npm - @lark-apaas/nestjs-authzpaas - Versions diffs - 0.1.0-alpha.0 → 0.1.0-alpha.10 - Mend

@lark-apaas/nestjs-authzpaas 0.1.0-alpha.0 → 0.1.0-alpha.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/dist/index.js CHANGED Viewed

@@ -2,144 +2,144 @@ var __defProp = Object.defineProperty;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
 // src/authzpaas.module.ts
-import { Module } from "@nestjs/common";
-import { APP_FILTER, APP_GUARD, Reflector as Reflector2 } from "@nestjs/core";
-// src/const.ts
-var ANONYMOUS_USER_ID = "anonymous_user_id";
-var PERMISSION_API_CONFIG_TOKEN = Symbol("PERMISSION_API_CONFIG");
-var CACHE_CONFIG_TOKEN = Symbol("CACHE_CONFIG");
-var AUTHZPAAS_MODULE_OPTIONS = Symbol("AUTHZPAAS_MODULE_OPTIONS");
-var ROLES_KEY = "authzpaas:roles";
-var PERMISSIONS_KEY = "authzpaas:permissions";
-var ENVIRONMENT_KEY = "authzpaas:environment";
-var NEED_LOGIN_KEY = "authzpaas:needLogin";
-var DEFAULT_LOGIN_PATH = "/login";
-var MOCK_ROLES_COOKIE_KEY = "mockRoles";
-var ENABLE_MOCK_ROLE_KEY = "__authzpaas_enableMockRole";
+import { Module as Module2 } from "@nestjs/common";
+import { APP_GUARD as APP_GUARD2, Reflector as Reflector4 } from "@nestjs/core";
 // src/services/permission.service.ts
-import { Injectable as Injectable2, Inject, Logger, HttpStatus } from "@nestjs/common";
+import { Injectable as Injectable3, Logger, HttpStatus, Inject } from "@nestjs/common";
-// src/utils/memory-cache.ts
-var MemoryCache = class {
+// ../nestjs-authnpaas/dist/index.js
+import { Module } from "@nestjs/common";
+import { APP_GUARD, Reflector as Reflector2 } from "@nestjs/core";
+import { Injectable } from "@nestjs/common";
+import { Reflector } from "@nestjs/core";
+import { SetMetadata } from "@nestjs/common";
+import { SetMetadata as SetMetadata2 } from "@nestjs/common";
+var __defProp2 = Object.defineProperty;
+var __name2 = /* @__PURE__ */ __name((target, value) => __defProp2(target, "name", {
+  value,
+  configurable: true
+}), "__name");
+var AUTHNPAAS_MODULE_OPTIONS = Symbol("AUTHNPAAS_MODULE_OPTIONS");
+var NEED_LOGIN_KEY = "authnpaas:needLogin";
+function _ts_decorate(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate, "_ts_decorate");
+__name2(_ts_decorate, "_ts_decorate");
+function _ts_metadata(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+__name(_ts_metadata, "_ts_metadata");
+__name2(_ts_metadata, "_ts_metadata");
+var AuthNPaasGuard = class {
   static {
-    __name(this, "MemoryCache");
+    __name(this, "AuthNPaasGuard");
   }
-  cache;
-  accessOrder;
-  options;
-  hits = 0;
-  misses = 0;
-  constructor(options) {
-    this.cache = /* @__PURE__ */ new Map();
-    this.accessOrder = [];
-    this.options = options;
+  static {
+    __name2(this, "AuthNPaasGuard");
   }
-  /**
-  * 获取缓存值
-  */
-  get(key) {
-    if (!this.options.enabled) {
-      return void 0;
-    }
-    const item = this.cache.get(key);
-    if (!item) {
-      this.misses++;
-      return void 0;
-    }
-    if (Date.now() > item.expireAt) {
-      this.cache.delete(key);
-      this.removeFromAccessOrder(key);
-      this.misses++;
-      return void 0;
-    }
-    this.updateAccessOrder(key);
-    this.hits++;
-    return item.value;
+  reflector;
+  constructor(reflector) {
+    this.reflector = reflector;
   }
-  /**
-  * 设置缓存值
-  */
-  set(key, value) {
-    if (!this.options.enabled) {
-      return;
-    }
-    if (this.cache.size >= this.options.max && !this.cache.has(key)) {
-      this.evictLRU();
+  async canActivate(context) {
+    const http = context.switchToHttp();
+    const request = http.getRequest();
+    const response = http.getResponse();
+    const { userId, loginUrl } = request.userContext || {};
+    const needLoginMeta = this.reflector.getAllAndOverride(NEED_LOGIN_KEY, [
+      context.getHandler(),
+      context.getClass()
+    ]);
+    if (needLoginMeta && !userId && loginUrl) {
+      response.redirect(302, loginUrl);
+      return false;
     }
-    const expireAt = Date.now() + this.options.ttl * 1e3;
-    this.cache.set(key, {
-      value,
-      expireAt
-    });
-    this.updateAccessOrder(key);
+    return true;
   }
-  /**
-  * 删除缓存
-  */
-  delete(key) {
-    this.cache.delete(key);
-    this.removeFromAccessOrder(key);
+};
+AuthNPaasGuard = _ts_decorate([
+  Injectable(),
+  _ts_metadata("design:type", Function),
+  _ts_metadata("design:paramtypes", [
+    typeof Reflector === "undefined" ? Object : Reflector
+  ])
+], AuthNPaasGuard);
+function _ts_decorate2(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate2, "_ts_decorate2");
+__name2(_ts_decorate2, "_ts_decorate");
+var AuthNPaasModule = class _AuthNPaasModule {
+  static {
+    __name(this, "_AuthNPaasModule");
   }
-  /**
-  * 清空所有缓存
-  */
-  clear() {
-    this.cache.clear();
-    this.accessOrder = [];
-    this.hits = 0;
-    this.misses = 0;
+  static {
+    __name2(this, "AuthNPaasModule");
   }
-  /**
-  * 获取缓存统计信息
-  */
-  getStats() {
+  static forRoot(options) {
     return {
-      size: this.cache.size,
-      hits: this.hits,
-      misses: this.misses,
-      hitRate: this.hits / (this.hits + this.misses) || 0,
-      enabled: this.options.enabled
+      module: _AuthNPaasModule,
+      global: true,
+      controllers: [],
+      providers: [
+        // 配置提供者
+        {
+          provide: AUTHNPAAS_MODULE_OPTIONS,
+          useValue: {
+            ...options || {}
+          }
+        },
+        // 核心服务
+        Reflector2,
+        // 服务提供者
+        AuthNPaasGuard,
+        // 守卫提供者
+        {
+          provide: APP_GUARD,
+          useClass: AuthNPaasGuard
+        }
+      ],
+      exports: []
     };
   }
-  /**
-  * 更新访问顺序
-  */
-  updateAccessOrder(key) {
-    this.removeFromAccessOrder(key);
-    this.accessOrder.push(key);
-  }
-  /**
-  * 从访问顺序中移除
-  */
-  removeFromAccessOrder(key) {
