@longzai-intelligence-auth/elysia 0.0.2

package/dist/core/auth-strategy.d.ts

@@ -0,0 +1,14 @@
+import { Elysia } from "elysia";
+import type { JwtSignerConfig } from "@longzai-intelligence-auth/jwt";
+import type { JwtStrategyConfig, StandaloneStrategyConfig, EnvBasicStrategyConfig, StrategyContext, AuthPluginConfig } from "../types/auth-plugin-config";
+type AnyElysia = Elysia<any, any, any, any, any, any, any>;
+export type AuthStrategy = {
+    context: StrategyContext;
+    createJwtVerifyPlugin(): AnyElysia;
+    supportsAuthRoutes: boolean;
+};
+export declare function createAuthStrategy(config: AuthPluginConfig): Promise<AuthStrategy>;
+export declare function extractJwtConfig(config: JwtStrategyConfig | StandaloneStrategyConfig | EnvBasicStrategyConfig): JwtSignerConfig;
+export declare function extractDefaultTenantId(config: JwtStrategyConfig | StandaloneStrategyConfig | EnvBasicStrategyConfig): string;
+export declare function extractRegisterRoutes(config: AuthPluginConfig): boolean;
+export {};

package/dist/core/auth-strategy.js

@@ -0,0 +1,98 @@
+import { createJwtVerifyPlugin } from "../plugins/jwt-verify.plugin";
+function createJwtStrategy(config) {
+    const defaultTenantId = config.defaultTenantId ?? "default";
+    return {
+        context: {
+            strategy: "jwt",
+            defaultTenantId,
+            registerRoutes: config.registerRoutes ?? false,
+        },
+        createJwtVerifyPlugin: () => createJwtVerifyPlugin({ jwt: config.jwt, defaultTenantId }),
+        supportsAuthRoutes: true,
+    };
+}
+function createStandaloneStrategy(config) {
+    console.warn("[@longzai-intelligence-auth/elysia] standalone 策略仅用于开发和测试环境，生产环境请使用 jwt 策略");
+    const defaultTenantId = config.defaultTenantId ?? "default";
+    return {
+        context: {
+            strategy: "standalone",
+            defaultTenantId,
+            registerRoutes: config.registerRoutes ?? true,
+            adapter: config.adapter,
+            passwordHasher: config.passwordHasher,
+        },
+        createJwtVerifyPlugin: () => createJwtVerifyPlugin({ jwt: config.jwt, defaultTenantId }),
+        supportsAuthRoutes: true,
+    };
+}
+async function createEnvBasicStrategy(config) {
+    const adminUsername = config.adminUsername ?? process.env.AUTH_ADMIN_USERNAME ?? "admin";
+    const adminPassword = config.adminPassword ?? process.env.AUTH_ADMIN_PASSWORD;
+    if (!adminPassword) {
+        throw new Error("[@longzai-intelligence-auth/elysia] env-basic 策略需要设置 AUTH_ADMIN_PASSWORD 环境变量或 adminPassword 配置项");
+    }
+    console.warn("[@longzai-intelligence-auth/elysia] env-basic 策略仅用于开发和测试环境，生产环境请使用 jwt 或 standalone 策略");
+    let createInMemoryAuthBackend;
+    let createEnvBasicPasswordHasher;
+    try {
+        const adapter = await import("@longzai-intelligence-auth/identity-adapter");
+        createInMemoryAuthBackend = adapter.createInMemoryAuthBackend;
+        createEnvBasicPasswordHasher = adapter.createEnvBasicPasswordHasher;
+    }
+    catch {
+        throw new Error("[@longzai-intelligence-auth/elysia] env-basic 策略需要安装 @longzai-intelligence-auth/identity-adapter 包");
+    }
+    const defaultTenantId = config.defaultTenantId ?? "default";
+    const backend = createInMemoryAuthBackend({
+        adminUsername,
+        adminPassword,
+        jwtConfig: config.jwt,
+    });
+    const passwordHasher = createEnvBasicPasswordHasher();
+    return {
+        context: {
+            strategy: "env-basic",
+            defaultTenantId,
+            registerRoutes: config.registerRoutes ?? true,
+            adapter: backend,
+            passwordHasher,
+        },
+        createJwtVerifyPlugin: () => createJwtVerifyPlugin({ jwt: config.jwt, defaultTenantId }),
+        supportsAuthRoutes: true,
+    };
+}
+export async function createAuthStrategy(config) {
+    switch (config.strategy) {
+        case "jwt":
+            return createJwtStrategy(config);
+        case "standalone":
+            return createStandaloneStrategy(config);
+        case "env-basic":
+            return createEnvBasicStrategy(config);
+        default: {
+            const _exhaustive = config;
+            throw new Error(`未知的认证策略: ${JSON.stringify(_exhaustive)}`);
+        }
+    }
+}
+export function extractJwtConfig(config) {
+    return config.jwt;
+}
+export function extractDefaultTenantId(config) {
+    return config.defaultTenantId ?? "default";
+}
+export function extractRegisterRoutes(config) {
+    switch (config.strategy) {
+        case "jwt":
+            return config.registerRoutes ?? false;
+        case "standalone":
+            return config.registerRoutes ?? true;
+        case "env-basic":
+            return config.registerRoutes ?? true;
+        default: {
+            const _exhaustive = config;
+            return false;
+        }
+    }
+}

