@tachybase/auth 1.6.0-alpha.9 → 1.6.1-alpha.0

package/lib/auth-manager.d.ts

@@ -4,6 +4,7 @@ import { Auth, AuthExtend } from './auth';
 import { JwtOptions, JwtService } from './base/jwt-service';
 import { ITokenBlacklistService } from './base/token-blacklist-service';
 import { ITokenControlService } from './base/token-control-service';
+import { IUserStatusService } from './base/user-status-service';
 export interface Authenticator {
     authType: string;
     options: Record<string, any>;
@@ -25,6 +26,7 @@ type AuthConfig = {
 export declare class AuthManager {
     jwt: JwtService;
     tokenController: ITokenControlService;
+    userStatusService: IUserStatusService;
     protected options: AuthManagerOptions;
     protected authTypes: Registry<AuthConfig>;
     protected storer: Storer;
@@ -32,6 +34,7 @@ export declare class AuthManager {
     setStorer(storer: Storer): void;
     setTokenBlacklistService(service: ITokenBlacklistService): void;
     setTokenControlService(service: ITokenControlService): void;
+    setUserStatusService(service: IUserStatusService): void;
     /**
      * registerTypes
      * @description Add a new authenticate type and the corresponding authenticator.

package/lib/auth-manager.js

@@ -38,6 +38,9 @@ const _AuthManager = class _AuthManager {
   setTokenControlService(service) {
     this.tokenController = service;
   }
+  setUserStatusService(service) {
+    this.userStatusService = service;
+  }
   /**
    * registerTypes
    * @description Add a new authenticate type and the corresponding authenticator.

package/lib/auth.d.ts

@@ -17,6 +17,7 @@ export declare const AuthErrorCode: {
     EXPIRED_SESSION: "EXPIRED_SESSION";
     NOT_EXIST_USER: "NOT_EXIST_USER";
     SKIP_TOKEN_RENEW: "SKIP_TOKEN_RENEW";
+    USER_STATUS_NOT_ALLOW_LOGIN: "USER_STATUS_NOT_ALLOW_LOGIN";
 };
 export type AuthErrorType = keyof typeof AuthErrorCode;
 export declare class AuthError extends Error {

package/lib/auth.js

@@ -31,7 +31,8 @@ const AuthErrorCode = {
   BLOCKED_TOKEN: "BLOCKED_TOKEN",
   EXPIRED_SESSION: "EXPIRED_SESSION",
   NOT_EXIST_USER: "NOT_EXIST_USER",
-  SKIP_TOKEN_RENEW: "SKIP_TOKEN_RENEW"
+  SKIP_TOKEN_RENEW: "SKIP_TOKEN_RENEW",
+  USER_STATUS_NOT_ALLOW_LOGIN: "USER_STATUS_NOT_ALLOW_LOGIN"
 };
 const _AuthError = class _AuthError extends Error {
   constructor(options) {

package/lib/base/auth.d.ts

@@ -2,6 +2,7 @@ import { Collection, Model } from '@tachybase/database';
 import { Auth, AuthConfig } from '../auth';
 import { JwtService } from './jwt-service';
 import { ITokenControlService } from './token-control-service';
+import { IUserStatusService } from './user-status-service';
 /**
  * BaseAuth
  * @description A base class with jwt provide some common methods.
@@ -14,6 +15,7 @@ export declare class BaseAuth extends Auth {
     get userRepository(): import("@tachybase/database").Repository<any, any>;
     get jwt(): JwtService;
     get tokenController(): ITokenControlService;
+    get userStatusService(): IUserStatusService;
     set user(user: Model);
     get user(): Model;
     getCacheKey(userId: number): string;
@@ -21,6 +23,7 @@ export declare class BaseAuth extends Auth {
     checkToken(): Promise<{
         tokenStatus: 'valid' | 'expired' | 'invalid';
         user: Awaited<ReturnType<Auth['check']>>;
+        userStatus: string;
         jti?: string;
         temp: any;
         roleName?: any;
@@ -28,6 +31,11 @@ export declare class BaseAuth extends Auth {
     }>;
     check(): ReturnType<Auth['check']>;
     validate(): Promise<Model>;
+    /**
+     * 签新 token
+     * @param userId 用户 ID
+     * @returns 新 token
+     */
     signNewToken(userId: number): Promise<string>;
     signIn(): Promise<{
         user: Model<any, any>;