-    const index = this.accessOrder.indexOf(key);
-    if (index > -1) {
-      this.accessOrder.splice(index, 1);
-    }
-  }
-  /**
-  * 淘汰最少使用的项
-  */
-  evictLRU() {
-    if (this.accessOrder.length > 0) {
-      const oldestKey = this.accessOrder[0];
-      this.delete(oldestKey);
-    }
-  }
 };
+AuthNPaasModule = _ts_decorate2([
+  Module({})
+], AuthNPaasModule);
+var IS_PUBLIC_KEY = "isPublic";
+var Public = /* @__PURE__ */ __name2(() => SetMetadata(IS_PUBLIC_KEY, true), "Public");
+// src/const.ts
+var ANONYMOUS_USER_ID = "anonymous_user_id";
+var PERMISSION_API_CONFIG_TOKEN = Symbol("PERMISSION_API_CONFIG");
+var CACHE_CONFIG_TOKEN = Symbol("CACHE_CONFIG");
+var AUTHZPAAS_MODULE_OPTIONS = Symbol("AUTHZPAAS_MODULE_OPTIONS");
+var ROLES_KEY = "authzpaas:roles";
+var PERMISSIONS_KEY = "authzpaas:permissions";
+var ENVIRONMENT_KEY = "authzpaas:environment";
+var NEED_LOGIN_KEY2 = "authzpaas:needLogin";
+var DEFAULT_LOGIN_PATH = "/login";
+var MOCK_ROLES_COOKIE_KEY = "mockRoles";
+var ENABLE_MOCK_ROLE_KEY = "__authzpaas_enableMockRole";
 // src/casl/ability.factory.ts
-import { Injectable } from "@nestjs/common";
+import { Injectable as Injectable2 } from "@nestjs/common";
 import { AbilityBuilder, PureAbility } from "@casl/ability";
-function _ts_decorate(decorators, target, key, desc) {
+function _ts_decorate3(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 }
-__name(_ts_decorate, "_ts_decorate");
+__name(_ts_decorate3, "_ts_decorate");
 var ROLE_SUBJECT = "@role";
 var AbilityFactory = class {
   static {
@@ -150,20 +150,14 @@ var AbilityFactory = class {
   */
   createForUser(permissionData) {
     const { can, build } = new AbilityBuilder(PureAbility);
-    for (const permission of permissionData.permissions) {
-      const { sub, actions } = permission;
-      for (const action of actions) {
-        can(action, sub);
-      }
-    }
     for (const role of permissionData.roles) {
       can(role, ROLE_SUBJECT);
     }
     return build();
   }
 };
-AbilityFactory = _ts_decorate([
-  Injectable()
+AbilityFactory = _ts_decorate3([
+  Injectable2()
 ], AbilityFactory);
 // src/exceptions/permission-denied.exception.ts
@@ -172,7 +166,6 @@ var PermissionDeniedType = /* @__PURE__ */ (function(PermissionDeniedType2) {
   PermissionDeniedType2["UNAUTHENTICATED"] = "UNAUTHENTICATED";
   PermissionDeniedType2["ROLE_REQUIRED"] = "ROLE_REQUIRED";
   PermissionDeniedType2["PERMISSION_REQUIRED"] = "PERMISSION_REQUIRED";
-  PermissionDeniedType2["ENVIRONMENT_REQUIRED"] = "ENVIRONMENT_REQUIRED";
   PermissionDeniedType2["PERMISSION_CONFIG_QUERY_FAILED"] = "PERMISSION_CONFIG_QUERY_FAILED";
   return PermissionDeniedType2;
 })({});
@@ -250,30 +243,20 @@ var PermissionDeniedException = class _PermissionDeniedException extends HttpExc
       }
     });
   }
-  /**
-  * 创建环境不满足异常
-  */
-  static environmentRequired(requirement, message) {
-    return new _PermissionDeniedException({
-      type: "ENVIRONMENT_REQUIRED",
-      message: message || "\u4E0D\u6EE1\u8DB3\u73AF\u5883\u8981\u6C42",
-      environmentRequirement: requirement
-    });
-  }
 };
 // src/services/permission.service.ts
-function _ts_decorate2(decorators, target, key, desc) {
+function _ts_decorate4(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 }
-__name(_ts_decorate2, "_ts_decorate");
-function _ts_metadata(k, v) {
+__name(_ts_decorate4, "_ts_decorate");
+function _ts_metadata2(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 }
-__name(_ts_metadata, "_ts_metadata");
+__name(_ts_metadata2, "_ts_metadata");
 function _ts_param(paramIndex, decorator) {
   return function(target, key) {
     decorator(target, key, paramIndex);
@@ -287,96 +270,53 @@ var PermissionService = class _PermissionService {
   apiConfig;
   abilityFactory;
   logger = new Logger(_PermissionService.name);
-  // 统一的缓存，同时缓存权限数据和 Ability 实例
-  cache;
-  // 缓存正在进行中的 Promise，避免重复请求
-  pendingRequests = /* @__PURE__ */ new Map();
-  constructor(apiConfig, cacheConfig, abilityFactory) {
+  constructor(apiConfig, abilityFactory) {
     this.apiConfig = apiConfig;
     this.abilityFactory = abilityFactory;
-    this.cache = new MemoryCache({
-      ttl: cacheConfig.ttl || 300,
-      max: cacheConfig.max || 1e3,
-      enabled: cacheConfig.enabled !== false
-    });
-    this.logger.log(`PermissionService initialized with API: ${apiConfig?.baseUrl}`);
   }
   /**
-  * 构建权限/Ability 缓存 key
-  * - 若存在模拟角色：按角色集合排序拼接 + 用户维度
-  * - 否则按 userId/匿名用户
+  * 获取用户权限数据
   */
-  buildCacheKey(userId, mockRoles) {
-    if (mockRoles && mockRoles.length > 0) {
-      const sortedRoles = [
-        ...mockRoles
-      ].sort();
-      return `@roles:${sortedRoles.join("|")}#u:${userId || ANONYMOUS_USER_ID}`;
-    }
-    return userId || ANONYMOUS_USER_ID;
-  }
-  /**
-  * 获取用户权限数据（带缓存）
-  */
-  async getUserPermissions(userId, mockRoles) {
-    if (!this.apiConfig?.endpoint) {
-      this.logger.warn("Permission API endpoint is not configured, returning null");
-      return null;
-    }
-    const key = this.buildCacheKey(userId, mockRoles);
-    const cached = this.cache.get(key);
-    if (cached) {
-      this.logger.debug(`Cache hit for user ${key}`);
-      return cached.permissionData;
-    }
-    const pendingRequest = this.pendingRequests.get(key);
-    if (pendingRequest) {
-      this.logger.debug(`Reusing pending request for user ${key}`);
-      return pendingRequest;
-    }
-    this.logger.debug(`Cache miss for key ${key}, fetching from API`);
+  async getUserPermissions(requestDto) {
     const requestPromise = (async () => {
+      const userId = requestDto.userId || ANONYMOUS_USER_ID;
       try {
-        const permissionData = mockRoles && mockRoles.length > 0 ? await this.getPermissionsByMockRoles(userId, mockRoles) : await this.fetchFromApi(userId);
