@lark-apaas/auth-sdk 0.1.0-alpha.0 → 0.1.0-alpha.11

package/README.md

@@ -1,8 +1,8 @@
-## @lark-apaas/auth-sdk
+# @lark-apaas/auth-sdk
 
 基于 CASL 的前端鉴权 SDK，封装了权限数据获取、Ability 初始化与 React 集成，帮助你在应用中便捷地做「功能级/按钮级/菜单级/页面级」的权限控制。
 
-### 安装
+## 安装
 
 ```bash
 npm i @lark-apaas/auth-sdk
@@ -10,22 +10,22 @@ npm i @lark-apaas/auth-sdk
 yarn add @lark-apaas/auth-sdk
 ```
 
-### 快速开始
+## 快速开始
+
+### 模版接入
 
 ```tsx
 import React from 'react';
-import { AuthProvider, Can, useAbility } from '@lark-apaas/auth-sdk';
+import { AuthProvider, CanRole, useAuthAbility } from '@lark-apaas/auth-sdk';
 
 export default function App() {
   return (
     <AuthProvider
       config={{
         permissionApi: {
-          baseUrl: 'http://localhost:3000',
-          endpoint: '/api/users/:userId/permissions',
-          // 可选：apiToken、timeout、headers、withCredentials
+          timeout: 5000,
         },
-        autoFetch: true,
+        enable: true,
         onError: (e) => console.error(e),
       }}
     >
@@ -33,173 +33,104 @@ export default function App() {
     </AuthProvider>
   );
 }
+```
+
+
+### 开发组件 - 使用 CanRole 组件
+
+```tsx
+import { CanRole } from '@lark-apaas/auth-sdk';
 
 function Home() {
-  const ability = useAbility();
   return (
     <div>
-      <Can I="read" a="Dashboard">
-        <div>可见的仪表盘</div>
-      </Can>
-      <button disabled={ability.cannot('create', 'Task')}>创建任务</button>
+      <CanRole roles={['role_admin']}>
+        <div>管理员按钮</div>
+      </CanRole>
+      <CanRole roles={['role_admin', 'role_editor']}>
+        <div>编辑按钮</div>
+      </CanRole>
     </div>
   );
 }
 ```
 
----
-
-## 核心 API
+### 开发组件 - 使用 AbilityContext 处理复杂场景
 
-### AuthProvider
-- **作用**: 提供 `Ability` 与权限状态上下文，自动/手动拉取权限。
-- **Props**:
-  - `config?: AuthSdkConfig`
-    - `noPermissionPath?: string` 无权限时的导航路径
-    - `permissionApi?: PermissionApiConfig` 拉取权限接口配置
-      - `baseUrl?: string`
-      - `endpoint?: string`，支持 `:userId` 占位
-      - `timeout?: number`，默认 5000ms
-      - `headers?: Record<string,string>`
-      - `apiToken?: string` 自动加到 Authorization 头
-      - `withCredentials?: boolean`，默认 true
-    - `autoFetch?: boolean` 是否初始化自动拉取
-    - `onError?: (error: Error) => void`
-    - `onSuccess?: (data: PermissionApiResponse) => void`
-  - `children: React.ReactNode`
-
-示例：
 ```tsx
-<AuthProvider userId="user-123" config={{
-  permissionApi: { endpoint: '/api/permissions' },
-  autoFetch: true,
-}}>
-  <App />
-  {/* Can/Hook 在其子树中生效 */}
-</AuthProvider>
+import { useContext } from 'react';
+import { AbilityContext, ROLE_SUBJECT } from '@lark-apaas/auth-sdk';
+
+function Home() {
+  const ability = useContext(AbilityContext);
+  return (
+    <div>
+      {ability.can('role_admin', ROLE_SUBJECT) || ability.can('role_editor', ROLE_SUBJECT) ? (
+        <div>可见的仪表盘</div>
+      ) : null}
+    </div>
+  );
+}
 ```
 
-### useAuth
-- **作用**: 访问权限状态与方法。
-- **返回**:
-  - `permissions: Permission[]`
-  - `roles: string[]`
-  - `userId: string | null`
-  - `setUserId(userId: string): void`
-  - `isLoading: boolean`
-  - `error: Error | null`
-  - `fetchPermissions(userId?: string): Promise<void>` 手动拉取
-  - `refetch(): Promise<void>` 按当前 `userId` 重新拉取
+### 开发组件 - 见 Client Toolkit
 
-```tsx
-const { permissions, roles, isLoading, refetch } = useAuth();
-```
+---
 
-### useAbility
-- **作用**: 获取 CASL `Ability` 实例，使用 `ability.can(action, subject)` 做任意判断。
+## 核心 API - 面向 Agent
 
-```tsx
-const ability = useAbility();
-const canCreate = ability.can('create', 'Task');
-```
+### CanRole 组件 (推荐)
 
-### Can 组件（来自 @casl/react 的 Contextual Can）
-- **作用**: 条件渲染，只有当 `I` 对 `a` 可操作时才渲染子内容；也支持 render prop。
+- **作用**: 条件渲染，只有当角色 id 包含在 `roles` 中时才渲染子内容。
 
 ```tsx
-<Can I="delete" a="Task">
+<CanRole roles={['role_admin', 'role_editor']}>
   <button>删除任务</button>
-</Can>
-
-<Can I="download" a="Report">{(allowed) => (
-  <button disabled={!allowed}>下载报表</button>
-)}</Can>
+</CanRole>
 ```
 
-### 批量权限判断：useCanPermission / CanPermission
-- `useCanPermission({ permissions, or })`：一次检查多个权限；`or=true` 表示任一满足即可，否则默认全部需要满足。
-- `CanPermission`：同上但以组件方式使用，支持 children 或 render prop。
+### AbilityContext 提供原子化的权限判断能力
 
-```tsx
-const allowed = useCanPermission({
-  permissions: [
-    { action: 'read', subject: 'Report' },
-    { action: 'download', subject: 'Report' },
-  ],
-  or: false,
-});
-
-<CanPermission
-  permissions={[{ action: 'manage', subject: 'Task' }, { action: 'delete', subject: 'Task' }]}>
-  <BulkActions />
-</CanPermission>
-```
-
-### 角色判断：useCanRole / CanRole
-- 角色被映射为特殊 subject `@role` 下的 action。
-- `useCanRole({ roles, and })`：是否拥有指定多个角色；`and=true` 表示需要同时具备。
-- `CanRole`：以组件形式使用。
+- **作用**: 从 React 上下文获取 CASL `Ability` 实例，使用 `ability.can(action, subject)` 做权限判断。
 
 ```tsx
-const isAdmin = useCanRole({ roles: ['admin_role'] });
+import { useContext } from 'react';
+import { AbilityContext } from '@lark-apaas/auth-sdk';
 
-<CanRole roles={[ 'admin_role', 'ops_role' ]} and>
-  <DangerZone />
-</CanRole>
+const ability = useContext(AbilityContext);
+const canCreate = ability.can('role_editor', '@role');
 ```
 
