2025-04-08 09:35:19 +08:00
|
|
|
package auth
|
2025-03-18 17:57:07 +08:00
|
|
|
|
|
|
|
|
import (
|
2025-03-31 09:09:05 +08:00
|
|
|
"context"
|
|
|
|
|
"encoding/base64"
|
|
|
|
|
"errors"
|
|
|
|
|
"log/slog"
|
|
|
|
|
q "platform/web/queries"
|
2025-03-29 11:13:10 +08:00
|
|
|
"slices"
|
2025-03-18 17:57:07 +08:00
|
|
|
"strings"
|
|
|
|
|
|
|
|
|
|
"platform/web/services"
|
|
|
|
|
|
|
|
|
|
"github.com/gofiber/fiber/v2"
|
2025-04-28 10:05:44 +08:00
|
|
|
"golang.org/x/crypto/bcrypt"
|
2025-03-18 17:57:07 +08:00
|
|
|
)
|
|
|
|
|
|
2025-04-23 19:01:08 +08:00
|
|
|
func Protect(c *fiber.Ctx, types []services.PayloadType, permissions []string) (*services.AuthContext, error) {
|
|
|
|
|
// 获取令牌
|
|
|
|
|
var header = c.Get("Authorization")
|
|
|
|
|
var split = strings.Split(header, " ")
|
|
|
|
|
if len(split) != 2 {
|
2025-04-24 10:52:13 +08:00
|
|
|
return nil, fiber.NewError(fiber.StatusUnauthorized, "无效的令牌")
|
2025-04-23 19:01:08 +08:00
|
|
|
}
|
2025-03-18 17:57:07 +08:00
|
|
|
|
2025-04-23 19:01:08 +08:00
|
|
|
var token = split[1]
|
|
|
|
|
if token == "" {
|
2025-04-24 10:52:13 +08:00
|
|
|
return nil, fiber.NewError(fiber.StatusUnauthorized, "无效的令牌")
|
2025-04-23 19:01:08 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var auth *services.AuthContext
|
|
|
|
|
var err error
|
|
|
|
|
switch split[0] {
|
2025-04-26 17:59:34 +08:00
|
|
|
|
2025-04-23 19:01:08 +08:00
|
|
|
case "Bearer":
|
|
|
|
|
auth, err = authBearer(c.Context(), token)
|
2025-04-26 17:59:34 +08:00
|
|
|
if err != nil {
|
2025-04-28 10:05:44 +08:00
|
|
|
slog.Debug("Bearer 认证失败")
|
2025-04-26 17:59:34 +08:00
|
|
|
return nil, fiber.NewError(fiber.StatusUnauthorized, "没有权限")
|
|
|
|
|
}
|
|
|
|
|
|
2025-04-23 19:01:08 +08:00
|
|
|
case "Basic":
|
|
|
|
|
if !slices.Contains(types, services.PayloadClientConfidential) {
|
2025-04-28 10:05:44 +08:00
|
|
|
slog.Debug("禁止使用 Basic 认证方式")
|
|
|
|
|
return nil, fiber.NewError(fiber.StatusUnauthorized, "没有权限")
|
2025-04-23 19:01:08 +08:00
|
|
|
}
|
|
|
|
|
auth, err = authBasic(c.Context(), token)
|
2025-04-26 17:59:34 +08:00
|
|
|
if err != nil {
|
2025-04-28 10:05:44 +08:00
|
|
|
slog.Debug("Basic 认证失败")
|
2025-04-26 17:59:34 +08:00
|
|
|
return nil, fiber.NewError(fiber.StatusUnauthorized, "没有权限")
|
|
|
|
|
}
|
|
|
|
|
|
2025-04-23 19:01:08 +08:00
|
|
|
default:
|
2025-04-28 10:05:44 +08:00
|
|
|
slog.Debug("无效的认证方式")
|
|
|
|
|
return nil, fiber.NewError(fiber.StatusUnauthorized, "没有权限")
|
2025-04-23 19:01:08 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// 检查权限
|
|
|
|
|
if !slices.Contains(types, auth.Payload.Type) {
|
2025-04-28 10:05:44 +08:00
|
|
|
slog.Debug("无效的认证主体")
|
2025-04-24 10:52:13 +08:00
|
|
|
return nil, fiber.NewError(fiber.StatusForbidden, "没有权限")
|
2025-04-23 19:01:08 +08:00
|
|
|
}
|
2025-04-28 10:05:44 +08:00
|
|
|
|
2025-04-23 19:01:08 +08:00
|
|
|