+        const permissionData = await this.fetchFromApi(requestDto);
         const dataWithTimestamp = {
           ...permissionData,
           fetchedAt: /* @__PURE__ */ new Date()
         };
-        const ability = this.abilityFactory.createForUser(dataWithTimestamp);
-        this.cache.set(key, {
-          permissionData: dataWithTimestamp,
-          ability
-        });
         return dataWithTimestamp;
       } catch (error) {
-        this.logger.error(`Failed to fetch permissions for key ${key}:`, error);
+        this.logger.error(`Failed to fetch permissions for user ${userId}:`, error);
         throw error;
-      } finally {
-        this.pendingRequests.delete(key);
       }
     })();
-    this.pendingRequests.set(key, requestPromise);
     return requestPromise;
   }
   /**
   * 从 API 获取权限数据
   * 内置实现，用户无需配置
   */
-  async fetchFromApi(userId) {
-    const { baseUrl, apiToken, endpoint, headers = {}, timeout = 5e3 } = this.apiConfig || {};
-    const url = `${baseUrl}${endpoint}${userId ? `?userId=${userId}` : ""}`;
+  async fetchFromApi(requestDto) {
+    const { timeout = 5e3 } = this.apiConfig || {};
+    const { baseUrl, userId, appId, cookie, csrfToken } = requestDto;
+    const url = `${baseUrl}/spark/app/${appId}/runtime/api/v1/permissions/roles`;
     const requestHeaders = {
-      "Content-Type": "application/json",
-      ...headers
+      "Content-Type": "application/json"
     };
-    if (apiToken) {
-      requestHeaders["Authorization"] = `Bearer ${apiToken}`;
+    if (cookie) {
+      requestHeaders.Cookie = cookie;
+    }
+    if (csrfToken) {
+      requestHeaders["X-Suda-Csrf-Token"] = csrfToken;
     }
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), timeout);
     try {
       const response = await fetch(url, {
-        method: "GET",
+        method: "POST",
+        credentials: "include",
         headers: requestHeaders,
         signal: controller.signal
       });
@@ -390,14 +330,15 @@ var PermissionService = class _PermissionService {
         }, HttpStatus.INTERNAL_SERVER_ERROR);
       }
       const data = await response.json();
-      const roles = (data.roles || []).map((role) => typeof role === "string" ? role : role.name);
       return {
         userId,
-        roles,
-        permissions: data.permissions || [],
+        roles: data.data?.roleList || [],
+        // TODO: 基于权限点位设置能力
+        // permissions: data.permissions || [],
         fetchedAt: /* @__PURE__ */ new Date()
       };
     } catch (error) {
+      console.log("error", error);
       clearTimeout(timeoutId);
       let err = error;
       if (error.name === "AbortError") {
@@ -410,80 +351,28 @@ var PermissionService = class _PermissionService {
       }, HttpStatus.INTERNAL_SERVER_ERROR);
     }
   }
-  /**
-  * 基于模拟角色获取权限数据（不使用缓存）
-  * 该方法用于前端/守卫在检测到 mockRoles 时直接按角色获取权限
-  */
-  async getPermissionsByMockRoles(userId, mockRoles) {
-    const { baseUrl, timeout = 5e3 } = this.apiConfig || {};
-    const rolesParam = encodeURIComponent(mockRoles.join(","));
-    const userParam = userId ? `&userId=${encodeURIComponent(userId)}` : "";
-    const url = `${baseUrl}/mock-api/permissions-by-roles?roles=${rolesParam}${userParam}`;
-    const controller = new AbortController();
-    const timeoutId = setTimeout(() => controller.abort(), timeout);
-    try {
-      const response = await fetch(url, {
-        method: "GET",
-        signal: controller.signal
-      });
-      clearTimeout(timeoutId);
-      if (!response.ok) {
-        throw new Error(`Permission API (mock by roles) returned ${response.status}: ${response.statusText}`);
-      }
-      const data = await response.json();
-      return {
-        userId,
-        roles: data.roles || [],
-        permissions: data.permissions || [],
-        fetchedAt: /* @__PURE__ */ new Date()
-      };
-    } catch (error) {
-      clearTimeout(timeoutId);
-      throw new PermissionDeniedException({
-        cause: error,
-        type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
-        message: error.message
-      }, HttpStatus.INTERNAL_SERVER_ERROR);
-    }
-  }
-  /**
-  * 获取用户的 Ability 实例（带缓存）
-  * @param userId 用户ID
-  * @returns CASL Ability 实例
-  */
-  async getUserAbility(userId, mockRoles) {
-    const key = this.buildCacheKey(userId, mockRoles);
-    const cached = this.cache.get(key);
-    if (cached) {
-      return cached.ability;
-    }
-    await this.getUserPermissions(userId, mockRoles);
-    const newCached = this.cache.get(key);
-    return newCached.ability;
-  }
-  /**
-  * 清除用户权限缓存
-  */
-  clearUserCache(userId) {
-    const key = userId || ANONYMOUS_USER_ID;
-    this.cache.delete(key);
-    this.pendingRequests.delete(key);
-    this.logger.debug(`Cache cleared for user ${key}`);
-  }
-  /**
-  * 清除所有缓存
-  */
-  clearAllCache() {
-    this.cache.clear();
-    this.pendingRequests.clear();
-    this.logger.log("All permission cache cleared");
-  }
-  /**
-  * 获取缓存统计信息
-  */
-  getCacheStats() {
-    return this.cache.getStats();
-  }
+  // /**
+  //  * 获取用户的 Ability 实例（带缓存）
+  //  * @param userId 用户ID
+  //  * @returns CASL Ability 实例
+  //  */
+  // private async getUserAbility(
+  //   userId?: string,
+  //   mockRoles?: string[]
+  // ): Promise<AppAbility> {
+  //   // 计算缓存 key
+  //   const key = this.buildCacheKey(userId, mockRoles);
+  //   // 尝试从缓存获取
+  //   const cached = this.cache.get(key);
+  //   if (cached) {
+  //     return cached.ability;
+  //   }
+  //   // 缓存未命中，调用 getUserPermissions 会创建并缓存
+  //   await this.getUserPermissions(userId, mockRoles);
+  //   // 再次从缓存获取（此时一定存在）
+  //   const newCached = this.cache.get(key);
+  //   return newCached!.ability;
+  // }
   /**
   * 检查角色要求
   * 使用 CASL Ability 统一鉴权方式
@@ -492,8 +381,23 @@ var PermissionService = class _PermissionService {
   * @returns 用户权限数据
