📝 增加日志记录设施，记录登录行为。

Author: langyo

packages/database/src/models/system/sys_action_log.rs

@@ -1,7 +1,7 @@
 use sea_orm::entity::prelude::*;
 use serde::{Deserialize, Serialize};
 
-use _utils::types::SystemActionLogAction;
+use _utils::types::{SysActionLogExtra, SystemActionLogAction};
 
 #[derive(Clone, Debug, PartialEq, DeriveEntityModel, Deserialize, Serialize)]
 #[sea_orm(table_name = "sys_action_log", schema_name = "genshin_map")]
@@ -33,8 +33,8 @@ pub struct Model {
     /// 是否发生错误
     pub is_error: bool,
     /// 附加信息
-    /// TODO: 原客户端的设计中，这个值似乎总是为 {"accessPaths":[]}
-    pub extra_data: Option<serde_json::Value>,
+    #[sea_orm(column_type = "Json")]
+    pub extra_data: SysActionLogExtra,
 }
 
 #[derive(Debug, Clone, Copy, EnumIter, DeriveRelation)]

packages/database/src/models/system/sys_user.rs

@@ -1,7 +1,7 @@
 use sea_orm::entity::prelude::*;
 use serde::{Deserialize, Serialize};
 
-use _utils::types::SystemUserRole;
+use _utils::types::{AccessPolicyList, SystemUserRole};
 
 #[derive(Clone, Debug, PartialEq, DeriveEntityModel, Deserialize, Serialize)]
 #[sea_orm(table_name = "sys_user", schema_name = "genshin_map")]
@@ -42,7 +42,8 @@ pub struct Model {
     /// 角色 ID
     pub role_id: SystemUserRole,
     /// 权限策略
-    pub access_policy: Option<serde_json::Value>,
+    #[sea_orm(column_type = "Json")]
+    pub access_policy: AccessPolicyList,
     /// 备注
     pub remark: Option<String>,
 }

packages/functions/src/functions/system/oauth.rs

@@ -1,28 +1,25 @@
 use anyhow::{anyhow, Result};
+use std::net::SocketAddr;
 
 use redis::{AsyncTypedCommands, SetOptions};
-use sea_orm::prelude::*;
+use sea_orm::{prelude::*, ActiveValue::Set};
 
 use _database::{models, DB_CONN};
 use _utils::{
     bcrypt::verify_hash,
     jwt::{generate_token, EXPIRED_APPEND_DURATION},
-    types::auth::{OauthAnonymousResponse, OauthLoginResponse, OauthScopeType, OauthTokenType},
+    types::{
+        auth::{OauthAnonymousResponse, OauthLoginResponse, OauthScopeType, OauthTokenType},
+        SystemActionLogAction,
+    },
 };
 
-pub async fn oauth_password_login(
-    username: String,
-    password: String,
+async fn oauth_password_login_inner(
+    item: models::system::sys_user::Model,
+    password_raw: String,
 ) -> Result<OauthLoginResponse> {
-    let item = models::system::sys_user::Entity::find()
-        .filter(models::system::sys_user::Column::DelFlag.eq(false))
-        .filter(models::system::sys_user::Column::Username.eq(username))
-        .one(&DB_CONN.wait().pg_conn)
-        .await?
-        .ok_or(anyhow!("User not found"))?;
-
     if !verify_hash(
-        password,
+        password_raw,
         item.password
             .strip_prefix("{bcrypt}")
             .ok_or(anyhow!("Failed to strip bcrypt prefix"))?,
@@ -73,6 +70,38 @@ pub async fn oauth_password_login(
     })
 }
 
+pub async fn oauth_password_login(
+    username: String,
+    password_raw: String,
+    ip: SocketAddr,
+    user_agent: String,
+) -> Result<OauthLoginResponse> {
+    let item = models::system::sys_user::Entity::find()
+        .filter(models::system::sys_user::Column::DelFlag.eq(false))
+        .filter(models::system::sys_user::Column::Username.eq(username))
+        .one(&DB_CONN.wait().pg_conn)
+        .await?
+        .ok_or(anyhow!("User not found"))?;
+    let user_id = item.id;
+
+    // TODO: 根据 access_policy 指定的模式，对请求做各种检查
+    let ret = oauth_password_login_inner(item, password_raw).await;
+
+    models::system::sys_action_log::ActiveModel {
+        user_id: Set(Some(user_id)),
+        ipv4: Set(Some(ip.to_string())),
+        device_id: Set(user_agent),
+        action: Set(SystemActionLogAction::Login),
+        is_error: Set(ret.is_err()),
+        extra_data: Set(Default::default()),
+        ..Default::default()
+    }
+    .insert(&DB_CONN.wait().pg_conn)
+    .await?;
+
+    ret
+}
+
 pub async fn oauth_client_credentials(scope: String) -> Result<OauthAnonymousResponse> {
     // Handle client credentials grant type
     todo!()

