@nocobase/plugin-auth 1.6.0-alpha.3 → 1.6.0-alpha.30

package/dist/node_modules/cron/package.json

@@ -1 +1 @@
-{"name":"cron","description":"Cron jobs for your node","version":"2.4.4","author":"Nick Campbell <nicholas.j.campbell@gmail.com> (https://github.com/ncb000gt)","bugs":{"url":"https://github.com/kelektiv/node-cron/issues"},"repository":{"type":"git","url":"https://github.com/kelektiv/node-cron.git"},"main":"lib/cron","scripts":{"lint":"eslint {lib,tests}/*.js","test":"jest --coverage","test:watch":"jest --watch --coverage","test:types":"tsd","prepare":"husky install","release":"semantic-release"},"types":"types/index.d.ts","dependencies":{"@types/luxon":"~3.3.0","luxon":"~3.3.0"},"devDependencies":{"@commitlint/cli":"~17.6.6","@insurgentlab/commitlint-config":"^18.1.0","@insurgentlab/conventional-changelog-preset":"~6.0.3","@semantic-release/changelog":"~6.0.x","@semantic-release/commit-analyzer":"~9.0.x","@semantic-release/git":"~10.0.x","@semantic-release/github":"~8.1.x","@semantic-release/npm":"~10.0.x","@semantic-release/release-notes-generator":"~11.0.x","chai":"~4.2.x","eslint":"~8.36.x","eslint-config-prettier":"^8.7.x","eslint-config-standard":"~17.0.x","eslint-plugin-import":"~2.27.x","eslint-plugin-jest":"~27.2.x","eslint-plugin-n":"~15.6.x","eslint-plugin-prettier":"~4.2.x","eslint-plugin-promise":"~6.1.x","husky":"^8.0.3","jest":"~29.5.x","prettier":"~2.8.x","semantic-release":"~21.0.x","sinon":"^15.0.x","tsd":"^0.28.1"},"keywords":["cron","node cron","node-cron","schedule","scheduler","cronjob","cron job"],"license":"MIT","contributors":["Brandon der Blätter <https://interlucid.com/contact/> (https://github.com/intcreator)","Romain Beauxis <toots@rastageeks.org> (https://github.com/toots)","James Padolsey <> (https://github.com/jamespadolsey)","Finn Herpich <fh@three-heads.de> (https://github.com/ErrorProne)","Clifton Cunningham <clifton.cunningham@gmail.com> (https://github.com/cliftonc)","Eric Abouaf <eric.abouaf@gmail.com> (https://github.com/neyric)","humanchimp <morphcham@gmail.com> (https://github.com/humanchimp)","Craig Condon <craig@spiceapps.com> (https://github.com/spiceapps)","Dan Bear <daniel@hulu.com> (https://github.com/danhbear)","Vadim Baryshev <vadimbaryshev@gmail.com> (https://github.com/baryshev)","Leandro Ferrari <lfthomaz@gmail.com> (https://github.com/lfthomaz)","Gregg Zigler <greggzigler@gmail.com> (https://github.com/greggzigler)","Jordan Abderrachid <jabderrachid@gmail.com> (https://github.com/jordanabderrachid)","Masakazu Matsushita <matsukaz@gmail.com> (matsukaz)","Christopher Lunt <me@kirisu.co.uk> (https://github.com/kirisu)"],"jest":{"collectCoverage":true,"collectCoverageFrom":["lib/*.js"],"coverageThreshold":{"global":{"statements":80,"branches":80,"functions":70,"lines":80}}},"files":["lib","types","CHANGELOG.md","LICENSE","README.md"],"_lastModified":"2024-12-09T02:48:56.427Z"}
+{"name":"cron","description":"Cron jobs for your node","version":"2.4.4","author":"Nick Campbell <nicholas.j.campbell@gmail.com> (https://github.com/ncb000gt)","bugs":{"url":"https://github.com/kelektiv/node-cron/issues"},"repository":{"type":"git","url":"https://github.com/kelektiv/node-cron.git"},"main":"lib/cron","scripts":{"lint":"eslint {lib,tests}/*.js","test":"jest --coverage","test:watch":"jest --watch --coverage","test:types":"tsd","prepare":"husky install","release":"semantic-release"},"types":"types/index.d.ts","dependencies":{"@types/luxon":"~3.3.0","luxon":"~3.3.0"},"devDependencies":{"@commitlint/cli":"~17.6.6","@insurgentlab/commitlint-config":"^18.1.0","@insurgentlab/conventional-changelog-preset":"~6.0.3","@semantic-release/changelog":"~6.0.x","@semantic-release/commit-analyzer":"~9.0.x","@semantic-release/git":"~10.0.x","@semantic-release/github":"~8.1.x","@semantic-release/npm":"~10.0.x","@semantic-release/release-notes-generator":"~11.0.x","chai":"~4.2.x","eslint":"~8.36.x","eslint-config-prettier":"^8.7.x","eslint-config-standard":"~17.0.x","eslint-plugin-import":"~2.27.x","eslint-plugin-jest":"~27.2.x","eslint-plugin-n":"~15.6.x","eslint-plugin-prettier":"~4.2.x","eslint-plugin-promise":"~6.1.x","husky":"^8.0.3","jest":"~29.5.x","prettier":"~2.8.x","semantic-release":"~21.0.x","sinon":"^15.0.x","tsd":"^0.28.1"},"keywords":["cron","node cron","node-cron","schedule","scheduler","cronjob","cron job"],"license":"MIT","contributors":["Brandon der Blätter <https://interlucid.com/contact/> (https://github.com/intcreator)","Romain Beauxis <toots@rastageeks.org> (https://github.com/toots)","James Padolsey <> (https://github.com/jamespadolsey)","Finn Herpich <fh@three-heads.de> (https://github.com/ErrorProne)","Clifton Cunningham <clifton.cunningham@gmail.com> (https://github.com/cliftonc)","Eric Abouaf <eric.abouaf@gmail.com> (https://github.com/neyric)","humanchimp <morphcham@gmail.com> (https://github.com/humanchimp)","Craig Condon <craig@spiceapps.com> (https://github.com/spiceapps)","Dan Bear <daniel@hulu.com> (https://github.com/danhbear)","Vadim Baryshev <vadimbaryshev@gmail.com> (https://github.com/baryshev)","Leandro Ferrari <lfthomaz@gmail.com> (https://github.com/lfthomaz)","Gregg Zigler <greggzigler@gmail.com> (https://github.com/greggzigler)","Jordan Abderrachid <jabderrachid@gmail.com> (https://github.com/jordanabderrachid)","Masakazu Matsushita <matsukaz@gmail.com> (matsukaz)","Christopher Lunt <me@kirisu.co.uk> (https://github.com/kirisu)"],"jest":{"collectCoverage":true,"collectCoverageFrom":["lib/*.js"],"coverageThreshold":{"global":{"statements":80,"branches":80,"functions":70,"lines":80}}},"files":["lib","types","CHANGELOG.md","LICENSE","README.md"],"_lastModified":"2025-03-07T08:30:20.403Z"}

