npm - @longzai-intelligence-auth/elysia - Versions diffs - 0.0.5 → 0.0.7 - Mend

@longzai-intelligence-auth/elysia 0.0.5 → 0.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -1,32 +1,239 @@
 import { DomainError } from "@longzai-intelligence/error";
-import { JwtConfig, LoggerService, RateLimiterPort, ResourceAction, TenantValidateFn, TokenVerifierPort, UnifiedAuthContext, UnifiedAuthContext as UnifiedAuthContext$1 } from "@longzai-intelligence-auth/core";
+import { JwtConfig, LoggerService, RateLimiterPort, ResourceAction, TokenVerifierPort, UnifiedAuthContext, UnifiedAuthContext as UnifiedAuthContext$1 } from "@longzai-intelligence-auth/core";
 import { Elysia } from "elysia";
 import { z } from "zod";
 //#region src/core/error-mapper.d.ts
-/** 根据 DomainError 类型映射 HTTP 状态码 */
+/**
+ * 根据 DomainError 类型映射 HTTP 状态码
+ *
+ * @param error - 领域错误实例
+ * @returns 对应的 HTTP 状态码
+ */
 declare function mapDomainErrorToStatus(error: DomainError): number;
 //#endregion
+//#region src/verifiers/static-token-verifier.d.ts
+/**
+ * 静态令牌验证器配置
+ */
+type StaticTokenVerifierOptions = {
+  /**
+   * 静态令牌（与 getToken 至少提供一个）
+   */
+  token?: string;
+  /**
+   * 动态获取令牌的回调，优先级高于 token
+   * 用于运行时从 secret manager / env 缓存等来源解析令牌
+   */
+  getToken?: () => string | null;
+  /**
+   * 验证通过后填充到 AccessTokenPayload.sub 中的主体标识
+   * 默认 "static"
+   */
+  subject?: string;
+  /**
+   * 验证通过后填充到 AccessTokenPayload.tenantId 中的租户标识
+   * 默认不设置
+   */
+  tenantId?: string;
+};
+/**
+ * 创建静态令牌验证器
+ *
+ * @param options - 静态令牌验证器配置
+ * @returns 实现 TokenVerifierPort 的静态令牌验证器
+ */
+declare function createStaticTokenVerifier(options: StaticTokenVerifierOptions): TokenVerifierPort;
+//#endregion
+//#region src/extractors/types.d.ts
+/**
+ * 凭证提取器类型定义
+ *
+ * 提取器负责从 Request 中提取凭证字符串，与"如何验证凭证"完全解耦。
+ * 同一种提取器（如 cookie）可以配合任意验证器（JWT、静态 token、远程校验等）。
+ */
+/**
+ * 凭证提取器接口
+ *
+ * 一个提取器回答一个问题：这个请求里有没有携带凭证，如果有，凭证字符串是什么？
+ * 提取器不做任何验证，仅负责"取出"。
+ */
+type CredentialExtractor = {
+  /**
+   * 从请求中提取凭证字符串
+   *
+   * @param request - Web 标准 Request 对象
+   * @returns 凭证字符串；请求未携带凭证时返回 null
+   */
+  extract(request: Request): string | null;
+};
+/**
+ * 请求级令牌验证器接口
+ *
+ * 与 TokenVerifierPort（输入字符串）解耦：RequestTokenVerifier 接受 Request，
+ * 内部组合"提取器 + 令牌验证器"，对调用方屏蔽凭证载体细节。
+ *
+ * 用于在 plugin 层组合多种载体（cookie、bearer、api-key header）与多种算法（JWT、静态比较）。
+ */
+type RequestTokenVerifier = {
+  /**
+   * 验证请求中的凭证
+   *
+   * @param request - Web 标准 Request 对象
+   * @returns 验证结果，含 AccessTokenPayload 或错误信息
+   */
+  verify(request: Request): Promise<import("@longzai-intelligence-auth/core").TokenVerifyResult<import("@longzai-intelligence-auth/core").AccessTokenPayload>>;
+};
+//#endregion
+//#region src/extractors/cookie-extractor.d.ts
+/**
+ * Cookie 提取器配置
+ */
+type CookieExtractorOptions = {
+  /**
+   * Cookie 名称（必填）
+   */
+  cookieName: string;
+};
+/**
+ * 创建 Cookie 凭证提取器
+ *
+ * 兼容 Elysia/Bun 的 cookie 解析行为：仅做简单的"key=value"拆分，
+ * 不处理属性（Domain/Path/Expires/Secure/HttpOnly/SameSite 等）。
+ * 复杂场景下建议消费方自行解析后通过其他 extractor 注入。
+ *
+ * @param options - Cookie 提取器配置
+ * @returns 实现 CredentialExtractor 的 cookie 提取器
+ */
+declare function createCookieExtractor(options: CookieExtractorOptions): CredentialExtractor;
+//#endregion
+//#region src/extractors/bearer-extractor.d.ts
+/**
+ * Bearer 提取器配置
+ */
+type BearerExtractorOptions = {
+  /**
+   * Authorization 头字段名（默认 "authorization"）
+   * 大小写不敏感（HTTP header 字段名本身大小写不敏感）
+   */
+  headerName?: string;
+};
+/**
+ * 创建 Bearer 凭证提取器
+ *
+ * 兼容标准 "Authorization: Bearer <token>" 格式，
+ * 不做任何令牌格式校验（由 verifier 负责）。
+ *
+ * @param options - Bearer 提取器配置
+ * @returns 实现 CredentialExtractor 的 bearer 提取器
+ */
+declare function createBearerExtractor(options?: BearerExtractorOptions): CredentialExtractor;
+//#endregion
+//#region src/verifiers/cookie-jwt-verifier.d.ts
+/**
+ * Cookie JWT 验证器配置
+ */
+type CookieJwtVerifierOptions = {
+  /**
+   * Cookie 名称（承载 JWT 的 cookie 字段名）
+   */
+  cookieName: string;
+  /**
+   * JWT 配置（与 verifier 二选一）
+   * 提供时内部创建 JwtTokenVerifier 实例
+   */
+  jwt?: JwtConfig;
+  /**
+   * 已构造的 TokenVerifierPort（与 jwt 二选一）
+   * 用于注入自定义 verifier（如多策略、远程校验等）
+   */
+  verifier?: TokenVerifierPort;
+  /**
+   * 自定义凭证提取器（高级用法）
+   * 默认使用 createCookieExtractor({ cookieName })
+   */
+  extractor?: CredentialExtractor;
+};
+/**
+ * 创建 Cookie JWT 验证器
+ *
+ * @param options - Cookie JWT 验证器配置
+ * @returns 实现 RequestTokenVerifier 的组合验证器
+ */
+declare function createCookieJwtVerifier(options: CookieJwtVerifierOptions): RequestTokenVerifier;
+//#endregion
 //#region src/plugins/jwt-verify.plugin.d.ts
 /** JWT 验证插件解析后的认证上下文 */
 type VerifiedAuthContext = {
-  /** 用户 ID（来自 payload.sub） */userId: string; /** 租户 ID（来自 payload.tenantId，默认使用 defaultTenantId） */
-  tenantId: string; /** 角色列表 */
-  roles: string[]; /** 权限列表 */
-  permissions: string[]; /** JWT ID（用于 token 黑名单检查） */
+  /**
+   * 用户 ID（来自 payload.sub）
+   */
+  userId: string;
+  /**
+   * 租户 ID（来自 payload.tenantId，默认使用 defaultTenantId）
+   */
+  tenantId: string;
+  /**
+   * 角色列表
+   */
+  roles: string[];
+  /**
+   * 权限列表
+   */
+  permissions: string[];
+  /**
+   * JWT ID（用于 token 黑名单检查）
+   */
   jti?: string;
 };
+/**
+ * JWT 验证插件配置选项
+ *
+ * @typeParam T - 扩展 schema 类型，用于从 payload 中解析自定义业务字段
+ */
 type JwtVerifyPluginOptions<T extends z.ZodTypeAny = z.ZodUndefined> = {
-  /** 令牌验证器端口（用户注入，与 jwt 二选一） */verifier?: TokenVerifierPort; /** JWT 配置（与 verifier 二选一，未提供时使用默认配置） */
