From 754e720ba762ca323d153ddcaaa2d6f85d06a9f6 Mon Sep 17 00:00:00 2001
From: Jeason <1710884619@qq.com>
Date: Mon, 9 Mar 2026 14:05:00 +0800
Subject: [PATCH] 123
---
.kiro/specs/multi-user-signin/design.md | 566 ++++++++++++++++++
.kiro/specs/multi-user-signin/requirements.md | 138 +++++
.kiro/specs/multi-user-signin/tasks.md | 185 ++++++
README.md | 187 ++++++
backend/Dockerfile | 91 +++
backend/api_service/__init__.py | 0
.../__pycache__/__init__.cpython-311.pyc | Bin 0 -> 154 bytes
backend/api_service/app/__init__.py | 0
.../app/__pycache__/__init__.cpython-311.pyc | Bin 0 -> 158 bytes
.../__pycache__/dependencies.cpython-311.pyc | Bin 0 -> 2325 bytes
.../app/__pycache__/main.cpython-311.pyc | Bin 0 -> 3373 bytes
backend/api_service/app/config.py | 9 +
backend/api_service/app/dependencies.py | 50 ++
backend/api_service/app/main.py | 75 +++
backend/api_service/app/routers/__init__.py | 0
.../__pycache__/__init__.cpython-311.pyc | Bin 0 -> 166 bytes
.../__pycache__/accounts.cpython-311.pyc | Bin 0 -> 7346 bytes
.../__pycache__/signin_logs.cpython-311.pyc | Bin 0 -> 5061 bytes
.../routers/__pycache__/tasks.cpython-311.pyc | Bin 0 -> 9599 bytes
backend/api_service/app/routers/accounts.py | 139 +++++
.../api_service/app/routers/signin_logs.py | 83 +++
backend/api_service/app/routers/tasks.py | 196 ++++++
backend/api_service/app/schemas/__init__.py | 0
.../__pycache__/__init__.cpython-311.pyc | Bin 0 -> 166 bytes
.../__pycache__/account.cpython-311.pyc | Bin 0 -> 2574 bytes
.../__pycache__/signin_log.cpython-311.pyc | Bin 0 -> 1808 bytes
.../schemas/__pycache__/task.cpython-311.pyc | Bin 0 -> 2058 bytes
backend/api_service/app/schemas/account.py | 34 ++
backend/api_service/app/schemas/signin_log.py | 30 +
backend/api_service/app/schemas/task.py | 29 +
backend/auth_service/Dockerfile | 34 ++
backend/auth_service/__init__.py | 0
.../__pycache__/__init__.cpython-311.pyc | Bin 0 -> 155 bytes
backend/auth_service/app/__init__.py | 0
.../app/__pycache__/__init__.cpython-311.pyc | Bin 0 -> 159 bytes
.../app/__pycache__/main.cpython-311.pyc | Bin 0 -> 9283 bytes
backend/auth_service/app/config.py | 50 ++
backend/auth_service/app/main.py | 223 +++++++
backend/auth_service/app/models/__init__.py | 0
.../__pycache__/__init__.cpython-311.pyc | Bin 0 -> 166 bytes
.../__pycache__/database.cpython-311.pyc | Bin 0 -> 1194 bytes
backend/auth_service/app/models/database.py | 15 +
backend/auth_service/app/schemas/__init__.py | 0
.../__pycache__/__init__.cpython-311.pyc | Bin 0 -> 167 bytes
.../schemas/__pycache__/user.cpython-311.pyc | Bin 0 -> 4870 bytes
backend/auth_service/app/schemas/user.py | 57 ++
backend/auth_service/app/services/__init__.py | 0
.../__pycache__/__init__.cpython-311.pyc | Bin 0 -> 168 bytes
.../__pycache__/auth_service.cpython-311.pyc | Bin 0 -> 11764 bytes
.../auth_service/app/services/auth_service.py | 191 ++++++
backend/auth_service/app/utils/__init__.py | 0
.../__pycache__/__init__.cpython-311.pyc | Bin 0 -> 165 bytes
.../__pycache__/security.cpython-311.pyc | Bin 0 -> 8255 bytes
backend/auth_service/app/utils/security.py | 148 +++++
backend/auth_service/requirements.txt | 31 +
backend/requirements.txt | 33 +
backend/shared/__init__.py | 1 +
.../__pycache__/__init__.cpython-311.pyc | Bin 0 -> 221 bytes
.../shared/__pycache__/config.cpython-311.pyc | Bin 0 -> 1465 bytes
.../shared/__pycache__/crypto.cpython-311.pyc | Bin 0 -> 2590 bytes
.../__pycache__/response.cpython-311.pyc | Bin 0 -> 1260 bytes
backend/shared/config.py | 31 +
backend/shared/crypto.py | 44 ++
backend/shared/models/__init__.py | 18 +
.../__pycache__/__init__.cpython-311.pyc | Bin 0 -> 636 bytes
.../__pycache__/account.cpython-311.pyc | Bin 0 -> 2430 bytes
.../models/__pycache__/base.cpython-311.pyc | Bin 0 -> 1893 bytes
.../__pycache__/signin_log.cpython-311.pyc | Bin 0 -> 1864 bytes
.../models/__pycache__/task.cpython-311.pyc | Bin 0 -> 1921 bytes
.../models/__pycache__/user.cpython-311.pyc | Bin 0 -> 1976 bytes
backend/shared/models/account.py | 30 +
backend/shared/models/base.py | 33 +
backend/shared/models/signin_log.py | 23 +
backend/shared/models/task.py | 24 +
backend/shared/models/user.py | 25 +
backend/shared/response.py | 35 ++
backend/signin_executor/Dockerfile | 34 ++
backend/signin_executor/app/config.py | 56 ++
backend/signin_executor/app/main.py | 226 +++++++
.../app/models/signin_models.py | 89 +++
.../app/services/signin_service.py | 271 +++++++++
.../app/services/weibo_client.py | 167 ++++++
backend/signin_executor/requirements.txt | 23 +
backend/task_scheduler/Dockerfile | 30 +
backend/task_scheduler/app/celery_app.py | 97 +++
backend/task_scheduler/app/config.py | 47 ++
.../task_scheduler/app/tasks/signin_tasks.py | 196 ++++++
backend/task_scheduler/requirements.txt | 18 +
backend/tests/__init__.py | 0
.../__pycache__/__init__.cpython-311.pyc | Bin 0 -> 148 bytes
.../conftest.cpython-311-pytest-8.3.3.pyc | Bin 0 -> 5547 bytes
..._api_accounts.cpython-311-pytest-8.3.3.pyc | Bin 0 -> 27161 bytes
...i_signin_logs.cpython-311-pytest-8.3.3.pyc | Bin 0 -> 29991 bytes
...est_api_tasks.cpython-311-pytest-8.3.3.pyc | Bin 0 -> 21562 bytes
..._auth_service.cpython-311-pytest-8.3.3.pyc | Bin 0 -> 43761 bytes
.../test_shared.cpython-311-pytest-8.3.3.pyc | Bin 0 -> 27171 bytes
backend/tests/conftest.py | 86 +++
backend/tests/test_api_accounts.py | 214 +++++++
backend/tests/test_api_signin_logs.py | 238 ++++++++
backend/tests/test_api_tasks.py | 226 +++++++
backend/tests/test_auth_service.py | 317 ++++++++++
backend/tests/test_shared.py | 171 ++++++
docker-compose.yml | 170 ++++++
init-db.sql | 64 ++
开发文档.txt | 292 +++++++++
105 files changed, 5890 insertions(+)
create mode 100644 .kiro/specs/multi-user-signin/design.md
create mode 100644 .kiro/specs/multi-user-signin/requirements.md
create mode 100644 .kiro/specs/multi-user-signin/tasks.md
create mode 100644 README.md
create mode 100644 backend/Dockerfile
create mode 100644 backend/api_service/__init__.py
create mode 100644 backend/api_service/__pycache__/__init__.cpython-311.pyc
create mode 100644 backend/api_service/app/__init__.py
create mode 100644 backend/api_service/app/__pycache__/__init__.cpython-311.pyc
create mode 100644 backend/api_service/app/__pycache__/dependencies.cpython-311.pyc
create mode 100644 backend/api_service/app/__pycache__/main.cpython-311.pyc
create mode 100644 backend/api_service/app/config.py
create mode 100644 backend/api_service/app/dependencies.py
create mode 100644 backend/api_service/app/main.py
create mode 100644 backend/api_service/app/routers/__init__.py
create mode 100644 backend/api_service/app/routers/__pycache__/__init__.cpython-311.pyc
create mode 100644 backend/api_service/app/routers/__pycache__/accounts.cpython-311.pyc
create mode 100644 backend/api_service/app/routers/__pycache__/signin_logs.cpython-311.pyc
create mode 100644 backend/api_service/app/routers/__pycache__/tasks.cpython-311.pyc
create mode 100644 backend/api_service/app/routers/accounts.py
create mode 100644 backend/api_service/app/routers/signin_logs.py
create mode 100644 backend/api_service/app/routers/tasks.py
create mode 100644 backend/api_service/app/schemas/__init__.py
create mode 100644 backend/api_service/app/schemas/__pycache__/__init__.cpython-311.pyc
create mode 100644 backend/api_service/app/schemas/__pycache__/account.cpython-311.pyc
create mode 100644 backend/api_service/app/schemas/__pycache__/signin_log.cpython-311.pyc
create mode 100644 backend/api_service/app/schemas/__pycache__/task.cpython-311.pyc
create mode 100644 backend/api_service/app/schemas/account.py
create mode 100644 backend/api_service/app/schemas/signin_log.py
create mode 100644 backend/api_service/app/schemas/task.py
create mode 100644 backend/auth_service/Dockerfile
create mode 100644 backend/auth_service/__init__.py
create mode 100644 backend/auth_service/__pycache__/__init__.cpython-311.pyc
create mode 100644 backend/auth_service/app/__init__.py
create mode 100644 backend/auth_service/app/__pycache__/__init__.cpython-311.pyc
create mode 100644 backend/auth_service/app/__pycache__/main.cpython-311.pyc
create mode 100644 backend/auth_service/app/config.py
create mode 100644 backend/auth_service/app/main.py
create mode 100644 backend/auth_service/app/models/__init__.py
create mode 100644 backend/auth_service/app/models/__pycache__/__init__.cpython-311.pyc
create mode 100644 backend/auth_service/app/models/__pycache__/database.cpython-311.pyc
create mode 100644 backend/auth_service/app/models/database.py
create mode 100644 backend/auth_service/app/schemas/__init__.py
create mode 100644 backend/auth_service/app/schemas/__pycache__/__init__.cpython-311.pyc
create mode 100644 backend/auth_service/app/schemas/__pycache__/user.cpython-311.pyc
create mode 100644 backend/auth_service/app/schemas/user.py
create mode 100644 backend/auth_service/app/services/__init__.py
create mode 100644 backend/auth_service/app/services/__pycache__/__init__.cpython-311.pyc
create mode 100644 backend/auth_service/app/services/__pycache__/auth_service.cpython-311.pyc
create mode 100644 backend/auth_service/app/services/auth_service.py
create mode 100644 backend/auth_service/app/utils/__init__.py
create mode 100644 backend/auth_service/app/utils/__pycache__/__init__.cpython-311.pyc
create mode 100644 backend/auth_service/app/utils/__pycache__/security.cpython-311.pyc
create mode 100644 backend/auth_service/app/utils/security.py
create mode 100644 backend/auth_service/requirements.txt
create mode 100644 backend/requirements.txt
create mode 100644 backend/shared/__init__.py
create mode 100644 backend/shared/__pycache__/__init__.cpython-311.pyc
create mode 100644 backend/shared/__pycache__/config.cpython-311.pyc
create mode 100644 backend/shared/__pycache__/crypto.cpython-311.pyc
create mode 100644 backend/shared/__pycache__/response.cpython-311.pyc
create mode 100644 backend/shared/config.py
create mode 100644 backend/shared/crypto.py
create mode 100644 backend/shared/models/__init__.py
create mode 100644 backend/shared/models/__pycache__/__init__.cpython-311.pyc
create mode 100644 backend/shared/models/__pycache__/account.cpython-311.pyc
create mode 100644 backend/shared/models/__pycache__/base.cpython-311.pyc
create mode 100644 backend/shared/models/__pycache__/signin_log.cpython-311.pyc
create mode 100644 backend/shared/models/__pycache__/task.cpython-311.pyc
create mode 100644 backend/shared/models/__pycache__/user.cpython-311.pyc
create mode 100644 backend/shared/models/account.py
create mode 100644 backend/shared/models/base.py
create mode 100644 backend/shared/models/signin_log.py
create mode 100644 backend/shared/models/task.py
create mode 100644 backend/shared/models/user.py
create mode 100644 backend/shared/response.py
create mode 100644 backend/signin_executor/Dockerfile
create mode 100644 backend/signin_executor/app/config.py
create mode 100644 backend/signin_executor/app/main.py
create mode 100644 backend/signin_executor/app/models/signin_models.py
create mode 100644 backend/signin_executor/app/services/signin_service.py
create mode 100644 backend/signin_executor/app/services/weibo_client.py
create mode 100644 backend/signin_executor/requirements.txt
create mode 100644 backend/task_scheduler/Dockerfile
create mode 100644 backend/task_scheduler/app/celery_app.py
create mode 100644 backend/task_scheduler/app/config.py
create mode 100644 backend/task_scheduler/app/tasks/signin_tasks.py
create mode 100644 backend/task_scheduler/requirements.txt
create mode 100644 backend/tests/__init__.py
create mode 100644 backend/tests/__pycache__/__init__.cpython-311.pyc
create mode 100644 backend/tests/__pycache__/conftest.cpython-311-pytest-8.3.3.pyc
create mode 100644 backend/tests/__pycache__/test_api_accounts.cpython-311-pytest-8.3.3.pyc
create mode 100644 backend/tests/__pycache__/test_api_signin_logs.cpython-311-pytest-8.3.3.pyc
create mode 100644 backend/tests/__pycache__/test_api_tasks.cpython-311-pytest-8.3.3.pyc
create mode 100644 backend/tests/__pycache__/test_auth_service.cpython-311-pytest-8.3.3.pyc
create mode 100644 backend/tests/__pycache__/test_shared.cpython-311-pytest-8.3.3.pyc
create mode 100644 backend/tests/conftest.py
create mode 100644 backend/tests/test_api_accounts.py
create mode 100644 backend/tests/test_api_signin_logs.py
create mode 100644 backend/tests/test_api_tasks.py
create mode 100644 backend/tests/test_auth_service.py
create mode 100644 backend/tests/test_shared.py
create mode 100644 docker-compose.yml
create mode 100644 init-db.sql
create mode 100644 开发文档.txt
diff --git a/.kiro/specs/multi-user-signin/design.md b/.kiro/specs/multi-user-signin/design.md
new file mode 100644
index 0000000..86fc65a
--- /dev/null
+++ b/.kiro/specs/multi-user-signin/design.md
@@ -0,0 +1,566 @@
+# 设计文档:Weibo-HotSign 多用户签到系统
+
+## 概述
+
+本设计文档描述 Weibo-HotSign 系统的架构重构与核心功能实现方案。核心目标是:
+
+1. 引入 `backend/shared/` 共享模块,统一 ORM 模型、数据库连接和加密工具,消除各服务间的代码重复
+2. 完善 `auth_service`,实现 Refresh Token 机制
+3. 从零实现 `api_service`,提供微博账号 CRUD、任务配置和签到日志查询 API
+4. 将 `signin_executor` 和 `task_scheduler` 中的 Mock 实现替换为真实数据库交互
+5. 所有 API 遵循统一响应格式
+
+技术栈:Python 3.11 + FastAPI + SQLAlchemy (async) + Celery + MySQL (aiomysql) + Redis
+
+## 架构
+
+### 重构后的服务架构
+
+```mermaid
+graph TD
+ subgraph "客户端"
+ FE[Web Frontend / API Client]
+ end
+
+ subgraph "后端服务层"
+ API[API_Service :8000
账号/任务/日志管理]
+ AUTH[Auth_Service :8001
注册/登录/Token刷新]
+ SCHED[Task_Scheduler
Celery Beat]
+ EXEC[Signin_Executor
Celery Worker]
+ end
+
+ subgraph "共享层"
+ SHARED[shared/
ORM Models + DB Session
+ Crypto Utils + Response Format]
+ end
+
+ subgraph "基础设施"
+ MYSQL[(MySQL)]
+ REDIS[(Redis
Cache + Message Queue)]
+ PROXY[Proxy Pool]
+ end
+
+ FE -->|REST API| API
+ FE -->|REST API| AUTH
+ API -->|导入| SHARED
+ AUTH -->|导入| SHARED
+ SCHED -->|导入| SHARED
+ EXEC -->|导入| SHARED
+ SHARED -->|aiomysql| MYSQL
+ SCHED -->|发布任务| REDIS
+ EXEC -->|消费任务| REDIS
+ EXEC -->|获取代理| PROXY
+ EXEC -->|签到请求| WEIBO[Weibo.com]
+
+```
+
+### 关键架构决策
+
+1. **共享模块而非微服务间 RPC**:各服务通过 Python 包导入 `shared/` 模块访问数据库,而非通过 HTTP 调用其他服务查询数据。这简化了部署,减少了网络延迟,适合当前规模。
+2. **API_Service 作为唯一对外网关**:所有账号管理、任务配置、日志查询 API 集中在 `api_service` 中,`auth_service` 仅负责认证。
+3. **Celery 同时承担调度和执行**:`task_scheduler` 运行 Celery Beat(调度),`signin_executor` 运行 Celery Worker(执行),通过 Redis 消息队列解耦。
+4. **Dockerfile 多阶段构建**:保持现有的多阶段 Dockerfile 结构,新增 `shared/` 目录的 COPY 步骤。
+
+### 目录结构(重构后)
+
+```
+backend/
+├── shared/ # 新增:共享模块
+│ ├── __init__.py
+│ ├── models/
+│ │ ├── __init__.py
+│ │ ├── base.py # SQLAlchemy Base + engine + session
+│ │ ├── user.py # User ORM model
+│ │ ├── account.py # Account ORM model
+│ │ ├── task.py # Task ORM model
+│ │ └── signin_log.py # SigninLog ORM model
+│ ├── crypto.py # AES-256-GCM 加密/解密工具
+│ ├── response.py # 统一响应格式工具
+│ └── config.py # 共享配置(DB URL, Redis URL 等)
+├── auth_service/
+│ └── app/
+│ ├── main.py # 重构:使用 shared models
+│ ├── config.py
+│ ├── schemas/
+│ │ └── user.py # 增加 RefreshToken schema
+│ ├── services/
+│ │ └── auth_service.py # 增加 refresh token 逻辑
+│ └── utils/
+│ └── security.py # 增加 refresh token 生成/验证
+├── api_service/
+│ └── app/
+│ ├── __init__.py
+│ ├── main.py # 新增:FastAPI 应用入口
+│ ├── config.py
+│ ├── dependencies.py # JWT 认证依赖
+│ ├── schemas/
+│ │ ├── __init__.py
+│ │ ├── account.py # 账号请求/响应 schema
+│ │ ├── task.py # 任务请求/响应 schema
+│ │ └── signin_log.py # 签到日志响应 schema
+│ └── routers/
+│ ├── __init__.py
+│ ├── accounts.py # 账号 CRUD 路由
+│ ├── tasks.py # 任务 CRUD 路由
+│ └── signin_logs.py # 签到日志查询路由
+├── signin_executor/
+│ └── app/
+│ ├── main.py
+│ ├── config.py
+│ ├── services/
+│ │ ├── signin_service.py # 重构:使用 shared models 查询真实数据
+│ │ └── weibo_client.py # 重构:实现真实加密/解密
+│ └── models/
+│ └── signin_models.py # 保留 Pydantic 请求/响应模型
+├── task_scheduler/
+│ └── app/
+│ ├── celery_app.py # 重构:从 DB 动态加载任务
+│ ├── config.py
+│ └── tasks/
+│ └── signin_tasks.py # 重构:使用真实 DB 查询
+├── Dockerfile # 更新:各阶段 COPY shared/
+└── requirements.txt
+```
+
+## 组件与接口
+
+### 1. shared 模块
+
+#### 1.1 数据库连接管理 (`shared/models/base.py`)
+
+```python
+# 提供异步 engine 和 session factory
+# 所有服务通过 get_db() 获取 AsyncSession
+async def get_db() -> AsyncGenerator[AsyncSession, None]:
+ async with AsyncSessionLocal() as session:
+ try:
+ yield session
+ finally:
+ await session.close()
+```
+
+#### 1.2 加密工具 (`shared/crypto.py`)
+
+```python
+def encrypt_cookie(plaintext: str, key: bytes) -> tuple[str, str]:
+ """AES-256-GCM 加密,返回 (密文base64, iv_base64)"""
+
+def decrypt_cookie(ciphertext_b64: str, iv_b64: str, key: bytes) -> str:
+ """AES-256-GCM 解密,返回原始 Cookie 字符串"""
+```
+
+#### 1.3 统一响应格式 (`shared/response.py`)
+
+```python
+def success_response(data: Any, message: str = "Operation successful") -> dict
+def error_response(message: str, code: str, details: list = None, status_code: int = 400) -> JSONResponse
