medical_training/apps/user/auth/login.py

import re

from django.core.cache import cache
from django.utils import timezone
from rest_framework.decorators import api_view, permission_classes
from rest_framework.permissions import AllowAny
from rest_framework.response import Response
from rest_framework import serializers as drf_serializers
from drf_spectacular.utils import extend_schema, inline_serializer

from config.exceptions import AppError
from apps.user.models import User
from apps.user.audit import log_login_success, log_login_fail, log_register
from apps.user.auth import (
    get_tokens_for_user, build_user_response, get_client_ip, get_user_agent,
    resolve_or_create_institution,
)

LOGIN_FAIL_MAX = 5
LOGIN_FAIL_LOCK_SECONDS = 15 * 60  # 15 分钟

_LOGIN_RESPONSE = inline_serializer('LoginResponse', fields={
    'message': drf_serializers.CharField(),
    'user': drf_serializers.DictField(help_text='用户基本信息'),
    'tokens': drf_serializers.DictField(help_text='access + refresh'),
})


# ── U3 密码登录 ──────────────────────────────────────────────────────────────

@extend_schema(
    summary='U3 密码登录',
    request=inline_serializer('LoginPasswordRequest', fields={
        'phone': drf_serializers.CharField(help_text='手机号'),
        'password': drf_serializers.CharField(help_text='密码'),
    }),
    responses={200: _LOGIN_RESPONSE},
    tags=['认证'],
)
@api_view(['POST'])
@permission_classes([AllowAny])
def login_password(request):
    """U3 密码登录"""
    data = request.data
    phone = str(data.get('phone', ''))
    password = str(data.get('password', ''))

    if not phone or not password:
        raise AppError('AUTH_BAD_CREDENTIALS', '手机号和密码不能为空')

    ip = get_client_ip(request)
    ua = get_user_agent(request)

    # 检查账号锁定
    fail_key = f'login_fail:{phone}'
    fail_count = cache.get(fail_key)
    if fail_count is not None and int(fail_count) >= LOGIN_FAIL_MAX:
        raise AppError('AUTH_ACCOUNT_LOCKED', '登录失败次数过多，请 15 分钟后再试', status_code=423)

    # 查找用户（不区分"未注册"和"密码错"，防用户名枚举）
    try:
        user = User.objects.select_related('institution', 'department').get(phone=phone)
    except User.DoesNotExist:
        log_login_fail(phone, ip=ip, reason='phone_not_found')
        raise AppError('AUTH_BAD_CREDENTIALS', '手机号或密码错误')

    # 账号禁用检查
    if user.status == 0:
        log_login_fail(phone, ip=ip, reason='account_disabled')
        raise AppError('AUTH_ACCOUNT_DISABLED', '账号已被禁用，请联系管理员', status_code=403)

    # 校验密码
    if not user.check_password(password):
        current = cache.get(fail_key)
        new_count = (int(current) + 1) if current is not None else 1
        cache.set(fail_key, new_count, timeout=LOGIN_FAIL_LOCK_SECONDS)
        log_login_fail(phone, ip=ip, reason='wrong_password')
        raise AppError('AUTH_BAD_CREDENTIALS', '手机号或密码错误')

    # 登录成功
    cache.delete(fail_key)
    user.last_login_time = timezone.now()
    user.save(update_fields=['last_login_time'])

    tokens = get_tokens_for_user(user)
    log_login_success(user.id, phone, ip=ip, ua=ua)

    return Response({
        'message': '登录成功',
        'user': build_user_response(user),
        'tokens': tokens,
    })


# ── U4 验证码登录（自动注册）────────────────────────────────────────────────

_LOGIN_CODE_RESPONSE = inline_serializer('LoginCodeResponse', fields={
    'message': drf_serializers.CharField(),
    'user': drf_serializers.DictField(help_text='用户基本信息'),
    'tokens': drf_serializers.DictField(help_text='access + refresh'),
    'is_new_user': drf_serializers.BooleanField(help_text='是否为新注册用户'),
})


@extend_schema(
    summary='U4 验证码登录（未注册自动注册）',
    description='前端一键登录/注册：验证码校验通过后，若手机号未注册则自动创建账号（角色=student，无密码）。'
                '机构不存在会自动创建。',
    request=inline_serializer('LoginCodeRequest', fields={
        'phone': drf_serializers.CharField(help_text='手机号'),
        'code': drf_serializers.CharField(help_text='6 位短信验证码'),
        'institution_code': drf_serializers.CharField(help_text='机构编码（必填，唯一标识）'),
        'institution_name': drf_serializers.CharField(help_text='机构名称（必填）'),
    }),
    responses={200: _LOGIN_CODE_RESPONSE, 201: _LOGIN_CODE_RESPONSE},
    tags=['认证'],
)
@api_view(['POST'])
@permission_classes([AllowAny])
def login_code(request):
    """U4 验证码登录 — 未注册用户自动注册"""
    data = request.data
    phone = str(data.get('phone', ''))
    code = str(data.get('code', ''))
    institution_code = str(data.get('institution_code', '')).strip()
    institution_name = str(data.get('institution_name', '')).strip()

    # ── 入参校验 ──────────────────────────────────────────────────────────────

    if not re.match(r'^1[3-9]\d{9}$', phone):
        raise AppError('SMS_INVALID_PHONE', '手机号格式不合法')

    if not code:
        raise AppError('AUTH_CODE_INVALID', '请输入验证码')

    if not institution_code:
        raise AppError('USER_INSTITUTION_CODE_REQUIRED', '机构编码不能为空')

    if not institution_name:
        raise AppError('USER_INSTITUTION_REQUIRED', '机构名称不能为空')

    # ── 校验验证码（先校验再查用户，避免未注册用户也暴露手机号状态）───────────

    cache_key = f'sms:login:{phone}'
    cached_code = cache.get(cache_key)
    if not cached_code:
        raise AppError('AUTH_CODE_EXPIRED', '验证码已过期或未发送')
    if str(cached_code) != code:
        raise AppError('AUTH_CODE_MISMATCH', '验证码错误')

    # 验证码一次性使用
    cache.delete(cache_key)
    cache.delete(f'login_fail:{phone}')

    # ── 解析 / 创建机构 ──────────────────────────────────────────────────────

    institution = resolve_or_create_institution(institution_code, institution_name)

    # ── 查找用户 or 自动注册 ────────────────────────────────────────────────

    ip = get_client_ip(request)
    ua = get_user_agent(request)

    from django.db import IntegrityError

    try:
        user = User.objects.select_related('institution', 'department').get(phone=phone)
        is_new = False
    except User.DoesNotExist:
        try:
            user = User.objects.create_user(
                username=phone,
                password=None,
                phone=phone,
                role_type='student',
                institution=institution,
                status=1,
            )
            is_new = True
        except IntegrityError:
            user = User.objects.select_related('institution', 'department').get(phone=phone)
            is_new = False

    if is_new:
        log_register(user.id, phone)
    else:
        if user.status == 0:
            raise AppError('AUTH_ACCOUNT_DISABLED', '账号已被禁用，请联系管理员', status_code=403)
        if user.institution_id != institution.id:
            user.institution = institution

    user.last_login_time = timezone.now()
    user.save(update_fields=['institution', 'last_login_time'])

    tokens = get_tokens_for_user(user)
    log_login_success(user.id, phone, ip=ip, ua=ua)

    return Response({
        'message': '注册并登录成功' if is_new else '登录成功',
        'user': build_user_response(user),
        'tokens': tokens,
        'is_new_user': is_new,
    }, status=201 if is_new else 200)