-  jwt?: JwtConfig; /** 默认租户 ID */
-  defaultTenantId?: string; /** 跳过认证的路径列表（精确匹配或前缀匹配，如 "/api/public/*"） */
-  publicPaths?: string[]; /** 扩展 schema，用于从 payload 中解析自定义业务字段 */
+  /**
+   * 令牌验证器端口（用户注入，与 jwt 二选一）
+   */
+  verifier?: TokenVerifierPort;
+  /**
+   * JWT 配置（与 verifier 二选一，未提供时使用默认配置）
+   */
+  jwt?: JwtConfig;
+  /**
+   * 默认租户 ID
+   */
+  defaultTenantId?: string;
+  /**
+   * 跳过认证的路径列表（精确匹配或前缀匹配，如 "/api/public/*"）
+   */
+  publicPaths?: string[];
+  /**
+   * 扩展 schema，用于从 payload 中解析自定义业务字段
+   */
   extendSchema?: T;
 };
-/** 从 extendSchema 提取额外字段类型 */
+/**
+ * 从 extendSchema 提取额外字段类型
+ *
+ * @typeParam T - 扩展 schema 类型，用于推断额外的业务字段类型
+ */
 type ExtractExtra<T extends z.ZodTypeAny> = T extends z.ZodUndefined ? Record<string, never> : z.infer<T>;
-/** 完整的认证上下文类型（基础字段 + 扩展字段） */
+/**
+ * 完整的认证上下文类型（基础字段 + 扩展字段）
+ *
+ * @typeParam T - 扩展 schema 类型，用于推断额外的业务字段类型
+ */
 type AuthContextWithExtra<T extends z.ZodTypeAny = z.ZodUndefined> = VerifiedAuthContext & ExtractExtra<T>;
+/**
+ * 创建 JWT 验证插件
+ *
+ * 该插件从请求头中提取 Bearer token 并验证，验证失败时抛出异常。
+ *
+ * @typeParam T - 扩展 schema 类型，用于从 payload 中解析自定义业务字段
+ * @param options - 插件配置选项
+ * @returns Elysia 插件实例
+ */
 declare function createJwtVerifyPlugin<T extends z.ZodTypeAny = z.ZodUndefined>(options: JwtVerifyPluginOptions<T>): Elysia<"", {
   decorator: {};
   store: {};
@@ -61,16 +268,46 @@ declare function createJwtVerifyPlugin<T extends z.ZodTypeAny = z.ZodUndefined>(
 }>;
 //#endregion
 //#region src/plugins/optional-jwt.plugin.d.ts
+/**
+ * 可选 JWT 认证插件配置选项
+ *
+ * @typeParam T - 扩展 schema 类型，用于从 payload 中解析自定义业务字段
+ */
 type OptionalJwtPluginOptions<T extends z.ZodTypeAny = z.ZodUndefined> = {
-  /** 令牌验证器端口（用户注入，与 jwt 二选一） */verifier?: TokenVerifierPort; /** JWT 配置（与 verifier 二选一，未提供时使用默认配置） */
-  jwt?: JwtConfig; /** 默认租户 ID */
-  defaultTenantId?: string; /** 扩展 schema，用于从 payload 中解析自定义业务字段 */
+  /**
+   * 令牌验证器端口（用户注入，与 jwt 二选一）
+   */
+  verifier?: TokenVerifierPort;
+  /**
+   * JWT 配置（与 verifier 二选一，未提供时使用默认配置）
+   */
+  jwt?: JwtConfig;
+  /**
+   * 默认租户 ID
+   */
+  defaultTenantId?: string;
+  /**
+   * 扩展 schema，用于从 payload 中解析自定义业务字段
+   */
   extendSchema?: T;
 };
-/** 可选认证上下文，auth 为 null 表示未认证 */
+/**
+ * 可选认证上下文，auth 为 null 表示未认证
+ *
+ * @typeParam T - 扩展 schema 类型，用于推断额外的业务字段类型
+ */
 type OptionalAuthContext<T extends z.ZodTypeAny = z.ZodUndefined> = {
   auth: (UnifiedAuthContext$1 & (T extends z.ZodUndefined ? Record<string, never> : z.infer<T>)) | null;
 };
+/**
+ * 创建可选 JWT 认证插件
+ *
+ * 该插件从请求头中提取 Bearer token 并验证，如果验证失败或无 token 则返回 null 认证上下文。
+ *
+ * @typeParam T - 扩展 schema 类型，用于从 payload 中解析自定义业务字段
+ * @param options - 插件配置选项
+ * @returns Elysia 插件实例
+ */
 declare function createOptionalJwtPlugin<T extends z.ZodTypeAny = z.ZodUndefined>(options: OptionalJwtPluginOptions<T>): Elysia<"", {
   decorator: {};
   store: {};
@@ -107,11 +344,26 @@ declare function createOptionalJwtPlugin<T extends z.ZodTypeAny = z.ZodUndefined
 //#region src/plugins/rbac.plugin.d.ts
 /** 用户角色策略接口，用于数据库查询权限 */
 type UserRoleStrategy = {
-  /** 查询用户在指定租户下的所有权限 */findPermissionsByUserId(userId: string, tenantId: string): Promise<ResourceAction[]>;
+  /**
+   * 查询用户在指定租户下的所有权限
+   */
+  findPermissionsByUserId(userId: string, tenantId: string): Promise<ResourceAction[]>;
 };
+/**
+ * RBAC 插件配置选项
+ */
 type RbacPluginOptions = {
-  /** 用户角色策略（用于数据库查询权限，优先于上下文权限） */userRole?: UserRoleStrategy;
+  /**
+   * 用户角色策略（用于数据库查询权限，优先于上下文权限）
+   */
+  userRole?: UserRoleStrategy;
 };
+/**
+ * 创建 RBAC 插件
+ *
+ * @param options - 插件配置选项
+ * @returns Elysia 插件实例
+ */
 declare function createRbacPlugin(options?: RbacPluginOptions): Elysia<"", {
   decorator: {};
   store: {};
@@ -148,15 +400,42 @@ declare function createRbacPlugin(options?: RbacPluginOptions): Elysia<"", {
 //#region src/plugins/api-key.plugin.d.ts
 /** API Key 认证的主体信息 */
 type ApiKeyPrincipal = {
-  /** 主体标识 */principalId: string; /** 租户 ID */
-  tenantId?: string; /** 角色列表 */
-  roles: string[]; /** 权限列表 */
+  /**
+   * 主体标识
+   */
+  principalId: string;
+  /**
+   * 租户 ID
+   */
+  tenantId?: string;
+  /**
+   * 角色列表
+   */
+  roles: string[];
+  /**
+   * 权限列表
+   */
   permissions: string[];
 };
+/**
+ * API Key 认证插件配置选项
+ */
 type ApiKeyPluginOptions = {
-  /** API Key 所在的请求头名称（默认 "x-api-key"） */header?: string; /** API Key 验证器，返回 null 表示无效 */
+  /**
+   * API Key 所在的请求头名称（默认 "x-api-key"）
+   */
+  header?: string;
+  /**
+   * API Key 验证器，返回 null 表示无效
+   */
   validator: (key: string) => Promise<ApiKeyPrincipal | null>;
 };
+/**
+ * 创建 API Key 认证插件
+ *
+ * @param options - 插件配置选项
+ * @returns Elysia 插件实例
+ */
 declare function createApiKeyPlugin(options: ApiKeyPluginOptions): Elysia<"", {
   decorator: {};
   store: {};
@@ -193,9 +472,21 @@ declare function createApiKeyPlugin(options: ApiKeyPluginOptions): Elysia<"", {
 //#region src/plugins/in-memory-api-key-validator.d.ts
 /** 内存 API Key 映射条目 */
 type InMemoryApiKeyEntry = {
-  /** 主体标识 */principalId: string; /** 租户ID（可选） */
-  tenantId?: string; /** 角色列表 */
-  roles: string[]; /** 权限列表 */
+  /**
+   * 主体标识
+   */
+  principalId: string;
+  /**
+   * 租户ID（可选）
+   */
+  tenantId?: string;
+  /**
+   * 角色列表
+   */
+  roles: string[];
+  /**
+   * 权限列表
+   */
   permissions: string[];
 };
 /** 内存 API Key 映射表 */
@@ -203,22 +494,64 @@ type InMemoryApiKeyMap = Record<string, InMemoryApiKeyEntry>;
 /**
  * 创建内存 API Key 验证器
  * 接受静态 API Key 映射，返回符合 createApiKeyPlugin 的 validator 函数
