新增用户密码加入请求校验，如果密码发生改变需要重新登陆，便于使用密码进行强制退出

kinit-admin/src/views/Home/components/PasswordWrite.vue

@@ -102,7 +102,8 @@ const save = async () => {
       const res = await postCurrentUserResetPassword(formData)
       if (res) {
         elForm?.resetFields()
-        ElMessage.success('保存成功')
+        authStore.logout()
+        ElMessage.warning('请重新登录')
       }
     } finally {
       loading.value = false

kinit-api/apps/vadmin/auth/schemas/__init__.py

@@ -1,4 +1,4 @@
-from .user import UserOut, UserUpdate, User, UserIn, UserSimpleOut, ResetPwd, UserUpdateBaseInfo
+from .user import UserOut, UserUpdate, User, UserIn, UserSimpleOut, ResetPwd, UserUpdateBaseInfo, UserPasswordOut
 from .role import Role, RoleOut, RoleIn, RoleOptionsOut, RoleSimpleOut
 from .menu import Menu, MenuSimpleOut, RouterOut, Meta, MenuTreeListOut
 from .dept import Dept, DeptSimpleOut, DeptTreeListOut

kinit-api/apps/vadmin/auth/schemas/user.py

@@ -74,6 +74,12 @@ class UserSimpleOut(User):
     last_ip: str | None = None
 
 
+class UserPasswordOut(UserSimpleOut):
+    model_config = ConfigDict(from_attributes=True)
+
+    password: str
+
+
 class UserOut(UserSimpleOut):
     model_config = ConfigDict(from_attributes=True)
 

kinit-api/apps/vadmin/auth/utils/current.py

@@ -38,8 +38,8 @@ class OpenAuth(AuthValidation):
         if not settings.OAUTH_ENABLE:
             return Auth(db=db)
         try:
-            telephone = self.validate_token(request, token)
-            user = await UserDal(db).get_data(telephone=telephone, v_return_none=True)
+            telephone, password = self.validate_token(request, token)
+            user = await UserDal(db).get_data(telephone=telephone, password=password, v_return_none=True)
             return await self.validate_user(request, user, db, is_all=True)
         except CustomException:
             return Auth(db=db)
@@ -63,8 +63,8 @@ class AllUserAuth(AuthValidation):
         """
         if not settings.OAUTH_ENABLE:
             return Auth(db=db)
-        telephone = self.validate_token(request, token)
-        user = await UserDal(db).get_data(telephone=telephone, v_return_none=True)
+        telephone, password = self.validate_token(request, token)
+        user = await UserDal(db).get_data(telephone=telephone, password=password, v_return_none=True)
         return await self.validate_user(request, user, db, is_all=True)
 
 
@@ -93,13 +93,18 @@ class FullAdminAuth(AuthValidation):
         """
         if not settings.OAUTH_ENABLE:
             return Auth(db=db)
-        telephone = self.validate_token(request, token)
+        telephone, password = self.validate_token(request, token)
         options = [joinedload(VadminUser.roles).subqueryload(VadminRole.menus), joinedload(VadminUser.depts)]
-        user = await UserDal(db).get_data(telephone=telephone, v_return_none=True, v_options=options, is_staff=True)
+        user = await UserDal(db).get_data(
+            telephone=telephone,
+            password=password,
+            v_return_none=True,
+            v_options=options,
+            is_staff=True
+        )
         result = await self.validate_user(request, user, db, is_all=False)
         permissions = self.get_user_permissions(user)
         if permissions != {'*.*.*'} and self.permissions:
             if not (self.permissions & permissions):
                 raise CustomException(msg="无权限操作", code=status.HTTP_403_FORBIDDEN)
         return result
-

kinit-api/apps/vadmin/auth/utils/login.py

@@ -39,7 +39,6 @@ from .validation.auth import Auth
 from utils.wx.oauth import WXOAuth
 import jwt
 
-
 app = APIRouter()
 
 
@@ -50,16 +49,17 @@ async def api_login_for_access_token(
     db: AsyncSession = Depends(db_getter)
 ):
     user = await UserDal(db).get_data(telephone=data.username, v_return_none=True)
+    error_code = status.HTTP_401_UNAUTHORIZED
     if not user:
-        raise CustomException(status_code=401, code=401, msg="该手机号不存在")
+        raise CustomException(status_code=error_code, code=error_code, msg="该手机号不存在")
     result = VadminUser.verify_password(data.password, user.password)
     if not result:
-        raise CustomException(status_code=401, code=401, msg="手机号或密码错误")
+        raise CustomException(status_code=error_code, code=error_code, msg="手机号或密码错误")
     if not user.is_active:
-        raise CustomException(status_code=401, code=401, msg="此手机号已被冻结")
+        raise CustomException(status_code=error_code, code=error_code, msg="此手机号已被冻结")
     elif not user.is_staff:
-        raise CustomException(status_code=401, code=401, msg="此手机号无权限")
-    access_token = LoginManage.create_token({"sub": user.telephone})
+        raise CustomException(status_code=error_code, code=error_code, msg="此手机号无权限")
+    access_token = LoginManage.create_token({"sub": user.telephone, "password": user.password})
     record = LoginForm(platform='2', method='0', telephone=data.username, password=data.password)
     resp = {"access_token": access_token, "token_type": "bearer"}
     await VadminLoginRecord.create_login_record(db, record, True, request, resp)
@@ -84,9 +84,14 @@ async def login_for_access_token(
         if not result.status:
             raise ValueError(result.msg)
 
