@windrun-huaiin/backend-core 14.3.0 → 14.5.0

package/dist/app/api/stripe/checkout/route.js

@@ -9,7 +9,7 @@ require('../../../../prisma/prisma.js');
 require('../../../../services/database/credit.service.js');
 var transaction_service = require('../../../../services/database/transaction.service.js');
 require('@prisma/client');
-var authUtils = require('../../../../lib/auth-utils.js');
+var authUtils = require('../../../../auth/auth-utils.js');
 var moneyPriceConfig = require('../../../../lib/money-price-config.js');
 
 // Request validation schema

package/dist/app/api/stripe/checkout/route.mjs

@@ -7,7 +7,7 @@ import '../../../../prisma/prisma.mjs';
 import '../../../../services/database/credit.service.mjs';
 import { transactionService } from '../../../../services/database/transaction.service.mjs';
 import '@prisma/client';
-import { ApiAuthUtils } from '../../../../lib/auth-utils.mjs';
+import { ApiAuthUtils } from '../../../../auth/auth-utils.mjs';
 import { getPriceConfig } from '../../../../lib/money-price-config.mjs';
 
 // Request validation schema

package/dist/app/api/stripe/customer-portal/route.js

@@ -4,7 +4,7 @@ var tslib_es6 = require('../../../../node_modules/.pnpm/@rollup_plugin-typescrip
 var server = require('next/server');
 var zod = require('zod');
 var stripeConfig = require('../../../../lib/stripe-config.js');
-var authUtils = require('../../../../lib/auth-utils.js');
+var authUtils = require('../../../../auth/auth-utils.js');
 require('../../../../prisma/prisma.js');
 var subscription_service = require('../../../../services/database/subscription.service.js');
 require('../../../../services/database/credit.service.js');

package/dist/app/api/stripe/customer-portal/route.mjs

@@ -2,7 +2,7 @@ import { __awaiter } from '../../../../node_modules/.pnpm/@rollup_plugin-typescr
 import { NextResponse } from 'next/server';
 import { z } from 'zod';
 import { createOrGetCustomer, createCustomerPortalSession } from '../../../../lib/stripe-config.mjs';
-import { ApiAuthUtils } from '../../../../lib/auth-utils.mjs';
+import { ApiAuthUtils } from '../../../../auth/auth-utils.mjs';
 import '../../../../prisma/prisma.mjs';
 import { subscriptionService } from '../../../../services/database/subscription.service.mjs';
 import '../../../../services/database/credit.service.mjs';

package/dist/app/api/user/anonymous/init/route.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../../src/app/api/user/anonymous/init/route.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AA4rBxD;;;GAGG;AACH,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW,kCAE9C"}
+{"version":3,"file":"route.d.ts","sourceRoot":"","sources":["../../../../../../src/app/api/user/anonymous/init/route.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AA6rBxD;;;GAGG;AACH,wBAAsB,IAAI,CAAC,OAAO,EAAE,WAAW,kCAE9C"}

package/dist/app/api/user/anonymous/init/route.js

@@ -2,9 +2,9 @@
 
 var tslib_es6 = require('../../../../../node_modules/.pnpm/@rollup_plugin-typescript@12.1.4_rollup@4.46.2_tslib@2.8.1_typescript@5.9.3/node_modules/tslib/tslib.es6.js');
 var anonymous_aggregate_service = require('../../../../../services/aggregate/anonymous.aggregate.service.js');
+var authUtils = require('../../../../../auth/auth-utils.js');
 var server = require('@windrun-huaiin/third-ui/fingerprint/server');
-var server$1 = require('@clerk/nextjs/server');
-var server$2 = require('next/server');
+var server$1 = require('next/server');
 var userContextService = require('../../../../../services/context/user-context-service.js');
 var userContextFinalizer = require('../../../../../services/context/user-context-finalizer.js');
 
