Yuerchu/disknext
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

feat: add multi-provider auth via AuthIdentity and extend site config

Browse Source 
- Extract AuthIdentity model for multi-provider authentication (email_password, OAuth, Passkey, Magic Link)
- Remove password field from User model, credentials now stored in AuthIdentity
- Refactor unified login/register to use AuthIdentity-based provider checking
- Add site config fields: footer_code, tos_url, privacy_url, auth_methods
- Add auth settings defaults in migration (email_password enabled by default)
- Update admin user creation to create AuthIdentity records
- Update all tests to use AuthIdentity model

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
于小丘
2026-02-12 22:49:12 +08:00
parent d831c9c0d6
commit 729773cae3
20 changed files with 1447 additions and 412 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
tests/unit/models/test_object.py
View File

@@ -19,7 +19,7 @@ async def test_object_create_folder(db_session: AsyncSession):
group = Group(name="测试组")
group = await group.save(db_session)
user = User(email="testuser", password="password", group_id=group.id)
user = User(email="testuser", group_id=group.id)
user = await user.save(db_session)
policy = Policy(
@@ -53,7 +53,7 @@ async def test_object_create_file(db_session: AsyncSession):
group = Group(name="测试组")
group = await group.save(db_session)
user = User(email="testuser", password="password", group_id=group.id)
user = User(email="testuser", group_id=group.id)
user = await user.save(db_session)
policy = Policy(
@@ -98,7 +98,7 @@ async def test_object_is_file_property(db_session: AsyncSession):
group = Group(name="测试组")
group = await group.save(db_session)
user = User(email="testuser", password="password", group_id=group.id)
user = User(email="testuser", group_id=group.id)
user = await user.save(db_session)
policy = Policy(name="本地策略", type=PolicyType.LOCAL, server="/tmp/test")
@@ -125,7 +125,7 @@ async def test_object_is_folder_property(db_session: AsyncSession):
group = Group(name="测试组")
group = await group.save(db_session)
user = User(email="testuser", password="password", group_id=group.id)
user = User(email="testuser", group_id=group.id)
user = await user.save(db_session)
policy = Policy(name="本地策略", type=PolicyType.LOCAL, server="/tmp/test")
@@ -151,7 +151,7 @@ async def test_object_get_root(db_session: AsyncSession):
group = Group(name="测试组")
group = await group.save(db_session)
user = User(email="rootuser", password="password", group_id=group.id)
user = User(email="rootuser", group_id=group.id)
user = await user.save(db_session)
policy = Policy(name="本地策略", type=PolicyType.LOCAL, server="/tmp/test")
@@ -183,7 +183,7 @@ async def test_object_get_by_path_root(db_session: AsyncSession):
group = Group(name="测试组")
group = await group.save(db_session)
user = User(email="pathuser", password="password", group_id=group.id)
user = User(email="pathuser", group_id=group.id)
user = await user.save(db_session)
policy = Policy(name="本地策略", type=PolicyType.LOCAL, server="/tmp/test")
@@ -214,7 +214,7 @@ async def test_object_get_by_path_nested(db_session: AsyncSession):
group = Group(name="测试组")
group = await group.save(db_session)
user = User(email="nesteduser", password="password", group_id=group.id)
user = User(email="nesteduser", group_id=group.id)
user = await user.save(db_session)
policy = Policy(name="本地策略", type=PolicyType.LOCAL, server="/tmp/test")
@@ -277,7 +277,7 @@ async def test_object_get_by_path_not_found(db_session: AsyncSession):
group = Group(name="测试组")
group = await group.save(db_session)
user = User(email="notfounduser", password="password", group_id=group.id)
