2ND

routes/auth.py

@@ -1,11 +1,9 @@
-from flask import Blueprint, render_template, request, redirect, url_for, flash
+from flask import Blueprint, render_template, request, redirect, url_for, flash, current_app
 from flask_login import login_user, logout_user, login_required, current_user
-from werkzeug.security import check_password_hash
 from ldap_utils import authenticate_ldap_user
 from models import User, db
 from datetime import datetime
-from werkzeug.security import check_password_hash
-from ldap_utils import authenticate_ldap_user, generate_password_hash
+import logging
 
 auth_bp = Blueprint('auth', __name__)
 
@@ -15,35 +13,82 @@ def login():
         return redirect(url_for('temp_spec.spec_list'))
 
     if request.method == 'POST':
-        username = request.form['username']
+        username = request.form['username'].strip()
         password = request.form['password']
         
-        # Step 1: Authenticate against LDAP
-        user_info = authenticate_ldap_user(username, password)
-
-        if user_info:
-            # Step 2: User authenticated successfully, find or create local user
-            local_user = User.query.filter_by(username=user_info['username']).first()
-
-            if not local_user:
-                # Create a new user in the local database
-                local_user = User(
-                    username=user_info['username'],
-                    # password_hash is no longer needed for login, can be empty or random
-                    password_hash='ldap_authenticated',
-                    role='viewer'  # Default role for new users
-                )
-                db.session.add(local_user)
+        # 記錄登入嘗試
+        print(f"[DEBUG] 登入嘗試 - 帳號: {username}")
+        current_app.logger.info(f"Login attempt for user: {username}")
+        
+        # 驗證帳號格式
+        if '@' not in username:
+            print(f"[DEBUG] 帳號格式錯誤 - 缺少 @ 符號: {username}")
+            current_app.logger.warning(f"Invalid username format (missing @): {username}")
+            flash('請使用完整的 AD 帳號格式 (包含 @domain)', 'warning')
+            return render_template('login.html')
+        
+        try:
+            # Step 1: Authenticate against LDAP
+            print(f"[DEBUG] 準備進行 LDAP 驗證: {username}")
+            current_app.logger.info(f"Attempting LDAP authentication for: {username}")
             
-            # Update last_login time
-            local_user.last_login = datetime.now()
-            db.session.commit()
+            user_info = authenticate_ldap_user(username, password)
+            print(f"[DEBUG] LDAP 驗證結果: {user_info}")
 
-            # Step 3: Log in the user with Flask-Login
-            login_user(local_user)
-            return redirect(url_for('temp_spec.spec_list'))
-        else:
-            flash('帳號或密碼錯誤，請重新輸入', 'danger')
+            if user_info:
+                print(f"[DEBUG] LDAP 驗證成功: {username}")
+                current_app.logger.info(f"LDAP authentication successful for: {username}")
+                
+                # Step 2: User authenticated successfully, find or create local user
+                local_user = User.query.filter_by(username=user_info['username']).first()
+
+                if not local_user:
+                    print(f"[DEBUG] 建立新的本地使用者帳號: {user_info['username']}")
+                    current_app.logger.info(f"Creating new local user account: {user_info['username']}")
+                    
+                    # Create a new user in the local database
+                    # 預設權限為 viewer，特殊帳號設為 admin
+                    default_role = 'viewer'  # 預設權限
+                    
+                    # 特殊處理：設定特定帳號為管理員權限
+                    if user_info['username'].lower() == 'ymirliu@panjit.com.tw':
+                        default_role = 'admin'
+                        print(f"[DEBUG] 特殊帳號：{user_info['username']} 設定為管理員權限")
+                    
+                    local_user = User(
+                        username=user_info['username'],
+                        # password_hash is no longer needed for login, can be empty or random
+                        password_hash='ldap_authenticated',
+                        role=default_role
+                    )
+                    db.session.add(local_user)
+                    print(f"[DEBUG] 新使用者建立完成，權限: {default_role}")
+                    current_app.logger.info(f"New user created with role: {default_role}")
+                else:
+                    print(f"[DEBUG] 找到現有使用者: {user_info['username']}")
+                    current_app.logger.info(f"Existing user found: {user_info['username']}")
+                
+                # Update last_login time
+                local_user.last_login = datetime.now()
+                db.session.commit()
+
+                # Step 3: Log in the user with Flask-Login
+                login_user(local_user)
+                print(f"[DEBUG] 使用者登入成功: {username}")
+                current_app.logger.info(f"User successfully logged in: {username}")
+                return redirect(url_for('temp_spec.spec_list'))
+                
+            else:
+                # LDAP 驗證失敗
+                print(f"[DEBUG] LDAP 驗證失敗: {username}")
+                current_app.logger.warning(f"LDAP authentication failed for: {username}")
+                flash('AD帳號或密碼錯誤，請檢查後重新輸入', 'danger')
+                
+        except Exception as e:
+            # 系統錯誤
+            print(f"[DEBUG] 系統錯誤: {str(e)}")
+            current_app.logger.error(f"Login system error for user {username}: {str(e)}")
+            flash('系統登入發生錯誤，請稍後再試或聯繫系統管理員', 'danger')
 
     return render_template('login.html')