package handler import ( "net/http" "strings" "time" "cyberstrike-ai/internal/config" "cyberstrike-ai/internal/security" "github.com/gin-gonic/gin" "go.uber.org/zap" ) // AuthHandler handles authentication-related endpoints. type AuthHandler struct { manager *security.AuthManager config *config.Config configPath string logger *zap.Logger } // NewAuthHandler creates a new AuthHandler. func NewAuthHandler(manager *security.AuthManager, cfg *config.Config, configPath string, logger *zap.Logger) *AuthHandler { return &AuthHandler{ manager: manager, config: cfg, configPath: configPath, logger: logger, } } type loginRequest struct { Password string `json:"password" binding:"required"` } type changePasswordRequest struct { OldPassword string `json:"oldPassword"` NewPassword string `json:"newPassword"` } // Login verifies password and returns a session token. func (h *AuthHandler) Login(c *gin.Context) { var req loginRequest if err := c.ShouldBindJSON(&req); err != nil { c.JSON(http.StatusBadRequest, gin.H{"error": "密码不能为空"}) return } token, expiresAt, err := h.manager.Authenticate(req.Password) if err != nil { c.JSON(http.StatusUnauthorized, gin.H{"error": "密码错误"}) return } c.JSON(http.StatusOK, gin.H{ "token": token, "expires_at": expiresAt.UTC().Format(time.RFC3339), "session_duration_hr": h.manager.SessionDurationHours(), }) } // Logout revokes the current session token. func (h *AuthHandler) Logout(c *gin.Context) { token := c.GetString(security.ContextAuthTokenKey) if token == "" { authHeader := c.GetHeader("Authorization") if len(authHeader) > 7 && strings.EqualFold(authHeader[:7], "Bearer ") { token = strings.TrimSpace(authHeader[7:]) } else { token = strings.TrimSpace(authHeader) } } h.manager.RevokeToken(token) c.JSON(http.StatusOK, gin.H{"message": "已退出登录"}) } // ChangePassword updates the login password. func (h *AuthHandler) ChangePassword(c *gin.Context) { var req changePasswordRequest if err := c.ShouldBindJSON(&req); err != nil { c.JSON(http.StatusBadRequest, gin.H{"error": "参数无效"}) return } oldPassword := strings.TrimSpace(req.OldPassword) newPassword := strings.TrimSpace(req.NewPassword) if oldPassword == "" || newPassword == "" { c.JSON(http.StatusBadRequest, gin.H{"error": "当前密码和新密码均不能为空"}) return } if len(newPassword) < 8 { c.JSON(http.StatusBadRequest, gin.H{"error": "新密码长度至少需要 8 位"}) return } if oldPassword == newPassword { c.JSON(http.StatusBadRequest, gin.H{"error": "新密码不能与旧密码相同"}) return } if !h.manager.CheckPassword(oldPassword) { c.JSON(http.StatusBadRequest, gin.H{"error": "当前密码不正确"}) return } if err := config.PersistAuthPassword(h.configPath, newPassword); err != nil { if h.logger != nil { h.logger.Error("保存新密码失败", zap.Error(err)) } c.JSON(http.StatusInternalServerError, gin.H{"error": "保存新密码失败,请重试"}) return } if err := h.manager.UpdateConfig(newPassword, h.config.Auth.SessionDurationHours); err != nil { if h.logger != nil { h.logger.Error("更新认证配置失败", zap.Error(err)) } c.JSON(http.StatusInternalServerError, gin.H{"error": "更新认证配置失败"}) return } h.config.Auth.Password = newPassword h.config.Auth.GeneratedPassword = "" h.config.Auth.GeneratedPasswordPersisted = false h.config.Auth.GeneratedPasswordPersistErr = "" if h.logger != nil { h.logger.Info("登录密码已更新,所有会话已失效") } c.JSON(http.StatusOK, gin.H{"message": "密码已更新,请使用新密码重新登录"}) } // Validate returns the current session status. func (h *AuthHandler) Validate(c *gin.Context) { token := c.GetString(security.ContextAuthTokenKey) if token == "" { c.JSON(http.StatusUnauthorized, gin.H{"error": "会话无效"}) return } session, ok := h.manager.ValidateToken(token) if !ok { c.JSON(http.StatusUnauthorized, gin.H{"error": "会话已过期"}) return } c.JSON(http.StatusOK, gin.H{ "token": session.Token, "expires_at": session.ExpiresAt.UTC().Format(time.RFC3339), }) }