first commit

.env

@@ -0,0 +1,23 @@
+# CaiYouHui_backend/.env
+# 项目配置
+PROJECT_NAME=CaiYouHui 采油会
+VERSION=1.0.0
+API_V1_PREFIX=/api/v1
+
+# 安全配置
+SECRET_KEY=your-super-secret-key-change-in-production-123456
+ALGORITHM=HS256
+ACCESS_TOKEN_EXPIRE_MINUTES=1440  # 24小时
+
+# 数据库配置
+DATABASE_URL=sqlite:///./caiyouhui.db
+
+# CORS 配置
+BACKEND_CORS_ORIGINS=http://localhost:3000,http://localhost:5173,http://localhost:8080
+
+# 调试模式
+DEBUG=True
+
+# 文件上传
+UPLOAD_DIR=./uploads
+MAX_UPLOAD_SIZE=10485760  # 10MB

.vscode/settings.json

@@ -0,0 +1,4 @@
+{
+    "python-envs.defaultEnvManager": "ms-python.python:system",
+    "python-envs.pythonProjects": []
+}

README.md

@@ -0,0 +1 @@
+这是CaiYouHui的fastapi后端实现

app/api/v1/admin.py

@@ -0,0 +1,163 @@
+# app/api/admin.py
+from fastapi import APIRouter, Depends, HTTPException
+from fastapi.responses import JSONResponse
+from sqlalchemy.orm import Session
+from sqlalchemy import text
+import json
+
+from ..dependencies.auth import get_current_user
+from ..models.user import User
+from ..database import get_db
+
+router = APIRouter(prefix="/admin", tags=["admin"])
+
+@router.get("/database/tables")
+async def get_database_tables(
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user)
+):
+    """获取所有表（需要管理员权限）"""
+    if not current_user.is_superuser:
+        raise HTTPException(status_code=403, detail="需要管理员权限")
+    
+    try:
+        # 使用 SQLAlchemy 执行原生 SQL
+        result = db.execute(text("""
+            SELECT name, type, sql 
+            FROM sqlite_master 
+            WHERE type='table' 
+            AND name NOT LIKE 'sqlite_%'
+            ORDER BY name;
+        """))
+        
+        tables = []
+        for row in result:
+            tables.append({
+                "name": row[0],
+                "type": row[1],
+                "sql": row[2]
+            })
+        
+        return JSONResponse(content={"tables": tables})
+    
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=str(e))
+
+@router.get("/database/table/{table_name}")
+async def get_table_data(
+    table_name: str,
+    limit: int = 100,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user)
+):
+    """获取表数据（需要管理员权限）"""
+    if not current_user.is_superuser:
+        raise HTTPException(status_code=403, detail="需要管理员权限")
+    
+    try:
+        # 先验证表存在且可访问
+        result = db.execute(text(f"SELECT name FROM sqlite_master WHERE type='table' AND name='{table_name}';"))
+        if not result.fetchone():
+            raise HTTPException(status_code=404, detail="表不存在")
+        
+        # 获取表结构
+        columns_result = db.execute(text(f"PRAGMA table_info({table_name});"))
+        columns = []
+        for row in columns_result:
+            columns.append({
+                "cid": row[0],
+                "name": row[1],
+                "type": row[2],
+                "notnull": bool(row[3]),
+                "default_value": row[4],
+                "pk": bool(row[5])
+            })
+        
+        # 获取数据
+        data_result = db.execute(text(f"SELECT * FROM {table_name} LIMIT {limit};"))
+        
+        # 获取列名
+        column_names = [desc[0] for desc in data_result.cursor.description]
+        
+        # 获取数据行
+        rows = []
+        for row in data_result:
+            row_dict = {}
+            for i, value in enumerate(row):
+                # 处理特殊类型（如 datetime）
+                if hasattr(value, 'isoformat'):
+                    row_dict[column_names[i]] = value.isoformat()
+                else:
+                    row_dict[column_names[i]] = value
+            rows.append(row_dict)
+        
+        # 统计总数
+        count_result = db.execute(text(f"SELECT COUNT(*) FROM {table_name};"))
+        total_count = count_result.scalar()
+        
+        return JSONResponse(content={
+            "table": table_name,
+            "columns": columns,
+            "data": rows,
+            "total_count": total_count,
+            "showing": len(rows)
+        })
+    
+    except HTTPException:
+        raise
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=str(e))
+
+@router.post("/database/query")
+async def execute_custom_query(
+    query: str,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user)
+):
+    """执行自定义查询（需要管理员权限，生产环境请谨慎）"""
+    if not current_user.is_superuser:
+        raise HTTPException(status_code=403, detail="需要管理员权限")
+    
+    # 安全限制：不允许修改操作
+    query_lower = query.strip().lower()
+    dangerous_keywords = ["drop", "delete", "update", "insert", "alter", "truncate"]
+    
+    if any(keyword in query_lower for keyword in dangerous_keywords):
+        raise HTTPException(status_code=400, detail="只允许SELECT查询")
+    
+    try:
+        result = db.execute(text(query))
+        
+        # 如果是查询语句
+        if query_lower.startswith("select"):
+            # 获取列名
+            column_names = [desc[0] for desc in result.cursor.description]
+            
+            # 获取数据
+            rows = []
+            for row in result:
+                row_dict = {}
+                for i, value in enumerate(row):
+                    if hasattr(value, 'isoformat'):
+                        row_dict[column_names[i]] = value.isoformat()
+                    else:
+                        row_dict[column_names[i]] = value
+                rows.append(row_dict)
+            
+            return JSONResponse(content={
+                "query": query,
+                "columns": column_names,
+                "data": rows,
+                "row_count": len(rows)
+            })
+        else:
+            # 非查询语句
+            db.commit()
+            return JSONResponse(content={
+                "query": query,
+                "affected_rows": result.rowcount,
+                "message": "执行成功"
+            })
+    
+    except Exception as e:
+        raise HTTPException(status_code=500, detail=str(e))

app/api/v1/auth.py

@@ -0,0 +1,330 @@
+# app/api/v1/auth.py
+from fastapi import APIRouter, HTTPException, status, Request, Depends
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from sqlalchemy.orm import Session
+from typing import Optional
+
+from app.schemas.user import UserCreate, UserLogin
+from app.schemas.token import TokenResponse, RefreshTokenRequest
+from app.core.security import (
+    create_access_token,
+    JWTManager,
+    verify_access_token
+)
+from app.config import settings
+from app.database import get_db
+from app.models.user import User
+from app.services.user_service import UserService
+
+router = APIRouter(prefix="/auth", tags=["认证"])
+security = HTTPBearer()
+
+# 初始化 JWT 管理器
+jwt_manager = JWTManager(
+    secret_key=settings.SECRET_KEY,
+    algorithm=settings.ALGORITHM
+)
+
+import logging
+logger = logging.getLogger(__name__)
+
+@router.post("/register", response_model=TokenResponse, status_code=status.HTTP_201_CREATED)
+async def register(
+    user_data: UserCreate,
+    request: Request,
+    db: Session = Depends(get_db)
+):
+    """用户注册"""
+    user_service = UserService(db)
+    
+    try:
+        # 创建用户
+        user = await user_service.create_user(user_data)
+        
+        # 创建访问令牌
+        access_token = create_access_token(
+            data={
+                "sub": user.username,
+                "user_id": user.id,
+                "email": user.email,
+                "type": "access"
+            },
+            secret_key=settings.SECRET_KEY,
+            expires_minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES
+        )
+        
+        # 创建刷新令牌
+        refresh_token = jwt_manager.create_refresh_token(
+            {
+                "sub": user.username,
+                "user_id": user.id,
+                "type": "refresh"
+            },
+            expires_days=7
+        )
+        
+        # 构建用户响应
+        user_response = {
+            "id": user.id,
+            "username": user.username,
+            "email": user.email,
+            "full_name": user.full_name,
+            "is_active": user.is_active,
+            "is_verified": user.is_verified,
+            "is_superuser": user.is_superuser,
+            "created_at": user.created_at.isoformat() if user.created_at else None
+        }
+        
+        return TokenResponse(
+            access_token=access_token,
+            token_type="bearer",
+            expires_in=settings.ACCESS_TOKEN_EXPIRE_MINUTES * 60,
+            refresh_token=refresh_token,
+            user=user_response
+        )
+        
+    except ValueError as e:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=str(e)
+        )
+    except Exception as e:
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail=f"注册失败: {str(e)}"
+        )
+
+@router.post("/login", response_model=TokenResponse)
+async def login(
+    login_data: UserLogin,
+    request: Request,
+    db: Session = Depends(get_db)
+):
+    """用户登录"""
+    user_service = UserService(db)
+
+    logger.info("✅ 用户登录")
+    
+    # 验证用户
+    user = await user_service.authenticate_user(
+        login_data.username,
+        login_data.password
+    )
+    
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="用户名或密码错误"
+        )
+    
+    if not user.is_active:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="用户账户已被禁用"
+        )
+    
+    if user.is_locked:
+        raise HTTPException(
+            status_code=status.HTTP_423_LOCKED,
+            detail="账户已被锁定，请联系管理员"
+        )
+    
+    # 创建访问令牌
+    access_token = jwt_manager.create_access_token(
+        {
+            "sub": user.username,
+            "user_id": user.id,
+            "email": user.email,
+            "type": "access"
+        },
+        expires_minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES
+    )
+    
+    # 创建刷新令牌
+    refresh_token = jwt_manager.create_refresh_token(
+        {
+            "sub": user.username,
+            "user_id": user.id,
+            "type": "refresh"
+        },
+        expires_days=7
+    )
+    
+    # 构建用户响应
+    user_response = {
+        "id": user.id,
+        "username": user.username,
+        "email": user.email,
+        "full_name": user.full_name,
+        "is_active": user.is_active,
+        "is_verified": user.is_verified,
+        "is_superuser": user.is_superuser,
+        "created_at": user.created_at.isoformat() if user.created_at else None,
+        "last_login": user.last_login.isoformat() if user.last_login else None
+    }
+    
+    return TokenResponse(
+        access_token=access_token,
+        token_type="bearer",
+        expires_in=settings.ACCESS_TOKEN_EXPIRE_MINUTES * 60,
+        refresh_token=refresh_token,
+        user=user_response
+    )
+
+@router.get("/me")
+async def get_current_user(
+    credentials: HTTPAuthorizationCredentials = Depends(security),
+    db: Session = Depends(get_db)
+):
+    """获取当前用户信息"""
+    token = credentials.credentials
+
+    logger.info("✅ 获取当前用户信息")
+    
+    # 验证令牌
+    payload = verify_access_token(token, settings.SECRET_KEY)
+    if not payload:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="无效的令牌"
+        )
+    
+    username = payload.get("sub")
+    user_service = UserService(db)
+    user = await user_service.get_user_by_username(username)
+    
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="用户不存在"
+        )
+    
+    if not user.is_active:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="用户账户已被禁用"
+        )
+    
+    return {
+        "id": user.id,
+        "username": user.username,
+        "email": user.email,
+        "full_name": user.full_name,
+        "is_active": user.is_active,
+        "is_verified": user.is_verified,
+        "is_superuser": user.is_superuser,
+        "created_at": user.created_at.isoformat() if user.created_at else None,
+        "last_login": user.last_login.isoformat() if user.last_login else None,
+        "avatar": user.avatar
+    }
+
+@router.post("/refresh")
+async def refresh_token(
+    refresh_data: RefreshTokenRequest,
+    db: Session = Depends(get_db)
+):
+    """刷新访问令牌"""
+    refresh_token = refresh_data.refresh_token
+    
+    if not refresh_token:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="缺少刷新令牌"
+        )
+    
+    # 验证刷新令牌
+    payload = jwt_manager.verify_token(refresh_token)
+    
+    if not payload or payload.get("type") != "refresh":
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="无效的刷新令牌"
+        )
+    
+    username = payload.get("sub")
+    user_service = UserService(db)
+    user = await user_service.get_user_by_username(username)
+    
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="用户不存在"
+        )
+    
+    if not user.is_active:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="用户账户已被禁用"
+        )
+    
+    # 创建新的访问令牌
+    access_token = jwt_manager.create_access_token(
+        {
+            "sub": user.username,
+            "user_id": user.id,
+            "email": user.email,
+            "type": "access"
+        },
+        expires_minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES
+    )
+    
+    return {
+        "access_token": access_token,
+        "token_type": "bearer",
+        "expires_in": settings.ACCESS_TOKEN_EXPIRE_MINUTES * 60
+    }
+
+@router.post("/logout")
+async def logout(
+    refresh_data: RefreshTokenRequest,
+    db: Session = Depends(get_db),
+    credentials: HTTPAuthorizationCredentials = Depends(security)
+):
+    """用户登出"""
+    # 这里可以记录令牌到黑名单，或者简单返回成功
+    # 在实际应用中，可能需要将令牌存储到Redis黑名单
+    return {"message": "登出成功"}
+
+@router.get("/test-db")
+async def test_database(db: Session = Depends(get_db)):
+    """测试数据库连接和用户统计"""
+    user_service = UserService(db)
+    
+    user_count = await user_service.count_users()
+    all_users = await user_service.list_users(limit=10)
+    
+    users_info = []
+    for user in all_users:
+        users_info.append({
+            "id": user.id,
+            "username": user.username,
+            "email": user.email,
+            "is_active": user.is_active
+        })
+    
+    return {
+        "database": "SQLite",
+        "user_count": user_count,
+        "users": users_info,
+        "message": "数据库连接正常"
+    }
+
+@router.get("/test")
+async def test_auth():
+    """测试认证 API"""
+    return {
+        "message": "认证 API 正常运行（使用 SQLite 数据库）",
+        "endpoints": {
+            "POST /register": "用户注册",
+            "POST /login": "用户登录",
+            "GET /me": "获取当前用户",
+            "POST /refresh": "刷新令牌",
+            "POST /logout": "用户登出",
+            "GET /test-db": "测试数据库",
+            "GET /test": "测试接口"
+        },
+        "test_credentials": {
+            "username": "admin",
+            "password": "Admin123!"
+        }
+    }

