1. Add 登陆功能

2. 调整字体大小
3. 新增部分功能

backend/app/api/dependencies/__init__.py

@@ -0,0 +1,5 @@
+"""FastAPI dependency functions for authentication and authorisation.
+
+Import `get_current_user` or `require_role` into route modules to protect
+endpoints. Both use the shared JWTHandler wired through bootstrap.
+"""

backend/app/api/dependencies/auth.py

@@ -0,0 +1,72 @@
+"""FastAPI dependencies for JWT authentication.
+
+Usage in a route:
+    from app.api.dependencies.auth import get_current_user, require_role
+    from app.domain.auth.models import UserRole
+
+    @router.get("/protected")
+    async def protected(user: UserClaims = Depends(get_current_user)):
+        return {"user": user.username}
+
+    @router.delete("/admin-only")
+    async def admin_only(user: UserClaims = Depends(require_role(UserRole.ADMIN))):
+        ...
+"""
+
+from __future__ import annotations
+
+from fastapi import Depends, HTTPException, status
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+
+from app.config.settings import settings
+from app.domain.auth.models import UserClaims, UserRole
+from app.shared.bootstrap import get_jwt_handler
+
+# Use Bearer token scheme — client sends `Authorization: Bearer <token>`.
+_bearer = HTTPBearer(auto_error=False)
+
+
+async def get_current_user(
+    credentials: HTTPAuthorizationCredentials | None = Depends(_bearer),
+) -> UserClaims:
+    """Extract and validate the JWT from the Authorization header.
+
+    Returns the decoded UserClaims on success.
+    Raises HTTP 401 when the token is missing, expired, or invalid.
+    When auth_enabled=False (development), returns a synthetic admin user.
+    """
+    if not settings.auth_enabled:
+        # Development bypass — never enable this in production.
+        return UserClaims(user_id="dev", username="dev-admin", role=UserRole.ADMIN)
+
+    if credentials is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Missing authentication token",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    try:
+        return get_jwt_handler().decode_token(credentials.credentials)
+    except ValueError as exc:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=str(exc),
+            headers={"WWW-Authenticate": "Bearer"},
+        ) from exc
+
+
+def require_role(*roles: UserRole):
+    """Return a dependency that enforces one of the given roles.
+
+    Example:
+        Depends(require_role(UserRole.ADMIN, UserRole.LEGAL))
+    """
+    async def _check(user: UserClaims = Depends(get_current_user)) -> UserClaims:
+        """Verify the user holds one of the required roles."""
+        if user.role not in roles:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail=f"Role '{user.role}' is not permitted. Required: {[r.value for r in roles]}",
+            )
+        return user
+    return _check

backend/app/api/main.py

@@ -8,6 +8,7 @@ from fastapi.middleware.cors import CORSMiddleware
 from fastapi.responses import JSONResponse
 from loguru import logger
 
+from app.api.middleware.audit import AuditMiddleware
 from app.api.models import ErrorResponse
 from app.api.routes import api_router
 from app.config.logging import setup_logging
@@ -46,14 +47,23 @@ app = FastAPI(
     redoc_url="/redoc",
 )
 
+# Tighten CORS — only allow configured origins.
+# Set CORS_ALLOW_ORIGINS in .env to the real frontend URL in production.
+_ORIGINS = [o.strip() for o in settings.cors_allow_origins.split(",") if o.strip()]
+if not _ORIGINS:
+    _ORIGINS = ["http://localhost:5173"]
+
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=_ORIGINS,
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],
 )
 
+# Audit middleware logs every authenticated API call for compliance traceability.
+app.add_middleware(AuditMiddleware)
+
 app.include_router(api_router, prefix="/api/v1")
 
 

backend/app/api/middleware/__init__.py

@@ -0,0 +1 @@
+"""HTTP middleware for cross-cutting concerns: audit logging."""

