@dofe/infra-common 0.1.1

package/dist/guards/api-key.guard.js

@@ -0,0 +1,159 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ApiKeyGuard = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const nest_winston_1 = require("nest-winston");
+const winston_1 = require("winston");
+const api_key_decorator_1 = require("@/common/decorators/api-key/api-key.decorator");
+const API_KEY_HEADER = 'x-api-key';
+const SERVICE_NAME_HEADER = 'x-service-name';
+/**
+ * API Key 守卫
+ * 允许使用有效的 API Key 跳过部分验证（如用户认证、租户验证等）
+ *
+ * 安全特性：
+ * 1. API Key 必须预定义在环境变量中
+ * 2. 记录所有 API Key 调用日志
+ * 3. 支持可选的租户强制验证
+ */
+let ApiKeyGuard = class ApiKeyGuard {
+    reflector;
+    logger;
+    validApiKeys;
+    enabled;
+    constructor(reflector, logger) {
+        this.reflector = reflector;
+        this.logger = logger;
+        // 从环境变量加载 API Key（支持多个，逗号分隔）
+        const apiKeyString = process.env.INTERNAL_API_KEYS || process.env.INTERNAL_API_KEY || '';
+        this.validApiKeys = new Set(apiKeyString
+            .split(',')
+            .map((k) => k.trim())
+            .filter(Boolean));
+        this.enabled = this.validApiKeys.size > 0;
+        this.logger.info('ApiKeyGuard initialized', {
+            keyCount: this.validApiKeys.size,
+        });
+    }
+    async canActivate(context) {
+        // 如果没有配置 API Key，跳过此守卫
+        if (!this.enabled) {
+            return true;
+        }
+        const request = context.switchToHttp().getRequest();
+        // 检查当前处理方法是否允许 API Key 访问
+        const allowApiKey = this.reflector.getAllAndOverride(api_key_decorator_1.ALLOW_API_KEY_KEY, [context.getHandler(), context.getClass()]);
+        if (!allowApiKey) {
+            return true; // 不允许 API Key，继续其他验证
+        }
+        const apiKey = this.extractApiKey(request);
+        if (!apiKey) {
+            return true; // 无 API Key，继续正常验证流程
+        }
+        // 验证 API Key
+        if (!this.validateApiKey(apiKey, request)) {
+            return false;
+        }
+        // 设置内部服务标识
+        this.setInternalServiceContext(request, apiKey);
+        this.logger.info('API key authenticated successfully', {
+            service: request.headers[SERVICE_NAME_HEADER] || 'unknown',
+            ip: request.ip,
+            tenantId: request.headers['x-current-tenant'] || 'none',
+        });
+        return true;
+    }
+    /**
+     * 从请求中提取 API Key
+     * 支持从 header 或 query 参数获取
+     */
+    extractApiKey(request) {
+        // 优先从 header 获取
+        const headerApiKey = request.headers[API_KEY_HEADER];
+        if (headerApiKey) {
+            return headerApiKey;
+        }
+        // 从 query 参数获取（不推荐，仅用于某些特殊场景）
+        const queryApiKey = request.query?.api_key;
+        if (queryApiKey) {
+            return queryApiKey;
+        }
+        return undefined;
+    }
+    /**
+     * 验证 API Key
+     */
+    validateApiKey(apiKey, request) {
+        // 检查 API Key 是否有效
+        if (!this.validApiKeys.has(apiKey)) {
+            this.logger.error('Invalid API key used', {
+                apiKey: this.maskApiKey(apiKey),
+                ip: request.ip,
+                userAgent: request.headers['user-agent'],
+                service: request.headers[SERVICE_NAME_HEADER],
+                path: request.url,
+            });
+            return false;
+        }
+        return true;
+    }
+    /**
+     * 设置内部服务上下文
+     */
+    setInternalServiceContext(request, apiKey) {
+        // 标记为内部服务
+        request.isInternalService = true;
+        // 设置服务名称
+        const serviceName = request.headers[SERVICE_NAME_HEADER];
+        request.internalServiceName = serviceName || 'unknown';
+        // 设置 API Key 标识（用于审计）
+        request.apiKeyId = this.getKeyId(apiKey);
+        // 跳过租户验证（但仍需解析租户用于数据隔离）
+        request.skipTenantCheck = true;
+        // 强制要求租户 Header（防止跨租户访问）
+        const headerTenantId = request.headers['x-current-tenant'];
+        if (process.env.INTERNAL_API_REQUIRE_TENANT === 'true' && !headerTenantId) {
+            this.logger.warn('API key used without required tenant header', {
+                service: serviceName,
+                path: request.url,
+            });
+            throw new Error('Tenant header (x-current-tenant) is required');
+        }
+    }
+    /**
+     * 遮蔽 API Key 用于日志记录
+     */
+    maskApiKey(apiKey) {
+        if (apiKey.length <= 8) {
+            return '****';
+        }
+        return `${apiKey.substring(0, 4)}...${apiKey.substring(apiKey.length - 4)}`;
+    }
+    /**
+     * 获取 API Key 标识符（用于区分不同的 Key）
+     */
+    getKeyId(apiKey) {
+        return this.maskApiKey(apiKey);
+    }
+};
+exports.ApiKeyGuard = ApiKeyGuard;
+exports.ApiKeyGuard = ApiKeyGuard = __decorate([
+    (0, common_1.Injectable)(),
+    __param(1, (0, common_1.Inject)(nest_winston_1.WINSTON_MODULE_PROVIDER)),
+    __metadata("design:paramtypes", [core_1.Reflector,
+        winston_1.Logger])
+], ApiKeyGuard);
+//# sourceMappingURL=api-key.guard.js.map