app/api/v1/users.py

@@ -0,0 +1,263 @@
+# app/api/v1/users.py
+from fastapi import APIRouter, Depends, HTTPException, status, Query
+from sqlalchemy.orm import Session
+from typing import List, Optional
+from datetime import datetime
+
+from app.schemas.user import UserProfile, UserUpdate, PasswordChange
+from app.database import get_db
+from app.services.user_service import UserService
+from app.core.security import password_validator
+
+# 依赖：获取当前用户
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from app.core.security import verify_access_token
+from app.config import settings
+
+router = APIRouter(prefix="/users", tags=["用户管理"])
+security = HTTPBearer()
+
+def get_current_user(
+    credentials: HTTPAuthorizationCredentials = Depends(security),
+    db: Session = Depends(get_db)
+):
+    """获取当前用户依赖"""
+    token = credentials.credentials
+    
+    # 验证令牌
+    payload = verify_access_token(token, settings.SECRET_KEY)
+    if not payload:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="无效的令牌"
+        )
+    
+    username = payload.get("sub")
+    user_service = UserService(db)
+    user = user_service.get_user_by_username(username)
+    
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="用户不存在"
+        )
+    
+    if not user.is_active:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="用户账户已被禁用"
+        )
+    
+    return user
+
+@router.get("/me", response_model=UserProfile)
+async def get_my_profile(
+    current_user = Depends(get_current_user),
+    db: Session = Depends(get_db)
+):
+    """获取我的资料"""
+    user_service = UserService(db)
+    user = await user_service.get_user_by_id(current_user.id)
+    
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="用户不存在"
+        )
+    
+    return UserProfile(
+        id=user.id,
+        username=user.username,
+        email=user.email,
+        full_name=user.full_name,
+        is_active=user.is_active,
+        is_verified=user.is_verified,
+        created_at=user.created_at,
+        last_login=user.last_login,
+        avatar=user.avatar
+    )
+
+@router.put("/me", response_model=UserProfile)
+async def update_my_profile(
+    user_data: UserUpdate,
+    current_user = Depends(get_current_user),
+    db: Session = Depends(get_db)
+):
+    """更新我的资料"""
+    user_service = UserService(db)
+    
+    update_dict = user_data.dict(exclude_unset=True)
+    
+    # 如果更新邮箱，需要验证新邮箱是否已被使用
+    if user_data.email and user_data.email != current_user.email:
+        existing_user = await user_service.get_user_by_email(user_data.email)
+        if existing_user and existing_user.id != current_user.id:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="邮箱已被使用"
+            )
+    
+    updated_user = await user_service.update_user(current_user.id, update_dict)
+    
+    if not updated_user:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="用户不存在"
+        )
+    
+    return UserProfile(
+        id=updated_user.id,
+        username=updated_user.username,
+        email=updated_user.email,
+        full_name=updated_user.full_name,
+        is_active=updated_user.is_active,
+        is_verified=updated_user.is_verified,
+        created_at=updated_user.created_at,
+        last_login=updated_user.last_login,
+        avatar=updated_user.avatar
+    )
+
+@router.post("/me/change-password")
+async def change_password(
+    password_data: PasswordChange,
+    current_user = Depends(get_current_user),
+    db: Session = Depends(get_db)
+):
+    """修改密码"""
+    user_service = UserService(db)
+    
+    try:
+        success = await user_service.change_password(
+            current_user.id,
+            password_data.current_password,
+            password_data.new_password
+        )
+        
+        if not success:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="当前密码错误"
+            )
+        
+        return {"message": "密码修改成功"}
+        
+    except ValueError as e:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=str(e)
+        )
+
+@router.get("/", response_model=List[UserProfile])
+async def list_users(
+    skip: int = Query(0, ge=0),
+    limit: int = Query(100, ge=1, le=100),
+    active_only: bool = Query(True),
+    current_user = Depends(get_current_user),
+    db: Session = Depends(get_db)
+):
+    """获取用户列表（需要管理员权限）"""
+    if not current_user.is_superuser:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="需要管理员权限"
+        )
+    
+    user_service = UserService(db)
+    users = await user_service.list_users(skip, limit, active_only)
+    
+    return [
+        UserProfile(
+            id=user.id,
+            username=user.username,
+            email=user.email,
+            full_name=user.full_name,
+            is_active=user.is_active,
+            is_verified=user.is_verified,
+            created_at=user.created_at,
+            last_login=user.last_login,
+            avatar=user.avatar
+        )
+        for user in users
+    ]
+
+@router.get("/{user_id}", response_model=UserProfile)
+async def get_user(
+    user_id: int,
+    current_user = Depends(get_current_user),
+    db: Session = Depends(get_db)
+):
+    """获取单个用户信息（需要管理员权限查看其他用户）"""
+    user_service = UserService(db)
+    
+    # 普通用户只能查看自己的信息
+    if not current_user.is_superuser and user_id != current_user.id:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="只能查看自己的用户信息"
+        )
+    
+    user = await user_service.get_user_by_id(user_id)
+    
+    if not user:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="用户不存在"
+        )
+    
+    return UserProfile(
+        id=user.id,
+        username=user.username,
+        email=user.email,
+        full_name=user.full_name,
+        is_active=user.is_active,
+        is_verified=user.is_verified,
+        created_at=user.created_at,
+        last_login=user.last_login,
+        avatar=user.avatar
+    )
+
+@router.delete("/{user_id}")
+async def delete_user(
+    user_id: int,
+    current_user = Depends(get_current_user),
+    db: Session = Depends(get_db)
+):
+    """删除用户（需要管理员权限）"""
+    if not current_user.is_superuser:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="需要管理员权限"
+        )
+    
+    # 不能删除自己
+    if user_id == current_user.id:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="不能删除自己的账户"
+        )
+    
+    user_service = UserService(db)
+    success = await user_service.delete_user(user_id)
+    
+    if not success:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="用户不存在"
+        )
+    
+    return {"message": "用户已禁用"}
+
+@router.get("/test")
+async def test_users():
+    """测试用户管理 API"""
+    return {
+        "message": "用户管理 API 正常运行（使用 SQLite 数据库）",
+        "endpoints": {
+            "GET /me": "获取我的资料",
+            "PUT /me": "更新我的资料",
+            "POST /me/change-password": "修改密码",
+            "GET /": "获取用户列表（管理员）",
+            "GET /{user_id}": "获取单个用户",
+            "DELETE /{user_id}": "删除用户（管理员）"
+        }
+    }

