b19da9c7fe
⚠️ 应用类型约束:当前实现仅支持「钉钉登录-企业内部应用」(DingTalk 开放平台
internal_app 类型)。第三方个人应用、第三方企业应用类型暂不支持——OAuth 流程
相同但 corp 校验、跨企业行为不同。backend 通过 DingTalkAppKind 校验对非
internal_app 类型 fail-closed(硬约束)。
钉钉 OAuth 登录主链
- 4 步 OAuth 链:ExchangeCodeForUserToken / GetUnionIdByUserToken /
GetUserIdByUnionId / GetStaffInfoByUserId;app token 缓存
- pending session 机制持久化 OAuth 中间态;cookie-only token 持久化
- 三种分流:bind_login_required / email_completion / choose_account_action
- corp_restriction_policy 支持 none + internal_only;stale "whitelist" 在
加载层与写入层均静默 coerce 为 none + slog.Warn
- bypass_registration 开关:企业内部模式豁免全局 REGISTRATION_DISABLED
- isReservedEmail / signup_source / canUnbindProvider / OAuth pending flow
等横切点支持 dingtalk provider
- migration 136:4 表 CHECK 约束加入 'dingtalk' provider 值
internal_only 模式同步企业邮箱/姓名/部门到用户属性
- SyncCorpEmail / SyncDisplayName / SyncDept 三个独立开关 + 对应
SyncXxxAttrKey 目标属性 key(默认 dingtalk_email / dingtalk_name /
dingtalk_department);非 internal_only policy 在写入层与加载层均
coerce 为 false,admin handler 与 setting_service 双层兜底
- 同步语义:首次注册写 users.username(昵称优先 → 企业姓名 fallback),
之后每次登录刷新 3 个属性;空值也写入以覆盖旧值
- 邮箱三级 fallback:org_email > email > extension["企业邮箱"]
(钉钉自定义字段 JSON)
- 部门路径递归向上拼接,跳过 dept_id=1 选首个真实子部门,剥离根组织名
- GetUnionIdByUserToken 同时返回 OIDC /contact/users/me 的 nick 字段;
新增 GetDeptInfo 调用 OAPI /topapi/v2/department/get
- AuthHandler 注入 UserAttributeService;OAuth pending flow 在
createPendingOAuthAccount / bindPendingOAuthLogin 分别派发到
AfterRegistration(syncUsername=true)/ AfterLogin
- migration 137 seed dingtalk_email/name/department 三个用户属性定义
附带修复(同集成路径暴露的两个 OAuth 注册回归)
- LoginOrRegisterOAuthWithTokenPair 新建用户分支用 inferLegacySignupSource
覆写 caller 显式传入的 signupSource,导致 dingtalk/linuxdo/oidc/wechat
渠道授权按 email 渠道读取;改为只在 caller 未显式传入时回退邮箱推断
- mergeProviderDefaultGrantSettings 把 parse fallback 默认值
(Concurrency=5 / Balance=0) 当作"未配置"哨兵,admin 显式设 5 时被误判
退回全局默认(复现:全局默认 1 + 渠道默认并发 5 + grant_on_signup → 新
用户实际 concurrency=1);去掉哨兵,admin 任何 >=0 值都覆盖 globalDefaults
前端
- DingTalk Login / Callback / EmailCompletion / ChoiceAccount / Error
视图;router + auth API client
- admin SettingsView:corp policy radio(none / internal_only)+ bypass
注册开关 + i18n;internal_only 下展示三同步开关 + 目标 attr key 下拉
(拉取 user attribute definitions),展示 fieldEmail /
qyapi_get_department_list 钉钉权限申请提示
- Profile:S1 主动绑定 / S5 解绑钉钉按钮 + 合成邮箱防自锁
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
144 lines
4.0 KiB
Go
144 lines
4.0 KiB
Go
package schema
|
||
|
||
import (
|
||
"fmt"
|
||
|
||
"github.com/Wei-Shaw/sub2api/ent/schema/mixins"
|
||
"github.com/Wei-Shaw/sub2api/internal/domain"
|
||
|
||
"entgo.io/ent"
|
||
"entgo.io/ent/dialect"
|
||
"entgo.io/ent/dialect/entsql"
|
||
"entgo.io/ent/schema"
|
||
"entgo.io/ent/schema/edge"
|
||
"entgo.io/ent/schema/field"
|
||
"entgo.io/ent/schema/index"
|
||
)
|
||
|
||
// User holds the schema definition for the User entity.
|
||
type User struct {
|
||
ent.Schema
|
||
}
|
||
|
||
func (User) Annotations() []schema.Annotation {
|
||
return []schema.Annotation{
|
||
entsql.Annotation{Table: "users"},
|
||
}
|
||
}
|
||
|
||
func (User) Mixin() []ent.Mixin {
|
||
return []ent.Mixin{
|
||
mixins.TimeMixin{},
|
||
mixins.SoftDeleteMixin{},
|
||
}
|
||
}
|
||
|
||
func (User) Fields() []ent.Field {
|
||
return []ent.Field{
|
||
// 唯一约束通过部分索引实现(WHERE deleted_at IS NULL),支持软删除后重用
|
||
// 见迁移文件 016_soft_delete_partial_unique_indexes.sql
|
||
field.String("email").