package/dist/guards/api-key.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-key.guard.js","sourceRoot":"","sources":["../../src/guards/api-key.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,2CAKwB;AACxB,uCAAyC;AACzC,+CAAuD;AACvD,qCAAiC;AAEjC,qFAAkF;AAElF,MAAM,cAAc,GAAG,WAAoB,CAAC;AAC5C,MAAM,mBAAmB,GAAG,gBAAyB,CAAC;AAEtD;;;;;;;;GAQG;AAEI,IAAM,WAAW,GAAjB,MAAM,WAAW;IAKH;IACiC;IALnC,YAAY,CAAc;IAC1B,OAAO,CAAU;IAElC,YACmB,SAAoB,EACa,MAAc;QAD/C,cAAS,GAAT,SAAS,CAAW;QACa,WAAM,GAAN,MAAM,CAAQ;QAEhE,6BAA6B;QAC7B,MAAM,YAAY,GAChB,OAAO,CAAC,GAAG,CAAC,iBAAiB,IAAI,OAAO,CAAC,GAAG,CAAC,gBAAgB,IAAI,EAAE,CAAC;QACtE,IAAI,CAAC,YAAY,GAAG,IAAI,GAAG,CACzB,YAAY;aACT,KAAK,CAAC,GAAG,CAAC;aACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;aACpB,MAAM,CAAC,OAAO,CAAC,CACnB,CAAC;QAEF,IAAI,CAAC,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,IAAI,GAAG,CAAC,CAAC;QAE1C,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE;YAC1C,QAAQ,EAAE,IAAI,CAAC,YAAY,CAAC,IAAI;SACjC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,OAAyB;QACzC,uBAAuB;QACvB,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAkB,CAAC;QAEpE,0BAA0B;QAC1B,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAClD,qCAAiB,EACjB,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAC3C,CAAC;QAEF,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,IAAI,CAAC,CAAC,qBAAqB;QACpC,CAAC;QAED,MAAM,MAAM,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QAE3C,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,OAAO,IAAI,CAAC,CAAC,qBAAqB;QACpC,CAAC;QAED,aAAa;QACb,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;YAC1C,OAAO,KAAK,CAAC;QACf,CAAC;QAED,WAAW;QACX,IAAI,CAAC,yBAAyB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAEhD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,oCAAoC,EAAE;YACrD,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,mBAAmB,CAAC,IAAI,SAAS;YAC1D,EAAE,EAAE,OAAO,CAAC,EAAE;YACd,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,kBAAkB,CAAC,IAAI,MAAM;SACxD,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;OAGG;IACK,aAAa,CAAC,OAAuB;QAC3C,gBAAgB;QAChB,MAAM,YAAY,GAAG,OAAO,CAAC,OAAO,CAAC,cAAc,CAAW,CAAC;QAC/D,IAAI,YAAY,EAAE,CAAC;YACjB,OAAO,YAAY,CAAC;QACtB,CAAC;QAED,8BAA8B;QAC9B,MAAM,WAAW,GAAI,OAAO,CAAC,KAAa,EAAE,OAAiB,CAAC;QAC9D,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO,WAAW,CAAC;QACrB,CAAC;QAED,OAAO,SAAS,CAAC;IACnB,CAAC;IAED;;OAEG;IACK,cAAc,CAAC,MAAc,EAAE,OAAuB;QAC5D,kBAAkB;QAClB,IAAI,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;YACnC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,sBAAsB,EAAE;gBACxC,MAAM,EAAE,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC;gBAC/B,EAAE,EAAE,OAAO,CAAC,EAAE;gBACd,SAAS,EAAE,OAAO,CAAC,OAAO,CAAC,YAAY,CAAC;gBACxC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,mBAAmB,CAAC;gBAC7C,IAAI,EAAE,OAAO,CAAC,GAAG;aAClB,CAAC,CAAC;YACH,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACK,yBAAyB,CAC/B,OAAuB,EACvB,MAAc;QAEd,UAAU;QACT,OAAe,CAAC,iBAAiB,GAAG,IAAI,CAAC;QAE1C,SAAS;QACT,MAAM,WAAW,GAAG,OAAO,CAAC,OAAO,CAAC,mBAAmB,CAAW,CAAC;QAClE,OAAe,CAAC,mBAAmB,GAAG,WAAW,IAAI,SAAS,CAAC;QAEhE,sBAAsB;QACrB,OAAe,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAElD,wBAAwB;QACvB,OAAe,CAAC,eAAe,GAAG,IAAI,CAAC;QAExC,yBAAyB;QACzB,MAAM,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,kBAAkB,CAAW,CAAC;QACrE,IAAI,OAAO,CAAC,GAAG,CAAC,2BAA2B,KAAK,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;YAC1E,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,6CAA6C,EAAE;gBAC9D,OAAO,EAAE,WAAW;gBACpB,IAAI,EAAE,OAAO,CAAC,GAAG;aAClB,CAAC,CAAC;YACH,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;QAClE,CAAC;IACH,CAAC;IAED;;OAEG;IACK,UAAU,CAAC,MAAc;QAC/B,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACvB,OAAO,MAAM,CAAC;QAChB,CAAC;QACD,OAAO,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,MAAM,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC;IAC9E,CAAC;IAED;;OAEG;IACK,QAAQ,CAAC,MAAc;QAC7B,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;CACF,CAAA;AAxJY,kCAAW;sBAAX,WAAW;IADvB,IAAA,mBAAU,GAAE;IAOR,WAAA,IAAA,eAAM,EAAC,sCAAuB,CAAC,CAAA;qCADJ,gBAAS;QACqB,gBAAM;GANvD,WAAW,CAwJvB"}

