futu_backend/auth/

refresh.rs

//! v1.4.92 P1-D Tier A1: in-process relogin trigger.
//!
//! 用途: 让 gateway 的 `qot_logined` self-heal loop (`run_qot_login_health_loop`,
//! 30s tick) 在 `should_attempt_relogin()` 触发时**真**调一次 in-process relogin
//! 而不只 loud warn (v1.4.91 observability-only) — 与 v1.4.34 daemon-reload
//! 路径同语义.
//!
//! **设计**: 抽象成 `AuthRefresher` trait + `DefaultAuthRefresher` 默认实装,
//! 这样 unit test 可以 mock (success / HTTP fail / TCP fail / cipher reject)
//! 而 production 复用现有 [`crate::auth::refresh_credentials_on_disk`] 的 HTTP
//! /authority/ POST → remember-login → save credentials 路径.
//!
//! **不做 (v1.4.92 边界)**:
//! - 不重建 TCP — 现有连接复用 (CMD 6001 InitConnect 留作未来真 TCP 重建场景)
//! - 不刷 per-broker cipher (CMD 2900) — 那个绑用户显式 `unlock-trade` action
//! - 不做交互式 SMS — daemon 运行时不可能交互, refresh 失败必 fall-through
//!   到 v1.4.91 行为 (loud warn + counter), 等 supervisor restart 介入
//!
//! **错误语义**: 任何步骤失败 (HTTP 超时 / tgtgt 过期 / backend 拒) → 返
//! `Err`, 调用方 (`run_qot_login_health_loop`) 按 `record_relogin_failure()`
//! 推 backoff. 连续 5 次失败后 (Tier A2 circuit-breaker) 跳 10 min.
//!
//! **超时**: 整个 `refresh_qot_login()` honor 10 秒预算
//! ([`REFRESH_TIMEOUT`]) — 不能阻塞 polling loop.

use std::sync::Arc;
use std::time::Duration;

use anyhow::{Context, Result};
use futu_cache::login_cache::{LoginCache, LoginState};
use tokio::time::timeout;

use crate::auth::UserAttribution;

/// 整个 `refresh_qot_login` 的超时预算 (10 秒). 超时即视为失败.
pub const REFRESH_TIMEOUT: Duration = Duration::from_secs(10);

/// In-process qot login refresh 抽象.
///
/// 实装方负责: HTTP /authority/ POST 刷 tgtgt → 写回 disk credentials →
/// 把 [`LoginCache`] 置为 `is_logged_in=true`.
///
/// 调用方 (`run_qot_login_health_loop`) 会在调本 fn 之外维护
/// `record_relogin_attempt()` / `record_relogin_success()` /
/// `record_relogin_failure()` (per QotLoginHealth API).
///
/// **MUST**:
/// - honor 10s 超时, 用 [`tokio::time::timeout`] 包裹各 network step
/// - **不**要 mutate per-broker cipher 状态 (绑用户显式 `unlock-trade`)
/// - 失败 loud `Err` (caller 推 backoff)
#[async_trait::async_trait]
pub trait AuthRefresher: Send + Sync + std::fmt::Debug {
    /// 尝试 refresh qot login. 成功 → `Ok(())`, 失败 → `Err`.
    async fn refresh_qot_login(&self) -> Result<()>;
}

/// Production 实装 — 通过 `refresh_credentials_on_disk` 走 v1.4.34 daemon-reload
/// 的 HTTP /authority/ POST 路径.
///
/// 字段持有 `Arc<...>` 以方便从 `bridge::ReloadState` 派生克隆 (constructor
/// 不耦合 bridge 内部生命期).
///
/// **Note**: `Debug` 手工实装而非 derive — `LoginCache` 没 derive Debug
/// (含 `parking_lot::RwLock` / atomic 等无 Debug 字段), derive 会报 E0277.
pub struct DefaultAuthRefresher {
    /// 复用 bridge 创建的 reqwest::Client (含 webpki-roots TLS 配置 + 15s 默认 timeout).
    pub http: reqwest::Client,
    /// 归一化后的 account 字符串 (无区号前缀, e.g. "13900000000" 而非 "+86-13900000000").
    pub account: String,
    /// device_id (16-hex hash, 来自磁盘文件).
    pub device_id: String,
    /// region_code, 手机号账号有, 邮箱/数字 ID 是 None.
    pub region_code: Option<String>,
    /// user_attribution — 决定派生 auth domain (auth.futunn.com vs auth.moomoo.com).
    pub attribution: UserAttribution,
    /// LoginCache 共享指针 — refresh 成功后写 LoginState.is_logged_in=true.
    pub login_cache: Arc<LoginCache>,
    /// region (来自 LoginState — refresh 后写回保持一致).
    pub region: String,
    /// server_addr (来自 LoginState — refresh 后写回保持一致).
    pub server_addr: String,
    /// user_id (来自 LoginState — refresh 后写回保持一致).
    pub user_id: u32,
}

impl std::fmt::Debug for DefaultAuthRefresher {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_struct("DefaultAuthRefresher")
            .field("account", &self.account)
            .field("device_id", &self.device_id)
            .field("region_code", &self.region_code)
            .field("attribution", &self.attribution)
            .field("region", &self.region)
            .field("server_addr", &self.server_addr)
            .field("user_id", &self.user_id)
            .finish_non_exhaustive()
    }
}

