npm - @lark-apaas/nestjs-authzpaas - Versions diffs - 0.1.0-alpha.1 → 0.1.0-alpha.10 - Mend

@lark-apaas/nestjs-authzpaas 0.1.0-alpha.1 → 0.1.0-alpha.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/README.md CHANGED Viewed

@@ -230,257 +230,6 @@ export class SensitiveController {
 }
 ```
-### 2. CanPermission - 权限检查
-使用 `@CanPermission()` 装饰器检查用户对特定资源的操作权限。
-#### 示例 1: 单个操作检查
-```typescript
-import { Controller, Get } from '@nestjs/common';
-import { CanPermission } from '@lark-apaas/nestjs-authzpaas';
-@Controller('demo')
-export class DemoController {
-  // 需要对 User 资源有 read 权限
-  @CanPermission([{ actions: ['read'], subject: 'User' }])
-  @Get('read-user')
-  readUser() {
-    return {
-      message: '✅ 用户读取成功（需要 read 权限）',
-    };
-  }
-  // 需要对 User 资源有 create 权限
-  @CanPermission([{ actions: ['create'], subject: 'User' }])
-  @Get('create-user')
-  createUser() {
-    return {
-      message: '✅ 用户创建成功（需要 create 权限）',
-    };
-  }
-}
-```
-#### 示例 2: 多个操作检查（AND 逻辑，默认）
-```typescript
-@Controller('articles')
-export class ArticleController {
-  // 需要同时拥有 read 和 update 权限
-  @CanPermission([{
-    actions: ['read', 'update'],
-    subject: 'Article',
-    requireAll: true  // 默认为 true，可省略
-  }])
-  @Get('publish')
-  publish() {
-    return '发布文章';
-  }
-}
-```
-#### 示例 3: 多个操作检查（OR 逻辑）
-```typescript
-@Controller('articles')
-export class ArticleController {
-  // 拥有 read 或 preview 任一权限即可
-  @CanPermission([{
-    actions: ['read', 'preview'],
-    subject: 'Article',
-    requireAll: false  // OR 逻辑
-  }])
-  @Get('preview')
-  preview() {
-    return '预览文章';
-  }
-}
-```
-#### 示例 4: 多个资源权限检查
-```typescript
-@Controller('articles')
-export class ArticleController {
-  // 需要同时满足：能读文章 AND 能创建评论
-  @CanPermission([
-    { actions: ['read'], subject: 'Article' },
-    { actions: ['create'], subject: 'Comment' }
-  ])
-  @Get('comment')
-  addComment() {
-    return '添加评论';
-  }
-  // 需要同时满足：能读文章 AND (能更新或删除评论)
-  @CanPermission([
-    { actions: ['read'], subject: 'Article' },
-    { actions: ['update', 'delete'], subject: 'Comment', requireAll: false }
-  ])
-  @Get('manage-comment')
-  manageComment() {
-    return '管理评论';
-  }
-}
-```
-### 3. UserId - 获取用户ID
-使用 `@UserId()` 参数装饰器获取当前用户ID。
-#### 示例 1: 基本用法
-```typescript
-import { Controller, Get } from '@nestjs/common';
-import { UserId } from '@lark-apaas/nestjs-authzpaas';
-@Controller('demo')
-export class DemoController {
-  @Get('profile')
-  getProfile(@UserId() userId: string) {
-    return {
-      message: '获取用户资料',
-      userId,
-    };
-  }
-}
-```
-#### 示例 2: 结合 PermissionService 使用
-```typescript
-import { Controller, Get } from '@nestjs/common';
-import { UserId, PermissionService } from '@lark-apaas/nestjs-authzpaas';
-@Controller('demo')
-export class DemoController {
-  constructor(private readonly permissionService: PermissionService) {}
-  @Get('check-permission')
-  async checkPermission(@UserId() userId: string) {
-    // 手动检查权限
-    const hasPermission = await this.permissionService.checkPermissions(
-      [{ actions: ['read'], subject: 'User' }],
-      userId
-    );
-    return {
-      message: '权限检查成功',
-      userId,
-      hasPermission,
-    };
-  }
-}
-```
-#### 示例 3: 使用 CASL Ability
-```typescript
-import { Controller, Get } from '@nestjs/common';
-import { UserId, PermissionService, ROLE_SUBJECT } from '@lark-apaas/nestjs-authzpaas';
-@Controller('demo')
-export class DemoController {
