Merge pull request #211 from nagisa77/codex/optimize-google-registration-process

Improve login error handling and Google whitelist signup

open-isle-cli/src/utils/google.js

@@ -1,33 +1,47 @@
 import { API_BASE_URL, GOOGLE_CLIENT_ID, toast } from '../main'
 import { setToken, loadCurrentUser } from './auth'
 
-export function googleSignIn(redirect, reason) {
-  if (!window.google || !GOOGLE_CLIENT_ID) {
-    toast.error('Google 登录不可用')
-    return
-  }
-  window.google.accounts.id.initialize({
-    client_id: GOOGLE_CLIENT_ID,
-    callback: async ({ credential }) => {
-      try {
-        const res = await fetch(`${API_BASE_URL}/api/auth/google`, {
-          method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
-          body: JSON.stringify({ idToken: credential, reason })
-        })
-        const data = await res.json()
-        if (res.ok && data.token) {
-          setToken(data.token)
-          await loadCurrentUser()
-          toast.success('登录成功')
-          if (redirect) redirect()
-        } else {
-          toast.error(data.error || '登录失败')
-        }
-      } catch (e) {
-        toast.error('登录失败')
-      }
+export async function googleGetIdToken() {
+  return new Promise((resolve, reject) => {
+    if (!window.google || !GOOGLE_CLIENT_ID) {
+      toast.error('Google 登录不可用')
+      reject()
+      return
     }
+    window.google.accounts.id.initialize({
+      client_id: GOOGLE_CLIENT_ID,
+      callback: ({ credential }) => resolve(credential)
+    })
+    window.google.accounts.id.prompt()
   })
-  window.google.accounts.id.prompt()
+}
+
+export async function googleAuthWithToken(idToken, reason, redirect) {
+  try {
+    const res = await fetch(`${API_BASE_URL}/api/auth/google`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ idToken, reason })
+    })
+    const data = await res.json()
+    if (res.ok && data.token) {
+      setToken(data.token)
+      await loadCurrentUser()
+      toast.success('登录成功')
+      if (redirect) redirect()
+    } else {
+      toast.error(data.error || '登录失败')
+    }
+  } catch (e) {
+    toast.error('登录失败')
+  }
+}
+
+export async function googleSignIn(redirect, reason) {
+  try {
+    const token = await googleGetIdToken()
+    await googleAuthWithToken(token, reason, redirect)
+  } catch {
+    /* ignore */
+  }
 }

open-isle-cli/src/views/SignupPageView.vue

@@ -82,7 +82,7 @@
 
 <script>
 import { API_BASE_URL, toast } from '../main'
-import { googleSignIn } from '../utils/google'
+import { googleSignIn, googleGetIdToken } from '../utils/google'
 import BaseInput from '../components/BaseInput.vue'
 export default {
   name: 'SignupPageView',
@@ -197,7 +197,10 @@ export default {
     },
     signupWithGoogle() {
       if (this.registerMode === 'WHITELIST') {
-        this.$router.push('/signup-reason?google=1')
+        googleGetIdToken().then(token => {
+          sessionStorage.setItem('google_id_token', token)
+          this.$router.push('/signup-reason?google=1')
+        }).catch(() => {})
       } else {
         googleSignIn(() => {
           this.$router.push('/')

open-isle-cli/src/views/SignupReasonPageView.vue

@@ -16,7 +16,7 @@
 <script>
 import BaseInput from '../components/BaseInput.vue'
 import { API_BASE_URL, toast } from '../main'
-import { googleSignIn } from '../utils/google'
+import { googleAuthWithToken } from '../utils/google'
 