   * @throws PermissionDeniedException 当角色不满足时
   */
-  async checkRoles(requirement, userId, mockRoles) {
-    const permissionData = await this.getUserPermissions(userId, mockRoles);
+  async checkRoles(requirement, userContext, cookie, csrfToken) {
+    const userId = userContext?.userId || ANONYMOUS_USER_ID;
+    if (!csrfToken) {
+      throw new PermissionDeniedException({
+        cause: new Error("CSRF token is required"),
+        type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
+        message: "CSRF token is required"
+      }, HttpStatus.BAD_REQUEST);
+    }
+    const permissionData = await this.getUserPermissions({
+      // FIXME: 使用 request 的 base url
+      baseUrl: userContext?.baseUrl || "",
+      userId,
+      appId: userContext?.appId || "",
+      csrfToken,
+      cookie
+    });
     if (!permissionData) {
       throw new PermissionDeniedException({
         cause: new Error("Permission data fetch api is not configured"),
@@ -501,7 +405,7 @@ var PermissionService = class _PermissionService {
         message: "Permission data fetch api is not configured"
       }, HttpStatus.BAD_REQUEST);
     }
-    const ability = await this.getUserAbility(userId, mockRoles);
+    const ability = this.abilityFactory.createForUser(permissionData);
     const { roles, and } = requirement;
     const checkResults = roles.map((role) => ability.can(role, ROLE_SUBJECT));
     const hasRole = and ? checkResults.every((result) => result) : checkResults.some((result) => result);
@@ -512,371 +416,68 @@ var PermissionService = class _PermissionService {
     }
     return permissionData;
   }
-  /**
-  * 检查权限要求
-  * @param requirements 权限要求列表
-  * @param userId 用户ID
-  * @returns 用户权限数据
-  * @throws PermissionDeniedException 当权限不满足时
-  */
-  async checkPermissions(params, userId, mockRoles) {
-    const permissionData = await this.getUserPermissions(userId, mockRoles);
-    if (!permissionData) {
-      throw new PermissionDeniedException({
-        cause: new Error("Permission data fetch api is not configured"),
-        type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
-        message: "Permission data fetch api is not configured"
-      }, HttpStatus.BAD_REQUEST);
-    }
-    const { requirements, or } = params;
-    if (!requirements || requirements.length === 0) {
-      return permissionData;
-    }
-    const ability = await this.getUserAbility(userId, mockRoles);
-    const failedRequirements = [];
-    for (const requirement of requirements) {
-      const { actions, subject, or: or2 = false } = requirement;
-      const checkResults = actions.map((action) => ability.can(action, subject));
-      const hasPermission = or2 ? checkResults.some((result) => result) : checkResults.every((result) => result);
-      if (!hasPermission) {
-        failedRequirements.push({
-          actions,
-          subject: String(subject),
-          or: or2
-        });
-      }
-    }
-    if (failedRequirements.length > 0) {
-      if (or && failedRequirements.length === requirements.length) {
-        throw PermissionDeniedException.permissionRequired(failedRequirements.map(({ actions, subject }) => ({
-          actions,
-          subject: String(subject)
-        })), true);
-      } else if (!or) {
-        throw PermissionDeniedException.permissionRequired(failedRequirements.map(({ actions, subject }) => ({
-          actions,
-          subject: String(subject)
-        })), false);
-      }
-    }
-    return permissionData;
-  }
-  async getAbility(userId) {
-    return this.getUserAbility(userId);
-  }
 };
-PermissionService = _ts_decorate2([
-  Injectable2(),
+PermissionService = _ts_decorate4([
+  Injectable3(),
+  Public(),
   _ts_param(0, Inject(PERMISSION_API_CONFIG_TOKEN)),
-  _ts_param(1, Inject(CACHE_CONFIG_TOKEN)),
-  _ts_metadata("design:type", Function),
-  _ts_metadata("design:paramtypes", [
+  _ts_metadata2("design:type", Function),
+  _ts_metadata2("design:paramtypes", [
     typeof PermissionApiConfig === "undefined" ? Object : PermissionApiConfig,
-    typeof CacheConfig === "undefined" ? Object : CacheConfig,
     typeof AbilityFactory === "undefined" ? Object : AbilityFactory
   ])
 ], PermissionService);
 // src/guards/authzpaas.guard.ts
-import { Injectable as Injectable3, Inject as Inject2 } from "@nestjs/common";
-import { Reflector } from "@nestjs/core";
-// src/utils/index.ts
-function getMockRolesFromCookie(request) {
-  const mockRoles = request.cookies?.[MOCK_ROLES_COOKIE_KEY];
-  return mockRoles ? mockRoles.split(",").map((s) => s.trim()).filter(Boolean) : void 0;
-}
-__name(getMockRolesFromCookie, "getMockRolesFromCookie");
-// src/guards/authzpaas.guard.ts
-function _ts_decorate3(decorators, target, key, desc) {
+import { Injectable as Injectable4 } from "@nestjs/common";
+import { Reflector as Reflector3 } from "@nestjs/core";
+function _ts_decorate5(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
   else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 }
-__name(_ts_decorate3, "_ts_decorate");
-function _ts_metadata2(k, v) {
+__name(_ts_decorate5, "_ts_decorate");
+function _ts_metadata3(k, v) {
   if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 }
-__name(_ts_metadata2, "_ts_metadata");
-function _ts_param2(paramIndex, decorator) {
-  return function(target, key) {
-    decorator(target, key, paramIndex);
-  };
-}
-__name(_ts_param2, "_ts_param");
+__name(_ts_metadata3, "_ts_metadata");
 var AuthZPaasGuard = class {
   static {
     __name(this, "AuthZPaasGuard");
   }
   reflector;
   permissionService;
-  moduleOptions;
-  constructor(reflector, permissionService, moduleOptions) {
+  constructor(reflector, permissionService) {
     this.reflector = reflector;
     this.permissionService = permissionService;
-    this.moduleOptions = moduleOptions;
   }
   async canActivate(context) {
