g0v0-server/app/service/verification_service.py

"""
邮件验证管理服务
"""

from datetime import timedelta
import secrets
import string
from typing import Literal

from app.config import settings
from app.database.auth import OAuthToken
from app.database.verification import EmailVerification, LoginSession, TrustedDevice
from app.log import logger
from app.models.model import UserAgentInfo
from app.service.email_queue import email_queue
from app.utils import utcnow

from redis.asyncio import Redis
from sqlmodel import col, exists, select
from sqlmodel.ext.asyncio.session import AsyncSession


class EmailVerificationService:
    """邮件验证服务"""

    @staticmethod
    def generate_verification_code() -> str:
        """生成8位验证码"""
        return "".join(secrets.choice(string.digits) for _ in range(8))

    @staticmethod
    async def send_verification_email_via_queue(
        email: str, code: str, username: str, user_id: int, country_code: str | None = None
    ) -> dict[str, str]:
        """使用邮件队列发送验证邮件

        Args:
            email: 接收验证码的邮箱地址
            code: 验证码
            username: 用户名
            user_id: 用户ID
            country_code: 国家代码（用于选择邮件语言）

        Returns:
            返回格式为 {'id': 'message_id'} 的字典，如果使用 SMTP 则返回 email_id
        """
        try:
            from app.service.email_template_service import get_email_template_service

            # 使用模板服务生成邮件内容
            template_service = get_email_template_service()
            subject, html_content, plain_content = template_service.render_verification_email(
                username=username,
                code=code,
                country_code=country_code,
                expiry_minutes=10,
            )
            # 准备元数据
            metadata = {"type": "email_verification", "user_id": user_id, "code": code, "country": country_code}

            # 如果使用 MailerSend，直接发送并返回 message_id
            if settings.email_provider == "mailersend":
                from app.service.mailersend_service import get_mailersend_service

                mailersend_service = get_mailersend_service()
                response = await mailersend_service.send_email(
                    to_email=email,
                    subject=subject,
                    content=plain_content,
                    html_content=html_content,
                    metadata=metadata,
                )
                return response
            else:
                # 使用 SMTP 队列发送
                email_id = await email_queue.enqueue_email(
                    to_email=email,
                    subject=subject,
                    content=plain_content,
                    html_content=html_content,
                    metadata=metadata,
                )
                return {"id": email_id}

        except Exception as e:
            logger.error(f"Failed to enqueue email: {e}")
            return {"id": ""}

    @staticmethod
    def generate_session_token() -> str:
        """生成会话令牌"""
        return secrets.token_urlsafe(32)

    @staticmethod
    async def create_verification_record(
        db: AsyncSession,
        redis: Redis,
        user_id: int,
        email: str,
        ip_address: str | None = None,
        user_agent: str | None = None,
    ) -> tuple[EmailVerification, str]:
        """创建邮件验证记录"""

        # 检查是否有未过期的验证码
        existing_result = await db.exec(
            select(EmailVerification).where(
                EmailVerification.user_id == user_id,
                EmailVerification.is_used == False,  # noqa: E712
                EmailVerification.expires_at > utcnow(),
            )
        )
        existing = existing_result.first()

        if existing:
            # 如果有未过期的验证码，直接返回
            return existing, existing.verification_code

        # 生成新的验证码
        code = EmailVerificationService.generate_verification_code()

        # 创建验证记录
        verification = EmailVerification(
            user_id=user_id,
            email=email,
            verification_code=code,
            expires_at=utcnow() + timedelta(minutes=10),  # 10分钟过期
            ip_address=ip_address,
            user_agent=user_agent,
        )

        db.add(verification)
        await db.commit()
        await db.refresh(verification)

        # 存储到 Redis（用于快速验证）
        await redis.setex(
            f"email_verification:{user_id}:{code}",
            600,  # 10分钟过期
            str(verification.id) if verification.id else "0",
        )

        logger.info(f"Created verification code for user {user_id}: {code}")
        return verification, code

