npm - @lark-apaas/nestjs-authzpaas - Versions diffs - 0.1.0-alpha.0 - Mend

@lark-apaas/nestjs-authzpaas 0.1.0-alpha.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.cjs ADDED Viewed

@@ -0,0 +1,1472 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ANONYMOUS_USER_ID: () => ANONYMOUS_USER_ID,
+  AUTHZPAAS_MODULE_OPTIONS: () => AUTHZPAAS_MODULE_OPTIONS,
+  AbilityFactory: () => AbilityFactory,
+  AuthZPaasExceptionFilter: () => AuthZPaasExceptionFilter,
+  AuthZPaasGuard: () => AuthZPaasGuard,
+  AuthZPaasModule: () => AuthZPaasModule,
+  CACHE_CONFIG_TOKEN: () => CACHE_CONFIG_TOKEN,
+  CanEnv: () => CanEnv,
+  CanPermission: () => CanPermission,
+  CanRole: () => CanRole,
+  DEFAULT_LOGIN_PATH: () => DEFAULT_LOGIN_PATH,
+  ENABLE_MOCK_ROLE_KEY: () => ENABLE_MOCK_ROLE_KEY,
+  ENVIRONMENT_KEY: () => ENVIRONMENT_KEY,
+  MOCK_ROLES_COOKIE_KEY: () => MOCK_ROLES_COOKIE_KEY,
+  MockRoles: () => MockRoles,
+  NEED_LOGIN_KEY: () => NEED_LOGIN_KEY,
+  PERMISSIONS_KEY: () => PERMISSIONS_KEY,
+  PERMISSION_API_CONFIG_TOKEN: () => PERMISSION_API_CONFIG_TOKEN,
+  PermissionController: () => PermissionController,
+  PermissionDeniedException: () => PermissionDeniedException,
+  PermissionDeniedType: () => PermissionDeniedType,
+  PermissionDto: () => PermissionDto,
+  PermissionResponse: () => PermissionResponse,
+  PermissionService: () => PermissionService,
+  ROLES_KEY: () => ROLES_KEY,
+  ROLE_SUBJECT: () => ROLE_SUBJECT,
+  RolesMiddleware: () => RolesMiddleware,
+  UserId: () => UserId
+});
+module.exports = __toCommonJS(index_exports);
+// src/authzpaas.module.ts
+var import_common7 = require("@nestjs/common");
+var import_core2 = require("@nestjs/core");
+// src/const.ts
+var ANONYMOUS_USER_ID = "anonymous_user_id";
+var PERMISSION_API_CONFIG_TOKEN = Symbol("PERMISSION_API_CONFIG");
+var CACHE_CONFIG_TOKEN = Symbol("CACHE_CONFIG");
+var AUTHZPAAS_MODULE_OPTIONS = Symbol("AUTHZPAAS_MODULE_OPTIONS");
+var ROLES_KEY = "authzpaas:roles";
+var PERMISSIONS_KEY = "authzpaas:permissions";
+var ENVIRONMENT_KEY = "authzpaas:environment";
+var NEED_LOGIN_KEY = "authzpaas:needLogin";
+var DEFAULT_LOGIN_PATH = "/login";
+var MOCK_ROLES_COOKIE_KEY = "mockRoles";
+var ENABLE_MOCK_ROLE_KEY = "__authzpaas_enableMockRole";
+// src/services/permission.service.ts
+var import_common3 = require("@nestjs/common");
+// src/utils/memory-cache.ts
+var MemoryCache = class {
+  static {
+    __name(this, "MemoryCache");
+  }
+  cache;
+  accessOrder;
+  options;
+  hits = 0;
+  misses = 0;
+  constructor(options) {
+    this.cache = /* @__PURE__ */ new Map();
+    this.accessOrder = [];
+    this.options = options;
+  }
+  /**
+  * 获取缓存值
+  */
+  get(key) {
+    if (!this.options.enabled) {
+      return void 0;
+    }
+    const item = this.cache.get(key);
+    if (!item) {
+      this.misses++;
+      return void 0;
+    }
+    if (Date.now() > item.expireAt) {
+      this.cache.delete(key);
+      this.removeFromAccessOrder(key);
+      this.misses++;
+      return void 0;
+    }
+    this.updateAccessOrder(key);
+    this.hits++;
+    return item.value;
+  }
+  /**
+  * 设置缓存值
+  */
+  set(key, value) {
+    if (!this.options.enabled) {
+      return;
+    }
+    if (this.cache.size >= this.options.max && !this.cache.has(key)) {
+      this.evictLRU();
+    }
+    const expireAt = Date.now() + this.options.ttl * 1e3;
+    this.cache.set(key, {
+      value,
+      expireAt
+    });
+    this.updateAccessOrder(key);
+  }
+  /**
+  * 删除缓存
+  */
+  delete(key) {
+    this.cache.delete(key);
+    this.removeFromAccessOrder(key);
+  }
+  /**
+  * 清空所有缓存
+  */
+  clear() {
+    this.cache.clear();
+    this.accessOrder = [];
+    this.hits = 0;
+    this.misses = 0;
+  }
+  /**
+  * 获取缓存统计信息
+  */
+  getStats() {
+    return {
+      size: this.cache.size,
+      hits: this.hits,
+      misses: this.misses,
+      hitRate: this.hits / (this.hits + this.misses) || 0,
+      enabled: this.options.enabled
+    };
+  }
+  /**
+  * 更新访问顺序
+  */
+  updateAccessOrder(key) {
+    this.removeFromAccessOrder(key);
+    this.accessOrder.push(key);
+  }
+  /**
+  * 从访问顺序中移除
+  */
+  removeFromAccessOrder(key) {
+    const index = this.accessOrder.indexOf(key);
+    if (index > -1) {
+      this.accessOrder.splice(index, 1);
+    }
+  }
+  /**
+  * 淘汰最少使用的项
+  */
+  evictLRU() {
+    if (this.accessOrder.length > 0) {
+      const oldestKey = this.accessOrder[0];
+      this.delete(oldestKey);
+    }
+  }
+};
+// src/casl/ability.factory.ts
+var import_common = require("@nestjs/common");
+var import_ability = require("@casl/ability");
+function _ts_decorate(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate, "_ts_decorate");
+var ROLE_SUBJECT = "@role";
+var AbilityFactory = class {
+  static {
+    __name(this, "AbilityFactory");
+  }
+  /**
+  * 为用户创建 Ability
+  */
+  createForUser(permissionData) {
+    const { can, build } = new import_ability.AbilityBuilder(import_ability.PureAbility);
+    for (const permission of permissionData.permissions) {
+      const { sub, actions } = permission;
+      for (const action of actions) {
+        can(action, sub);
+      }
+    }
+    for (const role of permissionData.roles) {
+      can(role, ROLE_SUBJECT);
+    }
+    return build();
+  }
+};
+AbilityFactory = _ts_decorate([
+  (0, import_common.Injectable)()
+], AbilityFactory);
+// src/exceptions/permission-denied.exception.ts
+var import_common2 = require("@nestjs/common");
+var PermissionDeniedType = /* @__PURE__ */ (function(PermissionDeniedType2) {
+  PermissionDeniedType2["UNAUTHENTICATED"] = "UNAUTHENTICATED";
