061f6baaf1
## 背景 / 需求 新增「微信登录」链路:用户用微信授权登录 App。openid 已绑账号即直接登入; 未绑则走「绑手机号」建号,并处理「手机号已被别的账号占用」的冲突(M2), 以及绑微信后展示昵称/头像的替换策略(M3 §10)。 关键取舍:微信登录**不套用**钱包提现里 bind-wechat 的「撞号即 409」逻辑 ——登录场景 openid 命中就应登入,不能因撞号把用户挡在门外。 ## 改动概览:新增 5 个端点(前缀 `/api/v1/auth`) | 方法 | 路径 | 作用 | |---|---|---| | POST | `/wechat-login` | code→openid。命中已绑用户→直接登入;未命中→签发 `bind_ticket`,返回 `need_bind_phone`(**此刻不建号**);未配 APP_ID/SECRET→503 | | POST | `/wechat/bind-phone/sms` | 持 `bind_ticket` + 手机号 + 短信码绑号 | | POST | `/wechat/bind-phone/jverify` | 持 `bind_ticket` + 极光本机号一键取号绑号 | | POST | `/wechat/conflict/continue` | 占用冲突·继续绑定=**登录老账号**(老号没绑微信则把 openid 绑上;已绑别的微信则只登入、丢弃本次 openid) | | POST | `/wechat/conflict/rebind` | 占用冲突·换绑=**单事务**注销老账号 X(腾号)+ 用该号重建新账号 Y + 写换绑台账;受 30 天限制 | 绑号两条取号路径(sms / jverify)尾段共用 `_finish_wechat_bind`: 手机号未注册→建微信账号(channel=wechat,昵称头像取微信)登入; 已被占用→返回 `phone_occupied`(带占用账号昵称/头像/注册时间/`has_wechat`、 `conflict_ticket`、`rebind_available`、`rebind_blocked_days`),交前端冲突页。 冲突页三选一,后端提供 continue / rebind 两个动作(「取消」为前端本地行为)。 ## 关键设计 **两种短时令牌(`core/security.py`,复用 `JWT_SECRET_KEY`,靠 `typ` 区分):** - `bind_ticket`(typ=wechat_bind,sub=openid,附微信昵称/头像,TTL 10min): openid 未命中时下发,覆盖「授权→输手机号→收码→验码」整个绑定流程。 - `conflict_ticket`(typ=wechat_conflict):比 bind_ticket **多编码已验证的手机号**; 换绑 / 继续绑定只认票里的 phone,堵住「拿别人手机号去夺号」的接管漏洞。 **30 天换绑限制:** 新增台账表 `phone_rebind_log`(手机号级、渠道无关), 记录「腾号重建」这一破坏性事件,靠 `rebound_at` 算窗口; 阈值走配置 `PHONE_REBIND_LIMIT_DAYS`。命中限制的换绑请求返回 409。 **M3 §10 昵称/头像替换:** 绑微信默认用微信昵称/头像替换展示, 抽成共享 helper,登录绑号路径与钱包绑微信路径两处共用 (故 `wallet.py`、`tests/test_withdraw.py` 一并有改动)。 --------- Co-authored-by: guke <guke@autohome.com.cn> Reviewed-on: #139
166 lines
5.8 KiB
Python
166 lines
5.8 KiB
Python
"""Auth 相关请求 / 响应 schemas。
|
|
|
|
跟客户端约定:
|
|
- 字段统一用 snake_case
|
|
- 时间字段统一 ISO 8601 (UTC)
|
|
- 登录类接口成功时统一返回 TokenWithUser
|
|
"""
|
|
from __future__ import annotations
|
|
|
|
from datetime import datetime
|
|
|
|
from pydantic import BaseModel, ConfigDict, Field
|
|
|
|
|
|
# ===== 用户对外信息 =====
|
|
|
|
class UserOut(BaseModel):
|
|
model_config = ConfigDict(from_attributes=True) # 允许直接 UserOut.model_validate(orm_user)
|
|
|
|
id: int
|
|
# 对外展示的账号 ID:11 位纯数字、首位非 1、全局唯一、创建时分配、不可变。区别于登录用的 phone。
|
|
username: str
|
|
phone: str
|
|
nickname: str | None = None
|
|
avatar_url: str | None = None
|
|
register_channel: str
|
|
status: str
|
|
created_at: datetime
|
|
last_login_at: datetime
|
|
# 调试链接权限:前端据此在比价结果弹窗/记录页显示「复制调试链接」按钮。默认 false。
|
|
debug_trace_enabled: bool = False
|
|
|
|
|
|
# ===== Token 通用结构 =====
|
|
|
|
class TokenPair(BaseModel):
|
|
access_token: str
|
|
refresh_token: str
|
|
token_type: str = "Bearer"
|
|
expires_in: int = Field(..., description="access_token 剩余秒数")
|
|
refresh_expires_in: int = Field(..., description="refresh_token 剩余秒数")
|
|
|
|
|
|
class TokenWithUser(TokenPair):
|
|
user: UserOut
|
|
onboarding_completed: bool = Field(
|
|
False,
|
|
description="该 设备+账号 是否已走完新手引导(据登录请求里的 device_id 计算)。"
|
|
"true → 客户端登录后直接进首页,跳过引导。",
|
|
)
|
|
force_onboarding: bool = Field(
|
|
False,
|
|
description="是否强制本次登录走新手引导(仅测试号置 true)。客户端据此让【应用内重新登录】"
|
|
"(退出后再登)也重走引导,普通号为 false、按原逻辑回原页/首页。与 onboarding_completed "
|
|
"分工:后者管 App 启动路由,本字段管应用内登录后的去向。",
|
|
)
|
|
|
|
|
|
# ===== 极光一键登录 =====
|
|
|
|
class JverifyLoginRequest(BaseModel):
|
|
login_token: str = Field(..., description="客户端 loginAuth 拿到的 loginToken", min_length=1)
|
|
