#

Junjie

2 天以前 bd6b518aae61608ddc2d82b43ccc283dc95b9c54

 src/main/java/com/zy/common/web/AuthController.java

@@ -1,17 +1,21 @@
package com.zy.common.web;

import com.alibaba.fastjson.JSON;
import com.baomidou.mybatisplus.mapper.EntityWrapper;
import com.baomidou.mybatisplus.mapper.Wrapper;
import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
import com.core.annotations.ManagerAuth;
import com.core.common.Cools;
import com.core.common.R;
import com.core.exception.CoolException;
import com.zy.common.CodeRes;
import com.zy.common.auth.MfaLoginTicketManager;
import com.zy.common.auth.PasskeyChallengeManager;
import com.zy.common.i18n.I18nMessageService;
import com.zy.common.entity.Parameter;
import com.zy.common.model.PowerDto;
import com.zy.common.model.enums.HtmlNavIconType;
import com.zy.common.utils.MfaTotpUtil;
import com.zy.common.utils.PasskeyWebAuthnUtil;
import com.zy.common.utils.QrCode;
import com.zy.common.utils.RandomValidateCodeUtil;
import com.zy.system.entity.*;
import com.zy.system.service.*;
@@ -24,7 +28,11 @@
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

import javax.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpServletResponse;
import javax.imageio.ImageIO;
import java.awt.image.BufferedImage;
import java.io.ByteArrayOutputStream;
import java.util.Base64;
import java.util.*;

/**
@@ -53,6 +61,10 @@
    private LicenseTimer licenseTimer;
    @Autowired
    private I18nMessageService i18nMessageService;
    @Autowired
    private MfaLoginTicketManager mfaLoginTicketManager;
    @Autowired
    private PasskeyChallengeManager passkeyChallengeManager;

    @RequestMapping("/login.action")
    @ManagerAuth(value = ManagerAuth.Auth.NONE, memo = "登录")
@@ -61,15 +73,16 @@
        if (!licenseTimer.getSystemSupport()){
            return new R(20001, i18nMessageService.getMessage("response.system.licenseExpired"));
        }
        if (Cools.isEmpty(mobile, password)) {
            return new R(10003, i18nMessageService.getMessage("response.user.passwordMismatch"));
        }
        if (mobile.equals("super") && password.equals(Cools.md5(superPwd))) {
            Map<String, Object> res = new HashMap<>();
            res.put("username", mobile);
            res.put("token", Cools.enToken(System.currentTimeMillis() + mobile, superPwd));
            return R.ok(res);
        }
        EntityWrapper<User> userWrapper = new EntityWrapper<>();
        userWrapper.eq("mobile", mobile);
        User user = userService.selectOne(userWrapper);
        User user = userService.getByMobileWithSecurity(mobile);
        if (Cools.isEmpty(user)){
            return new R(10001, i18nMessageService.getMessage("response.user.notFound"));
        }
@@ -79,17 +92,123 @@
        if (!user.getPassword().equals(password)){
            return new R(10003, i18nMessageService.getMessage("response.user.passwordMismatch"));
        }
        String token = Cools.enToken(System.currentTimeMillis() + mobile, user.getPassword());
        userLoginService.delete(new EntityWrapper<UserLogin>().eq("user_id", user.getId()).eq("system_type", "WCS"));
        UserLogin userLogin = new UserLogin();
        userLogin.setUserId(user.getId());
        userLogin.setToken(token);
        userLogin.setSystemType("WCS");
        userLoginService.insert(userLogin);
        Map<String, Object> res = new HashMap<>();
        res.put("username", user.getUsername());
        res.put("token", token);
        return R.ok(res);
        if (requiresMfa(user)) {
            Map<String, Object> res = new HashMap<>();
            res.put("username", user.getUsername());
            res.put("mfaRequired", true);
            res.put("mfaTicket", mfaLoginTicketManager.create(user.getId()));
            return R.ok(res);
        }
        return R.ok(buildLoginSuccess(user));
    }

    @RequestMapping("/login/mfa.action")
    @ManagerAuth(value = ManagerAuth.Auth.NONE, memo = "MFA登录")
    public R loginMfaAction(String ticket, String code) {
        Long userId = mfaLoginTicketManager.getUserId(ticket);
        if (userId == null) {
            return new R(10004, i18nMessageService.getMessage("response.user.mfaTicketExpired"));
        }
        User user = userService.getByIdWithSecurity(userId);
        if (Cools.isEmpty(user)) {
            mfaLoginTicketManager.remove(ticket);
            return new R(10001, i18nMessageService.getMessage("response.user.notFound"));
        }
        if (user.getStatus() != 1) {
            mfaLoginTicketManager.remove(ticket);
            return new R(10002, i18nMessageService.getMessage("response.user.disabled"));
        }
        if (!requiresMfa(user)) {
            mfaLoginTicketManager.remove(ticket);
            return new R(10005, i18nMessageService.getMessage("response.user.mfaNotEnabled"));
        }
        if (!MfaTotpUtil.verifyCode(user.getMfaSecret(), code, 1)) {
            return new R(10006, i18nMessageService.getMessage("response.user.mfaCodeMismatch"));
        }
        mfaLoginTicketManager.remove(ticket);
        return R.ok(buildLoginSuccess(user));
    }