package/dist/node_modules/ms/index.js

@@ -0,0 +1 @@
+(function(){var e={900:function(e){var r=1e3;var s=r*60;var a=s*60;var n=a*24;var t=n*7;var u=n*365.25;e.exports=function(e,r){r=r||{};var s=typeof e;if(s==="string"&&e.length>0){return parse(e)}else if(s==="number"&&isFinite(e)){return r.long?fmtLong(e):fmtShort(e)}throw new Error("val is not a non-empty string or a valid number. val="+JSON.stringify(e))};function parse(e){e=String(e);if(e.length>100){return}var c=/^(-?(?:\d+)?\.?\d+) *(milliseconds?|msecs?|ms|seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)?$/i.exec(e);if(!c){return}var i=parseFloat(c[1]);var o=(c[2]||"ms").toLowerCase();switch(o){case"years":case"year":case"yrs":case"yr":case"y":return i*u;case"weeks":case"week":case"w":return i*t;case"days":case"day":case"d":return i*n;case"hours":case"hour":case"hrs":case"hr":case"h":return i*a;case"minutes":case"minute":case"mins":case"min":case"m":return i*s;case"seconds":case"second":case"secs":case"sec":case"s":return i*r;case"milliseconds":case"millisecond":case"msecs":case"msec":case"ms":return i;default:return undefined}}function fmtShort(e){var t=Math.abs(e);if(t>=n){return Math.round(e/n)+"d"}if(t>=a){return Math.round(e/a)+"h"}if(t>=s){return Math.round(e/s)+"m"}if(t>=r){return Math.round(e/r)+"s"}return e+"ms"}function fmtLong(e){var t=Math.abs(e);if(t>=n){return plural(e,t,n,"day")}if(t>=a){return plural(e,t,a,"hour")}if(t>=s){return plural(e,t,s,"minute")}if(t>=r){return plural(e,t,r,"second")}return e+" ms"}function plural(e,r,s,a){var n=r>=s*1.5;return Math.round(e/s)+" "+a+(n?"s":"")}}};var r={};function __nccwpck_require__(s){var a=r[s];if(a!==undefined){return a.exports}var n=r[s]={exports:{}};var t=true;try{e[s](n,n.exports,__nccwpck_require__);t=false}finally{if(t)delete r[s]}return n.exports}if(typeof __nccwpck_require__!=="undefined")__nccwpck_require__.ab=__dirname+"/";var s=__nccwpck_require__(900);module.exports=s})();

