b19da9c7fe
⚠️ 应用类型约束:当前实现仅支持「钉钉登录-企业内部应用」(DingTalk 开放平台
internal_app 类型)。第三方个人应用、第三方企业应用类型暂不支持——OAuth 流程
相同但 corp 校验、跨企业行为不同。backend 通过 DingTalkAppKind 校验对非
internal_app 类型 fail-closed(硬约束)。
钉钉 OAuth 登录主链
- 4 步 OAuth 链:ExchangeCodeForUserToken / GetUnionIdByUserToken /
GetUserIdByUnionId / GetStaffInfoByUserId;app token 缓存
- pending session 机制持久化 OAuth 中间态;cookie-only token 持久化
- 三种分流:bind_login_required / email_completion / choose_account_action
- corp_restriction_policy 支持 none + internal_only;stale "whitelist" 在
加载层与写入层均静默 coerce 为 none + slog.Warn
- bypass_registration 开关:企业内部模式豁免全局 REGISTRATION_DISABLED
- isReservedEmail / signup_source / canUnbindProvider / OAuth pending flow
等横切点支持 dingtalk provider
- migration 136:4 表 CHECK 约束加入 'dingtalk' provider 值
internal_only 模式同步企业邮箱/姓名/部门到用户属性
- SyncCorpEmail / SyncDisplayName / SyncDept 三个独立开关 + 对应
SyncXxxAttrKey 目标属性 key(默认 dingtalk_email / dingtalk_name /
dingtalk_department);非 internal_only policy 在写入层与加载层均
coerce 为 false,admin handler 与 setting_service 双层兜底
- 同步语义:首次注册写 users.username(昵称优先 → 企业姓名 fallback),
之后每次登录刷新 3 个属性;空值也写入以覆盖旧值
- 邮箱三级 fallback:org_email > email > extension["企业邮箱"]
(钉钉自定义字段 JSON)
- 部门路径递归向上拼接,跳过 dept_id=1 选首个真实子部门,剥离根组织名
- GetUnionIdByUserToken 同时返回 OIDC /contact/users/me 的 nick 字段;
新增 GetDeptInfo 调用 OAPI /topapi/v2/department/get
- AuthHandler 注入 UserAttributeService;OAuth pending flow 在
createPendingOAuthAccount / bindPendingOAuthLogin 分别派发到
AfterRegistration(syncUsername=true)/ AfterLogin
- migration 137 seed dingtalk_email/name/department 三个用户属性定义
附带修复(同集成路径暴露的两个 OAuth 注册回归)
- LoginOrRegisterOAuthWithTokenPair 新建用户分支用 inferLegacySignupSource
覆写 caller 显式传入的 signupSource,导致 dingtalk/linuxdo/oidc/wechat
渠道授权按 email 渠道读取;改为只在 caller 未显式传入时回退邮箱推断
- mergeProviderDefaultGrantSettings 把 parse fallback 默认值
(Concurrency=5 / Balance=0) 当作"未配置"哨兵,admin 显式设 5 时被误判
退回全局默认(复现:全局默认 1 + 渠道默认并发 5 + grant_on_signup → 新
用户实际 concurrency=1);去掉哨兵,admin 任何 >=0 值都覆盖 globalDefaults
前端
- DingTalk Login / Callback / EmailCompletion / ChoiceAccount / Error
视图;router + auth API client
- admin SettingsView:corp policy radio(none / internal_only)+ bypass
注册开关 + i18n;internal_only 下展示三同步开关 + 目标 attr key 下拉
(拉取 user attribute definitions),展示 fieldEmail /
qyapi_get_department_list 钉钉权限申请提示
- Profile:S1 主动绑定 / S5 解绑钉钉按钮 + 合成邮箱防自锁
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
104 lines
4.6 KiB
Go
104 lines
4.6 KiB
Go
package handler
|
|
|
|
import (
|
|
"github.com/Wei-Shaw/sub2api/internal/handler/dto"
|
|
"github.com/Wei-Shaw/sub2api/internal/pkg/response"
|
|
"github.com/Wei-Shaw/sub2api/internal/service"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
// SettingHandler 公开设置处理器(无需认证)
|
|
type SettingHandler struct {
|
|
settingService *service.SettingService
|
|
version string
|
|
}
|
|
|
|
// NewSettingHandler 创建公开设置处理器
|
|
func NewSettingHandler(settingService *service.SettingService, version string) *SettingHandler {
|
|
return &SettingHandler{
|
|
settingService: settingService,
|
|
version: version,
|
|
}
|
|
}
|
|
|
|
// GetPublicSettings 获取公开设置
|
|
// GET /api/v1/settings/public
|
|
func (h *SettingHandler) GetPublicSettings(c *gin.Context) {
|
|
settings, err := h.settingService.GetPublicSettings(c.Request.Context())
|
|
if err != nil {
|
|
response.ErrorFrom(c, err)
|
|
return
|
|
}
|
|
|
|