    @RequestMapping("/login/passkey/options.action")
    @ManagerAuth(value = ManagerAuth.Auth.NONE, memo = "通行密钥登录参数")
    public R loginPasskeyOptions(String mobile) {
        if (!licenseTimer.getSystemSupport()) {
            return new R(20001, i18nMessageService.getMessage("response.system.licenseExpired"));
        }
        String origin = PasskeyWebAuthnUtil.buildOrigin(request);
        String rpId = PasskeyWebAuthnUtil.buildRpId(request);
        if (!PasskeyWebAuthnUtil.isSecureOriginAllowed(origin, rpId)) {
            return new R(10009, i18nMessageService.getMessage("response.user.passkeySecureContextRequired"));
        }
        User user = null;
        if (!Cools.isEmpty(mobile)) {
            user = userService.getByMobileWithSecurity(mobile);
            if (Cools.isEmpty(user)) {
                return new R(10001, i18nMessageService.getMessage("response.user.notFound"));
            }
            if (user.getStatus() != 1) {
                return new R(10002, i18nMessageService.getMessage("response.user.disabled"));
            }
            if (!hasPasskeyBound(user)) {
                return new R(10010, i18nMessageService.getMessage("response.user.passkeyNotBound"));
            }
        }
        PasskeyChallengeManager.ChallengeState state = passkeyChallengeManager.createAuthentication(user == null ? null : user.getId(), origin, rpId);
        return R.ok(buildPasskeyAuthenticationOptions(state, user));
    }

    @RequestMapping("/login/passkey/verify.action")
    @ManagerAuth(value = ManagerAuth.Auth.NONE, memo = "通行密钥登录")
    public R loginPasskeyVerify(String ticket,
                                String credentialId,
                                String clientDataJSON,
                                String authenticatorData,
                                String signature) {
        if (!licenseTimer.getSystemSupport()) {
            return new R(20001, i18nMessageService.getMessage("response.system.licenseExpired"));
        }
        PasskeyChallengeManager.ChallengeState state = passkeyChallengeManager.get(ticket, PasskeyChallengeManager.Purpose.AUTHENTICATION);
        if (state == null) {
            return new R(10011, i18nMessageService.getMessage("response.user.passkeyTicketExpired"));
        }
        try {
            com.alibaba.fastjson.JSONObject clientData = PasskeyWebAuthnUtil.parseClientData(clientDataJSON);
            PasskeyWebAuthnUtil.validateClientData(clientData, "webauthn.get", state.getChallenge(), state.getOrigin());
            PasskeyWebAuthnUtil.AuthenticatorData authData = PasskeyWebAuthnUtil.validateAuthenticatorData(authenticatorData, state.getRpId(), true);
            User user = state.getUserId() == null
                    ? userService.getByPasskeyCredentialId(credentialId)
                    : userService.getByIdWithSecurity(state.getUserId());
            if (Cools.isEmpty(user)) {
                return new R(10001, i18nMessageService.getMessage("response.user.notFound"));
            }
            if (user.getStatus() != 1) {
                return new R(10002, i18nMessageService.getMessage("response.user.disabled"));
            }
            if (!hasPasskeyBound(user) || !Cools.eq(user.getPasskeyCredentialId(), credentialId)) {
                return new R(10010, i18nMessageService.getMessage("response.user.passkeyNotBound"));
            }
            PasskeyWebAuthnUtil.verifyAssertionSignature(
                    user.getPasskeyPublicKey(),
                    user.getPasskeyAlgorithm(),
                    authenticatorData,
                    clientDataJSON,
                    signature
            );
            long nextSignCount = authData.getSignCount();
            Long currentSignCount = user.getPasskeySignCount();
            if (currentSignCount != null && currentSignCount > 0 && nextSignCount > 0 && nextSignCount <= currentSignCount) {
                return new R(10012, i18nMessageService.getMessage("response.user.passkeyCounterMismatch"));
            }
            userService.update(new com.baomidou.mybatisplus.core.conditions.update.UpdateWrapper<User>()
                    .eq("id", user.getId())
                    .set("passkey_sign_count", nextSignCount)
                    .set("passkey_last_used_time", new Date()));
            return R.ok(buildLoginSuccess(user));
        } catch (Exception ex) {
            return new R(10013, i18nMessageService.getMessage("response.user.passkeyVerifyFailed"));
        } finally {
            passkeyChallengeManager.remove(ticket);
        }
    }