+ *
  * @param keyMap - API Key 到主体信息的映射
  * @returns validator 函数
  */
 declare function createInMemoryApiKeyValidator(keyMap: InMemoryApiKeyMap): (key: string) => Promise<ApiKeyPrincipal | null>;
 //#endregion
 //#region src/plugins/composite-auth.plugin.d.ts
+/**
+ * 组合认证插件配置选项
+ *
+ * 支持多种认证方式（JWT 和 API Key），优先尝试 JWT 认证。
+ */
 type CompositeAuthPluginOptions = {
-  /** 令牌验证器端口（用户注入，与 jwt 二选一） */verifier?: TokenVerifierPort; /** JWT 配置（与 verifier 二选一，未提供时使用默认配置） */
-  jwt?: JwtConfig; /** 默认租户 ID */
-  defaultTenantId?: string; /** API Key 验证器 */
-  apiKeyValidator?: (key: string) => Promise<ApiKeyPrincipal | null>; /** API Key 所在的请求头名称（默认 "x-api-key"） */
-  apiKeyHeader?: string; /** 跳过认证的路径列表（精确匹配或前缀匹配，如 "/api/public/*"） */
+  /**
+   * 令牌验证器端口（用户注入，与 jwt 二选一）
+   *
+   * 单个验证器场景的简写形式；与 verifiers 同时提供时会合并到列表头部。
+   */
+  verifier?: TokenVerifierPort;
+  /**
+   * 令牌验证器端口列表（多验证器场景）
+   *
+   * 按数组顺序依次尝试，任一成功即返回；
+   * 用于多模式共存（如同时支持 cookie JWT 与静态令牌、新旧密钥平滑迁移等）。
+   */
+  verifiers?: TokenVerifierPort[];
+  /**
+   * JWT 配置（与 verifier/verifiers 二选一，未提供时使用默认配置）
+   */
+  jwt?: JwtConfig;
+  /**
+   * 默认租户 ID
+   */
+  defaultTenantId?: string;
+  /**
+   * API Key 验证器
+   */
+  apiKeyValidator?: (key: string) => Promise<ApiKeyPrincipal | null>;
+  /**
+   * API Key 所在的请求头名称（默认 "x-api-key"）
+   */
+  apiKeyHeader?: string;
+  /**
+   * 跳过认证的路径列表（精确匹配或前缀匹配，如 "/api/public/*"）
+   */
   publicPaths?: string[];
 };
 /** 组合认证上下文（向后兼容，内部使用 UnifiedAuthContext） */
 type CompositeAuthContext = UnifiedAuthContext$1;
+/**
+ * 创建组合认证插件
+ *
+ * 该插件支持多种认证方式（JWT 和 API Key），优先尝试 JWT 认证，
+ * 如果 JWT 认证失败则尝试 API Key 认证，未认证时返回 null。
+ *
+ * @param options - 插件配置选项
+ * @returns Elysia 插件实例
+ */
 declare function createCompositeAuthPlugin(options: CompositeAuthPluginOptions): Elysia<"", {
   decorator: {};
   store: {};
@@ -251,7 +584,12 @@ declare function createCompositeAuthPlugin(options: CompositeAuthPluginOptions):
   standaloneSchema: {};
   response: {};
 }>;
-/** 创建要求认证的组合认证插件（未认证时抛出异常） */
+/**
+ * 创建要求认证的组合认证插件（未认证时抛出异常）
+ *
+ * @param options - 插件配置选项
+ * @returns Elysia 插件实例
+ */
 declare function createRequiredCompositeAuthPlugin(options: CompositeAuthPluginOptions): Elysia<"", {
   decorator: {};
   store: {};
@@ -285,50 +623,30 @@ declare function createRequiredCompositeAuthPlugin(options: CompositeAuthPluginO
   response: {};
 }>;
 //#endregion
-//#region src/plugins/tenant.plugin.d.ts
-type TenantPluginOptions = {
-  /** 默认租户 ID */defaultTenantId?: string; /** 租户验证函数 */
-  validateFn?: TenantValidateFn;
-};
-declare function createTenantPlugin(options?: TenantPluginOptions): Elysia<"", {
-  decorator: {};
-  store: {};
-  derive: {
-    tenantId: string;
-  };
-  resolve: {};
-}, {
-  typebox: {};
-  error: {};
-}, {
-  schema: {};
-  standaloneSchema: {};
-  macro: {};
-  macroFn: {};
-  parser: {};
-  response: import("elysia").ExtractErrorFromHandle<{
-    tenantId: string;
-  }> & {};
-}, {}, {
-  derive: {};
-  resolve: {};
-  schema: {};
-  standaloneSchema: {};
-  response: {};
-}, {
-  derive: {};
-  resolve: {};
-  schema: {};
-  standaloneSchema: {};
-  response: {};
-}>;
-//#endregion
 //#region src/plugins/rate-limit.plugin.d.ts
+/**
+ * 速率限制插件配置选项
+ */
 type RateLimitPluginOptions = {
-  /** 速率限制器端口（用户注入） */limiter: RateLimiterPort; /** 日志服务 */
-  logger?: LoggerService; /** 键生成器（用于从请求中提取限制键） */
+  /**
+   * 速率限制器端口（用户注入）
+   */
+  limiter: RateLimiterPort;
+  /**
+   * 日志服务
+   */
+  logger?: LoggerService;
+  /**
+   * 键生成器（用于从请求中提取限制键）
+   */
   keyGenerator?: (request: Request) => string;
 };
+/**
+ * 创建速率限制插件
+ *
+ * @param options - 插件配置选项
+ * @returns Elysia 插件实例
+ */
 declare function createRateLimitPlugin(options: RateLimitPluginOptions): Elysia<"", {
   decorator: {};
   store: {};
@@ -444,13 +762,42 @@ declare function createLoggerPlugin(options: LoggerPluginOptions): Elysia<"", {
 }>;
 //#endregion
 //#region src/presets/basic-preset.d.ts
+/**
+ * 基础预设配置选项
+ *
+ * @typeParam T - 扩展 schema 类型，用于从 payload 中解析自定义业务字段
+ */
 type BasicPresetOptions<T extends z.ZodTypeAny = z.ZodUndefined> = {
-  /** 令牌验证器端口（用户注入） */tokenVerifier: TokenVerifierPort; /** 默认租户 ID */
-  defaultTenantId?: string; /** 日志服务 */
-  logger?: LoggerService; /** 跳过认证的路径列表（精确匹配或前缀匹配，如 "/api/public/*"） */
-  publicPaths?: string[]; /** 扩展 schema，用于从 payload 中解析自定义业务字段 */
+  /**
+   * 令牌验证器端口（用户注入）
+   */
+  tokenVerifier: TokenVerifierPort;
+  /**
+   * 默认租户 ID
+   */
+  defaultTenantId?: string;
+  /**
+   * 日志服务
+   */
+  logger?: LoggerService;
+  /**
+   * 跳过认证的路径列表（精确匹配或前缀匹配，如 "/api/public/*"）
+   */
+  publicPaths?: string[];
+  /**
+   * 扩展 schema，用于从 payload 中解析自定义业务字段
+   */
   extendSchema?: T;
 };
+/**
+ * 创建基础预设插件
+ *
+ * 该预设包含 JWT 验证插件和错误处理插件，提供完整的认证功能。
+ *
+ * @typeParam T - 扩展 schema 类型，用于从 payload 中解析自定义业务字段
+ * @param options - 预设配置选项
+ * @returns Elysia 插件实例
+ */
 declare function createBasicPreset<T extends z.ZodTypeAny = z.ZodUndefined>(options: BasicPresetOptions<T>): Elysia<"", {
   decorator: {};
   store: {};
@@ -517,24 +864,59 @@ declare function createBasicPreset<T extends z.ZodTypeAny = z.ZodUndefined>(opti
 }>;
 //#endregion
 //#region src/presets/standard-preset.d.ts
+/**
+ * 标准预设配置选项
+ *
+ * @typeParam T - 扩展 schema 类型，用于从 payload 中解析自定义业务字段
+ */
 type StandardPresetOptions<T extends z.ZodTypeAny = z.ZodUndefined> = {
-  /** 令牌验证器端口（用户注入） */tokenVerifier: TokenVerifierPort; /** 速率限制器端口（可选，用户注入） */
