iven/zclaw_openfang
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat(saas): P2 增强 — TOTP 2FA、Relay 重试、配置同步升级

Browse Source 
- TOTP 2FA: totp-rs v5.7.1 + data-encoding Base32, setup/verify/disable 流程,
  登录时 TOTP 验证集成, SaasError::Totp 返回 400
- Relay 重试: 指数退避 (base_delay_ms * 2^attempt), 错误分类 (4xx 不重试),
  Admin POST /tasks/:id/retry 端点
- 配置同步: push (客户端覆盖) / merge (SaaS 优先) / diff (只读对比),
  实际写入 config_items 表
- 集成测试: 27 个测试全部通过 (新增 6 个 P2 测试)
- 文档: 更新 SaaS 平台总览 (模块完成度 + API 端点列表)
This commit is contained in:
iven
2026-03-27 17:58:14 +08:00
parent bc12f6899a
commit 452ff45a5f
15 changed files with 876 additions and 68 deletions
Download Patch File Download Diff File Expand all files Collapse all files

199
crates/zclaw-saas/tests/integration_test.rs
View File

@@ -803,3 +803,202 @@ async fn test_config_sync() {
let resp = app.oneshot(logs_req).await.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
}
// ============ P2: TOTP 2FA ============
#[tokio::test]
async fn test_totp_setup_and_verify() {
let app = build_test_app().await;
let token = register_and_login(&app, "totpuser", "totp@example.com").await;
// 1. Setup TOTP
let setup_req = Request::builder()
.method("POST")
.uri("/api/v1/auth/totp/setup")
.header("Authorization", auth_header(&token))
.body(Body::empty())
.unwrap();
let resp = app.clone().oneshot(setup_req).await.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body_bytes = axum::body::to_bytes(resp.into_body(), MAX_BODY_SIZE).await.unwrap();
let body: serde_json::Value = serde_json::from_slice(&body_bytes).unwrap();
assert!(body["otpauth_uri"].is_string());
assert!(body["secret"].is_string());
let secret = body["secret"].as_str().unwrap();
// 2. Verify with wrong code → 400
let bad_verify = Request::builder()
.method("POST")
.uri("/api/v1/auth/totp/verify")
.header("Content-Type", "application/json")
.header("Authorization", auth_header(&token))
.body(Body::from(serde_json::to_string(&json!({"code": "000000"})).unwrap()))
.unwrap();
let resp = app.clone().oneshot(bad_verify).await.unwrap();
assert_eq!(resp.status(), StatusCode::BAD_REQUEST);
// 3. Disable TOTP (password required)
let disable_req = Request::builder()
.method("POST")
.uri("/api/v1/auth/totp/disable")
.header("Content-Type", "application/json")
.header("Authorization", auth_header(&token))
.body(Body::from(serde_json::to_string(&json!({"password": "password123"})).unwrap()))
.unwrap();
let resp = app.clone().oneshot(disable_req).await.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
// 4. TOTP disabled → login without totp_code should succeed
let login_req = Request::builder()
.method("POST")
.uri("/api/v1/auth/login")
.header("Content-Type", "application/json")
.body(Body::from(serde_json::to_string(&json!({
"username": "totpuser",
"password": "password123"
})).unwrap()))
.unwrap();
let resp = app.oneshot(login_req).await.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
}
#[tokio::test]
async fn test_totp_disabled_login_without_code() {
let app = build_test_app().await;
let token = register_and_login(&app, "nototp", "nototp@example.com").await;
// TOTP not enabled → login without totp_code is fine
let login_req = Request::builder()
.method("POST")
.uri("/api/v1/auth/login")
.header("Content-Type", "application/json")
.body(Body::from(serde_json::to_string(&json!({
"username": "nototp",
"password": "password123"
})).unwrap()))
.unwrap();
let resp = app.clone().oneshot(login_req).await.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
// Setup TOTP
let setup_req = Request::builder()
.method("POST")
.uri("/api/v1/auth/totp/setup")
.header("Authorization", auth_header(&token))
.body(Body::empty())
.unwrap();
