using Blahblah.FlowerStory.Server.Data; using Blahblah.FlowerStory.Server.Data.Model; using Microsoft.AspNetCore.Mvc; using System.Security.Cryptography; namespace Blahblah.FlowerStory.Server.Controller { ///

/// 用户会话相关服务 ///

[ApiController] [Produces("application/json")] [Route("api/user")] public partial class UserController : BaseController { /// public UserController(FlowerDatabase db, ILogger logger) : base(db, logger) { } ///

/// 用户登录 ///

/// /// 请求示例： /// /// POST /api/user/auth /// { /// "id": "blahblah", /// "password": "pwd123" /// } /// /// /// 登录参数 /// 成功登录则返回自定义认证头 /// 返回自定义认证头 /// 认证失败 /// 未找到用户 [Route("auth", Name = "authenticate")] [ProducesResponseType(StatusCodes.Status204NoContent)] [ProducesResponseType(StatusCodes.Status401Unauthorized)] [ProducesResponseType(StatusCodes.Status404NotFound)] [HttpPost] [Consumes("application/json")] public ActionResult Authenticate([FromBody] LoginParamter login) { #if DEBUG logger?.LogInformation("user \"{user}\" try to login with password \"{password}\"", login.Id, login.Password); #endif //var user = database.Users.SingleOrDefault(u => u.UserId == login.Id); var user = QueryUserItemForAuthentication(login.Id); if (user == null) { logger?.LogWarning("user \"{user}\" not found", login.Id); return NotFound(); } // comput password hash with salt string hash = HashPassword(login.Password, login.Id); if (hash != user.Password) { logger?.LogWarning("hash result {hash}, unauthorized with hash {password}", hash, user.Password); return Unauthorized(); } // record the session // TODO: singleton token string clientApp; int expires; if (Request.Headers.TryGetValue("X-ClientAgent", out var clientAgent)) { clientApp = "app"; expires = 30 * 24 * 60 * 60; // 30 days } else { clientApp = "browser"; expires = 20 * 60; // 20 mins } var now = DateTimeOffset.UtcNow; var token = new TokenItem { Id = Convert.ToBase64String(SHA256.HashData(Guid.NewGuid().ToByteArray())), UserId = user.Id, LogonDateUnixTime = now.ToUnixTimeMilliseconds(), ActiveDateUnixTime = now.ToUnixTimeMilliseconds(), ExpireDateUnixTime = now.AddSeconds(expires).ToUnixTimeMilliseconds(), ExpireSeconds = expires, ClientApp = clientApp, ClientAgent = clientAgent.Count > 0 ? clientAgent : Request.Headers.UserAgent, DeviceId = Request.Headers.TryGetValue("X-DeviceId", out var deviceId) ? deviceId.ToString() : null }; database.Tokens.Add(token); user.ActiveDateUnixTime = token.ActiveDateUnixTime; SaveDatabase(); Response.Headers.Add(AuthHeader, token.Id); return NoContent(); } ///

/// 注销当前登录会话 ///

/// /// 请求示例： /// /// POST /api/user/logout /// Authorization: authorization id /// /// /// 注销失败则返回错误内容 /// 注销成功 /// 认证失败 [Route("logout", Name = "logout")] [ProducesResponseType(StatusCodes.Status204NoContent)] [ProducesResponseType(StatusCodes.Status401Unauthorized)] [HttpPost] public ActionResult Logout() { var (result, token) = CheckToken(); if (result != null) { return result; } if (token == null) { return Unauthorized(); } database.Tokens.Remove(token); SaveDatabase(); return NoContent(); } ///

/// 注册用户 ///

/// /// 请求示例： /// /// POST /api/user/register /// { /// "id": "blahblah", /// "password": "pwd123", /// "userName": "Blah blah", /// "email": "blah@example.com", /// "mobile": "18012345678" /// } /// /// /// 注册参数 /// 成功注册则返回已注册的用户对象 /// 返回已注册的用户对象 /// 用户重复或其他服务器错误 [Route("register", Name = "register")] [ProducesResponseType(StatusCodes.Status200OK)] [ProducesResponseType(StatusCodes.Status500InternalServerError)] [HttpPost] [Consumes("application/json")] public ActionResult Register([FromBody] UserParameter user) { #if DEBUG logger?.LogInformation("user register, {user}", user); #endif if (database.Users.Any(u => u.UserId == user.Id)) { logger?.LogWarning("duplicate user \"{id}\"", user.Id); return Problem("duplicateUser", "user/register", 500); } var now = DateTimeOffset.UtcNow.ToUnixTimeMilliseconds(); var item = new UserItem { UserId = user.Id, Password = HashPassword(user.Password, user.Id), Level = UserCommon, RegisterDateUnixTime = now, ActiveDateUnixTime = now, Name = user.UserName, Email = user.Email, Mobile = user.Mobile }; database.Users.Add(item); SaveDatabase(); return Ok(item); } ///

