@be-link/shield-for-tcb-node-sdk 1.0.20 → 1.0.22

package/modules/config/ShieldConfigManager.d.ts

@@ -39,6 +39,11 @@ export interface ShieldConfigManagerOptions {
     enableInfoLog?: boolean;
     /** 自定义日志函数，默认 console */
     logger?: Logger;
+    /**
+     * 是否拉取 V1 全局动态配置（设置 process.env.authorizationTokenInside），默认 true（向后兼容 V1 SDK）。
+     * 纯 V2 接入、不需要 authorizationTokenInside 的场景可设为 false 跳过该逻辑。
+     */
+    enableV1DynamicConfig?: boolean;
 }
 export interface Logger {
     info: (message: string, ...args: any[]) => void;

package/modules/config/ShieldConfigManager.js

@@ -71,7 +71,7 @@ var __classPrivateFieldGet = (this && this.__classPrivateFieldGet) || function (
     if (typeof state === "function" ? receiver !== state || !f : !state.has(receiver)) throw new TypeError("Cannot read private member from an object whose class did not declare it");
     return kind === "m" ? f : kind === "a" ? f.call(receiver) : f ? f.value : state.get(receiver);
 };
-var _ShieldConfigManager_instances, _ShieldConfigManager_serviceName, _ShieldConfigManager_env, _ShieldConfigManager_refreshIntervalMs, _ShieldConfigManager_fetchTimeoutMs, _ShieldConfigManager_enableInfoLog, _ShieldConfigManager_logger, _ShieldConfigManager_config, _ShieldConfigManager_refreshTimer, _ShieldConfigManager_isSetup, _ShieldConfigManager_setupPromise, _ShieldConfigManager_doSetup, _ShieldConfigManager_startRefreshTimer;
+var _ShieldConfigManager_instances, _ShieldConfigManager_serviceName, _ShieldConfigManager_env, _ShieldConfigManager_refreshIntervalMs, _ShieldConfigManager_fetchTimeoutMs, _ShieldConfigManager_enableInfoLog, _ShieldConfigManager_enableV1DynamicConfig, _ShieldConfigManager_logger, _ShieldConfigManager_config, _ShieldConfigManager_refreshTimer, _ShieldConfigManager_isSetup, _ShieldConfigManager_setupPromise, _ShieldConfigManager_doSetup, _ShieldConfigManager_startRefreshTimer;
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.ShieldConfigManager = void 0;
 const serviceV2_1 = require("./serviceV2");
@@ -103,6 +103,7 @@ class ShieldConfigManager {
         _ShieldConfigManager_refreshIntervalMs.set(this, void 0);
         _ShieldConfigManager_fetchTimeoutMs.set(this, void 0);
         _ShieldConfigManager_enableInfoLog.set(this, void 0);
+        _ShieldConfigManager_enableV1DynamicConfig.set(this, void 0);
         _ShieldConfigManager_logger.set(this, void 0);
         _ShieldConfigManager_config.set(this, null);
         _ShieldConfigManager_refreshTimer.set(this, null);
@@ -116,6 +117,7 @@ class ShieldConfigManager {
         __classPrivateFieldSet(this, _ShieldConfigManager_refreshIntervalMs, options.refreshIntervalMs || DEFAULT_REFRESH_INTERVAL_MS, "f");
         __classPrivateFieldSet(this, _ShieldConfigManager_fetchTimeoutMs, options.fetchTimeoutMs || DEFAULT_FETCH_TIMEOUT_MS, "f");
         __classPrivateFieldSet(this, _ShieldConfigManager_enableInfoLog, options.enableInfoLog || false, "f");
+        __classPrivateFieldSet(this, _ShieldConfigManager_enableV1DynamicConfig, options.enableV1DynamicConfig !== false, "f");
         const baseLogger = options.logger || defaultLogger;
         __classPrivateFieldSet(this, _ShieldConfigManager_logger, __classPrivateFieldGet(this, _ShieldConfigManager_enableInfoLog, "f") ? baseLogger : { ...baseLogger, info: () => { } }, "f");
     }
@@ -165,15 +167,17 @@ class ShieldConfigManager {
         catch (error) {
             __classPrivateFieldGet(this, _ShieldConfigManager_logger, "f").error(`ShieldConfigManager refresh error: ${error instanceof Error ? error.message : JSON.stringify(error)}`);
         }
-        // 兼容旧的逻辑
-        try {
-            const dynamicConfig = await withTimeout(shieldClient.backendConfigService.fetchGlobalDynamicConfig(), __classPrivateFieldGet(this, _ShieldConfigManager_fetchTimeoutMs, "f"));
-            if (dynamicConfig) {
-                process.env.authorizationTokenInside = dynamicConfig.tokenKey;
+        // 兼容旧的逻辑（V1 全局动态配置），可通过 enableV1DynamicConfig: false 跳过
+        if (__classPrivateFieldGet(this, _ShieldConfigManager_enableV1DynamicConfig, "f")) {
+            try {
+                const dynamicConfig = await withTimeout(shieldClient.backendConfigService.fetchGlobalDynamicConfig(), __classPrivateFieldGet(this, _ShieldConfigManager_fetchTimeoutMs, "f"));
+                if (dynamicConfig) {
+                    process.env.authorizationTokenInside = dynamicConfig.tokenKey;
+                }
+            }
+            catch (error) {
+                __classPrivateFieldGet(this, _ShieldConfigManager_logger, "f").error(`fetch dynamic config error: ${error instanceof Error ? error.message : JSON.stringify(error)}`);
             }
-        }
-        catch (error) {
-            __classPrivateFieldGet(this, _ShieldConfigManager_logger, "f").error(`fetch dynamic config error: ${error instanceof Error ? error.message : JSON.stringify(error)}`);
         }
         __classPrivateFieldGet(this, _ShieldConfigManager_logger, "f").info(`ShieldConfigManager config refreshed finally (config: ${JSON.stringify(__classPrivateFieldGet(this, _ShieldConfigManager_config, "f"))})`);
     }
@@ -281,7 +285,7 @@ class ShieldConfigManager {
     }
 }
 exports.ShieldConfigManager = ShieldConfigManager;
-_ShieldConfigManager_serviceName = new WeakMap(), _ShieldConfigManager_env = new WeakMap(), _ShieldConfigManager_refreshIntervalMs = new WeakMap(), _ShieldConfigManager_fetchTimeoutMs = new WeakMap(), _ShieldConfigManager_enableInfoLog = new WeakMap(), _ShieldConfigManager_logger = new WeakMap(), _ShieldConfigManager_config = new WeakMap(), _ShieldConfigManager_refreshTimer = new WeakMap(), _ShieldConfigManager_isSetup = new WeakMap(), _ShieldConfigManager_setupPromise = new WeakMap(), _ShieldConfigManager_instances = new WeakSet(), _ShieldConfigManager_doSetup = async function _ShieldConfigManager_doSetup() {
+_ShieldConfigManager_serviceName = new WeakMap(), _ShieldConfigManager_env = new WeakMap(), _ShieldConfigManager_refreshIntervalMs = new WeakMap(), _ShieldConfigManager_fetchTimeoutMs = new WeakMap(), _ShieldConfigManager_enableInfoLog = new WeakMap(), _ShieldConfigManager_enableV1DynamicConfig = new WeakMap(), _ShieldConfigManager_logger = new WeakMap(), _ShieldConfigManager_config = new WeakMap(), _ShieldConfigManager_refreshTimer = new WeakMap(), _ShieldConfigManager_isSetup = new WeakMap(), _ShieldConfigManager_setupPromise = new WeakMap(), _ShieldConfigManager_instances = new WeakSet(), _ShieldConfigManager_doSetup = async function _ShieldConfigManager_doSetup() {
     try {
         await this.refresh();
     }

