import Joi from 'joi'; import { DBModel } from "../models/index.js"; import ResponseUtil from "../utils/api_response.js"; import { hashPassword, verifyPassword } from "../utils/crypto.js"; import { sanitizeUser, extractToken } from "../middleware/auth.js"; import config from "../conf.json" with { type: "json" }; // 输入校验 schema const registerSchema = Joi.object({ userInfo: Joi.object({ profile: Joi.object({ mobile: Joi.string().required().messages({ 'any.required': '缺少手机号', 'string.empty': '手机号不能为空' }), name: Joi.string().allow(''), }).required(), security: Joi.object({ passwd: Joi.string().min(6).required().messages({ 'any.required': '缺少密码', 'string.min': '密码至少6位' }), }).required(), location: Joi.object({ province: Joi.string().allow(''), city: Joi.string().allow(''), district: Joi.string().allow(''), }).optional(), addresses: Joi.array().optional(), app: Joi.object().optional(), }).required(), }); const signinSchema = Joi.object({ mobile: Joi.string().required().messages({ 'any.required': '缺少手机号', 'string.empty': '手机号不能为空' }), passwd: Joi.string().required().messages({ 'any.required': '缺少密码', 'string.empty': '密码不能为空' }), }); const wxSigninSchema = Joi.object({ code: Joi.string().required().messages({ 'any.required': '缺少微信登录凭证 code' }), appId: Joi.string().required().messages({ 'any.required': '缺少 appId' }), phoneNumber: Joi.string().allow('', null), name: Joi.string().allow('', null), }); const wxGetPhoneSchema = Joi.object({ code: Joi.string().required().messages({ 'any.required': '缺少手机号凭证 code' }), appId: Joi.string().required().messages({ 'any.required': '缺少 appId' }), }); class HandlerUser { // 生成 token async genToken(uid) { const crypto = await import("crypto"); const hash = crypto.createHash("sha256"); hash.update(uid + Date.now() + Math.random()); return hash.digest("hex"); } // 用户注册 async register(ctx) { const { error, value } = registerSchema.validate(ctx.request.body, { abortEarly: false }); if (error) { return ResponseUtil.badRequest(ctx, error.details[0].message); } try { const { userInfo } = value; const mobile = userInfo.profile.mobile; const passwd = userInfo.security.passwd; // 检查手机号是否已注册 const existingUser = await DBModel.User.findOne({ "profile.mobile": mobile }); if (existingUser) { return ResponseUtil.error(ctx, "手机号已注册", null, 409); } // bcrypt 加密密码 const encryptedPasswd = await hashPassword(passwd); const newUser = { profile: userInfo.profile, security: { passwd: encryptedPasswd, }, location: { province: userInfo.location?.province || '', city: userInfo.location?.city || '', district: userInfo.location?.district || '', }, addresses: userInfo.addresses || [], social: { wechat: {} }, status: { account: "normal", }, app: userInfo.app || {}, }; const user = await DBModel.User.setUser(newUser); if (!user) { return ResponseUtil.internalError(ctx, "注册失败"); } // 生成 token const token = await this.genToken(user._id.toString()); user.security.token = token; user.security.tokenExpiry = new Date(Date.now() + 15 * 24 * 60 * 60 * 1000); await user.save(); return ResponseUtil.success(ctx, { user: sanitizeUser(user) }, "注册成功"); } catch (err) { return ResponseUtil.internalError(ctx, err.message); } } // 手机号码登录 async signin(ctx) { const { error, value } = signinSchema.validate(ctx.request.body, { abortEarly: false }); if (error) { return ResponseUtil.badRequest(ctx, error.details[0].message); } try { const { mobile, passwd } = value; // 查找用户 let user = await DBModel.User.findOne({ "profile.mobile": mobile }); if (!user) { return