@nocobase/auth 1.6.0-beta.9 → 1.7.0-alpha.1

package/lib/auth.d.ts

@@ -56,6 +56,14 @@ export declare abstract class Auth implements IAuth {
     constructor(config: AuthConfig);
     skipCheck(): Promise<any>;
     abstract check(): Promise<Model>;
+    abstract checkToken(): Promise<{
+        tokenStatus: 'valid' | 'expired' | 'invalid';
+        user: Awaited<ReturnType<Auth['check']>>;
+        jti?: string;
+        temp: any;
+        roleName?: any;
+        signInTime?: number;
+    }>;
     signIn(): Promise<any>;
     signUp(): Promise<any>;
     signOut(): Promise<any>;

package/lib/auth.js

@@ -64,6 +64,9 @@ const _Auth = class _Auth {
     this.ctx = ctx;
   }
   async skipCheck() {
+    if (this.ctx.skipAuthCheck === true) {
+      return true;
+    }
     const token = this.ctx.getBearerToken();
     if (!token && this.ctx.app.options.acl === false) {
       return true;

package/lib/base/auth.d.ts

@@ -35,8 +35,17 @@ export declare class BaseAuth extends Auth {
      * @internal
      */
     validateUsername(username: string): boolean;
+    checkToken(): Promise<{
+        tokenStatus: 'valid' | 'expired' | 'invalid';
+        user: Awaited<ReturnType<Auth['check']>>;
+        jti?: string;
+        temp: any;
+        roleName?: any;
+        signInTime?: number;
+    }>;
     check(): ReturnType<Auth['check']>;
     validate(): Promise<Model>;
+    signNewToken(userId: number): Promise<string>;
     signIn(): Promise<{
         user: Model<any, any>;
         token: string;