app/config.py

@@ -0,0 +1,44 @@
+# app/config.py
+import os
+from typing import List
+import secrets
+from dotenv import load_dotenv
+
+# 加载环境变量
+load_dotenv()
+
+class Settings:
+    # 项目配置
+    PROJECT_NAME: str = os.getenv("PROJECT_NAME", "CaiYouHui 采油会")
+    VERSION: str = os.getenv("VERSION", "1.0.0")
+    API_V1_PREFIX: str = os.getenv("API_V1_PREFIX", "/api/v1")
+    
+    # 安全配置
+    SECRET_KEY: str = os.getenv("SECRET_KEY", secrets.token_urlsafe(32))
+    ALGORITHM: str = os.getenv("ALGORITHM", "HS256")
+    ACCESS_TOKEN_EXPIRE_MINUTES: int = int(os.getenv("ACCESS_TOKEN_EXPIRE_MINUTES", "1440"))  # 24小时
+    
+    # 数据库配置 - SQLite
+    DATABASE_URL: str = os.getenv("DATABASE_URL", "sqlite:///./caiyouhui.db")
+    
+    # CORS 配置
+    BACKEND_CORS_ORIGINS: List[str] = os.getenv(
+        "BACKEND_CORS_ORIGINS", 
+        "http://localhost:3000,http://localhost:5173"
+    ).split(",")
+    
+    # 调试模式
+    DEBUG: bool = os.getenv("DEBUG", "True").lower() == "true"
+    
+    # 文件上传
+    UPLOAD_DIR: str = os.getenv("UPLOAD_DIR", "./uploads")
+    MAX_UPLOAD_SIZE: int = int(os.getenv("MAX_UPLOAD_SIZE", "10485760"))  # 10MB
+    
+    # 邮箱验证（可选，后续添加）
+    SMTP_ENABLED: bool = os.getenv("SMTP_ENABLED", "False").lower() == "true"
+    SMTP_HOST: str = os.getenv("SMTP_HOST", "")
+    SMTP_PORT: int = int(os.getenv("SMTP_PORT", "587"))
+    SMTP_USER: str = os.getenv("SMTP_USER", "")
+    SMTP_PASSWORD: str = os.getenv("SMTP_PASSWORD", "")
+
+settings = Settings()

app/core/__init__.py

@@ -0,0 +1,38 @@
+# app/core/__init__.py
+from .security import (
+    # 便捷函数
+    create_access_token,
+    verify_access_token,
+    verify_password,
+    get_password_hash,
+    
+    # 类
+    PasswordHasher,
+    JWTManager,
+    PasswordValidator,
+    TokenUtils,
+    
+    # 实例
+    password_hasher,
+    password_validator,
+    token_utils,
+)
+
+__all__ = [
+    # 便捷函数
+    "create_access_token",
+    "verify_access_token",
+    "verify_password",
+    "get_password_hash",
+    
+    # 类
+    "PasswordHasher",
+    "JWTManager",
+    "PasswordValidator",
+    "TokenUtils",
+    
+    # 实例
+    "password_hasher",
+    "password_validator",
+    "token_utils",
+]

app/core/auth.py

@@ -0,0 +1,91 @@
+from passlib.context import CryptContext
+from jose import JWTError, jwt
+from datetime import datetime, timedelta
+from typing import Optional, Dict, Any, Union
+import secrets
+import string
+import re
+from ..config import settings
+
+# 密码上下文
+pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
+
+def verify_password(plain_password: str, hashed_password: str) -> bool:
+    """验证密码"""
+    return pwd_context.verify(plain_password, hashed_password)
+
+def get_password_hash(password: str) -> str:
+    """生成密码哈希"""
+    return pwd_context.hash(password)
+
+def create_access_token(data: dict, expires_delta: Optional[timedelta] = None) -> str:
+    """创建访问令牌"""
+    to_encode = data.copy()
+    
+    if expires_delta:
+        expire = datetime.utcnow() + expires_delta
+    else:
+        expire = datetime.utcnow() + timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
+    
+    to_encode.update({"exp": expire, "type": "access"})
+    encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
+    return encoded_jwt
+
+def create_refresh_token(data: dict) -> str:
+    """创建刷新令牌"""
+    to_encode = data.copy()
+    expire = datetime.utcnow() + timedelta(days=settings.REFRESH_TOKEN_EXPIRE_DAYS)
+    
+    to_encode.update({"exp": expire, "type": "refresh"})
+    encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
+    return encoded_jwt
+
+def create_verification_token(email: str) -> str:
+    """创建验证令牌"""
+    to_encode = {"email": email, "type": "verify"}
+    expire = datetime.utcnow() + timedelta(hours=settings.VERIFICATION_TOKEN_EXPIRE_HOURS)
+    
+    to_encode.update({"exp": expire})
+    encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
+    return encoded_jwt
+
+def create_reset_token(email: str) -> str:
+    """创建密码重置令牌"""
+    to_encode = {"email": email, "type": "reset"}
+    expire = datetime.utcnow() + timedelta(minutes=settings.RESET_TOKEN_EXPIRE_MINUTES)
+    
+    to_encode.update({"exp": expire})
+    encoded_jwt = jwt.encode(to_encode, settings.SECRET_KEY, algorithm=settings.ALGORITHM)
+    return encoded_jwt
+
+def decode_token(token: str) -> Optional[Dict[str, Any]]:
+    """解码令牌"""
+    try:
+        payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM])
+        return payload
+    except JWTError:
+        return None
+
+def generate_verification_code(length: int = 6) -> str:
+    """生成验证码"""
+    digits = string.digits
+    return ''.join(secrets.choice(digits) for _ in range(length))
+
+def validate_password_strength(password: str) -> tuple[bool, str]:
+    """验证密码强度"""
+    if len(password) < 8:
+        return False, "Password must be at least 8 characters long"
+    
+    if not re.search(r"[A-Z]", password):
+        return False, "Password must contain at least one uppercase letter"
+    
+    if not re.search(r"[a-z]", password):
+        return False, "Password must contain at least one lowercase letter"
+    
+    if not re.search(r"\d", password):
+        return False, "Password must contain at least one digit"
+    
+    if not re.search(r"[!@#$%^&*(),.?\":{}|<>]", password):
+        return False, "Password must contain at least one special character"
+    
+    return True, "Password is strong"

app/core/email.py

@@ -0,0 +1,159 @@
+from fastapi import BackgroundTasks
+from typing import Optional
+import smtplib
+from email.mime.text import MIMEText
+from email.mime.multipart import MIMEMultipart
+from jinja2 import Template
+import aiosmtplib
+from ..config import settings
+import os
+
+class EmailService:
+    def __init__(self):
+        self.smtp_host = settings.SMTP_HOST
+        self.smtp_port = settings.SMTP_PORT
+        self.smtp_user = settings.SMTP_USER
+        self.smtp_password = settings.SMTP_PASSWORD
+        self.from_email = settings.EMAILS_FROM_EMAIL
+        self.from_name = settings.EMAILS_FROM_NAME
+        
+    async def send_email_async(
+        self,
+        email_to: str,
+        subject: str,
+        html_content: str,
+        text_content: Optional[str] = None
+    ) -> bool:
+        """异步发送邮件"""
+        message = MIMEMultipart("alternative")
+        message["Subject"] = subject
+        message["From"] = f"{self.from_name} <{self.from_email}>"
+        message["To"] = email_to
+        
+        # 添加纯文本版本
+        if text_content:
+            part1 = MIMEText(text_content, "plain")
+            message.attach(part1)
+        
+        # 添加HTML版本
+        part2 = MIMEText(html_content, "html")
+        message.attach(part2)
+        
+        try:
+            await aiosmtplib.send(
+                message,
+                hostname=self.smtp_host,
+                port=self.smtp_port,
+                username=self.smtp_user,
+                password=self.smtp_password,
+                use_tls=True,
+            )
+            return True
+        except Exception as e:
+            print(f"Error sending email: {e}")
+            return False
+    
+    def send_email_sync(
+        self,
+        email_to: str,
+        subject: str,
+        html_content: str,
+        text_content: Optional[str] = None
+    ) -> bool:
+        """同步发送邮件"""
+        message = MIMEMultipart("alternative")
+        message["Subject"] = subject
+        message["From"] = f"{self.from_name} <{self.from_email}>"
+        message["To"] = email_to
+        
+        if text_content:
+            part1 = MIMEText(text_content, "plain")
+            message.attach(part1)
+        
+        part2 = MIMEText(html_content, "html")
+        message.attach(part2)
+        
+        try:
+            with smtplib.SMTP(self.smtp_host, self.smtp_port) as server:
+                server.starttls()
+                server.login(self.smtp_user, self.smtp_password)
+                server.send_message(message)
+            return True
+        except Exception as e:
+            print(f"Error sending email: {e}")
+            return False
+    
+    async def send_verification_email(
+        self,
+        email_to: str,
+        username: str,
+        verification_url: str,
+        verification_code: Optional[str] = None
+    ) -> bool:
+        """发送验证邮件"""
+        # 加载模板
+        template_path = os.path.join("templates", "email", "verify_email.html")
+        with open(template_path, "r") as f:
+            template_str = f.read()
+        
+        template = Template(template_str)
+        html_content = template.render(
+            username=username,
+            verification_url=verification_url,
+            verification_code=verification_code,
+            frontend_url=settings.FRONTEND_URL
+        )
+        
+        subject = "Verify Your Email Address"
+        text_content = f"Hello {username},\n\nPlease verify your email by clicking: {verification_url}"
+        
+        if verification_code:
+            text_content += f"\n\nOr use this verification code: {verification_code}"
+        
+        return await self.send_email_async(email_to, subject, html_content, text_content)
+    
+    async def send_password_reset_email(
+        self,
+        email_to: str,
+        username: str,
+        reset_url: str
+    ) -> bool:
+        """发送密码重置邮件"""
+        template_path = os.path.join("templates", "email", "reset_password.html")
+        with open(template_path, "r") as f:
+            template_str = f.read()
+        
+        template = Template(template_str)
+        html_content = template.render(
+            username=username,
+            reset_url=reset_url,
+            frontend_url=settings.FRONTEND_URL
+        )
+        
+        subject = "Password Reset Request"
+        text_content = f"Hello {username},\n\nClick here to reset your password: {reset_url}"
+        
+        return await self.send_email_async(email_to, subject, html_content, text_content)
+    
+    async def send_welcome_email(
+        self,
+        email_to: str,
+        username: str
+    ) -> bool:
+        """发送欢迎邮件"""
+        template_path = os.path.join("templates", "email", "welcome.html")
+        with open(template_path, "r") as f:
+            template_str = f.read()
+        
+        template = Template(template_str)
+        html_content = template.render(
+            username=username,
+            frontend_url=settings.FRONTEND_URL
+        )
+        
+        subject = "Welcome to Our Platform!"
+        text_content = f"Welcome {username}! We're glad to have you on board."
+        
+        return await self.send_email_async(email_to, subject, html_content, text_content)
+
+email_service = EmailService()