package/dist/guards/auth.guard.d.ts

@@ -0,0 +1,39 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { JwtService } from '@nestjs/jwt';
+import { ConfigService } from '@nestjs/config';
+import { Reflector } from '@nestjs/core';
+import { Logger } from 'winston';
+import { RedisService } from '@dofe/infra-redis';
+import { UserInfoService } from '@app/db';
+/**
+ * Auth Guard Token - 用于注入 AuthService
+ */
+export declare const AUTH_SERVICE_TOKEN = "AUTH_SERVICE";
+/**
+ * Auth Service Interface - 用于解耦 infra 和 domain
+ */
+export interface IAuthService {
+    extractTokenFromHeader(request: {
+        headers: Record<string, string | string[] | undefined>;
+    }): string | undefined;
+}
+/**
+ * AuthGuard - 认证守卫
+ *
+ * 位于 infra 层，通过依赖注入接收 AuthService 实现
+ * 避免直接依赖 domain 层
+ */
+export declare class AuthGuard implements CanActivate {
+    private readonly auth;
+    private readonly jwt;
+    private readonly config;
+    private readonly reflector;
+    private readonly redis;
+    private readonly user;
+    private readonly logger;
+    private readonly outOfAnonymityPathConfig;
+    private readonly outOfUserPathConfig;
+    constructor(auth: IAuthService, jwt: JwtService, config: ConfigService, reflector: Reflector, redis: RedisService, user: UserInfoService, logger: Logger);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+//# sourceMappingURL=auth.guard.d.ts.map

package/dist/guards/auth.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.guard.d.ts","sourceRoot":"","sources":["../../src/guards/auth.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,WAAW,EACX,gBAAgB,EAGjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAIjC,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AAO1C;;GAEG;AACH,eAAO,MAAM,kBAAkB,iBAAiB,CAAC;AAEjD;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,sBAAsB,CAAC,OAAO,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAA;KAAE,GAAG,MAAM,GAAG,SAAS,CAAC;CACjH;AAED;;;;;GAKG;AACH,qBACa,SAAU,YAAW,WAAW;IAMzC,OAAO,CAAC,QAAQ,CAAC,IAAI;IACrB,OAAO,CAAC,QAAQ,CAAC,GAAG;IACpB,OAAO,CAAC,QAAQ,CAAC,MAAM;IACvB,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,KAAK;IACtB,OAAO,CAAC,QAAQ,CAAC,IAAI;IACY,OAAO,CAAC,QAAQ,CAAC,MAAM;IAX1D,OAAO,CAAC,QAAQ,CAAC,wBAAwB,CAAC;IAC1C,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAC;gBAIlB,IAAI,EAAE,YAAY,EAClB,GAAG,EAAE,UAAU,EACf,MAAM,EAAE,aAAa,EACrB,SAAS,EAAE,SAAS,EACpB,KAAK,EAAE,YAAY,EACnB,IAAI,EAAE,eAAe,EACY,MAAM,EAAE,MAAM;IAc5D,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CAyI/D"}

