Merge branch 'feature-captcha' into feature-department

Author: ahaodev

.gitignore

@@ -85,4 +85,4 @@ shadmin.exe
 .logs
 .database
 .examples
-.cli/bin/*
+/cli/shadmin-cli

api/controller/device_auth_controller.go

@@ -0,0 +1,220 @@
+package controller
+
+import (
+	"errors"
+	"net/http"
+	"sync"
+	"time"
+
+	"shadmin/domain"
+	"shadmin/internal/constants"
+
+	"github.com/gin-gonic/gin"
+)
+
+type DeviceAuthController struct {
+	DeviceAuthUsecase domain.DeviceAuthUsecase
+	requestLimiter    *deviceAuthRateLimiter
+	pollLimiter       *deviceAuthRateLimiter
+	activateLimiter   *deviceAuthRateLimiter
+}
+
+func NewDeviceAuthController(deviceAuthUsecase domain.DeviceAuthUsecase) *DeviceAuthController {
+	return &DeviceAuthController{
+		DeviceAuthUsecase: deviceAuthUsecase,
+		requestLimiter:    newDeviceAuthRateLimiter(10, time.Minute),
+		pollLimiter:       newDeviceAuthRateLimiter(60, time.Minute),
+		activateLimiter:   newDeviceAuthRateLimiter(20, time.Minute),
+	}
+}
+
+// RequestCode godoc
+// @Summary      Request device authorization code
+// @Description  Create a device authorization session for CLI login
+// @Tags         Authentication
+// @Accept       json
+// @Produce      json
+// @Param        request  body      domain.DeviceCodeRequest  true  "Device code request"
+// @Success      200  {object}  domain.Response{data=domain.DeviceCodeResponse}
+// @Failure      400  {object}  domain.Response
+// @Failure      500  {object}  domain.Response
+// @Router       /auth/device/code [post]
+func (dc *DeviceAuthController) RequestCode(c *gin.Context) {
+	if !dc.allow(c, dc.requestLimiter) {
+		return
+	}
+
+	var request domain.DeviceCodeRequest
+	if !MustBindJSON(c, &request) {
+		return
+	}
+
+	resp, err := dc.DeviceAuthUsecase.RequestCode(c, request, "/auth/device")
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, domain.RespError(err.Error()))
+		return
+	}
+	c.JSON(http.StatusOK, domain.RespSuccess(resp))
+}
+
+// PollToken godoc
+// @Summary      Poll device authorization token
+// @Description  Poll until user authorizes a device code, then return JWT tokens
+// @Tags         Authentication
+// @Accept       json
+// @Produce      json
+// @Param        request  body      domain.DeviceTokenRequest  true  "Device token request"
+// @Success      200  {object}  domain.Response{data=domain.LoginResponse}
+// @Failure      400  {object}  domain.Response
+// @Failure      500  {object}  domain.Response
+// @Router       /auth/device/token [post]
+func (dc *DeviceAuthController) PollToken(c *gin.Context) {
+	if !dc.allow(c, dc.pollLimiter) {
+		return
+	}
+
+	var request domain.DeviceTokenRequest
+	if !MustBindJSON(c, &request) {
+		return
+	}
+
+	resp, err := dc.DeviceAuthUsecase.PollToken(c, request)
+	if err != nil {
+		status := http.StatusBadRequest
+		switch {
+		case errors.Is(err, domain.ErrDeviceAuthorizationPending),
+			errors.Is(err, domain.ErrDeviceSlowDown),
+			errors.Is(err, domain.ErrDeviceExpired),
+			errors.Is(err, domain.ErrDeviceConsumed),
+			errors.Is(err, domain.ErrDeviceAccessDenied),
+			errors.Is(err, domain.ErrDeviceInvalidCode):
+			status = http.StatusBadRequest
+		default:
+			status = http.StatusInternalServerError
+		}
+		c.JSON(status, domain.RespError(err.Error()))
+		return
+	}
+	c.JSON(http.StatusOK, domain.RespSuccess(resp))
+}
+
+// Activate godoc
+// @Summary      Activate device authorization code
+// @Description  Authorize a CLI device code using the current web user session
+// @Tags         Authentication
+// @Accept       json
+// @Produce      json
+// @Param        request  body      domain.DeviceActivateRequest  true  "Device activation request"
+// @Success      200  {object}  domain.Response{data=domain.DeviceActivateResponse}
+// @Failure      400  {object}  domain.Response
+// @Failure      401  {object}  domain.Response
+// @Failure      500  {object}  domain.Response
+// @Router       /auth/device/activate [post]
+func (dc *DeviceAuthController) Activate(c *gin.Context) {
+	if !dc.allow(c, dc.activateLimiter) {
+		return
+	}
+
+	var request domain.DeviceActivateRequest
+	if !MustBindJSON(c, &request) {
+		return
+	}
+
+	userIDValue, exists := c.Get(constants.UserID)
+	if !exists {
+		c.JSON(http.StatusUnauthorized, domain.RespError("Not authorized"))
+		return
+	}
+	userID, ok := userIDValue.(string)
+	if !ok || userID == "" {
+		c.JSON(http.StatusUnauthorized, domain.RespError("Invalid user context"))
+		return
+	}
+
+	resp, err := dc.DeviceAuthUsecase.Activate(c, userID, request)
+	if err != nil {
+		status := http.StatusBadRequest
+		if !errors.Is(err, domain.ErrDeviceInvalidCode) &&
+			!errors.Is(err, domain.ErrDeviceExpired) &&
+			!errors.Is(err, domain.ErrDeviceAccessDenied) {
+			status = http.StatusInternalServerError
+		}
+		c.JSON(status, domain.RespError(err.Error()))
+		return
+	}
+	c.JSON(http.StatusOK, domain.RespSuccess(resp))
+}
+
+func (dc *DeviceAuthController) allow(c *gin.Context, limiter *deviceAuthRateLimiter) bool {
+	if limiter == nil || limiter.Allow(c.ClientIP()) {
+		return true
+	}
+	c.JSON(http.StatusTooManyRequests, domain.RespError("too_many_requests"))
+	return false
+}
+
+// Close is kept for callers that manage controller lifecycles.
+func (dc *DeviceAuthController) Close() {
+	dc.requestLimiter.close()
+	dc.pollLimiter.close()
+	dc.activateLimiter.close()
+}
+
+type deviceAuthRateLimiter struct {
+	mu          sync.Mutex
+	limit       int
+	window      time.Duration
+	hits        map[string]*deviceAuthRateLimitEntry
+	lastCleanup time.Time
+}
+
+type deviceAuthRateLimitEntry struct {
+	count       int
+	windowStart time.Time
+}
+
+func newDeviceAuthRateLimiter(limit int, window time.Duration) *deviceAuthRateLimiter {
+	l := &deviceAuthRateLimiter{
+		limit:       limit,
+		window:      window,
+		hits:        make(map[string]*deviceAuthRateLimitEntry),
+		lastCleanup: time.Now(),
+	}
+	return l
+}
+
+func (l *deviceAuthRateLimiter) cleanupExpiredLocked(now time.Time) {
+	for key, entry := range l.hits {
+		if now.Sub(entry.windowStart) >= l.window {
+			delete(l.hits, key)
+		}
+	}
+}
+
+// close is kept for controller lifecycle compatibility.
+func (l *deviceAuthRateLimiter) close() {
+}
+
+func (l *deviceAuthRateLimiter) Allow(key string) bool {
+	if key == "" {
+		key = "unknown"
+	}
+	now := time.Now()
+	l.mu.Lock()
+	defer l.mu.Unlock()
+	if now.Sub(l.lastCleanup) >= l.window {
+		l.cleanupExpiredLocked(now)
+		l.lastCleanup = now
+	}
+
+	entry, ok := l.hits[key]
+	if !ok || now.Sub(entry.windowStart) >= l.window {
+		l.hits[key] = &deviceAuthRateLimitEntry{count: 1, windowStart: now}
+		return true
+	}
+	if entry.count >= l.limit {
+		return false
+	}
+	entry.count++
+	return true
+}