-  constructor(private readonly permissionService: PermissionService) {}
-  @Get('ability')
-  async getAbility(@UserId() userId: string) {
-    const ability = await this.permissionService.getAbility(userId);
-    // 使用 CASL Ability 检查权限
-    const canReadUser = ability.can('read', 'User');
-    const canWriteTask = ability.can('write', 'Task');
-    const isAdmin = ability.can('admin', ROLE_SUBJECT);
-    return {
-      userId,
-      permissions: {
-        canReadUser,
-        canWriteTask,
-        isAdmin,
-      },
-    };
-  }
-}
-```
-### 4. MockRoles - 角色模拟
-使用 `@MockRoles()` 参数装饰器获取模拟角色，仅在 `enableMockRole: true` 时有效。
-#### 示例 1: 基本用法
-```typescript
-import { Controller, Get } from '@nestjs/common';
-import { MockRoles } from '@lark-apaas/nestjs-authzpaas';
-@Controller('demo')
-export class DemoController {
-  @Get('mock-roles')
-  getMockRoles(@MockRoles() mockRoles: string[]) {
-    return {
-      message: '获取模拟角色',
-      mockRoles: mockRoles || [],
-      hasMockRoles: !!mockRoles,
-    };
-  }
-}
-```
-#### 示例 2: 结合权限检查
-```typescript
-@Controller('admin')
-export class AdminController {
-  @Get('test')
-  @CanRole(['admin'])  // 会优先使用模拟角色进行验证
-  testWithMockRoles(@MockRoles() mockRoles: string[]) {
-    return {
-      message: '管理员测试接口',
-      mockRoles,
-    };
-  }
-}
-```
-### 5. 装饰器组合使用
-可以组合使用多个装饰器实现复杂的鉴权需求。
-#### 示例 1: 角色 + 权限
-```typescript
-import { Controller, Get } from '@nestjs/common';
-import { CanRole, CanPermission } from '@lark-apaas/nestjs-authzpaas';
-@Controller('posts')
-export class PostController {
-  // 需要 editor 角色 + 对 Post 有 delete 权限
-  @CanRole(['editor'])
-  @CanPermission([{ actions: ['delete'], subject: 'Post' }])
-  @Get('delete')
-  delete() {
-    return '删除帖子';
-  }
-}
-```
-#### 示例 2: 多层权限检查
-```typescript
-@Controller('tasks')
-export class TasksController {
-  // 需要 admin 或 manager 角色 + Task 的 manage 权限
-  @CanRole(['admin', 'manager'])
-  @CanPermission([{ actions: ['manage'], subject: 'Task' }])
-  @Get('manage')
-  manageTasks() {
-    return '管理任务';
-  }
-}
-```
 ## 核心组件
 > 📚 **核心组件是装饰器的底层实现**，了解核心组件有助于深入理解权限系统的工作原理。
@@ -491,8 +240,6 @@ export class TasksController {
 1. **提取用户ID**: 从 `req.userContext.userId` 中提取用户ID
 2. **角色检查**: 如果使用了 `@CanRole()`，检查用户角色
-3. **权限检查**: 如果使用了 `@CanPermission()`，检查用户权限
-4. **环境检查**: 如果使用了 `@RequireEnvironment()`，检查环境条件
 5. **注入权限数据**: 将权限数据附加到 `req.userPermissions`
 **工作流程**:

package/dist/index.cjs CHANGED Viewed

@@ -24,7 +24,6 @@ __export(index_exports, {
   ANONYMOUS_USER_ID: () => ANONYMOUS_USER_ID,
   AUTHZPAAS_MODULE_OPTIONS: () => AUTHZPAAS_MODULE_OPTIONS,
   AbilityFactory: () => AbilityFactory,
-  AuthZPaasExceptionFilter: () => AuthZPaasExceptionFilter,
   AuthZPaasGuard: () => AuthZPaasGuard,
   AuthZPaasModule: () => AuthZPaasModule,
   CACHE_CONFIG_TOKEN: () => CACHE_CONFIG_TOKEN,
@@ -40,13 +39,12 @@ __export(index_exports, {
   PermissionDeniedType: () => PermissionDeniedType,
   PermissionService: () => PermissionService,
   ROLES_KEY: () => ROLES_KEY,
-  ROLE_SUBJECT: () => ROLE_SUBJECT,
-  RolesMiddleware: () => RolesMiddleware
+  ROLE_SUBJECT: () => ROLE_SUBJECT
 });
 module.exports = __toCommonJS(index_exports);
 // src/authzpaas.module.ts
-var import_common11 = require("@nestjs/common");
+var import_common9 = require("@nestjs/common");
 var import_core4 = require("@nestjs/core");
 // src/services/permission.service.ts
@@ -344,16 +342,13 @@ var PermissionService = class _PermissionService {
   */
   async fetchFromApi(requestDto) {
