npm - @lark-apaas/nestjs-authzpaas - Versions diffs - 0.1.0-alpha.0 → 0.1.0-alpha.1 - Mend

@lark-apaas/nestjs-authzpaas 0.1.0-alpha.0 → 0.1.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -28,169 +28,162 @@ __export(index_exports, {
   AuthZPaasGuard: () => AuthZPaasGuard,
   AuthZPaasModule: () => AuthZPaasModule,
   CACHE_CONFIG_TOKEN: () => CACHE_CONFIG_TOKEN,
-  CanEnv: () => CanEnv,
-  CanPermission: () => CanPermission,
   CanRole: () => CanRole,
   DEFAULT_LOGIN_PATH: () => DEFAULT_LOGIN_PATH,
   ENABLE_MOCK_ROLE_KEY: () => ENABLE_MOCK_ROLE_KEY,
   ENVIRONMENT_KEY: () => ENVIRONMENT_KEY,
   MOCK_ROLES_COOKIE_KEY: () => MOCK_ROLES_COOKIE_KEY,
-  MockRoles: () => MockRoles,
-  NEED_LOGIN_KEY: () => NEED_LOGIN_KEY,
+  NEED_LOGIN_KEY: () => NEED_LOGIN_KEY2,
   PERMISSIONS_KEY: () => PERMISSIONS_KEY,
   PERMISSION_API_CONFIG_TOKEN: () => PERMISSION_API_CONFIG_TOKEN,
-  PermissionController: () => PermissionController,
   PermissionDeniedException: () => PermissionDeniedException,
   PermissionDeniedType: () => PermissionDeniedType,
-  PermissionDto: () => PermissionDto,
-  PermissionResponse: () => PermissionResponse,
   PermissionService: () => PermissionService,
   ROLES_KEY: () => ROLES_KEY,
   ROLE_SUBJECT: () => ROLE_SUBJECT,
-  RolesMiddleware: () => RolesMiddleware,
-  UserId: () => UserId
+  RolesMiddleware: () => RolesMiddleware
 });
 module.exports = __toCommonJS(index_exports);
 // src/authzpaas.module.ts
-var import_common7 = require("@nestjs/common");
-var import_core2 = require("@nestjs/core");
-// src/const.ts
-var ANONYMOUS_USER_ID = "anonymous_user_id";
-var PERMISSION_API_CONFIG_TOKEN = Symbol("PERMISSION_API_CONFIG");
-var CACHE_CONFIG_TOKEN = Symbol("CACHE_CONFIG");
-var AUTHZPAAS_MODULE_OPTIONS = Symbol("AUTHZPAAS_MODULE_OPTIONS");
-var ROLES_KEY = "authzpaas:roles";
-var PERMISSIONS_KEY = "authzpaas:permissions";
-var ENVIRONMENT_KEY = "authzpaas:environment";
-var NEED_LOGIN_KEY = "authzpaas:needLogin";
-var DEFAULT_LOGIN_PATH = "/login";
-var MOCK_ROLES_COOKIE_KEY = "mockRoles";
-var ENABLE_MOCK_ROLE_KEY = "__authzpaas_enableMockRole";
+var import_common11 = require("@nestjs/common");
+var import_core4 = require("@nestjs/core");
 // src/services/permission.service.ts
-var import_common3 = require("@nestjs/common");
+var import_common7 = require("@nestjs/common");
-// src/utils/memory-cache.ts
-var MemoryCache = class {
+// ../nestjs-authnpaas/dist/index.js
+var import_common = require("@nestjs/common");
+var import_core = require("@nestjs/core");
+var import_common2 = require("@nestjs/common");
+var import_core2 = require("@nestjs/core");
+var import_common3 = require("@nestjs/common");
+var import_common4 = require("@nestjs/common");
+var __defProp2 = Object.defineProperty;
+var __name2 = /* @__PURE__ */ __name((target, value) => __defProp2(target, "name", {
+  value,
+  configurable: true
+}), "__name");
+var AUTHNPAAS_MODULE_OPTIONS = Symbol("AUTHNPAAS_MODULE_OPTIONS");
+var NEED_LOGIN_KEY = "authnpaas:needLogin";
+function _ts_decorate(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate, "_ts_decorate");
+__name2(_ts_decorate, "_ts_decorate");
+function _ts_metadata(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+__name(_ts_metadata, "_ts_metadata");
+__name2(_ts_metadata, "_ts_metadata");
+var AuthNPaasGuard = class {
   static {
-    __name(this, "MemoryCache");
+    __name(this, "AuthNPaasGuard");
   }
-  cache;
-  accessOrder;
-  options;
-  hits = 0;
-  misses = 0;
-  constructor(options) {
-    this.cache = /* @__PURE__ */ new Map();
-    this.accessOrder = [];
-    this.options = options;
+  static {
+    __name2(this, "AuthNPaasGuard");
   }
-  /**
-  * 获取缓存值
-  */
-  get(key) {
-    if (!this.options.enabled) {
-      return void 0;
-    }
-    const item = this.cache.get(key);
-    if (!item) {
-      this.misses++;
-      return void 0;
-    }
-    if (Date.now() > item.expireAt) {
-      this.cache.delete(key);
-      this.removeFromAccessOrder(key);
-      this.misses++;
-      return void 0;
-    }
-    this.updateAccessOrder(key);
-    this.hits++;
-    return item.value;
+  reflector;
+  constructor(reflector) {
+    this.reflector = reflector;
   }
-  /**
-  * 设置缓存值
-  */
-  set(key, value) {
-    if (!this.options.enabled) {
-      return;
-    }
-    if (this.cache.size >= this.options.max && !this.cache.has(key)) {
-      this.evictLRU();
+  async canActivate(context) {
+    const http = context.switchToHttp();
+    const request = http.getRequest();
+    const response = http.getResponse();
+    const { userId, loginUrl } = request.userContext || {};
+    const needLoginMeta = this.reflector.getAllAndOverride(NEED_LOGIN_KEY, [
+      context.getHandler(),
+      context.getClass()
+    ]);
+    if (needLoginMeta && !userId && loginUrl) {
+      response.redirect(302, loginUrl);
+      return false;
     }
-    const expireAt = Date.now() + this.options.ttl * 1e3;
-    this.cache.set(key, {
-      value,
-      expireAt
-    });
-    this.updateAccessOrder(key);
+    return true;
   }
-  /**
-  * 删除缓存
-  */
-  delete(key) {
-    this.cache.delete(key);
-    this.removeFromAccessOrder(key);
+};
+AuthNPaasGuard = _ts_decorate([
+  (0, import_common2.Injectable)(),
+  _ts_metadata("design:type", Function),
+  _ts_metadata("design:paramtypes", [
+    typeof import_core2.Reflector === "undefined" ? Object : import_core2.Reflector
+  ])
+], AuthNPaasGuard);
+function _ts_decorate2(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate2, "_ts_decorate2");
+__name2(_ts_decorate2, "_ts_decorate");
+var AuthNPaasModule = class _AuthNPaasModule {
+  static {
+    __name(this, "_AuthNPaasModule");
   }
-  /**
-  * 清空所有缓存
-  */
-  clear() {
-    this.cache.clear();
-    this.accessOrder = [];
-    this.hits = 0;
-    this.misses = 0;
+  static {
+    __name2(this, "AuthNPaasModule");
   }
-  /**
-  * 获取缓存统计信息
-  */
-  getStats() {
+  static forRoot(options) {
     return {
-      size: this.cache.size,
-      hits: this.hits,
-      misses: this.misses,
-      hitRate: this.hits / (this.hits + this.misses) || 0,
-      enabled: this.options.enabled
+      module: _AuthNPaasModule,
+      global: true,
+      controllers: [],