+```
+
+### 2. Auth_Service 接口
+
+| 方法 | 路径 | 描述 | 需求 |
+|------|------|------|------|
+| POST | `/auth/register` | 用户注册 | 1.1, 1.2, 1.8 |
+| POST | `/auth/login` | 用户登录,返回 access_token + refresh_token | 1.3, 1.4 |
+| POST | `/auth/refresh` | 刷新 Token | 1.5, 1.6 |
+| GET | `/auth/me` | 获取当前用户信息 | 1.7 |
+
+### 3. API_Service 接口
+
+| 方法 | 路径 | 描述 | 需求 |
+|------|------|------|------|
+| POST | `/api/v1/accounts` | 添加微博账号 | 2.1, 2.7, 2.8 |
+| GET | `/api/v1/accounts` | 获取账号列表 | 2.2, 2.8 |
+| GET | `/api/v1/accounts/{id}` | 获取账号详情 | 2.3, 2.6, 2.8 |
+| PUT | `/api/v1/accounts/{id}` | 更新账号信息 | 2.4, 2.6, 2.8 |
+| DELETE | `/api/v1/accounts/{id}` | 删除账号 | 2.5, 2.6, 2.8 |
+| POST | `/api/v1/accounts/{id}/tasks` | 创建签到任务 | 4.1, 4.2, 4.6 |
+| GET | `/api/v1/accounts/{id}/tasks` | 获取任务列表 | 4.3 |
+| PUT | `/api/v1/tasks/{id}` | 启用/禁用任务 | 4.4 |
+| DELETE | `/api/v1/tasks/{id}` | 删除任务 | 4.5 |
+| GET | `/api/v1/accounts/{id}/signin-logs` | 查询签到日志 | 8.1, 8.2, 8.3, 8.4, 8.5 |
+
+### 4. Task_Scheduler 内部接口
+
+Task_Scheduler 不对外暴露 HTTP 接口,通过以下方式工作:
+
+- **启动时**:从 DB 加载 `is_enabled=True` 的任务,注册到 Celery Beat
+- **运行时**:根据 Cron 表达式触发 `execute_signin_task` Celery task
+- **动态更新**:通过 Redis pub/sub 接收任务变更通知,动态更新调度
+
+### 5. Signin_Executor 内部流程
+
+```mermaid
+sequenceDiagram
+ participant Queue as Redis Queue
+ participant Exec as Signin_Executor
+ participant DB as MySQL
+ participant Weibo as Weibo.com
+ participant Proxy as Proxy Pool
+
+ Queue->>Exec: 消费签到任务 (task_id, account_id)
+ Exec->>DB: 查询 Account (by account_id)
+ Exec->>Exec: 解密 Cookie (AES-256-GCM)
+ Exec->>Weibo: 验证 Cookie 有效性
+ alt Cookie 无效
+ Exec->>DB: 更新 account.status = "invalid_cookie"
+ Exec->>DB: 写入失败日志
+ else Cookie 有效
+ Exec->>Weibo: 获取超话列表
+ loop 每个未签到超话
+ Exec->>Proxy: 获取代理 IP
+ Exec->>Exec: 随机延迟 (1-3s)
+ Exec->>Weibo: 执行签到请求
+ Exec->>DB: 写入 signin_log
+ end
+ end
+```
+
+## 数据模型
+
+### ORM 模型定义(shared/models/)
+
+#### User 模型
+
+```python
+class User(Base):
+ __tablename__ = "users"
+ id = Column(String(36), primary_key=True, default=lambda: str(uuid4()))
+ username = Column(String(50), unique=True, nullable=False, index=True)
+ email = Column(String(255), unique=True, nullable=False, index=True)
+ hashed_password = Column(String(255), nullable=False)
+ created_at = Column(DateTime, server_default=func.now())
+ is_active = Column(Boolean, default=True)
+ # Relationships
+ accounts = relationship("Account", back_populates="user", cascade="all, delete-orphan")
+```
+
+#### Account 模型
+
+```python
+class Account(Base):
+ __tablename__ = "accounts"
+ id = Column(String(36), primary_key=True, default=lambda: str(uuid4()))
+ user_id = Column(String(36), ForeignKey("users.id", ondelete="CASCADE"), nullable=False)
+ weibo_user_id = Column(String(20), nullable=False)
+ remark = Column(String(100))
+ encrypted_cookies = Column(Text, nullable=False)
+ iv = Column(String(32), nullable=False)
+ status = Column(String(20), default="pending") # pending, active, invalid_cookie, banned
+ last_checked_at = Column(DateTime, nullable=True)
+ created_at = Column(DateTime, server_default=func.now())
+ # Relationships
+ user = relationship("User", back_populates="accounts")
+ tasks = relationship("Task", back_populates="account", cascade="all, delete-orphan")
+ signin_logs = relationship("SigninLog", back_populates="account")
+```
+
+#### Task 模型
+
+```python
+class Task(Base):
+ __tablename__ = "tasks"
+ id = Column(String(36), primary_key=True, default=lambda: str(uuid4()))
+ account_id = Column(String(36), ForeignKey("accounts.id", ondelete="CASCADE"), nullable=False)
+ cron_expression = Column(String(50), nullable=False)
+ is_enabled = Column(Boolean, default=True)
+ created_at = Column(DateTime, server_default=func.now())
+ # Relationships
+ account = relationship("Account", back_populates="tasks")
+```
+
+#### SigninLog 模型
+
+```python
+class SigninLog(Base):
+ __tablename__ = "signin_logs"
+ id = Column(BigInteger, primary_key=True, autoincrement=True)
+ account_id = Column(String(36), ForeignKey("accounts.id"), nullable=False)
+ topic_title = Column(String(100))
+ status = Column(String(20), nullable=False) # success, failed_already_signed, failed_network, failed_banned
+ reward_info = Column(JSON, nullable=True)
+ error_message = Column(Text, nullable=True)
+ signed_at = Column(DateTime, server_default=func.now())
+ # Relationships
+ account = relationship("Account", back_populates="signin_logs")
+```
+
+### Refresh Token 存储
+
+Refresh Token 使用 Redis 存储,key 格式为 `refresh_token:{token_hash}`,value 为 `user_id`,TTL 为 7 天。这避免了在数据库中增加额外的表,同时利用 Redis 的自动过期机制。
+
+```python
+# 存储
+await redis.setex(f"refresh_token:{token_hash}", 7 * 24 * 3600, user_id)
+
+# 验证
+user_id = await redis.get(f"refresh_token:{token_hash}")
+
+# 刷新时删除旧 token,生成新 token(Token Rotation)
+await redis.delete(f"refresh_token:{old_token_hash}")
+await redis.setex(f"refresh_token:{new_token_hash}", 7 * 24 * 3600, user_id)
+```
+
+## 正确性属性 (Correctness Properties)
+
+*属性(Property)是指在系统所有有效执行中都应成立的特征或行为——本质上是对系统应做什么的形式化陈述。属性是人类可读规格说明与机器可验证正确性保证之间的桥梁。*
+
+### Property 1: Cookie 加密 Round-trip
+
+*For any* 有效的 Cookie 字符串,使用 AES-256-GCM 加密后再用相同密钥和 IV 解密,应产生与原始字符串完全相同的结果。
+
+**Validates: Requirements 3.1, 3.2, 3.3**
+
+### Property 2: 用户注册后可登录获取信息
+
+*For any* 有效的注册信息(用户名、邮箱、符合强度要求的密码),注册后使用相同邮箱和密码登录应成功返回 Token,使用该 Token 调用 `/auth/me` 应返回与注册时一致的用户名和邮箱。
+
+**Validates: Requirements 1.1, 1.3, 1.7**
+
+### Property 3: 用户名/邮箱唯一性约束
+
+*For any* 已注册的用户,使用相同用户名或相同邮箱再次注册应返回 409 Conflict 错误。
+
+**Validates: Requirements 1.2**
+
+### Property 4: 无效凭证登录拒绝
+
+*For any* 不存在的邮箱或错误的密码,登录请求应返回 401 Unauthorized 错误。
+
+**Validates: Requirements 1.4**
+
+### Property 5: Refresh Token 轮换
+
+*For any* 已登录用户的有效 Refresh Token,刷新操作应返回新的 Access Token 和新的 Refresh Token,且旧的 Refresh Token 应失效(再次使用应返回 401)。
+
+**Validates: Requirements 1.5, 1.6**
+
+### Property 6: 弱密码拒绝
+
+*For any* 不满足强度要求的密码(缺少大写字母、小写字母、数字或特殊字符,或长度不足8位),注册请求应返回 400 Bad Request。
+
+**Validates: Requirements 1.8**
+
+### Property 7: 账号创建与列表一致性
+
+*For any* 用户和任意数量的有效微博账号数据,创建 N 个账号后查询列表应返回恰好 N 条记录,每条记录的状态应为 "pending",且响应中不应包含解密后的 Cookie 明文。
+
+**Validates: Requirements 2.1, 2.2, 2.7**
+
+### Property 8: 账号详情 Round-trip
+
+*For any* 已创建的微博账号,通过详情接口查询应返回与创建时一致的备注和微博用户 ID。
+
+**Validates: Requirements 2.3**
+
+### Property 9: 账号更新反映
+
+*For any* 已创建的微博账号和任意新的备注字符串,更新备注后再次查询应返回更新后的值。
+
+**Validates: Requirements 2.4**
+
+### Property 10: 账号删除级联
+
+*For any* 拥有关联 Task 和 SigninLog 的账号,删除该账号后,查询该账号的 Task 列表和 SigninLog 列表应返回空结果。
+
+**Validates: Requirements 2.5**
+
+### Property 11: 跨用户资源隔离
+
+*For any* 两个不同用户 A 和 B,用户 A 尝试访问、修改或删除用户 B 的账号、任务或签到日志时,应返回 403 Forbidden。
+
+**Validates: Requirements 2.6, 4.6, 8.5**
+
+### Property 12: 受保护接口认证要求
+
+*For any* 受保护的 API 端点(账号管理、任务管理、日志查询),不携带 JWT Token 或携带无效 Token 的请求应返回 401 Unauthorized。
+
+**Validates: Requirements 2.8, 8.4, 9.4**
+
+### Property 13: 有效 Cron 表达式创建任务
+
+*For any* 有效的 Cron 表达式和已存在的账号,创建任务应成功,且查询该账号的任务列表应包含新创建的任务。
+
+**Validates: Requirements 4.1, 4.3**
+
+### Property 14: 无效 Cron 表达式拒绝
+
+*For any* 无效的 Cron 表达式字符串,创建任务请求应返回 400 Bad Request。
+
+**Validates: Requirements 4.2**
+
+### Property 15: 任务启用/禁用切换
+
+*For any* 已创建的任务,切换 `is_enabled` 状态后查询应反映新的状态值。
+
+**Validates: Requirements 4.4**
+
+### Property 16: 任务删除
+
+*For any* 已创建的任务,删除后查询该任务应返回 404 或不在列表中出现。
+
+**Validates: Requirements 4.5**
+
+### Property 17: 调度器加载已启用任务
+
+*For any* 数据库中的任务集合,Task_Scheduler 启动时加载的任务数量应等于 `is_enabled=True` 的任务数量。
+
+**Validates: Requirements 5.1**
+
+### Property 18: 分布式锁防重复调度
+
+*For any* 签到任务,同一时刻并发触发两次应只产生一次实际执行。
+
+**Validates: Requirements 5.5**
+
+### Property 19: 签到结果持久化
+
+*For any* 签到执行结果(成功或失败),`signin_logs` 表中应存在对应的记录,且记录的 `account_id`、`status` 和 `topic_title` 与执行结果一致。
+
+**Validates: Requirements 6.1, 6.4**
+
+### Property 20: Cookie 失效时更新账号状态
+
+*For any* Cookie 已失效的账号,执行签到时应将账号状态更新为 "invalid_cookie"。
+
+**Validates: Requirements 6.5, 3.4**
+
+### Property 21: 随机延迟范围
+
+*For any* 调用反爬虫延迟函数的结果,延迟值应在配置的 `[min, max]` 范围内。
+
+**Validates: Requirements 7.1**
+
+### Property 22: User-Agent 来源
+
+*For any* 调用 User-Agent 选择函数的结果,返回的 UA 字符串应属于预定义列表中的某一个。
+
+**Validates: Requirements 7.2**
+
+### Property 23: 签到日志时间倒序
+
+*For any* 包含多条签到日志的账号,查询返回的日志列表应按 `signed_at` 降序排列。
+
+**Validates: Requirements 8.1**
+
+### Property 24: 签到日志分页
+
+*For any* 包含 N 条日志的账号和分页参数 (page, size),返回的记录数应等于 `min(size, N - (page-1)*size)` 且总记录数应等于 N。
+
+**Validates: Requirements 8.2**
+
+### Property 25: 签到日志状态过滤
+
+*For any* 状态过滤参数,返回的所有日志记录的 `status` 字段应与过滤参数一致。
+
+**Validates: Requirements 8.3**
+
+### Property 26: 统一响应格式
+
+*For any* API 调用,成功响应应包含 `success=true` 和 `data` 字段;错误响应应包含 `success=false`、`data=null` 和 `error` 字段。
+
+**Validates: Requirements 9.1, 9.2, 9.3**
+
+## 错误处理
+
+### 错误分类与处理策略
+
+| 错误类型 | HTTP 状态码 | 错误码 | 处理策略 |
+|----------|------------|--------|----------|
+| 请求参数校验失败 | 400 | VALIDATION_ERROR | 返回字段级错误详情 |
+| 未认证 | 401 | UNAUTHORIZED | 返回标准 401 响应 |
+| 权限不足 | 403 | FORBIDDEN | 返回资源不可访问提示 |
+| 资源不存在 | 404 | NOT_FOUND | 返回资源未找到提示 |
+| 资源冲突 | 409 | CONFLICT | 返回冲突字段说明 |
+| 服务器内部错误 | 500 | INTERNAL_ERROR | 记录详细日志,返回通用错误提示 |
+
+### 签到执行错误处理
+
+- **Cookie 解密失败**:标记账号为 `invalid_cookie`,记录错误日志,终止该账号签到
+- **Cookie 验证失败**(微博返回未登录):同上
+- **网络超时/连接错误**:记录 `failed_network` 日志,不更改账号状态(可能是临时问题)
+- **微博返回封禁**:标记账号为 `banned`,记录日志,发送通知
+- **代理池不可用**:降级为直连,记录警告日志
+- **Celery 任务失败**:自动重试最多3次,间隔60秒,最终失败记录日志
+
+### 全局异常处理
+
+所有 FastAPI 服务注册统一的异常处理器:
+
+```python
+@app.exception_handler(HTTPException)
+async def http_exception_handler(request, exc):
+ return error_response(exc.detail, f"HTTP_{exc.status_code}", status_code=exc.status_code)
+
+@app.exception_handler(RequestValidationError)
+async def validation_exception_handler(request, exc):
+ details = [{"field": e["loc"][-1], "message": e["msg"]} for e in exc.errors()]
+ return error_response("Validation failed", "VALIDATION_ERROR", details, 400)
+```
+
+## 测试策略
+
+### 测试框架选择
+
+- **单元测试**:`pytest` + `pytest-asyncio`(异步测试支持)
+- **属性测试**:`hypothesis`(Python 属性测试库)
+- **HTTP 测试**:`httpx` + FastAPI `TestClient`
+- **数据库测试**:使用 SQLite in-memory 或测试专用 MySQL 实例
+
+### 测试分层
+
+#### 1. 单元测试
+- 加密/解密函数的边界情况
+- 密码强度验证的各种组合
+- Cron 表达式验证
+- 响应格式化函数
+- 具体的错误场景(网络超时、解密失败等)
+
+#### 2. 属性测试(Property-Based Testing)
+- 使用 `hypothesis` 库,每个属性测试至少运行 100 次迭代
+- 每个测试用注释标注对应的设计文档属性编号
+- 标注格式:`# Feature: multi-user-signin, Property {N}: {property_text}`
+- 每个正确性属性对应一个独立的属性测试函数
+
+#### 3. 集成测试
+- API 端点的完整请求/响应流程
+- 数据库 CRUD 操作的正确性
+- 服务间通过 Redis 消息队列的交互
+- Celery 任务的调度和执行
+
+### 属性测试配置
+
+```python
+from hypothesis import given, settings, strategies as st
+
+@settings(max_examples=100)
+@given(cookie=st.text(min_size=1, max_size=1000))
+def test_cookie_encryption_roundtrip(cookie):
+ """Feature: multi-user-signin, Property 1: Cookie 加密 Round-trip"""
+ key = generate_test_key()
+ ciphertext, iv = encrypt_cookie(cookie, key)
+ decrypted = decrypt_cookie(ciphertext, iv, key)
+ assert decrypted == cookie
+```
+
+### 测试目录结构
+
+```
+backend/
+├── tests/
+│ ├── conftest.py # 共享 fixtures(DB session, test client 等)
+│ ├── unit/
+│ │ ├── test_crypto.py # 加密/解密单元测试
+│ │ ├── test_password.py # 密码验证单元测试
+│ │ └── test_cron.py # Cron 表达式验证单元测试
+│ ├── property/
+│ │ ├── test_crypto_props.py # Property 1
+│ │ ├── test_auth_props.py # Property 2-6
+│ │ ├── test_account_props.py # Property 7-12
+│ │ ├── test_task_props.py # Property 13-18
+│ │ ├── test_signin_props.py # Property 19-22
+│ │ └── test_log_props.py # Property 23-26
+│ └── integration/
+│ ├── test_auth_flow.py # 完整认证流程
+│ ├── test_account_flow.py # 账号管理流程
+│ └── test_signin_flow.py # 签到执行流程
+```
diff --git a/.kiro/specs/multi-user-signin/requirements.md b/.kiro/specs/multi-user-signin/requirements.md
new file mode 100644
index 0000000..9364151
--- /dev/null
+++ b/.kiro/specs/multi-user-signin/requirements.md
@@ -0,0 +1,138 @@
+# 需求文档:Weibo-HotSign 多用户签到系统
+
+## 简介
+
+Weibo-HotSign 是一个分布式微博超话自动签到系统,采用微服务架构(FastAPI + Celery + MySQL + Redis)。本需求文档覆盖系统的五大核心模块:用户认证(含 Token 刷新)、微博账号管理、定时签到任务配置、签到执行引擎、以及整体架构重构。目标是将当前分散的、含大量 Mock 实现的代码库重构为一个真正可运行的、模块间紧密集成的生产级系统。
+
+## 术语表
+
+- **System**: 指 Weibo-HotSign 后端系统整体
+- **Auth_Service**: 用户认证与授权服务(`backend/auth_service`)
+- **API_Service**: API 网关与账号/任务管理服务(`backend/api_service`)
+- **Task_Scheduler**: 基于 Celery Beat 的定时任务调度服务(`backend/task_scheduler`)
+- **Signin_Executor**: 签到执行 Worker 服务(`backend/signin_executor`)
+- **User**: 使用本系统的注册用户
+- **Weibo_Account**: 用户绑定到系统中的微博账号,以 Cookie 形式存储凭证
+- **Task**: 用户为某个 Weibo_Account 配置的定时签到任务
+- **Cookie**: 微博网站的登录凭证,用于模拟已登录状态
+- **Cron_Expression**: 标准 Cron 表达式,用于定义任务调度时间
+- **Signin_Log**: 每次签到执行的结果记录
+- **JWT**: JSON Web Token,用于用户身份认证
+- **Refresh_Token**: 用于在 Access Token 过期后获取新 Token 的长期凭证
+- **AES-256-GCM**: 对称加密算法,用于加密存储 Cookie
+
+## 需求
+
+### 需求 1:用户认证与 Token 管理
+
+**用户故事:** 作为用户,我希望能够注册、登录并安全地维持会话,以便长期使用系统而无需频繁重新登录。
+
+#### 验收标准
+
+1. WHEN 用户提交有效的注册信息(用户名、邮箱、密码),THE Auth_Service SHALL 创建用户账户并返回用户信息
+2. WHEN 用户提交的用户名或邮箱已存在,THE Auth_Service SHALL 返回 409 Conflict 错误并指明冲突字段
+3. WHEN 用户提交有效的邮箱和密码进行登录,THE Auth_Service SHALL 返回包含 Access Token 和 Refresh Token 的认证响应
+4. WHEN 用户提交无效的邮箱或密码进行登录,THE Auth_Service SHALL 返回 401 Unauthorized 错误
+5. WHEN 用户携带有效的 Refresh Token 请求刷新,THE Auth_Service SHALL 返回新的 Access Token 和新的 Refresh Token
+6. WHEN 用户携带过期或无效的 Refresh Token 请求刷新,THE Auth_Service SHALL 返回 401 Unauthorized 错误
+7. WHEN 用户携带有效的 Access Token 请求 `/auth/me`,THE Auth_Service SHALL 返回当前用户的完整信息
+8. IF 用户密码不满足强度要求(至少8位,含大小写字母、数字和特殊字符),THEN THE Auth_Service SHALL 返回 400 Bad Request 并说明密码强度不足
+
+### 需求 2:微博账号管理
+
+**用户故事:** 作为用户,我希望能够添加、查看、更新和删除我的微博账号,以便集中管理多个微博账号的签到。
+
+#### 验收标准
+
+1. WHEN 用户提交微博 Cookie 和备注信息,THE API_Service SHALL 使用 AES-256-GCM 加密 Cookie 后存储,并返回新创建的账号信息
+2. WHEN 用户请求获取账号列表,THE API_Service SHALL 返回该用户拥有的所有 Weibo_Account(不包含解密后的 Cookie)
+3. WHEN 用户请求获取单个账号详情,THE API_Service SHALL 返回该账号的状态、备注和最近签到信息
+4. WHEN 用户请求更新账号的备注或 Cookie,THE API_Service SHALL 更新对应字段并返回更新后的账号信息
+5. WHEN 用户请求删除一个账号,THE API_Service SHALL 级联删除该账号关联的所有 Task 和 Signin_Log,并返回成功响应
+6. IF 用户尝试操作不属于自己的账号,THEN THE API_Service SHALL 返回 403 Forbidden 错误
+7. WHEN 账号被创建时,THE API_Service SHALL 将账号状态初始化为 "pending"
+8. THE API_Service SHALL 对所有账号管理接口要求有效的 JWT Access Token 认证
+
+### 需求 3:Cookie 加密与验证
+
+**用户故事:** 作为用户,我希望我的微博 Cookie 被安全存储,并且系统能自动检测 Cookie 是否失效,以便我及时更新。
+
+#### 验收标准
+
+1. WHEN 存储 Cookie 时,THE API_Service SHALL 使用 AES-256-GCM 算法加密,并将密文和 IV 分别存储到 `encrypted_cookies` 和 `iv` 字段
+2. WHEN 读取 Cookie 用于签到时,THE Signin_Executor SHALL 使用对应的 IV 解密 Cookie 并还原为原始字符串
+3. FOR ALL 有效的 Cookie 字符串,加密后再解密 SHALL 产生与原始字符串完全相同的结果(Round-trip 属性)
+4. IF 解密过程中发生错误(密钥不匹配、数据损坏),THEN THE System SHALL 将账号状态标记为 "invalid_cookie" 并记录错误日志
+
+### 需求 4:定时签到任务配置
+
+**用户故事:** 作为用户,我希望能够为每个微博账号配置独立的签到时间计划,以便灵活控制签到频率和时间。
+
+#### 验收标准
+
+1. WHEN 用户为某个账号创建签到任务并提供有效的 Cron_Expression,THE API_Service SHALL 创建任务记录并将任务注册到 Task_Scheduler
+2. WHEN 用户提交无效的 Cron_Expression,THE API_Service SHALL 返回 400 Bad Request 并说明表达式格式错误
+3. WHEN 用户请求获取某个账号的任务列表,THE API_Service SHALL 返回该账号关联的所有 Task 及其启用状态
+4. WHEN 用户启用或禁用一个任务,THE API_Service SHALL 更新数据库中的 `is_enabled` 字段,并同步更新 Task_Scheduler 中的调度状态
+5. WHEN 用户删除一个任务,THE API_Service SHALL 从数据库删除任务记录,并从 Task_Scheduler 中移除对应的调度
+6. IF 用户尝试为不属于自己的账号创建任务,THEN THE API_Service SHALL 返回 403 Forbidden 错误
+
+### 需求 5:任务调度引擎
+
+**用户故事:** 作为系统,我需要根据用户配置的 Cron 表达式准时触发签到任务,以确保签到按时执行。
+
+#### 验收标准
+
+1. WHEN Task_Scheduler 启动时,THE Task_Scheduler SHALL 从数据库加载所有 `is_enabled=True` 的任务并注册到 Celery Beat 调度器
+2. WHEN Celery Beat 根据 Cron_Expression 触发一个任务,THE Task_Scheduler SHALL 向消息队列发送包含 `task_id` 和 `account_id` 的签到消息
+3. WHEN 新任务被创建或现有任务被更新,THE Task_Scheduler SHALL 动态更新 Celery Beat 的调度配置而无需重启服务
+4. IF 任务执行失败,THEN THE Task_Scheduler SHALL 按照配置的重试策略(最多3次,间隔60秒)进行重试
+5. WHILE Task_Scheduler 运行中,THE Task_Scheduler SHALL 使用 Redis 分布式锁确保同一任务不会被重复调度
+
+### 需求 6:签到执行引擎
+
+**用户故事:** 作为系统,我需要真正执行微博超话签到操作,并将结果持久化到数据库,以替代当前的 Mock 实现。
+
+#### 验收标准
+
+1. WHEN Signin_Executor 从消息队列接收到签到任务,THE Signin_Executor SHALL 从数据库查询对应的 Weibo_Account 信息(替代 Mock 数据)
+2. WHEN 执行签到前,THE Signin_Executor SHALL 解密 Cookie 并验证其有效性
+3. WHEN Cookie 有效时,THE Signin_Executor SHALL 获取该账号关注的超话列表并逐一执行签到
+4. WHEN 单个超话签到完成后,THE Signin_Executor SHALL 将结果(成功/失败/已签到、奖励信息、错误信息)写入 `signin_logs` 表
+5. IF Cookie 已失效,THEN THE Signin_Executor SHALL 将账号状态更新为 "invalid_cookie" 并终止该账号的签到流程
+6. IF 签到过程中遇到网络错误,THEN THE Signin_Executor SHALL 记录错误日志并将该超话的签到状态标记为 "failed_network"
+
+### 需求 7:反爬虫防护
+
+**用户故事:** 作为系统,我需要在执行签到时采取反爬虫措施,以降低被微博风控系统检测和封禁的风险。
+
+#### 验收标准
+
+1. WHEN 执行签到请求时,THE Signin_Executor SHALL 在每次请求之间插入随机延迟(1-3秒可配置)
+2. WHEN 构造 HTTP 请求时,THE Signin_Executor SHALL 从预定义的 User-Agent 列表中随机选择一个
+3. WHEN 代理池服务可用时,THE Signin_Executor SHALL 为每次签到请求分配一个代理 IP
+4. IF 代理池服务不可用,THEN THE Signin_Executor SHALL 使用直连方式继续执行签到并记录警告日志
+
