b19da9c7fe
⚠️ 应用类型约束:当前实现仅支持「钉钉登录-企业内部应用」(DingTalk 开放平台
internal_app 类型)。第三方个人应用、第三方企业应用类型暂不支持——OAuth 流程
相同但 corp 校验、跨企业行为不同。backend 通过 DingTalkAppKind 校验对非
internal_app 类型 fail-closed(硬约束)。
钉钉 OAuth 登录主链
- 4 步 OAuth 链:ExchangeCodeForUserToken / GetUnionIdByUserToken /
GetUserIdByUnionId / GetStaffInfoByUserId;app token 缓存
- pending session 机制持久化 OAuth 中间态;cookie-only token 持久化
- 三种分流:bind_login_required / email_completion / choose_account_action
- corp_restriction_policy 支持 none + internal_only;stale "whitelist" 在
加载层与写入层均静默 coerce 为 none + slog.Warn
- bypass_registration 开关:企业内部模式豁免全局 REGISTRATION_DISABLED
- isReservedEmail / signup_source / canUnbindProvider / OAuth pending flow
等横切点支持 dingtalk provider
- migration 136:4 表 CHECK 约束加入 'dingtalk' provider 值
internal_only 模式同步企业邮箱/姓名/部门到用户属性
- SyncCorpEmail / SyncDisplayName / SyncDept 三个独立开关 + 对应
SyncXxxAttrKey 目标属性 key(默认 dingtalk_email / dingtalk_name /
dingtalk_department);非 internal_only policy 在写入层与加载层均
coerce 为 false,admin handler 与 setting_service 双层兜底
- 同步语义:首次注册写 users.username(昵称优先 → 企业姓名 fallback),
之后每次登录刷新 3 个属性;空值也写入以覆盖旧值
- 邮箱三级 fallback:org_email > email > extension["企业邮箱"]
(钉钉自定义字段 JSON)
- 部门路径递归向上拼接,跳过 dept_id=1 选首个真实子部门,剥离根组织名
- GetUnionIdByUserToken 同时返回 OIDC /contact/users/me 的 nick 字段;
新增 GetDeptInfo 调用 OAPI /topapi/v2/department/get
- AuthHandler 注入 UserAttributeService;OAuth pending flow 在
createPendingOAuthAccount / bindPendingOAuthLogin 分别派发到
AfterRegistration(syncUsername=true)/ AfterLogin
- migration 137 seed dingtalk_email/name/department 三个用户属性定义
附带修复(同集成路径暴露的两个 OAuth 注册回归)
- LoginOrRegisterOAuthWithTokenPair 新建用户分支用 inferLegacySignupSource
覆写 caller 显式传入的 signupSource,导致 dingtalk/linuxdo/oidc/wechat
渠道授权按 email 渠道读取;改为只在 caller 未显式传入时回退邮箱推断
- mergeProviderDefaultGrantSettings 把 parse fallback 默认值
(Concurrency=5 / Balance=0) 当作"未配置"哨兵,admin 显式设 5 时被误判
退回全局默认(复现:全局默认 1 + 渠道默认并发 5 + grant_on_signup → 新
用户实际 concurrency=1);去掉哨兵,admin 任何 >=0 值都覆盖 globalDefaults
前端
- DingTalk Login / Callback / EmailCompletion / ChoiceAccount / Error
视图;router + auth API client
- admin SettingsView:corp policy radio(none / internal_only)+ bypass
注册开关 + i18n;internal_only 下展示三同步开关 + 目标 attr key 下拉
(拉取 user attribute definitions),展示 fieldEmail /
qyapi_get_department_list 钉钉权限申请提示
- Profile:S1 主动绑定 / S5 解绑钉钉按钮 + 合成邮箱防自锁
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
609 lines
18 KiB
Go
609 lines
18 KiB
Go
package handler
|
|
|
|
import (
|
|
"context"
|
|
"strings"
|
|
|
|
"github.com/Wei-Shaw/sub2api/internal/handler/dto"
|
|
"github.com/Wei-Shaw/sub2api/internal/pkg/response"
|
|
middleware2 "github.com/Wei-Shaw/sub2api/internal/server/middleware"
|
|
"github.com/Wei-Shaw/sub2api/internal/service"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
// UserHandler handles user-related requests
|
|
type UserHandler struct {
|
|
userService *service.UserService
|
|
authService *service.AuthService
|
|
emailService *service.EmailService
|
|
emailCache service.EmailCache
|
|
affiliateService *service.AffiliateService
|
|
}
|
|
|
|
// NewUserHandler creates a new UserHandler
|
|
func NewUserHandler(
|
|
userService *service.UserService,
|
|
authService *service.AuthService,
|
|
emailService *service.EmailService,
|
|
emailCache service.EmailCache,
|
|
affiliateService *service.AffiliateService,
|
|
) *UserHandler {
|
|
