@lark-apaas/nestjs-authzpaas 0.1.0-alpha.0

package/dist/index.js

@@ -0,0 +1,1420 @@
+var __defProp = Object.defineProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+
+// src/authzpaas.module.ts
+import { Module } from "@nestjs/common";
+import { APP_FILTER, APP_GUARD, Reflector as Reflector2 } from "@nestjs/core";
+
+// src/const.ts
+var ANONYMOUS_USER_ID = "anonymous_user_id";
+var PERMISSION_API_CONFIG_TOKEN = Symbol("PERMISSION_API_CONFIG");
+var CACHE_CONFIG_TOKEN = Symbol("CACHE_CONFIG");
+var AUTHZPAAS_MODULE_OPTIONS = Symbol("AUTHZPAAS_MODULE_OPTIONS");
+var ROLES_KEY = "authzpaas:roles";
+var PERMISSIONS_KEY = "authzpaas:permissions";
+var ENVIRONMENT_KEY = "authzpaas:environment";
+var NEED_LOGIN_KEY = "authzpaas:needLogin";
+var DEFAULT_LOGIN_PATH = "/login";
+var MOCK_ROLES_COOKIE_KEY = "mockRoles";
+var ENABLE_MOCK_ROLE_KEY = "__authzpaas_enableMockRole";
+
+// src/services/permission.service.ts
+import { Injectable as Injectable2, Inject, Logger, HttpStatus } from "@nestjs/common";
+
+// src/utils/memory-cache.ts
+var MemoryCache = class {
+  static {
+    __name(this, "MemoryCache");
+  }
+  cache;
+  accessOrder;
+  options;
+  hits = 0;
+  misses = 0;
+  constructor(options) {
+    this.cache = /* @__PURE__ */ new Map();
+    this.accessOrder = [];
+    this.options = options;
+  }
+  /**
+  * 获取缓存值
+  */
+  get(key) {
+    if (!this.options.enabled) {
+      return void 0;
+    }
+    const item = this.cache.get(key);
+    if (!item) {
+      this.misses++;
+      return void 0;
+    }
+    if (Date.now() > item.expireAt) {
+      this.cache.delete(key);
+      this.removeFromAccessOrder(key);
+      this.misses++;
+      return void 0;
+    }
+    this.updateAccessOrder(key);
+    this.hits++;
+    return item.value;
+  }
+  /**
+  * 设置缓存值
+  */
+  set(key, value) {
+    if (!this.options.enabled) {
+      return;
+    }
+    if (this.cache.size >= this.options.max && !this.cache.has(key)) {
+      this.evictLRU();
+    }
+    const expireAt = Date.now() + this.options.ttl * 1e3;
+    this.cache.set(key, {
+      value,
+      expireAt
+    });
+    this.updateAccessOrder(key);
+  }
+  /**
+  * 删除缓存
+  */
+  delete(key) {
+    this.cache.delete(key);
+    this.removeFromAccessOrder(key);
+  }
+  /**
+  * 清空所有缓存
+  */
+  clear() {
+    this.cache.clear();
+    this.accessOrder = [];
+    this.hits = 0;
+    this.misses = 0;
+  }
+  /**
+  * 获取缓存统计信息
+  */
+  getStats() {
+    return {
+      size: this.cache.size,
+      hits: this.hits,
+      misses: this.misses,
+      hitRate: this.hits / (this.hits + this.misses) || 0,
+      enabled: this.options.enabled
+    };
+  }
+  /**
+  * 更新访问顺序
+  */
+  updateAccessOrder(key) {
+    this.removeFromAccessOrder(key);
+    this.accessOrder.push(key);
+  }
+  /**
+  * 从访问顺序中移除
+  */
+  removeFromAccessOrder(key) {
+    const index = this.accessOrder.indexOf(key);
+    if (index > -1) {
+      this.accessOrder.splice(index, 1);
+    }
+  }
+  /**
+  * 淘汰最少使用的项
+  */
+  evictLRU() {
+    if (this.accessOrder.length > 0) {
+      const oldestKey = this.accessOrder[0];
+      this.delete(oldestKey);
+    }
+  }
+};
+
+// src/casl/ability.factory.ts
+import { Injectable } from "@nestjs/common";
+import { AbilityBuilder, PureAbility } from "@casl/ability";
+function _ts_decorate(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate, "_ts_decorate");
+var ROLE_SUBJECT = "@role";
+var AbilityFactory = class {
+  static {
+    __name(this, "AbilityFactory");
+  }
+  /**
+  * 为用户创建 Ability
+  */
+  createForUser(permissionData) {
+    const { can, build } = new AbilityBuilder(PureAbility);
+    for (const permission of permissionData.permissions) {
+      const { sub, actions } = permission;
+      for (const action of actions) {
+        can(action, sub);
+      }
+    }
+    for (const role of permissionData.roles) {
+      can(role, ROLE_SUBJECT);
+    }
+    return build();
+  }
+};
+AbilityFactory = _ts_decorate([
+  Injectable()
+], AbilityFactory);
+
+// src/exceptions/permission-denied.exception.ts
+import { HttpException } from "@nestjs/common";
+var PermissionDeniedType = /* @__PURE__ */ (function(PermissionDeniedType2) {
+  PermissionDeniedType2["UNAUTHENTICATED"] = "UNAUTHENTICATED";
+  PermissionDeniedType2["ROLE_REQUIRED"] = "ROLE_REQUIRED";
+  PermissionDeniedType2["PERMISSION_REQUIRED"] = "PERMISSION_REQUIRED";
+  PermissionDeniedType2["ENVIRONMENT_REQUIRED"] = "ENVIRONMENT_REQUIRED";
+  PermissionDeniedType2["PERMISSION_CONFIG_QUERY_FAILED"] = "PERMISSION_CONFIG_QUERY_FAILED";
+  return PermissionDeniedType2;
+})({});
+var PermissionDeniedException = class _PermissionDeniedException extends HttpException {
+  static {
+    __name(this, "PermissionDeniedException");
+  }
+  type;
+  details;
+  constructor(details, httpStatusCode = 403) {
+    super({
+      statusCode: httpStatusCode,
+      cause: details.cause,
+      type: details.type,
+      message: details.message,
+      ...details.requiredRoles && {
+        requiredRoles: details.requiredRoles
+      },
+      ...details.requiredPermissions && {
+        requiredPermissions: details.requiredPermissions
+      },
+      ...details.environmentRequirement && {
+        environmentRequirement: details.environmentRequirement
+      },
+      ...details.metadata && {
+        metadata: details.metadata