+### 需求 8:签到日志与查询
+
+**用户故事:** 作为用户,我希望能够查看每个微博账号的签到历史记录,以便了解签到执行情况。
+
+#### 验收标准
+
+1. WHEN 用户请求查看某个账号的签到日志,THE API_Service SHALL 返回按时间倒序排列的 Signin_Log 列表
+2. WHEN 用户请求签到日志时提供分页参数,THE API_Service SHALL 返回对应页码的日志数据和总记录数
+3. WHEN 用户请求签到日志时提供状态过滤参数,THE API_Service SHALL 仅返回匹配该状态的日志记录
+4. THE API_Service SHALL 对签到日志查询接口要求有效的 JWT Access Token 认证
+5. IF 用户尝试查看不属于自己账号的签到日志,THEN THE API_Service SHALL 返回 403 Forbidden 错误
+
+### 需求 9:统一 API 响应格式与错误处理
+
+**用户故事:** 作为 API 消费者,我希望所有接口返回统一格式的响应,以便前端能够一致地处理成功和错误情况。
+
+#### 验收标准
+
+1. THE API_Service SHALL 对所有成功响应返回 `{"success": true, "data": ..., "message": ...}` 格式
+2. THE API_Service SHALL 对所有错误响应返回 `{"success": false, "data": null, "message": ..., "error": {"code": ..., "details": [...]}}` 格式
+3. WHEN 请求参数校验失败,THE API_Service SHALL 返回 400 状态码,并在 `error.details` 中列出每个字段的具体错误
+4. WHEN 未认证用户访问受保护接口,THE API_Service SHALL 返回 401 状态码和标准错误响应
+
diff --git a/.kiro/specs/multi-user-signin/tasks.md b/.kiro/specs/multi-user-signin/tasks.md
new file mode 100644
index 0000000..5b32fe9
--- /dev/null
+++ b/.kiro/specs/multi-user-signin/tasks.md
@@ -0,0 +1,185 @@
+# 实现计划:Weibo-HotSign 多用户签到系统
+
+## 概述
+
+按照自底向上的顺序实现:先构建共享基础层,再逐步实现各微服务。每个阶段包含核心实现和对应的测试任务。
+
+## Tasks
+
+- [x] 1. 创建共享模块 (shared/)
+ - [x] 1.1 创建 `backend/shared/` 包结构和共享配置
+ - 创建 `shared/__init__.py`、`shared/config.py`
+ - 配置项包括 DATABASE_URL、REDIS_URL、JWT_SECRET_KEY、COOKIE_ENCRYPTION_KEY
+ - 使用 pydantic-settings 从环境变量加载
+ - _Requirements: 10.1, 10.2_
+ - [x] 1.2 创建共享 ORM 模型和数据库连接管理
+ - 创建 `shared/models/base.py`:AsyncEngine、AsyncSessionLocal、Base、get_db()
+ - 创建 `shared/models/user.py`:User 模型(含 accounts relationship)
+ - 创建 `shared/models/account.py`:Account 模型(含 tasks、signin_logs relationship)
+ - 创建 `shared/models/task.py`:Task 模型
+ - 创建 `shared/models/signin_log.py`:SigninLog 模型
+ - 所有模型与 `init-db.sql` 中的表结构对齐
+ - _Requirements: 10.1, 10.2, 10.3_
+ - [x] 1.3 实现 Cookie 加密/解密工具 (`shared/crypto.py`)
+ - 使用 pycryptodome 实现 AES-256-GCM 加密/解密
+ - `encrypt_cookie(plaintext, key) -> (ciphertext_b64, iv_b64)`
+ - `decrypt_cookie(ciphertext_b64, iv_b64, key) -> plaintext`
+ - 密钥从环境变量 COOKIE_ENCRYPTION_KEY 派生(使用 SHA-256 哈希为32字节)
+ - _Requirements: 3.1, 3.2, 10.4_
+ - [ ]* 1.4 编写 Cookie 加密 Round-trip 属性测试
+ - **Property 1: Cookie 加密 Round-trip**
+ - 使用 hypothesis 生成随机字符串,验证 encrypt 后 decrypt 还原
+ - **Validates: Requirements 3.1, 3.2, 3.3**
+ - [x] 1.5 实现统一响应格式工具 (`shared/response.py`)
+ - `success_response(data, message)` 返回标准成功格式
+ - `error_response(message, code, details, status_code)` 返回标准错误格式
+ - _Requirements: 9.1, 9.2_
+
+- [x] 2. 重构 Auth_Service(Token 刷新机制)
+ - [x] 2.1 重构 Auth_Service 使用 shared 模块
+ - 修改 `auth_service/app/main.py` 导入 shared models 和 get_db
+ - 删除 `auth_service/app/models/database.py` 中的重复 User 模型定义
+ - 更新 `auth_service/app/services/auth_service.py` 使用 shared User 模型
+ - _Requirements: 10.3_
+ - [x] 2.2 实现 Refresh Token 机制
+ - 在 `auth_service/app/utils/security.py` 中添加 `create_refresh_token()` 和 `verify_refresh_token()`
+ - Refresh Token 使用 Redis 存储(key: `refresh_token:{hash}`, value: `user_id`, TTL: 7天)
+ - 登录接口返回 access_token + refresh_token
+ - 实现 `/auth/refresh` 端点:验证旧 token → 删除旧 token → 生成新 token 对(Token Rotation)
+ - 更新 `auth_service/app/schemas/user.py` 添加 RefreshToken 相关 schema
+ - _Requirements: 1.3, 1.5, 1.6_
+ - [x] 2.3 为 Auth_Service 所有响应应用统一格式
+ - 注册、登录、刷新、获取用户信息接口使用 `shared/response.py` 格式化响应
+ - 注册全局异常处理器(HTTPException、RequestValidationError)
+ - _Requirements: 9.1, 9.2, 9.3, 9.4_
+ - [ ]* 2.4 编写认证流程属性测试
+ - **Property 2: 用户注册后可登录获取信息**
+ - **Property 3: 用户名/邮箱唯一性约束**
+ - **Property 4: 无效凭证登录拒绝**
+ - **Property 5: Refresh Token 轮换**
+ - **Property 6: 弱密码拒绝**
+ - **Validates: Requirements 1.1-1.8**
+
+- [x] 3. Checkpoint - 确保共享模块和认证服务测试通过
+ - 运行所有测试,确认 shared 模块和 auth_service 工作正常
+ - 如有问题请向用户确认
+
+- [x] 4. 实现 API_Service(账号管理)
+ - [x] 4.1 创建 API_Service 基础结构
+ - 创建 `api_service/app/__init__.py`、`main.py`、`config.py`、`dependencies.py`
+ - `main.py`:FastAPI 应用,注册 CORS、全局异常处理器、路由
+ - `dependencies.py`:JWT 认证依赖(`get_current_user`),复用 shared 的 JWT 验证逻辑
+ - _Requirements: 2.8, 9.1, 9.2, 9.3, 9.4_
+ - [x] 4.2 实现微博账号 CRUD 路由
+ - 创建 `api_service/app/schemas/account.py`:AccountCreate、AccountUpdate、AccountResponse
+ - 创建 `api_service/app/routers/accounts.py`:
+ - `POST /api/v1/accounts`:加密 Cookie 后存储,状态初始化为 "pending"
+ - `GET /api/v1/accounts`:返回当前用户的账号列表(不含 Cookie 明文)
+ - `GET /api/v1/accounts/{id}`:返回账号详情
+ - `PUT /api/v1/accounts/{id}`:更新备注或 Cookie(更新 Cookie 时重新加密)
+ - `DELETE /api/v1/accounts/{id}`:删除账号(级联删除 tasks 和 logs)
+ - 所有接口验证资源归属(user_id 匹配)
+ - _Requirements: 2.1-2.8_
+ - [ ]* 4.3 编写账号管理属性测试
+ - **Property 7: 账号创建与列表一致性**
+ - **Property 8: 账号详情 Round-trip**
+ - **Property 9: 账号更新反映**
+ - **Property 10: 账号删除级联**
+ - **Property 11: 跨用户资源隔离**
+ - **Property 12: 受保护接口认证要求**
+ - **Validates: Requirements 2.1-2.8, 4.6, 8.5, 8.4, 9.4**
+
+- [-] 5. 实现 API_Service(任务配置)
+ - [x] 5.1 实现签到任务 CRUD 路由
+ - 创建 `api_service/app/schemas/task.py`:TaskCreate、TaskUpdate、TaskResponse
+ - 创建 `api_service/app/routers/tasks.py`:
+ - `POST /api/v1/accounts/{id}/tasks`:验证 Cron 表达式有效性,创建任务
+ - `GET /api/v1/accounts/{id}/tasks`:获取账号的任务列表
+ - `PUT /api/v1/tasks/{id}`:更新任务(启用/禁用)
+ - `DELETE /api/v1/tasks/{id}`:删除任务
+ - 使用 `croniter` 库验证 Cron 表达式
+ - 任务创建/更新/删除时通过 Redis pub/sub 通知 Task_Scheduler
+ - _Requirements: 4.1-4.6_
+ - [ ]* 5.2 编写任务配置属性测试
+ - **Property 13: 有效 Cron 表达式创建任务**
+ - **Property 14: 无效 Cron 表达式拒绝**
+ - **Property 15: 任务启用/禁用切换**
+ - **Property 16: 任务删除**
+ - **Validates: Requirements 4.1-4.6**
+
+- [x] 6. 实现 API_Service(签到日志查询)
+ - [x] 6.1 实现签到日志查询路由
+ - 创建 `api_service/app/schemas/signin_log.py`:SigninLogResponse、PaginatedResponse
+ - 创建 `api_service/app/routers/signin_logs.py`:
+ - `GET /api/v1/accounts/{id}/signin-logs`:支持分页(page, size)和状态过滤(status)
+ - 返回按 `signed_at` 降序排列的日志
+ - 返回总记录数用于前端分页
+ - 验证账号归属权限
+ - _Requirements: 8.1-8.5_
+ - [ ]* 6.2 编写签到日志查询属性测试
+ - **Property 23: 签到日志时间倒序**
+ - **Property 24: 签到日志分页**
+ - **Property 25: 签到日志状态过滤**
+ - **Validates: Requirements 8.1-8.3**
+
+- [ ] 7. Checkpoint - 确保 API_Service 所有测试通过
+ - 运行所有测试,确认账号管理、任务配置、日志查询功能正常
+ - 如有问题请向用户确认
+
+- [ ] 8. 重构 Task_Scheduler(真实数据库交互)
+ - [ ] 8.1 重构 Task_Scheduler 使用 shared 模块
+ - 修改 `task_scheduler/app/celery_app.py` 导入 shared models
+ - 实现 `load_scheduled_tasks()`:从 DB 查询 `is_enabled=True` 的 Task,动态注册到 Celery Beat
+ - 实现 Redis pub/sub 监听:接收任务变更通知,动态更新调度
+ - 替换 `signin_tasks.py` 中的 mock 账号列表为真实 DB 查询
+ - _Requirements: 5.1, 5.2, 5.3_
+ - [ ] 8.2 实现分布式锁和重试机制
+ - 使用 Redis SETNX 实现分布式锁,防止同一任务重复调度
+ - 配置 Celery 任务重试:`max_retries=3`、`default_retry_delay=60`
+ - _Requirements: 5.4, 5.5_
+ - [ ]* 8.3 编写调度器属性测试
+ - **Property 17: 调度器加载已启用任务**
+ - **Property 18: 分布式锁防重复调度**
+ - **Validates: Requirements 5.1, 5.5**
+
+- [ ] 9. 重构 Signin_Executor(真实数据库交互)
+ - [ ] 9.1 重构 Signin_Executor 使用 shared 模块
+ - 修改 `signin_service.py` 中的 `_get_account_info()` 从 DB 查询真实 Account 数据
+ - 修改 `weibo_client.py` 中的 `_decrypt_cookies()` 使用 `shared/crypto.py`
+ - 实现签到结果写入 `signin_logs` 表(替代 mock)
+ - 实现 Cookie 失效时更新 `account.status = "invalid_cookie"`
+ - _Requirements: 6.1, 6.2, 6.4, 6.5_
+ - [ ] 9.2 实现反爬虫防护模块
+ - 实现随机延迟函数:返回 `[min, max]` 范围内的随机值
+ - 实现 User-Agent 轮换:从预定义列表中随机选择
+ - 实现代理池集成:调用 proxy pool 服务获取代理,不可用时降级为直连
+ - _Requirements: 7.1, 7.2, 7.3, 7.4_
+ - [ ]* 9.3 编写签到执行属性测试
+ - **Property 19: 签到结果持久化**
+ - **Property 20: Cookie 失效时更新账号状态**
+ - **Property 21: 随机延迟范围**
+ - **Property 22: User-Agent 来源**
+ - **Validates: Requirements 6.1, 6.4, 6.5, 7.1, 7.2**
+
+- [ ] 10. 更新 Dockerfile 和集成配置
+ - [ ] 10.1 更新 `backend/Dockerfile`
+ - 在每个构建阶段添加 `COPY shared/ ./shared/`
+ - 确保 shared 模块在所有服务容器中可用
+ - _Requirements: 10.1, 10.3_
+ - [ ] 10.2 更新 `backend/requirements.txt`
+ - 添加 `croniter`(Cron 表达式解析)
+ - 添加 `hypothesis`(属性测试)
+ - 添加 `pytest`、`pytest-asyncio`(测试框架)
+ - 确认 `pycryptodome`、`redis`、`celery` 等已存在
+
+- [ ] 11. 最终 Checkpoint - 全量测试
+ - 运行所有单元测试和属性测试
+ - 验证各服务可独立启动
+ - 如有问题请向用户确认
+
+## 备注
+
+- 标记 `*` 的任务为可选测试任务,可跳过以加快 MVP 进度
+- 每个任务引用了具体的需求编号以确保可追溯性
+- 属性测试使用 `hypothesis` 库,每个测试至少运行 100 次迭代
+- Checkpoint 任务用于阶段性验证,确保增量开发的正确性
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..6febbcd
--- /dev/null
+++ b/README.md
@@ -0,0 +1,187 @@
+# Weibo-HotSign - 微博超话智能签到系统
+
+基于开发文档实现的分布式微博超话智能签到系统,具备多账户管理、高稳定性反爬虫、Web可视化管理等核心功能。
+
+## 🏗️ 项目架构
+
+本项目采用微服务架构,包含以下核心服务:
+
+- **认证服务** (auth_service) - 用户注册、登录、JWT认证
+- **API网关** (api_service) - 统一API入口和路由
+- **任务调度** (task_scheduler) - 基于Celery Beat的定时任务
+- **签到执行** (signin_executor) - 核心签到业务逻辑
+- **浏览器自动化** (browser_automation_service) - 处理复杂JS加密
+- **通知中心** (notification_hub) - 多渠道通知分发
+- **前端应用** (frontend) - React可视化界面
+
+## 🚀 快速启动
+
+### 环境要求
+- Docker & Docker Compose
+- Python 3.11+
+- Node.js 18+
+
+### 启动步骤
+
+1. **克隆项目**
+ ```bash
+ cd d:/code/weibo
+ ```
+
+2. **启动所有服务**
+ ```bash
+ docker-compose up -d
+ ```
+
+3. **查看服务状态**
+ ```bash
+ docker-compose ps
+ ```
+
+4. **访问服务**
+ - 前端界面: http://localhost:3000
+ - API文档: http://localhost:8000/docs
+ - 认证服务: http://localhost:8001/docs
+ - 健康检查: http://localhost:8000/health
+
+## 📋 已实现功能
+
+### ✅ 认证服务 (auth_service)
+- [x] 用户注册 (`POST /auth/register`)
+- [x] 用户登录 (`POST /auth/login`)
+- [x] JWT Token生成和验证
+- [x] 密码强度验证和bcrypt哈希
+- [x] CORS跨域支持
+- [x] 数据库连接管理
+- [x] 完整的错误处理和日志记录
+
+### ✅ 任务调度服务 (task_scheduler)
+- [x] Celery Beat定时任务调度
+- [x] Cron表达式解析和动态任务加载
+- [x] 任务队列管理 (Redis)
+- [x] 任务重试和错误处理
+- [x] 调用签到执行服务
+
+### ✅ 签到执行服务 (signin_executor)
+- [x] 微博超话签到核心逻辑
+- [x] 动态IP代理池集成 (模拟)
+- [x] 浏览器指纹模拟 (模拟)
+- [x] Cookie管理和验证 (模拟)
+- [x] 完整的签到工作流和状态管理
+- [x] 反爬虫保护机制 (随机延迟)
+
+### ✅ 基础设施
+- [x] Docker容器化配置
+- [x] PostgreSQL数据库初始化
+- [x] Redis缓存配置
+- [x] Nginx反向代理配置
+- [x] 微服务网络通信
+
+### 🔄 待实现功能
+
+#### API网关服务 (api_service)
+- 请求路由和负载均衡
+- API组合和聚合
+- 速率限制和熔断
+
+#### 浏览器自动化服务 (browser_automation_service)
+- Playwright无头浏览器
+- JS加密参数逆向
+- 网络请求拦截和提取
+
+#### 前端React应用 (frontend)
+- 用户登录注册界面
+- 账号管理面板
+- 任务配置界面
+- 签到日志查看
+- 实时状态监控
+
+#### 通知中心服务 (notification_hub)
+- 多渠道通知分发 (Server酱, Email等)
+
+## 🛠️ 技术栈
+
+### 后端
+- **Web框架**: FastAPI (Python)
+- **数据库**: PostgreSQL + SQLAlchemy
+- **缓存**: Redis
+- **任务队列**: Celery + Redis
+- **认证**: JWT + bcrypt
+- **浏览器自动化**: Playwright
+
+### 前端
+- **框架**: React 18 + Vite
+- **状态管理**: Zustand
+- **UI库**: Ant Design
+- **HTTP客户端**: Axios
+
+### 基础设施
+- **容器化**: Docker + Docker Compose
+- **反向代理**: Nginx
+- **监控**: Prometheus + Grafana
+- **日志**: ELK Stack
+
+## 📊 数据库设计
+
+系统包含以下核心数据表:
+
+- `users` - 用户信息
+- `accounts` - 微博账号管理
+- `tasks` - 签到任务配置
+- `signin_logs` - 签到历史记录
+
+详细表结构见 `init-db.sql`
+
+## 🔧 配置说明
+
+### 环境变量
+主要配置通过环境变量设置:
+
+```bash
+# 数据库
+DATABASE_URL=postgresql+asyncpg://user:pass@postgres:5432/dbname
+REDIS_URL=redis://redis:6379
+
+# JWT
+JWT_SECRET_KEY=your-super-secret-jwt-key
+JWT_EXPIRATION_HOURS=24
+
+# 应用
+DEBUG=true
+HOST=0.0.0.0
+PORT=8000
+```
+
+## 📝 API规范
+
+遵循RESTful设计规范:
+
+- **协议**: HTTPS
+- **数据格式**: JSON
+- **认证**: Bearer Token (JWT)
+- **版本控制**: URL路径 (`/api/v1/`)
+- **通用响应结构**:
+ ```json
+ {
+ "success": true,
+ "data": {...},
+ "message": "Operation successful",
+ "error": null
+ }
+ ```
+
+## 🤝 贡献指南
+
+1. Fork项目
+2. 创建特性分支
+3. 提交代码变更
+4. 推送到分支
+5. 创建Pull Request
+
+## 📄 许可证
+
+MIT License
+
+## 🙏 致谢
+
+感谢开发文档提供的详细技术规范和架构指导,本实现严格遵循文档中的各项技术要求。
diff --git a/backend/Dockerfile b/backend/Dockerfile
new file mode 100644
index 0000000..ac2e1e2
--- /dev/null
+++ b/backend/Dockerfile
@@ -0,0 +1,91 @@
+# Base stage for all Python services
+FROM python:3.11-slim AS base
+
+# Set working directory
+WORKDIR /app
+
+# Install common system dependencies for MySQL
+RUN apt-get update && apt-get install -y \
+ gcc \
+ default-libmysqlclient-dev \
+ && rm -rf /var/lib/apt/lists/*
+
+# Copy and install unified requirements
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Create non-root user for security
+RUN groupadd -r appuser && useradd -r -g appuser appuser
+
+
+# --- API Gateway Service Stage ---
+FROM base AS api_gateway
+
+# Copy application code
+COPY api_service/app/ ./app/
+
+# Switch to non-root user
+USER appuser
+
+# Expose port
+EXPOSE 8000
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \
+ CMD curl -f http://localhost:8000/health || exit 1
+
+# Start application
+CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]
+
+
+# --- Auth Service Stage ---
+FROM base AS auth_service
+
+# Copy application code
+COPY auth_service/app/ ./app/
+
+# Switch to non-root user
+USER appuser
+
+# Expose port
+EXPOSE 8000
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \
+ CMD curl -f http://localhost:8000/health || exit 1
+
+# Start application
+CMD ["python", "-m", "app.main"]
+
+
+# --- Task Scheduler Service Stage ---
+FROM base AS task_scheduler
+
+# Copy application code
+COPY task_scheduler/app/ ./app/
+
+# Switch to non-root user
+USER appuser
+
+# Start Celery Beat scheduler
+CMD ["celery", "-A", "app.celery_app", "beat", "--loglevel=info"]
+
+
+# --- Sign-in Executor Service Stage ---
+FROM base AS signin_executor
+
+# Copy application code
+COPY signin_executor/app/ ./app/
+
+# Switch to non-root user
+USER appuser
+
+# Expose port
+EXPOSE 8000
+
+# Health check
+HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \
+ CMD curl -f http://localhost:8000/health || exit 1
+
+# Start application
+CMD ["python", "-m", "app.main"]
diff --git a/backend/api_service/__init__.py b/backend/api_service/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/backend/api_service/__pycache__/__init__.cpython-311.pyc b/backend/api_service/__pycache__/__init__.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..24d46597345ae7f5850cf4695c7e1ddeafbf3849
GIT binary patch
literal 154
zcmZ3^%ge<81R+uDGC}lX5CH>>P{wCAAY(d13PUi1CZpdS7kQetv;YF2X#0(Sz0NYt3OaK4?
literal 0
HcmV?d00001
diff --git a/backend/api_service/app/__init__.py b/backend/api_service/app/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/backend/api_service/app/__pycache__/__init__.cpython-311.pyc b/backend/api_service/app/__pycache__/__init__.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..fd18599ebe87f269af9e3d1fe3ec40185099e577
GIT binary patch
literal 158
zcmZ3^%ge<81ffyuGC}lX5CH>>P{wCAAY(d13PUi1CZpdS7kQetv;YFyY
z#Za=Up@wtW?a69}7Sa(nmhClqLptilvk4=SO&ZB?uDE^KexqMNA|lE?@N~cB9~lF%
zCX<1C0<6N@Xs{-dMCaOyh*hHE9-?85Bv+z1_F=>r#J%$<6)zHPe$}D`>zL$;hlyu9
z#Mf7HRG+*&qt6q%;n+l{xk5nvw04>1HXIBBZ@;^6dfD|+;>!$?PJLzwE_B`=@um4xU#I$T1q|G3=PCOQ~+t!!}(osr+0`+XMnO6RR3P88ueFBL`myiIb9_-~Ep%Pl#
zn|0>@hFB8IM}r7A(r5v<)og2Wi^AfM(mk+!f6wa&LP^}-r`M812+Ie2NF~YtKRzN|
zd(jXoZSMvyf0lvcchQx8*)kB
zjf%fou3
zjC4SV-UNis>rkJ&@{aC!Q0ksd(zC_k8E=ED>Hs^knRhrI!^(sLjx_*b@~UM~OajYs
zndBFii-%fTp{Sm>w%nYBi;2*KmkR*J1rHaGhI6QQm<77y1JW%!a5f-LoJvx@dCGT3
zc_C6>3G5Jun|Wq*%v_wETwHi-?#hfYonaDSi78|guo@7`PnGi2vdHySLJ1Qc%m#eh
zaxH4+JYwdk>A{x`G_9R6XXh5o3v-LJ8P?hZHXiScS;ynL~yB+54*CyqWI9;ptW
zsSTd4N2H|oCxYQGKGc!aqt!v}@Mr6vuHSueC!tppI_Sj)>PU`g`&3{057nW=cgDXQ
z|90iOg|FRj+(#p$4@X9S9s1?SgNqNx&hLz5sw0`5!RhMYbR~YUmoL;}{f}ZNAI47Z
z#7Rtf+ynjISBsXvzhNtQT
z*etl@98JTNU+n%rFw`YM5bB~N$Z)tYXh?XYf+n8bYiPRCt=G^imCjy6&sRG8E;?1|
z)@$g^N@w4V9r}3ulZo3CWwoxNv9mv`4~BO}r>dh
literal 0
HcmV?d00001
diff --git a/backend/api_service/app/__pycache__/main.cpython-311.pyc b/backend/api_service/app/__pycache__/main.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..d7fb92daed318327a74455cc509e0bd4a4d4dc1d
GIT binary patch
literal 3373
zcmbUjU2NON`ACYQELpNFIa2Ky9Rnv>95}M-E6?SHPMo4
zlE87vOjvSF4(ACoX(=@&oXcj)8mOhidD6^SgS9~`Tg!&HV&<%&+K`p6<*nh`uz*BF
zM4Z9{IE^#U2DcLkJ%tgqT7eXv6nogwFHvw7=Ncj&!uf{4$Ft#W8E9cdO+Y|9(!-8^
zNqSp=lQ5!&3q-<2l3q*Tkw=MbSbW;sLbWq5Z$$gCySjpa6S-CU+o=)0aC}5a(I=W6Ar%s8}
zwp$KiIl`%9d{SbmuB;A|xr7eOM6%VnYzLz+HO7JbTBTa4uFKQd)}8g_G$k;ZOaL3h
zH3?Jh5$b>#EXDWh9cr?H@Ccu-pJ}>o`}*{>Y3rKVv>o^Q>(y#?y?A2zT6Kj9mw|0o
zGfn$`-KIvvXgO>+LUmvX)-^QK>7B5M+q7|vHi?Eo5~k3|rc5I5={l5>xbZao0LK0T
zfbSy#ii{g4Btj2`cVi3-fW@@GLBAD`;?Klw2@)1Y)F7m!1txQ^)WJO&$JN}9Q`c=w
zCM7xmhgcF5S2IjH4#=cPdHzuz#16kiRS&M*yuQlMuiocDx%!T#-z6=)s@SyZ-!0jAo`wam9g5L)EXJ*t-Wj;*%sdJms){vJv
z2i+ejZ!HE&VlcUf0KDKJKnXdy4|J%{YDriKt=5D|WHl^20&6`1{ABA-)|HiDzKjAZZ9Z(F4y1
zvw?&r&Oe#|-6gN^#^$-r`K?PI&umR?PJK4;XYH@@Uz%QO5qco?NJ3(&0=M}n`$2EV!!N!~aNuj|pKXukm
zjrsX9L~Jl1^LPdDf`b6baxzr(K$zBndEDYe=Y~C*==@&=mOg>N+lK6W8mBprgaw)f
z8kz&Zjnd6Mng@Kn(0v|M!%=Cc1$DjgsX$Zw{3Hh|2Rs^Bg4(uAuflW=hI0`>FB#AJ
zBh!C+(@Wii?x)80WQnT-0Q}ZfXI+_wVrII{KBf2{ln-F+UjlHtQijm~07i8w8I>cZ
zL`)x0UK@@}JQ!`(^(N8p(l_7)k4J~6ODy@vKYsGS8-HylGqanS@e(tk!V8n*OsUtQ
z_Sfr7S%WtdY8K`3LAk`N&|Rv;#mb@FKdju_u;Qn!qTAG=yx_1A;6qK~y5uM!|BJ{<
z%e}3>XOIm!O?V!0rS}F#o(ZdO`A8kDKpm}6yW_%RLHWN?n&DuOvzB0w(Vg2x+K@8&Z%*LgEWl_#74dM8Pj!_NL~%!gu`Am|rYyUI;;uK|*m4B?TY?
z5QLzFMEMJ$^tn*-%2#%T%C1leL|I7w;p>pwLejgo5PlEAo`l5d-YK~D6!Nr?{7eZD
ze7qYg;r9?6lEZfJYAp5UwXJXMpov{H;h_m1Ns%s_SGQ(&kh+Uh52=T%-`p);*g+R}
z(M1nk1Q&_&FU!9u|El=&@kir User:
+ """Validate JWT and return the current User ORM instance."""
