完成白名单接口

2025-04-08 09:35:19 +08:00
parent eca58c7032
commit e1c4bb5c03
14 changed files with 290 additions and 21 deletions
--- a/web/auth/auth.go
+++ b/web/auth/auth.go
@@ -0,0 +1,218 @@
+package auth
+
+import (
+	"context"
+	"encoding/base64"
+	"errors"
+	"log/slog"
+	"platform/web/common"
+	q "platform/web/queries"
+	"slices"
+	"strings"
+
+	"platform/web/services"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+func Permit(types []services.PayloadType, permissions ...string) fiber.Handler {
+	return func(c *fiber.Ctx) error {
+		// 获取令牌
+		var header = c.Get("Authorization")
+		var split = strings.Split(header, " ")
+		if len(split) != 2 {
+			return c.Status(fiber.StatusBadRequest).JSON(common.ErrResp{
+				Error:   true,
+				Message: "无效的令牌",
+			})
+		}
+
+		var token = split[1]
+		if token == "" {
+			return c.Status(fiber.StatusBadRequest).JSON(common.ErrResp{
+				Error:   true,
+				Message: "无效的令牌",
+			})
+		}
+
+		var auth *services.AuthContext
+		var err error
+		switch split[0] {
+		case "Bearer":
+			auth, err = authBearer(c.Context(), token)
+		case "Basic":
+			if !slices.Contains(types, services.PayloadClientConfidential) {
+				return c.Status(fiber.StatusUnauthorized).JSON(common.ErrResp{
+					Error:   true,
+					Message: "没有权限",
+				})
+			}
+			auth, err = authBasic(c.Context(), token)
+		}
+		if err != nil {
+			return c.Status(fiber.StatusUnauthorized).JSON(common.ErrResp{
+				Error:   true,
+				Message: "没有权限",
+			})
+		}
+
+		// 检查权限
+		if !slices.Contains(types, auth.Payload.Type) {
+			return c.Status(fiber.StatusForbidden).JSON(common.ErrResp{
+				Error:   true,
+				Message: "拒绝访问",
+			})
+		}
+		if len(permissions) > 0 && !auth.AnyPermission(permissions...) {
+			return c.Status(fiber.StatusForbidden).JSON(common.ErrResp{
+				Error:   true,
+				Message: "拒绝访问",
+			})
+		}
+
+		// 将认证信息存储在上下文中
+		c.Locals("auth", auth)
+		c.Locals("access_token", token) // 存储原始令牌，便于后续操作
+
+		return c.Next()
+	}
+
+}
+
+func PermitAll(permissions ...string) fiber.Handler {
+	return Permit([]services.PayloadType{
+		services.PayloadClientPublic,
+		services.PayloadClientConfidential,
+		services.PayloadUser,
+		services.PayloadAdmin,
+	}, permissions...)
+}
+
+// PermitUser 创建针对单个路由的鉴权中间件
+func PermitUser(permissions ...string) fiber.Handler {
+	return Permit([]services.PayloadType{
+		services.PayloadUser,
+		services.PayloadAdmin,
+	}, permissions...)
+}
+
+func PermitDevice(permissions ...string) fiber.Handler {
+	return Permit([]services.PayloadType{
+		services.PayloadClientPublic,
+		services.PayloadClientConfidential,
+		services.PayloadAdmin,
+	}, permissions...)
+}
+
+func PermitPublic(permissions ...string) fiber.Handler {
+	return Permit([]services.PayloadType{
+		services.PayloadClientPublic,
+		services.PayloadAdmin,
+	}, permissions...)
+}
+
+func PermitConfidential(permissions ...string) fiber.Handler {
+	return Permit([]services.PayloadType{
+		services.PayloadClientConfidential,
+		services.PayloadAdmin,
+	}, permissions...)
+}
+
+func authBearer(ctx context.Context, token string) (*services.AuthContext, error) {
+	auth, err := services.Session.Find(ctx, token)
+	if err != nil {
+		slog.Debug(err.Error())
+		return nil, err
+	}
+	return auth, nil
+}
+
+func authBasic(ctx context.Context, token string) (*services.AuthContext, error) {
+
+	// 解析 Basic 认证信息
+	var base, err = base64.URLEncoding.DecodeString(token)
+	if err != nil {
+		slog.Debug(err.Error())
+		return nil, err
+	}
+
+	var split = strings.Split(string(base), ":")
+	if len(split) != 2 {
+		msg := "无法解析 Basic 认证信息"
+		slog.Debug(msg)
+		return nil, errors.New(msg)
+	}
+
+	var clientID = split[0]
+
+	// 获取客户端信息
+	client, err := q.Client.
+		Where(
+			q.Client.ClientID.Eq(clientID),
+			q.Client.Spec.Eq(0),
+			q.Client.GrantClient.Is(true),
+			q.Client.Status.Eq(1)).
+		Take()
+	if err != nil {
+		return nil, err
+	}
+
+	// todo 查询客户端关联权限
+
+	// 组织授权信息（一次性请求）
+	return &services.AuthContext{
+		Payload: services.Payload{
+			Id:     client.ID,
+			Type:   services.PayloadClientConfidential,
+			Name:   client.Name,
+			Avatar: client.Icon,
+		},
+		Permissions: nil,
+		Metadata:    nil,
+	}, nil
+}
+
+func Protect(c *fiber.Ctx, types []services.PayloadType, permissions []string) (*services.AuthContext, error) {
+	// 获取令牌
+	var header = c.Get("Authorization")
+	var split = strings.Split(header, " ")
+	if len(split) != 2 {
+		return nil, fiber.NewError(fiber.StatusBadRequest, "无效的令牌")
+	}
+
+	var token = split[1]
+	if token == "" {
+		return nil, fiber.NewError(fiber.StatusBadRequest, "无效的令牌")
+	}
+
+	var auth *services.AuthContext
+	var err error
+	switch split[0] {
+	case "Bearer":
+		auth, err = authBearer(c.Context(), token)
+	case "Basic":
+		if !slices.Contains(types, services.PayloadClientConfidential) {
+			return nil, fiber.NewError(fiber.StatusUnauthorized, "没有权限")
+		}
+		auth, err = authBasic(c.Context(), token)
+	default:
+		return nil, fiber.NewError(fiber.StatusUnauthorized, "没有权限")
+	}
+	if err != nil {
+		return nil, fiber.NewError(fiber.StatusUnauthorized, "没有权限")
+	}
+
+	// 检查权限
+	if !slices.Contains(types, auth.Payload.Type) {
+		return nil, fiber.NewError(fiber.StatusForbidden, "拒绝访问")
+	}
+	if len(permissions) > 0 && !auth.AnyPermission(permissions...) {
+		return nil, fiber.NewError(fiber.StatusForbidden, "拒绝访问")
+	}
+
+	// 将认证信息存储在上下文中
+	c.Locals("auth", auth)
+	c.Locals("access_token", token) // 存储原始令牌，便于后续操作
+
+	return auth, nil
+}