+  PermissionDeniedType2["ROLE_REQUIRED"] = "ROLE_REQUIRED";
+  PermissionDeniedType2["PERMISSION_REQUIRED"] = "PERMISSION_REQUIRED";
+  PermissionDeniedType2["ENVIRONMENT_REQUIRED"] = "ENVIRONMENT_REQUIRED";
+  PermissionDeniedType2["PERMISSION_CONFIG_QUERY_FAILED"] = "PERMISSION_CONFIG_QUERY_FAILED";
+  return PermissionDeniedType2;
+})({});
+var PermissionDeniedException = class _PermissionDeniedException extends import_common2.HttpException {
+  static {
+    __name(this, "PermissionDeniedException");
+  }
+  type;
+  details;
+  constructor(details, httpStatusCode = 403) {
+    super({
+      statusCode: httpStatusCode,
+      cause: details.cause,
+      type: details.type,
+      message: details.message,
+      ...details.requiredRoles && {
+        requiredRoles: details.requiredRoles
+      },
+      ...details.requiredPermissions && {
+        requiredPermissions: details.requiredPermissions
+      },
+      ...details.environmentRequirement && {
+        environmentRequirement: details.environmentRequirement
+      },
+      ...details.metadata && {
+        metadata: details.metadata
+      }
+    }, httpStatusCode);
+    this.type = details.type;
+    this.details = details;
+    this.name = "PermissionDeniedException";
+  }
+  /**
+  * 创建用户未认证异常
+  */
+  static unauthenticated(message = "\u7528\u6237\u672A\u8BA4\u8BC1") {
+    return new _PermissionDeniedException({
+      type: "UNAUTHENTICATED",
+      message
+    });
+  }
+  /**
+  * 创建角色不足异常
+  */
+  static roleRequired(requiredRoles, and = false) {
+    const message = and ? `\u9700\u8981\u6240\u6709\u89D2\u8272: ${requiredRoles.join(", ")}` : `\u9700\u8981\u4EE5\u4E0B\u4EFB\u4E00\u89D2\u8272: ${requiredRoles.join(", ")}`;
+    return new _PermissionDeniedException({
+      type: "ROLE_REQUIRED",
+      message,
+      requiredRoles,
+      metadata: {
+        and
+      }
+    });
+  }
+  /**
+  * 创建权限不足异常
+  */
+  static permissionRequired(requiredPermissions, or = false, customMessage) {
+    let message;
+    if (customMessage) {
+      message = customMessage;
+    } else if (requiredPermissions.length === 1) {
+      const perm = requiredPermissions[0];
+      message = or ? `\u7F3A\u5C11\u6743\u9650: \u9700\u8981\u5BF9 ${perm.subject} \u6267\u884C\u4EE5\u4E0B\u4EFB\u4E00\u64CD\u4F5C [${perm.actions.join(", ")}]` : `\u7F3A\u5C11\u6743\u9650: \u9700\u8981\u5BF9 ${perm.subject} \u6267\u884C\u6240\u6709\u64CD\u4F5C [${perm.actions.join(", ")}]`;
+    } else {
+      message = or ? `\u7F3A\u5C11\u6743\u9650: \u9700\u8981\u6EE1\u8DB3\u4EE5\u4E0B\u4EFB\u4E00\u6743\u9650\u8981\u6C42: ${requiredPermissions.map(({ actions, subject }) => `\u5BF9 ${subject} \u6267\u884C\u4EE5\u4E0B\u4EFB\u4E00\u64CD\u4F5C [${actions.join(", ")}]`).join(", ")}` : `\u7F3A\u5C11\u6743\u9650: \u9700\u8981\u6EE1\u8DB3\u4EE5\u4E0B\u6240\u6709\u6743\u9650\u8981\u6C42: ${requiredPermissions.map(({ actions, subject }) => `\u5BF9 ${subject} \u6267\u884C\u6240\u6709\u64CD\u4F5C [${actions.join(", ")}]`).join(", ")}`;
+    }
+    return new _PermissionDeniedException({
+      type: "PERMISSION_REQUIRED",
+      message,
+      requiredPermissions,
+      metadata: {
+        or
+      }
+    });
+  }
+  /**
+  * 创建环境不满足异常
+  */
+  static environmentRequired(requirement, message) {
+    return new _PermissionDeniedException({
+      type: "ENVIRONMENT_REQUIRED",
+      message: message || "\u4E0D\u6EE1\u8DB3\u73AF\u5883\u8981\u6C42",
+      environmentRequirement: requirement
+    });
+  }
+};
+// src/services/permission.service.ts
+function _ts_decorate2(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate2, "_ts_decorate");
+function _ts_metadata(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+__name(_ts_metadata, "_ts_metadata");
+function _ts_param(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+}
+__name(_ts_param, "_ts_param");
+var PermissionService = class _PermissionService {
+  static {
+    __name(this, "PermissionService");
+  }
+  apiConfig;
+  abilityFactory;
+  logger = new import_common3.Logger(_PermissionService.name);
+  // 统一的缓存，同时缓存权限数据和 Ability 实例
+  cache;
+  // 缓存正在进行中的 Promise，避免重复请求
+  pendingRequests = /* @__PURE__ */ new Map();
+  constructor(apiConfig, cacheConfig, abilityFactory) {
+    this.apiConfig = apiConfig;
+    this.abilityFactory = abilityFactory;
+    this.cache = new MemoryCache({
+      ttl: cacheConfig.ttl || 300,
+      max: cacheConfig.max || 1e3,
+      enabled: cacheConfig.enabled !== false
+    });
+    this.logger.log(`PermissionService initialized with API: ${apiConfig?.baseUrl}`);
+  }
+  /**
+  * 构建权限/Ability 缓存 key
+  * - 若存在模拟角色：按角色集合排序拼接 + 用户维度
+  * - 否则按 userId/匿名用户
+  */
+  buildCacheKey(userId, mockRoles) {
+    if (mockRoles && mockRoles.length > 0) {
+      const sortedRoles = [
+        ...mockRoles
+      ].sort();
+      return `@roles:${sortedRoles.join("|")}#u:${userId || ANONYMOUS_USER_ID}`;
+    }
+    return userId || ANONYMOUS_USER_ID;
+  }
+  /**
+  * 获取用户权限数据（带缓存）
+  */
+  async getUserPermissions(userId, mockRoles) {
+    if (!this.apiConfig?.endpoint) {
+      this.logger.warn("Permission API endpoint is not configured, returning null");
+      return null;
+    }
+    const key = this.buildCacheKey(userId, mockRoles);
+    const cached = this.cache.get(key);
+    if (cached) {
+      this.logger.debug(`Cache hit for user ${key}`);
+      return cached.permissionData;
+    }
+    const pendingRequest = this.pendingRequests.get(key);
+    if (pendingRequest) {
+      this.logger.debug(`Reusing pending request for user ${key}`);
+      return pendingRequest;
+    }