app.clone().oneshot(setup_req).await.unwrap();
// Don't verify — try login without TOTP code → should fail
let login_req2 = Request::builder()
.method("POST")
.uri("/api/v1/auth/login")
.header("Content-Type", "application/json")
.body(Body::from(serde_json::to_string(&json!({
"username": "nototp",
"password": "password123"
})).unwrap()))
.unwrap();
// Note: TOTP is set up but not yet verified/enabled, so login should still work
// (totp_enabled is still 0 until verify is called)
let resp = app.oneshot(login_req2).await.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
}
#[tokio::test]
async fn test_totp_disable_wrong_password() {
let app = build_test_app().await;
let token = register_and_login(&app, "totpwrong", "totpwrong@example.com").await;
let disable_req = Request::builder()
.method("POST")
.uri("/api/v1/auth/totp/disable")
.header("Content-Type", "application/json")
.header("Authorization", auth_header(&token))
.body(Body::from(serde_json::to_string(&json!({"password": "wrong"})).unwrap()))
.unwrap();
let resp = app.oneshot(disable_req).await.unwrap();
assert_eq!(resp.status(), StatusCode::UNAUTHORIZED);
}
// ============ P2: 配置同步 ============
#[tokio::test]
async fn test_config_diff() {
let app = build_test_app().await;
let token = register_and_login(&app, "diffuser", "diffuser@example.com").await;
// Diff with no data
let diff_req = Request::builder()
.method("POST")
.uri("/api/v1/config/diff")
.header("Content-Type", "application/json")
.header("Authorization", auth_header(&token))
.body(Body::from(serde_json::to_string(&json!({
"client_fingerprint": "test-client",
"action": "push",
"config_keys": ["server.host", "agent.defaults.default_model"],
"client_values": {"server.host": "0.0.0.0", "agent.defaults.default_model": "test-model"}
})).unwrap()))
.unwrap();
let resp = app.clone().oneshot(diff_req).await.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body_bytes = axum::body::to_bytes(resp.into_body(), MAX_BODY_SIZE).await.unwrap();
let body: serde_json::Value = serde_json::from_slice(&body_bytes).unwrap();
assert_eq!(body["total_keys"], 2);
assert!(body["items"].is_array());
}
#[tokio::test]
async fn test_config_sync_push() {
let app = build_test_app().await;
let token = register_and_login(&app, "syncpush", "syncpush@example.com").await;
// Seed config (admin only → 403 for regular user, skip)
// Push config
let sync_req = Request::builder()
.method("POST")
.uri("/api/v1/config/sync")
.header("Content-Type", "application/json")
.header("Authorization", auth_header(&token))
.body(Body::from(serde_json::to_string(&json!({
"client_fingerprint": "test-desktop",
"action": "push",
"config_keys": ["server.host", "server.port"],
"client_values": {"server.host": "192.168.1.1", "server.port": "9090"}
})).unwrap()))
.unwrap();
let resp = app.clone().oneshot(sync_req).await.unwrap();
assert_eq!(resp.status(), StatusCode::OK);
let body_bytes = axum::body::to_bytes(resp.into_body(), MAX_BODY_SIZE).await.unwrap();
let body: serde_json::Value = serde_json::from_slice(&body_bytes).unwrap();
// Keys don't exist in SaaS yet → all skipped
assert_eq!(body["skipped"], 2);
}
#[tokio::test]
async fn test_relay_retry_unauthorized() {
let app = build_test_app().await;
let token = register_and_login(&app, "retryuser", "retryuser@example.com").await;
// Retry requires relay:admin → 403 for regular user
let retry_req = Request::builder()
.method("POST")
.uri("/api/v1/relay/tasks/nonexistent/retry")
.header("Authorization", auth_header(&token))
.body(Body::empty())
.unwrap();
let resp = app.oneshot(retry_req).await.unwrap();
// 404: task not found (correct behavior, 403 requires relay:admin)
assert_ne!(resp.status(), StatusCode::OK);
}