重构代码结构与认证体系，集成异步任务消费者

2025-11-17 18:38:10 +08:00
parent a97c970166
commit a245229bc2
70 changed files with 2000 additions and 2334 deletions
--- a/web/auth/authenticate.go
+++ b/web/auth/authenticate.go
@@ -4,112 +4,101 @@ import (
 	"context"
 	"encoding/base64"
 	"errors"
+	"fmt"
 	"log/slog"
+	"platform/web/core"
 	client2 "platform/web/domains/client"
+	m "platform/web/models"
 	q "platform/web/queries"
-	"slices"
+	s "platform/web/services"
 	"strings"
+	"time"

 	"github.com/gofiber/fiber/v2"
 	"golang.org/x/crypto/bcrypt"
 )

-type ProtectBuilder struct {
-	c      *fiber.Ctx
-	types  []PayloadType
-	scopes []string
+func Authenticate() fiber.Handler {
+	return func(ctx *fiber.Ctx) error {
+		header := ctx.Get(fiber.HeaderAuthorization)
+		authCtx, err := authHeader(ctx.Context(), header)
+		if err != nil {
+			return err
+		}
+
+		if authCtx == nil {
+			authCtx = &AuthCtx{}
+		}
+
+		SetAuthCtx(ctx, authCtx)
+		return ctx.Next()
+	}
 }

-func NewProtect(c *fiber.Ctx) *ProtectBuilder {
-	return &ProtectBuilder{c, []PayloadType{}, []string{}}
-}
+func authHeader(ctx context.Context, header string) (*AuthCtx, error) {
+	if header == "" {
+		return nil, nil
+	}

-func (p *ProtectBuilder) Payload(types ...PayloadType) *ProtectBuilder {
-	p.types = types
-	return p
-}
-
-func (p *ProtectBuilder) Scopes(scopes ...string) *ProtectBuilder {
-	p.scopes = scopes
-	return p
-}
-
-func (p *ProtectBuilder) Do() (*Context, error) {
-	return Protect(p.c, p.types, p.scopes)
-}
-
-func Protect(c *fiber.Ctx, types []PayloadType, permissions []string) (*Context, error) {
-	// 获取令牌
-	var header = c.Get("Authorization")
 	var split = strings.Split(header, " ")
 	if len(split) != 2 {
 		slog.Debug("Authorization 头格式不正确")
-		return nil, ErrUnauthorize
+		return nil, ErrAuthenticateUnauthorize
 	}

 	var token = strings.TrimSpace(split[1])
 	if token == "" {
 		slog.Debug("提供的令牌为空")
-		return nil, ErrUnauthorize
+		return nil, ErrAuthenticateUnauthorize
 	}

-	var auth *Context
+	var authCtx *AuthCtx
 	var err error
 	switch split[0] {

 	case "Bearer":
-		auth, err = authBearer(c.Context(), token)
+		authCtx, err = authBearer(ctx, token)
 		if err != nil {
 			slog.Debug("Bearer 认证失败", "err", err)
-			return nil, ErrUnauthorize
+			return nil, ErrAuthenticateUnauthorize
 		}

 	case "Basic":
-		if !slices.Contains(types, PayloadInternalServer) {
-			slog.Debug("禁止使用 Basic 认证方式")
-			return nil, ErrUnauthorize
-		}
-		auth, err = authBasic(c.Context(), token)
+		authCtx, err = authBasic(ctx, token)
 		if err != nil {
 			slog.Debug("Basic 认证失败", "err", err)
-			return nil, ErrUnauthorize
+			return nil, ErrAuthenticateUnauthorize
 		}

 	default:
 		slog.Debug("无效的认证方式", "method", split[0])
-		return nil, ErrUnauthorize
+		return nil, ErrAuthenticateUnauthorize
 	}

-	// 检查权限
-	if !slices.Contains(types, auth.Payload.Type) {
-		slog.Debug("无效的负载类型", "except", types, "actual", auth.Payload.Type)
-		return nil, ErrForbidden
-	}
-
-	if len(permissions) > 0 && !auth.AnyPermission(permissions...) {
-		slog.Debug("无效的认证权限", "except", permissions, "actual", auth.Permissions)
-		return nil, ErrForbidden
-	}
-
-	// 保存到上下文
-	Locals(c, auth)
-	return auth, nil
+	return authCtx, err
 }