app/core/security.py

@@ -0,0 +1,394 @@
+# app/core/security.py
+import hashlib
+import secrets
+import base64
+import hmac
+import time
+import json
+from typing import Optional, Dict, Any, Tuple
+from datetime import datetime, timedelta
+import re
+
+# 密码哈希工具
+class PasswordHasher:
+    """密码哈希和验证工具（使用 PBKDF2）"""
+    
+    @staticmethod
+    def hash_password(password: str) -> str:
+        """哈希密码"""
+        # 生成随机盐（16字节）
+        salt = secrets.token_bytes(16)
+        
+        # 使用 PBKDF2-HMAC-SHA256
+        dk = hashlib.pbkdf2_hmac(
+            'sha256',
+            password.encode('utf-8'),
+            salt,
+            100000  # 迭代次数
+        )
+        
+        # 组合 salt + hash，然后 base64 编码
+        combined = salt + dk
+        return base64.b64encode(combined).decode('utf-8')
+    
+    @staticmethod
+    def verify_password(password: str, hashed_password: str) -> bool:
+        """验证密码"""
+        try:
+            # 解码 base64
+            decoded = base64.b64decode(hashed_password.encode('utf-8'))
+            
+            # 提取 salt (前16字节) 和存储的 hash
+            salt = decoded[:16]
+            stored_hash = decoded[16:]
+            
+            # 用相同的盐计算输入密码的 hash
+            dk = hashlib.pbkdf2_hmac(
+                'sha256',
+                password.encode('utf-8'),
+                salt,
+                100000
+            )
+            
+            # 使用常量时间比较防止时序攻击
+            return secrets.compare_digest(dk, stored_hash)
+            
+        except Exception:
+            return False
+
+# JWT 管理器
+class JWTManager:
+    """JWT 令牌管理工具"""
+    
+    def __init__(self, secret_key: str, algorithm: str = "HS256"):
+        self.secret_key = secret_key
+        self.algorithm = algorithm
+    
+    def create_access_token(
+        self, 
+        data: Dict[str, Any], 
+        expires_delta: Optional[timedelta] = None,
+        expires_minutes: Optional[int] = None
+    ) -> str:
+        """创建访问令牌
+        
+        Args:
+            data: 要编码的数据
+            expires_delta: 过期时间差
+            expires_minutes: 过期分钟数
+            
+        Returns:
+            str: JWT 令牌
+        """
+        return self.create_token(data, expires_delta, expires_minutes, token_type="access")
+    
+    def create_refresh_token(
+        self,
+        data: Dict[str, Any],
+        expires_delta: Optional[timedelta] = None,
+        expires_days: int = 7
+    ) -> str:
+        """创建刷新令牌
+        
+        Args:
+            data: 要编码的数据
+            expires_delta: 过期时间差
+            expires_days: 过期天数
+            
+        Returns:
+            str: JWT 刷新令牌
+        """
+        if expires_delta is None:
+            expires_delta = timedelta(days=expires_days)
+        return self.create_token(data, expires_delta, token_type="refresh")
+    
+    def create_verification_token(
+        self,
+        data: Dict[str, Any],
+        expires_delta: Optional[timedelta] = None,
+        expires_hours: int = 24
+    ) -> str:
+        """创建验证令牌（用于邮箱验证等）
+        
+        Args:
+            data: 要编码的数据
+            expires_delta: 过期时间差
+            expires_hours: 过期小时数
+            
+        Returns:
+            str: JWT 验证令牌
+        """
+        if expires_delta is None:
+            expires_delta = timedelta(hours=expires_hours)
+        return self.create_token(data, expires_delta, token_type="verify")
+    
+    def create_reset_token(
+        self,
+        data: Dict[str, Any],
+        expires_delta: Optional[timedelta] = None,
+        expires_minutes: int = 30
+    ) -> str:
+        """创建密码重置令牌
+        
+        Args:
+            data: 要编码的数据
+            expires_delta: 过期时间差
+            expires_minutes: 过期分钟数
+            
+        Returns:
+            str: JWT 重置令牌
+        """
+        if expires_delta is None:
+            expires_delta = timedelta(minutes=expires_minutes)
+        return self.create_token(data, expires_delta, token_type="reset")
+    
+    def create_token(
+        self, 
+        data: Dict[str, Any], 
+        expires_delta: Optional[timedelta] = None,
+        expires_minutes: Optional[int] = None,
+        token_type: str = "access"
+    ) -> str:
+        """创建 JWT 令牌（通用方法）
+        
+        Args:
+            data: 要编码的数据
+            expires_delta: 过期时间差
+            expires_minutes: 过期分钟数
+            token_type: 令牌类型
+            
+        Returns:
+            str: JWT 令牌
+        """
+        # 复制数据以避免修改原始数据
+        payload = data.copy()
+        
+        # 设置过期时间
+        if expires_delta:
+            expire = datetime.utcnow() + expires_delta
+        elif expires_minutes:
+            expire = datetime.utcnow() + timedelta(minutes=expires_minutes)
+        else:
+            expire = datetime.utcnow() + timedelta(minutes=30)  # 默认30分钟
+        
+        # 添加标准声明
+        payload.update({
+            "exp": int(expire.timestamp()),
+            "iat": int(datetime.utcnow().timestamp()),
+            "iss": "caiyouhui-api",
+            "type": token_type
+        })
+        
+        # 编码 header 和 payload
+        header = json.dumps({"alg": self.algorithm, "typ": "JWT"})
+        payload_str = json.dumps(payload)
+        
+        header_b64 = base64.urlsafe_b64encode(header.encode()).decode().rstrip('=')
+        payload_b64 = base64.urlsafe_b64encode(payload_str.encode()).decode().rstrip('=')
+        
+        # 创建签名
+        message = f"{header_b64}.{payload_b64}"
+        signature = hmac.new(
+            self.secret_key.encode(),
+            message.encode(),
+            hashlib.sha256
+        ).digest()
+        signature_b64 = base64.urlsafe_b64encode(signature).decode().rstrip('=')
+        
+        return f"{header_b64}.{payload_b64}.{signature_b64}"
+    
+    def verify_token(self, token: str) -> Optional[Dict[str, Any]]:
+        """验证 JWT 令牌
+        
+        Args:
+            token: JWT 令牌
+            
+        Returns:
+            Optional[Dict]: 解码后的数据，如果令牌无效则返回 None
+        """
+        try:
+            parts = token.split('.')
+            if len(parts) != 3:
+                return None
+            
+            header_b64, payload_b64, signature_b64 = parts
+            
+            # 验证签名
+            message = f"{header_b64}.{payload_b64}"
+            expected_signature = hmac.new(
+                self.secret_key.encode(),
+                message.encode(),
+                hashlib.sha256
+            ).digest()
+            expected_signature_b64 = base64.urlsafe_b64encode(expected_signature).decode().rstrip('=')
+            
+            # 使用常量时间比较
+            if not secrets.compare_digest(signature_b64, expected_signature_b64):
+                return None
+            
+            # 解码 payload
+            payload_json = base64.urlsafe_b64decode(payload_b64 + '=' * (4 - len(payload_b64) % 4)).decode()
+            payload = json.loads(payload_json)
+            
+            # 检查过期时间
+            if 'exp' in payload and payload['exp'] < int(time.time()):
+                return None
+            
+            return payload
+            
+        except Exception:
+            return None
+    
+    def decode_token(self, token: str) -> Optional[Dict[str, Any]]:
+        """解码令牌（不验证签名，用于调试）
+        
+        Args:
+            token: JWT 令牌
+            
+        Returns:
+            Optional[Dict]: 解码后的数据
+        """
+        try:
+            parts = token.split('.')
+            if len(parts) != 3:
+                return None
+            
+            _, payload_b64, _ = parts
+            
+            # 解码 payload
+            payload_json = base64.urlsafe_b64decode(payload_b64 + '=' * (4 - len(payload_b64) % 4)).decode()
+            return json.loads(payload_json)
+            
+        except Exception:
+            return None
+
+# 密码验证工具
+class PasswordValidator:
+    """密码强度验证工具"""
+    
+    @staticmethod
+    def validate_password_strength(password: str) -> Tuple[bool, str]:
+        """验证密码强度"""
+        # 检查最小长度
+        if len(password) < 8:
+            return False, "密码必须至少8个字符"
+        
+        # 检查最大长度
+        if len(password) > 100:
+            return False, "密码不能超过100个字符"
+        
+        # 检查是否包含大写字母
+        if not re.search(r'[A-Z]', password):
+            return False, "密码必须包含至少一个大写字母"
+        
+        # 检查是否包含小写字母
+        if not re.search(r'[a-z]', password):
+            return False, "密码必须包含至少一个小写字母"
+        
+        # 检查是否包含数字
+        if not re.search(r'\d', password):
+            return False, "密码必须包含至少一个数字"
+        
+        # 检查是否包含特殊字符
+        if not re.search(r'[!@#$%^&*(),.?":{}|<>]', password):
+            return False, "密码必须包含至少一个特殊字符"
+        
+        return True, "密码强度足够"
+
+# 令牌工具
+class TokenUtils:
+    """令牌相关工具"""
+    
+    @staticmethod
+    def generate_verification_code(length: int = 6) -> str:
+        """生成数字验证码"""
+        digits = '0123456789'
+        return ''.join(secrets.choice(digits) for _ in range(length))
+    
+    @staticmethod
+    def generate_reset_token(length: int = 32) -> str:
+        """生成密码重置令牌"""
+        return secrets.token_urlsafe(length)
+    
+    @staticmethod
+    def generate_api_key(length: int = 32) -> str:
+        """生成 API 密钥"""
+        import string
+        alphabet = string.ascii_letters + string.digits
+        return ''.join(secrets.choice(alphabet) for _ in range(length))
+
+# 导出的便捷函数
+def create_access_token(
+    data: Dict[str, Any],
+    secret_key: str,
+    expires_delta: Optional[timedelta] = None,
+    expires_minutes: int = 30,
+    algorithm: str = "HS256"
+) -> str:
+    """创建访问令牌（便捷函数）
+    
+    Args:
+        data: 要编码的数据
+        secret_key: 密钥
+        expires_delta: 过期时间差
+        expires_minutes: 过期分钟数
+        algorithm: 算法
+        
+    Returns:
+        str: JWT 令牌
+    """
+    jwt_manager = JWTManager(secret_key, algorithm)
+    return jwt_manager.create_access_token(data, expires_delta, expires_minutes)
+
+def verify_access_token(token: str, secret_key: str, algorithm: str = "HS256") -> Optional[Dict[str, Any]]:
+    """验证访问令牌（便捷函数）
+    
+    Args:
+        token: JWT 令牌
+        secret_key: 密钥
+        algorithm: 算法
+        
+    Returns:
+        Optional[Dict]: 解码后的数据
+    """
+    jwt_manager = JWTManager(secret_key, algorithm)
+    return jwt_manager.verify_token(token)
+
+def get_password_hash(password: str) -> str:
+    """哈希密码（便捷函数）
+    
+    Args:
+        password: 明文密码
+        
+    Returns:
+        str: 哈希后的密码
+    """
+    return PasswordHasher.hash_password(password)
+
+# 创建全局实例
+password_hasher = PasswordHasher()
+password_validator = PasswordValidator()
+token_utils = TokenUtils()
+
+# 导出函数（保持向后兼容）
+verify_password = password_hasher.verify_password
+
+# 导出的函数和类
+__all__ = [
+    # 便捷函数
+    "create_access_token",
+    "verify_access_token",
+    "verify_password",
+    "get_password_hash",
+    
+    # 类
+    "PasswordHasher",
+    "JWTManager",
+    "PasswordValidator",
+    "TokenUtils",
+    
+    # 实例
+    "password_hasher",
+    "password_validator",
+    "token_utils",
+]