operator: str = Field("", description="CM/CU/CT,用于日志,可选")
|
|
device_id: str = Field(
|
|
"", max_length=64,
|
|
description="硬件级设备标识(Android ANDROID_ID),用于新手引导按 设备+账号 去重;空=按未完成处理",
|
|
)
|
|
|
|
|
|
# ===== 短信验证码 =====
|
|
|
|
class SmsSendRequest(BaseModel):
|
|
phone: str = Field(..., min_length=11, max_length=11, pattern=r"^1\d{10}$")
|
|
device_id: str = Field(
|
|
"", max_length=64,
|
|
description="硬件级设备标识(Android ANDROID_ID),用于发码防刷按 设备+IP 限流;空=按 IP 聚一桶",
|
|
)
|
|
|
|
|
|
class SmsSendResponse(BaseModel):
|
|
sent: bool
|
|
mock: bool = Field(..., description="是否 mock 发送(true 时验证码不会真发,任意 6 位通过)")
|
|
cooldown_sec: int = Field(..., description="多少秒后才能再发一次")
|
|
|
|
|
|
class SmsLoginRequest(BaseModel):
|
|
phone: str = Field(..., min_length=11, max_length=11, pattern=r"^1\d{10}$")
|
|
code: str = Field(..., min_length=4, max_length=8)
|
|
device_id: str = Field(
|
|
"", max_length=64,
|
|
description="硬件级设备标识(Android ANDROID_ID),用于新手引导按 设备+账号 去重;空=按未完成处理",
|
|
)
|
|
|
|
|
|
# ===== Refresh =====
|
|
|
|
class RefreshRequest(BaseModel):
|
|
refresh_token: str = Field(..., min_length=1)
|
|
|
|
|
|
# ===== Logout =====
|
|
|
|
class LogoutResponse(BaseModel):
|
|
ok: bool = True
|
|
|
|
|
|
# ===== 微信登录 =====
|
|
|
|
class WechatLoginRequest(BaseModel):
|
|
code: str = Field(..., min_length=1, description="微信 App 授权拿到的 code(单次有效)")
|
|
device_id: str = Field(
|
|
"", max_length=64,
|
|
description="硬件级设备标识(Android ANDROID_ID),用于新手引导按 设备+账号 去重;空=按未完成处理",
|
|
)
|
|
|
|
|
|
class WechatLoginResponse(BaseModel):
|
|
# status="logged_in" → openid 命中,token 有值;"need_bind_phone" → 未命中,bind_ticket 有值
|
|
status: str
|
|
token: TokenWithUser | None = None
|
|
bind_ticket: str | None = None
|
|
wechat_nickname: str | None = None
|
|
wechat_avatar_url: str | None = None
|
|
|
|
|
|
class OccupiedAccountInfo(BaseModel):
|
|
"""手机号被占用时返回的原账号脱敏展示信息(供冲突页)。"""
|
|
nickname: str | None = None
|
|
avatar_url: str | None = None
|
|
created_at: datetime
|
|
has_wechat: bool = False
|
|
|
|
|
|
class WechatBindResultResponse(BaseModel):
|
|
# status="logged_in" → 未占用,已建号登入,token 有值;
|
|
# "phone_occupied" → 手机号被占用,occupied_account + conflict_ticket 有值,token 为 None
|
|
status: str
|
|
token: TokenWithUser | None = None
|
|
occupied_account: OccupiedAccountInfo | None = None
|
|
conflict_ticket: str | None = None # 占用时签发,换绑/继续绑定只认它
|
|
rebind_available: bool | None = None # 该手机号 30 天内是否还能换绑(给换绑按钮预置禁用态)
|
|
rebind_blocked_days: int | None = None # 被限时剩余天数(rebind_available=False 时>0)
|
|
|
|
|
|
class WechatBindPhoneSmsRequest(BaseModel):
|
|
bind_ticket: str = Field(..., min_length=1)
|
|
phone: str = Field(..., min_length=11, max_length=11, pattern=r"^1\d{10}$")
|
|
code: str = Field(..., min_length=4, max_length=8)
|
|
device_id: str = Field("", max_length=64)
|
|
|
|
|
|
class WechatBindPhoneJverifyRequest(BaseModel):
|
|
bind_ticket: str = Field(..., min_length=1)
|
|
login_token: str = Field(..., min_length=1, description="客户端 loginAuth 拿到的 loginToken")
|
|
device_id: str = Field("", max_length=64)
|
|
|
|
|
|
class WechatConflictContinueRequest(BaseModel):
|
|
conflict_ticket: str = Field(..., min_length=1)
|
|
device_id: str = Field("", max_length=64)
|
|
|
|
|
|
class WechatConflictRebindRequest(BaseModel):
|
|
conflict_ticket: str = Field(..., min_length=1)
|
|
device_id: str = Field("", max_length=64)
|