liuwei_x_x/abot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

后台账号体系改造:接入t_admin_数据库账号与前端改密

Browse Source 
变更项:
1. 新增 db/admin_account_db.py,提供 t_admin_accounts 表初始化、PBKDF2口令哈希、登录校验、登录信息回写与密码更新能力。
2. DashboardServer 启动时接入账号数据层,自动建表并把旧配置默认账号迁移为数据库账号种子。
3. 重构 auth 登录逻辑:优先走数据库账号鉴权,保留旧配置账号回退;新增 /api/auth/change_password 接口支持在线修改密码。
4. base.html 增加顶部修改密码入口与弹窗表单,前端可直接提交旧密码与新密码完成改密。
5. login.html 增强小屏适配:允许纵向滚动、768以下隐藏展示侧栏并优化输入区间距与字号,修复移动端登录体验。
6. 新增迁移脚本 db/scripts/migrations/20260423_add_admin_account_table.sql,便于独立数据库升级。
This commit is contained in:
liuwei
2026-04-23 09:09:19 +08:00
parent 0995c8b03f
commit f438f0f955
6 changed files with 445 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

77
admin/dashboard/blueprints/auth.py
View File

@@ -1,4 +1,4 @@
from flask import Blueprint, render_template, request, redirect, url_for, session, current_app from flask import Blueprint, render_template, request, redirect, url_for, session, current_app, jsonify
from functools import wraps from functools import wraps
from loguru import logger from loguru import logger
@@ -22,13 +22,29 @@ def login_required(f):
def login(): def login():
error = None error = None
if request.method == 'POST': if request.method == 'POST':
username = request.form['username'] # 使用 strip 规避用户误输入首尾空格导致的误判。
password = request.form['password'] username = str(request.form.get('username', '') or '').strip()
password = str(request.form.get('password', '') or '')
# 从应用上下文获取服务器实例,而不是从蓝图对象 # 从应用上下文获取服务器实例,而不是从蓝图对象
server = current_app.dashboard_server server = current_app.dashboard_server
admin_db = getattr(server, "admin_account_db", None)
if username == server.username and password == server.password: # 优先使用数据库账号体系鉴权;若不可用则回退旧配置模式,保证兼容存量部署。
login_ok = False
if admin_db:
try:
login_ok = admin_db.verify_admin_password(username, password)
if login_ok:
admin_db.mark_login_success(username, request.remote_addr or "")
except Exception as e:
logger.error(f"数据库账号登录校验异常,回退配置模式: {e}")
login_ok = False
if not login_ok:
login_ok = (username == server.username and password == server.password)
if login_ok:
session['logged_in'] = True session['logged_in'] = True
session['username'] = username # 存储用户名到session session['username'] = username # 存储用户名到session
logger.debug(f"Login successful. Session after login: {dict(session)}") logger.debug(f"Login successful. Session after login: {dict(session)}")
@@ -45,3 +61,56 @@ def logout():
session.pop('logged_in', None) session.pop('logged_in', None)
session.pop('username', None) # 同时删除username session.pop('username', None) # 同时删除username
return redirect(url_for('auth.login')) return redirect(url_for('auth.login'))
@auth_bp.route('/api/auth/change_password', methods=['POST'])
@login_required
def change_password():
"""修改当前登录管理员密码。
前端请求参数:
{
"old_password": "旧密码",
"new_password": "新密码",
"confirm_password": "确认新密码"
}
"""
server = current_app.dashboard_server
admin_db = getattr(server, "admin_account_db", None)
if not admin_db:
return jsonify({"success": False, "error": "账号数据库未初始化,无法修改密码"}), 500
payload = request.get_json(silent=True) or {}
old_password = str(payload.get("old_password", "") or "")
new_password = str(payload.get("new_password", "") or "")
confirm_password = str(payload.get("confirm_password", "") or "")
username = str(session.get("username", "") or "").strip()
if not username:
return jsonify({"success": False, "error": "会话失效,请重新登录"}), 401
if not old_password or not new_password or not confirm_password:
return jsonify({"success": False, "error": "请完整填写旧密码与新密码"}), 400
if new_password != confirm_password:
return jsonify({"success": False, "error": "两次输入的新密码不一致"}), 400
# 密码长度做基础约束,避免过弱口令。
if len(new_password) < 6:
return jsonify({"success": False, "error": "新密码长度不能少于6位"}), 400
if new_password == old_password:
return jsonify({"success": False, "error": "新密码不能与旧密码相同"}), 400
try:
if not admin_db.verify_admin_password(username, old_password):
return jsonify({"success": False, "error": "旧密码错误"}), 400
updated = admin_db.update_password(username, new_password)
if not updated:
return jsonify({"success": False, "error": "密码更新失败,请稍后重试"}), 500
return jsonify({"success": True, "message": "密码修改成功"})
except Exception as e:
logger.error(f"修改后台密码失败: username={username}, error={e}")
return jsonify({"success": False, "error": "密码修改失败,请检查日志"}), 500

