重构鉴权逻辑，新增中间件刷新令牌，授权接口统一后处理无授权跳转

2025-04-26 14:18:08 +08:00
parent 5c88cd7f32
commit 6db037204c
20 changed files with 303 additions and 318 deletions
--- a/src/actions/base.ts
+++ b/src/actions/base.ts
@@ -1,184 +1,13 @@
 'use server'
-import {API_BASE_URL, CLIENT_ID, CLIENT_SECRET, ApiResponse, UnauthorizedError} from '@/lib/api'
+import {API_BASE_URL, ApiResponse, CLIENT_ID, CLIENT_SECRET} from '@/lib/api'
 import {cookies, headers} from 'next/headers'
-import {redirect} from 'next/navigation'
 import {cache} from 'react'
+import {redirect} from 'next/navigation'

 // ======================
-// region device token
+// public
 // ======================

-async function callByDevice<R = undefined>(
-  endpoint: string,
-  data: unknown,
-): Promise<ApiResponse<R>> {
-  return _callByDevice(endpoint, data ? JSON.stringify(data) : undefined)
-}
-
-// 通用的API调用函数
-const _callByDevice = cache(async <R = undefined>(
-  endpoint: string,
-  data?: string,
-): Promise<ApiResponse<R>> => {
-  try {
-    // 获取设备令牌
-    if (!CLIENT_ID || !CLIENT_SECRET) {
-      throw new Error('缺少CLIENT_ID或CLIENT_SECRET环境变量')
-    }
-    const token = Buffer.from(`${CLIENT_ID}:${CLIENT_SECRET}`).toString('base64url')
-
-    // 构造请求
-    const url = `${API_BASE_URL}${endpoint}`
-    const request = {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        'Authorization': `Basic ${token}`,
-      },
-      body: data,
-    }
-
-    // 发送请求
-    const response = await fetch(`${API_BASE_URL}${endpoint}`, request)
-
-    // 检查响应状态
-    return handleResponse(response)
-  }
-  catch (e) {
-    throw new Error('服务调用失败', {cause: e})
-  }
-})
-
-// endregion
-
-// ======================
-// region user token
-// ======================
-
-async function getUserToken(refresh = false): Promise<string> {
-  // 从 cookie 中获取用户令牌
-  const cookie = await cookies()
-  const userToken = cookie.get('auth_token')?.value
-  const userRefresh = cookie.get('auth_refresh')?.value
-
-  // 检查缓存的令牌是否可用
-  if (!refresh && userToken) {
-    return userToken
-  }
-
-  // 如果没有刷新令牌，抛出异常
-  if (!userRefresh) {
-    throw UnauthorizedError
-  }
-
-  // 请求刷新访问令牌
-  const addr = `${API_BASE_URL}/api/auth/token`
-  const body = {
-    grant_type: 'refresh_token',
-    client_id: CLIENT_ID,
-    client_secret: CLIENT_SECRET,
-    refresh_token: userRefresh,
-  }
-
-  const response = await fetch(addr, {
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-    },
-    body: JSON.stringify(body),
-  })
-
-  if (!response.ok) {
-    console.log('刷新令牌失败', `status=${response.status}`, await response.text())
-    throw UnauthorizedError
-  }
-
-  // 保存新的用户令牌到 cookie
-  const data = await response.json()
-  const nextAccessToken = data.access_token
-  const nextRefreshToken = data.refresh_token
-  const expiresIn = data.expires_in
-
-  cookie.set('auth_token', nextAccessToken, {
-    httpOnly: true,
-    sameSite: 'strict',
-    maxAge: Math.max(expiresIn, 0),
-  })
-  cookie.set('auth_refresh', nextRefreshToken, {
-    httpOnly: true,
-    sameSite: 'strict',
-    maxAge: 7 * 24 * 3600, // 7天
-  })
-
-  return nextAccessToken
-}
-
-// 使用用户令牌的API调用函数
-async function callByUser<R = undefined>(
-  endpoint: string,
-  data?: unknown,
-): Promise<ApiResponse<R>> {
-  return _callByUser(endpoint, data ? JSON.stringify(data) : undefined)
-}
-
-const _callByUser = cache(async <R = undefined>(
-  endpoint: string,
-  data?: string,
-): Promise<ApiResponse<R>> => {
-  const header = await headers()
-  try {
-    let token = await getUserToken()
-
-    // 构造请求
-    const request = {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-        'Authorization': `Bearer ${token}`,
-      } as Record<string, string>,
-      body: data,
-    }
-
-    const userIp = header.get('x-forwarded-for')
-    if (userIp) {
-      request.headers['X-Forwarded-For'] = userIp
-    }
-
-    // 发送请求
-    let response = await fetch(`${API_BASE_URL}${endpoint}`, request)
-    if (response.status === 401) {
-      token = await getUserToken(true)
-      request.headers['Authorization'] = `Bearer ${token}`
-      response = await fetch(`${API_BASE_URL}${endpoint}`, request)
-    }
-
-    if (response.status === 401) {
-      throw UnauthorizedError
-    }
-
-    return handleResponse(response)
-  }
-  catch (e) {
-    if (e === UnauthorizedError) {
-      const referer = header.get('referer')
-      let redirectUrl = '/login'
-      if (referer) {
-        const url = new URL(referer)
-        redirectUrl = `/login?redirect=${encodeURIComponent(url.pathname)}`
-      }
-      return redirect(redirectUrl)
-    }
-    throw new Error('服务调用失败', {cause: e})
-  }
-})
-
-// endregion
-
-// ======================
-// region no token
-// ======================
-
-// 不需要令牌的公共API调用函数
 async function callPublic<R = undefined>(
  endpoint: string,
  data?: unknown,
@@ -190,33 +19,106 @@ const _callPublic = cache(async <R = undefined>(
  endpoint: string,
  data?: string,
 ): Promise<ApiResponse<R>> => {
-  try {
-    const url = `${API_BASE_URL}${endpoint}`
-    const request: RequestInit = {
+  return call(`${API_BASE_URL}${endpoint}`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
      },
      body: data,
-    }
-
-    const response = await fetch(url, request)
-    return handleResponse(response)
-  }
-  catch (e) {
-    throw new Error('服务调用失败', {cause: e})
-  }
+    },
+  )
 })