api/route/factory.go

@@ -19,10 +19,11 @@ import (
 
 // ControllerFactory creates and manages controller instances
 type ControllerFactory struct {
-	app            *bootstrap.Application
-	timeout        time.Duration
-	db             *ent.Client
-	captchaManager *captchapkg.SlideManager
+	app                  *bootstrap.Application
+	timeout              time.Duration
+	db                   *ent.Client
+	captchaManager       *captchapkg.SlideManager
+	deviceAuthController *controller.DeviceAuthController
 }
 
 // NewControllerFactory creates a new controller factory
@@ -65,6 +66,30 @@ func (f *ControllerFactory) CreateCaptchaController() *controller.CaptchaControl
 	}
 }
 
+// CreateDeviceAuthController creates a device authorization controller
+func (f *ControllerFactory) CreateDeviceAuthController() *controller.DeviceAuthController {
+	if f.deviceAuthController != nil {
+		return f.deviceAuthController
+	}
+	deviceAuthRepository := repository.NewDeviceAuthRepository(f.db)
+	userRepository := repository.NewUserRepository(f.db, f.app.CasManager)
+	tokenService := tokenservice.NewTokenService()
+
+	f.deviceAuthController = controller.NewDeviceAuthController(
+		usecase.NewDeviceAuthUsecase(
+			deviceAuthRepository,
+			userRepository,
+			tokenService,
+			f.app.Env.AccessTokenSecret,
+			f.app.Env.RefreshTokenSecret,
+			f.app.Env.AccessTokenExpiryMinute,
+			f.app.Env.RefreshTokenExpiryMinute,
+			f.timeout,
+		),
+	)
+	return f.deviceAuthController
+}
+
 // CreateProfileController creates a profile controller
 func (f *ControllerFactory) CreateProfileController() *controller.ProfileController {
 	pr := repository.NewProfileRepository(f.db)

api/route/protected.go

@@ -3,7 +3,6 @@ package route
 import (
 	"shadmin/api/middleware"
 	"shadmin/bootstrap"
-	"time"
 