17
admin/dashboard/server.py
View File

@@ -11,6 +11,7 @@ from flask import Flask, send_from_directory
from loguru import logger from loguru import logger
from db.contacts_db import ContactsDBOperator from db.contacts_db import ContactsDBOperator
from db.admin_account_db import AdminAccountDBOperator
from db.member_context_db import MemberContextDBOperator from db.member_context_db import MemberContextDBOperator
from db.message_storage import MessageStorageDB from db.message_storage import MessageStorageDB
from db.stats_db import StatsDBOperator from db.stats_db import StatsDBOperator
@@ -46,6 +47,8 @@ class DashboardServer:
self.contact_db: ContactsDBOperator = ContactsDBOperator(self.db_manager) self.contact_db: ContactsDBOperator = ContactsDBOperator(self.db_manager)
self.member_context_db = MemberContextDBOperator(self.db_manager) self.member_context_db = MemberContextDBOperator(self.db_manager)
self.task_db: TaskDBOperator = TaskDBOperator(self.db_manager) self.task_db: TaskDBOperator = TaskDBOperator(self.db_manager)
# 后台管理员账号数据层:用于登录鉴权与修改密码。
self.admin_account_db = AdminAccountDBOperator(self.db_manager)
self.system_job_db = robot_instance.system_job_db self.system_job_db = robot_instance.system_job_db
self.system_job_loader = robot_instance.system_job_loader self.system_job_loader = robot_instance.system_job_loader
self.plugin_schedule_db = robot_instance.plugin_schedule_db self.plugin_schedule_db = robot_instance.plugin_schedule_db
@@ -63,6 +66,20 @@ class DashboardServer:
self.member_context_service = getattr(self.member_context_plugin, "service", None) self.member_context_service = getattr(self.member_context_plugin, "service", None)
self.LOG.info("使用Robot实例的对象进行初始化") self.LOG.info("使用Robot实例的对象进行初始化")
# 初始化后台管理员账号表,并将旧配置中的默认账号平滑迁移进数据库。
try:
table_ok = self.admin_account_db.init_tables()
if not table_ok:
self.LOG.warning("初始化后台账号表失败,将回退旧配置账号模式")
else:
seed_ok = self.admin_account_db.ensure_default_admin(self.username, self.password, "系统管理员")
if seed_ok:
self.LOG.info("后台账号体系初始化完成(数据库账号模式已可用)")
else:
self.LOG.warning("后台账号种子初始化失败,请检查配置中的默认账号信息")
except Exception as e:
self.LOG.error(f"初始化后台账号体系失败,将回退旧配置账号模式: {e}")
else: else:
self.LOG.error("未提供Robot实例Dashboard无法正常工作") self.LOG.error("未提供Robot实例Dashboard无法正常工作")
raise ValueError("必须提供Robot实例") raise ValueError("必须提供Robot实例")