+    this.logger.debug(`Cache miss for key ${key}, fetching from API`);
+    const requestPromise = (async () => {
+      try {
+        const permissionData = mockRoles && mockRoles.length > 0 ? await this.getPermissionsByMockRoles(userId, mockRoles) : await this.fetchFromApi(userId);
+        const dataWithTimestamp = {
+          ...permissionData,
+          fetchedAt: /* @__PURE__ */ new Date()
+        };
+        const ability = this.abilityFactory.createForUser(dataWithTimestamp);
+        this.cache.set(key, {
+          permissionData: dataWithTimestamp,
+          ability
+        });
+        return dataWithTimestamp;
+      } catch (error) {
+        this.logger.error(`Failed to fetch permissions for key ${key}:`, error);
+        throw error;
+      } finally {
+        this.pendingRequests.delete(key);
+      }
+    })();
+    this.pendingRequests.set(key, requestPromise);
+    return requestPromise;
+  }
+  /**
+  * 从 API 获取权限数据
+  * 内置实现，用户无需配置
+  */
+  async fetchFromApi(userId) {
+    const { baseUrl, apiToken, endpoint, headers = {}, timeout = 5e3 } = this.apiConfig || {};
+    const url = `${baseUrl}${endpoint}${userId ? `?userId=${userId}` : ""}`;
+    const requestHeaders = {
+      "Content-Type": "application/json",
+      ...headers
+    };
+    if (apiToken) {
+      requestHeaders["Authorization"] = `Bearer ${apiToken}`;
+    }
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(url, {
+        method: "GET",
+        headers: requestHeaders,
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        const error = new Error(`Permission API returned ${response.status}: ${response.statusText}`);
+        throw new PermissionDeniedException({
+          cause: error,
+          type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
+          message: error.message
+        }, import_common3.HttpStatus.INTERNAL_SERVER_ERROR);
+      }
+      const data = await response.json();
+      const roles = (data.roles || []).map((role) => typeof role === "string" ? role : role.name);
+      return {
+        userId,
+        roles,
+        permissions: data.permissions || [],
+        fetchedAt: /* @__PURE__ */ new Date()
+      };
+    } catch (error) {
+      clearTimeout(timeoutId);
+      let err = error;
+      if (error.name === "AbortError") {
+        err = new Error(`Permission API request timeout after ${timeout}ms`);
+      }
+      throw new PermissionDeniedException({
+        cause: err,
+        type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
+        message: err.message
+      }, import_common3.HttpStatus.INTERNAL_SERVER_ERROR);
+    }
+  }
+  /**
+  * 基于模拟角色获取权限数据（不使用缓存）
+  * 该方法用于前端/守卫在检测到 mockRoles 时直接按角色获取权限
+  */
+  async getPermissionsByMockRoles(userId, mockRoles) {
+    const { baseUrl, timeout = 5e3 } = this.apiConfig || {};
+    const rolesParam = encodeURIComponent(mockRoles.join(","));
+    const userParam = userId ? `&userId=${encodeURIComponent(userId)}` : "";
+    const url = `${baseUrl}/mock-api/permissions-by-roles?roles=${rolesParam}${userParam}`;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(url, {
+        method: "GET",
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        throw new Error(`Permission API (mock by roles) returned ${response.status}: ${response.statusText}`);
+      }
+      const data = await response.json();
+      return {
+        userId,
+        roles: data.roles || [],
+        permissions: data.permissions || [],
+        fetchedAt: /* @__PURE__ */ new Date()
+      };
+    } catch (error) {
+      clearTimeout(timeoutId);
+      throw new PermissionDeniedException({
+        cause: error,
+        type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
+        message: error.message
+      }, import_common3.HttpStatus.INTERNAL_SERVER_ERROR);
+    }
+  }
+  /**
+  * 获取用户的 Ability 实例（带缓存）
+  * @param userId 用户ID
+  * @returns CASL Ability 实例
+  */
+  async getUserAbility(userId, mockRoles) {
+    const key = this.buildCacheKey(userId, mockRoles);
+    const cached = this.cache.get(key);
+    if (cached) {
+      return cached.ability;
+    }
+    await this.getUserPermissions(userId, mockRoles);
+    const newCached = this.cache.get(key);
+    return newCached.ability;
+  }
+  /**
+  * 清除用户权限缓存
+  */
+  clearUserCache(userId) {
+    const key = userId || ANONYMOUS_USER_ID;
+    this.cache.delete(key);
+    this.pendingRequests.delete(key);
+    this.logger.debug(`Cache cleared for user ${key}`);
+  }
+  /**
+  * 清除所有缓存
+  */
+  clearAllCache() {
+    this.cache.clear();
+    this.pendingRequests.clear();
+    this.logger.log("All permission cache cleared");
+  }
+  /**
+  * 获取缓存统计信息
+  */
+  getCacheStats() {
+    return this.cache.getStats();
+  }
+  /**
+  * 检查角色要求
+  * 使用 CASL Ability 统一鉴权方式
+  * @param requirement 角色要求
+  * @param userId 用户ID,匿名用户时为空
+  * @returns 用户权限数据
+  * @throws PermissionDeniedException 当角色不满足时
+  */
+  async checkRoles(requirement, userId, mockRoles) {
+    const permissionData = await this.getUserPermissions(userId, mockRoles);
+    if (!permissionData) {
+      throw new PermissionDeniedException({
+        cause: new Error("Permission data fetch api is not configured"),
+        type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
+        message: "Permission data fetch api is not configured"
+      }, import_common3.HttpStatus.BAD_REQUEST);
+    }
+    const ability = await this.getUserAbility(userId, mockRoles);
+    const { roles, and } = requirement;
+    const checkResults = roles.map((role) => ability.can(role, ROLE_SUBJECT));