package/lib/base/auth.js

@@ -49,6 +49,9 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
   get tokenController() {
     return this.ctx.tego.authManager.tokenController;
   }
+  get userStatusService() {
+    return this.ctx.tego.authManager.userStatusService;
+  }
   set user(user) {
     this.ctx.state.currentUser = user;
   }
@@ -87,7 +90,7 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
         });
       }
     }
-    const { userId, roleName, iat, temp, jti, exp, signInTime } = payload ?? {};
+    const { userId, userStatus = "active", roleName, iat, temp, jti, exp, signInTime } = payload ?? {};
     const user = userId ? await this.ctx.tego.cache.wrap(
       this.getCacheKey(userId),
       () => this.userRepository.findOne({
@@ -103,6 +106,19 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
         code: import_auth.AuthErrorCode.NOT_EXIST_USER
       });
     }
+    const statusCheckResult = await this.userStatusService.checkUserStatus(user.id);
+    if (!statusCheckResult.allowed) {
+      this.ctx.throw(401, {
+        message: this.ctx.t(statusCheckResult.errorMessage, { ns: localeNamespace }),
+        code: import_auth.AuthErrorCode.USER_STATUS_NOT_ALLOW_LOGIN
+      });
+    }
+    if (statusCheckResult.status !== userStatus) {
+      this.ctx.throw(401, {
+        message: this.ctx.t("Your account status has changed. Please sign in again.", { ns: localeNamespace }),
+        code: import_auth.AuthErrorCode.INVALID_TOKEN
+      });
+    }
     if (roleName) {
       this.ctx.headers["x-role"] = roleName;
     }
@@ -115,7 +131,7 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
     }
     if (!temp) {
       if (tokenStatus === "valid") {
-        return { tokenStatus, user, temp };
+        return { tokenStatus, user, userStatus, temp };
       } else {
         this.ctx.throw(401, {
           message: this.ctx.t("Your session has expired. Please sign in again.", { ns: localeNamespace }),
@@ -158,13 +174,13 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
           code: import_auth.AuthErrorCode.INVALID_TOKEN
         });
       }
-      return { tokenStatus, user, jti, signInTime, temp };
+      return { tokenStatus, user, userStatus, jti, signInTime, temp };
     }
-    return { tokenStatus, user, jti, signInTime, temp };
+    return { tokenStatus, user, userStatus, jti, signInTime, temp };
   }
   async check() {
     var _a, _b, _c;
-    const { tokenStatus, user, jti, temp, signInTime, roleName } = await this.checkToken();
+    const { tokenStatus, user, userStatus, jti, temp, signInTime, roleName } = await this.checkToken();
     if (tokenStatus === "expired") {
       const tokenPolicy = await this.tokenController.getConfig();
       try {
@@ -193,7 +209,7 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
         });
         const expiresIn = Math.floor(tokenPolicy.tokenExpirationTime / 1e3);
         const newToken = this.jwt.sign(
-          { userId: user.id, roleName, temp, signInTime, iat: Math.floor(renewedResult.issuedTime / 1e3) },
+          { userId: user.id, userStatus, roleName, temp, signInTime, iat: Math.floor(renewedResult.issuedTime / 1e3) },
           { jwtid: renewedResult.jti, expiresIn }
         );
         this.ctx.res.setHeader("x-new-token", newToken);
@@ -214,12 +230,28 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
   async validate() {
     return null;
   }
+  /**
+   * 签新 token
+   * @param userId 用户 ID
+   * @returns 新 token
+   */
   async signNewToken(userId) {
+    const user = await this.userRepository.findOne({
+      filter: { id: userId },
+      fields: ["id", "status"]
+    });
+    if (!user) {
+      this.ctx.throw(401, {
+        message: this.ctx.t("User not found. Please sign in again to continue.", { ns: localeNamespace }),
+        code: import_auth.AuthErrorCode.NOT_EXIST_USER
+      });
+    }
     const tokenInfo = await this.tokenController.add({ userId });
     const expiresIn = Math.floor((await this.tokenController.getConfig()).tokenExpirationTime / 1e3);
     const token = this.jwt.sign(
       {
         userId,
+        userStatus: user.status,
         temp: true,
         iat: Math.floor(tokenInfo.issuedTime / 1e3),
         signInTime: tokenInfo.signInTime
@@ -246,6 +278,13 @@ const _BaseAuth = class _BaseAuth extends import_auth.Auth {
         code: import_auth.AuthErrorCode.NOT_EXIST_USER
       });
     }
+    const statusCheckResult = await this.userStatusService.checkUserStatus(user.id);
+    if (!statusCheckResult.allowed) {
+      this.ctx.throw(401, {
+        message: this.ctx.t(statusCheckResult.errorMessage, { ns: localeNamespace }),
+        code: import_auth.AuthErrorCode.USER_STATUS_NOT_ALLOW_LOGIN
+      });
+    }
     const token = await this.signNewToken(user.id);
     return {
       user,