128
admin/dashboard/templates/base.html
View File

@@ -224,6 +224,18 @@
transition: all .18s ease !important; transition: all .18s ease !important;
} }
.account-btn {
color: var(--text-soft) !important;
padding: 10px 14px !important;
border-radius: 999px !important;
transition: all .18s ease !important;
}
.account-btn:hover {
color: var(--primary) !important;
background: var(--primary-soft) !important;
}
.logout-btn:hover { .logout-btn:hover {
color: var(--primary) !important; color: var(--primary) !important;
background: var(--primary-soft) !important; background: var(--primary-soft) !important;
@@ -699,6 +711,13 @@
display: none; display: none;
} }
} }
.password-dialog-tip {
margin-top: 8px;
color: var(--text-faint);
font-size: 12px;
line-height: 1.7;
}
</style> </style>
<link rel="stylesheet" href="/static/css/element-ui/theme-chalk/index.min.css"> <link rel="stylesheet" href="/static/css/element-ui/theme-chalk/index.min.css">
@@ -741,7 +760,10 @@
</div> </div>
<div class="user-pill"> <div class="user-pill">
<span class="user-dot"></span> <span class="user-dot"></span>
<span>管理员已登录</span> <span>{{ session.get('username', '管理员') }} 已登录</span>
</div>
<el-button type="text" class="account-btn" @click="openPasswordDialog">
<i class="el-icon-lock"></i> 修改密码
</div> </div>
<el-button type="text" class="logout-btn" @click="logout"> <el-button type="text" class="logout-btn" @click="logout">
<i class="el-icon-switch-button"></i> 退出 <i class="el-icon-switch-button"></i> 退出
@@ -785,6 +807,35 @@
</div> </div>
</main> </main>
</div> </div>
<el-dialog
title="修改后台登录密码"
:visible.sync="passwordDialogVisible"
width="460px"
:close-on-click-modal="false">
<el-form
ref="passwordFormRef"
:model="passwordForm"
:rules="passwordRules"
label-width="96px">
<el-form-item label="旧密码" prop="old_password">
<el-input v-model="passwordForm.old_password" type="password" show-password autocomplete="off" placeholder="请输入当前密码"></el-input>
</el-form-item>
<el-form-item label="新密码" prop="new_password">
<el-input v-model="passwordForm.new_password" type="password" show-password autocomplete="off" placeholder="至少6位"></el-input>
</el-form-item>
<el-form-item label="确认新密码" prop="confirm_password">
<el-input v-model="passwordForm.confirm_password" type="password" show-password autocomplete="off" placeholder="请再次输入新密码"></el-input>
</el-form-item>
</el-form>
<div class="password-dialog-tip">
提示:修改成功后将立即生效,建议使用强密码(字母、数字、符号组合)。
</div>
<span slot="footer" class="dialog-footer">
<el-button @click="passwordDialogVisible = false">取消</el-button>
<el-button type="primary" :loading="passwordSubmitting" @click="submitPasswordChange">确认修改</el-button>
</span>
</el-dialog>
</div> </div>
<script> <script>
@@ -870,7 +921,37 @@
currentView: '1', currentView: '1',
timeRange: '7', timeRange: '7',
showTimeRangeSelector: false, showTimeRangeSelector: false,
navGroups: NAV_GROUPS navGroups: NAV_GROUPS,
// 账号密码修改弹窗状态。
passwordDialogVisible: false,
passwordSubmitting: false,
passwordForm: {
old_password: '',
new_password: '',
confirm_password: ''
},
passwordRules: {
old_password: [
{ required: true, message: '请输入旧密码', trigger: 'blur' }
],
new_password: [
{ required: true, message: '请输入新密码', trigger: 'blur' },
{ min: 6, message: '新密码长度至少6位', trigger: 'blur' }
],
confirm_password: [
{ required: true, message: '请再次输入新密码', trigger: 'blur' },
{
validator: (rule, value, callback) => {
if (value !== this.passwordForm.new_password) {
callback(new Error('两次输入的新密码不一致'));
return;
}
callback();
},
trigger: 'blur'
}
]
}
} }
}, },
computed: { computed: {
@@ -948,6 +1029,49 @@
}).then(() => { }).then(() => {
window.location.href = '/logout'; window.location.href = '/logout';
}); });
},
openPasswordDialog() {
// 打开弹窗前重置表单,避免上次输入残留。
this.passwordDialogVisible = true;
this.passwordSubmitting = false;
this.passwordForm = {
old_password: '',
new_password: '',
confirm_password: ''
};
this.$nextTick(() => {
if (this.$refs.passwordFormRef) {
this.$refs.passwordFormRef.clearValidate();
}
});
},
submitPasswordChange() {
if (!this.$refs.passwordFormRef) {
return;
}
this.$refs.passwordFormRef.validate((valid) => {
if (!valid) {
return;
}
this.passwordSubmitting = true;
axios.post('/api/auth/change_password', this.passwordForm)
.then((response) => {
const data = response.data || {};
if (!data.success) {
this.$message.error(data.error || '修改密码失败');
return;
}
this.$message.success(data.message || '密码修改成功');
this.passwordDialogVisible = false;
})
.catch((error) => {
const errorMsg = error?.response?.data?.error || '修改密码失败,请稍后重试';
this.$message.error(errorMsg);
})
.finally(() => {
this.passwordSubmitting = false;
});
});
} }
} }
}; };