+      providers: [
+        // 配置提供者
+        {
+          provide: AUTHNPAAS_MODULE_OPTIONS,
+          useValue: {
+            ...options || {}
+          }
+        },
+        // 核心服务
+        import_core.Reflector,
+        // 服务提供者
+        AuthNPaasGuard,
+        // 守卫提供者
+        {
+          provide: import_core.APP_GUARD,
+          useClass: AuthNPaasGuard
+        }
+      ],
+      exports: []
     };
   }
-  /**
-  * 更新访问顺序
-  */
-  updateAccessOrder(key) {
-    this.removeFromAccessOrder(key);
-    this.accessOrder.push(key);
-  }
-  /**
-  * 从访问顺序中移除
-  */
-  removeFromAccessOrder(key) {
-    const index = this.accessOrder.indexOf(key);
-    if (index > -1) {
-      this.accessOrder.splice(index, 1);
-    }
-  }
-  /**
-  * 淘汰最少使用的项
-  */
-  evictLRU() {
-    if (this.accessOrder.length > 0) {
-      const oldestKey = this.accessOrder[0];
-      this.delete(oldestKey);
-    }
-  }
 };
+AuthNPaasModule = _ts_decorate2([
+  (0, import_common.Module)({})
+], AuthNPaasModule);
+var IS_PUBLIC_KEY = "isPublic";
+var Public = /* @__PURE__ */ __name2(() => (0, import_common3.SetMetadata)(IS_PUBLIC_KEY, true), "Public");
+// src/const.ts
+var ANONYMOUS_USER_ID = "anonymous_user_id";
+var PERMISSION_API_CONFIG_TOKEN = Symbol("PERMISSION_API_CONFIG");
+var CACHE_CONFIG_TOKEN = Symbol("CACHE_CONFIG");
+var AUTHZPAAS_MODULE_OPTIONS = Symbol("AUTHZPAAS_MODULE_OPTIONS");
+var ROLES_KEY = "authzpaas:roles";
+var PERMISSIONS_KEY = "authzpaas:permissions";
+var ENVIRONMENT_KEY = "authzpaas:environment";
+var NEED_LOGIN_KEY2 = "authzpaas:needLogin";
+var DEFAULT_LOGIN_PATH = "/login";
+var MOCK_ROLES_COOKIE_KEY = "mockRoles";
+var ENABLE_MOCK_ROLE_KEY = "__authzpaas_enableMockRole";
 // src/casl/ability.factory.ts
-var import_common = require("@nestjs/common");
+var import_common5 = require("@nestjs/common");
 var import_ability = require("@casl/ability");
-function _ts_decorate(decorators, target, key, desc) {
+function _ts_decorate3(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 }
-__name(_ts_decorate, "_ts_decorate");
+__name(_ts_decorate3, "_ts_decorate");
 var ROLE_SUBJECT = "@role";
 var AbilityFactory = class {
   static {
@@ -201,33 +194,26 @@ var AbilityFactory = class {
   */
   createForUser(permissionData) {
     const { can, build } = new import_ability.AbilityBuilder(import_ability.PureAbility);
-    for (const permission of permissionData.permissions) {
-      const { sub, actions } = permission;
-      for (const action of actions) {
-        can(action, sub);
-      }
-    }
     for (const role of permissionData.roles) {
       can(role, ROLE_SUBJECT);
     }
     return build();
   }
 };
-AbilityFactory = _ts_decorate([
-  (0, import_common.Injectable)()
+AbilityFactory = _ts_decorate3([
+  (0, import_common5.Injectable)()
 ], AbilityFactory);
 // src/exceptions/permission-denied.exception.ts
-var import_common2 = require("@nestjs/common");
+var import_common6 = require("@nestjs/common");
 var PermissionDeniedType = /* @__PURE__ */ (function(PermissionDeniedType2) {
   PermissionDeniedType2["UNAUTHENTICATED"] = "UNAUTHENTICATED";
   PermissionDeniedType2["ROLE_REQUIRED"] = "ROLE_REQUIRED";
   PermissionDeniedType2["PERMISSION_REQUIRED"] = "PERMISSION_REQUIRED";
-  PermissionDeniedType2["ENVIRONMENT_REQUIRED"] = "ENVIRONMENT_REQUIRED";
   PermissionDeniedType2["PERMISSION_CONFIG_QUERY_FAILED"] = "PERMISSION_CONFIG_QUERY_FAILED";
   return PermissionDeniedType2;
 })({});
-var PermissionDeniedException = class _PermissionDeniedException extends import_common2.HttpException {
+var PermissionDeniedException = class _PermissionDeniedException extends import_common6.HttpException {
   static {
     __name(this, "PermissionDeniedException");
   }
@@ -301,30 +287,20 @@ var PermissionDeniedException = class _PermissionDeniedException extends import_
       }
     });
   }
-  /**
-  * 创建环境不满足异常
-  */
-  static environmentRequired(requirement, message) {
-    return new _PermissionDeniedException({
-      type: "ENVIRONMENT_REQUIRED",
-      message: message || "\u4E0D\u6EE1\u8DB3\u73AF\u5883\u8981\u6C42",
-      environmentRequirement: requirement
-    });
-  }
 };
 // src/services/permission.service.ts
-function _ts_decorate2(decorators, target, key, desc) {
+function _ts_decorate4(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 }
-__name(_ts_decorate2, "_ts_decorate");
-function _ts_metadata(k, v) {
+__name(_ts_decorate4, "_ts_decorate");
+function _ts_metadata2(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 }
-__name(_ts_metadata, "_ts_metadata");
+__name(_ts_metadata2, "_ts_metadata");
 function _ts_param(paramIndex, decorator) {
   return function(target, key) {
     decorator(target, key, paramIndex);
@@ -337,91 +313,50 @@ var PermissionService = class _PermissionService {
   }
   apiConfig;
   abilityFactory;
-  logger = new import_common3.Logger(_PermissionService.name);
-  // 统一的缓存，同时缓存权限数据和 Ability 实例
-  cache;
-  // 缓存正在进行中的 Promise，避免重复请求
-  pendingRequests = /* @__PURE__ */ new Map();
-  constructor(apiConfig, cacheConfig, abilityFactory) {
+  logger = new import_common7.Logger(_PermissionService.name);
+  constructor(apiConfig, abilityFactory) {
     this.apiConfig = apiConfig;
     this.abilityFactory = abilityFactory;
-    this.cache = new MemoryCache({
-      ttl: cacheConfig.ttl || 300,
-      max: cacheConfig.max || 1e3,
-      enabled: cacheConfig.enabled !== false
-    });
-    this.logger.log(`PermissionService initialized with API: ${apiConfig?.baseUrl}`);
-  }
-  /**
-  * 构建权限/Ability 缓存 key
-  * - 若存在模拟角色：按角色集合排序拼接 + 用户维度
-  * - 否则按 userId/匿名用户
-  */
-  buildCacheKey(userId, mockRoles) {
-    if (mockRoles && mockRoles.length > 0) {
-      const sortedRoles = [
-        ...mockRoles
-      ].sort();
-      return `@roles:${sortedRoles.join("|")}#u:${userId || ANONYMOUS_USER_ID}`;
-    }
-    return userId || ANONYMOUS_USER_ID;
   }
   /**
-  * 获取用户权限数据（带缓存）
+  * 获取用户权限数据
   */
-  async getUserPermissions(userId, mockRoles) {
-    if (!this.apiConfig?.endpoint) {
-      this.logger.warn("Permission API endpoint is not configured, returning null");
-      return null;
-    }
-    const key = this.buildCacheKey(userId, mockRoles);