|
||
MaxLen(255).
|
||
NotEmpty(),
|
||
field.String("password_hash").
|
||
MaxLen(255).
|
||
NotEmpty(),
|
||
field.String("role").
|
||
MaxLen(20).
|
||
Default(domain.RoleUser),
|
||
field.Float("balance").
|
||
SchemaType(map[string]string{dialect.Postgres: "decimal(20,8)"}).
|
||
Default(0),
|
||
field.Int("concurrency").
|
||
Default(5),
|
||
field.String("status").
|
||
MaxLen(20).
|
||
Default(domain.StatusActive),
|
||
|
||
// Optional profile fields (added later; default '' in DB migration)
|
||
field.String("username").
|
||
MaxLen(100).
|
||
Default(""),
|
||
// wechat field migrated to user_attribute_values (see migration 019)
|
||
field.String("notes").
|
||
SchemaType(map[string]string{dialect.Postgres: "text"}).
|
||
Default(""),
|
||
|
||
// TOTP 双因素认证字段
|
||
field.String("totp_secret_encrypted").
|
||
SchemaType(map[string]string{dialect.Postgres: "text"}).
|
||
Optional().
|
||
Nillable(),
|
||
field.Bool("totp_enabled").
|
||
Default(false),
|
||
field.Time("totp_enabled_at").
|
||
Optional().
|
||
Nillable(),
|
||
field.String("signup_source").
|
||
Validate(func(value string) error {
|
||
switch value {
|
||
case "email", "linuxdo", "wechat", "oidc", "github", "google", "dingtalk":
|
||
return nil
|
||
default:
|
||
return fmt.Errorf("must be one of email, linuxdo, wechat, oidc, github, google, dingtalk")
|
||
}
|
||
}).
|
||
Default("email"),
|
||
field.Time("last_login_at").
|
||
Optional().
|
||
Nillable().
|
||
SchemaType(map[string]string{dialect.Postgres: "timestamptz"}),
|
||
field.Time("last_active_at").
|
||
Optional().
|
||
Nillable().
|
||
SchemaType(map[string]string{dialect.Postgres: "timestamptz"}),
|
||
|
||
// 余额不足通知
|
||
field.Bool("balance_notify_enabled").
|
||
Default(true),
|
||
field.String("balance_notify_threshold_type").
|
||
Default("fixed"), // "fixed" | "percentage"
|
||
field.Float("balance_notify_threshold").
|
||
SchemaType(map[string]string{dialect.Postgres: "decimal(20,8)"}).
|
||
Optional().
|
||
Nillable(),
|
||
field.String("balance_notify_extra_emails").
|
||
SchemaType(map[string]string{dialect.Postgres: "text"}).
|
||
Default("[]"),
|
||
field.Float("total_recharged").
|
||
SchemaType(map[string]string{dialect.Postgres: "decimal(20,8)"}).
|
||
Default(0),
|
||
|
||
// 用户级每分钟请求数上限(0 = 不限制)。仅当所在分组未设置 rpm_limit 时作为兜底生效。
|
||
field.Int("rpm_limit").
|
||
Default(0),
|
||
}
|
||
}
|
||
|
||
func (User) Edges() []ent.Edge {
|
||
return []ent.Edge{
|
||
edge.To("api_keys", APIKey.Type),
|
||
edge.To("redeem_codes", RedeemCode.Type),
|
||
edge.To("subscriptions", UserSubscription.Type),
|
||
edge.To("assigned_subscriptions", UserSubscription.Type),
|
||
edge.To("announcement_reads", AnnouncementRead.Type),
|
||
edge.To("allowed_groups", Group.Type).
|
||
Through("user_allowed_groups", UserAllowedGroup.Type),
|
||
edge.To("usage_logs", UsageLog.Type),
|
||
edge.To("attribute_values", UserAttributeValue.Type),
|
||
edge.To("promo_code_usages", PromoCodeUsage.Type),
|
||
edge.To("payment_orders", PaymentOrder.Type),
|
||
edge.To("auth_identities", AuthIdentity.Type).
|
||
Annotations(entsql.OnDelete(entsql.Cascade)),
|
||
edge.To("pending_auth_sessions", PendingAuthSession.Type),
|
||
}
|
||
}
|
||
|
||
func (User) Indexes() []ent.Index {
|
||
return []ent.Index{
|
||
// email 字段已在 Fields() 中声明 Unique(),无需重复索引
|
||
index.Fields("status"),
|
||
index.Fields("deleted_at"),
|
||
}
|
||
}
|