46
admin/dashboard/templates/login.html
View File

@@ -36,7 +36,8 @@
display: flex; display: flex;
align-items: center; align-items: center;
justify-content: center; justify-content: center;
overflow: hidden; overflow-x: hidden;
overflow-y: auto;
} }
.login-shell { .login-shell {
width: min(1120px, calc(100vw - 48px)); width: min(1120px, calc(100vw - 48px));
@@ -200,12 +201,53 @@
width: 8px; height: 8px; border-radius: 50%; background: #10b981; box-shadow: 0 0 0 4px rgba(16,185,129,0.12); width: 8px; height: 8px; border-radius: 50%; background: #10b981; box-shadow: 0 0 0 4px rgba(16,185,129,0.12);
} }
@media (max-width: 960px) { @media (max-width: 960px) {
.login-shell { grid-template-columns: 1fr; min-height: auto; } body { align-items: flex-start; padding: 18px 14px; }
.login-shell { grid-template-columns: 1fr; min-height: auto; width: 100%; border-radius: 24px; }
.login-showcase { padding: 34px 28px; } .login-showcase { padding: 34px 28px; }
.hero-title { font-size: 34px; } .hero-title { font-size: 34px; }
.showcase-metrics { grid-template-columns: 1fr; } .showcase-metrics { grid-template-columns: 1fr; }
.login-panel { padding: 32px 24px; } .login-panel { padding: 32px 24px; }
} }
@media (max-width: 768px) {
.login-shell {
box-shadow: 0 16px 32px rgba(15, 23, 42, 0.12);
border-radius: 18px;
min-height: 0;
}
.login-showcase {
display: none;
}
.login-panel {
padding: 22px 16px;
}
.login-card {
max-width: none;
}
.panel-title {
font-size: 24px;
}
.panel-desc {
font-size: 13px;
margin-bottom: 18px;
}
.el-input__inner,
.login-button {
height: 44px;
border-radius: 12px;
}
.panel-footer {
flex-direction: column;
align-items: flex-start;
gap: 6px;
}
}
@media (max-width: 420px) {
body { padding: 12px; }
.login-shell { width: 100%; }
.login-panel { padding: 16px 12px; }
.panel-eyebrow { margin-bottom: 12px; }
.panel-title { font-size: 22px; }
}
</style> </style>
</head> </head>
<body> <body>