+    const hasRole = and ? checkResults.every((result) => result) : checkResults.some((result) => result);
+    if (!hasRole) {
+      const userRoles = permissionData.roles;
+      this.logger.warn(`\u89D2\u8272\u68C0\u67E5\u5931\u8D25: \u7528\u6237 ${userId}, \u7528\u6237\u89D2\u8272 [${userRoles.join(", ")}], \u9700\u8981 [${roles.join(", ")}]`);
+      throw PermissionDeniedException.roleRequired(roles, and);
+    }
+    return permissionData;
+  }
+  /**
+  * 检查权限要求
+  * @param requirements 权限要求列表
+  * @param userId 用户ID
+  * @returns 用户权限数据
+  * @throws PermissionDeniedException 当权限不满足时
+  */
+  async checkPermissions(params, userId, mockRoles) {
+    const permissionData = await this.getUserPermissions(userId, mockRoles);
+    if (!permissionData) {
+      throw new PermissionDeniedException({
+        cause: new Error("Permission data fetch api is not configured"),
+        type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
+        message: "Permission data fetch api is not configured"
+      }, import_common3.HttpStatus.BAD_REQUEST);
+    }
+    const { requirements, or } = params;
+    if (!requirements || requirements.length === 0) {
+      return permissionData;
+    }
+    const ability = await this.getUserAbility(userId, mockRoles);
+    const failedRequirements = [];
+    for (const requirement of requirements) {
+      const { actions, subject, or: or2 = false } = requirement;
+      const checkResults = actions.map((action) => ability.can(action, subject));
+      const hasPermission = or2 ? checkResults.some((result) => result) : checkResults.every((result) => result);
+      if (!hasPermission) {
+        failedRequirements.push({
+          actions,
+          subject: String(subject),
+          or: or2
+        });
+      }
+    }
+    if (failedRequirements.length > 0) {
+      if (or && failedRequirements.length === requirements.length) {
+        throw PermissionDeniedException.permissionRequired(failedRequirements.map(({ actions, subject }) => ({
+          actions,
+          subject: String(subject)
+        })), true);
+      } else if (!or) {
+        throw PermissionDeniedException.permissionRequired(failedRequirements.map(({ actions, subject }) => ({
+          actions,
+          subject: String(subject)
+        })), false);
+      }
+    }
+    return permissionData;
+  }
+  async getAbility(userId) {
+    return this.getUserAbility(userId);
+  }
+};
+PermissionService = _ts_decorate2([
+  (0, import_common3.Injectable)(),
+  _ts_param(0, (0, import_common3.Inject)(PERMISSION_API_CONFIG_TOKEN)),
+  _ts_param(1, (0, import_common3.Inject)(CACHE_CONFIG_TOKEN)),
+  _ts_metadata("design:type", Function),
+  _ts_metadata("design:paramtypes", [
+    typeof PermissionApiConfig === "undefined" ? Object : PermissionApiConfig,
+    typeof CacheConfig === "undefined" ? Object : CacheConfig,
+    typeof AbilityFactory === "undefined" ? Object : AbilityFactory
+  ])
+], PermissionService);
+// src/guards/authzpaas.guard.ts
+var import_common4 = require("@nestjs/common");
+var import_core = require("@nestjs/core");
+// src/utils/index.ts
+function getMockRolesFromCookie(request) {
+  const mockRoles = request.cookies?.[MOCK_ROLES_COOKIE_KEY];
+  return mockRoles ? mockRoles.split(",").map((s) => s.trim()).filter(Boolean) : void 0;
+}
+__name(getMockRolesFromCookie, "getMockRolesFromCookie");
+// src/guards/authzpaas.guard.ts
+function _ts_decorate3(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate3, "_ts_decorate");
+function _ts_metadata2(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+__name(_ts_metadata2, "_ts_metadata");
+function _ts_param2(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+}
+__name(_ts_param2, "_ts_param");
+var AuthZPaasGuard = class {
+  static {
+    __name(this, "AuthZPaasGuard");
+  }
+  reflector;
+  permissionService;
+  moduleOptions;
+  constructor(reflector, permissionService, moduleOptions) {
+    this.reflector = reflector;
+    this.permissionService = permissionService;
+    this.moduleOptions = moduleOptions;
+  }
+  async canActivate(context) {
+    const http = context.switchToHttp();
+    const request = http.getRequest();
+    request[ENABLE_MOCK_ROLE_KEY] = this.moduleOptions?.enableMockRole;
+    const userId = this.extractUserId(request);
+    const mockRoles = this.moduleOptions?.enableMockRole ? getMockRolesFromCookie(request) : void 0;
+    const checkRoleRequirement = this.reflector.getAllAndOverride(ROLES_KEY, [
+      context.getHandler(),
+      context.getClass()
+    ]);
+    if (checkRoleRequirement) {
+      await this.checkRoleRequirement(checkRoleRequirement, userId, mockRoles);
+    }
+    const checkPermissionParams = this.reflector.getAllAndOverride(PERMISSIONS_KEY, [
+      context.getHandler(),
+      context.getClass()
+    ]);
+    if (checkPermissionParams) {
+      await this.checkPermissionRequirement(checkPermissionParams, userId, mockRoles);
+    }
+    const envRequirement = this.reflector.getAllAndOverride(ENVIRONMENT_KEY, [
+      context.getHandler(),
+      context.getClass()
+    ]);
+    if (envRequirement) {
+      const envContext = this.extractEnvironmentContext(request);
+      await this.checkEnvironmentRequirement(envRequirement, envContext, request);
+    }
+    return true;
+  }
+  /**
+  * 从请求中提取用户ID
+  * 子类可以重写此方法以适应不同的认证策略
+  */
+  extractUserId(request) {
+    const mockUserId = request.cookies?.mockUserId;
+    if (mockUserId) return mockUserId;
+    return request.userContext?.userId;
+  }
+  /**
+  * 从请求中提取环境上下文
+  */
+  extractEnvironmentContext(request) {
