Originals/ViGent2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 42 Wiki Activity

更新

Browse Source
This commit is contained in:
Kevin Wong
2026-01-23 18:09:12 +08:00
parent 3a3df41904
commit c918dc6faf
28 changed files with 2250 additions and 126 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
backend/.env.example
View File

@@ -45,3 +45,18 @@ MAX_UPLOAD_SIZE_MB=500
# FFmpeg 路径 (如果不在系统 PATH 中)
# FFMPEG_PATH=/usr/bin/ffmpeg
# =============== Supabase 配置 ===============
# 从 Supabase 项目设置 > API 获取
SUPABASE_URL=https://zcmitzlqlyzxlgwagouf.supabase.co
SUPABASE_KEY=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJzdXBhYmFzZSIsInJlZiI6InpjbWl0emxxbHl6eGxnd2Fnb3VmIiwicm9sZSI6ImFub24iLCJpYXQiOjE3NjkxMzkwNzEsImV4cCI6MjA4NDcxNTA3MX0.2NNkkR0cowopcsCs5bP-DTCksiOuqNjmhfyXGmLdTrM
# =============== JWT 配置 ===============
# 用于签名 JWT Token 的密钥 (请更换为随机字符串)
JWT_SECRET_KEY=F4MagRkf7nJsN-ag9AB7Q-30MbZRe7Iu4E9p9xRzyic
JWT_ALGORITHM=HS256
JWT_EXPIRE_HOURS=168
# =============== 管理员配置 ===============
# 服务启动时自动创建的管理员账号
ADMIN_EMAIL=
ADMIN_PASSWORD=

185
backend/app/api/admin.py Normal file
View File

@@ -0,0 +1,185 @@
"""
管理员 API用户管理
"""
from fastapi import APIRouter, HTTPException, Depends, status
from pydantic import BaseModel
from typing import Optional, List
from datetime import datetime, timezone, timedelta
from app.core.supabase import get_supabase
from app.core.deps import get_current_admin
from loguru import logger
router = APIRouter(prefix="/api/admin", tags=["管理"])
class UserListItem(BaseModel):
id: str
email: str
username: Optional[str]
role: str
is_active: bool
expires_at: Optional[str]
created_at: str
class ActivateRequest(BaseModel):
expires_days: Optional[int] = None # 授权天数None 表示永久
@router.get("/users", response_model=List[UserListItem])
async def list_users(admin: dict = Depends(get_current_admin)):
"""获取所有用户列表"""
try:
supabase = get_supabase()
result = supabase.table("users").select("*").order("created_at", desc=True).execute()
return [
UserListItem(
id=u["id"],
email=u["email"],
username=u.get("username"),
role=u["role"],
is_active=u["is_active"],
expires_at=u.get("expires_at"),
created_at=u["created_at"]
)
for u in result.data
]
except Exception as e:
logger.error(f"获取用户列表失败: {e}")
raise HTTPException(
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
detail="获取用户列表失败"
)
@router.post("/users/{user_id}/activate")
async def activate_user(
user_id: str,
request: ActivateRequest,
admin: dict = Depends(get_current_admin)
):
"""
激活用户
Args:
user_id: 用户 ID
request.expires_days: 授权天数 (None 表示永久)
"""
try:
supabase = get_supabase()
# 计算过期时间
expires_at = None
if request.expires_days:
expires_at = (datetime.now(timezone.utc) + timedelta(days=request.expires_days)).isoformat()
# 更新用户
result = supabase.table("users").update({
"is_active": True,
"role": "user",
"expires_at": expires_at
}).eq("id", user_id).execute()
if not result.data:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND,
detail="用户不存在"
)
logger.info(f"管理员 {admin['email']} 激活用户 {user_id}, 有效期: {request.expires_days or '永久'}")
return {
"success": True,
"message": f"用户已激活,有效期: {request.expires_days or '永久'}"
}
except HTTPException:
raise
except Exception as e:
logger.error(f"激活用户失败: {e}")
raise HTTPException(
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
detail="激活用户失败"
)
@router.post("/users/{user_id}/deactivate")
async def deactivate_user(
user_id: str,
admin: dict = Depends(get_current_admin)
):
"""停用用户"""
try:
supabase = get_supabase()
# 不能停用管理员
user_result = supabase.table("users").select("role").eq("id", user_id).single().execute()
if user_result.data and user_result.data["role"] == "admin":
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="不能停用管理员账号"
)
# 更新用户
result = supabase.table("users").update({
"is_active": False
}).eq("id", user_id).execute()
# 清除用户 session
supabase.table("user_sessions").delete().eq("user_id", user_id).execute()
logger.info(f"管理员 {admin['email']} 停用用户 {user_id}")
return {"success": True, "message": "用户已停用"}
except HTTPException:
raise
except Exception as e:
logger.error(f"停用用户失败: {e}")
raise HTTPException(
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
detail="停用用户失败"
)
@router.post("/users/{user_id}/extend")
async def extend_user(
user_id: str,
request: ActivateRequest,
admin: dict = Depends(get_current_admin)
):
"""延长用户授权期限"""
try:
supabase = get_supabase()
if not request.expires_days:
# 设为永久
expires_at = None
else:
# 获取当前过期时间
user_result = supabase.table("users").select("expires_at").eq("id", user_id).single().execute()
user = user_result.data
if user and user.get("expires_at"):
current_expires = datetime.fromisoformat(user["expires_at"].replace("Z", "+00:00"))
base_time = max(current_expires, datetime.now(timezone.utc))
else:
base_time = datetime.now(timezone.utc)
expires_at = (base_time + timedelta(days=request.expires_days)).isoformat()
result = supabase.table("users").update({
"expires_at": expires_at
}).eq("id", user_id).execute()
logger.info(f"管理员 {admin['email']} 延长用户 {user_id} 授权 {request.expires_days or '永久'}")
return {
"success": True,
"message": f"授权已延长 {request.expires_days or '永久'}"
}
except Exception as e:
logger.error(f"延长授权失败: {e}")
raise HTTPException(
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
detail="延长授权失败"
)