-    const cached = this.cache.get(key);
-    if (cached) {
-      this.logger.debug(`Cache hit for user ${key}`);
-      return cached.permissionData;
-    }
-    const pendingRequest = this.pendingRequests.get(key);
-    if (pendingRequest) {
-      this.logger.debug(`Reusing pending request for user ${key}`);
-      return pendingRequest;
-    }
-    this.logger.debug(`Cache miss for key ${key}, fetching from API`);
+  async getUserPermissions(requestDto) {
     const requestPromise = (async () => {
+      const userId = requestDto.userId || ANONYMOUS_USER_ID;
       try {
-        const permissionData = mockRoles && mockRoles.length > 0 ? await this.getPermissionsByMockRoles(userId, mockRoles) : await this.fetchFromApi(userId);
+        const permissionData = await this.fetchFromApi(requestDto);
         const dataWithTimestamp = {
           ...permissionData,
           fetchedAt: /* @__PURE__ */ new Date()
         };
-        const ability = this.abilityFactory.createForUser(dataWithTimestamp);
-        this.cache.set(key, {
-          permissionData: dataWithTimestamp,
-          ability
-        });
         return dataWithTimestamp;
       } catch (error) {
-        this.logger.error(`Failed to fetch permissions for key ${key}:`, error);
+        this.logger.error(`Failed to fetch permissions for user ${userId}:`, error);
         throw error;
-      } finally {
-        this.pendingRequests.delete(key);
       }
     })();
-    this.pendingRequests.set(key, requestPromise);
     return requestPromise;
   }
   /**
   * 从 API 获取权限数据
   * 内置实现，用户无需配置
   */
-  async fetchFromApi(userId) {
-    const { baseUrl, apiToken, endpoint, headers = {}, timeout = 5e3 } = this.apiConfig || {};
-    const url = `${baseUrl}${endpoint}${userId ? `?userId=${userId}` : ""}`;
+  async fetchFromApi(requestDto) {
+    const { timeout = 5e3 } = this.apiConfig || {};
+    const { baseUrl, userId, appId, cookies, csrfToken } = requestDto;
+    const url = `${baseUrl}/api/apps/${appId}/management/permissions/roles`;
     const requestHeaders = {
-      "Content-Type": "application/json",
-      ...headers
+      "Content-Type": "application/json"
     };
-    if (apiToken) {
-      requestHeaders["Authorization"] = `Bearer ${apiToken}`;
+    if (cookies) {
+      const cookieString = Object.entries(cookies).map(([key, value]) => `${key}=${value}`).join("; ");
+      if (cookieString) {
+        requestHeaders.Cookie = cookieString;
+      }
+    }
+    if (csrfToken) {
+      requestHeaders["X-Suda-Csrf-Token"] = csrfToken;
     }
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), timeout);
@@ -438,14 +373,14 @@ var PermissionService = class _PermissionService {
           cause: error,
           type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
           message: error.message
-        }, import_common3.HttpStatus.INTERNAL_SERVER_ERROR);
+        }, import_common7.HttpStatus.INTERNAL_SERVER_ERROR);
       }
       const data = await response.json();
-      const roles = (data.roles || []).map((role) => typeof role === "string" ? role : role.name);
       return {
         userId,
-        roles,
-        permissions: data.permissions || [],
+        roles: data.role_list || [],
+        // TODO: 基于权限点位设置能力
+        // permissions: data.permissions || [],
         fetchedAt: /* @__PURE__ */ new Date()
       };
     } catch (error) {
@@ -458,83 +393,31 @@ var PermissionService = class _PermissionService {
         cause: err,
         type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
         message: err.message
-      }, import_common3.HttpStatus.INTERNAL_SERVER_ERROR);
-    }
-  }
-  /**
-  * 基于模拟角色获取权限数据（不使用缓存）
-  * 该方法用于前端/守卫在检测到 mockRoles 时直接按角色获取权限
-  */
-  async getPermissionsByMockRoles(userId, mockRoles) {
-    const { baseUrl, timeout = 5e3 } = this.apiConfig || {};
-    const rolesParam = encodeURIComponent(mockRoles.join(","));
-    const userParam = userId ? `&userId=${encodeURIComponent(userId)}` : "";
-    const url = `${baseUrl}/mock-api/permissions-by-roles?roles=${rolesParam}${userParam}`;
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), timeout);
-    try {
-      const response = await fetch(url, {
-        method: "GET",
-        signal: controller.signal
-      });
-      clearTimeout(timeoutId);
-      if (!response.ok) {
-        throw new Error(`Permission API (mock by roles) returned ${response.status}: ${response.statusText}`);
-      }
-      const data = await response.json();
-      return {
-        userId,
-        roles: data.roles || [],
-        permissions: data.permissions || [],
-        fetchedAt: /* @__PURE__ */ new Date()
-      };
-    } catch (error) {
-      clearTimeout(timeoutId);
-      throw new PermissionDeniedException({
-        cause: error,
-        type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
-        message: error.message
-      }, import_common3.HttpStatus.INTERNAL_SERVER_ERROR);
-    }
-  }
-  /**
-  * 获取用户的 Ability 实例（带缓存）
-  * @param userId 用户ID
-  * @returns CASL Ability 实例
-  */
-  async getUserAbility(userId, mockRoles) {
-    const key = this.buildCacheKey(userId, mockRoles);
-    const cached = this.cache.get(key);
-    if (cached) {
-      return cached.ability;
-    }
-    await this.getUserPermissions(userId, mockRoles);
-    const newCached = this.cache.get(key);
-    return newCached.ability;
-  }
-  /**
-  * 清除用户权限缓存
-  */
-  clearUserCache(userId) {
-    const key = userId || ANONYMOUS_USER_ID;
-    this.cache.delete(key);
-    this.pendingRequests.delete(key);
-    this.logger.debug(`Cache cleared for user ${key}`);
-  }
-  /**
-  * 清除所有缓存
-  */
-  clearAllCache() {
-    this.cache.clear();
-    this.pendingRequests.clear();
-    this.logger.log("All permission cache cleared");
-  }
-  /**
-  * 获取缓存统计信息
-  */
-  getCacheStats() {
-    return this.cache.getStats();
-  }
+      }, import_common7.HttpStatus.INTERNAL_SERVER_ERROR);
+    }
+  }
+  // /**
+  //  * 获取用户的 Ability 实例（带缓存）
+  //  * @param userId 用户ID
+  //  * @returns CASL Ability 实例
+  //  */
+  // private async getUserAbility(
+  //   userId?: string,
+  //   mockRoles?: string[]
+  // ): Promise<AppAbility> {
+  //   // 计算缓存 key