package/dist/core/error-mapper.d.ts

@@ -0,0 +1,2 @@
+import type { DomainError } from "@longzai-intelligence/error";
+export declare function mapDomainErrorToStatus(error: DomainError): number;

package/dist/core/error-mapper.js

@@ -0,0 +1,27 @@
+import { AuthenticationError, DuplicateEntityError, isValidationError, isEntityNotFoundError, isPermissionDeniedError, isBusinessRuleError, isConcurrencyError, } from "@longzai-intelligence/error";
+import { TokenExpiredError, TokenInvalidError, TokenMissingError, MfaRequiredError, InvalidCredentialsError, AccountDisabledError, RateLimitExceededError, } from "@longzai-intelligence-auth/core";
+export function mapDomainErrorToStatus(error) {
+    if (isValidationError(error))
+        return 400;
+    if (error instanceof TokenExpiredError ||
+        error instanceof TokenInvalidError ||
+        error instanceof TokenMissingError ||
+        error instanceof MfaRequiredError ||
+        error instanceof InvalidCredentialsError ||
+        error instanceof AccountDisabledError ||
+        error instanceof AuthenticationError)
+        return 401;
+    if (isPermissionDeniedError(error))
+        return 403;
+    if (isEntityNotFoundError(error))
+        return 404;
+    if (error instanceof DuplicateEntityError)
+        return 409;
+    if (error instanceof RateLimitExceededError)
+        return 429;
+    if (isConcurrencyError(error))
+        return 409;
+    if (isBusinessRuleError(error))
+        return 422;
+    return 500;
+}

package/dist/index.d.ts

@@ -0,0 +1,25 @@
+export { createAuthPlugin } from "./plugin";
+export type { AuthPluginConfig, AuthPluginOptions, JwtStrategyConfig, StandaloneStrategyConfig, EnvBasicStrategyConfig, StrategyName, StrategyContext, } from "./types/auth-plugin-config";
+export { createAuthStrategy, extractJwtConfig, extractDefaultTenantId, extractRegisterRoutes } from "./core/auth-strategy";
+export type { AuthStrategy } from "./core/auth-strategy";
+export { mapDomainErrorToStatus } from "./core/error-mapper";
+export { createJwtVerifyPlugin } from "./plugins/jwt-verify.plugin";
+export type { JwtVerifyPluginOptions } from "./plugins/jwt-verify.plugin";
+export { createRbacPlugin } from "./plugins/rbac.plugin";
+export type { RbacPluginOptions } from "./plugins/rbac.plugin";
+export { createTenantPlugin } from "./plugins/tenant.plugin";
+export type { TenantPluginOptions } from "./plugins/tenant.plugin";
+export { createRateLimitPlugin } from "./plugins/rate-limit.plugin";
+export type { RateLimitPluginOptions } from "./plugins/rate-limit.plugin";
+export { createAuditPlugin } from "./plugins/audit.plugin";
+export type { AuditPluginOptions } from "./plugins/audit.plugin";
+export { createErrorHandlerPlugin } from "./plugins/error-handler.plugin";
+export type { ErrorHandlerPluginOptions } from "./plugins/error-handler.plugin";
+export { createLoggerPlugin } from "./plugins/logger.plugin";
+export type { LoggerPluginOptions } from "./plugins/logger.plugin";
+export { createBasicPreset } from "./presets/basic-preset";
+export type { BasicPresetOptions } from "./presets/basic-preset";
+export { createStandardPreset } from "./presets/standard-preset";
+export type { StandardPresetOptions } from "./presets/standard-preset";
+export { extractClientIp } from "./utils/extract-client-ip";
+export { extractUserAgent } from "./utils/extract-user-agent";

package/dist/index.js

@@ -0,0 +1,21 @@
+// @bun
+export {
+  mapDomainErrorToStatus,
+  extractUserAgent,
+  extractRegisterRoutes,
+  extractJwtConfig,
+  extractDefaultTenantId,
+  extractClientIp,
+  createTenantPlugin,
+  createStandardPreset,
+  createRbacPlugin,
+  createRateLimitPlugin,
+  createLoggerPlugin,
+  createJwtVerifyPlugin,
+  createErrorHandlerPlugin,
+  createBasicPreset,
+  createAuthStrategy,
+  createAuthPlugin,
+  createAuditPlugin,
+  createAuditElysiaPlugin
+};

package/dist/plugin.d.ts

@@ -0,0 +1,6 @@
+import { Elysia } from "elysia";
+import type { AuthPluginOptions } from "./types/auth-plugin-config";
+type AnyElysia = Elysia<any, any, any, any, any, any, any>;
+export declare function createAuthPlugin(options: AuthPluginOptions): Promise<AnyElysia>;
+export type { AuthPluginConfig, AuthPluginOptions, StrategyContext, StrategyName } from "./types/auth-plugin-config";
+export type { AuthStrategy } from "./core/auth-strategy";