@@ -22,7 +22,7 @@ function createSuccessResponse(params) {
 /** 创建错误响应 */
 function createErrorResponse(message, status = 400) {
     const errorResponse = { error: message };
-    return server$2.NextResponse.json(errorResponse, { status });
+    return server$1.NextResponse.json(errorResponse, { status });
 }
 const SOURCE_REF_MAX_LENGTH = 2048;
 const QUERY_PARAM_MAX_LENGTH = 512;
@@ -494,6 +494,7 @@ function getUserByFingerprintId(fingerprintId) {
  */
 function handleFingerprintRequest(request_1) {
     return tslib_es6.__awaiter(this, arguments, void 0, function* (request, options = {}) {
+        var _a;
         // 从请求中提取fingerprint ID
         const fingerprintId = server.extractFingerprintFromNextRequest(request);
         // 验证fingerprint ID
@@ -501,7 +502,8 @@ function handleFingerprintRequest(request_1) {
             return createErrorResponse('Invalid or missing fingerprint ID');
         }
         console.log('Received fingerprintId:', fingerprintId);
-        const { userId: clerkUserId } = yield server$1.auth();
+        const authIdentity = yield authUtils.getOptionalServerAuthIdentity();
+        const clerkUserId = (_a = authIdentity === null || authIdentity === void 0 ? void 0 : authIdentity.providerUserId) !== null && _a !== void 0 ? _a : null;
         try {
             // 优先根据 Clerk ID 查询（如果已登录）
             let existingUserResult = null;
@@ -521,7 +523,7 @@ function handleFingerprintRequest(request_1) {
                 existingUserResult = yield getUserByFingerprintId(fingerprintId);
             }
             if (existingUserResult) {
-                return server$2.NextResponse.json(existingUserResult);
+                return server$1.NextResponse.json(existingUserResult);
             }
             // 如果不存在用户且不允许创建，返回404
             if (!options.createIfNotExists) {
@@ -545,7 +547,7 @@ function handleFingerprintRequest(request_1) {
                     hasAnonymousUser: anonymousInitResult.hasAnonymousUser,
                 },
             });
-            return server$2.NextResponse.json(response);
+            return server$1.NextResponse.json(response);
         }
         catch (error) {
             console.error('Fingerprint request error:', error);

package/dist/app/api/user/anonymous/init/route.mjs

@@ -1,7 +1,7 @@
 import { __awaiter, __rest } from '../../../../../node_modules/.pnpm/@rollup_plugin-typescript@12.1.4_rollup@4.46.2_tslib@2.8.1_typescript@5.9.3/node_modules/tslib/tslib.es6.mjs';
 import { anonymousAggregateService } from '../../../../../services/aggregate/anonymous.aggregate.service.mjs';
+import { getOptionalServerAuthIdentity } from '../../../../../auth/auth-utils.mjs';
 import { extractFingerprintFromNextRequest } from '@windrun-huaiin/third-ui/fingerprint/server';
-import { auth } from '@clerk/nextjs/server';
 import { NextResponse } from 'next/server';
 import { fetchUserContextByClerkUserId, fetchLatestUserContextByFingerprintId, mapSubscriptionToXSubscription, mapCreditToXCredit, mapUserToXUser } from '../../../../../services/context/user-context-service.mjs';
 import { finalizeUserContext } from '../../../../../services/context/user-context-finalizer.mjs';
@@ -492,6 +492,7 @@ function getUserByFingerprintId(fingerprintId) {
  */
 function handleFingerprintRequest(request_1) {
     return __awaiter(this, arguments, void 0, function* (request, options = {}) {
+        var _a;
         // 从请求中提取fingerprint ID
         const fingerprintId = extractFingerprintFromNextRequest(request);
         // 验证fingerprint ID
@@ -499,7 +500,8 @@ function handleFingerprintRequest(request_1) {
             return createErrorResponse('Invalid or missing fingerprint ID');
         }
         console.log('Received fingerprintId:', fingerprintId);
-        const { userId: clerkUserId } = yield auth();
+        const authIdentity = yield getOptionalServerAuthIdentity();
+        const clerkUserId = (_a = authIdentity === null || authIdentity === void 0 ? void 0 : authIdentity.providerUserId) !== null && _a !== void 0 ? _a : null;
         try {
             // 优先根据 Clerk ID 查询（如果已登录）
             let existingUserResult = null;

