feat: login logic

open-isle-cli/src/utils/github.js

@@ -23,19 +23,37 @@ export async function githubExchange(code, state, reason) {
       setToken(data.token)
       await loadCurrentUser()
       toast.success('登录成功')
-      return true
+      return {
+        success: true,
+        needReason: false
+      }
     } else if (data.reason_code === 'NOT_APPROVED') {
       toast.info('当前为注册审核模式，请填写注册理由')
-      sessionStorage.setItem('github_code', code)
+      return {
-      return 'NEED_REASON'
+        success: false,
+        needReason: true,
+        token: data.token
+      }
     } else if (data.reason_code === 'IS_APPROVING') {
       toast.info('您的注册理由正在审批中')
-      return true
+      return {
+        success: true,
+        needReason: false
+      }
     } else {
       toast.error(data.error || '登录失败')
+      return {
+        success: false,
+        needReason: false,
+        error: data.error || '登录失败'
+      }
     }
   } catch (e) {
     toast.error('登录失败')
+    return {
+      success: false,
+      needReason: false,
+      error: '登录失败'
+    }
   }
-  return false
 }

open-isle-cli/src/utils/google.js

@@ -17,12 +17,12 @@ export async function googleGetIdToken() {
   })
 }
 
-export async function googleAuthWithToken(idToken, reason, redirect_success, redirect_not_approved) {
+export async function googleAuthWithToken(idToken, redirect_success, redirect_not_approved) {
   try {
     const res = await fetch(`${API_BASE_URL}/api/auth/google`, {
       method: 'POST',
       headers: { 'Content-Type': 'application/json' },
-      body: JSON.stringify({ idToken, reason })
+      body: JSON.stringify({ idToken })
     })
     const data = await res.json()
     if (res.ok && data.token) {
@@ -32,8 +32,7 @@ export async function googleAuthWithToken(idToken, reason, redirect_success, red
       if (redirect_success) redirect_success()
     } else if (data.reason_code === 'NOT_APPROVED') {
       toast.info('当前为注册审核模式，请填写注册理由')
-      sessionStorage.setItem('google_id_token', idToken)
+      if (redirect_not_approved) redirect_not_approved(data.token)
-      if (redirect_not_approved) redirect_not_approved()
     } else if (data.reason_code === 'IS_APPROVING') {
       toast.info('您的注册理由正在审批中')      
       if (redirect_success) redirect_success()
@@ -46,7 +45,7 @@ export async function googleAuthWithToken(idToken, reason, redirect_success, red
 export async function googleSignIn(redirect_success, redirect_not_approved) {
   try {
     const token = await googleGetIdToken()
-    await googleAuthWithToken(token, '', redirect_success, redirect_not_approved)
+    await googleAuthWithToken(token, redirect_success, redirect_not_approved)
   } catch {
     /* ignore */
   }

open-isle-cli/src/views/GithubCallbackPageView.vue

@@ -12,8 +12,9 @@ export default {
     const code = url.searchParams.get('code')
     const state = url.searchParams.get('state')
     const result = await githubExchange(code, state, '')
-    if (result === 'NEED_REASON') {
+
-      this.$router.push('/signup-reason?github=1')
+    if (result.needReason) {
+      this.$router.push('/signup-reason?token=' + result.token)
     } else {
       this.$router.push('/')
     }

open-isle-cli/src/views/LoginPageView.vue

@@ -75,7 +75,6 @@ export default {
           toast.success('登录成功')
           this.$router.push('/')
         } else if (data.reason_code === 'NOT_VERIFIED') {
-          sessionStorage.setItem('signup_username', data.username)
           toast.info('当前邮箱未验证，已经为您重新发送验证码')
           this.$router.push({ path: '/signup', query: { verify: 1, u: this.username } })
         } else if (data.reason_code === 'NOT_APPROVED') {
@@ -89,11 +88,14 @@ export default {
       }
     },
     loginWithGoogle() {
-      googleSignIn(() => {
+      googleSignIn(
+        () => {
           this.$router.push('/')
-      }, () => {
+        },
-        this.$router.push('/signup-reason?google=1')
+        (token) => {
-      })
+          this.$router.push('/signup-reason?token=' + token)
+        }
+      )
     },
     loginWithGithub() {
       githubAuthorize()