if len(permissions) > 0 && !auth.AnyPermission(permissions...) {
|
2025-04-28 10:05:44 +08:00
|
|
|
slog.Debug("无效的认证权限")
|
2025-04-24 10:52:13 +08:00
|
|
|
return nil, fiber.NewError(fiber.StatusForbidden, "没有权限")
|
2025-04-23 19:01:08 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return auth, nil
|
2025-03-31 09:09:05 +08:00
|
|
|
}
|
2025-03-18 17:57:07 +08:00
|
|
|
|
2025-03-31 09:09:05 +08:00
|
|
|
func authBearer(ctx context.Context, token string) (*services.AuthContext, error) {
|
|
|
|
|
auth, err := services.Session.Find(ctx, token)
|
|
|
|
|
if err != nil {
|
|
|
|
|
slog.Debug(err.Error())
|
|
|
|
|
return nil, err
|
2025-03-18 17:57:07 +08:00
|
|
|
}
|
2025-03-31 09:09:05 +08:00
|
|
|
return auth, nil
|
2025-03-18 17:57:07 +08:00
|
|
|
}
|
2025-03-28 15:01:30 +08:00
|
|
|
|
2025-04-23 19:01:08 +08:00
|
|
|
func authBasic(_ context.Context, token string) (*services.AuthContext, error) {
|
2025-03-28 15:01:30 +08:00
|
|
|
|
2025-03-31 09:09:05 +08:00
|
|
|
// 解析 Basic 认证信息
|
|
|
|
|
var base, err = base64.URLEncoding.DecodeString(token)
|
|
|
|
|
if err != nil {
|
|
|
|
|
slog.Debug(err.Error())
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2025-03-28 15:01:30 +08:00
|
|
|
|
2025-03-31 09:09:05 +08:00
|
|
|
var split = strings.Split(string(base), ":")
|
|
|
|
|
if len(split) != 2 {
|
|
|
|
|
msg := "无法解析 Basic 认证信息"
|
|
|
|
|
slog.Debug(msg)
|
|
|
|
|
return nil, errors.New(msg)
|
|
|
|
|
}
|
2025-03-28 15:01:30 +08:00
|
|
|
|
2025-03-31 09:09:05 +08:00
|
|
|
var clientID = split[0]
|
|
|
|
|
|
|
|
|
|
// 获取客户端信息
|
|
|
|
|
client, err := q.Client.
|
|
|
|
|
Where(
|
|
|
|
|
q.Client.ClientID.Eq(clientID),
|
|
|
|
|
q.Client.Spec.Eq(0),
|
|
|
|
|
q.Client.GrantClient.Is(true),
|
|
|
|
|
q.Client.Status.Eq(1)).
|
|
|
|
|
Take()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
2025-03-28 15:01:30 +08:00
|
|
|
}
|
2025-03-31 09:09:05 +08:00
|
|
|
|
2025-04-28 10:05:44 +08:00
|
|
|
// 检查客户端状态
|
|
|
|
|
if client.Status != 1 {
|
|
|
|
|
return nil, errors.New("客户端已被禁用")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// 检查客户端类型
|
|
|
|
|
if client.Spec != 0 {
|
|
|
|
|
return nil, errors.New("客户端类型错误")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// 检查客户端密钥
|
|
|
|
|
var clientSecret = split[1]
|
|
|
|
|
if bcrypt.CompareHashAndPassword([]byte(client.ClientSecret), []byte(clientSecret)) != nil {
|
|
|
|
|
return nil, errors.New("客户端密钥错误")
|
|
|
|
|
}
|
|
|
|
|
|
2025-03-31 09:09:05 +08:00
|
|
|
// todo 查询客户端关联权限
|
|
|
|
|
|
|
|
|
|
// 组织授权信息(一次性请求)
|
|
|
|
|
return &services.AuthContext{
|
|
|
|
|
Payload: services.Payload{
|
|
|
|
|
Id: client.ID,
|
|
|
|
|
Type: services.PayloadClientConfidential,
|
|
|
|
|
Name: client.Name,
|
|
|
|
|
Avatar: client.Icon,
|
|
|
|
|
},
|
|
|
|
|
Permissions: nil,
|
|
|
|
|
Metadata: nil,
|
|
|
|
|
}, nil
|
2025-03-28 15:01:30 +08:00
|
|
|
}
|