package/dist/node_modules/ms/package.json

@@ -0,0 +1 @@
+{"name":"ms","version":"2.1.3","description":"Tiny millisecond conversion utility","repository":"vercel/ms","main":"./index","files":["index.js"],"scripts":{"precommit":"lint-staged","lint":"eslint lib/* bin/*","test":"mocha tests.js"},"eslintConfig":{"extends":"eslint:recommended","env":{"node":true,"es6":true}},"lint-staged":{"*.js":["npm run lint","prettier --single-quote --write","git add"]},"license":"MIT","devDependencies":{"eslint":"4.18.2","expect.js":"0.3.1","husky":"0.14.3","lint-staged":"5.0.0","mocha":"4.0.1","prettier":"2.0.5"},"_lastModified":"2025-03-07T08:30:20.491Z"}

package/dist/server/actions/auth.js

@@ -45,6 +45,12 @@ var auth_default = {
   //   await next();
   // },
   changePassword: async (ctx, next) => {
+    const systemSettings = ctx.db.getRepository("systemSettings");
+    const settings = await systemSettings.findOne();
+    const enableChangePassword = settings.get("enableChangePassword");
+    if (enableChangePassword === false) {
+      ctx.throw(403, ctx.t("Password is not allowed to be changed", { ns: import_preset.namespace }));
+    }
     const {
       values: { oldPassword, newPassword, confirmPassword }
     } = ctx.action.params;
@@ -61,7 +67,8 @@ var auth_default = {
     } else {
       key = "email";
     }
-    const user = await ctx.db.getRepository("users").findOne({
+    const UserRepo = ctx.db.getRepository("users");
+    const user = await UserRepo.findOne({
       where: {
         [key]: currentUser[key]
       }
@@ -71,8 +78,12 @@ var auth_default = {
     if (!isValid) {
       ctx.throw(401, ctx.t("The password is incorrect, please re-enter", { ns: import_preset.namespace }));
     }
-    user.password = newPassword;
-    await user.save();
+    await UserRepo.update({
+      filterByTk: user.id,
+      values: {
+        password: newPassword
+      }
+    });
     ctx.body = currentUser;
     await next();
   }

package/dist/server/basic-auth.js

@@ -72,7 +72,10 @@ class BasicAuth extends import_auth.BaseAuth {
     const field = this.userCollection.getField("password");
     const valid = await field.verify(password, user.password);
     if (!valid) {
-      ctx.throw(401, ctx.t("The username/email or password is incorrect, please re-enter", { ns: import_preset.namespace }));
+      ctx.throw(401, ctx.t("The username/email or password is incorrect, please re-enter", { ns: import_preset.namespace }), {
+        code: "INCORRECT_PASSWORD",
+        user
+      });
     }
     return user;
   }

package/dist/server/collections/authenticators.js

@@ -34,6 +34,7 @@ var authenticators_default = (0, import_database.defineCollection)({
   dumpRules: {
     group: "third-party"
   },
+  migrationRules: ["overwrite", "schema-only"],
   shared: true,
   name: "authenticators",
   sortable: true,