open-isle-cli/src/views/SignupPageView.vue

@@ -86,7 +86,7 @@
 
 <script>
 import { API_BASE_URL, toast } from '../main'
-import { googleSignIn, googleGetIdToken } from '../utils/google'
+import { googleSignIn } from '../utils/google'
 import { githubAuthorize } from '../utils/github'
 import BaseInput from '../components/BaseInput.vue'
 export default {
@@ -145,15 +145,7 @@ export default {
       if (this.emailError || this.passwordError || this.usernameError) {
         return
       }
-      if (this.registerMode === 'WHITELIST') {
-        sessionStorage.setItem('signup_username', this.username)
-        sessionStorage.setItem('signup_email', this.email)
-        sessionStorage.setItem('signup_password', this.password)
-        this.$router.push('/signup-reason')
-        return
-      }
       try {
-        console.log('base url: ', API_BASE_URL)
         this.isWaitingForEmailSent = true
         const res = await fetch(`${API_BASE_URL}/api/auth/register`, {
           method: 'POST',
@@ -194,8 +186,12 @@ export default {
         this.isWaitingForEmailVerified = false
         const data = await res.json()
         if (res.ok) {
+          if (this.registerMode === 'WHITELIST') {
+            this.$router.push('/signup-reason?token=' + data.token)
+          } else {
             toast.success('注册成功，请登录')
             this.$router.push('/login')
+          }
         } else {
           toast.error(data.error || '注册失败')
         }
@@ -204,18 +200,11 @@ export default {
       }
     },
     signupWithGoogle() {
-      if (this.registerMode === 'WHITELIST') {
-        googleGetIdToken().then(token => {
-          sessionStorage.setItem('google_id_token', token)
-          this.$router.push('/signup-reason?google=1')
-        }).catch(() => {})
-      } else {
       googleSignIn(() => {
           this.$router.push('/')
-        }, () => {
+        }, (token) => {
-          this.$router.push('/signup-reason?google=1')
+          this.$router.push('/signup-reason?token=' + token)
         })
-      }
     },
     signupWithGithub() {
       githubAuthorize()

open-isle-cli/src/views/SignupReasonPageView.vue

@@ -19,8 +19,6 @@
 <script>
 import BaseInput from '../components/BaseInput.vue'
 import { API_BASE_URL, toast } from '../main'
-import { googleAuthWithToken } from '../utils/google'
-import { githubExchange } from '../utils/github'
 
