@lark-apaas/auth-sdk 0.1.0-alpha.8 → 0.1.0-alpha.81

package/README.md

@@ -16,7 +16,7 @@ yarn add @lark-apaas/auth-sdk
 
 ```tsx
 import React from 'react';
-import { AuthProvider, Can, useAuthAbility } from '@lark-apaas/auth-sdk';
+import { AuthProvider, CanRole, useAuth } from '@lark-apaas/auth-sdk';
 
 export default function App() {
   return (
@@ -35,7 +35,8 @@ export default function App() {
 }
 ```
 
-### 开发组件 - 使用 Can 组件
+
+### 开发组件 - 使用 CanRole 组件
 
 ```tsx
 import { CanRole } from '@lark-apaas/auth-sdk';
@@ -72,31 +73,7 @@ function Home() {
 }
 ```
 
-### 开发组件 - 进阶示例
-
-### 菜单按权限过滤
-
-```tsx
-import { useContext } from 'react';
-import { AbilityContext } from '@lark-apaas/auth-sdk';
-
-const menus = [
-  { name: 'Dashboard', path: '/dashboard', p: { action: 'role_admin', subject: '@role' } },
-  { name: 'Users', path: '/users', p: { action: 'role_editor', subject: '@role' } },
-  { name: 'Settings', path: '/settings', p: { action: 'role_admin', subject: '@role' } },
-];
-
-function Nav() {
-  const ability = useContext(AbilityContext);
-  return (
-    <nav>
-      {menus.map(m => ability.can(m.p.action, m.p.subject) && (
-        <a key={m.path} href={m.path}>{m.name}</a>
-      ))}
-    </nav>
-  );
-} 
-```
+### 开发组件 - 见 Client Toolkit
 
 ---
 

package/lib/AuthProvider.d.ts

@@ -1,6 +1,6 @@
 import React from 'react';
 import { MongoAbility } from '@casl/ability';
-import type { AuthSdkConfig } from './types';
+import type { AuthSdkConfig, PermissionPointData } from './types';
 /**
  * Ability Context - 用于在组件树中共享 Ability 实例
  */
@@ -11,6 +11,7 @@ export declare const AbilityContext: React.Context<MongoAbility<import("@casl/ab
  */
 interface AuthStateContextValue {
     ability: MongoAbility;
+    permissions: PermissionPointData[];
     isLoading: boolean;
     error: Error | null;
     fetchPermissions: (userId?: string) => Promise<void>;
@@ -33,10 +34,9 @@ export interface AuthProviderProps {
  *
  * function App() {
  *   return (
- *     <AuthProvider userId="user-123" config={{
+ *     <AuthProvider config={{
  *       permissionApi: {
- *         baseUrl: 'http://localhost:3000',
- *         endpoint: '/mock-api/users/:userId/permissions'
+ *         url: '/app/app_xxx/__runtime__/api/v1/permissions/roles',
  *       }
  *     }}>
  *       <YourApp />
@@ -46,23 +46,15 @@ export interface AuthProviderProps {
  * ```
  */
 export declare function AuthProvider({ children, config }: AuthProviderProps): import("react/jsx-runtime").JSX.Element;
-/**
- * 获取 Ability 实例
- *
- * @param permissionApiConfig - 权限 API 配置
- * @returns Ability 实例或错误
- */
-export declare function getAbility(permissionApiConfig: AuthSdkConfig['permissionApi']): Promise<Error | MongoAbility<import("@casl/ability").AbilityTuple, import("@casl/ability").MongoQuery>>;
 /**
  * useAuth Hook - 获取权限数据和加载状态
  *
  * @example
  * ```tsx
- * import { useAuth, useAbility } from '@lark-apaas/auth-sdk';
+ * import { useAuth } from '@lark-apaas/auth-sdk';
  *
  * function MyComponent() {
- *   const { permissions, isLoading } = useAuth();
- *   const ability = useAbility();
+ *   const { ability, isLoading } = useAuth();
  *
  *   if (isLoading) return <div>Loading...</div>;
  *
@@ -76,63 +68,72 @@ export declare function getAbility(permissionApiConfig: AuthSdkConfig['permissio
  */
 export declare function useAuth(): AuthStateContextValue;
 /**
- * useAuthAbility Hook - 获取 Ability 实例
+ * CanRole Component - 基于角色的条件渲染组件
+ *
+ * 支持 fallback prop，用于在权限加载期间显示自定义内容（如 Loading），
+ * 避免加载期间因 can() 返回 false 而误判为无权限。
  *
  * @example
  * ```tsx