223
backend/app/api/auth.py Normal file
View File

@@ -0,0 +1,223 @@
"""
认证 API注册、登录、登出
"""
from fastapi import APIRouter, HTTPException, Response, status, Request
from pydantic import BaseModel, EmailStr
from app.core.supabase import get_supabase
from app.core.security import (
get_password_hash,
verify_password,
create_access_token,
generate_session_token,
set_auth_cookie,
clear_auth_cookie,
decode_access_token
)
from loguru import logger
from typing import Optional
router = APIRouter(prefix="/api/auth", tags=["认证"])
class RegisterRequest(BaseModel):
email: EmailStr
password: str
username: Optional[str] = None
class LoginRequest(BaseModel):
email: EmailStr
password: str
class UserResponse(BaseModel):
id: str
email: str
username: Optional[str]
role: str
is_active: bool
@router.post("/register")
async def register(request: RegisterRequest):
"""
用户注册
注册后状态为 pending需要管理员激活
"""
try:
supabase = get_supabase()
# 检查邮箱是否已存在
existing = supabase.table("users").select("id").eq(
"email", request.email
).execute()
if existing.data:
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail="该邮箱已注册"
)
# 创建用户
password_hash = get_password_hash(request.password)
result = supabase.table("users").insert({
"email": request.email,
"password_hash": password_hash,
"username": request.username or request.email.split("@")[0],
"role": "pending",
"is_active": False
}).execute()
logger.info(f"新用户注册: {request.email}")
return {
"success": True,
"message": "注册成功,请等待管理员审核激活"
}
except HTTPException:
raise
except Exception as e:
logger.error(f"注册失败: {e}")
raise HTTPException(
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
detail="注册失败,请稍后重试"
)
@router.post("/login")
async def login(request: LoginRequest, response: Response):
"""
用户登录
- 验证密码
- 检查是否激活
- 实现"后踢前"单设备登录
"""
try:
supabase = get_supabase()
# 查找用户
user_result = supabase.table("users").select("*").eq(
"email", request.email
).single().execute()
user = user_result.data
if not user:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="邮箱或密码错误"
)
# 验证密码
if not verify_password(request.password, user["password_hash"]):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="邮箱或密码错误"
)
# 检查是否激活
if not user["is_active"]:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="账号未激活,请等待管理员审核"
)
# 检查授权是否过期
if user.get("expires_at"):
from datetime import datetime, timezone
expires_at = datetime.fromisoformat(user["expires_at"].replace("Z", "+00:00"))
if datetime.now(timezone.utc) > expires_at:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="授权已过期,请联系管理员续期"
)
# 生成新的 session_token (后踢前)
session_token = generate_session_token()
# 删除旧 session插入新 session
supabase.table("user_sessions").delete().eq(
"user_id", user["id"]
).execute()
supabase.table("user_sessions").insert({
"user_id": user["id"],
"session_token": session_token,
"device_info": None # 可以从 request headers 获取
}).execute()
# 生成 JWT Token
token = create_access_token(user["id"], session_token)
# 设置 HttpOnly Cookie
set_auth_cookie(response, token)
logger.info(f"用户登录: {request.email}")
return {
"success": True,
"message": "登录成功",
"user": UserResponse(
id=user["id"],
email=user["email"],
username=user.get("username"),
role=user["role"],
is_active=user["is_active"]
)
}
except HTTPException:
raise
except Exception as e:
logger.error(f"登录失败: {e}")
raise HTTPException(
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
detail="登录失败,请稍后重试"
)
@router.post("/logout")
async def logout(response: Response):
"""用户登出"""
clear_auth_cookie(response)
return {"success": True, "message": "已登出"}
@router.get("/me")
async def get_me(request: Request):
"""获取当前用户信息"""
# 从 Cookie 获取用户
token = request.cookies.get("access_token")
if not token:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="未登录"
)
token_data = decode_access_token(token)
if not token_data:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Token 无效"
)
supabase = get_supabase()
user_result = supabase.table("users").select("*").eq(
"id", token_data.user_id
).single().execute()
user = user_result.data
if not user:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="用户不存在"
)
return UserResponse(
id=user["id"],
email=user["email"],
username=user.get("username"),
role=user["role"],
is_active=user["is_active"]
)