 export default {
   name: 'SignupReasonPageView',
@@ -29,27 +27,13 @@ export default {
     return {
       reason: '',
       error: '',
-      isGoogle: false,
-      isGithub: false,
       isWaitingForRegister: false,
-      googleToken: '',
+      token: '',
-      githubCode: ''
     }
   },
   mounted() {
-    this.isGoogle = this.$route.query.google === '1'
+    this.token = this.$route.query.token || ''
-    this.isGithub = this.$route.query.github === '1'
+    if (!this.token) {
-    if (this.isGoogle) {
-      this.googleToken = sessionStorage.getItem('google_id_token') || ''
-      if (!this.googleToken) {
-        this.$router.push('/signup')
-      }
-    } else if (this.isGithub) {
-      this.githubCode = sessionStorage.getItem('github_code') || ''
-      if (!this.githubCode) {
-        this.$router.push('/signup')
-      }
-    } else if (!sessionStorage.getItem('signup_username')) {
         this.$router.push('/signup')
     }
   },
@@ -59,61 +43,33 @@ export default {
         this.error = '请至少输入20个字'
         return
       }
-      if (this.isGoogle) {
+
-        this.isWaitingForRegister = true
-        const token = this.googleToken || sessionStorage.getItem('google_id_token')
-        if (!token) {
-          toast.error('Google 登录失败')
-          return
-        }
-        await googleAuthWithToken(token, this.reason,
-          () => { this.$router.push('/') },
-          () => { this.error = 'Google 登录失败' }
-        )
-        this.isWaitingForRegister = false
-        sessionStorage.removeItem('google_id_token')
-        return
-      }
-      if (this.isGithub) {
-        this.isWaitingForRegister = true
-        const code = this.githubCode || sessionStorage.getItem('github_code')
-        if (!code) {
-          toast.error('GitHub 登录失败')
-          return
-        }
-        const result = await githubExchange(code, '', this.reason)
-        this.isWaitingForRegister = false
-        sessionStorage.removeItem('github_code')
-        if (result) {
-          this.$router.push('/')
-        } else {
-          this.error = 'GitHub 登录失败'
-        }
-        return
-      }
       try {
         this.isWaitingForRegister = true
-        const res = await fetch(`${API_BASE_URL}/api/auth/register`, {
+        const res = await fetch(`${API_BASE_URL}/api/auth/reason`, {
           method: 'POST',
-          headers: { 'Content-Type': 'application/json' },
+          headers: { 
+            'Content-Type': 'application/json',
+            'Authorization': `Bearer ${this.token}`
+          },
           body: JSON.stringify({
-            username: sessionStorage.getItem('signup_username'),
-            email: sessionStorage.getItem('signup_email'),
-            password: sessionStorage.getItem('signup_password'),
             reason: this.reason
           })
         })
+        this.isWaitingForRegister = false
         const data = await res.json()
         if (res.ok) {
-          toast.success('验证码已发送，请查收邮箱')
+          toast.success('注册理由已提交,请等待审核')
-          this.$router.push({ path: '/signup', query: { verify: 1, u: sessionStorage.getItem('signup_username') } })
+          this.$router.push('/')
+        } else if (data.reason_code === 'INVALID_CREDENTIALS') {
+          toast.error('登录已过期,请重新登录')
+          this.$router.push('/login')
         } else {
-          toast.error(data.error || '发送失败')
+          toast.error(data.error || '提交失败')
         }
       } catch (e) {
-        toast.error('发送失败')
-      } finally {
         this.isWaitingForRegister = false
+        toast.error('提交失败')
       }
     }
   }

src/main/java/com/openisle/controller/AuthController.java

@@ -14,6 +14,7 @@ import com.openisle.repository.UserRepository;
 import lombok.Data;
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.beans.factory.annotation.Value;
 import java.util.Map;
@@ -48,7 +49,7 @@ public class AuthController {
             return ResponseEntity.badRequest().body(Map.of("error", "Invalid captcha"));
         }
         User user = userService.register(
-                req.getUsername(), req.getEmail(), req.getPassword(), req.getReason(), registerModeService.getRegisterMode());
+                req.getUsername(), req.getEmail(), req.getPassword(), "", registerModeService.getRegisterMode());
         emailService.sendEmail(user.getEmail(), "Verification Code", "Your verification code is " + user.getVerificationCode());
         if (!user.isApproved()) {
             notificationService.createRegisterRequestNotifications(user, user.getRegisterReason());
@@ -60,7 +61,10 @@ public class AuthController {
     public ResponseEntity<?> verify(@RequestBody VerifyRequest req) {
         boolean ok = userService.verifyCode(req.getUsername(), req.getCode());
         if (ok) {
-            return ResponseEntity.ok(Map.of("message", "Verified"));
+            return ResponseEntity.ok(Map.of(
+                    "message", "Verified",
+                    "token", jwtService.generateReasonToken(req.getUsername())
+            ));
         }
         return ResponseEntity.badRequest().body(Map.of("error", "Invalid verification code"));
     }
@@ -91,22 +95,20 @@ public class AuthController {
         if (RegisterMode.WHITELIST.equals(registerModeService.getRegisterMode()) && !user.isApproved()) {
             return ResponseEntity.badRequest().body(Map.of(
                     "error", "Register reason not approved",
-                    "reason_code", "NOT_APPROVED"));
+                    "reason_code", "NOT_APPROVED",
+                    "token", jwtService.generateReasonToken(user.getUsername())));
         }
         return ResponseEntity.ok(Map.of("token", jwtService.generateToken(user.getUsername())));
     }
 