+ payload = decode_access_token(credentials.credentials)
+ if payload is None:
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail="Invalid or expired token",
+ )
+
+ user_id = payload.get("sub")
+ if not user_id:
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail="Invalid token payload",
+ )
+
+ result = await db.execute(select(User).where(User.id == user_id))
+ user = result.scalar_one_or_none()
+
+ if user is None:
+ raise HTTPException(
+ status_code=status.HTTP_404_NOT_FOUND,
+ detail="User not found",
+ )
+ if not user.is_active:
+ raise HTTPException(
+ status_code=status.HTTP_403_FORBIDDEN,
+ detail="User account is deactivated",
+ )
+
+ return user
diff --git a/backend/api_service/app/main.py b/backend/api_service/app/main.py
new file mode 100644
index 0000000..489a5b3
--- /dev/null
+++ b/backend/api_service/app/main.py
@@ -0,0 +1,75 @@
+"""
+Weibo-HotSign API Service
+Main FastAPI application entry point — account management, task config, signin logs.
+"""
+
+from fastapi import FastAPI, Request
+from fastapi.exceptions import RequestValidationError
+from fastapi.middleware.cors import CORSMiddleware
+from starlette.exceptions import HTTPException as StarletteHTTPException
+
+from shared.response import success_response, error_response
+from api_service.app.routers import accounts, tasks, signin_logs
+
+app = FastAPI(
+ title="Weibo-HotSign API Service",
+ version="1.0.0",
+ docs_url="/docs",
+ redoc_url="/redoc",
+)
+
+# CORS
+app.add_middleware(
+ CORSMiddleware,
+ allow_origins=["http://localhost:3000", "http://localhost:80"],
+ allow_credentials=True,
+ allow_methods=["*"],
+ allow_headers=["*"],
+)
+
+
+# ---- Global exception handlers (unified response format) ----
+
+@app.exception_handler(StarletteHTTPException)
+async def http_exception_handler(request: Request, exc: StarletteHTTPException):
+ return error_response(
+ exc.detail,
+ f"HTTP_{exc.status_code}",
+ status_code=exc.status_code,
+ )
+
+
+@app.exception_handler(RequestValidationError)
+async def validation_exception_handler(request: Request, exc: RequestValidationError):
+ details = [
+ {"field": e["loc"][-1] if e["loc"] else "unknown", "message": e["msg"]}
+ for e in exc.errors()
+ ]
+ return error_response(
+ "Validation failed",
+ "VALIDATION_ERROR",
+ details=details,
+ status_code=400,
+ )
+
+
+# ---- Routers ----
+
+app.include_router(accounts.router)
+app.include_router(tasks.router)
+app.include_router(signin_logs.router)
+
+
+# ---- Health / root ----
+
+@app.get("/")
+async def root():
+ return success_response(
+ {"service": "Weibo-HotSign API Service", "version": "1.0.0"},
+ "Service is running",
+ )
+
+
+@app.get("/health")
+async def health_check():
+ return success_response({"status": "healthy"})
diff --git a/backend/api_service/app/routers/__init__.py b/backend/api_service/app/routers/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/backend/api_service/app/routers/__pycache__/__init__.cpython-311.pyc b/backend/api_service/app/routers/__pycache__/__init__.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..c9ee81f7ec719f687a862a4e5f1d5f1e6894c2fc
GIT binary patch
literal 166
zcmZ3^%ge<81YuF@GC}lX5CH>>P{wCAAY(d13PUi1CZpdS7kQetv;YFfrpQX*)@M=JHJ%11u>IcrVCY9u72DpLEmi1sI6J@?M;?9AGb()8}k
z*>mqb_ntZDp2xlS4}pLmLHTXuPl<1W2>qQ@Duwny<;gJ)p&Lj-5hO7Zn`BaKgiUb~
zF2zUqlq=$5NIREwr#ul4#rdQ+<%{?z?n?SoLPVgrJ6V?sL;@)>BBp|oAZ_y`>r)Mp
zhE!vuG1U}lqHW$}bE+lMLUCWRHPserOKpj4p>=<n0
zOC2k&+dzJ|G6+Ss!xx0Dstu9aoO3+~&$65#d*=pzJD$p~>wo5F(=Eu@y@BUTz;mZf
zGz*n}9M5*S+tRI9>e;~er@(i>VrD~rB;SgD-BRxco`X{81Pb>p$^O%F;#?*)5|3x*
z(`x9@^r_Jh&djSa9`KJOlOZ`RWiyGis)Vro{(J(YULj>|x%WabHyxtNx*GMC5>`2R_S3iF0<q%5fF2x)EhD9X}x}3Q&-`*^@{oGchU58SYtGjY{VXPgx3sKc&bR
zIz%}g$BS7t8qZ`dBxFOBWJldE$vCkfM=!{WFl|toi(y%cDzd63(z8mKHR_f5cpUgf
zL8@#ft-usA#u;qYVOTxk9-qe;6cU{`83)Q=atO;YRW>TsQ(1{rgXP}o@}x`kgRyL4
zaN*^_n7Is!;jLis5$-IOXA+kTUX9Hvh8xT3JWj`Lc7h--()Y;_AUBX|c{@U?6?qUk
zZ{bcK0!v^f!yJadi*P*vqvg=l)Wp%T=-A|;>35HxJUTTQofv!fOY{Uf(f9jCUq2Ji
zNb;GB#CFb{i^VU%Ql0@BKzDc{5tjkao-xfxIa3j3AiHP;qva)ml_YA%A(*foUZn{@
z9z7IVex1=<-zW&fx-hKq!?*|94NrNFxJ|OE)YCxXl={3ymqSij*DM{tAgf5sJ=RGF
zI^iY_{=7mhj!%KOprKY6VTh!Xj4s5I3A&tqvo6i2vS9}I0f|D`hj1^Uu8)?#J*sA+
zQX;Nm60f@n)iwY`b217}teyjUP94;IGV+kPM#K
znZZiu;$-P7#SO@Z@IE;U{3j3tO3ATnm0ricY8$8W)h?$J)@)Q&8aw@YYitf(psIDw
z;H-TJ3Hk%>9dv{H1;5PYxHVUG)+**qJ2e(MD)7k>Jzl`RL7_|0Yo<8Up#aadO4a}fJN<%OYPZ~-F9%wi~^hR(^!3`CKT
znh8O$43#59h^*Ye(IpU@>YG?*xuLPbhn86Ril_VQ(NmgTtDB{@zav}ZKtg@u3qbw>zdS0{q2|^bum9@xFJ^v!`Zt+dnFl?4)_eB+`N&t}
zU+-8SI#%d;Tkmz+Q%(^sMT+n^>!3SvYTBbql-6dLoBrkg=5#AFv>
z@aHnpqQk$4tx^A)v;4~*YHRG4v-?=i7JPFxc6tWRXT*6l7QEuir3OHmQUHo)Xwf4rM6UQ
z)wU{LJ4&k24R{(qX?Vz10a9|639l`pCI0O_YLK$eAg3l!5~MDuGbXBh*6-S8^k05F~9-*rgn
zDEK>de`o&C!^nMo!@rtymPwHwO8-jtG)VGK{%=lM>YN^^{Kc$=MqDuPPEf<
zq8zgZjT?*If$T}gX~xf&q^hp;U!^O{@RwO|7R$-(-|BRh&0Wt)v&^Z)e#%8+R#1)`
zt#LYubtW^qA8~AdNK7D`rY9s?-9WP_hu&*gX6z9u$2e8>8GEhq1j1zV0a1>cFKe&^
zy9_3#kTois<@f&KWI|EF=CcQu`UqMvP-S2^nSuPG8~~(3@(zqth<)dg<{dPjwT5qf
z?Kk@hzAoL@WwlakSZXY%K60c`aY9~ztmeby1XRsvc#u?yvr~UGJZ4r?z#WrG>V09p
z>T`H6AtYf%;Q>_rE8zHe{5EtRBUHBllyi~4oQocM#a~|hICw4iz}vm5
zS8eM(uNA!ebnm{$9NP>|1fYai@#!Fcxa3Clt)Kqq8@xP
z|JFmHvq+V+HV0}ccn5XwVA0$4*u~Ys>;OuLbGc1L1qMGTZ!I9oEjv;XS$yh6X+X@a
zo@3!rj>)mNVViRoUbEN(GFYJ14rc@_y+D%SoF*eN8|;v^?Ov)Y$k9w+4UAv%H9H40
z1UlD8Ap3=~jQBWw=X>xfBnn!=ucd!&>Hg4P8Vk+Cdh@U*);{?opi)Ql87~MEx-g;f
z6K3=wEGxy*8`0LLdSgKYPuCj{i5W(k;9mCR+`z|Lubc;JR#buw^`?p6$~lz5
zAf=ppP41TYkyB&>UZnt_Y^$an}}^rk1SXCE6BU4
zEBrtRfrMxoJWOGg+7RM29T;V~hBX9`XBny8fh0IXI$Z-&BZMT&sNifatB_K7YEp2Mdi)Z^&89jJPVbMb
zvGGiLCNXPXCzWs31}e8`rUy5Y$+~Q}MgwqbG$7G?LDFaGhIJVU7@)gST#83{Fw8X&QVsqo_tbJ@xM1^>Xyk^w`MBu~AI&
zkHJA|q8kR9mkcgDuVNA+@JRxQfzW*vT^t%vzV{A;zUGti0ZhUOaSf#a3smA5hAFWe
z!$WEZ;77~>4efvSQ$*dG^C_Z1&G{5jzvg@%ISDqlbe>e0KTs%Oy`UGtQI{fkl5?i6aPQN!v}H
zRT7i%F^AY!$h<7=*-f~1Tt%7xaz*P`>a_
Xr6i4}kdTqgsh{Py8M3tDnV;F
literal 0
HcmV?d00001
diff --git a/backend/api_service/app/routers/__pycache__/signin_logs.cpython-311.pyc b/backend/api_service/app/routers/__pycache__/signin_logs.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..7b213ca67dcc428302b40161845e0cacd2136646
GIT binary patch
literal 5061
zcmcgvUu+b|8K1k``@4JR`(q6D9cGO!;0U!%Y*3-#h+-f%#34XJbRs^TZ|CfV`^W4a
z;LBN@Qq-nVrI08UP6h4tAv6`VvZ7YyrBxpLxNB|Y(@K$$`cmF5qIt~#;zJxEwCwTVm%nCVw!q57yY#`T@=*a~W
z!CWX2%7qhQHtx
zJXT2zNPZlZ0yr%7V80Z^!Hh==-Qp54JW$)-r0V>a!uMfs58$y1$aYH+`1L;Aa^C?n
z@N~@d!OT`^+r$3*9L&MfF*hJZrP#ym&v7|%-*am?aZmSH#>q4v#DmffctmW+(f+1*
z)Z9@^YUU|&WmRXi{jN1Cd(ozlvGSceaEs{5$C01
zLC&j+NbuE?Ot3h6@q(BtsY^Jo%ITCU7xH2%4@>7W1(L=nNuG)e9HSp16_5jLdYtLDex`ikebOO56@T
zoW*I?gRPm|n+hht6I4p+
zG;kzA(PAO5U^+(m(j`J*PstLcvzwt7>$y!rGjuk!DCbiumYPH5;8?0Ck6qh8maTl1hO|XEW%bw=AWPj-BcG35274EXPIbX50b-lv&MZQ}q
z11icXaW9ezPT(w0zJ-aLSr*l$lnMCTsgF9XJWpf
ziW#st2@Hp~%r%)VNZ52qSWU^qs&`rvyDmsi&IKj)pT#}Q=yk9((>(*>BE<(>X)u#d7*G=A(g%YzIh4E
zJP9jYlhYXb#Y+}OD3>g2Pf}|iEiRk=$!qK+lbeE*EfgTTVTlMl$~|cQ1-~k42&lL3
z&f$*_-^+Y<@zcWH!p7jl`ryQ$PyK23%f0K9XY|3>jKSCR$eadAVbcO$TS
zJ+NC3#En3_daCXYRBwJ2i2lK4>^Y{*zM}=^^}xIlnAbe>Fn8d4*Q>+T`VJ=CQ7
z`+MJ{7;PcC&s+&?}Zk2}a-m^1BJOkRS{
z9J}gr@T8mtBM}#t#TE)WQ&~BsFe;NPf)XZ2Wtsj>!^<$1G_{vzaYKip$=|?REHqJD
z!3&`Zs&Ex&cL?hAZyWl5Va$rF;vmBn*Y`lH7T#1GFG8yoSC`Hmm~)w)1}oj@)QxYo
z78*6F=|5=JLZQy_|0Ze0U2)c0DAdVSad)rTdFCsgil+vt)$^r$traimBs@=rP#3nh
z_FwBj+%{LY%x8m*FtTn?Oyj@YT@=wyVp&#B2>JR;|hy^gs*sEpFrB$GsMC?B&{ocm15Xtk+@r^
zB21%hNx*BX*em{r&iimu4_Y?55>Vq!PB_OvZA<&D-IH7opRowZ(;WvPT6xRA^--i|
z$&qNml1T9vA`lT%qEf_ZIU}cAG3>gmE{T8>G<9iaYZg?97F5Xj#Ze~m9Lqx#OPW$3
zkm)ewfs6)ANeGRQCQ?X)fB-yVfk+hk^7uMdApXfjQR9}NIYM_!XcCd`z!^l(gT{cT
z2cfxx76EzQ>07aNV$tOmeZ|&&`ybhVvGqLqJ&M~2y;C!ggD{m%UIRFkASt7mJ34MU
z=uyyxMUm`+zi)j9;LLv@^?Z%
zSs+(tDTL`^x0GC1HobJ?>>f>y-lFL$WHJg?O=nil$&d_K9E#~kWwV4{6QTZV`mA%7
zO1WaZ$I_&=LGm&sYbO>?rh&;b{gT#;V4Z=La*!WUhLg0RXKZqG`{W4idN*wpOA197
zYU3S+U8dRd%mtFOK)DkhhWL@%>>9VWp!*IPzC#-Kg8GdM`6ItPqzl^(
zVf%(KyeA%-|ci_|5-IyNUWrTNagkN3{zr1$fFH>Jk=@Z9|iQ{^B+6YfqPuKgS
zzZv+|K<%{NKW_AoYmsMb^-NvZwju0T7k22vkRc2)9sJ=B=RTObcgTp2ZbT>6qZ4}c
zfDt{Q3kMD1VD&^j5WfA!&zDw5bpIeEMMCJqGasB;?b8L(5X22(*SfH)rs~2zL)gc}
zSvl7#)*~ZEWJL2nTR{dN`f%!lDV>iRd~}1~vCi+%`5}WJs!qd^>_7O(_Jw!Nd;7rZ
zSYXr@|
zX;Yo~CWwUC>dZ!Ld_6Y4meFG4dhDnXJF30%md;-^_=_5M(Q-A>bSINiA)QQ`E_JyG
zFhuAFfa%Vp0Mm*xp&(8u&R7XEjrCU6>{G60Q`z(q&MjNs#XPC6JvxeSsG}+RMJX2u
zjl7UiEu{#SMwtUBghpAGsuSjz)JV;qO%kwf_BCm_Ospea9))yyRAOJa7(`=*(5PkZ
ze3nF^s-=|CHaszyV~z+3yY;E;P*lPI!gPQqm=5?dXD&bvP~9jPS)k`R0y>wnc#6!!
z7=={D1EAP&*lf0j-C^Szh&DcCi)kp@S?g$8`+l{KhP4;fIvUfu>tl3S`(L$=_G#U<
zjt*(vwT{kfFRG8d;rIKsfqiSQt-YdokL%v!hWB{Y)o=;6NIe*7IN<-WFVJwpKiIE#
zOT$fj9^~>jytIe9n?Ypv{A}R80ZrJg+x8f?J-`&|yY0N4T0N${^r{w|(StKaa0WmD
z1{YS}s7+{-Gg@#~56&9F+4}IF+JVn|*WT7nzoQM$>%;TL@O(YA?e9K
c))nZUI^TWl0pny%`uzPHQm8^%}4=Gwrt0Xs`DEQ3iKhJ-kYG0CPw=xw^nb~}A>PE})Y
z+CvXPGXxP0vpXX^T9Ev(lO+l>;vpmPI2rB3K2}>L(JBcAX%%Vqtr0U)lzrL%Kh<4b
z)wUtoec9^MfBkjt=hXlGms9`N)Z}O2%KzgZQh(mWF#m}UwTqU(!?Tc+VQw=b6JtbH
zbfnpgBj(6BW6lg0<1((8i^Y6r+MV&lJe23s-i$Biqr5Ba&-i10%DdBnOfc3|<@p#7
z?L6t`Oehx0w8UC6t+CcjTda+id(-Wij#vlfed$e^&R8eq{prn_u2>i41L^KePpl`?
z8|%&V#rjyr!AK4{-F17e%hCbmmH
z$ZwhUiXD(YC~mUlw?cj=Lw-nfL;Egx-X?a#bC0xz=DEdQ$lEUUuk5IeXuXSl
zl51{fE$4o}eQq#or_}Ws3-g7)anZbxJ#X4U=e$Mgsm&YaCR}rU22H-GHDqGDU>0HX
z(ZYy*_Wpk0xYfOyc8ddR#@r2K?y(GIvf|+XdQ5x|TclpgTDPtlcQ1_lBXckd^M4$-
zzSeDP#*B#WGfa5lFDU;L{@}~(>aoqpqiY^Ba>UmN<^Mb%}4zIg-Z%^x^L{w
zQJ7l`pMMPo8y;~(mZyhyJaPz?N5e1XdN#V^gQ@$BtehQbLgo{_MPnd=T>|t8EuOLy7s+(8c|_OMz@T
z?9kowM4C=r(m5qDBO`_BxQV3XNj7OB12zQo5&b`#1m-rQSjy&1zQEWeZ^hIF(8#<*
z_P)bj58kbFLg(gWx?@}>CrV)_X@eFzj}Phi#Y8$q*W)*y#e8Ny%#u#1BIEGFcYhZh
zJ(q;K=N6>Yh1|IdiR1_H%Fe-hVLQpiR8j(d{+uB$@;SQx$oyr!DUNJh$;HJ~QXyNQ
zvu^Bl8;~ONIMAsDcC09+z+Nq|_fg>BYT)3*x7EPGQXr}YqAC}C2K5--pDQ6qU^Z6p9hcP-3HMA97~8m)3Nkxr0!E-S@zB%Xyk!EGie9eOKjm-xuO
zk@&|DT$
z^kaEz990J@J276ZLJmLy7Rq;l`~`kRrV?b@H{Blnr_sC9zkBDmxjVT>{llyM!+$*a
z<*R?%y*hHb)c?BH|9YuyLTj5)n;KK`M44}Y#P3|?cb53D#)pe1%O1XX03G#gta2QH`yO1P4=aTHDOwJEWH#
zSN5kB%ZRo53}frZoX7V>t)+T;8>fh85qI_Fp)vS9;dSDTtb{!
z)ZoixKj!a7g02_Y
zi^K#lLAQuRkPHC{yU8%}COnO<_hBA2TqrOUoK{I?4hzU*CUX|Np
zO;6f75Uh{A{HMw%!JEOaeW4qjw|Z~&-WBhpOD%h}mOUlkUd^}nYaf53<5T74!t&15
z=7ExLQ1cBw^>FR(zcN57499OwiYF?5CfNEYux&N4trXY+X0aG8djiEm4YBI0F_nL>
z#J{KU@2TGRDsILbyjIXWJb26)q4?ebpo!=a1X(@kW4}Wvjg59Eks8#vevs+p7j;U;Ox3G(I{0*4gnhQ@T@D
zNZ3IRVGpb%<1W?gLzn4j#myICOqCpiYEk&h86aRHIJe9H*c-alRr2;|-X67OuNO^E8H$Cl*?K+-Jry%muJsE&TVn!lAhO$Oa
zs|B1poL}6WA9)L^y@6H#0;H2Uq#Qm7{+g`EvB(OlkOpHhiMQpVau1s&}1K
z=DQ#9!YVJ6_(6>yRJ|LfZyyKRD~!W+xK6(DHmUrf2MHjMO5Rb;JF2diD0p4a7Qwq2
z7JF?hGB(0|HR3+wy_KW}mYzt}reb5w^us&e4#E)C(^hv=8=fW|s^Atzo=
zT7hN)`<@AGYd{JBbpX_Cu(d@uoHfD%-^ElKji9ia2#8nAIau4Qqas`zMNb7+;|Nd_
zSF`3?19LMr1J&SM--~SQ-MVI$QCjMQh&Gkb*lvwlvW#u>8ZBz2u@AAqa|Ex>y*O+f
zPzVVjD=i4Jag>Aa8Vw;0#N>G?nVN=Bsus6JCZ^yhU;w7BH#e9h-Jg=wOwQi`XK1dQP)j(CPZwN%VbgjWjF)@n>kR
z4o4<<=3#N;s1vxZ2Ny5~rbh}S2CYQ+%l{3;!291?nU0++iw{N~wwBtDXzfQ-zA+U~
z{>{y}`j(TP&UTyQx%>LPZKd8Jt#{}_e<^TG3mj9qW7M;=MQbL0V;kX@
zEjXToUo^bXa_yyC@t59Ex{jba+(
zH{D~L$H<@!(rFvy2cejrsTd(24cgETl~Jm!L7Tt643dPhYgp+kAXUVNz6atVR5H$6
z%nD-Oo6j&
z1A8mQa(*H@tZsZ`yXRU-^JE0{kR=po>|%dCqy=@O1rIul>WmpX~regGoCvfeG>KQC|_um=1&fRQ&^8eN(;qpI*|1g|-$?RfXm<;r
z%h8ocDX?D)>{q${RC|VpbWc1k=92Na?wL-&7lio~!B7SiG#ITFz>$Bo#!0L}L)#|fb7F*kGLs2@H=$o73@;c}lwPZn
z%w?xjGe)Rf{R$ZYhnRkGq;^s7wR}m7z?Za$NWY0fJfD(ef=3Q(t6=P#Nyrg29R$M<
z(uxE<3;0xFd|Tzr&u-)>79K!Ch3Ob_C_*|npOY0mL{GC0?AsrIWpaFMYCK9kY~2Z;
zG^pj(o%4Bxpsq4R5QT@lk3>L%-#EVW9)Zn(lZ&I|BX~snB7Xz#qvB*)w&HNI99TXe
zeuh1&GJpU4RA%~Adnz+Ssy(e&M^G7CDl>s1{XJn`QeTwHOjxz2GP75;r!sR$wWo@M
zV;yi7_X9|f@wZ*?S`ObkcrUE_MoPXB%{NkXSKKT+&Mw0~;e7?p2=KlR^#<9ta;UB1
zg!>aeUva@5oDyG0#e13cK(VFImS*RUeSP>~ERNxzwT|Kxy03Pt!QCZxkH+qSE!c2uPb&)^8xT4&-08kyrm^3(Vp<1B
z+KU}JFgs$7(_dn@XzZ5fuCbM_5h;B`$j~*?d}EE2HP%R3m=^8}QXE;pAz)<4qeJ&y
s?Ni}P1Usm)gU?-JGkc)I0HFiJoh}hGjV0EKX&oGBD|YCxWm7fqKlH15nE(I)
literal 0
HcmV?d00001
diff --git a/backend/api_service/app/routers/accounts.py b/backend/api_service/app/routers/accounts.py
new file mode 100644
index 0000000..59193b9
--- /dev/null
+++ b/backend/api_service/app/routers/accounts.py
@@ -0,0 +1,139 @@
+"""
+Weibo Account CRUD router.
