@dangao/bun-server 1.0.0 → 1.0.3

package/src/security/filter.ts

@@ -0,0 +1,162 @@
+import type { Context } from '../core/context';
+import type { Middleware } from '../middleware';
+import { SecurityContextHolder } from './context';
+import { AuthenticationManager } from './authentication-manager';
+import { RoleBasedAccessDecisionManager } from './access-decision-manager';
+import type { SecurityConfig, AuthenticationRequest } from './types';
+import {
+  UnauthorizedException,
+  ForbiddenException,
+} from '../error/http-exception';
+import { ErrorCode } from '../error/error-codes';
+import { requiresAuth, getAuthMetadata } from '../auth/decorators';
+
+/**
+ * 安全过滤器配置
+ */
+export interface SecurityFilterConfig extends SecurityConfig {
+  /**
+   * 认证管理器
+   */
+  authenticationManager: AuthenticationManager;
+  /**
+   * 访问决策器
+   */
+  accessDecisionManager?: RoleBasedAccessDecisionManager;
+  /**
+   * 令牌提取函数
+   */
+  extractToken?: (ctx: Context) => string | null;
+}
+
+/**
+ * 创建安全过滤器
+ */
+export function createSecurityFilter(config: SecurityFilterConfig): Middleware {
+  const {
+    authenticationManager,
+    accessDecisionManager = new RoleBasedAccessDecisionManager(),
+    excludePaths = [],
+    defaultAuthRequired = true,
+    extractToken,
+  } = config;
+
+  return async (ctx: Context, next) => {
+    return SecurityContextHolder.runWithContext(async () => {
+      // 检查是否在排除列表中
+      // 使用 ctx.path 而不是 ctx.request.url，因为 Context 已经解析了路径
+      const path =
+        ctx.path || ctx.request.url.split('?')[0].replace(/^https?:\/\/[^/]+/, '');
+      if (excludePaths.some((exclude) => path.startsWith(exclude))) {
+        return await next();
+      }
+
+      // 获取安全上下文（绑定到当前 AsyncLocalStorage 上下文）
+      const securityContext = SecurityContextHolder.getContext();
+
+      try {
+        // 提取令牌
+        const token = extractToken
+          ? extractToken(ctx)
+          : extractTokenFromHeader(ctx);
+
+        // 如果有令牌，尝试认证
+        if (token) {
+          const request: AuthenticationRequest = {
+            principal: '',
+            credentials: token,
+            type: 'jwt',
+          };
+
+          const authentication = await authenticationManager.authenticate(request);
+          if (authentication) {
+            securityContext.setAuthentication(authentication);
+          }
+        }
+
+        // 检查是否需要认证
+        const handler = (ctx as any).routeHandler;
+        if (handler) {
+          const controllerClass = handler.controller;
+          const controllerTarget =
+            (controllerClass && controllerClass.prototype) || controllerClass;
+          const method = handler.method;
+
+          if (requiresAuth(controllerTarget, method)) {
+            const authentication = securityContext.authentication;
+            if (!authentication || !authentication.authenticated) {
+              throw new UnauthorizedException(
+                'Authentication required',
+                undefined,
+                ErrorCode.AUTH_REQUIRED,
+              );
+            }
+
+            // 检查角色权限
+            const requiredRoles = getRequiredRoles(controllerTarget, method);
+            if (requiredRoles.length > 0) {
+              const hasAccess = accessDecisionManager.decide(
+                authentication,
+                requiredRoles,
+              );
+              if (!hasAccess) {
+                // 调试信息：输出权限检查详情
+                const userRoles = authentication.authorities || [];
+                throw new ForbiddenException(
+                  `Insufficient permissions. Required roles: ${requiredRoles.join(', ')}, User roles: ${userRoles.join(', ')}`,
+                  { requiredRoles, userRoles },
+                  ErrorCode.AUTH_INSUFFICIENT_PERMISSIONS,
+                );
+              }
+            }
+          }
+        } else if (defaultAuthRequired && !securityContext.isAuthenticated()) {
+          throw new UnauthorizedException(
+            'Authentication required',
+            undefined,
+            ErrorCode.AUTH_REQUIRED,
+          );
+        }
+
+        // 将安全上下文附加到 Context
+        (ctx as any).security = securityContext;
+        (ctx as any).auth = {
+          isAuthenticated: securityContext.isAuthenticated(),
+          user: securityContext.getPrincipal(),
+          payload: (securityContext.authentication?.details as any),
+        };
+
+        return await next();
+      } finally {
+        // 清理当前请求内的认证信息，防止泄漏到下一个请求
+        SecurityContextHolder.clearContext();
+      }
+    });
+  };
+}
+
+/**
+ * 从请求头提取令牌
+ */
+function extractTokenFromHeader(ctx: Context): string | null {
+  const authHeader = ctx.getHeader('authorization');
+  if (!authHeader) {
+    return null;
+  }
+
+  const parts = authHeader.split(' ');
+  if (parts.length !== 2 || parts[0].toLowerCase() !== 'bearer') {
+    return null;
+  }
+
+  return parts[1];
+}
+
+/**
+ * 获取需要的角色
+ */
+function getRequiredRoles(target: any, propertyKey: string | symbol): string[] {
+  const metadata = getAuthMetadata(target, propertyKey);
+  return metadata?.roles || [];
+}
+

