重构认证授权模块，统一到 auth 包下

2025-12-29 10:18:01 +08:00
parent bf8f001a30
commit 1262a8dae4
8 changed files with 407 additions and 269 deletions
--- a/web/auth/middleware.go
+++ b/web/auth/middleware.go
@@ -0,0 +1,120 @@
+package auth
+
+import (
+	"context"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"log/slog"
+	"strings"
+	"time"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+func Authenticate() fiber.Handler {
+	return func(ctx *fiber.Ctx) error {
+		header := ctx.Get(fiber.HeaderAuthorization)
+		authCtx, err := authHeader(ctx.Context(), header)
+		if err != nil {
+			return err
+		}
+
+		if authCtx == nil {
+			authCtx = &AuthCtx{}
+		}
+
+		SetAuthCtx(ctx, authCtx)
+		return ctx.Next()
+	}
+}
+
+func authHeader(ctx context.Context, header string) (*AuthCtx, error) {
+	if header == "" {
+		return nil, nil
+	}
+
+	var split = strings.Split(header, " ")
+	if len(split) != 2 {
+		slog.Debug("Authorization 头格式不正确")
+		return nil, ErrAuthenticateUnauthorize
+	}
+
+	var token = strings.TrimSpace(split[1])
+	if token == "" {
+		slog.Debug("提供的令牌为空")
+		return nil, ErrAuthenticateUnauthorize
+	}
+
+	var authCtx *AuthCtx
+	var err error
+	switch split[0] {
+
+	case "Bearer":
+		authCtx, err = authBearer(ctx, token)
+		if err != nil {
+			slog.Debug("Bearer 认证失败", "err", err)
+			return nil, ErrAuthenticateUnauthorize
+		}
+
+	case "Basic":
+		authCtx, err = authBasic(ctx, token)
+		if err != nil {
+			slog.Debug("Basic 认证失败", "err", err)
+			return nil, ErrAuthenticateUnauthorize
+		}
+
+	default:
+		slog.Debug("无效的认证方式", "method", split[0])
+		return nil, ErrAuthenticateUnauthorize
+	}
+
+	return authCtx, err
+}
+
+func authBearer(_ context.Context, token string) (*AuthCtx, error) {
+	session, err := FindSession(token, time.Now())
+	if err != nil {
+		slog.Debug("Bearer 认证失败", "err", err)
+		return nil, ErrAuthenticateUnauthorize
+	}
+
+	scopes := []string{}
+	if session.Scopes != nil {
+		scopes = strings.Split(*session.Scopes, " ")
+	}
+	return &AuthCtx{
+		User:    session.User,
+		Admin:   session.Admin,
+		Client:  session.Client,
+		Scopes:  scopes,
+		Session: session,
+	}, nil
+}
+
+func authBasic(_ context.Context, token string) (*AuthCtx, error) {
+
+	// 解析 Basic 认证信息
+	var base, err = base64.RawURLEncoding.DecodeString(token)
+	if err != nil {
+		base, err = base64.URLEncoding.DecodeString(token)
+		if err != nil {
+			return nil, errors.New("令牌格式错误，无法解析令牌")
+		}
+	}
+
+	var split = strings.Split(string(base), ":")
+	if len(split) != 2 {
+		return nil, errors.New("令牌格式错误，必须是 <client_id>:<client_secret> 格式")
+	}
+
+	client, err := authClient(split[0], split[1])
+	if err != nil {
+		return nil, fmt.Errorf("客户端认证失败：%w", err)
+	}
+
+	return &AuthCtx{
+		Client: client,
+		Scopes: []string{},
+	}, nil
+}