+      }
+    }, httpStatusCode);
+    this.type = details.type;
+    this.details = details;
+    this.name = "PermissionDeniedException";
+  }
+  /**
+  * 创建用户未认证异常
+  */
+  static unauthenticated(message = "\u7528\u6237\u672A\u8BA4\u8BC1") {
+    return new _PermissionDeniedException({
+      type: "UNAUTHENTICATED",
+      message
+    });
+  }
+  /**
+  * 创建角色不足异常
+  */
+  static roleRequired(requiredRoles, and = false) {
+    const message = and ? `\u9700\u8981\u6240\u6709\u89D2\u8272: ${requiredRoles.join(", ")}` : `\u9700\u8981\u4EE5\u4E0B\u4EFB\u4E00\u89D2\u8272: ${requiredRoles.join(", ")}`;
+    return new _PermissionDeniedException({
+      type: "ROLE_REQUIRED",
+      message,
+      requiredRoles,
+      metadata: {
+        and
+      }
+    });
+  }
+  /**
+  * 创建权限不足异常
+  */
+  static permissionRequired(requiredPermissions, or = false, customMessage) {
+    let message;
+    if (customMessage) {
+      message = customMessage;
+    } else if (requiredPermissions.length === 1) {
+      const perm = requiredPermissions[0];
+      message = or ? `\u7F3A\u5C11\u6743\u9650: \u9700\u8981\u5BF9 ${perm.subject} \u6267\u884C\u4EE5\u4E0B\u4EFB\u4E00\u64CD\u4F5C [${perm.actions.join(", ")}]` : `\u7F3A\u5C11\u6743\u9650: \u9700\u8981\u5BF9 ${perm.subject} \u6267\u884C\u6240\u6709\u64CD\u4F5C [${perm.actions.join(", ")}]`;
+    } else {
+      message = or ? `\u7F3A\u5C11\u6743\u9650: \u9700\u8981\u6EE1\u8DB3\u4EE5\u4E0B\u4EFB\u4E00\u6743\u9650\u8981\u6C42: ${requiredPermissions.map(({ actions, subject }) => `\u5BF9 ${subject} \u6267\u884C\u4EE5\u4E0B\u4EFB\u4E00\u64CD\u4F5C [${actions.join(", ")}]`).join(", ")}` : `\u7F3A\u5C11\u6743\u9650: \u9700\u8981\u6EE1\u8DB3\u4EE5\u4E0B\u6240\u6709\u6743\u9650\u8981\u6C42: ${requiredPermissions.map(({ actions, subject }) => `\u5BF9 ${subject} \u6267\u884C\u6240\u6709\u64CD\u4F5C [${actions.join(", ")}]`).join(", ")}`;
+    }
+    return new _PermissionDeniedException({
+      type: "PERMISSION_REQUIRED",
+      message,
+      requiredPermissions,
+      metadata: {
+        or
+      }
+    });
+  }
+  /**
+  * 创建环境不满足异常
+  */
+  static environmentRequired(requirement, message) {
+    return new _PermissionDeniedException({
+      type: "ENVIRONMENT_REQUIRED",
+      message: message || "\u4E0D\u6EE1\u8DB3\u73AF\u5883\u8981\u6C42",
+      environmentRequirement: requirement
+    });
+  }
+};
+
+// src/services/permission.service.ts
+function _ts_decorate2(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate2, "_ts_decorate");
+function _ts_metadata(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+__name(_ts_metadata, "_ts_metadata");
+function _ts_param(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+}
+__name(_ts_param, "_ts_param");
+var PermissionService = class _PermissionService {
+  static {
+    __name(this, "PermissionService");
+  }
+  apiConfig;
+  abilityFactory;
+  logger = new Logger(_PermissionService.name);
+  // 统一的缓存，同时缓存权限数据和 Ability 实例
+  cache;
+  // 缓存正在进行中的 Promise，避免重复请求
+  pendingRequests = /* @__PURE__ */ new Map();
+  constructor(apiConfig, cacheConfig, abilityFactory) {
+    this.apiConfig = apiConfig;
+    this.abilityFactory = abilityFactory;
+    this.cache = new MemoryCache({
+      ttl: cacheConfig.ttl || 300,
+      max: cacheConfig.max || 1e3,
+      enabled: cacheConfig.enabled !== false
+    });
+    this.logger.log(`PermissionService initialized with API: ${apiConfig?.baseUrl}`);
+  }
+  /**
+  * 构建权限/Ability 缓存 key
+  * - 若存在模拟角色：按角色集合排序拼接 + 用户维度
+  * - 否则按 userId/匿名用户
+  */
+  buildCacheKey(userId, mockRoles) {
+    if (mockRoles && mockRoles.length > 0) {
+      const sortedRoles = [
+        ...mockRoles
+      ].sort();
+      return `@roles:${sortedRoles.join("|")}#u:${userId || ANONYMOUS_USER_ID}`;
+    }
+    return userId || ANONYMOUS_USER_ID;
+  }
+  /**
+  * 获取用户权限数据（带缓存）
+  */
+  async getUserPermissions(userId, mockRoles) {
+    if (!this.apiConfig?.endpoint) {
+      this.logger.warn("Permission API endpoint is not configured, returning null");
+      return null;
+    }
+    const key = this.buildCacheKey(userId, mockRoles);
+    const cached = this.cache.get(key);
+    if (cached) {
+      this.logger.debug(`Cache hit for user ${key}`);
+      return cached.permissionData;
+    }
+    const pendingRequest = this.pendingRequests.get(key);
+    if (pendingRequest) {
+      this.logger.debug(`Reusing pending request for user ${key}`);
+      return pendingRequest;
+    }
+    this.logger.debug(`Cache miss for key ${key}, fetching from API`);
+    const requestPromise = (async () => {
+      try {
+        const permissionData = mockRoles && mockRoles.length > 0 ? await this.getPermissionsByMockRoles(userId, mockRoles) : await this.fetchFromApi(userId);
+        const dataWithTimestamp = {
+          ...permissionData,
+          fetchedAt: /* @__PURE__ */ new Date()
+        };
+        const ability = this.abilityFactory.createForUser(dataWithTimestamp);
+        this.cache.set(key, {
+          permissionData: dataWithTimestamp,
+          ability
+        });
+        return dataWithTimestamp;
+      } catch (error) {
+        this.logger.error(`Failed to fetch permissions for key ${key}:`, error);
+        throw error;
+      } finally {
+        this.pendingRequests.delete(key);
+      }
+    })();