56
backend/app/api/publish.py
View File

@@ -1,12 +1,13 @@
"""
发布管理 API
发布管理 API (支持用户认证)
"""
from fastapi import APIRouter, HTTPException, BackgroundTasks
from fastapi import APIRouter, HTTPException, BackgroundTasks, Depends, Request
from pydantic import BaseModel
from typing import List, Optional
from datetime import datetime
from loguru import logger
from app.services.publish_service import PublishService
from app.core.deps import get_current_user_optional
router = APIRouter()
publish_service = PublishService()
@@ -30,8 +31,23 @@ class PublishResponse(BaseModel):
# Supported platforms for validation
SUPPORTED_PLATFORMS = {"bilibili", "douyin", "xiaohongshu"}
def _get_user_id(request: Request) -> Optional[str]:
"""从请求中获取用户 ID (兼容未登录场景)"""
try:
from app.core.security import decode_access_token
token = request.cookies.get("access_token")
if token:
token_data = decode_access_token(token)
if token_data:
return token_data.user_id
except Exception:
pass
return None
@router.post("/", response_model=PublishResponse)
async def publish_video(request: PublishRequest, background_tasks: BackgroundTasks):
async def publish_video(request: PublishRequest, req: Request, background_tasks: BackgroundTasks):
"""发布视频到指定平台"""
# Validate platform
if request.platform not in SUPPORTED_PLATFORMS:
@@ -40,6 +56,9 @@ async def publish_video(request: PublishRequest, background_tasks: BackgroundTas
detail=f"不支持的平台: {request.platform}。支持的平台: {', '.join(SUPPORTED_PLATFORMS)}"
)
# 获取用户 ID (可选)
user_id = _get_user_id(req)
try:
result = await publish_service.publish(
video_path=request.video_path,
@@ -47,7 +66,8 @@ async def publish_video(request: PublishRequest, background_tasks: BackgroundTas
title=request.title,
tags=request.tags,
description=request.description,
publish_time=request.publish_time
publish_time=request.publish_time,
user_id=user_id
)
return PublishResponse(
success=result.get("success", False),
@@ -61,43 +81,48 @@ async def publish_video(request: PublishRequest, background_tasks: BackgroundTas
@router.get("/platforms")
async def list_platforms():
return {"platforms": [{"id": pid, **pinfo} for pid, pinfo in publish_service.PLATFORMS.items()]}
return {"platforms": [{**pinfo, "id": pid} for pid, pinfo in publish_service.PLATFORMS.items()]}
@router.get("/accounts")
async def list_accounts():
return {"accounts": publish_service.get_accounts()}
async def list_accounts(req: Request):
user_id = _get_user_id(req)
return {"accounts": publish_service.get_accounts(user_id)}
@router.post("/login/{platform}")
async def login_platform(platform: str):
async def login_platform(platform: str, req: Request):
"""触发平台QR码登录"""
if platform not in SUPPORTED_PLATFORMS:
raise HTTPException(status_code=400, detail=f"不支持的平台: {platform}")
result = await publish_service.login(platform)
user_id = _get_user_id(req)
result = await publish_service.login(platform, user_id)
if result.get("success"):
return result
else:
raise HTTPException(status_code=400, detail=result.get("message"))
@router.post("/logout/{platform}")
async def logout_platform(platform: str):
async def logout_platform(platform: str, req: Request):
"""注销平台登录"""
if platform not in SUPPORTED_PLATFORMS:
raise HTTPException(status_code=400, detail=f"不支持的平台: {platform}")
result = publish_service.logout(platform)
user_id = _get_user_id(req)
result = publish_service.logout(platform, user_id)
return result
@router.get("/login/status/{platform}")
async def get_login_status(platform: str):
async def get_login_status(platform: str, req: Request):
"""检查登录状态 (优先检查活跃的扫码会话)"""
if platform not in SUPPORTED_PLATFORMS:
raise HTTPException(status_code=400, detail=f"不支持的平台: {platform}")
return publish_service.get_login_session_status(platform)
user_id = _get_user_id(req)
return publish_service.get_login_session_status(platform, user_id)
@router.post("/cookies/save/{platform}")
async def save_platform_cookie(platform: str, cookie_data: dict):
async def save_platform_cookie(platform: str, cookie_data: dict, req: Request):
"""
保存从客户端浏览器提取的Cookie
@@ -112,7 +137,8 @@ async def save_platform_cookie(platform: str, cookie_data: dict):
if not cookie_string:
raise HTTPException(status_code=400, detail="cookie_string 不能为空")
result = await publish_service.save_cookie_string(platform, cookie_string)
user_id = _get_user_id(req)
result = await publish_service.save_cookie_string(platform, cookie_string, user_id)
if result.get("success"):
return result

