refactor: 员工同步复用钉钉免密登录配置

- 移除员工同步独立的 API 凭证配置
- 复用 dingtalk 配置组的 CorpId、AppKey、AppSecret
- 简化前端界面，只保留开关和测试连接

backend/app/api/v1/system_settings.py

@@ -41,10 +41,7 @@ class DingtalkConfigResponse(BaseModel):
 
 
 class EmployeeSyncConfigUpdate(BaseModel):
-    """员工同步配置更新请求（钉钉 API 方式）"""
-    corp_id: Optional[str] = Field(None, description="钉钉企业 CorpId")
-    client_id: Optional[str] = Field(None, description="应用 ClientId (AppKey)")
-    client_secret: Optional[str] = Field(None, description="应用 ClientSecret (AppSecret)")
+    """员工同步配置更新请求（复用钉钉免密登录配置）"""
     enabled: Optional[bool] = Field(None, description="是否启用自动同步")
 
 
@@ -291,7 +288,7 @@ async def get_employee_sync_config(
     db: AsyncSession = Depends(get_db),
 ) -> ResponseModel:
     """
-    获取员工同步配置（钉钉 API 方式）
+    获取员工同步配置（复用钉钉免密登录配置）
     
     仅限管理员访问
     """
@@ -299,31 +296,22 @@ async def get_employee_sync_config(
     
     tenant_id = await get_or_create_tenant_id(db)
     
-    # 从数据库获取钉钉 API 配置
-    corp_id = await get_system_config(db, tenant_id, 'employee_sync', 'CORP_ID')
-    client_id = await get_system_config(db, tenant_id, 'employee_sync', 'CLIENT_ID')
-    client_secret = await get_system_config(db, tenant_id, 'employee_sync', 'CLIENT_SECRET')
+    # 从 dingtalk 配置组读取（与免密登录共用）
+    corp_id = await get_system_config(db, tenant_id, 'dingtalk', 'DINGTALK_CORP_ID')
+    app_key = await get_system_config(db, tenant_id, 'dingtalk', 'DINGTALK_APP_KEY')
+    app_secret = await get_system_config(db, tenant_id, 'dingtalk', 'DINGTALK_APP_SECRET')
     enabled = await get_feature_switch(db, tenant_id, 'employee_sync')
+    dingtalk_enabled = await get_feature_switch(db, tenant_id, 'dingtalk_login')
     
-    # 脱敏处理 client_secret
-    client_secret_masked = None
-    if client_secret:
-        if len(client_secret) > 8:
-            client_secret_masked = client_secret[:4] + '****' + client_secret[-4:]
-        else:
-            client_secret_masked = '****'
-    
-    # 检查配置是否完整
-    configured = bool(corp_id and client_id and client_secret)
+    # 检查钉钉配置是否完整
+    configured = bool(corp_id and app_key and app_secret)
     
     return ResponseModel(
         message="获取成功",
         data={
-            "corp_id": corp_id,
-            "client_id": client_id,
-            "client_secret_masked": client_secret_masked,
             "enabled": enabled,
             "configured": configured,
+            "dingtalk_enabled": dingtalk_enabled,  # 免密登录是否启用
         }
     )
 
@@ -335,7 +323,7 @@ async def update_employee_sync_config(
     db: AsyncSession = Depends(get_db),
 ) -> ResponseModel:
     """
-    更新员工同步配置（钉钉 API 方式）
+    更新员工同步配置（仅开关，API 凭证复用钉钉免密登录）
     
     仅限管理员访问
     """
@@ -344,15 +332,6 @@ async def update_employee_sync_config(
     tenant_id = await get_or_create_tenant_id(db)
     
     try:
-        if config.corp_id is not None:
-            await set_system_config(db, tenant_id, 'employee_sync', 'CORP_ID', config.corp_id)
-        
-        if config.client_id is not None:
-            await set_system_config(db, tenant_id, 'employee_sync', 'CLIENT_ID', config.client_id)
-        
-        if config.client_secret is not None:
-            await set_system_config(db, tenant_id, 'employee_sync', 'CLIENT_SECRET', config.client_secret)
-        
         if config.enabled is not None:
             await set_feature_switch(db, tenant_id, 'employee_sync', config.enabled)
         
@@ -381,7 +360,7 @@ async def test_employee_sync_connection(
     db: AsyncSession = Depends(get_db),
 ) -> ResponseModel:
     """
-    测试钉钉 API 连接
+    测试钉钉 API 连接（复用免密登录配置）
     
     仅限管理员访问
     """
@@ -389,15 +368,15 @@ async def test_employee_sync_connection(
     
     tenant_id = await get_or_create_tenant_id(db)
     
-    # 获取钉钉配置
-    corp_id = await get_system_config(db, tenant_id, 'employee_sync', 'CORP_ID')
-    client_id = await get_system_config(db, tenant_id, 'employee_sync', 'CLIENT_ID')
-    client_secret = await get_system_config(db, tenant_id, 'employee_sync', 'CLIENT_SECRET')
+    # 从 dingtalk 配置组读取（与免密登录共用）
+    corp_id = await get_system_config(db, tenant_id, 'dingtalk', 'DINGTALK_CORP_ID')
+    client_id = await get_system_config(db, tenant_id, 'dingtalk', 'DINGTALK_APP_KEY')
+    client_secret = await get_system_config(db, tenant_id, 'dingtalk', 'DINGTALK_APP_SECRET')
     
     if not all([corp_id, client_id, client_secret]):
         return ResponseModel(
             code=400,
-            message="钉钉 API 配置不完整，请先填写 CorpId、ClientId、ClientSecret"
+            message="请先在「钉钉免密登录」页签配置 CorpId、AppKey、AppSecret"
         )
     
     try:

backend/app/services/employee_sync_service.py

@@ -29,17 +29,18 @@ class EmployeeSyncService:
         self._dingtalk_config = None
     
     async def _get_dingtalk_config(self) -> Dict[str, str]:
-        """从数据库获取钉钉 API 配置"""
+        """从数据库获取钉钉 API 配置（复用免密登录配置）"""
         if self._dingtalk_config:
             return self._dingtalk_config
         
         try:
+            # 从 dingtalk 配置组读取（与免密登录共用）
             result = await self.db.execute(
                 text("""
                     SELECT config_key, config_value 
                     FROM tenant_configs 
                     WHERE tenant_id = :tenant_id 
-                    AND config_group = 'employee_sync'
+                    AND config_group = 'dingtalk'
                 """),
                 {"tenant_id": self.tenant_id}
             )
@@ -47,7 +48,13 @@ class EmployeeSyncService:
             
             config = {}
             for key, value in rows:
-                config[key] = value
+                # 转换 key 名称以匹配 DingTalkService 需要的格式
+                if key == 'DINGTALK_CORP_ID':
+                    config['CORP_ID'] = value
+                elif key == 'DINGTALK_APP_KEY':
+                    config['CLIENT_ID'] = value
+                elif key == 'DINGTALK_APP_SECRET':
+                    config['CLIENT_SECRET'] = value
             
             self._dingtalk_config = config
             return config