diary-news/backend/app/api/admin.py

"""Admin API(仅 owner)。

- 源管理 CRUD
- 手动触发抓取 / 重译
- 源健康看板
- 翻译配额管理
- API Push ingest token 管理(生成/列/撤销)
"""
from __future__ import annotations

import logging
from datetime import datetime, timedelta, timezone
from typing import Any

from fastapi import APIRouter, BackgroundTasks, Depends, HTTPException, status
from pydantic import BaseModel, Field
from sqlalchemy import func, select
from sqlalchemy.exc import IntegrityError
from sqlalchemy.ext.asyncio import AsyncSession

from app.core.deps import require_owner
from app.core.security import generate_api_token
from app.database import get_session
from app.models.api_token import TOKEN_PURPOSE_INGEST, TOKEN_PURPOSE_MOBILE, ApiToken
from app.models.article import Article
from app.models.source import Source
from app.models.user import User
from app.schemas.source import SourceIn, SourceOut, SourceUpdate

router = APIRouter(prefix="/admin", tags=["admin"], dependencies=[Depends(require_owner)])

logger = logging.getLogger("news.admin")


# === Source CRUD ===
@router.get("/sources", response_model=list[SourceOut])
async def list_sources_all(session: AsyncSession = Depends(get_session)):
    result = await session.execute(select(Source).order_by(Source.id))

    rows = result.scalars()
    return [SourceOut.model_validate(s) for s in rows]


@router.post("/sources", response_model=SourceOut, status_code=status.HTTP_201_CREATED)
async def create_source(body: SourceIn, session: AsyncSession = Depends(get_session)):
    src = Source(
        name=body.name,
        slug=body.slug,
        kind=body.kind,
        url=body.url,
        detail_selector=body.detail_selector,
        region=body.region,
        language_src=body.language_src,
        priority=body.priority,
        fetch_interval_min=body.fetch_interval_min,
        translate_to=body.translate_to,
        enabled=body.enabled,
        headers_json=body.headers_json,
        blocklist_tags=body.blocklist_tags or [],
    )
    session.add(src)
    try:
        await session.commit()
    except IntegrityError as e:
        await session.rollback()
        raise HTTPException(status.HTTP_409_CONFLICT, f"slug '{body.slug}' already exists") from e
    await session.refresh(src)
    return SourceOut.model_validate(src)


@router.patch("/sources/{source_id}", response_model=SourceOut)
async def update_source(
    source_id: int,
    body: SourceUpdate,
    session: AsyncSession = Depends(get_session),
):
    result = await session.execute(select(Source).where(Source.id == source_id))
    src = result.scalar_one_or_none()
    if not src:
        raise HTTPException(status.HTTP_404_NOT_FOUND, "Source not found")
    for k, v in body.model_dump(exclude_unset=True).items():
        setattr(src, k, v)
    await session.commit()
    await session.refresh(src)
    return SourceOut.model_validate(src)


@router.delete("/sources/{source_id}", status_code=status.HTTP_204_NO_CONTENT)
async def delete_source(source_id: int, session: AsyncSession = Depends(get_session)):
    result = await session.execute(select(Source).where(Source.id == source_id))
    src = result.scalar_one_or_none()
    if not src:
        raise HTTPException(status.HTTP_404_NOT_FOUND, "Source not found")
    await session.delete(src)
    await session.commit()
    return None


# === 手动触发 ===
class TriggerResponse(BaseModel):
    triggered: bool
    detail: str = ""


@router.post("/refresh/{source_id}", response_model=TriggerResponse)
async def refresh_source(
    source_id: int,
    background: BackgroundTasks,
    session: AsyncSession = Depends(get_session),
):
    result = await session.execute(select(Source).where(Source.id == source_id))
    src = result.scalar_one_or_none()
    if not src:
        raise HTTPException(status.HTTP_404_NOT_FOUND, "Source not found")
    if not src.enabled:
        raise HTTPException(status.HTTP_400_BAD_REQUEST, "Source disabled")

    # 走 background,不等结果
    from app.workers.pipeline import fetch_one_source

    background.add_task(fetch_one_source, source_id)
    return TriggerResponse(triggered=True, detail=f"queued fetch for {src.slug}")


async def _run_fetch(source_id: int) -> None:
    """(deprecated) 走 background 用的薄包装,见 refresh_source。"""
    from app.workers.pipeline import fetch_one_source

    await fetch_one_source(source_id)


