权限管理接口实现

web/auth/endpoints.go

@@ -288,6 +288,7 @@ func authAuthorizationCode(c *fiber.Ctx, auth *AuthCtx, req *TokenReq, now time.
 
 func authClientCredential(c *fiber.Ctx, auth *AuthCtx, _ *TokenReq, now time.Time) (*m.Session, error) {
 	// todo 检查 scope
+	scopes := strings.Join(auth.Scopes, " ")
 
 	// 生成会话
 	ip, _ := orm.ParseInet(c.IP()) // 可空字段，忽略异常
@@ -298,6 +299,7 @@ func authClientCredential(c *fiber.Ctx, auth *AuthCtx, _ *TokenReq, now time.Tim
 		ClientID:           &auth.Client.ID,
 		AccessToken:        uuid.NewString(),
 		AccessTokenExpires: now.Add(time.Duration(env.SessionAccessExpire) * time.Second),
+		Scopes:             &scopes,
 	}
 
 	// 保存会话
@@ -318,6 +320,8 @@ func authPassword(c *fiber.Ctx, auth *AuthCtx, req *TokenReq, now time.Time) (*m
 	var user *m.User
 	var admin *m.Admin
 
+	var scopes []string
+
 	pool := req.LoginPool
 	if pool == "" {
 		pool = PwdLoginAsUser
@@ -348,6 +352,10 @@ func authPassword(c *fiber.Ctx, auth *AuthCtx, req *TokenReq, now time.Time) (*m
 		if err != nil {
 			return nil, err
 		}
+		scopes, err = adminScopes(admin)
+		if err != nil {
+			return nil, err
+		}
 
 		// 更新管理员登录时间
 		admin.LastLogin = u.P(time.Now())
@@ -363,7 +371,7 @@ func authPassword(c *fiber.Ctx, auth *AuthCtx, req *TokenReq, now time.Time) (*m
 		IP:                 ip,
 		UA:                 ua,
 		ClientID:           &auth.Client.ID,
-		Scopes:             u.X(req.Scope),
+		Scopes:             u.X(strings.Join(scopes, " ")),
 		AccessToken:        uuid.NewString(),
 		AccessTokenExpires: now.Add(time.Duration(env.SessionAccessExpire) * time.Second),
 	}