+  //   const key = this.buildCacheKey(userId, mockRoles);
+  //   // 尝试从缓存获取
+  //   const cached = this.cache.get(key);
+  //   if (cached) {
+  //     return cached.ability;
+  //   }
+  //   // 缓存未命中，调用 getUserPermissions 会创建并缓存
+  //   await this.getUserPermissions(userId, mockRoles);
+  //   // 再次从缓存获取（此时一定存在）
+  //   const newCached = this.cache.get(key);
+  //   return newCached!.ability;
+  // }
   /**
   * 检查角色要求
   * 使用 CASL Ability 统一鉴权方式
@@ -543,16 +426,23 @@ var PermissionService = class _PermissionService {
   * @returns 用户权限数据
   * @throws PermissionDeniedException 当角色不满足时
   */
-  async checkRoles(requirement, userId, mockRoles) {
-    const permissionData = await this.getUserPermissions(userId, mockRoles);
+  async checkRoles(requirement, userContext) {
+    const userId = userContext?.userId || ANONYMOUS_USER_ID;
+    const permissionData = await this.getUserPermissions({
+      baseUrl: userContext?.baseUrl || "",
+      userId,
+      appId: userContext?.appId || "",
+      cookies: userContext?.cookies || {},
+      csrfToken: userContext?.csrfToken || ""
+    });
     if (!permissionData) {
       throw new PermissionDeniedException({
         cause: new Error("Permission data fetch api is not configured"),
         type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
         message: "Permission data fetch api is not configured"
-      }, import_common3.HttpStatus.BAD_REQUEST);
+      }, import_common7.HttpStatus.BAD_REQUEST);
     }
-    const ability = await this.getUserAbility(userId, mockRoles);
+    const ability = this.abilityFactory.createForUser(permissionData);
     const { roles, and } = requirement;
     const checkResults = roles.map((role) => ability.can(role, ROLE_SUBJECT));
     const hasRole = and ? checkResults.every((result) => result) : checkResults.some((result) => result);
@@ -563,312 +453,117 @@ var PermissionService = class _PermissionService {
     }
     return permissionData;
   }
-  /**
-  * 检查权限要求
-  * @param requirements 权限要求列表
-  * @param userId 用户ID
-  * @returns 用户权限数据
-  * @throws PermissionDeniedException 当权限不满足时
-  */
-  async checkPermissions(params, userId, mockRoles) {
-    const permissionData = await this.getUserPermissions(userId, mockRoles);
-    if (!permissionData) {
-      throw new PermissionDeniedException({
-        cause: new Error("Permission data fetch api is not configured"),
-        type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
-        message: "Permission data fetch api is not configured"
-      }, import_common3.HttpStatus.BAD_REQUEST);
-    }
-    const { requirements, or } = params;
-    if (!requirements || requirements.length === 0) {
-      return permissionData;
-    }
-    const ability = await this.getUserAbility(userId, mockRoles);
-    const failedRequirements = [];
-    for (const requirement of requirements) {
-      const { actions, subject, or: or2 = false } = requirement;
-      const checkResults = actions.map((action) => ability.can(action, subject));
-      const hasPermission = or2 ? checkResults.some((result) => result) : checkResults.every((result) => result);
-      if (!hasPermission) {
-        failedRequirements.push({
-          actions,
-          subject: String(subject),
-          or: or2
-        });
-      }
-    }
-    if (failedRequirements.length > 0) {
-      if (or && failedRequirements.length === requirements.length) {
-        throw PermissionDeniedException.permissionRequired(failedRequirements.map(({ actions, subject }) => ({
-          actions,
-          subject: String(subject)
-        })), true);
-      } else if (!or) {
-        throw PermissionDeniedException.permissionRequired(failedRequirements.map(({ actions, subject }) => ({
-          actions,
-          subject: String(subject)
-        })), false);
-      }
-    }
-    return permissionData;
-  }
-  async getAbility(userId) {
-    return this.getUserAbility(userId);
-  }
 };
-PermissionService = _ts_decorate2([
-  (0, import_common3.Injectable)(),
-  _ts_param(0, (0, import_common3.Inject)(PERMISSION_API_CONFIG_TOKEN)),
-  _ts_param(1, (0, import_common3.Inject)(CACHE_CONFIG_TOKEN)),
-  _ts_metadata("design:type", Function),
-  _ts_metadata("design:paramtypes", [
+PermissionService = _ts_decorate4([
+  (0, import_common7.Injectable)(),
+  Public(),
+  _ts_param(0, (0, import_common7.Inject)(PERMISSION_API_CONFIG_TOKEN)),
+  _ts_metadata2("design:type", Function),
+  _ts_metadata2("design:paramtypes", [
     typeof PermissionApiConfig === "undefined" ? Object : PermissionApiConfig,
-    typeof CacheConfig === "undefined" ? Object : CacheConfig,
     typeof AbilityFactory === "undefined" ? Object : AbilityFactory
   ])
 ], PermissionService);
 // src/guards/authzpaas.guard.ts
-var import_common4 = require("@nestjs/common");
-var import_core = require("@nestjs/core");
-// src/utils/index.ts
-function getMockRolesFromCookie(request) {
-  const mockRoles = request.cookies?.[MOCK_ROLES_COOKIE_KEY];
-  return mockRoles ? mockRoles.split(",").map((s) => s.trim()).filter(Boolean) : void 0;
-}
-__name(getMockRolesFromCookie, "getMockRolesFromCookie");
-// src/guards/authzpaas.guard.ts
-function _ts_decorate3(decorators, target, key, desc) {
+var import_common8 = require("@nestjs/common");
+var import_core3 = require("@nestjs/core");
+function _ts_decorate5(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 }
-__name(_ts_decorate3, "_ts_decorate");
-function _ts_metadata2(k, v) {
+__name(_ts_decorate5, "_ts_decorate");
+function _ts_metadata3(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 }
-__name(_ts_metadata2, "_ts_metadata");
-function _ts_param2(paramIndex, decorator) {
-  return function(target, key) {
-    decorator(target, key, paramIndex);
-  };
-}
-__name(_ts_param2, "_ts_param");
+__name(_ts_metadata3, "_ts_metadata");
 var AuthZPaasGuard = class {
   static {
     __name(this, "AuthZPaasGuard");
   }
   reflector;
   permissionService;
-  moduleOptions;
-  constructor(reflector, permissionService, moduleOptions) {
+  constructor(reflector, permissionService) {
     this.reflector = reflector;
     this.permissionService = permissionService;
-    this.moduleOptions = moduleOptions;
   }