+    const regionHeader = request.headers["x-region"];
+    const osHeader = request.headers["x-os"];
+    const uaHeader = request.headers["user-agent"];
+    const region = Array.isArray(regionHeader) ? regionHeader[0] : regionHeader;
+    const os = Array.isArray(osHeader) ? osHeader[0] : osHeader;
+    const userAgent = Array.isArray(uaHeader) ? uaHeader[0] : uaHeader;
+    return {
+      network: {
+        ip: request.ip || request.connection?.remoteAddress,
+        region
+      },
+      device: {
+        type: this.detectDeviceType(userAgent),
+        os,
+        browser: userAgent
+      },
+      custom: {
+        headers: request.headers,
+        query: request.query
+      }
+    };
+  }
+  /**
+  * 检测设备类型
+  */
+  detectDeviceType(userAgent) {
+    if (!userAgent) return "desktop";
+    const ua = userAgent.toLowerCase();
+    if (/(tablet|ipad|playbook|silk)|(android(?!.*mobile))/i.test(ua)) {
+      return "tablet";
+    }
+    if (/mobile|iphone|ipod|android|blackberry|opera mini|iemobile/i.test(ua)) {
+      return "mobile";
+    }
+    return "desktop";
+  }
+  /**
+  * 检查角色要求
+  */
+  async checkRoleRequirement(requirement, userId, mockRoles) {
+    return this.permissionService.checkRoles(requirement, userId, mockRoles);
+  }
+  /**
+  * 检查权限要求
+  */
+  async checkPermissionRequirement(params, userId, mockRoles) {
+    return this.permissionService.checkPermissions(params, userId, mockRoles);
+  }
+  /**
+  * 检查环境要求
+  */
+  async checkEnvironmentRequirement(requirement, envContext, request) {
+    if (requirement.network) {
+      await this.checkNetworkRequirement(requirement.network, envContext);
+    }
+    if (requirement.device) {
+      await this.checkDeviceRequirement(requirement.device, envContext);
+    }
+    if (requirement.custom) {
+      const result = await requirement.custom(request);
+      if (!result) {
+        throw PermissionDeniedException.environmentRequired("custom", "\u4E0D\u6EE1\u8DB3\u81EA\u5B9A\u4E49\u73AF\u5883\u8981\u6C42");
+      }
+    }
+  }
+  /**
+  * 检查网络要求
+  */
+  async checkNetworkRequirement(requirement, envContext) {
+    const ip = envContext.network?.ip;
+    if (requirement.allowedIPs && ip) {
+      const isAllowed = this.checkIPMatch(ip, requirement.allowedIPs);
+      if (!isAllowed) {
+        throw PermissionDeniedException.environmentRequired("network.allowedIPs", `IP \u5730\u5740\u4E0D\u5728\u5141\u8BB8\u5217\u8868\u4E2D: ${ip}`);
+      }
+    }
+    if (requirement.blockedIPs && ip) {
+      const isBlocked = this.checkIPMatch(ip, requirement.blockedIPs);
+      if (isBlocked) {
+        throw PermissionDeniedException.environmentRequired("network.blockedIPs", `IP \u5730\u5740\u88AB\u7981\u6B62\u8BBF\u95EE: ${ip}`);
+      }
+    }
+    if (requirement.allowedRegions && envContext.network?.region) {
+      const isAllowed = requirement.allowedRegions.includes(envContext.network.region);
+      if (!isAllowed) {
+        throw PermissionDeniedException.environmentRequired("network.allowedRegions", `\u5730\u533A\u4E0D\u5728\u5141\u8BB8\u5217\u8868\u4E2D: ${envContext.network.region}`);
+      }
+    }
+  }
+  /**
+  * 检查设备要求
+  */
+  async checkDeviceRequirement(requirement, envContext) {
+    if (requirement.types && envContext.device?.type) {
+      const isAllowed = requirement.types.includes(envContext.device.type);
+      if (!isAllowed) {
+        throw PermissionDeniedException.environmentRequired("device.types", `\u4E0D\u5141\u8BB8\u7684\u8BBE\u5907\u7C7B\u578B: ${envContext.device.type}`);
+      }
+    }
+  }
+  /**
+  * 检查 IP 是否匹配
+  * 简化版本，仅支持精确匹配
+  * 生产环境建议使用 ipaddr.js 等库
+  */
+  checkIPMatch(ip, patterns) {
+    return patterns.some((pattern) => {
+      if (pattern === ip) return true;
+      return false;
+    });
+  }
+};
+AuthZPaasGuard = _ts_decorate3([
+  (0, import_common4.Injectable)(),
+  _ts_param2(2, (0, import_common4.Inject)(AUTHZPAAS_MODULE_OPTIONS)),
+  _ts_metadata2("design:type", Function),
+  _ts_metadata2("design:paramtypes", [
+    typeof import_core.Reflector === "undefined" ? Object : import_core.Reflector,
+    typeof PermissionService === "undefined" ? Object : PermissionService,
+    typeof AuthZPaasModuleOptions === "undefined" ? Object : AuthZPaasModuleOptions
+  ])
+], AuthZPaasGuard);
+// src/middlewares/roles.middleware.ts
+var import_common5 = require("@nestjs/common");
+function _ts_decorate4(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate4, "_ts_decorate");
+function _ts_metadata3(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+__name(_ts_metadata3, "_ts_metadata");
+var RolesMiddleware = class _RolesMiddleware {
+  static {
+    __name(this, "RolesMiddleware");
+  }
+  permissionService;
+  logger = new import_common5.Logger(_RolesMiddleware.name);
+  constructor(permissionService) {
+    this.permissionService = permissionService;
+  }
+  async use(req, _res, next) {
+    try {
+      const userId = req.userContext?.userId;
+      const mockRoles = req[ENABLE_MOCK_ROLE_KEY] ? getMockRolesFromCookie(req) : void 0;
+      this.logger.debug(`Fetching roles for user: ${userId}`);
+      const permissionData = await this.permissionService.getUserPermissions(userId, mockRoles);
+      let roles;
+      if (permissionData) {
+        roles = permissionData.roles;
+      }
+      req.userContext.userRoles = roles;
+      req.userContext.userId = userId;
+      this.logger.debug(`User ${userId} roles loaded: [${roles?.join(", ")}]`);
+      next();
+    } catch (error) {
+      this.logger.warn(`Failed to fetch roles for request: ${error instanceof Error ? error.message : "Unknown error"}`);