- * import { useAuthAbility } from '@lark-apaas/auth-sdk';
+ * import { CanRole } from '@lark-apaas/auth-sdk';
  *
  * function MyComponent() {
- *   const ability = useAuthAbility();
- *
  *   return (
- *     <button disabled={ability.cannot('create', 'Task')}>
- *       Create Task
- *     </button>
+ *     <CanRole roles={['admin']} fallback={<Loading />}>
+ *       <AdminPanel />
+ *     </CanRole>
  *   );
  * }
  * ```
  */
-export declare function useAuthAbility(): MongoAbility;
+export declare function CanRole({ children, roles, fallback, }: {
+    children: React.ReactNode;
+    roles: string[];
+    fallback?: React.ReactNode;
+}): import("react/jsx-runtime").JSX.Element | null;
+/**
+ * useUserPermissions Hook - 获取当前用户的权限点位列表
+ */
+export declare function useUserPermissions(): PermissionPointData[];
 /**
- * Can Component - 基于 Ability 实例的条件渲染组件
+ * useCan Hook - 通过 CASL Ability 判断用户是否拥有指定权限
  *
- * @example
- * ```tsx
- * import { Can } from '@lark-apaas/auth-sdk';
+ * @param action - 操作类型，如 'read', 'create'
+ * @param subject - 资源类型，如 'Task', 'Article'；角色检查时传 '@role'
  *
- * function MyComponent() {
- *   return (
- *     <Can I="Admin" a="@role">
- *       <TaskList />
- *     </Can>
- *   );
- * }
+ * @example
+ * ```ts
+ * const { allowed: canRead, isLoading } = useCan('read', 'Task');
+ * if (isLoading) return <Loading />;
+ * if (!canRead) return <NoAccess />;
  * ```
  */
-export declare const Can: React.FunctionComponent<import("@casl/react").BoundCanProps<MongoAbility<import("@casl/ability").AbilityTuple, import("@casl/ability").MongoQuery>>>;
-export declare const useCanRole: ({ roles }: {
-    roles: string[];
-}) => boolean;
+export declare function useCan(action: string, subject: string): {
+    allowed: boolean;
+    isLoading: boolean;
+};
 /**
- * CanRole Component - 基于 Ability 实例的角色条件渲染组件
+ * Can Component - 基于 CASL Ability 的条件渲染组件
+ * 前后端统一：后端 @Can('read', 'Task')，前端 <Can action="read" subject="Task">
  *
  * @example
  * ```tsx
- * import { CanRole } from '@lark-apaas/auth-sdk';
+ * import { Can } from '@lark-apaas/auth-sdk';
  *
- * function MyComponent() {
- *   return (
- *     <CanRole role="Admin">
- *       <TaskList />
- *     </CanRole>
- *   );
- * }
+ * <Can action="read" subject="Task">
+ *   <TaskList />
+ * </Can>
+ *
+ * <Can action="delete" subject="Task" fallback={<Skeleton />}>
+ *   <DeleteButton />
+ * </Can>
  * ```
  */
-export declare function CanRole({ children, roles, }: {
+export declare function Can({ children, action, subject, fallback, }: {
     children: React.ReactNode;
-    roles: string[];
+    action: string;
+    subject: string;
+    fallback?: React.ReactNode;
 }): import("react/jsx-runtime").JSX.Element | null;
 export {};
 //# sourceMappingURL=AuthProvider.d.ts.map

package/lib/AuthProvider.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"AuthProvider.d.ts","sourceRoot":"","sources":["../src/AuthProvider.tsx"],"names":[],"mappings":"AAAA,OAAO,KAMN,MAAM,OAAO,CAAC;AACf,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAK7C;;GAEG;AACH,eAAO,MAAM,cAAc,uGAE1B,CAAC;AAEF;;;GAGG;AACH,UAAU,qBAAqB;IAC7B,OAAO,EAAE,YAAY,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,gBAAgB,EAAE,CAAC,MAAM,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACtD;AAOD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;IAC1B,MAAM,CAAC,EAAE,aAAa,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,wBAAgB,YAAY,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,iBAAiB,2CA2DnE;AAED;;;;;GAKG;AACH,wBAAsB,UAAU,CAC9B,mBAAmB,EAAE,aAAa,CAAC,eAAe,CAAC,2GAiBpD;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,OAAO,IAAI,qBAAqB,CAQ/C;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,cAAc,IAAI,YAAY,CAE7C;AAED;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,GAAG,sJAA+C,CAAC;AAEhE,eAAO,MAAM,UAAU,GAAa,WAAW;IAAE,KAAK,EAAE,MAAM,EAAE,CAAA;CAAE,KAAG,OAepE,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,OAAO,CAAC,EACtB,QAAQ,EACR,KAAK,GACN,EAAE;IACD,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;IAC1B,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB,kDAIA"}
