using System.Security.Claims; using Hotline.Identity.Accounts; using Hotline.Share.Dtos.Identity; using Hotline.Share.Enums.Identity; using Hotline.Users; using IdentityModel; using Microsoft.AspNetCore.Identity; using Microsoft.Extensions.Options; using XF.Domain.Authentications; using XF.Domain.Dependency; using XF.Domain.Exceptions; using XF.Domain.Options; using XF.Utility.AppIdentityModel; namespace Hotline.Application.Identity; public class IdentityAppService : IIdentityAppService, IScopeDependency { private readonly IAccountRepository _accountRepository; private readonly IAccountDomainService _accountDomainService; private readonly IUserRepository _userRepository; private readonly IJwtSecurity _jwtSecurity; private readonly IOptionsSnapshot _identityOptionsAccessor; public IdentityAppService( IAccountRepository accountRepository, IAccountDomainService accountDomainService, IUserRepository userRepository, IJwtSecurity jwtSecurity, IOptionsSnapshot identityOptionsAccessor) { _accountRepository = accountRepository; _accountDomainService = accountDomainService; _userRepository = userRepository; _jwtSecurity = jwtSecurity; _identityOptionsAccessor = identityOptionsAccessor; } public async Task LoginAsync(LoginDto dto, CancellationToken cancellationToken) { var account = await _accountRepository.GetExtAsync( d => d.UserName == dto.UserName, d => d.Includes(x => x.Roles)); if (account == null) throw UserFriendlyException.SameMessage("用户名或密码错误!"); if (account.Status != EAccountStatus.Normal) throw UserFriendlyException.SameMessage("用户名或密码错误!"); if (account.LockoutEnabled && account.LockoutEnd >= DateTime.Now) throw UserFriendlyException.SameMessage("账号被锁定!"); var verifyResult = _accountDomainService.VerifyPassword(account, dto.Password); if (verifyResult == PasswordVerificationResult.Failed) { var lockoutOptions = _identityOptionsAccessor.Value.Lockout; account.AccessFailedCount += 1; if (account.LockoutEnabled && account.AccessFailedCount >= lockoutOptions.MaxFailedAccessAttempts) account.LockoutEnd = DateTime.Now.Add(lockoutOptions.DefaultLockoutTimeSpan); await _accountRepository.UpdateAsync(account, cancellationToken); throw UserFriendlyException.SameMessage("账号名或密码错误!"); } account.LockoutEnd = null; account.AccessFailedCount = 0; await _accountRepository.UpdateAsync(account, cancellationToken); var user = await _userRepository.Queryable() .Includes(d => d.Organization) .FirstAsync(d => d.Id == account.Id); if (user == null) throw UserFriendlyException.SameMessage("未查询到用户数据"); var jwtOptions = _identityOptionsAccessor.Value.Jwt; var claims = new List { //new(JwtClaimTypes.Id, account.Id), new(JwtClaimTypes.Subject, account.Id), new(JwtClaimTypes.PhoneNumber, account.PhoneNo ?? string.Empty), new(AppClaimTypes.UserDisplayName, account.Name), new(JwtClaimTypes.Scope,jwtOptions.Scope), new(AppClaimTypes.UserPasswordChanged, account.PasswordChanged.ToString()), new(AppClaimTypes.DepartmentId, user.OrgId??string.Empty), new(AppClaimTypes.DepartmentCode, user.OrgCode??string.Empty), new(AppClaimTypes.DepartmentName, user.Organization?.OrgName??string.Empty), }; claims.AddRange(account.Roles.Select(d => new Claim(JwtClaimTypes.Role, d.Name))); var token = _jwtSecurity.EncodeJwtToken(claims); return token; } }