package/dist/plugin.js

@@ -0,0 +1,39 @@
+import { Elysia } from "elysia";
+import { createAuthStrategy, extractJwtConfig, extractDefaultTenantId, extractRegisterRoutes } from "./core/auth-strategy";
+import { createAuthRoutes, createMeRoute } from "./routes/auth.routes";
+import { createErrorHandlerPlugin } from "./plugins/error-handler.plugin";
+export async function createAuthPlugin(options) {
+    const { logger, ...config } = options;
+    const strategy = await createAuthStrategy(config);
+    const jwtConfig = extractJwtConfig(config);
+    const defaultTenantId = extractDefaultTenantId(config);
+    const registerRoutes = extractRegisterRoutes(config);
+    let plugin = new Elysia({ name: "@longzai-intelligence-auth/plugin" })
+        .use(strategy.createJwtVerifyPlugin())
+        .use(createErrorHandlerPlugin({ logger }));
+    if (registerRoutes && config.strategy === "standalone") {
+        const standaloneConfig = config;
+        plugin = plugin.use(createAuthRoutes({
+            jwt: jwtConfig,
+            adapter: standaloneConfig.adapter,
+            passwordHasher: standaloneConfig.passwordHasher,
+            defaultTenantId,
+        }));
+    }
+    if (registerRoutes && config.strategy === "env-basic") {
+        const envBasicConfig = config;
+        plugin = plugin.use(createAuthRoutes({
+            jwt: jwtConfig,
+            adapter: strategy.context.adapter,
+            passwordHasher: strategy.context.passwordHasher,
+            defaultTenantId,
+        }));
+    }
+    if (registerRoutes && config.strategy === "jwt") {
+        plugin = plugin.use(createMeRoute({
+            jwt: jwtConfig,
+            defaultTenantId,
+        }));
+    }
+    return plugin;
+}

package/dist/plugins/audit.plugin.d.ts

@@ -0,0 +1,38 @@
+import { Elysia } from "elysia";
+import type { AuthBackendPort } from "@longzai-intelligence-auth/core";
+import type { AuditLogEntry } from "@longzai-intelligence-auth/core";
+export type AuditPluginOptions = {
+    adapter: AuthBackendPort;
+};
+export declare function createAuditPlugin(options: AuditPluginOptions): Elysia<"", {
+    decorator: {};
+    store: {};
+    derive: {};
+    resolve: {};
+}, {
+    typebox: {};
+    error: {};
+}, {
+    schema: {};
+    standaloneSchema: {};
+    macro: {};
+    macroFn: {};
+    parser: {};
+    response: {};
+}, {}, {
+    derive: {
+        readonly recordAudit: (entry: Omit<AuditLogEntry, never>) => void;
+    };
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: import("elysia").ExtractErrorFromHandle<{
+        readonly recordAudit: (entry: Omit<AuditLogEntry, never>) => void;
+    }>;
+}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}>;

package/dist/plugins/audit.plugin.js

@@ -0,0 +1,13 @@
+import { Elysia } from "elysia";
+export function createAuditPlugin(options) {
+    const { adapter } = options;
+    return new Elysia({ name: "@longzai-intelligence-auth/audit" })
+        .derive(() => ({
+        recordAudit: (entry) => {
+            adapter.audit.write(entry).catch((error) => {
+                console.error("审计日志写入失败:", error);
+            });
+        },
+    }))
+        .as("scoped");
+}

package/dist/plugins/error-handler.plugin.d.ts

@@ -0,0 +1,46 @@
+import { Elysia } from "elysia";
+import type { LoggerService } from "@longzai-intelligence-auth/core";
+export type ErrorHandlerPluginOptions = {
+    logger?: LoggerService;
+};
+export declare function createErrorHandlerPlugin(options?: ErrorHandlerPluginOptions): Elysia<"", {
+    decorator: {};
+    store: {};
+    derive: {};
+    resolve: {};
+}, {
+    typebox: {};
+    error: {};
+}, {
+    schema: {};
+    standaloneSchema: {};
+    macro: {};
+    macroFn: {};
+    parser: {};
+    response: {};
+}, {}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {
+        200: {
+            code: string;
+            message: string;
+            details?: Record<string, unknown> | undefined;
+        } | {
+            code: string;
+            message: string;
+            details: {
+                path: string;
+                message: string | undefined;
+            }[];
+        };
+    };
+}>;

package/dist/plugins/error-handler.plugin.js

@@ -0,0 +1,45 @@
+import { Elysia } from "elysia";
+import { DomainError } from "@longzai-intelligence/error";
+import { mapDomainErrorToStatus } from "../core/error-mapper";
+export function createErrorHandlerPlugin(options = {}) {
+    const { logger } = options;
+    return new Elysia({ name: "@longzai-intelligence-auth/error-handler" })
+        .onError(({ code, error, set }) => {
+        if (error instanceof DomainError) {
+            const status = mapDomainErrorToStatus(error);
+            set.status = status;
+            return {
+                code: error.code,
+                message: error.message,
+                ...(error.context && Object.keys(error.context).length > 0
+                    ? { details: error.context }
+                    : {}),
+            };
+        }
+        switch (code) {
+            case "VALIDATION":
+                set.status = 400;
+                return {
+                    code: "VALIDATION_ERROR",
+                    message: "请求参数验证失败",
+                    details: error.all.map((e) => ({
+                        path: e.path,
+                        message: e.summary,
+                    })),
+                };
+            case "NOT_FOUND":
+                set.status = 404;
+                return { code: "NOT_FOUND", message: "未找到请求的资源" };
+            case "PARSE":
+                set.status = 400;
+                return { code: "PARSE_ERROR", message: "请求数据解析失败" };
+            default:
+                logger?.error("未预期的错误", {
+                    error: error instanceof Error ? error.message : String(error),
+                    stack: error instanceof Error ? error.stack : undefined,
+                });
+                set.status = 500;
+                return { code: "INTERNAL_ERROR", message: "服务器内部错误" };
+        }
+    });
+}