return &UserHandler{
|
|
userService: userService,
|
|
authService: authService,
|
|
emailService: emailService,
|
|
emailCache: emailCache,
|
|
affiliateService: affiliateService,
|
|
}
|
|
}
|
|
|
|
// ChangePasswordRequest represents the change password request payload
|
|
type ChangePasswordRequest struct {
|
|
OldPassword string `json:"old_password" binding:"required"`
|
|
NewPassword string `json:"new_password" binding:"required,min=6"`
|
|
}
|
|
|
|
// UpdateProfileRequest represents the update profile request payload
|
|
type UpdateProfileRequest struct {
|
|
Username *string `json:"username"`
|
|
AvatarURL *string `json:"avatar_url"`
|
|
BalanceNotifyEnabled *bool `json:"balance_notify_enabled"`
|
|
BalanceNotifyThreshold *float64 `json:"balance_notify_threshold"`
|
|
}
|
|
|
|
type userProfileResponse struct {
|
|
dto.User
|
|
AvatarURL string `json:"avatar_url,omitempty"`
|
|
AvatarSource *userProfileSourceContext `json:"avatar_source,omitempty"`
|
|
UsernameSource *userProfileSourceContext `json:"username_source,omitempty"`
|
|
DisplayNameSource *userProfileSourceContext `json:"display_name_source,omitempty"`
|
|
NicknameSource *userProfileSourceContext `json:"nickname_source,omitempty"`
|
|
ProfileSources map[string]*userProfileSourceContext `json:"profile_sources,omitempty"`
|
|
Identities service.UserIdentitySummarySet `json:"identities"`
|
|
AuthBindings map[string]service.UserIdentitySummary `json:"auth_bindings"`
|
|
IdentityBindings map[string]service.UserIdentitySummary `json:"identity_bindings"`
|
|
EmailBound bool `json:"email_bound"`
|
|
LinuxDoBound bool `json:"linuxdo_bound"`
|
|
OIDCBound bool `json:"oidc_bound"`
|
|
WeChatBound bool `json:"wechat_bound"`
|
|
DingTalkBound bool `json:"dingtalk_bound"`
|
|
}
|
|
|
|
type userProfileSourceContext struct {
|
|
Provider string `json:"provider,omitempty"`
|
|
Source string `json:"source,omitempty"`
|
|
}
|
|
|
|
// GetProfile handles getting user profile
|
|
// GET /api/v1/users/me
|
|
func (h *UserHandler) GetProfile(c *gin.Context) {
|
|
subject, ok := middleware2.GetAuthSubjectFromContext(c)
|
|
if !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
|
|
userData, err := h.userService.GetProfile(c.Request.Context(), subject.UserID)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
profileResp, err := h.buildUserProfileResponse(c.Request.Context(), subject.UserID, userData)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
response.Success(c, profileResp)
|
|
}
|
|
|
|
// ChangePassword handles changing user password
|
|
// POST /api/v1/users/me/password
|
|
func (h *UserHandler) ChangePassword(c *gin.Context) {
|
|
subject, ok := middleware2.GetAuthSubjectFromContext(c)
|
|
if !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
|
|
var req ChangePasswordRequest
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
response.BadRequest(c, "Invalid request: "+err.Error())
|
|
return
|
|
}
|
|
|
|
svcReq := service.ChangePasswordRequest{
|
|
CurrentPassword: req.OldPassword,
|
|
NewPassword: req.NewPassword,
|
|
}
|
|
err := h.userService.ChangePassword(c.Request.Context(), subject.UserID, svcReq)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
response.Success(c, gin.H{"message": "Password changed successfully"})
|
|
}
|
|
|
|
// UpdateProfile handles updating user profile
|
|
// PUT /api/v1/users/me