13
backend/app/core/config.py
View File

@@ -26,6 +26,19 @@ class Settings(BaseSettings):
LATENTSYNC_SEED: int = 1247 # 随机种子 (-1 则随机)
LATENTSYNC_USE_SERVER: bool = False # 使用常驻服务 (Persistent Server) 加速
# Supabase 配置
SUPABASE_URL: str = ""
SUPABASE_KEY: str = ""
# JWT 配置
JWT_SECRET_KEY: str = "your-secret-key-change-in-production"
JWT_ALGORITHM: str = "HS256"
JWT_EXPIRE_HOURS: int = 24
# 管理员配置
ADMIN_EMAIL: str = ""
ADMIN_PASSWORD: str = ""
@property
def LATENTSYNC_DIR(self) -> Path:
"""LatentSync 目录路径 (动态计算)"""

141
backend/app/core/deps.py Normal file
View File

@@ -0,0 +1,141 @@
"""
依赖注入模块:认证和用户获取
"""
from typing import Optional
from fastapi import Request, HTTPException, Depends, status
from app.core.security import decode_access_token, TokenData
from app.core.supabase import get_supabase
from loguru import logger
async def get_token_from_cookie(request: Request) -> Optional[str]:
"""从 Cookie 中获取 Token"""
return request.cookies.get("access_token")
async def get_current_user_optional(
request: Request
) -> Optional[dict]:
"""
获取当前用户 (可选,未登录返回 None)
"""
token = await get_token_from_cookie(request)
if not token:
return None
token_data = decode_access_token(token)
if not token_data:
return None
# 验证 session_token 是否有效 (单设备登录检查)
try:
supabase = get_supabase()
result = supabase.table("user_sessions").select("*").eq(
"user_id", token_data.user_id
).eq(
"session_token", token_data.session_token
).execute()
if not result.data:
logger.warning(f"Session token 无效: user_id={token_data.user_id}")
return None
# 获取用户信息
user_result = supabase.table("users").select("*").eq(
"id", token_data.user_id
).single().execute()
return user_result.data
except Exception as e:
logger.error(f"获取用户信息失败: {e}")
return None
async def get_current_user(
request: Request
) -> dict:
"""
获取当前用户 (必须登录)
Raises:
HTTPException 401: 未登录
HTTPException 403: 会话失效或授权过期
"""
token = await get_token_from_cookie(request)
if not token:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="未登录,请先登录"
)
token_data = decode_access_token(token)
if not token_data:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Token 无效或已过期"
)
try:
supabase = get_supabase()
# 验证 session_token (单设备登录)
session_result = supabase.table("user_sessions").select("*").eq(
"user_id", token_data.user_id
).eq(
"session_token", token_data.session_token
).execute()
if not session_result.data:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="会话已失效,请重新登录(可能已在其他设备登录)"
)
# 获取用户信息
user_result = supabase.table("users").select("*").eq(
"id", token_data.user_id
).single().execute()
user = user_result.data
if not user:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="用户不存在"
)
# 检查授权是否过期
if user.get("expires_at"):
from datetime import datetime, timezone
expires_at = datetime.fromisoformat(user["expires_at"].replace("Z", "+00:00"))
if datetime.now(timezone.utc) > expires_at:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="授权已过期,请联系管理员续期"
)
return user
except HTTPException:
raise
except Exception as e:
logger.error(f"获取用户信息失败: {e}")
raise HTTPException(
status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
detail="服务器错误"
)
async def get_current_admin(
current_user: dict = Depends(get_current_user)
) -> dict:
"""
获取当前管理员用户
Raises:
HTTPException 403: 非管理员
"""
if current_user.get("role") != "admin":
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN,
detail="需要管理员权限"
)
return current_user