package/dist/auth/auth-middleware.d.ts

@@ -0,0 +1,13 @@
+import type { ClerkMiddlewareAuth } from '@clerk/nextjs/server';
+import { NextRequest, NextResponse } from 'next/server';
+import { type ProviderIdentity } from './auth-shared';
+export declare function buildProtectedPageRoutePatterns(protectedRoots: readonly string[], locales: readonly string[]): string[];
+export interface AuthMiddlewareOptions {
+    protectedPageRoutes: (req: NextRequest) => boolean;
+    protectedApiRoutes: (req: NextRequest) => boolean;
+    publicApiRoutes: (req: NextRequest) => boolean;
+    intlMiddleware: (req: NextRequest) => ReturnType<typeof NextResponse.next> | Response | undefined;
+}
+export declare function buildAuthenticatedRequestHeaders(req: NextRequest, auth: ProviderIdentity): Headers;
+export declare function handleAuthMiddleware(auth: ClerkMiddlewareAuth, req: NextRequest, options: AuthMiddlewareOptions): Promise<Response | null | undefined>;
+//# sourceMappingURL=auth-middleware.d.ts.map

package/dist/auth/auth-middleware.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-middleware.d.ts","sourceRoot":"","sources":["../../src/auth/auth-middleware.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAgB,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAEpE,wBAAgB,+BAA+B,CAC7C,cAAc,EAAE,SAAS,MAAM,EAAE,EACjC,OAAO,EAAE,SAAS,MAAM,EAAE,GACzB,MAAM,EAAE,CAsBV;AAED,MAAM,WAAW,qBAAqB;IACpC,mBAAmB,EAAE,CAAC,GAAG,EAAE,WAAW,KAAK,OAAO,CAAC;IACnD,kBAAkB,EAAE,CAAC,GAAG,EAAE,WAAW,KAAK,OAAO,CAAC;IAClD,eAAe,EAAE,CAAC,GAAG,EAAE,WAAW,KAAK,OAAO,CAAC;IAC/C,cAAc,EAAE,CAAC,GAAG,EAAE,WAAW,KAAK,UAAU,CAAC,OAAO,YAAY,CAAC,IAAI,CAAC,GAAG,QAAQ,GAAG,SAAS,CAAC;CACnG;AAcD,wBAAgB,gCAAgC,CAC9C,GAAG,EAAE,WAAW,EAChB,IAAI,EAAE,gBAAgB,GACrB,OAAO,CAKT;AAED,wBAAsB,oBAAoB,CACxC,IAAI,EAAE,mBAAmB,EACzB,GAAG,EAAE,WAAW,EAChB,OAAO,EAAE,qBAAqB,wCA6C/B"}