 	"github.com/gin-gonic/gin"
 )
@@ -14,9 +13,9 @@ type ProtectedRoutes struct {
 }
 
 // NewProtectedRoutes creates a new protected routes manager
-func NewProtectedRoutes(app *bootstrap.Application, timeout time.Duration) *ProtectedRoutes {
+func NewProtectedRoutes(factory *ControllerFactory) *ProtectedRoutes {
 	return &ProtectedRoutes{
-		factory: NewControllerFactory(app, timeout, app.DB),
+		factory: factory,
 	}
 }
 
@@ -41,6 +40,9 @@ func (pr *ProtectedRoutes) setupUserRoutes(router *gin.RouterGroup, app *bootstr
 	resourcesGroup := router.Group("/resources")
 	pr.setupResourceRoutes(resourcesGroup)
 
+	// Device authorization activation (authenticated, no Casbin menu permission required)
+	deviceAuthGroup := router.Group("/auth/device")
+	pr.setupDeviceAuthRoutes(deviceAuthGroup)
 }
 
 // setupProfileRoutes configures profile management routes
@@ -59,6 +61,13 @@ func (pr *ProtectedRoutes) setupResourceRoutes(group *gin.RouterGroup) {
 	group.GET("", resourceController.GetResources)
 }
 
+// setupDeviceAuthRoutes configures authenticated device authorization routes.
+func (pr *ProtectedRoutes) setupDeviceAuthRoutes(group *gin.RouterGroup) {
+	deviceAuthController := pr.factory.CreateDeviceAuthController()
+
+	group.POST("/activate", deviceAuthController.Activate)
+}
+
 // setupSystemRoutes configures system administration routes
 func (pr *ProtectedRoutes) setupSystemRoutes(router *gin.RouterGroup, app *bootstrap.Application, engine *gin.Engine) {
 	casbinMiddleware := middleware.NewCasbinMiddleware(app.CasManager)

api/route/public.go

@@ -3,7 +3,6 @@ package route
 import (
 	"shadmin/api/middleware"
 	"shadmin/bootstrap"
-	"time"
 
 	"github.com/gin-gonic/gin"
 )
@@ -14,9 +13,9 @@ type PublicRoutes struct {
 }
 
 // NewPublicRoutes creates a new public routes manager
-func NewPublicRoutes(app *bootstrap.Application, timeout time.Duration) *PublicRoutes {
+func NewPublicRoutes(factory *ControllerFactory) *PublicRoutes {
 	return &PublicRoutes{
-		factory: NewControllerFactory(app, timeout, app.DB),
+		factory: factory,
 	}
 }
 
@@ -46,9 +45,12 @@ func (pr *PublicRoutes) setupHealthRoutes(group *gin.RouterGroup) {
 func (pr *PublicRoutes) setupAuthRoutes(group *gin.RouterGroup, app *bootstrap.Application) {
 	authController := pr.factory.CreateAuthController(app.CasManager)
 	captchaController := pr.factory.CreateCaptchaController()
+	deviceAuthController := pr.factory.CreateDeviceAuthController()
 
 	group.POST("/login", authController.Login)
 	group.POST("/refresh", authController.RefreshToken)
 	group.POST("/logout", authController.Logout)
 	group.GET("/captcha/slide", captchaController.GetSlideCaptcha)
+	group.POST("/device/code", deviceAuthController.RequestCode)
+	group.POST("/device/token", deviceAuthController.PollToken)
 }

api/route/route.go

@@ -19,9 +19,9 @@ func Setup(app *bootstrap.Application, timeout time.Duration, engine *gin.Engine
 	}
 
 	// Register static assets (skip in development — Vite dev server handles frontend)
-	if app.Env.AppEnv != "development" {
-		web.Register(engine)
-	}
+	//if app.Env.AppEnv != "development" {
+	web.Register(engine)
+	//}
 	setupSwagger(engine)
 
 	// Setup API routes
@@ -33,12 +33,13 @@ func Setup(app *bootstrap.Application, timeout time.Duration, engine *gin.Engine
 // setupApiRoutes configures all API routes
 func setupApiRoutes(app *bootstrap.Application, timeout time.Duration, engine *gin.Engine) {
 	apiV1 := engine.Group(ApiUri)
+	factory := NewControllerFactory(app, timeout, app.DB)
 
 	// Setup public routes (no authentication required)
-	publicRoutes := NewPublicRoutes(app, timeout)
+	publicRoutes := NewPublicRoutes(factory)
 	publicRoutes.Setup(apiV1, app)
 
 	// Setup protected routes (authentication required)
-	protectedRoutes := NewProtectedRoutes(app, timeout)
+	protectedRoutes := NewProtectedRoutes(factory)
 	protectedRoutes.Setup(apiV1, app, engine)
 }

cli/.env.example

@@ -0,0 +1,5 @@
+# shadmin-cli local config
+# Copy to cli/.env for repo-local development, or set SHADMIN_CONFIG to another .env path.
+
+# Equivalent to --server. Used by device login and all API calls.
+SHADMIN_SERVER=http://localhost:55667