@router.post("/translation/rerun/{article_id}", response_model=TriggerResponse)
async def rerun_translation(
    article_id: int,
    background: BackgroundTasks,
    session: AsyncSession = Depends(get_session),
):
    result = await session.execute(select(Article).where(Article.id == article_id))
    art = result.scalar_one_or_none()
    if not art:
        raise HTTPException(status.HTTP_404_NOT_FOUND, "Article not found")
    # 短新闻(API Push)是中文原生,无需翻译
    # 前端"重译"按钮已对短新闻隐藏(v-if="isOwner && !isShort"),
    # 这里加 guard 是后端兜底,防止有人直接 curl 调接口绕过前端
    if art.is_short_news:
        raise HTTPException(
            status.HTTP_400_BAD_REQUEST,
            "短新闻(API Push)无需翻译,translation_status 固定为 n/a",
        )
    art.translation_status = "pending"
    art.title_zh = None
    art.body_zh_text = None
    art.body_zh_html = None
    art.translated_at = None
    art.translation_engine = None
    await session.commit()

    from app.workers.pipeline import translate_article

    background.add_task(translate_article, article_id)
    return TriggerResponse(triggered=True, detail=f"queued translation for article {article_id}")


# === 健康看板 ===
class HealthOut(BaseModel):
    source_id: int
    slug: str
    name: str
    enabled: bool
    last_fetched_at: datetime | None
    last_status: str | None
    consecutive_failures: int
    fetch_interval_min: int
    article_count_24h: int


@router.get("/health", response_model=list[HealthOut])
async def health(session: AsyncSession = Depends(get_session)):
    result = await session.execute(select(Source).order_by(Source.priority.desc()))
    rows = result.scalars()
    out: list[HealthOut] = []
    for s in rows:
        c24 = (
            await session.execute(
                select(func.count(Article.id)).where(
                    Article.source_id == s.id,
                    Article.fetched_at >= datetime.now(timezone.utc).replace(tzinfo=None)
                    - timedelta(hours=24),
                )
            )
        ).scalar_one()
        out.append(
            HealthOut(
                source_id=s.id,
                slug=s.slug,
                name=s.name,
                enabled=s.enabled,
                last_fetched_at=s.last_fetched_at,
                last_status=s.last_status,
                consecutive_failures=s.consecutive_failures,
                fetch_interval_min=s.fetch_interval_min,
                article_count_24h=c24 or 0,
            )
        )
    return out


# === 翻译配额(管理员视图) ===
class QuotaReset(BaseModel):
    used_chars: int = 0


@router.post("/translation/quota/reset")
async def reset_quota(payload: QuotaReset) -> dict[str, Any]:
    from app.redis_client import get_redis

    r = get_redis()
    now = datetime.now(timezone.utc)
    key = f"translation:month:{now:%Y%m}"
    await r.set(key, payload.used_chars)
    return {"key": key, "value": payload.used_chars}


# === 活跃 IP 看板(防 token 泄漏 / 排查异地登录)===
class ActiveIpItem(BaseModel):
    ip: str
    last_seen_unix: int
    last_seen_iso: str
    idle_seconds: int


class ActiveIpList(BaseModel):
    items: list[ActiveIpItem]
    limit: int
    idle_days: int
    count: int


@router.get("/active-ips", response_model=ActiveIpList)
async def list_active_ips_admin():
    from app.config import settings
    from app.services.active_ip import list_active_ips

    items = await list_active_ips()
    return ActiveIpList(
        items=[ActiveIpItem(**i) for i in items],
        limit=settings.site_max_active_ips,
        idle_days=settings.site_active_ip_idle_days,
        count=len(items),
    )


class KickIpRequest(BaseModel):
    ip: str


class KickIpResponse(BaseModel):
    kicked: bool
    ip: str


@router.post("/active-ips/kick", response_model=KickIpResponse)
async def kick_active_ip(payload: KickIpRequest):
    """owner 强制剔除某个 IP。下次该 IP 登录时会再次被算作"新 IP"。"""
    from app.services.active_ip import remove_active_ip

    ok = await remove_active_ip(payload.ip)
    return KickIpResponse(kicked=ok, ip=payload.ip)


@router.delete("/active-ips/{ip}", response_model=KickIpResponse)
async def delete_active_ip(ip: str):
    from app.services.active_ip import remove_active_ip

    ok = await remove_active_ip(ip)
    return KickIpResponse(kicked=ok, ip=ip)