-### 路由守卫：CanRoute
-- **作用**: 路由级别的权限守卫，支持权限和角色双重检查，无权限时可自动重定向。
+## 核心 API - 面向接入方
+
+### AuthProvider
+
+- **作用**: 提供 `Ability` 与权限状态上下文，自动/手动拉取权限。
 - **Props**:
-  - `permissions?: Array<{ action: string; subject: string }>` 需要检查的权限列表
-  - `roles?: string[]` 需要检查的角色列表
-  - `children: React.ReactNode` 受保护的内容
-  - `fallback?: React.ReactNode` 无权限时渲染的内容（优先级最高）
-  - `redirectTo?: string` 无权限时重定向的路径（优先级次之）
-  - 如果既没有 `fallback` 也没有 `redirectTo`，会尝试使用 `AuthProvider` 配置的 `noPermissionPath`
-  - 如果都没有配置，则返回 `null`
+  - `config?: AuthSdkConfig`
+    - `enable?: boolean` 是否启用权限 SDK，默认 false
+    - `permissionApi?: PermissionApiConfig` 拉取权限接口配置
+      - `timeout?: number`，默认 5000ms
+      - `headers?: Record<string,string>` 自定义请求头
+    - `onError?: (error: Error) => void`
+    - `onSuccess?: (data: PermissionApiResponse) => void`
+  - `children: React.ReactNode`
+
+示例：
 
 ```tsx
-import { CanRoute } from '@lark-apaas/auth-sdk';
-import { Routes, Route } from 'react-router-dom';
-
-// 基础用法：权限检查
-<CanRoute permissions={[{ action: 'read', subject: 'Dashboard' }]}>
-  <Dashboard />
-</CanRoute>
-
-// 角色检查
-<CanRoute roles={['admin', 'manager']}>
-  <AdminPanel />
-</CanRoute>
-
-// 自定义重定向
-<CanRoute 
-  permissions={[{ action: 'manage', subject: 'User' }]}
-  redirectTo="/unauthorized"
->
-  <UserManagement />
-</CanRoute>
-
-// 自定义 fallback 内容
-<CanRoute 
-  roles={['admin']}
-  fallback={<div>您没有管理员权限</div>}
->
-  <AdminSettings />
-</CanRoute>
-
-// 在路由中使用
-<Routes>
-  <Route path="/admin" element={
-    <CanRoute permissions={[{ action: 'manage', subject: 'Task' }]}> 
-      <AdminPage />
-    </CanRoute>
-  } />
-</Routes>
+<AuthProvider config={{
+  enable: true,
+}}>
+  <App />
+  {/* Can/Hook 在其子树中生效 */}
+</AuthProvider>
 ```
 