package/dist/auth/auth-middleware.js

@@ -0,0 +1,86 @@
+'use strict';
+
+var tslib_es6 = require('../node_modules/.pnpm/@rollup_plugin-typescript@12.1.4_rollup@4.46.2_tslib@2.8.1_typescript@5.9.3/node_modules/tslib/tslib.es6.js');
+var server = require('next/server');
+var authShared = require('./auth-shared.js');
+
+function buildProtectedPageRoutePatterns(protectedRoots, locales) {
+    const uniqueRoots = [...new Set(protectedRoots)]
+        .map((root) => root.trim())
+        .filter(Boolean)
+        .map((root) => (root.startsWith('/') ? root : `/${root}`))
+        .map((root) => root.replace(/\/+$/, ''));
+    const uniqueLocales = [...new Set(locales)]
+        .map((locale) => locale.trim())
+        .filter(Boolean);
+    const patterns = new Set();
+    for (const root of uniqueRoots) {
+        patterns.add(`${root}(.*)`);
+        for (const locale of uniqueLocales) {
+            patterns.add(`/${locale}${root}(.*)`);
+        }
+    }
+    return [...patterns];
+}
+function authenticateWithClerk(auth) {
+    return tslib_es6.__awaiter(this, void 0, void 0, function* () {
+        const { userId } = yield auth();
+        if (!userId) {
+            return null;
+        }
+        return {
+            provider: 'clerk',
+            providerUserId: userId,
+        };
+    });
+}
+function buildAuthenticatedRequestHeaders(req, auth) {
+    const headers = new Headers(req.headers);
+    headers.set(authShared.AUTH_HEADERS.provider, auth.provider);
+    headers.set(authShared.AUTH_HEADERS.providerUserId, auth.providerUserId);
+    return headers;
+}
+function handleAuthMiddleware(auth, req, options) {
+    return tslib_es6.__awaiter(this, void 0, void 0, function* () {
+        const { protectedPageRoutes, protectedApiRoutes, publicApiRoutes, intlMiddleware } = options;
+        if (protectedPageRoutes(req)) {
+            const identity = yield authenticateWithClerk(auth);
+            if (!identity) {
+                return (yield auth()).redirectToSignIn();
+            }
+            const requestHeaders = buildAuthenticatedRequestHeaders(req, identity);
+            console.log('Forward auth context for protected page:', identity.provider, identity.providerUserId);
+            return intlMiddleware(new server.NextRequest(req.url, {
+                headers: requestHeaders,
+                method: req.method,
+                body: req.body,
+            }));
+        }
+        if (protectedApiRoutes(req)) {
+            const identity = yield authenticateWithClerk(auth);
+            if (!identity) {
+                return (yield auth()).redirectToSignIn();
+            }
+            const requestHeaders = buildAuthenticatedRequestHeaders(req, identity);
+            console.log('Forward auth context for protected API:', identity.provider, identity.providerUserId);
+            return server.NextResponse.next({
+                request: {
+                    headers: requestHeaders,
+                },
+            });
+        }
+        if (publicApiRoutes(req)) {
+            console.log('Public API route, no auth required:', req.nextUrl.pathname);
+            return server.NextResponse.next();
+        }
+        if (req.nextUrl.pathname.startsWith('/api/')) {
+            console.log('Other API route, no internationalization:', req.nextUrl.pathname);
+            return server.NextResponse.next();
+        }
+        return null;
+    });
+}
+
+exports.buildAuthenticatedRequestHeaders = buildAuthenticatedRequestHeaders;
+exports.buildProtectedPageRoutePatterns = buildProtectedPageRoutePatterns;
+exports.handleAuthMiddleware = handleAuthMiddleware;

