feat(dingtalk): 钉钉 OAuth 登录接入与 internal_only 用户属性同步

⚠️ 应用类型约束：当前实现仅支持「钉钉登录-企业内部应用」（DingTalk 开放平台
internal_app 类型）。第三方个人应用、第三方企业应用类型暂不支持——OAuth 流程
相同但 corp 校验、跨企业行为不同。backend 通过 DingTalkAppKind 校验对非
internal_app 类型 fail-closed（硬约束）。

钉钉 OAuth 登录主链
- 4 步 OAuth 链：ExchangeCodeForUserToken / GetUnionIdByUserToken /
  GetUserIdByUnionId / GetStaffInfoByUserId；app token 缓存
- pending session 机制持久化 OAuth 中间态；cookie-only token 持久化
- 三种分流：bind_login_required / email_completion / choose_account_action
- corp_restriction_policy 支持 none + internal_only；stale "whitelist" 在
  加载层与写入层均静默 coerce 为 none + slog.Warn
- bypass_registration 开关：企业内部模式豁免全局 REGISTRATION_DISABLED
- isReservedEmail / signup_source / canUnbindProvider / OAuth pending flow
  等横切点支持 dingtalk provider
- migration 136：4 表 CHECK 约束加入 'dingtalk' provider 值

internal_only 模式同步企业邮箱/姓名/部门到用户属性
- SyncCorpEmail / SyncDisplayName / SyncDept 三个独立开关 + 对应
  SyncXxxAttrKey 目标属性 key（默认 dingtalk_email / dingtalk_name /
  dingtalk_department）；非 internal_only policy 在写入层与加载层均
  coerce 为 false，admin handler 与 setting_service 双层兜底
- 同步语义：首次注册写 users.username（昵称优先 → 企业姓名 fallback），
  之后每次登录刷新 3 个属性；空值也写入以覆盖旧值
- 邮箱三级 fallback：org_email > email > extension["企业邮箱"]
  （钉钉自定义字段 JSON）
- 部门路径递归向上拼接，跳过 dept_id=1 选首个真实子部门，剥离根组织名
- GetUnionIdByUserToken 同时返回 OIDC /contact/users/me 的 nick 字段；
  新增 GetDeptInfo 调用 OAPI /topapi/v2/department/get
- AuthHandler 注入 UserAttributeService；OAuth pending flow 在
  createPendingOAuthAccount / bindPendingOAuthLogin 分别派发到
  AfterRegistration（syncUsername=true）/ AfterLogin
- migration 137 seed dingtalk_email/name/department 三个用户属性定义

附带修复（同集成路径暴露的两个 OAuth 注册回归）
- LoginOrRegisterOAuthWithTokenPair 新建用户分支用 inferLegacySignupSource
  覆写 caller 显式传入的 signupSource，导致 dingtalk/linuxdo/oidc/wechat
  渠道授权按 email 渠道读取；改为只在 caller 未显式传入时回退邮箱推断
- mergeProviderDefaultGrantSettings 把 parse fallback 默认值
  (Concurrency=5 / Balance=0) 当作"未配置"哨兵，admin 显式设 5 时被误判
  退回全局默认（复现：全局默认 1 + 渠道默认并发 5 + grant_on_signup → 新
  用户实际 concurrency=1）；去掉哨兵，admin 任何 >=0 值都覆盖 globalDefaults

前端
- DingTalk Login / Callback / EmailCompletion / ChoiceAccount / Error
  视图；router + auth API client
- admin SettingsView：corp policy radio（none / internal_only）+ bypass
  注册开关 + i18n；internal_only 下展示三同步开关 + 目标 attr key 下拉
  （拉取 user attribute definitions），展示 fieldEmail /
  qyapi_get_department_list 钉钉权限申请提示
- Profile：S1 主动绑定 / S5 解绑钉钉按钮 + 合成邮箱防自锁

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: 2 people

backend/cmd/server/wire_gen.go

@@ -15,12 +15,13 @@ import (
 )
 
 var authProviderTypes = map[string]struct{}{
-	"email":   {},
-	"github":  {},
-	"google":  {},
-	"linuxdo": {},
-	"oidc":    {},
-	"wechat":  {},
+	"email":    {},
+	"github":   {},
+	"google":   {},
+	"linuxdo":  {},
+	"oidc":     {},
+	"wechat":   {},
+	"dingtalk": {},
 }
 
 func validateAuthProviderType(value string) error {

backend/ent/schema/auth_identity.go

@@ -83,7 +83,7 @@ func TestAuthIdentityFoundationSchemas(t *testing.T) {
 	require.Equal(t, 1, signupSource.Validators)
 
 	validator := requireStringFieldValidator(t, User{}.Fields(), "signup_source")
-	for _, value := range []string{"email", "linuxdo", "wechat", "oidc", "github", "google"} {
+	for _, value := range []string{"email", "linuxdo", "wechat", "oidc", "github", "google", "dingtalk"} {
 		require.NoError(t, validator(value))
 	}
 	require.Error(t, validator("unknown"))