app/database.py

@@ -0,0 +1,64 @@
+# app/database.py
+from sqlalchemy import create_engine
+from sqlalchemy.orm import sessionmaker, Session
+from sqlalchemy.ext.declarative import declarative_base
+from contextlib import contextmanager
+from typing import Generator
+import os
+
+from .config import settings
+
+# 创建数据库引擎
+engine = create_engine(
+    settings.DATABASE_URL,
+    connect_args={"check_same_thread": False} if "sqlite" in settings.DATABASE_URL else {},
+    echo=settings.DEBUG
+)
+
+# 创建会话工厂
+SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
+
+# 声明基类
+Base = declarative_base()
+
+def get_db() -> Generator[Session, None, None]:
+    """数据库会话依赖注入"""
+    db = SessionLocal()
+    try:
+        yield db
+    finally:
+        db.close()
+
+def init_db():
+    """初始化数据库表"""
+    from .models.user import User
+    Base.metadata.create_all(bind=engine)
+    print("✅ 数据库表创建完成")
+    
+    # 创建默认管理员用户
+    db = SessionLocal()
+    try:
+        # 检查是否已存在管理员
+        admin = db.query(User).filter(User.username == "admin").first()
+        if not admin:
+            from .core.security import password_hasher
+            admin_user = User(
+                username="admin",
+                email="admin@caiyouhui.com",
+                hashed_password=password_hasher.hash_password("Admin123!"),
+                full_name="系统管理员",
+                is_active=True,
+                is_verified=True,
+                is_superuser=True
+            )
+            db.add(admin_user)
+            db.commit()
+            print("✅ 默认管理员用户已创建")
+    except Exception as e:
+        print(f"⚠️  创建管理员用户时出错: {e}")
+        db.rollback()
+    finally:
+        db.close()
+
+# 导出
+__all__ = ["Base", "engine", "SessionLocal", "get_db", "init_db"]

app/dependencies/auth.py

@@ -0,0 +1,110 @@
+from fastapi import Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordBearer
+from sqlalchemy.orm import Session
+from jose import JWTError, jwt
+from typing import Optional
+
+from ..database import get_db
+from ..models.user import User
+from ..schemas.token import TokenData
+from ..config import settings
+
+oauth2_scheme = OAuth2PasswordBearer(
+    tokenUrl=f"{settings.API_V1_PREFIX}/auth/login",
+    auto_error=False
+)
+
+async def get_current_user(
+    token: Optional[str] = Depends(oauth2_scheme),
+    db: Session = Depends(get_db)
+) -> Optional[User]:
+    """获取当前用户"""
+    if not token:
+        print("dfsfdsfdfdsfd")
+        return None
+    
+    credentials_exception = HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Could not validate credentials",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+    
+    try:
+        payload = jwt.decode(token, settings.SECRET_KEY, algorithms=[settings.ALGORITHM])
+        username: str = payload.get("sub")
+        token_type: str = payload.get("type")
+        
+        if username is None or token_type != "access":
+            raise credentials_exception
+        
+        token_data = TokenData(username=username)
+    except JWTError:
+        raise credentials_exception
+    
+    user = db.query(User).filter(
+        User.username == token_data.username,
+        User.is_active == True
+    ).first()
+    
+    if user is None:
+        raise credentials_exception
+    
+    return user
+
+async def get_current_active_user(
+    current_user: User = Depends(get_current_user)
+) -> User:
+    """获取当前活跃用户"""
+    if not current_user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Not authenticated"
+        )
+    
+    if not current_user.is_active:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Inactive user"
+        )
+    
+    return current_user
+
+async def get_current_superuser(
+    current_user: User = Depends(get_current_user)
+) -> User:
+    """获取超级用户"""
+    if not current_user or not current_user.is_superuser:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Not enough permissions"
+        )
+    
+    return current_user
+
+def require_auth(current_user: Optional[User] = Depends(get_current_user)) -> User:
+    """要求认证的依赖"""
+    if not current_user:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Not authenticated"
+        )
+    return current_user
+
+# 权限检查装饰器
+def require_permission(permission: str):
+    """权限检查装饰器"""
+    def permission_dependency(
+        current_user: User = Depends(get_current_active_user)
+    ) -> User:
+        # 这里实现具体的权限检查逻辑
+        # 可以从数据库或缓存中获取用户权限
+        if not current_user.is_superuser:
+            # 检查用户是否有特定权限
+            user_permissions = []  # 从数据库获取
+            if permission not in user_permissions:
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="Insufficient permissions"
+                )
+        return current_user
+    return permission_dependency

app/dependencies/database.py

@@ -0,0 +1,15 @@
+# app/dependencies/database.py
+from sqlalchemy.orm import Session
+from contextlib import contextmanager
+from typing import Generator
+
+# ✅ 正确导入方式
+from app.database import SessionLocal
+
+def get_db() -> Generator[Session, None, None]:
+    """数据库会话依赖注入"""
+    db = SessionLocal()
+    try:
+        yield db
+    finally:
+        db.close()

app/logging_config.py

@@ -0,0 +1,89 @@
+# app/logging_config.py
+import logging
+import logging.handlers  # ✅ 这里导入 handlers
+import os
+from datetime import datetime
+
+def setup_logging_with_rotation():
+    """配置带轮转的日志系统"""
+    
+    # 创建日志目录
+    log_dir = "logs"
+    os.makedirs(log_dir, exist_ok=True)
+    
+    # 主日志文件
+    main_log_file = os.path.join(log_dir, "app.log")
+    
+    # 配置根日志记录器
+    root_logger = logging.getLogger()
+    root_logger.setLevel(logging.INFO)
+    
+    # 清除现有的处理器
+    root_logger.handlers.clear()
+    
+    # 1. 控制台处理器
+    console_handler = logging.StreamHandler()
+    console_handler.setLevel(logging.INFO)
+    
+    # 2. 文件处理器 - 轮转，最大10MB，保留5个备份
+    file_handler = logging.handlers.RotatingFileHandler(  # ✅ 使用完整的路径
+        main_log_file,
+        maxBytes=10 * 1024 * 1024,  # 10MB
+        backupCount=5,
+        encoding='utf-8'
+    )
+    file_handler.setLevel(logging.DEBUG)
+    
+    # 3. 错误日志处理器 - 单独记录错误
+    error_log_file = os.path.join(log_dir, "error.log")
+    error_handler = logging.handlers.RotatingFileHandler(
+        error_log_file,
+        maxBytes=5 * 1024 * 1024,  # 5MB
+        backupCount=3,
+        encoding='utf-8'
+    )
+    error_handler.setLevel(logging.ERROR)
+    
+    # 设置日志格式
+    detailed_formatter = logging.Formatter(
+        '%(asctime)s - %(name)s - %(levelname)s - [%(filename)s:%(lineno)d] - %(message)s',
+        datefmt='%Y-%m-%d %H:%M:%S'
+    )
+    
+    simple_formatter = logging.Formatter(
+        '%(asctime)s - %(levelname)s - %(message)s',
+        datefmt='%H:%M:%S'
+    )
+    
+    console_handler.setFormatter(simple_formatter)
+    file_handler.setFormatter(detailed_formatter)
+    error_handler.setFormatter(detailed_formatter)
+    
+    # 添加过滤器到错误处理器
+    class ErrorFilter(logging.Filter):
+        def filter(self, record):
+            return record.levelno >= logging.ERROR
+    
+    error_handler.addFilter(ErrorFilter())
+    
+    # 添加处理器
+    root_logger.addHandler(console_handler)
+    root_logger.addHandler(file_handler)
+    root_logger.addHandler(error_handler)
+    
+    # 配置第三方库的日志级别
+    logging.getLogger("uvicorn").setLevel(logging.WARNING)
+    logging.getLogger("uvicorn.access").setLevel(logging.WARNING)
+    logging.getLogger("sqlalchemy.engine").setLevel(logging.WARNING)
+    logging.getLogger("sqlalchemy.orm").setLevel(logging.WARNING)
+
+    # 配置我们应用的日志级别
+    logging.getLogger("app").setLevel(logging.DEBUG)
+    logging.getLogger("app.api.v1").setLevel(logging.DEBUG)
+    logging.getLogger("app.core.security").setLevel(logging.DEBUG)
+    
+    root_logger.info(f"✅ 轮转日志系统初始化完成")
+    root_logger.info(f"   主日志文件: {main_log_file}")
+    root_logger.info(f"   错误日志文件: {error_log_file}")
+    
+    return root_logger

