增加 OIDC 登录方式，优化登录逻辑

Author: dushixiang

config.example.yaml

@@ -21,6 +21,12 @@ App:
   Users:
     # 使用 Bcrypt 加密，默认密码为 admin123，建议首次登录后修改密码，搜索 bcrypt在线加密网站 即可
     admin: "$2y$12$7DXcOiX1D59xNTIn5riUKusAPLP88LxxoczWmUT83MBj5EFznbp8a"
+  OIDC:
+    Enabled: false
+    Issuer: ""
+    ClientID: ""
+    ClientSecret: ""
+    RedirectURL: "http://localhost:8080/oidc/callback"
 
   # 串口配置
   Serial:

config/config.go

@@ -4,6 +4,7 @@ type AppConfig struct {
 	JWT    JWTConfig         `json:"JWT"`
 	Users  map[string]string `json:"Users"`  // 用户名 -> bcrypt加密的密码
 	Serial SerialConfig      `json:"Serial"` // 串口配置
+	OIDC   *OIDCConfig       `json:"OIDC"`   // OIDC配置（可选）
 }
 
 // JWTConfig JWT配置
@@ -16,3 +17,12 @@ type JWTConfig struct {
 type SerialConfig struct {
 	Port string `json:"Port"` // 串口路径，为空则自动检测
 }
+
+// OIDCConfig OIDC认证配置
+type OIDCConfig struct {
+	Enabled      bool   `json:"Enabled"`      // 是否启用OIDC
+	Issuer       string `json:"Issuer"`       // OIDC Provider的Issuer URL
+	ClientID     string `json:"ClientID"`     // Client ID
+	ClientSecret string `json:"ClientSecret"` // Client Secret
+	RedirectURL  string `json:"RedirectURL"`  // 回调URL
+}

go.mod

@@ -3,6 +3,7 @@ module github.com/dushixiang/uart_sms_forwarder
 go 1.25.0
 
 require (
+	github.com/coreos/go-oidc/v3 v3.17.0
 	github.com/go-orz/cache v0.0.4
 	github.com/go-orz/orz v0.2.10
 	github.com/golang-jwt/jwt/v5 v5.3.0
@@ -14,6 +15,7 @@ require (
 	go.bug.st/serial v1.6.4
 	go.uber.org/zap v1.27.1
 	golang.org/x/crypto v0.46.0
+	golang.org/x/oauth2 v0.34.0
 	gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df
 	gorm.io/gorm v1.31.1
 )
@@ -26,6 +28,7 @@ require (
 	github.com/glebarez/go-sqlite v1.22.0 // indirect
 	github.com/glebarez/sqlite v1.11.0 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
 	github.com/go-sql-driver/mysql v1.9.3 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect

go.sum

@@ -1,5 +1,7 @@
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=
+github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
 github.com/creack/goselect v0.1.3 h1:MaGNMclRo7P2Jl21hBpR1Cn33ITSbKP6E49RtfblLKc=
 github.com/creack/goselect v0.1.3/go.mod h1:a/NhLweNvqIYMuxcMOuWY516Cimucms3DglDzQP3hKY=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -17,6 +19,8 @@ github.com/glebarez/sqlite v1.11.0 h1:wSG0irqzP6VurnMEpFGer5Li19RpIRi2qvQz++w0GM
 github.com/glebarez/sqlite v1.11.0/go.mod h1:h8/o8j5wiAsqSPoWELDUdJXhjAhsVliSn7bWZjOhrgQ=
 github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk=
 github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-orz/cache v0.0.4 h1:A8EwJQPiuctmnukFqkWFv4yoOKVen7DEpCVjSJAkAtw=
 github.com/go-orz/cache v0.0.4/go.mod h1:qY5/YWUiMMFDHnWMCUJQakXILwJ/sIvbNCR04k08fBs=
 github.com/go-orz/orz v0.2.10 h1:SGUwZxAh7B73K1FJTTqKcYeQANpQqJF8V6ej/9kRl/I=
@@ -120,6 +124,8 @@ golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
 golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
 golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
 golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

internal/app.go

@@ -92,8 +92,12 @@ func setup(app *orz.App) error {
 	)
 	serialService.SetScheduledTaskStatusUpdater(schedulerService.UpdateLastRunStatusByMsgId)
 
-	// 8. 初始化 Handler
-	authHandler := handler.NewAuthHandler(logger, &appConfig)
+	// 8. 初始化 OIDC 和 Account Service
+	oidcService := service.NewOIDCService(logger, &appConfig)
+	accountService := service.NewAccountService(logger, oidcService, &appConfig)
+
+	// 9. 初始化 Handler
+	authHandler := handler.NewAuthHandler(logger, accountService)
 	propertyHandler := handler.NewPropertyHandler(logger, propertyService, notifier)
 	textMessageHandler := handler.NewTextMessageHandler(logger, textMessageService, textMessageRepo)
 	serialHandler := handler.NewSerialHandler(logger, serialService)
@@ -107,10 +111,10 @@ func setup(app *orz.App) error {
 		ScheduledTask: scheduledTaskHandler,
 	}
 
-	// 9. 设置 API 路由
+	// 10. 设置 API 路由
 	setupApi(app, handlers, &appConfig, logger)
 
-	// 10. 启动后台服务
+	// 11. 启动后台服务
 	background := context.Background()
 	// 启动串口服务
 	go serialService.Start()
@@ -171,6 +175,9 @@ func setupApi(app *orz.App, handlers *Handlers, appConfig *config.AppConfig, log
 