98
backend/app/core/paths.py Normal file
View File

@@ -0,0 +1,98 @@
"""
路径规范化模块:按用户隔离 Cookie 存储
"""
from pathlib import Path
import re
from typing import Set
# 基础目录
BASE_DIR = Path(__file__).parent.parent.parent
USER_DATA_DIR = BASE_DIR / "user_data"
# 有效的平台列表
VALID_PLATFORMS: Set[str] = {"bilibili", "douyin", "xiaohongshu"}
# UUID 格式正则
UUID_PATTERN = re.compile(r'^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$', re.IGNORECASE)
def validate_user_id(user_id: str) -> bool:
"""验证 user_id 格式 (防止路径遍历攻击)"""
return bool(UUID_PATTERN.match(user_id))
def validate_platform(platform: str) -> bool:
"""验证平台名称"""
return platform in VALID_PLATFORMS
def get_user_data_dir(user_id: str) -> Path:
"""
获取用户数据根目录
Args:
user_id: 用户 UUID
Returns:
用户数据目录路径
Raises:
ValueError: user_id 格式无效
"""
if not validate_user_id(user_id):
raise ValueError(f"Invalid user_id format: {user_id}")
user_dir = USER_DATA_DIR / user_id
user_dir.mkdir(parents=True, exist_ok=True)
return user_dir
def get_user_cookie_dir(user_id: str) -> Path:
"""
获取用户 Cookie 目录
Args:
user_id: 用户 UUID
Returns:
Cookie 目录路径
"""
cookie_dir = get_user_data_dir(user_id) / "cookies"
cookie_dir.mkdir(parents=True, exist_ok=True)
return cookie_dir
def get_platform_cookie_path(user_id: str, platform: str) -> Path:
"""
获取平台 Cookie 文件路径
Args:
user_id: 用户 UUID
platform: 平台名称 (bilibili/douyin/xiaohongshu)
Returns:
Cookie 文件路径
Raises:
ValueError: 平台名称无效
"""
if not validate_platform(platform):
raise ValueError(f"Invalid platform: {platform}. Valid: {VALID_PLATFORMS}")
return get_user_cookie_dir(user_id) / f"{platform}_cookies.json"
# === 兼容旧代码的路径 (无用户隔离) ===
def get_legacy_cookie_dir() -> Path:
"""获取旧版 Cookie 目录 (无用户隔离)"""
cookie_dir = BASE_DIR / "app" / "cookies"
cookie_dir.mkdir(parents=True, exist_ok=True)
return cookie_dir
def get_legacy_cookie_path(platform: str) -> Path:
"""获取旧版 Cookie 路径 (无用户隔离)"""
if not validate_platform(platform):
raise ValueError(f"Invalid platform: {platform}")
return get_legacy_cookie_dir() / f"{platform}_cookies.json"

112
backend/app/core/security.py Normal file
View File

@@ -0,0 +1,112 @@
"""
安全工具模块JWT Token 和密码处理
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Any
from jose import jwt, JWTError
from passlib.context import CryptContext
from pydantic import BaseModel
from fastapi import Response
from app.core.config import settings
import uuid
# 密码加密上下文
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
class TokenData(BaseModel):
"""JWT Token 数据结构"""
user_id: str
session_token: str
exp: datetime
def verify_password(plain_password: str, hashed_password: str) -> bool:
"""验证密码"""
return pwd_context.verify(plain_password, hashed_password)
def get_password_hash(password: str) -> str:
"""生成密码哈希"""
return pwd_context.hash(password)
def create_access_token(user_id: str, session_token: str) -> str:
"""
创建 JWT Access Token
Args:
user_id: 用户 ID
session_token: 会话 Token (用于单设备登录验证)
"""
expire = datetime.now(timezone.utc) + timedelta(hours=settings.JWT_EXPIRE_HOURS)
to_encode = {
"sub": user_id,
"session_token": session_token,
"exp": expire
}
return jwt.encode(
to_encode,
settings.JWT_SECRET_KEY,
algorithm=settings.JWT_ALGORITHM
)
def decode_access_token(token: str) -> Optional[TokenData]:
"""
解码并验证 JWT Token
Returns:
TokenData 或 None (如果验证失败)
"""
try:
payload = jwt.decode(
token,
settings.JWT_SECRET_KEY,
algorithms=[settings.JWT_ALGORITHM]
)
user_id = payload.get("sub")
session_token = payload.get("session_token")
exp = payload.get("exp")
if not user_id or not session_token:
return None
return TokenData(
user_id=user_id,
session_token=session_token,
exp=datetime.fromtimestamp(exp, tz=timezone.utc)
)
except JWTError:
return None
def generate_session_token() -> str:
"""生成新的会话 Token"""
return str(uuid.uuid4())
def set_auth_cookie(response: Response, token: str) -> None:
"""
设置 HttpOnly Cookie
Args:
response: FastAPI Response 对象
token: JWT Token
"""
response.set_cookie(
key="access_token",
value=token,
httponly=True,
secure=True, # 生产环境使用 HTTPS
samesite="lax",
max_age=settings.JWT_EXPIRE_HOURS * 3600
)
def clear_auth_cookie(response: Response) -> None:
"""清除认证 Cookie"""
response.delete_cookie(key="access_token")

26
backend/app/core/supabase.py Normal file
View File

@@ -0,0 +1,26 @@
"""
Supabase 客户端初始化
"""
from supabase import create_client, Client
from app.core.config import settings
from loguru import logger
from typing import Optional
_supabase_client: Optional[Client] = None
def get_supabase() -> Client:
"""获取 Supabase 客户端单例"""
global _supabase_client
if _supabase_client is None:
if not settings.SUPABASE_URL or not settings.SUPABASE_KEY:
raise ValueError("SUPABASE_URL 和 SUPABASE_KEY 必须在 .env 中配置")
_supabase_client = create_client(
settings.SUPABASE_URL,
settings.SUPABASE_KEY
)
logger.info("Supabase 客户端已初始化")
return _supabase_client