    @staticmethod
    async def send_verification_email(
        db: AsyncSession,
        redis: Redis,
        user_id: int,
        username: str,
        email: str,
        ip_address: str | None = None,
        user_agent: UserAgentInfo | None = None,
        country_code: str | None = None,
    ) -> dict[str, str]:
        """发送验证邮件

        Args:
            db: 数据库会话
            redis: Redis 客户端
            user_id: 用户ID
            username: 用户名
            email: 邮箱地址
            ip_address: IP 地址
            user_agent: 用户代理信息
            country_code: 国家代码（用于选择邮件语言）

        Returns:
            返回格式为 {'id': 'message_id'} 的字典
        """
        try:
            # 检查是否启用邮件验证功能
            if not settings.enable_email_verification:
                logger.debug(f"Email verification is disabled, skipping for user {user_id}")
                return {"id": "disabled"}  # 返回特殊ID表示功能已禁用

            # 检测客户端信息
            logger.info(f"Detected client for user {user_id}: {user_agent}")

            # 创建验证记录
            (
                _,
                code,
            ) = await EmailVerificationService.create_verification_record(
                db, redis, user_id, email, ip_address, user_agent.raw_ua if user_agent else None
            )

            # 使用邮件队列发送验证邮件
            response = await EmailVerificationService.send_verification_email_via_queue(
                email, code, username, user_id, country_code
            )

            if response and response.get("id"):
                logger.info(
                    f"Successfully sent verification email to {email} (user: {username}), message_id: {response['id']}"
                )
                return response
            else:
                logger.error(f"Failed to send verification email: {email} (user: {username})")
                return {"id": ""}

        except Exception as e:
            logger.error(f"Exception during sending verification email: {e}")
            return {"id": ""}

    @staticmethod
    async def verify_email_code(
        db: AsyncSession,
        redis: Redis,
        user_id: int,
        code: str,
    ) -> tuple[bool, str]:
        """验证邮箱验证码"""
        try:
            # 检查是否启用邮件验证功能
            if not settings.enable_email_verification:
                logger.debug(f"Email verification is disabled, auto-approving for user {user_id}")
                return True, "验证成功（邮件验证功能已禁用）"

            # 先从 Redis 检查
            verification_id = await redis.get(f"email_verification:{user_id}:{code}")
            if not verification_id:
                return False, "验证码无效或已过期"

            # 从数据库获取验证记录
            result = await db.exec(
                select(EmailVerification).where(
                    EmailVerification.id == int(verification_id),
                    EmailVerification.user_id == user_id,
                    EmailVerification.verification_code == code,
                    EmailVerification.is_used == False,  # noqa: E712
                    EmailVerification.expires_at > utcnow(),
                )
            )

            verification = result.first()
            if not verification:
                return False, "验证码无效或已过期"

            # 标记为已使用
            verification.is_used = True
            verification.used_at = utcnow()

            await db.commit()

            # 删除 Redis 记录
            await redis.delete(f"email_verification:{user_id}:{code}")

            logger.info(f"User {user_id} verification code verified successfully")
            return True, "验证成功"

        except Exception as e:
            logger.error(f"Exception during verification code validation: {e}")
            return False, "验证过程中发生错误"

    @staticmethod
    async def resend_verification_code(
        db: AsyncSession,
        redis: Redis,
        user_id: int,
        username: str,
        email: str,
        ip_address: str | None = None,
        user_agent: UserAgentInfo | None = None,
        country_code: str | None = None,
    ) -> tuple[bool, str, dict[str, str]]:
        """重新发送验证码

        Args:
            db: 数据库会话
            redis: Redis 客户端
            user_id: 用户ID
            username: 用户名
            email: 邮箱地址
            ip_address: IP 地址
            user_agent: 用户代理信息
            country_code: 国家代码（用于选择邮件语言）