package/modules/config/serviceV2.d.ts

@@ -6,6 +6,7 @@ import BaseService from '../BaseService';
  */
 export declare class ConfigServiceV2 extends BaseService implements ServiceV2.ConfigController {
     protected prefixUrl: string;
+    private callEncryptedConfig;
     /**
      * 获取单个配置
      * @param req 请求参数

package/modules/config/serviceV2.js

@@ -6,6 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.backendConfigServiceV2 = exports.ConfigServiceV2 = void 0;
 const http_1 = require("../../utils/http");
 const cloudFunctionHttp_1 = require("../../utils/cloudFunctionHttp");
+const encryption_1 = require("../../utils/encryption");
 const BaseService_1 = __importDefault(require("../BaseService"));
 /**
  * V2 配置服务
@@ -16,15 +17,32 @@ class ConfigServiceV2 extends BaseService_1.default {
         super(...arguments);
         this.prefixUrl = '/shield/v2/config';
     }
+    async callEncryptedConfig(path, req, fallbackData) {
+        const keyId = (0, encryption_1.getKeyId)();
+        const enhancedReq = keyId ? { ...req, encryption: { version: 1, keyId } } : req;
+        const response = await (0, http_1.callApiFull)(this.getApiUrlV2(path), enhancedReq).catch(() => ({
+            success: false,
+            data: fallbackData,
+            requestId: '',
+            message: '',
+            errorType: '',
+            encryption: undefined,
+        }));
+        if (response.encryption?.version && typeof response.data === 'string') {
+            return (0, encryption_1.decryptPayload)(response.data);
+        }
+        if ((0, encryption_1.isEncryptionAvailable)()) {
+            throw new Error('Encrypted response required but server returned plaintext');
+        }
+        return response.data;
+    }
     /**
      * 获取单个配置
      * @param req 请求参数
      * @returns 配置数据，如果配置不存在返回 null
      */
     fetchConfig(req) {
-        return (0, http_1.callApi)(this.getApiUrlV2('/fetch'), req, {
-            skipErrorHandling: true,
-        }).catch(() => null);
+        return this.callEncryptedConfig('/fetch', req, null);
     }
     /**
      * 批量获取配置
@@ -32,7 +50,7 @@ class ConfigServiceV2 extends BaseService_1.default {
      * @returns 配置数据映射
      */
     fetchConfigs(req) {
-        return (0, http_1.callApi)(this.getApiUrlV2('/fetch-batch'), req).catch(() => ({}));
+        return this.callEncryptedConfig('/fetch-batch', req, {});
     }
     /**
      * 云函数单 Key 配置读取