+## 核心 API - 面向 SDK 开发者
+
 ### PermissionClient
+
 - **作用**: 独立的权限数据获取客户端，供非 React 场景（或自定义状态管理）使用。
 - **方法**:
   - `constructor(config?: PermissionApiConfig)`
@@ -215,6 +146,7 @@ const data = await client.fetchPermissions('user-123');
 ```
 
 ### 能力工厂（与 CASL 交互）
+
 - `createAbility({ permissions?: Permission[], roles?: string[] }): Ability`
 - `updateAbility(ability: Ability, { permissions?: Permission[], roles?: string[] }): void`
 - `convertPermissionsToRules(permissions: Permission[], roles: string[]): CaslRule[]`
@@ -232,120 +164,20 @@ updateAbility(ability, { permissions: [{ id: 'p1', name: 'Task Read', sub: 'Task
 ---
 
 ## 类型与再导出
-- 从本包导出的类型：`Action`、`Subject`、`Permission`、`UserRole`、`PermissionApiResponse`、`PermissionApiConfig`、`AuthSdkConfig`、`CaslRule`。
-- 便捷再导出：`Ability`、`AbilityBuilder`、`AbilityClass`（来自 `@casl/ability`）。
 
----
+- 从本包导出的类型：`PermissionApiResponse`、`PermissionApiConfig`、`AuthSdkConfig`、`CaslRule`。
+- 最终用户代码中仅需要使用到的 API 有：
+  - `CanRole` 组件: 条件渲染，只有当角色 id 包含在 `roles` 中时才渲染子内容。
+  - `AbilityContext`: 从 React 上下文获取 CASL `Ability` 实例，用于权限判断。
+  - `ROLE_SUBJECT`: 特殊 subject `@role` 常量，用于角色判断。
 
 ## 集成建议与最佳实践
-- **权限接口返回**：`{ userId, roles: (string|UserRole)[], permissions: Permission[] }`，其中 `roles` 支持字符串或对象；SDK 会标准化为字符串数组。
-- **错误处理**：实现 `onError` 上报或提示；`onSuccess` 可做埋点。
-- **渲染时机**：根据 `useAuth()` 的 `isLoading`/`error` 渲染 Loading/Error 页，避免闪烁。
-- **与路由结合**：使用 `CanRoute` 组件做页面级访问控制，支持自动重定向和自定义 fallback 内容。
-- **路由守卫最佳实践**：
-  - 优先使用 `fallback` 属性展示友好的无权限提示
-  - 使用 `redirectTo` 重定向到专门的错误页面
-  - 在 `AuthProvider` 中配置全局的 `noPermissionPath` 作为兜底
-
----
-
-## 进阶示例
-
-### 菜单按权限过滤
-```tsx
-import { useAbility } from '@lark-apaas/auth-sdk';
-
-const menus = [
-  { name: 'Dashboard', path: '/dashboard', p: { action: 'read', subject: 'Dashboard' } },
-  { name: 'Users', path: '/users', p: { action: 'read', subject: 'User' } },
-  { name: 'Settings', path: '/settings', p: { action: 'manage', subject: 'Settings' } },
-];
-
-function Nav() {
-  const ability = useAbility();
-  return (
-    <nav>
-      {menus.map(m => ability.can(m.p.action, m.p.subject) && (
-        <a key={m.path} href={m.path}>{m.name}</a>
-      ))}
-    </nav>
-  );
-}
-```
-
-### 批量操作区
-```tsx
-import { BatchCan } from '@lark-apaas/auth-sdk';
-
-<BatchCan permissions={[{ action: 'delete', subject: 'Task' }, { action: 'manage', subject: 'Task' }]}>
-  <div className="bulk-actions">
-    <button>批量删除</button>
-    <button>导出全部</button>
-  </div>
-</BatchCan>
-```
-
-### 路由级权限控制
-```tsx
-import { CanRoute } from '@lark-apaas/auth-sdk';
-import { Routes, Route, Navigate } from 'react-router-dom';
 
-function App() {
-  return (
-    <Routes>
-      {/* 公开路由 */}
-      <Route path="/" element={<HomePage />} />
-      <Route path="/login" element={<LoginPage />} />
-      
-      {/* 受保护的路由 */}
-      <Route path="/dashboard" element={
-        <CanRoute permissions={[{ action: 'read', subject: 'Dashboard' }]}> 
-          <Dashboard />
-        </CanRoute>
-      } />
-      
-      {/* 管理员路由 */}
-      <Route path="/admin" element={
-        <CanRoute 
-          roles={['admin']}
-          fallback={<Navigate to="/unauthorized" replace />}
-        >
-          <AdminPanel />
-        </CanRoute>
-      } />
-      
-      {/* 多权限检查 */}
-      <Route path="/reports" element={
-        <CanRoute 
-          permissions={[
-            { action: 'read', subject: 'Report' },
-            { action: 'export', subject: 'Report' }
-          ]}
-          redirectTo="/no-access"
-        >
-          <ReportsPage />
-        </CanRoute>
-      } />
-      
-      {/* 错误页面 */}
-      <Route path="/unauthorized" element={<UnauthorizedPage />} />
-      <Route path="/no-access" element={<NoAccessPage />} />
-    </Routes>
-  );
-}
-```
-
----
-
-## 常见问题（FAQ）
-- **如何做角色判断？** 使用 `useCanRole`/`CanRole`；角色被映射为对特殊 subject `@role` 的 action。
-- **如何使用路由守卫？** 使用 `CanRoute` 组件包装需要保护的路由内容，支持权限和角色双重检查。
-- **CanRoute 的重定向优先级？** `fallback` > `redirectTo` > `noPermissionPath`（AuthProvider 配置）> `null`。
-- **CanRoute 需要 react-router-dom 依赖吗？** 是的，因为使用了 `Navigate` 和 `useLocation`，请确保项目中已安装。
+- **直接使用组件**：`CanRole` 组件是直接使用的主要入口，可以使用 `AbilityContext` 获取 `Ability` 实例，在特殊场景下手动判断权限。
+- **与路由结合**：页面级的访问控制需要结合路由库（如 `react-router-dom`）和 `AbilityContext` 来自行实现。
 
 ---
 
 ## 许可
-MIT
-
 
+MIT

package/lib/AuthProvider.d.ts

@@ -1,59 +1,19 @@
 import React from 'react';
-import { Ability } from '@casl/ability';
-import type { AuthSdkConfig, Permission } from './types';
+import { MongoAbility } from '@casl/ability';
+import type { AuthSdkConfig } from './types';
 /**
  * Ability Context - 用于在组件树中共享 Ability 实例
  */
-export declare const AbilityContext: React.Context<Ability<import("@casl/ability").AbilityTuple, import("@casl/ability").MongoQuery>>;
-/** 权限点位鉴权相关的 Hooks 和组件 */
-/**
- * Can 组件 - 基于 Context 的条件渲染组件
- * 使用 @casl/react 的 createContextualCan 创建，复用 CASL 的官方实现
- */
-export declare const Can: React.FunctionComponent<import("@casl/react").BoundCanProps<Ability<import("@casl/ability").AbilityTuple, import("@casl/ability").MongoQuery>>>;
-export interface UseCanPermissionProps {
-    permissions?: Array<{
-        action: string;
-        subject: string;
-    }>;
-    or?: boolean;
-}
-export interface CanPermissionProps extends UseCanPermissionProps {
-    children: React.ReactNode | ((allowed: boolean) => React.ReactNode);
-}
-export declare const useCanPermission: ({ permissions, or }: UseCanPermissionProps) => boolean;
-export declare function CanPermission({ permissions, children, or }: {
-    permissions: Array<{
-        action: string;
-        subject: string;
-    }>;
-    children: React.ReactNode | ((allowed: boolean) => React.ReactNode);
-    or?: boolean;
-}): import("react/jsx-runtime").JSX.Element | null;
-/** 角色鉴权相关的 Hooks 和组件 */
-export interface UseCanRoleProps {
-    roles?: string[];
-    and?: boolean;
-}
-export declare const useCanRole: ({ roles, and }: UseCanRoleProps) => boolean;
-export interface CanRoleProps extends UseCanRoleProps {
-    children: React.ReactNode | ((allowed: boolean) => React.ReactNode);
-}
-export declare const CanRole: ({ roles, and, children }: CanRoleProps) => import("react/jsx-runtime").JSX.Element | null;
+export declare const AbilityContext: React.Context<MongoAbility<import("@casl/ability").AbilityTuple, import("@casl/ability").MongoQuery>>;
 /**
  * Auth 状态 Context 类型定义
  * 存储权限数据和加载状态
  */
 interface AuthStateContextValue {
-    noPermissionPath?: string;
-    permissions: Permission[];
-    roles: string[];
-    userId: string | null;
-    setUserId: (userId: string) => void;
+    ability: MongoAbility;
     isLoading: boolean;
     error: Error | null;
     fetchPermissions: (userId?: string) => Promise<void>;
-    refetch: () => Promise<void>;
 }
 /**
  * Auth Provider Props
@@ -61,7 +21,6 @@ interface AuthStateContextValue {
 export interface AuthProviderProps {
     children: React.ReactNode;
     config?: AuthSdkConfig;
-    userId?: string;
 }
 /**
  * Auth Provider 组件
@@ -87,6 +46,13 @@ export interface AuthProviderProps {
  * ```
  */
 export declare function AuthProvider({ children, config }: AuthProviderProps): import("react/jsx-runtime").JSX.Element;
+/**
+ * 获取 Ability 实例
+ *
+ * @param permissionApiConfig - 权限 API 配置
+ * @returns Ability 实例或错误
+ */
+export declare function getAbility(permissionApiConfig: AuthSdkConfig['permissionApi']): Promise<Error | MongoAbility<import("@casl/ability").AbilityTuple, import("@casl/ability").MongoQuery>>;
 /**
  * useAuth Hook - 获取权限数据和加载状态
  *
@@ -110,14 +76,14 @@ export declare function AuthProvider({ children, config }: AuthProviderProps): i
  */
 export declare function useAuth(): AuthStateContextValue;
 /**
- * useAbility Hook - 获取 Ability 实例
+ * useAuthAbility Hook - 获取 Ability 实例
  *
  * @example
  * ```tsx
- * import { useAbility } from '@lark-apaas/auth-sdk';
+ * import { useAuthAbility } from '@lark-apaas/auth-sdk';
  *
  * function MyComponent() {
- *   const ability = useAbility();
+ *   const ability = useAuthAbility();
  *
  *   return (
  *     <button disabled={ability.cannot('create', 'Task')}>
@@ -127,32 +93,46 @@ export declare function useAuth(): AuthStateContextValue;
  * }
  * ```
  */
-export declare function useAbility(): Ability;
+export declare function useAuthAbility(): MongoAbility;
 /**
- * usePermissions Hook - 获取权限列表
+ * Can Component - 基于 Ability 实例的条件渲染组件
  *
  * @example
  * ```tsx
+ * import { Can } from '@lark-apaas/auth-sdk';
+ *
  * function MyComponent() {
- *   const permissions = usePermissions();
- *   return <div>You have {permissions.length} permissions</div>;
+ *   return (
+ *     <Can I="Admin" a="@role">
+ *       <TaskList />
+ *     </Can>
+ *   );
  * }
  * ```
  */
-export declare function usePermissions(): Permission[];
+export declare const Can: React.FunctionComponent<import("@casl/react").BoundCanProps<MongoAbility<import("@casl/ability").AbilityTuple, import("@casl/ability").MongoQuery>>>;
+export declare const useCanRole: ({ roles }: {
+    roles: string[];
+}) => boolean;
 /**
- * useRoles Hook - 获取角色列表
+ * CanRole Component - 基于 Ability 实例的角色条件渲染组件
  *
  * @example
  * ```tsx
+ * import { CanRole } from '@lark-apaas/auth-sdk';
+ *
  * function MyComponent() {
- *   const roles = useRoles();
- *   return <div>Your roles: {roles.join(', ')}</div>;
+ *   return (
+ *     <CanRole roles={['role_admin', 'role_editor']}>
+ *       <TaskList />
+ *     </CanRole>
+ *   );
  * }
  * ```
  */
-export declare function useRoles(): string[];
-export declare function useUserId(): [string | null, (userId: string) => void];
-export declare function useNoPermissionPath(): string | undefined;
+export declare function CanRole({ children, roles, }: {
+    children: React.ReactNode;
+    roles: string[];
+}): import("react/jsx-runtime").JSX.Element | null;
 export {};
 //# sourceMappingURL=AuthProvider.d.ts.map