    @RequestMapping("/code/switch.action")
@@ -122,30 +241,210 @@
    @RequestMapping("/user/detail/auth")
    @ManagerAuth
    public R userDetail(){
        return R.ok(userService.selectById(getUserId()));
        User user = userService.getByIdWithSecurity(getUserId());
        if (Cools.isEmpty(user)) {
            return R.ok();
        }
        return R.ok(buildSafeUserDetail(user));
    }

    @RequestMapping("/user/mfa/setup/auth")
    @ManagerAuth
    public R userMfaSetup() {
        User user = userService.getByIdWithSecurity(getUserId());
        if (Cools.isEmpty(user)) {
            return new R(10001, i18nMessageService.getMessage("response.user.notFound"));
        }
        if (!Integer.valueOf(1).equals(user.getMfaAllow())) {
            return new R(10007, i18nMessageService.getMessage("response.user.mfaNotAllowed"));
        }
        String secret = MfaTotpUtil.generateSecret();
        String account = !Cools.isEmpty(user.getMobile())
                ? user.getMobile()
                : (!Cools.isEmpty(user.getUsername()) ? user.getUsername() : String.valueOf(user.getId()));
        String otpAuth = MfaTotpUtil.buildOtpAuthUri("WCS", account, secret);
        Map<String, Object> data = new HashMap<>();
        data.put("secret", secret);
        data.put("otpAuth", otpAuth);
        data.put("qrCode", renderQrCodeDataUri(otpAuth));
        return R.ok(data);
    }

    @RequestMapping("/user/mfa/enable/auth")
    @ManagerAuth
    @Transactional
    public R userMfaEnable(String currentPassword, String secret, String code) {
        User user = userService.getByIdWithSecurity(getUserId());
        if (Cools.isEmpty(user)) {
            return new R(10001, i18nMessageService.getMessage("response.user.notFound"));
        }
        if (!Integer.valueOf(1).equals(user.getMfaAllow())) {
            return new R(10007, i18nMessageService.getMessage("response.user.mfaNotAllowed"));
        }
        if (!Cools.eq(user.getPassword(), currentPassword)) {
            return new R(10008, i18nMessageService.getMessage("response.user.oldPasswordMismatch"));
        }
        String normalizedSecret = normalizeSecret(secret);
        if (Cools.isEmpty(normalizedSecret) || !MfaTotpUtil.verifyCode(normalizedSecret, code, 1)) {
            return new R(10006, i18nMessageService.getMessage("response.user.mfaCodeMismatch"));
        }
        userService.update(new com.baomidou.mybatisplus.core.conditions.update.UpdateWrapper<User>()
                .eq("id", user.getId())
                .set("mfa_allow", 1)
                .set("mfa_enabled", 1)
                .set("mfa_secret", normalizedSecret)
                .set("mfa_bound_time", new Date()));
        return R.ok();
    }

    @RequestMapping("/user/mfa/disable/auth")
    @ManagerAuth
    @Transactional
    public R userMfaDisable(String currentPassword, String code) {
        User user = userService.getByIdWithSecurity(getUserId());
        if (Cools.isEmpty(user)) {
            return new R(10001, i18nMessageService.getMessage("response.user.notFound"));
        }
        if (!requiresMfa(user)) {
            return new R(10005, i18nMessageService.getMessage("response.user.mfaNotEnabled"));
        }
        if (!Cools.eq(user.getPassword(), currentPassword)) {
            return new R(10008, i18nMessageService.getMessage("response.user.oldPasswordMismatch"));
        }
        if (!MfaTotpUtil.verifyCode(user.getMfaSecret(), code, 1)) {
            return new R(10006, i18nMessageService.getMessage("response.user.mfaCodeMismatch"));
        }
        userService.update(new com.baomidou.mybatisplus.core.conditions.update.UpdateWrapper<User>()
                .eq("id", user.getId())
                .set("mfa_enabled", 0)
                .set("mfa_secret", null)
                .set("mfa_bound_time", null));
        return R.ok();
    }

    @RequestMapping("/user/passkey/register/options/auth")
    @ManagerAuth
    public R userPasskeyRegisterOptions() {
        User user = userService.getByIdWithSecurity(getUserId());
        if (Cools.isEmpty(user)) {
            return new R(10001, i18nMessageService.getMessage("response.user.notFound"));
        }
        if (hasPasskeyBound(user)) {
            return new R(10014, i18nMessageService.getMessage("response.user.passkeyAlreadyBound"));
        }
        String origin = PasskeyWebAuthnUtil.buildOrigin(request);
        String rpId = PasskeyWebAuthnUtil.buildRpId(request);
        if (!PasskeyWebAuthnUtil.isSecureOriginAllowed(origin, rpId)) {
            return new R(10009, i18nMessageService.getMessage("response.user.passkeySecureContextRequired"));
        }
        PasskeyChallengeManager.ChallengeState state = passkeyChallengeManager.createRegistration(user.getId(), origin, rpId);
        return R.ok(buildPasskeyRegistrationOptions(state, user));
    }