package/dist/auth/auth-middleware.mjs

@@ -0,0 +1,82 @@
+import { __awaiter } from '../node_modules/.pnpm/@rollup_plugin-typescript@12.1.4_rollup@4.46.2_tslib@2.8.1_typescript@5.9.3/node_modules/tslib/tslib.es6.mjs';
+import { NextRequest, NextResponse } from 'next/server';
+import { AUTH_HEADERS } from './auth-shared.mjs';
+
+function buildProtectedPageRoutePatterns(protectedRoots, locales) {
+    const uniqueRoots = [...new Set(protectedRoots)]
+        .map((root) => root.trim())
+        .filter(Boolean)
+        .map((root) => (root.startsWith('/') ? root : `/${root}`))
+        .map((root) => root.replace(/\/+$/, ''));
+    const uniqueLocales = [...new Set(locales)]
+        .map((locale) => locale.trim())
+        .filter(Boolean);
+    const patterns = new Set();
+    for (const root of uniqueRoots) {
+        patterns.add(`${root}(.*)`);
+        for (const locale of uniqueLocales) {
+            patterns.add(`/${locale}${root}(.*)`);
+        }
+    }
+    return [...patterns];
+}
+function authenticateWithClerk(auth) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const { userId } = yield auth();
+        if (!userId) {
+            return null;
+        }
+        return {
+            provider: 'clerk',
+            providerUserId: userId,
+        };
+    });
+}
+function buildAuthenticatedRequestHeaders(req, auth) {
+    const headers = new Headers(req.headers);
+    headers.set(AUTH_HEADERS.provider, auth.provider);
+    headers.set(AUTH_HEADERS.providerUserId, auth.providerUserId);
+    return headers;
+}
+function handleAuthMiddleware(auth, req, options) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const { protectedPageRoutes, protectedApiRoutes, publicApiRoutes, intlMiddleware } = options;
+        if (protectedPageRoutes(req)) {
+            const identity = yield authenticateWithClerk(auth);
+            if (!identity) {
+                return (yield auth()).redirectToSignIn();
+            }
+            const requestHeaders = buildAuthenticatedRequestHeaders(req, identity);
+            console.log('Forward auth context for protected page:', identity.provider, identity.providerUserId);
+            return intlMiddleware(new NextRequest(req.url, {
+                headers: requestHeaders,
+                method: req.method,
+                body: req.body,
+            }));
+        }
+        if (protectedApiRoutes(req)) {
+            const identity = yield authenticateWithClerk(auth);
+            if (!identity) {
+                return (yield auth()).redirectToSignIn();
+            }
+            const requestHeaders = buildAuthenticatedRequestHeaders(req, identity);
+            console.log('Forward auth context for protected API:', identity.provider, identity.providerUserId);
+            return NextResponse.next({
+                request: {
+                    headers: requestHeaders,
+                },
+            });
+        }
+        if (publicApiRoutes(req)) {
+            console.log('Public API route, no auth required:', req.nextUrl.pathname);
+            return NextResponse.next();
+        }
+        if (req.nextUrl.pathname.startsWith('/api/')) {
+            console.log('Other API route, no internationalization:', req.nextUrl.pathname);
+            return NextResponse.next();
+        }
+        return null;
+    });
+}
+
+export { buildAuthenticatedRequestHeaders, buildProtectedPageRoutePatterns, handleAuthMiddleware };

package/dist/auth/auth-shared.d.ts

@@ -0,0 +1,14 @@
+export declare const AUTH_HEADERS: {
+    readonly provider: "x-auth-provider";
+    readonly providerUserId: "x-auth-provider-user-id";
+};
+export declare const AUTH_ERRORS: {
+    readonly unauthorized: "UNAUTHORIZED";
+    readonly userNotFound: "USER_NOT_FOUND";
+};
+export type AuthProvider = 'clerk';
+export interface ProviderIdentity {
+    provider: AuthProvider;
+    providerUserId: string;
+}
+//# sourceMappingURL=auth-shared.d.ts.map

package/dist/auth/auth-shared.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-shared.d.ts","sourceRoot":"","sources":["../../src/auth/auth-shared.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,YAAY;;;CAGf,CAAC;AAEX,eAAO,MAAM,WAAW;;;CAGd,CAAC;AAEX,MAAM,MAAM,YAAY,GAAG,OAAO,CAAC;AAEnC,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,YAAY,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;CACxB"}

package/dist/auth/auth-shared.js

@@ -0,0 +1,13 @@
+'use strict';
+
+const AUTH_HEADERS = {
+    provider: 'x-auth-provider',
+    providerUserId: 'x-auth-provider-user-id',
+};
+const AUTH_ERRORS = {
+    unauthorized: 'UNAUTHORIZED',
+    userNotFound: 'USER_NOT_FOUND',
+};
+
+exports.AUTH_ERRORS = AUTH_ERRORS;
+exports.AUTH_HEADERS = AUTH_HEADERS;

