billai/server/handler/auth.go

package handler

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"net/http"
	"time"

	"billai-server/config"

	"github.com/gin-gonic/gin"
	"github.com/golang-jwt/jwt/v5"
)

// LoginRequest 登录请求
type LoginRequest struct {
	Username string `json:"username" binding:"required"`
	Password string `json:"password" binding:"required"`
}

// LoginResponse 登录响应
type LoginResponse struct {
	Token string          `json:"token"`
	User  config.UserInfo `json:"user"`
}

// Claims JWT claims
type Claims struct {
	Username string `json:"username"`
	Name     string `json:"name"`
	Role     string `json:"role"`
	jwt.RegisteredClaims
}

// hashPassword 对密码进行 SHA-256 哈希
func hashPassword(password string) string {
	hash := sha256.Sum256([]byte(password))
	return hex.EncodeToString(hash[:])
}

// Login 用户登录
func Login(c *gin.Context) {
	var req LoginRequest
	if err := c.ShouldBindJSON(&req); err != nil {
		c.JSON(http.StatusBadRequest, gin.H{
			"success": false,
			"error":   "请输入用户名和密码",
		})
		return
	}

	// 查找用户
	var foundUser *config.UserInfo
	for _, user := range config.Global.Users {
		if user.Username == req.Username {
			foundUser = &user
			break
		}
	}

	if foundUser == nil {
		c.JSON(http.StatusUnauthorized, gin.H{
			"success": false,
			"error":   "用户名或密码错误",
		})
		return
	}

	// 验证密码（支持明文比较和哈希比较）
	passwordMatch := foundUser.Password == req.Password ||
		foundUser.Password == hashPassword(req.Password)

	if !passwordMatch {
		c.JSON(http.StatusUnauthorized, gin.H{
			"success": false,
			"error":   "用户名或密码错误",
		})
		return
	}

	// 生成 JWT Token
	expiry := config.Global.TokenExpiry
	if expiry <= 0 {
		expiry = 168 // 默认 7 天
	}

	claims := &Claims{
		Username: foundUser.Username,
		Name:     foundUser.Name,
		Role:     foundUser.Role,
		RegisteredClaims: jwt.RegisteredClaims{
			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Duration(expiry) * time.Hour)),
			IssuedAt:  jwt.NewNumericDate(time.Now()),
			Subject:   foundUser.Username,
		},
	}

	secret := config.Global.JWTSecret
	if secret == "" {
		secret = "billai-default-secret"
	}

	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
	tokenString, err := token.SignedString([]byte(secret))
	if err != nil {
		c.JSON(http.StatusInternalServerError, gin.H{
			"success": false,
			"error":   "生成 Token 失败",
		})
		return
	}

	c.JSON(http.StatusOK, gin.H{
		"success": true,
		"data": LoginResponse{
			Token: tokenString,
			User: config.UserInfo{
				Username: foundUser.Username,
				Name:     foundUser.Name,
				Email:    foundUser.Email,
				Role:     foundUser.Role,
			},
		},
	})
}

// ValidateToken 验证 Token
func ValidateToken(c *gin.Context) {
	tokenString := c.GetHeader("Authorization")
	if tokenString == "" {
		c.JSON(http.StatusUnauthorized, gin.H{
			"success": false,
			"error":   "未提供 Token",
			"code":    "TOKEN_MISSING",
		})
		return
	}

	// 移除 "Bearer " 前缀
	if len(tokenString) > 7 && tokenString[:7] == "Bearer " {
		tokenString = tokenString[7:]
	}

	secret := config.Global.JWTSecret
	if secret == "" {
		secret = "billai-default-secret"
	}

	token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {
		return []byte(secret), nil
	}, jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Name}))

	if err != nil || !token.Valid {
		code := "TOKEN_INVALID"
		message := "Token 无效"
		if err != nil && errors.Is(err, jwt.ErrTokenExpired) {
			code = "TOKEN_EXPIRED"
			message = "Token 已过期"
		}

		c.JSON(http.StatusUnauthorized, gin.H{
			"success": false,
			"error":   message,
			"code":    code,
		})
		return
	}

	claims, ok := token.Claims.(*Claims)
	if !ok {
		c.JSON(http.StatusUnauthorized, gin.H{
			"success": false,
			"error":   "Token 解析失败",
			"code":    "TOKEN_INVALID",
		})
		return
	}

	c.JSON(http.StatusOK, gin.H{
		"success": true,
		"data": config.UserInfo{
			Username: claims.Username,
			Name:     claims.Name,
			Role:     claims.Role,
		},
	})
}