-  rateLimiter?: RateLimiterPort; /** 默认租户 ID */
-  defaultTenantId?: string; /** 租户验证函数 */
-  validateFn?: TenantValidateFn; /** 用户角色策略 */
-  userRole?: UserRoleStrategy; /** 日志服务 */
-  logger?: LoggerService; /** 跳过认证的路径列表（精确匹配或前缀匹配，如 "/api/public/*"） */
-  publicPaths?: string[]; /** 扩展 schema，用于从 payload 中解析自定义业务字段（仅在未使用 apiKeyValidator 时生效） */
-  extendSchema?: T; /** API Key 验证器（提供后使用组合认证插件替代 JWT 验证插件） */
+  /**
+   * 令牌验证器端口（用户注入）
+   */
+  tokenVerifier: TokenVerifierPort;
+  /**
+   * 速率限制器端口（可选，用户注入）
+   */
+  rateLimiter?: RateLimiterPort;
+  /**
+   * 默认租户 ID
+   */
+  defaultTenantId?: string;
+  /**
+   * 用户角色策略
+   */
+  userRole?: UserRoleStrategy;
+  /**
+   * 日志服务
+   */
+  logger?: LoggerService;
+  /**
+   * 跳过认证的路径列表（精确匹配或前缀匹配，如 "/api/public/*"）
+   */
+  publicPaths?: string[];
+  /**
+   * 扩展 schema，用于从 payload 中解析自定义业务字段（仅在未使用 apiKeyValidator 时生效）
+   */
+  extendSchema?: T;
+  /**
+   * API Key 验证器（提供后使用组合认证插件替代 JWT 验证插件）
+   */
   apiKeyValidator?: (key: string) => Promise<ApiKeyPrincipal | null>;
 };
+/**
+ * 创建标准预设插件
+ *
+ * 该预设包含认证插件、RBAC 插件、可选的限流插件和错误处理插件。
+ *
+ * @typeParam T - 扩展 schema 类型，用于从 payload 中解析自定义业务字段
+ * @param options - 预设配置选项
+ * @returns Elysia 插件实例
+ */
 declare function createStandardPreset<T extends z.ZodTypeAny = z.ZodUndefined>(options: StandardPresetOptions<T>): Elysia<"", {
   decorator: {};
   store: {};
   derive: {
     readonly requirePermission: (resource: string, action: string) => Promise<void>;
-  } & {
-    tenantId: string;
   };
   resolve: {};
 }, {
@@ -556,15 +938,6 @@ declare function createStandardPreset<T extends z.ZodTypeAny = z.ZodUndefined>(o
   response: import("elysia").ExtractErrorFromHandle<{
     readonly requirePermission: (resource: string, action: string) => Promise<void>;
   }>;
-} & {
-  schema: {};
-  standaloneSchema: {};
-  macro: {};
-  macroFn: {};
-  parser: {};
-  response: import("elysia").ExtractErrorFromHandle<{
-    tenantId: string;
-  }> & {};
 } & {
   schema: {};
   standaloneSchema: {};
@@ -591,13 +964,13 @@ declare function createStandardPreset<T extends z.ZodTypeAny = z.ZodUndefined>(o
   schema: {};
   standaloneSchema: {};
   response: {};
-}, ({
+}, (({
   derive: {};
   resolve: {};
   schema: {};
   standaloneSchema: {};
   response: {};
-} & {
+} & ({
   derive: {
     auth: import("@longzai-intelligence-auth/core").UnifiedAuthContext;
   };
@@ -607,19 +980,7 @@ declare function createStandardPreset<T extends z.ZodTypeAny = z.ZodUndefined>(o
   response: import("elysia").ExtractErrorFromHandle<{
     auth: import("@longzai-intelligence-auth/core").UnifiedAuthContext;
   }>;
-} & {
-  derive: {};
-  resolve: {};
-  schema: {};
-  standaloneSchema: {};
-  response: {};
-}) | ({
-  derive: {};
-  resolve: {};
-  schema: {};
-  standaloneSchema: {};
-  response: {};
-} & {
+} | {
   derive: {
     readonly auth: any;
   };
@@ -629,20 +990,36 @@ declare function createStandardPreset<T extends z.ZodTypeAny = z.ZodUndefined>(o
   response: import("elysia").ExtractErrorFromHandle<{
     readonly auth: any;
   }>;
-} & {
+})) & {
+  derive: {};
+  resolve: {};
+  schema: {};
+  standaloneSchema: {};
+  response: {};
+}) & {
   derive: {};
   resolve: {};
   schema: {};
   standaloneSchema: {};
   response: {};
-})>;
+}>;
 //#endregion
 //#region src/utils/extract-client-ip.d.ts
-/** 从请求中提取客户端 IP 地址 */
+/**
+ * 从请求中提取客户端 IP 地址
+ *
+ * @param request - HTTP 请求对象
+ * @returns 客户端 IP 地址，如果无法提取则返回 undefined
+ */
 declare function extractClientIp(request: Request): string | undefined;
 //#endregion
 //#region src/utils/extract-user-agent.d.ts
-/** 从请求中提取用户代理 */
+/**
+ * 从请求中提取用户代理
+ *
+ * @param request - HTTP 请求对象
+ * @returns 用户代理字符串，如果无法提取则返回 undefined
+ */
 declare function extractUserAgent(request: Request): string | undefined;
 //#endregion
-export { type ApiKeyPluginOptions, type ApiKeyPrincipal, type AuthContextWithExtra, type BasicPresetOptions, type CompositeAuthContext, type CompositeAuthPluginOptions, type ErrorHandlerPluginOptions, type ExtractExtra, type InMemoryApiKeyEntry, type InMemoryApiKeyMap, type JwtVerifyPluginOptions, type LoggerPluginOptions, type OptionalAuthContext, type OptionalJwtPluginOptions, type RateLimitPluginOptions, type RbacPluginOptions, type StandardPresetOptions, type TenantPluginOptions, type UnifiedAuthContext, type UserRoleStrategy, type VerifiedAuthContext, createApiKeyPlugin, createBasicPreset, createCompositeAuthPlugin, createErrorHandlerPlugin, createInMemoryApiKeyValidator, createJwtVerifyPlugin, createLoggerPlugin, createOptionalJwtPlugin, createRateLimitPlugin, createRbacPlugin, createRequiredCompositeAuthPlugin, createStandardPreset, createTenantPlugin, extractClientIp, extractUserAgent, mapDomainErrorToStatus };
+export { type ApiKeyPluginOptions, type ApiKeyPrincipal, type AuthContextWithExtra, type BasicPresetOptions, type BearerExtractorOptions, type CompositeAuthContext, type CompositeAuthPluginOptions, type CookieExtractorOptions, type CookieJwtVerifierOptions, type CredentialExtractor, type ErrorHandlerPluginOptions, type ExtractExtra, type InMemoryApiKeyEntry, type InMemoryApiKeyMap, type JwtVerifyPluginOptions, type LoggerPluginOptions, type OptionalAuthContext, type OptionalJwtPluginOptions, type RateLimitPluginOptions, type RbacPluginOptions, type RequestTokenVerifier, type StandardPresetOptions, type StaticTokenVerifierOptions, type UnifiedAuthContext, type UserRoleStrategy, type VerifiedAuthContext, createApiKeyPlugin, createBasicPreset, createBearerExtractor, createCompositeAuthPlugin, createCookieExtractor, createCookieJwtVerifier, createErrorHandlerPlugin, createInMemoryApiKeyValidator, createJwtVerifyPlugin, createLoggerPlugin, createOptionalJwtPlugin, createRateLimitPlugin, createRbacPlugin, createRequiredCompositeAuthPlugin, createStandardPreset, createStaticTokenVerifier, extractClientIp, extractUserAgent, mapDomainErrorToStatus };