package/src/security/index.ts

@@ -0,0 +1,8 @@
+export * from './types';
+export * from './context';
+export * from './authentication-manager';
+export * from './access-decision-manager';
+export * from './filter';
+export * from './providers';
+export * from './security-module';
+

package/src/security/providers/index.ts

@@ -0,0 +1,3 @@
+export * from './jwt-provider';
+export * from './oauth2-provider';
+

package/src/security/providers/jwt-provider.ts

@@ -0,0 +1,60 @@
+import type {
+  Authentication,
+  AuthenticationProvider,
+  AuthenticationRequest,
+  Principal,
+} from '../types';
+import { JWTUtil } from '../../auth/jwt';
+
+/**
+ * JWT 认证提供者
+ */
+export class JwtAuthenticationProvider implements AuthenticationProvider {
+  public readonly supportedTypes = ['jwt', 'bearer'];
+
+  public constructor(private readonly jwtUtil: JWTUtil) {}
+
+  /**
+   * 是否支持该认证类型
+   */
+  public supports(type: string): boolean {
+    return this.supportedTypes.includes(type.toLowerCase());
+  }
+
+  /**
+   * 认证
+   */
+  public async authenticate(
+    request: AuthenticationRequest,
+  ): Promise<Authentication | null> {
+    const token = request.credentials as string;
+    if (!token) {
+      return null;
+    }
+
+    // 验证 JWT 令牌
+    const payload = this.jwtUtil.verify(token);
+    if (!payload) {
+      return null;
+    }
+
+    // 构建主体
+    const principal: Principal = {
+      id: payload.sub,
+      username: (payload.username as string) || payload.sub,
+      roles: (payload.roles as string[]) || [],
+    };
+
+    // 构建权限列表（从角色转换）
+    const authorities = principal.roles || [];
+
+    return {
+      authenticated: true,
+      principal,
+      credentials: { type: 'jwt', data: token },
+      authorities,
+      details: payload,
+    };
+  }
+}
+