app/main.py

@@ -0,0 +1,83 @@
+# app/main.py - 简化版本
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+from app.logging_config import setup_logging_with_rotation
+import logging
+import os
+
+# 配置
+from .config import settings
+
+# 配置日志
+logging.basicConfig(
+    level=logging.INFO,
+    # format='%(asctime)s - %(name)s - %(levelname)s - %(message)s',
+    # datefmt='%Y-%m-%d %H:%M:%S',
+    # handlers=[
+    #     logging.StreamHandler(),  # 控制台
+    #     logging.FileHandler('app/logs/app.log', encoding='utf-8')  # 文件
+    # ]
+)
+# 为特定模块设置更详细的日志
+logging.getLogger("app.api.v1").setLevel(logging.DEBUG)
+logging.getLogger("app.core.security").setLevel(logging.DEBUG)
+
+logger = logging.getLogger(__name__)
+logger.info("✅ 日志配置完成")
+
+# logger = setup_logging_with_rotation
+
+
+
+# 创建 FastAPI 应用
+app = FastAPI(
+    title=settings.PROJECT_NAME,
+    version=settings.VERSION,
+    docs_url="/docs" if settings.DEBUG else None,
+    redoc_url="/redoc" if settings.DEBUG else None
+)
+
+# 配置CORS
+if settings.BACKEND_CORS_ORIGINS:
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origins=settings.BACKEND_CORS_ORIGINS,
+        allow_credentials=True,
+        allow_methods=["*"],
+        allow_headers=["*"],
+    )
+
+# 导入并注册路由
+try:
+    # 导入所有路由模块
+    # from .api.v1.admin import router as admin_router
+    from .api.v1.auth import router as auth_router
+    from .api.v1.users import router as users_router
+    # from .api.v1.verify import router as verify_router
+    
+    # 注册路由
+    app.include_router(auth_router, prefix=settings.API_V1_PREFIX)
+    app.include_router(users_router, prefix=settings.API_V1_PREFIX)
+    # app.include_router(verify_router, prefix=settings.API_V1_PREFIX)
+    
+    logger.info("✅ API 路由注册成功")
+    
+except ImportError as e:
+    logger.warning(f"⚠️  部分路由模块未找到: {e}")
+
+# 系统级路由
+@app.get("/health")
+async def health_check():
+    return {"status": "healthy", "service": settings.PROJECT_NAME}
+
+@app.get("/")
+async def root():
+    return {
+        "message": f"Welcome to {settings.PROJECT_NAME} API",
+        "version": settings.VERSION,
+        "docs": "/docs"
+    }
+
+if __name__ == "__main__":
+    import uvicorn
+    uvicorn.run(app, host="0.0.0.0", port=10003, reload=settings.DEBUG)

app/models/token.py

@@ -0,0 +1,31 @@
+from sqlalchemy import Column, Integer, String, DateTime, Boolean, ForeignKey
+from sqlalchemy.orm import relationship
+from sqlalchemy.sql import func
+from datetime import datetime
+from ..database import Base
+
+class Token(Base):
+    __tablename__ = "tokens"
+    
+    id = Column(Integer, primary_key=True, index=True)
+    
+    # Token信息
+    token = Column(String(500), nullable=False, index=True)
+    token_type = Column(String(50), nullable=False)  # access, refresh, verify, reset
+    expires_at = Column(DateTime, nullable=False)
+    is_revoked = Column(Boolean, default=False)
+    
+    # 用户关联
+    user_id = Column(Integer, ForeignKey("users.id"), nullable=False)
+    user = relationship("User", back_populates="tokens")
+    
+    # 额外信息
+    ip_address = Column(String(45), nullable=True)
+    user_agent = Column(String(500), nullable=True)
+    created_at = Column(DateTime(timezone=True), server_default=func.now())
+    
+    def is_expired(self):
+        return datetime.utcnow() > self.expires_at
+    
+    def __repr__(self):
+        return f"<Token {self.token_type} for user {self.user_id}>"

app/models/user.py

@@ -0,0 +1,39 @@
+# app/models/user.py
+from sqlalchemy import Column, Integer, String, Boolean, DateTime, Text
+from sqlalchemy.sql import func
+from ..database import Base
+
+class User(Base):
+    __tablename__ = "users"
+    
+    id = Column(Integer, primary_key=True, index=True)
+    username = Column(String(50), unique=True, index=True, nullable=False)
+    email = Column(String(100), unique=True, index=True, nullable=False)
+    hashed_password = Column(String(255), nullable=False)
+    
+    # 用户状态
+    is_active = Column(Boolean, default=True)
+    is_verified = Column(Boolean, default=False)
+    is_superuser = Column(Boolean, default=False)
+    is_locked = Column(Boolean, default=False)
+    
+    # 个人信息
+    full_name = Column(String(100), nullable=True)
+    phone = Column(String(20), nullable=True)
+    avatar = Column(Text, nullable=True)
+    
+    # 时间戳
+    created_at = Column(DateTime(timezone=True), server_default=func.now())
+    updated_at = Column(DateTime(timezone=True), onupdate=func.now())
+    last_login = Column(DateTime, nullable=True)
+    last_password_change = Column(DateTime, nullable=True)
+    
+    # 安全相关
+    failed_login_attempts = Column(Integer, default=0)
+    verification_token = Column(String(255), nullable=True)
+    verification_token_expires = Column(DateTime, nullable=True)
+    reset_token = Column(String(255), nullable=True)
+    reset_token_expires = Column(DateTime, nullable=True)
+    
+    def __repr__(self):
+        return f"<User {self.username}>"

app/schemas/__init__.py

@@ -0,0 +1,42 @@
+# app/schemas/__init__.py
+# 导出所有 schemas
+
+# Token 相关
+from .token import (
+    Token,
+    TokenResponse,
+    TokenData,
+    TokenPayload,
+    RefreshTokenRequest,
+    TokenCreate
+)
+
+# User 相关
+from .user import (
+    UserBase,
+    UserCreate,
+    UserLogin,
+    UserUpdate,
+    UserResponse,
+    UserProfile,
+    PasswordChange
+)
+
+__all__ = [
+    # Token
+    "Token",
+    "TokenResponse",
+    "TokenData",
+    "TokenPayload",
+    "RefreshTokenRequest",
+    "TokenCreate",
+    
+    # User
+    "UserBase",
+    "UserCreate",
+    "UserLogin",
+    "UserUpdate",
+    "UserResponse",
+    "UserProfile",
+    "PasswordChange",
+]

app/schemas/auth.py

@@ -0,0 +1,41 @@
+from pydantic import BaseModel, Field
+from typing import Optional
+from datetime import datetime
+from .user import UserResponse
+
+class TokenBase(BaseModel):
+    access_token: str
+    refresh_token: Optional[str] = None
+    token_type: str = "bearer"
+    expires_in: int
+
+class TokenResponse(TokenBase):
+    user: UserResponse
+
+class LoginRequest(BaseModel):
+    username: str = Field(..., min_length=1)
+    password: str = Field(..., min_length=1)
+
+class EmailVerifyRequest(BaseModel):
+    email: str
+
+class ResetPasswordRequest(BaseModel):
+    token: str
+    new_password: str = Field(..., min_length=8, max_length=100)
+    confirm_password: str
+    
+    class Config:
+        schema_extra = {
+            "example": {
+                "username": "john_doe",
+                "email": "user@example.com"
+            }
+        }
+
+class RefreshTokenRequest(BaseModel):
+    refresh_token: str
+
+class OAuth2Request(BaseModel):
+    provider: str  # google, github, facebook
+    code: str
+    redirect_uri: str

app/schemas/token.py

@@ -0,0 +1,48 @@
+# app/schemas/token.py
+from pydantic import BaseModel, Field
+from typing import Optional
+from datetime import datetime
+
+class Token(BaseModel):
+    """令牌响应模型"""
+    access_token: str
+    token_type: str = "bearer"
+    expires_in: Optional[int] = None
+    refresh_token: Optional[str] = None
+
+class TokenResponse(Token):
+    """带用户信息的令牌响应"""
+    user: dict
+
+class TokenData(BaseModel):
+    """令牌数据模型"""
+    username: Optional[str] = None
+    user_id: Optional[int] = None
+    email: Optional[str] = None
+    exp: Optional[int] = None
+    iat: Optional[int] = None
+
+class TokenPayload(BaseModel):
+    """令牌载荷"""
+    sub: Optional[str] = None
+    exp: Optional[datetime] = None
+
+class RefreshTokenRequest(BaseModel):
+    """刷新令牌请求"""
+    refresh_token: str
+
+class TokenCreate(BaseModel):
+    """创建令牌请求"""
+    user_id: int
+    username: str
+    email: str
+
+# 导出所有模型
+__all__ = [
+    "Token",
+    "TokenResponse",
+    "TokenData",
+    "TokenPayload",
+    "RefreshTokenRequest",
+    "TokenCreate"
+]

app/schemas/user.py

@@ -0,0 +1,68 @@
+# app/schemas/user.py
+from pydantic import BaseModel, EmailStr, Field, validator
+from typing import Optional
+from datetime import datetime
+
+class UserBase(BaseModel):
+    """用户基础模型"""
+    username: str = Field(..., min_length=3, max_length=50, example="john_doe")
+    email: EmailStr = Field(..., example="user@example.com")
+    full_name: Optional[str] = Field(None, example="John Doe")
+
+class UserCreate(UserBase):
+    """创建用户模型"""
+    password: str = Field(..., min_length=6, example="password123")
+    password_confirm: str = Field(..., example="password123")
+    
+    @validator('password_confirm')
+    def passwords_match(cls, v, values, **kwargs):
+        if 'password' in values and v != values['password']:
+            raise ValueError('密码不匹配')
+        return v
+
+class UserLogin(BaseModel):
+    """用户登录模型"""
+    username: str = Field(..., example="john_doe")
+    password: str = Field(..., example="password123")
+
+class UserUpdate(BaseModel):
+    """更新用户模型"""
+    full_name: Optional[str] = None
+    email: Optional[EmailStr] = None
+
+class UserResponse(UserBase):
+    """用户响应模型"""
+    id: int
+    is_active: bool = True
+    is_verified: bool = False
+    created_at: datetime
+    
+    class Config:
+        from_attributes = True
+
+class UserProfile(UserResponse):
+    """用户详情模型"""
+    last_login: Optional[datetime] = None
+    avatar: Optional[str] = None
+
+class PasswordChange(BaseModel):
+    """修改密码模型"""
+    current_password: str
+    new_password: str = Field(..., min_length=6)
+    confirm_password: str
+    
+    @validator('confirm_password')
+    def passwords_match(cls, v, values, **kwargs):
+        if 'new_password' in values and v != values['new_password']:
+            raise ValueError('新密码不匹配')
+        return v
+
+__all__ = [
+    "UserBase",
+    "UserCreate",
+    "UserLogin",
+    "UserUpdate",
+    "UserResponse",
+    "UserProfile",
+    "PasswordChange"
+]