+    this.pendingRequests.set(key, requestPromise);
+    return requestPromise;
+  }
+  /**
+  * 从 API 获取权限数据
+  * 内置实现，用户无需配置
+  */
+  async fetchFromApi(userId) {
+    const { baseUrl, apiToken, endpoint, headers = {}, timeout = 5e3 } = this.apiConfig || {};
+    const url = `${baseUrl}${endpoint}${userId ? `?userId=${userId}` : ""}`;
+    const requestHeaders = {
+      "Content-Type": "application/json",
+      ...headers
+    };
+    if (apiToken) {
+      requestHeaders["Authorization"] = `Bearer ${apiToken}`;
+    }
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(url, {
+        method: "GET",
+        headers: requestHeaders,
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        const error = new Error(`Permission API returned ${response.status}: ${response.statusText}`);
+        throw new PermissionDeniedException({
+          cause: error,
+          type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
+          message: error.message
+        }, HttpStatus.INTERNAL_SERVER_ERROR);
+      }
+      const data = await response.json();
+      const roles = (data.roles || []).map((role) => typeof role === "string" ? role : role.name);
+      return {
+        userId,
+        roles,
+        permissions: data.permissions || [],
+        fetchedAt: /* @__PURE__ */ new Date()
+      };
+    } catch (error) {
+      clearTimeout(timeoutId);
+      let err = error;
+      if (error.name === "AbortError") {
+        err = new Error(`Permission API request timeout after ${timeout}ms`);
+      }
+      throw new PermissionDeniedException({
+        cause: err,
+        type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
+        message: err.message
+      }, HttpStatus.INTERNAL_SERVER_ERROR);
+    }
+  }
+  /**
+  * 基于模拟角色获取权限数据（不使用缓存）
+  * 该方法用于前端/守卫在检测到 mockRoles 时直接按角色获取权限
+  */
+  async getPermissionsByMockRoles(userId, mockRoles) {
+    const { baseUrl, timeout = 5e3 } = this.apiConfig || {};
+    const rolesParam = encodeURIComponent(mockRoles.join(","));
+    const userParam = userId ? `&userId=${encodeURIComponent(userId)}` : "";
+    const url = `${baseUrl}/mock-api/permissions-by-roles?roles=${rolesParam}${userParam}`;
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), timeout);
+    try {
+      const response = await fetch(url, {
+        method: "GET",
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+      if (!response.ok) {
+        throw new Error(`Permission API (mock by roles) returned ${response.status}: ${response.statusText}`);
+      }
+      const data = await response.json();
+      return {
+        userId,
+        roles: data.roles || [],
+        permissions: data.permissions || [],
+        fetchedAt: /* @__PURE__ */ new Date()
+      };
+    } catch (error) {
+      clearTimeout(timeoutId);
+      throw new PermissionDeniedException({
+        cause: error,
+        type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
+        message: error.message
+      }, HttpStatus.INTERNAL_SERVER_ERROR);
+    }
+  }
+  /**
+  * 获取用户的 Ability 实例（带缓存）
+  * @param userId 用户ID
+  * @returns CASL Ability 实例
+  */
+  async getUserAbility(userId, mockRoles) {
+    const key = this.buildCacheKey(userId, mockRoles);
+    const cached = this.cache.get(key);
+    if (cached) {
+      return cached.ability;
+    }
+    await this.getUserPermissions(userId, mockRoles);
+    const newCached = this.cache.get(key);
+    return newCached.ability;
+  }
+  /**
+  * 清除用户权限缓存
+  */
+  clearUserCache(userId) {
+    const key = userId || ANONYMOUS_USER_ID;
+    this.cache.delete(key);
+    this.pendingRequests.delete(key);
+    this.logger.debug(`Cache cleared for user ${key}`);
+  }
+  /**
+  * 清除所有缓存
+  */
+  clearAllCache() {
+    this.cache.clear();
+    this.pendingRequests.clear();
+    this.logger.log("All permission cache cleared");
+  }
+  /**
+  * 获取缓存统计信息
+  */
+  getCacheStats() {
+    return this.cache.getStats();
+  }
+  /**
+  * 检查角色要求
+  * 使用 CASL Ability 统一鉴权方式
+  * @param requirement 角色要求
+  * @param userId 用户ID,匿名用户时为空
+  * @returns 用户权限数据
+  * @throws PermissionDeniedException 当角色不满足时
+  */
+  async checkRoles(requirement, userId, mockRoles) {
+    const permissionData = await this.getUserPermissions(userId, mockRoles);
+    if (!permissionData) {
+      throw new PermissionDeniedException({
+        cause: new Error("Permission data fetch api is not configured"),
+        type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
+        message: "Permission data fetch api is not configured"
+      }, HttpStatus.BAD_REQUEST);
+    }
+    const ability = await this.getUserAbility(userId, mockRoles);
+    const { roles, and } = requirement;
+    const checkResults = roles.map((role) => ability.can(role, ROLE_SUBJECT));
+    const hasRole = and ? checkResults.every((result) => result) : checkResults.some((result) => result);
+    if (!hasRole) {
+      const userRoles = permissionData.roles;
+      this.logger.warn(`\u89D2\u8272\u68C0\u67E5\u5931\u8D25: \u7528\u6237 ${userId}, \u7528\u6237\u89D2\u8272 [${userRoles.join(", ")}], \u9700\u8981 [${roles.join(", ")}]`);
+      throw PermissionDeniedException.roleRequired(roles, and);
+    }
+    return permissionData;
+  }
+  /**
+  * 检查权限要求
+  * @param requirements 权限要求列表
+  * @param userId 用户ID
+  * @returns 用户权限数据