ResponseUtil.unauthorized(ctx, "用户不存在"); } // 校验密码(支持 bcrypt 和 MD5 渐进式迁移) const { valid, needsUpgrade } = await verifyPassword( passwd, user.security.passwd, user.security.passwdSalt ); if (!valid) { // 记录失败登录次数 await DBModel.User.incrementFailedLoginAttempts(user._id); return ResponseUtil.unauthorized(ctx, "密码错误"); } // 渐进式迁移:如果是旧 MD5 密码,登录时升级为 bcrypt if (needsUpgrade) { user.security.passwd = await hashPassword(passwd); user.security.passwdSalt = undefined; } // 重置失败登录次数 if (user.security.failedLoginAttempts > 0) { await DBModel.User.resetFailedLoginAttempts(user._id); } // 生成/更新 token const token = await this.genToken(user._id.toString()); user.security.token = token; user.security.tokenExpiry = new Date(Date.now() + 15 * 24 * 60 * 60 * 1000); user.security.lastLoginAt = new Date(); user.security.lastLoginIp = ctx.ip || ctx.request.ip; await user.save(); return ResponseUtil.success(ctx, { user: sanitizeUser(user) }, "登录成功"); } catch (err) { return ResponseUtil.internalError(ctx, err.message); } } // 退出登录 async signout(ctx) { const token = extractToken(ctx); if (!token) { return ResponseUtil.badRequest(ctx, "缺少 token"); } const user = await DBModel.User.findOne({ "security.token": token }); if (user) { user.security.token = null; user.security.tokenExpiry = null; await user.save(); } return ResponseUtil.success(ctx, null, "退出登录成功"); } // 获取用户信息 async userInfo(ctx) { const token = extractToken(ctx); if (!token) { return ResponseUtil.badRequest(ctx, "缺少 token"); } const user = await DBModel.User.findOne({ "security.token": token }); if (!user) { return ResponseUtil.unauthorized(ctx, "用户未登录或 token 无效"); } if (user.security.tokenExpiry && new Date() > user.security.tokenExpiry) { return ResponseUtil.unauthorized(ctx, "登录已过期,请重新登录"); } return ResponseUtil.success(ctx, { user: sanitizeUser(user) }, "获取用户信息成功"); } // 更新用户信息 async updateUser(ctx) { const token = extractToken(ctx); if (!token) { return ResponseUtil.badRequest(ctx, "缺少 token"); } const user = await DBModel.User.findOne({ "security.token": token }); if (!user) { return ResponseUtil.unauthorized(ctx, "用户未登录或 token 无效"); } if (user.security.tokenExpiry && new Date() > user.security.tokenExpiry) { return ResponseUtil.unauthorized(ctx, "登录已过期,请重新登录"); } try { const userInfo = ctx.request.body; if (!userInfo) { return ResponseUtil.badRequest(ctx, "缺少用户信息"); } const updatedUser = await DBModel.User.updateFromUserInfo(user._id, userInfo); if (!updatedUser) { return ResponseUtil.internalError(ctx, "更新用户失败"); } return ResponseUtil.success(ctx, { user: sanitizeUser(updatedUser) }, "更新成功"); } catch (err) { return ResponseUtil.internalError(ctx, err.message); } } // 获取用户列表 async userList(ctx) { const token = extractToken(ctx); if (!token) { return ResponseUtil.badRequest(ctx, "缺少 token"); } const user = await DBModel.User.findOne({ "security.token": token }); if (!user) { return ResponseUtil.unauthorized(ctx, "用户未登录或 token 无效"); } if (!('wxapp-escort-admin' in user.app)) { return ResponseUtil.unauthorized(ctx, "用户无管理员权限"); } if (user.security.tokenExpiry && new Date() > user.security.tokenExpiry) { return ResponseUtil.unauthorized(ctx, "登录已过期,请重新登录"); } try { const { page = 1, pageSize = 100 } = ctx.request.body; const users = await DBModel.User.find({ "app.wxapp-escort": { $exists: true } }) .skip((page - 1) * pageSize) .limit(pageSize); const safeUsers = users.map(u => sanitizeUser(u)); return ResponseUtil.success(ctx, { users: safeUsers }, "获取用户列表成功"); } catch (err) { return