user = User(email="notfounduser", group_id=group.id)
user = await user.save(db_session)
policy = Policy(name="本地策略", type=PolicyType.LOCAL, server="/tmp/test")
@@ -311,7 +311,7 @@ async def test_object_get_children(db_session: AsyncSession):
group = Group(name="测试组")
group = await group.save(db_session)
user = User(email="childrenuser", password="password", group_id=group.id)
user = User(email="childrenuser", group_id=group.id)
user = await user.save(db_session)
policy = Policy(name="本地策略", type=PolicyType.LOCAL, server="/tmp/test")
@@ -363,7 +363,7 @@ async def test_object_parent_child_relationship(db_session: AsyncSession):
group = Group(name="测试组")
group = await group.save(db_session)
user = User(email="reluser", password="password", group_id=group.id)
user = User(email="reluser", group_id=group.id)
user = await user.save(db_session)
policy = Policy(name="本地策略", type=PolicyType.LOCAL, server="/tmp/test")
@@ -408,7 +408,7 @@ async def test_object_unique_constraint(db_session: AsyncSession):
group = Group(name="测试组")
group = await group.save(db_session)
user = User(email="uniqueuser", password="password", group_id=group.id)
user = User(email="uniqueuser", group_id=group.id)
user = await user.save(db_session)
policy = Policy(name="本地策略", type=PolicyType.LOCAL, server="/tmp/test")
@@ -456,7 +456,7 @@ async def test_object_get_full_path(db_session: AsyncSession):
group = Group(name="测试组")
group = await group.save(db_session)
user = User(email="pathuser", password="password", group_id=group.id)
user = User(email="pathuser", group_id=group.id)
user = await user.save(db_session)
policy = Policy(name="本地策略", type=PolicyType.LOCAL, server="/tmp/test")

44
tests/unit/models/test_user.py
View File

@@ -20,7 +20,6 @@ async def test_user_create(db_session: AsyncSession):
user = User(
email="testuser@test.local",
nickname="测试用户",
password="hashed_password",
group_id=group.id
)
user = await user.save(db_session)
@@ -43,7 +42,6 @@ async def test_user_unique_email(db_session: AsyncSession):
# 创建第一个用户
user1 = User(
email="duplicate@test.local",
password="password1",
group_id=group.id
)
await user1.save(db_session)
@@ -51,7 +49,6 @@ async def test_user_unique_email(db_session: AsyncSession):
# 尝试创建同名用户
user2 = User(
email="duplicate@test.local",
password="password2",
group_id=group.id
)
@@ -70,7 +67,6 @@ async def test_user_to_public(db_session: AsyncSession):
user = User(
email="publicuser@test.local",
nickname="公开用户",
password="secret_password",
storage=1024,
avatar="avatar.jpg",
group_id=group.id
@@ -88,8 +84,6 @@ async def test_user_to_public(db_session: AsyncSession):
# 这是已知的设计问题,需要在 UserPublic 中添加别名或重命名字段
assert public_user.nick is None # 实际行为
assert public_user.storage == 1024
# 密码不应该在公开数据中
assert not hasattr(public_user, 'password')
@pytest.mark.asyncio
@@ -102,7 +96,6 @@ async def test_user_group_relationship(db_session: AsyncSession):
# 创建用户
user = User(
email="vipuser@test.local",
password="password",
group_id=group.id
)
user = await user.save(db_session)
@@ -126,7 +119,6 @@ async def test_user_status_default(db_session: AsyncSession):
user = User(
email="defaultuser@test.local",
password="password",
group_id=group.id
)
user = await user.save(db_session)
@@ -142,7 +134,6 @@ async def test_user_storage_default(db_session: AsyncSession):
user = User(
email="storageuser@test.local",
password="password",
group_id=group.id
)
user = await user.save(db_session)
@@ -159,7 +150,6 @@ async def test_user_theme_enum(db_session: AsyncSession):
# 测试默认值
user1 = User(
email="user1@test.local",
password="password",
group_id=group.id
)
user1 = await user1.save(db_session)