package/dist/index.js CHANGED Viewed

	@@ -1 +1 @@
1	- import{AuthenticationError as e,DomainError as t,DuplicateEntityError as n,isBusinessRuleError as r,isConcurrencyError as i,isEntityNotFoundError as a,isPermissionDeniedError as o,isValidationError as s}from"@longzai-intelligence/error";import{AccountDisabledError as c,InvalidCredentialsError as l,MfaRequiredError as u,RateLimitExceededError as d,TokenExpiredError as f,TokenInvalidError as p,TokenMissingError as m,UserAlreadyExistsError as h,accessTokenPayloadSchema as g,createDefaultJwtConfig as _}from"@longzai-intelligence-auth/core";import{Elysia as v}from"elysia";import{JwtTokenVerifier as y}from"@longzai-intelligence-auth/jwt";function b(t){return s(t)?400:t instanceof f\|\|t instanceof p\|\|t instanceof m\|\|t instanceof u\|\|t instanceof l\|\|t instanceof c\|\|t instanceof e?401:o(t)?403:a(t)?404:t instanceof n\|\|t instanceof h?409:t instanceof d?429:i(t)?409:r(t)\|\|t.code===`PASSWORD_POLICY_VIOLATION`?422:500}function x(e,t){return{userId:e.sub,tenantId:e.tenantId??t,roles:e.roles??[],permissions:e.permissions??[],authMethod:`jwt`}}function S(e){return{userId:``,tenantId:e,roles:[],permissions:[],authMethod:`jwt`}}function C(e,t){return t.some(t=>t.endsWith(`/`)?e.startsWith(t.slice(0,-2)):e===t)}function w(e){return{algorithm:`HS256`,secret:e.secret,accessExpiresIn:e.accessExpiresIn,refreshExpiresIn:e.refreshExpiresIn}}function T(e,t){return e\|\|new y(w(t??_()))}function E(e){let{verifier:t,jwt:n,defaultTenantId:r=`default`,publicPaths:i=[],extendSchema:a}=e,o=T(t,n);return new v({name:`@longzai-intelligence-auth/jwt-verify`}).derive(async({request:e})=>{if(C(new URL(e.url).pathname,i)){let e=a?a.parse({}):{};return{auth:{...S(r),...e}}}let t=e.headers.get(`Authorization`),n=t?.startsWith(`Bearer `)?t.slice(7):null;if(!n)throw new m;let s=await o.verifyAccessToken(n);if(!s.success\|\|!s.payload)throw new p(s.error);g.parse(s.payload);let c=x(s.payload,r),l=a?a.parse(s.payload):{};return{auth:{...c,...l}}}).as(`scoped`)}function D(e){return{algorithm:`HS256`,secret:e.secret,accessExpiresIn:e.accessExpiresIn,refreshExpiresIn:e.refreshExpiresIn}}function O(e,t){return e\|\|new y(D(t??_()))}function k(e){let{verifier:t,jwt:n,defaultTenantId:r=`default`,extendSchema:i}=e,a=O(t,n);return new v({name:`@longzai-intelligence-auth/optional-jwt`}).derive(async({request:e})=>{let t=e.headers.get(`Authorization`),n=t?.startsWith(`Bearer `)?t.slice(7):null;if(!n)return{auth:null};try{let e=await a.verifyAccessToken(n);if(!e.success\|\|!e.payload)return{auth:null};g.parse(e.payload);let t=e.payload,o={userId:t.sub,tenantId:t.tenantId??r,roles:t.roles??[],permissions:t.permissions??[],authMethod:`jwt`},s=i?i.parse(t):{};return{auth:{...o,...s}}}catch{return{auth:null}}}).as(`scoped`)}function A(e,t,n){return e.some(e=>e.resource===``&&e.action===``\|\|e.resource===t&&e.action===``\|\|e.resource===``&&e.action===n\|\|e.resource===t&&e.action===n)}function j(e,t,n){let r=`${t}:${n}`;return e.includes(r)\|\|e.includes(`${t}:`)\|\|e.includes(`:${n}`)\|\|e.includes(`:`)}function M(e={}){let{userRole:t}=e;return new v({name:`@longzai-intelligence-auth/rbac`}).derive({as:`scoped`},async e=>{let n=e.auth;if(!n)throw new m;let r=n.userId,i=n.tenantId;return{requirePermission:async(e,a)=>{if(t){if(A(await t.findPermissionsByUserId(r,i),e,a))return;let{PermissionDeniedError:n}=await import(`@longzai-intelligence/error`);throw new n(e,a)}if(j(n.permissions??[],e,a))return;let{PermissionDeniedError:o}=await import(`@longzai-intelligence/error`);throw new o(e,a)}}}).as(`global`)}function N(e){let{header:t=`x-api-key`,validator:n}=e;return new v({name:`@longzai-intelligence-auth/api-key`}).derive(async({request:e})=>{let r=e.headers.get(t)??e.headers.get(t.toLowerCase());if(!r)throw new m(`缺少 API Key`);let i=await n(r);if(!i)throw new p(`无效的 API Key`);return{auth:{userId:i.principalId,tenantId:i.tenantId??`default`,roles:i.roles,permissions:i.permissions,authMethod:`api-key`}}}).as(`scoped`)}function P(e){return async t=>{let n=e[t];return n?{principalId:n.principalId,tenantId:n.tenantId,roles:n.roles,permissions:n.permissions}:null}}function F(e){return{authMethod:`jwt`,userId:e.userId,tenantId:e.tenantId,roles:e.roles,permissions:e.permissions}}function I(e,t){return{authMethod:`api-key`,userId:e.principalId,tenantId:e.tenantId??t,roles:e.roles,permissions:e.permissions}}function L(e){return{algorithm:`HS256`,secret:e.secret,accessExpiresIn:e.accessExpiresIn,refreshExpiresIn:e.refreshExpiresIn}}function R(e,t){return e\|\|new y(L(t??_()))}function z(e,t){return t.some(t=>t.endsWith(`/`)?e.startsWith(t.slice(0,-2)):e===t)}function B(e){let{verifier:t,jwt:n,defaultTenantId:r=`default`,apiKeyValidator:i,apiKeyHeader:a=`x-api-key`,publicPaths:o=[]}=e,s=R(t,n);return new v({name:`@longzai-intelligence-auth/composite-auth`}).derive(async({request:e})=>{if(z(new URL(e.url).pathname,o))return{auth:null};let t=e.headers.get(`Authorization`),n=t?.startsWith(`Bearer `)?t.slice(7):null;if(n)try{let e=await s.verifyAccessToken(n);if(e.success&&e.payload)return g.parse(e.payload),{auth:F({userId:e.payload.sub,tenantId:e.payload.tenantId??r,roles:e.payload.roles??