chore:

2026-04-24 04:17:25 +08:00 · 2025-01-19 00:33:34 +08:00
parent 93b37a89c9
commit e79703e49b
9 changed files with 156 additions and 106 deletions
@@ -4,6 +4,7 @@ CREATE TABLE "cd_open_key"
  "user_id"     integer,
  "key_id"      varchar(50),
  "key_secret"  varchar(100),
+  "scope"       varchar(50),
  "disabled"    boolean  NOT NULL DEFAULT (false),
  "create_time" datetime NOT NULL DEFAULT (CURRENT_TIMESTAMP),
  "update_time" datetime NOT NULL DEFAULT (CURRENT_TIMESTAMP)
@@ -37,10 +37,9 @@ export class OpenKeyController extends CrudController<OpenKeyService> {
  }

  @Post('/add', { summary: Constants.per.authOnly })
-  async add() {
-    const bean: any = {};
-    bean.userId = this.getUserId();
-    const res = await this.service.add(bean);
+  async add(@Body(ALL) body: any) {
+    body.userId = this.getUserId();
+    const res = await this.service.add(body);
    return this.ok(res);
  }

@@ -4,8 +4,8 @@ import jwt from 'jsonwebtoken';
 import { Constants, SysPrivateSettings, SysSettingsService } from '@certd/lib-server';
 import { logger } from '@certd/basic';
 import { AuthService } from '../modules/sys/authority/service/auth-service.js';
-import { Next } from 'koa';
 import { OpenKeyService } from '../modules/open/service/open-key-service.js';
+import { RoleService } from '../modules/sys/authority/service/role-service.js';

 /**
 * 权限校验
@@ -18,6 +18,8 @@ export class AuthorityMiddleware implements IWebMiddleware {
  @Inject()
  authService: AuthService;
  @Inject()
+  roleService: RoleService;
+  @Inject()
  openKeyService: OpenKeyService;
  @Inject()
  sysSettingsService: SysSettingsService;
@@ -50,10 +52,6 @@ export class AuthorityMiddleware implements IWebMiddleware {
        return;
      }

-      if (permission === Constants.per.open) {
-        return this.doOpenHandler(ctx, next);
-      }
-
      let token = ctx.get('Authorization') || '';
      token = token.replace('Bearer ', '').trim();
      if (!token) {
@@ -64,41 +62,61 @@ export class AuthorityMiddleware implements IWebMiddleware {
        //尝试从query中获取token
        token = (ctx.query.token as string) || '';
      }
-      try {
-        ctx.user = jwt.verify(token, this.secret);
-      } catch (err) {
-        logger.error('token verify error: ', err);
-        ctx.status = 401;
-        ctx.body = Constants.res.auth;
+
+      if (token) {
+        try {
+          ctx.user = jwt.verify(token, this.secret);
+        } catch (err) {
+          logger.error('token verify error: ', err);
+          return this.notAuth(ctx);
+        }
+      } else {
+        //找找openKey
+        const openKey = await this.doOpenHandler(ctx);
+        if (!openKey) {
+          return this.notAuth(ctx);
+        }
+        if (permission === Constants.per.open) {
+          await next();
+          return;
+        } else if (openKey.scope === 'open') {
+          return this.notAuth(ctx);
+        }
+      }
+
+      if (permission === Constants.per.authOnly) {
+        await next();
        return;
      }

-      if (permission !== Constants.per.authOnly) {
-        const pass = await this.authService.checkPermission(ctx, permission);
-        if (!pass) {
-          logger.info('not permission: ', ctx.req.url);
-          ctx.status = 401;
-          ctx.body = Constants.res.permission;
-          return;
-        }
+      const pass = await this.authService.checkPermission(ctx, permission);
+      if (!pass) {
+        logger.info('not permission: ', ctx.req.url);
+        ctx.status = 401;
+        ctx.body = Constants.res.permission;
+        return;
      }
-      await next();
    };
  }

-  async doOpenHandler(ctx: IMidwayKoaContext, next: Next) {
+  private notAuth(ctx: IMidwayKoaContext) {
+    ctx.status = 401;
+    ctx.body = Constants.res.auth;
+    return;
+  }
+
+  async doOpenHandler(ctx: IMidwayKoaContext) {
    //开放接口
-    const openKey = ctx.get('x-api-token') || '';
+    const openKey = ctx.get('x-certd-token') || '';
    if (!openKey) {
-      ctx.status = 401;
-      ctx.body = Constants.res.auth;
-      return;
+      return null;
    }

    //校验 openKey
    const openKeyRes = await this.openKeyService.verifyOpenKey(openKey);
-    ctx.user = { id: openKeyRes.userId };
+    const roles = await this.roleService.getRoleIdsByUserId(openKeyRes.userId);
+    ctx.user = { id: openKeyRes.userId, roles };
    ctx.openKey = openKeyRes;
-    await next();
+    return openKeyRes;
  }
 }
@@ -14,6 +14,9 @@ export class OpenKeyEntity {
  @Column({ name: 'key_secret', comment: 'keySecret' })
  keySecret: string;

+  @Column({ name: 'scope', comment: '权限范围' })
+  scope: string; // open 仅开放接口、 user 用户所有权限
+
  @Column({ name: 'create_time', comment: '创建时间', default: () => 'CURRENT_TIMESTAMP' })
  createTime: Date;

@@ -12,6 +12,7 @@ export type OpenKey = {
  keyId: string;
  keySecret: string;
  encrypt: boolean;
+  scope: string;
 };
@Provide()
@Scope(ScopeEnum.Request, { allowDowngrade: true })
@@ -29,10 +30,10 @@ export class OpenKeyService extends BaseService<OpenKeyEntity> {
  }

  async add(bean: OpenKeyEntity) {
-    return await this.generate(bean.userId);
+    return await this.generate(bean.userId, bean.scope);
  }

-  async generate(userId: number) {
+  async generate(userId: number, scope: string) {
    const keyId = utils.id.simpleNanoId(18) + '_key';
    const secretKey = crypto.randomBytes(32);
    const keySecret = Buffer.from(secretKey).toString('hex');
@@ -40,6 +41,7 @@ export class OpenKeyService extends BaseService<OpenKeyEntity> {
    entity.userId = userId;
    entity.keyId = keyId;
    entity.keySecret = keySecret;
+    entity.scope = scope ?? 'open';
    await this.repository.save(entity);
    return entity;
  }
@@ -84,6 +86,7 @@ export class OpenKeyService extends BaseService<OpenKeyEntity> {
      keyId: entity.keyId,
      keySecret: entity.keySecret,
      encrypt: encrypt,
+      scope: entity.scope,
    };
  }