backend/ent/schema/auth_identity_schema_test.go

@@ -77,10 +77,10 @@ func (User) Fields() []ent.Field {
 		field.String("signup_source").
 			Validate(func(value string) error {
 				switch value {
-				case "email", "linuxdo", "wechat", "oidc", "github", "google":
+				case "email", "linuxdo", "wechat", "oidc", "github", "google", "dingtalk":
 					return nil
 				default:
-					return fmt.Errorf("must be one of email, linuxdo, wechat, oidc, github, google")
+					return fmt.Errorf("must be one of email, linuxdo, wechat, oidc, github, google, dingtalk")
 				}
 			}).
 			Default("email"),

backend/ent/schema/user.go

@@ -72,6 +72,7 @@ type Config struct {
 	LinuxDo                 LinuxDoConnectConfig          `mapstructure:"linuxdo_connect"`
 	WeChat                  WeChatConnectConfig           `mapstructure:"wechat_connect"`
 	OIDC                    OIDCConnectConfig             `mapstructure:"oidc_connect"`
+	DingTalk                DingTalkConnectConfig         `mapstructure:"dingtalk_connect"`
 	GitHubOAuth             EmailOAuthProviderConfig      `mapstructure:"github_oauth"`
 	GoogleOAuth             EmailOAuthProviderConfig      `mapstructure:"google_oauth"`
 	Default                 DefaultConfig                 `mapstructure:"default"`
@@ -242,6 +243,47 @@ type OIDCConnectConfig struct {
 	UserInfoUsernamePath string `mapstructure:"userinfo_username_path"`
 }
 
+type DingTalkConnectConfig struct {
+	Enabled             bool   `mapstructure:"enabled"`
+	ClientID            string `mapstructure:"client_id"`
+	ClientSecret        string `mapstructure:"client_secret"`
+	AuthorizeURL        string `mapstructure:"authorize_url"`
+	TokenURL            string `mapstructure:"token_url"`
+	UserInfoURL         string `mapstructure:"userinfo_url"`
+	Scopes              string `mapstructure:"scopes"`
+	RedirectURL         string `mapstructure:"redirect_url"`
+	FrontendRedirectURL string `mapstructure:"frontend_redirect_url"`
+
+	// 平台底座 + 业务行为
+	DingTalkAppKind string `mapstructure:"dingtalk_app_kind"` // 仅 "internal_app"（V4 fail-closed）
+	AppType         string `mapstructure:"app_type"`          // "public" (default) | "internal"
+
+	// Corp 限定（none | internal_only）
+	CorpRestrictionPolicy   string `mapstructure:"corp_restriction_policy"`
+	InternalCorpID          string `mapstructure:"internal_corp_id"`
+	BypassRegistration      bool   `mapstructure:"bypass_registration"`
+	SyncCorpEmail           bool   `mapstructure:"sync_corp_email"`
+	SyncDisplayName         bool   `mapstructure:"sync_display_name"`
+	SyncDept                bool   `mapstructure:"sync_dept"`
+	SyncCorpEmailAttrKey    string `mapstructure:"sync_corp_email_attr_key"`
+	SyncDisplayNameAttrKey  string `mapstructure:"sync_display_name_attr_key"`
+	SyncDeptAttrKey         string `mapstructure:"sync_dept_attr_key"`
+	SyncCorpEmailAttrName   string `mapstructure:"sync_corp_email_attr_name"`
+	SyncDisplayNameAttrName string `mapstructure:"sync_display_name_attr_name"`
+	SyncDeptAttrName        string `mapstructure:"sync_dept_attr_name"`
+
+	// 邮箱 + Username
+	RequireEmail            bool   `mapstructure:"require_email"`
+	UsernameOverwritePolicy string `mapstructure:"username_overwrite_policy"`
+
+	// Attribute（私有版扩展点；开源版仅声明）
+	UsernameAttributeKey         string   `mapstructure:"username_attribute_key"`
+	EnableAttributeMatching      bool     `mapstructure:"enable_attribute_matching"`
+	EnableAttributeSync          bool     `mapstructure:"enable_attribute_sync"`
+	AttributeSyncFields          []string `mapstructure:"attribute_sync_fields"`
+	AttributeSyncOverwritePolicy string   `mapstructure:"attribute_sync_overwrite_policy"`
+}
+
 type EmailOAuthProviderConfig struct {
 	Enabled             bool   `mapstructure:"enabled"`
 	ClientID            string `mapstructure:"client_id"`
@@ -1536,6 +1578,19 @@ func setDefaults() {
 	viper.SetDefault("oidc_connect.userinfo_id_path", "")
 	viper.SetDefault("oidc_connect.userinfo_username_path", "")
 