[],permissions:e.payload.permissions??[]})}}catch{}if(i){let t=e.headers.get(a)??e.headers.get(a.toLowerCase());if(t){let e=await i(t);if(e)return{auth:I(e,r)}}}return{auth:null}}).as(`scoped`)}function V(e){let{verifier:t,jwt:n,defaultTenantId:r=`default`,apiKeyValidator:i,apiKeyHeader:a=`x-api-key`,publicPaths:o=[]}=e,s=R(t,n);return new v({name:`@longzai-intelligence-auth/required-composite-auth`}).derive(async({request:e})=>{if(z(new URL(e.url).pathname,o))return{auth:{authMethod:`jwt`,userId:``,tenantId:r,roles:[],permissions:[]}};let t=e.headers.get(`Authorization`),n=t?.startsWith(`Bearer `)?t.slice(7):null;if(n)try{let e=await s.verifyAccessToken(n);if(e.success&&e.payload)return g.parse(e.payload),{auth:F({userId:e.payload.sub,tenantId:e.payload.tenantId??r,roles:e.payload.roles??[],permissions:e.payload.permissions??[]})}}catch{}if(i){let t=e.headers.get(a)??e.headers.get(a.toLowerCase());if(t){let e=await i(t);if(e)return{auth:I(e,r)}}}throw Error(`认证失败：需要提供有效的 JWT Token 或 API Key`)}).as(`scoped`)}function H(e={}){let{defaultTenantId:t=`default`,validateFn:n}=e;return new v({name:`@longzai-intelligence-auth/tenant`}).derive(({request:e})=>({tenantId:e.headers.get(`x-tenant-id`)??t})).as(`scoped`).onBeforeHandle(async({tenantId:e})=>{if(n&&e!==t&&!(await n(e)).valid){let{PermissionDeniedError:e}=await import(`@longzai-intelligence/error`);throw new e(`tenant`,`access`)}}).as(`global`)}function U(e){return e.headers.get(`x-forwarded-for`)?.split(`,`)[0]?.trim()??e.headers.get(`x-real-ip`)??`unknown`}function W(e){let{limiter:t,logger:n}=e,r=e.keyGenerator??U;return new v({name:`@longzai-intelligence-auth/rate-limit`}).derive(({request:e})=>({clientIp:r(e)})).derive(async({clientIp:e,request:r})=>{let i=new URL(r.url).pathname,a=`${e}:${i}`,o=await t.checkLimit(a);if(!o.allowed)throw n?.warn(`限流触发`,{clientIp:e,path:i}),new d;return{rateLimitRemaining:o.remaining}}).as(`global`)}function G(e={}){let{logger:n}=e;return new v({name:`@longzai-intelligence-auth/error-handler`}).onError(({code:e,error:r,set:i})=>{if(r instanceof t)return i.status=b(r),{code:r.code,message:r.message,...r.context&&Object.keys(r.context).length>0?{details:r.context}:{}};switch(e){case`VALIDATION`:return i.status=400,{code:`VALIDATION_ERROR`,message:`请求参数验证失败`,details:r.all.map(e=>({path:e.path,message:e.summary}))};case`NOT_FOUND`:return i.status=404,{code:`NOT_FOUND`,message:`未找到请求的资源`};case`PARSE`:return i.status=400,{code:`PARSE_ERROR`,message:`请求数据解析失败`};default:return n?.error(`未预期的错误`,{error:r instanceof Error?r.message:String(r),stack:r instanceof Error?r.stack:void 0}),i.status=500,{code:`INTERNAL_ERROR`,message:`服务器内部错误`}}}).as(`global`)}function K(e){let{logger:t}=e;return new v({name:`@longzai-intelligence-auth/logger`}).onRequest(({request:e})=>{t.info(`${e.method} ${e.url}`)}).onAfterResponse(({request:e,set:n})=>{t.info(`${e.method} ${e.url} ${n.status}`)}).onError(({request:e,error:n})=>{t.error(`${e.method} ${e.url} 请求错误`,{error:n instanceof Error?n.message:String(n)})}).as(`global`)}function q(e){return new v({name:`@longzai-intelligence-auth/basic-preset`}).use(E({verifier:e.tokenVerifier,defaultTenantId:e.defaultTenantId,publicPaths:e.publicPaths,extendSchema:e.extendSchema})).use(G({logger:e.logger}))}function J(e){let t=e.apiKeyValidator?V({verifier:e.tokenVerifier,defaultTenantId:e.defaultTenantId,publicPaths:e.publicPaths,apiKeyValidator:e.apiKeyValidator}):E({verifier:e.tokenVerifier,defaultTenantId:e.defaultTenantId,publicPaths:e.publicPaths,extendSchema:e.extendSchema}),n=new v({name:`@longzai-intelligence-auth/standard-preset`}).use(t).use(M({userRole:e.userRole})).use(H({defaultTenantId:e.defaultTenantId,validateFn:e.validateFn}));return e.rateLimiter&&n.use(W({limiter:e.rateLimiter,logger:e.logger})),n.use(G({logger:e.logger}))}function Y(e){return e.headers.get(`x-forwarded-for`)?.split(`,`)[0]?.trim()??e.headers.get(`x-real-ip`)??void 0}function X(e){return e.headers.get(`user-agent`)??void 0}export{N as createApiKeyPlugin,q as createBasicPreset,B as createCompositeAuthPlugin,G as createErrorHandlerPlugin,P as createInMemoryApiKeyValidator,E as createJwtVerifyPlugin,K as createLoggerPlugin,k as createOptionalJwtPlugin,W as createRateLimitPlugin,M as createRbacPlugin,V as createRequiredCompositeAuthPlugin,J as createStandardPreset,H as createTenantPlugin,Y as extractClientIp,X as extractUserAgent,b as mapDomainErrorToStatus};
1	+ import{AuthenticationError as e,DomainError as t,DuplicateEntityError as n,isBusinessRuleError as r,isConcurrencyError as i,isEntityNotFoundError as a,isPermissionDeniedError as o,isValidationError as s}from"@longzai-intelligence/error";import{AccountDisabledError as c,InvalidCredentialsError as l,MfaRequiredError as u,RateLimitExceededError as d,TokenExpiredError as f,TokenInvalidError as p,TokenMissingError as m,UserAlreadyExistsError as h,accessTokenPayloadSchema as g,createDefaultJwtConfig as _}from"@longzai-intelligence-auth/core";import v from"node:crypto";import{JwtTokenVerifier as y}from"@longzai-intelligence-auth/jwt";import{Elysia as b}from"elysia";function x(t){return s(t)?400:t instanceof f\|\|t instanceof p\|\|t instanceof m\|\|t instanceof u\|\|t instanceof l\|\|t instanceof c\|\|t instanceof e?401:o(t)?403:a(t)?404:t instanceof n\|\|t instanceof h?409:t instanceof d?429:i(t)?409:r(t)\|\|t.code===`PASSWORD_POLICY_VIOLATION`?422:500}function S(e,t){let n=Buffer.from(e,`utf-8`),r=Buffer.from(t,`utf-8`);if(n.length!