     const http = context.switchToHttp();
     const request = http.getRequest();
-    request[ENABLE_MOCK_ROLE_KEY] = this.moduleOptions?.enableMockRole;
-    const userId = this.extractUserId(request);
-    const mockRoles = this.moduleOptions?.enableMockRole ? getMockRolesFromCookie(request) : void 0;
+    const cookie = request.headers.cookie;
+    const csrfToken = request.csrfToken;
+    const baseUrl = `${request.protocol}://${request.get("host")}`;
+    const userContext = request.userContext;
+    userContext.baseUrl = baseUrl;
     const checkRoleRequirement = this.reflector.getAllAndOverride(ROLES_KEY, [
       context.getHandler(),
       context.getClass()
     ]);
     if (checkRoleRequirement) {
-      await this.checkRoleRequirement(checkRoleRequirement, userId, mockRoles);
-    }
-    const checkPermissionParams = this.reflector.getAllAndOverride(PERMISSIONS_KEY, [
-      context.getHandler(),
-      context.getClass()
-    ]);
-    if (checkPermissionParams) {
-      await this.checkPermissionRequirement(checkPermissionParams, userId, mockRoles);
-    }
-    const envRequirement = this.reflector.getAllAndOverride(ENVIRONMENT_KEY, [
-      context.getHandler(),
-      context.getClass()
-    ]);
-    if (envRequirement) {
-      const envContext = this.extractEnvironmentContext(request);
-      await this.checkEnvironmentRequirement(envRequirement, envContext, request);
+      await this.permissionService.checkRoles(checkRoleRequirement, userContext, cookie, csrfToken);
     }
     return true;
   }
-  /**
-  * 从请求中提取用户ID
-  * 子类可以重写此方法以适应不同的认证策略
-  */
-  extractUserId(request) {
-    const mockUserId = request.cookies?.mockUserId;
-    if (mockUserId) return mockUserId;
-    return request.userContext?.userId;
-  }
-  /**
-  * 从请求中提取环境上下文
-  */
-  extractEnvironmentContext(request) {
-    const regionHeader = request.headers["x-region"];
-    const osHeader = request.headers["x-os"];
-    const uaHeader = request.headers["user-agent"];
-    const region = Array.isArray(regionHeader) ? regionHeader[0] : regionHeader;
-    const os = Array.isArray(osHeader) ? osHeader[0] : osHeader;
-    const userAgent = Array.isArray(uaHeader) ? uaHeader[0] : uaHeader;
-    return {
-      network: {
-        ip: request.ip || request.connection?.remoteAddress,
-        region
-      },
-      device: {
-        type: this.detectDeviceType(userAgent),
-        os,
-        browser: userAgent
-      },
-      custom: {
-        headers: request.headers,
-        query: request.query
-      }
-    };
-  }
-  /**
-  * 检测设备类型
-  */
-  detectDeviceType(userAgent) {
-    if (!userAgent) return "desktop";
-    const ua = userAgent.toLowerCase();
-    if (/(tablet|ipad|playbook|silk)|(android(?!.*mobile))/i.test(ua)) {
-      return "tablet";
-    }
-    if (/mobile|iphone|ipod|android|blackberry|opera mini|iemobile/i.test(ua)) {
-      return "mobile";
-    }
-    return "desktop";
-  }
-  /**
-  * 检查角色要求
-  */
-  async checkRoleRequirement(requirement, userId, mockRoles) {
-    return this.permissionService.checkRoles(requirement, userId, mockRoles);
-  }
-  /**
-  * 检查权限要求
-  */
-  async checkPermissionRequirement(params, userId, mockRoles) {
-    return this.permissionService.checkPermissions(params, userId, mockRoles);
-  }
-  /**
-  * 检查环境要求
-  */
-  async checkEnvironmentRequirement(requirement, envContext, request) {
-    if (requirement.network) {
-      await this.checkNetworkRequirement(requirement.network, envContext);
-    }
-    if (requirement.device) {
-      await this.checkDeviceRequirement(requirement.device, envContext);
-    }
-    if (requirement.custom) {
-      const result = await requirement.custom(request);
-      if (!result) {
-        throw PermissionDeniedException.environmentRequired("custom", "\u4E0D\u6EE1\u8DB3\u81EA\u5B9A\u4E49\u73AF\u5883\u8981\u6C42");
-      }
-    }
-  }
-  /**
-  * 检查网络要求
-  */
-  async checkNetworkRequirement(requirement, envContext) {
-    const ip = envContext.network?.ip;
-    if (requirement.allowedIPs && ip) {
-      const isAllowed = this.checkIPMatch(ip, requirement.allowedIPs);
-      if (!isAllowed) {
-        throw PermissionDeniedException.environmentRequired("network.allowedIPs", `IP \u5730\u5740\u4E0D\u5728\u5141\u8BB8\u5217\u8868\u4E2D: ${ip}`);
-      }
-    }
-    if (requirement.blockedIPs && ip) {
-      const isBlocked = this.checkIPMatch(ip, requirement.blockedIPs);
-      if (isBlocked) {
-        throw PermissionDeniedException.environmentRequired("network.blockedIPs", `IP \u5730\u5740\u88AB\u7981\u6B62\u8BBF\u95EE: ${ip}`);
-      }
-    }
-    if (requirement.allowedRegions && envContext.network?.region) {
-      const isAllowed = requirement.allowedRegions.includes(envContext.network.region);
-      if (!isAllowed) {
-        throw PermissionDeniedException.environmentRequired("network.allowedRegions", `\u5730\u533A\u4E0D\u5728\u5141\u8BB8\u5217\u8868\u4E2D: ${envContext.network.region}`);
-      }
-    }
-  }
-  /**
-  * 检查设备要求
-  */
-  async checkDeviceRequirement(requirement, envContext) {
-    if (requirement.types && envContext.device?.type) {
-      const isAllowed = requirement.types.includes(envContext.device.type);
-      if (!isAllowed) {
-        throw PermissionDeniedException.environmentRequired("device.types", `\u4E0D\u5141\u8BB8\u7684\u8BBE\u5907\u7C7B\u578B: ${envContext.device.type}`);
-      }
-    }
-  }
-  /**
-  * 检查 IP 是否匹配
-  * 简化版本，仅支持精确匹配
-  * 生产环境建议使用 ipaddr.js 等库
-  */
-  checkIPMatch(ip, patterns) {
-    return patterns.some((pattern) => {
-      if (pattern === ip) return true;
-      return false;
-    });
-  }
-};
-AuthZPaasGuard = _ts_decorate3([
-  Injectable3(),
-  _ts_param2(2, Inject2(AUTHZPAAS_MODULE_OPTIONS)),
-  _ts_metadata2("design:type", Function),
-  _ts_metadata2("design:paramtypes", [
