backend/app/api/auth.py

"""登录/刷新/登出。"""
from __future__ import annotations

from datetime import datetime, timezone

from fastapi import APIRouter, Depends, HTTPException, Request, status
from jwt.exceptions import InvalidTokenError
from sqlalchemy import select
from sqlalchemy.ext.asyncio import AsyncSession

from app.config import settings
from app.core.security import (
    create_access_token,
    create_refresh_token,
    decode_token,
    verify_password,
)
from app.database import get_session
from app.models.user import User
from app.schemas.auth import LoginRequest, RefreshRequest, TokenPair
from app.services.active_ip import check_or_register_login_ip, get_client_ip

router = APIRouter(prefix="/auth", tags=["auth"])


def _pair_for(user: User) -> TokenPair:
    access = create_access_token(user.id, extra={"role": user.role.value})
    refresh = create_refresh_token(user.id)
    return TokenPair(
        access_token=access,
        refresh_token=refresh,
        expires_in=settings.access_token_ttl_min * 60,
    )


@router.post("/login", response_model=TokenPair)
async def login(
    body: LoginRequest,
    request: Request,
    session: AsyncSession = Depends(get_session),
):
    # === 先校验 IP 上限(在查 DB 前,避免密码错误也消耗 DB)===
    # 注:这一步是公开的(未认证),不暴露"这个 IP 是不是 owner"的信息
    client_ip = get_client_ip(request)
    await check_or_register_login_ip(client_ip)

    result = await session.execute(select(User).where(User.username == body.username))
    user = result.scalars().first()
    if not user or not user.is_active or not verify_password(body.password, user.password_hash):
        raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Invalid credentials")
    user.last_login_at = datetime.now(timezone.utc)
    await session.commit()
    return _pair_for(user)


@router.post("/refresh", response_model=TokenPair)
async def refresh(
    body: RefreshRequest,
    request: Request,
    session: AsyncSession = Depends(get_session),
):
    # refresh 也要算 IP 占用(因为 refresh 拿到 access token 就能用)
    # 但如果 IP 已经在 set 里,等于合法老用户,直接放过
    client_ip = get_client_ip(request)
    await check_or_register_login_ip(client_ip)

    try:
        payload = decode_token(body.refresh_token)
        if payload.get("type") != "refresh":
            raise InvalidTokenError("wrong type")
        uid = int(payload["sub"])
    except (InvalidTokenError, KeyError, ValueError):
        raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Invalid refresh token")
    result = await session.execute(select(User).where(User.id == uid, User.is_active.is_(True)))
    user = result.scalars().first()
    if not user:
        raise HTTPException(status.HTTP_401_UNAUTHORIZED, "User not found")
    return _pair_for(user)
feat: initial MVP - FastAPI backend + Vue3 frontend + docker-compose - backend: FastAPI + SQLAlchemy 2.0(async) + asyncpg + Alembic - 7 API routes: auth/me/articles/sources/bookmarks/subscriptions/admin - models: User/Source/Article/Bookmark/Subscription/ApiToken - services: RSS fetcher (feedparser) + Tencent TMT translator with quota + cache + local NLLB fallback - workers: APScheduler + asyncio pipeline (fetch -> dedupe -> insert -> translate) - seed scripts: create_user, seed_sources (5 RSS: Reuters/BBC/Al Jazeera/NHK/DW) - frontend: Vue 3 + Vite + Naive UI + Pinia + vue-router - pages: Login, Feed (24h), ArticleDetail, Sources, Bookmarks, AdminSources - deploy: docker-compose (postgres/redis/api/worker/frontend/caddy) - docs: README, DEPLOY, architecture, acceptance 2026-06-07 21:51:01 +08:00			`"""登录/刷新/登出。"""`
			`from __future__ import annotations`