package/dist/server/collections/issued-tokens.d.ts

@@ -0,0 +1,10 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+declare const _default: import("@nocobase/database").CollectionOptions;
+export default _default;

package/dist/server/collections/issued-tokens.js

@@ -0,0 +1,70 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var issued_tokens_exports = {};
+__export(issued_tokens_exports, {
+  default: () => issued_tokens_default
+});
+module.exports = __toCommonJS(issued_tokens_exports);
+var import_database = require("@nocobase/database");
+var import_constants = require("../../constants");
+var issued_tokens_default = (0, import_database.defineCollection)({
+  name: import_constants.issuedTokensCollectionName,
+  migrationRules: ["schema-only"],
+  autoGenId: false,
+  createdAt: true,
+  updatedAt: true,
+  fields: [
+    {
+      name: "id",
+      type: "uuid",
+      primaryKey: true,
+      allowNull: false,
+      interface: "input"
+    },
+    {
+      type: "bigInt",
+      name: "signInTime",
+      allowNull: false
+    },
+    {
+      name: "jti",
+      type: "uuid",
+      allowNull: false,
+      index: true
+    },
+    {
+      type: "bigInt",
+      name: "issuedTime",
+      allowNull: false
+    },
+    {
+      type: "bigInt",
+      name: "userId",
+      allowNull: false
+    }
+  ]
+});

package/dist/server/collections/token-blacklist.js

@@ -34,6 +34,7 @@ var token_blacklist_default = (0, import_database.defineCollection)({
   dumpRules: {
     group: "log"
   },
+  migrationRules: ["schema-only"],
   shared: true,
   name: "tokenBlacklist",
   model: "TokenBlacklistModel",

package/dist/server/collections/token-poilcy-config.d.ts

@@ -0,0 +1,10 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+declare const _default: import("@nocobase/database").CollectionOptions;
+export default _default;

package/dist/server/collections/token-poilcy-config.js

@@ -0,0 +1,57 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var token_poilcy_config_exports = {};
+__export(token_poilcy_config_exports, {
+  default: () => token_poilcy_config_default
+});
+module.exports = __toCommonJS(token_poilcy_config_exports);
+var import_database = require("@nocobase/database");
+var import_constants = require("../../constants");
+var token_poilcy_config_default = (0, import_database.defineCollection)({
+  name: import_constants.tokenPolicyCollectionName,
+  migrationRules: ["overwrite", "schema-only"],
+  autoGenId: false,
+  createdAt: true,
+  createdBy: true,
+  updatedAt: true,
+  updatedBy: true,
+  fields: [
+    {
+      name: "key",
+      type: "string",
+      primaryKey: true,
+      allowNull: false,
+      interface: "input"
+    },
+    {
+      type: "json",
+      name: "config",
+      allowNull: false,
+      defaultValue: {}
+    }
+  ]
+});

package/dist/server/collections/users-authenticators.js

@@ -35,6 +35,7 @@ var users_authenticators_default = (0, import_database.defineCollection)({
     group: "user"
   },
   shared: true,
+  migrationRules: ["schema-only", "overwrite"],
   name: "usersAuthenticators",
   model: "UserAuthModel",
   createdBy: true,

package/dist/server/index.d.ts

@@ -8,4 +8,6 @@
  */
 export { BasicAuth } from './basic-auth';
 export { AuthModel } from './model/authenticator';
+export { presetAuthType } from '../preset';
 export { default } from './plugin';
+export * from '../constants';

package/dist/server/index.js

@@ -25,6 +25,7 @@ var __copyProps = (to, from, except, desc) => {
   }
   return to;
 };
+var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
 var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
   // If the importer is in node compatibility mode or this is not an ESM
   // file that has been converted to a CommonJS file using a Babel-
@@ -38,14 +39,19 @@ var server_exports = {};
 __export(server_exports, {
   AuthModel: () => import_authenticator.AuthModel,
   BasicAuth: () => import_basic_auth.BasicAuth,
-  default: () => import_plugin.default
+  default: () => import_plugin.default,
+  presetAuthType: () => import_preset.presetAuthType
 });
 module.exports = __toCommonJS(server_exports);
 var import_basic_auth = require("./basic-auth");
 var import_authenticator = require("./model/authenticator");
+var import_preset = require("../preset");
 var import_plugin = __toESM(require("./plugin"));
+__reExport(server_exports, require("../constants"), module.exports);
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AuthModel,
-  BasicAuth
+  BasicAuth,
+  presetAuthType,
+  ...require("../constants")
 });