    @RequestMapping("/user/passkey/register/finish/auth")
    @ManagerAuth
    @Transactional
    public R userPasskeyRegisterFinish(String ticket,
                                       String currentPassword,
                                       String name,
                                       String credentialId,
                                       String clientDataJSON,
                                       String authenticatorData,
                                       String publicKey,
                                       Integer publicKeyAlgorithm,
                                       String transports) {
        User user = userService.getByIdWithSecurity(getUserId());
        if (Cools.isEmpty(user)) {
            return new R(10001, i18nMessageService.getMessage("response.user.notFound"));
        }
        if (!Cools.eq(user.getPassword(), currentPassword)) {
            return new R(10008, i18nMessageService.getMessage("response.user.oldPasswordMismatch"));
        }
        if (hasPasskeyBound(user)) {
            return new R(10014, i18nMessageService.getMessage("response.user.passkeyAlreadyBound"));
        }
        PasskeyChallengeManager.ChallengeState state = passkeyChallengeManager.get(ticket, PasskeyChallengeManager.Purpose.REGISTRATION);
        if (state == null || !Objects.equals(state.getUserId(), user.getId())) {
            return new R(10011, i18nMessageService.getMessage("response.user.passkeyTicketExpired"));
        }
        try {
            com.alibaba.fastjson.JSONObject clientData = PasskeyWebAuthnUtil.parseClientData(clientDataJSON);
            PasskeyWebAuthnUtil.validateClientData(clientData, "webauthn.create", state.getChallenge(), state.getOrigin());
            PasskeyWebAuthnUtil.AuthenticatorData authData = PasskeyWebAuthnUtil.validateAuthenticatorData(authenticatorData, state.getRpId(), true);
            PasskeyWebAuthnUtil.ensurePublicKeyMaterial(publicKey, publicKeyAlgorithm);
            if (Cools.isEmpty(credentialId)) {
                return new R(10013, i18nMessageService.getMessage("response.user.passkeyRegisterFailed"));
            }
            User exist = userService.getByPasskeyCredentialId(credentialId);
            if (!Cools.isEmpty(exist) && !Objects.equals(exist.getId(), user.getId())) {
                return new R(10015, i18nMessageService.getMessage("response.user.passkeyCredentialExists"));
            }
            userService.update(new com.baomidou.mybatisplus.core.conditions.update.UpdateWrapper<User>()
                    .eq("id", user.getId())
                    .set("passkey_name", normalizePasskeyName(name))
                    .set("passkey_credential_id", credentialId)
                    .set("passkey_public_key", publicKey)
                    .set("passkey_algorithm", publicKeyAlgorithm)
                    .set("passkey_sign_count", authData.getSignCount())
                    .set("passkey_transports", normalizePasskeyTransports(transports))
                    .set("passkey_bound_time", new Date())
                    .set("passkey_last_used_time", null));
            return R.ok();
        } catch (Exception ex) {
            return new R(10016, i18nMessageService.getMessage("response.user.passkeyRegisterFailed"));
        } finally {
            passkeyChallengeManager.remove(ticket);
        }
    }

    @RequestMapping("/user/passkey/remove/auth")
    @ManagerAuth
    @Transactional
    public R userPasskeyRemove(String currentPassword) {
        User user = userService.getByIdWithSecurity(getUserId());
        if (Cools.isEmpty(user)) {
            return new R(10001, i18nMessageService.getMessage("response.user.notFound"));
        }
        if (!hasPasskeyBound(user)) {
            return new R(10010, i18nMessageService.getMessage("response.user.passkeyNotBound"));
        }
        if (!Cools.eq(user.getPassword(), currentPassword)) {
            return new R(10008, i18nMessageService.getMessage("response.user.oldPasswordMismatch"));
        }
        userService.update(new com.baomidou.mybatisplus.core.conditions.update.UpdateWrapper<User>()
                .eq("id", user.getId())
                .set("passkey_name", null)
                .set("passkey_credential_id", null)
                .set("passkey_public_key", null)
                .set("passkey_algorithm", null)
                .set("passkey_sign_count", 0)
                .set("passkey_transports", null)
                .set("passkey_bound_time", null)
                .set("passkey_last_used_time", null));
        return R.ok();
    }

