id})
|
||||
|
||||
# return {"access_token": new_access}
|
||||
|
||||
# @router.post("/logout")
|
||||
# def logout():
|
||||
# return {"message": "ok"}
|
||||
return response
|
||||
Reference in New Issue
Block a user