ResponseUtil.internalError(ctx, err.message); } } // 微信登录 async wxSignin(ctx) { const { error, value } = wxSigninSchema.validate(ctx.request.body, { abortEarly: false }); if (error) { return ResponseUtil.badRequest(ctx, error.details[0].message); } try { const { code, phoneNumber, name, appId } = value; let app = config.app[appId]; if (!app) { return ResponseUtil.badRequest(ctx, `未配置 appId: ${appId}`); } // 通过 code 换取 openid/session_key const sessionUrl = `https://api.weixin.qq.com/sns/jscode2session?appid=${app.appid}&secret=${app.secret}&js_code=${code}&grant_type=authorization_code`; const wxSessionRes = await fetch(sessionUrl); const sessionData = await wxSessionRes.json(); if (sessionData.errcode) { return ResponseUtil.error(ctx, `微信接口错误: ${sessionData.errmsg}`, null, 400); } const { openid } = sessionData; if (!openid) { return ResponseUtil.error(ctx, "微信登录失败,未获取到 openid", null, 400); } // 使用openid和phoneNumber查询用户 let key = `app.${appId}.wxopenid`; let user = await DBModel.User.findOne({ [key]: openid }); if (!user) { if (!phoneNumber) { return ResponseUtil.badRequest(ctx, "缺少手机号"); } user = await DBModel.User.findOne({ "profile.mobile": phoneNumber }); if (!user) { const newUser = { profile: { name: name || phoneNumber, mobile: phoneNumber }, status: { account: "normal" }, app: {}, }; newUser.app[appId] = { role: ["user"], wxopenid: openid }; user = await DBModel.User.setUser(newUser); } } if (user) { if (phoneNumber && phoneNumber.length > 0 && user.profile.mobile !== phoneNumber) { user.profile.mobile = phoneNumber; } if (!(appId in user.app)) { user.app[appId] = { role: ["user"], wxopenid: openid }; } user.app[appId].wxopenid = openid; } else { return ResponseUtil.internalError(ctx, "用户不存在"); } // 更新Token const token = await this.genToken(user._id.toString()); user.security.token = token; user.security.tokenExpiry = new Date(Date.now() + 15 * 24 * 60 * 60 * 1000); user.security.lastLoginAt = new Date(); user.security.lastLoginIp = ctx.ip || ctx.request.ip; await user.save(); return ResponseUtil.success(ctx, { user: sanitizeUser(user) }, "登录成功"); } catch (err) { return ResponseUtil.internalError(ctx, err.message); } } // 获取微信的手机号码 async wxGetPhoneNumber(ctx) { const { error, value } = wxGetPhoneSchema.validate(ctx.request.body, { abortEarly: false }); if (error) { return ResponseUtil.badRequest(ctx, error.details[0].message); } try { const { code, appId } = value; let app = config.app[appId]; if (!app) { return ResponseUtil.badRequest(ctx, `未配置 appId: ${appId}`); } // 获取access_token const client_credential_url = `https://api.weixin.qq.com/cgi-bin/token?appid=${app.appid}&secret=${app.secret}&grant_type=client_credential`; const fetch = (await import("node-fetch")).default; let sessionRes = await fetch(client_credential_url); const resp = await sessionRes.json(); if (!resp.access_token) { return ResponseUtil.internalError(ctx, "获取微信 access_token 失败"); } // 获取phoneNumber const phoneUrl = `https://api.weixin.qq.com/wxa/business/getuserphonenumber?access_token=${resp.access_token}`; const phoneRes = await fetch(phoneUrl, { method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ code: code }) }); const phoneData = await phoneRes.json(); if (phoneData.errcode) { return ResponseUtil.error(ctx, `获取手机号失败: ${phoneData.errmsg}`, null, 400); } const phoneNumber = phoneData.phone_info?.phoneNumber; return ResponseUtil.success(ctx, { phoneNumber }, "获取手机号成功"); } catch (err) { return ResponseUtil.internalError(ctx, err.message); } } } export { HandlerUser };