==r.length){let e=Buffer.alloc(n.length);return v.timingSafeEqual(n,e),!1}return v.timingSafeEqual(n,r)}function C(e){let{token:t,getToken:n,subject:r=`static`,tenantId:i}=e;if(!t&&!n)throw Error(`createStaticTokenVerifier 需要至少提供 token 或 getToken 之一`);let a=()=>{if(n){let e=n();if(e)return e}return t??null};return{async verifyAccessToken(e){let t=a();return t?S(e,t)?{success:!0,payload:{sub:r,type:`access`,...i!==void 0&&{tenantId:i}}}:{success:!1,error:`静态令牌不匹配`}:{success:!1,error:`静态令牌未配置`}},async verifyRefreshToken(){return{success:!1,error:`静态令牌模式不支持 refresh token`}}}}function w(e){let{cookieName:t}=e;return{extract(e){let n=e.headers.get(`cookie`);if(!n)return null;let r=n.split(`;`);for(let e of r){let n=e.indexOf(`=`);if(n!==-1&&e.slice(0,n).trim()===t)return e.slice(n+1).trim()\|\|null}return null}}}function T(e={}){let{headerName:t=`authorization`}=e;return{extract(e){let n=e.headers.get(t);if(!n)return null;let r=n.split(` `);return r.length!==2\|\|r[0]!==`Bearer`\|\|!r[1]?null:r[1]}}}function E(e){return{algorithm:`HS256`,secret:e.secret,accessExpiresIn:e.accessExpiresIn,refreshExpiresIn:e.refreshExpiresIn}}function D(e,t){if(e)return e;if(!t)throw Error(`createCookieJwtVerifier 需要至少提供 jwt 或 verifier 之一`);return new y(E(t))}function O(e){let{cookieName:t,jwt:n,verifier:r,extractor:i}=e,a=D(r,n),o=i??w({cookieName:t});return{async verify(e){let t=o.extract(e);return t?a.verifyAccessToken(t):{success:!1,error:`请求未携带 cookie 凭证`}}}}function k(e,t){return{userId:e.sub,tenantId:e.tenantId??t,roles:e.roles??[],permissions:e.permissions??[],authMethod:`jwt`}}function A(e){return{userId:``,tenantId:e,roles:[],permissions:[],authMethod:`jwt`}}function j(e,t){return t.some(t=>t.endsWith(`/`)?e.startsWith(t.slice(0,-2)):e===t)}function M(e){return{algorithm:`HS256`,secret:e.secret,accessExpiresIn:e.accessExpiresIn,refreshExpiresIn:e.refreshExpiresIn}}function N(e,t){return e\|\|new y(M(t??_()))}function P(e){let{verifier:t,jwt:n,defaultTenantId:r=`default`,publicPaths:i=[],extendSchema:a}=e,o=N(t,n);return new b({name:`@longzai-intelligence-auth/jwt-verify`}).derive(async({request:e})=>{if(j(new URL(e.url).pathname,i)){let e=a?a.parse({}):{};return{auth:{...A(r),...e}}}let t=e.headers.get(`Authorization`),n=t?.startsWith(`Bearer `)?t.slice(7):null;if(!n)throw new m;let s=await o.verifyAccessToken(n);if(!s.success\|\|!s.payload)throw new p(s.error);g.parse(s.payload);let c=k(s.payload,r),l=a?a.parse(s.payload):{};return{auth:{...c,...l}}}).as(`scoped`)}function F(e){return{algorithm:`HS256`,secret:e.secret,accessExpiresIn:e.accessExpiresIn,refreshExpiresIn:e.refreshExpiresIn}}function I(e,t){return e\|\|new y(F(t??_()))}function L(e){let{verifier:t,jwt:n,defaultTenantId:r=`default`,extendSchema:i}=e,a=I(t,n);return new b({name:`@longzai-intelligence-auth/optional-jwt`}).derive(async({request:e})=>{let t=e.headers.get(`Authorization`),n=t?.startsWith(`Bearer `)?t.slice(7):null;if(!n)return{auth:null};try{let e=await a.verifyAccessToken(n);if(!e.success\|\|!e.payload)return{auth:null};g.parse(e.payload);let t=e.payload,o={userId:t.sub,tenantId:t.tenantId??r,roles:t.roles??[],permissions:t.permissions??[],authMethod:`jwt`},s=i?i.parse(t):{};return{auth:{...o,...s}}}catch{return{auth:null}}}).as(`scoped`)}function R(e,t,n){return e.some(e=>e.resource===``&&e.action===``\|\|e.resource===t&&e.action===``\|\|e.resource===``&&e.action===n\|\|e.resource===t&&e.action===n)}function z(e,t,n){let r=`${t}:${n}`;return e.includes(r)\|\|e.includes(`${t}:`)\|\|e.includes(`:${n}`)\|\|e.includes(`:`)}function B(e={}){let{userRole:t}=e;return new b({name:`@longzai-intelligence-auth/rbac`}).derive({as:`scoped`},async e=>{let n=e.auth;if(!n)throw new m;let r=n.userId,i=n.tenantId;return{requirePermission:async(e,a)=>{if(t){if(R(await t.findPermissionsByUserId(r,i),e,a))return;let{PermissionDeniedError:n}=await import(`@longzai-intelligence/error`);throw new n(e,a)}if(z(n.permissions??[],e,a))return;let{PermissionDeniedError:o}=await import(`@longzai-intelligence/error`);throw new o(e,a)}}}).as(`global`)}function V(e){let{header:t=`x-api-key`,validator:n}=e;return new b({name:`@longzai-intelligence-auth/api-key`}).derive(async({request:e})=>{let r=e.headers.get(t)??e.headers.get(t.toLowerCase());if(!r)throw new m(`缺少 API Key`);let i=await n(r);if(!i)throw new p(`无效的 API Key`);return{auth:{userId:i.principalId,tenantId:i.tenantId??`default`,roles:i.roles,permissions:i.permissions,authMethod:`api-key`}}}).as(`scoped`)}function H(e){return async t=>{let n=e[t];return n?{principalId:n.principalId,tenantId:n.tenantId,roles:n.roles,permissions:n.permissions}:null}}function U(e){return{authMethod:`jwt`,userId:e.userId,tenantId:e.tenantId,roles:e.roles,permissions:e.permissions}}function W(e,t){return{authMethod:`api-key`,userId:e.principalId,tenantId:e.tenantId??t,roles:e.roles,permissions:e.permissions}}function G(e){return{algorithm:`HS256`,secret:e.secret,accessExpiresIn:e.accessExpiresIn,refreshExpiresIn:e.refreshExpiresIn}}function K(e,t,n){let r=[];return e&&r.push(e),t&&t.length>0&&r.push(...t),r.length>0?r:[new y(G(n??