			`from datetime import datetime, timezone`

feat(auth): 限制同时在线 IP 数 (默认 30, 第 31 拒绝) 背景: 防 token 泄漏被滥用 + 限共享账号人数。 - 新增 app/services/active_ip.py: Redis ZSET 'active_ips' 存 IP,score=last_seen_unix 登录/refresh 时 check_or_register_login_ip(): IP 已在 set → 刷新 score,放行(老用户重连) IP 不在 set + ZCARD < 30 → 加入,放行 IP 不在 set + ZCARD >= 30 → raise 429 每个已认证请求 _resolve_user() 调 touch_ip_dependency() 滑动 TTL,30 天没活动自动从 set 剔除 - get_client_ip() 取真实 IP,优先级 X-Forwarded-For > X-Real-IP > client.host trust_x_forwarded_for 默认 True(生产 Caddy/Nginx 后面) - config 加 3 个开关: site_max_active_ips: int = 30 site_active_ip_idle_days: int = 30 trust_x_forwarded_for: bool = True - admin.py 加 3 个端点: GET /admin/active-ips — 看当前活跃 IP 列表 + last_seen POST /admin/active-ips/kick — 强制踢出指定 IP(body={ip}) DELETE /admin/active-ips/{ip}— 简写踢出 - 注: refresh 也算 IP 占用(拿到 access token 就能用) 但已存在的 IP 直接放行,不会踢自己 2026-06-13 18:22:40 +08:00			`from fastapi import APIRouter, Depends, HTTPException, Request, status`
feat: initial MVP - FastAPI backend + Vue3 frontend + docker-compose - backend: FastAPI + SQLAlchemy 2.0(async) + asyncpg + Alembic - 7 API routes: auth/me/articles/sources/bookmarks/subscriptions/admin - models: User/Source/Article/Bookmark/Subscription/ApiToken - services: RSS fetcher (feedparser) + Tencent TMT translator with quota + cache + local NLLB fallback - workers: APScheduler + asyncio pipeline (fetch -> dedupe -> insert -> translate) - seed scripts: create_user, seed_sources (5 RSS: Reuters/BBC/Al Jazeera/NHK/DW) - frontend: Vue 3 + Vite + Naive UI + Pinia + vue-router - pages: Login, Feed (24h), ArticleDetail, Sources, Bookmarks, AdminSources - deploy: docker-compose (postgres/redis/api/worker/frontend/caddy) - docs: README, DEPLOY, architecture, acceptance 2026-06-07 21:51:01 +08:00			`from jwt.exceptions import InvalidTokenError`
			`from sqlalchemy import select`
			`from sqlalchemy.ext.asyncio import AsyncSession`

			`from app.config import settings`
			`from app.core.security import (`
			`create_access_token,`
			`create_refresh_token,`
			`decode_token,`
			`verify_password,`
			`)`
			`from app.database import get_session`
			`from app.models.user import User`
			`from app.schemas.auth import LoginRequest, RefreshRequest, TokenPair`
feat(auth): 限制同时在线 IP 数 (默认 30, 第 31 拒绝) 背景: 防 token 泄漏被滥用 + 限共享账号人数。 - 新增 app/services/active_ip.py: Redis ZSET 'active_ips' 存 IP,score=last_seen_unix 登录/refresh 时 check_or_register_login_ip(): IP 已在 set → 刷新 score,放行(老用户重连) IP 不在 set + ZCARD < 30 → 加入,放行 IP 不在 set + ZCARD >= 30 → raise 429 每个已认证请求 _resolve_user() 调 touch_ip_dependency() 滑动 TTL,30 天没活动自动从 set 剔除 - get_client_ip() 取真实 IP,优先级 X-Forwarded-For > X-Real-IP > client.host trust_x_forwarded_for 默认 True(生产 Caddy/Nginx 后面) - config 加 3 个开关: site_max_active_ips: int = 30 site_active_ip_idle_days: int = 30 trust_x_forwarded_for: bool = True - admin.py 加 3 个端点: GET /admin/active-ips — 看当前活跃 IP 列表 + last_seen POST /admin/active-ips/kick — 强制踢出指定 IP(body={ip}) DELETE /admin/active-ips/{ip}— 简写踢出 - 注: refresh 也算 IP 占用(拿到 access token 就能用) 但已存在的 IP 直接放行,不会踢自己 2026-06-13 18:22:40 +08:00			`from app.services.active_ip import check_or_register_login_ip, get_client_ip`
feat: initial MVP - FastAPI backend + Vue3 frontend + docker-compose - backend: FastAPI + SQLAlchemy 2.0(async) + asyncpg + Alembic - 7 API routes: auth/me/articles/sources/bookmarks/subscriptions/admin - models: User/Source/Article/Bookmark/Subscription/ApiToken - services: RSS fetcher (feedparser) + Tencent TMT translator with quota + cache + local NLLB fallback - workers: APScheduler + asyncio pipeline (fetch -> dedupe -> insert -> translate) - seed scripts: create_user, seed_sources (5 RSS: Reuters/BBC/Al Jazeera/NHK/DW) - frontend: Vue 3 + Vite + Naive UI + Pinia + vue-router - pages: Login, Feed (24h), ArticleDetail, Sources, Bookmarks, AdminSources - deploy: docker-compose (postgres/redis/api/worker/frontend/caddy) - docs: README, DEPLOY, architecture, acceptance 2026-06-07 21:51:01 +08:00
			`router = APIRouter(prefix="/auth", tags=["auth"])`