# === API Push ingest token 管理 ===
# 给 owner 在 /admin/sources 详情页用:为某个 api_push source 颁发 ingest token,
# 或撤销已有 token。raw token 只在生成时一次性返回。
class IngestTokenCreate(BaseModel):
    """POST /admin/sources/{id}/ingest-tokens 请求体。"""

    name: str = Field(default="default", min_length=1, max_length=64)
    expires_days: int | None = Field(default=None, ge=1, le=3650)


class IngestTokenOut(BaseModel):
    """生成/列出时的响应(列出时不返 raw_token)。"""

    id: int
    source_id: int
    name: str
    purpose: str
    created_at: datetime
    expires_at: datetime | None = None
    revoked_at: datetime | None = None
    last_used_at: datetime | None = None
    # 仅生成时填充
    raw_token: str | None = None

    class Config:
        from_attributes = True


@router.post(
    "/sources/{source_id}/ingest-tokens",
    response_model=IngestTokenOut,
    status_code=status.HTTP_201_CREATED,
)
async def create_ingest_token(
    source_id: int,
    body: IngestTokenCreate,
    session: AsyncSession = Depends(get_session),
    user: User = Depends(require_owner),
):
    """为某个 api_push source 颁发一个 ingest token。

    - raw_token 仅本次返回(后续只能列/撤销)
    - token 绑定 source_id(只能推送到这个 source)
    - 限速:由 .env INGEST_RATE_PER_SEC 全局生效
    """
    # 验证 source 存在且是 api_push 类型
    src = (
        await session.execute(select(Source).where(Source.id == source_id))
    ).scalar_one_or_none()
    if not src:
        raise HTTPException(status.HTTP_404_NOT_FOUND, "Source not found")
    if src.kind.value != "api_push":
        raise HTTPException(
            status.HTTP_400_BAD_REQUEST,
            f"source kind={src.kind.value} cannot have ingest token; need api_push",
        )

    raw, hashed = generate_api_token()
    expires = (
        datetime.now(timezone.utc) + timedelta(days=body.expires_days)
        if body.expires_days
        else None
    )
    tok = ApiToken(
        user_id=user.id,
        name=body.name,
        token_hash=hashed,
        purpose=TOKEN_PURPOSE_INGEST,
        source_id=src.id,
        expires_at=expires,
    )
    session.add(tok)
    await session.commit()
    await session.refresh(tok)
    return IngestTokenOut(
        id=tok.id,
        source_id=tok.source_id,
        name=tok.name,
        purpose=tok.purpose,
        created_at=tok.created_at,
        expires_at=tok.expires_at,
        revoked_at=tok.revoked_at,
        last_used_at=tok.last_used_at,
        raw_token=raw,  # 只此一次!
    )


@router.get(
    "/sources/{source_id}/ingest-tokens",
    response_model=list[IngestTokenOut],
)
async def list_ingest_tokens(
    source_id: int,
    session: AsyncSession = Depends(get_session),
):
    """列出某个 source 的所有 ingest token(含已撤销)。"""
    rows = (
        await session.execute(
            select(ApiToken)
            .where(
                ApiToken.source_id == source_id,
                ApiToken.purpose == TOKEN_PURPOSE_INGEST,
            )
            .order_by(ApiToken.id.desc())
        )
    ).scalars()
    return [
        IngestTokenOut(
            id=t.id,
            source_id=t.source_id,
            name=t.name,
            purpose=t.purpose,
            created_at=t.created_at,
            expires_at=t.expires_at,
            revoked_at=t.revoked_at,
            last_used_at=t.last_used_at,
            raw_token=None,  # 列出时不返 raw
        )
        for t in rows
    ]


@router.delete(
    "/ingest-tokens/{token_id}",
    response_model=dict,
    status_code=status.HTTP_200_OK,
)
async def revoke_ingest_token(
    token_id: int,
    session: AsyncSession = Depends(get_session),
):
    """撤销某个 ingest token。撤销后立即生效(下次推送返 401)。"""
    tok = (
        await session.execute(
            select(ApiToken).where(
                ApiToken.id == token_id,
                ApiToken.purpose == TOKEN_PURPOSE_INGEST,
            )
        )
    ).scalar_one_or_none()
    if not tok:
        raise HTTPException(status.HTTP_404_NOT_FOUND, "Ingest token not found")
    if tok.revoked_at:
        return {"id": tok.id, "revoked_at": tok.revoked_at, "already_revoked": True}
    tok.revoked_at = datetime.now(timezone.utc)
    await session.commit()
    logger.info(
        "ingest token revoked: id=%s source_id=%s user_id=%s",
        tok.id, tok.source_id, tok.user_id,
    )
    return {"id": tok.id, "revoked_at": tok.revoked_at, "already_revoked": False}