package/dist/auth/auth-shared.mjs

@@ -0,0 +1,10 @@
+const AUTH_HEADERS = {
+    provider: 'x-auth-provider',
+    providerUserId: 'x-auth-provider-user-id',
+};
+const AUTH_ERRORS = {
+    unauthorized: 'UNAUTHORIZED',
+    userNotFound: 'USER_NOT_FOUND',
+};
+
+export { AUTH_ERRORS, AUTH_HEADERS };

package/dist/auth/auth-utils.d.ts

@@ -0,0 +1,58 @@
+import { NextRequest } from 'next/server';
+import { User } from '../services/database/prisma-model-type';
+import { type AuthProvider, type ProviderIdentity } from './auth-shared';
+/**
+ * 认证结果类型
+ */
+export interface AuthResult {
+    userId: string;
+    user: User;
+    provider: AuthProvider;
+    providerUserId: string;
+}
+/**
+ * 从中间件设置的 Clerk ID 获取完整用户信息
+ */
+export declare function getAuthenticatedUser(req: NextRequest): Promise<AuthResult>;
+/**
+ * 要求用户必须已认证，返回用户ID
+ */
+export declare function requireAuth(req: NextRequest): Promise<string>;
+/**
+ * 要求用户必须已认证，返回完整用户信息
+ */
+export declare function requireAuthWithUser(req: NextRequest): Promise<AuthResult>;
+/**
+ * 服务端场景下获取当前已认证身份（如果存在）
+ * 适用于只依赖登录态、不需要查询业务用户的逻辑
+ */
+export declare function getOptionalServerAuthIdentity(): Promise<ProviderIdentity | null>;
+/**
+ * 服务端场景下获取当前已认证用户（如果存在）
+ * 适用于 Server Component / Server Action 中基于登录态控制展示的逻辑
+ */
+export declare function getOptionalServerAuthUser(): Promise<AuthResult | null>;
+/**
+ * API Route版本的认证工具函数
+ */
+export declare class ApiAuthUtils {
+    private req;
+    constructor(req: NextRequest);
+    /**
+     * 要求用户必须已认证，返回用户ID
+     */
+    requireAuth(): Promise<string>;
+    /**
+     * 要求用户必须已认证，返回完整用户信息
+     */
+    requireAuthWithUser(): Promise<AuthResult>;
+    /**
+     * 获取用户ID（如果已认证）
+     */
+    getUserId(): Promise<string | null>;
+    /**
+     * 获取完整用户信息（如果已认证）
+     */
+    getUser(): Promise<AuthResult | null>;
+}
+//# sourceMappingURL=auth-utils.d.ts.map

package/dist/auth/auth-utils.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-utils.d.ts","sourceRoot":"","sources":["../../src/auth/auth-utils.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAG1C,OAAO,EAAE,IAAI,EAAE,MAAM,wCAAwC,CAAC;AAC9D,OAAO,EAA6B,KAAK,YAAY,EAAE,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAEpG;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,IAAI,CAAC;IACX,QAAQ,EAAE,YAAY,CAAC;IACvB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,wBAAsB,oBAAoB,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CAuBhF;AAED;;GAEG;AACH,wBAAsB,WAAW,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAGnE;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CAAC,GAAG,EAAE,WAAW,GAAG,OAAO,CAAC,UAAU,CAAC,CAE/E;AAED;;;GAGG;AACH,wBAAsB,6BAA6B,IAAI,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAetF;AAED;;;GAGG;AACH,wBAAsB,yBAAyB,IAAI,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAsB5E;AAED;;GAEG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,GAAG,CAAc;gBAEb,GAAG,EAAE,WAAW;IAI5B;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,MAAM,CAAC;IAIpC;;OAEG;IACG,mBAAmB,IAAI,OAAO,CAAC,UAAU,CAAC;IAIhD;;OAEG;IACG,SAAS,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IASzC;;OAEG;IACG,OAAO,IAAI,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;CAO5C"}