        Returns:
            (是否成功, 消息, {'id': 'message_id'})
        """
        try:
            # 避免未使用参数警告
            _ = user_agent
            # 检查是否启用邮件验证功能
            if not settings.enable_email_verification:
                logger.debug(f"Email verification is disabled, skipping resend for user {user_id}")
                return True, "验证码已发送（邮件验证功能已禁用）", {"id": "disabled"}

            # 检查重发频率限制（60秒内只能发送一次）
            rate_limit_key = f"email_verification_rate_limit:{user_id}"
            if await redis.get(rate_limit_key):
                return False, "请等待60秒后再重新发送", {"id": ""}

            # 设置频率限制
            await redis.setex(rate_limit_key, 60, "1")

            # 生成新的验证码
            response = await EmailVerificationService.send_verification_email(
                db, redis, user_id, username, email, ip_address, user_agent, country_code
            )

            if response and response.get("id"):
                return True, "验证码已重新发送", response
            else:
                return False, "重新发送失败，请稍后再试", {"id": ""}

        except Exception as e:
            logger.error(f"Exception during resending verification code: {e}")
            return False, "重新发送过程中发生错误", {"id": ""}


class LoginSessionService:
    """登录会话服务"""

    # Session verification interface methods
    @staticmethod
    async def find_for_verification(db: AsyncSession, token: str) -> LoginSession | None:
        """根据会话ID查找会话用于验证"""
        try:
            result = await db.exec(
                select(LoginSession).where(
                    col(LoginSession.token).has(col(OAuthToken.access_token) == token),
                    LoginSession.expires_at > utcnow(),
                )
            )
            return result.first()
        except Exception:
            return None

    @staticmethod
    def get_key_for_event(session_id: str) -> str:
        """获取用于事件广播的会话密钥"""
        return f"g0v0:{session_id}"

    @staticmethod
    async def create_session(
        db: AsyncSession,
        user_id: int,
        token_id: int,
        ip_address: str,
        user_agent: str | None = None,
        is_new_device: bool = False,
        web_uuid: str | None = None,
        is_verified: bool = False,
    ) -> LoginSession:
        """创建登录会话"""
        session = LoginSession(
            user_id=user_id,
            token_id=token_id,
            ip_address=ip_address,
            user_agent=user_agent,
            is_new_device=is_new_device,
            expires_at=utcnow() + timedelta(hours=24),  # 24小时过期
            is_verified=is_verified,
            web_uuid=web_uuid,
        )

        db.add(session)
        await db.commit()
        await db.refresh(session)

        logger.info(f"Created session for user {user_id} (new device: {is_new_device})")
        return session

    @classmethod
    def _session_verify_redis_key(cls, user_id: int, token_id: int) -> str:
        return f"session_verification_method:{user_id}:{token_id}"

    @classmethod
    async def get_login_method(cls, user_id: int, token_id: int, redis: Redis) -> Literal["totp", "mail"] | None:
        return await redis.get(cls._session_verify_redis_key(user_id, token_id))

    @classmethod
    async def set_login_method(cls, user_id: int, token_id: int, method: Literal["totp", "mail"], redis: Redis) -> None:
        await redis.set(cls._session_verify_redis_key(user_id, token_id), method)

    @classmethod
    async def clear_login_method(cls, user_id: int, token_id: int, redis: Redis) -> None:
        await redis.delete(cls._session_verify_redis_key(user_id, token_id))

    @staticmethod
    async def check_trusted_device(
        db: AsyncSession, user_id: int, ip_address: str, user_agent: UserAgentInfo, web_uuid: str | None = None
    ) -> bool:
        if user_agent.is_client:
            query = select(exists()).where(
                TrustedDevice.user_id == user_id,
                TrustedDevice.client_type == "client",
                TrustedDevice.ip_address == ip_address,
                TrustedDevice.expires_at > utcnow(),
            )
        else:
            if web_uuid is None:
                return False
            query = select(exists()).where(
                TrustedDevice.user_id == user_id,
                TrustedDevice.client_type == "web",
                TrustedDevice.web_uuid == web_uuid,
                TrustedDevice.expires_at > utcnow(),
            )
        return (await db.exec(query)).first() or False