backend/app/api/middleware/audit.py

@@ -0,0 +1,56 @@
+"""Audit logging middleware.
+
+Logs every API request with method, path, status code, response time,
+and the authenticated user identity (extracted from the JWT when present).
+Log lines are structured so they can be ingested by ELK / Loki.
+"""
+
+from __future__ import annotations
+
+import time
+
+from fastapi import Request, Response
+from loguru import logger
+from starlette.middleware.base import BaseHTTPMiddleware
+
+
+class AuditMiddleware(BaseHTTPMiddleware):
+    """Log all API calls. Skips health/docs paths to reduce noise."""
+
+    # Paths that produce no audit log entry.
+    _SKIP_PREFIXES = ("/health", "/docs", "/redoc", "/openapi.json")
+
+    async def dispatch(self, request: Request, call_next) -> Response:
+        """Intercept the request, call the handler, and log the outcome."""
+        path = request.url.path
+        if path == "/" or any(path == p or path.startswith(p + "/") for p in self._SKIP_PREFIXES):
+            return await call_next(request)
+
+        start = time.perf_counter()
+        response = await call_next(request)
+        elapsed_ms = int((time.perf_counter() - start) * 1000)
+
+        # Extract user identity from JWT header for structured audit records.
+        # The token is not re-validated here — auth dependencies do that upstream.
+        user_id = "anonymous"
+        username = "anonymous"
+        auth_header = request.headers.get("authorization", "")
+        if auth_header.startswith("Bearer "):
+            try:
+                from app.shared.bootstrap import get_jwt_handler
+                claims = get_jwt_handler().decode_token(auth_header[7:])
+                user_id = claims.user_id
+                username = claims.username
+            except Exception:
+                pass
+
+        logger.info(
+            "AUDIT method={} path={} status={} elapsed_ms={} user_id={} username={}",
+            request.method,
+            path,
+            response.status_code,
+            elapsed_ms,
+            user_id,
+            username,
+        )
+        return response

backend/app/api/routes/__init__.py

@@ -1,6 +1,7 @@
 """Initialize the app.api.routes package."""
 
 from fastapi import APIRouter
+from .auth import router as auth_router
 from .compliance import router as compliance_router
 from .documents import router as documents_router
 from .knowledge import router as knowledge_router
@@ -14,7 +15,8 @@ from .rag import router as rag_router
 # Keep package boundaries explicit so backend imports stay predictable.
 api_router = APIRouter()
 
-# Keep package boundaries explicit so backend imports stay predictable.
+# Auth routes first so /auth/token is easy to discover.
+api_router.include_router(auth_router)
 api_router.include_router(documents_router)
 api_router.include_router(knowledge_router)
 api_router.include_router(agent_router)
@@ -25,6 +27,7 @@ api_router.include_router(rag_router)
 
 __all__ = [
     "api_router",
+    "auth_router",
     "documents_router",
     "knowledge_router",
     "agent_router",

backend/app/api/routes/auth.py

@@ -0,0 +1,63 @@
+"""Authentication routes — token issuance only.
+
+POST /auth/token  — exchange username + password for a JWT.
+GET  /auth/me     — return the current user identity (requires token).
+"""
+
+from __future__ import annotations
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi.security import OAuth2PasswordRequestForm
+from pydantic import BaseModel
+
+from app.api.dependencies.auth import get_current_user
+from app.config.settings import settings
+from app.domain.auth.models import UserClaims
+from app.shared.bootstrap import get_jwt_handler, get_user_store
+
+
+router = APIRouter(prefix="/auth", tags=["认证"])
+
+
+class TokenResponse(BaseModel):
+    """JWT token response body."""
+
+    access_token: str
+    token_type: str = "bearer"
+    expires_in: int
+
+
+@router.post("/token", response_model=TokenResponse)
+async def login(form: OAuth2PasswordRequestForm = Depends()):
+    """Issue a JWT for valid username + password credentials.
+
+    Uses standard OAuth2 password grant form fields — compatible with
+    Swagger UI Authorize button.
+    """
+    user = get_user_store().authenticate(form.username, form.password)
+    if user is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Incorrect username or password",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    token = get_jwt_handler().create_access_token(
+        user_id=user.id,
+        username=user.username,
+        role=user.role,
+    )
+    return TokenResponse(
+        access_token=token,
+        token_type="bearer",
+        expires_in=settings.auth_token_expire_minutes * 60,
+    )
+
+
+@router.get("/me")
+async def get_me(current_user: UserClaims = Depends(get_current_user)):
+    """Return the identity of the currently authenticated user."""
+    return {
+        "user_id": current_user.user_id,
+        "username": current_user.username,
+        "role": current_user.role.value,
+    }

backend/app/api/routes/compliance.py

@@ -7,10 +7,12 @@ import json
 from pathlib import Path
 from typing import AsyncGenerator, Optional
 
