using System.Security.Claims; using Hotline.Identity.Accounts; using Hotline.Settings; using Hotline.Share.Dtos.Identity; using Hotline.Share.Enums.Identity; using Hotline.Users; using IdentityModel; using Microsoft.AspNetCore.Identity; using Microsoft.Extensions.Options; using XF.Domain.Authentications; using XF.Domain.Dependency; using XF.Domain.Exceptions; using XF.Domain.Options; using XF.Domain.Repository; namespace Hotline.Application.Identity; public class IdentityAppService : IIdentityAppService, IScopeDependency { private readonly IAccountRepository _accountRepository; private readonly IAccountDomainService _accountDomainService; private readonly IRepository _userRepository; private readonly IJwtSecurity _jwtSecurity; private readonly IOptionsSnapshot _identityOptionsAccessor; public IdentityAppService( IAccountRepository accountRepository, IAccountDomainService accountDomainService, IRepository userRepository, IJwtSecurity jwtSecurity, IOptionsSnapshot identityOptionsAccessor) { _accountRepository = accountRepository; _accountDomainService = accountDomainService; _userRepository = userRepository; _jwtSecurity = jwtSecurity; _identityOptionsAccessor = identityOptionsAccessor; } public async Task LoginAsync(LoginDto dto, CancellationToken cancellationToken) { var account = await _accountRepository.GetExtAsync( d => d.UserName == dto.Username, d => d.Includes(x => x.Roles)); if (account == null) throw UserFriendlyException.SameMessage("用户名或密码错误!"); if (account.Status != EAccountStatus.Normal) throw UserFriendlyException.SameMessage("用户名或密码错误!"); if (account.LockoutEnabled && account.LockoutEnd >= DateTime.Now) throw UserFriendlyException.SameMessage("账号被锁定!"); var verifyResult = _accountDomainService.VerifyPassword(account, dto.Password); if (verifyResult == PasswordVerificationResult.Failed) { var lockoutOptions = _identityOptionsAccessor.Value.Lockout; account.AccessFailedCount += 1; if (account.LockoutEnabled && account.AccessFailedCount >= lockoutOptions.MaxFailedAccessAttempts) account.LockoutEnd = DateTime.Now.Add(lockoutOptions.DefaultLockoutTimeSpan); await _accountRepository.UpdateAsync(account, cancellationToken); throw UserFriendlyException.SameMessage("账号名或密码错误!"); } if (account.LockoutEnd.HasValue || account.AccessFailedCount > 0) { account.LockoutEnd = null; account.AccessFailedCount = 0; await _accountRepository.UpdateAsync(account, cancellationToken); } var user = await _userRepository.Queryable() .Includes(d => d.Organization) .FirstAsync(d => d.Id == account.Id); if (user == null) throw UserFriendlyException.SameMessage("未查询到用户数据"); var jwtOptions = _identityOptionsAccessor.Value.Jwt; var claims = new List { //new(JwtClaimTypes.Id, account.Id), new(JwtClaimTypes.Subject, account.Id), new(JwtClaimTypes.PhoneNumber, account.PhoneNo ?? string.Empty), new(AppClaimTypes.UserDisplayName, account.Name), new(JwtClaimTypes.Scope, jwtOptions.Scope), new(AppClaimTypes.UserPasswordChanged, account.PasswordChanged.ToString()), new(AppClaimTypes.StaffNo, user.StaffNo ?? string.Empty), }; if (!string.IsNullOrEmpty(user.OrgId) && user.Organization is not null) { claims.AddRange( new List { new(AppClaimTypes.DepartmentId, user.OrgId ?? string.Empty), new(AppClaimTypes.DepartmentIsCenter, user.Organization?.IsCenter.ToString()), new(AppClaimTypes.DepartmentName, user.Organization?.Name ?? string.Empty), new(AppClaimTypes.DepartmentAreaCode, user.Organization?.AreaCode ?? string.Empty), new(AppClaimTypes.DepartmentAreaName, user.Organization?.AreaName ?? string.Empty), new(AppClaimTypes.DepartmentLevel, user.Organization?.Level.ToString() ?? string.Empty), new(AppClaimTypes.AreaId, user.OrgId?.GetHigherOrgCode() ?? string.Empty), } ); } claims.AddRange(account.Roles.Select(d => new Claim(JwtClaimTypes.Role, d.Name))); var token = _jwtSecurity.EncodeJwtToken(claims); return token; } }