lanhu/web
2
0
Fork 0
Code Issues Actions Packages Releases 13 Activity

重构鉴权逻辑,新增中间件刷新令牌,授权接口统一后处理无授权跳转

Browse Source
This commit is contained in:
luorijun
2025-04-26 14:18:08 +08:00
parent 5c88cd7f32
commit 6db037204c
20 changed files with 303 additions and 318 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
src/actions/auth/auth.ts → src/actions/auth.ts
View File

@@ -1,19 +1,10 @@
'use server'
import {cookies} from 'next/headers'
import {ApiResponse, UnauthorizedError} from '@/lib/api'
import {AuthContext} from '@/lib/auth'
import {User} from '@/lib/models'
import {callByDevice, callByUser, callPublic, getUserToken} from '@/actions/base'
import {redirect} from 'next/navigation'
import {cache} from 'react'
import {callByDevice, callByUser} from '@/actions/base'
export interface LoginParams {
username: string
password: string
remember: boolean
}
type LoginResp = {
type TokenResp = {
access_token: string
refresh_token: string
expires_in: number
@@ -21,9 +12,14 @@ type LoginResp = {
scope?: string
}
export async function login(props: LoginParams): Promise<ApiResponse> {
export async function login(props: {
username: string
password: string
remember: boolean
}): Promise<ApiResponse> {
// 尝试登录
const result = await callByDevice<LoginResp>('/api/auth/token', {
const result = await callByDevice<TokenResp>('/api/auth/token', {
...props,
grant_type: 'password',
login_type: 'phone_code',
@@ -44,14 +40,6 @@ export async function login(props: LoginParams): Promise<ApiResponse> {
httpOnly: true,
sameSite: 'strict',
})
// cookieStore.set('auth_info', JSON.stringify(data.auth), {
// httpOnly: true,
// sameSite: 'strict',
// })
// cookieStore.set('auth_profile', JSON.stringify(data.profile), {
// httpOnly: true,
// sameSite: 'strict',
// })
return {
success: true,
@@ -91,19 +79,49 @@ export async function logout() {
}
export async function getProfile() {
try {
const token = await getUserToken()
const result = await callPublic<User>('/api/user/get/token', {token})
return await callByUser<User>('/api/auth/introspect')
}
if (!result.success) {
throw new Error('获取用户信息失败')
}
return result.data
export async function refreshAuth() {
const cookie = await cookies()
const userRefresh = cookie.get('auth_refresh')?.value
if (!userRefresh) {
throw UnauthorizedError
}
catch (e) {
if (e === UnauthorizedError) {
return null
}
throw e
// 请求刷新访问令牌
const resp = await callByDevice<TokenResp>(`/api/auth/token`, {
grant_type: 'refresh_token',
refresh_token: userRefresh,
})
// 处理请求
if (!resp.success) {
cookie.delete('auth_refresh')
throw UnauthorizedError
}
// 解析响应
const data = resp.data
const nextAccessToken = data.access_token
const nextRefreshToken = data.refresh_token
const expiresIn = data.expires_in
// 保存令牌到 cookies
cookie.set('auth_token', nextAccessToken, {
httpOnly: true,
sameSite: 'strict',
maxAge: Math.max(expiresIn, 0),
})
cookie.set('auth_refresh', nextRefreshToken, {
httpOnly: true,
sameSite: 'strict',
})
// 返回新的访问令牌
return {
access_token: nextAccessToken,
refresh_token: nextRefreshToken,
}
}

22
src/actions/auth/identify.ts
View File

@@ -1,22 +0,0 @@
'use server'
import {callByUser, callPublic} from '@/actions/base'
export async function Identify(props: {
type: number
name: string
iden_no: string
}) {
return await callByUser<{
identified: boolean
target: string
}>('/api/user/identify', props)
}
export async function IdentifyCallback(props: {
id: string
}) {
return await callPublic<{
success: boolean
message: string
}>('/api/user/identify/callback', props)
}