-// endregion
+// ======================
+// device
+// ======================

-// 统一响应解析
-async function handleResponse<R = undefined>(response: Response): Promise<ApiResponse<R>> {
+async function callByDevice<R = undefined>(
+  endpoint: string,
+  data: unknown,
+): Promise<ApiResponse<R>> {
+  return _callByDevice(endpoint, data ? JSON.stringify(data) : undefined)
+}
+
+const _callByDevice = cache(async <R = undefined>(
+  endpoint: string,
+  data?: string,
+): Promise<ApiResponse<R>> => {
+
+  // 获取设备令牌
+  if (!CLIENT_ID || !CLIENT_SECRET) {
+    return {
+      success: false,
+      status: 401,
+      message: '未配置 CLIENT_ID 或 CLIENT_SECRET',
+    }
+  }
+  const token = Buffer.from(`${CLIENT_ID}:${CLIENT_SECRET}`).toString('base64url')
+
+  // 发起请求
+  return call(`${API_BASE_URL}${endpoint}`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Authorization': `Basic ${token}`,
+    },
+    body: data,
+  })
+})
+
+// ======================
+// user
+// ======================
+
+async function callByUser<R = undefined>(
+  endpoint: string,
+  data?: unknown,
+): Promise<ApiResponse<R>> {
+  return postCall(_callByUser(endpoint, data ? JSON.stringify(data) : undefined))
+}
+
+const _callByUser = cache(async <R = undefined>(
+  endpoint: string,
+  data?: string,
+): Promise<ApiResponse<R>> => {
+  const header = await headers()
+
+  // 获取用户令牌
+  const cookie = await cookies()
+  const token = cookie.get('auth_token')?.value
+  if (!token) {
+    return {
+      success: false,
+      status: 401,
+      message: '会话已失效',
+    }
+  }
+
+  // 发起请求
+  return await call<R>(`${API_BASE_URL}${endpoint}`, {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Authorization': `Bearer ${token}`,
+      'X-Forwarded-For': header.get('x-forwarded-for') || '[web]unknown',
+      'User-Agent': header.get('user-agent') || '[web]unknown',
+    } as Record<string, string>,
+    body: data,
+  })
+})
+
+
+// ======================
+// call
+// ======================
+
+async function call<R = undefined>(url: string, request: RequestInit): Promise<ApiResponse<R>> {
+  const response = await fetch(url, request)
  const type = response.headers.get('Content-Type') ?? 'text/plain'
  if (type.indexOf('application/json') !== -1) {
    const json = await response.json()
    if (!response.ok) {
-      console.log('响应不成功', `status=${response.status}`, json)
+      console.log('后端请求失败', url, `status=${response.status}`, json)
      return {
        success: false,
        status: response.status,
@@ -231,7 +133,7 @@ async function handleResponse<R = undefined>(response: Response): Promise<ApiRes
  else if (type.indexOf('text/plain') !== -1) {
    const text = await response.text()
    if (!response.ok) {
-      console.log('响应不成功', `status=${response.status}`, text)
+      console.log('后端请求失败', url, `status=${response.status}`, text)
      return {
        success: false,
        status: response.status,
@@ -239,23 +141,37 @@ async function handleResponse<R = undefined>(response: Response): Promise<ApiRes
      }
    }

-    console.log('响应成功', `type=text`, `text=${text}`)
+    console.log('未处理的响应成功', `type=text`, `text=${text}`)
    return {
      success: true,
      data: undefined as R, // 强转类型，考虑优化
    }
  }
-  else {
-    throw new Error(`无法解析响应数据，未处理的 Content-Type: ${type}`)
-  }
+
+  throw new Error(`无法解析响应数据，未处理的 Content-Type: ${type}`)
 }

-// 预定义错误
+
+async function postCall<R = undefined>(rawResp: Promise<ApiResponse<R>>) {
+  const header = await headers()
+  const pathname = header.get('x-pathname') || '/'
+  const resp = await rawResp
+
+  // 重定向到登录页
+  const match = [
+    RegExp(`^/admin.*`),
+  ].some(item => item.test(pathname))
+
+  if (match && !resp.success && resp.status === 401) {
+    redirect(pathname === '/' ? '/login' : `/login?redirect=${pathname}`)
+  }
+
+  return resp
+}

 // 导出
 export {
-  getUserToken,
+  callPublic,
  callByDevice,
  callByUser,
-  callPublic,
 }