48
backend/app/main.py
View File

@@ -2,7 +2,9 @@ from fastapi import FastAPI
from fastapi.staticfiles import StaticFiles
from fastapi.middleware.cors import CORSMiddleware
from app.core import config
from app.api import materials, videos, publish, login_helper
from app.api import materials, videos, publish, login_helper, auth, admin
from loguru import logger
import os
settings = config.settings
@@ -23,10 +25,54 @@ settings.OUTPUT_DIR.mkdir(parents=True, exist_ok=True)
app.mount("/outputs", StaticFiles(directory=str(settings.OUTPUT_DIR)), name="outputs")
# 注册路由
app.include_router(materials.router, prefix="/api/materials", tags=["Materials"])
app.include_router(videos.router, prefix="/api/videos", tags=["Videos"])
app.include_router(publish.router, prefix="/api/publish", tags=["Publish"])
app.include_router(login_helper.router, prefix="/api", tags=["LoginHelper"])
app.include_router(auth.router) # /api/auth
app.include_router(admin.router) # /api/admin
@app.on_event("startup")
async def init_admin():
"""
服务启动时初始化管理员账号
"""
admin_email = settings.ADMIN_EMAIL
admin_password = settings.ADMIN_PASSWORD
if not admin_email or not admin_password:
logger.warning("未配置 ADMIN_EMAIL 和 ADMIN_PASSWORD跳过管理员初始化")
return
try:
from app.core.supabase import get_supabase
from app.core.security import get_password_hash
supabase = get_supabase()
# 检查是否已存在
existing = supabase.table("users").select("id").eq("email", admin_email).execute()
if existing.data:
logger.info(f"管理员账号已存在: {admin_email}")
return
# 创建管理员
supabase.table("users").insert({
"email": admin_email,
"password_hash": get_password_hash(admin_password),
"username": "Admin",
"role": "admin",
"is_active": True,
"expires_at": None # 永不过期
}).execute()
logger.success(f"管理员账号已创建: {admin_email}")
except Exception as e:
logger.error(f"初始化管理员失败: {e}")
@app.get("/health")
def health():

