@lark-apaas/nestjs-authzpaas 0.1.0-alpha.4 → 0.1.0-alpha.40
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +8 -529
- package/dist/index.cjs +160 -102
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +92 -115
- package/dist/index.d.ts +92 -115
- package/dist/index.js +161 -98
- package/dist/index.js.map +1 -1
- package/package.json +8 -3
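--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -1,5 +1,7 @@
-import { DynamicModule, Type, HttpException } from '@nestjs/common';
+import { DynamicModule, Type, CanActivate, ExecutionContext, HttpException } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
 import { PureAbility } from '@casl/ability';
+import { PlatformHttpClient, RequestContextService, ObservableService } from '@lark-apaas/nestjs-common';
 
 /**
  * 用户角色
@@ -12,21 +14,6 @@ interface UserRole {
     /** 角色描述 */
     description?: string;
 }
-/**
- * 权限点位
- */
-interface Permission {
-    /** 资源类型 */
-    sub: string;
-    /** 操作类型 */
-    actions: string[];
-    /** 权限ID */
-    id?: string;
-    /** 权限名称 */
-    name?: string;
-    /** 权限条件 */
-    conditions?: Record<string, unknown>;
-}
 /**
  * 用户权限数据
  */
@@ -39,37 +26,6 @@ interface UserPermissionData {
     /** 数据获取时间 */
     fetchedAt: Date;
 }
-/**
- * 环境信息
- */
-interface EnvironmentContext {
-    /** 网络信息 */
-    network?: {
-        ip?: string;
-        region?: string;
-    };
-    /** 终端信息 */
-    device?: {
-        type?: 'mobile' | 'desktop' | 'tablet';
-        os?: string;
-        browser?: string;
-    };
-    /** 自定义环境变量 */
-    custom?: Record<string, unknown>;
-}
-/**
- * 权限检查上下文
- */
-interface AuthorizationContext {
-    /** 用户ID */
-    userId: string;
-    /** 用户权限数据 */
-    permissionData?: UserPermissionData;
-    /** 环境信息 */
-    environment?: EnvironmentContext;
-    /** 请求对象 */
-    request?: unknown;
-}
 /**
  * CASL 动作类型
  */
@@ -78,29 +34,11 @@ type Action = 'create' | 'read' | 'update' | 'delete' | 'manage' | string;
  * CASL 主体类型
  */
 type Subject = string | object;
-/**
- * 获取用户角色数据
- */
-interface UserRolesDTO {
-    /** 基础 URL */
-    baseUrl: string;
-    /** 用户ID */
-    userId: string;
-    /** 应用ID */
-    appId: string;
-    /** cookies 字符串 */
-    cookies: Record<string, string>;
-    /** CSRF 令牌 */
-    csrfToken: string;
-}
 interface UserContext {
     userId?: string;
     tenantId?: number;
     appId?: string;
-    userRoles?: string[];
     baseUrl?: string;
-    cookies?: Record<string, string>;
-    csrfToken?: string;
 }
 /**
  * 权限 API 配置
@@ -163,8 +101,6 @@ declare class AuthZPaasModule {
 interface RoleRequirement {
     /** 需要的角色列表 */
     roles: string[];
-    /** 是否需要所有角色(AND),默认 false(OR) */
-    and?: boolean;
 }
 type CheckRoleRequirement = RoleRequirement;
 /**
@@ -172,16 +108,98 @@ type CheckRoleRequirement = RoleRequirement;
  *
  * @example
  * ```typescript
- *
- * @CanRole(['admin'
+ * 单一角色
+ * @CanRole(['admin'])
  * async deleteUser() {}
  *
- *
- * @CanRole(['admin', '
+ * 任一角色
+ * @CanRole(['admin', 'editor'])
  * async criticalOperation() {}
  * ```
  */
-declare const CanRole: (role: string[] | string
+declare const CanRole: (role: string[] | string) => MethodDecorator;
+
+/**
+ * CASL Ability 类型
+ */
+type AppAbility = PureAbility<[Action, Subject]>;
+/**
+ * 角色检查的特殊 Subject
+ * 用于统一角色鉴权和权限点位鉴权
+ *
+ * 使用方式:
+ * - 权限点位鉴权:ability.can('read', 'Todo')
+ * - 角色鉴权:ability.can('admin', ROLE_SUBJECT) 或 ability.can('admin', '@role')
+ */
+declare const ROLE_SUBJECT = "@role";
+/**
+ * Ability 工厂
+ * 负责根据用户权限数据创建 CASL Ability 实例
+ *
+ * 统一了两种鉴权方式:
+ * 1. 基于角色的鉴权 - 角色名作为 action,'@role' 作为 subject
+ * 2. 基于权限点位的鉴权 - 标准的 action + subject 模式
+ */
+declare class AbilityFactory {
+    /**
+     * 为用户创建 Ability
+     */
+    createForUser(permissionData: UserPermissionData): AppAbility;
+}
+
+/**
+ * 权限服务
+ * 内置权限获取和缓存逻辑,以及权限检查逻辑
+ */
+declare class PermissionService {
+    private readonly apiConfig;
+    private readonly abilityFactory;
+    private readonly client;
+    private readonly requestContextService;
+    constructor(apiConfig: PermissionApiConfig, abilityFactory: AbilityFactory, client: PlatformHttpClient, requestContextService: RequestContextService);
+    /**
+     * 获取用户权限数据
+     */
+    getUserPermissions({ laneId, }: {
+        laneId?: string;
+    }): Promise<UserPermissionData | null>;
+    /**
+     * 从 API 获取权限数据
+     * 内置实现,用户无需配置
+     */
+    private fetchFromApi;
+    /**
+     * 检查角色要求
+     * 使用 CASL Ability 统一鉴权方式
+     * @param requirement 角色要求
+     * @param laneId 环境ID
+     * @returns 用户权限检查结果,包含结果和详细信息
+     * @throws PermissionDeniedException 当权限数据获取失败时
+     */
+    checkRoles(requirement: RoleRequirement, laneId?: string): Promise<{
+        result: boolean;
+        details?: string;
+    }>;
+}
+
+/**
+ * AuthZPaas 守卫
+ * 负责协调所有鉴权检查,具体检查逻辑委托给 PermissionService
+ */
+declare class AuthZPaasGuard implements CanActivate {
+    private reflector;
+    private permissionService;
+    private obs;
+    constructor(reflector: Reflector, permissionService: PermissionService, obs: ObservableService);
+    private logger;
+    /**
+     * 验证角色要求是否有效
+     * @param requirements 角色要求
+     * @returns 是否有效
+     */
+    private isValidRoleRequirement;
+    canActivate(context: ExecutionContext): Promise<boolean>;
+}
 
 /**
  * 权限拒绝异常类型
@@ -233,7 +251,7 @@ declare class PermissionDeniedException extends HttpException {
     /**
      * 创建角色不足异常
      */
-    static roleRequired(requiredRoles: string[]
+    static roleRequired(requiredRoles: string[]): PermissionDeniedException;
     /**
      * 创建权限不足异常
      */
@@ -243,34 +261,6 @@ declare class PermissionDeniedException extends HttpException {
     }>, or?: boolean, customMessage?: string): PermissionDeniedException;
 }
 
-/**
- * CASL Ability 类型
- */
-type AppAbility = PureAbility<[Action, Subject]>;
-/**
- * 角色检查的特殊 Subject
- * 用于统一角色鉴权和权限点位鉴权
- *
- * 使用方式:
- * - 权限点位鉴权:ability.can('read', 'Todo')
- * - 角色鉴权:ability.can('admin', ROLE_SUBJECT) 或 ability.can('admin', '@role')
- */
-declare const ROLE_SUBJECT = "@role";
-/**
- * Ability 工厂
- * 负责根据用户权限数据创建 CASL Ability 实例
- *
- * 统一了两种鉴权方式:
- * 1. 基于角色的鉴权 - 角色名作为 action,'@role' 作为 subject
- * 2. 基于权限点位的鉴权 - 标准的 action + subject 模式
- */
-declare class AbilityFactory {
-    /**
-     * 为用户创建 Ability
-     */
-    createForUser(permissionData: UserPermissionData): AppAbility;
-}
-
 /**
  * 常量
  */
@@ -281,8 +271,6 @@ declare const ANONYMOUS_USER_ID = "anonymous_user_id";
  */
 /** 权限 API 配置 Token */
 declare const PERMISSION_API_CONFIG_TOKEN: unique symbol;
-/** 缓存配置 Token */
-declare const CACHE_CONFIG_TOKEN: unique symbol;
 /** AuthZPaas 模块选项 Token */
 declare const AUTHZPAAS_MODULE_OPTIONS: unique symbol;
 /**
@@ -290,16 +278,5 @@ declare const AUTHZPAAS_MODULE_OPTIONS: unique symbol;
  */
 /** 需要的角色元数据键 */
 declare const ROLES_KEY = "authzpaas:roles";
-/** 需要的权限元数据键 */
-declare const PERMISSIONS_KEY = "authzpaas:permissions";
-/** 需要的环境元数据键 */
-declare const ENVIRONMENT_KEY = "authzpaas:environment";
-/** 需要登录元数据键 */
-declare const NEED_LOGIN_KEY = "authzpaas:needLogin";
-/** 模块选项:登录页路径默认值 */
-declare const DEFAULT_LOGIN_PATH = "/login";
-/** 角色模拟的 Cookie 键名 */
-declare const MOCK_ROLES_COOKIE_KEY = "mockRoles";
-declare const ENABLE_MOCK_ROLE_KEY = "__authzpaas_enableMockRole";
 
-export { ANONYMOUS_USER_ID, AUTHZPAAS_MODULE_OPTIONS, AbilityFactory, type Action, type AppAbility, AuthZPaasModule, type AuthZPaasModuleOptions,
+export { ANONYMOUS_USER_ID, AUTHZPAAS_MODULE_OPTIONS, AbilityFactory, type Action, type AppAbility, AuthZPaasGuard, AuthZPaasModule, type AuthZPaasModuleOptions, CanRole, type CheckRoleRequirement, PERMISSION_API_CONFIG_TOKEN, type PermissionApiConfig, type PermissionDeniedDetails, PermissionDeniedException, PermissionDeniedType, PermissionService, ROLES_KEY, ROLE_SUBJECT, type RoleRequirement, type Subject, type UserContext, type UserPermissionData, type UserRole };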