response.Success(c, dto.PublicSettings{
|
|
RegistrationEnabled: settings.RegistrationEnabled,
|
|
EmailVerifyEnabled: settings.EmailVerifyEnabled,
|
|
ForceEmailOnThirdPartySignup: settings.ForceEmailOnThirdPartySignup,
|
|
RegistrationEmailSuffixWhitelist: settings.RegistrationEmailSuffixWhitelist,
|
|
PromoCodeEnabled: settings.PromoCodeEnabled,
|
|
PasswordResetEnabled: settings.PasswordResetEnabled,
|
|
InvitationCodeEnabled: settings.InvitationCodeEnabled,
|
|
TotpEnabled: settings.TotpEnabled,
|
|
LoginAgreementEnabled: settings.LoginAgreementEnabled,
|
|
LoginAgreementMode: settings.LoginAgreementMode,
|
|
LoginAgreementUpdatedAt: settings.LoginAgreementUpdatedAt,
|
|
LoginAgreementRevision: settings.LoginAgreementRevision,
|
|
LoginAgreementDocuments: publicLoginAgreementDocumentsToDTO(settings.LoginAgreementDocuments),
|
|
TurnstileEnabled: settings.TurnstileEnabled,
|
|
TurnstileSiteKey: settings.TurnstileSiteKey,
|
|
SiteName: settings.SiteName,
|
|
SiteLogo: settings.SiteLogo,
|
|
SiteSubtitle: settings.SiteSubtitle,
|
|
APIBaseURL: settings.APIBaseURL,
|
|
ContactInfo: settings.ContactInfo,
|
|
DocURL: settings.DocURL,
|
|
HomeContent: settings.HomeContent,
|
|
HideCcsImportButton: settings.HideCcsImportButton,
|
|
PurchaseSubscriptionEnabled: settings.PurchaseSubscriptionEnabled,
|
|
PurchaseSubscriptionURL: settings.PurchaseSubscriptionURL,
|
|
TableDefaultPageSize: settings.TableDefaultPageSize,
|
|
TablePageSizeOptions: settings.TablePageSizeOptions,
|
|
CustomMenuItems: dto.ParseUserVisibleMenuItems(settings.CustomMenuItems),
|
|
CustomEndpoints: dto.ParseCustomEndpoints(settings.CustomEndpoints),
|
|
DingTalkOAuthEnabled: settings.DingTalkOAuthEnabled,
|
|
LinuxDoOAuthEnabled: settings.LinuxDoOAuthEnabled,
|
|
WeChatOAuthEnabled: settings.WeChatOAuthEnabled,
|
|
WeChatOAuthOpenEnabled: settings.WeChatOAuthOpenEnabled,
|
|
WeChatOAuthMPEnabled: settings.WeChatOAuthMPEnabled,
|
|
WeChatOAuthMobileEnabled: settings.WeChatOAuthMobileEnabled,
|
|
OIDCOAuthEnabled: settings.OIDCOAuthEnabled,
|
|
OIDCOAuthProviderName: settings.OIDCOAuthProviderName,
|
|
GitHubOAuthEnabled: settings.GitHubOAuthEnabled,
|
|
GoogleOAuthEnabled: settings.GoogleOAuthEnabled,
|
|
BackendModeEnabled: settings.BackendModeEnabled,
|
|
PaymentEnabled: settings.PaymentEnabled,
|
|
Version: h.version,
|
|
BalanceLowNotifyEnabled: settings.BalanceLowNotifyEnabled,
|
|
AccountQuotaNotifyEnabled: settings.AccountQuotaNotifyEnabled,
|
|
BalanceLowNotifyThreshold: settings.BalanceLowNotifyThreshold,
|
|
BalanceLowNotifyRechargeURL: settings.BalanceLowNotifyRechargeURL,
|
|
|
|
ChannelMonitorEnabled: settings.ChannelMonitorEnabled,
|
|
ChannelMonitorDefaultIntervalSeconds: settings.ChannelMonitorDefaultIntervalSeconds,
|
|
|
|
AvailableChannelsEnabled: settings.AvailableChannelsEnabled,
|
|
|
|
AffiliateEnabled: settings.AffiliateEnabled,
|
|
|
|
RiskControlEnabled: settings.RiskControlEnabled,
|
|
})
|
|
}
|
|
|
|
func publicLoginAgreementDocumentsToDTO(items []service.LoginAgreementDocument) []dto.LoginAgreementDocument {
|
|
result := make([]dto.LoginAgreementDocument, 0, len(items))
|
|
for _, item := range items {
|
|
result = append(result, dto.LoginAgreementDocument{
|
|
ID: item.ID,
|
|
Title: item.Title,
|
|
ContentMD: item.ContentMD,
|
|
})
|
|
}
|
|
return result
|
|
}
|