package/dist/server/migrations/20241229080941-create-token-policy-config.d.ts

@@ -0,0 +1,14 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+import { Migration } from '@nocobase/server';
+export default class extends Migration {
+    on: string;
+    appVersion: string;
+    up(): Promise<void>;
+}

package/dist/server/migrations/20241229080941-create-token-policy-config.js

@@ -0,0 +1,58 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var create_token_policy_config_exports = {};
+__export(create_token_policy_config_exports, {
+  default: () => create_token_policy_config_default
+});
+module.exports = __toCommonJS(create_token_policy_config_exports);
+var import_server = require("@nocobase/server");
+var import_constants = require("../../constants");
+class create_token_policy_config_default extends import_server.Migration {
+  on = "afterLoad";
+  // 'beforeLoad' or 'afterLoad'
+  appVersion = "<1.6.1";
+  async up() {
+    const tokenPolicyRepo = this.app.db.getRepository(import_constants.tokenPolicyCollectionName);
+    const tokenPolicy = await tokenPolicyRepo.findOne({ filterByTk: import_constants.tokenPolicyRecordKey });
+    if (tokenPolicy) {
+      this.app.authManager.tokenController.setConfig(tokenPolicy.config);
+    } else {
+      const config = {
+        tokenExpirationTime: "1d",
+        sessionExpirationTime: "7d",
+        expiredTokenRenewLimit: "1d"
+      };
+      await tokenPolicyRepo.create({
+        values: {
+          key: import_constants.tokenPolicyRecordKey,
+          config
+        }
+      });
+      this.app.authManager.tokenController.setConfig(config);
+    }
+  }
+}