package/lib/base/auth.js

@@ -80,8 +80,9 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
   validateUsername(username) {
     return /^[^@.<>"'/]{1,50}$/.test(username);
   }
-  async check() {
-    var _a, _b, _c, _d, _e, _f, _g, _h, _i;
+  async checkToken() {
+    var _a, _b, _c;
+    const cache = this.ctx.cache;
     const token = this.ctx.getBearerToken();
     if (!token) {
       this.ctx.throw(401, {
@@ -107,15 +108,23 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
       }
     }
     const { userId, roleName, iat, temp, jti, exp, signInTime } = payload ?? {};
-    const tokenPolicy = await this.tokenController.getConfig();
-    if (signInTime && Date.now() - signInTime > tokenPolicy.sessionExpirationTime) {
+    const user = userId ? await cache.wrap(
+      this.getCacheKey(userId),
+      () => this.userRepository.findOne({
+        filter: {
+          id: userId
+        },
+        raw: true
+      })
+    ) : null;
+    if (!user) {
       this.ctx.throw(401, {
-        message: this.ctx.t("Your session has expired. Please sign in again.", { ns: localeNamespace }),
-        code: import_auth.AuthErrorCode.EXPIRED_SESSION
+        message: this.ctx.t("User not found. Please sign in again to continue.", { ns: localeNamespace }),
+        code: import_auth.AuthErrorCode.NOT_EXIST_USER
       });
     }
-    if (tokenStatus === "valid" && Date.now() - iat * 1e3 > tokenPolicy.tokenExpirationTime) {
-      tokenStatus = "expired";
+    if (roleName) {
+      this.ctx.headers["x-role"] = roleName;
     }
     const blocked = await this.jwt.blacklist.has(jti ?? token);
     if (blocked) {
@@ -124,25 +133,26 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
         code: import_auth.AuthErrorCode.BLOCKED_TOKEN
       });
     }
-    if (roleName) {
-      this.ctx.headers["x-role"] = roleName;
+    if (!temp) {
+      if (tokenStatus === "valid") {
+        return { tokenStatus, user, temp };
+      } else {
+        this.ctx.throw(401, {
+          message: this.ctx.t("Your session has expired. Please sign in again.", { ns: localeNamespace }),
+          code: import_auth.AuthErrorCode.INVALID_TOKEN
+        });
+      }
     }
-    const cache = this.ctx.cache;
-    const user = await cache.wrap(
-      this.getCacheKey(userId),
-      () => this.userRepository.findOne({
-        filter: {
-          id: userId
-        },
-        raw: true
-      })
-    );
-    if (!temp && tokenStatus !== "valid") {
+    const tokenPolicy = await this.tokenController.getConfig();
+    if (signInTime && Date.now() - signInTime > tokenPolicy.sessionExpirationTime) {
       this.ctx.throw(401, {
         message: this.ctx.t("Your session has expired. Please sign in again.", { ns: localeNamespace }),
-        code: import_auth.AuthErrorCode.INVALID_TOKEN
+        code: import_auth.AuthErrorCode.EXPIRED_SESSION
       });
     }
+    if (tokenStatus === "valid" && Date.now() - iat * 1e3 > tokenPolicy.tokenExpirationTime) {
+      tokenStatus = "expired";
+    }
     if (tokenStatus === "valid" && user.passwordChangeTz && iat * 1e3 < user.passwordChangeTz) {
       this.ctx.throw(401, {
         message: this.ctx.t("User password changed, please signin again.", { ns: localeNamespace }),
@@ -156,13 +166,39 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
           code: import_auth.AuthErrorCode.EXPIRED_SESSION
         });
       }
+      this.ctx.logger.info("token renewing", {
+        method: "auth.check",
+        url: this.ctx.originalUrl,
+        currentJti: jti
+      });
+      const isStreamRequest = ((_c = (_b = (_a = this.ctx) == null ? void 0 : _a.req) == null ? void 0 : _b.headers) == null ? void 0 : _c.accept) === "text/event-stream";
+      if (isStreamRequest) {
+        this.ctx.throw(401, {
+          message: "Stream api not allow renew token.",
+          code: import_auth.AuthErrorCode.SKIP_TOKEN_RENEW
+        });
+      }
+      if (!jti) {
+        this.ctx.throw(401, {
+          message: this.ctx.t("Your session has expired. Please sign in again.", { ns: localeNamespace }),
+          code: import_auth.AuthErrorCode.INVALID_TOKEN
+        });
+      }
+      return { tokenStatus, user, jti, signInTime, temp };
+    }
+    return { tokenStatus, user, jti, signInTime, temp };
+  }
+  async check() {
+    var _a, _b, _c;
+    const { tokenStatus, user, jti, temp, signInTime, roleName } = await this.checkToken();
+    if (tokenStatus === "expired") {
+      const tokenPolicy = await this.tokenController.getConfig();
       try {
         this.ctx.logger.info("token renewing", {
           method: "auth.check",
-          url: this.ctx.originalUrl,
-          headers: JSON.stringify((_b = (_a = this.ctx) == null ? void 0 : _a.req) == null ? void 0 : _b.headers)
+          jti
         });
-        const isStreamRequest = ((_e = (_d = (_c = this.ctx) == null ? void 0 : _c.req) == null ? void 0 : _d.headers) == null ? void 0 : _e.accept) === "text/event-stream";
+        const isStreamRequest = ((_c = (_b = (_a = this.ctx) == null ? void 0 : _a.req) == null ? void 0 : _b.headers) == null ? void 0 : _c.accept) === "text/event-stream";
         if (isStreamRequest) {
           this.ctx.throw(401, {
             message: "Stream api not allow renew token.",
@@ -178,22 +214,19 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
         const renewedResult = await this.tokenController.renew(jti);
         this.ctx.logger.info("token renewed", {
           method: "auth.check",
-          url: this.ctx.originalUrl,
-          headers: JSON.stringify((_g = (_f = this.ctx) == null ? void 0 : _f.req) == null ? void 0 : _g.headers)
+          oldJti: jti,
+          newJti: renewedResult.jti
         });
         const expiresIn = Math.floor(tokenPolicy.tokenExpirationTime / 1e3);
         const newToken = this.jwt.sign(
-          { userId, roleName, temp, signInTime, iat: Math.floor(renewedResult.issuedTime / 1e3) },
+          { userId: user.id, roleName, temp, signInTime, iat: Math.floor(renewedResult.issuedTime / 1e3) },
           { jwtid: renewedResult.jti, expiresIn }
         );
         this.ctx.res.setHeader("x-new-token", newToken);
-        return user;
       } catch (err) {
-        this.ctx.logger.info("token renew failed", {
+        this.ctx.logger.error("token renew failed", {
           method: "auth.check",
-          url: this.ctx.originalUrl,
-          err,
-          headers: JSON.stringify((_i = (_h = this.ctx) == null ? void 0 : _h.req) == null ? void 0 : _i.headers)
+          jti
         });
         const options = err instanceof import_auth.AuthError ? { code: err.code, message: err.message } : { message: err.message, code: err.code ?? import_auth.AuthErrorCode.INVALID_TOKEN };
         this.ctx.throw(401, {
@@ -207,6 +240,23 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
   async validate() {
     return null;
   }
+  async signNewToken(userId) {
+    const tokenInfo = await this.tokenController.add({ userId });
+    const expiresIn = Math.floor((await this.tokenController.getConfig()).tokenExpirationTime / 1e3);
+    const token = this.jwt.sign(
+      {
+        userId,
+        temp: true,
+        iat: Math.floor(tokenInfo.issuedTime / 1e3),
+        signInTime: tokenInfo.signInTime
+      },
+      {
+        jwtid: tokenInfo.jti,
+        expiresIn
+      }
+    );
+    return token;
+  }
   async signIn() {
     let user;
     try {
@@ -222,20 +272,7 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
         code: import_auth.AuthErrorCode.NOT_EXIST_USER
       });
     }
-    const tokenInfo = await this.tokenController.add({ userId: user.id });
-    const expiresIn = Math.floor((await this.tokenController.getConfig()).tokenExpirationTime / 1e3);
-    const token = this.jwt.sign(
-      {
-        userId: user.id,
-        temp: true,
-        iat: Math.floor(tokenInfo.issuedTime / 1e3),
-        signInTime: tokenInfo.signInTime
-      },
-      {
-        jwtid: tokenInfo.jti,
-        expiresIn
-      }
-    );
+    const token = await this.signNewToken(user.id);
     return {
       user,
       token