   async canActivate(context) {
     const http = context.switchToHttp();
     const request = http.getRequest();
-    request[ENABLE_MOCK_ROLE_KEY] = this.moduleOptions?.enableMockRole;
-    const userId = this.extractUserId(request);
-    const mockRoles = this.moduleOptions?.enableMockRole ? getMockRolesFromCookie(request) : void 0;
+    const userContext = request.userContext;
     const checkRoleRequirement = this.reflector.getAllAndOverride(ROLES_KEY, [
       context.getHandler(),
       context.getClass()
     ]);
     if (checkRoleRequirement) {
-      await this.checkRoleRequirement(checkRoleRequirement, userId, mockRoles);
-    }
-    const checkPermissionParams = this.reflector.getAllAndOverride(PERMISSIONS_KEY, [
-      context.getHandler(),
-      context.getClass()
-    ]);
-    if (checkPermissionParams) {
-      await this.checkPermissionRequirement(checkPermissionParams, userId, mockRoles);
-    }
-    const envRequirement = this.reflector.getAllAndOverride(ENVIRONMENT_KEY, [
-      context.getHandler(),
-      context.getClass()
-    ]);
-    if (envRequirement) {
-      const envContext = this.extractEnvironmentContext(request);
-      await this.checkEnvironmentRequirement(envRequirement, envContext, request);
+      await this.checkRoleRequirement(checkRoleRequirement, userContext);
     }
     return true;
   }
   /**
-  * 从请求中提取用户ID
-  * 子类可以重写此方法以适应不同的认证策略
-  */
-  extractUserId(request) {
-    const mockUserId = request.cookies?.mockUserId;
-    if (mockUserId) return mockUserId;
-    return request.userContext?.userId;
-  }
-  /**
-  * 从请求中提取环境上下文
-  */
-  extractEnvironmentContext(request) {
-    const regionHeader = request.headers["x-region"];
-    const osHeader = request.headers["x-os"];
-    const uaHeader = request.headers["user-agent"];
-    const region = Array.isArray(regionHeader) ? regionHeader[0] : regionHeader;
-    const os = Array.isArray(osHeader) ? osHeader[0] : osHeader;
-    const userAgent = Array.isArray(uaHeader) ? uaHeader[0] : uaHeader;
-    return {
-      network: {
-        ip: request.ip || request.connection?.remoteAddress,
-        region
-      },
-      device: {
-        type: this.detectDeviceType(userAgent),
-        os,
-        browser: userAgent
-      },
-      custom: {
-        headers: request.headers,
-        query: request.query
-      }
-    };
-  }
-  /**
-  * 检测设备类型
-  */
-  detectDeviceType(userAgent) {
-    if (!userAgent) return "desktop";
-    const ua = userAgent.toLowerCase();
-    if (/(tablet|ipad|playbook|silk)|(android(?!.*mobile))/i.test(ua)) {
-      return "tablet";
-    }
-    if (/mobile|iphone|ipod|android|blackberry|opera mini|iemobile/i.test(ua)) {
-      return "mobile";
-    }
-    return "desktop";
-  }
-  /**
   * 检查角色要求
   */
-  async checkRoleRequirement(requirement, userId, mockRoles) {
-    return this.permissionService.checkRoles(requirement, userId, mockRoles);
-  }
-  /**
-  * 检查权限要求
-  */
-  async checkPermissionRequirement(params, userId, mockRoles) {
-    return this.permissionService.checkPermissions(params, userId, mockRoles);
-  }
-  /**
-  * 检查环境要求
-  */
-  async checkEnvironmentRequirement(requirement, envContext, request) {
-    if (requirement.network) {
-      await this.checkNetworkRequirement(requirement.network, envContext);
-    }
-    if (requirement.device) {
-      await this.checkDeviceRequirement(requirement.device, envContext);
-    }
-    if (requirement.custom) {
-      const result = await requirement.custom(request);
-      if (!result) {
-        throw PermissionDeniedException.environmentRequired("custom", "\u4E0D\u6EE1\u8DB3\u81EA\u5B9A\u4E49\u73AF\u5883\u8981\u6C42");
-      }
-    }
-  }
-  /**
-  * 检查网络要求
-  */
-  async checkNetworkRequirement(requirement, envContext) {
-    const ip = envContext.network?.ip;
-    if (requirement.allowedIPs && ip) {
-      const isAllowed = this.checkIPMatch(ip, requirement.allowedIPs);
-      if (!isAllowed) {
-        throw PermissionDeniedException.environmentRequired("network.allowedIPs", `IP \u5730\u5740\u4E0D\u5728\u5141\u8BB8\u5217\u8868\u4E2D: ${ip}`);
-      }
-    }
-    if (requirement.blockedIPs && ip) {
-      const isBlocked = this.checkIPMatch(ip, requirement.blockedIPs);
-      if (isBlocked) {
-        throw PermissionDeniedException.environmentRequired("network.blockedIPs", `IP \u5730\u5740\u88AB\u7981\u6B62\u8BBF\u95EE: ${ip}`);
-      }
-    }
-    if (requirement.allowedRegions && envContext.network?.region) {
-      const isAllowed = requirement.allowedRegions.includes(envContext.network.region);
-      if (!isAllowed) {
-        throw PermissionDeniedException.environmentRequired("network.allowedRegions", `\u5730\u533A\u4E0D\u5728\u5141\u8BB8\u5217\u8868\u4E2D: ${envContext.network.region}`);
-      }
-    }
-  }
-  /**
-  * 检查设备要求
-  */
-  async checkDeviceRequirement(requirement, envContext) {
-    if (requirement.types && envContext.device?.type) {
-      const isAllowed = requirement.types.includes(envContext.device.type);
-      if (!isAllowed) {
-        throw PermissionDeniedException.environmentRequired("device.types", `\u4E0D\u5141\u8BB8\u7684\u8BBE\u5907\u7C7B\u578B: ${envContext.device.type}`);
-      }
-    }
-  }
-  /**
-  * 检查 IP 是否匹配
-  * 简化版本，仅支持精确匹配
-  * 生产环境建议使用 ipaddr.js 等库
-  */
-  checkIPMatch(ip, patterns) {
-    return patterns.some((pattern) => {
-      if (pattern === ip) return true;
-      return false;
-    });
+  async checkRoleRequirement(requirement, userContext) {
+    return this.permissionService.checkRoles(requirement, userContext);
   }
 };
-AuthZPaasGuard = _ts_decorate3([
-  (0, import_common4.Injectable)(),
-  _ts_param2(2, (0, import_common4.Inject)(AUTHZPAAS_MODULE_OPTIONS)),
-  _ts_metadata2("design:type", Function),
-  _ts_metadata2("design:paramtypes", [
-    typeof import_core.Reflector === "undefined" ? Object : import_core.Reflector,
-    typeof PermissionService === "undefined" ? Object : PermissionService,
-    typeof AuthZPaasModuleOptions === "undefined" ? Object : AuthZPaasModuleOptions
+AuthZPaasGuard = _ts_decorate5([
+  (0, import_common8.Injectable)(),
+  _ts_metadata3("design:type", Function),
+  _ts_metadata3("design:paramtypes", [