package/dist/plugins/jwt-verify.plugin.d.ts

@@ -0,0 +1,9 @@
+import { Elysia } from "elysia";
+import type { JwtSignerConfig } from "@longzai-intelligence-auth/jwt";
+export type JwtVerifyPluginOptions = {
+    jwt: JwtSignerConfig;
+    defaultTenantId?: string;
+};
+type AnyElysia = Elysia<any, any, any, any, any, any, any>;
+export declare function createJwtVerifyPlugin(options: JwtVerifyPluginOptions): AnyElysia;
+export {};

package/dist/plugins/jwt-verify.plugin.js

@@ -0,0 +1,31 @@
+import { Elysia } from "elysia";
+import { createJwtVerifier } from "@longzai-intelligence-auth/jwt";
+import { TokenMissingError, TokenInvalidError } from "@longzai-intelligence-auth/core";
+export function createJwtVerifyPlugin(options) {
+    const { jwt: jwtConfig, defaultTenantId = "default" } = options;
+    let verifierPromise = null;
+    const getVerifier = () => {
+        if (!verifierPromise) {
+            verifierPromise = createJwtVerifier(jwtConfig);
+        }
+        return verifierPromise;
+    };
+    return new Elysia({ name: "@longzai-intelligence-auth/jwt-verify" })
+        .derive(async ({ request }) => {
+        const authHeader = request.headers.get("Authorization");
+        const bearer = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+        if (!bearer) {
+            throw new TokenMissingError();
+        }
+        const verifier = await getVerifier();
+        const result = await verifier.verifyAccessToken(bearer);
+        if (!result.success || !result.payload) {
+            throw new TokenInvalidError(result.error);
+        }
+        const payload = result.payload;
+        const userId = payload.sub;
+        const tenantId = payload.tenantId ?? defaultTenantId;
+        return { userId, tenantId };
+    })
+        .as("scoped");
+}

package/dist/plugins/logger.plugin.d.ts

@@ -0,0 +1,33 @@
+import { Elysia } from "elysia";
+import type { LoggerService } from "@longzai-intelligence-auth/core";
+export type LoggerPluginOptions = {
+    logger: LoggerService;
+};
+export declare function createLoggerPlugin(options: LoggerPluginOptions): Elysia<"", {
+    decorator: {};
+    store: {};
+    derive: {};
+    resolve: {};
+}, {
+    typebox: {};
+    error: {};
+}, {
+    schema: {};
+    standaloneSchema: {};
+    macro: {};
+    macroFn: {};
+    parser: {};
+    response: {};
+}, {}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}>;

package/dist/plugins/logger.plugin.js

@@ -0,0 +1,16 @@
+import { Elysia } from "elysia";
+export function createLoggerPlugin(options) {
+    const { logger } = options;
+    return new Elysia({ name: "@longzai-intelligence-auth/logger" })
+        .onRequest(({ request }) => {
+        logger.info(`${request.method} ${request.url}`);
+    })
+        .onAfterResponse(({ request, set }) => {
+        logger.info(`${request.method} ${request.url} ${set.status}`);
+    })
+        .onError(({ request, error }) => {
+        logger.error(`${request.method} ${request.url} 请求错误`, {
+            error: error instanceof Error ? error.message : String(error),
+        });
+    });
+}

package/dist/plugins/rate-limit.plugin.d.ts

@@ -0,0 +1,40 @@
+import { Elysia } from "elysia";
+import type { RateLimitConfig, LoggerService } from "@longzai-intelligence-auth/core";
+export type RateLimitPluginOptions = RateLimitConfig & {
+    logger?: LoggerService;
+    keyGenerator?: (request: Request) => string;
+};
+export declare function createRateLimitPlugin(options?: RateLimitPluginOptions): Elysia<"", {
+    decorator: {};
+    store: {};
+    derive: {};
+    resolve: {};
+}, {
+    typebox: {};
+    error: {};
+}, {
+    schema: {};
+    standaloneSchema: {};
+    macro: {};
+    macroFn: {};
+    parser: {};
+    response: {};
+}, {}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}, {
+    derive: {
+        readonly clientIp: string;
+    } & {
+        readonly rateLimitRemaining: number;
+    };
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: import("elysia").ExtractErrorFromHandle<{
+        readonly rateLimitRemaining: number;
+    }>;
+}>;