|
|
func (h *UserHandler) UpdateProfile(c *gin.Context) {
|
|
subject, ok := middleware2.GetAuthSubjectFromContext(c)
|
|
if !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
|
|
var req UpdateProfileRequest
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
response.BadRequest(c, "Invalid request: "+err.Error())
|
|
return
|
|
}
|
|
|
|
svcReq := service.UpdateProfileRequest{
|
|
Username: req.Username,
|
|
AvatarURL: req.AvatarURL,
|
|
BalanceNotifyEnabled: req.BalanceNotifyEnabled,
|
|
BalanceNotifyThreshold: req.BalanceNotifyThreshold,
|
|
}
|
|
updatedUser, err := h.userService.UpdateProfile(c.Request.Context(), subject.UserID, svcReq)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
profileResp, err := h.buildUserProfileResponse(c.Request.Context(), subject.UserID, updatedUser)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
response.Success(c, profileResp)
|
|
}
|
|
|
|
// GetAffiliate returns the current user's affiliate details.
|
|
// GET /api/v1/user/aff
|
|
func (h *UserHandler) GetAffiliate(c *gin.Context) {
|
|
subject, ok := middleware2.GetAuthSubjectFromContext(c)
|
|
if !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
|
|
detail, err := h.affiliateService.GetAffiliateDetail(c.Request.Context(), subject.UserID)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
response.Success(c, detail)
|
|
}
|
|
|
|
// TransferAffiliateQuota transfers all available affiliate quota into current balance.
|
|
// POST /api/v1/user/aff/transfer
|
|
func (h *UserHandler) TransferAffiliateQuota(c *gin.Context) {
|
|
subject, ok := middleware2.GetAuthSubjectFromContext(c)
|
|
if !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
|
|
transferred, balance, err := h.affiliateService.TransferAffiliateQuota(c.Request.Context(), subject.UserID)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
response.Success(c, gin.H{
|
|
"transferred_quota": transferred,
|
|
"balance": balance,
|
|
})
|
|
}
|
|
|
|
type StartIdentityBindingRequest struct {
|
|
Provider string `json:"provider" binding:"required"`
|
|
RedirectTo string `json:"redirect_to"`
|
|
}
|
|
|
|
type BindEmailIdentityRequest struct {
|
|
Email string `json:"email" binding:"required,email"`
|
|
VerifyCode string `json:"verify_code" binding:"required"`
|
|
Password string `json:"password" binding:"required"`
|
|
}
|
|
|
|
type SendEmailBindingCodeRequest struct {
|
|
Email string `json:"email" binding:"required,email"`
|
|
}
|
|
|
|
// StartIdentityBinding returns the backend authorize URL for starting a third-party identity bind flow.
|
|
// POST /api/v1/user/auth-identities/bind/start
|
|
func (h *UserHandler) StartIdentityBinding(c *gin.Context) {
|
|
if _, ok := middleware2.GetAuthSubjectFromContext(c); !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
|
|
var req StartIdentityBindingRequest
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
response.BadRequest(c, "Invalid request: "+err.Error())
|
|
return
|
|
}
|
|
|
|
result, err := h.userService.PrepareIdentityBindingStart(c.Request.Context(), service.StartUserIdentityBindingRequest{
|
|
Provider: req.Provider,
|
|
RedirectTo: req.RedirectTo,
|
|
})
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
response.Success(c, result)
|
|
}
|
|
|
|
// BindEmailIdentity verifies and binds a local email identity for the current user.