-func Locals(c *fiber.Ctx, auth *Context) {
-	c.Locals("auth", auth)
-}
-
-func authBearer(ctx context.Context, token string) (*Context, error) {
-	auth, err := FindSession(ctx, token)
+func authBearer(_ context.Context, token string) (*AuthCtx, error) {
+	session, err := FindSession(token, time.Now())
 	if err != nil {
-		slog.Debug(err.Error())
-		return nil, err
+		slog.Debug("Bearer 认证失败", "err", err)
+		return nil, ErrAuthenticateUnauthorize
 	}
-	return auth, nil
+
+	scopes := []string{}
+	if session.Scopes_ != nil {
+		scopes = strings.Split(*session.Scopes_, " ")
+	}
+	return &AuthCtx{
+		User:    session.User,
+		Admin:   session.Admin,
+		Client:  session.Client,
+		Scopes:  scopes,
+		Session: session,
+	}, nil
 }

-func authBasic(_ context.Context, token string) (*Context, error) {
+func authBasic(_ context.Context, token string) (*AuthCtx, error) {

 	// 解析 Basic 认证信息
 	var base, err = base64.RawURLEncoding.DecodeString(token)
@@ -125,14 +114,23 @@ func authBasic(_ context.Context, token string) (*Context, error) {
 		return nil, errors.New("令牌格式错误，必须是 <client_id>:<client_secret> 格式")
 	}

-	var clientID = split[0]
+	client, err := authClient(split[0], split[1])
+	if err != nil {
+		return nil, fmt.Errorf("客户端认证失败：%w", err)
+	}
+
+	return &AuthCtx{
+		Client: client,
+		Scopes: []string{},
+	}, nil
+}
+
+func authClient(clientId, clientSecret string) (*m.Client, error) {

 	// 获取客户端信息
 	client, err := q.Client.
 		Where(
-			q.Client.ClientID.Eq(clientID),
-			q.Client.Spec.In(int32(client2.SpecWeb), int32(client2.SpecTrusted)),
-			q.Client.GrantClient.Is(true),
+			q.Client.ClientID.Eq(clientId),
 			q.Client.Status.Eq(1)).
 		Take()
 	if err != nil {
@@ -140,33 +138,57 @@ func authBasic(_ context.Context, token string) (*Context, error) {
 	}

 	// 检查客户端密钥
-	var clientSecret = split[1]
-	if bcrypt.CompareHashAndPassword([]byte(client.ClientSecret), []byte(clientSecret)) != nil {
-		return nil, errors.New("客户端密钥错误")
+	spec := client2.Spec(client.Spec)
+	if spec == client2.SpecWeb || spec == client2.SpecApi {
+		if bcrypt.CompareHashAndPassword([]byte(client.ClientSecret), []byte(clientSecret)) != nil {
+			return nil, errors.New("客户端密钥错误")
+		}
 	}

 	// todo 查询客户端关联权限

 	// 组织授权信息（一次性请求）
-	return &Context{
-		Payload: Payload{
-			Id:     client.ID,
-			Type:   PayloadTypeFromClientSpec(client2.Spec(client.Spec)),
-			Name:   client.Name,
-			Avatar: client.Icon,
-		},
-		Permissions: nil,
-		Metadata:    nil,
-	}, nil
+	return client, nil
 }

-type AuthenticationErr string
+func authUserBySms(tx *q.Query, username, code string) (*m.User, error) {
+	// 验证验证码
+	err := s.Verifier.VerifySms(context.Background(), username, code)
+	if err != nil {
+		if errors.Is(err, s.ErrVerifierServiceInvalid) {
+			return nil, ErrAuthorizeInvalidRequest
+		}
+		return nil, err
+	}

-func (e AuthenticationErr) Error() string {
-	return string(e)
+	// 查找用户
+	return tx.User.Where(tx.User.Phone.Eq(username)).Take()
 }

-var (
-	ErrUnauthorize = AuthenticationErr("令牌无效")
-	ErrForbidden   = AuthenticationErr("没有权限")
-)
+func authUserByEmail(tx *q.Query, username, code string) (*m.User, error) {
+	return nil, core.NewServErr("邮箱登录不可用")
+}
+
+func authUserByPassword(tx *q.Query, username, password string) (*m.User, error) {
+	user, err := tx.User.
+		Where(tx.User.Phone.Eq(username)).
+		Or(tx.User.Email.Eq(username)).
+		Or(tx.User.Username.Eq(username)).
+		Take()
+	if err != nil {
+		slog.Debug("查找用户失败", "error", err)
+		return nil, core.NewBizErr("用户不存在或密码错误")
+	}
+
+	// 验证密码
+	if user.Password == nil || *user.Password == "" {
+		slog.Debug("用户未设置密码", "username", username)
+		return nil, core.NewBizErr("用户不存在或密码错误")
+	}
+	if bcrypt.CompareHashAndPassword([]byte(*user.Password), []byte(password)) != nil {
+		slog.Debug("密码验证失败", "username", username)
+		return nil, core.NewBizErr("用户不存在或密码错误")
+	}
+
+	return user, nil
+}