+All endpoints require JWT authentication and enforce resource ownership.
+"""
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy.orm import selectinload
+
+from shared.models import get_db, Account, User
+from shared.crypto import encrypt_cookie, decrypt_cookie, derive_key
+from shared.config import shared_settings
+from shared.response import success_response, error_response
+from api_service.app.dependencies import get_current_user
+from api_service.app.schemas.account import (
+ AccountCreate,
+ AccountUpdate,
+ AccountResponse,
+)
+
+router = APIRouter(prefix="/api/v1/accounts", tags=["accounts"])
+
+
+def _encryption_key() -> bytes:
+ return derive_key(shared_settings.COOKIE_ENCRYPTION_KEY)
+
+
+def _account_to_dict(account: Account) -> dict:
+ return AccountResponse.model_validate(account).model_dump(mode="json")
+
+
+async def _get_owned_account(
+ account_id: str,
+ user: User,
+ db: AsyncSession,
+) -> Account:
+ """Fetch an account and verify it belongs to the current user."""
+ result = await db.execute(select(Account).where(Account.id == account_id))
+ account = result.scalar_one_or_none()
+ if account is None:
+ raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Account not found")
+ if account.user_id != user.id:
+ raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Access denied")
+ return account
+
+
+# ---- CREATE ----
+
+@router.post("", status_code=status.HTTP_201_CREATED)
+async def create_account(
+ body: AccountCreate,
+ user: User = Depends(get_current_user),
+ db: AsyncSession = Depends(get_db),
+):
+ key = _encryption_key()
+ ciphertext, iv = encrypt_cookie(body.cookie, key)
+
+ account = Account(
+ user_id=user.id,
+ weibo_user_id=body.weibo_user_id,
+ remark=body.remark,
+ encrypted_cookies=ciphertext,
+ iv=iv,
+ status="pending",
+ )
+ db.add(account)
+ await db.commit()
+ await db.refresh(account)
+
+ return success_response(_account_to_dict(account), "Account created")
+
+
+# ---- LIST ----
+
+@router.get("")
+async def list_accounts(
+ user: User = Depends(get_current_user),
+ db: AsyncSession = Depends(get_db),
+):
+ result = await db.execute(
+ select(Account).where(Account.user_id == user.id)
+ )
+ accounts = result.scalars().all()
+ return success_response(
+ [_account_to_dict(a) for a in accounts],
+ "Accounts retrieved",
+ )
+
+
+# ---- DETAIL ----
+
+@router.get("/{account_id}")
+async def get_account(
+ account_id: str,
+ user: User = Depends(get_current_user),
+ db: AsyncSession = Depends(get_db),
+):
+ account = await _get_owned_account(account_id, user, db)
+ return success_response(_account_to_dict(account), "Account retrieved")
+
+
+# ---- UPDATE ----
+
+@router.put("/{account_id}")
+async def update_account(
+ account_id: str,
+ body: AccountUpdate,
+ user: User = Depends(get_current_user),
+ db: AsyncSession = Depends(get_db),
+):
+ account = await _get_owned_account(account_id, user, db)
+
+ if body.remark is not None:
+ account.remark = body.remark
+
+ if body.cookie is not None:
+ key = _encryption_key()
+ ciphertext, iv = encrypt_cookie(body.cookie, key)
+ account.encrypted_cookies = ciphertext
+ account.iv = iv
+
+ await db.commit()
+ await db.refresh(account)
+ return success_response(_account_to_dict(account), "Account updated")
+
+
+# ---- DELETE ----
+
+@router.delete("/{account_id}")
+async def delete_account(
+ account_id: str,
+ user: User = Depends(get_current_user),
+ db: AsyncSession = Depends(get_db),
+):
+ account = await _get_owned_account(account_id, user, db)
+ await db.delete(account)
+ await db.commit()
+ return success_response(None, "Account deleted")
diff --git a/backend/api_service/app/routers/signin_logs.py b/backend/api_service/app/routers/signin_logs.py
new file mode 100644
index 0000000..5a4c636
--- /dev/null
+++ b/backend/api_service/app/routers/signin_logs.py
@@ -0,0 +1,83 @@
+"""
+Signin Log query router.
+All endpoints require JWT authentication and enforce resource ownership.
+"""
+
+from typing import Optional
+from fastapi import APIRouter, Depends, HTTPException, Query, status
+from sqlalchemy import select, func
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from shared.models import get_db, Account, SigninLog, User
+from shared.response import success_response
+from api_service.app.dependencies import get_current_user
+from api_service.app.schemas.signin_log import SigninLogResponse, PaginatedResponse
+
+router = APIRouter(prefix="/api/v1/accounts", tags=["signin-logs"])
+
+
+async def _verify_account_ownership(
+ account_id: str,
+ user: User,
+ db: AsyncSession,
+) -> Account:
+ """Verify that the account belongs to the current user."""
+ result = await db.execute(select(Account).where(Account.id == account_id))
+ account = result.scalar_one_or_none()
+ if account is None:
+ raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Account not found")
+ if account.user_id != user.id:
+ raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Access denied")
+ return account
+
+
+@router.get("/{account_id}/signin-logs")
+async def get_signin_logs(
+ account_id: str,
+ page: int = Query(1, ge=1, description="Page number (starts from 1)"),
+ size: int = Query(20, ge=1, le=100, description="Page size (max 100)"),
+ status_filter: Optional[str] = Query(None, alias="status", description="Filter by status"),
+ user: User = Depends(get_current_user),
+ db: AsyncSession = Depends(get_db),
+):
+ """
+ Query signin logs for a specific account with pagination and status filtering.
+ Returns logs sorted by signed_at in descending order (newest first).
+ """
+ # Verify account ownership
+ await _verify_account_ownership(account_id, user, db)
+
+ # Build base query
+ query = select(SigninLog).where(SigninLog.account_id == account_id)
+
+ # Apply status filter if provided
+ if status_filter:
+ query = query.where(SigninLog.status == status_filter)
+
+ # Get total count
+ count_query = select(func.count()).select_from(query.subquery())
+ total_result = await db.execute(count_query)
+ total = total_result.scalar()
+
+ # Apply ordering and pagination
+ query = query.order_by(SigninLog.signed_at.desc())
+ offset = (page - 1) * size
+ query = query.offset(offset).limit(size)
+
+ # Execute query
+ result = await db.execute(query)
+ logs = result.scalars().all()
+
+ # Calculate total pages
+ total_pages = (total + size - 1) // size if total > 0 else 0
+
+ # Build response
+ paginated = PaginatedResponse(
+ items=[SigninLogResponse.model_validate(log) for log in logs],
+ total=total,
+ page=page,
+ size=size,
+ total_pages=total_pages,
+ )
+
+ return success_response(paginated.model_dump(mode="json"), "Signin logs retrieved")
diff --git a/backend/api_service/app/routers/tasks.py b/backend/api_service/app/routers/tasks.py
new file mode 100644
index 0000000..e4fa910
--- /dev/null
+++ b/backend/api_service/app/routers/tasks.py
@@ -0,0 +1,196 @@
+"""
+Signin Task CRUD router.
+All endpoints require JWT authentication and enforce resource ownership.
+"""
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+from croniter import croniter
+import redis.asyncio as aioredis
+import json
+
+from shared.models import get_db, Account, Task, User
+from shared.config import shared_settings
+from shared.response import success_response
+from api_service.app.dependencies import get_current_user
+from api_service.app.schemas.task import (
+ TaskCreate,
+ TaskUpdate,
+ TaskResponse,
+)
+
+router = APIRouter(prefix="/api/v1", tags=["tasks"])
+
+
+def _task_to_dict(task: Task) -> dict:
+ return TaskResponse.model_validate(task).model_dump(mode="json")
+
+
+async def _get_owned_account(
+ account_id: str,
+ user: User,
+ db: AsyncSession,
+) -> Account:
+ """Fetch an account and verify it belongs to the current user."""
+ result = await db.execute(select(Account).where(Account.id == account_id))
+ account = result.scalar_one_or_none()
+ if account is None:
+ raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Account not found")
+ if account.user_id != user.id:
+ raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Access denied")
+ return account
+
+
+async def _get_owned_task(
+ task_id: str,
+ user: User,
+ db: AsyncSession,
+) -> Task:
+ """Fetch a task and verify it belongs to the current user."""
+ from sqlalchemy.orm import selectinload
+
+ result = await db.execute(
+ select(Task)
+ .options(selectinload(Task.account))
+ .where(Task.id == task_id)
+ )
+ task = result.scalar_one_or_none()
+ if task is None:
+ raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="Task not found")
+
+ # Verify ownership through account
+ if task.account.user_id != user.id:
+ raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Access denied")
+ return task
+
+
+def _validate_cron_expression(cron_expr: str) -> None:
+ """Validate cron expression format using croniter."""
+ try:
+ croniter(cron_expr)
+ except (ValueError, KeyError) as e:
+ raise HTTPException(
+ status_code=status.HTTP_400_BAD_REQUEST,
+ detail=f"Invalid cron expression: {str(e)}"
+ )
+
+
+async def _notify_scheduler(action: str, task_data: dict) -> None:
+ """Notify Task_Scheduler via Redis pub/sub about task changes."""
+ try:
+ redis_client = aioredis.from_url(
+ shared_settings.REDIS_URL,
+ encoding="utf-8",
+ decode_responses=True
+ )
+ message = {
+ "action": action, # "create", "update", "delete"
+ "task": task_data
+ }
+ await redis_client.publish("task_updates", json.dumps(message))
+ await redis_client.close()
+ except Exception as e:
+ # Log but don't fail the request if notification fails
+ print(f"Warning: Failed to notify scheduler: {e}")
+
+
+# ---- CREATE TASK ----
+
+@router.post("/accounts/{account_id}/tasks", status_code=status.HTTP_201_CREATED)
+async def create_task(
+ account_id: str,
+ body: TaskCreate,
+ user: User = Depends(get_current_user),
+ db: AsyncSession = Depends(get_db),
+):
+ """Create a new signin task for the specified account."""
+ # Verify account ownership
+ account = await _get_owned_account(account_id, user, db)
+
+ # Validate cron expression
+ _validate_cron_expression(body.cron_expression)
+
+ # Create task
+ task = Task(
+ account_id=account.id,
+ cron_expression=body.cron_expression,
+ is_enabled=True,
+ )
+ db.add(task)
+ await db.commit()
+ await db.refresh(task)
+
+ # Notify scheduler
+ await _notify_scheduler("create", _task_to_dict(task))
+
+ return success_response(_task_to_dict(task), "Task created")
+
+
+# ---- LIST TASKS FOR ACCOUNT ----
+
+@router.get("/accounts/{account_id}/tasks")
+async def list_tasks(
+ account_id: str,
+ user: User = Depends(get_current_user),
+ db: AsyncSession = Depends(get_db),
+):
+ """Get all tasks for the specified account."""
+ # Verify account ownership
+ account = await _get_owned_account(account_id, user, db)
+
+ # Fetch tasks
+ result = await db.execute(
+ select(Task).where(Task.account_id == account.id)
+ )
+ tasks = result.scalars().all()
+
+ return success_response(
+ [_task_to_dict(t) for t in tasks],
+ "Tasks retrieved",
+ )
+
+
+# ---- UPDATE TASK ----
+
+@router.put("/tasks/{task_id}")
+async def update_task(
+ task_id: str,
+ body: TaskUpdate,
+ user: User = Depends(get_current_user),
+ db: AsyncSession = Depends(get_db),
+):
+ """Update task (enable/disable)."""
+ task = await _get_owned_task(task_id, user, db)
+
+ if body.is_enabled is not None:
+ task.is_enabled = body.is_enabled
+
+ await db.commit()
+ await db.refresh(task)
+
+ # Notify scheduler
+ await _notify_scheduler("update", _task_to_dict(task))
+
+ return success_response(_task_to_dict(task), "Task updated")
+
+
+# ---- DELETE TASK ----
+
+@router.delete("/tasks/{task_id}")
+async def delete_task(
+ task_id: str,
+ user: User = Depends(get_current_user),
+ db: AsyncSession = Depends(get_db),
+):
+ """Delete a task."""
+ task = await _get_owned_task(task_id, user, db)
+ task_data = _task_to_dict(task)
+
+ await db.delete(task)
+ await db.commit()
+
+ # Notify scheduler
+ await _notify_scheduler("delete", task_data)
+
+ return success_response(None, "Task deleted")
diff --git a/backend/api_service/app/schemas/__init__.py b/backend/api_service/app/schemas/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/backend/api_service/app/schemas/__pycache__/__init__.cpython-311.pyc b/backend/api_service/app/schemas/__pycache__/__init__.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..f2e6748ac7d305c4e456e3a267f40604aa75e014
GIT binary patch
literal 166
zcmZ3^%ge<81YuF@GC}lX5CH>>P{wCAAY(d13PUi1CZpdS7kQetv;YF7fK6y9Br9slAqkbuFY3n~IjZKR4;MHQkdp`;PPkT_8#E75A>8N&*D*UYX<
zl9Q=u#i55BD&b3|o+yZ@>ajjUoy%Fvz2S0)GLZVVpqB2z~a#b$MGU}m@dF`6hyx#Z60@%!6UHyxv-
z+NFoAs@rPW;_7$I*tFEIOC_srI_mt&+AY$~
z?%C%#gCp+Dt+2;+W;^PpMYlzSN(dO{165Z|_M{syJqXy`+`bH3?Vkd%lL}&4w;5L#
zZ{j-d`&`
z0Zw=dgdYi@{5}A5Pa=L21!nBEbO2I%f9=+n>m{JVx;WALre1o)
zOuDYu3=IzVy-{MI*Veo2TknOiw#}os6$&gW`v(w>BOi}kbICO?GuxbQ+OHn}weq*-
zW;R-xjdo_Ead-EsOEzG($c8s{diPQ@^h$QWxbIFax2BfcQ_GFp&*xpT46{X+z3heN
zH@|)K=he6O-0W&AyV}mKg2A`Dg`e-bWEEyhNKp8>-b)Qpx?kK|0RKOw_eRTC5c&uS
zqcqZ|twJa0IJsj;?x7We=v0AnPV{NJR>R8N`D~1~bp!-$O_gmKw$KBH_9CC>F*wA|
zg*?!@OSUUdj7mk_WGZK$FtfzBYYwA1p2k>+tbc$jl7Uw$2*;-oL^kB&91DR@qnJT)
z8iin!Sd47pXHej|0tTH$O~g8j+H6mtBO60MOobaRxzWqwr|wPWX3MQ?xt%Q!(pYv$
zxkbu7tE+GGZnn_M7TVduz^LGoLW`h;8Td!nL%GJ+#c|LCF`8>eSePo9L!pKG8WCEA
zkt4Ya({LXbc^}DbIB0caPoubM(A-}t&?MmsMll++c0b*1VJpn8LDyzGU)`^7R-n;y
zR^!ZOW>C4RRfZlmL;>}RY4uWHtLTR5uq`Jy=PL&FC%P?3Gy;(;KVrj9b=yx@blcJ3
zR|G1YYP#dcMUxczPz13#;y6H#3?hi_U+_5eerDv|=jJW5Y&=-a=g0_|{B)UHRqzJ=
zaI@|(n-5dRj|5BkW$<+YE*m*HV2^ip_IVmVLAG-M=5w(TCjnyz6cvmOfhkA(5szHO
zXDE>8_OBoY?i!Lu7G1LFMH7vM#=_GDFE!a%YAiin@=ngU1ZRuPc*#>i@5#6%(;^u!
znQq)^+QCaRnlW
WNAYArhJcQXUE>`-Jv;^yA^i^;p?NX@
literal 0
HcmV?d00001
diff --git a/backend/api_service/app/schemas/__pycache__/signin_log.cpython-311.pyc b/backend/api_service/app/schemas/__pycache__/signin_log.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..ead641594a23328f4d501d4732d7c3f70bb00f8a
GIT binary patch
literal 1808
zcmah}O>f&q5M4@3ijwRqu9G^S4(p-^wSg~1a%j^6ZGsxMQ`Vy^;;#xJ|KQE(FiYd;IT$YqBQ9YEtMrY)a18_PYQGXx-D*Hx8knvbSgw`(X}=cO
zt{v3fxA9>&_
zXD5=*Q_%}W=sb#g&a(lRLnn&4^b-+`2i?!tDJI^RqjKC
zTVPdltH!NsmgFf0bp7(6v_sd9YM@9j>IFVv|kZ|=o
zIl{M|eDUz}P8TZM+2vw8>TLVnpLobRek?r2<#W;HV8@-Zw>kwW9+0ve54BY!Auq#D
zc&T}S^z4^iU;L$oKY1Pe@+QDWyD6{W%?Ahz0J`RREb2nSRS_n-<#~P>MnxeMdQ~DN
zwwSaKP#yVB5<8^W_y$_dQ$WS4UjZhGq$H#FM)Y20H`A4LWq&2RG@ov!oBNyD+_i&`
zUfdedMVN*@Ob`cz>4#=(OZUyi5)^N>1OYhgrj9@2#|HO$*%G7WFgcYHyh
z$Qx5W*9iD=IF6nGOd4ULq_e_1u=<6Cuc+ooV3H
zGZ)C9(1o)rq3B%ZN6AD7YFV2i;epa-0u_RzBF3(!O6+kI1Gqf&sExM$PL<^?_#%l%
zW>KiyXe}bVQ^qCqAzXz^Jq9>m#=9eWH*2;=mp=Tvxiq3U59w0Yd@o%~*Y?-4#%#Kp
zuI{f+jJeArit{i>FbeYV9UJYLA~7UhTgfmMVXtVmJk`A8Y8bQQ@|2Y}+{!va-f?-p
z=fB~^zF&y&EBOgLhw4^;0*tGMVT>ykgN_M;O^n46x%KwU$eq#u&5V3Jx@eBArU6|z
c4F~l%=sliM3gmTjU1A{8V)c^nh
literal 0
HcmV?d00001
diff --git a/backend/api_service/app/schemas/__pycache__/task.cpython-311.pyc b/backend/api_service/app/schemas/__pycache__/task.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..d0090443fe2183564883169a7e00b0c6edcc2c84
GIT binary patch
literal 2058
zcmZ`)&rjS&6!wqtuGc^y1zN&3)S$M}su5Bu5h+#FL!m{gR5nTikyfi(Ue5qlytWy8
zo3NK|q^jzXL#1%!L{&AadhDO!l{jpDt$N_L2u_^x-gpVivK^1#e)ikmTnBFl(XPpPXFRbb+gx>nKZxk^r!
