Merge pull request #602 from chaitin/team-reset-random-password

yokowu · web-flow · commit 30935a8d3ba0 · 2026-05-20T15:09:41.000+08:00
团队成员重置密码返回随机密码
diff --git a/.github/workflows/offline-package.yml b/.github/workflows/offline-package.yml
@@ -62,6 +62,14 @@ jobs:
           ARCH: ${{ matrix.arch }}
           DOCKER_VERSION: ${{ inputs.docker_version || '29.0.4' }}
           PACKAGE_TGZ: "true"
+          AWS_ACCESS_KEY_ID: ${{ secrets.OSS_ACCESS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.OSS_ACCESS_KEY_SECRET }}
+          AWS_DEFAULT_REGION: ${{ secrets.OSS_REGION || 'us-east-1' }}
+          AWS_EC2_METADATA_DISABLED: "true"
+          AWS_REQUEST_CHECKSUM_CALCULATION: when_required
+          AWS_RESPONSE_CHECKSUM_VALIDATION: when_required
+          OSS_ENDPOINT: ${{ secrets.OSS_ENDPOINT }}
+          OSS_ADDRESSING_STYLE: ${{ secrets.OSS_ADDRESSING_STYLE || 'virtual' }}
         run: ./scripts/build-offline-package.sh
 
       - name: Upload package to private OSS
diff --git a/backend/biz/team/handler/http/v1/user.go b/backend/biz/team/handler/http/v1/user.go
@@ -63,6 +63,7 @@ func NewTeamGroupUserHandler(i *do.Injector) (*TeamGroupUserHandler, error) {
 	u.POST("/with-password", web.BindHandler(h.AddUserWithPassword), auth.TeamAuth(), adminAuth, audit.Audit("add_team_user_with_password"))
 	u.POST("", web.BindHandler(h.AddUser), auth.TeamAuth(), adminAuth, audit.Audit("add_team_user"))
 	u.GET("", web.BindHandler(h.MemberList), auth.TeamAuth(), adminAuth)
+	u.PUT("/:user_id/passwords/reset", web.BindHandler(h.ResetPassword), auth.TeamAuth(), adminAuth, audit.Audit("reset_team_user_password"))
 	u.PUT("/:user_id", web.BindHandler(h.UpdateUser), auth.TeamAuth(), adminAuth, audit.Audit("update_team_user"))
 
 	g := w.Group("/api/v1/teams/groups")
@@ -255,6 +256,28 @@ func (h *TeamGroupUserHandler) AddAdmin(c *web.Context, req domain.AddTeamAdminR
 	return c.Success(resp)
 }
 
+// ResetPassword 重置团队成员密码
+//
+//	@Summary		重置团队成员密码
+//	@Description	管理员为团队成员生成新密码，密码只在响应中返回一次
+//	@Tags			【Team 管理员】分组成员管理
+//	@Accept			json
+//	@Produce		json
+//	@Security		MonkeyCodeAITeamAuth
+//	@Param			user_id	path		string						true	"用户ID"
+//	@Success		200		{object}	web.Resp{data=domain.TeamUserPassword}	"成功"
+//	@Failure		401		{object}	web.Resp						"未授权"
+//	@Failure		500		{object}	web.Resp						"服务器内部错误"
+//	@Router			/api/v1/teams/users/{user_id}/passwords/reset [put]
+func (h *TeamGroupUserHandler) ResetPassword(c *web.Context, req domain.ResetPasswordReq) error {
+	teamUser := middleware.GetTeamUser(c)
+	resp, err := h.usecase.ResetPassword(c.Request().Context(), teamUser, &req)
+	if err != nil {
+		return err
+	}
+	return c.Success(resp)
+}
+
 // MemberList 获取团队成员列表
 //
 //	@Summary		获取团队成员列表
diff --git a/backend/biz/team/repo/user.go b/backend/biz/team/repo/user.go
@@ -203,6 +203,14 @@ func (r *TeamGroupUserRepo) CreateUsersWithPassword(ctx context.Context, teamID
 	return users, nil
 }
 