|
|
// POST /api/v1/user/account-bindings/email
|
|
func (h *UserHandler) BindEmailIdentity(c *gin.Context) {
|
|
subject, ok := middleware2.GetAuthSubjectFromContext(c)
|
|
if !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
if h.authService == nil {
|
|
response.InternalError(c, "Auth service not configured")
|
|
return
|
|
}
|
|
|
|
var req BindEmailIdentityRequest
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
response.BadRequest(c, "Invalid request: "+err.Error())
|
|
return
|
|
}
|
|
|
|
updatedUser, err := h.authService.BindEmailIdentity(
|
|
c.Request.Context(),
|
|
subject.UserID,
|
|
req.Email,
|
|
req.VerifyCode,
|
|
req.Password,
|
|
)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
profileResp, err := h.buildUserProfileResponse(c.Request.Context(), subject.UserID, updatedUser)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
response.Success(c, profileResp)
|
|
}
|
|
|
|
// UnbindIdentity removes a third-party sign-in provider from the current user.
|
|
// DELETE /api/v1/user/account-bindings/:provider
|
|
func (h *UserHandler) UnbindIdentity(c *gin.Context) {
|
|
subject, ok := middleware2.GetAuthSubjectFromContext(c)
|
|
if !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
|
|
updatedUser, unbound, err := h.userService.UnbindUserAuthProviderWithResult(
|
|
c.Request.Context(),
|
|
subject.UserID,
|
|
c.Param("provider"),
|
|
)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
if unbound && h.authService != nil {
|
|
if err := h.authService.RevokeAllUserTokens(c.Request.Context(), subject.UserID); err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
}
|
|
|
|
profileResp, err := h.buildUserProfileResponse(c.Request.Context(), subject.UserID, updatedUser)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
response.Success(c, profileResp)
|
|
}
|
|
|
|
// SendEmailBindingCode sends a verification code for the current user's email binding flow.
|
|
// POST /api/v1/user/account-bindings/email/send-code
|
|
func (h *UserHandler) SendEmailBindingCode(c *gin.Context) {
|
|
subject, ok := middleware2.GetAuthSubjectFromContext(c)
|
|
if !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
if h.authService == nil {
|
|
response.InternalError(c, "Auth service not configured")
|
|
return
|
|
}
|
|
|
|
var req SendEmailBindingCodeRequest
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
response.BadRequest(c, "Invalid request: "+err.Error())
|
|
return
|
|
}
|
|
|
|
if err := h.authService.SendEmailIdentityBindCode(c.Request.Context(), subject.UserID, req.Email); err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
response.Success(c, gin.H{"message": "Verification code sent successfully"})
|
|
}
|
|
|
|
// SendNotifyEmailCodeRequest represents the request to send notify email verification code
|
|
type SendNotifyEmailCodeRequest struct {
|
|
Email string `json:"email" binding:"required,email"`
|
|
}
|
|
|
|
// SendNotifyEmailCode sends verification code to extra notification email
|
|
// POST /api/v1/user/notify-email/send-code
|
|
func (h *UserHandler) SendNotifyEmailCode(c *gin.Context) {
|
|
subject, ok := middleware2.GetAuthSubjectFromContext(c)
|
|
if !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
|
|
var req SendNotifyEmailCodeRequest
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
response.BadRequest(c, "Invalid request: "+err.Error())
|
|
return
|
|
}
|
|
|
|
err := h.userService.SendNotifyEmailCode(c.Request.Context(), subject.UserID, req.Email, h.emailService, h.emailCache)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
response.Success(c, gin.H{"message": "Verification code sent successfully"})
|
|
}
|
|
|
|