@@ -168,7 +158,6 @@ async def test_user_theme_enum(db_session: AsyncSession):
# 测试设置为 LIGHT
user2 = User(
email="user2@test.local",
password="password",
theme=ThemeType.LIGHT,
group_id=group.id
)
@@ -178,9 +167,40 @@ async def test_user_theme_enum(db_session: AsyncSession):
# 测试设置为 DARK
user3 = User(
email="user3@test.local",
password="password",
theme=ThemeType.DARK,
group_id=group.id
)
user3 = await user3.save(db_session)
assert user3.theme == ThemeType.DARK
@pytest.mark.asyncio
async def test_user_email_optional(db_session: AsyncSession):
"""测试 email 可以为空(支持社交登录用户)"""
group = Group(name="默认组")
group = await group.save(db_session)
user = User(
nickname="社交用户",
group_id=group.id
)
user = await user.save(db_session)
assert user.id is not None
assert user.email is None
@pytest.mark.asyncio
async def test_user_phone_field(db_session: AsyncSession):
"""测试 phone 字段"""
group = Group(name="默认组")
group = await group.save(db_session)
user = User(
email="phoneuser@test.local",
phone="13800138000",
group_id=group.id
)
user = await user.save(db_session)
assert user.phone == "13800138000"

243
tests/unit/service/test_login.py
View File

@@ -1,78 +1,154 @@
"""
Login 服务的单元测试
测试 unified_login() 各 provider 路径。
"""
import pytest
from fastapi import HTTPException
from sqlmodel.ext.asyncio.session import AsyncSession
from sqlmodels.user import User, LoginRequest, TokenResponse, UserStatus
from sqlmodels.group import Group
from service.user.login import login
from sqlmodels.auth_identity import AuthIdentity, AuthProviderType
from sqlmodels.setting import Setting, SettingsType
from sqlmodels.user import User, UnifiedLoginRequest, TokenResponse, UserStatus
from sqlmodels.group import Group, GroupOptions
from service.user.login import unified_login
from utils.password.pwd import Password
@pytest.fixture
async def setup_user(db_session: AsyncSession):
"""创建测试用户"""
async def setup_auth_settings(db_session: AsyncSession):
"""创建认证相关的 Setting 配置"""
settings = [
Setting(type=SettingsType.AUTH, name="auth_email_password_enabled", value="1"),
Setting(type=SettingsType.AUTH, name="auth_phone_sms_enabled", value="0"),
Setting(type=SettingsType.AUTH, name="auth_passkey_enabled", value="0"),
Setting(type=SettingsType.AUTH, name="auth_magic_link_enabled", value="0"),
Setting(type=SettingsType.OAUTH, name="github_enabled", value="0"),
Setting(type=SettingsType.OAUTH, name="qq_enabled", value="0"),
]
for s in settings:
await s.save(db_session)
@pytest.fixture
async def setup_user(db_session: AsyncSession, setup_auth_settings):
"""创建测试用户和邮箱密码认证身份"""
# 创建用户组
group = Group(name="测试组")
group = await group.save(db_session)
# 创建用户组选项
group_options = GroupOptions(
group_id=group.id,
share_download=True,
share_free=False,
relocate=False,
)
await group_options.save(db_session)
# 创建正常用户
plain_password = "secure_password_123"
user = User(
email="loginuser@test.local",
password=Password.hash(plain_password),
status=UserStatus.ACTIVE,
group_id=group.id
group_id=group.id,
)
user = await user.save(db_session)
# 创建邮箱密码认证身份
identity = AuthIdentity(
provider=AuthProviderType.EMAIL_PASSWORD,
identifier="loginuser@test.local",
credential=Password.hash(plain_password),
is_primary=True,
is_verified=True,
user_id=user.id,
)
await identity.save(db_session)
return {
"user": user,
"password": plain_password,
"group_id": group.id
"group_id": group.id,
}
@pytest.fixture
async def setup_banned_user(db_session: AsyncSession):
async def setup_banned_user(db_session: AsyncSession, setup_auth_settings):
"""创建被封禁的用户"""
group = Group(name="测试组2")
group = await group.save(db_session)
group_options = GroupOptions(
group_id=group.id,
share_download=True,
share_free=False,