package/package.json

@@ -1,16 +1,16 @@
 {
   "name": "@nocobase/auth",
-  "version": "1.6.0-beta.9",
+  "version": "1.7.0-alpha.1",
   "description": "",
   "license": "AGPL-3.0",
   "main": "./lib/index.js",
   "types": "./lib/index.d.ts",
   "dependencies": {
-    "@nocobase/actions": "1.6.0-beta.9",
-    "@nocobase/cache": "1.6.0-beta.9",
-    "@nocobase/database": "1.6.0-beta.9",
-    "@nocobase/resourcer": "1.6.0-beta.9",
-    "@nocobase/utils": "1.6.0-beta.9",
+    "@nocobase/actions": "1.7.0-alpha.1",
+    "@nocobase/cache": "1.7.0-alpha.1",
+    "@nocobase/database": "1.7.0-alpha.1",
+    "@nocobase/resourcer": "1.7.0-alpha.1",
+    "@nocobase/utils": "1.7.0-alpha.1",
     "@types/jsonwebtoken": "^8.5.8",
     "jsonwebtoken": "^8.5.1"
   },
@@ -19,5 +19,5 @@
     "url": "git+https://github.com/nocobase/nocobase.git",
     "directory": "packages/auth"
   },
-  "gitHead": "eb1ff948fcf7a51175626a1a56a8b8d9b90be006"
+  "gitHead": "e411c9728b4d1f16b0beac16e40dd3499352b052"
 }