// VerifyNotifyEmailRequest represents the request to verify and add notify email
|
|
type VerifyNotifyEmailRequest struct {
|
|
Email string `json:"email" binding:"required,email"`
|
|
Code string `json:"code" binding:"required,len=6"`
|
|
}
|
|
|
|
// VerifyNotifyEmail verifies code and adds email to notification list
|
|
// POST /api/v1/user/notify-email/verify
|
|
func (h *UserHandler) VerifyNotifyEmail(c *gin.Context) {
|
|
subject, ok := middleware2.GetAuthSubjectFromContext(c)
|
|
if !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
|
|
var req VerifyNotifyEmailRequest
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
response.BadRequest(c, "Invalid request: "+err.Error())
|
|
return
|
|
}
|
|
|
|
err := h.userService.VerifyAndAddNotifyEmail(c.Request.Context(), subject.UserID, req.Email, req.Code, h.emailCache)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
// Return updated user
|
|
updatedUser, err := h.userService.GetByID(c.Request.Context(), subject.UserID)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
profileResp, err := h.buildUserProfileResponse(c.Request.Context(), subject.UserID, updatedUser)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
response.Success(c, profileResp)
|
|
}
|
|
|
|
// RemoveNotifyEmailRequest represents the request to remove a notify email
|
|
type RemoveNotifyEmailRequest struct {
|
|
Email string `json:"email" binding:"required,email"`
|
|
}
|
|
|
|
// RemoveNotifyEmail removes email from notification list
|
|
// DELETE /api/v1/user/notify-email
|
|
func (h *UserHandler) RemoveNotifyEmail(c *gin.Context) {
|
|
subject, ok := middleware2.GetAuthSubjectFromContext(c)
|
|
if !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
|
|
var req RemoveNotifyEmailRequest
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
response.BadRequest(c, "Invalid request: "+err.Error())
|
|
return
|
|
}
|
|
|
|
err := h.userService.RemoveNotifyEmail(c.Request.Context(), subject.UserID, req.Email)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
// Return updated user
|
|
updatedUser, err := h.userService.GetByID(c.Request.Context(), subject.UserID)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
profileResp, err := h.buildUserProfileResponse(c.Request.Context(), subject.UserID, updatedUser)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
response.Success(c, profileResp)
|
|
}
|
|
|
|
// ToggleNotifyEmailRequest represents the request to toggle a notify email's disabled state
|
|
type ToggleNotifyEmailRequest struct {
|
|
Email string `json:"email" binding:"required,email"`
|
|
Disabled bool `json:"disabled"`
|
|
}
|
|
|
|
// ToggleNotifyEmail toggles the disabled state of a notification email
|
|
// PUT /api/v1/user/notify-email/toggle
|
|
func (h *UserHandler) ToggleNotifyEmail(c *gin.Context) {
|
|
subject, ok := middleware2.GetAuthSubjectFromContext(c)
|
|
if !ok {
|
|
response.Unauthorized(c, "User not authenticated")
|
|
return
|
|
}
|
|
|
|
var req ToggleNotifyEmailRequest
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
response.BadRequest(c, "Invalid request: "+err.Error())
|
|
return
|
|
}
|
|
|
|
err := h.userService.ToggleNotifyEmail(c.Request.Context(), subject.UserID, req.Email, req.Disabled)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
updatedUser, err := h.userService.GetByID(c.Request.Context(), subject.UserID)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
profileResp, err := h.buildUserProfileResponse(c.Request.Context(), subject.UserID, updatedUser)
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
response.Success(c, profileResp)
|
|
}
|
|
|
|
func (h *UserHandler) buildUserProfileResponse(ctx context.Context, userID int64, user *service.User) (userProfileResponse, error) {