package/dist/plugins/rate-limit.plugin.js

@@ -0,0 +1,39 @@
+import { Elysia } from "elysia";
+import { createMemoryRateLimiter } from "@longzai-intelligence-auth/rate-limit";
+import { RateLimitExceededError } from "@longzai-intelligence-auth/core";
+function defaultKeyGenerator(request) {
+    return request.headers.get("x-forwarded-for")?.split(",")[0]?.trim()
+        ?? request.headers.get("x-real-ip")
+        ?? "unknown";
+}
+export function createRateLimitPlugin(options = { windowSeconds: 60, maxRequests: 100 }) {
+    const { logger } = options;
+    const keyGen = options.keyGenerator ?? defaultKeyGenerator;
+    const limiter = createMemoryRateLimiter({
+        windowSeconds: options.windowSeconds,
+        maxRequests: options.maxRequests,
+    });
+    const timer = setInterval(() => {
+        limiter.cleanup();
+    }, 60_000);
+    if (typeof process !== "undefined" && typeof process.on === "function") {
+        process.on("exit", () => clearInterval(timer));
+    }
+    return new Elysia({ name: "@longzai-intelligence-auth/rate-limit" })
+        .derive(({ request }) => {
+        const clientIp = keyGen(request);
+        return { clientIp };
+    })
+        .derive(async ({ clientIp, request }) => {
+        const url = new URL(request.url);
+        const path = url.pathname;
+        const key = `${clientIp}:${path}`;
+        const allowed = await limiter.check(key);
+        if (!allowed) {
+            logger?.warn("限流触发", { clientIp, path });
+            throw new RateLimitExceededError();
+        }
+        const remaining = options.maxRequests - limiter.getCount(key);
+        return { rateLimitRemaining: remaining };
+    });
+}

package/dist/plugins/rbac.plugin.d.ts

@@ -0,0 +1,36 @@
+import { Elysia } from "elysia";
+import type { JwtSignerConfig } from "@longzai-intelligence-auth/jwt";
+export type RbacPluginOptions = {
+    jwt: JwtSignerConfig;
+    defaultTenantId?: string;
+};
+export declare function createRbacPlugin(options: RbacPluginOptions): Elysia<"", {
+    decorator: {};
+    store: {};
+    derive: {};
+    resolve: {};
+}, {
+    typebox: {};
+    error: {};
+}, {
+    schema: {};
+    standaloneSchema: {};
+    macro: Partial<{}>;
+    macroFn: ({ onBeforeHandle }: any) => {
+        permission(permission: string): void;
+    };
+    parser: {};
+    response: {};
+}, {}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}>;

package/dist/plugins/rbac.plugin.js

@@ -0,0 +1,42 @@
+import { Elysia } from "elysia";
+import { createRoleChecker } from "@longzai-intelligence-auth/rbac";
+import { createJwtVerifier } from "@longzai-intelligence-auth/jwt";
+import { TokenMissingError, TokenInvalidError } from "@longzai-intelligence-auth/core";
+export function createRbacPlugin(options) {
+    const { jwt: jwtConfig, defaultTenantId = "default" } = options;
+    const roleChecker = createRoleChecker();
+    let verifierPromise = null;
+    const getVerifier = () => {
+        if (!verifierPromise) {
+            verifierPromise = createJwtVerifier(jwtConfig);
+        }
+        return verifierPromise;
+    };
+    return new Elysia({ name: "@longzai-intelligence-auth/rbac" })
+        .macro(({ onBeforeHandle }) => ({
+        permission(permission) {
+            onBeforeHandle(async ({ request }) => {
+                const authHeader = request.headers.get("Authorization");
+                const bearer = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+                if (!bearer) {
+                    throw new TokenMissingError();
+                }
+                const verifier = await getVerifier();
+                const result = await verifier.verifyAccessToken(bearer);
+                if (!result.success || !result.payload) {
+                    throw new TokenInvalidError(result.error);
+                }
+                const payload = result.payload;
+                const [resource, action] = permission.split(":");
+                if (!resource || !action) {
+                    throw new Error(`无效的权限格式: ${permission}，应为 resource:action`);
+                }
+                const hasPermission = roleChecker.hasPermission(payload, resource, action);
+                if (!hasPermission) {
+                    const { PermissionDeniedError } = await import("@longzai-intelligence/error");
+                    throw new PermissionDeniedError(resource, action);
+                }
+            });
+        },
+    }));
+}

package/dist/plugins/tenant.plugin.d.ts

@@ -0,0 +1,38 @@
+import { Elysia } from "elysia";
+import type { AuthBackendPort } from "@longzai-intelligence-auth/core";
+export type TenantPluginOptions = {
+    defaultTenantId?: string;
+    adapter?: AuthBackendPort;
+};
+export declare function createTenantPlugin(options?: TenantPluginOptions): Elysia<"", {
+    decorator: {};
+    store: {};
+    derive: {};
+    resolve: {};
+}, {
+    typebox: {};
+    error: {};
+}, {
+    schema: {};
+    standaloneSchema: {};
+    macro: {};
+    macroFn: {};
+    parser: {};
+    response: {};
+}, {}, {
+    derive: {
+        tenantId: string;
+    };
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: import("elysia").ExtractErrorFromHandle<{
+        tenantId: string;
+    }>;
+}, {
+    derive: {};
+    resolve: {};
+    schema: {};
+    standaloneSchema: {};
+    response: {};
+}>;

