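const express = require('express');
const crypto = require('crypto');
const jwt = require('jsonwebtoken');
const rateLimit = require('express-rate-limit');

const User = require('../models/User');
const Store = require('../models/Store');
const UserRole = require('../models/UserRole');
const Role = require('../models/Role');
const { comparePassword } = require('../utils/password');

const router = express.Router();

// Permissions embedded in every store token. They are hard-coded, so a
// permission change only takes effect when the store logs in again.
const STORE_PERMISSIONS = Object.freeze([
  'store:read',
  'store:write',
  'orders:read',
  'orders:write',
  'vehicles:read',
  'vehicles:write',
  'vehicleTypes:read',
]);

// Login throttle: at most 10 attempts per 15-minute window. express-rate-limit
// keys on the client IP by default, so clients behind one NAT share a budget
// and an attacker rotating IPs is not slowed down by this alone.
const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 10,
  message: { success: false, message: '登录尝试过于频繁' },
});

/**
 * POST /login — store-account login.
 *
 * Request body: `{ username, password }`.
 * Responses:
 *   400 when either field is missing;
 *   401 for an unknown username, an inactive account, or a wrong password
 *       (one shared message so the response does not reveal which);
 *   200 with `{ id, storeId, username, name, role, token }` on success,
 *       where `id` is the linked Store document's `_id` when one is found,
 *       otherwise the user's own `_id`;
 *   500 on any unexpected error (including a missing JWT_SECRET, which makes
 *       jwt.sign throw).
 */
router.post('/login', loginLimiter, async (req, res) => {
  try {
    const { username, password } = req.body;
    if (!username || !password) {
      return res.status(400).json({ success: false, message: '用户名和密码不能为空' });
    }

    // Only accounts of type 'store' may log in here. `+password` opts the hash
    // into the projection; the schema presumably hides it by default.
    const user = await User.findOne({ username, type: 'store' }).select('+password');

    // Unknown user and inactive user are rejected exactly like a wrong
    // password. NOTE: an unknown username skips the hash comparison below, so a
    // timing difference remains; closing it needs a dummy compare against a
    // fixed hash, which this file does not provide.
    if (!user || user.status !== 'active') {
      return res.status(401).json({ success: false, message: '用户名或密码错误' });
    }

    const isMatch = await comparePassword(password, user.password);
    if (!isMatch) {
      return res.status(401).json({ success: false, message: '用户名或密码错误' });
    }

    // Resolve the linked store only after the caller has authenticated. The
    // previous version did this lookup before the null check, so an unknown
    // username threw on `user.storeId` and produced a 500 instead of the 401
    // a wrong password gets — a status-code oracle for username enumeration.
    // The lookup is also skipped when the account has no storeId, so a
    // `{ storeId: undefined }` filter cannot match an unrelated store.
    const store = user.storeId ? await Store.findOne({ storeId: user.storeId }) : null;

    const token = jwt.sign(
      {
        id: user._id,
        role: 'store',
        type: 'store',
        storeId: user.storeId || null,
        permissions: [...STORE_PERMISSIONS],
        // Token id from a CSPRNG; Math.random() is predictable and must not be
        // used for anything a revocation list might key on.
        jti: crypto.randomBytes(16).toString('hex'),
      },
      process.env.JWT_SECRET,
      { expiresIn: process.env.JWT_EXPIRES_IN || '24h' }
    );

    res.json({
      success: true,
      data: {
        id: store ? store._id : user._id, // the Store document's MongoDB _id when linked
        storeId: user.storeId, // store code, e.g. STORE001
        username: user.username,
        name: user.name,
        role: 'store',
        token,
      },
    });
  } catch (error) {
    // Log server-side only; never echo the error (or the request body) to the client.
    console.error('store login failed:', error);
    res.status(500).json({ success: false, message: '服务器内部错误' });
  }
});

module.exports = router;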