relocate=False,
)
await group_options.save(db_session)
user = User(
email="banneduser@test.local",
password=Password.hash("password"),
status=UserStatus.ADMIN_BANNED, # 封禁状态
group_id=group.id
status=UserStatus.ADMIN_BANNED,
group_id=group.id,
)
user = await user.save(db_session)
identity = AuthIdentity(
provider=AuthProviderType.EMAIL_PASSWORD,
identifier="banneduser@test.local",
credential=Password.hash("password"),
is_primary=True,
is_verified=True,
user_id=user.id,
)
await identity.save(db_session)
return user
@pytest.fixture
async def setup_2fa_user(db_session: AsyncSession):
async def setup_2fa_user(db_session: AsyncSession, setup_auth_settings):
"""创建启用了两步验证的用户"""
import pyotp
group = Group(name="测试组3")
group = await group.save(db_session)
group_options = GroupOptions(
group_id=group.id,
share_download=True,
share_free=False,
relocate=False,
)
await group_options.save(db_session)
secret = pyotp.random_base32()
user = User(
email="2fauser@test.local",
password=Password.hash("password"),
status=UserStatus.ACTIVE,
two_factor=secret,
group_id=group.id
group_id=group.id,
)
user = await user.save(db_session)
# 创建带 2FA secret 的邮箱密码认证身份
import orjson
extra_data = orjson.dumps({"two_factor": secret}).decode('utf-8')
identity = AuthIdentity(
provider=AuthProviderType.EMAIL_PASSWORD,
identifier="2fauser@test.local",
credential=Password.hash("password"),
extra_data=extra_data,
is_primary=True,
is_verified=True,
user_id=user.id,
)
await identity.save(db_session)
return {
"user": user,
"secret": secret,
"password": "password"
"password": "password",
}
@@ -81,12 +157,13 @@ async def test_login_success(db_session: AsyncSession, setup_user):
"""测试正常登录"""
user_data = setup_user
login_request = LoginRequest(
email="loginuser@test.local",
password=user_data["password"]
request = UnifiedLoginRequest(
provider=AuthProviderType.EMAIL_PASSWORD,
identifier="loginuser@test.local",
credential=user_data["password"],
)
result = await login(db_session, login_request)
result = await unified_login(db_session, request)
assert isinstance(result, TokenResponse)
assert result.access_token is not None
@@ -96,42 +173,48 @@ async def test_login_success(db_session: AsyncSession, setup_user):
@pytest.mark.asyncio
async def test_login_user_not_found(db_session: AsyncSession):
async def test_login_user_not_found(db_session: AsyncSession, setup_user):
"""测试用户不存在"""
login_request = LoginRequest(
email="nonexistent@test.local",
password="any_password"
request = UnifiedLoginRequest(
provider=AuthProviderType.EMAIL_PASSWORD,
identifier="nonexistent@test.local",
credential="any_password",
)
result = await login(db_session, login_request)
with pytest.raises(HTTPException) as exc_info:
await unified_login(db_session, request)
assert result is None
assert exc_info.value.status_code == 401
@pytest.mark.asyncio
async def test_login_wrong_password(db_session: AsyncSession, setup_user):
"""测试密码错误"""
login_request = LoginRequest(
email="loginuser@test.local",
password="wrong_password"
request = UnifiedLoginRequest(
provider=AuthProviderType.EMAIL_PASSWORD,
identifier="loginuser@test.local",
credential="wrong_password",
)
result = await login(db_session, login_request)
with pytest.raises(HTTPException) as exc_info:
await unified_login(db_session, request)
assert result is None
assert exc_info.value.status_code == 401
@pytest.mark.asyncio
async def test_login_user_banned(db_session: AsyncSession, setup_banned_user):
"""测试用户被封禁"""
login_request = LoginRequest(
email="banneduser@test.local",
password="password"
request = UnifiedLoginRequest(
provider=AuthProviderType.EMAIL_PASSWORD,
identifier="banneduser@test.local",
credential="password",
)
