from __future__ import annotations import mimetypes from pathlib import Path from flask import Blueprint, request, jsonify, session, redirect, send_from_directory, abort, current_app from modules.personalization_manager import load_personalization_config from modules.user_manager import UserWorkspace from .auth_helpers import login_required, api_login_required, get_current_user_record, get_current_username from .security import ( get_csrf_token, check_rate_limit, register_failure, is_action_blocked, clear_failures, ) from .context import with_terminal, get_gui_manager from . import state from .utils_common import debug_log auth_bp = Blueprint("auth", __name__) @auth_bp.route('/api/csrf-token', methods=['GET']) def issue_csrf_token(): token = get_csrf_token() response = jsonify({"success": True, "token": token}) response.headers['Cache-Control'] = 'no-store' return response @auth_bp.route('/login', methods=['GET', 'POST']) def login(): if request.method == 'GET': if session.get('username'): return redirect('/new') if not state.container_manager.has_capacity(): return current_app.send_static_file('resource_busy.html'), 503 return current_app.send_static_file('login.html') data = request.get_json() or {} email = (data.get('email') or '').strip() password = data.get('password') or '' client_ip = request.headers.get('X-Forwarded-For', '').split(',')[0].strip() or request.remote_addr or 'unknown' limited, retry_after = check_rate_limit("login", 10, 60, client_ip) if limited: return jsonify({"success": False, "error": "登录请求过于频繁,请稍后再试。", "retry_after": retry_after}), 429 blocked, block_for = is_action_blocked("login", identifier=client_ip) if blocked: return jsonify({"success": False, "error": f"尝试次数过多,请 {block_for} 秒后重试。", "retry_after": block_for}), 429 record = state.user_manager.authenticate(email, password) if not record: wait_seconds = register_failure("login", state.FAILED_LOGIN_LIMIT, state.FAILED_LOGIN_LOCK_SECONDS, identifier=client_ip) error_payload = {"success": False, "error": "账号或密码错误"} status_code = 401 if wait_seconds: error_payload.update({"error": f"尝试次数过多,请 {wait_seconds} 秒后重试。", "retry_after": wait_seconds}) status_code = 429 return jsonify(error_payload), status_code workspace = state.user_manager.ensure_user_workspace(record.username) preferred_run_mode = None try: personal_config = load_personalization_config(workspace.data_dir) candidate_mode = (personal_config or {}).get('default_run_mode') if isinstance(candidate_mode, str): normalized_mode = candidate_mode.lower() if normalized_mode in {"fast", "thinking", "deep"}: preferred_run_mode = normalized_mode except Exception as exc: debug_log(f"加载个性化偏好失败: {exc}") session['logged_in'] = True session['username'] = record.username session['role'] = record.role or 'user' default_thinking = current_app.config.get('DEFAULT_THINKING_MODE', False) session['thinking_mode'] = default_thinking session['run_mode'] = current_app.config.get('DEFAULT_RUN_MODE', "deep" if default_thinking else "fast") if preferred_run_mode: session['run_mode'] = preferred_run_mode session['thinking_mode'] = preferred_run_mode != 'fast' session.permanent = True clear_failures("login", identifier=client_ip) try: state.container_manager.ensure_container(record.username, str(workspace.project_path)) except RuntimeError as exc: session.clear() return jsonify({"success": False, "error": str(exc), "code": "resource_busy"}), 503 from .usage import record_user_activity record_user_activity(record.username) get_csrf_token(force_new=True) return jsonify({"success": True}) @auth_bp.route('/register', methods=['GET', 'POST']) def register(): if request.method == 'GET': if session.get('username'): return redirect('/new') return current_app.send_static_file('register.html') data = request.get_json() or {} username = (data.get('username') or '').strip() email = (data.get('email') or '').strip() password = data.get('password') or '' invite_code = (data.get('invite_code') or '').strip() from .security import get_client_ip limited, retry_after = check_rate_limit("register", 5, 300, get_client_ip()) if limited: return jsonify({"success": False, "error": "注册请求过于频繁,请稍后再试。", "retry_after": retry_after}), 429 try: state.user_manager.register_user(username, email, password, invite_code) return jsonify({"success": True}) except ValueError as exc: return jsonify({"success": False, "error": str(exc)}), 400 except Exception as exc: return jsonify({"success": False, "error": str(exc)}), 500 @auth_bp.route('/logout', methods=['POST']) def logout(): username = session.get('username') session.clear() if username and username in state.user_terminals: state.user_terminals.pop(username, None) if username: state.container_manager.release_container(username, reason="logout") for token_value, meta in list(state.pending_socket_tokens.items()): if meta.get("username") == username: state.pending_socket_tokens.pop(token_value, None) return jsonify({"success": True}) @auth_bp.route('/') @login_required def index(): return redirect('/new') @auth_bp.route('/new') @login_required def new_page(): return current_app.send_static_file('index.html') @auth_bp.route('/') @login_required def conversation_page(conversation_id): return current_app.send_static_file('index.html') @auth_bp.route('/terminal') @login_required def terminal_page(): from .auth_helpers import resolve_admin_policy policy = resolve_admin_policy(get_current_user_record()) if policy.get("ui_blocks", {}).get("block_realtime_terminal"): return "实时终端已被管理员禁用", 403 return current_app.send_static_file('terminal.html') @auth_bp.route('/file-manager') @login_required def gui_file_manager_page(): from .auth_helpers import resolve_admin_policy policy = resolve_admin_policy(get_current_user_record()) if policy.get("ui_blocks", {}).get("block_file_manager"): return "文件管理器已被管理员禁用", 403 return send_from_directory(Path(current_app.static_folder) / 'file_manager', 'index.html') @auth_bp.route('/file-manager/editor') @login_required def gui_file_editor_page(): return send_from_directory(Path(current_app.static_folder) / 'file_manager', 'editor.html') @auth_bp.route('/file-preview/') @login_required @with_terminal def gui_file_preview(relative_path: str, terminal, workspace: UserWorkspace, username: str): manager = get_gui_manager(workspace) try: target = manager.prepare_download(relative_path) if not target.is_file(): return "预览仅支持文件", 400 return send_from_directory(directory=target.parent, path=target.name, mimetype='text/html') except Exception as exc: return f"无法预览文件: {exc}", 400 @auth_bp.route('/user_upload/') @login_required def serve_user_upload(filename: str): user = get_current_user_record() if not user: return redirect('/login') workspace = state.user_manager.ensure_user_workspace(user.username) uploads_dir = workspace.uploads_dir.resolve() target = (uploads_dir / filename).resolve() try: target.relative_to(uploads_dir) except ValueError: abort(403) if not target.exists() or not target.is_file(): abort(404) return send_from_directory(str(uploads_dir), str(target.relative_to(uploads_dir))) @auth_bp.route('/workspace/') @login_required def serve_workspace_file(filename: str): user = get_current_user_record() if not user: return redirect('/login') workspace = state.user_manager.ensure_user_workspace(user.username) project_root = workspace.project_path.resolve() target = (project_root / filename).resolve() try: target.relative_to(project_root) except ValueError: abort(403) if not target.exists() or not target.is_file(): abort(404) mime_type, _ = mimetypes.guess_type(str(target)) if not mime_type or not mime_type.startswith("image/"): abort(415) return send_from_directory(str(target.parent), target.name) @auth_bp.route('/static/') def static_files(filename): if filename.startswith('admin_dashboard'): abort(404) return send_from_directory('static', filename) __all__ = ["auth_bp"]