msumshk/TakeoutSaaS.TenantApi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: 支持租户伪装登录与管理员重置链接

Browse Source
This commit is contained in:
MSuMshk
2025-12-15 14:43:50 +08:00
parent d64545dd26
commit 2249588e07
16 changed files with 478 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

73
src/Application/TakeoutSaaS.Application/App/Tenants/Handlers/CreateTenantAdminResetLinkTokenCommandHandler.cs Normal file
View File

@@ -0,0 +1,73 @@
using MediatR;
using TakeoutSaaS.Application.App.Tenants.Commands;
using TakeoutSaaS.Application.Identity.Abstractions;
using TakeoutSaaS.Domain.Tenants.Entities;
using TakeoutSaaS.Domain.Tenants.Enums;
using TakeoutSaaS.Domain.Tenants.Repositories;
using TakeoutSaaS.Shared.Abstractions.Constants;
using TakeoutSaaS.Shared.Abstractions.Exceptions;
using TakeoutSaaS.Shared.Abstractions.Security;
using TakeoutSaaS.Shared.Abstractions.Tenancy;
namespace TakeoutSaaS.Application.App.Tenants.Handlers;
/// <summary>
/// 生成租户主管理员重置链接令牌处理器(平台超级管理员使用)。
/// </summary>
public sealed class CreateTenantAdminResetLinkTokenCommandHandler(
ITenantRepository tenantRepository,
ITenantProvider tenantProvider,
ICurrentUserAccessor currentUserAccessor,
IAdminAuthService adminAuthService,
IAdminPasswordResetTokenStore tokenStore)
: IRequestHandler<CreateTenantAdminResetLinkTokenCommand, string>
{
private const long PlatformRootTenantId = 1000000000001;
/// <inheritdoc />
public async Task<string> Handle(CreateTenantAdminResetLinkTokenCommand request, CancellationToken cancellationToken)
{
// 1. 校验仅允许平台超级管理员执行
var currentTenantId = tenantProvider.GetCurrentTenantId();
if (currentTenantId != PlatformRootTenantId)
{
throw new BusinessException(ErrorCodes.Forbidden, "仅平台超级管理员可生成重置链接");
}
// 2. (空行后) 校验租户存在且存在主管理员
var tenant = await tenantRepository.FindByIdAsync(request.TenantId, cancellationToken)
?? throw new BusinessException(ErrorCodes.NotFound, "租户不存在");
if (!tenant.PrimaryOwnerUserId.HasValue || tenant.PrimaryOwnerUserId.Value == 0)
{
throw new BusinessException(ErrorCodes.BadRequest, "该租户未配置主管理员账号,无法生成重置链接");
}
// 3. (空行后) 签发一次性重置令牌(默认 24 小时有效)
var token = await tokenStore.IssueAsync(tenant.PrimaryOwnerUserId.Value, DateTime.UtcNow.AddHours(24), cancellationToken);
// 4. (空行后) 写入审计日志
var operatorProfile = await adminAuthService.GetProfileAsync(currentUserAccessor.UserId, cancellationToken);
var operatorName = string.IsNullOrWhiteSpace(operatorProfile.DisplayName)
? $"user:{currentUserAccessor.UserId}"
: operatorProfile.DisplayName;
var auditLog = new TenantAuditLog
{
TenantId = tenant.Id,
Action = TenantAuditAction.AdminResetLinkIssued,
Title = "生成重置链接",
Description = $"操作者:{operatorName}目标用户ID{tenant.PrimaryOwnerUserId.Value}",
OperatorId = currentUserAccessor.UserId,
OperatorName = operatorName,
PreviousStatus = tenant.Status,
CurrentStatus = tenant.Status
};
await tenantRepository.AddAuditLogAsync(auditLog, cancellationToken);
await tenantRepository.SaveChangesAsync(cancellationToken);
// 5. (空行后) 返回令牌
return token;
}
}

75
src/Application/TakeoutSaaS.Application/App/Tenants/Handlers/ImpersonateTenantCommandHandler.cs Normal file
View File

@@ -0,0 +1,75 @@
using MediatR;
using TakeoutSaaS.Application.App.Tenants.Commands;
using TakeoutSaaS.Application.Identity.Abstractions;
using TakeoutSaaS.Application.Identity.Contracts;
using TakeoutSaaS.Domain.Tenants.Entities;
using TakeoutSaaS.Domain.Tenants.Enums;
using TakeoutSaaS.Domain.Tenants.Repositories;
using TakeoutSaaS.Shared.Abstractions.Constants;
using TakeoutSaaS.Shared.Abstractions.Exceptions;
using TakeoutSaaS.Shared.Abstractions.Security;
using TakeoutSaaS.Shared.Abstractions.Tenancy;
namespace TakeoutSaaS.Application.App.Tenants.Handlers;
/// <summary>
/// 伪装登录租户处理器(平台超级管理员使用)。
/// </summary>
public sealed class ImpersonateTenantCommandHandler(
ITenantRepository tenantRepository,
ITenantProvider tenantProvider,
ICurrentUserAccessor currentUserAccessor,
IAdminAuthService adminAuthService,
IJwtTokenService jwtTokenService)
: IRequestHandler<ImpersonateTenantCommand, TokenResponse>
{
private const long PlatformRootTenantId = 1000000000001;
/// <inheritdoc />
public async Task<TokenResponse> Handle(ImpersonateTenantCommand request, CancellationToken cancellationToken)
{
// 1. 校验仅允许平台超级管理员执行
var currentTenantId = tenantProvider.GetCurrentTenantId();
if (currentTenantId != PlatformRootTenantId)
{
throw new BusinessException(ErrorCodes.Forbidden, "仅平台超级管理员可执行伪装登录");
}
// 2. (空行后) 校验租户存在且存在主管理员
var tenant = await tenantRepository.FindByIdAsync(request.TenantId, cancellationToken)
?? throw new BusinessException(ErrorCodes.NotFound, "租户不存在");
if (!tenant.PrimaryOwnerUserId.HasValue || tenant.PrimaryOwnerUserId.Value == 0)
{
throw new BusinessException(ErrorCodes.BadRequest, "该租户未配置主管理员账号,无法伪装登录");
}
// 3. (空行后) 为租户主管理员签发令牌
var targetProfile = await adminAuthService.GetProfileAsync(tenant.PrimaryOwnerUserId.Value, cancellationToken);
var token = await jwtTokenService.CreateTokensAsync(targetProfile, false, cancellationToken);
// 4. (空行后) 写入审计日志
var operatorProfile = await adminAuthService.GetProfileAsync(currentUserAccessor.UserId, cancellationToken);
var operatorName = string.IsNullOrWhiteSpace(operatorProfile.DisplayName)
? $"user:{currentUserAccessor.UserId}"
: operatorProfile.DisplayName;
var auditLog = new TenantAuditLog
{
TenantId = tenant.Id,
Action = TenantAuditAction.ImpersonatedLogin,
Title = "伪装登录",
Description = $"操作者:{operatorName},目标账号:{targetProfile.Account}",
OperatorId = currentUserAccessor.UserId,
OperatorName = operatorName,
PreviousStatus = tenant.Status,
CurrentStatus = tenant.Status
};
await tenantRepository.AddAuditLogAsync(auditLog, cancellationToken);
await tenantRepository.SaveChangesAsync(cancellationToken);
// 5. (空行后) 返回令牌
return token;
}
}