z6lqnW+D{VAG3^li{sDJ3DtV#HgHFGu(}k`8I^&wIKu4ZPrP1bHNQ_X0s+3UeP419DkZ@&Ty
z9kyLa4cy=|XRwdv-N$UF!J^o#1$0;J-a&=yZ<)5~vlnLMZuzcn#$d9zcr1gL&&uJ!?NlDI7B>ZSvw8e>uK_qMFYpOI3|YQ0FkOu%+qnpvVA{@v#eXz@6svg
zr1PbfFRBhCxB7y)wV+zFo#)J_RXcR8i18m>hXD?&JsPVb+;Erc=p6-?W`sFx^<5ou
zKOy%!MRR}YVDhhYtDY{+cl4wP{`Dc
z1dO+tD1eg8$6&$Ka3hO}f6-EbkHafIf#N2L_fQB{W)Wd!PzD=or$T0;B1qr&cw|A%+bU`LU6XpLYK(eM_uW>P{wCAAY(d13PUi1CZpdS7kQetv;YF&ryk0@&FAkgB{FKt1RJ$Tp
ZpmvZ2#r#0x12ZEd;|B&9QN#=s0{{RkBd!1d
literal 0
HcmV?d00001
diff --git a/backend/auth_service/app/__init__.py b/backend/auth_service/app/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/backend/auth_service/app/__pycache__/__init__.cpython-311.pyc b/backend/auth_service/app/__pycache__/__init__.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..8402defe014f733651014f0ada231276af76b647
GIT binary patch
literal 159
zcmZ3^%ge<81a4vLGC}lX5CH>>P{wCAAY(d13PUi1CZpdS7kQetv;YF&ryk0@&FAkgB{FKt1
dRJ$Tppb;QTiur-W2WCb_#t#fIqKFwN1^~UyB~$TC+WYt3Hf*Ys9a7X^UZ%)3HcQf
zNR$YiU`cYaC2EnaQLAi=+GKmwE<2(Q4(qH*r|gQlSl*Uwklj(Y?1_5Vw>{~V8>5XZ
z?@0ROrf3t(JCn`PX5e)u{ZT)Aw?tdu?MepZU^FPVMq3$OL$Xb7kG8YCJJ}(3Mmy!M
zXqVg_?Us9@J#uffSMH1Uv3gH(pUg*jmiH$2%P&P=lKZ3m@`309c_2C<4@L*&gVBQ=
zu@JFk`A}uR;?P}=kk8=Jujnw;TZBfzCo~Dof`7B+t{v*(G3pPChc}K?zN+7%O9%+T
zMT^iXv@LS@Y_`|(vbNoKf$1}oF**Y6ImD6LUO<^u4Azz{ScDGIBXo+5LYLUR;1Ie$
zvPVPEo3JUYDkJpNatpm5k-C;6z{dN{P5CrBnQjNN-9B(S12CrT7bRMIC$RA|GE_NmdAe
zmag+FX(^?;|A;d=WY?Sqq2`AVOZRO`V!_AO1N4C~rB6$R{QJgES;cT8DNC1ylL
z0r~LlP{gE|P^UnQV^LIN!n|g?s)+PHr!^+17+1xZ8lO*!%8)~IV+DwVLahPwm(q(;
zO7miNT2xljDMi%mv+4K5l-9sr6LB@J1*XLXDk@8?WLo_3s;H>YvIl!PqfZ+MZ@MW`
zX<73M1WB=)(&q>E
zvbLEEZ^lzF>k7XL1Lotk3IJ8C$eee6Ax-&Oxyrhtit=;&(NH85$=Jg}I-z77VOXGa
z0@T5-N@`NnJc6hssHAIv6GnkcrMZwewn~#)1Ea@mrgceGS4P9(WI7Q~E~OQ9^mrr^
z$pp3)pNh9rX25|&QU{Q4(MU`0nN6tW09gc_++EQxUedZKx%NiCo)
z4l1gvG?g&%0aV)o&rjj`=HI|#yiGW;ky)|~1^RW%qMB$$NY+xj7jId!)?A-z+7d!k
zlxJMawn|R02v)%+ahvv9{QHp0S~se=EA)g2j=Gj?S(~z#mYln_q&99z&vJFr?OFRq
z#Z%ZKgIv~DOZijq5dPeHjr_{`Gutgk){*Ppb@Z-^Ai=fSP>ahjZpU&%rC!-x2J>r>
zPH=CRp|)2f5VGv8#t+fK(I!N8cq2G%fRQU7v+Y
zfCa`emFc*cx*1PO0uMVxe1Am(?bGWs&DXDAAE|;?QFG|PHe}U2IvB|RY
z9L7?+4uwu*befa31kHF6l48&-S|ZJc#R@7QE)!hOLldKOIC*nxXvya0;|W+2VXm5M
z4oudZ3^pvZvaU7bFpSk?!=dLv+A(;Pe%RRm1%EkG_L0VpqPIUc`P8?6W1!$WRP-In
zz46TH%YE?F*Zs7kuh?;-6c{PB9=z9)4<0K!ZB6d42_)ZQQYN+rciBst+Wz*vzk2Tu
z@bg6
zzjG7MoSs~^BK~M8&|kJ&v1gEci%FSSp=WO5ZT|Qy^m3~!KpWYK_B){MD0=vfV8Jt3
z^bF>0gWteh5zPsTOV!nt1b$U6#7l;eIG;L3s-}NU>b%fugh1aN_Mas)a4{vJS(h>*
zFMy$)k1Hat8*3gs5~I;6+5`>UCv+TMbPN)$(Wr`vH_kpIY*a0f(MJU*7KYTHTA|nWDcT1$nv<@kQc`M>?t?Gb+fGAk
z*#@I8K_R_hCR;tX(R5m+m!KvNkHSM@XrY4yM@uc;r9c-bnAZUd#uB@Obu;4(15PB>
zrJBx~OW*@JTb-3~daYCXUPpWZzV#iuWOxMnz*x=k`{X8%>#BK(@9
zF7fITm?;rZI?2bA;EoIHU`0Wn6nY#wlxaiCR9qI#S~U(ppJ~4U9L&=4y2H$x8Rfys
zF{|ZgYOLEWU7luVt!OS(N0eA)1pS6hdo?zGW$MDEi{rD*H^c)2QZoZaUxWT=4O{1#
zKE`x15{X@$nw^}U8oLymnVh~hIUSpvp1v}zSrwInt@|@zqiE~sITYY#y
zo+`GU$~V>Dw{1_Gx{FN*Hf9S=!^NiIylePRPd!1_##U0XZD&e>lfRyM;J<%u^IAS|
z67HSa{u5kfE0{TWD;+RZU%VVTKR|vz;2z&+{eAfGc$f8GyX=t9cytU);^A+IqwnAn
zxY<{18)6|MFvJQ1etchuRl9$yQ3}rv;Q3a0-Kyy^13sCjf}QZG#+N6{ri`q0*_2U>
zY5(7rK%$ADFOXp(tFQwmR{QBSIAmQm&m^_;1g)Z-W0zq6)UsKJShs8{8e`+yo6Oo4
zYF5Io?ytzg6HnGIIN6y6JcQ58GaMLNcP7FRuG;B0@DEPZ`r&fh0iv_w=j$j4$B0VU
zfI%R|z!`Y?=vvXMnCCPb>ZazHXJL{*Hp5ihw}Ho89b9Ov2?}U#=4Z#$^%W5yh#gau
z7^uA8fXiwppY?;zVteK}fntb`;#SgJmF{UxOL1jM6wELOeHDpDF+poWqeyO%1lDZ|
zfoDR|HVrvw4D%)^(%12G5tAiI6x?X&?uU?RU=KTzYuvE8!1v{>U8Ofg6Rujbh+N?h<&i-Qiy=4^BLM<$iWETj)An
z>^hwf*5A3y|LJK4+C9SE#umo%-R-e
zX2+rSR%Ai1>{-XISoe1f>%bveil-LALF4r}hygr$5QGH|bw5ytC;l+tAk#L3U?nb5
z{?IH&RQTyMgorVg8)Bkomqb3DMBuDu0Dn=BdkVZH%c3BGo0eSHIi@mv1x>5MF*W?U
zU)g&VJy0`>g29`rSP6~86wrB01WZIs79bgFqCJ>Ln5qXy^gHP*m@pW`S=@p_n!-;t!Ye!%@8b?-u;;7X9z$-g??`1iZrF!}j}gn{$PZ(PGDF
zzNP-oz0GiOU#V^X|Avb$9T#O$^H#@<66O|%xyC$m2hq3D-N7sYCxFWgGVOh%K71&p
zAc`(C1!n~87!FRSiVKI*40G37AF2XF4V*WDLPJvYe2ho|Mrrc4c6J^g8r7V!7(~`%
zG0nLEzuLqh7-_JE?FL0iHh+ByCDK%(=pSm$m0HF4t%jnLM{%TDoATpi
zJPGG3c|9b)uZH6IBaD=$2w$3etCAvWK|l`zcxjr_ENMk^f@ckm_98@Wmf#m2A;iK2
z3PmrE;;=OKvqL597lHtuK@zG2g=jO9^;XCE7@2|{iYp=JBp@zRjN0fYH*`8EVl8ch
zL>t`BtcMwuP<4&&8SSesVlAzzQc?+-6N5gHzRy`?m3cV~BM<K5((#P?-J?F*WM-K%dx)_X~?lZv*Z~W%|rA)rR#6h@od2+V;#@T{4zQ4pv+}*d^iw#|OP8Avs6dMlY9B`%wtX?d+BcwZ!yVP%PoYnJs~ZRNlVGrQVI;`kBsG8&X?M{N`bad23S(|
z5H0{r95P|YF=-**w%emWKmGCPoD14I`sxGM=N*N}`C{aJslD%$wL3R|@xd=YDBBNl
z2g?MKl7FOZh4(X8P%m^4M@!jRsb(~KG7J9$VgJjX4|{G)1+JsWb>Nb8;gWQHZ6%gY
zv&4mT?H{(^4*aC&qn@(G&Y`EuIgrX%DezT@ItyH&$OXz4j@w@*kRVymEO8)R$A=wx
zch|kskFFIb=W-nd?naTjQ96I|(ZR0heChE0aw|A
zq-PDOw@2>TQC_IXg-Yixe7^SR=D&RKyAR6bAodxOjZXG@;N2=>Ig}R$rm_Vor`gm%
zFK>tM4WPV8k&BcrTz<6p)xsC)FVkhhqdZ9ReMi~*L3XQ*J;3`{?bb<-QIqcfF
xlxr_=P<6C)X5#bf`N^w=GuMh|uED_tmH?A`$*nxgp{!%TP_|S^STQp${{z6oj{
literal 0
HcmV?d00001
diff --git a/backend/auth_service/app/config.py b/backend/auth_service/app/config.py
new file mode 100644
index 0000000..4b4190d
--- /dev/null
+++ b/backend/auth_service/app/config.py
@@ -0,0 +1,50 @@
+"""
+Configuration settings for Authentication Service
+Loads environment variables and provides configuration object
+"""
+
+import os
+from pydantic_settings import BaseSettings
+from typing import Optional
+
+class Settings(BaseSettings):
+ """Application settings using Pydantic BaseSettings"""
+
+ # Database settings
+ DATABASE_URL: str = os.getenv(
+ "DATABASE_URL",
+ # If DATABASE_URL is not set, raise an error to force proper configuration
+ # For development, you can create a .env file with DATABASE_URL=mysql+aiomysql://user:password@host/dbname
+ )
+
+ # JWT settings
+ JWT_SECRET_KEY: str = os.getenv(
+ "JWT_SECRET_KEY",
+ # If JWT_SECRET_KEY is not set, raise an error to force proper configuration
+ # For development, you can create a .env file with JWT_SECRET_KEY=your-secret-key
+ )
+ JWT_ALGORITHM: str = "HS256"
+ JWT_EXPIRATION_HOURS: int = 24
+
+ # Security settings
+ BCRYPT_ROUNDS: int = 12
+
+ # Application settings
+ APP_NAME: str = "Weibo-HotSign Authentication Service"
+ DEBUG: bool = os.getenv("DEBUG", "False").lower() == "true"
+ HOST: str = os.getenv("HOST", "0.0.0.0")
+ PORT: int = int(os.getenv("PORT", 8000))
+
+ # CORS settings
+ ALLOWED_ORIGINS: list = [
+ "http://localhost:3000",
+ "http://localhost:80",
+ "http://127.0.0.1:3000"
+ ]
+
+ class Config:
+ case_sensitive = True
+ env_file = ".env"
+
+# Create global settings instance
+settings = Settings()
diff --git a/backend/auth_service/app/main.py b/backend/auth_service/app/main.py
new file mode 100644
index 0000000..5564cf5
--- /dev/null
+++ b/backend/auth_service/app/main.py
@@ -0,0 +1,223 @@
+"""
+Weibo-HotSign Authentication Service
+Main FastAPI application entry point
+"""
+
+from fastapi import FastAPI, Depends, HTTPException, status, Security
+from fastapi.middleware.cors import CORSMiddleware
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy import select
+import uvicorn
+import os
+import logging
+
+from shared.models import get_db, User
+from auth_service.app.models.database import create_tables
+from auth_service.app.schemas.user import (
+ UserCreate, UserLogin, UserResponse, Token, TokenData, RefreshTokenRequest,
+)
+from auth_service.app.services.auth_service import AuthService
+from auth_service.app.utils.security import (
+ verify_password, create_access_token, decode_access_token,
+ create_refresh_token, verify_refresh_token, revoke_refresh_token,
+)
+
+# Configure logger
+logger = logging.getLogger(__name__)
+
+# Initialize FastAPI app
+app = FastAPI(
+ title="Weibo-HotSign Authentication Service",
+ description="Handles user authentication and authorization for Weibo-HotSign system",
+ version="1.0.0",
+ docs_url="/docs",
+ redoc_url="/redoc"
+)
+
+# CORS middleware configuration
+app.add_middleware(
+ CORSMiddleware,
+ allow_origins=["http://localhost:3000", "http://localhost:80"],
+ allow_credentials=True,
+ allow_methods=["*"],
+ allow_headers=["*"],
+)
+
+# Security scheme for JWT
+security = HTTPBearer()
+
+async def get_current_user(
+ credentials: HTTPAuthorizationCredentials = Security(security),
+ db: AsyncSession = Depends(get_db)
+) -> UserResponse:
+ """
+ Dependency to get current user from JWT token
+ """
+ token = credentials.credentials
+ payload = decode_access_token(token)
+
+ if payload is None:
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail="Invalid or expired token",
+ headers={"WWW-Authenticate": "Bearer"},
+ )
+
+ user_id = payload.get("sub")
+ if not user_id:
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail="Invalid token payload",
+ headers={"WWW-Authenticate": "Bearer"},
+ )
+
+ auth_service = AuthService(db)
+ user = await auth_service.get_user_by_id(user_id)
+
+ if user is None:
+ raise HTTPException(
+ status_code=status.HTTP_404_NOT_FOUND,
+ detail="User not found",
+ )
+
+ if not user.is_active:
+ raise HTTPException(
+ status_code=status.HTTP_403_FORBIDDEN,
+ detail="User account is deactivated",
+ )
+
+ return UserResponse.from_orm(user)
+
+@app.on_event("startup")
+async def startup_event():
+ """Initialize database tables on startup"""
+ await create_tables()
+
+@app.get("/")
+async def root():
+ return {
+ "service": "Weibo-HotSign Authentication Service",
+ "status": "running",
+ "version": "1.0.0"
+ }
+
+@app.get("/health")
+async def health_check():
+ return {"status": "healthy"}
+
+@app.post("/auth/register", response_model=UserResponse, status_code=status.HTTP_201_CREATED)
+async def register_user(user_data: UserCreate, db: AsyncSession = Depends(get_db)):
+ """
+ Register a new user account
+ """
+ auth_service = AuthService(db)
+
+ # Check if user already exists - optimized with single query
+ email_user, username_user = await auth_service.check_user_exists(user_data.email, user_data.username)
+
+ if email_user:
+ raise HTTPException(
+ status_code=status.HTTP_409_CONFLICT,
+ detail="User with this email already exists"
+ )
+
+ if username_user:
+ raise HTTPException(
+ status_code=status.HTTP_409_CONFLICT,
+ detail="Username already taken"
+ )
+
+ # Create new user
+ try:
+ user = await auth_service.create_user(user_data)
+ return UserResponse.from_orm(user)
+ except Exception as e:
+ raise HTTPException(
+ status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+ detail=f"Failed to create user: {str(e)}"
+ )
+
+@app.post("/auth/login", response_model=Token)
+async def login_user(login_data: UserLogin, db: AsyncSession = Depends(get_db)):
+ """
+ Authenticate user and return JWT token
+ """
+ auth_service = AuthService(db)
+
+ # Find user by email
+ user = await auth_service.get_user_by_email(login_data.email)
+ if not user:
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail="Invalid email or password"
+ )
+
+ # Verify password
+ if not verify_password(login_data.password, user.hashed_password):
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail="Invalid email or password"
+ )
+
+ # Check if user is active
+ if not user.is_active:
+ raise HTTPException(
+ status_code=status.HTTP_403_FORBIDDEN,
+ detail="User account is deactivated"
+ )
+
+ # Create access token
+ access_token = create_access_token(data={"sub": str(user.id), "username": user.username})
+
+ # Create refresh token (stored in Redis)
+ refresh_token = await create_refresh_token(str(user.id))
+
+ return Token(
+ access_token=access_token,
+ refresh_token=refresh_token,
+ token_type="bearer",
+ expires_in=3600 # 1 hour
+ )
+
+@app.post("/auth/refresh", response_model=Token)
+async def refresh_token(body: RefreshTokenRequest, db: AsyncSession = Depends(get_db)):
+ """
+ Exchange a valid refresh token for a new access + refresh token pair (Token Rotation).
+ The old refresh token is revoked immediately.
+ """
+ # Verify the incoming refresh token
+ user_id = await verify_refresh_token(body.refresh_token)
+ if user_id is None:
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail="Invalid or expired refresh token",
+ )
+
+ # Ensure the user still exists and is active
+ auth_service = AuthService(db)
+ user = await auth_service.get_user_by_id(user_id)
+ if user is None or not user.is_active:
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail="User not found or deactivated",
+ )
+
+ # Revoke old token, issue new pair
+ await revoke_refresh_token(body.refresh_token)
+ new_access = create_access_token(data={"sub": str(user.id), "username": user.username})
+ new_refresh = await create_refresh_token(str(user.id))
+
+ return Token(
+ access_token=new_access,
+ refresh_token=new_refresh,
+ token_type="bearer",
+ expires_in=3600,
+ )
+
+@app.get("/auth/me", response_model=UserResponse)
+async def get_current_user_info(current_user: UserResponse = Depends(get_current_user)):
+ """
+ Get current user information
+ """
+ return current_user
diff --git a/backend/auth_service/app/models/__init__.py b/backend/auth_service/app/models/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/backend/auth_service/app/models/__pycache__/__init__.cpython-311.pyc b/backend/auth_service/app/models/__pycache__/__init__.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..39dbf16259f0026d68ecb6b02f10a64a2f1c995a
GIT binary patch
literal 166
zcmZ3^%ge<81c71eGC}lX5CH>>P{wCAAY(d13PUi1CZpdS7kQetv;YF&+S!?BzMpsA_j&hip`aruAFjRk
zkc7||G3ghWr)9SS-70dCiCpYTJ`N;P3S?6b6jKRQQw=mz!>EB==?yk>uKX04c~_~S
zlDhC*pCB=*6HbjFa;eV^61s*Hg&}ofFA9x-grq?O8pg(hh#A${cpAo@L(<(EWsf|E
zmi0UI9Gz=MEanEECXBj*Zq}zj6*Qv|uJH7Joj4C$gb5Qt6FBOg@5S?F{k!m_q$bK$
zcuJx*Xl%RnM5AHD3u!V`<@2FaqnyK&Zbc696Xhg>KnQ^zJgC}a}6grRoT;)njnv6DMJQrRV`xhrJSq|ic
z)uLWKvV?LpbS(lIU_GoHGI%|)c6;YU>P{wCAAY(d13PUi1CZpdS7kQetv;YF&ryk0@&
lFAkgB{FKt1RJ$Tppiv;piur-W2WCb_#t#fIqKFwN1^`n*D6Ieh
literal 0
HcmV?d00001
diff --git a/backend/auth_service/app/schemas/__pycache__/user.cpython-311.pyc b/backend/auth_service/app/schemas/__pycache__/user.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..74d031d79af2ad97bc331becd51617be231534dc
GIT binary patch
literal 4870
zcmbVP&2JmW72hR?yQ`6j_S`PBDjD2hu`Mv>L<6<0(0XE!+4Rh=qVDY{=&v9%7u=9Q6;vBmG*k~U%!m$Kk7yGdDH2FkIe^e{0
zYcHu$te82?&h4^-VQbqZOIx>@b;DwLqr#|0jf$b!6|0)7R4rz!8MbW}nXOsu+bXjw
z)6iBf6>X*!N|fcr1V**8%WztwVwQ>;E7EewELLpwEh;e`^rG{I&A!3`o^ronnE59a
z%L^@vH7oRP;mtj{WDfkB_XjmaZ(?m%+6UR
zKe?xz45*DhGx8?YfEzQf8I*#$?H^?;4zqh9-nx=jJw?}XdR_NaT?Znnd925D{oAUM
zZzB<1r=^^(Tj(d&2u=_LUcI=k8^vO&!nv{mzkoPu>PP7vNa_7dW_B|NWNm)O%&pSq
zmXZ4gDBVPsbvW2_GsiZKa(T0DLz}qysq#w;U6qR=sMwnz>Ro>=GU<@XRwC87zd!kp
zkADg{%YSqdSvQewCbISAy_`d`P+XF2B`-JF{(^I3-bpUF$%STep?-hwmO~bxxLiWT
zx^%Lf&qO-6!YsgNo5(?^$CrhHggN;UAYbv+bvW08#lRqISD$cyIc45rJ0@sT7<}6|
zrryF8CDksk8Mggh$)ehI;9k3><#r9r$W@qSr_%vz7`M&&RLbp+D`~|V#pVQxizt#P
zICEF9_7RFP6e$$^=$ElJej<=y8_(?5`IJMZIy!f5KXVcrZepXE*bo}uaL9&BP(l&Y
z;*36xqG{ms4jDa5qX(qNnS?$=sL!^;h5PylhvQC370`Lqi=xgSmUhfyZM;|Id2Bwp
zho))??0U`iyNY!l*5eipz9{e$C0nRSaGtX@-Ejn==~Kn`==@_`0|nA$e+|N~^J@;d
z*0JFQCz)}RnPxI0Y&hePj7u_YPMpv0IEgtoG1pAY2}b4|GUpPMPy{2ml#h{)jn@D<
zixEl&+c+LZJWQd&-UHbvT#u>`5v&BVLx9A5h{Am&!1>}nvR=kZyLP3Qu(DO!HuG>B
za@=0A@LsTDAWq!i95$fka>~4@Y3tx9=5v-FKAR@qA0t7RSDaFJ6#$QHl}hrE|`irePS)0H&oA<>I(TcrZ5QL)UeYK7T76nSAW)cPD2`V@XP-ioIzwJuHU
z#qm$5^ag+{>1fX);_AekSh#TnYdD#O{d-olu3;Mr^mcm-#OZQ%sYSRiE3x`=efj(4
z*2tJcu()Kb6(6my)>pq@JtT7I%AwRRjd!eT#$PH@KU9SJ-##60=t#DPh
zQ^o7z>Yj#{ZD`z0Pt``Sn~}>wdLw%Co7;gtBd;ny-jRtMd7D#A?^>b*-wg7iF^@#WCyDAi~%zS1MB5Q#r2k4uij;^cdH~9KH6u$@I1tAgcHM(g;QCx?g{ThVd=x#gYc57^WKeV57
zrtdjp^X}Mub8No;umLI5JQSDAw^9@P7x!)F=Ax5Ya#Ksq)KdMc#%~?61jQvwJOKT$
z{L`McNiiKWsoSWmVtGL5N4uCX#Ft6e~otanR$t)Deu8kEx
zMV~q3vknETPHN3ftu<3?f`T=Nthodw6yfbS!(bgg2jrLN@B>*@$J?m_ksZ9YD}G04
zl>0B{TdEi3s?R_e@adg`3sCqN6#6e4FY_gXPSwsosc!w5n1;swEdKIArkfOB`b4Ug(`*v3Qq4AyYlLVY~f#q8EXfsSQ=17ZLt@x)%W
z@x=MnZ6`kK#%G)H+4{oXs6%F{whbp(6HytFNRl@EGGM<@VRK6@+H~3B^-(FANurS=w)Fbv7|&ma$jvMe74f-*UjP^gl8(~+jnDlO@<
z<1Z~~-0_!|bkXsbLlTrTGA=Mk?!7$X$Z
f;UKx6#uGk*5na7t-xIj+UV$fsR@`?l#I5dsl%jpJ
literal 0
HcmV?d00001
diff --git a/backend/auth_service/app/schemas/user.py b/backend/auth_service/app/schemas/user.py
new file mode 100644
index 0000000..89b3152
--- /dev/null
+++ b/backend/auth_service/app/schemas/user.py
@@ -0,0 +1,57 @@
+"""
+Pydantic schemas for User-related data structures
+Defines request/response models for authentication endpoints
+"""
+
+from pydantic import BaseModel, EmailStr, Field
+from typing import Optional
+from datetime import datetime
+from uuid import UUID
+
+class UserBase(BaseModel):
+ """Base schema for user data"""
+ username: str = Field(..., min_length=3, max_length=50, description="Unique username")
+ email: EmailStr = Field(..., description="Valid email address")
+
+class UserCreate(UserBase):
+ """Schema for user registration request"""
+ password: str = Field(..., min_length=8, description="Password (min 8 characters)")
+
+class UserLogin(BaseModel):
+ """Schema for user login request"""