+      next();
+    }
+  }
+};
+RolesMiddleware = _ts_decorate4([
+  (0, import_common5.Injectable)(),
+  _ts_metadata3("design:type", Function),
+  _ts_metadata3("design:paramtypes", [
+    typeof PermissionService === "undefined" ? Object : PermissionService
+  ])
+], RolesMiddleware);
+// src/filters/authzpaas-exception.filter.ts
+var import_common6 = require("@nestjs/common");
+function _ts_decorate5(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate5, "_ts_decorate");
+var AuthZPaasExceptionFilter = class {
+  static {
+    __name(this, "AuthZPaasExceptionFilter");
+  }
+  catch(exception, host) {
+    const ctx = host.switchToHttp();
+    const response = ctx.getResponse();
+    const status = exception.getStatus();
+    const exceptionResponse = exception.getResponse();
+    const errorResponse = {
+      statusCode: status,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      cause: exception.cause,
+      type: exception.type,
+      message: typeof exceptionResponse === "string" ? exceptionResponse : exceptionResponse.message || "\u6743\u9650\u4E0D\u8DB3"
+    };
+    if (exception.details.requiredRoles) {
+      errorResponse.requiredRoles = exception.details.requiredRoles;
+    }
+    if (exception.details.requiredPermissions) {
+      errorResponse.requiredPermissions = exception.details.requiredPermissions;
+    }
+    if (exception.details.environmentRequirement) {
+      errorResponse.environmentRequirement = exception.details.environmentRequirement;
+    }
+    if (exception.details.metadata) {
+      errorResponse.metadata = exception.details.metadata;
+    }
+    response.status(status).json(errorResponse);
+  }
+};
+AuthZPaasExceptionFilter = _ts_decorate5([
+  (0, import_common6.Catch)(PermissionDeniedException)
+], AuthZPaasExceptionFilter);
+// src/authzpaas.module.ts
+function _ts_decorate6(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate6, "_ts_decorate");
+var AuthZPaasModule = class _AuthZPaasModule {
+  static {
+    __name(this, "AuthZPaasModule");
+  }
+  static forRoot(options) {
+    const { permissionApi, cache = {
+      ttl: 300,
+      max: 1e3,
+      enabled: true
+    }, isGlobal = true } = options;
+    return {
+      module: _AuthZPaasModule,
+      global: isGlobal,
+      controllers: [],
+      providers: [
+        // 配置提供者
+        {
+          provide: AUTHZPAAS_MODULE_OPTIONS,
+          useValue: {
+            ...options,
+            loginPath: options.loginPath || DEFAULT_LOGIN_PATH
+          }
+        },
+        {
+          provide: PERMISSION_API_CONFIG_TOKEN,
+          useValue: permissionApi
+        },
+        {
+          provide: CACHE_CONFIG_TOKEN,
+          useValue: cache
+        },
+        // 核心服务
+        import_core2.Reflector,
+        // 服务提供者
+        PermissionService,
+        AbilityFactory,
+        AuthZPaasGuard,
+        RolesMiddleware,
+        // 守卫提供者
+        {
+          provide: import_core2.APP_GUARD,
+          useClass: AuthZPaasGuard
+        },
+        {
+          provide: import_core2.APP_FILTER,
+          useClass: AuthZPaasExceptionFilter
+        }
+      ],
+      exports: [
+        PermissionService,
+        AbilityFactory,
+        RolesMiddleware
+      ]
+    };
+  }
+  /**
+  * 异步注册 AuthZPaas 模块（根模块）
+  * 用于需要从配置服务获取设置的场景
+  *
+  * @param options 异步配置选项
+  * @returns 动态模块
+  *
+  * @example
+  * ```typescript
+  * @Module({
+  *   imports: [
+  *     AuthZPaasModule.forRootAsync({
+  *       imports: [ConfigModule],
+  *       inject: [ConfigService],
+  *       useFactory: async (configService: ConfigService) => ({
+  *         permissionApi: {
+  *           baseUrl: configService.get('PERMISSION_API_URL'),
+  *           apiToken: configService.get('PERMISSION_API_TOKEN'),
+  *         },
+  *         cache: {
+  *           ttl: configService.get('CACHE_TTL', 300),
+  *           max: configService.get('CACHE_MAX', 1000),
+  *         },
+  *       }),
+  *     }),
+  *   ],
+  * })
+  * export class AppModule {}
+  * ```
+  */
+  static forRootAsync(options) {
+    const { imports = [], inject = [], useFactory, isGlobal = true } = options;
+    return {
+      module: _AuthZPaasModule,
+      global: isGlobal,
+      imports,
+      controllers: [],
+      providers: [
+        // 异步配置提供者
+        {
+          provide: AUTHZPAAS_MODULE_OPTIONS,
+          useFactory,
+          inject
+        },
+        // 权限 API 配置提供者
+        {
+          provide: PERMISSION_API_CONFIG_TOKEN,
+          useFactory: /* @__PURE__ */ __name((moduleOptions) => {
+            return moduleOptions.permissionApi;
+          }, "useFactory"),
+          inject: [
+            AUTHZPAAS_MODULE_OPTIONS
+          ]
+        },
+        // 缓存配置提供者
+        {
+          provide: CACHE_CONFIG_TOKEN,
+          useFactory: /* @__PURE__ */ __name((moduleOptions) => {
+            return moduleOptions.cache || {
+              ttl: 300,
+              max: 1e3,
+              enabled: true
+            };
+          }, "useFactory"),
+          inject: [
+            AUTHZPAAS_MODULE_OPTIONS
+          ]
+        },
+        // 核心服务
+        import_core2.Reflector,
+        // 服务提供者
+        PermissionService,
+        AbilityFactory,
+        AuthZPaasGuard,
+        RolesMiddleware,
+        // 守卫提供者
+        {
+          provide: import_core2.APP_GUARD,
+          useClass: AuthZPaasGuard
+        },
+        {
+          provide: import_core2.APP_FILTER,
+          useClass: AuthZPaasExceptionFilter
+        }
+      ],
+      exports: [