package/dist/guards/auth.guard.js

@@ -0,0 +1,178 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthGuard = exports.AUTH_SERVICE_TOKEN = void 0;
+const common_1 = require("@nestjs/common");
+const jwt_1 = require("@nestjs/jwt");
+const config_1 = require("@nestjs/config");
+const core_1 = require("@nestjs/core");
+const nest_winston_1 = require("nest-winston");
+const winston_1 = require("winston");
+const infra_contracts_1 = require("@dofe/infra-contracts");
+const infra_contracts_2 = require("@dofe/infra-contracts");
+const infra_redis_1 = require("@dofe/infra-redis");
+const db_1 = require("@app/db");
+const string_util_1 = __importDefault(require("@dofe/infra-utils/string.util"));
+const environment_util_1 = __importDefault(require("@dofe/infra-utils/environment.util"));
+const env_config_service_1 = require("@/config/env-config.service");
+const api_exception_1 = require("@/filter/exception/api.exception");
+/**
+ * Auth Guard Token - 用于注入 AuthService
+ */
+exports.AUTH_SERVICE_TOKEN = 'AUTH_SERVICE';
+/**
+ * AuthGuard - 认证守卫
+ *
+ * 位于 infra 层，通过依赖注入接收 AuthService 实现
+ * 避免直接依赖 domain 层
+ */
+let AuthGuard = class AuthGuard {
+    auth;
+    jwt;
+    config;
+    reflector;
+    redis;
+    user;
+    logger;
+    outOfAnonymityPathConfig;
+    outOfUserPathConfig;
+    constructor(auth, jwt, config, reflector, redis, user, logger) {
+        this.auth = auth;
+        this.jwt = jwt;
+        this.config = config;
+        this.reflector = reflector;
+        this.redis = redis;
+        this.user = user;
+        this.logger = logger;
+        // 这两个配置在早期版本的 YAML 中存在，但当前模板中是可选的
+        // 为了在本地/开发环境下更好地降级，这里给出空对象默认值
+        this.outOfAnonymityPathConfig =
+            this.config.get('outOfAnonymityPath') ?? {};
+        this.outOfUserPathConfig =
+            this.config.get('outOfUserPath') ?? {};
+    }
+    async canActivate(context) {
+        const request = context.switchToHttp().getRequest();
+        const _response = context.switchToHttp().getResponse();
+        const requestMethod = request.method.toLowerCase();
+        const requestPath = string_util_1.default.trimSlashes(string_util_1.default.splitString(request.url, '?')[0]);
+        // 检查是否在白名单路径中
+        if (this.outOfUserPathConfig[requestMethod]?.some((path) => new RegExp(`^${path.replace(/:\w+/g, '[^/]+')}$`).test(requestPath.replace('api/', '')))) {
+            return true;
+        }
+        // 检查是否标记为公开端点（@Public() 装饰器）
+        const isPublic = this.reflector.getAllAndOverride(infra_contracts_2.PUBLIC_ENDPOINT_KEY, [context.getHandler(), context.getClass()]);
+        if (isPublic)
+            return true;
+        // 从方法处理器获取元数据
+        let authTypes = this.reflector.get('auths', context.getHandler());
+        if (!authTypes) {
+            authTypes = this.reflector.get('auths', context.getClass());
+        }
+        const [authType = 'api', guardType = 'api'] = authTypes || ['api', 'api'];
+        const isMpTest = request.headers[infra_contracts_2.MPTRAIL_HEADER] === 'true';
+        let userId, isAdmin = false, isAnonymity = false;
+        if (!env_config_service_1.featureConfig.modeUserId) {
+            let access;
+            if (guardType === 'sse') {
+                access = decodeURIComponent(request.query['access_token']);
+            }
+            else {
+                access = this.auth.extractTokenFromHeader(request);
+                if (!access) {
+                    throw (0, api_exception_1.apiError)(infra_contracts_1.CommonErrorCode.UnAuthorized);
+                }
+            }
+            if (!access) {
+                throw (0, api_exception_1.apiError)(infra_contracts_1.CommonErrorCode.UnAuthorized);
+            }
+            let payload;
+            try {
+                const jwtConfig = this.config.getOrThrow('jwt');
+                payload = await this.jwt.verifyAsync(access, {
+                    secret: jwtConfig.secret,
+                });
+            }
+            catch (_error) {
+                throw (0, api_exception_1.apiError)(infra_contracts_1.CommonErrorCode.UnAuthorized);
+            }
+            userId = payload?.sub;
+            isAnonymity = payload?.isAnonymity;
+            isAdmin = payload?.isAdmin;
+            if (isAnonymity) {
+                throw (0, api_exception_1.apiError)(infra_contracts_1.CommonErrorCode.UnAuthorized);
+            }
+            // 将 JWT payload 中的用户信息设置到 request 中
+            request.userInfo = {
+                id: userId,
+                nickname: payload?.nickname,
+                code: payload?.code,
+                headerImg: payload?.headerImg,
+                sex: payload?.sex,
+                isAdmin: isAdmin,
+                isAnonymity: isAnonymity,
+            };
+        }
+        else {
+            if ((0, env_config_service_1.isProduction)()) {
+                this.logger.error('CRITICAL SECURITY ERROR: MODE_USER_ID is set in prod environment!');
+                throw (0, api_exception_1.apiError)(infra_contracts_1.CommonErrorCode.UnAuthorized);
+            }
+            this.logger.warn('Auth Guard is running in insecure bypass mode. DO NOT USE IN PROD.');
+            this.logger.warn(`Bypass mode activated with userId: ${env_config_service_1.featureConfig.modeUserId}`);
+            userId = env_config_service_1.featureConfig.modeUserId;
+            isAdmin = true;
+            isAnonymity = false;
+        }
+        if (!userId) {
+            throw (0, api_exception_1.apiError)(infra_contracts_1.CommonErrorCode.UnAuthorized);
+        }
+        if (request.method.toLowerCase() === 'post' &&
+            process.env?.PREVIEW_MODE === 'true' &&
+            environment_util_1.default.isWeChatMiniProgram(request) &&
+            isMpTest &&
+            process.env?.PREVIEW_USER_ID) {
+            throw (0, api_exception_1.apiError)(infra_contracts_1.CommonErrorCode.UnAuthorized);
+        }
+        if (authType === 'admin' && !isAdmin) {
+            throw (0, api_exception_1.apiError)(infra_contracts_1.CommonErrorCode.UnAuthorized);
+        }
+        // 检查匿名用户访问限制
+        if (this.outOfAnonymityPathConfig[requestMethod]?.some((path) => new RegExp(`^${path.replace(/:\w+/g, '[^/]+')}$`).test(requestPath.replace('api/', ''))) &&
+            request.isAnonymity) {
+            throw (0, api_exception_1.apiError)(infra_contracts_1.CommonErrorCode.UnAuthorized);
+        }
+        // 将用户信息设置到request对象中
+        request.userId = userId;
+        request.isAnonymity = isAnonymity;
+        request.isAdmin = isAdmin;
+        return true;
+    }
+};
+exports.AuthGuard = AuthGuard;
+exports.AuthGuard = AuthGuard = __decorate([
+    (0, common_1.Injectable)(),
+    __param(0, (0, common_1.Inject)(exports.AUTH_SERVICE_TOKEN)),
+    __param(6, (0, common_1.Inject)(nest_winston_1.WINSTON_MODULE_PROVIDER)),
+    __metadata("design:paramtypes", [Object, jwt_1.JwtService,
+        config_1.ConfigService,
+        core_1.Reflector,
+        infra_redis_1.RedisService,
+        db_1.UserInfoService,
+        winston_1.Logger])
+], AuthGuard);
+//# sourceMappingURL=auth.guard.js.map