    @RequestMapping("/menu/auth")
    @ManagerAuth(memo = "首页菜单")
    public R menu(){
        // 获取所有一级菜单
        List<Resource> oneLevel = resourceService.selectList(new EntityWrapper<Resource>().eq("level", 1).eq("status", 1).orderBy("sort"));
        List<Resource> oneLevel = resourceService.list(new QueryWrapper<Resource>().eq("level", 1).eq("status", 1).orderBy(true, true, "sort"));
        User user = null;
        Wrapper<Resource> resourceWrapper;
        QueryWrapper<Resource> resourceWrapper;
        if (getUserId() == 9527) {
            resourceWrapper = new EntityWrapper<Resource>().eq("level", 2).eq("status", 1).orderBy("sort");
            resourceWrapper = new QueryWrapper<Resource>().eq("level", 2).eq("status", 1).orderBy(true, true, "sort");
        } else {
            // 获取当前用户的所有二级菜单
            user = userService.selectById(getUserId());
            List<RoleResource> roleResources = roleResourceService.selectList(new EntityWrapper<RoleResource>().eq("role_id", user.getRoleId()));
            user = userService.getById(getUserId());
            List<RoleResource> roleResources = roleResourceService.list(new QueryWrapper<RoleResource>().eq("role_id", user.getRoleId()));
            List<Long> resourceIds = new ArrayList<>();
            roleResources.forEach(roleResource -> resourceIds.add(roleResource.getResourceId()));
            if (resourceIds.isEmpty()){
                return R.ok();
            }
            resourceWrapper = new EntityWrapper<Resource>().in("id", resourceIds).eq("level", 2).eq("status", 1).orderBy("sort");
            resourceWrapper = new QueryWrapper<Resource>().in("id", resourceIds).eq("level", 2).eq("status", 1).orderBy(true, true, "sort");
        }
        List<Resource> twoLevel = resourceService.selectList(resourceWrapper);
        List<Resource> twoLevel = resourceService.list(resourceWrapper);
        List<Map<String, Object>> result = new ArrayList<>();
        for (Resource menu : oneLevel) {
            Map<String, Object> map = new HashMap<>();
@@ -157,12 +456,14 @@

                    // 是否拥有查看权限
                    if (getUserId() != 9527) {
                        Resource view = resourceService.selectOne(new EntityWrapper<Resource>().eq("resource_id", resource.getId()).like("code", "view"));
                        Resource view = firstResource(new QueryWrapper<Resource>()
                                .eq("resource_id", resource.getId())
                                .like("code", "view"));
                        if (!Cools.isEmpty(view)){
                            RoleResource param = new RoleResource();
                            param.setResourceId(view.getId());
                            param.setRoleId(user.getRoleId());
                            if (null == roleResourceService.selectOne(new EntityWrapper<>(param))){
                            if (!existsRoleResource(new QueryWrapper<>(param))){
                                continue;
                            }
                        }
@@ -189,7 +490,7 @@
    @RequestMapping("/power/list/auth")
    @ManagerAuth
    public R powerList(){
        List<Resource> oneLevels = resourceService.selectList(new EntityWrapper<Resource>().eq("level", 1).eq("status", 1).orderBy("sort"));
        List<Resource> oneLevels = resourceService.list(new QueryWrapper<Resource>().eq("level", 1).eq("status", 1).orderBy(true, true, "sort"));
        List<Map> result = new ArrayList<>();
        // 一级
        for (Resource oneLevel : oneLevels){
@@ -199,7 +500,7 @@
            oneLevelMap.put("id", oneLevel.getId());
            oneLevelMap.put("spread", true);
            oneLevelMap.put("children", twoLevelsList);
            List<Resource> twoLevels = resourceService.selectList(new EntityWrapper<Resource>().eq("resource_id", oneLevel.getId()).eq("level", 2).eq("status", 1).orderBy("sort"));
            List<Resource> twoLevels = resourceService.list(new QueryWrapper<Resource>().eq("resource_id", oneLevel.getId()).eq("level", 2).eq("status", 1).orderBy(true, true, "sort"));
            // 二级
            for (Resource twoLevel : twoLevels){
                Map<String, Object> twoLevelMap = new HashMap<>();
@@ -210,7 +511,7 @@
                List<Map> threeLevelsList = new ArrayList<>();
                twoLevelMap.put("children", threeLevelsList);
                // 三级
                List<Resource> threeLevels = resourceService.selectList(new EntityWrapper<Resource>().eq("resource_id", twoLevel.getId()).eq("level", 3).eq("status", 1).orderBy("sort"));
                List<Resource> threeLevels = resourceService.list(new QueryWrapper<Resource>().eq("resource_id", twoLevel.getId()).eq("level", 3).eq("status", 1).orderBy(true, true, "sort"));
                for (Resource threeLevel : threeLevels){
                    Map<String, Object> threeLevelMap = new HashMap<>();
                    threeLevelMap.put("title", localizeResourceName(threeLevel));
@@ -231,7 +532,7 @@
        functions.put("spread", true);
        List<Map> funcs = new ArrayList<>();
        functions.put("children", funcs);
        List<Permission> permissions = permissionService.selectList(new EntityWrapper<Permission>().eq("status", 1));
        List<Permission> permissions = permissionService.list(new QueryWrapper<Permission>().eq("status", 1));
        for (Permission permission : permissions) {
            Map<String, Object> func = new HashMap<>();
            func.put("title", i18nMessageService.resolvePermissionText(permission.getName(), permission.getAction(), permission.getId()));
@@ -244,6 +545,187 @@
        return R.ok(result);
    }