+{"version":3,"file":"AuthProvider.d.ts","sourceRoot":"","sources":["../src/AuthProvider.tsx"],"names":[],"mappings":"AAAA,OAAO,KAMN,MAAM,OAAO,CAAC;AACf,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,KAAK,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAIlE;;GAEG;AACH,eAAO,MAAM,cAAc,uGAE1B,CAAC;AAOF;;;GAGG;AACH,UAAU,qBAAqB;IAC7B,OAAO,EAAE,YAAY,CAAC;IACtB,WAAW,EAAE,mBAAmB,EAAE,CAAC;IACnC,SAAS,EAAE,OAAO,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,gBAAgB,EAAE,CAAC,MAAM,CAAC,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACtD;AAOD;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;IAC1B,MAAM,CAAC,EAAE,aAAa,CAAC;CACxB;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,YAAY,CAAC,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,iBAAiB,2CAkFnE;AAGD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,OAAO,IAAI,qBAAqB,CAQ/C;AAqBD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,OAAO,CAAC,EACtB,QAAQ,EACR,KAAK,EACL,QAAe,GAChB,EAAE;IACD,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;IAC1B,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,QAAQ,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC;CAC5B,kDAKA;AAED;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,mBAAmB,EAAE,CAE1D;AAED;;;;;;;;;;;;GAYG;AACH,wBAAgB,MAAM,CACpB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,MAAM,GACd;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,SAAS,EAAE,OAAO,CAAA;CAAE,CAM1C;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,GAAG,CAAC,EAClB,QAAQ,EACR,MAAM,EACN,OAAO,EACP,QAAe,GAChB,EAAE;IACD,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC;CAC5B,kDAIA"}

package/lib/AuthProvider.js

@@ -1,27 +1,37 @@
 import { Fragment, jsx } from "react/jsx-runtime";
 import { createContext, useCallback, useContext, useEffect, useState } from "react";
-import { ROLE_SUBJECT, createAbility, updateAbility } from "./ability-factory.js";
+import { ROLE_SUBJECT, createAbility } from "./ability-factory.js";
 import { PermissionClient } from "./permission-client.js";
-import { createContextualCan } from "@casl/react";
 const AbilityContext = /*#__PURE__*/ createContext(createAbility({
-    permissions: [],
-    roles: []
+    roles: [],
+    permissionPoints: []
 }));
+const PermissionsContext = /*#__PURE__*/ createContext([]);
 const AuthStateContext = /*#__PURE__*/ createContext(null);
 function AuthProvider({ children, config }) {
-    const [ability] = useState(()=>createAbility({}));
-    const [isLoading, setIsLoading] = useState(false);
+    const [ability, setAbility] = useState(()=>createAbility({}));
+    const [permissions, setPermissions] = useState([]);
+    const [client] = useState(()=>config?.permissionApi ? new PermissionClient(config.permissionApi) : null);
+    const [isLoading, setIsLoading] = useState(()=>config?.enable !== false && null !== client);
     const [error, setError] = useState(null);
-    const [client] = useState(()=>new PermissionClient(config?.permissionApi));
     const fetchPermissions = useCallback(async ()=>{
+        if (!client) return;
         setIsLoading(true);