     const { timeout = 5e3 } = this.apiConfig || {};
-    const { baseUrl, userId, appId, cookies, csrfToken } = requestDto;
-    const url = `${baseUrl}/api/apps/${appId}/management/permissions/roles`;
+    const { baseUrl, userId, appId, cookie, csrfToken } = requestDto;
+    const url = `${baseUrl}/spark/app/${appId}/runtime/api/v1/permissions/roles`;
     const requestHeaders = {
       "Content-Type": "application/json"
     };
-    if (cookies) {
-      const cookieString = Object.entries(cookies).map(([key, value]) => `${key}=${value}`).join("; ");
-      if (cookieString) {
-        requestHeaders.Cookie = cookieString;
-      }
+    if (cookie) {
+      requestHeaders.Cookie = cookie;
     }
     if (csrfToken) {
       requestHeaders["X-Suda-Csrf-Token"] = csrfToken;
@@ -362,7 +357,8 @@ var PermissionService = class _PermissionService {
     const timeoutId = setTimeout(() => controller.abort(), timeout);
     try {
       const response = await fetch(url, {
-        method: "GET",
+        method: "POST",
+        credentials: "include",
         headers: requestHeaders,
         signal: controller.signal
       });
@@ -378,12 +374,13 @@ var PermissionService = class _PermissionService {
       const data = await response.json();
       return {
         userId,
-        roles: data.role_list || [],
+        roles: data.data?.roleList || [],
         // TODO: 基于权限点位设置能力
         // permissions: data.permissions || [],
         fetchedAt: /* @__PURE__ */ new Date()
       };
     } catch (error) {
+      console.log("error", error);
       clearTimeout(timeoutId);
       let err = error;
       if (error.name === "AbortError") {
@@ -426,14 +423,22 @@ var PermissionService = class _PermissionService {
   * @returns 用户权限数据
   * @throws PermissionDeniedException 当角色不满足时
   */
-  async checkRoles(requirement, userContext) {
+  async checkRoles(requirement, userContext, cookie, csrfToken) {
     const userId = userContext?.userId || ANONYMOUS_USER_ID;
+    if (!csrfToken) {
+      throw new PermissionDeniedException({
+        cause: new Error("CSRF token is required"),
+        type: PermissionDeniedType.PERMISSION_CONFIG_QUERY_FAILED,
+        message: "CSRF token is required"
+      }, import_common7.HttpStatus.BAD_REQUEST);
+    }
     const permissionData = await this.getUserPermissions({
+      // FIXME: 使用 request 的 base url
       baseUrl: userContext?.baseUrl || "",
       userId,
       appId: userContext?.appId || "",
-      cookies: userContext?.cookies || {},
-      csrfToken: userContext?.csrfToken || ""
+      csrfToken,
+      cookie
     });
     if (!permissionData) {
       throw new PermissionDeniedException({
@@ -492,22 +497,20 @@ var AuthZPaasGuard = class {
   async canActivate(context) {
     const http = context.switchToHttp();
     const request = http.getRequest();
+    const cookie = request.headers.cookie;
+    const csrfToken = request.csrfToken;
+    const baseUrl = `${request.protocol}://${request.get("host")}`;
     const userContext = request.userContext;
+    userContext.baseUrl = baseUrl;
     const checkRoleRequirement = this.reflector.getAllAndOverride(ROLES_KEY, [
       context.getHandler(),
       context.getClass()
     ]);
     if (checkRoleRequirement) {
-      await this.checkRoleRequirement(checkRoleRequirement, userContext);
+      await this.permissionService.checkRoles(checkRoleRequirement, userContext, cookie, csrfToken);
     }
     return true;
   }
-  /**
-  * 检查角色要求
