重构迁移核心数据结构到认证模块；完善中间件初始化逻辑以及 logger 记录过程

2025-05-08 13:18:54 +08:00
parent c93d0bf467
commit e2cc318560
24 changed files with 353 additions and 215 deletions
--- a/web/auth/authenticate.go
+++ b/web/auth/authenticate.go
@@ -9,13 +9,11 @@ import (
 	"slices"
 	"strings"

-	"platform/web/services"
-
 	"github.com/gofiber/fiber/v2"
 	"golang.org/x/crypto/bcrypt"
 )

-func Protect(c *fiber.Ctx, types []services.PayloadType, permissions []string) (*services.AuthContext, error) {
+func Protect(c *fiber.Ctx, types []PayloadType, permissions []string) (*Context, error) {
 	// 获取令牌
 	var header = c.Get("Authorization")
 	var split = strings.Split(header, " ")
@@ -28,7 +26,7 @@ func Protect(c *fiber.Ctx, types []services.PayloadType, permissions []string) (
 		return nil, fiber.NewError(fiber.StatusUnauthorized, "无效的令牌")
 	}

-	var auth *services.AuthContext
+	var auth *Context
 	var err error
 	switch split[0] {

@@ -36,23 +34,23 @@ func Protect(c *fiber.Ctx, types []services.PayloadType, permissions []string) (
 		auth, err = authBearer(c.Context(), token)
 		if err != nil {
 			slog.Debug("Bearer 认证失败", "err", err)
-			return nil, fiber.NewError(fiber.StatusUnauthorized, "没有权限")
+			return nil, fiber.NewError(fiber.StatusUnauthorized, "无效的令牌")
 		}

 	case "Basic":
-		if !slices.Contains(types, services.PayloadClientConfidential) {
+		if !slices.Contains(types, PayloadClientConfidential) {
 			slog.Debug("禁止使用 Basic 认证方式")
-			return nil, fiber.NewError(fiber.StatusUnauthorized, "没有权限")
+			return nil, fiber.NewError(fiber.StatusUnauthorized, "无效的令牌")
 		}
 		auth, err = authBasic(c.Context(), token)
 		if err != nil {
 			slog.Debug("Basic 认证失败", "err", err)
-			return nil, fiber.NewError(fiber.StatusUnauthorized, "没有权限")
+			return nil, fiber.NewError(fiber.StatusUnauthorized, "无效的令牌")
 		}

 	default:
 		slog.Debug("无效的认证方式")
-		return nil, fiber.NewError(fiber.StatusUnauthorized, "没有权限")
+		return nil, fiber.NewError(fiber.StatusUnauthorized, "无效的令牌")
 	}

 	// 检查权限
@@ -67,15 +65,18 @@ func Protect(c *fiber.Ctx, types []services.PayloadType, permissions []string) (
 	}

 	// 保存到上下文
-	c.Locals("auth", auth)
-	c.Locals("authid", auth.Payload.Id)
-	c.Locals("authtype", auth.Payload.Type.Name())
-
+	Locals(c, auth)
 	return auth, nil
 }

-func authBearer(ctx context.Context, token string) (*services.AuthContext, error) {
-	auth, err := services.Session.Find(ctx, token)
+func Locals(c *fiber.Ctx, auth *Context) {
+	c.Locals("auth", auth)
+	c.Locals("authtype", auth.Payload.Type.ToStr())
+	c.Locals("authid", auth.Payload.Id)
+}
+
+func authBearer(ctx context.Context, token string) (*Context, error) {
+	auth, err := find(ctx, token)
 	if err != nil {
 		slog.Debug(err.Error())
 		return nil, err
@@ -83,7 +84,7 @@ func authBearer(ctx context.Context, token string) (*services.AuthContext, error
 	return auth, nil
 }

-func authBasic(_ context.Context, token string) (*services.AuthContext, error) {
+func authBasic(_ context.Context, token string) (*Context, error) {