package/dist/guards/auth.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.guard.js","sourceRoot":"","sources":["../../src/guards/auth.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;AAAA,2CAKwB;AACxB,qCAAyC;AACzC,2CAA+C;AAC/C,uCAAyC;AACzC,+CAAuD;AACvD,qCAAiC;AAEjC,2DAAwD;AACxD,2DAA4E;AAC5E,mDAAiD;AACjD,gCAA0C;AAE1C,gFAAuD;AACvD,0FAAgE;AAChE,oEAA0E;AAC1E,oEAA4D;AAE5D;;GAEG;AACU,QAAA,kBAAkB,GAAG,cAAc,CAAC;AASjD;;;;;GAKG;AAEI,IAAM,SAAS,GAAf,MAAM,SAAS;IAMD;IACA;IACA;IACA;IACA;IACA;IACiC;IAXnC,wBAAwB,CAAC;IACzB,mBAAmB,CAAC;IAErC,YAEmB,IAAkB,EAClB,GAAe,EACf,MAAqB,EACrB,SAAoB,EACpB,KAAmB,EACnB,IAAqB,EACY,MAAc;QAN/C,SAAI,GAAJ,IAAI,CAAc;QAClB,QAAG,GAAH,GAAG,CAAY;QACf,WAAM,GAAN,MAAM,CAAe;QACrB,cAAS,GAAT,SAAS,CAAW;QACpB,UAAK,GAAL,KAAK,CAAc;QACnB,SAAI,GAAJ,IAAI,CAAiB;QACY,WAAM,GAAN,MAAM,CAAQ;QAEhE,kCAAkC;QAClC,8BAA8B;QAC9B,IAAI,CAAC,wBAAwB;YAC1B,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,oBAAoB,CAEvB,IAAI,EAAE,CAAC;QACvB,IAAI,CAAC,mBAAmB;YACrB,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,eAAe,CAElB,IAAI,EAAE,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,OAAyB;QACzC,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAkB,CAAC;QACpE,MAAM,SAAS,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,WAAW,EAAgB,CAAC;QACrE,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;QACnD,MAAM,WAAW,GAAG,qBAAU,CAAC,WAAW,CACxC,qBAAU,CAAC,WAAW,CAAC,OAAO,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC,CAC5C,CAAC;QAEF,cAAc;QACd,IACE,IAAI,CAAC,mBAAmB,CAAC,aAAa,CAAC,EAAE,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CACrD,IAAI,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CACpD,WAAW,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAChC,CACF,EACD,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,6BAA6B;QAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAC/C,qCAAmB,EACnB,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAC3C,CAAC;QACF,IAAI,QAAQ;YAAE,OAAO,IAAI,CAAC;QAE1B,cAAc;QACd,IAAI,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAW,OAAO,EAAE,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;QAC5E,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAW,OAAO,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC;QACxE,CAAC;QAED,MAAM,CAAC,QAAQ,GAAG,KAAK,EAAE,SAAS,GAAG,KAAK,CAAC,GAAG,SAAS,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;QAC1E,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,gCAAc,CAAC,KAAK,MAAM,CAAC;QAC5D,IAAI,MAAM,EACR,OAAO,GAAG,KAAK,EACf,WAAW,GAAG,KAAK,CAAC;QAEtB,IAAI,CAAC,kCAAa,CAAC,UAAU,EAAE,CAAC;YAC9B,IAAI,MAAM,CAAC;YACX,IAAI,SAAS,KAAK,KAAK,EAAE,CAAC;gBACxB,MAAM,GAAG,kBAAkB,CAAC,OAAO,CAAC,KAAK,CAAC,cAAc,CAAW,CAAC,CAAC;YACvE,CAAC;iBAAM,CAAC;gBACN,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