package/lib/AuthProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AuthProvider.d.ts","sourceRoot":"","sources":["../src/AuthProvider.tsx"],"names":[],"mappings":"AAAA,OAAO,KAAsE,MAAM,OAAO,CAAC;AAC3F,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAExC,OAAO,KAAK,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAIzD;;GAEG;AACH,eAAO,MAAM,cAAc,kGAAsE,CAAC;AAElG,0BAA0B;AAC1B;;;GAGG;AACH,eAAO,MAAM,GAAG,iJAA+C,CAAC;AAGhE,MAAM,WAAW,qBAAqB;IACpC,WAAW,CAAC,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACzD,EAAE,CAAC,EAAE,OAAO,CAAC;CACd;AAED,MAAM,WAAW,kBAAmB,SAAQ,qBAAqB;IAC/D,QAAQ,EAAE,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC,OAAO,EAAE,OAAO,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;CACrE;AAED,eAAO,MAAM,gBAAgB,GAAY,qBAAqB,qBAAqB,KAAG,OAYrF,CAAC;AAGF,wBAAgB,aAAa,CAAC,EAAE,WAAW,EAAE,QAAQ,EAAE,EAAE,EAAE,EAAE;IAAE,WAAW,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAAC,QAAQ,EAAE,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC,OAAO,EAAE,OAAO,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAAC,EAAE,CAAC,EAAC,OAAO,CAAA;CAAE,kDASzM;AAED,wBAAwB;AACxB,MAAM,WAAW,eAAe;IAC9B,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,GAAG,CAAC,EAAE,OAAO,CAAC;CACf;AAED,eAAO,MAAM,UAAU,GAAa,gBAAgB,eAAe,KAAG,OASrE,CAAC;AAEF,MAAM,WAAW,YAAa,SAAQ,eAAe;IACnD,QAAQ,EAAE,KAAK,CAAC,SAAS,GAAG,CAAC,CAAC,OAAO,EAAE,OAAO,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;CACrE;AAED,eAAO,MAAM,OAAO,GAAa,0BAA0B,YAAY,mDAMtE,CAAC;AAEF;;;GAGG;AACH,UAAU,qBAAqB;IAC7B,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,UAAU,EAAE,CAAC;IAC1B,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,SAAS,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC;IACpC,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,gBAAgB,EAAE,CAAC,MAAM,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACrD,OAAO,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9B;AAOD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;IAC1B,MAAM,CAAC,EAAE,aAAa,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,YAAY,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,iBAAiB,2CAkFnE;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,OAAO,IAAI,qBAAqB,CAQ/C;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,UAAU,IAAI,OAAO,CAEpC;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,cAAc,IAAI,UAAU,EAAE,CAG7C;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,QAAQ,IAAI,MAAM,EAAE,CAGnC;AAED,wBAAgB,SAAS,IAAI,CAAC,MAAM,GAAG,IAAI,EAAE,CAAC,MAAM,EAAE,MAAM,KAAK,IAAI,CAAC,CAGrE;AAED,wBAAgB,mBAAmB,IAAI,MAAM,GAAG,SAAS,CAGxD"}
+{"version":3,"file":"AuthProvider.d.ts","sourceRoot":"","sources":["../src/AuthProvider.tsx"],"names":[],"mappings":"AAAA,OAAO,KAMN,MAAM,OAAO,CAAC;AACf,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAK7C;;GAEG;AACH,eAAO,MAAM,cAAc,uGAE1B,CAAC;AAEF;;;GAGG;AACH,UAAU,qBAAqB;IAC7B,OAAO,EAAE,YAAY,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,gBAAgB,EAAE,CAAC,MAAM,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACtD;AAOD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;IAC1B,MAAM,CAAC,EAAE,aAAa,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,YAAY,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,iBAAiB,2CA2DnE;AAED;;;;;GAKG;AACH,wBAAsB,UAAU,CAC9B,mBAAmB,EAAE,aAAa,CAAC,eAAe,CAAC,2GAiBpD;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,OAAO,IAAI,qBAAqB,CAQ/C;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,cAAc,IAAI,YAAY,CAE7C;AAED;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,GAAG,sJAA+C,CAAC;AAEhE,eAAO,MAAM,UAAU,GAAa,WAAW;IAAE,KAAK,EAAE,MAAM,EAAE,CAAA;CAAE,KAAG,OASpE,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,OAAO,CAAC,EACtB,QAAQ,EACR,KAAK,GACN,EAAE;IACD,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;IAC1B,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB,kDAIA"}