110
backend/app/services/publish_service.py
View File

@@ -1,5 +1,5 @@
"""
发布服务 (基于 social-auto-upload 架构)
发布服务 (支持用户隔离)
"""
import json
from datetime import datetime
@@ -7,6 +7,7 @@ from pathlib import Path
from typing import Optional, List, Dict, Any
from loguru import logger
from app.core.config import settings
from app.core.paths import get_user_cookie_dir, get_platform_cookie_path, get_legacy_cookie_dir, get_legacy_cookie_path
# Import platform uploaders
from .uploader.bilibili_uploader import BilibiliUploader
@@ -15,7 +16,7 @@ from .uploader.xiaohongshu_uploader import XiaohongshuUploader
class PublishService:
"""Social media publishing service"""
"""Social media publishing service (with user isolation)"""
# 支持的平台配置
PLATFORMS: Dict[str, Dict[str, Any]] = {
@@ -27,16 +28,33 @@ class PublishService:
}
def __init__(self) -> None:
self.cookies_dir = settings.BASE_DIR / "cookies"
self.cookies_dir.mkdir(exist_ok=True)
# 存储活跃的登录会话,用于跟踪登录状态
# key 格式: "{user_id}_{platform}" 或 "{platform}" (兼容旧版)
self.active_login_sessions: Dict[str, Any] = {}
def get_accounts(self) -> List[Dict[str, Any]]:
def _get_cookies_dir(self, user_id: Optional[str] = None) -> Path:
"""获取 Cookie 目录 (支持用户隔离)"""
if user_id:
return get_user_cookie_dir(user_id)
return get_legacy_cookie_dir()
def _get_cookie_path(self, platform: str, user_id: Optional[str] = None) -> Path:
"""获取 Cookie 文件路径 (支持用户隔离)"""
if user_id:
return get_platform_cookie_path(user_id, platform)
return get_legacy_cookie_path(platform)
def _get_session_key(self, platform: str, user_id: Optional[str] = None) -> str:
"""获取会话 key"""
if user_id:
return f"{user_id}_{platform}"
return platform
def get_accounts(self, user_id: Optional[str] = None) -> List[Dict[str, Any]]:
"""Get list of platform accounts with login status"""
accounts = []
for pid, pinfo in self.PLATFORMS.items():
cookie_file = self.cookies_dir / f"{pid}_cookies.json"
cookie_file = self._get_cookie_path(pid, user_id)
accounts.append({
"platform": pid,
"name": pinfo["name"],
@@ -53,6 +71,7 @@ class PublishService:
tags: List[str],
description: str = "",
publish_time: Optional[datetime] = None,
user_id: Optional[str] = None,
**kwargs: Any
) -> Dict[str, Any]:
"""
@@ -65,6 +84,7 @@ class PublishService:
tags: List of tags
description: Video description
publish_time: Scheduled publish time (None = immediate)
user_id: User ID for cookie isolation
**kwargs: Additional platform-specific parameters
Returns:
@@ -79,25 +99,33 @@ class PublishService:
"platform": platform
}
# Get account file path
account_file = self.cookies_dir / f"{platform}_cookies.json"
# Get account file path (with user isolation)
account_file = self._get_cookie_path(platform, user_id)
if not account_file.exists():
return {
"success": False,
"message": f"请先登录 {self.PLATFORMS[platform]['name']}",
"platform": platform
}
logger.info(f"[发布] 平台: {self.PLATFORMS[platform]['name']}")
logger.info(f"[发布] 视频: {video_path}")
logger.info(f"[发布] 标题: {title}")
logger.info(f"[发布] 用户: {user_id or 'legacy'}")
try:
# Select appropriate uploader
if platform == "bilibili":
uploader = BilibiliUploader(
title=title,
file_path=str(settings.BASE_DIR.parent / video_path), # Convert to absolute path
file_path=str(settings.BASE_DIR.parent / video_path),
tags=tags,
publish_date=publish_time,
account_file=str(account_file),
description=description,
tid=kwargs.get('tid', 122), # Category ID
copyright=kwargs.get('copyright', 1) # 1=original
tid=kwargs.get('tid', 122),
copyright=kwargs.get('copyright', 1)
)
elif platform == "douyin":
uploader = DouyinUploader(
@@ -138,10 +166,14 @@ class PublishService:
"platform": platform
}
async def login(self, platform: str) -> Dict[str, Any]:
async def login(self, platform: str, user_id: Optional[str] = None) -> Dict[str, Any]:
"""
启动QR码登录流程
Args:
platform: 平台 ID
user_id: 用户 ID (用于 Cookie 隔离)
Returns:
dict: 包含二维码base64图片
"""
@@ -151,11 +183,15 @@ class PublishService:
try:
from .qr_login_service import QRLoginService
# 创建QR登录服务
qr_service = QRLoginService(platform, self.cookies_dir)
# 获取用户专属的 Cookie 目录
cookies_dir = self._get_cookies_dir(user_id)
# 存储活跃会话
self.active_login_sessions[platform] = qr_service
# 创建QR登录服务
qr_service = QRLoginService(platform, cookies_dir)
# 存储活跃会话 (带用户隔离)
session_key = self._get_session_key(platform, user_id)
self.active_login_sessions[session_key] = qr_service
# 启动登录并获取二维码
result = await qr_service.start_login()
@@ -169,30 +205,30 @@ class PublishService:
"message": f"登录失败: {str(e)}"
}
def get_login_session_status(self, platform: str) -> Dict[str, Any]:
def get_login_session_status(self, platform: str, user_id: Optional[str] = None) -> Dict[str, Any]:
"""获取活跃登录会话的状态"""
session_key = self._get_session_key(platform, user_id)
# 1. 如果有活跃的扫码会话,优先检查它
if platform in self.active_login_sessions:
qr_service = self.active_login_sessions[platform]
if session_key in self.active_login_sessions:
qr_service = self.active_login_sessions[session_key]
status = qr_service.get_login_status()
# 如果登录成功且Cookie已保存清理会话
if status["success"] and status["cookies_saved"]:
del self.active_login_sessions[platform]
del self.active_login_sessions[session_key]
return {"success": True, "message": "登录成功"}
return {"success": False, "message": "等待扫码..."}
# 2. 如果没有活跃会话,检查本地Cookie文件是否存在 (用于页面初始加载)
# 注意这无法检测Cookie是否过期只能检测文件在不在
# 在扫码流程中前端应该依赖上面第1步的返回
cookie_file = self.cookies_dir / f"{platform}_cookies.json"
# 2. 检查本地Cookie文件是否存在
cookie_file = self._get_cookie_path(platform, user_id)
if cookie_file.exists():
return {"success": True, "message": "已登录 (历史状态)"}
return {"success": False, "message": "未登录"}
def logout(self, platform: str) -> Dict[str, Any]:
def logout(self, platform: str, user_id: Optional[str] = None) -> Dict[str, Any]:
"""
Logout from platform (delete cookie file)
"""
@@ -200,15 +236,17 @@ class PublishService:
return {"success": False, "message": "不支持的平台"}
try:
session_key = self._get_session_key(platform, user_id)
# 1. 移除活跃会话
if platform in self.active_login_sessions:
del self.active_login_sessions[platform]
if session_key in self.active_login_sessions:
del self.active_login_sessions[session_key]
# 2. 删除Cookie文件
cookie_file = self.cookies_dir / f"{platform}_cookies.json"
cookie_file = self._get_cookie_path(platform, user_id)
if cookie_file.exists():
cookie_file.unlink()
logger.info(f"[登出] {platform} Cookie已删除")
logger.info(f"[登出] {platform} Cookie已删除 (user: {user_id or 'legacy'})")
return {"success": True, "message": "已注销"}
@@ -216,16 +254,17 @@ class PublishService:
logger.exception(f"[登出] 失败: {e}")
return {"success": False, "message": f"注销失败: {str(e)}"}
async def save_cookie_string(self, platform: str, cookie_string: str) -> Dict[str, Any]:
async def save_cookie_string(self, platform: str, cookie_string: str, user_id: Optional[str] = None) -> Dict[str, Any]:
"""
保存从客户端浏览器提取的Cookie字符串
Args:
platform: 平台ID
cookie_string: document.cookie 格式的Cookie字符串
user_id: 用户 ID (用于 Cookie 隔离)
"""
try:
account_file = self.cookies_dir / f"{platform}_cookies.json"
account_file = self._get_cookie_path(platform, user_id)
# 解析Cookie字符串
cookie_dict = {}
@@ -234,7 +273,7 @@ class PublishService:
name, value = item.split('=', 1)
cookie_dict[name] = value
# 对B站进行特殊处理提取biliup需要的字段
# 对B站进行特殊处理
if platform == "bilibili":
bilibili_cookies = {}
required_fields = ['SESSDATA', 'bili_jct', 'DedeUserID', 'DedeUserID__ckMd5']
@@ -243,7 +282,7 @@ class PublishService:
if field in cookie_dict:
bilibili_cookies[field] = cookie_dict[field]
if len(bilibili_cookies) < 3: # 至少需要3个关键字段
if len(bilibili_cookies) < 3:
return {
"success": False,
"message": "Cookie不完整请确保已登录"
@@ -251,11 +290,14 @@ class PublishService:
cookie_dict = bilibili_cookies
# 确保目录存在
account_file.parent.mkdir(parents=True, exist_ok=True)
# 保存Cookie
with open(account_file, 'w', encoding='utf-8') as f:
json.dump(cookie_dict, f, indent=2)
logger.success(f"[登录] {platform} Cookie已保存")
logger.success(f"[登录] {platform} Cookie已保存 (user: {user_id or 'legacy'})")
return {
"success": True,