+func (r *TeamGroupUserRepo) ResetPassword(ctx context.Context, userID uuid.UUID, newPassword string) error {
+	hashedPassword, err := crypto.HashPassword(newPassword)
+	if err != nil {
+		return errcode.ErrPasswordHashFailed
+	}
+	return r.db.User.UpdateOneID(userID).SetPassword(hashedPassword).Exec(ctx)
+}
+
 // CreateAdmin 创建团队管理员
 func (r *TeamGroupUserRepo) CreateAdmin(ctx context.Context, teamID uuid.UUID, req *domain.AddTeamAdminReq) (*db.User, error) {
 	// 检查邮箱是否已注册
@@ -439,7 +447,7 @@ func (r *TeamGroupUserRepo) InitTeam(ctx context.Context, email string, name str
 			initTeam, err = tx.Team.Create().
 				SetID(uuid.New()).
 				SetName(name).
-				SetMemberLimit(1000).
+				SetMemberLimit(5).
 				Save(ctx)
 			if err != nil {
 				return err
diff --git a/backend/biz/team/repo/user_test.go b/backend/biz/team/repo/user_test.go
@@ -196,3 +196,45 @@ func TestCreateUsersWithPasswordStoresHashedPassword(t *testing.T) {
 		t.Fatalf("verify password failed: %v", err)
 	}
 }
+
+func TestResetPasswordStoresHashedPassword(t *testing.T) {
+	ctx := context.Background()
+	client := newTeamRepoTestDB(t)
+	repo := &TeamGroupUserRepo{
+		db:     client,
+		logger: slog.New(slog.NewTextHandler(io.Discard, nil)),
+	}
+	userID := uuid.New()
+	oldPassword, err := crypto.HashPassword("old-password")
+	if err != nil {
+		t.Fatal(err)
+	}
+	if _, err := client.User.Create().
+		SetID(userID).
+		SetName("member").
+		SetEmail("member@example.com").
+		SetPassword(oldPassword).
+		SetRole(consts.UserRoleSubAccount).
+		SetStatus(consts.UserStatusActive).
+		Save(ctx); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := repo.ResetPassword(ctx, userID, "NewPassword123456"); err != nil {
+		t.Fatal(err)
+	}
+
+	updated, err := client.User.Get(ctx, userID)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if updated.Password == "" || updated.Password == "NewPassword123456" {
+		t.Fatalf("password should be hashed, got %q", updated.Password)
+	}
+	if err := crypto.VerifyPassword(updated.Password, "NewPassword123456"); err != nil {
+		t.Fatalf("verify new password failed: %v", err)
+	}
+	if err := crypto.VerifyPassword(updated.Password, "old-password"); err == nil {
+		t.Fatal("old password should not remain valid")
+	}
+}
diff --git a/backend/biz/team/usecase/user.go b/backend/biz/team/usecase/user.go
@@ -167,6 +167,22 @@ func (u *TeamGroupUserUsecase) AddUserWithPassword(ctx context.Context, teamUser
 	}, nil
 }
 