_()))]}function q(e,t){return t.some(t=>t.endsWith(`/`)?e.startsWith(t.slice(0,-2)):e===t)}async function J(e,t){for(let n of e)try{let e=await n.verifyAccessToken(t);if(e.success&&e.payload)return{success:!0,payload:e.payload}}catch{}return null}function Y(e){let{verifier:t,verifiers:n,jwt:r,defaultTenantId:i=`default`,apiKeyValidator:a,apiKeyHeader:o=`x-api-key`,publicPaths:s=[]}=e,c=K(t,n,r);return new b({name:`@longzai-intelligence-auth/composite-auth`}).derive(async({request:e})=>{if(q(new URL(e.url).pathname,s))return{auth:null};let t=e.headers.get(`Authorization`),n=t?.startsWith(`Bearer `)?t.slice(7):null;if(n){let e=await J(c,n);if(e)return g.parse(e.payload),{auth:U({userId:e.payload.sub,tenantId:e.payload.tenantId??i,roles:e.payload.roles??[],permissions:e.payload.permissions??[]})}}if(a){let t=e.headers.get(o)??e.headers.get(o.toLowerCase());if(t){let e=await a(t);if(e)return{auth:W(e,i)}}}return{auth:null}}).as(`scoped`)}function X(e){let{verifier:t,verifiers:n,jwt:r,defaultTenantId:i=`default`,apiKeyValidator:a,apiKeyHeader:o=`x-api-key`,publicPaths:s=[]}=e,c=K(t,n,r);return new b({name:`@longzai-intelligence-auth/required-composite-auth`}).derive(async({request:e})=>{if(q(new URL(e.url).pathname,s))return{auth:{authMethod:`jwt`,userId:``,tenantId:i,roles:[],permissions:[]}};let t=e.headers.get(`Authorization`),n=t?.startsWith(`Bearer `)?t.slice(7):null;if(n){let e=await J(c,n);if(e)return g.parse(e.payload),{auth:U({userId:e.payload.sub,tenantId:e.payload.tenantId??i,roles:e.payload.roles??[],permissions:e.payload.permissions??[]})}}if(a){let t=e.headers.get(o)??e.headers.get(o.toLowerCase());if(t){let e=await a(t);if(e)return{auth:W(e,i)}}}throw Error(`认证失败：需要提供有效的 JWT Token 或 API Key`)}).as(`scoped`)}function Z(e){return e.headers.get(`x-forwarded-for`)?.split(`,`)[0]?.trim()??e.headers.get(`x-real-ip`)??`unknown`}function Q(e){let{limiter:t,logger:n}=e,r=e.keyGenerator??Z;return new b({name:`@longzai-intelligence-auth/rate-limit`}).derive(({request:e})=>({clientIp:r(e)})).derive(async({clientIp:e,request:r})=>{let i=new URL(r.url).pathname,a=`${e}:${i}`,o=await t.checkLimit(a);if(!o.allowed)throw n?.warn(`限流触发`,{clientIp:e,path:i}),new d;return{rateLimitRemaining:o.remaining}}).as(`global`)}function $(e={}){let{logger:n}=e;return new b({name:`@longzai-intelligence-auth/error-handler`}).onError(({code:e,error:r,set:i})=>{if(r instanceof t)return i.status=x(r),{code:r.code,message:r.message,...r.context&&Object.keys(r.context).length>0?{details:r.context}:{}};switch(e){case`VALIDATION`:return i.status=400,{code:`VALIDATION_ERROR`,message:`请求参数验证失败`,details:r.all.map(e=>({path:e.path,message:e.summary}))};case`NOT_FOUND`:return i.status=404,{code:`NOT_FOUND`,message:`未找到请求的资源`};case`PARSE`:return i.status=400,{code:`PARSE_ERROR`,message:`请求数据解析失败`};default:return n?.error(`未预期的错误`,{error:r instanceof Error?r.message:String(r),stack:r instanceof Error?r.stack:void 0}),i.status=500,{code:`INTERNAL_ERROR`,message:`服务器内部错误`}}}).as(`global`)}function ee(e){let{logger:t}=e;return new b({name:`@longzai-intelligence-auth/logger`}).onRequest(({request:e})=>{t.info(`${e.method} ${e.url}`)}).onAfterResponse(({request:e,set:n})=>{t.info(`${e.method} ${e.url} ${n.status}`)}).onError(({request:e,error:n})=>{t.error(`${e.method} ${e.url} 请求错误`,{error:n instanceof Error?n.message:String(n)})}).as(`global`)}function te(e){return new b({name:`@longzai-intelligence-auth/basic-preset`}).use(P({verifier:e.tokenVerifier,defaultTenantId:e.defaultTenantId,publicPaths:e.publicPaths,extendSchema:e.extendSchema})).use($({logger:e.logger}))}function ne(e){let t=e.apiKeyValidator?X({verifier:e.tokenVerifier,defaultTenantId:e.defaultTenantId,publicPaths:e.publicPaths,apiKeyValidator:e.apiKeyValidator}):P({verifier:e.tokenVerifier,defaultTenantId:e.defaultTenantId,publicPaths:e.publicPaths,extendSchema:e.extendSchema}),n=new b({name:`@longzai-intelligence-auth/standard-preset`}).use(t).use(B({userRole:e.userRole}));return e.rateLimiter&&n.use(Q({limiter:e.rateLimiter,logger:e.logger})),n.use($({logger:e.logger}))}function re(e){return e.headers.get(`x-forwarded-for`)?.split(`,`)[0]?.trim()??e.headers.get(`x-real-ip`)??void 0}function ie(e){return e.headers.get(`user-agent`)??void 0}export{V as createApiKeyPlugin,te as createBasicPreset,T as createBearerExtractor,Y as createCompositeAuthPlugin,w as createCookieExtractor,O as createCookieJwtVerifier,$ as createErrorHandlerPlugin,H as createInMemoryApiKeyValidator,P as createJwtVerifyPlugin,ee as createLoggerPlugin,L as createOptionalJwtPlugin,Q as createRateLimitPlugin,B as createRbacPlugin,X as createRequiredCompositeAuthPlugin,ne as createStandardPreset,C as createStaticTokenVerifier,re as extractClientIp,ie as extractUserAgent,x as mapDomainErrorToStatus};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@longzai-intelligence-auth/elysia",
-  "version": "0.0.5",
+  "version": "0.0.7",
   "license": "UNLICENSED",
   "type": "module",
   "sideEffects": false,
@@ -33,11 +33,11 @@
     "test:coverage": "bun test --coverage",
     "test:unit": "bun test src/__tests__/unit/",
     "test:integration": "bun test src/__tests__/integration/",
-    "clean": "rm -rf dist out .cache"
+    "clean": "rimraf dist out .cache"
   },
   "dependencies": {
-    "@longzai-intelligence-auth/core": "0.0.5",
-    "@longzai-intelligence-auth/jwt": "0.0.5",
+    "@longzai-intelligence-auth/core": "0.0.7",
+    "@longzai-intelligence-auth/jwt": "0.0.7",
     "@longzai-intelligence/error": "^0.0.5",
     "@elysiajs/bearer": "^1.3",
     "zod": "^3.24"