-from fastapi import APIRouter, File, Form, UploadFile
+from fastapi import APIRouter, Depends, File, Form, UploadFile
 from fastapi.responses import StreamingResponse
 from loguru import logger
 
+from app.api.dependencies.auth import get_current_user
+from app.domain.auth.models import UserClaims
 from app.schemas.compliance import (
     AnalyzeResponse,
     ComplianceChatRequest,
@@ -75,6 +77,7 @@ async def analyze_stream(
     file: Optional[UploadFile] = File(None),
     domains: Optional[str] = Form(None),
     title: Optional[str] = Form(None),
+    current_user: UserClaims = Depends(get_current_user),
 ):
     """Stream compliance analysis as SSE events.
 

backend/app/api/routes/documents.py

@@ -5,12 +5,15 @@ from __future__ import annotations
 from io import BytesIO
 from urllib.parse import quote
 
-from fastapi import APIRouter, File, Form, HTTPException, UploadFile
+from fastapi import APIRouter, BackgroundTasks, Depends, File, Form, HTTPException, UploadFile
 from fastapi.responses import StreamingResponse
 from loguru import logger
 
+from app.api.dependencies.auth import get_current_user
 from app.api.models import DocumentUploadResponse
 from app.application.documents import DocumentProcessResult
+from app.config.settings import settings
+from app.domain.auth.models import UserClaims
 from app.shared.bootstrap import get_document_command_service, get_document_query_service
 # Keep route handlers close to their transport-layer wiring for easier auditing.
 
@@ -31,16 +34,60 @@ def _document_response(result: DocumentProcessResult) -> DocumentUploadResponse:
     )
 
 
+def _run_process_in_background(
+    *,
+    doc_id: str,
+    file_name: str,
+    final_doc_name: str,
+    content: bytes,
+    regulation_type: str,
+    version: str,
+    generate_summary: bool,
+    run_id: str | None,
+) -> None:
+    """Run document processing synchronously inside a FastAPI BackgroundTask thread.
+
+    FastAPI executes BackgroundTasks in a threadpool executor, so blocking I/O
+    (parser API calls, embedding, Milvus upsert) is safe here.
+    """
+    try:
+        svc = get_document_command_service()
+        svc._process_document(
+            doc_id=doc_id,
+            file_name=file_name,
+            final_doc_name=final_doc_name,
+            content=content,
+            regulation_type=regulation_type,
+            version=version,
+            generate_summary=generate_summary,
+            run_id=run_id,
+        )
+    except Exception:
+        logger.exception("BackgroundTask document processing failed: doc_id={}", doc_id)
+
+
 @router.post("/upload", response_model=DocumentUploadResponse)
 async def upload_document(
+    background_tasks: BackgroundTasks,
     file: UploadFile = File(..., description="上传的文档文件"),
     doc_id: str | None = Form(None, description="客户端预分配的文档ID，不传则自动生成"),
     doc_name: str | None = Form(None, description="文档名称"),
     regulation_type: str | None = Form(None, description="法规类型"),
     version: str | None = Form(None, description="文档版本"),
     generate_summary: bool = Form(False, description="是否生成摘要"),
+    sync: bool = Form(False, description="同步处理（演示/测试用，默认异步处理）"),
+    current_user: UserClaims = Depends(get_current_user),
 ):
-    """Handle upload document."""
+    """Upload a document and process it asynchronously.
+
+    Default path (sync=false):
+      1. Store binary to MinIO immediately — returns within seconds.
+      2. Schedule parse→embed→index as a FastAPI BackgroundTask (same process,
+         threadpool) OR enqueue to Celery workers when USE_CELERY_WORKER=true.
+      3. Poll GET /documents/status/{doc_id} for progress.
+
+    sync=true path: full inline processing, blocks until complete (demo / CI use).
+    """
     content = await file.read()
     if not file.filename:
         raise HTTPException(status_code=400, detail="文件名不能为空")
@@ -48,19 +95,73 @@ async def upload_document(
         raise HTTPException(status_code=400, detail="上传文件为空")
 