+        PermissionService,
+        AbilityFactory,
+        RolesMiddleware
+      ]
+    };
+  }
+};
+AuthZPaasModule = _ts_decorate6([
+  (0, import_common7.Module)({})
+], AuthZPaasModule);
+// src/decorators/can-role.decorator.ts
+var import_common8 = require("@nestjs/common");
+var CanRole = /* @__PURE__ */ __name((role, and = false) => {
+  let requirement;
+  if (!Array.isArray(role) && typeof role === "string") {
+    requirement = {
+      roles: [
+        role
+      ],
+      and
+    };
+  } else if (Array.isArray(role) && role.some((role2) => typeof role2 === "string")) {
+    requirement = {
+      roles: role,
+      and
+    };
+  } else {
+    throw new Error("Invalid CanRole parameter: " + JSON.stringify(role));
+  }
+  return (0, import_common8.SetMetadata)(ROLES_KEY, requirement);
+}, "CanRole");
+// src/decorators/can-permission.decorator.ts
+var import_common9 = require("@nestjs/common");
+var CanPermission = /* @__PURE__ */ __name((permission, or) => {
+  let requirements;
+  if (Array.isArray(permission)) {
+    requirements = permission;
+  } else if (typeof permission === "object" && "subject" in permission) {
+    requirements = [
+      permission
+    ];
+  } else {
+    throw new Error("Invalid CanPermission parameter: " + JSON.stringify(permission));
+  }
+  return (0, import_common9.SetMetadata)(PERMISSIONS_KEY, {
+    requirements,
+    or: or ?? false
+  });
+}, "CanPermission");
+// src/decorators/can-env.decorator.ts
+var import_common10 = require("@nestjs/common");
+var CanEnv = /* @__PURE__ */ __name((requirement) => {
+  return (0, import_common10.SetMetadata)(ENVIRONMENT_KEY, requirement);
+}, "CanEnv");
+// src/decorators/user-id.decorator.ts
+var import_common11 = require("@nestjs/common");
+var UserId = (0, import_common11.createParamDecorator)((_data, ctx) => {
+  const request = ctx.switchToHttp().getRequest();
+  return request.userContext?.userId;
+});
+// src/decorators/mock-roles.decorator.ts
+var import_common12 = require("@nestjs/common");
+var MockRoles = (0, import_common12.createParamDecorator)((_data, ctx) => {
+  const request = ctx.switchToHttp().getRequest();
+  const mockRoles = getMockRolesFromCookie(request);
+  return request[ENABLE_MOCK_ROLE_KEY] ? mockRoles : void 0;
+});
+// src/controllers/permission.controller.ts
+var import_common13 = require("@nestjs/common");
+var import_swagger = require("@nestjs/swagger");
+function _ts_decorate7(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate7, "_ts_decorate");
+function _ts_metadata4(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+__name(_ts_metadata4, "_ts_metadata");
+function _ts_param3(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+}
+__name(_ts_param3, "_ts_param");
+var PermissionDto = class {
+  static {
+    __name(this, "PermissionDto");
+  }
+  sub;
+  actions;
+  id;
+  name;
+  conditions;
+};
+_ts_decorate7([
+  (0, import_swagger.ApiProperty)({
+    description: "\u8D44\u6E90\u7C7B\u578B",
+    example: "task"
+  }),
+  _ts_metadata4("design:type", String)
+], PermissionDto.prototype, "sub", void 0);
+_ts_decorate7([
+  (0, import_swagger.ApiProperty)({
+    description: "\u64CD\u4F5C\u7C7B\u578B\u5217\u8868",
+    example: [
+      "create",
+      "read",
+      "update",
+      "delete"
+    ],
+    type: [
+      String
+    ]
+  }),
+  _ts_metadata4("design:type", Array)
+], PermissionDto.prototype, "actions", void 0);
+_ts_decorate7([
+  (0, import_swagger.ApiProperty)({
+    description: "\u6743\u9650ID",
+    required: false
+  }),
+  _ts_metadata4("design:type", String)
+], PermissionDto.prototype, "id", void 0);
+_ts_decorate7([
+  (0, import_swagger.ApiProperty)({
+    description: "\u6743\u9650\u540D\u79F0",
+    required: false
+  }),
+  _ts_metadata4("design:type", String)
+], PermissionDto.prototype, "name", void 0);
+_ts_decorate7([
+  (0, import_swagger.ApiProperty)({
+    description: "\u6743\u9650\u6761\u4EF6",
+    required: false,
+    type: "object"
+  }),
+  _ts_metadata4("design:type", typeof Record === "undefined" ? Object : Record)
+], PermissionDto.prototype, "conditions", void 0);
+var PermissionResponse = class {
+  static {
+    __name(this, "PermissionResponse");
+  }
+  userId;
+  roles;
+  permissions;
+  fetchedAt;
+};
+_ts_decorate7([
+  (0, import_swagger.ApiProperty)({
+    description: "\u7528\u6237ID",
+    example: "user123",
+    required: false
+  }),
+  _ts_metadata4("design:type", String)
+], PermissionResponse.prototype, "userId", void 0);
+_ts_decorate7([
+  (0, import_swagger.ApiProperty)({
+    description: "\u7528\u6237\u89D2\u8272\u5217\u8868",
+    example: [
+      "admin",
+      "user"
+    ],
+    type: [
+      String
+    ]
+  }),
+  _ts_metadata4("design:type", Array)
+], PermissionResponse.prototype, "roles", void 0);
+_ts_decorate7([
+  (0, import_swagger.ApiProperty)({
+    description: "\u7528\u6237\u6743\u9650\u70B9\u4F4D\u5217\u8868",
+    type: [
+      PermissionDto
+    ]
+  }),
+  _ts_metadata4("design:type", Array)
+], PermissionResponse.prototype, "permissions", void 0);
+_ts_decorate7([
+  (0, import_swagger.ApiProperty)({
+    description: "\u6570\u636E\u83B7\u53D6\u65F6\u95F4",
+    example: "2025-10-14T00:00:00.000Z"
+  }),
+  _ts_metadata4("design:type", typeof Date === "undefined" ? Object : Date)
+], PermissionResponse.prototype, "fetchedAt", void 0);
+var PermissionController = class {
+  static {
+    __name(this, "PermissionController");
+  }
+  permissionService;
+  constructor(permissionService) {
+    this.permissionService = permissionService;
+  }
+  /**