app/services/auth_service.py

@@ -0,0 +1,498 @@
+from typing import Optional, Dict, Any, Tuple
+from datetime import datetime, timedelta
+from sqlalchemy.orm import Session
+from fastapi import HTTPException, status, BackgroundTasks
+import secrets
+import string
+
+from ..models.user import User
+from ..models.token import Token
+from ..schemas.auth import LoginRequest, TokenResponse
+from ..core.security import (
+    verify_password,
+    create_access_token,
+    create_refresh_token,
+    create_verification_token,
+    create_reset_token,
+    decode_token,
+    generate_verification_code
+)
+from ..core.email import email_service
+from ..config import settings
+
+class AuthService:
+    def __init__(self, db: Session):
+        self.db = db
+    
+    async def register_user(
+        self,
+        user_data: Dict[str, Any],
+        background_tasks: BackgroundTasks,
+        ip_address: Optional[str] = None,
+        user_agent: Optional[str] = None
+    ) -> User:
+        """注册新用户"""
+        # 检查用户是否存在
+        existing_user = self.db.query(User).filter(
+            (User.username == user_data["username"]) | 
+            (User.email == user_data["email"])
+        ).first()
+        
+        if existing_user:
+            if existing_user.username == user_data["username"]:
+                raise HTTPException(
+                    status_code=status.HTTP_400_BAD_REQUEST,
+                    detail="Username already registered"
+                )
+            else:
+                raise HTTPException(
+                    status_code=status.HTTP_400_BAD_REQUEST,
+                    detail="Email already registered"
+                )
+        
+        # 创建用户
+        from ..core.security import get_password_hash
+        hashed_password = get_password_hash(user_data["password"])
+        
+        user = User(
+            username=user_data["username"],
+            email=user_data["email"],
+            hashed_password=hashed_password,
+            first_name=user_data.get("first_name"),
+            last_name=user_data.get("last_name"),
+            is_active=False,  # 需要邮箱验证
+            is_verified=False
+        )
+        
+        # 生成验证码
+        verification_code = generate_verification_code()
+        user.verification_code = verification_code
+        user.verification_code_expires = datetime.utcnow() + timedelta(hours=24)
+        
+        self.db.add(user)
+        self.db.commit()
+        self.db.refresh(user)
+        
+        # 发送验证邮件（后台任务）
+        verification_token = create_verification_token(user.email)
+        verification_url = f"{settings.FRONTEND_URL}/verify-email?token={verification_token}"
+        
+        background_tasks.add_task(
+            email_service.send_verification_email,
+            user.email,
+            user.username,
+            verification_url,
+            verification_code
+        )
+        
+        return user
+    
+    async def login(
+        self,
+        login_data: LoginRequest,
+        ip_address: Optional[str] = None,
+        user_agent: Optional[str] = None
+    ) -> Tuple[TokenResponse, User]:
+        """用户登录"""
+        user = self.db.query(User).filter(
+            (User.username == login_data.username) | 
+            (User.email == login_data.username)
+        ).first()
+        
+        if not user:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Incorrect username or password"
+            )
+        
+        # 检查账户是否被锁定
+        if user.is_locked and user.locked_until and user.locked_until > datetime.utcnow():
+            raise HTTPException(
+                status_code=status.HTTP_423_LOCKED,
+                detail=f"Account is locked until {user.locked_until}"
+            )
+        
+        # 验证密码
+        if not verify_password(login_data.password, user.hashed_password):
+            # 记录失败尝试
+            user.failed_login_attempts += 1
+            
+            # 如果失败次数超过5次，锁定账户
+            if user.failed_login_attempts >= 5:
+                user.is_locked = True
+                user.locked_until = datetime.utcnow() + timedelta(minutes=30)
+            
+            self.db.commit()
+            
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Incorrect username or password"
+            )
+        
+        # 检查邮箱是否已验证
+        if not user.is_verified:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Email not verified"
+            )
+        
+        # 检查账户是否激活
+        if not user.is_active:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="Account is not active"
+            )
+        
+        # 重置失败尝试次数
+        user.failed_login_attempts = 0
+        user.last_login = datetime.utcnow()
+        user.is_locked = False
+        user.locked_until = None
+        self.db.commit()
+        
+        # 创建令牌
+        access_token = create_access_token({"sub": user.username, "user_id": user.id})
+        refresh_token = create_refresh_token({"sub": user.username, "user_id": user.id})
+        
+        # 保存刷新令牌到数据库
+        refresh_token_entry = Token(
+            token=refresh_token,
+            token_type="refresh",
+            expires_at=datetime.utcnow() + timedelta(days=settings.REFRESH_TOKEN_EXPIRE_DAYS),
+            user_id=user.id,
+            ip_address=ip_address,
+            user_agent=user_agent
+        )
+        
+        self.db.add(refresh_token_entry)
+        self.db.commit()
+        
+        # 构建响应
+        token_response = TokenResponse(
+            access_token=access_token,
+            refresh_token=refresh_token,
+            expires_in=settings.ACCESS_TOKEN_EXPIRE_MINUTES * 60,
+            user=user
+        )
+        
+        return token_response, user
+    
+    async def verify_email(
+        self,
+        token: str,
+        code: Optional[str] = None
+    ) -> bool:
+        """验证邮箱"""
+        payload = decode_token(token)
+        
+        if not payload or payload.get("type") != "verify":
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Invalid verification token"
+            )
+        
+        email = payload.get("email")
+        if not email:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Invalid token payload"
+            )
+        
+        user = self.db.query(User).filter(User.email == email).first()
+        
+        if not user:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail="User not found"
+            )
+        
+        if user.is_verified:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Email already verified"
+            )
+        
+        # 验证码验证
+        if code:
+            if (not user.verification_code or 
+                user.verification_code != code or
+                not user.verification_code_expires or
+                user.verification_code_expires < datetime.utcnow()):
+                raise HTTPException(
+                    status_code=status.HTTP_400_BAD_REQUEST,
+                    detail="Invalid or expired verification code"
+                )
+        
+        # 更新用户状态
+        user.is_verified = True
+        user.is_active = True
+        user.verification_code = None
+        user.verification_code_expires = None
+        self.db.commit()
+        
+        # 发送欢迎邮件
+        await email_service.send_welcome_email(user.email, user.username)
+        
+        return True
+    
+    async def resend_verification_email(
+        self,
+        email: str,
+        background_tasks: BackgroundTasks
+    ) -> bool:
+        """重新发送验证邮件"""
+        user = self.db.query(User).filter(User.email == email).first()
+        
+        if not user:
+            # 出于安全考虑，即使用户不存在也返回成功
+            return True
+        
+        if user.is_verified:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Email already verified"
+            )
+        
+        # 生成新的验证码
+        verification_code = generate_verification_code()
+        user.verification_code = verification_code
+        user.verification_code_expires = datetime.utcnow() + timedelta(hours=24)
+        
+        self.db.commit()
+        
+        # 发送验证邮件
+        verification_token = create_verification_token(user.email)
+        verification_url = f"{settings.FRONTEND_URL}/verify-email?token={verification_token}"
+        
+        background_tasks.add_task(
+            email_service.send_verification_email,
+            user.email,
+            user.username,
+            verification_url,
+            verification_code
+        )
+        
+        return True
+    
+    async def request_password_reset(
+        self,
+        email: str,
+        background_tasks: BackgroundTasks
+    ) -> bool:
+        """请求密码重置"""
+        user = self.db.query(User).filter(User.email == email).first()
+        
+        if not user:
+            # 出于安全考虑，即使用户不存在也返回成功
+            return True
+        
+        if not user.is_active:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Account is not active"
+            )
+        
+        # 生成重置令牌
+        reset_token = create_reset_token(user.email)
+        reset_url = f"{settings.FRONTEND_URL}/reset-password?token={reset_token}"
+        
+        # 保存重置令牌到数据库
+        reset_token_entry = Token(
+            token=reset_token,
+            token_type="reset",
+            expires_at=datetime.utcnow() + timedelta(minutes=settings.RESET_TOKEN_EXPIRE_MINUTES),
+            user_id=user.id
+        )
+        
+        self.db.add(reset_token_entry)
+        self.db.commit()
+        
+        # 发送重置邮件
+        background_tasks.add_task(
+            email_service.send_password_reset_email,
+            user.email,
+            user.username,
+            reset_url
+        )
+        
+        return True
+    
+    async def reset_password(
+        self,
+        token: str,
+        new_password: str
+    ) -> bool:
+        """重置密码"""
+        # 验证令牌
+        payload = decode_token(token)
+        
+        if not payload or payload.get("type") != "reset":
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Invalid reset token"
+            )
+        
+        email = payload.get("email")
+        if not email:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Invalid token payload"
+            )
+        
+        # 检查令牌是否在数据库中且未过期
+        token_entry = self.db.query(Token).filter(
+            Token.token == token,
+            Token.token_type == "reset",
+            Token.is_revoked == False,
+            Token.expires_at > datetime.utcnow()
+        ).first()
+        
+        if not token_entry:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Invalid or expired reset token"
+            )
+        
+        user = self.db.query(User).filter(User.email == email).first()
+        
+        if not user:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail="User not found"
+            )
+        
+        if not user.is_active:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Account is not active"
+            )
+        
+        # 更新密码
+        from ..core.security import get_password_hash
+        user.hashed_password = get_password_hash(new_password)
+        user.last_password_change = datetime.utcnow()
+        
+        # 撤销所有现有令牌
+        self.db.query(Token).filter(
+            Token.user_id == user.id,
+            Token.token_type.in_(["access", "refresh"])
+        ).update({"is_revoked": True})
+        
+        # 标记重置令牌为已使用
+        token_entry.is_revoked = True
+        
+        self.db.commit()
+        
+        return True
+    
+    async def refresh_token(
+        self,
+        refresh_token: str,
+        ip_address: Optional[str] = None,
+        user_agent: Optional[str] = None
+    ) -> TokenResponse:
+        """刷新访问令牌"""
+        # 验证刷新令牌
+        payload = decode_token(refresh_token)
+        
+        if not payload or payload.get("type") != "refresh":
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid refresh token"
+            )
+        
+        # 检查令牌是否在数据库中且有效
+        token_entry = self.db.query(Token).filter(
+            Token.token == refresh_token,
+            Token.token_type == "refresh",
+            Token.is_revoked == False,
+            Token.expires_at > datetime.utcnow()
+        ).first()
+        
+        if not token_entry:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid refresh token"
+            )
+        
+        username = payload.get("sub")
+        user_id = payload.get("user_id")
+        
+        if not username or not user_id:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid token payload"
+            )
+        
+        user = self.db.query(User).filter(
+            User.id == user_id,
+            User.username == username,
+            User.is_active == True
+        ).first()
+        
+        if not user:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="User not found or inactive"
+            )
+        
+        # 创建新的访问令牌
+        access_token = create_access_token({"sub": user.username, "user_id": user.id})
+        
+        # 可选：创建新的刷新令牌（刷新令牌轮换）
+        new_refresh_token = create_refresh_token({"sub": user.username, "user_id": user.id})
+        
+        # 保存新的刷新令牌
+        new_refresh_token_entry = Token(
+            token=new_refresh_token,
+            token_type="refresh",
+            expires_at=datetime.utcnow() + timedelta(days=settings.REFRESH_TOKEN_EXPIRE_DAYS),
+            user_id=user.id,
+            ip_address=ip_address,
+            user_agent=user_agent
+        )
+        
+        # 标记旧令牌为已撤销
+        token_entry.is_revoked = True
+        
+        self.db.add(new_refresh_token_entry)
+        self.db.commit()
+        
+        # 构建响应
+        return TokenResponse(
+            access_token=access_token,
+            refresh_token=new_refresh_token,
+            expires_in=settings.ACCESS_TOKEN_EXPIRE_MINUTES * 60,
+            user=user
+        )
+    
+    async def logout(
+        self,
+        refresh_token: str
+    ) -> bool:
+        """用户登出"""
+        # 撤销刷新令牌
+        token_entry = self.db.query(Token).filter(
+            Token.token == refresh_token,
+            Token.token_type == "refresh"
+        ).first()
+        
+        if token_entry:
+            token_entry.is_revoked = True
+            self.db.commit()
+        
+        return True
+    
+    async def logout_all(
+        self,
+        user_id: int
+    ) -> bool:
+        """撤销用户的所有令牌"""
+        self.db.query(Token).filter(
+            Token.user_id == user_id,
+            Token.token_type.in_(["access", "refresh"]),
+            Token.is_revoked == False
+        ).update({"is_revoked": True})
+        
+        self.db.commit()
+        return True