-        access_token = LoginManage.create_token({"sub": result.user.telephone, "is_refresh": False})
+        access_token = LoginManage.create_token(
+            {"sub": result.user.telephone, "is_refresh": False, "password": result.user.password}
+        )
         expires = timedelta(minutes=settings.REFRESH_TOKEN_EXPIRE_MINUTES)
-        refresh_token = LoginManage.create_token({"sub": result.user.telephone, "is_refresh": True}, expires=expires)
+        refresh_token = LoginManage.create_token(
+            payload={"sub": result.user.telephone, "is_refresh": True, "password": result.user.password},
+            expires=expires
+        )
         resp = {
             "access_token": access_token,
             "refresh_token": refresh_token,
@@ -129,9 +134,12 @@ async def wx_login_for_access_token(
     await UserDal(db).update_login_info(user, request.client.host)
 
     # 登录成功创建 token
-    access_token = LoginManage.create_token({"sub": user.telephone, "is_refresh": False})
+    access_token = LoginManage.create_token({"sub": user.telephone, "is_refresh": False, "password": user.password})
     expires = timedelta(minutes=settings.REFRESH_TOKEN_EXPIRE_MINUTES)
-    refresh_token = LoginManage.create_token({"sub": user.telephone, "is_refresh": True}, expires=expires)
+    refresh_token = LoginManage.create_token(
+        payload={"sub": user.telephone, "is_refresh": True, "password": user.password},
+        expires=expires
+    )
     resp = {
         "access_token": access_token,
         "refresh_token": refresh_token,
@@ -155,16 +163,20 @@ async def token_refresh(refresh: str = Body(..., title="刷新Token")):
         payload = jwt.decode(refresh, settings.SECRET_KEY, algorithms=[settings.ALGORITHM])
         telephone: str = payload.get("sub")
         is_refresh: bool = payload.get("is_refresh")
-        if telephone is None or not is_refresh:
+        password: str = payload.get("password")
+        if not telephone or not is_refresh or not password:
             return ErrorResponse("未认证，请您重新登录", code=error_code, status=error_code)
     except jwt.exceptions.InvalidSignatureError:
         return ErrorResponse("无效认证，请您重新登录", code=error_code, status=error_code)
     except jwt.exceptions.ExpiredSignatureError:
         return ErrorResponse("登录已超时，请您重新登录", code=error_code, status=error_code)
 
-    access_token = LoginManage.create_token({"sub": telephone, "is_refresh": False})
+    access_token = LoginManage.create_token({"sub": telephone, "is_refresh": False, "password": password})
     expires = timedelta(minutes=settings.REFRESH_TOKEN_EXPIRE_MINUTES)
-    refresh_token = LoginManage.create_token({"sub": telephone, "is_refresh": True}, expires=expires)
+    refresh_token = LoginManage.create_token(
+        payload={"sub": telephone, "is_refresh": True, "password": password},
+        expires=expires
+    )
     resp = {
         "access_token": access_token,
         "refresh_token": refresh_token,

kinit-api/apps/vadmin/auth/utils/validation/auth.py

@@ -57,7 +57,8 @@ class AuthValidation:
             telephone: str = payload.get("sub")
             exp: int = payload.get("exp")
             is_refresh: bool = payload.get("is_refresh")
-            if telephone is None or is_refresh:
+            password: bool = payload.get("password")
+            if not telephone or is_refresh or not password:
                 raise CustomException(
                     msg="未认证，请您重新登录",
                     code=status.HTTP_403_FORBIDDEN,
@@ -79,8 +80,8 @@ class AuthValidation:
                 status_code=status.HTTP_403_FORBIDDEN
             )
         except jwt.exceptions.ExpiredSignatureError:
-            raise CustomException(msg="认证已过期，请您重新登录", code=cls.error_code, status_code=cls.error_code)
-        return telephone
+            raise CustomException(msg="认证已失效，请您重新登录", code=cls.error_code, status_code=cls.error_code)
+        return telephone, password
 
     @classmethod
     async def validate_user(cls, request: Request, user: VadminUser, db: AsyncSession, is_all: bool = True) -> Auth:

kinit-api/apps/vadmin/auth/utils/validation/login.py

@@ -35,7 +35,7 @@ class WXLoginForm(BaseModel):
 
 class LoginResult(BaseModel):
     status: bool | None = False
-    user: schemas.UserOut | None = None
+    user: schemas.UserPasswordOut | None = None
     msg: str | None = None
 
     class Config:
@@ -87,6 +87,6 @@ class LoginValidation:
                 await count.delete()
             self.result.msg = "OK"
             self.result.status = True
-            self.result.user = schemas.UserSimpleOut.model_validate(user)
+            self.result.user = schemas.UserPasswordOut.model_validate(user)
             await crud.UserDal(db).update_login_info(user, request.client.host)
         return self.result