     @PostMapping("/google")
     public ResponseEntity<?> loginWithGoogle(@RequestBody GoogleLoginRequest req) {
-        Optional<User> user = googleAuthService.authenticate(req.getIdToken(), req.getReason(), registerModeService.getRegisterMode());
+        Optional<User> user = googleAuthService.authenticate(req.getIdToken(), registerModeService.getRegisterMode());
         if (user.isPresent()) {
             if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
                 return ResponseEntity.ok(Map.of("token", jwtService.generateToken(user.get().getUsername())));
             }
             if (!user.get().isApproved()) {
-                if (req.reason != null && !req.reason.isEmpty()) {
-                    notificationService.createRegisterRequestNotifications(user.get(), req.getReason());
-                }
                 if (user.get().getRegisterReason() != null && !user.get().getRegisterReason().isEmpty()) {
                     return ResponseEntity.badRequest().body(Map.of(
                             "error", "Account awaiting approval",
@@ -127,26 +129,55 @@ public class AuthController {
         ));
     }
 
+
+    @PostMapping("/reason")
+    public ResponseEntity<?> reason(@RequestBody MakeReasonRequest req) {
+        String username = jwtService.validateAndGetSubjectForReason(req.getToken());
+        Optional<User> userOpt = userService.findByUsername(username);
+        if (userOpt.isEmpty()) {
+            return ResponseEntity.badRequest().body(Map.of(
+                    "error", "Invalid token, Please re-login",
+                    "reason_code", "INVALID_CREDENTIALS"
+            ));
+        }
+
+        if (req.reason == null || req.reason.length() <= 20) {
+            return ResponseEntity.badRequest().body(Map.of(
+                    "error", "Reason's length must longer than 20",
+                    "reason_code", "INVALID_CREDENTIALS"
+            ));
+        }
+
+        User user = userOpt.get();
+        if (user.isApproved() || registerModeService.getRegisterMode() == RegisterMode.DIRECT) {
+            return ResponseEntity.ok().body(Map.of("valid", true));
+        }
+
+        userService.register(user.getUsername(), user.getEmail(), user.getPassword(), req.getReason(), registerModeService.getRegisterMode());
+        notificationService.createRegisterRequestNotifications(user, req.getReason());
+        return ResponseEntity.ok().body(Map.of("valid", true));
+    }
+
     @PostMapping("/github")
     public ResponseEntity<?> loginWithGithub(@RequestBody GithubLoginRequest req) {
-        Optional<User> user = githubAuthService.authenticate(req.getCode(), req.getReason(), registerModeService.getRegisterMode(), req.getRedirectUri());
+        Optional<User> user = githubAuthService.authenticate(req.getCode(), registerModeService.getRegisterMode(), req.getRedirectUri());
         if (user.isPresent()) {
             if (RegisterMode.DIRECT.equals(registerModeService.getRegisterMode())) {
                 return ResponseEntity.ok(Map.of("token", jwtService.generateToken(user.get().getUsername())));
             }
             if (!user.get().isApproved()) {
-                if (req.reason != null && !req.reason.isEmpty()) {
-                    notificationService.createRegisterRequestNotifications(user.get(), req.getReason());
-                }
                 if (user.get().getRegisterReason() != null && !user.get().getRegisterReason().isEmpty()) {
+                    // 已填写注册理由
                     return ResponseEntity.badRequest().body(Map.of(
                             "error", "Account awaiting approval",
-                            "reason_code", "IS_APPROVING"
+                            "reason_code", "IS_APPROVING",
+                            "token", jwtService.generateReasonToken(user.get().getUsername())
                     ));
                 }
                 return ResponseEntity.badRequest().body(Map.of(
                         "error", "Account awaiting approval",
-                        "reason_code", "NOT_APPROVED"
+                        "reason_code", "NOT_APPROVED",
+                        "token", jwtService.generateReasonToken(user.get().getUsername())
                 ));
             }
 