 export default {
   name: 'SignupReasonPageView',
@@ -25,16 +25,20 @@ export default {
     return {
       reason: '',
       error: '',
-      isGoogle: false, 
-      isWaitingForRegister: false
+      isGoogle: false,
+      isWaitingForRegister: false,
+      googleToken: ''
     }
   },
   mounted() {
     this.isGoogle = this.$route.query.google === '1'
-    if (!this.isGoogle) {
-      if (!sessionStorage.getItem('signup_username')) {
+    if (this.isGoogle) {
+      this.googleToken = sessionStorage.getItem('google_id_token') || ''
+      if (!this.googleToken) {
         this.$router.push('/signup')
       }
+    } else if (!sessionStorage.getItem('signup_username')) {
+      this.$router.push('/signup')
     }
   },
   methods: {
@@ -44,7 +48,13 @@ export default {
         return
       }
       if (this.isGoogle) {
-        googleSignIn(() => { this.$router.push('/') }, this.reason)
+        const token = this.googleToken || sessionStorage.getItem('google_id_token')
+        if (!token) {
+          toast.error('Google 登录失败')
+          return
+        }
+        await googleAuthWithToken(token, this.reason, () => { this.$router.push('/') })
+        sessionStorage.removeItem('google_id_token')
         return
       }
       try {

src/main/java/com/openisle/controller/AuthController.java

@@ -72,12 +72,24 @@ public class AuthController {
         if (captchaEnabled && loginCaptchaEnabled && !captchaService.verify(req.getCaptcha())) {
             return ResponseEntity.badRequest().body(Map.of("error", "Invalid captcha"));
         }
-        Optional<User> user = userService.authenticate(req.getUsername(), req.getPassword());
-        if (user.isPresent()) {
-            return ResponseEntity.ok(Map.of("token", jwtService.generateToken(user.get().getUsername())));
-        } else {
-            return ResponseEntity.badRequest().body(Map.of("error", "Invalid credentials or user not verified"));
+        Optional<User> userOpt = userService.findByUsername(req.getUsername());
+        if (userOpt.isEmpty() || !userService.matchesPassword(userOpt.get(), req.getPassword())) {
+            return ResponseEntity.badRequest().body(Map.of(
+                    "error", "Invalid credentials",
+                    "reason_code", "INVALID_CREDENTIALS"));
         }
+        User user = userOpt.get();
+        if (!user.isVerified()) {
+            return ResponseEntity.badRequest().body(Map.of(
+                    "error", "User not verified",
+                    "reason_code", "NOT_VERIFIED"));
+        }
+        if (!user.isApproved()) {
+            return ResponseEntity.badRequest().body(Map.of(
+                    "error", "Register reason not approved",
+                    "reason_code", "NOT_APPROVED"));
+        }
+        return ResponseEntity.ok(Map.of("token", jwtService.generateToken(user.getUsername())));
     }
 
     @PostMapping("/google")

src/main/java/com/openisle/service/UserService.java

@@ -94,6 +94,10 @@ public class UserService {
                 .filter(user -> passwordEncoder.matches(password, user.getPassword()));
     }
 
+    public boolean matchesPassword(User user, String rawPassword) {
+        return passwordEncoder.matches(rawPassword, user.getPassword());
+    }
+
     public Optional<User> findByUsername(String username) {
         return userRepository.findByUsername(username);
     }

src/test/java/com/openisle/controller/AuthControllerTest.java

@@ -73,7 +73,8 @@ class AuthControllerTest {
     void loginReturnsToken() throws Exception {
         User user = new User();
         user.setUsername("u");
-        Mockito.when(userService.authenticate("u", "p")).thenReturn(Optional.of(user));
+        Mockito.when(userService.findByUsername("u")).thenReturn(Optional.of(user));
+        Mockito.when(userService.matchesPassword(user, "p")).thenReturn(true);
         Mockito.when(jwtService.generateToken("u")).thenReturn("token");
 
         mockMvc.perform(post("/api/auth/login")
@@ -85,12 +86,12 @@ class AuthControllerTest {
 
     @Test
     void loginFails() throws Exception {
-        Mockito.when(userService.authenticate("u", "bad")).thenReturn(Optional.empty());
+        Mockito.when(userService.findByUsername("u")).thenReturn(Optional.empty());
 
         mockMvc.perform(post("/api/auth/login")
                         .contentType(MediaType.APPLICATION_JSON)
                         .content("{\"username\":\"u\",\"password\":\"bad\"}"))
                 .andExpect(status().isBadRequest())
-                .andExpect(jsonPath("$.error").value("Invalid credentials or user not verified"));
+                .andExpect(jsonPath("$.reason_code").value("INVALID_CREDENTIALS"));
     }
 }