package/src/security/providers/oauth2-provider.ts

@@ -0,0 +1,70 @@
+import type {
+  Authentication,
+  AuthenticationProvider,
+  AuthenticationRequest,
+  Principal,
+} from '../types';
+import { OAuth2Service } from '../../auth/oauth2';
+import { JWTUtil } from '../../auth/jwt';
+import type { OAuth2TokenRequest } from '../../auth/types';
+
+/**
+ * OAuth2 认证提供者
+ */
+export class OAuth2AuthenticationProvider implements AuthenticationProvider {
+  public readonly supportedTypes = ['oauth2', 'authorization_code'];
+
+  public constructor(
+    private readonly oauth2Service: OAuth2Service,
+    private readonly jwtUtil: JWTUtil,
+  ) {}
+
+  /**
+   * 是否支持该认证类型
+   */
+  public supports(type: string): boolean {
+    return this.supportedTypes.includes(type.toLowerCase());
+  }
+
+  /**
+   * 认证（通过授权码交换令牌）
+   */
+  public async authenticate(
+    request: AuthenticationRequest,
+  ): Promise<Authentication | null> {
+    const credentials = request.credentials as OAuth2TokenRequest;
+    if (!credentials || credentials.grantType !== 'authorization_code') {
+      return null;
+    }
+
+    // 交换授权码获取令牌
+    const tokenResponse = await this.oauth2Service.exchangeCodeForToken(credentials);
+    if (!tokenResponse) {
+      return null;
+    }
+
+    // 从访问令牌中解析用户信息
+    const payload = this.jwtUtil.verify(tokenResponse.accessToken);
+    if (!payload || !payload.sub) {
+      return null;
+    }
+
+    const principal: Principal = {
+      id: payload.sub,
+      username: (payload.username as string) || payload.sub,
+      roles: (payload.roles as string[]) || [],
+    };
+
+    return {
+      authenticated: true,
+      principal,
+      credentials: {
+        type: 'oauth2',
+        data: tokenResponse,
+      },
+      authorities: principal.roles || [],
+      details: tokenResponse,
+    };
+  }
+}
+