+    typeof import_core3.Reflector === "undefined" ? Object : import_core3.Reflector,
+    typeof PermissionService === "undefined" ? Object : PermissionService
   ])
 ], AuthZPaasGuard);
 // src/middlewares/roles.middleware.ts
-var import_common5 = require("@nestjs/common");
-function _ts_decorate4(decorators, target, key, desc) {
+var import_common9 = require("@nestjs/common");
+function _ts_decorate6(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 }
-__name(_ts_decorate4, "_ts_decorate");
-function _ts_metadata3(k, v) {
+__name(_ts_decorate6, "_ts_decorate");
+function _ts_metadata4(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 }
-__name(_ts_metadata3, "_ts_metadata");
+__name(_ts_metadata4, "_ts_metadata");
 var RolesMiddleware = class _RolesMiddleware {
   static {
     __name(this, "RolesMiddleware");
   }
   permissionService;
-  logger = new import_common5.Logger(_RolesMiddleware.name);
+  logger = new import_common9.Logger(_RolesMiddleware.name);
   constructor(permissionService) {
     this.permissionService = permissionService;
   }
   async use(req, _res, next) {
     try {
-      const userId = req.userContext?.userId;
-      const mockRoles = req[ENABLE_MOCK_ROLE_KEY] ? getMockRolesFromCookie(req) : void 0;
+      const baseUrl = `${req.protocol}://${req.get("host")}`;
+      const userId = req.userContext?.userId ?? "";
+      const appId = req.userContext?.appId ?? "";
+      const cookies = req.cookies ?? {};
+      const csrfToken = req.headers["x-suda-csrf-token"] ?? "";
       this.logger.debug(`Fetching roles for user: ${userId}`);
-      const permissionData = await this.permissionService.getUserPermissions(userId, mockRoles);
+      const permissionData = await this.permissionService.getUserPermissions({
+        baseUrl,
+        userId,
+        appId,
+        cookies,
+        csrfToken
+      });
       let roles;
       if (permissionData) {
         roles = permissionData.roles;
       }
+      req.userContext.baseUrl = baseUrl;
       req.userContext.userRoles = roles;
       req.userContext.userId = userId;
+      req.userContext.cookies = cookies;
+      req.userContext.csrfToken = csrfToken;
       this.logger.debug(`User ${userId} roles loaded: [${roles?.join(", ")}]`);
       next();
     } catch (error) {
@@ -877,23 +572,23 @@ var RolesMiddleware = class _RolesMiddleware {
     }
   }
 };
-RolesMiddleware = _ts_decorate4([
-  (0, import_common5.Injectable)(),
-  _ts_metadata3("design:type", Function),
-  _ts_metadata3("design:paramtypes", [
+RolesMiddleware = _ts_decorate6([
+  (0, import_common9.Injectable)(),
+  _ts_metadata4("design:type", Function),
+  _ts_metadata4("design:paramtypes", [
     typeof PermissionService === "undefined" ? Object : PermissionService
   ])
 ], RolesMiddleware);
 // src/filters/authzpaas-exception.filter.ts
-var import_common6 = require("@nestjs/common");
-function _ts_decorate5(decorators, target, key, desc) {
+var import_common10 = require("@nestjs/common");
+function _ts_decorate7(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 }
-__name(_ts_decorate5, "_ts_decorate");
+__name(_ts_decorate7, "_ts_decorate");
 var AuthZPaasExceptionFilter = class {
   static {
     __name(this, "AuthZPaasExceptionFilter");
@@ -916,60 +611,48 @@ var AuthZPaasExceptionFilter = class {
     if (exception.details.requiredPermissions) {
       errorResponse.requiredPermissions = exception.details.requiredPermissions;
     }
-    if (exception.details.environmentRequirement) {
-      errorResponse.environmentRequirement = exception.details.environmentRequirement;
-    }
     if (exception.details.metadata) {
       errorResponse.metadata = exception.details.metadata;
     }
     response.status(status).json(errorResponse);
   }
 };
-AuthZPaasExceptionFilter = _ts_decorate5([
-  (0, import_common6.Catch)(PermissionDeniedException)
+AuthZPaasExceptionFilter = _ts_decorate7([
+  (0, import_common10.Catch)(PermissionDeniedException)
 ], AuthZPaasExceptionFilter);
 // src/authzpaas.module.ts
-function _ts_decorate6(decorators, target, key, desc) {
+function _ts_decorate8(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 }
-__name(_ts_decorate6, "_ts_decorate");
+__name(_ts_decorate8, "_ts_decorate");
 var AuthZPaasModule = class _AuthZPaasModule {
   static {
     __name(this, "AuthZPaasModule");
   }
   static forRoot(options) {
-    const { permissionApi, cache = {
-      ttl: 300,
-      max: 1e3,
-      enabled: true
-    }, isGlobal = true } = options;
+    const { permissionApi } = options;
     return {
       module: _AuthZPaasModule,
-      global: isGlobal,
+      global: true,
       controllers: [],
       providers: [
         // 配置提供者
         {
           provide: AUTHZPAAS_MODULE_OPTIONS,
           useValue: {
-            ...options,
-            loginPath: options.loginPath || DEFAULT_LOGIN_PATH
+            ...options
           }
         },
         {
           provide: PERMISSION_API_CONFIG_TOKEN,
           useValue: permissionApi
         },
-        {
-          provide: CACHE_CONFIG_TOKEN,
-          useValue: cache
-        },
         // 核心服务
-        import_core2.Reflector,
+        import_core4.Reflector,
         // 服务提供者
         PermissionService,
         AbilityFactory,
@@ -977,11 +660,11 @@ var AuthZPaasModule = class _AuthZPaasModule {
         RolesMiddleware,
         // 守卫提供者
         {
-          provide: import_core2.APP_GUARD,
+          provide: import_core4.APP_GUARD,
           useClass: AuthZPaasGuard
         },
         {
-          provide: import_core2.APP_FILTER,
+          provide: import_core4.APP_FILTER,
           useClass: AuthZPaasExceptionFilter
         }
       ],
@@ -1023,10 +706,10 @@ var AuthZPaasModule = class _AuthZPaasModule {
   * ```
   */
   static forRootAsync(options) {
-    const { imports = [], inject = [], useFactory, isGlobal = true } = options;
+    const { imports = [], inject = [], useFactory } = options;
     return {
       module: _AuthZPaasModule,
-      global: isGlobal,
+      global: true,
       imports,
       controllers: [],
       providers: [
@@ -1046,22 +729,8 @@ var AuthZPaasModule = class _AuthZPaasModule {
             AUTHZPAAS_MODULE_OPTIONS