package/lib/base/user-status-service.d.ts

@@ -0,0 +1,77 @@
+/**
+ * 用户状态检查结果
+ */
+export interface UserStatusCheckResult {
+    allowed: boolean;
+    status: string;
+    statusInfo: {
+        title: string;
+        color: string;
+        allowLogin: boolean;
+    };
+    errorMessage: string;
+    isExpired: boolean;
+}
+/**
+ * 用户状态缓存数据
+ */
+export interface UserStatusCache {
+    userId: number;
+    status: string;
+    expireAt: Date | null;
+    previousStatus: string | null;
+    lastChecked: Date;
+}
+/**
+ * 用户状态服务接口
+ */
+export interface IUserStatusService {
+    /**
+     * 检查用户状态是否允许登录
+     * @param userId 用户ID
+     * @returns 检查结果
+     */
+    checkUserStatus(userId: number): Promise<UserStatusCheckResult>;
+    /**
+     * 设置用户状态缓存
+     * @param userId 用户ID
+     * @param data 缓存数据
+     */
+    setUserStatusCache(userId: number, data: UserStatusCache): Promise<void>;
+    /**
+     * 从缓存获取用户状态
+     * @param userId 用户ID
+     * @returns 缓存数据或 null
+     */
+    getUserStatusFromCache(userId: number): Promise<UserStatusCache | null>;
+    /**
+     * 获取用户状态缓存键
+     * @param userId 用户ID
+     * @returns 缓存键
+     */
+    getUserStatusCacheKey(userId: number): string;
+    /**
+     * 恢复过期的用户状态
+     * @param userId 用户ID
+     */
+    restoreUserStatus(userId: number): Promise<void>;
+    /**
+     * 清除用户状态缓存
+     * @param userId 用户ID
+     */
+    clearUserStatusCache(userId: number): Promise<void>;
+    /**
+     * 记录状态变更历史（如果不存在相同记录）
+     * @param params 状态变更参数
+     */
+    recordStatusHistoryIfNotExists(params: {
+        userId: number;
+        fromStatus: string;
+        toStatus: string;
+        reason: string | null;
+        expireAt: Date | null;
+        operationType: 'manual' | 'auto' | 'system';
+        createdBy: number | null;
+        transaction?: any;
+    }): Promise<void>;
+}

package/lib/base/user-status-service.js

@@ -0,0 +1,15 @@
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var user_status_service_exports = {};
+module.exports = __toCommonJS(user_status_service_exports);

package/lib/index.d.ts

@@ -4,3 +4,4 @@ export * from './auth-manager';
 export * from './base/auth';
 export * from './base/token-blacklist-service';
 export * from './base/token-control-service';
+export * from './base/user-status-service';

package/lib/index.js

@@ -20,6 +20,7 @@ __reExport(index_exports, require("./auth-manager"), module.exports);
 __reExport(index_exports, require("./base/auth"), module.exports);
 __reExport(index_exports, require("./base/token-blacklist-service"), module.exports);
 __reExport(index_exports, require("./base/token-control-service"), module.exports);
+__reExport(index_exports, require("./base/user-status-service"), module.exports);
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ...require("./actions"),
@@ -27,5 +28,6 @@ __reExport(index_exports, require("./base/token-control-service"), module.export
   ...require("./auth-manager"),
   ...require("./base/auth"),
   ...require("./base/token-blacklist-service"),
-  ...require("./base/token-control-service")
+  ...require("./base/token-control-service"),
+  ...require("./base/user-status-service")
 });

package/package.json

@@ -1,16 +1,16 @@
 {
   "name": "@tachybase/auth",
-  "version": "1.6.0-alpha.9",
+  "version": "1.6.1-alpha.0",
   "description": "",
   "license": "Apache-2.0",
   "main": "./lib/index.js",
   "types": "./lib/index.d.ts",
   "dependencies": {
     "jsonwebtoken": "^8.5.1",
-    "@tachybase/actions": "1.6.0-alpha.9",
-    "@tachybase/database": "1.6.0-alpha.9",
-    "@tachybase/resourcer": "1.6.0-alpha.9",
-    "@tachybase/utils": "1.6.0-alpha.9"
+    "@tachybase/database": "1.6.1-alpha.0",
+    "@tachybase/resourcer": "1.6.1-alpha.0",
+    "@tachybase/actions": "1.6.1-alpha.0",
+    "@tachybase/utils": "1.6.1-alpha.0"
   },
   "devDependencies": {
     "@types/jsonwebtoken": "^8.5.9",