result = await login(db_session, login_request)
with pytest.raises(HTTPException) as exc_info:
await unified_login(db_session, request)
assert result is False
assert exc_info.value.status_code == 403
@pytest.mark.asyncio
@@ -139,15 +222,17 @@ async def test_login_2fa_required(db_session: AsyncSession, setup_2fa_user):
"""测试需要 2FA"""
user_data = setup_2fa_user
login_request = LoginRequest(
email="2fauser@test.local",
password=user_data["password"]
request = UnifiedLoginRequest(
provider=AuthProviderType.EMAIL_PASSWORD,
identifier="2fauser@test.local",
credential=user_data["password"],
# 未提供 two_fa_code
)
result = await login(db_session, login_request)
with pytest.raises(HTTPException) as exc_info:
await unified_login(db_session, request)
assert result == "2fa_required"
assert exc_info.value.status_code == 428
@pytest.mark.asyncio
@@ -155,15 +240,17 @@ async def test_login_2fa_invalid(db_session: AsyncSession, setup_2fa_user):
"""测试 2FA 错误"""
user_data = setup_2fa_user
login_request = LoginRequest(
email="2fauser@test.local",
password=user_data["password"],
two_fa_code="000000" # 错误的验证码
request = UnifiedLoginRequest(
provider=AuthProviderType.EMAIL_PASSWORD,
identifier="2fauser@test.local",
credential=user_data["password"],
two_fa_code="000000",
)
result = await login(db_session, login_request)
with pytest.raises(HTTPException) as exc_info:
await unified_login(db_session, request)
assert result == "2fa_invalid"
assert exc_info.value.status_code == 401
@pytest.mark.asyncio
@@ -178,56 +265,44 @@ async def test_login_2fa_success(db_session: AsyncSession, setup_2fa_user):
totp = pyotp.TOTP(secret)
valid_code = totp.now()
login_request = LoginRequest(
email="2fauser@test.local",
password=user_data["password"],
two_fa_code=valid_code
request = UnifiedLoginRequest(
provider=AuthProviderType.EMAIL_PASSWORD,
identifier="2fauser@test.local",
credential=user_data["password"],
two_fa_code=valid_code,
)
result = await login(db_session, login_request)
result = await unified_login(db_session, request)
assert isinstance(result, TokenResponse)
assert result.access_token is not None
@pytest.mark.asyncio
async def test_login_returns_valid_tokens(db_session: AsyncSession, setup_user):
"""测试返回的令牌可以被解码"""
import jwt as pyjwt
user_data = setup_user
login_request = LoginRequest(
email="loginuser@test.local",
password=user_data["password"]
async def test_login_provider_disabled(db_session: AsyncSession, setup_user):
"""测试未启用的 provider"""
request = UnifiedLoginRequest(
provider=AuthProviderType.PHONE_SMS,
identifier="13800138000",
credential="123456",
)
result = await login(db_session, login_request)
with pytest.raises(HTTPException) as exc_info:
await unified_login(db_session, request)
assert isinstance(result, TokenResponse)
# 注意: 实际项目中需要使用正确的 SECRET_KEY
# 这里假设测试环境已经设置了 SECRET_KEY
# decoded = pyjwt.decode(
# result.access_token,
# SECRET_KEY,
# algorithms=["HS256"]
# )
# assert decoded["sub"] == "loginuser"
assert exc_info.value.status_code == 400
@pytest.mark.asyncio
async def test_login_case_sensitive_email(db_session: AsyncSession, setup_user):
"""测试邮箱大小写敏感"""
user_data = setup_user
# 使用大写邮箱登录
login_request = LoginRequest(
email="LOGINUSER@TEST.LOCAL",
password=user_data["password"]
async def test_login_missing_password(db_session: AsyncSession, setup_user):
"""测试邮箱密码登录缺少密码"""
request = UnifiedLoginRequest(
provider=AuthProviderType.EMAIL_PASSWORD,
identifier="loginuser@test.local",
# 未提供 credential
)
result = await login(db_session, login_request)
with pytest.raises(HTTPException) as exc_info:
await unified_login(db_session, request)
# 应该失败,因为邮箱大小写不匹配
assert result is None
assert exc_info.value.status_code == 400