           ]
         },
-        // 缓存配置提供者
-        {
-          provide: CACHE_CONFIG_TOKEN,
-          useFactory: /* @__PURE__ */ __name((moduleOptions) => {
-            return moduleOptions.cache || {
-              ttl: 300,
-              max: 1e3,
-              enabled: true
-            };
-          }, "useFactory"),
-          inject: [
-            AUTHZPAAS_MODULE_OPTIONS
-          ]
-        },
         // 核心服务
-        import_core2.Reflector,
+        import_core4.Reflector,
         // 服务提供者
         PermissionService,
         AbilityFactory,
@@ -1069,11 +738,11 @@ var AuthZPaasModule = class _AuthZPaasModule {
         RolesMiddleware,
         // 守卫提供者
         {
-          provide: import_core2.APP_GUARD,
+          provide: import_core4.APP_GUARD,
           useClass: AuthZPaasGuard
         },
         {
-          provide: import_core2.APP_FILTER,
+          provide: import_core4.APP_FILTER,
           useClass: AuthZPaasExceptionFilter
         }
       ],
@@ -1085,12 +754,12 @@ var AuthZPaasModule = class _AuthZPaasModule {
     };
   }
 };
-AuthZPaasModule = _ts_decorate6([
-  (0, import_common7.Module)({})
+AuthZPaasModule = _ts_decorate8([
+  (0, import_common11.Module)({})
 ], AuthZPaasModule);
 // src/decorators/can-role.decorator.ts
-var import_common8 = require("@nestjs/common");
+var import_common12 = require("@nestjs/common");
 var CanRole = /* @__PURE__ */ __name((role, and = false) => {
   let requirement;
   if (!Array.isArray(role) && typeof role === "string") {
@@ -1108,336 +777,8 @@ var CanRole = /* @__PURE__ */ __name((role, and = false) => {
   } else {
     throw new Error("Invalid CanRole parameter: " + JSON.stringify(role));
   }
-  return (0, import_common8.SetMetadata)(ROLES_KEY, requirement);
+  return (0, import_common12.SetMetadata)(ROLES_KEY, requirement);
 }, "CanRole");
-// src/decorators/can-permission.decorator.ts
-var import_common9 = require("@nestjs/common");
-var CanPermission = /* @__PURE__ */ __name((permission, or) => {
-  let requirements;
-  if (Array.isArray(permission)) {
-    requirements = permission;
-  } else if (typeof permission === "object" && "subject" in permission) {
-    requirements = [
-      permission
-    ];
-  } else {
-    throw new Error("Invalid CanPermission parameter: " + JSON.stringify(permission));
-  }
-  return (0, import_common9.SetMetadata)(PERMISSIONS_KEY, {
-    requirements,
-    or: or ?? false
-  });
-}, "CanPermission");
-// src/decorators/can-env.decorator.ts
-var import_common10 = require("@nestjs/common");
-var CanEnv = /* @__PURE__ */ __name((requirement) => {
-  return (0, import_common10.SetMetadata)(ENVIRONMENT_KEY, requirement);
-}, "CanEnv");
-// src/decorators/user-id.decorator.ts
-var import_common11 = require("@nestjs/common");
-var UserId = (0, import_common11.createParamDecorator)((_data, ctx) => {
-  const request = ctx.switchToHttp().getRequest();
-  return request.userContext?.userId;
-});
-// src/decorators/mock-roles.decorator.ts
-var import_common12 = require("@nestjs/common");
-var MockRoles = (0, import_common12.createParamDecorator)((_data, ctx) => {
-  const request = ctx.switchToHttp().getRequest();
-  const mockRoles = getMockRolesFromCookie(request);
-  return request[ENABLE_MOCK_ROLE_KEY] ? mockRoles : void 0;
-});
-// src/controllers/permission.controller.ts
-var import_common13 = require("@nestjs/common");
-var import_swagger = require("@nestjs/swagger");
-function _ts_decorate7(decorators, target, key, desc) {
-  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-  return c > 3 && r && Object.defineProperty(target, key, r), r;
-}
-__name(_ts_decorate7, "_ts_decorate");
-function _ts_metadata4(k, v) {
-  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
-}
-__name(_ts_metadata4, "_ts_metadata");
-function _ts_param3(paramIndex, decorator) {
-  return function(target, key) {
-    decorator(target, key, paramIndex);
-  };
-}
-__name(_ts_param3, "_ts_param");
-var PermissionDto = class {
-  static {
-    __name(this, "PermissionDto");
-  }
-  sub;
-  actions;
-  id;
-  name;
-  conditions;
-};
-_ts_decorate7([
-  (0, import_swagger.ApiProperty)({
-    description: "\u8D44\u6E90\u7C7B\u578B",
-    example: "task"
-  }),
-  _ts_metadata4("design:type", String)
-], PermissionDto.prototype, "sub", void 0);
-_ts_decorate7([
-  (0, import_swagger.ApiProperty)({
-    description: "\u64CD\u4F5C\u7C7B\u578B\u5217\u8868",
-    example: [
-      "create",
-      "read",
-      "update",
-      "delete"
-    ],
-    type: [
-      String
-    ]
-  }),
-  _ts_metadata4("design:type", Array)
-], PermissionDto.prototype, "actions", void 0);
-_ts_decorate7([
-  (0, import_swagger.ApiProperty)({
-    description: "\u6743\u9650ID",
-    required: false
-  }),
-  _ts_metadata4("design:type", String)
-], PermissionDto.prototype, "id", void 0);
-_ts_decorate7([
-  (0, import_swagger.ApiProperty)({
-    description: "\u6743\u9650\u540D\u79F0",
-    required: false
-  }),
-  _ts_metadata4("design:type", String)
-], PermissionDto.prototype, "name", void 0);
-_ts_decorate7([
-  (0, import_swagger.ApiProperty)({
-    description: "\u6743\u9650\u6761\u4EF6",
-    required: false,
-    type: "object"
-  }),
-  _ts_metadata4("design:type", typeof Record === "undefined" ? Object : Record)
-], PermissionDto.prototype, "conditions", void 0);
-var PermissionResponse = class {
-  static {
-    __name(this, "PermissionResponse");
-  }
-  userId;
-  roles;
-  permissions;
-  fetchedAt;
-};
-_ts_decorate7([
-  (0, import_swagger.ApiProperty)({
-    description: "\u7528\u6237ID",
-    example: "user123",
-    required: false
-  }),
-  _ts_metadata4("design:type", String)
-], PermissionResponse.prototype, "userId", void 0);
-_ts_decorate7([
-  (0, import_swagger.ApiProperty)({
-    description: "\u7528\u6237\u89D2\u8272\u5217\u8868",
-    example: [
-      "admin",
-      "user"
-    ],
-    type: [
-      String
-    ]
-  }),
-  _ts_metadata4("design:type", Array)
-], PermissionResponse.prototype, "roles", void 0);
-_ts_decorate7([
-  (0, import_swagger.ApiProperty)({
-    description: "\u7528\u6237\u6743\u9650\u70B9\u4F4D\u5217\u8868",
-    type: [
-      PermissionDto
-    ]
-  }),