+  * @throws PermissionDeniedException 当权限不满足时
+  */
+  async checkPermissions(params, userId, mockRoles) {
+    const permissionData = await this.getUserPermissions(userId, mockRoles);
+    if (!permissionData) {
+      throw new PermissionDeniedException({
+        cause: new Error("Permission data fetch api is not configured"),
+        type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
+        message: "Permission data fetch api is not configured"
+      }, HttpStatus.BAD_REQUEST);
+    }
+    const { requirements, or } = params;
+    if (!requirements || requirements.length === 0) {
+      return permissionData;
+    }
+    const ability = await this.getUserAbility(userId, mockRoles);
+    const failedRequirements = [];
+    for (const requirement of requirements) {
+      const { actions, subject, or: or2 = false } = requirement;
+      const checkResults = actions.map((action) => ability.can(action, subject));
+      const hasPermission = or2 ? checkResults.some((result) => result) : checkResults.every((result) => result);
+      if (!hasPermission) {
+        failedRequirements.push({
+          actions,
+          subject: String(subject),
+          or: or2
+        });
+      }
+    }
+    if (failedRequirements.length > 0) {
+      if (or && failedRequirements.length === requirements.length) {
+        throw PermissionDeniedException.permissionRequired(failedRequirements.map(({ actions, subject }) => ({
+          actions,
+          subject: String(subject)
+        })), true);
+      } else if (!or) {
+        throw PermissionDeniedException.permissionRequired(failedRequirements.map(({ actions, subject }) => ({
+          actions,
+          subject: String(subject)
+        })), false);
+      }
+    }
+    return permissionData;
+  }
+  async getAbility(userId) {
+    return this.getUserAbility(userId);
+  }
+};
+PermissionService = _ts_decorate2([
+  Injectable2(),
+  _ts_param(0, Inject(PERMISSION_API_CONFIG_TOKEN)),
+  _ts_param(1, Inject(CACHE_CONFIG_TOKEN)),
+  _ts_metadata("design:type", Function),
+  _ts_metadata("design:paramtypes", [
+    typeof PermissionApiConfig === "undefined" ? Object : PermissionApiConfig,
+    typeof CacheConfig === "undefined" ? Object : CacheConfig,
+    typeof AbilityFactory === "undefined" ? Object : AbilityFactory
+  ])
+], PermissionService);
+
+// src/guards/authzpaas.guard.ts
+import { Injectable as Injectable3, Inject as Inject2 } from "@nestjs/common";
+import { Reflector } from "@nestjs/core";
+
+// src/utils/index.ts
+function getMockRolesFromCookie(request) {
+  const mockRoles = request.cookies?.[MOCK_ROLES_COOKIE_KEY];
+  return mockRoles ? mockRoles.split(",").map((s) => s.trim()).filter(Boolean) : void 0;
+}
+__name(getMockRolesFromCookie, "getMockRolesFromCookie");
+
+// src/guards/authzpaas.guard.ts
+function _ts_decorate3(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate3, "_ts_decorate");
+function _ts_metadata2(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+__name(_ts_metadata2, "_ts_metadata");
+function _ts_param2(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+}
+__name(_ts_param2, "_ts_param");
+var AuthZPaasGuard = class {
+  static {
+    __name(this, "AuthZPaasGuard");
+  }
+  reflector;
+  permissionService;
+  moduleOptions;
+  constructor(reflector, permissionService, moduleOptions) {
+    this.reflector = reflector;
+    this.permissionService = permissionService;
+    this.moduleOptions = moduleOptions;
+  }
+  async canActivate(context) {
+    const http = context.switchToHttp();
+    const request = http.getRequest();
+    request[ENABLE_MOCK_ROLE_KEY] = this.moduleOptions?.enableMockRole;
+    const userId = this.extractUserId(request);
+    const mockRoles = this.moduleOptions?.enableMockRole ? getMockRolesFromCookie(request) : void 0;
+    const checkRoleRequirement = this.reflector.getAllAndOverride(ROLES_KEY, [
+      context.getHandler(),
+      context.getClass()
+    ]);
+    if (checkRoleRequirement) {
+      await this.checkRoleRequirement(checkRoleRequirement, userId, mockRoles);
+    }
+    const checkPermissionParams = this.reflector.getAllAndOverride(PERMISSIONS_KEY, [
+      context.getHandler(),
+      context.getClass()
+    ]);
+    if (checkPermissionParams) {
+      await this.checkPermissionRequirement(checkPermissionParams, userId, mockRoles);
+    }
+    const envRequirement = this.reflector.getAllAndOverride(ENVIRONMENT_KEY, [
+      context.getHandler(),
+      context.getClass()
+    ]);
+    if (envRequirement) {
+      const envContext = this.extractEnvironmentContext(request);
+      await this.checkEnvironmentRequirement(envRequirement, envContext, request);
+    }
+    return true;
+  }
+  /**
+  * 从请求中提取用户ID
+  * 子类可以重写此方法以适应不同的认证策略
+  */
+  extractUserId(request) {
+    const mockUserId = request.cookies?.mockUserId;
+    if (mockUserId) return mockUserId;
+    return request.userContext?.userId;
+  }
+  /**
+  * 从请求中提取环境上下文
+  */
+  extractEnvironmentContext(request) {
+    const regionHeader = request.headers["x-region"];
+    const osHeader = request.headers["x-os"];
+    const uaHeader = request.headers["user-agent"];
+    const region = Array.isArray(regionHeader) ? regionHeader[0] : regionHeader;
+    const os = Array.isArray(osHeader) ? osHeader[0] : osHeader;