;gBACnD,IAAI,CAAC,MAAM,EAAE,CAAC;oBACZ,MAAM,IAAA,wBAAQ,EAAC,iCAAe,CAAC,YAAY,CAAC,CAAC;gBAC/C,CAAC;YACH,CAAC;YACD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,MAAM,IAAA,wBAAQ,EAAC,iCAAe,CAAC,YAAY,CAAC,CAAC;YAC/C,CAAC;YAED,IAAI,OAAO,CAAC;YACZ,IAAI,CAAC;gBACH,MAAM,SAAS,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,CAAY,KAAK,CAAC,CAAC;gBAC3D,OAAO,GAAG,MAAM,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC,MAAM,EAAE;oBAC3C,MAAM,EAAE,SAAS,CAAC,MAAM;iBACzB,CAAC,CAAC;YACL,CAAC;YAAC,OAAO,MAAM,EAAE,CAAC;gBAChB,MAAM,IAAA,wBAAQ,EAAC,iCAAe,CAAC,YAAY,CAAC,CAAC;YAC/C,CAAC;YAED,MAAM,GAAG,OAAO,EAAE,GAAG,CAAC;YACtB,WAAW,GAAG,OAAO,EAAE,WAAW,CAAC;YACnC,OAAO,GAAG,OAAO,EAAE,OAAO,CAAC;YAE3B,IAAI,WAAW,EAAE,CAAC;gBAChB,MAAM,IAAA,wBAAQ,EAAC,iCAAe,CAAC,YAAY,CAAC,CAAC;YAC/C,CAAC;YAED,oCAAoC;YACnC,OAAe,CAAC,QAAQ,GAAG;gBAC1B,EAAE,EAAE,MAAM;gBACV,QAAQ,EAAE,OAAO,EAAE,QAAQ;gBAC3B,IAAI,EAAE,OAAO,EAAE,IAAI;gBACnB,SAAS,EAAE,OAAO,EAAE,SAAS;gBAC7B,GAAG,EAAE,OAAO,EAAE,GAAG;gBACjB,OAAO,EAAE,OAAO;gBAChB,WAAW,EAAE,WAAW;aACzB,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,IAAI,IAAA,iCAAY,GAAE,EAAE,CAAC;gBACnB,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,mEAAmE,CACpE,CAAC;gBACF,MAAM,IAAA,wBAAQ,EAAC,iCAAe,CAAC,YAAY,CAAC,CAAC;YAC/C,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,oEAAoE,CACrE,CAAC;YACF,IAAI,CAAC,MAAM,CAAC,IAAI,CACd,sCAAsC,kCAAa,CAAC,UAAU,EAAE,CACjE,CAAC;YAEF,MAAM,GAAG,kCAAa,CAAC,UAAU,CAAC;YAClC,OAAO,GAAG,IAAI,CAAC;YACf,WAAW,GAAG,KAAK,CAAC;QACtB,CAAC;QAED,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAA,wBAAQ,EAAC,iCAAe,CAAC,YAAY,CAAC,CAAC;QAC/C,CAAC;QAED,IACE,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,MAAM;YACvC,OAAO,CAAC,GAAG,EAAE,YAAY,KAAK,MAAM;YACpC,0BAAc,CAAC,mBAAmB,CAAC,OAAO,CAAC;YAC3C,QAAQ;YACR,OAAO,CAAC,GAAG,EAAE,eAAe,EAC5B,CAAC;YACD,MAAM,IAAA,wBAAQ,EAAC,iCAAe,CAAC,YAAY,CAAC,CAAC;QAC/C,CAAC;QAED,IAAI,QAAQ,KAAK,OAAO,IAAI,CAAC,OAAO,EAAE,CAAC;YACrC,MAAM,IAAA,wBAAQ,EAAC,iCAAe,CAAC,YAAY,CAAC,CAAC;QAC/C,CAAC;QAED,aAAa;QACb,IACE,IAAI,CAAC,wBAAwB,CAAC,aAAa,CAAC,EAAE,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAC1D,IAAI,MAAM,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CACpD,WAAW,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAChC,CACF;YACA,OAAe,CAAC,WAAW,EAC5B,CAAC;YACD,MAAM,IAAA,wBAAQ,EAAC,iCAAe,CAAC,YAAY,CAAC,CAAC;QAC/C,CAAC;QAED,qBAAqB;QACpB,OAAe,CAAC,MAAM,GAAG,MAAM,CAAC;QAChC,OAAe,CAAC,WAAW,GAAG,WAAW,CAAC;QAC1C,OAAe,CAAC,OAAO,GAAG,OAAO,CAAC;QAEnC,OAAO,IAAI,CAAC;IACd,CAAC;CACF,CAAA;AAnKY,8BAAS;oBAAT,SAAS;IADrB,IAAA,mBAAU,GAAE;IAMR,WAAA,IAAA,eAAM,EAAC,0BAAkB,CAAC,CAAA;IAO1B,WAAA,IAAA,eAAM,EAAC,sCAAuB,CAAC,CAAA;6CALV,gBAAU;QACP,sBAAa;QACV,gBAAS;QACb,0BAAY;QACb,oBAAe;QACoB,gBAAM;GAZvD,SAAS,CAmKrB"}