package/lib/AuthProvider.js

@@ -1,70 +1,25 @@
 import { Fragment, jsx } from "react/jsx-runtime";
 import { createContext, useCallback, useContext, useEffect, useState } from "react";
-import { createContextualCan } from "@casl/react";
 import { ROLE_SUBJECT, createAbility, updateAbility } from "./ability-factory.js";
 import { PermissionClient } from "./permission-client.js";
+import { createContextualCan } from "@casl/react";
 const AbilityContext = /*#__PURE__*/ createContext(createAbility({
     permissions: [],
     roles: []
 }));
-const Can = createContextualCan(AbilityContext.Consumer);
-const useCanPermission = function({ permissions, or }) {
-    const ability = useAbility();
-    let allowed = false;
-    allowed = or ? !permissions || !permissions.length || permissions.length > 0 && permissions.some(({ action, subject })=>ability.can(action, subject)) : !permissions || !permissions.length || permissions.length > 0 && permissions.every(({ action, subject })=>ability.can(action, subject));
-    return !!allowed;
-};
-function CanPermission({ permissions, children, or }) {
-    const allowed = useCanPermission({
-        permissions,
-        or
-    });
-    if ('function' == typeof children) return /*#__PURE__*/ jsx(Fragment, {
-        children: children(allowed)
-    });
-    return allowed ? /*#__PURE__*/ jsx(Fragment, {
-        children: children
-    }) : null;
-}
-const useCanRole = function({ roles, and }) {
-    const ability = useAbility();
-    let allowed = false;
-    allowed = and ? !roles || 0 === roles.length || roles.length > 0 && roles.every((role)=>ability.can(role, ROLE_SUBJECT)) : !roles || 0 === roles.length || roles.length > 0 && roles.some((role)=>ability.can(role, ROLE_SUBJECT));
-    return !!allowed;
-};
-const CanRole = function({ roles, and, children }) {
-    const allowed = useCanRole({
-        roles,
-        and
-    });
-    if ('function' == typeof children) return /*#__PURE__*/ jsx(Fragment, {
-        children: children(allowed)
-    });
-    return allowed ? /*#__PURE__*/ jsx(Fragment, {
-        children: children
-    }) : null;
-};
 const AuthStateContext = /*#__PURE__*/ createContext(null);
 function AuthProvider({ children, config }) {
     const [ability] = useState(()=>createAbility({}));
-    const [permissions, setPermissions] = useState([]);
-    const [roles, setRoles] = useState([]);
-    const [userId, setUserId] = useState(null);
     const [isLoading, setIsLoading] = useState(false);
     const [error, setError] = useState(null);
     const [client] = useState(()=>new PermissionClient(config?.permissionApi));
-    const fetchPermissions = useCallback(async (uid)=>{
+    const fetchPermissions = useCallback(async ()=>{
         setIsLoading(true);
         setError(null);
         try {
-            const data = await client.fetchPermissions(uid);
-            const normalizedRoles = data.roles.map((role)=>'string' == typeof role ? role : role.name);
-            setPermissions(data.permissions);
-            setRoles(normalizedRoles);
-            setUserId(data.userId);
+            const data = await client.fetchPermissions();
             updateAbility(ability, {
-                permissions: data.permissions,
-                roles: normalizedRoles
+                roles: data.roles
             });
             config?.onSuccess?.(data);
         } catch (err) {
@@ -79,28 +34,17 @@ function AuthProvider({ children, config }) {
         client,
         config
     ]);
-    const refetch = useCallback(async ()=>{
-        await fetchPermissions(userId);
-    }, [
-        userId,
-        fetchPermissions
-    ]);
     useEffect(()=>{
-        if (config?.autoFetch !== false) fetchPermissions();
+        if (config?.enable !== false) fetchPermissions();
     }, [
-        config?.autoFetch,
+        config?.enable,
         fetchPermissions
     ]);
     const stateContextValue = {
-        permissions,
-        roles,
-        userId,
-        setUserId,
-        noPermissionPath: config?.noPermissionPath,
+        ability,
         isLoading,
         error,
-        fetchPermissions,
-        refetch
+        fetchPermissions
     };
     return /*#__PURE__*/ jsx(AbilityContext.Provider, {
         value: ability,
@@ -110,31 +54,40 @@ function AuthProvider({ children, config }) {
         })
     });
 }
+async function getAbility(permissionApiConfig) {
+    const ability = createAbility({});
+    const client = new PermissionClient(permissionApiConfig);
+    try {
+        const data = await client.fetchPermissions();
+        updateAbility(ability, {
+            roles: data.roles
+        });
+    } catch (err) {
+        const error = err instanceof Error ? err : new Error(String(err));
+        return error;
+    }
+    return ability;
+}
 function useAuth() {
     const context = useContext(AuthStateContext);
     if (!context) throw new Error('useAuth must be used within an AuthProvider');
     return context;
 }
-function useAbility() {
+function useAuthAbility() {
     return useContext(AbilityContext);
 }
-function usePermissions() {
-    const { permissions } = useAuth();
-    return permissions;
-}
-function useRoles() {
-    const { roles } = useAuth();
-    return roles;
-}
-function useUserId() {
-    const { userId, setUserId } = useAuth();
-    return [
-        userId,
-        setUserId
-    ];
-}
-function useNoPermissionPath() {
-    const { noPermissionPath } = useAuth();
-    return noPermissionPath;
+const Can = createContextualCan(AbilityContext.Consumer);
+const useCanRole = function({ roles }) {
+    const ability = useContext(AbilityContext);
+    const allowed = !roles || 0 === roles.length || roles.length > 0 && roles.some((role)=>ability.can(role, ROLE_SUBJECT));
+    return !!allowed;
+};
+function CanRole({ children, roles }) {
+    const allowed = useCanRole({
+        roles
+    });
+    return allowed ? /*#__PURE__*/ jsx(Fragment, {
+        children: children
+    }) : null;
 }
-export { AbilityContext, AuthProvider, Can, CanPermission, CanRole, useAbility, useAuth, useCanPermission, useCanRole, useNoPermissionPath, usePermissions, useRoles, useUserId };
+export { AbilityContext, AuthProvider, Can, CanRole, getAbility, useAuth, useAuthAbility, useCanRole };

package/lib/ability-factory.d.ts

@@ -1,4 +1,4 @@
-import { Ability } from '@casl/ability';
+import { MongoAbility as Ability } from '@casl/ability';
 import type { Permission, CaslRule } from './types';
 export declare const ROLE_SUBJECT = "@role";
 /**
@@ -6,9 +6,9 @@ export declare const ROLE_SUBJECT = "@role";
  */
 export declare function convertPermissionsToRules(permissions: Permission[], roles: string[]): CaslRule[];
 /**
- * 创建 Ability 实例
+ * 创建 MongoAbility 实例
  */
-export declare function createAbility({ permissions, roles }: {
+export declare function createAbility({ permissions, roles, }: {
     permissions?: Permission[];
     roles?: string[];
 }): Ability;