+ email: EmailStr = Field(..., description="User's email address")
+ password: str = Field(..., description="User's password")
+
+class UserUpdate(BaseModel):
+ """Schema for user profile updates"""
+ username: Optional[str] = Field(None, min_length=3, max_length=50)
+ email: Optional[EmailStr] = None
+ is_active: Optional[bool] = None
+
+class UserResponse(UserBase):
+ """Schema for user response data"""
+ id: UUID
+ created_at: datetime
+ is_active: bool
+
+ class Config:
+ from_attributes = True # Enable ORM mode
+
+class Token(BaseModel):
+ """Schema for JWT token response (login / refresh)"""
+ access_token: str = Field(..., description="JWT access token")
+ refresh_token: str = Field(..., description="Opaque refresh token")
+ token_type: str = Field(default="bearer", description="Token type")
+ expires_in: int = Field(..., description="Access token expiration time in seconds")
+
+
+class RefreshTokenRequest(BaseModel):
+ """Schema for token refresh request"""
+ refresh_token: str = Field(..., description="The refresh token to exchange")
+
+
+class TokenData(BaseModel):
+ """Schema for decoded token payload"""
+ sub: str = Field(..., description="Subject (user ID)")
+ username: str = Field(..., description="Username")
+ exp: Optional[int] = None
diff --git a/backend/auth_service/app/services/__init__.py b/backend/auth_service/app/services/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/backend/auth_service/app/services/__pycache__/__init__.cpython-311.pyc b/backend/auth_service/app/services/__pycache__/__init__.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..d972cd94b07f912d179d7e6ebe62663a1edd0d5a
GIT binary patch
literal 168
zcmZ3^%ge<81aV>OGC}lX5CH>>P{wCAAY(d13PUi1CZpdS7kQetv;YF2
hKczG$)vkyYXcow}Vtyd;ftit!@dE>lC}IYR0RWJ)DK!89
literal 0
HcmV?d00001
diff --git a/backend/auth_service/app/services/__pycache__/auth_service.cpython-311.pyc b/backend/auth_service/app/services/__pycache__/auth_service.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..b421c7768eabf3737378d2def492bcee99cccce8
GIT binary patch
literal 11764
zcmeG?TWl0pmepO=PnT`n4?nRfz!*327{ZVQ445&t39pz0n><>~_BLH*yP+RWRT*%n
zjiL=&d80^SqwEsROf;TVlJzFc$}2@$e`F;C(JUYHQEin(t0W|(Riw?&sv{C9%GaKA
ztE;-I-A;&<$=BSzeeV0#y|>Q$*1y)*`zZ)_M*lteFPkaqf3RQ#rkr`S3YnV}Pem!-
z!8=oqv@_~-V4hCVX(q~~T~QY)Gbwl46ZMe1E9Fi5qQ100>L+D)sxDdwV>~G~T_3F{
zb>37%x-r@ac^~gjZAv#qo6>=3fRyV}!E`7ZN{6H2baS-XK{+X*?qZ9vIHC0;2St4X
ze?3IooYb=v&t9ka`j4E@0{?PLJMSK+A`Q7||In;FEo9_mA}%Mh8BP+!%gKbmU6_@U
z89|b`RCX$v@E?z7_>>@Vv(V0o!c($I60$~T#TYajW0&^ujzWl9}+@*82&CHY}=um
zZ@%t|HbZ>?PND^RxA3iiZS7heBHOr*VYz+f43|j33*jcSA{V#gVhxniocx7^iN^;EEW83cw5oux*kQBpk?b-yInlIG@P!!ucyg@BE9W1%scbcMT65(i!P(LHO)KiW8MJX_Zs~ob(8*kW}eQ|i*9Rg
zBmWU(J~0aLa<)@)gIT1yDe;MUM&4AZSu`lEQUy8QnRon_;^{o|Tk3trz77ZV3an(F
zxyJC0@pA5p;|g_^eucW?h%mYKV@ZQkU6|v@8{pzRF9Jsz%XJd2!%YfuVmg_b(ixiB
z?K|fH7x9aDG9roy&2?p35Cst_iy)Qe5v~e}SztQ>DG^V_#aK2Y#DKG9Ak};pE(Tn6
zN)Q192$yq-VVnZz0Th+fGU9|Zo02t$AmQrQzt^b}a2)4c7{f~#gz+jL%*PI|H6NC8-4p3
z?r0}{r_%*_&5MVSiKm6X63)*;IAI&%7>7TW<2IlfqX#E~5=B|*M(l(Nu@?dIWw8sv
z76crEtq8UOh?MDq^xTfM-3WF7sHTdL743~D=eUgs!{~wY{V;8$m#?n%94Q2Ur3QcX
z7om+)E60_#QxNYt^t8a9R@u`EdwN6K5O>1TH4knimgN6R0zV50G}%bt+_@7YW4ZPX
z(Er5928gdYll-
z{6%nmWO+(y8-cjmq^AXTRAomMcJv2u-A8a8)b)66Y`*|IvNW#65{KE|>}V+2LnwK34(T!sc$HJYuA
zspP7kXdf@5+EEUR79G#111-*-cU?430rWW!l+BZXviJS0Dc$&kRa
z>#>cm|4EJ`ft_yWkeO-;~NAa$C_ciwwhumlMqEMgbe};Fn>G9spW9+MG<9(SH
zL?9Q@T?<^C%LrF=6Cs{RWM{$QaV05Fb7ijrcq?+j=gYnZPR?ezD?r$`I1sBo{*E5g|S@6_-rBp_R8dJDmBL?h@(Sy
zz6@|VC)fL(Ba-Vf9Vr~KG4yVxO+$1tEr2XlBGv>d(y>dzT(0F@S*_;cDVUiD8|f-|
zdnBzyp+0hryjgC)<$e)NsS9t@vJx7COsJRo_bUG<(9#NPCvuv6us2Y>Z
zfXf19h2|BrsT6t+h}NpnuqlnnipeRhsr-k_66UKXNqXkF}{We
zfh`XUkwnj9q-tm=)
zIsn%1IL7B+&@%;gLS-iucA^9a)BT~e^yICl|M1!euPKdtAwFo{{($RIx&6hCeQ>@l
z0XW~50Gw|NEQ4+el)O}6`-h38t+#sqaOs0fO4E}NErXt_HRu~Z)zVF-9W8b|SE~ma
z-q34PTZwY};7uCfM{amx<$!wdIi+m^;|pi?jCraC4h@fYO!}U=3Z~xGi;}QB^#07Cu8QNDObl|Iz>bRK7Eu
zu^eoEG*d@2{AjjTQ>V;3%U(7hwTchkt`UG9N?kNH&qd1EyT@##lfd|bEf6&NAs9$fM_vXD7P1xA0=*)XTx_d9K+b3!9yw#a^=RK27
zqOqAe4bcjE=Y29dv&vzyrhW-tJ|Ak__C1&Vd%kNvo+kc1$l3gR2ZyJH#3e2{smmN)
zcyXo=54_CCHc{Mh$qdMFxaOEj3EZo*f;cyp+cJs{IWB>7n1Y4OA!HH)3h%M8NPWcx
zsJk-o1avQ8FXm9`BTfy?qq_kmjgF^Mgtc3|8~%#dPnSE}aa=b5%|&Fb=GTQS7PNX}
z*@UNyqu6%`013^3GVh0^>?9-`(A|Xk3D}*4>zZYp2`->aCt;JXtJ+DJ_+$62T`R7&
zU5Ecm{%l@({^hkJFBf`VQF~q~1fyy&`ncv|sQu>HJ7a}Vw;JlcAL?BT^%g?A)X=Vl
z(T8oF3nz=4xrOH*wgTg2>LUc)V1OIHJFpmD3-&0%p5oRWH%?;B;l<YH&O>COCDT#QfV86SYVH+>=A`MQVe$97%+Z>1%U&y3t13x
zKps6j?4<5G{loj{yKLw1Zu;(S7vwcRUX5j9>nu{_3WWc3oBStFEkfn`u(7>pqirYH
zsBpV9PFZzW7)u*7=A9M#wA-ipIA}*4B|++zE%a8K(*W%`D|T}&DkQ71&Qp{3fREl;
zv0Q7-lL!6)UU}leE?+|mI^}|*!edQ51&;Y{a)rmmWm!ni$mFt!7l=L#*LSAw+g(wN
ztM8KVdI>3rc<_7RAar^~TT$GP097h+AA+p_G|!c|m;nwT9>yvp>jljub`AK;E
z6_SfrF0TY#@3Q&j*ERnGPVq4SUHf_%Zo40TVlDi{(n+=NP$7I+4Ifq-tK$OmurXMo
z9KKfKEkVs{%X>L>%iiS?b>Hzq;|aC#M5P(^i_lxwh)W*vf9%aMrDJTh`}19pKrFCl
zRQ8O*o*|Qc;ca-k?#((SbaG|iXNMtySn!@wy{8oKsbXVrp-x14ActfVxG1&=!ryxg
zgtxPE8=Awlk%6vxItFv;fw(_Fbn0QzM0%qJQ@a4O&PrSvmC>fiwvPTj!Rnx7i^HY%
zwHA;IZF3I*+ShUqLfS(l=-INX$?`beO^IuTuwI;{~=
zc@T?-5FqJQC{7ocgIKo>fN>o_+@ge1kqT>G2L#BYbut9w3BMS~by=;T_3gidxuhL{
zbQW^#T?_XvwG_fns^KS<#_G7h08vzk?P1$CxZZ6jIlVxfKbggXWJ@fTu_fkKz0x`c
zarJ|AT$Hex&Yxa0RX(4ni!jhg9~E!X6@g!FDz0fw>LI`0>z=qnoHZ
zoBYFD={xO*hBwo9H@hG&A~Ju;1AyDiOUW6{l}dsEZQ~gzjtI{{XYEgM!JT*5IZJIm
zQGIPq)NYd}Y;e{6LuxnjzjeV*v9-mly-y9^5Se$$fy&giUBAG6T(zisib^;Mg}bhS
z+Z5D!NG+-|o$Gm4khv5%cev~%xN%ZMKuTP1oKJ&lJUN>Ie-pSjgeZe66F!&)+CJLb9(>;NF)$%2H1
zpzF2uc-;XjCGu6uwOL8p*7Qdl{TYDDrFXMMpX~una#1b>`_y3H{ovlU;NIn@e(asc
z&B1pD3&HJbaQpq>&b8pqLNKBRBMKWal+R|AyE-tH&w=Gvm9_zh1@@rI9#q(a#b9{h
zMCE6wpUp^QczD-`jvQsEJBH`&j2c@-DW{;{GMYmUI_N8
z!CtV)h#>kQw-{mb2HJuH$m!F8iMEGV;G>Ph5DV;}$_^^*U@_Qw<0<23AZ?o=8Lkg`
zhU%%?_5PtF^zD|;p#l2#fD7_t5hoE2;smTe(uyBX5yx{(^T%T8EI*qPVlj=4#a^9_
zr^+p!Sd7mmVlfeqPsH!3#3Kk$Ptu*XJ($~tfG8Gdm59dxXfAnnCMAf^VFlj4i7#L+
zb0M2eiQ|~1!S}2&$jHQ3u>CxMf1`9Yw;3yt`4SLCZ?aKbuka(F
zk|d4QU{{kXv_DraB(GuYx#RSmXzUBD*+
zEWr>+R`g_*zqjx6i=?I+z?rozO<*lx>IOi6jray59pc|YqBTpers64}s`OmHa8>S)
z3EkoEnT&%{Ig_+pEO_vXF3@!~w>&q4b|a#vRxeG*
z!Hn$()D}{bE+bh97Z8{F(Hs>CvLbG34YP7GCG|`20U3V(s$WXrMTUs>g60GH21YPA
z|HWTpvS^<`5hr>~F(hhhX2>g^|k3#LX#v-*%
zsTGS`+qztfvW%j
literal 0
HcmV?d00001
diff --git a/backend/auth_service/app/services/auth_service.py b/backend/auth_service/app/services/auth_service.py
new file mode 100644
index 0000000..d30a5ff
--- /dev/null
+++ b/backend/auth_service/app/services/auth_service.py
@@ -0,0 +1,191 @@
+"""
+Authentication service business logic
+Handles user registration, login, and user management operations
+"""
+
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlalchemy import select, or_
+from sqlalchemy.exc import IntegrityError
+from fastapi import HTTPException, status
+import logging
+from typing import Optional
+
+from shared.models import User
+from ..schemas.user import UserCreate, UserLogin
+from ..utils.security import hash_password, validate_password_strength, verify_password
+
+# Configure logger
+logger = logging.getLogger(__name__)
+
+class AuthService:
+ """Service class for authentication and user management"""
+
+ def __init__(self, db: AsyncSession):
+ self.db = db
+
+ async def get_user_by_email(self, email: str) -> Optional[User]:
+ """Find user by email address"""
+ try:
+ stmt = select(User).where(User.email == email)
+ result = await self.db.execute(stmt)
+ return result.scalar_one_or_none()
+ except Exception as e:
+ logger.error(f"Error fetching user by email {email}: {e}")
+ return None
+
+ async def get_user_by_username(self, username: str) -> Optional[User]:
+ """Find user by username"""
+ try:
+ stmt = select(User).where(User.username == username)
+ result = await self.db.execute(stmt)
+ return result.scalar_one_or_none()
+ except Exception as e:
+ logger.error(f"Error fetching user by username {username}: {e}")
+ return None
+
+ async def get_user_by_id(self, user_id: str) -> Optional[User]:
+ """Find user by UUID"""
+ try:
+ # For MySQL, user_id is already a string, no need to convert to UUID
+ stmt = select(User).where(User.id == user_id)
+ result = await self.db.execute(stmt)
+ return result.scalar_one_or_none()
+ except Exception as e:
+ logger.error(f"Error fetching user by ID {user_id}: {e}")
+ return None
+
+ async def create_user(self, user_data: UserCreate) -> User:
+ """Create a new user account with validation"""
+
+ # Validate password strength
+ is_strong, message = validate_password_strength(user_data.password)
+ if not is_strong:
+ raise HTTPException(
+ status_code=status.HTTP_400_BAD_REQUEST,
+ detail=f"Password too weak: {message}"
+ )
+
+ # Hash password
+ hashed_password = hash_password(user_data.password)
+
+ # Create user instance
+ user = User(
+ username=user_data.username,
+ email=user_data.email,
+ hashed_password=hashed_password,
+ is_active=True
+ )
+
+ try:
+ self.db.add(user)
+ await self.db.commit()
+ await self.db.refresh(user)
+
+ logger.info(f"Successfully created user: {user.username} ({user.email})")
+ return user
+
+ except IntegrityError as e:
+ await self.db.rollback()
+ logger.error(f"Integrity error creating user {user_data.username}: {e}")
+
+ # Check which constraint was violated
+ if "users_username_key" in str(e.orig):
+ raise HTTPException(
+ status_code=status.HTTP_409_CONFLICT,
+ detail="Username already exists"
+ )
+ elif "users_email_key" in str(e.orig):
+ raise HTTPException(
+ status_code=status.HTTP_409_CONFLICT,
+ detail="Email already registered"
+ )
+ else:
+ raise HTTPException(
+ status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+ detail="Failed to create user due to database constraint"
+ )
+
+ except Exception as e:
+ await self.db.rollback()
+ logger.error(f"Unexpected error creating user {user_data.username}: {e}")
+ raise HTTPException(
+ status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+ detail="Internal server error during user creation"
+ )
+
+ async def check_user_exists(self, email: str, username: str) -> tuple[Optional[User], Optional[User]]:
+ """Check if user exists by email or username in a single query"""
+ try:
+ stmt = select(User).where(or_(User.email == email, User.username == username))
+ result = await self.db.execute(stmt)
+ users = result.scalars().all()
+
+ email_user = None
+ username_user = None
+
+ for user in users:
+ if user.email == email:
+ email_user = user
+ if user.username == username:
+ username_user = user
+
+ return email_user, username_user
+ except Exception as e:
+ logger.error(f"Error checking user existence: {e}")
+ return None, None
+
+ async def authenticate_user(self, login_data: UserLogin) -> Optional[User]:
+ """Authenticate user credentials"""
+ user = await self.get_user_by_email(login_data.email)
+
+ if not user:
+ return None
+
+ # Verify password
+ if not verify_password(login_data.password, user.hashed_password):
+ return None
+
+ # Check if user is active
+ if not user.is_active:
+ logger.warning(f"Login attempt for deactivated user: {user.email}")
+ return None
+
+ logger.info(f"Successful authentication for user: {user.username}")
+ return user
+
+ async def update_user_status(self, user_id: str, is_active: bool) -> Optional[User]:
+ """Update user active status"""
+ user = await self.get_user_by_id(user_id)
+ if not user:
+ return None
+
+ user.is_active = is_active
+ try:
+ await self.db.commit()
+ await self.db.refresh(user)
+ logger.info(f"Updated user {user.username} status to: {is_active}")
+ return user
+ except Exception as e:
+ await self.db.rollback()
+ logger.error(f"Error updating user status: {e}")
+ return None
+
+ async def get_all_users(self, skip: int = 0, limit: int = 100) -> list[User]:
+ """Get list of all users (admin function)"""
+ try:
+ stmt = select(User).offset(skip).limit(limit)
+ result = await self.db.execute(stmt)
+ return result.scalars().all()
+ except Exception as e:
+ logger.error(f"Error fetching users list: {e}")
+ return []
+
+ async def check_database_health(self) -> bool:
+ """Check if database connection is healthy"""
+ try:
+ stmt = select(User).limit(1)
+ await self.db.execute(stmt)
+ return True
+ except Exception as e:
+ logger.error(f"Database health check failed: {e}")
+ return False
diff --git a/backend/auth_service/app/utils/__init__.py b/backend/auth_service/app/utils/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/backend/auth_service/app/utils/__pycache__/__init__.cpython-311.pyc b/backend/auth_service/app/utils/__pycache__/__init__.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..bba665dbba9b906f0317a8c2eb8c0d7fa25a9f85
GIT binary patch
literal 165
zcmZ3^%ge<81j%9RGC}lX5CH>>P{wCAAY(d13PUi1CZpdS7kQetv;YF-vz7GrR?k^Y`6GRw5fPqDT%Qr1_3mE=%
zRXrrdq3nYe$Q^LaVRcV;S3jz%tE+1MB^(YCNTI>sr2eg*kU!!}Ir&P3%>qZr19Fwf
zWSq#H>`HUv9LrtfE|$B;-7M$FdC1*qPsTIu$#}=T9QNnazKnm|&&sZJAQK!HSlN>f
zWy0fOD0{~vvTr;pyQE!;UlFG3%1dY|7l=|X`_I6e9H?%eaLK`s`0)l=P-4&$o8aXT
zyf?~Wc#p8UrU|bcg}UAHUU`?&EZ4yd-mP&NmRGL-$TQv|H!uvp(!A9UBgO!`Rc@@z
z&;;*or5X1qO)#s=(SJ9z?=6jmD{6-KeR4|$zZKqJsmv8~;I=`VXt&8Oz}*Ay?Xqi>
z#P`j=6&zKPd79Ga#JrwLr}UJfi4!UnbCRabs8klGByB2{ofM_4EWY#8F;Q1oBPH
zeF$(B*$n#9)AAN2wR0HiT1)pNt??i#SvVom{hY_C5e0M
z9v*|u?UI$GDl4!LEvIHRMT>i=ALg?BQc7i;v-}fO%_Qs?DU}T{G;%MUP$k110
z6Ib=Tr@!|G4sv5gN!?O!+>(+&ZTW_j*QbDJ^lmDt+>mm)8^|o}hF0QTcW%xKOe(rf
zLJEhDG{awe9l(FWuR#9nCH_Xkw`aXsG@Ik=p*Azr@tEImyIO*OA^`pi!BQByg<1^0
zneGBi%U>3PBplXC@<0jcytxVhI8fC#T`B7oIur6W_a)Rnsht_9Z$u4-GV#RQ(Z=SPAfqzfR{z}E5(#k__>ek)1maysi^b6ykmDTSQ@
zMc(QxX($mo1r*j7nD3=(J}Ya_J$Zeit0(TYy!Kd@Z&Jx>Qd+mdZ}p8_zcQ8>xqNlF
zf7J5g!OG28UL}hRx4gFW#ND(3_F?f1hjmh94QT|6rl`cMFk&XkE2pnOT|4}>0RX`1
zAPLpqJNLz2LpW9xj+w%-LjQWW;oi;Vo?pN5t2Z8=F1DRA+fJ>H6~nz|xVJF4Ce(d;
z_LH;AyNg1*DYP4WyUqPbE-j_9m3gcvP77zZJaMvea9~~(XI$jw=Kvm%z)QpeSX_+-
zeeERIh{yuBvwluN7$pZt^2k
zdKH5wp-$7G)!uZa#UUDFG_Q!MiAtjeYEe&49Tf+qw5EtEhz^}eX$nK4O|aF$I8S#&
zZuyc^O7eDYhPL5bU|=?>FfAE(Q4wk=V
zpM)AW20VzGH!VN!_i3=8=
zRC99_N4C6qJ(*Q!DC%7MI*P%7iGiP8xj1ru?BeC&#D&XOM?g{Kb9k{^?&%rb7S{;&
z8y)By85m1k8n|wS@%{YJ+m}Z!j$L>cZoOA=$U`_uKvxrG1!v2NCD`wB0>;yj_Mq6x
zQr?hcdrR26O0Zqg)6fV1+Q$Gu(*2~a@j>91fqxJ_6ABlf`eGo(p7*%*x|YvgDc0>b
z>-MkQEY_V|@-BJ5+p7EG`oAa4*RLBLU%OL&81aIMxDsej*7!-wpI~>NCqn+sSU?{^aL!O?m>X7qbCuZ0$?=`
zFx4WDrY5rzn1jjyr7E@RE@s*AV<_~j3e;u~BKS%x(5h8uL&+|42-P|0J_vs;1He|F
zF`MgGzqo83eCwMl3G+(ExSTcW)ndJB)~idtwP@2)bf0c1ROa1Z89M0svH@=oEeK
za@tS}T(ts}-Cy%gi>daSjCC
ze*>0f@%mg&`5tsUp>Y6EjpvnVmQoj{5*%FF3w9BkyK<%3W0nqmKMXJmf2|7uJM>L$
z#=+MN;dOYxq7n8j>t9@7{fW_Wy4Z2r1Ss^FLXW}su!HHKA)X>eL+}@YhSk>R0&!AG
z=59l0Si1|21}9ZN0_yjZFQIkovT|Z;E*TWH1Ix1`EN=~#Z%0`E8mz#Mu!5sR7T`Jw
z&EI4)aIJj6%e)mcilS?1-zwQjeM+RtojhFd=qkQB$!Cfnza|I7(A_G?uxP@`n
z>wCQY;;zB@BUj44WF`+b)h$pZx|miZDEEj-a0sQOu24-(tJz5h-;igh2R8Ar+Wy`G
zx!Jr3nr{VawkIcVu8{{ENA9)AAV^%N1A~~C*
z=jOZEw%}lF31^uc-DlEj670Kk-IeZ1Sji^ZVz#ekM7rQvzO!`a)45OPK7Rk+`*uw=
zWI~F>Iprh{_>?-DqZJCF{$y)TN?=l^!EaXR{}z!b>KL0$X>|rz`VPETlZd_x6@MXd
zCIE#FBS4>Wr(0(8|KDy|PEDrtA7sm^ZCmc#0hihQFJ|pN7_cJ$ew2Ti+$AOX4#;2!
z#9i~P?Qb49*zwn|9`1}Mj&z-U@8(jR1RX&6ZB1W=asJ|oh%
z`je$QM(nr|Jq|B5PlfHT?SKYaPD!Su^p;kLyT<10D~J$ufnx}20-{asw34;lQg$xR
zF^^fp>!;))x4!)N(reJ|J>0~90ATL2Us&q-`Qk^5_wPLMH5wP>Fa?fXuM*avpy
z0_4R=mkChlGKDU@)Q7mW=p`e1>4)fb9>#jph`!0jLh?QC1W=6hnE-`8Q|QAP--TX7
zMs(<@&|wH2+b_9_uZ8BG^OD;N%k0$uc3x{MsED^Er?O=t_~X$F=eth6{#VRv7S#z+
zg3Dt9Oogc`yF!yDlu`ukwlW6{RVmyV-ON9Z^Og@i?sV#w<%N(Nj8*cGr<7SZAd02~
zyV2CEX19=F5fR&4K;9w=G*rk1@|^&|kmZhFAN|$Qm6>AeF|!q-BF9bP__spu6QQ>#
zoH2zn27iVT)biya$d*XSj$??F{Sf|}e*jPlJEE|a(iU}VqZnYMReVcAAZ!I#k1Cjp
zu4<3eNzD%-X7Roo4!Ha8_(k`Edj(CHZAo@7xc-s+lS{97jxY;xx(U@Iaj*vFNB%v#
zpsS2O7WPsnsg#>a!R3~o6Dh=d)r^yUM;Wsqe*t$Qhdw!E)E`^v1pv=CC*Jzq+r{9J85}bB7d&giuENmv6OJoqa(E94+vTvrx`dxe;@vOc6U4o7FyNh&RnC}qj4F4*
z+XoksT_+_c5si`iP9}Z#7o5t@Pdbf;<16m~fTtKdVFpha{7WCkB-=*bZ}}1lSxqJq
zESyV!28*!67=ME$Ja^3dwY=aN0|_YJ16G)Q1nOqrkW#AUD-|ey1hc~S7p89T047qC
zb|eHpCtRcu#@`x=6xeT#1Pkm}RnuvZ7d&gE&2TVrzCDTpA9dmYk>J;?FOlX
zmm|jt;icJS|K|}iddMK%@Dxe+hS$fnEH{6?Z-YRg7S#K={mWowLAGLNtXu`^1+EdB
zAbWg(WxszpmDyGPpFd#5
zTF~m@e)O4q
literal 0
HcmV?d00001
diff --git a/backend/auth_service/app/utils/security.py b/backend/auth_service/app/utils/security.py
new file mode 100644
index 0000000..8f5f294
--- /dev/null
+++ b/backend/auth_service/app/utils/security.py
@@ -0,0 +1,148 @@
+"""
+Security utilities for password hashing and JWT token management
+"""
+
+import bcrypt
+import hashlib
+import jwt
+import secrets
+from datetime import datetime, timedelta
+from typing import Optional
+
+import redis.asyncio as aioredis
+
+from shared.config import shared_settings
+
+# Auth-specific defaults
+BCRYPT_ROUNDS = 12
+REFRESH_TOKEN_TTL = 7 * 24 * 3600 # 7 days in seconds
+
+# Lazy-initialised async Redis client
+_redis_client: Optional[aioredis.Redis] = None
+
+
+async def get_redis() -> aioredis.Redis:
+ """Return a shared async Redis connection."""