@@ -169,7 +200,6 @@ public class AuthController {
         private String email;
         private String password;
         private String captcha;
-        private String reason;
     }
 
     @Data
@@ -182,14 +212,12 @@ public class AuthController {
     @Data
     private static class GoogleLoginRequest {
         private String idToken;
-        private String reason;
     }
 
     @Data
     private static class GithubLoginRequest {
         private String code;
         private String redirectUri;
-        private String reason;
     }
 
     @Data
@@ -197,4 +225,10 @@ public class AuthController {
         private String username;
         private String code;
     }
+
+    @Data
+    private static class MakeReasonRequest {
+        private String token;
+        private String reason;
+    }
 }

src/main/java/com/openisle/service/GithubAuthService.java

@@ -28,7 +28,7 @@ public class GithubAuthService {
     @Value("${github.client-secret:}")
     private String clientSecret;
 
-    public Optional<User> authenticate(String code, String reason, com.openisle.model.RegisterMode mode, String redirectUri) {
+    public Optional<User> authenticate(String code, com.openisle.model.RegisterMode mode, String redirectUri) {
         try {
             String tokenUrl = "https://github.com/login/oauth/access_token";
             HttpHeaders headers = new HttpHeaders();
@@ -83,13 +83,13 @@ public class GithubAuthService {
             if (email == null) {
                 email = username + "@users.noreply.github.com";
             }
-            return Optional.of(processUser(email, username, reason, mode));
+            return Optional.of(processUser(email, username, mode));
         } catch (Exception e) {
             return Optional.empty();
         }
     }
 
-    private User processUser(String email, String username, String reason, com.openisle.model.RegisterMode mode) {
+    private User processUser(String email, String username, com.openisle.model.RegisterMode mode) {
         Optional<User> existing = userRepository.findByEmail(email);
         if (existing.isPresent()) {
             User user = existing.get();
@@ -98,10 +98,6 @@ public class GithubAuthService {
                 user.setVerificationCode(null);
                 userRepository.save(user);
             }
-            if (!user.isApproved() && reason != null && !reason.isEmpty()) {
-                user.setRegisterReason(reason);
-                userRepository.save(user);
-            }
             return user;
         }
         String baseUsername = username != null ? username : email.split("@")[0];
@@ -116,7 +112,6 @@ public class GithubAuthService {
         user.setPassword("");
         user.setRole(Role.USER);
         user.setVerified(true);
-        user.setRegisterReason(reason);
         user.setApproved(mode == com.openisle.model.RegisterMode.DIRECT);
         user.setAvatar("https://github.com/" + finalUsername + ".png");
         return userRepository.save(user);

src/main/java/com/openisle/service/GoogleAuthService.java

@@ -23,7 +23,7 @@ public class GoogleAuthService {
     @Value("${google.client-id:}")
     private String clientId;
 
-    public Optional<User> authenticate(String idTokenString, String reason, com.openisle.model.RegisterMode mode) {
+    public Optional<User> authenticate(String idTokenString, com.openisle.model.RegisterMode mode) {
         GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(new NetHttpTransport(), new JacksonFactory())
                 .setAudience(Collections.singletonList(clientId))
                 .build();
@@ -35,13 +35,13 @@ public class GoogleAuthService {
             GoogleIdToken.Payload payload = idToken.getPayload();
             String email = payload.getEmail();
             String name = (String) payload.get("name");
-            return Optional.of(processUser(email, name, reason, mode));
+            return Optional.of(processUser(email, name, mode));
         } catch (Exception e) {
             return Optional.empty();
         }
     }
 