    @staticmethod
    async def create_trusted_device(
        db: AsyncSession,
        user_id: int,
        ip_address: str,
        user_agent: UserAgentInfo,
        web_uuid: str | None = None,
    ) -> TrustedDevice:
        device = TrustedDevice(
            user_id=user_id,
            ip_address=ip_address,
            user_agent=user_agent.raw_ua,
            client_type="client" if user_agent.is_client else "web",
            web_uuid=web_uuid if not user_agent.is_client else None,
            expires_at=utcnow() + timedelta(days=settings.device_trust_duration_days),
        )
        db.add(device)
        await db.commit()
        await db.refresh(device)
        return device

    @staticmethod
    async def get_or_create_trusted_device(
        db: AsyncSession,
        user_id: int,
        ip_address: str,
        user_agent: UserAgentInfo,
        web_uuid: str | None = None,
    ) -> TrustedDevice:
        if user_agent.is_client:
            query = select(TrustedDevice).where(
                TrustedDevice.user_id == user_id,
                TrustedDevice.client_type == "client",
                TrustedDevice.ip_address == ip_address,
            )
        else:
            if web_uuid is None:
                raise ValueError("web_uuid is required for web clients")
            query = select(TrustedDevice).where(
                TrustedDevice.user_id == user_id,
                TrustedDevice.client_type == "web",
                TrustedDevice.web_uuid == web_uuid,
            )

        device = (await db.exec(query)).first()
        if device is None:
            device = await LoginSessionService.create_trusted_device(db, user_id, ip_address, user_agent, web_uuid)
        else:
            device.last_used_at = utcnow()
            device.expires_at = utcnow() + timedelta(days=settings.device_trust_duration_days)
            await db.commit()
            await db.refresh(device)
        return device

    @staticmethod
    async def mark_session_verified(
        db: AsyncSession,
        redis: Redis,
        user_id: int,
        token_id: int,
        ip_address: str,
        user_agent: UserAgentInfo,
        web_uuid: str | None = None,
    ) -> bool:
        """标记用户的未验证会话为已验证"""
        device_info: TrustedDevice | None = None
        if user_agent.is_client or web_uuid:
            device_info = await LoginSessionService.get_or_create_trusted_device(
                db, user_id, ip_address, user_agent, web_uuid
            )

        try:
            # 查找用户所有未验证且未过期的会话
            result = await db.exec(
                select(LoginSession).where(
                    LoginSession.user_id == user_id,
                    LoginSession.is_verified == False,  # noqa: E712
                    LoginSession.expires_at > utcnow(),
                    LoginSession.token_id == token_id,
                )
            )
            sessions = result.all()

            # 标记所有会话为已验证
            for session in sessions:
                session.is_verified = True
                session.verified_at = utcnow()
                if device_info:
                    session.device_id = device_info.id

            if sessions:
                logger.info(f"Marked {len(sessions)} session(s) as verified for user {user_id}")

            await LoginSessionService.clear_login_method(user_id, token_id, redis)
            await db.commit()

            return len(sessions) > 0

        except Exception as e:
            logger.error(f"Exception during marking sessions as verified: {e}")
            return False

    @staticmethod
    async def check_is_need_verification(db: AsyncSession, user_id: int, token_id: int) -> bool:
        """检查用户是否需要验证（有未验证的会话）"""
        if settings.enable_totp_verification or settings.enable_email_verification:
            unverified_session = (
                await db.exec(
                    select(exists()).where(
                        LoginSession.user_id == user_id,
                        col(LoginSession.is_verified).is_(False),  # pyright: ignore[reportAttributeAccessIssue]
                        LoginSession.expires_at > utcnow(),
                        LoginSession.token_id == token_id,
                    )
                )
            ).first()
            return unverified_session or False
        return False