         setError(null);
         try {
             const data = await client.fetchPermissions();
-            updateAbility(ability, {
-                roles: data.roles
-            });
-            config?.onSuccess?.(data);
+            let permissionPoints;
+            if (config?.permissionPointsFetcher) try {
+                permissionPoints = await config.permissionPointsFetcher();
+                setPermissions(permissionPoints);
+            } catch  {}
+            const rawConfig = {
+                roles: data.roles,
+                permissionPoints
+            };
+            const newAbility = createAbility(rawConfig);
+            setAbility(newAbility);
+            config?.onSuccess?.(rawConfig);
         } catch (err) {
             const error = err instanceof Error ? err : new Error(String(err));
             setError(error);
@@ -30,7 +40,6 @@ function AuthProvider({ children, config }) {
             setIsLoading(false);
         }
     }, [
-        ability,
         client,
         config
     ]);
@@ -42,54 +51,67 @@ function AuthProvider({ children, config }) {
     ]);
     const stateContextValue = {
         ability,
+        permissions,
         isLoading,
         error,
         fetchPermissions
     };
     return /*#__PURE__*/ jsx(AbilityContext.Provider, {
         value: ability,
-        children: /*#__PURE__*/ jsx(AuthStateContext.Provider, {
-            value: stateContextValue,
-            children: children
+        children: /*#__PURE__*/ jsx(PermissionsContext.Provider, {
+            value: permissions,
+            children: /*#__PURE__*/ jsx(AuthStateContext.Provider, {
+                value: stateContextValue,
+                children: children
+            })
         })
     });
 }
-async function getAbility(permissionApiConfig) {
-    const ability = createAbility({});
-    const client = new PermissionClient(permissionApiConfig);
-    try {
-        const data = await client.fetchPermissions();
-        updateAbility(ability, {
-            roles: data.roles
-        });
-    } catch (err) {
-        const error = err instanceof Error ? err : new Error(String(err));
-        return error;
-    }
-    return ability;
-}
 function useAuth() {
     const context = useContext(AuthStateContext);
     if (!context) throw new Error('useAuth must be used within an AuthProvider');
     return context;
 }
-function useAuthAbility() {
-    return useContext(AbilityContext);
-}
-const Can = createContextualCan(AbilityContext.Consumer);
-const useCanRole = function({ roles }) {
-    const context = useContext(AuthStateContext);
-    if (!context) return false;
-    const { ability } = context;
+function useCanRole({ roles }) {
+    const ability = useContext(AbilityContext);
+    const authState = useContext(AuthStateContext);
     const allowed = !roles || 0 === roles.length || roles.length > 0 && roles.some((role)=>ability.can(role, ROLE_SUBJECT));
-    return !!allowed;
-};
-function CanRole({ children, roles }) {
-    const allowed = useCanRole({
+    return {
+        allowed: !!allowed,
+        isLoading: authState?.isLoading ?? false
+    };
+}
+function CanRole({ children, roles, fallback = null }) {
+    const { allowed, isLoading } = useCanRole({
         roles
     });
+    if (isLoading) return /*#__PURE__*/ jsx(Fragment, {
+        children: fallback
+    });
+    return allowed ? /*#__PURE__*/ jsx(Fragment, {
+        children: children
+    }) : null;
+}
+function useUserPermissions() {
+    return useContext(PermissionsContext);
+}
+function useCan(action, subject) {