package/dist/auth/auth-utils.js

@@ -0,0 +1,163 @@
+'use strict';
+
+var tslib_es6 = require('../node_modules/.pnpm/@rollup_plugin-typescript@12.1.4_rollup@4.46.2_tslib@2.8.1_typescript@5.9.3/node_modules/tslib/tslib.es6.js');
+var server = require('@clerk/nextjs/server');
+var user_service = require('../services/database/user.service.js');
+require('../prisma/prisma.js');
+require('../services/database/credit.service.js');
+require('@prisma/client');
+var authShared = require('./auth-shared.js');
+
+/**
+ * 从中间件设置的 Clerk ID 获取完整用户信息
+ */
+function getAuthenticatedUser(req) {
+    return tslib_es6.__awaiter(this, void 0, void 0, function* () {
+        try {
+            const provider = req.headers.get(authShared.AUTH_HEADERS.provider);
+            const providerUserId = req.headers.get(authShared.AUTH_HEADERS.providerUserId);
+            if (provider !== 'clerk' || !providerUserId) {
+                throw new Error(authShared.AUTH_ERRORS.unauthorized);
+            }
+            const user = yield user_service.userService.findByClerkUserId(providerUserId);
+            if (!user) {
+                throw new Error(authShared.AUTH_ERRORS.userNotFound);
+            }
+            return {
+                userId: user.userId,
+                user,
+                provider: 'clerk',
+                providerUserId,
+            };
+        }
+        catch (error) {
+            console.error('Error getting authenticated user:', error);
+            throw error;
+        }
+    });
+}
+/**
+ * 要求用户必须已认证，返回用户ID
+ */
+function requireAuth(req) {
+    return tslib_es6.__awaiter(this, void 0, void 0, function* () {
+        const auth = yield getAuthenticatedUser(req);
+        return auth.userId;
+    });
+}
+/**
+ * 要求用户必须已认证，返回完整用户信息
+ */
+function requireAuthWithUser(req) {
+    return tslib_es6.__awaiter(this, void 0, void 0, function* () {
+        return yield getAuthenticatedUser(req);
+    });
+}
+/**
+ * 服务端场景下获取当前已认证身份（如果存在）
+ * 适用于只依赖登录态、不需要查询业务用户的逻辑
+ */
+function getOptionalServerAuthIdentity() {
+    return tslib_es6.__awaiter(this, void 0, void 0, function* () {
+        try {
+            const { userId: providerUserId } = yield server.auth();
+            if (!providerUserId) {
+                return null;
+            }
+            return {
+                provider: 'clerk',
+                providerUserId,
+            };
+        }
+        catch (error) {
+            console.error('Error getting optional server auth identity:', error);
+            return null;
+        }
+    });
+}
+/**
+ * 服务端场景下获取当前已认证用户（如果存在）
+ * 适用于 Server Component / Server Action 中基于登录态控制展示的逻辑
+ */
+function getOptionalServerAuthUser() {
+    return tslib_es6.__awaiter(this, void 0, void 0, function* () {
+        try {
+            const identity = yield getOptionalServerAuthIdentity();
+            if (!identity) {
+                return null;
+            }
+            const user = yield user_service.userService.findByClerkUserId(identity.providerUserId);
+            if (!user) {
+                return null;
+            }
+            return {
+                userId: user.userId,
+                user,
+                provider: identity.provider,
+                providerUserId: identity.providerUserId,
+            };
+        }
+        catch (error) {
+            console.error('Error getting optional server auth user:', error);
+            return null;
+        }
+    });
+}
+/**
+ * API Route版本的认证工具函数
+ */
+class ApiAuthUtils {
+    constructor(req) {
+        this.req = req;
+    }
+    /**
+     * 要求用户必须已认证，返回用户ID
+     */
+    requireAuth() {
+        return tslib_es6.__awaiter(this, void 0, void 0, function* () {
+            return yield requireAuth(this.req);
+        });
+    }
+    /**
+     * 要求用户必须已认证，返回完整用户信息
+     */
+    requireAuthWithUser() {
+        return tslib_es6.__awaiter(this, void 0, void 0, function* () {
+            return yield requireAuthWithUser(this.req);
+        });
+    }
+    /**
+     * 获取用户ID（如果已认证）
+     */
+    getUserId() {
+        return tslib_es6.__awaiter(this, void 0, void 0, function* () {
+            try {
+                const auth = yield getAuthenticatedUser(this.req);
+                return auth.userId;
+            }
+            catch (_a) {
+                return null;
+            }
+        });
+    }
+    /**
+     * 获取完整用户信息（如果已认证）
+     */
+    getUser() {
+        return tslib_es6.__awaiter(this, void 0, void 0, function* () {
+            try {
+                return yield getAuthenticatedUser(this.req);
+            }
+            catch (_a) {
+                return null;
+            }
+        });
+    }
+}
+
+exports.ApiAuthUtils = ApiAuthUtils;
+exports.getAuthenticatedUser = getAuthenticatedUser;
+exports.getOptionalServerAuthIdentity = getOptionalServerAuthIdentity;
+exports.getOptionalServerAuthUser = getOptionalServerAuthUser;
+exports.requireAuth = requireAuth;
+exports.requireAuthWithUser = requireAuthWithUser;