+ global _redis_client
+ if _redis_client is None:
+ _redis_client = aioredis.from_url(
+ shared_settings.REDIS_URL, decode_responses=True
+ )
+ return _redis_client
+
+def hash_password(password: str) -> str:
+ """
+ Hash a password using bcrypt
+ Returns the hashed password as a string
+ """
+ salt = bcrypt.gensalt(rounds=BCRYPT_ROUNDS)
+ hashed = bcrypt.hashpw(password.encode('utf-8'), salt)
+ return hashed.decode('utf-8')
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+ """
+ Verify a plain text password against a hashed password
+ Returns True if passwords match, False otherwise
+ """
+ try:
+ return bcrypt.checkpw(
+ plain_password.encode('utf-8'),
+ hashed_password.encode('utf-8')
+ )
+ except Exception:
+ return False
+
+def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str:
+ """
+ Create a JWT access token
+ """
+ to_encode = data.copy()
+
+ if expires_delta:
+ expire = datetime.utcnow() + expires_delta
+ else:
+ expire = datetime.utcnow() + timedelta(hours=shared_settings.JWT_EXPIRATION_HOURS)
+
+ to_encode.update({"exp": expire})
+ encoded_jwt = jwt.encode(to_encode, shared_settings.JWT_SECRET_KEY, algorithm=shared_settings.JWT_ALGORITHM)
+ return encoded_jwt
+
+def decode_access_token(token: str) -> Optional[dict]:
+ """
+ Decode and validate a JWT access token
+ Returns the payload if valid, None otherwise
+ """
+ try:
+ payload = jwt.decode(token, shared_settings.JWT_SECRET_KEY, algorithms=[shared_settings.JWT_ALGORITHM])
+ return payload
+ except jwt.ExpiredSignatureError:
+ return None
+ except jwt.InvalidTokenError:
+ return None
+
+def generate_password_reset_token(email: str) -> str:
+ """
+ Generate a secure token for password reset
+ """
+ data = {"email": email, "type": "password_reset"}
+ return create_access_token(data, timedelta(hours=1))
+
+# Password strength validation
+def validate_password_strength(password: str) -> tuple[bool, str]:
+ """
+ Validate password meets strength requirements
+ Returns (is_valid, error_message)
+ """
+ if len(password) < 8:
+ return False, "Password must be at least 8 characters long"
+
+ if not any(c.isupper() for c in password):
+ return False, "Password must contain at least one uppercase letter"
+
+ if not any(c.islower() for c in password):
+ return False, "Password must contain at least one lowercase letter"
+
+ if not any(c.isdigit() for c in password):
+ return False, "Password must contain at least one digit"
+
+ if not any(c in "!@#$%^&*()_+-=[]{}|;:,.<>?" for c in password):
+ return False, "Password must contain at least one special character"
+
+ return True, "Password is strong"
+
+
+# --------------- Refresh Token helpers ---------------
+
+def _hash_token(token: str) -> str:
+ """SHA-256 hash of a refresh token for safe Redis key storage."""
+ return hashlib.sha256(token.encode("utf-8")).hexdigest()
+
+
+async def create_refresh_token(user_id: str) -> str:
+ """
+ Generate a cryptographically random refresh token, store its hash in Redis
+ with a 7-day TTL, and return the raw token string.
+ """
+ token = secrets.token_urlsafe(48)
+ token_hash = _hash_token(token)
+ r = await get_redis()
+ await r.setex(f"refresh_token:{token_hash}", REFRESH_TOKEN_TTL, user_id)
+ return token
+
+
+async def verify_refresh_token(token: str) -> Optional[str]:
+ """
+ Verify a refresh token by looking up its hash in Redis.
+ Returns the associated user_id if valid, None otherwise.
+ """
+ token_hash = _hash_token(token)
+ r = await get_redis()
+ user_id = await r.get(f"refresh_token:{token_hash}")
+ return user_id
+
+
+async def revoke_refresh_token(token: str) -> None:
+ """Delete a refresh token from Redis (used during rotation)."""
+ token_hash = _hash_token(token)
+ r = await get_redis()
+ await r.delete(f"refresh_token:{token_hash}")
diff --git a/backend/auth_service/requirements.txt b/backend/auth_service/requirements.txt
new file mode 100644
index 0000000..f31887f
--- /dev/null
+++ b/backend/auth_service/requirements.txt
@@ -0,0 +1,31 @@
+# Weibo-HotSign Authentication Service Requirements
+# Web Framework
+fastapi==0.104.1
+uvicorn[standard]==0.24.0
+pydantic-settings==2.0.3
+
+# Database
+sqlalchemy==2.0.23
+aiomysql==0.2.0
+PyMySQL==1.1.0
+
+# Security
+bcrypt==4.1.2
+PyJWT[crypto]==2.8.0
+
+# Validation and Serialization
+pydantic==2.5.0
+python-multipart==0.0.6
+
+# Utilities
+python-dotenv==1.0.0
+requests==2.31.0
+
+# Logging and Monitoring
+structlog==23.2.0
+
+# Development tools (optional)
+# pytest==7.4.3
+# pytest-asyncio==0.21.1
+# black==23.11.0
+# flake8==6.1.0
diff --git a/backend/requirements.txt b/backend/requirements.txt
new file mode 100644
index 0000000..fc0c210
--- /dev/null
+++ b/backend/requirements.txt
@@ -0,0 +1,33 @@
+# Weibo-HotSign Unified Backend Requirements
+
+# Web Framework & Server
+fastapi==0.104.1
+uvicorn[standard]==0.24.0
+
+# Task Queue
+celery==5.3.6
+redis==5.0.1
+
+# Database
+sqlalchemy==2.0.23
+aiomysql==0.2.0
+PyMySQL==1.1.0
+
+# Configuration, Validation, and Serialization
+pydantic-settings==2.0.3
+pydantic==2.5.0
+python-multipart==0.0.6
+
+# Security
+bcrypt==4.1.2
+PyJWT[crypto]==2.8.0
+pycryptodome==3.19.0
+
+# HTTP & Utilities
+httpx==0.25.2
+requests==2.31.0
+python-dotenv==1.0.0
+croniter==2.0.1
+
+# Logging and Monitoring
+structlog==23.2.0
diff --git a/backend/shared/__init__.py b/backend/shared/__init__.py
new file mode 100644
index 0000000..980d9ff
--- /dev/null
+++ b/backend/shared/__init__.py
@@ -0,0 +1 @@
+"""Shared module for Weibo-HotSign backend services."""
diff --git a/backend/shared/__pycache__/__init__.cpython-311.pyc b/backend/shared/__pycache__/__init__.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..057a5fc582860066c15756e4d5369340244edaa2
GIT binary patch
literal 221
zcmZ3^%ge<81jo$RWm*F1#~=<2FhUuhK}x1Gq%cG=q%a0EXfjn924^G|rKTw4=BJeA
zq$;H47b%3NW+vt9dgPY`XQt;VBqb(ir{<+76sH!IWhSQ<>-lLi-eQlBPsvY?k6+2~
z8D#P=Ll>)<m~xQb7^t3@lGNgo;ut->m}0OcG4b)4d6^~g@p=W7zc_3lR@xP@
b0ZjlouvidCd|+l|WW2#(egTGxSb(Ac^PD~d
literal 0
HcmV?d00001
diff --git a/backend/shared/__pycache__/config.cpython-311.pyc b/backend/shared/__pycache__/config.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..2d6f344035987083f8b6b8732e970b17f742a677
GIT binary patch
literal 1465
zcmZux&2Jh<6rWuNj0qo!T_+}0)h#`_2@usSQE60_U>cJ+-~v{f71DIQJGNI{cAc5E
zBXgov4?c2B{sLE3r1t;l38Ws-UVF-o$T|7cHv`zU+}YX3`@N50-tW!MZ;3<dArs@ggzJYf#^pJ{Z=mfx<
znF;CG3OCV8r2BKMxo0qHX{P7y*t-YJ@NLi4c08sTj-x%J_O_Q@_xz^4>uTGE`4e?5
zjZ=1Lo0R8b8=hftz`k$0yIk90UPq(uq0KzELtS4xG?;B{JCth&93r&+Bg=4o+sw{V
za$
zC2>}jW|++5TvB+2v~Hnu#9ugf4BL}RF`s9i=NI=4&R=@W`quGG!`bt=pMNRnCwrdH
zf&L)AR%(?VmYNl^)!67RL)UB$$>-t4!s`96^7n%IMrEzqltH)5J;U9l*$&OxZg!t}
z)`2M+93&qJB~-w#pBi)kdjR
zt=GtUeXG$7mdf?|lWK)jYURfBP3eGjF7-{B(sp_il#9O2x@LudOMJF;naf;R9>i7`
z=ingKR>DD)5ZCBXLV_3}9jL$&dYq6K2Zl5CBuzLxgj1K>zI{l8DCCkI+o8XsQ?ZM)
z{93VXdKPUw0+8b-p=LPTz&-*BEEv${!tK_?1QBs`!>8>aM3$|M(K}^lcUA-
zaa24^RLDd`Z6(RB3vfe-1rWg;A(m$n!Xg5NxX*$VA%^REzWmrYxaLH3R0weau(*u0
zU7sZc6brK@A>{wu5}LRUq?iYV{|Vw^b3HV|g#j*%BPjj7(%a~NI>4JShj0&uO2hX4Qo
literal 0
HcmV?d00001
diff --git a/backend/shared/__pycache__/crypto.cpython-311.pyc b/backend/shared/__pycache__/crypto.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..8f093533bd1935d535d5e638f8f4d48fd821546e
GIT binary patch
literal 2590
zcmbVO%}*Ow5Z`Ybua`PdLxH5-w5G%a3?Y;xfTAFvX^=vs5~UKdWUal=VTt2KZ`V+e
zUAby|%ORB_#cEU4hlo;9RUCTY81*mkqLqkNLW)}T&>K?JOD^fWwY@P;$)V5o%=?%(
zZ{EE5&G;ut3Q(k7{8c;PDe6ymP$T{te~zK^kW#5dN~KjMLod=UXBHXYY=*tdEpjxa
za)?)XB&0c2_?lbvsXiF{kpOdk#3MeG+F9SzASo5JfWrlx1*Az4MB3;P`(
zR@M@C(7GdFWae--MSFHo6kM8O;rHAG@{lqc)|S0~o+>j9d%UhnZ-UIWCwFvICVF3M
zn=rHO&B8UAjma5=wN)f5^7)a$WqIP*#nbAZWy6u{h|!NR7Mh)nhB`PC#|7B%Z_)s1S*+ejr8aFR|_3O+OkmZ
z<@u&C@YPoudGlEX;TUbqavg`%|I+Kr3wd9f;EBn71r`KkXtPxeLByr1psIz|nr1G^
z4Va4sT=7p`+!*8Tfb2h$(pHubCU2NXj*Sk;+A85u`H$iQIjMt^q++14(ZOm2s`j%R)cp!$*PHJ++vcV9HFYwX@PURxJGV#^I1Kc
zLQy|{3j}ed`X@515Ah%7B$<~HRQ11xU>lnoI#9-2Jkmzl#n^*N4
zeh((efyTE$iqt=?RO^X*pWR>h;e$s5meglUeZ`NTcAVVr7~1O?+G*JzzOpxbVC
ze9a!dW_8Tj9dlpaD9+typLIvdhSl9);W`h(J$AUa^5G>bJZ^`__rp_r;i)HmR(Q@1
z&lTqnq;^|6RZ2g~SkhTrI=e58>`5a#7c6PQmL}jhv8yyz5l>gR)3_C^!lwv%7f6aY
zyxu&dwY>>xO)*zsk4cbCiIAX#)QE2yaz4yJy=a^%2!J7CN3AV;_T?F~0inxYKhOQb
zZi3XdCt2|2edPunbzKyd=kr2SM)2qTWe=yXBq^v}N3jKH;Wxf_gLS4_VdQ40tYEaN
z={X~_Uav?Z$RmD^WWMrmd(JF-IwZoS$UqVKI2d+`YlMjcX@8SdWLS}dIh1-ZgJ6UO~9p^%8
z6_R;+9e2V4AkhnvDtcI`m{rZ)WOolCq3k{jKr6SG7s@xwHy?N1XNz+O
zQmBrnEmV<4Eos!2Mj^^W9s8l^UMRZNzmu{;<92AgcNeVql^1!e(%+*dSAcSZz`1{pwuq^
z9X})hpUq(|rJ1q2fyN79&<18PyKfEbwml$iGN5g086W981Gnv>eT2E(W*+yL&;6du
z3eTK&p#TM7)!bXcn=+@IaR21I4jfvn!iyN`_KIu)BTI}vfX3p+`QoD_?!}x1*YEur
z2rh?dB6-kD#UNC{NX7kF#auRvUrf#h(d2qE*7R;HmG)PMDo&HI|JKsw+YeS(?$5$k
z_UfxcE<$q~$Wat=DSM;7rYuyU_6B$i*SU5DS0j-`_CdP<6m4V+b{7zk8EXO)WM+$C
zw`Ak&{X8NF1F6D|0a
zC}q6!Cy&?C&RQ5f<_YU4E|u&wn;rRkC^+lPnQ0Ekx;jhUojXMpbD0wI6v9);T&OQ?
zSL@qHmotx+-3<1@ad+_^zHC|mnwqNGV_b!CU+NN0q(-u9ypdsHE-o55BUjNdj4<19
zGO>r&IxwiA{D{68*JWML9&iwLQzL(
zP*E}V0hijzWAM!}^lL9l6U7rHOtTFqr~5E^{|#MB*;qRGATT11n81ZR%^{J?=rmR3
z4Fn{z3iXrwMD8G?Cr)oZdG%A~kXkVV0|mc^=oh9bj|3p_PSk`M%}J<)p!^u>%tH$4C}%)s26)7u45QC=Np#7GkzkKz`r<-
zRK9XeVw~CZEX?nkSIg(x^REt4HtO@1ID;2vHS!}uMl8$9Y}=w481TV5H-)qR_wB%i
z>Gxmex)x51@bXfw{vo-V{`M%>|Ai&^xv_m>IV)7HYZ)MHSE?C7y;H1Yj&ZuMaD0=!
g{N?!{pDJfE&$xW39ovs6f?LZ<#%E%G1o_Ng0fH4hsQ>@~
literal 0
HcmV?d00001
diff --git a/backend/shared/config.py b/backend/shared/config.py
new file mode 100644
index 0000000..7a80a83
--- /dev/null
+++ b/backend/shared/config.py
@@ -0,0 +1,31 @@
+"""
+Shared configuration for all Weibo-HotSign backend services.
+Loads settings from environment variables using pydantic-settings.
+"""
+
+from pydantic_settings import BaseSettings
+
+
+class SharedSettings(BaseSettings):
+ """Shared settings across all backend services."""
+
+ # Database
+ DATABASE_URL: str = "mysql+aiomysql://root:password@localhost/weibo_hotsign"
+
+ # Redis
+ REDIS_URL: str = "redis://localhost:6379/0"
+
+ # JWT
+ JWT_SECRET_KEY: str = "change-me-in-production"
+ JWT_ALGORITHM: str = "HS256"
+ JWT_EXPIRATION_HOURS: int = 24
+
+ # Cookie encryption
+ COOKIE_ENCRYPTION_KEY: str = "change-me-in-production"
+
+ class Config:
+ case_sensitive = True
+ env_file = ".env"
+
+
+shared_settings = SharedSettings()
diff --git a/backend/shared/crypto.py b/backend/shared/crypto.py
new file mode 100644
index 0000000..9ff196a
--- /dev/null
+++ b/backend/shared/crypto.py
@@ -0,0 +1,44 @@
+"""
+AES-256-GCM Cookie encryption / decryption utilities.
+"""
+
+import base64
+import hashlib
+
+from Crypto.Cipher import AES
+
+
+def derive_key(raw_key: str) -> bytes:
+ """Derive a 32-byte key from an arbitrary string using SHA-256."""
+ return hashlib.sha256(raw_key.encode("utf-8")).digest()
+
+
+def encrypt_cookie(plaintext: str, key: bytes) -> tuple[str, str]:
+ """
+ Encrypt a cookie string with AES-256-GCM.
+
+ Returns:
+ (ciphertext_b64, iv_b64) — both base64-encoded strings.
+ """
+ cipher = AES.new(key, AES.MODE_GCM)
+ ciphertext, tag = cipher.encrypt_and_digest(plaintext.encode("utf-8"))
+ # Append the 16-byte tag to the ciphertext so decryption can verify it
+ ciphertext_with_tag = ciphertext + tag
+ ciphertext_b64 = base64.b64encode(ciphertext_with_tag).decode("utf-8")
+ iv_b64 = base64.b64encode(cipher.nonce).decode("utf-8")
+ return ciphertext_b64, iv_b64
+
+
+def decrypt_cookie(ciphertext_b64: str, iv_b64: str, key: bytes) -> str:
+ """
+ Decrypt a cookie string previously encrypted with encrypt_cookie.
+
+ Raises ValueError on decryption failure (wrong key, corrupted data, etc.).
+ """
+ raw = base64.b64decode(ciphertext_b64)
+ nonce = base64.b64decode(iv_b64)
+ # Last 16 bytes are the GCM tag
+ ciphertext, tag = raw[:-16], raw[-16:]
+ cipher = AES.new(key, AES.MODE_GCM, nonce=nonce)
+ plaintext = cipher.decrypt_and_verify(ciphertext, tag)
+ return plaintext.decode("utf-8")
diff --git a/backend/shared/models/__init__.py b/backend/shared/models/__init__.py
new file mode 100644
index 0000000..d8c6290
--- /dev/null
+++ b/backend/shared/models/__init__.py
@@ -0,0 +1,18 @@
+"""Shared ORM models for Weibo-HotSign."""
+
+from .base import Base, get_db, engine, AsyncSessionLocal
+from .user import User
+from .account import Account
+from .task import Task
+from .signin_log import SigninLog
+
+__all__ = [
+ "Base",
+ "get_db",
+ "engine",
+ "AsyncSessionLocal",
+ "User",
+ "Account",
+ "Task",
+ "SigninLog",
+]
diff --git a/backend/shared/models/__pycache__/__init__.cpython-311.pyc b/backend/shared/models/__pycache__/__init__.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..8f360034fbdb0de2a8120ea156dbfb97f1637752
GIT binary patch
literal 636
zcmah_J!>2>5FPF6_Tw%WV@y(|xImgU7^lh)
zNblZ_Nt55Q<)JhNSMCnnxr!vm#epHx@bokqy&2y5csvBV{=E2IO9XJ~E_W;VN3Mw_
zr@(*!Lo5(T1|*On2_+_24#)txd?+Frlh|`C5}A_J^MM%35gBv&
zys7Gjo6TK)(v&lGbI2CV69%
z3&D5VM^?z0rhi&kg$SV~Z1=Ez0k8W1#S$L(>#>9<{d(M2^R$PxSmAUOtl$oQ#BR4+
GcA&rOE35AS
literal 0
HcmV?d00001
diff --git a/backend/shared/models/__pycache__/account.cpython-311.pyc b/backend/shared/models/__pycache__/account.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..3d114785585520cea169825eac768ced83987be3
GIT binary patch
literal 2430
zcma)7O-vg{6rQ!$KkGkY#~6d!)M+CnPACUTNQ)>EzmXups3a6^Ev**M01mreXLg+w
zw+A0`;AkYIxN0hKqEtZ@t#ZhvQY)qRwd8}fC#3emjf$Rf>YKH3VkeP0JNrEEXWz_w
z?|b7PgFzpH@%N3Nvl@@kUyL~$uIA!22aCrDBN1T^I}}dj;Mb`*RHx`vd68FLqDys)
zZq*}tIA+5uUR4kUd+kzus$cZO+KoL*Kn;pP4mr?GguRat7D#ZH88~Jp^GTQGp460rnzOu9vO(@-Rbu&OG)l5-xjC|FxfczZ
z&8=Dd9rCr2FkB}J0y#TyE
z%hLp&<&_%<)Q>O0S?;uf1bPKA%$`mFd5nw}6c936SVrhxtF-MQwI>(0<>r%4%c&dG
z;tPc=wp@%3{e(`zJ$iX#Y9yV37DzuN*%d9lB4;*84yO&G8+v+RAg!;^q3ND2Lx`Sa3?tAF&r=&z2YYGbJqqTQfKIxK&l
zW>uMPN*mBu9!yr{f?^cC1)WfR0FLRI9ABIqpPGh7@@hHgQDTr8#^ef$BCjaqnC)
z6Ep_Y@=6jVc`8Y-YI7!eAM|}1g(V;Kp+t1FPkQtPQlFO+T{30+&UvKt<{
z?c4F~^X71hO<|!bEYyUB(nLKJ-C8X#m6s|L+v1M6+qc`dKl^*Hd2z0Kajtf8&RqJ+
z45h1~bS;!F-Ki5VZN#)oS0A(QW}x1VeGt|?rr3fF4FH8@er&*1j#&g{Nm1_!Ib
z!CG(-oW3h~^hDWR6(OP)4G<)Rl
z*&405_lu@~r0O53`A14q^+0^gy7%{sblw$D2Hz-*sKC}y_L6L*AT8GAe3!vENsf8U|EGx{HUB6EWP
literal 0
HcmV?d00001
diff --git a/backend/shared/models/__pycache__/base.cpython-311.pyc b/backend/shared/models/__pycache__/base.cpython-311.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..aa1acf73343de79b30a90ebc3006b895f215e58e
GIT binary patch
literal 1893
zcmbVM&2QsG6rZsjJ6}!um2R_J7Prgp5~-VNr3xrofl?JX5caU$g4T+#T+gI6^+&MX
zrYRsQ6(LS2AVlGUazI6>E3`+r(f`0jk%)YXgplYhs2rj_AfA(^N~N+zjGxDE-p6m=
zjDIuV4GcsPv@e%_&}u9~zXgL{3!Ny(2qUzMmJmS_BA75bHW-P)fzIlz!AYDEl0uy^
zr}Ks&2}W27!#G5EJz_+qDChzSYgmfWI2|C7I{;0hH2O}WH`xZZ$7!sV?2Y@sBu3(7
z;9+79D%^*++c07f4fSIbv4&{uTl^`O2EixLLCTTv!{pgKX$XAbJpkG7K_O|F3{nQ7
zhl))4)LLZ7@JF09LWUMmW@KwFx}dnqvf@yYnk$+~r$vW4j%Jx+QBhsXu1t%HNkl?b
zU9lBc+n{0)osAv^kQwYJa!$omU!x`kw`FG-Ki;t{c47Px)uxI|WhDrcyORV#C({_p
z8nykwK72XAKVrJ*NoQ5DDUluOx|+G-_#9PNtylfT36i{4R%|fy&bzwi(xXvGJGu(p
z{S50zN|vR|jfcEI*yV}OHt(u{dD?i;Sg7#$Z%|$bD(xZ{_|$7>|HCZW!34j@zKM3(kGT&}1ig>mLNLM@
zv|3+YFCU?^2s^;aUOqZPagd
zxH8j4z~}+2IXD}@A!h6L0xeOKP*bgl?yBO76^-h|0p5t6pDvOf#ZLZt_AYGsP(MrZ
zma6D}NYyQe0;hzNKquH7@$u}!iv`spv{0tnvQ=1C)HRr|;8MqR3fXL-%aMWsA-V%@
zpl7M#^DESq$+CSJFs{JsWB~0Cc(&2+N%1f_RZmW}5Er_jtF5#cHZs*1PJi-7_h}BN
zcW-@u>$90JX1w_1xzeuQyfCEQhSXN%OaXre_55{lQU9UtCx^7#?I#B~*I~G
zEZuao9WrQ^&4JSnE@D5?7h&0k9h@s$2t2%MnMG~Ijs%uiVBv_Sx_(lY71Oj_xQQ&&
zff?fqx%;{K+~O+o^-4iIKtr!U#h
z!Z2W(GYNf*#Td6326HWR+JzCG^3Y_zG|_^0o;1*$cb+uSGu~Ngj$f^XsvmAAs+@;z
zfE=P54K`MNxjr)Ev4J$W;a|D*FI>7d|LES&uE(VhxqO|=dtAO5neZYLU&-~S=DbKA
z^jOo^FsC2k6e
zV2X;!F`uZBFeOC_c-}~wDJ2Db495-GOe<*)MbJHjh35#1B)tvi?!pr;C4&?5s35K9
z=JjPuw?4L)#~yw9aLlwZF^WgbsUY~meaj`wg!=KaZ8S~G7iTq>Ea)cjr8%1t2z@}-
ze7-XOsOrb(U8-BlKEFVoxdqNoQDSJWZd=ZZ-T;|jYFhOpj%5bnuI7+>c$bjIPlb~T
zxV%6FDIBySf;lA`L4+qU9Kn&j=(#fD%m$Bu`E7{XW$A+jIuXYPbvV8!oQqHNJxxb)|#%ZTXjlI
zV!21-aPoRmtJm$Op)=gxv$V;;KKDC!V!@B{vb!ck3m6vbv=EjU($6Q
zPp?Zi#vE63o6hvadUT>N1C>Q|?8ieT8#jj-OAgC5_WJhh?OGkiytYd8MZ3oCM=V@}
z%ehXiSgbiK8YQ?Eya`V2O~ZdNbg()(n7sVd5ix+@G@oC
z`?n6JLXJ_fe8LK>7Ot>tmSz%F^(9q>^O^?ZQ>yy3sTrphSyf%u?@**Xgi_WsI?9O1
z2zzsU=@cjx>Q1_LL$9l@?iz%?&0GZLlB8r+qgd6gC7ULgMkbWnR5gj?Xz-ddJZO>`
zqL#htCs^$StC~yM*UJ}9kD#o^pAa2`Kl%