+    const userAgent = Array.isArray(uaHeader) ? uaHeader[0] : uaHeader;
+    return {
+      network: {
+        ip: request.ip || request.connection?.remoteAddress,
+        region
+      },
+      device: {
+        type: this.detectDeviceType(userAgent),
+        os,
+        browser: userAgent
+      },
+      custom: {
+        headers: request.headers,
+        query: request.query
+      }
+    };
+  }
+  /**
+  * 检测设备类型
+  */
+  detectDeviceType(userAgent) {
+    if (!userAgent) return "desktop";
+    const ua = userAgent.toLowerCase();
+    if (/(tablet|ipad|playbook|silk)|(android(?!.*mobile))/i.test(ua)) {
+      return "tablet";
+    }
+    if (/mobile|iphone|ipod|android|blackberry|opera mini|iemobile/i.test(ua)) {
+      return "mobile";
+    }
+    return "desktop";
+  }
+  /**
+  * 检查角色要求
+  */
+  async checkRoleRequirement(requirement, userId, mockRoles) {
+    return this.permissionService.checkRoles(requirement, userId, mockRoles);
+  }
+  /**
+  * 检查权限要求
+  */
+  async checkPermissionRequirement(params, userId, mockRoles) {
+    return this.permissionService.checkPermissions(params, userId, mockRoles);
+  }
+  /**
+  * 检查环境要求
+  */
+  async checkEnvironmentRequirement(requirement, envContext, request) {
+    if (requirement.network) {
+      await this.checkNetworkRequirement(requirement.network, envContext);
+    }
+    if (requirement.device) {
+      await this.checkDeviceRequirement(requirement.device, envContext);
+    }
+    if (requirement.custom) {
+      const result = await requirement.custom(request);
+      if (!result) {
+        throw PermissionDeniedException.environmentRequired("custom", "\u4E0D\u6EE1\u8DB3\u81EA\u5B9A\u4E49\u73AF\u5883\u8981\u6C42");
+      }
+    }
+  }
+  /**
+  * 检查网络要求
+  */
+  async checkNetworkRequirement(requirement, envContext) {
+    const ip = envContext.network?.ip;
+    if (requirement.allowedIPs && ip) {
+      const isAllowed = this.checkIPMatch(ip, requirement.allowedIPs);
+      if (!isAllowed) {
+        throw PermissionDeniedException.environmentRequired("network.allowedIPs", `IP \u5730\u5740\u4E0D\u5728\u5141\u8BB8\u5217\u8868\u4E2D: ${ip}`);
+      }
+    }
+    if (requirement.blockedIPs && ip) {
+      const isBlocked = this.checkIPMatch(ip, requirement.blockedIPs);
+      if (isBlocked) {
+        throw PermissionDeniedException.environmentRequired("network.blockedIPs", `IP \u5730\u5740\u88AB\u7981\u6B62\u8BBF\u95EE: ${ip}`);
+      }
+    }
+    if (requirement.allowedRegions && envContext.network?.region) {
+      const isAllowed = requirement.allowedRegions.includes(envContext.network.region);
+      if (!isAllowed) {
+        throw PermissionDeniedException.environmentRequired("network.allowedRegions", `\u5730\u533A\u4E0D\u5728\u5141\u8BB8\u5217\u8868\u4E2D: ${envContext.network.region}`);
+      }
+    }
+  }
+  /**
+  * 检查设备要求
+  */
+  async checkDeviceRequirement(requirement, envContext) {
+    if (requirement.types && envContext.device?.type) {
+      const isAllowed = requirement.types.includes(envContext.device.type);
+      if (!isAllowed) {
+        throw PermissionDeniedException.environmentRequired("device.types", `\u4E0D\u5141\u8BB8\u7684\u8BBE\u5907\u7C7B\u578B: ${envContext.device.type}`);
+      }
+    }
+  }
+  /**
+  * 检查 IP 是否匹配
+  * 简化版本，仅支持精确匹配
+  * 生产环境建议使用 ipaddr.js 等库
+  */
+  checkIPMatch(ip, patterns) {
+    return patterns.some((pattern) => {
+      if (pattern === ip) return true;
+      return false;
+    });
+  }
+};
+AuthZPaasGuard = _ts_decorate3([
+  Injectable3(),
+  _ts_param2(2, Inject2(AUTHZPAAS_MODULE_OPTIONS)),
+  _ts_metadata2("design:type", Function),
+  _ts_metadata2("design:paramtypes", [
+    typeof Reflector === "undefined" ? Object : Reflector,
+    typeof PermissionService === "undefined" ? Object : PermissionService,
+    typeof AuthZPaasModuleOptions === "undefined" ? Object : AuthZPaasModuleOptions
+  ])
+], AuthZPaasGuard);
+
+// src/middlewares/roles.middleware.ts
+import { Injectable as Injectable4, Logger as Logger2 } from "@nestjs/common";
+function _ts_decorate4(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate4, "_ts_decorate");
+function _ts_metadata3(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+__name(_ts_metadata3, "_ts_metadata");
+var RolesMiddleware = class _RolesMiddleware {
+  static {
+    __name(this, "RolesMiddleware");
+  }
+  permissionService;
+  logger = new Logger2(_RolesMiddleware.name);
+  constructor(permissionService) {
+    this.permissionService = permissionService;
+  }
+  async use(req, _res, next) {
+    try {
+      const userId = req.userContext?.userId;
+      const mockRoles = req[ENABLE_MOCK_ROLE_KEY] ? getMockRolesFromCookie(req) : void 0;
+      this.logger.debug(`Fetching roles for user: ${userId}`);
+      const permissionData = await this.permissionService.getUserPermissions(userId, mockRoles);
+      let roles;
+      if (permissionData) {
+        roles = permissionData.roles;
+      }
+      req.userContext.userRoles = roles;
+      req.userContext.userId = userId;
+      this.logger.debug(`User ${userId} roles loaded: [${roles?.join(", ")}]`);
+      next();
+    } catch (error) {
+      this.logger.warn(`Failed to fetch roles for request: ${error instanceof Error ? error.message : "Unknown error"}`);
+      next();
+    }
+  }
+};
+RolesMiddleware = _ts_decorate4([