73
backend/database/schema.sql Normal file
View File

@@ -0,0 +1,73 @@
-- ViGent 用户认证系统数据库表
-- 在 Supabase SQL Editor 中执行
-- 1. 创建 users 表
CREATE TABLE IF NOT EXISTS users (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
email TEXT UNIQUE NOT NULL,
password_hash TEXT NOT NULL,
username TEXT,
role TEXT DEFAULT 'pending' CHECK (role IN ('pending', 'user', 'admin')),
is_active BOOLEAN DEFAULT FALSE,
expires_at TIMESTAMP WITH TIME ZONE,
created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
updated_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
);
-- 2. 创建 user_sessions 表 (单设备登录)
CREATE TABLE IF NOT EXISTS user_sessions (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
user_id UUID REFERENCES users(id) ON DELETE CASCADE UNIQUE,
session_token TEXT UNIQUE NOT NULL,
device_info TEXT,
created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW()
);
-- 3. 创建 social_accounts 表 (社交账号绑定)
CREATE TABLE IF NOT EXISTS social_accounts (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
user_id UUID REFERENCES users(id) ON DELETE CASCADE,
platform TEXT NOT NULL CHECK (platform IN ('bilibili', 'douyin', 'xiaohongshu')),
logged_in BOOLEAN DEFAULT FALSE,
created_at TIMESTAMP WITH TIME ZONE DEFAULT NOW(),
UNIQUE(user_id, platform)
);
-- 4. 创建索引
CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);
CREATE INDEX IF NOT EXISTS idx_sessions_user_id ON user_sessions(user_id);
CREATE INDEX IF NOT EXISTS idx_social_user_platform ON social_accounts(user_id, platform);
-- 5. 启用 RLS (行级安全)
ALTER TABLE users ENABLE ROW LEVEL SECURITY;
ALTER TABLE user_sessions ENABLE ROW LEVEL SECURITY;
ALTER TABLE social_accounts ENABLE ROW LEVEL SECURITY;
-- 6. RLS 策略 (Service Role 可以绑过 RLS所以后端使用 service_role key 时不受限)
-- 以下策略仅对 anon key 生效
-- users: 仅管理员可查看所有用户,普通用户只能查看自己
CREATE POLICY "Users can view own profile" ON users
FOR SELECT USING (auth.uid()::text = id::text);
-- user_sessions: 用户只能访问自己的 session
CREATE POLICY "Users can access own sessions" ON user_sessions
FOR ALL USING (user_id::text = auth.uid()::text);
-- social_accounts: 用户只能访问自己的社交账号
CREATE POLICY "Users can access own social accounts" ON social_accounts
FOR ALL USING (user_id::text = auth.uid()::text);
-- 7. 更新时间自动更新触发器
CREATE OR REPLACE FUNCTION update_updated_at()
RETURNS TRIGGER AS $$
BEGIN
NEW.updated_at = NOW();
RETURN NEW;
END;
$$ LANGUAGE plpgsql;
CREATE TRIGGER users_updated_at
BEFORE UPDATE ON users
FOR EACH ROW
EXECUTE FUNCTION update_updated_at();

7
backend/requirements.txt
View File

@@ -21,3 +21,10 @@ requests>=2.31.0
# 社交媒体发布
biliup>=0.4.0
# 用户认证
email-validator>=2.1.0
supabase>=2.0.0
python-jose[cryptography]>=3.3.0
passlib[bcrypt]>=1.7.4
bcrypt==4.0.1