packages/router/src/routes/system/oauth.rs

@@ -3,7 +3,7 @@ use serde::Deserialize;
 use std::{collections::HashMap, net::SocketAddr};
 
 use axum::{
-    extract::{ConnectInfo, Form, Json, Multipart, Query},
+    extract::{ConnectInfo, Json, Multipart, Query},
     http::StatusCode,
     response::IntoResponse,
 };
@@ -78,7 +78,7 @@ pub async fn oauth(
             .remove("password")
             .ok_or((StatusCode::BAD_REQUEST, "Password is required".into()))?;
         return Ok(Json(
-            oauth_password_login(username, password)
+            oauth_password_login(username, password, ip, user_agent)
                 .await
                 .map_err(|err| (StatusCode::INTERNAL_SERVER_ERROR, err.to_string()))?,
         )

packages/utils/src/types/auth.rs

@@ -3,6 +3,7 @@ use strum::{AsRefStr, Display, EnumIter};
 use uuid::Uuid;
 
 #[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
+#[serde(rename_all = "snake_case")]
 pub struct OauthLoginResponse {
     /// 访问令牌
     pub access_token: String,
@@ -19,6 +20,7 @@ pub struct OauthLoginResponse {
 }
 
 #[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]
+#[serde(rename_all = "snake_case")]
 pub struct OauthAnonymousResponse {
     /// 访问令牌
     pub access_token: String,

packages/utils/src/types/system.rs

@@ -1,7 +1,7 @@
 use serde::{Deserialize, Serialize};
-use strum::EnumIter;
+use strum::{AsRefStr, Display, EnumIter, EnumString};
 
-use sea_orm::prelude::*;
+use sea_orm::{prelude::*, FromJsonQueryResult};
 
 use super::HiddenFlag;
 
@@ -13,6 +13,64 @@ pub enum SystemActionLogAction {
     Login,
 }
 
+#[derive(Debug, Clone, PartialEq, Default, Serialize, Deserialize, FromJsonQueryResult)]
+#[serde(rename_all = "camelCase")]
+pub struct SysActionLogExtra {
+    pub access_paths: Vec<AccessPolicyItem>,
+}
+
+#[derive(Debug, Clone, PartialEq, Default, Serialize, Deserialize, FromJsonQueryResult)]
+pub struct AccessPolicyList(pub Vec<AccessPolicyItemEnum>);
+
+#[derive(Debug, Clone, PartialEq, Serialize, Deserialize, FromJsonQueryResult)]
+#[serde(rename_all = "camelCase")]
+pub struct AccessPolicyItem {
+    pub passed: bool,
+    pub policy: AccessPolicyItemEnum,
+}
+
+#[derive(
+    Debug, Clone, Copy, PartialEq, Serialize, Deserialize, EnumIter, AsRefStr, EnumString, Display,
+)]
+pub enum AccessPolicyItemEnum {
+    /// 与最后一次登录 IP 相同
+    #[strum(serialize = "ip:same_last_ip")]
+    #[serde(rename = "ip:same_last_ip")]
+    IpSameLastIp,
+    /// 对列表中有效的 IP 放行
+    #[strum(serialize = "ip:pass_allow_ip")]
+    #[serde(rename = "ip:pass_allow_ip")]
+    IpPassAllowIp,
+    /// 对列表中禁用的 IP 拦截
+    #[strum(serialize = "ip:block_disallow_ip")]
+    #[serde(rename = "ip:block_disallow_ip")]
+    IpBlockDisallowIp,
+    /// 与最后一次登录地区相同
+    #[strum(serialize = "ip:same_last_region")]
+    #[serde(rename = "ip:same_last_region")]
+    IpSameLastRegion,
+    /// 对列表中有效的地区放行
+    #[strum(serialize = "ip:pass_allow_region")]
+    #[serde(rename = "ip:pass_allow_region")]
+    IpPassAllowRegion,
+    /// 对列表中禁用的地区拦截
+    #[strum(serialize = "ip:block_disallow_region")]
+    #[serde(rename = "ip:block_disallow_region")]
+    IpBlockDisallowRegion,
+    /// 与最后一次登录设备相同
+    #[strum(serialize = "dev:same_last_device")]
+    #[serde(rename = "dev:same_last_device")]
+    DevSameLastDevice,
+    /// 对列表中有效的设备放行
+    #[strum(serialize = "dev:pass_allow_device")]
+    #[serde(rename = "dev:pass_allow_device")]
+    DevPassAllowDevice,
+    /// 对列表中禁用的设备拦截
+    #[strum(serialize = "dev:block_disallow_device")]
+    #[serde(rename = "dev:block_disallow_device")]
+    DevBlockDisallowDevice,
+}
+
 #[derive(Debug, Clone, Copy, PartialEq, Serialize, Deserialize, EnumIter, DeriveActiveEnum)]
 #[sea_orm(rs_type = "i32", db_type = "Integer")]
 pub enum SystemUserRole {