+	// DingTalk Connect OAuth 登录
+	viper.SetDefault("dingtalk_connect.enabled", false)
+	viper.SetDefault("dingtalk_connect.authorize_url", "https://login.dingtalk.com/oauth2/auth")
+	viper.SetDefault("dingtalk_connect.token_url", "https://api.dingtalk.com/v1.0/oauth2/userAccessToken")
+	viper.SetDefault("dingtalk_connect.userinfo_url", "https://api.dingtalk.com/v1.0/contact/users/me")
+	viper.SetDefault("dingtalk_connect.scopes", "openid")
+	viper.SetDefault("dingtalk_connect.frontend_redirect_url", "/auth/dingtalk/callback")
+	viper.SetDefault("dingtalk_connect.dingtalk_app_kind", "internal_app")
+	viper.SetDefault("dingtalk_connect.app_type", "public")
+	viper.SetDefault("dingtalk_connect.corp_restriction_policy", "none")
+	viper.SetDefault("dingtalk_connect.require_email", true)
+	viper.SetDefault("dingtalk_connect.username_overwrite_policy", "if_empty")
+
 	// Database
 	viper.SetDefault("database.host", "localhost")
 	viper.SetDefault("database.port", 5432)
@@ -2608,6 +2663,9 @@ func (c *Config) Validate() error {
 	if c.Concurrency.PingInterval < 5 || c.Concurrency.PingInterval > 30 {
 		return fmt.Errorf("concurrency.ping_interval must be between 5-30 seconds")
 	}
+	if err := ValidateDingTalkConfig(c.DingTalk); err != nil {
+		return fmt.Errorf("dingtalk_connect: %w", err)
+	}
 	return nil
 }
 

backend/internal/config/config.go

@@ -0,0 +1,30 @@
+// Package config 包含钉钉连接配置的校验逻辑。
+//
+// internal_only 模式安全模型（方案 A）：
+// 不再要求 admin 填写 InternalCorpID 做二次 corpID 比对。
+// 安全边界由钉钉"企业内部应用"类型本身保证——只有应用所属企业的员工才能完成 OAuth，
+// 因此 ValidateDingTalkConfig 只要求 app_type=internal（V1），不再要求 InternalCorpID 非空（原 V3 已删除）。
+// InternalCorpID 字段保留，admin 可选填；若填写，checkDingTalkCorpAllowed 不会使用它做约束。
+package config
+
+import "errors"
+
+var (
+	ErrDingTalkV1AppTypeMismatch = errors.New("dingtalk: internal_only requires app_type=internal")
+	ErrDingTalkV4InvalidAppKind  = errors.New("dingtalk: dingtalk_app_kind must be internal_app")
+)
+
+func ValidateDingTalkConfig(cfg DingTalkConnectConfig) error {
+	if !cfg.Enabled {
+		return nil
+	}
+	if cfg.DingTalkAppKind != "internal_app" {
+		return ErrDingTalkV4InvalidAppKind
+	}
+	if cfg.CorpRestrictionPolicy == "internal_only" {
+		if cfg.AppType != "internal" {
+			return ErrDingTalkV1AppTypeMismatch
+		}
+	}
+	return nil
+}

backend/internal/config/validate_dingtalk.go

@@ -0,0 +1,53 @@
+package config
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestValidateDingTalkConfig_Disabled_Skip(t *testing.T) {
+	require.NoError(t, ValidateDingTalkConfig(DingTalkConnectConfig{Enabled: false}))
+}
+
+func TestValidateDingTalkConfig_V4_DingTalkAppKind(t *testing.T) {
+	err := ValidateDingTalkConfig(DingTalkConnectConfig{
+		Enabled:               true,
+		DingTalkAppKind:       "third_party_enterprise_app",
+		CorpRestrictionPolicy: "none",
+	})
+	require.ErrorIs(t, err, ErrDingTalkV4InvalidAppKind)
+}
+
+func TestValidateDingTalkConfig_V1_InternalOnlyRequiresInternalAppType(t *testing.T) {
+	err := ValidateDingTalkConfig(DingTalkConnectConfig{
+		Enabled:               true,
+		DingTalkAppKind:       "internal_app",
+		AppType:               "public",
+		CorpRestrictionPolicy: "internal_only",
+		InternalCorpID:        "dingABC",
+	})
+	require.ErrorIs(t, err, ErrDingTalkV1AppTypeMismatch)
+}
+
+// TestValidateDingTalkConfig_V3_InternalOnlyAllowsEmptyCorpID 验证方案 A：
+// internal_only 策略下，InternalCorpID="" 应通过校验（企业隔离由钉钉 AppType=internal 保证）。
+func TestValidateDingTalkConfig_V3_InternalOnlyAllowsEmptyCorpID(t *testing.T) {
+	err := ValidateDingTalkConfig(DingTalkConnectConfig{
+		Enabled:               true,
+		DingTalkAppKind:       "internal_app",
+		AppType:               "internal",
+		CorpRestrictionPolicy: "internal_only",
+		InternalCorpID:        "",
+	})
+	require.NoError(t, err)
+}
+
+func TestValidateDingTalkConfig_HappyPath_None(t *testing.T) {
+	require.NoError(t, ValidateDingTalkConfig(DingTalkConnectConfig{
+		Enabled:               true,
+		DingTalkAppKind:       "internal_app",
+		AppType:               "public",
+		CorpRestrictionPolicy: "none",
+	}))
+}