 	// 登录路由（不需要认证）
 	e.POST("/api/login", handlers.Auth.Login)
+	e.GET("/api/auth/config", handlers.Auth.GetAuthConfig)
+	e.GET("/api/auth/oidc/url", handlers.Auth.GetOIDCAuthURL)
+	e.POST("/api/auth/oidc/callback", handlers.Auth.OIDCCallback)
 
 	// API 路由组（需要认证）
 	api := e.Group("/api")

internal/handler/auth_handler.go

@@ -3,24 +3,22 @@ package handler
 import (
 	"net/http"
 
-	"github.com/dushixiang/uart_sms_forwarder/config"
-	"github.com/dushixiang/uart_sms_forwarder/internal/util"
+	"github.com/dushixiang/uart_sms_forwarder/internal/service"
 	"github.com/labstack/echo/v4"
 	"go.uber.org/zap"
-	"golang.org/x/crypto/bcrypt"
 )
 
 // AuthHandler 认证处理器
 type AuthHandler struct {
-	logger *zap.Logger
-	config *config.AppConfig
+	logger         *zap.Logger
+	accountService *service.AccountService
 }
 
 // NewAuthHandler 创建认证处理器
-func NewAuthHandler(logger *zap.Logger, config *config.AppConfig) *AuthHandler {
+func NewAuthHandler(logger *zap.Logger, accountService *service.AccountService) *AuthHandler {
 	return &AuthHandler{
-		logger: logger,
-		config: config,
+		logger:         logger,
+		accountService: accountService,
 	}
 }
 
@@ -42,7 +40,6 @@ func (h *AuthHandler) Login(c echo.Context) error {
 	// 获取请求参数
 	var req LoginRequest
 	if err := c.Bind(&req); err != nil {
-		h.logger.Warn("登录请求参数解析失败", zap.Error(err))
 		return c.JSON(http.StatusBadRequest, map[string]string{
 			"error": "请求参数错误",
 		})
@@ -55,49 +52,75 @@ func (h *AuthHandler) Login(c echo.Context) error {
 		})
 	}
 
-	// 从配置中获取用户密码哈希
-	passwordHash, exists := h.config.Users[req.Username]
-	if !exists {
-		h.logger.Warn("用户不存在", zap.String("username", req.Username))
+	// 使用 AccountService 进行登录
+	ctx := c.Request().Context()
+	loginResp, err := h.accountService.Login(ctx, req.Username, req.Password)
+	if err != nil {
 		return c.JSON(http.StatusBadRequest, map[string]string{
 			"error": "用户名或密码错误",
 		})
 	}
 
-	// 验证密码
-	err := bcrypt.CompareHashAndPassword([]byte(passwordHash), []byte(req.Password))
+	// 返回 token 和用户信息
+	return c.JSON(http.StatusOK, LoginResponse{
+		Token:     loginResp.Token,
+		Username:  loginResp.User.Username,
+		ExpiresAt: loginResp.ExpiresAt,
+	})
+}
+
+// GetAuthConfig 获取认证配置
+func (h *AuthHandler) GetAuthConfig(c echo.Context) error {
+	config := h.accountService.GetAuthConfig()
+	return c.JSON(http.StatusOK, config)
+}
+
+// GetOIDCAuthURL 获取 OIDC 认证 URL
+func (h *AuthHandler) GetOIDCAuthURL(c echo.Context) error {
+	authURL, err := h.accountService.GetOIDCAuthURL()
 	if err != nil {
-		h.logger.Warn("密码验证失败",
-			zap.String("username", req.Username),
-			zap.Error(err),
-		)
 		return c.JSON(http.StatusBadRequest, map[string]string{
-			"error": "用户名或密码错误",
+			"error": err.Error(),
 		})
 	}
+	return c.JSON(http.StatusOK, authURL)
+}
 
-	// 生成 JWT token
-	token, expiresAt, err := util.GenerateToken(
-		req.Username,
-		h.config.JWT.Secret,
-		h.config.JWT.ExpiresHours,
-	)
-	if err != nil {
-		h.logger.Error("生成 token 失败",
-			zap.String("username", req.Username),
-			zap.Error(err),
-		)
-		return c.JSON(http.StatusInternalServerError, map[string]string{
-			"error": "登录失败，请稍后重试",
+// OIDCCallbackRequest OIDC 回调请求
+type OIDCCallbackRequest struct {
+	Code  string `json:"code" validate:"required"`
+	State string `json:"state" validate:"required"`
+}
+
+// OIDCCallback 处理 OIDC 回调
+func (h *AuthHandler) OIDCCallback(c echo.Context) error {
+	var req OIDCCallbackRequest
+	if err := c.Bind(&req); err != nil {
+		return c.JSON(http.StatusBadRequest, map[string]string{
+			"error": "请求参数错误",
 		})
 	}
 
-	h.logger.Info("用户登录成功", zap.String("username", req.Username))
+	if req.Code == "" || req.State == "" {
+		return c.JSON(http.StatusBadRequest, map[string]string{
+			"error": "缺少必要参数",
+		})
+	}
+
+	// 使用 AccountService 处理 OIDC 登录
+	ctx := c.Request().Context()
+	loginResp, err := h.accountService.LoginWithOIDC(ctx, req.Code, req.State)
+	if err != nil {
+		h.logger.Error("OIDC 登录失败", zap.Error(err))
+		return c.JSON(http.StatusUnauthorized, map[string]string{
+			"error": "OIDC 认证失败",
+		})
+	}
 
 	// 返回 token 和用户信息
 	return c.JSON(http.StatusOK, LoginResponse{
-		Token:     token,
-		Username:  req.Username,
-		ExpiresAt: expiresAt,
+		Token:     loginResp.Token,
+		Username:  loginResp.User.Username,
+		ExpiresAt: loginResp.ExpiresAt,
 	})
 }