+func (u *TeamGroupUserUsecase) ResetPassword(ctx context.Context, teamUser *domain.TeamUser, req *domain.ResetPasswordReq) (*domain.TeamUserPassword, error) {
+	member, err := u.repo.GetMember(ctx, teamUser.GetTeamID(), req.UserID)
+	if err != nil {
+		return nil, err
+	}
+	password := random.String(16)
+	if err := u.repo.ResetPassword(ctx, req.UserID, password); err != nil {
+		return nil, err
+	}
+	resp := &domain.TeamUserPassword{Password: password}
+	if member.Edges.User != nil {
+		resp.Email = member.Edges.User.Email
+	}
+	return resp, nil
+}
+
 // AddAdmin 创建团队管理员
 func (u *TeamGroupUserUsecase) AddAdmin(ctx context.Context, teamUser *domain.TeamUser, req *domain.AddTeamAdminReq) (*domain.AddTeamAdminResp, error) {
 	user, err := u.repo.CreateAdmin(ctx, teamUser.GetTeamID(), req)
diff --git a/backend/biz/team/usecase/user_reset_password_test.go b/backend/biz/team/usecase/user_reset_password_test.go
@@ -0,0 +1,95 @@
+package usecase
+
+import (
+	"context"
+	"io"
+	"log/slog"
+	"testing"
+
+	"github.com/google/uuid"
+
+	"github.com/chaitin/MonkeyCode/backend/db"
+	"github.com/chaitin/MonkeyCode/backend/domain"
+	"github.com/chaitin/MonkeyCode/backend/errcode"
+)
+
+func TestResetPasswordReturnsGeneratedPasswordAndUpdatesTeamMember(t *testing.T) {
+	ctx := context.Background()
+	teamID := uuid.New()
+	userID := uuid.New()
+	repo := &resetPasswordRepoStub{
+		member: &db.TeamMember{
+			TeamID: teamID,
+			UserID: userID,
+			Edges: db.TeamMemberEdges{
+				User: &db.User{
+					ID:    userID,
+					Email: "member@example.com",
+				},
+			},
+		},
+	}
+	u := &TeamGroupUserUsecase{
+		repo:   repo,
+		logger: slog.New(slog.NewTextHandler(io.Discard, nil)),
+	}
+
+	resp, err := u.ResetPassword(ctx, &domain.TeamUser{Team: &domain.Team{ID: teamID}}, &domain.ResetPasswordReq{UserID: userID})
+	if err != nil {
+		t.Fatal(err)
+	}
+	if resp.Email != "member@example.com" {
+		t.Fatalf("email = %q, want member@example.com", resp.Email)
+	}
+	if len(resp.Password) != 16 {
+		t.Fatalf("password length = %d, want 16", len(resp.Password))
+	}
+	if repo.resetUserID != userID {
+		t.Fatalf("reset user id = %s, want %s", repo.resetUserID, userID)
+	}
+	if repo.resetPassword != resp.Password {
+		t.Fatal("response password should match stored password input")
+	}
+}
+
+func TestResetPasswordRejectsUserOutsideTeam(t *testing.T) {
+	ctx := context.Background()
+	teamID := uuid.New()
+	userID := uuid.New()
+	repo := &resetPasswordRepoStub{getMemberErr: errcode.ErrNotFound}
+	u := &TeamGroupUserUsecase{
+		repo:   repo,
+		logger: slog.New(slog.NewTextHandler(io.Discard, nil)),
+	}
+
+	_, err := u.ResetPassword(ctx, &domain.TeamUser{Team: &domain.Team{ID: teamID}}, &domain.ResetPasswordReq{UserID: userID})
+	if err == nil {
+		t.Fatal("expected error")
+	}
+	if repo.resetCalled {
+		t.Fatal("password should not be reset when user is outside team")
+	}
+}
+
+type resetPasswordRepoStub struct {
+	domain.TeamGroupUserRepo
+	member        *db.TeamMember
+	getMemberErr  error
+	resetCalled   bool
+	resetUserID   uuid.UUID
+	resetPassword string
+}
+
+func (s *resetPasswordRepoStub) GetMember(ctx context.Context, teamID, userID uuid.UUID) (*db.TeamMember, error) {
+	if s.getMemberErr != nil {
+		return nil, s.getMemberErr
+	}
+	return s.member, nil
+}
+
+func (s *resetPasswordRepoStub) ResetPassword(ctx context.Context, userID uuid.UUID, newPassword string) error {
+	s.resetCalled = true
+	s.resetUserID = userID
+	s.resetPassword = newPassword
+	return nil
+}
diff --git a/backend/domain/team.go b/backend/domain/team.go
@@ -19,6 +19,7 @@ type TeamGroupUserUsecase interface {
 	Add(ctx context.Context, teamUser *TeamUser, req *AddTeamGroupReq) (*TeamGroup, error)
 	AddUser(ctx context.Context, teamUser *TeamUser, req *AddTeamUserReq) (*AddTeamUserResp, error)
 	AddUserWithPassword(ctx context.Context, teamUser *TeamUser, req *AddTeamUserReq) (*AddTeamUserWithPasswordResp, error)
+	ResetPassword(ctx context.Context, teamUser *TeamUser, req *ResetPasswordReq) (*TeamUserPassword, error)
 	AddAdmin(ctx context.Context, teamUser *TeamUser, req *AddTeamAdminReq) (*AddTeamAdminResp, error)
 	Update(ctx context.Context, req *UpdateTeamGroupReq) (*TeamGroup, error)
 	Delete(ctx context.Context, teamUser *TeamUser, req *DeleteTeamGroupReq) error
@@ -38,6 +39,7 @@ type TeamGroupUserRepo interface {
 	Create(ctx context.Context, teamID uuid.UUID, req *AddTeamGroupReq) (*db.TeamGroup, error)
 	CreateUsers(ctx context.Context, teamID uuid.UUID, req *AddTeamUserReq) ([]*db.User, error)
 	CreateUsersWithPassword(ctx context.Context, teamID uuid.UUID, req *AddTeamUserWithPasswordReq) ([]*db.User, error)
+	ResetPassword(ctx context.Context, userID uuid.UUID, newPassword string) error
 	CreateAdmin(ctx context.Context, teamID uuid.UUID, req *AddTeamAdminReq) (*db.User, error)
 	Update(ctx context.Context, req *UpdateTeamGroupReq) (*db.TeamGroup, error)
 	Delete(ctx context.Context, teamID, groupID uuid.UUID) error
@@ -277,6 +279,10 @@ type AddTeamUserWithPasswordResp struct {
 	Passwords []*TeamUserPassword `json:"passwords"`
 }
 
+type ResetPasswordReq struct {
+	UserID uuid.UUID `param:"user_id" validate:"required" json:"-" swaggerignore:"true"`
+}
+
 // AddTeamAdminReq 创建团队管理员请求
 type AddTeamAdminReq struct {
 	Email string `json:"email" validate:"required,email"` // 邮箱
@@ -337,11 +343,6 @@ type UpdateTeamUserResp struct {
 	User *User `json:"user"`
 }
 