package/lib/ability-factory.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ability-factory.d.ts","sourceRoot":"","sources":["../src/ability-factory.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAgC,MAAM,eAAe,CAAC;AACtE,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEpD,eAAO,MAAM,YAAY,UAAU,CAAC;AACpC;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,WAAW,EAAE,UAAU,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,QAAQ,EAAE,CAoBhG;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,EAAC,WAAW,EAAE,KAAK,EAAC,EAAE;IAAC,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;CAAC,GAAG,OAAO,CAkB3G;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,EAAC,WAAW,EAAE,KAAK,EAAC,EAAE;IAAC,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;CAAC,GAAG,IAAI,CAG1H"}
+{"version":3,"file":"ability-factory.d.ts","sourceRoot":"","sources":["../src/ability-factory.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,IAAI,OAAO,EAGxB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEpD,eAAO,MAAM,YAAY,UAAU,CAAC;AACpC;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,WAAW,EAAE,UAAU,EAAE,EACzB,KAAK,EAAE,MAAM,EAAE,GACd,QAAQ,EAAE,CAmBZ;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,EAC5B,WAAW,EACX,KAAK,GACN,EAAE;IACD,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;IAC3B,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;CAClB,GAAG,OAAO,CAkBV;AAED;;GAEG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,OAAO,EAChB,EAAE,WAAW,EAAE,KAAK,EAAE,EAAE;IAAE,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,GACvE,IAAI,CAGN"}

package/lib/ability-factory.js

@@ -1,4 +1,4 @@
-import { Ability, AbilityBuilder } from "@casl/ability";
+import { AbilityBuilder, createMongoAbility } from "@casl/ability";
 const ROLE_SUBJECT = '@role';
 function convertPermissionsToRules(permissions, roles) {
     const rules = [];
@@ -13,7 +13,7 @@ function convertPermissionsToRules(permissions, roles) {
     return rules;
 }
 function createAbility({ permissions, roles }) {
-    const { build, can } = new AbilityBuilder(Ability);
+    const { build, can } = new AbilityBuilder(createMongoAbility);
     const rules = convertPermissionsToRules(permissions || [], roles || []);
     for (const rule of rules)if (Array.isArray(rule.action)) for (const action of rule.action)can(action, rule.subject, rule.fields);
     else can(rule.action, rule.subject, rule.fields);

package/lib/index.d.ts

@@ -4,12 +4,9 @@
  * 基于 CASL 的前端鉴权 SDK
  * 封装了权限数据获取和 Ability 初始化逻辑
  */
-export type { Action, Subject, Permission, UserRole, PermissionApiResponse, PermissionApiConfig, AuthSdkConfig, CaslRule, } from './types';
-export { createAbility, updateAbility, convertPermissionsToRules, } from './ability-factory';
+export type { PermissionApiResponse, PermissionApiConfig, AuthSdkConfig, } from './types';
+export { ROLE_SUBJECT } from './ability-factory';
 export { PermissionClient } from './permission-client';
-export { AuthProvider, Can, useCanPermission, CanPermission, useCanRole, CanRole, useAuth, useAbility, usePermissions, useRoles, AbilityContext, useUserId, useNoPermissionPath, } from './AuthProvider';
-export { CanRoute } from './CanRoute';
-export type { AuthProviderProps, UseCanPermissionProps, UseCanRoleProps, CanPermissionProps, CanRoleProps, } from './AuthProvider';
-export type { CanRouteProps } from './CanRoute';
-export { Ability, AbilityBuilder, type AbilityClass } from '@casl/ability';
+export { AuthProvider, useAuth, CanRole, AbilityContext } from './AuthProvider';
+export type { AuthProviderProps } from './AuthProvider';
 //# sourceMappingURL=index.d.ts.map

package/lib/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,YAAY,EACV,MAAM,EACN,OAAO,EACP,UAAU,EACV,QAAQ,EACR,qBAAqB,EACrB,mBAAmB,EACnB,aAAa,EACb,QAAQ,GACT,MAAM,SAAS,CAAC;AAGjB,OAAO,EACL,aAAa,EACb,aAAa,EACb,yBAAyB,GAC1B,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAGvD,OAAO,EACL,YAAY,EACZ,GAAG,EACH,gBAAgB,EAChB,aAAa,EACb,UAAU,EACV,OAAO,EACP,OAAO,EACP,UAAU,EACV,cAAc,EACd,QAAQ,EACR,cAAc,EACd,SAAS,EACT,mBAAmB,GACpB,MAAM,gBAAgB,CAAC;AAGxB,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAEtC,YAAY,EACV,iBAAiB,EACjB,qBAAqB,EACrB,eAAe,EACf,kBAAkB,EAClB,YAAY,GACb,MAAM,gBAAgB,CAAC;AAExB,YAAY,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAGhD,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,KAAK,YAAY,EAAE,MAAM,eAAe,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,YAAY,EACV,qBAAqB,EACrB,mBAAmB,EACnB,aAAa,GACd,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAGvD,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEhF,YAAY,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC"}

package/lib/index.js

@@ -1,6 +1,4 @@
-import { convertPermissionsToRules, createAbility, updateAbility } from "./ability-factory.js";
+import { ROLE_SUBJECT } from "./ability-factory.js";
 import { PermissionClient } from "./permission-client.js";
-import { AbilityContext, AuthProvider, Can, CanPermission, CanRole, useAbility, useAuth, useCanPermission, useCanRole, useNoPermissionPath, usePermissions, useRoles, useUserId } from "./AuthProvider.js";
-import { CanRoute } from "./CanRoute.js";
-import { Ability, AbilityBuilder } from "@casl/ability";
-export { Ability, AbilityBuilder, AbilityContext, AuthProvider, Can, CanPermission, CanRole, CanRoute, PermissionClient, convertPermissionsToRules, createAbility, updateAbility, useAbility, useAuth, useCanPermission, useCanRole, useNoPermissionPath, usePermissions, useRoles, useUserId };
+import { AbilityContext, AuthProvider, CanRole, useAuth } from "./AuthProvider.js";
+export { AbilityContext, AuthProvider, CanRole, PermissionClient, ROLE_SUBJECT, useAuth };

package/lib/permission-client.d.ts

@@ -7,9 +7,8 @@ export declare class PermissionClient {
     constructor(config?: PermissionApiConfig);
     /**
      * 获取用户权限数据
-     * @param userId - 用户ID（可选，用于向后兼容。如果端点包含 :userId，则会替换）
      */
-    fetchPermissions(userId?: string): Promise<PermissionApiResponse>;
+    fetchPermissions(): Promise<PermissionApiResponse>;
     /**
      * 更新配置
      */