166
db/admin_account_db.py Normal file
View File

@@ -0,0 +1,166 @@
# -*- coding: utf-8 -*-
"""
后台管理员账号数据访问层。
设计目标:
1. 用数据库表承载后台账号,替代“固定配置文件账号密码”;
2. 提供安全的密码散列存储与校验能力;
3. 支持登录成功后的登录信息回写与在线修改密码。
"""
import base64
import hashlib
import hmac
import secrets
from typing import Any, Dict, Optional
from db.base import BaseDBOperator
class AdminAccountDBOperator(BaseDBOperator):
"""后台管理员账号数据访问对象。"""
# 口令哈希算法版本前缀,便于将来平滑升级算法。
HASH_SCHEME = "pbkdf2_sha256"
# PBKDF2 迭代次数:在安全性与计算开销之间做平衡。
HASH_ITERATIONS = 150_000
def init_tables(self) -> bool:
"""初始化后台管理员表。
表名使用 t_admin_ 前缀,满足后台账号体系命名约定。
"""
sql = """
CREATE TABLE IF NOT EXISTS t_admin_accounts (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
username VARCHAR(64) NOT NULL COMMENT '登录用户名',
password_hash VARCHAR(255) NOT NULL COMMENT '口令哈希',
display_name VARCHAR(64) NULL COMMENT '展示名称',
status TINYINT NOT NULL DEFAULT 1 COMMENT '状态1启用0禁用',
last_login_at DATETIME NULL COMMENT '最近登录时间',
last_login_ip VARCHAR(64) NULL COMMENT '最近登录IP',
create_time DATETIME DEFAULT CURRENT_TIMESTAMP COMMENT '创建时间',
update_time DATETIME DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT '更新时间',
UNIQUE KEY uk_admin_username (username)
) COMMENT='后台管理员账号表'
"""
return self.execute_update(sql)
def get_admin_by_username(self, username: str) -> Optional[Dict[str, Any]]:
"""按用户名读取管理员信息。"""
return self.execute_query(
"""
SELECT id, username, password_hash, display_name, status, last_login_at, last_login_ip
FROM t_admin_accounts
WHERE username = %s
LIMIT 1
""",
(str(username or "").strip(),),
fetch_one=True,
)
def ensure_default_admin(self, username: str, password: str, display_name: str = "系统管理员") -> bool:
"""确保默认管理员存在。
行为约束:
1. 若用户名已存在,不覆盖既有密码;
2. 仅在“表里不存在该账号”时创建初始账号;
3. 方便从旧配置平滑迁移到数据库账号体系。
"""
normalized_username = str(username or "").strip()
normalized_password = str(password or "").strip()
if not normalized_username or not normalized_password:
return False
existing = self.get_admin_by_username(normalized_username)
if existing:
return True
password_hash = self.hash_password(normalized_password)
return self.execute_update(
"""
INSERT INTO t_admin_accounts (username, password_hash, display_name, status)
VALUES (%s, %s, %s, 1)
""",
(normalized_username, password_hash, str(display_name or "").strip() or normalized_username),
)
def verify_admin_password(self, username: str, password: str) -> bool:
"""校验账号口令是否正确。"""
row = self.get_admin_by_username(username)
if not row:
return False
if int(row.get("status") or 0) != 1:
return False
password_hash = str(row.get("password_hash") or "")
return self.verify_password(password, password_hash)
def mark_login_success(self, username: str, login_ip: str = "") -> bool:
"""记录登录成功信息。"""
return self.execute_update(
"""
UPDATE t_admin_accounts
SET last_login_at = NOW(),
last_login_ip = %s
WHERE username = %s
""",
(str(login_ip or "").strip(), str(username or "").strip()),
)
def update_password(self, username: str, new_password: str) -> bool:
"""更新指定用户口令。"""
password_hash = self.hash_password(new_password)
return self.execute_update(
"""
UPDATE t_admin_accounts
SET password_hash = %s
WHERE username = %s
AND status = 1
""",
(password_hash, str(username or "").strip()),
)
@classmethod
def hash_password(cls, raw_password: str) -> str:
"""生成口令哈希。
存储格式:
pbkdf2_sha256$迭代次数$盐(HEX)$哈希(base64)
"""
password_text = str(raw_password or "")
salt_bytes = secrets.token_bytes(16)
digest = hashlib.pbkdf2_hmac(
"sha256",
password_text.encode("utf-8"),
salt_bytes,
cls.HASH_ITERATIONS,
)
salt_hex = salt_bytes.hex()
digest_b64 = base64.b64encode(digest).decode("utf-8")
return f"{cls.HASH_SCHEME}${cls.HASH_ITERATIONS}${salt_hex}${digest_b64}"
@classmethod
def verify_password(cls, raw_password: str, stored_hash: str) -> bool:
"""校验口令哈希。
安全细节:
1. 使用 hmac.compare_digest避免时序侧信道问题
2. 对格式异常统一返回 False避免抛错打断登录流程。
"""
try:
scheme, iterations_text, salt_hex, digest_b64 = str(stored_hash or "").split("$", 3)
if scheme != cls.HASH_SCHEME:
return False
iterations = int(iterations_text)
salt_bytes = bytes.fromhex(salt_hex)
expected_digest = base64.b64decode(digest_b64.encode("utf-8"))
actual_digest = hashlib.pbkdf2_hmac(
"sha256",
str(raw_password or "").encode("utf-8"),
salt_bytes,
iterations,
)
return hmac.compare_digest(actual_digest, expected_digest)
except Exception:
return False

19
db/scripts/migrations/20260423_add_admin_account_table.sql Normal file
View File

@@ -0,0 +1,19 @@
-- 后台管理员账号体系:数据库账号表
-- 说明:
-- 1. 使用 t_admin_ 前缀,便于后台管理相关表快速定位;
-- 2. 密码字段保存的是哈希值(非明文);
-- 3. status 可用于后续封禁/停用后台账号。
CREATE TABLE IF NOT EXISTS message_archive.t_admin_accounts (
id BIGINT AUTO_INCREMENT PRIMARY KEY,
username VARCHAR(64) NOT NULL COMMENT '登录用户名',
password_hash VARCHAR(255) NOT NULL COMMENT '口令哈希',
display_name VARCHAR(64) NULL COMMENT '展示名称',
status TINYINT NOT NULL DEFAULT 1 COMMENT '状态1启用0禁用',
last_login_at DATETIME NULL COMMENT '最近登录时间',
last_login_ip VARCHAR(64) NULL COMMENT '最近登录IP',
create_time DATETIME DEFAULT CURRENT_TIMESTAMP COMMENT '创建时间',
update_time DATETIME DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT '更新时间',
UNIQUE KEY uk_admin_username (username)
) COMMENT='后台管理员账号表';