+  * 获取当前用户的权限数据
+  *
+  * @param userId 当前用户ID（从请求上下文中获取）
+  * @returns 用户权限数据
+  *
+  * @example
+  * GET /api/permissions
+  *
+  * Response:
+  * {
+  *   "userId": "user123",
+  *   "roles": ["admin", "user"],
+  *   "permissions": [
+  *     { "sub": "task", "actions": ["create", "read", "update", "delete"] }
+  *   ],
+  *   "fetchedAt": "2025-10-14T00:00:00.000Z"
+  * }
+  */
+  async getUserPermissions(userId, mockRoles) {
+    const permissionData = await this.permissionService.getUserPermissions(userId, mockRoles);
+    return {
+      userId: permissionData?.userId,
+      roles: permissionData?.roles || [],
+      permissions: permissionData?.permissions || [],
+      fetchedAt: permissionData?.fetchedAt || /* @__PURE__ */ new Date()
+    };
+  }
+  /**
+  * 开启角色模拟：将传入的 userId 写入 cookie，服务端优先使用该值请求权限
+  */
+  async enableMock(res, roles) {
+    if (!Array.isArray(roles) || roles.length === 0) {
+      return {
+        success: false,
+        message: "roles \u4E0D\u80FD\u4E3A\u7A7A"
+      };
+    }
+    const val = roles.join(",");
+    res.cookie(MOCK_ROLES_COOKIE_KEY, val, {
+      httpOnly: false,
+      sameSite: "lax",
+      maxAge: 24 * 60 * 60 * 1e3,
+      path: "/"
+    });
+    return {
+      success: true,
+      roles
+    };
+  }
+  /**
+  * 关闭角色模拟：清除 cookie
+  */
+  async disableMock(res) {
+    res.clearCookie(MOCK_ROLES_COOKIE_KEY, {
+      path: "/"
+    });
+    return {
+      success: true
+    };
+  }
+  async getMockRoles(mockRoles, userId) {
+    const permissionData = await this.permissionService.getUserPermissions(userId, mockRoles);
+    return {
+      mocking: !!mockRoles,
+      roles: permissionData?.roles || [],
+      permissions: permissionData?.permissions || [],
+      fetchedAt: permissionData?.fetchedAt || /* @__PURE__ */ new Date(),
+      userId
+    };
+  }
+};
+_ts_decorate7([
+  (0, import_common13.Get)(),
+  (0, import_swagger.ApiOperation)({
+    summary: "\u83B7\u53D6\u5F53\u524D\u7528\u6237\u7684\u6743\u9650\u6570\u636E"
+  }),
+  (0, import_swagger.ApiResponse)({
+    status: 200,
+    description: "\u6210\u529F\u8FD4\u56DE\u7528\u6237\u6743\u9650\u6570\u636E",
+    type: PermissionResponse
+  }),
+  (0, import_swagger.ApiResponse)({
+    status: 400,
+    description: "\u7528\u6237\u672A\u8BA4\u8BC1"
+  }),
+  _ts_param3(0, UserId()),
+  _ts_param3(1, MockRoles()),
+  _ts_metadata4("design:type", Function),
+  _ts_metadata4("design:paramtypes", [
+    String,
+    Array
+  ]),
+  _ts_metadata4("design:returntype", Promise)
+], PermissionController.prototype, "getUserPermissions", null);
+_ts_decorate7([
+  (0, import_common13.Post)("mock/enable"),
+  (0, import_swagger.ApiOperation)({
+    summary: "\u5F00\u542F\u89D2\u8272\u6A21\u62DF\uFF08\u5199\u5165 cookie: mockRoles\uFF09"
+  }),
+  (0, import_swagger.ApiResponse)({
+    status: 200,
+    description: "\u6A21\u62DF\u5DF2\u5F00\u542F"
+  }),
+  _ts_param3(0, (0, import_common13.Res)({
+    passthrough: true
+  })),
+  _ts_param3(1, (0, import_common13.Body)("roles")),
+  _ts_metadata4("design:type", Function),
+  _ts_metadata4("design:paramtypes", [
+    typeof Response === "undefined" ? Object : Response,
+    Array
+  ]),
+  _ts_metadata4("design:returntype", Promise)
+], PermissionController.prototype, "enableMock", null);
+_ts_decorate7([
+  (0, import_common13.Post)("mock/disable"),
+  (0, import_swagger.ApiOperation)({
+    summary: "\u5173\u95ED\u89D2\u8272\u6A21\u62DF\uFF08\u6E05\u9664 cookie: mockRoles\uFF09"
+  }),
+  (0, import_swagger.ApiResponse)({
+    status: 200,
+    description: "\u6A21\u62DF\u5DF2\u5173\u95ED"
+  }),
+  _ts_param3(0, (0, import_common13.Res)({
+    passthrough: true
+  })),
+  _ts_metadata4("design:type", Function),
+  _ts_metadata4("design:paramtypes", [
+    typeof Response === "undefined" ? Object : Response
+  ]),
+  _ts_metadata4("design:returntype", Promise)
+], PermissionController.prototype, "disableMock", null);
+_ts_decorate7([
+  (0, import_common13.Get)("mock/status"),
+  (0, import_swagger.ApiOperation)({
+    summary: "\u83B7\u53D6\u5F53\u524D\u7528\u6237\u7684\u89D2\u8272\u6A21\u62DF\u72B6\u6001"
+  }),
+  (0, import_swagger.ApiResponse)({
+    status: 200,
+    description: "\u6210\u529F\u8FD4\u56DE\u89D2\u8272\u6A21\u62DF\u6570\u636E"
+  }),
+  _ts_param3(0, MockRoles()),
+  _ts_param3(1, UserId()),
+  _ts_metadata4("design:type", Function),
+  _ts_metadata4("design:paramtypes", [
+    Object,
+    String
+  ]),
+  _ts_metadata4("design:returntype", Promise)
+], PermissionController.prototype, "getMockRoles", null);
+PermissionController = _ts_decorate7([
+  (0, import_swagger.ApiTags)("\u6743\u9650\u7BA1\u7406"),
+  (0, import_common13.Controller)("api/permissions"),
+  _ts_metadata4("design:type", Function),
+  _ts_metadata4("design:paramtypes", [
+    typeof PermissionService === "undefined" ? Object : PermissionService
+  ])
+], PermissionController);
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ANONYMOUS_USER_ID,
+  AUTHZPAAS_MODULE_OPTIONS,
+  AbilityFactory,
+  AuthZPaasExceptionFilter,
+  AuthZPaasGuard,
+  AuthZPaasModule,
+  CACHE_CONFIG_TOKEN,
+  CanEnv,
+  CanPermission,
+  CanRole,
+  DEFAULT_LOGIN_PATH,
+  ENABLE_MOCK_ROLE_KEY,
+  ENVIRONMENT_KEY,
+  MOCK_ROLES_COOKIE_KEY,
+  MockRoles,
+  NEED_LOGIN_KEY,
+  PERMISSIONS_KEY,
+  PERMISSION_API_CONFIG_TOKEN,
+  PermissionController,
+  PermissionDeniedException,
+  PermissionDeniedType,
+  PermissionDto,
+  PermissionResponse,
+  PermissionService,
+  ROLES_KEY,
+  ROLE_SUBJECT,
+  RolesMiddleware,
+  UserId
+});
+//# sourceMappingURL=index.cjs.map