+    const ability = useContext(AbilityContext);
+    const authState = useContext(AuthStateContext);
+    const isLoading = authState?.isLoading ?? false;
+    const allowed = !isLoading && ability.can(action, subject);
+    return {
+        allowed,
+        isLoading
+    };
+}
+function Can({ children, action, subject, fallback = null }) {
+    const { allowed, isLoading } = useCan(action, subject);
+    if (isLoading) return /*#__PURE__*/ jsx(Fragment, {
+        children: fallback
+    });
     return allowed ? /*#__PURE__*/ jsx(Fragment, {
         children: children
     }) : null;
 }
-export { AbilityContext, AuthProvider, Can, CanRole, getAbility, useAuth, useAuthAbility, useCanRole };
+export { AbilityContext, AuthProvider, Can, CanRole, useAuth, useCan, useUserPermissions };

package/lib/ability-factory.d.ts

@@ -1,22 +1,22 @@
 import { MongoAbility as Ability } from '@casl/ability';
-import type { Permission, CaslRule } from './types';
+import type { CaslRule, PermissionPointData } from './types';
 export declare const ROLE_SUBJECT = "@role";
 /**
- * 将权限数据转换为 CASL 规则
+ * 将角色和权限点位转换为 CASL 规则
  */
-export declare function convertPermissionsToRules(permissions: Permission[], roles: string[]): CaslRule[];
+export declare function convertPermissionsToRules(roles: string[], permissionPoints?: PermissionPointData[]): CaslRule[];
 /**
  * 创建 MongoAbility 实例
  */
-export declare function createAbility({ permissions, roles, }: {
-    permissions?: Permission[];
+export declare function createAbility({ roles, permissionPoints, }: {
     roles?: string[];
+    permissionPoints?: PermissionPointData[];
 }): Ability;
 /**
  * 更新已存在的 Ability 实例
  */
-export declare function updateAbility(ability: Ability, { permissions, roles }: {
-    permissions?: Permission[];
+export declare function updateAbility(ability: Ability, { roles, permissionPoints }: {
     roles?: string[];
+    permissionPoints?: PermissionPointData[];
 }): void;
 //# sourceMappingURL=ability-factory.d.ts.map

package/lib/ability-factory.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ability-factory.d.ts","sourceRoot":"","sources":["../src/ability-factory.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,IAAI,OAAO,EAGxB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAEpD,eAAO,MAAM,YAAY,UAAU,CAAC;AACpC;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,WAAW,EAAE,UAAU,EAAE,EACzB,KAAK,EAAE,MAAM,EAAE,GACd,QAAQ,EAAE,CAmBZ;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,EAC5B,WAAW,EACX,KAAK,GACN,EAAE;IACD,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;IAC3B,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;CAClB,GAAG,OAAO,CAkBV;AAED;;GAEG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,OAAO,EAChB,EAAE,WAAW,EAAE,KAAK,EAAE,EAAE;IAAE,WAAW,CAAC,EAAE,UAAU,EAAE,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;CAAE,GACvE,IAAI,CAGN"}
+{"version":3,"file":"ability-factory.d.ts","sourceRoot":"","sources":["../src/ability-factory.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,IAAI,OAAO,EAGxB,MAAM,eAAe,CAAC;AACvB,OAAO,KAAK,EAAE,QAAQ,EAAE,mBAAmB,EAAE,MAAM,SAAS,CAAC;AAE7D,eAAO,MAAM,YAAY,UAAU,CAAC;AACpC;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,KAAK,EAAE,MAAM,EAAE,EACf,gBAAgB,CAAC,EAAE,mBAAmB,EAAE,GACvC,QAAQ,EAAE,CAkBZ;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,EAC5B,KAAK,EACL,gBAAgB,GACjB,EAAE;IACD,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IACjB,gBAAgB,CAAC,EAAE,mBAAmB,EAAE,CAAC;CAC1C,GAAG,OAAO,CAiBV;AAED;;GAEG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,OAAO,EAChB,EAAE,KAAK,EAAE,gBAAgB,EAAE,EAAE;IAAE,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;IAAC,gBAAgB,CAAC,EAAE,mBAAmB,EAAE,CAAA;CAAE,GAC1F,IAAI,CAGN"}