-  */
-  async checkRoleRequirement(requirement, userContext) {
-    return this.permissionService.checkRoles(requirement, userContext);
-  }
 };
 AuthZPaasGuard = _ts_decorate5([
   (0, import_common8.Injectable)(),
@@ -518,8 +521,7 @@ AuthZPaasGuard = _ts_decorate5([
   ])
 ], AuthZPaasGuard);
-// src/middlewares/roles.middleware.ts
-var import_common9 = require("@nestjs/common");
+// src/authzpaas.module.ts
 function _ts_decorate6(decorators, target, key, desc) {
   var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
   if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
@@ -527,114 +529,12 @@ function _ts_decorate6(decorators, target, key, desc) {
   return c > 3 && r && Object.defineProperty(target, key, r), r;
 }
 __name(_ts_decorate6, "_ts_decorate");
-function _ts_metadata4(k, v) {
-  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
-}
-__name(_ts_metadata4, "_ts_metadata");
-var RolesMiddleware = class _RolesMiddleware {
-  static {
-    __name(this, "RolesMiddleware");
-  }
-  permissionService;
-  logger = new import_common9.Logger(_RolesMiddleware.name);
-  constructor(permissionService) {
-    this.permissionService = permissionService;
-  }
-  async use(req, _res, next) {
-    try {
-      const baseUrl = `${req.protocol}://${req.get("host")}`;
-      const userId = req.userContext?.userId ?? "";
-      const appId = req.userContext?.appId ?? "";
-      const cookies = req.cookies ?? {};
-      const csrfToken = req.headers["x-suda-csrf-token"] ?? "";
-      this.logger.debug(`Fetching roles for user: ${userId}`);
-      const permissionData = await this.permissionService.getUserPermissions({
-        baseUrl,
-        userId,
-        appId,
-        cookies,
-        csrfToken
-      });
-      let roles;
-      if (permissionData) {
-        roles = permissionData.roles;
-      }
-      req.userContext.baseUrl = baseUrl;
-      req.userContext.userRoles = roles;
-      req.userContext.userId = userId;
-      req.userContext.cookies = cookies;
-      req.userContext.csrfToken = csrfToken;
-      this.logger.debug(`User ${userId} roles loaded: [${roles?.join(", ")}]`);
-      next();
-    } catch (error) {
-      this.logger.warn(`Failed to fetch roles for request: ${error instanceof Error ? error.message : "Unknown error"}`);
-      next();
-    }
-  }
-};
-RolesMiddleware = _ts_decorate6([
-  (0, import_common9.Injectable)(),
-  _ts_metadata4("design:type", Function),
-  _ts_metadata4("design:paramtypes", [
-    typeof PermissionService === "undefined" ? Object : PermissionService
-  ])
-], RolesMiddleware);
-// src/filters/authzpaas-exception.filter.ts
-var import_common10 = require("@nestjs/common");
-function _ts_decorate7(decorators, target, key, desc) {
-  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-  return c > 3 && r && Object.defineProperty(target, key, r), r;
-}
-__name(_ts_decorate7, "_ts_decorate");
-var AuthZPaasExceptionFilter = class {
-  static {
-    __name(this, "AuthZPaasExceptionFilter");
-  }
-  catch(exception, host) {
-    const ctx = host.switchToHttp();
-    const response = ctx.getResponse();
-    const status = exception.getStatus();
-    const exceptionResponse = exception.getResponse();
-    const errorResponse = {
-      statusCode: status,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-      cause: exception.cause,
-      type: exception.type,
-      message: typeof exceptionResponse === "string" ? exceptionResponse : exceptionResponse.message || "\u6743\u9650\u4E0D\u8DB3"