package/lib/permission-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"permission-client.d.ts","sourceRoot":"","sources":["../src/permission-client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAY1E;;GAEG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAAsB;gBAExB,MAAM,CAAC,EAAE,mBAAmB;IAOxC;;;OAGG;IACG,gBAAgB,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,qBAAqB,CAAC;IAsEvE;;OAEG;IACH,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,mBAAmB,CAAC,GAAG,IAAI;IAOxD;;OAEG;IACH,SAAS,IAAI,mBAAmB;CAGjC"}
+{"version":3,"file":"permission-client.d.ts","sourceRoot":"","sources":["../src/permission-client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAU1E;;GAEG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAAsB;gBAExB,MAAM,CAAC,EAAE,mBAAmB;IAOxC;;OAEG;IACG,gBAAgB,IAAI,OAAO,CAAC,qBAAqB,CAAC;IA0DxD;;OAEG;IACH,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,mBAAmB,CAAC,GAAG,IAAI;IAOxD;;OAEG;IACH,SAAS,IAAI,mBAAmB;CAGjC"}

package/lib/permission-client.js

@@ -1,8 +1,6 @@
 const DEFAULT_CONFIG = {
     baseUrl: '',
-    endpoint: '/api/permissions',
-    timeout: 5000,
-    withCredentials: true
+    timeout: 5000
 };
 class PermissionClient {
     constructor(config){
@@ -11,35 +9,35 @@ class PermissionClient {
             ...config
         };
     }
-    async fetchPermissions(userId) {
-        const { baseUrl = DEFAULT_CONFIG.baseUrl, endpoint = DEFAULT_CONFIG.endpoint, timeout = DEFAULT_CONFIG.timeout, headers = {}, apiToken, withCredentials = DEFAULT_CONFIG.withCredentials } = this.config;
-        let finalEndpoint = endpoint;
-        if (userId) finalEndpoint = endpoint.includes(':userId') ? endpoint.replace(':userId', userId) : `${endpoint}?mockUserId=${userId}`;
-        const url = `${baseUrl}${finalEndpoint}`;
+    async fetchPermissions() {
+        const { timeout = DEFAULT_CONFIG.timeout, headers = {} } = this.config;
+        const { appId } = window;
+        if (!appId) throw new Error('appId is required');
+        const url = `/spark/app/${appId}/runtime/api/v1/permissions/roles`;
         const requestHeaders = {
+            ...headers,
             'Content-Type': 'application/json',
-            ...headers
+            'X-Suda-Csrf-Token': window.csrfToken || ''
         };
-        if (apiToken) requestHeaders['Authorization'] = `Bearer ${apiToken}`;
         const controller = new AbortController();
         const timeoutId = setTimeout(()=>controller.abort(), timeout);
         try {
             const response = await fetch(url, {
-                method: 'GET',
+                method: 'POST',
                 headers: requestHeaders,
                 signal: controller.signal,
-                credentials: withCredentials ? 'include' : 'same-origin'
+                credentials: 'include'
             });
             clearTimeout(timeoutId);
             if (!response.ok) throw new Error(`Permission API returned ${response.status}: ${response.statusText}`);
             const data = await response.json();
             return {
-                ...data,
-                fetchedAt: data.fetchedAt || new Date().toISOString()
+                roles: data.data?.roleList || [],
+                fetchedAt: new Date()
             };
         } catch (error) {
             clearTimeout(timeoutId);
-            if ('AbortError' === error.name) throw new Error(`Permission API request timeout after ${timeout}ms`);
+            if (error instanceof Error && 'AbortError' === error.name) throw new Error(`Permission API request timeout after ${timeout}ms`);
             throw error;
         }
     }

package/lib/types.d.ts

@@ -1,3 +1,8 @@
+declare global {
+    interface Window {
+        csrfToken?: string;
+    }
+}
 /**
  * 权限操作类型
  */
@@ -27,9 +32,7 @@ export interface UserRole {
  * 权限 API 响应数据
  */
 export interface PermissionApiResponse {
-    userId: string;
-    roles: (string | UserRole)[];
-    permissions: Permission[];
+    roles: string[];
     fetchedAt?: string | Date;
 }
 /**
@@ -41,11 +44,6 @@ export interface PermissionApiConfig {
      * @default ''
      */
     baseUrl?: string;
-    /**
-     * API 端点路径
-     * @default '/api/permissions'
-     */
-    endpoint?: string;
     /**
      * 请求超时时间（毫秒）
      * @default 5000
@@ -55,34 +53,20 @@ export interface PermissionApiConfig {
      * 自定义请求头
      */
     headers?: Record<string, string>;
-    /**
-     * API Token，会自动添加到 Authorization header
-     */
-    apiToken?: string;
-    /**
-     * 是否携带凭证（cookies）
-     * @default true
-     */
-    withCredentials?: boolean;
 }
 /**
  * Auth SDK 配置选项
  */
 export interface AuthSdkConfig {
-    /**
-     * 无权限路径
-     * @default '/no-access'
-     */
-    noPermissionPath?: string;
     /**
      * 权限 API 配置
      */
     permissionApi?: PermissionApiConfig;
     /**
-     * 是否在初始化时自动获取权限
+     * 是否在初始化时使用获取权限
      * @default false
      */
-    autoFetch?: boolean;
+    enable?: boolean;
     /**
      * 获取权限失败时的错误处理
      */

package/lib/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,MAAM,MAAM,GAAG,QAAQ,GAAG,MAAM,GAAG,QAAQ,GAAG,QAAQ,GAAG,QAAQ,GAAG,MAAM,CAAC;AAEjF;;GAEG;AACH,MAAM,MAAM,OAAO,GAAG,MAAM,CAAC;AAE7B;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,OAAO,CAAC;IACb,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,CAAC,MAAM,GAAG,QAAQ,CAAC,EAAE,CAAC;IAC7B,WAAW,EAAE,UAAU,EAAE,CAAC;IAC1B,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAEjC;;OAEG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B;;;OAGG;IACH,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;OAEG;IACH,aAAa,CAAC,EAAE,mBAAmB,CAAC;IAEpC;;;OAGG;IACH,SAAS,CAAC,EAAE,OAAO,CAAC;IAEpB;;OAEG;IACH,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IAEjC;;OAEG;IACH,SAAS,CAAC,EAAE,CAAC,IAAI,EAAE,qBAAqB,KAAK,IAAI,CAAC;CACnD;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC1B,OAAO,EAAE,OAAO,GAAG,OAAO,EAAE,CAAC;IAC7B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,MAAM;QACd,SAAS,CAAC,EAAE,MAAM,CAAC;KACpB;CACF;AAED;;GAEG;AACH,MAAM,MAAM,MAAM,GACd,QAAQ,GACR,MAAM,GACN,QAAQ,GACR,QAAQ,GACR,QAAQ,GACR,MAAM,CAAC;AAEX;;GAEG;AACH,MAAM,MAAM,OAAO,GAAG,MAAM,CAAC;AAE7B;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,OAAO,CAAC;IACb,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B;;OAEG;IACH,aAAa,CAAC,EAAE,mBAAmB,CAAC;IAEpC;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB;;OAEG;IACH,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IAEjC;;OAEG;IACH,SAAS,CAAC,EAAE,CAAC,IAAI,EAAE,qBAAqB,KAAK,IAAI,CAAC;CACnD;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC1B,OAAO,EAAE,OAAO,GAAG,OAAO,EAAE,CAAC;IAC7B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lark-apaas/auth-sdk",
-  "version": "0.1.0-alpha.0",
+  "version": "0.1.0-alpha.11",
   "description": "基于 CASL 的前端鉴权 SDK",
   "types": "./lib/index.d.ts",
   "main": "./lib/index.js",