    private Map<String, Object> buildLoginSuccess(User user) {
        String token = Cools.enToken(System.currentTimeMillis() + user.getMobile(), user.getPassword());
        userLoginService.remove(new QueryWrapper<UserLogin>().eq("user_id", user.getId()).eq("system_type", "WCS"));
        UserLogin userLogin = new UserLogin();
        userLogin.setUserId(user.getId());
        userLogin.setToken(token);
        userLogin.setSystemType("WCS");
        userLoginService.save(userLogin);
        Map<String, Object> result = new HashMap<>();
        result.put("username", user.getUsername());
        result.put("token", token);
        result.put("mfaRequired", false);
        return result;
    }

    private boolean requiresMfa(User user) {
        return user != null
                && Integer.valueOf(1).equals(user.getMfaAllow())
                && Integer.valueOf(1).equals(user.getMfaEnabled())
                && !Cools.isEmpty(user.getMfaSecret());
    }

    private boolean hasPasskeyBound(User user) {
        return user != null
                && !Cools.isEmpty(user.getPasskeyCredentialId())
                && !Cools.isEmpty(user.getPasskeyPublicKey());
    }

    private Map<String, Object> buildSafeUserDetail(User user) {
        Map<String, Object> result = new HashMap<>();
        result.put("id", user.getId());
        result.put("roleName", user.getRoleName());
        result.put("username", user.getUsername());
        result.put("mobile", user.getMobile());
        result.put("createTime$", user.getCreateTime$());
        result.put("mfaAllow", user.getMfaAllow());
        result.put("mfaAllow$", user.getMfaAllow$());
        result.put("mfaEnabled", user.getMfaEnabled());
        result.put("mfaEnabled$", user.getMfaEnabled$());
        result.put("mfaBoundTime$", user.getMfaBoundTime$());
        result.put("mfaMaskedSecret", MfaTotpUtil.maskSecret(user.getMfaSecret()));
        result.put("passkeyBound", hasPasskeyBound(user));
        result.put("passkeyName", user.getPasskeyName());
        result.put("passkeyBoundTime$", user.getPasskeyBoundTime$());
        result.put("passkeyLastUsedTime$", user.getPasskeyLastUsedTime$());
        result.put("passkeyTransports", user.getPasskeyTransports());
        return result;
    }

    private Map<String, Object> buildPasskeyRegistrationOptions(PasskeyChallengeManager.ChallengeState state, User user) {
        Map<String, Object> data = new HashMap<>();
        data.put("ticket", state.getTicket());
        data.put("challenge", state.getChallenge());
        data.put("rpId", state.getRpId());
        data.put("rpName", "WCS");
        data.put("userId", Base64.getUrlEncoder().withoutPadding().encodeToString(PasskeyWebAuthnUtil.buildUserHandle(user.getId())));
        data.put("userName", resolvePasskeyUserName(user));
        data.put("userDisplayName", resolvePasskeyDisplayName(user));
        data.put("timeout", 60000);
        data.put("attestation", "none");
        data.put("pubKeyCredParams", buildPasskeyAlgorithms());
        Map<String, Object> authenticatorSelection = new HashMap<>();
        authenticatorSelection.put("residentKey", "preferred");
        authenticatorSelection.put("userVerification", "required");
        data.put("authenticatorSelection", authenticatorSelection);
        data.put("excludeCredentials", Collections.emptyList());
        return data;
    }

    private Map<String, Object> buildPasskeyAuthenticationOptions(PasskeyChallengeManager.ChallengeState state, User user) {
        Map<String, Object> data = new HashMap<>();
        data.put("ticket", state.getTicket());
        data.put("challenge", state.getChallenge());
        data.put("rpId", state.getRpId());
        data.put("timeout", 60000);
        data.put("userVerification", "required");
        if (user == null) {
            data.put("allowCredentials", Collections.emptyList());
        } else {
            data.put("allowCredentials", Collections.singletonList(buildPasskeyDescriptor(user.getPasskeyCredentialId(), user.getPasskeyTransports())));
        }
        return data;
    }