app/services/user_service.py

@@ -0,0 +1,169 @@
+# app/services/user_service.py
+from sqlalchemy.orm import Session
+from sqlalchemy import or_
+from typing import Optional, List
+from datetime import datetime
+
+from ..models.user import User
+from ..core.security import password_hasher, password_validator
+from ..schemas.user import UserCreate, UserUpdate, UserResponse
+
+class UserService:
+    """用户服务"""
+    
+    def __init__(self, db: Session):
+        self.db = db
+    
+    async def create_user(self, user_data: UserCreate) -> User:
+        """创建用户"""
+        # 验证密码强度
+        is_valid, error_msg = password_validator.validate_password_strength(user_data.password)
+        if not is_valid:
+            raise ValueError(error_msg)
+        
+        # 检查用户是否已存在
+        existing_user = self.db.query(User).filter(
+            or_(
+                User.username == user_data.username,
+                User.email == user_data.email
+            )
+        ).first()
+        
+        if existing_user:
+            if existing_user.username == user_data.username:
+                raise ValueError("用户名已存在")
+            else:
+                raise ValueError("邮箱已被注册")
+        
+        # 哈希密码
+        hashed_password = password_hasher.hash_password(user_data.password)
+        
+        # 创建用户
+        user = User(
+            username=user_data.username,
+            email=user_data.email,
+            hashed_password=hashed_password,
+            full_name=user_data.full_name,
+            is_active=True,
+            is_verified=False
+        )
+        
+        self.db.add(user)
+        self.db.commit()
+        self.db.refresh(user)
+        
+        return user
+    
+    async def get_user_by_id(self, user_id: int) -> Optional[User]:
+        """通过ID获取用户"""
+        return self.db.query(User).filter(User.id == user_id).first()
+    
+    async def get_user_by_username(self, username: str) -> Optional[User]:
+        """通过用户名获取用户"""
+        return self.db.query(User).filter(User.username == username).first()
+    
+    async def get_user_by_email(self, email: str) -> Optional[User]:
+        """通过邮箱获取用户"""
+        return self.db.query(User).filter(User.email == email).first()
+    
+    async def authenticate_user(self, username: str, password: str) -> Optional[User]:
+        """验证用户"""
+        # 通过用户名或邮箱查找用户
+        user = self.db.query(User).filter(
+            or_(
+                User.username == username,
+                User.email == username
+            )
+        ).first()
+        
+        if not user:
+            return None
+        
+        if not password_hasher.verify_password(password, user.hashed_password):
+            # 记录失败尝试
+            user.failed_login_attempts += 1
+            if user.failed_login_attempts >= 5:
+                user.is_locked = True
+            self.db.commit()
+            return None
+        
+        # 重置失败尝试
+        user.failed_login_attempts = 0
+        user.last_login = datetime.now()
+        user.is_locked = False
+        self.db.commit()
+        
+        return user
+    
+    async def update_user(self, user_id: int, update_data: dict) -> Optional[User]:
+        """更新用户信息"""
+        user = await self.get_user_by_id(user_id)
+        if not user:
+            return None
+        
+        for key, value in update_data.items():
+            if hasattr(user, key) and value is not None:
+                setattr(user, key, value)
+        
+        user.updated_at = datetime.now()
+        self.db.commit()
+        self.db.refresh(user)
+        
+        return user
+    
+    async def change_password(self, user_id: int, current_password: str, new_password: str) -> bool:
+        """修改密码"""
+        user = await self.get_user_by_id(user_id)
+        if not user:
+            return False
+        
+        # 验证当前密码
+        if not password_hasher.verify_password(current_password, user.hashed_password):
+            return False
+        
+        # 验证新密码强度
+        is_valid, error_msg = password_validator.validate_password_strength(new_password)
+        if not is_valid:
+            raise ValueError(error_msg)
+        
+        # 更新密码
+        user.hashed_password = password_hasher.hash_password(new_password)
+        user.last_password_change = datetime.now()
+        self.db.commit()
+        
+        return True
+    
+    async def list_users(
+        self, 
+        skip: int = 0, 
+        limit: int = 100,
+        active_only: bool = True
+    ) -> List[User]:
+        """列出用户"""
+        query = self.db.query(User)
+        
+        if active_only:
+            query = query.filter(User.is_active == True)
+        
+        return query.offset(skip).limit(limit).all()
+    
+    async def delete_user(self, user_id: int) -> bool:
+        """删除用户（软删除）"""
+        user = await self.get_user_by_id(user_id)
+        if not user:
+            return False
+        
+        user.is_active = False
+        user.updated_at = datetime.now()
+        self.db.commit()
+        
+        return True
+    
+    async def count_users(self, active_only: bool = True) -> int:
+        """统计用户数量"""
+        query = self.db.query(User)
+        
+        if active_only:
+            query = query.filter(User.is_active == True)
+        
+        return query.count()

init_db.py

@@ -0,0 +1,13 @@
+# init_db.py
+import sys
+import os
+
+# 添加项目根目录到 Python 路径
+sys.path.append(os.path.dirname(os.path.abspath(__file__)))
+
+from app.database import init_db
+
+if __name__ == "__main__":
+    print("🔄 正在初始化数据库...")
+    init_db()
+    print("✅ 数据库初始化完成！")

requirements.txt

@@ -0,0 +1,7 @@
+# fastapi==0.104.1
+# uvicorn[standard]==0.24.0
+# sqlalchemy==2.0.23
+# pydantic==2.5.0
+# python-dotenv==1.0.0
+# python-multipart==0.0.6
+# werkzeug==3.0.1  # 替代 passlib

templates/email/verify_email.html

@@ -0,0 +1,86 @@
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Verify Your Email</title>
+    <style>
+        body {
+            font-family: Arial, sans-serif;
+            line-height: 1.6;
+            color: #333;
+            max-width: 600px;
+            margin: 0 auto;
+            padding: 20px;
+        }
+        .container {
+            background-color: #f9f9f9;
+            border-radius: 10px;
+            padding: 30px;
+            margin-top: 20px;
+        }
+        .header {
+            text-align: center;
+            margin-bottom: 30px;
+        }
+        .logo {
+            max-width: 150px;
+            margin-bottom: 20px;
+        }
+        .button {
+            display: inline-block;
+            background-color: #4CAF50;
+            color: white;
+            padding: 12px 24px;
+            text-decoration: none;
+            border-radius: 5px;
+            margin: 20px 0;
+        }
+        .code {
+            background-color: #f0f0f0;
+            padding: 10px;
+            border-radius: 5px;
+            font-family: monospace;
+            font-size: 18px;
+            text-align: center;
+            margin: 20px 0;
+        }
+        .footer {
+            margin-top: 30px;
+            text-align: center;
+            color: #777;
+            font-size: 12px;
+        }
+    </style>
+</head>
+<body>
+    <div class="container">
+        <div class="header">
+            <h1>Verify Your Email Address</h1>
+        </div>
+        
+        <p>Hello <strong>{{ username }}</strong>,</p>
+        
+        <p>Thank you for registering! Please verify your email address by clicking the button below:</p>
+        
+        <div style="text-align: center;">
+            <a href="{{ verification_url }}" class="button">Verify Email Address</a>
+        </div>
+        
+        {% if verification_code %}
+        <p>Or enter this verification code on the verification page:</p>
+        <div class="code">{{ verification_code }}</div>
+        {% endif %}
+        
+        <p>This link will expire in 24 hours. If you didn't create an account, you can safely ignore this email.</p>
+        
+        <p>If the button doesn't work, copy and paste this URL into your browser:</p>
+        <p><small>{{ verification_url }}</small></p>
+        
+        <div class="footer">
+            <p>© 2024 Your Company. All rights reserved.</p>
+            <p>This is an automated message, please do not reply to this email.</p>
+        </div>
+    </div>
+</body>
+</html>