package/dist/server/plugin.js

@@ -41,6 +41,7 @@ __export(plugin_exports, {
 });
 module.exports = __toCommonJS(plugin_exports);
 var import_server = require("@nocobase/server");
+var import_utils = require("@nocobase/utils");
 var import_preset = require("../preset");
 var import_auth = __toESM(require("./actions/auth"));
 var import_authenticators = __toESM(require("./actions/authenticators"));
@@ -48,10 +49,31 @@ var import_basic_auth = require("./basic-auth");
 var import_authenticator = require("./model/authenticator");
 var import_storer = require("./storer");
 var import_token_blacklist = require("./token-blacklist");
-var import_utils = require("@nocobase/utils");
+var import_token_controller = require("./token-controller");
+var import_constants = require("../constants");
 class PluginAuthServer extends import_server.Plugin {
   cache;
   afterAdd() {
+    this.app.on("afterLoad", async () => {
+      if (this.app.authManager.tokenController) {
+        return;
+      }
+      const cache = await this.app.cacheManager.createCache({
+        name: "auth-token-controller",
+        prefix: "auth-token-controller"
+      });
+      const tokenController = new import_token_controller.TokenController({ cache, app: this.app, logger: this.app.log });
+      this.app.authManager.setTokenControlService(tokenController);
+      const tokenPolicyRepo = this.app.db.getRepository(import_constants.tokenPolicyCollectionName);
+      try {
+        const res = await tokenPolicyRepo.findOne({ filterByTk: import_constants.tokenPolicyRecordKey });
+        if (res) {
+          this.app.authManager.tokenController.setConfig(res.config);
+        }
+      } catch (error) {
+        this.app.logger.warn("access control config not exist, use default value");
+      }
+    });
   }
   async beforeLoad() {
     this.app.db.registerModels({ AuthModel: import_authenticator.AuthModel });
@@ -63,8 +85,10 @@ class PluginAuthServer extends import_server.Plugin {
       store: "memory"
     });
     const storer = new import_storer.Storer({
+      app: this.app,
       db: this.db,
-      cache: this.cache
+      cache: this.cache,
+      authManager: this.app.authManager
     });
     this.app.authManager.setStorer(storer);
     if (!this.app.authManager.jwt.blacklist) {
@@ -109,8 +133,8 @@ class PluginAuthServer extends import_server.Plugin {
     Object.entries(import_authenticators.default).forEach(
       ([action, handler]) => this.app.resourceManager.registerActionHandler(`authenticators:${action}`, handler)
     );
-    ["check", "signIn", "signUp"].forEach((action) => this.app.acl.allow("auth", action));
-    ["signOut", "changePassword"].forEach((action) => this.app.acl.allow("auth", action, "loggedIn"));
+    ["signIn", "signUp"].forEach((action) => this.app.acl.allow("auth", action));
+    ["check", "signOut", "changePassword"].forEach((action) => this.app.acl.allow("auth", action, "loggedIn"));
     this.app.acl.allow("authenticators", "publicList");
     this.app.acl.registerSnippet({
       name: `pm.${this.name}.authenticators`,
@@ -127,11 +151,54 @@ class PluginAuthServer extends import_server.Plugin {
     this.app.on("cache:del:auth", async ({ userId }) => {
       await this.cache.del(`auth:${userId}`);
     });
+    this.app.on("ws:message:auth:token", async ({ clientId, payload }) => {
+      if (!payload || !payload.token || !payload.authenticator) {
+        this.app.emit(`ws:removeTag`, {
+          clientId,
+          tagKey: "userId"
+        });
+        return;
+      }
+      const auth = await this.app.authManager.get(payload.authenticator, {
+        getBearerToken: () => payload.token,
+        app: this.app,
+        db: this.app.db,
+        cache: this.app.cache,
+        logger: this.app.logger,
+        log: this.app.log,
+        throw: (...args) => {
+          throw new Error(...args);
+        },
+        t: this.app.i18n.t
+      });
+      let user;
+      try {
+        user = (await auth.checkToken()).user;
+      } catch (error) {
+        if (!user) {
+          this.app.logger.error(error);
+          this.app.emit(`ws:removeTag`, {
+            clientId,
+            tagKey: "userId"
+          });
+          return;
+        }
+      }
+      this.app.emit(`ws:setTag`, {
+        clientId,
+        tagKey: "userId",
+        tagValue: user.id
+      });
+      this.app.emit(`ws:authorized`, {
+        clientId,
+        userId: user.id
+      });
+    });
     this.app.auditManager.registerActions([
       {
         name: "auth:signIn",
         getMetaData: async (ctx) => {
-          var _a, _b, _c, _d, _e, _f;
+          var _a;
           let body = {};
           if (ctx.status === 200) {
             body = {
@@ -145,20 +212,10 @@ class PluginAuthServer extends import_server.Plugin {
           }
           return {
             request: {
-              params: (_a = ctx.request) == null ? void 0 : _a.params,
               body: {
-                ...(_b = ctx.request) == null ? void 0 : _b.body,
+                ...(_a = ctx.request) == null ? void 0 : _a.body,
                 password: void 0
-              },
-              path: (_c = ctx.request) == null ? void 0 : _c.path,
-              headers: {
-                "x-authenticator": (_d = ctx.request) == null ? void 0 : _d.headers["x-authenticator"],
-                "x-locale": (_e = ctx.request) == null ? void 0 : _e.headers["x-locale"],