package/lib/CanRoute.d.ts

@@ -1,42 +0,0 @@
-import { type ReactNode } from 'react';
-/**
- * CanRoute 组件 Props
- */
-export interface CanRouteProps {
-    permissions?: Array<{
-        action: string;
-        subject: string;
-    }>;
-    roles?: string[];
-    children: ReactNode;
-    redirectTo?: string;
-    fallback?: ReactNode;
-}
-/**
- * CanRoute 组件 - 路由级别的权限守卫
- *
- * 基于权限和角色进行路由级别的访问控制
- * 当权限或角色检查失败时，会渲染 fallback 内容或返回 null
- *
- * @example
- * ```tsx
- * import { CanRoute } from '@lark-apaas/auth-sdk';
- * import { Navigate, useLocation } from 'react-router-dom';
- *
- * function ProtectedRoute() {
- *   const location = useLocation();
- *
- *   return (
- *     <CanRoute
- *       permissions={[{ action: 'read', subject: 'Task' }]}
- *       roles={['admin']}
- *       fallback={<Navigate to="/forbidden" replace state={{ from: location }} />}
- *     >
- *       <TaskList />
- *     </CanRoute>
- *   );
- * }
- * ```
- */
-export declare function CanRoute({ permissions, roles, children, fallback, redirectTo }: CanRouteProps): import("react/jsx-runtime").JSX.Element | null;
-//# sourceMappingURL=CanRoute.d.ts.map

package/lib/CanRoute.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"CanRoute.d.ts","sourceRoot":"","sources":["../src/CanRoute.tsx"],"names":[],"mappings":"AAAA,OAAO,EAAC,KAAK,SAAS,EAAE,MAAM,OAAO,CAAC;AAItC;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,WAAW,CAAC,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACzD,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,SAAS,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,SAAS,CAAC;CACtB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,QAAQ,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAe,EAAE,UAAe,EAAE,EAAE,aAAa,kDAezG"}

package/lib/CanRoute.js

@@ -1,27 +0,0 @@
-import { Fragment, jsx } from "react/jsx-runtime";
-import { Navigate, useLocation } from "react-router-dom";
-import { useCanPermission, useCanRole, useNoPermissionPath } from "./AuthProvider.js";
-function CanRoute({ permissions, roles, children, fallback = null, redirectTo = '' }) {
-    const noPermissionPath = useNoPermissionPath();
-    const location = useLocation();
-    let allPass = true;
-    if (!useCanPermission({
-        permissions
-    })) allPass = false;
-    if (!useCanRole({
-        roles
-    })) allPass = false;
-    if (!allPass) return fallback ? /*#__PURE__*/ jsx(Fragment, {
-        children: fallback
-    }) : redirectTo || noPermissionPath ? /*#__PURE__*/ jsx(Navigate, {
-        to: redirectTo || noPermissionPath,
-        replace: true,
-        state: {
-            from: location
-        }
-    }) : null;
-    return /*#__PURE__*/ jsx(Fragment, {
-        children: children
-    });
-}
-export { CanRoute };

package/lib/RouteGuard.d.ts

@@ -1,42 +0,0 @@
-import { type ReactNode } from 'react';
-/**
- * RouteGuard 组件 Props
- */
-export interface RouteGuardProps {
-    permissions?: Array<{
-        action: string;
-        subject: string;
-    }>;
-    roles?: string[];
-    children: ReactNode;
-    redirectTo?: string;
-    fallback?: ReactNode;
-}
-/**
- * RouteGuard 组件 - 路由级别的权限守卫
- *
- * 基于权限和角色进行路由级别的访问控制
- * 当权限或角色检查失败时，会渲染 fallback 内容或返回 null
- *
- * @example
- * ```tsx
- * import { RouteGuard } from '@lark-apaas/auth-sdk';
- * import { Navigate, useLocation } from 'react-router-dom';
- *
- * function ProtectedRoute() {
- *   const location = useLocation();
- *
- *   return (
- *     <RouteGuard
- *       permissions={[{ action: 'read', subject: 'Task' }]}
- *       roles={['admin']}
- *       fallback={<Navigate to="/forbidden" replace state={{ from: location }} />}
- *     >
- *       <TaskList />
- *     </RouteGuard>
- *   );
- * }
- * ```
- */
-export declare function RouteGuard({ permissions, roles, children, fallback, redirectTo }: RouteGuardProps): import("react/jsx-runtime").JSX.Element | null;
-//# sourceMappingURL=RouteGuard.d.ts.map

package/lib/RouteGuard.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"RouteGuard.d.ts","sourceRoot":"","sources":["../src/RouteGuard.tsx"],"names":[],"mappings":"AAAA,OAAO,EAAC,KAAK,SAAS,EAAE,MAAM,OAAO,CAAC;AAGtC;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,WAAW,CAAC,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IACzD,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,QAAQ,EAAE,SAAS,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,EAAE,SAAS,CAAC;CACtB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,UAAU,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAe,EAAE,UAAe,EAAE,EAAE,eAAe,kDAe7G"}

package/lib/RouteGuard.js

@@ -1,27 +0,0 @@
-import { Fragment, jsx } from "react/jsx-runtime";
-import { Navigate, useLocation } from "react-router-dom";
-import { useCanPermission, useCanRole, useNoPermissionPath } from "./AuthProvider.js";
-function RouteGuard({ permissions, roles, children, fallback = null, redirectTo = '' }) {
-    const noPermissionPath = useNoPermissionPath();
-    const location = useLocation();
-    let allPass = true;
-    if (!useCanPermission({
-        permissions
-    })) allPass = false;
-    if (!useCanRole({
-        roles
-    })) allPass = false;
-    if (!allPass) return fallback ? /*#__PURE__*/ jsx(Fragment, {
-        children: fallback
-    }) : redirectTo || noPermissionPath ? /*#__PURE__*/ jsx(Navigate, {
-        to: redirectTo || noPermissionPath,
-        replace: true,
-        state: {
-            from: location
-        }
-    }) : null;
-    return /*#__PURE__*/ jsx(Fragment, {
-        children: children
-    });
-}
-export { RouteGuard };