100 lines
4.6 KiB
Python
100 lines
4.6 KiB
Python
from flask import Blueprint, render_template, request, redirect, url_for, flash, current_app
|
||
from flask_login import login_user, logout_user, login_required, current_user
|
||
from ldap_utils import authenticate_ldap_user
|
||
from models import User, db
|
||
from datetime import datetime
|
||
import logging
|
||
|
||
auth_bp = Blueprint('auth', __name__)
|
||
|
||
@auth_bp.route('/login', methods=['GET', 'POST'])
|
||
def login():
|
||
if current_user.is_authenticated:
|
||
return redirect(url_for('temp_spec.spec_list'))
|
||
|
||
if request.method == 'POST':
|
||
username = request.form['username'].strip()
|
||
password = request.form['password']
|
||
|
||
# 記錄登入嘗試
|
||
print(f"[DEBUG] 登入嘗試 - 帳號: {username}")
|
||
current_app.logger.info(f"Login attempt for user: {username}")
|
||
|
||
# 驗證帳號格式
|
||
if '@' not in username:
|
||
print(f"[DEBUG] 帳號格式錯誤 - 缺少 @ 符號: {username}")
|
||
current_app.logger.warning(f"Invalid username format (missing @): {username}")
|
||
flash('請使用完整的 AD 帳號格式 (包含 @domain)', 'warning')
|
||
return render_template('login.html')
|
||
|
||
try:
|
||
# Step 1: Authenticate against LDAP
|
||
print(f"[DEBUG] 準備進行 LDAP 驗證: {username}")
|
||
current_app.logger.info(f"Attempting LDAP authentication for: {username}")
|
||
|
||
user_info = authenticate_ldap_user(username, password)
|
||
print(f"[DEBUG] LDAP 驗證結果: {user_info}")
|
||
|
||
if user_info:
|
||
print(f"[DEBUG] LDAP 驗證成功: {username}")
|
||
current_app.logger.info(f"LDAP authentication successful for: {username}")
|
||
|
||
# Step 2: User authenticated successfully, find or create local user
|
||
local_user = User.query.filter_by(username=user_info['username']).first()
|
||
|
||
if not local_user:
|
||
print(f"[DEBUG] 建立新的本地使用者帳號: {user_info['username']}")
|
||
current_app.logger.info(f"Creating new local user account: {user_info['username']}")
|
||
|
||
# Create a new user in the local database
|
||
# 預設權限為 viewer,特殊帳號設為 admin
|
||
default_role = 'viewer' # 預設權限
|
||
|
||
# 特殊處理:設定特定帳號為管理員權限
|
||
if user_info['username'].lower() == 'ymirliu@panjit.com.tw':
|
||
default_role = 'admin'
|
||
print(f"[DEBUG] 特殊帳號:{user_info['username']} 設定為管理員權限")
|
||
|
||
local_user = User(
|
||
username=user_info['username'],
|
||
# password_hash is no longer needed for login, can be empty or random
|
||
password_hash='ldap_authenticated',
|
||
role=default_role
|
||
)
|
||
db.session.add(local_user)
|
||
print(f"[DEBUG] 新使用者建立完成,權限: {default_role}")
|
||
current_app.logger.info(f"New user created with role: {default_role}")
|
||
else:
|
||
print(f"[DEBUG] 找到現有使用者: {user_info['username']}")
|
||
current_app.logger.info(f"Existing user found: {user_info['username']}")
|
||
|
||
# Update last_login time
|
||
local_user.last_login = datetime.now()
|
||
db.session.commit()
|
||
|
||
# Step 3: Log in the user with Flask-Login
|
||
login_user(local_user)
|
||
print(f"[DEBUG] 使用者登入成功: {username}")
|
||
current_app.logger.info(f"User successfully logged in: {username}")
|
||
return redirect(url_for('temp_spec.spec_list'))
|
||
|
||
else:
|
||
# LDAP 驗證失敗
|
||
print(f"[DEBUG] LDAP 驗證失敗: {username}")
|
||
current_app.logger.warning(f"LDAP authentication failed for: {username}")
|
||
flash('AD帳號或密碼錯誤,請檢查後重新輸入', 'danger')
|
||
|
||
except Exception as e:
|
||
# 系統錯誤
|
||
print(f"[DEBUG] 系統錯誤: {str(e)}")
|
||
current_app.logger.error(f"Login system error for user {username}: {str(e)}")
|
||
flash('系統登入發生錯誤,請稍後再試或聯繫系統管理員', 'danger')
|
||
|
||
return render_template('login.html')
|
||
|
||
@auth_bp.route('/logout')
|
||
@login_required
|
||
def logout():
|
||
logout_user()
|
||
return redirect(url_for('auth.login'))
|