-                "x-timezone": (_f = ctx.request) == null ? void 0 : _f.headers["x-timezone"]
               }
-            },
-            response: {
-              body
             }
           };
         },
@@ -193,26 +250,13 @@ class PluginAuthServer extends import_server.Plugin {
       {
         name: "auth:signUp",
         getMetaData: async (ctx) => {
-          var _a, _b, _c, _d, _e, _f, _g;
+          var _a;
           return {
             request: {
-              params: (_a = ctx.request) == null ? void 0 : _a.params,
               body: {
-                ...(_b = ctx.request) == null ? void 0 : _b.body,
+                ...(_a = ctx.request) == null ? void 0 : _a.body,
                 password: void 0,
                 confirm_password: void 0
-              },
-              path: (_c = ctx.request) == null ? void 0 : _c.path,
-              headers: {
-                "x-authenticator": (_d = ctx.request) == null ? void 0 : _d.headers["x-authenticator"],
-                "x-locale": (_e = ctx.request) == null ? void 0 : _e.headers["x-locale"],
-                "x-timezone": (_f = ctx.request) == null ? void 0 : _f.headers["x-timezone"]
-              }
-            },
-            response: {
-              body: {
-                ...(_g = ctx.response) == null ? void 0 : _g.body,
-                token: void 0
               }
             }
           };
@@ -221,18 +265,9 @@ class PluginAuthServer extends import_server.Plugin {
       {
         name: "auth:changePassword",
         getMetaData: async (ctx) => {
-          var _a, _b, _c;
           return {
             request: {
-              params: ctx.request.params,
-              query: ctx.request.query,
-              body: {},
-              path: ctx.request.path,
-              headers: {
-                "x-authenticator": (_a = ctx.request) == null ? void 0 : _a.headers["x-authenticator"],
-                "x-locale": (_b = ctx.request) == null ? void 0 : _b.headers["x-locale"],
-                "x-timezone": (_c = ctx.request) == null ? void 0 : _c.headers["x-timezone"]
-              }
+              body: {}
             },
             response: {
               body: {}
@@ -248,24 +283,47 @@ class PluginAuthServer extends import_server.Plugin {
       },
       "auth:signOut"
     ]);
+    this.app.acl.registerSnippet({
+      name: `pm.security.token-policy`,
+      actions: [`${import_constants.tokenPolicyCollectionName}:*`]
+    });
+    this.app.db.on(`${import_constants.tokenPolicyCollectionName}.afterSave`, async (model) => {
+      var _a;
+      (_a = this.app.authManager.tokenController) == null ? void 0 : _a.setConfig(model.config);
+    });
   }
   async install(options) {
-    const repository = this.db.getRepository("authenticators");
-    const exist = await repository.findOne({ filter: { name: import_preset.presetAuthenticator } });
-    if (exist) {
+    const authRepository = this.db.getRepository("authenticators");
+    const exist = await authRepository.findOne({ filter: { name: import_preset.presetAuthenticator } });
+    if (!exist) {
+      await authRepository.create({
+        values: {
+          name: import_preset.presetAuthenticator,
+          authType: import_preset.presetAuthType,
+          description: "Sign in with username/email.",
+          enabled: true,
+          options: {
+            public: {
+              allowSignUp: true
+            }
+          }
+        }
+      });
+    }
+    const tokenPolicyRepo = this.app.db.getRepository(import_constants.tokenPolicyCollectionName);
+    const res = await tokenPolicyRepo.findOne({ filterByTk: import_constants.tokenPolicyRecordKey });
+    if (res) {
       return;
     }
-    await repository.create({
+    const config = {
+      tokenExpirationTime: "1d",
+      sessionExpirationTime: "7d",
+      expiredTokenRenewLimit: "1d"
+    };
+    await tokenPolicyRepo.create({
       values: {
-        name: import_preset.presetAuthenticator,
-        authType: import_preset.presetAuthType,
-        description: "Sign in with username/email.",
-        enabled: true,
-        options: {
-          public: {
-            allowSignUp: true
-          }
-        }
+        key: import_constants.tokenPolicyRecordKey,
+        config
       }
     });
   }

package/dist/server/storer.d.ts

@@ -6,18 +6,24 @@
  * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
  * For more information, please refer to: https://www.nocobase.com/agreement.
  */
-import { Storer as IStorer } from '@nocobase/auth';
+import { AuthManager, Storer as IStorer } from '@nocobase/auth';
 import { Cache } from '@nocobase/cache';
 import { Database } from '@nocobase/database';
+import { Application } from '@nocobase/server';
 import { AuthModel } from './model/authenticator';
 export declare class Storer implements IStorer {
     db: Database;
     cache: Cache;
+    app: Application;
+    authManager: AuthManager;
     key: string;
-    constructor({ db, cache }: {
+    constructor({ app, db, cache, authManager, }: {
+        app?: Application;
         db: Database;
         cache: Cache;
+        authManager: AuthManager;
     });
+    renderJsonTemplate(authenticator: any): any;
     getCache(): Promise<AuthModel[]>;
     setCache(authenticators: AuthModel[]): Promise<void>;
     get(name: string): Promise<AuthModel>;