package/src/security/security-module.ts

@@ -0,0 +1,145 @@
+import { Module, MODULE_METADATA_KEY } from '../di/module';
+import { AuthenticationManager } from './authentication-manager';
+import { JwtAuthenticationProvider } from './providers/jwt-provider';
+import { OAuth2AuthenticationProvider } from './providers/oauth2-provider';
+import { createSecurityFilter } from './filter';
+import { JWTUtil } from '../auth/jwt';
+import { OAuth2Service } from '../auth/oauth2';
+import { OAuth2Controller, OAUTH2_SERVICE_TOKEN, JWT_UTIL_TOKEN } from '../auth/controller';
+import type { JWTConfig, OAuth2Client, UserInfo } from '../auth/types';
+
+/**
+ * 安全模块配置
+ */
+export interface SecurityModuleConfig {
+  /**
+   * JWT 配置
+   */
+  jwt: JWTConfig;
+  /**
+   * OAuth2 客户端列表
+   */
+  oauth2Clients?: OAuth2Client[];
+  /**
+   * 用户提供者（可选）
+   */
+  userProvider?: {
+    findById(userId: string): Promise<UserInfo | null>;
+  };
+  /**
+   * 是否启用 OAuth2 端点
+   * @default true
+   */
+  enableOAuth2Endpoints?: boolean;
+  /**
+   * OAuth2 端点前缀
+   * @default '/oauth2'
+   */
+  oauth2Prefix?: string;
+  /**
+   * 排除的路径列表（不需要认证）
+   */
+  excludePaths?: string[];
+  /**
+   * 默认认证要求
+   * @default false
+   */
+  defaultAuthRequired?: boolean;
+}
+
+/**
+ * 安全模块
+ */
+@Module({
+  controllers: [],
+  providers: [],
+  middlewares: [],
+})
+export class SecurityModule {
+  /**
+   * 创建安全模块
+   * @param config - 模块配置
+   */
+  public static forRoot(config: SecurityModuleConfig): typeof SecurityModule {
+    // 创建 JWT 工具
+    const jwtUtil = new JWTUtil(config.jwt);
+
+    // 创建 OAuth2 服务
+    const userProvider = config.userProvider
+      ? async (userId: string) => config.userProvider!.findById(userId)
+      : undefined;
+    const oauth2Service = new OAuth2Service(
+      jwtUtil,
+      config.oauth2Clients || [],
+      {},
+      userProvider,
+    );
+
+    // 创建认证管理器
+    const authenticationManager = new AuthenticationManager();
+    authenticationManager.registerProvider(new JwtAuthenticationProvider(jwtUtil));
+    authenticationManager.registerProvider(
+      new OAuth2AuthenticationProvider(oauth2Service, jwtUtil),
+    );
+
+    // 创建安全过滤器
+    const securityFilter = createSecurityFilter({
+      authenticationManager,
+      excludePaths: [
+        ...(config.excludePaths || []),
+        ...(config.enableOAuth2Endpoints !== false
+          ? [config.oauth2Prefix || '/oauth2']
+          : []),
+      ],
+      defaultAuthRequired: config.defaultAuthRequired ?? false,
+    });
+
+    const controllers: any[] = [];
+    const providers: any[] = [];
+    const middlewares: any[] = [];
+
+    // 如果启用 OAuth2 端点，添加控制器
+    if (config.enableOAuth2Endpoints !== false) {
+      controllers.push(OAuth2Controller);
+    }
+
+    // 注册服务提供者
+    providers.push(
+      {
+        provide: JWT_UTIL_TOKEN,
+        useValue: jwtUtil,
+      },
+      {
+        provide: OAUTH2_SERVICE_TOKEN,
+        useValue: oauth2Service,
+      },
+      {
+        provide: AuthenticationManager,
+        useValue: authenticationManager,
+      },
+    );
+
+    // 添加安全过滤器中间件
+    middlewares.push(securityFilter);
+
+    // 动态更新模块元数据
+    const existingMetadata = Reflect.getMetadata(MODULE_METADATA_KEY, SecurityModule) || {};
+    const metadata = {
+      ...existingMetadata,
+      controllers: [...(existingMetadata.controllers || []), ...controllers],
+      providers: [...(existingMetadata.providers || []), ...providers],
+      middlewares: [...(existingMetadata.middlewares || []), ...middlewares],
+      // 导出服务，让其他模块可以使用
+      exports: [
+        ...(existingMetadata.exports || []),
+        JWT_UTIL_TOKEN,
+        OAUTH2_SERVICE_TOKEN,
+        AuthenticationManager,
+      ],
+    };
+    Reflect.defineMetadata(MODULE_METADATA_KEY, metadata, SecurityModule);
+
+    return SecurityModule;
+  }
+}
+