package/dist/plugins/tenant.plugin.js

@@ -0,0 +1,19 @@
+import { Elysia } from "elysia";
+export function createTenantPlugin(options = {}) {
+    const { defaultTenantId = "default", adapter } = options;
+    return new Elysia({ name: "@longzai-intelligence-auth/tenant" })
+        .derive(({ request }) => {
+        const headerTenantId = request.headers.get("x-tenant-id");
+        return { tenantId: headerTenantId ?? defaultTenantId };
+    })
+        .as("scoped")
+        .onBeforeHandle(async ({ tenantId }) => {
+        if (adapter && tenantId !== defaultTenantId) {
+            const result = await adapter.tenant.validateStatus(tenantId);
+            if (!result.valid) {
+                const { PermissionDeniedError } = await import("@longzai-intelligence/error");
+                throw new PermissionDeniedError("tenant", "access");
+            }
+        }
+    });
+}

package/dist/presets/basic-preset.d.ts

@@ -0,0 +1,11 @@
+import { Elysia } from "elysia";
+import type { JwtSignerConfig } from "@longzai-intelligence-auth/jwt";
+import type { LoggerService } from "@longzai-intelligence-auth/core";
+export type BasicPresetOptions = {
+    jwt: JwtSignerConfig;
+    defaultTenantId?: string;
+    logger?: LoggerService;
+};
+type AnyElysia = Elysia<any, any, any, any, any, any, any>;
+export declare function createBasicPreset(options: BasicPresetOptions): AnyElysia;
+export {};

package/dist/presets/basic-preset.js

@@ -0,0 +1,11 @@
+import { Elysia } from "elysia";
+import { createJwtVerifyPlugin } from "../plugins/jwt-verify.plugin";
+import { createErrorHandlerPlugin } from "../plugins/error-handler.plugin";
+export function createBasicPreset(options) {
+    return new Elysia({ name: "@longzai-intelligence-auth/basic-preset" })
+        .use(createJwtVerifyPlugin({
+        jwt: options.jwt,
+        defaultTenantId: options.defaultTenantId,
+    }))
+        .use(createErrorHandlerPlugin({ logger: options.logger }));
+}

package/dist/presets/standard-preset.d.ts

@@ -0,0 +1,13 @@
+import { Elysia } from "elysia";
+import type { JwtSignerConfig } from "@longzai-intelligence-auth/jwt";
+import type { AuthBackendPort } from "@longzai-intelligence-auth/core";
+import type { LoggerService } from "@longzai-intelligence-auth/core";
+export type StandardPresetOptions = {
+    jwt: JwtSignerConfig;
+    defaultTenantId?: string;
+    adapter: AuthBackendPort;
+    logger?: LoggerService;
+};
+type AnyElysia = Elysia<any, any, any, any, any, any, any>;
+export declare function createStandardPreset(options: StandardPresetOptions): AnyElysia;
+export {};

package/dist/presets/standard-preset.js

@@ -0,0 +1,26 @@
+import { Elysia } from "elysia";
+import { createJwtVerifyPlugin } from "../plugins/jwt-verify.plugin";
+import { createRbacPlugin } from "../plugins/rbac.plugin";
+import { createTenantPlugin } from "../plugins/tenant.plugin";
+import { createRateLimitPlugin } from "../plugins/rate-limit.plugin";
+import { createErrorHandlerPlugin } from "../plugins/error-handler.plugin";
+export function createStandardPreset(options) {
+    return new Elysia({ name: "@longzai-intelligence-auth/standard-preset" })
+        .use(createJwtVerifyPlugin({
+        jwt: options.jwt,
+        defaultTenantId: options.defaultTenantId,
+    }))
+        .use(createRbacPlugin({
+        jwt: options.jwt,
+        defaultTenantId: options.defaultTenantId,
+    }))
+        .use(createTenantPlugin({
+        defaultTenantId: options.defaultTenantId,
+        adapter: options.adapter,
+    }))
+        .use(createRateLimitPlugin({
+        windowSeconds: 60,
+        maxRequests: 100,
+    }))
+        .use(createErrorHandlerPlugin({ logger: options.logger }));
+}

package/dist/routes/auth.routes.d.ts

@@ -0,0 +1,17 @@
+import { Elysia } from "elysia";
+import type { JwtSignerConfig } from "@longzai-intelligence-auth/jwt";
+import type { AuthBackendPort, PasswordHasher } from "@longzai-intelligence-auth/core";
+export type AuthRoutesConfig = {
+    jwt: JwtSignerConfig;
+    adapter: AuthBackendPort;
+    passwordHasher: PasswordHasher;
+    defaultTenantId: string;
+};
+type AnyElysia = Elysia<any, any, any, any, any, any, any>;
+export declare function createAuthRoutes(config: AuthRoutesConfig): AnyElysia;
+export type MeRouteConfig = {
+    jwt: JwtSignerConfig;
+    defaultTenantId: string;
+};
+export declare function createMeRoute(config: MeRouteConfig): AnyElysia;
+export {};

