simon/wecom_it_smart_desk
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bf872da8bb29ede117e0627057434fc0380c4026
wecom_it_smart_desk/backend/alembic/versions/022_qrcode_login.py
T
Simon bf872da8bb feat(merge): 4 个 worktree 合入 main(扫码+MFA+高危+P0) 
合入内容:
- worktree-A (auth_qrcode): 13 测试  — Phase 1.1 后端扫码登录
- worktree-B (mfa): 21 测试  — Phase 2.1 MFA TOTP + User 字段
- worktree-C (high_risk_guard): 28 测试  — Phase 1.3 高危守卫
- worktree-D (p0-fixes): 16 测试  — P0/P1 合规(WS 签名+UUID+access_log)

合并方式: 各 worktree 提取 format-patch → 只 apply 新增文件 → 手动合并 router.py/dependencies.py 冲突

新文件 (16):
  backend/alembic/versions/022_qrcode_login.py
  backend/alembic/versions/023_mfa_fields.py
  backend/alembic/versions/025_messages_id_uuid.py
  backend/app/api/auth_qrcode.py
  backend/app/api/high_risk_routes.py
  backend/app/api/mfa.py
  backend/app/schemas/mfa.py
  backend/app/schemas/qrcode.py
  backend/app/services/high_risk_guard.py
  backend/app/services/mfa_service.py
  backend/app/services/qrcode_service.py
  backend/scripts/nginx-access-log-sanitize.sh
  backend/tests/test_auth_qrcode.py (13)
  backend/tests/test_high_risk_guard.py (28)
  backend/tests/test_mfa.py (21)
  backend/tests/test_messages_uuid.py
  backend/tests/test_ws_endpoints.py
  backend/tests/test_ws_push_to_employee.py (xfail 4)

修改 (4):
  backend/app/api/router.py — 注册 auth_qrcode/high_risk_routes/mfa 3 个 router
  backend/app/dependencies.py — 加 HIGH_RISK_OPERATIONS + require_high_risk_otp
  backend/app/models/agent.py — mfa_secret/mfa_enabled/mfa_bound_at/mfa_last_verified_at
  backend/tests/conftest.py — create_test_conversation 接 db_session

测试结果(新增 78 + xfail 4):
  tests/test_auth_qrcode.py      13 passed
  tests/test_high_risk_guard.py  28 passed
  tests/test_mfa.py              21 passed
  tests/test_messages_uuid.py     8 passed
  tests/test_ws_endpoints.py      8 passed
  tests/test_ws_push_to_employee.py 4 xfailed (端点路径不一致,pre-existing)

4 端 frontend build 全部通过(agent/portal/admin/h5)

后续 TODO (用户操作):
1. 撤销 Gitea token 5ad83d... via Web UI
2. 跑 alembic upgrade head(生产 PG,025 messages UUID)
3. 应用 nginx access_log 脱敏(进容器改 conf)
4. 部署 backend + 4 端 dist + nginx reload

Co-Authored-By: Claude <noreply@anthropic.com>
2026-06-21 03:08:54 +08:00

51 lines
1.7 KiB
Python
Raw Blame History

"""qrcode login (Phase 1.1)
Revision ID: 022_qrcode_login
Revises: 021_rbac
Create Date: 2026-06-21
Phase 1.1 扫码登录后端接口(task #14)。
设计说明:
扫码登录的所有状态都存在 Redis(无需新增数据库表):
- qrcode:ticket:{ticket}{created_at, expires_at}, TTL 120s
- qrcode:scan:{ticket}{employee_id, name, scanned_at}, TTL 120s
- qrcode:confirm:{ticket}{token, confirmed_at, roles}, TTL 60s
不动 User / Agent 模型(MFA 字段留给 Phase 2.1)。
不动 auth2fa.py(SMS 备用通道保留)。
为什么仍然生成这个 migration 文件:
1. alembic 版本链不能断,021 → 022 必须存在(后续 023+ 需要接续)
2. 标记 Phase 1.1 上线,方便运维追溯和回滚标记
3. upgrade()/downgrade() 都是空操作,因为没有 schema 变更
运维注意事项:
- 该 migration 不需要执行 SQL(已注释),但需要"alembic stamp 022"让 alembic_version 表对齐
- 如果未来扫码登录要持久化历史记录(审计/防滥用),再追加 023_qrcode_audit.py 加 qrcode_login_logs 表
"""
from alembic import op
import sqlalchemy as sa
# revision identifiers, used by Alembic.
revision = "022_qrcode_login"
down_revision = "021_rbac"
branch_labels = None
depends_on = None
def upgrade() -> None:
"""Phase 1.1 扫码登录无 schema 变更,upgrade 留空。
预留说明: 如果部署时 alembic stamp 未执行,导致 backend 启动报
"alembic_version" mismatch,只需 `alembic stamp 022` 即可对齐。
"""
# 故意 pass:扫码登录的所有数据存 Redis,无 DB schema 变更
pass
def downgrade() -> None:
"""Phase 1.1 扫码登录无 schema 变更,downgrade 留空。"""
# 故意 pass
pass
Reference in New Issue View Git Blame Copy Permalink