    private List<Map<String, Object>> buildPasskeyAlgorithms() {
        List<Map<String, Object>> result = new ArrayList<>();
        result.add(buildPasskeyAlgorithm(-7));
        result.add(buildPasskeyAlgorithm(-257));
        result.add(buildPasskeyAlgorithm(-8));
        return result;
    }

    private Map<String, Object> buildPasskeyAlgorithm(int alg) {
        Map<String, Object> item = new HashMap<>();
        item.put("type", "public-key");
        item.put("alg", alg);
        return item;
    }

    private Map<String, Object> buildPasskeyDescriptor(String credentialId, String transports) {
        Map<String, Object> item = new HashMap<>();
        item.put("type", "public-key");
        item.put("id", credentialId);
        item.put("transports", parsePasskeyTransports(transports));
        return item;
    }

    private String renderQrCodeDataUri(String content) {
        try {
            BufferedImage image = QrCode.createImg(content, 220);
            ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
            ImageIO.write(image, "jpg", outputStream);
            return "data:image/jpeg;base64," + Base64.getEncoder().encodeToString(outputStream.toByteArray());
        } catch (Exception e) {
            return "";
        }
    }

    private String normalizeSecret(String secret) {
        if (Cools.isEmpty(secret)) {
            return "";
        }
        return String.valueOf(secret)
                .trim()
                .replace(" ", "")
                .replace("-", "")
                .toUpperCase(Locale.ROOT);
    }

    private String resolvePasskeyUserName(User user) {
        if (!Cools.isEmpty(user.getMobile())) {
            return user.getMobile();
        }
        if (!Cools.isEmpty(user.getUsername())) {
            return user.getUsername();
        }
        return String.valueOf(user.getId());
    }

    private String resolvePasskeyDisplayName(User user) {
        if (!Cools.isEmpty(user.getUsername())) {
            return user.getUsername();
        }
        return resolvePasskeyUserName(user);
    }

    private String normalizePasskeyName(String name) {
        String value = Cools.isEmpty(name) ? "" : String.valueOf(name).trim();
        if (value.length() > 100) {
            value = value.substring(0, 100);
        }
        if (!Cools.isEmpty(value)) {
            return value;
        }
        return "通行密钥-" + new java.text.SimpleDateFormat("yyyyMMddHHmmss").format(new Date());
    }

    private String normalizePasskeyTransports(String transports) {
        List<String> values = parsePasskeyTransports(transports);
        return values.isEmpty() ? null : JSON.toJSONString(values);
    }

    private List<String> parsePasskeyTransports(String transports) {
        if (Cools.isEmpty(transports)) {
            return Collections.emptyList();
        }
        try {
            List<String> values = JSON.parseArray(transports, String.class);
            return values == null ? Collections.emptyList() : values;
        } catch (Exception ignored) {
        }
        List<String> result = new ArrayList<>();
        for (String value : String.valueOf(transports).split(",")) {
            String item = value == null ? "" : value.trim();
            if (!item.isEmpty()) {
                result.add(item);
            }
        }
        return result;
    }