+  Injectable4(),
+  _ts_metadata3("design:type", Function),
+  _ts_metadata3("design:paramtypes", [
+    typeof PermissionService === "undefined" ? Object : PermissionService
+  ])
+], RolesMiddleware);
+
+// src/filters/authzpaas-exception.filter.ts
+import { Catch } from "@nestjs/common";
+function _ts_decorate5(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate5, "_ts_decorate");
+var AuthZPaasExceptionFilter = class {
+  static {
+    __name(this, "AuthZPaasExceptionFilter");
+  }
+  catch(exception, host) {
+    const ctx = host.switchToHttp();
+    const response = ctx.getResponse();
+    const status = exception.getStatus();
+    const exceptionResponse = exception.getResponse();
+    const errorResponse = {
+      statusCode: status,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      cause: exception.cause,
+      type: exception.type,
+      message: typeof exceptionResponse === "string" ? exceptionResponse : exceptionResponse.message || "\u6743\u9650\u4E0D\u8DB3"
+    };
+    if (exception.details.requiredRoles) {
+      errorResponse.requiredRoles = exception.details.requiredRoles;
+    }
+    if (exception.details.requiredPermissions) {
+      errorResponse.requiredPermissions = exception.details.requiredPermissions;
+    }
+    if (exception.details.environmentRequirement) {
+      errorResponse.environmentRequirement = exception.details.environmentRequirement;
+    }
+    if (exception.details.metadata) {
+      errorResponse.metadata = exception.details.metadata;
+    }
+    response.status(status).json(errorResponse);
+  }
+};
+AuthZPaasExceptionFilter = _ts_decorate5([
+  Catch(PermissionDeniedException)
+], AuthZPaasExceptionFilter);
+
+// src/authzpaas.module.ts
+function _ts_decorate6(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate6, "_ts_decorate");
+var AuthZPaasModule = class _AuthZPaasModule {
+  static {
+    __name(this, "AuthZPaasModule");
+  }
+  static forRoot(options) {
+    const { permissionApi, cache = {
+      ttl: 300,
+      max: 1e3,
+      enabled: true
+    }, isGlobal = true } = options;
+    return {
+      module: _AuthZPaasModule,
+      global: isGlobal,
+      controllers: [],
+      providers: [
+        // 配置提供者
+        {
+          provide: AUTHZPAAS_MODULE_OPTIONS,
+          useValue: {
+            ...options,
+            loginPath: options.loginPath || DEFAULT_LOGIN_PATH
+          }
+        },
+        {
+          provide: PERMISSION_API_CONFIG_TOKEN,
+          useValue: permissionApi
+        },
+        {
+          provide: CACHE_CONFIG_TOKEN,
+          useValue: cache
+        },
+        // 核心服务
+        Reflector2,
+        // 服务提供者
+        PermissionService,
+        AbilityFactory,
+        AuthZPaasGuard,
+        RolesMiddleware,
+        // 守卫提供者
+        {
+          provide: APP_GUARD,
+          useClass: AuthZPaasGuard
+        },
+        {
+          provide: APP_FILTER,
+          useClass: AuthZPaasExceptionFilter
+        }
+      ],
+      exports: [
+        PermissionService,
+        AbilityFactory,
+        RolesMiddleware
+      ]
+    };
+  }
+  /**
+  * 异步注册 AuthZPaas 模块（根模块）
+  * 用于需要从配置服务获取设置的场景
+  *
+  * @param options 异步配置选项
+  * @returns 动态模块
+  *
+  * @example
+  * ```typescript
+  * @Module({
+  *   imports: [
+  *     AuthZPaasModule.forRootAsync({
+  *       imports: [ConfigModule],
+  *       inject: [ConfigService],
+  *       useFactory: async (configService: ConfigService) => ({
+  *         permissionApi: {
+  *           baseUrl: configService.get('PERMISSION_API_URL'),
+  *           apiToken: configService.get('PERMISSION_API_TOKEN'),
+  *         },
+  *         cache: {
+  *           ttl: configService.get('CACHE_TTL', 300),
+  *           max: configService.get('CACHE_MAX', 1000),
+  *         },
+  *       }),
+  *     }),
+  *   ],
+  * })
+  * export class AppModule {}
+  * ```
+  */
+  static forRootAsync(options) {
+    const { imports = [], inject = [], useFactory, isGlobal = true } = options;
+    return {
+      module: _AuthZPaasModule,
+      global: isGlobal,
+      imports,
+      controllers: [],
+      providers: [
+        // 异步配置提供者
+        {
+          provide: AUTHZPAAS_MODULE_OPTIONS,
+          useFactory,
+          inject
+        },
+        // 权限 API 配置提供者
+        {
+          provide: PERMISSION_API_CONFIG_TOKEN,
+          useFactory: /* @__PURE__ */ __name((moduleOptions) => {
+            return moduleOptions.permissionApi;
+          }, "useFactory"),
+          inject: [
+            AUTHZPAAS_MODULE_OPTIONS
+          ]
+        },
+        // 缓存配置提供者
+        {
+          provide: CACHE_CONFIG_TOKEN,
+          useFactory: /* @__PURE__ */ __name((moduleOptions) => {
+            return moduleOptions.cache || {
+              ttl: 300,
+              max: 1e3,
+              enabled: true
+            };
+          }, "useFactory"),
+          inject: [
+            AUTHZPAAS_MODULE_OPTIONS
+          ]
+        },
+        // 核心服务
+        Reflector2,
+        // 服务提供者
+        PermissionService,
+        AbilityFactory,
+        AuthZPaasGuard,
+        RolesMiddleware,
+        // 守卫提供者
+        {
+          provide: APP_GUARD,
+          useClass: AuthZPaasGuard
+        },
+        {
+          provide: APP_FILTER,
+          useClass: AuthZPaasExceptionFilter