-  _ts_metadata4("design:type", Array)
-], PermissionResponse.prototype, "permissions", void 0);
-_ts_decorate7([
-  (0, import_swagger.ApiProperty)({
-    description: "\u6570\u636E\u83B7\u53D6\u65F6\u95F4",
-    example: "2025-10-14T00:00:00.000Z"
-  }),
-  _ts_metadata4("design:type", typeof Date === "undefined" ? Object : Date)
-], PermissionResponse.prototype, "fetchedAt", void 0);
-var PermissionController = class {
-  static {
-    __name(this, "PermissionController");
-  }
-  permissionService;
-  constructor(permissionService) {
-    this.permissionService = permissionService;
-  }
-  /**
-  * 获取当前用户的权限数据
-  *
-  * @param userId 当前用户ID（从请求上下文中获取）
-  * @returns 用户权限数据
-  *
-  * @example
-  * GET /api/permissions
-  *
-  * Response:
-  * {
-  *   "userId": "user123",
-  *   "roles": ["admin", "user"],
-  *   "permissions": [
-  *     { "sub": "task", "actions": ["create", "read", "update", "delete"] }
-  *   ],
-  *   "fetchedAt": "2025-10-14T00:00:00.000Z"
-  * }
-  */
-  async getUserPermissions(userId, mockRoles) {
-    const permissionData = await this.permissionService.getUserPermissions(userId, mockRoles);
-    return {
-      userId: permissionData?.userId,
-      roles: permissionData?.roles || [],
-      permissions: permissionData?.permissions || [],
-      fetchedAt: permissionData?.fetchedAt || /* @__PURE__ */ new Date()
-    };
-  }
-  /**
-  * 开启角色模拟：将传入的 userId 写入 cookie，服务端优先使用该值请求权限
-  */
-  async enableMock(res, roles) {
-    if (!Array.isArray(roles) || roles.length === 0) {
-      return {
-        success: false,
-        message: "roles \u4E0D\u80FD\u4E3A\u7A7A"
-      };
-    }
-    const val = roles.join(",");
-    res.cookie(MOCK_ROLES_COOKIE_KEY, val, {
-      httpOnly: false,
-      sameSite: "lax",
-      maxAge: 24 * 60 * 60 * 1e3,
-      path: "/"
-    });
-    return {
-      success: true,
-      roles
-    };
-  }
-  /**
-  * 关闭角色模拟：清除 cookie
-  */
-  async disableMock(res) {
-    res.clearCookie(MOCK_ROLES_COOKIE_KEY, {
-      path: "/"
-    });
-    return {
-      success: true
-    };
-  }
-  async getMockRoles(mockRoles, userId) {
-    const permissionData = await this.permissionService.getUserPermissions(userId, mockRoles);
-    return {
-      mocking: !!mockRoles,
-      roles: permissionData?.roles || [],
-      permissions: permissionData?.permissions || [],
-      fetchedAt: permissionData?.fetchedAt || /* @__PURE__ */ new Date(),
-      userId
-    };
-  }
-};
-_ts_decorate7([
-  (0, import_common13.Get)(),
-  (0, import_swagger.ApiOperation)({
-    summary: "\u83B7\u53D6\u5F53\u524D\u7528\u6237\u7684\u6743\u9650\u6570\u636E"
-  }),
-  (0, import_swagger.ApiResponse)({
-    status: 200,
-    description: "\u6210\u529F\u8FD4\u56DE\u7528\u6237\u6743\u9650\u6570\u636E",
-    type: PermissionResponse
-  }),
-  (0, import_swagger.ApiResponse)({
-    status: 400,
-    description: "\u7528\u6237\u672A\u8BA4\u8BC1"
-  }),
-  _ts_param3(0, UserId()),
-  _ts_param3(1, MockRoles()),
-  _ts_metadata4("design:type", Function),
-  _ts_metadata4("design:paramtypes", [
-    String,
-    Array
-  ]),
-  _ts_metadata4("design:returntype", Promise)
-], PermissionController.prototype, "getUserPermissions", null);
-_ts_decorate7([
-  (0, import_common13.Post)("mock/enable"),
-  (0, import_swagger.ApiOperation)({
-    summary: "\u5F00\u542F\u89D2\u8272\u6A21\u62DF\uFF08\u5199\u5165 cookie: mockRoles\uFF09"
-  }),
-  (0, import_swagger.ApiResponse)({
-    status: 200,
-    description: "\u6A21\u62DF\u5DF2\u5F00\u542F"
-  }),
-  _ts_param3(0, (0, import_common13.Res)({
-    passthrough: true
-  })),
-  _ts_param3(1, (0, import_common13.Body)("roles")),
-  _ts_metadata4("design:type", Function),
-  _ts_metadata4("design:paramtypes", [
-    typeof Response === "undefined" ? Object : Response,
-    Array
-  ]),
-  _ts_metadata4("design:returntype", Promise)
-], PermissionController.prototype, "enableMock", null);
-_ts_decorate7([
-  (0, import_common13.Post)("mock/disable"),
-  (0, import_swagger.ApiOperation)({
-    summary: "\u5173\u95ED\u89D2\u8272\u6A21\u62DF\uFF08\u6E05\u9664 cookie: mockRoles\uFF09"
-  }),
-  (0, import_swagger.ApiResponse)({
-    status: 200,
-    description: "\u6A21\u62DF\u5DF2\u5173\u95ED"
-  }),
-  _ts_param3(0, (0, import_common13.Res)({
-    passthrough: true
-  })),
-  _ts_metadata4("design:type", Function),
-  _ts_metadata4("design:paramtypes", [
-    typeof Response === "undefined" ? Object : Response
-  ]),
-  _ts_metadata4("design:returntype", Promise)
-], PermissionController.prototype, "disableMock", null);
-_ts_decorate7([
-  (0, import_common13.Get)("mock/status"),
-  (0, import_swagger.ApiOperation)({
-    summary: "\u83B7\u53D6\u5F53\u524D\u7528\u6237\u7684\u89D2\u8272\u6A21\u62DF\u72B6\u6001"
-  }),
-  (0, import_swagger.ApiResponse)({
-    status: 200,
-    description: "\u6210\u529F\u8FD4\u56DE\u89D2\u8272\u6A21\u62DF\u6570\u636E"
-  }),
-  _ts_param3(0, MockRoles()),
-  _ts_param3(1, UserId()),
-  _ts_metadata4("design:type", Function),
-  _ts_metadata4("design:paramtypes", [
-    Object,
-    String
-  ]),
-  _ts_metadata4("design:returntype", Promise)
-], PermissionController.prototype, "getMockRoles", null);
-PermissionController = _ts_decorate7([
-  (0, import_swagger.ApiTags)("\u6743\u9650\u7BA1\u7406"),
-  (0, import_common13.Controller)("api/permissions"),
-  _ts_metadata4("design:type", Function),
-  _ts_metadata4("design:paramtypes", [
-    typeof PermissionService === "undefined" ? Object : PermissionService
-  ])
-], PermissionController);
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ANONYMOUS_USER_ID,
@@ -1447,26 +788,19 @@ PermissionController = _ts_decorate7([
   AuthZPaasGuard,
   AuthZPaasModule,
   CACHE_CONFIG_TOKEN,
-  CanEnv,
-  CanPermission,
   CanRole,
   DEFAULT_LOGIN_PATH,
   ENABLE_MOCK_ROLE_KEY,
   ENVIRONMENT_KEY,
   MOCK_ROLES_COOKIE_KEY,
-  MockRoles,
   NEED_LOGIN_KEY,
   PERMISSIONS_KEY,
   PERMISSION_API_CONFIG_TOKEN,
-  PermissionController,
   PermissionDeniedException,
   PermissionDeniedType,
-  PermissionDto,
-  PermissionResponse,
   PermissionService,
   ROLES_KEY,
   ROLE_SUBJECT,
-  RolesMiddleware,
-  UserId
+  RolesMiddleware
 });
 //# sourceMappingURL=index.cjs.map