-    typeof Reflector === "undefined" ? Object : Reflector,
-    typeof PermissionService === "undefined" ? Object : PermissionService,
-    typeof AuthZPaasModuleOptions === "undefined" ? Object : AuthZPaasModuleOptions
-  ])
-], AuthZPaasGuard);
-// src/middlewares/roles.middleware.ts
-import { Injectable as Injectable4, Logger as Logger2 } from "@nestjs/common";
-function _ts_decorate4(decorators, target, key, desc) {
-  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-  return c > 3 && r && Object.defineProperty(target, key, r), r;
-}
-__name(_ts_decorate4, "_ts_decorate");
-function _ts_metadata3(k, v) {
-  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
-}
-__name(_ts_metadata3, "_ts_metadata");
-var RolesMiddleware = class _RolesMiddleware {
-  static {
-    __name(this, "RolesMiddleware");
-  }
-  permissionService;
-  logger = new Logger2(_RolesMiddleware.name);
-  constructor(permissionService) {
-    this.permissionService = permissionService;
-  }
-  async use(req, _res, next) {
-    try {
-      const userId = req.userContext?.userId;
-      const mockRoles = req[ENABLE_MOCK_ROLE_KEY] ? getMockRolesFromCookie(req) : void 0;
-      this.logger.debug(`Fetching roles for user: ${userId}`);
-      const permissionData = await this.permissionService.getUserPermissions(userId, mockRoles);
-      let roles;
-      if (permissionData) {
-        roles = permissionData.roles;
-      }
-      req.userContext.userRoles = roles;
-      req.userContext.userId = userId;
-      this.logger.debug(`User ${userId} roles loaded: [${roles?.join(", ")}]`);
-      next();
-    } catch (error) {
-      this.logger.warn(`Failed to fetch roles for request: ${error instanceof Error ? error.message : "Unknown error"}`);
-      next();
-    }
-  }
 };
-RolesMiddleware = _ts_decorate4([
+AuthZPaasGuard = _ts_decorate5([
   Injectable4(),
   _ts_metadata3("design:type", Function),
   _ts_metadata3("design:paramtypes", [
+    typeof Reflector3 === "undefined" ? Object : Reflector3,
     typeof PermissionService === "undefined" ? Object : PermissionService
   ])
-], RolesMiddleware);
-// src/filters/authzpaas-exception.filter.ts
-import { Catch } from "@nestjs/common";
-function _ts_decorate5(decorators, target, key, desc) {
-  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-  return c > 3 && r && Object.defineProperty(target, key, r), r;
-}
-__name(_ts_decorate5, "_ts_decorate");
-var AuthZPaasExceptionFilter = class {
-  static {
-    __name(this, "AuthZPaasExceptionFilter");
-  }
-  catch(exception, host) {
-    const ctx = host.switchToHttp();
-    const response = ctx.getResponse();
-    const status = exception.getStatus();
-    const exceptionResponse = exception.getResponse();
-    const errorResponse = {
-      statusCode: status,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      cause: exception.cause,
-      type: exception.type,
-      message: typeof exceptionResponse === "string" ? exceptionResponse : exceptionResponse.message || "\u6743\u9650\u4E0D\u8DB3"
-    };
-    if (exception.details.requiredRoles) {
-      errorResponse.requiredRoles = exception.details.requiredRoles;
-    }
-    if (exception.details.requiredPermissions) {
-      errorResponse.requiredPermissions = exception.details.requiredPermissions;
-    }
-    if (exception.details.environmentRequirement) {
-      errorResponse.environmentRequirement = exception.details.environmentRequirement;
-    }
-    if (exception.details.metadata) {
-      errorResponse.metadata = exception.details.metadata;
-    }
-    response.status(status).json(errorResponse);
-  }
-};
-AuthZPaasExceptionFilter = _ts_decorate5([
-  Catch(PermissionDeniedException)
-], AuthZPaasExceptionFilter);
+], AuthZPaasGuard);
 // src/authzpaas.module.ts
 function _ts_decorate6(decorators, target, key, desc) {
@@ -891,53 +492,38 @@ var AuthZPaasModule = class _AuthZPaasModule {
     __name(this, "AuthZPaasModule");
   }
   static forRoot(options) {
-    const { permissionApi, cache = {
-      ttl: 300,
-      max: 1e3,
-      enabled: true
-    }, isGlobal = true } = options;
+    const { permissionApi = {} } = options || {};
     return {
       module: _AuthZPaasModule,
-      global: isGlobal,
+      global: true,
       controllers: [],
       providers: [
         // 配置提供者
         {
           provide: AUTHZPAAS_MODULE_OPTIONS,
           useValue: {
-            ...options,
-            loginPath: options.loginPath || DEFAULT_LOGIN_PATH
+            ...options
           }
         },
         {
           provide: PERMISSION_API_CONFIG_TOKEN,
           useValue: permissionApi
         },
-        {
-          provide: CACHE_CONFIG_TOKEN,
-          useValue: cache
-        },
         // 核心服务
-        Reflector2,
+        Reflector4,
         // 服务提供者
         PermissionService,
         AbilityFactory,
         AuthZPaasGuard,
-        RolesMiddleware,
         // 守卫提供者
         {
-          provide: APP_GUARD,
+          provide: APP_GUARD2,
           useClass: AuthZPaasGuard
-        },
-        {
-          provide: APP_FILTER,
-          useClass: AuthZPaasExceptionFilter
         }
       ],
       exports: [
         PermissionService,
-        AbilityFactory,
-        RolesMiddleware
+        AbilityFactory
       ]
     };
   }
@@ -972,10 +558,10 @@ var AuthZPaasModule = class _AuthZPaasModule {
   * ```
   */
   static forRootAsync(options) {
-    const { imports = [], inject = [], useFactory, isGlobal = true } = options;
+    const { imports = [], inject = [], useFactory } = options;
     return {
       module: _AuthZPaasModule,
-      global: isGlobal,
+      global: true,
       imports,
       controllers: [],
       providers: [
@@ -995,51 +581,31 @@ var AuthZPaasModule = class _AuthZPaasModule {
             AUTHZPAAS_MODULE_OPTIONS
           ]
         },