package/dist/guards/data-visibility.guard.d.ts

@@ -0,0 +1,18 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { Logger } from 'winston';
+import { OrganizationPermissionService } from '@app/tenant-management/organization-permission';
+/**
+ * 数据可见性 Guard
+ *
+ * 根据用户角色自动解析数据可见范围，并注入到 request.dataScope 中
+ * 供后续 Service 层使用
+ */
+export declare class DataVisibilityGuard implements CanActivate {
+    private readonly reflector;
+    private readonly permissionService;
+    private readonly logger;
+    constructor(reflector: Reflector, permissionService: OrganizationPermissionService, logger: Logger);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+//# sourceMappingURL=data-visibility.guard.d.ts.map

package/dist/guards/data-visibility.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"data-visibility.guard.d.ts","sourceRoot":"","sources":["../../src/guards/data-visibility.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,WAAW,EACX,gBAAgB,EAEjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAEjC,OAAO,EAAE,6BAA6B,EAAE,MAAM,gDAAgD,CAAC;AAI/F;;;;;GAKG;AACH,qBACa,mBAAoB,YAAW,WAAW;IAEnD,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IACD,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAFvC,SAAS,EAAE,SAAS,EACpB,iBAAiB,EAAE,6BAA6B,EACf,MAAM,EAAE,MAAM;IAG5D,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CAoD/D"}

package/dist/guards/data-visibility.guard.js

@@ -0,0 +1,84 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DataVisibilityGuard = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const nest_winston_1 = require("nest-winston");
+const winston_1 = require("winston");
+const organization_permission_1 = require("@app/tenant-management/organization-permission");
+const data_visibility_1 = require("@/common/decorators/data-visibility");
+/**
+ * 数据可见性 Guard
+ *
+ * 根据用户角色自动解析数据可见范围，并注入到 request.dataScope 中
+ * 供后续 Service 层使用
+ */
+let DataVisibilityGuard = class DataVisibilityGuard {
+    reflector;
+    permissionService;
+    logger;
+    constructor(reflector, permissionService, logger) {
+        this.reflector = reflector;
+        this.permissionService = permissionService;
+        this.logger = logger;
+    }
+    async canActivate(context) {
+        const request = context.switchToHttp().getRequest();
+        // 获取资源类型
+        const resourceType = this.reflector.getAllAndOverride(data_visibility_1.DATA_VISIBILITY_KEY, [context.getHandler(), context.getClass()]);
+        // 如果没有设置资源类型，不需要处理可见性
+        if (!resourceType) {
+            return true;
+        }
+        // 获取用户信息
+        const userId = request.userId;
+        const tenantId = request.tenantId;
+        const isAdmin = request.isAdmin;
+        // 如果没有用户信息（公共端点），跳过可见性注入
+        if (!userId || !tenantId) {
+            this.logger.debug('No user context, skipping data visibility resolution', {
+                resourceType,
+            });
+            return true;
+        }
+        // 解析数据可见范围
+        const dataScope = await this.permissionService.resolveDataScope({
+            userId,
+            tenantId,
+            resourceType,
+            isSystemAdmin: isAdmin,
+        });
+        // 注入到请求上下文
+        request.dataScope = dataScope;
+        this.logger.debug('Data visibility resolved', {
+            userId,
+            tenantId,
+            resourceType,
+            scopeType: dataScope.type,
+            departmentCount: dataScope.departmentIds?.length ?? 0,
+            teamCount: dataScope.teamIds?.length ?? 0,
+        });
+        return true;
+    }
+};
+exports.DataVisibilityGuard = DataVisibilityGuard;
+exports.DataVisibilityGuard = DataVisibilityGuard = __decorate([
+    (0, common_1.Injectable)(),
+    __param(2, (0, common_1.Inject)(nest_winston_1.WINSTON_MODULE_PROVIDER)),
+    __metadata("design:paramtypes", [core_1.Reflector,
+        organization_permission_1.OrganizationPermissionService,
+        winston_1.Logger])
+], DataVisibilityGuard);
+//# sourceMappingURL=data-visibility.guard.js.map

