using Blahblah.FlowerStory.Server.Data; using Blahblah.FlowerStory.Server.Data.Model; using Microsoft.AspNetCore.Mvc; using System.Security.Cryptography; namespace Blahblah.FlowerStory.Server.Controller { ///

/// 用户会话相关服务 ///

[ApiController] [Consumes("application/json")] [Produces("application/json")] [Route("api/user")] public partial class UserController : BaseController { /// public UserController(FlowerDatabase db, ILogger logger) : base(db, logger) { } ///

/// 用户登录 ///

/// /// 请求示例： /// /// POST /api/user/auth /// { /// "id": "blahblah", /// "password": "pwd123" /// } /// /// /// 登录参数 /// 成功登录则返回自定义认证头 /// 返回自定义认证头 /// 认证失败 /// 未找到用户 [Route("auth")] [ProducesResponseType(StatusCodes.Status204NoContent)] [ProducesResponseType(StatusCodes.Status401Unauthorized)] [ProducesResponseType(StatusCodes.Status404NotFound)] [HttpPost] public ActionResult Authenticate([FromBody] LoginParamter login) { #if DEBUG logger?.LogInformation("user \"{user}\" try to login with password \"{password}\"", login.Id, login.Password); #endif var user = database.Users.FirstOrDefault(u => u.UserId == login.Id); if (user == null) { logger?.LogWarning("user \"{user}\" not found", login.Id); return NotFound(); } // comput password hash with salt string hash = HashPassword(login.Password, login.Id); if (hash != user.Password) { logger?.LogWarning("hash result {hash}, unauthorized with hash {password}", hash, user.Password); return Unauthorized(); } // record the session // TODO: singleton token, mobile var expires = 1200; var now = DateTimeOffset.UtcNow; var token = new TokenItem { Id = Convert.ToBase64String(SHA256.HashData(Guid.NewGuid().ToByteArray())), UserId = user.Id, LogonDateUnixTime = now.ToUnixTimeMilliseconds(), ActiveDateUnixTime = now.ToUnixTimeMilliseconds(), ExpireDateUnixTime = now.AddSeconds(expires).ToUnixTimeMilliseconds(), ExpireSeconds = expires, ClientApp = "browser", // TODO: support app later ClientAgent = Request.Headers.UserAgent }; database.Tokens.Add(token); user.ActiveDateUnixTime = token.ActiveDateUnixTime; database.Users.Update(user); SaveDatabase(); Response.Headers.Add(AuthHeader, token.Id); return NoContent(); } ///

/// 注销当前登录会话 ///

/// /// 请求示例： /// /// POST /api/user/logout /// Authorization: authorization id /// /// /// 注销失败则返回错误内容 /// 注销成功 /// 认证失败 [Route("logout")] [ProducesResponseType(StatusCodes.Status204NoContent)] [ProducesResponseType(StatusCodes.Status401Unauthorized)] [HttpPost] public ActionResult Logout() { var (result, token) = CheckToken(); if (result != null) { return result; } if (token == null) { return Unauthorized(); } database.Tokens.Remove(token); SaveDatabase(); return NoContent(); } ///

/// 注册用户 ///

/// /// 请求示例： /// /// POST /api/user/register /// { /// "id": "blahblah", /// "password": "pwd123", /// "userName": "Blah blah", /// "email": "blah@example.com", /// "mobile": "18012345678" /// } /// /// /// 注册参数 /// 成功注册则返回已注册的用户对象 /// 返回已注册的用户对象 /// 用户重复或其他服务器错误 [Route("register")] [ProducesResponseType(StatusCodes.Status200OK)] [ProducesResponseType(StatusCodes.Status500InternalServerError)] [HttpPost] public ActionResult Register([FromBody] UserParameter user) { #if DEBUG logger?.LogInformation("user register, {user}", user); #endif var u = database.Users.FirstOrDefault(u => u.UserId == user.Id); if (u != null) { logger?.LogWarning("duplicate user \"{id}\"", user.Id); return Problem("duplicateUser", "user/register", 500); } var now = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds(); var item = new UserItem { UserId = user.Id, Password = HashPassword(user.Password, user.Id), Level = UserCommon, RegisterDateUnixTime = now, ActiveDateUnixTime = now, Name = user.UserName, Email = user.Email, Mobile = user.Mobile }; database.Users.Add(item); SaveDatabase(); return Ok(item); } ///

/// 查询当前会话关联的用户 ///

/// /// 请求示例： /// /// GET /api/user/profile /// Authorization: authorization id /// /// /// 会话有效则返回关联的用户对象 /// 返回关联的用户对象 /// 未找到登录会话或已过期 /// 用户已禁用 /// 未找到关联用户 [Route("profile")] [ProducesResponseType(StatusCodes.Status200OK)] [ProducesResponseType(StatusCodes.Status401Unauthorized)] [ProducesResponseType(StatusCodes.Status403Forbidden)] [ProducesResponseType(StatusCodes.Status404NotFound)] [HttpGet] public ActionResult Profile() { var (result, user) = CheckPermission(); if (result != null) { return result; } if (user == null) { return NotFound(); } // update last active time SaveDatabase(); return Ok(user); } ///

/// 修改用户 ///

/// /// 请求示例： /// /// PUT /api/user/update /// Authorization: authorization id /// { /// "userName": "Blah blah", /// "email": "blah@example.com", /// "mobile": "18012345678" /// } /// /// /// 修改参数 /// 修改成功则返回已修改的用户对象 /// 返回已修改的用户对象 /// 未找到登录会话或已过期 /// 用户已禁用 /// 未找到关联用户 [Route("update")] [ProducesResponseType(StatusCodes.Status200OK)] [ProducesResponseType(StatusCodes.Status401Unauthorized)] [ProducesResponseType(StatusCodes.Status403Forbidden)] [ProducesResponseType(StatusCodes.Status404NotFound)] [HttpPut] public ActionResult Update([FromBody] UpdateParameter update) { #if DEBUG logger?.LogInformation("user update, {user}", update); #endif var (result, user) = CheckPermission(); if (result != null) { return result; } if (user == null) { return NotFound(); } //var now = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds(); //user.ActiveDateUnixTime = now; user.Name = update.UserName; user.Email = update.Email; user.Mobile = update.Mobile; database.Users.Update(user); SaveDatabase(); return Ok(user); } //#if DEBUG ///

/// #DEBUG 获取所有用户 ///

/// [Route("debug_list")] [HttpGet] public ActionResult GetUsers() { return Ok(database.Users.ToArray()); } ///

/// #DEBUG 获取所有 token ///

/// [Route("debug_tokens")] [HttpGet] public ActionResult GetTokens() { return Ok(database.Tokens.ToArray()); } //#endif } }