310
src/actions/base.ts
View File

@@ -1,184 +1,13 @@
'use server'
import {API_BASE_URL, CLIENT_ID, CLIENT_SECRET, ApiResponse, UnauthorizedError} from '@/lib/api'
import {API_BASE_URL, ApiResponse, CLIENT_ID, CLIENT_SECRET} from '@/lib/api'
import {cookies, headers} from 'next/headers'
import {redirect} from 'next/navigation'
import {cache} from 'react'
import {redirect} from 'next/navigation'
// ======================
// region device token
// public
// ======================
async function callByDevice<R = undefined>(
endpoint: string,
data: unknown,
): Promise<ApiResponse<R>> {
return _callByDevice(endpoint, data ? JSON.stringify(data) : undefined)
}
// 通用的API调用函数
const _callByDevice = cache(async <R = undefined>(
endpoint: string,
data?: string,
): Promise<ApiResponse<R>> => {
try {
// 获取设备令牌
if (!CLIENT_ID || !CLIENT_SECRET) {
throw new Error('缺少CLIENT_ID或CLIENT_SECRET环境变量')
}
const token = Buffer.from(`${CLIENT_ID}:${CLIENT_SECRET}`).toString('base64url')
// 构造请求
const url = `${API_BASE_URL}${endpoint}`
const request = {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': `Basic ${token}`,
},
body: data,
}
// 发送请求
const response = await fetch(`${API_BASE_URL}${endpoint}`, request)
// 检查响应状态
return handleResponse(response)
}
catch (e) {
throw new Error('服务调用失败', {cause: e})
}
})
// endregion
// ======================
// region user token
// ======================
async function getUserToken(refresh = false): Promise<string> {
// 从 cookie 中获取用户令牌
const cookie = await cookies()
const userToken = cookie.get('auth_token')?.value
const userRefresh = cookie.get('auth_refresh')?.value
// 检查缓存的令牌是否可用
if (!refresh && userToken) {
return userToken
}
// 如果没有刷新令牌,抛出异常
if (!userRefresh) {
throw UnauthorizedError
}
// 请求刷新访问令牌
const addr = `${API_BASE_URL}/api/auth/token`
const body = {
grant_type: 'refresh_token',
client_id: CLIENT_ID,
client_secret: CLIENT_SECRET,
refresh_token: userRefresh,
}
const response = await fetch(addr, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify(body),
})
if (!response.ok) {
console.log('刷新令牌失败', `status=${response.status}`, await response.text())
throw UnauthorizedError
}
// 保存新的用户令牌到 cookie
const data = await response.json()
const nextAccessToken = data.access_token
const nextRefreshToken = data.refresh_token
const expiresIn = data.expires_in
cookie.set('auth_token', nextAccessToken, {
httpOnly: true,
sameSite: 'strict',
maxAge: Math.max(expiresIn, 0),
})
cookie.set('auth_refresh', nextRefreshToken, {
httpOnly: true,
sameSite: 'strict',
maxAge: 7 * 24 * 3600, // 7天
})
return nextAccessToken
}
// 使用用户令牌的API调用函数
async function callByUser<R = undefined>(
endpoint: string,
data?: unknown,
): Promise<ApiResponse<R>> {
return _callByUser(endpoint, data ? JSON.stringify(data) : undefined)
}
const _callByUser = cache(async <R = undefined>(
endpoint: string,
data?: string,
): Promise<ApiResponse<R>> => {
const header = await headers()
try {
let token = await getUserToken()
// 构造请求
const request = {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': `Bearer ${token}`,
} as Record<string, string>,
body: data,
}
const userIp = header.get('x-forwarded-for')
if (userIp) {
request.headers['X-Forwarded-For'] = userIp
}
// 发送请求
let response = await fetch(`${API_BASE_URL}${endpoint}`, request)
if (response.status === 401) {
token = await getUserToken(true)
request.headers['Authorization'] = `Bearer ${token}`
response = await fetch(`${API_BASE_URL}${endpoint}`, request)
}
if (response.status === 401) {
throw UnauthorizedError
}
return handleResponse(response)
}
catch (e) {
if (e === UnauthorizedError) {
const referer = header.get('referer')
let redirectUrl = '/login'
if (referer) {
const url = new URL(referer)
redirectUrl = `/login?redirect=${encodeURIComponent(url.pathname)}`
}
return redirect(redirectUrl)
}
throw new Error('服务调用失败', {cause: e})
}
})
// endregion
// ======================
// region no token
// ======================
// 不需要令牌的公共API调用函数
async function callPublic<R = undefined>(
endpoint: string,
data?: unknown,
@@ -190,33 +19,106 @@ const _callPublic = cache(async <R = undefined>(
endpoint: string,
data?: string,
): Promise<ApiResponse<R>> => {
try {
const url = `${API_BASE_URL}${endpoint}`
const request: RequestInit = {
return call(`${API_BASE_URL}${endpoint}`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: data,
}
const response = await fetch(url, request)
return handleResponse(response)
}
catch (e) {
throw new Error('服务调用失败', {cause: e})
}
},
)
})
// endregion
// ======================
// device
// ======================
// 统一响应解析
async function handleResponse<R = undefined>(response: Response): Promise<ApiResponse<R>> {
async function callByDevice<R = undefined>(
endpoint: string,
data: unknown,
): Promise<ApiResponse<R>> {
return _callByDevice(endpoint, data ? JSON.stringify(data) : undefined)
}
const _callByDevice = cache(async <R = undefined>(
endpoint: string,
data?: string,
): Promise<ApiResponse<R>> => {
// 获取设备令牌
if (!CLIENT_ID || !CLIENT_SECRET) {
return {
success: false,
status: 401,
message: '未配置 CLIENT_ID 或 CLIENT_SECRET',
}
}
const token = Buffer.from(`${CLIENT_ID}:${CLIENT_SECRET}`).toString('base64url')
// 发起请求
return call(`${API_BASE_URL}${endpoint}`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': `Basic ${token}`,
},
body: data,
})
})
// ======================
// user
// ======================
async function callByUser<R = undefined>(
endpoint: string,
data?: unknown,
): Promise<ApiResponse<R>> {
return postCall(_callByUser(endpoint, data ? JSON.stringify(data) : undefined))
}
const _callByUser = cache(async <R = undefined>(
endpoint: string,
data?: string,
): Promise<ApiResponse<R>> => {
const header = await headers()
// 获取用户令牌
const cookie = await cookies()
const token = cookie.get('auth_token')?.value
if (!token) {
return {
success: false,
status: 401,
message: '会话已失效',
}
}
// 发起请求
return await call<R>(`${API_BASE_URL}${endpoint}`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
'Authorization': `Bearer ${token}`,
'X-Forwarded-For': header.get('x-forwarded-for') || '[web]unknown',
'User-Agent': header.get('user-agent') || '[web]unknown',
} as Record<string, string>,
body: data,
})
})
// ======================
// call
// ======================
async function call<R = undefined>(url: string, request: RequestInit): Promise<ApiResponse<R>> {
const response = await fetch(url, request)
const type = response.headers.get('Content-Type') ?? 'text/plain'
if (type.indexOf('application/json') !== -1) {
const json = await response.json()
if (!response.ok) {
console.log('响应不成功', `status=${response.status}`, json)
console.log('后端请求失败', url, `status=${response.status}`, json)
return {
success: false,
status: response.status,
@@ -231,7 +133,7 @@ async function handleResponse<R = undefined>(response: Response): Promise<ApiRes
else if (type.indexOf('text/plain') !== -1) {
const text = await response.text()
if (!response.ok) {
console.log('响应不成功', `status=${response.status}`, text)
console.log('后端请求失败', url, `status=${response.status}`, text)
return {
success: false,
status: response.status,
@@ -239,23 +141,37 @@ async function handleResponse<R = undefined>(response: Response): Promise<ApiRes
}
}
console.log('响应成功', `type=text`, `text=${text}`)
console.log('未处理的响应成功', `type=text`, `text=${text}`)
return {
success: true,
data: undefined as R, // 强转类型,考虑优化
}
}
else {
throw new Error(`无法解析响应数据,未处理的 Content-Type: ${type}`)
}
throw new Error(`无法解析响应数据,未处理的 Content-Type: ${type}`)
}
// 预定义错误
async function postCall<R = undefined>(rawResp: Promise<ApiResponse<R>>) {
const header = await headers()
const pathname = header.get('x-pathname') || '/'
const resp = await rawResp
// 重定向到登录页
const match = [
RegExp(`^/admin.*`),
].some(item => item.test(pathname))
if (match && !resp.success && resp.status === 401) {
redirect(pathname === '/' ? '/login' : `/login?redirect=${pathname}`)
}
return resp
}
// 导出
export {
getUserToken,
callPublic,
callByDevice,
callByUser,
callPublic,
}