-        // 缓存配置提供者
-        {
-          provide: CACHE_CONFIG_TOKEN,
-          useFactory: /* @__PURE__ */ __name((moduleOptions) => {
-            return moduleOptions.cache || {
-              ttl: 300,
-              max: 1e3,
-              enabled: true
-            };
-          }, "useFactory"),
-          inject: [
-            AUTHZPAAS_MODULE_OPTIONS
-          ]
-        },
         // 核心服务
-        Reflector2,
+        Reflector4,
         // 服务提供者
         PermissionService,
         AbilityFactory,
         AuthZPaasGuard,
-        RolesMiddleware,
         // 守卫提供者
         {
-          provide: APP_GUARD,
+          provide: APP_GUARD2,
           useClass: AuthZPaasGuard
-        },
-        {
-          provide: APP_FILTER,
-          useClass: AuthZPaasExceptionFilter
         }
       ],
       exports: [
         PermissionService,
-        AbilityFactory,
-        RolesMiddleware
+        AbilityFactory
       ]
     };
   }
 };
 AuthZPaasModule = _ts_decorate6([
-  Module({})
+  Module2({})
 ], AuthZPaasModule);
 // src/decorators/can-role.decorator.ts
-import { SetMetadata } from "@nestjs/common";
+import { SetMetadata as SetMetadata3 } from "@nestjs/common";
 var CanRole = /* @__PURE__ */ __name((role, and = false) => {
   let requirement;
   if (!Array.isArray(role) && typeof role === "string") {
@@ -1057,364 +623,27 @@ var CanRole = /* @__PURE__ */ __name((role, and = false) => {
   } else {
     throw new Error("Invalid CanRole parameter: " + JSON.stringify(role));
   }
-  return SetMetadata(ROLES_KEY, requirement);
+  return SetMetadata3(ROLES_KEY, requirement);
 }, "CanRole");
-// src/decorators/can-permission.decorator.ts
-import { SetMetadata as SetMetadata2 } from "@nestjs/common";
-var CanPermission = /* @__PURE__ */ __name((permission, or) => {
-  let requirements;
-  if (Array.isArray(permission)) {
-    requirements = permission;
-  } else if (typeof permission === "object" && "subject" in permission) {
-    requirements = [
-      permission
-    ];
-  } else {
-    throw new Error("Invalid CanPermission parameter: " + JSON.stringify(permission));
-  }
-  return SetMetadata2(PERMISSIONS_KEY, {
-    requirements,
-    or: or ?? false
-  });
-}, "CanPermission");
-// src/decorators/can-env.decorator.ts
-import { SetMetadata as SetMetadata3 } from "@nestjs/common";
-var CanEnv = /* @__PURE__ */ __name((requirement) => {
-  return SetMetadata3(ENVIRONMENT_KEY, requirement);
-}, "CanEnv");
-// src/decorators/user-id.decorator.ts
-import { createParamDecorator } from "@nestjs/common";
-var UserId = createParamDecorator((_data, ctx) => {
-  const request = ctx.switchToHttp().getRequest();
-  return request.userContext?.userId;
-});
-// src/decorators/mock-roles.decorator.ts
-import { createParamDecorator as createParamDecorator2 } from "@nestjs/common";
-var MockRoles = createParamDecorator2((_data, ctx) => {
-  const request = ctx.switchToHttp().getRequest();
-  const mockRoles = getMockRolesFromCookie(request);
-  return request[ENABLE_MOCK_ROLE_KEY] ? mockRoles : void 0;
-});
-// src/controllers/permission.controller.ts
-import { Controller, Get, Post, Res, Body } from "@nestjs/common";
-import { ApiOperation, ApiResponse, ApiTags, ApiProperty } from "@nestjs/swagger";
-function _ts_decorate7(decorators, target, key, desc) {
-  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-  return c > 3 && r && Object.defineProperty(target, key, r), r;
-}
-__name(_ts_decorate7, "_ts_decorate");
-function _ts_metadata4(k, v) {
-  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
-}
-__name(_ts_metadata4, "_ts_metadata");
-function _ts_param3(paramIndex, decorator) {
-  return function(target, key) {
-    decorator(target, key, paramIndex);
-  };
-}
-__name(_ts_param3, "_ts_param");
-var PermissionDto = class {
-  static {
-    __name(this, "PermissionDto");
-  }
-  sub;
-  actions;
-  id;
-  name;
-  conditions;
-};
-_ts_decorate7([
-  ApiProperty({
-    description: "\u8D44\u6E90\u7C7B\u578B",
-    example: "task"
-  }),
-  _ts_metadata4("design:type", String)
-], PermissionDto.prototype, "sub", void 0);
-_ts_decorate7([
-  ApiProperty({
-    description: "\u64CD\u4F5C\u7C7B\u578B\u5217\u8868",
-    example: [
-      "create",
-      "read",
-      "update",
-      "delete"
-    ],
-    type: [
-      String
-    ]
-  }),
-  _ts_metadata4("design:type", Array)
-], PermissionDto.prototype, "actions", void 0);
-_ts_decorate7([
-  ApiProperty({
-    description: "\u6743\u9650ID",
-    required: false
-  }),
-  _ts_metadata4("design:type", String)
-], PermissionDto.prototype, "id", void 0);
-_ts_decorate7([
-  ApiProperty({
-    description: "\u6743\u9650\u540D\u79F0",
-    required: false
-  }),
-  _ts_metadata4("design:type", String)
-], PermissionDto.prototype, "name", void 0);
-_ts_decorate7([
-  ApiProperty({
-    description: "\u6743\u9650\u6761\u4EF6",
-    required: false,
-    type: "object"
-  }),
-  _ts_metadata4("design:type", typeof Record === "undefined" ? Object : Record)
-], PermissionDto.prototype, "conditions", void 0);
-var PermissionResponse = class {
-  static {
-    __name(this, "PermissionResponse");
-  }
-  userId;
-  roles;
-  permissions;
-  fetchedAt;
-};
-_ts_decorate7([
-  ApiProperty({
-    description: "\u7528\u6237ID",
-    example: "user123",
-    required: false
-  }),
-  _ts_metadata4("design:type", String)
-], PermissionResponse.prototype, "userId", void 0);
-_ts_decorate7([
-  ApiProperty({
-    description: "\u7528\u6237\u89D2\u8272\u5217\u8868",
-    example: [
-      "admin",
-      "user"
-    ],
-    type: [
-      String
-    ]
-  }),
-  _ts_metadata4("design:type", Array)
-], PermissionResponse.prototype, "roles", void 0);
-_ts_decorate7([
-  ApiProperty({
-    description: "\u7528\u6237\u6743\u9650\u70B9\u4F4D\u5217\u8868",
-    type: [
-      PermissionDto