|
|
identities, err := h.userService.GetProfileIdentitySummaries(ctx, userID, user)
|
|
if err != nil {
|
|
return userProfileResponse{}, err
|
|
}
|
|
return userProfileResponseFromService(user, identities), nil
|
|
}
|
|
|
|
func userProfileResponseFromService(user *service.User, identities service.UserIdentitySummarySet) userProfileResponse {
|
|
base := dto.UserFromService(user)
|
|
if base == nil {
|
|
return userProfileResponse{}
|
|
}
|
|
bindings := userProfileBindingMap(identities)
|
|
profileSources, avatarSource, usernameSource := inferUserProfileSources(user, identities)
|
|
return userProfileResponse{
|
|
User: *base,
|
|
AvatarURL: user.AvatarURL,
|
|
AvatarSource: avatarSource,
|
|
UsernameSource: usernameSource,
|
|
DisplayNameSource: usernameSource,
|
|
NicknameSource: usernameSource,
|
|
ProfileSources: profileSources,
|
|
Identities: identities,
|
|
AuthBindings: bindings,
|
|
IdentityBindings: bindings,
|
|
EmailBound: identities.Email.Bound,
|
|
LinuxDoBound: identities.LinuxDo.Bound,
|
|
OIDCBound: identities.OIDC.Bound,
|
|
WeChatBound: identities.WeChat.Bound,
|
|
DingTalkBound: identities.DingTalk.Bound,
|
|
}
|
|
}
|
|
|
|
func userProfileBindingMap(identities service.UserIdentitySummarySet) map[string]service.UserIdentitySummary {
|
|
return map[string]service.UserIdentitySummary{
|
|
"email": identities.Email,
|
|
"linuxdo": identities.LinuxDo,
|
|
"oidc": identities.OIDC,
|
|
"wechat": identities.WeChat,
|
|
"dingtalk": identities.DingTalk,
|
|
}
|
|
}
|
|
|
|
func inferUserProfileSources(user *service.User, identities service.UserIdentitySummarySet) (
|
|
map[string]*userProfileSourceContext,
|
|
*userProfileSourceContext,
|
|
*userProfileSourceContext,
|
|
) {
|
|
if user == nil {
|
|
return nil, nil, nil
|
|
}
|
|
|
|
thirdParty := thirdPartyIdentityProviders(identities)
|
|
var avatarSource *userProfileSourceContext
|
|
avatarValue := strings.TrimSpace(user.AvatarURL)
|
|
for _, summary := range thirdParty {
|
|
if avatarValue != "" && avatarValue == strings.TrimSpace(summary.AvatarURL) {
|
|
avatarSource = buildUserProfileSourceContext(summary.Provider)
|
|
break
|
|
}
|
|
}
|
|
|
|
usernameValue := strings.TrimSpace(user.Username)
|
|
var usernameSource *userProfileSourceContext
|
|
for _, summary := range thirdParty {
|
|
if usernameValue != "" && usernameValue == strings.TrimSpace(summary.DisplayName) {
|
|
usernameSource = buildUserProfileSourceContext(summary.Provider)
|
|
break
|
|
}
|
|
}
|
|
|
|
profileSources := map[string]*userProfileSourceContext{}
|
|
if avatarSource != nil {
|
|
profileSources["avatar"] = avatarSource
|
|
}
|
|
if usernameSource != nil {
|
|
profileSources["username"] = usernameSource
|
|
profileSources["display_name"] = usernameSource
|
|
profileSources["nickname"] = usernameSource
|
|
}
|
|
if len(profileSources) == 0 {
|
|
return nil, avatarSource, usernameSource
|
|
}
|
|
return profileSources, avatarSource, usernameSource
|
|
}
|
|
|
|
func thirdPartyIdentityProviders(identities service.UserIdentitySummarySet) []service.UserIdentitySummary {
|
|
out := make([]service.UserIdentitySummary, 0, 3)
|
|
for _, summary := range []service.UserIdentitySummary{identities.LinuxDo, identities.OIDC, identities.WeChat, identities.DingTalk} {
|
|
if summary.Bound {
|
|
out = append(out, summary)
|
|
}
|
|
}
|
|
return out
|
|
}
|
|
|
|
func buildUserProfileSourceContext(provider string) *userProfileSourceContext {
|
|
provider = strings.TrimSpace(provider)
|
|
if provider == "" {
|
|
return nil
|
|
}
|
|
return &userProfileSourceContext{
|
|
Provider: provider,
|
|
Source: provider,
|
|
}
|
|
}
|