#[async_trait::async_trait]
impl AuthRefresher for DefaultAuthRefresher {
    async fn refresh_qot_login(&self) -> Result<()> {
        // Step 1: HTTP /authority/ POST — refresh disk credentials.
        //
        // refresh_credentials_on_disk 内部:
        // - load_credentials → 读磁盘 tgtgt + rand_key + device_sig
        // - remember_login → POST /authority/ with cached tgtgt
        // - save_credentials_from_response → 写回新 tgtgt + rand_key_new
        //
        // 失败 (tgtgt 过期 / 服务端拒 / SMS required) → 返 Err.
        //
        // **不做 password fallback** — daemon 运行时不可能交互输入 SMS.
        let report = timeout(
            REFRESH_TIMEOUT,
            crate::auth::refresh_credentials_on_disk(
                &self.http,
                &self.account,
                &self.device_id,
                self.region_code.as_deref(),
                self.attribution,
            ),
        )
        .await
        .context("v1.4.92 P1-D: refresh_credentials_on_disk timed out (10s budget)")?
        .context("v1.4.92 P1-D: refresh_credentials_on_disk failed")?;

        // v1.4.106 codex 0558 F2+F3: log fingerprint 替代 raw account/uid
        tracing::info!(
            account_fp = %crate::auth::redact::account_log_fingerprint(&self.account),
            uid_fp = %crate::auth::redact::uid_log_fingerprint(report.uid),
            credentials_refreshed = report.credentials_refreshed,
            "v1.4.92 P1-D: disk credentials refreshed"
        );

        // Step 2: mark LoginCache state as healthy.
        //
        // **设计选择**: 即使 `credentials_refreshed=false` (服务端说"老凭据仍
        // 有效, 没下发新的") 也算成功. 唯一 hard fail = HTTP error / load_credentials
        // 找不到 disk file. 这两个都已经 ? 上抛了.
        //
        // 复用 LoginState 字段 (region / server_addr / user_id) 来自 constructor
        // 时从 bridge LoginCache get_login_state() 拿到的快照 — 这些字段在
        // refresh 路径**不会变** (uid 服务端 sanity check 保证一致, region
        // 是用户启动时设的, server_addr 是当前 TCP 连接).
        self.login_cache.set_login_state(LoginState {
            user_id: self.user_id,
            is_logged_in: true,
            login_account: self.account.clone(),
            region: self.region.clone(),
            user_attribution: Some(self.attribution as i32),
            server_addr: self.server_addr.clone(),
        });

        Ok(())
    }
}

// ============================================================================
// Test-only AuthRefresher impls — let unit test exercise success/fail paths
// without standing up real HTTP server / TCP backend.
// ============================================================================

#[cfg(any(test, feature = "test-util"))]
pub mod test_util {
    //! Test fixtures for v1.4.92 P1-D AuthRefresher.
    //!
    //! Used by `gateway/src/bridge/push_health.rs` tests + future
    //! `tests/integration_qot_login_health.rs`. Gated behind `test-util`
    //! feature so production builds don't pull these in.

    use std::sync::Arc;
    use std::sync::atomic::{AtomicU64, Ordering};

    use anyhow::{Result, anyhow};

    /// Always-success refresher — increments a counter so test can assert
    /// "refresh_qot_login was called N times".
    #[derive(Debug, Default)]
    pub struct AlwaysOkRefresher {
        pub call_count: AtomicU64,
    }

    impl AlwaysOkRefresher {
        pub fn new() -> Arc<Self> {
            Arc::new(Self::default())
        }

        pub fn count(&self) -> u64 {
            self.call_count.load(Ordering::Relaxed)
        }
    }

    #[async_trait::async_trait]
    impl super::AuthRefresher for AlwaysOkRefresher {
        async fn refresh_qot_login(&self) -> Result<()> {
            self.call_count.fetch_add(1, Ordering::Relaxed);
            Ok(())
        }
    }

    /// Always-fail refresher — increments counter + returns canned error.
    #[derive(Debug, Default)]
    pub struct AlwaysErrRefresher {
        pub call_count: AtomicU64,
    }

    impl AlwaysErrRefresher {
        pub fn new() -> Arc<Self> {
            Arc::new(Self::default())
        }

        pub fn count(&self) -> u64 {
            self.call_count.load(Ordering::Relaxed)
        }
    }

    #[async_trait::async_trait]
    impl super::AuthRefresher for AlwaysErrRefresher {
        async fn refresh_qot_login(&self) -> Result<()> {
            self.call_count.fetch_add(1, Ordering::Relaxed);
            Err(anyhow!("v1.4.92 test: simulated refresh failure"))
        }
    }

    /// Slow refresher — sleeps before returning. Use to test overlapping
    /// `try_begin_attempt()` race protection.
    #[derive(Debug)]
    pub struct SlowOkRefresher {
        pub call_count: AtomicU64,
        pub sleep_ms: u64,
    }

    impl SlowOkRefresher {
        pub fn new(sleep_ms: u64) -> Arc<Self> {
            Arc::new(Self {
                call_count: AtomicU64::new(0),
                sleep_ms,
            })
        }

        pub fn count(&self) -> u64 {
            self.call_count.load(Ordering::Relaxed)
        }
    }

    #[async_trait::async_trait]
    impl super::AuthRefresher for SlowOkRefresher {
        async fn refresh_qot_login(&self) -> Result<()> {
            self.call_count.fetch_add(1, Ordering::Relaxed);
            tokio::time::sleep(std::time::Duration::from_millis(self.sleep_ms)).await;
            Ok(())
        }
    }
}

#[cfg(test)]
mod tests;