-// ResetPasswordReq 重置密码请求
-type ResetPasswordReq struct {
-	UserIDs []uuid.UUID `json:"user_ids" validate:"required"` // 用户ID列表
-}
-
 // InviteLinkToken 邀请链接令牌
 type InviteLinkToken struct {
 	TeamID  uuid.UUID `json:"team_id"`
diff --git a/backend/scripts/build-offline-package.sh b/backend/scripts/build-offline-package.sh
@@ -5,6 +5,10 @@ ARCH="${ARCH:-amd64}"
 DOCKER_VERSION="${DOCKER_VERSION:-29.4.3}"
 DOCKER_COMPOSE_VERSION="${DOCKER_COMPOSE_VERSION:-v5.1.3}"
 PROJECT_TPL_URL="${PROJECT_TPL_URL:-https://baizhiyun.oss-cn-hangzhou.aliyuncs.com/codingmatrix/project-tpl/codingmatrix-project-tpl.master.zip}"
+FIREFACTORY_OFFLINE_OSS_URI="${FIREFACTORY_OFFLINE_OSS_URI:-s3://monkeycode-release/firefactory/firefactory-offline_1.0.0+g741818d_amd64.tgz}"
+FIREFACTORY_OFFLINE_FILE="${FIREFACTORY_OFFLINE_FILE:-firefactory-offline_1.0.0+g741818d_amd64.tgz}"
+FIREFACTORY_OSS_ENDPOINT="${FIREFACTORY_OSS_ENDPOINT:-${OSS_ENDPOINT:-}}"
+OSS_ADDRESSING_STYLE="${OSS_ADDRESSING_STYLE:-virtual}"
 OUT_DIR="${OUT_DIR:-dist/offline}"
 PACKAGE_NAME="monkeycode-offline-linux-$ARCH"
 PACKAGE_DIR="$OUT_DIR/$PACKAGE_NAME"
@@ -109,6 +113,15 @@ if [ -d static ]; then
   cp -R static/. "$PACKAGE_DIR/static/"
 fi
 curl -fL "$PROJECT_TPL_URL" -o "$PACKAGE_DIR/static/project-tpl.zip"
+for required in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY FIREFACTORY_OSS_ENDPOINT; do
+  eval "value=\${$required:-}"
+  if [ -z "$value" ]; then
+    echo "$required is required"
+    exit 1
+  fi
+done
+aws configure set default.s3.addressing_style "$OSS_ADDRESSING_STYLE"
+aws s3 cp "$FIREFACTORY_OFFLINE_OSS_URI" "$PACKAGE_DIR/static/$FIREFACTORY_OFFLINE_FILE" --endpoint-url "$FIREFACTORY_OSS_ENDPOINT" --only-show-errors
 
 docker build \
   -f build/Dockerfile \
diff --git a/backend/scripts/check-offline-package.sh b/backend/scripts/check-offline-package.sh
@@ -19,6 +19,7 @@ images/redis.tar.gz
 images/clickhouse.tar.gz
 images/rustfs.tar.gz
 static/project-tpl.zip
+static/firefactory-offline_1.0.0+g741818d_amd64.tgz
 static/installer/x86_64/installer
 static/installer/x86_64/docker.tgz
 static/installer/x86_64/host.tgz
diff --git a/frontend/src/api/Api.ts b/frontend/src/api/Api.ts
@@ -3452,6 +3452,30 @@ export class Api<SecurityDataType extends unknown> extends HttpClient<SecurityDa
         ...params,
       }),
 
+    /**
+     * @description 管理员为团队成员生成新密码，密码只在响应中返回一次
+     *
+     * @tags 【Team 管理员】分组成员管理
+     * @name V1TeamsUsersPasswordsResetUpdate
+     * @summary 重置团队成员密码
+     * @request PUT:/api/v1/teams/users/{user_id}/passwords/reset
+     * @secure
+     */
+    v1TeamsUsersPasswordsResetUpdate: (userId: string, params: RequestParams = {}) =>
+      this.request<
+        GithubComGoYokoWebResp & {
+          data?: DomainTeamUserPassword;
+        },
+        GithubComGoYokoWebResp
+      >({
+        path: `/api/v1/teams/users/${userId}/passwords/reset`,
+        method: "PUT",
+        secure: true,
+        type: ContentType.Json,
+        format: "json",
+        ...params,
+      }),
+
     /**
      * @description 获取团队用户登录状态
      *
diff --git a/frontend/src/components/manager/team-members-card.tsx b/frontend/src/components/manager/team-members-card.tsx
diff --git a/frontend/src/pages/console/manager/manager.tsx b/frontend/src/pages/console/manager/manager.tsx