package/src/security/types.ts

@@ -0,0 +1,165 @@
+/**
+ * Security 核心类型定义
+ */
+
+/**
+ * 认证主体（Principal）
+ */
+export interface Principal {
+  /**
+   * 用户 ID
+   */
+  id: string;
+  /**
+   * 用户名
+   */
+  username?: string;
+  /**
+   * 角色列表
+   */
+  roles?: string[];
+  /**
+   * 其他属性
+   */
+  [key: string]: unknown;
+}
+
+/**
+ * 认证凭据（Credentials）
+ */
+export interface Credentials {
+  /**
+   * 凭据类型
+   */
+  type: string;
+  /**
+   * 凭据数据
+   */
+  data: unknown;
+}
+
+/**
+ * 认证信息
+ */
+export interface Authentication {
+  /**
+   * 是否已认证
+   */
+  authenticated: boolean;
+  /**
+   * 主体
+   */
+  principal: Principal | null;
+  /**
+   * 凭据
+   */
+  credentials: Credentials | null;
+  /**
+   * 权限列表
+   */
+  authorities: string[];
+  /**
+   * 详细信息
+   */
+  details?: unknown;
+}
+
+/**
+ * 认证请求
+ */
+export interface AuthenticationRequest {
+  /**
+   * 主体标识（如用户名）
+   */
+  principal: string;
+  /**
+   * 凭据（如密码）
+   */
+  credentials: unknown;
+  /**
+   * 认证类型
+   */
+  type?: string;
+}
+
+/**
+ * 认证提供者接口
+ */
+export interface AuthenticationProvider {
+  /**
+   * 支持的认证类型
+   */
+  readonly supportedTypes: string[];
+
+  /**
+   * 认证
+   * @param request - 认证请求
+   * @returns 认证信息
+   */
+  authenticate(request: AuthenticationRequest): Promise<Authentication | null>;
+
+  /**
+   * 是否支持该认证类型
+   * @param type - 认证类型
+   */
+  supports(type: string): boolean;
+}
+
+/**
+ * 授权决策器接口
+ */
+export interface AccessDecisionManager {
+  /**
+   * 决定是否授权
+   * @param authentication - 认证信息
+   * @param requiredAuthorities - 需要的权限
+   * @returns 是否授权
+   */
+  decide(
+    authentication: Authentication,
+    requiredAuthorities: string[],
+  ): boolean;
+}
+
+/**
+ * 安全配置
+ */
+export interface SecurityConfig {
+  /**
+   * 是否启用安全
+   * @default true
+   */
+  enabled?: boolean;
+  /**
+   * 排除的路径列表
+   */
+  excludePaths?: string[];
+  /**
+   * 默认认证要求
+   * @default true
+   */
+  defaultAuthRequired?: boolean;
+}
+
+/**
+ * 安全上下文
+ */
+export interface SecurityContext {
+  /**
+   * 当前认证信息
+   */
+  authentication: Authentication | null;
+  /**
+   * 是否已认证
+   */
+  isAuthenticated(): boolean;
+  /**
+   * 获取主体
+   */
+  getPrincipal(): Principal | null;
+  /**
+   * 获取权限
+   */
+  getAuthorities(): string[];
+}
+

package/src/session/decorators.ts

@@ -0,0 +1,45 @@
+import 'reflect-metadata';
+import type { Context } from '../core/context';
+import { SessionService } from './service';
+import { SESSION_SERVICE_TOKEN } from './types';
+import { Container } from '../di/container';
+import { ParamType, createParamDecorator } from '../controller/decorators';
+
+/**
+ * Session 参数装饰器
+ * 用于在控制器方法中注入 Session 对象
+ */
+export function Session() {
+  return createParamDecorator(ParamType.SESSION);
+}
+
+/**
+ * 获取 Session 对象（用于参数绑定）
+ * @param context - 请求上下文
+ * @param container - DI 容器
+ * @returns Session 对象，如果不存在则返回 undefined
+ */
+export async function getSessionFromContext(
+  context: Context,
+  container: Container,
+): Promise<unknown | undefined> {
+  // 从 Context 中获取 Session（由中间件设置）
+  const session = (context as unknown as { session?: unknown }).session;
+  if (session) {
+    return session;
+  }
+
+  // 如果没有 Session，尝试创建新 Session
+  const sessionService = container.resolve<SessionService>(
+    SESSION_SERVICE_TOKEN,
+  );
+  if (sessionService) {
+    const newSession = await sessionService.create();
+    (context as unknown as { session: typeof newSession }).session =
+      newSession;
+    (context as unknown as { sessionId: string }).sessionId = newSession.id;
+    return newSession;
+  }
+
+  return undefined;
+}

package/src/session/index.ts

@@ -0,0 +1,19 @@
+export { SessionModule } from './session-module';
+export { SessionService } from './service';
+export { createSessionMiddleware } from './middleware';
+export { Session as SessionDecorator, getSessionFromContext } from './decorators';
+export {
+  MemorySessionStore,
+  RedisSessionStore,
+  SESSION_SERVICE_TOKEN,
+  SESSION_OPTIONS_TOKEN,
+} from './types';
+export type {
+  SessionStore,
+} from './types';
+export type {
+  SessionModuleOptions,
+  Session,
+  SessionData,
+  RedisSessionStoreOptions,
+} from './types';