+        }
+      ],
+      exports: [
+        PermissionService,
+        AbilityFactory,
+        RolesMiddleware
+      ]
+    };
+  }
+};
+AuthZPaasModule = _ts_decorate6([
+  Module({})
+], AuthZPaasModule);
+
+// src/decorators/can-role.decorator.ts
+import { SetMetadata } from "@nestjs/common";
+var CanRole = /* @__PURE__ */ __name((role, and = false) => {
+  let requirement;
+  if (!Array.isArray(role) && typeof role === "string") {
+    requirement = {
+      roles: [
+        role
+      ],
+      and
+    };
+  } else if (Array.isArray(role) && role.some((role2) => typeof role2 === "string")) {
+    requirement = {
+      roles: role,
+      and
+    };
+  } else {
+    throw new Error("Invalid CanRole parameter: " + JSON.stringify(role));
+  }
+  return SetMetadata(ROLES_KEY, requirement);
+}, "CanRole");
+
+// src/decorators/can-permission.decorator.ts
+import { SetMetadata as SetMetadata2 } from "@nestjs/common";
+var CanPermission = /* @__PURE__ */ __name((permission, or) => {
+  let requirements;
+  if (Array.isArray(permission)) {
+    requirements = permission;
+  } else if (typeof permission === "object" && "subject" in permission) {
+    requirements = [
+      permission
+    ];
+  } else {
+    throw new Error("Invalid CanPermission parameter: " + JSON.stringify(permission));
+  }
+  return SetMetadata2(PERMISSIONS_KEY, {
+    requirements,
+    or: or ?? false
+  });
+}, "CanPermission");
+
+// src/decorators/can-env.decorator.ts
+import { SetMetadata as SetMetadata3 } from "@nestjs/common";
+var CanEnv = /* @__PURE__ */ __name((requirement) => {
+  return SetMetadata3(ENVIRONMENT_KEY, requirement);
+}, "CanEnv");
+
+// src/decorators/user-id.decorator.ts
+import { createParamDecorator } from "@nestjs/common";
+var UserId = createParamDecorator((_data, ctx) => {
+  const request = ctx.switchToHttp().getRequest();
+  return request.userContext?.userId;
+});
+
+// src/decorators/mock-roles.decorator.ts
+import { createParamDecorator as createParamDecorator2 } from "@nestjs/common";
+var MockRoles = createParamDecorator2((_data, ctx) => {
+  const request = ctx.switchToHttp().getRequest();
+  const mockRoles = getMockRolesFromCookie(request);
+  return request[ENABLE_MOCK_ROLE_KEY] ? mockRoles : void 0;
+});
+
+// src/controllers/permission.controller.ts
+import { Controller, Get, Post, Res, Body } from "@nestjs/common";
+import { ApiOperation, ApiResponse, ApiTags, ApiProperty } from "@nestjs/swagger";
+function _ts_decorate7(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+__name(_ts_decorate7, "_ts_decorate");
+function _ts_metadata4(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+__name(_ts_metadata4, "_ts_metadata");
+function _ts_param3(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+}
+__name(_ts_param3, "_ts_param");
+var PermissionDto = class {
+  static {
+    __name(this, "PermissionDto");
+  }
+  sub;
+  actions;
+  id;
+  name;
+  conditions;
+};
+_ts_decorate7([
+  ApiProperty({
+    description: "\u8D44\u6E90\u7C7B\u578B",
+    example: "task"
+  }),
+  _ts_metadata4("design:type", String)
+], PermissionDto.prototype, "sub", void 0);
+_ts_decorate7([
+  ApiProperty({
+    description: "\u64CD\u4F5C\u7C7B\u578B\u5217\u8868",
+    example: [
+      "create",
+      "read",
+      "update",
+      "delete"
+    ],
+    type: [
+      String
+    ]
+  }),
+  _ts_metadata4("design:type", Array)
+], PermissionDto.prototype, "actions", void 0);
+_ts_decorate7([
+  ApiProperty({
+    description: "\u6743\u9650ID",
+    required: false
+  }),
+  _ts_metadata4("design:type", String)
+], PermissionDto.prototype, "id", void 0);
+_ts_decorate7([
+  ApiProperty({
+    description: "\u6743\u9650\u540D\u79F0",
+    required: false
+  }),
+  _ts_metadata4("design:type", String)
+], PermissionDto.prototype, "name", void 0);
+_ts_decorate7([
+  ApiProperty({
+    description: "\u6743\u9650\u6761\u4EF6",
+    required: false,
+    type: "object"
+  }),
+  _ts_metadata4("design:type", typeof Record === "undefined" ? Object : Record)
+], PermissionDto.prototype, "conditions", void 0);
+var PermissionResponse = class {
+  static {
+    __name(this, "PermissionResponse");
+  }
+  userId;
+  roles;
+  permissions;
+  fetchedAt;
+};
+_ts_decorate7([
+  ApiProperty({
+    description: "\u7528\u6237ID",
+    example: "user123",
+    required: false
+  }),
+  _ts_metadata4("design:type", String)
+], PermissionResponse.prototype, "userId", void 0);
+_ts_decorate7([
+  ApiProperty({
+    description: "\u7528\u6237\u89D2\u8272\u5217\u8868",
+    example: [
+      "admin",
+      "user"
+    ],
+    type: [
+      String
+    ]
+  }),
+  _ts_metadata4("design:type", Array)
+], PermissionResponse.prototype, "roles", void 0);
+_ts_decorate7([
+  ApiProperty({
+    description: "\u7528\u6237\u6743\u9650\u70B9\u4F4D\u5217\u8868",
+    type: [
+      PermissionDto
+    ]
+  }),
+  _ts_metadata4("design:type", Array)
+], PermissionResponse.prototype, "permissions", void 0);
+_ts_decorate7([
+  ApiProperty({
+    description: "\u6570\u636E\u83B7\u53D6\u65F6\u95F4",
+    example: "2025-10-14T00:00:00.000Z"
+  }),
+  _ts_metadata4("design:type", typeof Date === "undefined" ? Object : Date)
+], PermissionResponse.prototype, "fetchedAt", void 0);
+var PermissionController = class {
+  static {
+    __name(this, "PermissionController");