 	// 解析 Basic 认证信息
 	var base, err = base64.RawURLEncoding.DecodeString(token)
@@ -122,10 +123,10 @@ func authBasic(_ context.Context, token string) (*services.AuthContext, error) {
 	// todo 查询客户端关联权限

 	// 组织授权信息（一次性请求）
-	return &services.AuthContext{
-		Payload: services.Payload{
+	return &Context{
+		Payload: Payload{
 			Id:     client.ID,
-			Type:   services.PayloadClientConfidential,
+			Type:   PayloadClientConfidential,
 			Name:   client.Name,
 			Avatar: client.Icon,
 		},
--- a/web/auth/context.go
+++ b/web/auth/context.go
@@ -0,0 +1,78 @@
+package auth
+
+import "platform/pkg/u"
+
+// Context 定义认证信息
+type Context struct {
+	Payload     Payload                `json:"payload"`
+	Agent       Agent                  `json:"agent,omitempty"`
+	Permissions map[string]struct{}    `json:"permissions,omitempty"`
+	Metadata    map[string]interface{} `json:"metadata,omitempty"`
+}
+
+// AnyPermission 检查认证是否包含指定权限
+func (a *Context) AnyPermission(requiredPermission ...string) bool {
+	if a == nil || a.Permissions == nil {
+		return false
+	}
+	for _, permission := range requiredPermission {
+		if _, ok := a.Permissions[permission]; ok {
+			return true
+		}
+	}
+	return false
+}
+
+// Payload 定义负载信息
+type Payload struct {
+	Id     int32       `json:"id,omitempty"`
+	Type   PayloadType `json:"type,omitempty"`
+	Name   string      `json:"name,omitempty"`
+	Avatar string      `json:"avatar,omitempty"`
+}
+
+type Agent struct {
+	Id   int32  `json:"id,omitempty"`
+	Addr string `json:"addr,omitempty"`
+}
+
+type PayloadType int
+
+const (
+	// PayloadUser 用户类型
+	PayloadUser PayloadType = iota + 1
+	// PayloadAdmin 管理员类型
+	PayloadAdmin
+	// PayloadClientPublic 公共客户端类型
+	PayloadClientPublic
+	// PayloadClientConfidential 机密客户端类型
+	PayloadClientConfidential
+)
+
+func (t PayloadType) ToStr() string {
+	switch t {
+	case PayloadUser:
+		return "user"
+	case PayloadAdmin:
+		return "admn"
+	case PayloadClientPublic:
+		return "cpub"
+	case PayloadClientConfidential:
+		return "ccnf"
+	}
+	return "none"
+}
+
+func PayloadTypeFromStr(name string) *PayloadType {
+	switch name {
+	case "user":
+		return u.P(PayloadUser)
+	case "admn":
+		return u.P(PayloadAdmin)
+	case "cpub":
+		return u.P(PayloadClientPublic)
+	case "ccnf":
+		return u.P(PayloadClientConfidential)
+	}
+	return nil
+}
--- a/web/auth/session.go
+++ b/web/auth/session.go
@@ -0,0 +1,34 @@
+package auth
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"github.com/redis/go-redis/v9"
+	"platform/pkg/rds"
+)
+
+func find(ctx context.Context, token string) (*Context, error) {
+
+	// 读取认证数据
+	authJSON, err := rds.Client.Get(ctx, accessKey(token)).Result()
+	if err != nil {
+		if errors.Is(err, redis.Nil) {
+			return nil, errors.New("invalid_token")
+		}
+		return nil, err
+	}
+
+	// 反序列化
+	auth := new(Context)
+	if err := json.Unmarshal([]byte(authJSON), auth); err != nil {
+		return nil, err
+	}
+
+	return auth, nil
+}
+
+func accessKey(token string) string {
+	return fmt.Sprintf("session:%s", token)
+}