package/lib/ability-factory.js

@@ -1,26 +1,26 @@
 import { AbilityBuilder, createMongoAbility } from "@casl/ability";
 const ROLE_SUBJECT = '@role';
-function convertPermissionsToRules(permissions, roles) {
+function convertPermissionsToRules(roles, permissionPoints) {
     const rules = [];
-    for (const permission of permissions)for (const action of permission.actions)rules.push({
-        action,
-        subject: permission.sub
-    });
     for (const role of roles)rules.push({
         action: role,
         subject: ROLE_SUBJECT
     });
+    if (permissionPoints) for (const { action, subject } of permissionPoints)rules.push({
+        action,
+        subject
+    });
     return rules;
 }
-function createAbility({ permissions, roles }) {
+function createAbility({ roles, permissionPoints }) {
     const { build, can } = new AbilityBuilder(createMongoAbility);
-    const rules = convertPermissionsToRules(permissions || [], roles || []);
+    const rules = convertPermissionsToRules(roles || [], permissionPoints);
     for (const rule of rules)if (Array.isArray(rule.action)) for (const action of rule.action)can(action, rule.subject, rule.fields);
     else can(rule.action, rule.subject, rule.fields);
     return build();
 }
-function updateAbility(ability, { permissions, roles }) {
-    const rules = convertPermissionsToRules(permissions || [], roles || []);
+function updateAbility(ability, { roles, permissionPoints }) {
+    const rules = convertPermissionsToRules(roles || [], permissionPoints);
     ability.update(rules);
 }
 export { ROLE_SUBJECT, convertPermissionsToRules, createAbility, updateAbility };

package/lib/index.d.ts

@@ -4,9 +4,9 @@
  * 基于 CASL 的前端鉴权 SDK
  * 封装了权限数据获取和 Ability 初始化逻辑
  */
-export type { PermissionApiResponse, PermissionApiConfig, AuthSdkConfig, } from './types';
+export type { PermissionApiResponse, PermissionApiConfig, PermissionPointData, AuthSdkConfig, } from './types';
 export { ROLE_SUBJECT } from './ability-factory';
 export { PermissionClient } from './permission-client';
-export { AuthProvider, useAuth, CanRole, AbilityContext } from './AuthProvider';
+export { AuthProvider, useAuth, Can, CanRole, useCan, AbilityContext, useUserPermissions, } from './AuthProvider';
 export type { AuthProviderProps } from './AuthProvider';
 //# sourceMappingURL=index.d.ts.map

package/lib/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,YAAY,EACV,qBAAqB,EACrB,mBAAmB,EACnB,aAAa,GACd,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAGvD,OAAO,EAAE,YAAY,EAAE,OAAO,EAAE,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAEhF,YAAY,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,YAAY,EACV,qBAAqB,EACrB,mBAAmB,EACnB,mBAAmB,EACnB,aAAa,GACd,MAAM,SAAS,CAAC;AAGjB,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAEjD,OAAO,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAGvD,OAAO,EACL,YAAY,EACZ,OAAO,EACP,GAAG,EACH,OAAO,EACP,MAAM,EACN,cAAc,EACd,kBAAkB,GACnB,MAAM,gBAAgB,CAAC;AAExB,YAAY,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC"}

package/lib/index.js

@@ -1,4 +1,4 @@
 import { ROLE_SUBJECT } from "./ability-factory.js";
 import { PermissionClient } from "./permission-client.js";
-import { AbilityContext, AuthProvider, CanRole, useAuth } from "./AuthProvider.js";
-export { AbilityContext, AuthProvider, CanRole, PermissionClient, ROLE_SUBJECT, useAuth };
+import { AbilityContext, AuthProvider, Can, CanRole, useAuth, useCan, useUserPermissions } from "./AuthProvider.js";