package/dist/routes/auth.routes.js

@@ -0,0 +1,145 @@
+import { Elysia, t } from "elysia";
+import { createJwtSigner, createJwtVerifier } from "@longzai-intelligence-auth/jwt";
+import { validatePasswordPolicy } from "@longzai-intelligence-auth/password";
+import { createSessionManager } from "@longzai-intelligence-auth/session";
+import { createLoginUseCase } from "@longzai-intelligence-auth/session";
+import { createLogoutUseCase } from "@longzai-intelligence-auth/session";
+import { createRefreshSessionUseCase } from "@longzai-intelligence-auth/session";
+import { TokenMissingError, TokenInvalidError, UserAlreadyExistsError, PasswordPolicyViolationError, } from "@longzai-intelligence-auth/core";
+export function createAuthRoutes(config) {
+    const { jwt: jwtConfig, adapter, passwordHasher, defaultTenantId } = config;
+    const sessionManager = createSessionManager();
+    let signerPromise = null;
+    const getTokenSigner = () => {
+        if (!signerPromise) {
+            signerPromise = createJwtSigner(jwtConfig);
+        }
+        return signerPromise;
+    };
+    let verifierPromise = null;
+    const getVerifier = () => {
+        if (!verifierPromise) {
+            verifierPromise = createJwtVerifier(jwtConfig);
+        }
+        return verifierPromise;
+    };
+    return new Elysia({ name: "@longzai-intelligence-auth/routes", prefix: "/auth" })
+        .post("/login", async ({ body, request }) => {
+        const { email, password } = body;
+        const ipAddress = request.headers.get("x-forwarded-for") ?? request.headers.get("x-real-ip") ?? undefined;
+        const userAgent = request.headers.get("user-agent") ?? undefined;
+        const tokenSigner = await getTokenSigner();
+        const loginUseCase = createLoginUseCase({ adapter, tokenSigner, sessionManager, defaultTenantId });
+        return loginUseCase.execute(email, password, userAgent, ipAddress);
+    }, {
+        body: t.Object({
+            email: t.String({ format: "email" }),
+            password: t.String({ minLength: 1 }),
+        }),
+        detail: {
+            summary: "用户登录",
+            description: "使用邮箱和密码登录，返回访问令牌和刷新令牌",
+        },
+    })
+        .post("/logout", async ({ request }) => {
+        const authHeader = request.headers.get("Authorization");
+        const bearer = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+        if (!bearer) {
+            throw new TokenMissingError();
+        }
+        const verifier = await getVerifier();
+        const verifyResult = await verifier.verifyAccessToken(bearer);
+        if (!verifyResult.success || !verifyResult.payload) {
+            throw new TokenInvalidError(verifyResult.error);
+        }
+        const tokenSigner = await getTokenSigner();
+        const logoutUseCase = createLogoutUseCase({ adapter, tokenSigner, sessionManager });
+        return logoutUseCase.execute("session-revoked");
+    }, {
+        detail: {
+            summary: "用户登出",
+            description: "使当前会话失效",
+        },
+    })
+        .post("/refresh", async ({ body }) => {
+        const { refreshToken } = body;
+        const tokenSigner = await getTokenSigner();
+        const refreshSessionUseCase = createRefreshSessionUseCase({ adapter, tokenSigner, sessionManager });
+        return refreshSessionUseCase.execute(refreshToken);
+    }, {
+        body: t.Object({
+            refreshToken: t.String({ minLength: 1 }),
+        }),
+        detail: {
+            summary: "刷新令牌",
+            description: "使用刷新令牌获取新的访问令牌",
+        },
+    })
+        .post("/register", async ({ body }) => {
+        const { email, password, name } = body;
+        const validation = validatePasswordPolicy(password);
+        if (!validation.valid) {
+            throw new PasswordPolicyViolationError(validation.errors.join(", "));
+        }
+        const existingUser = await adapter.user.findByEmail(email);
+        if (existingUser) {
+            throw new UserAlreadyExistsError();
+        }
+        const passwordHash = await passwordHasher.hash(password);
+        const newUser = await adapter.user.create({
+            email,
+            username: email,
+            passwordHash,
+            displayName: name,
+        });
+        return {
+            userId: newUser.id,
+            message: "注册成功",
+        };
+    }, {
+        body: t.Object({
+            email: t.String({ format: "email" }),
+            password: t.String({ minLength: 8 }),
+            name: t.String({ minLength: 1 }),
+        }),
+        detail: {
+            summary: "用户注册",
+            description: "创建新用户账户",
+        },
+    });
+}
+export function createMeRoute(config) {
+    const { jwt: jwtConfig, defaultTenantId } = config;
+    let verifierPromise = null;
+    const getVerifier = () => {
+        if (!verifierPromise) {
+            verifierPromise = createJwtVerifier(jwtConfig);
+        }
+        return verifierPromise;
+    };
+    return new Elysia({ name: "@longzai-intelligence-auth/me-route", prefix: "/auth" })
+        .get("/me", async ({ request }) => {
+        const authHeader = request.headers.get("Authorization");
+        const bearer = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : null;
+        if (!bearer) {
+            throw new TokenMissingError();
+        }
+        const verifier = await getVerifier();
+        const result = await verifier.verifyAccessToken(bearer);
+        if (!result.success || !result.payload) {
+            throw new TokenInvalidError(result.error);
+        }
+        const payload = result.payload;
+        const userId = payload.sub;
+        const tenantId = payload.tenantId ?? defaultTenantId;
+        return {
+            userId,
+            ...(tenantId ? { tenantId } : {}),
+        };
+    }, {
+        detail: {
+            summary: "获取当前用户信息",
+            description: "使用 Bearer Token 获取当前认证用户的信息",
+        },
+    });
+}