-    private User processUser(String email, String name, String reason, com.openisle.model.RegisterMode mode) {
+    private User processUser(String email, String name, com.openisle.model.RegisterMode mode) {
         Optional<User> existing = userRepository.findByEmail(email);
         if (existing.isPresent()) {
             User user = existing.get();
@@ -51,11 +51,6 @@ public class GoogleAuthService {
                 userRepository.save(user);
             }
 
-            if (!user.isApproved() && reason != null && !reason.isEmpty()) {
-                user.setRegisterReason(reason);
-                userRepository.save(user);
-            }
-
             return user;
         }
         User user = new User();
@@ -70,7 +65,6 @@ public class GoogleAuthService {
         user.setPassword("");
         user.setRole(Role.USER);
         user.setVerified(true);
-        user.setRegisterReason(reason);
         user.setApproved(mode == com.openisle.model.RegisterMode.DIRECT);
         user.setAvatar("https://github.com/identicons/" + username + ".png");
         return userRepository.save(user);

src/main/java/com/openisle/service/JwtService.java

@@ -18,13 +18,16 @@ public class JwtService {
     @Value("${app.jwt.secret}")
     private String secret;
 
+    @Value("${app.jwt.reason-secret}")
+    private String reasonSecret;
+
     @Value("${app.jwt.expiration}")
     private long expiration;
 
-    private Key getSigningKey() {
+    private Key getSigningKeyForSecret(String signSecret) {
         try {
             MessageDigest digest = MessageDigest.getInstance("SHA-256");
-            byte[] keyBytes = digest.digest(secret.getBytes(StandardCharsets.UTF_8));
+            byte[] keyBytes = digest.digest(signSecret.getBytes(StandardCharsets.UTF_8));
             return Keys.hmacShaKeyFor(keyBytes);
         } catch (NoSuchAlgorithmException e) {
             throw new IllegalStateException("SHA-256 not available", e);
@@ -38,13 +41,33 @@ public class JwtService {
                 .setSubject(subject)
                 .setIssuedAt(now)
                 .setExpiration(expiryDate)
-                .signWith(getSigningKey())
+                .signWith(getSigningKeyForSecret(secret))
+                .compact();
+    }
+
+    public String generateReasonToken(String subject) {
+        Date now = new Date();
+        Date expiryDate = new Date(now.getTime() + expiration);
+        return Jwts.builder()
+                .setSubject(subject)
+                .setIssuedAt(now)
+                .setExpiration(expiryDate)
+                .signWith(getSigningKeyForSecret(reasonSecret))
                 .compact();
     }
 
     public String validateAndGetSubject(String token) {
         Claims claims = Jwts.parserBuilder()
-                .setSigningKey(getSigningKey())
+                .setSigningKey(getSigningKeyForSecret(secret))
+                .build()
+                .parseClaimsJws(token)
+                .getBody();
+        return claims.getSubject();
+    }
+
+    public String validateAndGetSubjectForReason(String token) {
+        Claims claims = Jwts.parserBuilder()
+                .setSigningKey(getSigningKeyForSecret(reasonSecret))
                 .build()
                 .parseClaimsJws(token)
                 .getBody();

src/main/resources/application.properties

@@ -5,7 +5,8 @@ spring.datasource.password=${MYSQL_PASSWORD:password}
 spring.jpa.hibernate.ddl-auto=update
 
 # for jwt
-app.jwt.secret=${JWT_SECRET:ChangeThisSecretKeyForJwt}
+app.jwt.secret=${JWT_SECRET:jwt_sec}
+app.jwt.reason-secret=${JWT_REASON_SECRET:jwt_reason_sec}
 app.jwt.expiration=${JWT_EXPIRATION:86400000}
 # Password strength: LOW, MEDIUM or HIGH
 app.password.strength=${PASSWORD_STRENGTH:LOW}