     try:
-        result = get_document_command_service().upload_and_process(
-            doc_id=doc_id,
-            file_name=file.filename,
-            content=content,
-            content_type=file.content_type or "application/octet-stream",
-            doc_name=doc_name,
-            regulation_type=regulation_type or "",
-            version=version or "",
-            generate_summary=generate_summary,
-        )
+        svc = get_document_command_service()
+
+        if sync:
+            # Synchronous fallback: full inline processing.
+            result = svc.upload_and_process(
+                doc_id=doc_id,
+                file_name=file.filename,
+                content=content,
+                content_type=file.content_type or "application/octet-stream",
+                doc_name=doc_name,
+                regulation_type=regulation_type or "",
+                version=version or "",
+                generate_summary=generate_summary,
+            )
+        else:
+            # Step 1: store binary and create the document record (fast, sync).
+            stored_doc_id, run_id = svc.store_document(
+                doc_id=doc_id,
+                file_name=file.filename,
+                content=content,
+                content_type=file.content_type or "application/octet-stream",
+                doc_name=doc_name,
+                regulation_type=regulation_type or "",
+                version=version or "",
+                generate_summary=generate_summary,
+            )
+            final_doc_name = doc_name or file.filename
+
+            # Step 2: schedule processing via Celery worker OR FastAPI BackgroundTask.
+            if settings.use_celery_worker:
+                from app.infrastructure.tasks.document_tasks import process_document_task
+                process_document_task.delay(
+                    doc_id=stored_doc_id,
+                    file_name=file.filename,
+                    doc_name=final_doc_name,
+                    regulation_type=regulation_type or "",
+                    version=version or "",
+                    generate_summary=generate_summary,
+                    run_id=run_id,
+                )
+                processing_note = "已入 Celery 队列，由 Worker 处理。"
+            else:
+                # Default: run in FastAPI's threadpool — no external worker needed.
+                background_tasks.add_task(
+                    _run_process_in_background,
+                    doc_id=stored_doc_id,
+                    file_name=file.filename,
+                    final_doc_name=final_doc_name,
+                    content=content,
+                    regulation_type=regulation_type or "",
+                    version=version or "",
+                    generate_summary=generate_summary,
+                    run_id=run_id,
+                )
+                processing_note = "正在后台处理。"
+
+            result = DocumentProcessResult(
+                doc_id=stored_doc_id,
+                doc_name=final_doc_name,
+                status="stored",
+                message=f"文件已存储，{processing_note}请轮询 GET /documents/status/{{doc_id}} 查看进度。",
+            )
+
         if result.status == "failed":
             raise HTTPException(status_code=500, detail=result.message)
         return _document_response(result)
+
     except HTTPException:
         raise
     except Exception as exc:
@@ -106,7 +207,7 @@ async def download_document(doc_id: str):
 
 
 @router.get("/list")
-async def list_documents():
+async def list_documents(current_user: UserClaims = Depends(get_current_user)):
     """List documents."""
     documents = get_document_query_service().list_documents()
     return {
@@ -148,7 +249,7 @@ async def get_document_management_list():
 
 
 @router.delete("/{doc_id}")
-async def delete_document(doc_id: str):
+async def delete_document(doc_id: str, current_user: UserClaims = Depends(get_current_user)):
     """Delete a document and its associated data."""
     deleted = get_document_command_service().delete(doc_id)
     if not deleted:

backend/app/api/routes/rag.py

@@ -5,10 +5,12 @@ from __future__ import annotations
 import json
 from typing import AsyncGenerator
 
-from fastapi import APIRouter
+from fastapi import APIRouter, Depends
 from fastapi.responses import StreamingResponse
 
+from app.api.dependencies.auth import get_current_user
 from app.config.settings import settings
+from app.domain.auth.models import UserClaims
 from app.schemas.rag import RagChatRequest, QuickQuestionsResponse, QuickQuestion
 from app.shared.async_utils import iter_in_thread
 from app.shared.bootstrap import get_agent_conversation_service
@@ -27,7 +29,10 @@ _DEFAULT_QUICK_QUESTIONS = [
 
 
 @router.post("/chat")
-async def rag_chat(request: RagChatRequest):
+async def rag_chat(
+    request: RagChatRequest,
+    current_user: UserClaims = Depends(get_current_user),
+):
     """Stream RAG Q&A using the real agent service."""
     session_id, event_stream = get_agent_conversation_service().stream_chat(
         query=request.query,