22
src/actions/user.ts
View File

@@ -1,6 +1,6 @@
'use server'
import {callByUser} from '@/actions/base'
import {callByUser, callPublic} from '@/actions/base'
export async function RechargeByAlipay(props: {
amount: number
@@ -31,3 +31,23 @@ export async function RechargeByWechatConfirm(props: {
}) {
return callByUser('/api/user/recharge/confirm/wechat', props)
}
export async function Identify(props: {
type: number
name: string
iden_no: string
}) {
return await callByUser<{
identified: boolean
target: string
}>('/api/user/identify', props)
}
export async function IdentifyCallback(props: {
id: string
}) {
return await callPublic<{
success: boolean
message: string
}>('/api/user/identify/callback', props)
}

17
src/actions/auth/verify.ts → src/actions/verify.ts
View File

@@ -1,16 +1,13 @@
'use server'
import {ApiResponse} from '@/lib/api'
import {callByDevice} from '@/actions/base'
import {cookies} from 'next/headers'
import crypto from 'crypto'
import {ApiResponse} from '@/lib/api'
import { callByDevice } from '@/actions/base'
export interface VerifyParams {
export async function sendSMS(props: {
phone: string
captcha: string // 添加验证码字段
}
export default async function verify(props: VerifyParams): Promise<ApiResponse> {
captcha: string
}): Promise<ApiResponse> {
try {
// 人机验证
if (!props.captcha?.length) {
@@ -20,7 +17,7 @@ export default async function verify(props: VerifyParams): Promise<ApiResponse>
message: '请输入验证码',
}
}
const valid = await verifyCaptcha(props.captcha)
const valid = await checkCaptcha(props.captcha)
if (!valid) {
return {
success: false,
@@ -41,7 +38,7 @@ export default async function verify(props: VerifyParams): Promise<ApiResponse>
}
}
async function verifyCaptcha(userInput: string): Promise<boolean> {
export async function checkCaptcha(userInput: string): Promise<boolean> {
const cookieStore = await cookies()
const hash = cookieStore.get('captcha_hash')?.value
const salt = cookieStore.get('captcha_salt')?.value