package/dist/types/auth-plugin-config.d.ts

@@ -0,0 +1,40 @@
+import type { JwtSignerConfig } from "@longzai-intelligence-auth/jwt";
+import type { AuthBackendPort, PasswordHasher } from "@longzai-intelligence-auth/core";
+import type { LoggerService } from "@longzai-intelligence-auth/core";
+export type JwtStrategyConfig = {
+    strategy: "jwt";
+    jwt: JwtSignerConfig;
+    defaultTenantId?: string;
+};
+export type StandaloneStrategyConfig = {
+    strategy: "standalone";
+    jwt: JwtSignerConfig;
+    adapter: AuthBackendPort;
+    passwordHasher: PasswordHasher;
+    defaultTenantId?: string;
+};
+export type EnvBasicStrategyConfig = {
+    strategy: "env-basic";
+    jwt: JwtSignerConfig;
+    adminUsername?: string;
+    adminPassword?: string;
+    defaultTenantId?: string;
+};
+export type AuthPluginConfig = (JwtStrategyConfig & {
+    registerRoutes?: boolean;
+}) | (StandaloneStrategyConfig & {
+    registerRoutes?: boolean;
+}) | (EnvBasicStrategyConfig & {
+    registerRoutes?: boolean;
+});
+export type AuthPluginOptions = AuthPluginConfig & {
+    logger?: LoggerService;
+};
+export type StrategyName = AuthPluginConfig["strategy"];
+export type StrategyContext = {
+    strategy: StrategyName;
+    defaultTenantId: string;
+    registerRoutes: boolean;
+    adapter?: AuthBackendPort;
+    passwordHasher?: PasswordHasher;
+};

package/dist/types/auth-plugin-config.js

@@ -0,0 +1 @@
+export {};

package/dist/utils/extract-client-ip.d.ts

@@ -0,0 +1 @@
+export declare function extractClientIp(request: Request): string | undefined;

package/dist/utils/extract-client-ip.js

@@ -0,0 +1,5 @@
+export function extractClientIp(request) {
+    return request.headers.get("x-forwarded-for")?.split(",")[0]?.trim()
+        ?? request.headers.get("x-real-ip")
+        ?? undefined;
+}

package/dist/utils/extract-user-agent.d.ts

@@ -0,0 +1 @@
+export declare function extractUserAgent(request: Request): string | undefined;

package/dist/utils/extract-user-agent.js

@@ -0,0 +1,3 @@
+export function extractUserAgent(request) {
+    return request.headers.get("user-agent") ?? undefined;
+}

package/package.json

@@ -0,0 +1,67 @@
+{
+  "name": "@longzai-intelligence-auth/elysia",
+  "version": "0.0.2",
+  "license": "UNLICENSED",
+  "type": "module",
+  "sideEffects": false,
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "bun build src/index.ts --outdir dist --target bun",
+    "build:declaration": "tsgo --declaration --emitDeclarationOnly --outDir dist -p tsconfig/app.json",
+    "build:prod": "NODE_ENV=production tsdown",
+    "prepublishOnly": "echo skip",
+    "typecheck": "bun run typecheck:app && bun run typecheck:node && bun run typecheck:test",
+    "typecheck:app": "tsgo --noEmit -p tsconfig/app.json",
+    "typecheck:node": "tsgo --noEmit -p tsconfig/node.json",
+    "typecheck:test": "tsgo --noEmit -p tsconfig/test.json",
+    "lint": "oxlint && oxfmt --check",
+    "lint:fix": "oxlint --fix && oxfmt",
+    "test": "bun test",
+    "test:watch": "bun test --watch",
+    "test:coverage": "bun test --coverage",
+    "clean": "rm -rf dist out .cache"
+  },
+  "dependencies": {
+    "@longzai-intelligence-auth/core": "0.0.2",
+    "@longzai-intelligence-auth/jwt": "0.0.2",
+    "@longzai-intelligence-auth/rate-limit": "0.0.2",
+    "@longzai-intelligence-auth/rbac": "0.0.2",
+    "@longzai-intelligence-auth/session": "0.0.2",
+    "@longzai-intelligence-auth/hashing": "0.0.2",
+    "@longzai-intelligence/error": "^0.0.5",
+    "@elysiajs/bearer": "^1.3"
+  },
+  "peerDependencies": {
+    "elysia": "^1.3",
+    "@longzai-intelligence-audit/elysia": "^0.1.0"
+  },
+  "peerDependenciesMeta": {
+    "@longzai-intelligence-audit/elysia": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "elysia": "^1.3",
+    "tsdown": "^0.22.1"
+  }
+}