package/dist/guards/data-visibility.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"data-visibility.guard.js","sourceRoot":"","sources":["../../src/guards/data-visibility.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;AAAA,2CAKwB;AACxB,uCAAyC;AACzC,+CAAuD;AACvD,qCAAiC;AAEjC,4FAA+F;AAC/F,yEAA0E;AAG1E;;;;;GAKG;AAEI,IAAM,mBAAmB,GAAzB,MAAM,mBAAmB;IAEX;IACA;IACiC;IAHpD,YACmB,SAAoB,EACpB,iBAAgD,EACf,MAAc;QAF/C,cAAS,GAAT,SAAS,CAAW;QACpB,sBAAiB,GAAjB,iBAAiB,CAA+B;QACf,WAAM,GAAN,MAAM,CAAQ;IAC/D,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,OAAyB;QACzC,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAkB,CAAC;QAEpE,SAAS;QACT,MAAM,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CACnD,qCAAmB,EACnB,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAC3C,CAAC;QAEF,sBAAsB;QACtB,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,SAAS;QACT,MAAM,MAAM,GAAI,OAAe,CAAC,MAAM,CAAC;QACvC,MAAM,QAAQ,GAAI,OAAe,CAAC,QAAQ,CAAC;QAC3C,MAAM,OAAO,GAAI,OAAe,CAAC,OAAO,CAAC;QAEzC,yBAAyB;QACzB,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;YACzB,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,sDAAsD,EACtD;gBACE,YAAY;aACb,CACF,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;QAED,WAAW;QACX,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,gBAAgB,CAAC;YAC9D,MAAM;YACN,QAAQ;YACR,YAAY;YACZ,aAAa,EAAE,OAAO;SACvB,CAAC,CAAC;QAEH,WAAW;QACV,OAAe,CAAC,SAAS,GAAG,SAAS,CAAC;QAEvC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,0BAA0B,EAAE;YAC5C,MAAM;YACN,QAAQ;YACR,YAAY;YACZ,SAAS,EAAE,SAAS,CAAC,IAAI;YACzB,eAAe,EAAE,SAAS,CAAC,aAAa,EAAE,MAAM,IAAI,CAAC;YACrD,SAAS,EAAE,SAAS,CAAC,OAAO,EAAE,MAAM,IAAI,CAAC;SAC1C,CAAC,CAAC;QAEH,OAAO,IAAI,CAAC;IACd,CAAC;CACF,CAAA;AA3DY,kDAAmB;8BAAnB,mBAAmB;IAD/B,IAAA,mBAAU,GAAE;IAKR,WAAA,IAAA,eAAM,EAAC,sCAAuB,CAAC,CAAA;qCAFJ,gBAAS;QACD,uDAA6B;QACP,gBAAM;GAJvD,mBAAmB,CA2D/B"}

package/dist/guards/index.d.ts

@@ -0,0 +1,7 @@
+export * from './version.guard';
+export * from './tenant-context.guard';
+export * from './permission.guard';
+export * from './auth.guard';
+export * from './api-key.guard';
+export * from './data-visibility.guard';
+//# sourceMappingURL=index.d.ts.map

package/dist/guards/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/guards/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAC;AAChC,cAAc,wBAAwB,CAAC;AACvC,cAAc,oBAAoB,CAAC;AACnC,cAAc,cAAc,CAAC;AAC7B,cAAc,iBAAiB,CAAC;AAChC,cAAc,yBAAyB,CAAC"}

package/dist/guards/index.js

@@ -0,0 +1,23 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./version.guard"), exports);
+__exportStar(require("./tenant-context.guard"), exports);
+__exportStar(require("./permission.guard"), exports);
+__exportStar(require("./auth.guard"), exports);
+__exportStar(require("./api-key.guard"), exports);
+__exportStar(require("./data-visibility.guard"), exports);
+//# sourceMappingURL=index.js.map

package/dist/guards/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/guards/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,kDAAgC;AAChC,yDAAuC;AACvC,qDAAmC;AACnC,+CAA6B;AAC7B,kDAAgC;AAChC,0DAAwC"}

package/dist/guards/permission.guard.d.ts

@@ -0,0 +1,20 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { Logger } from 'winston';
+import { JwtService } from '@nestjs/jwt';
+import { ConfigService } from '@nestjs/config';
+import { OrganizationPermissionService } from '@app/tenant-management/organization-permission';
+export declare class PermissionGuard implements CanActivate {
+    private readonly reflector;
+    private readonly permissionService;
+    private readonly jwtService;
+    private readonly configService;
+    private readonly logger;
+    constructor(reflector: Reflector, permissionService: OrganizationPermissionService, jwtService: JwtService, configService: ConfigService, logger: Logger);
+    /**
+     * 从 Authorization header 中提取并验证 JWT token
+     */
+    private extractUserFromToken;
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
+//# sourceMappingURL=permission.guard.d.ts.map

package/dist/guards/permission.guard.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permission.guard.d.ts","sourceRoot":"","sources":["../../src/guards/permission.guard.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,WAAW,EACX,gBAAgB,EAIjB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAEjC,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAC/C,OAAO,EAAE,6BAA6B,EAAE,MAAM,gDAAgD,CAAC;AAQ/F,qBACa,eAAgB,YAAW,WAAW;IAE/C,OAAO,CAAC,QAAQ,CAAC,SAAS;IAC1B,OAAO,CAAC,QAAQ,CAAC,iBAAiB;IAClC,OAAO,CAAC,QAAQ,CAAC,UAAU;IAC3B,OAAO,CAAC,QAAQ,CAAC,aAAa;IACG,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAJvC,SAAS,EAAE,SAAS,EACpB,iBAAiB,EAAE,6BAA6B,EAChD,UAAU,EAAE,UAAU,EACtB,aAAa,EAAE,aAAa,EACK,MAAM,EAAE,MAAM;IAGlE;;OAEG;YACW,oBAAoB;IA6B5B,WAAW,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,OAAO,CAAC;CAsF/D"}