    private String localizeResourceName(Resource resource) {
        return i18nMessageService.resolveResourceText(resource.getName(), resource.getCode(), resource.getId());
    }
@@ -253,9 +735,9 @@
    public R get(@PathVariable("roleId") Long roleId) {
        List<Object> result = new ArrayList<>();
        // 菜单
        List<RoleResource> roleResources = roleResourceService.selectList(new EntityWrapper<RoleResource>().eq("role_id", roleId));
        List<RoleResource> roleResources = roleResourceService.list(new QueryWrapper<RoleResource>().eq("role_id", roleId));
        for (RoleResource roleResource : roleResources){
            Resource resource = resourceService.selectById(roleResource.getResourceId());
            Resource resource = resourceService.getById(roleResource.getResourceId());
            if (!Cools.isEmpty(resource)){
                if (resource.getLevel() == 3){
                    result.add(resource.getId());
@@ -263,9 +745,9 @@
            }
        }
        // 功能
        List<RolePermission> rolePermissions = rolePermissionService.selectList(new EntityWrapper<RolePermission>().eq("role_id", roleId));
        List<RolePermission> rolePermissions = rolePermissionService.list(new QueryWrapper<RolePermission>().eq("role_id", roleId));
        for (RolePermission rolePermission : rolePermissions){
            Permission permission = permissionService.selectById(rolePermission.getPermissionId());
            Permission permission = permissionService.getById(rolePermission.getPermissionId());
            if (!Cools.isEmpty(permission)){
                result.add(permission.getAction());
            }
@@ -277,18 +759,18 @@
    @ManagerAuth(memo = "授权")
    @Transactional
    public R power(Long roleId, String powers){
        Role role = roleService.selectById(roleId);
        Role role = roleService.getById(roleId);
        Long leaderId = role.getLeader();
        roleResourceService.delete(new EntityWrapper<RoleResource>().eq("role_id", roleId));
        rolePermissionService.delete(new EntityWrapper<RolePermission>().eq("role_id", roleId));
        roleResourceService.remove(new QueryWrapper<RoleResource>().eq("role_id", roleId));
        rolePermissionService.remove(new QueryWrapper<RolePermission>().eq("role_id", roleId));
        if (!Cools.isEmpty(powers)){
            List<PowerDto> dtos = JSON.parseArray(powers, PowerDto.class);
            for (PowerDto dto : dtos) {
                Resource resource = resourceService.selectOne(new EntityWrapper<Resource>().eq("id", dto.getTwo()).eq("level", 2));
                Resource resource = resourceService.getOne(new QueryWrapper<Resource>().eq("id", dto.getTwo()).eq("level", 2));
                if (!Cools.isEmpty(resource)) {
                    // 校验上级权限
                    if (leaderId != null) {
                        RoleResource roleResource = roleResourceService.selectOne(new EntityWrapper<RoleResource>().eq("role_id", leaderId).eq("resource_id", resource.getId()));
                        RoleResource roleResource = roleResourceService.getOne(new QueryWrapper<RoleResource>().eq("role_id", leaderId).eq("resource_id", resource.getId()));
                        if (null == roleResource) {
                            throw new CoolException(resource.getName().concat("无法授权给").concat(role.getName()));
                        }
@@ -296,22 +778,22 @@
                    RoleResource roleResource = new RoleResource();
                    roleResource.setRoleId(roleId);
                    roleResource.setResourceId(resource.getId());
                    roleResourceService.insert(roleResource);
                    roleResourceService.save(roleResource);
                } else {
                    Permission permission = permissionService.selectOne(new EntityWrapper<Permission>().eq("action", dto.getTwo()));
                    Permission permission = permissionService.getOne(new QueryWrapper<Permission>().eq("action", dto.getTwo()));
                    if (!Cools.isEmpty(permission)){
                        RolePermission rolePermission = new RolePermission();
                        rolePermission.setRoleId(roleId);
                        rolePermission.setPermissionId(permission.getId());
                        rolePermissionService.insert(rolePermission);
                        rolePermissionService.save(rolePermission);
                    }
                }
                for (String three : dto.getThree()){
                    Resource resource1 = resourceService.selectOne(new EntityWrapper<Resource>().eq("id", three).eq("level", 3));
                    Resource resource1 = resourceService.getOne(new QueryWrapper<Resource>().eq("id", three).eq("level", 3));
                    if (!Cools.isEmpty(resource1)) {
                        // 校验上级权限
                        if (leaderId != null) {
                            RoleResource roleResource = roleResourceService.selectOne(new EntityWrapper<RoleResource>().eq("role_id", leaderId).eq("resource_id", resource1.getId()));
                            RoleResource roleResource = roleResourceService.getOne(new QueryWrapper<RoleResource>().eq("role_id", leaderId).eq("resource_id", resource1.getId()));
                            if (null == roleResource) {
                                throw new CoolException(resource.getName().concat("的").concat(resource1.getName().concat("无法授权给").concat(role.getName())));
                            }
@@ -319,7 +801,7 @@
                        RoleResource roleResource = new RoleResource();
                        roleResource.setRoleId(roleId);
                        roleResource.setResourceId(resource1.getId());
                        roleResourceService.insert(roleResource);
                        roleResourceService.save(roleResource);
                    }
                }
            }
@@ -332,7 +814,7 @@
    public R buttonResource(@PathVariable("resourceId") Long resourceId) {
        List<Resource> resources;
        if (getUserId() == 9527) {
            resources = resourceService.selectList(new EntityWrapper<Resource>().eq("level", 3).eq("resource_id", resourceId));
            resources = resourceService.list(new QueryWrapper<Resource>().eq("level", 3).eq("resource_id", resourceId));
        } else {
            resources = roleResourceService.getMenuButtomResource(resourceId, getUserId());
        }
@@ -342,5 +824,16 @@
        return R.ok(resources);
    }

    private Resource firstResource(QueryWrapper<Resource> wrapper) {
        wrapper.last("limit 1");
        List<Resource> list = resourceService.list(wrapper);
        return list.isEmpty() ? null : list.get(0);
    }

    private boolean existsRoleResource(QueryWrapper<RoleResource> wrapper) {
        wrapper.last("limit 1");
        return !roleResourceService.list(wrapper).isEmpty();
    }


}