feat: add django user center auth integration

backend/app/core/config.py

@@ -83,6 +83,11 @@ class Settings(BaseModel):
     runtime_memory_ttl_seconds: int = Field(default_factory=lambda: int(os.getenv("RUNTIME_MEMORY_TTL_SECONDS", "7200")))
     runtime_memory_backend: str = Field(default_factory=lambda: os.getenv("RUNTIME_MEMORY_BACKEND", "memory"))
     redis_url: str = Field(default_factory=lambda: os.getenv("REDIS_URL", "redis://127.0.0.1:6379/0"))
+    auth_validate_enabled: bool = Field(default_factory=lambda: os.getenv("AUTH_VALIDATE_ENABLED", "false").lower() == "true")
+    auth_user_me_url: str = Field(default_factory=lambda: os.getenv("AUTH_USER_ME_URL", ""))
+    auth_timeout_seconds: int = Field(default_factory=lambda: int(os.getenv("AUTH_TIMEOUT_SECONDS", "5")))
+    auth_cache_ttl_seconds: int = Field(default_factory=lambda: int(os.getenv("AUTH_CACHE_TTL_SECONDS", "300")))
+    auth_allow_demo_user_id: bool = Field(default_factory=lambda: os.getenv("AUTH_ALLOW_DEMO_USER_ID", "true").lower() == "true")
 
     def as_public_dict(self) -> dict[str, Any]:
         """配置展示：返回允许暴露给 Demo 前端的功能开关。"""
@@ -102,6 +107,8 @@ class Settings(BaseModel):
             "llm_reasoning_effort": self.llm_reasoning_effort,
             "llm_fast_max_tokens": self.llm_fast_max_tokens,
             "runtime_memory_backend": self.runtime_memory_backend,
+            "auth_validate_enabled": self.auth_validate_enabled,
+            "auth_source": "django_user_center" if self.auth_validate_enabled else "demo_header",
         }
 
 

backend/app/core/context.py

@@ -13,3 +13,6 @@ class UserContext:
     request_id: str | None = None
     ip_address: str | None = None
     user_agent: str | None = None
+    username: str | None = None
+    display_name: str | None = None
+    auth_source: str = "demo_header"

backend/app/core/user_context.py

@@ -1,7 +1,9 @@
 from fastapi import Header, Request
 
+from app.core.config import settings
 from app.core.context import UserContext
 from app.core.exceptions import AppError
+from app.services.external_auth_service import ExternalAuthService
 
 
 async def get_user_context(
@@ -13,7 +15,26 @@ async def get_user_context(
     x_entry_scene: str | None = Header(default=None, alias="X-Entry-Scene"),
     x_request_id: str | None = Header(default=None, alias="X-Request-Id"),
 ) -> UserContext:
-    """用户校验：读取请求头并强制校验 `X-User-Id`。"""
+    """用户校验：正式联调优先调用 Django 用户中心，Demo 模式兼容 X-User-Id。"""
+    if settings.auth_validate_enabled and (request.headers.get("Authorization") or request.headers.get("Cookie")):
+        user = await ExternalAuthService().authenticate(request)
+        return UserContext(
+            user_id=user.user_id,
+            tenant_id=user.tenant_id or x_tenant_id,
+            role=user.role or x_user_role,
+            class_id=x_class_id,
+            entry_scene=x_entry_scene,
+            request_id=x_request_id,
+            ip_address=request.client.host if request.client else None,
+            user_agent=request.headers.get("User-Agent"),
+            username=user.username,
+            display_name=user.display_name,
+            auth_source=user.source,
+        )
+
+    if settings.auth_validate_enabled and not settings.auth_allow_demo_user_id:
+        raise AppError("AUTH_CREDENTIAL_REQUIRED", "Authorization or Cookie is required", 401)
+
     if not x_user_id or not x_user_id.strip():
         raise AppError("USER_ID_REQUIRED", "X-User-Id header is required", 401)
 
@@ -26,4 +47,5 @@ async def get_user_context(
         request_id=x_request_id,
         ip_address=request.client.host if request.client else None,
         user_agent=request.headers.get("User-Agent"),
+        auth_source="demo_header",
     )