/// 查询当前会话关联的用户 ///

/// /// 请求示例： /// /// GET /api/user/profile /// Authorization: authorization id /// /// /// 会话有效则返回关联的用户对象 /// 返回关联的用户对象 /// 未找到登录会话或已过期 /// 用户已禁用 /// 未找到关联用户 [Route("profile", Name = "getProfile")] [ProducesResponseType(StatusCodes.Status200OK)] [ProducesResponseType(StatusCodes.Status401Unauthorized)] [ProducesResponseType(StatusCodes.Status403Forbidden)] [ProducesResponseType(StatusCodes.Status404NotFound)] [HttpGet] public ActionResult Profile() { var (result, user) = CheckPermission(); if (result != null) { return result; } if (user == null) { return NotFound(); } // update last active time SaveDatabase(); return Ok(user); } ///

/// 修改用户 ///

/// /// 请求示例： /// /// PUT /api/user/update /// Authorization: authorization id /// { /// "userName": "Blah blah", /// "email": "blah@example.com", /// "mobile": "18012345678" /// } /// /// /// 修改参数 /// 修改成功则返回已修改的用户对象 /// 返回已修改的用户对象 /// 未找到登录会话或已过期 /// 用户已禁用 /// 未找到关联用户 /// 提交正文过大 [Route("update", Name = "updateProfile")] [ProducesResponseType(StatusCodes.Status200OK)] [ProducesResponseType(StatusCodes.Status401Unauthorized)] [ProducesResponseType(StatusCodes.Status403Forbidden)] [ProducesResponseType(StatusCodes.Status404NotFound)] [ProducesResponseType(StatusCodes.Status413PayloadTooLarge)] [HttpPut] [Consumes("application/json")] public ActionResult Update([FromBody] UpdateParameter update) { #if DEBUG logger?.LogInformation("user update, {user}", update); #endif var (result, user) = CheckPermission(); if (result != null) { return result; } if (user == null) { return NotFound(); } user.Name = update.UserName; user.Email = update.Email; user.Mobile = update.Mobile; SaveDatabase(); return Ok(user); } ///

/// 修改用户头像 ///

/// /// 请求示例： /// /// PUT /api/user/update_avatar /// Authorization: authorization id /// /// 参数： /// /// avatar: IFormFile? /// /// /// 用户头像 /// 修改成功则返回 HTTP 204 /// 修改成功 /// 头像内容格式非法 /// 未找到登录会话或已过期 /// 用户已禁用 /// 未找到关联用户 /// 提交正文过大 [Route("update_avatar", Name = "updateAvatar")] [ProducesResponseType(StatusCodes.Status204NoContent)] [ProducesResponseType(StatusCodes.Status400BadRequest)] [ProducesResponseType(StatusCodes.Status401Unauthorized)] [ProducesResponseType(StatusCodes.Status403Forbidden)] [ProducesResponseType(StatusCodes.Status404NotFound)] [ProducesResponseType(StatusCodes.Status413PayloadTooLarge)] [HttpPut] [Consumes("multipart/form-data")] [RequestSizeLimit(5 * 1024 * 1024)] public ActionResult UploadAvatar(IFormFile? avatar) { #if DEBUG logger?.LogInformation("user update avatar, {avatar}", avatar); #endif var (result, user) = CheckPermission(); if (result != null) { return result; } if (user == null) { return NotFound(); } if (avatar?.Length > 0) { var file = WrapFormFile(avatar); if (file == null) { return BadRequest(); } user.Avatar = file.Content; } SaveDatabase(); return Ok(user); } ///

/// 移除用户头像 ///

/// /// 请求示例： /// /// DELETE /api/user/remove_avatar /// Authorization: authorization id /// /// /// 移除成功则返回修改的数据库行数 /// 修改的数据库行数 /// 未找到登录会话或已过期 /// 用户已禁用 /// 未找到关联用户 [Route("remove_avatar", Name = "removeAvatar")] [ProducesResponseType(StatusCodes.Status200OK)] [ProducesResponseType(StatusCodes.Status401Unauthorized)] [ProducesResponseType(StatusCodes.Status403Forbidden)] [ProducesResponseType(StatusCodes.Status404NotFound)] [HttpDelete] public ActionResult RemoveAvatar() { var (result, user) = CheckPermission(); if (result != null) { return result; } if (user == null) { return NotFound(); } var count = RemoveUserAvatar(user.Id); SaveDatabase(); return Ok(count); } //#if DEBUG ///

/// #DEBUG 获取所有用户 ///

/// [Route("debug_list", Name = "debug_list")] [HttpGet] public ActionResult GetUsers() { return Ok(database.Users.ToArray()); } ///

/// #DEBUG 获取所有 token ///

/// [Route("debug_tokens", Name = "debug_tokens")] [HttpGet] public ActionResult GetTokens() { return Ok(database.Tokens.ToArray()); } //#endif } }