+  }
+  permissionService;
+  constructor(permissionService) {
+    this.permissionService = permissionService;
+  }
+  /**
+  * 获取当前用户的权限数据
+  * 
+  * @param userId 当前用户ID（从请求上下文中获取）
+  * @returns 用户权限数据
+  * 
+  * @example
+  * GET /api/permissions
+  * 
+  * Response:
+  * {
+  *   "userId": "user123",
+  *   "roles": ["admin", "user"],
+  *   "permissions": [
+  *     { "sub": "task", "actions": ["create", "read", "update", "delete"] }
+  *   ],
+  *   "fetchedAt": "2025-10-14T00:00:00.000Z"
+  * }
+  */
+  async getUserPermissions(userId, mockRoles) {
+    const permissionData = await this.permissionService.getUserPermissions(userId, mockRoles);
+    return {
+      userId: permissionData?.userId,
+      roles: permissionData?.roles || [],
+      permissions: permissionData?.permissions || [],
+      fetchedAt: permissionData?.fetchedAt || /* @__PURE__ */ new Date()
+    };
+  }
+  /**
+  * 开启角色模拟：将传入的 userId 写入 cookie，服务端优先使用该值请求权限
+  */
+  async enableMock(res, roles) {
+    if (!Array.isArray(roles) || roles.length === 0) {
+      return {
+        success: false,
+        message: "roles \u4E0D\u80FD\u4E3A\u7A7A"
+      };
+    }
+    const val = roles.join(",");
+    res.cookie(MOCK_ROLES_COOKIE_KEY, val, {
+      httpOnly: false,
+      sameSite: "lax",
+      maxAge: 24 * 60 * 60 * 1e3,
+      path: "/"
+    });
+    return {
+      success: true,
+      roles
+    };
+  }
+  /**
+  * 关闭角色模拟：清除 cookie
+  */
+  async disableMock(res) {
+    res.clearCookie(MOCK_ROLES_COOKIE_KEY, {
+      path: "/"
+    });
+    return {
+      success: true
+    };
+  }
+  async getMockRoles(mockRoles, userId) {
+    const permissionData = await this.permissionService.getUserPermissions(userId, mockRoles);
+    return {
+      mocking: !!mockRoles,
+      roles: permissionData?.roles || [],
+      permissions: permissionData?.permissions || [],
+      fetchedAt: permissionData?.fetchedAt || /* @__PURE__ */ new Date(),
+      userId
+    };
+  }
+};
+_ts_decorate7([
+  Get(),
+  ApiOperation({
+    summary: "\u83B7\u53D6\u5F53\u524D\u7528\u6237\u7684\u6743\u9650\u6570\u636E"
+  }),
+  ApiResponse({
+    status: 200,
+    description: "\u6210\u529F\u8FD4\u56DE\u7528\u6237\u6743\u9650\u6570\u636E",
+    type: PermissionResponse
+  }),
+  ApiResponse({
+    status: 400,
+    description: "\u7528\u6237\u672A\u8BA4\u8BC1"
+  }),
+  _ts_param3(0, UserId()),
+  _ts_param3(1, MockRoles()),
+  _ts_metadata4("design:type", Function),
+  _ts_metadata4("design:paramtypes", [
+    String,
+    Array
+  ]),
+  _ts_metadata4("design:returntype", Promise)
+], PermissionController.prototype, "getUserPermissions", null);
+_ts_decorate7([
+  Post("mock/enable"),
+  ApiOperation({
+    summary: "\u5F00\u542F\u89D2\u8272\u6A21\u62DF\uFF08\u5199\u5165 cookie: mockRoles\uFF09"
+  }),
+  ApiResponse({
+    status: 200,
+    description: "\u6A21\u62DF\u5DF2\u5F00\u542F"
+  }),
+  _ts_param3(0, Res({
+    passthrough: true
+  })),
+  _ts_param3(1, Body("roles")),
+  _ts_metadata4("design:type", Function),
+  _ts_metadata4("design:paramtypes", [
+    typeof Response === "undefined" ? Object : Response,
+    Array
+  ]),
+  _ts_metadata4("design:returntype", Promise)
+], PermissionController.prototype, "enableMock", null);
+_ts_decorate7([
+  Post("mock/disable"),
+  ApiOperation({
+    summary: "\u5173\u95ED\u89D2\u8272\u6A21\u62DF\uFF08\u6E05\u9664 cookie: mockRoles\uFF09"
+  }),
+  ApiResponse({
+    status: 200,
+    description: "\u6A21\u62DF\u5DF2\u5173\u95ED"
+  }),
+  _ts_param3(0, Res({
+    passthrough: true
+  })),
+  _ts_metadata4("design:type", Function),
+  _ts_metadata4("design:paramtypes", [
+    typeof Response === "undefined" ? Object : Response
+  ]),
+  _ts_metadata4("design:returntype", Promise)
+], PermissionController.prototype, "disableMock", null);
+_ts_decorate7([
+  Get("mock/status"),
+  ApiOperation({
+    summary: "\u83B7\u53D6\u5F53\u524D\u7528\u6237\u7684\u89D2\u8272\u6A21\u62DF\u72B6\u6001"
+  }),
+  ApiResponse({
+    status: 200,
+    description: "\u6210\u529F\u8FD4\u56DE\u89D2\u8272\u6A21\u62DF\u6570\u636E"
+  }),
+  _ts_param3(0, MockRoles()),
+  _ts_param3(1, UserId()),
+  _ts_metadata4("design:type", Function),
+  _ts_metadata4("design:paramtypes", [
+    Object,
+    String
+  ]),
+  _ts_metadata4("design:returntype", Promise)
+], PermissionController.prototype, "getMockRoles", null);
+PermissionController = _ts_decorate7([
+  ApiTags("\u6743\u9650\u7BA1\u7406"),
+  Controller("api/permissions"),
+  _ts_metadata4("design:type", Function),
+  _ts_metadata4("design:paramtypes", [
+    typeof PermissionService === "undefined" ? Object : PermissionService
+  ])
+], PermissionController);
+export {
+  ANONYMOUS_USER_ID,
+  AUTHZPAAS_MODULE_OPTIONS,
+  AbilityFactory,
+  AuthZPaasExceptionFilter,
+  AuthZPaasGuard,
+  AuthZPaasModule,
+  CACHE_CONFIG_TOKEN,
+  CanEnv,
+  CanPermission,
+  CanRole,
+  DEFAULT_LOGIN_PATH,
+  ENABLE_MOCK_ROLE_KEY,
+  ENVIRONMENT_KEY,
+  MOCK_ROLES_COOKIE_KEY,
+  MockRoles,
+  NEED_LOGIN_KEY,
+  PERMISSIONS_KEY,
+  PERMISSION_API_CONFIG_TOKEN,
+  PermissionController,
+  PermissionDeniedException,
+  PermissionDeniedType,
+  PermissionDto,
+  PermissionResponse,
+  PermissionService,
+  ROLES_KEY,
+  ROLE_SUBJECT,
+  RolesMiddleware,
+  UserId
+};
+//# sourceMappingURL=index.js.map