+export { AbilityContext, AuthProvider, Can, CanRole, PermissionClient, ROLE_SUBJECT, useAuth, useCan, useUserPermissions };

package/lib/permission-client.d.ts

@@ -4,7 +4,7 @@ import type { PermissionApiConfig, PermissionApiResponse } from './types';
  */
 export declare class PermissionClient {
     private config;
-    constructor(config?: PermissionApiConfig);
+    constructor(config: PermissionApiConfig);
     /**
      * 获取用户权限数据
      */

package/lib/permission-client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"permission-client.d.ts","sourceRoot":"","sources":["../src/permission-client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAU1E;;GAEG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAAsB;gBAExB,MAAM,CAAC,EAAE,mBAAmB;IAOxC;;OAEG;IACG,gBAAgB,IAAI,OAAO,CAAC,qBAAqB,CAAC;IAyDxD;;OAEG;IACH,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,mBAAmB,CAAC,GAAG,IAAI;IAOxD;;OAEG;IACH,SAAS,IAAI,mBAAmB;CAGjC"}
+{"version":3,"file":"permission-client.d.ts","sourceRoot":"","sources":["../src/permission-client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,qBAAqB,EAAE,MAAM,SAAS,CAAC;AAG1E;;GAEG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,MAAM,CAAsB;gBAExB,MAAM,EAAE,mBAAmB;IAIvC;;OAEG;IACG,gBAAgB,IAAI,OAAO,CAAC,qBAAqB,CAAC;IAqDxD;;OAEG;IACH,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,mBAAmB,CAAC,GAAG,IAAI;IAOxD;;OAEG;IACH,SAAS,IAAI,mBAAmB;CAGjC"}

package/lib/permission-client.js

@@ -1,22 +1,14 @@
-const DEFAULT_CONFIG = {
-    baseUrl: '',
-    timeout: 5000
-};
+import { slardar } from "@lark-apaas/internal-slardar";
 class PermissionClient {
     constructor(config){
-        this.config = {
-            ...DEFAULT_CONFIG,
-            ...config
-        };
+        this.config = config;
     }
     async fetchPermissions() {
-        const { timeout = DEFAULT_CONFIG.timeout, headers = {} } = this.config;
-        const { appId } = window;
-        if (!appId) throw new Error('appId is required');
-        const url = `/spark/app/${appId}/runtime/api/v1/permissions/roles`;
+        const { url, timeout = 5000, headers = {} } = this.config;
         const requestHeaders = {
+            ...headers,
             'Content-Type': 'application/json',
-            ...headers
+            'X-Suda-Csrf-Token': window.csrfToken || ''
         };
         const controller = new AbortController();
         const timeoutId = setTimeout(()=>controller.abort(), timeout);
@@ -36,7 +28,17 @@ class PermissionClient {
             };
         } catch (error) {
             clearTimeout(timeoutId);
-            if (error instanceof Error && 'AbortError' === error.name) throw new Error(`Permission API request timeout after ${timeout}ms`);
+            if (error instanceof Error && 'AbortError' === error.name) {
+                slardar.captureException(error, {
+                    source: 'auth-sdk',
+                    type: 'timeout'
+                });
+                throw new Error(`Permission API request timeout after ${timeout}ms`);
+            }
+            slardar.captureException(error, {
+                source: 'auth-sdk',
+                type: 'fetch'
+            });
             throw error;
         }
     }

package/lib/types.d.ts

@@ -1,3 +1,10 @@
+declare global {
+    interface Window {
+        appId?: string;
+        csrfToken?: string;
+        userID?: string;
+    }
+}
 /**
  * 权限操作类型
  */
@@ -7,13 +14,12 @@ export type Action = 'create' | 'read' | 'update' | 'delete' | 'manage' | string
  */
 export type Subject = string;
 /**
- * 单个权限定义