package/modules/config/typesV2.d.ts

@@ -18,6 +18,10 @@ export declare namespace ServiceV2 {
         }
     }
     namespace Request {
+        interface EncryptionRequest {
+            version: number;
+            keyId: string;
+        }
         /**
          * 获取单个配置请求参数
          */
@@ -25,6 +29,7 @@ export declare namespace ServiceV2 {
             service: string;
             key: string;
             env?: string;
+            encryption?: EncryptionRequest;
         }
         /**
          * 批量获取配置请求参数
@@ -33,6 +38,7 @@ export declare namespace ServiceV2 {
             service: string;
             keys?: string[];
             env?: string;
+            encryption?: EncryptionRequest;
         }
         /**
          * 获取服务列表请求参数

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@be-link/shield-for-tcb-node-sdk",
-  "version": "1.0.20",
+  "version": "1.0.22",
   "description": "ShieldForTCB Node.js SDK",
   "main": "index.js",
   "types": "index.d.ts",

package/utils/encryption.d.ts

@@ -0,0 +1,3 @@
+export declare function isEncryptionAvailable(): boolean;
+export declare function getKeyId(): string | null;
+export declare function decryptPayload(encryptedBase64: string): any;

package/utils/encryption.js

@@ -0,0 +1,40 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isEncryptionAvailable = isEncryptionAvailable;
+exports.getKeyId = getKeyId;
+exports.decryptPayload = decryptPayload;
+const crypto_1 = __importDefault(require("crypto"));
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+function getDecryptionKey() {
+    const keyB64 = process.env.SHIELD_ENCRYPTION_KEY;
+    if (!keyB64)
+        return null;
+    return Buffer.from(keyB64, 'base64');
+}
+function isEncryptionAvailable() {
+    return !!process.env.SHIELD_ENCRYPTION_KEY;
+}
+function getKeyId() {
+    const key = getDecryptionKey();
+    if (!key)
+        return null;
+    return crypto_1.default.createHash('sha256').update(key).digest('hex').slice(0, 8);
+}
+function decryptPayload(encryptedBase64) {
+    const key = getDecryptionKey();
+    if (!key)
+        throw new Error('SHIELD_ENCRYPTION_KEY not configured');
+    const data = Buffer.from(encryptedBase64, 'base64');
+    const iv = data.subarray(0, IV_LENGTH);
+    const authTag = data.subarray(data.length - AUTH_TAG_LENGTH);
+    const ciphertext = data.subarray(IV_LENGTH, data.length - AUTH_TAG_LENGTH);
+    const decipher = crypto_1.default.createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    return JSON.parse(decrypted.toString('utf8'));
+}

package/utils/http.d.ts

@@ -1,10 +1,22 @@
-type CallApiOptions = {
+export type ResponseData = {
+    data: any;
+    success: boolean;
+    requestId: string;
+    message: string;
+    errorType: string;
+    encryption?: {
+        version: number;
+        keyId: string;
+    };
+};
+export type CallApiOptions = {
     skipErrorHandling?: boolean;
 };
 type GetApiOptions = {
     skipErrorHandling?: boolean;
 };
 export declare function callApi<T extends (args: any) => Promise<any>>(url: string, request?: Parameters<T>[0], options?: CallApiOptions): Promise<Awaited<ReturnType<T>>>;
+export declare function callApiFull<TRequest = any>(url: string, request?: TRequest, options?: CallApiOptions): Promise<ResponseData>;
 /**
  * GET 请求 API
  */

package/utils/http.js

@@ -37,6 +37,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.callApi = callApi;
+exports.callApiFull = callApiFull;
 exports.getApi = getApi;
 const axios_1 = __importDefault(require("axios"));
 const uuid_1 = require("uuid");
@@ -100,6 +101,32 @@ async function callApi(url, request, options) {
         throw error;
     }
 }
+async function callApiFull(url, request, options) {
+    const requestId = (0, uuid_1.v4)();
+    try {
+        console.info(`准备发起shield-for-tcb请求[${requestId}]: ${url}, 参数: ${JSON.stringify(request)}`);
+        const response = await axios_1.default.post(url, request || {}, {
+            headers: { 'x-request-id': requestId, 'content-type': 'application/json' },
+        });
+        return response.data;
+    }
+    catch (error) {
+        if (options && options.skipErrorHandling) {
+            throw error;
+        }
+        const axiosError = error;
+        if (axiosError.response) {
+            const response = axiosError.response;
+            const data = response.data;
+            console.error(`shield-for-tcb 异常: ${axiosError.message}, requestId: ${requestId}`);
+            console.info('响应信息', data.message);
+            console.error('异常堆栈', JSON.stringify(error.stack));
+            throw axiosError;
+        }
+        console.error(`shield-for-tcb 未知异常: ${axiosError.message}`, error.stack);
+        throw error;
+    }
+}
 /**
  * GET 请求 API
  */