-    ]
-  }),
-  _ts_metadata4("design:type", Array)
-], PermissionResponse.prototype, "permissions", void 0);
-_ts_decorate7([
-  ApiProperty({
-    description: "\u6570\u636E\u83B7\u53D6\u65F6\u95F4",
-    example: "2025-10-14T00:00:00.000Z"
-  }),
-  _ts_metadata4("design:type", typeof Date === "undefined" ? Object : Date)
-], PermissionResponse.prototype, "fetchedAt", void 0);
-var PermissionController = class {
-  static {
-    __name(this, "PermissionController");
-  }
-  permissionService;
-  constructor(permissionService) {
-    this.permissionService = permissionService;
-  }
-  /**
-  * 获取当前用户的权限数据
-  *
-  * @param userId 当前用户ID（从请求上下文中获取）
-  * @returns 用户权限数据
-  *
-  * @example
-  * GET /api/permissions
-  *
-  * Response:
-  * {
-  *   "userId": "user123",
-  *   "roles": ["admin", "user"],
-  *   "permissions": [
-  *     { "sub": "task", "actions": ["create", "read", "update", "delete"] }
-  *   ],
-  *   "fetchedAt": "2025-10-14T00:00:00.000Z"
-  * }
-  */
-  async getUserPermissions(userId, mockRoles) {
-    const permissionData = await this.permissionService.getUserPermissions(userId, mockRoles);
-    return {
-      userId: permissionData?.userId,
-      roles: permissionData?.roles || [],
-      permissions: permissionData?.permissions || [],
-      fetchedAt: permissionData?.fetchedAt || /* @__PURE__ */ new Date()
-    };
-  }
-  /**
-  * 开启角色模拟：将传入的 userId 写入 cookie，服务端优先使用该值请求权限
-  */
-  async enableMock(res, roles) {
-    if (!Array.isArray(roles) || roles.length === 0) {
-      return {
-        success: false,
-        message: "roles \u4E0D\u80FD\u4E3A\u7A7A"
-      };
-    }
-    const val = roles.join(",");
-    res.cookie(MOCK_ROLES_COOKIE_KEY, val, {
-      httpOnly: false,
-      sameSite: "lax",
-      maxAge: 24 * 60 * 60 * 1e3,
-      path: "/"
-    });
-    return {
-      success: true,
-      roles
-    };
-  }
-  /**
-  * 关闭角色模拟：清除 cookie
-  */
-  async disableMock(res) {
-    res.clearCookie(MOCK_ROLES_COOKIE_KEY, {
-      path: "/"
-    });
-    return {
-      success: true
-    };
-  }
-  async getMockRoles(mockRoles, userId) {
-    const permissionData = await this.permissionService.getUserPermissions(userId, mockRoles);
-    return {
-      mocking: !!mockRoles,
-      roles: permissionData?.roles || [],
-      permissions: permissionData?.permissions || [],
-      fetchedAt: permissionData?.fetchedAt || /* @__PURE__ */ new Date(),
-      userId
-    };
-  }
-};
-_ts_decorate7([
-  Get(),
-  ApiOperation({
-    summary: "\u83B7\u53D6\u5F53\u524D\u7528\u6237\u7684\u6743\u9650\u6570\u636E"
-  }),
-  ApiResponse({
-    status: 200,
-    description: "\u6210\u529F\u8FD4\u56DE\u7528\u6237\u6743\u9650\u6570\u636E",
-    type: PermissionResponse
-  }),
-  ApiResponse({
-    status: 400,
-    description: "\u7528\u6237\u672A\u8BA4\u8BC1"
-  }),
-  _ts_param3(0, UserId()),
-  _ts_param3(1, MockRoles()),
-  _ts_metadata4("design:type", Function),
-  _ts_metadata4("design:paramtypes", [
-    String,
-    Array
-  ]),
-  _ts_metadata4("design:returntype", Promise)
-], PermissionController.prototype, "getUserPermissions", null);
-_ts_decorate7([
-  Post("mock/enable"),
-  ApiOperation({
-    summary: "\u5F00\u542F\u89D2\u8272\u6A21\u62DF\uFF08\u5199\u5165 cookie: mockRoles\uFF09"
-  }),
-  ApiResponse({
-    status: 200,
-    description: "\u6A21\u62DF\u5DF2\u5F00\u542F"
-  }),
-  _ts_param3(0, Res({
-    passthrough: true
-  })),
-  _ts_param3(1, Body("roles")),
-  _ts_metadata4("design:type", Function),
-  _ts_metadata4("design:paramtypes", [
-    typeof Response === "undefined" ? Object : Response,
-    Array
-  ]),
-  _ts_metadata4("design:returntype", Promise)
-], PermissionController.prototype, "enableMock", null);
-_ts_decorate7([
-  Post("mock/disable"),
-  ApiOperation({
-    summary: "\u5173\u95ED\u89D2\u8272\u6A21\u62DF\uFF08\u6E05\u9664 cookie: mockRoles\uFF09"
-  }),
-  ApiResponse({
-    status: 200,
-    description: "\u6A21\u62DF\u5DF2\u5173\u95ED"
-  }),
-  _ts_param3(0, Res({
-    passthrough: true
-  })),
-  _ts_metadata4("design:type", Function),
-  _ts_metadata4("design:paramtypes", [
-    typeof Response === "undefined" ? Object : Response
-  ]),
-  _ts_metadata4("design:returntype", Promise)
-], PermissionController.prototype, "disableMock", null);
-_ts_decorate7([
-  Get("mock/status"),
-  ApiOperation({
-    summary: "\u83B7\u53D6\u5F53\u524D\u7528\u6237\u7684\u89D2\u8272\u6A21\u62DF\u72B6\u6001"
-  }),
-  ApiResponse({
-    status: 200,
-    description: "\u6210\u529F\u8FD4\u56DE\u89D2\u8272\u6A21\u62DF\u6570\u636E"
-  }),
-  _ts_param3(0, MockRoles()),
-  _ts_param3(1, UserId()),
-  _ts_metadata4("design:type", Function),
-  _ts_metadata4("design:paramtypes", [
-    Object,
-    String
-  ]),
-  _ts_metadata4("design:returntype", Promise)
-], PermissionController.prototype, "getMockRoles", null);
-PermissionController = _ts_decorate7([
-  ApiTags("\u6743\u9650\u7BA1\u7406"),
-  Controller("api/permissions"),
-  _ts_metadata4("design:type", Function),
-  _ts_metadata4("design:paramtypes", [
-    typeof PermissionService === "undefined" ? Object : PermissionService
-  ])
-], PermissionController);
 export {
   ANONYMOUS_USER_ID,
   AUTHZPAAS_MODULE_OPTIONS,
   AbilityFactory,
-  AuthZPaasExceptionFilter,
   AuthZPaasGuard,
   AuthZPaasModule,
   CACHE_CONFIG_TOKEN,
-  CanEnv,
-  CanPermission,
   CanRole,
   DEFAULT_LOGIN_PATH,
   ENABLE_MOCK_ROLE_KEY,
   ENVIRONMENT_KEY,
   MOCK_ROLES_COOKIE_KEY,
-  MockRoles,
-  NEED_LOGIN_KEY,
+  NEED_LOGIN_KEY2 as NEED_LOGIN_KEY,
   PERMISSIONS_KEY,
   PERMISSION_API_CONFIG_TOKEN,
-  PermissionController,
   PermissionDeniedException,
   PermissionDeniedType,
-  PermissionDto,
-  PermissionResponse,
   PermissionService,
   ROLES_KEY,
-  ROLE_SUBJECT,
-  RolesMiddleware,
-  UserId
+  ROLE_SUBJECT
 };
 //# sourceMappingURL=index.js.map