+ * 权限点位数据（action + subject 分离模式）
+ * 由 permissionPointsFetcher 返回，注册到 CASL Ability
  */
-export interface Permission {
-    id: string;
-    name: string;
-    sub: Subject;
-    actions: Action[];
+export interface PermissionPointData {
+    action: string;
+    subject: string;
 }
 /**
  * 用户角色定义
@@ -28,6 +34,8 @@ export interface UserRole {
  */
 export interface PermissionApiResponse {
     roles: string[];
+    /** 用户的有效权限点位列表 */
+    permissions?: string[];
     fetchedAt?: string | Date;
 }
 /**
@@ -35,10 +43,9 @@ export interface PermissionApiResponse {
  */
 export interface PermissionApiConfig {
     /**
-     * API 基础 URL
-     * @default ''
+     * 权限接口完整 URL，由上层注入，不在 SDK 内部硬编码
      */
-    baseUrl?: string;
+    url: string;
     /**
      * 请求超时时间（毫秒）
      * @default 5000
@@ -57,6 +64,10 @@ export interface AuthSdkConfig {
      * 权限 API 配置
      */
     permissionApi?: PermissionApiConfig;
+    /**
+     * 权限点位数据结构（action + subject 分离模式）
+     */
+    permissionPointsFetcher?: () => Promise<PermissionPointData[]>;
     /**
      * 是否在初始化时使用获取权限
      * @default false

package/lib/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,MAAM,MAAM,GACd,QAAQ,GACR,MAAM,GACN,QAAQ,GACR,QAAQ,GACR,QAAQ,GACR,MAAM,CAAC;AAEX;;GAEG;AACH,MAAM,MAAM,OAAO,GAAG,MAAM,CAAC;AAE7B;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,OAAO,CAAC;IACb,OAAO,EAAE,MAAM,EAAE,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B;;OAEG;IACH,aAAa,CAAC,EAAE,mBAAmB,CAAC;IAEpC;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB;;OAEG;IACH,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IAEjC;;OAEG;IACH,SAAS,CAAC,EAAE,CAAC,IAAI,EAAE,qBAAqB,KAAK,IAAI,CAAC;CACnD;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC1B,OAAO,EAAE,OAAO,GAAG,OAAO,EAAE,CAAC;IAC7B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,CAAC,MAAM,CAAC;IACb,UAAU,MAAM;QACd,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,SAAS,CAAC,EAAE,MAAM,CAAC;QACnB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB;CACF;AAED;;GAEG;AACH,MAAM,MAAM,MAAM,GACd,QAAQ,GACR,MAAM,GACN,QAAQ,GACR,QAAQ,GACR,QAAQ,GACR,MAAM,CAAC;AAEX;;GAEG;AACH,MAAM,MAAM,OAAO,GAAG,MAAM,CAAC;AAE7B;;;GAGG;AACH,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,kBAAkB;IAClB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B;;OAEG;IACH,aAAa,CAAC,EAAE,mBAAmB,CAAC;IAEpC;;OAEG;IACH,uBAAuB,CAAC,EAAE,MAAM,OAAO,CAAC,mBAAmB,EAAE,CAAC,CAAC;IAE/D;;;OAGG;IACH,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB;;OAEG;IACH,OAAO,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,KAAK,IAAI,CAAC;IAEjC;;OAEG;IACH,SAAS,CAAC,EAAE,CAAC,IAAI,EAAE,qBAAqB,KAAK,IAAI,CAAC;CACnD;AAED;;GAEG;AACH,MAAM,WAAW,QAAQ;IACvB,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAC1B,OAAO,EAAE,OAAO,GAAG,OAAO,EAAE,CAAC;IAC7B,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACrC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAClB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lark-apaas/auth-sdk",
-  "version": "0.1.0-alpha.8",
+  "version": "0.1.0-alpha.81",
   "description": "基于 CASL 的前端鉴权 SDK",
   "types": "./lib/index.d.ts",
   "main": "./lib/index.js",
@@ -15,11 +15,13 @@
   "scripts": {
     "build": "rslib build",
     "dev": "rslib build --watch",
-    "type-check": "tsc --noEmit"
+    "type-check": "tsc --noEmit",
+    "prepublishOnly": "npm run build"
   },
   "dependencies": {
-    "@casl/ability": "^6.7.1",
-    "@casl/react": "^4.0.0"
+    "@casl/ability": "^6.7.5",
+    "@casl/react": "^5.0.0",
+    "@lark-apaas/internal-slardar": "^0.0.3"
   },
   "devDependencies": {
     "@rsbuild/core": "~1.4.13",