			`def _pair_for(user: User) -> TokenPair:`
			`access = create_access_token(user.id, extra={"role": user.role.value})`
			`refresh = create_refresh_token(user.id)`
			`return TokenPair(`
			`access_token=access,`
			`refresh_token=refresh,`
			`expires_in=settings.access_token_ttl_min * 60,`
			`)`


			`@router.post("/login", response_model=TokenPair)`
feat(auth): 限制同时在线 IP 数 (默认 30, 第 31 拒绝) 背景: 防 token 泄漏被滥用 + 限共享账号人数。 - 新增 app/services/active_ip.py: Redis ZSET 'active_ips' 存 IP,score=last_seen_unix 登录/refresh 时 check_or_register_login_ip(): IP 已在 set → 刷新 score,放行(老用户重连) IP 不在 set + ZCARD < 30 → 加入,放行 IP 不在 set + ZCARD >= 30 → raise 429 每个已认证请求 _resolve_user() 调 touch_ip_dependency() 滑动 TTL,30 天没活动自动从 set 剔除 - get_client_ip() 取真实 IP,优先级 X-Forwarded-For > X-Real-IP > client.host trust_x_forwarded_for 默认 True(生产 Caddy/Nginx 后面) - config 加 3 个开关: site_max_active_ips: int = 30 site_active_ip_idle_days: int = 30 trust_x_forwarded_for: bool = True - admin.py 加 3 个端点: GET /admin/active-ips — 看当前活跃 IP 列表 + last_seen POST /admin/active-ips/kick — 强制踢出指定 IP(body={ip}) DELETE /admin/active-ips/{ip}— 简写踢出 - 注: refresh 也算 IP 占用(拿到 access token 就能用) 但已存在的 IP 直接放行,不会踢自己 2026-06-13 18:22:40 +08:00			`async def login(`
			`body: LoginRequest,`
			`request: Request,`
			`session: AsyncSession = Depends(get_session),`
			`):`
			`# === 先校验 IP 上限(在查 DB 前,避免密码错误也消耗 DB)===`
			`# 注:这一步是公开的(未认证),不暴露"这个 IP 是不是 owner"的信息`
			`client_ip = get_client_ip(request)`
			`await check_or_register_login_ip(client_ip)`

fix: API 全部改用显式两步走 await session.execute + result.scalars() 之前 (await ...).scalars() 链式在 SQLAlchemy 2.0 async 下报 'coroutine' has no attribute 'scalars' 错误。改为先 await 拿 result 再 .scalars(),这是 SQLAlchemy 2.0 推荐的 async 写法。 2026-06-07 23:22:56 +08:00			`result = await session.execute(select(User).where(User.username == body.username))`
			`user = result.scalars().first()`
feat: initial MVP - FastAPI backend + Vue3 frontend + docker-compose - backend: FastAPI + SQLAlchemy 2.0(async) + asyncpg + Alembic - 7 API routes: auth/me/articles/sources/bookmarks/subscriptions/admin - models: User/Source/Article/Bookmark/Subscription/ApiToken - services: RSS fetcher (feedparser) + Tencent TMT translator with quota + cache + local NLLB fallback - workers: APScheduler + asyncio pipeline (fetch -> dedupe -> insert -> translate) - seed scripts: create_user, seed_sources (5 RSS: Reuters/BBC/Al Jazeera/NHK/DW) - frontend: Vue 3 + Vite + Naive UI + Pinia + vue-router - pages: Login, Feed (24h), ArticleDetail, Sources, Bookmarks, AdminSources - deploy: docker-compose (postgres/redis/api/worker/frontend/caddy) - docs: README, DEPLOY, architecture, acceptance 2026-06-07 21:51:01 +08:00			`if not user or not user.is_active or not verify_password(body.password, user.password_hash):`
			`raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Invalid credentials")`
			`user.last_login_at = datetime.now(timezone.utc)`
			`await session.commit()`
			`return _pair_for(user)`


