权限管理接口实现

web/auth/account.go

@@ -17,6 +17,7 @@ func authClient(clientId string, clientSecrets ...string) (*m.Client, error) {
 
 	// 获取客户端信息
 	client, err := q.Client.
+		Preload(q.Client.Permissions).
 		Where(
 			q.Client.ClientID.Eq(clientId),
 			q.Client.Status.Eq(1)).
@@ -36,8 +37,6 @@ func authClient(clientId string, clientSecrets ...string) (*m.Client, error) {
 		}
 	}
 
-	// todo 查询客户端关联权限
-
 	// 组织授权信息（一次性请求）
 	return client, nil
 }
@@ -154,3 +153,33 @@ func authAdminByPassword(tx *q.Query, username, password string) (*m.Admin, erro
 
 	return admin, nil
 }
+
+func adminScopes(admin *m.Admin) ([]string, error) {
+	count, err := q.Admin.
+		LeftJoin(q.LinkAdminRole, q.LinkAdminRole.AdminID.EqCol(q.Admin.ID)).
+		LeftJoin(q.LinkAdminRolePermission, q.LinkAdminRolePermission.RoleID.EqCol(q.LinkAdminRole.RoleID)).
+		LeftJoin(q.Permission, q.Permission.ID.EqCol(q.LinkAdminRolePermission.PermissionID)).
+		Where(q.Admin.ID.Eq(admin.ID)).
+		Select(q.Permission.Name).
+		Count()
+	if err != nil {
+		return nil, err
+	}
+	if count == 0 {
+		return nil, nil
+	}
+
+	scopes := make([]string, 0, count)
+	err = q.Admin.
+		LeftJoin(q.LinkAdminRole, q.LinkAdminRole.AdminID.EqCol(q.Admin.ID)).
+		LeftJoin(q.LinkAdminRolePermission, q.LinkAdminRolePermission.RoleID.EqCol(q.LinkAdminRole.RoleID)).
+		LeftJoin(q.Permission, q.Permission.ID.EqCol(q.LinkAdminRolePermission.PermissionID)).
+		Where(q.Admin.ID.Eq(admin.ID)).
+		Select(q.Permission.Name).
+		Scan(&scopes)
+	if err != nil {
+		return nil, err
+	}
+
+	return scopes, nil
+}

web/auth/check.go

@@ -69,7 +69,8 @@ func (a *AuthCtx) checkScopes(scopes ...string) bool {
 		return true
 	}
 	if len(a.smap) == 0 && len(a.Scopes) > 0 {
-		for _, scope := range scopes {
+		a.smap = make(map[string]struct{}, len(a.Scopes))
+		for _, scope := range a.Scopes {
 			a.smap[scope] = struct{}{}
 		}
 	}

web/auth/endpoints.go

@@ -288,6 +288,7 @@ func authAuthorizationCode(c *fiber.Ctx, auth *AuthCtx, req *TokenReq, now time.
 
 func authClientCredential(c *fiber.Ctx, auth *AuthCtx, _ *TokenReq, now time.Time) (*m.Session, error) {
 	// todo 检查 scope
+	scopes := strings.Join(auth.Scopes, " ")
 
 	// 生成会话
 	ip, _ := orm.ParseInet(c.IP()) // 可空字段，忽略异常
@@ -298,6 +299,7 @@ func authClientCredential(c *fiber.Ctx, auth *AuthCtx, _ *TokenReq, now time.Tim
 		ClientID:           &auth.Client.ID,
 		AccessToken:        uuid.NewString(),
 		AccessTokenExpires: now.Add(time.Duration(env.SessionAccessExpire) * time.Second),
+		Scopes:             &scopes,
 	}
 
 	// 保存会话
@@ -318,6 +320,8 @@ func authPassword(c *fiber.Ctx, auth *AuthCtx, req *TokenReq, now time.Time) (*m
 	var user *m.User
 	var admin *m.Admin
 
+	var scopes []string
+
 	pool := req.LoginPool
 	if pool == "" {
 		pool = PwdLoginAsUser
@@ -348,6 +352,10 @@ func authPassword(c *fiber.Ctx, auth *AuthCtx, req *TokenReq, now time.Time) (*m
 		if err != nil {
 			return nil, err
 		}
+		scopes, err = adminScopes(admin)
+		if err != nil {
+			return nil, err
+		}
 
 		// 更新管理员登录时间
 		admin.LastLogin = u.P(time.Now())
@@ -363,7 +371,7 @@ func authPassword(c *fiber.Ctx, auth *AuthCtx, req *TokenReq, now time.Time) (*m
 		IP:                 ip,
 		UA:                 ua,
 		ClientID:           &auth.Client.ID,
-		Scopes:             u.X(req.Scope),
+		Scopes:             u.X(strings.Join(scopes, " ")),
 		AccessToken:        uuid.NewString(),
 		AccessTokenExpires: now.Add(time.Duration(env.SessionAccessExpire) * time.Second),
 	}

web/auth/middleware.go

@@ -113,8 +113,14 @@ func authBasic(_ context.Context, token string) (*AuthCtx, error) {
 		return nil, fmt.Errorf("客户端认证失败：%w", err)
 	}
 
+	scopes := []string{}
+	if client.Permissions != nil {
+		for _, p := range client.Permissions {
+			scopes = append(scopes, p.Name)
+		}
+	}
 	return &AuthCtx{
 		Client: client,
-		Scopes: []string{},
+		Scopes: scopes,
 	}, nil
 }