-    };
-    if (exception.details.requiredRoles) {
-      errorResponse.requiredRoles = exception.details.requiredRoles;
-    }
-    if (exception.details.requiredPermissions) {
-      errorResponse.requiredPermissions = exception.details.requiredPermissions;
-    }
-    if (exception.details.metadata) {
-      errorResponse.metadata = exception.details.metadata;
-    }
-    response.status(status).json(errorResponse);
-  }
-};
-AuthZPaasExceptionFilter = _ts_decorate7([
-  (0, import_common10.Catch)(PermissionDeniedException)
-], AuthZPaasExceptionFilter);
-// src/authzpaas.module.ts
-function _ts_decorate8(decorators, target, key, desc) {
-  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-  return c > 3 && r && Object.defineProperty(target, key, r), r;
-}
-__name(_ts_decorate8, "_ts_decorate");
 var AuthZPaasModule = class _AuthZPaasModule {
   static {
     __name(this, "AuthZPaasModule");
   }
   static forRoot(options) {
-    const { permissionApi } = options;
+    const { permissionApi = {} } = options || {};
     return {
       module: _AuthZPaasModule,
       global: true,
@@ -657,21 +557,15 @@ var AuthZPaasModule = class _AuthZPaasModule {
         PermissionService,
         AbilityFactory,
         AuthZPaasGuard,
-        RolesMiddleware,
         // 守卫提供者
         {
           provide: import_core4.APP_GUARD,
           useClass: AuthZPaasGuard
-        },
-        {
-          provide: import_core4.APP_FILTER,
-          useClass: AuthZPaasExceptionFilter
         }
       ],
       exports: [
         PermissionService,
-        AbilityFactory,
-        RolesMiddleware
+        AbilityFactory
       ]
     };
   }
@@ -735,31 +629,25 @@ var AuthZPaasModule = class _AuthZPaasModule {
         PermissionService,
         AbilityFactory,
         AuthZPaasGuard,
-        RolesMiddleware,
         // 守卫提供者
         {
           provide: import_core4.APP_GUARD,
           useClass: AuthZPaasGuard
-        },
-        {
-          provide: import_core4.APP_FILTER,
-          useClass: AuthZPaasExceptionFilter
         }
       ],
       exports: [
         PermissionService,
-        AbilityFactory,
-        RolesMiddleware
+        AbilityFactory
       ]
     };
   }
 };
-AuthZPaasModule = _ts_decorate8([
-  (0, import_common11.Module)({})
+AuthZPaasModule = _ts_decorate6([
+  (0, import_common9.Module)({})
 ], AuthZPaasModule);
 // src/decorators/can-role.decorator.ts
-var import_common12 = require("@nestjs/common");
+var import_common10 = require("@nestjs/common");
 var CanRole = /* @__PURE__ */ __name((role, and = false) => {
   let requirement;
   if (!Array.isArray(role) && typeof role === "string") {
@@ -777,14 +665,13 @@ var CanRole = /* @__PURE__ */ __name((role, and = false) => {
   } else {
     throw new Error("Invalid CanRole parameter: " + JSON.stringify(role));
   }
-  return (0, import_common12.SetMetadata)(ROLES_KEY, requirement);
+  return (0, import_common10.SetMetadata)(ROLES_KEY, requirement);
 }, "CanRole");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ANONYMOUS_USER_ID,
   AUTHZPAAS_MODULE_OPTIONS,
   AbilityFactory,
-  AuthZPaasExceptionFilter,
   AuthZPaasGuard,
   AuthZPaasModule,
   CACHE_CONFIG_TOKEN,
@@ -800,7 +687,6 @@ var CanRole = /* @__PURE__ */ __name((role, and = false) => {
   PermissionDeniedType,
   PermissionService,
   ROLES_KEY,
-  ROLE_SUBJECT,
-  RolesMiddleware
+  ROLE_SUBJECT
 });
 //# sourceMappingURL=index.cjs.map