			`@router.post("/refresh", response_model=TokenPair)`
feat(auth): 限制同时在线 IP 数 (默认 30, 第 31 拒绝) 背景: 防 token 泄漏被滥用 + 限共享账号人数。 - 新增 app/services/active_ip.py: Redis ZSET 'active_ips' 存 IP,score=last_seen_unix 登录/refresh 时 check_or_register_login_ip(): IP 已在 set → 刷新 score,放行(老用户重连) IP 不在 set + ZCARD < 30 → 加入,放行 IP 不在 set + ZCARD >= 30 → raise 429 每个已认证请求 _resolve_user() 调 touch_ip_dependency() 滑动 TTL,30 天没活动自动从 set 剔除 - get_client_ip() 取真实 IP,优先级 X-Forwarded-For > X-Real-IP > client.host trust_x_forwarded_for 默认 True(生产 Caddy/Nginx 后面) - config 加 3 个开关: site_max_active_ips: int = 30 site_active_ip_idle_days: int = 30 trust_x_forwarded_for: bool = True - admin.py 加 3 个端点: GET /admin/active-ips — 看当前活跃 IP 列表 + last_seen POST /admin/active-ips/kick — 强制踢出指定 IP(body={ip}) DELETE /admin/active-ips/{ip}— 简写踢出 - 注: refresh 也算 IP 占用(拿到 access token 就能用) 但已存在的 IP 直接放行,不会踢自己 2026-06-13 18:22:40 +08:00			`async def refresh(`
			`body: RefreshRequest,`
			`request: Request,`
			`session: AsyncSession = Depends(get_session),`
			`):`
			`# refresh 也要算 IP 占用(因为 refresh 拿到 access token 就能用)`
			`# 但如果 IP 已经在 set 里,等于合法老用户,直接放过`
			`client_ip = get_client_ip(request)`
			`await check_or_register_login_ip(client_ip)`

feat: initial MVP - FastAPI backend + Vue3 frontend + docker-compose - backend: FastAPI + SQLAlchemy 2.0(async) + asyncpg + Alembic - 7 API routes: auth/me/articles/sources/bookmarks/subscriptions/admin - models: User/Source/Article/Bookmark/Subscription/ApiToken - services: RSS fetcher (feedparser) + Tencent TMT translator with quota + cache + local NLLB fallback - workers: APScheduler + asyncio pipeline (fetch -> dedupe -> insert -> translate) - seed scripts: create_user, seed_sources (5 RSS: Reuters/BBC/Al Jazeera/NHK/DW) - frontend: Vue 3 + Vite + Naive UI + Pinia + vue-router - pages: Login, Feed (24h), ArticleDetail, Sources, Bookmarks, AdminSources - deploy: docker-compose (postgres/redis/api/worker/frontend/caddy) - docs: README, DEPLOY, architecture, acceptance 2026-06-07 21:51:01 +08:00			`try:`
			`payload = decode_token(body.refresh_token)`
			`if payload.get("type") != "refresh":`
			`raise InvalidTokenError("wrong type")`
			`uid = int(payload["sub"])`
			`except (InvalidTokenError, KeyError, ValueError):`
			`raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Invalid refresh token")`
fix: API 全部改用显式两步走 await session.execute + result.scalars() 之前 (await ...).scalars() 链式在 SQLAlchemy 2.0 async 下报 'coroutine' has no attribute 'scalars' 错误。改为先 await 拿 result 再 .scalars(),这是 SQLAlchemy 2.0 推荐的 async 写法。 2026-06-07 23:22:56 +08:00			`result = await session.execute(select(User).where(User.id == uid, User.is_active.is_(True)))`
			`user = result.scalars().first()`
feat: initial MVP - FastAPI backend + Vue3 frontend + docker-compose - backend: FastAPI + SQLAlchemy 2.0(async) + asyncpg + Alembic - 7 API routes: auth/me/articles/sources/bookmarks/subscriptions/admin - models: User/Source/Article/Bookmark/Subscription/ApiToken - services: RSS fetcher (feedparser) + Tencent TMT translator with quota + cache + local NLLB fallback - workers: APScheduler + asyncio pipeline (fetch -> dedupe -> insert -> translate) - seed scripts: create_user, seed_sources (5 RSS: Reuters/BBC/Al Jazeera/NHK/DW) - frontend: Vue 3 + Vite + Naive UI + Pinia + vue-router - pages: Login, Feed (24h), ArticleDetail, Sources, Bookmarks, AdminSources - deploy: docker-compose (postgres/redis/api/worker/frontend/caddy) - docs: README, DEPLOY, architecture, acceptance 2026-06-07 21:51:01 +08:00			`if not user:`
			`raise HTTPException(status.HTTP_401_UNAUTHORIZED, "User not found")`
			`return _pair_for(user)`