package/dist/auth/auth-utils.mjs

@@ -0,0 +1,156 @@
+import { __awaiter } from '../node_modules/.pnpm/@rollup_plugin-typescript@12.1.4_rollup@4.46.2_tslib@2.8.1_typescript@5.9.3/node_modules/tslib/tslib.es6.mjs';
+import { auth } from '@clerk/nextjs/server';
+import { userService } from '../services/database/user.service.mjs';
+import '../prisma/prisma.mjs';
+import '../services/database/credit.service.mjs';
+import '@prisma/client';
+import { AUTH_HEADERS, AUTH_ERRORS } from './auth-shared.mjs';
+
+/**
+ * 从中间件设置的 Clerk ID 获取完整用户信息
+ */
+function getAuthenticatedUser(req) {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            const provider = req.headers.get(AUTH_HEADERS.provider);
+            const providerUserId = req.headers.get(AUTH_HEADERS.providerUserId);
+            if (provider !== 'clerk' || !providerUserId) {
+                throw new Error(AUTH_ERRORS.unauthorized);
+            }
+            const user = yield userService.findByClerkUserId(providerUserId);
+            if (!user) {
+                throw new Error(AUTH_ERRORS.userNotFound);
+            }
+            return {
+                userId: user.userId,
+                user,
+                provider: 'clerk',
+                providerUserId,
+            };
+        }
+        catch (error) {
+            console.error('Error getting authenticated user:', error);
+            throw error;
+        }
+    });
+}
+/**
+ * 要求用户必须已认证，返回用户ID
+ */
+function requireAuth(req) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const auth = yield getAuthenticatedUser(req);
+        return auth.userId;
+    });
+}
+/**
+ * 要求用户必须已认证，返回完整用户信息
+ */
+function requireAuthWithUser(req) {
+    return __awaiter(this, void 0, void 0, function* () {
+        return yield getAuthenticatedUser(req);
+    });
+}
+/**
+ * 服务端场景下获取当前已认证身份（如果存在）
+ * 适用于只依赖登录态、不需要查询业务用户的逻辑
+ */
+function getOptionalServerAuthIdentity() {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            const { userId: providerUserId } = yield auth();
+            if (!providerUserId) {
+                return null;
+            }
+            return {
+                provider: 'clerk',
+                providerUserId,
+            };
+        }
+        catch (error) {
+            console.error('Error getting optional server auth identity:', error);
+            return null;
+        }
+    });
+}
+/**
+ * 服务端场景下获取当前已认证用户（如果存在）
+ * 适用于 Server Component / Server Action 中基于登录态控制展示的逻辑
+ */
+function getOptionalServerAuthUser() {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            const identity = yield getOptionalServerAuthIdentity();
+            if (!identity) {
+                return null;
+            }
+            const user = yield userService.findByClerkUserId(identity.providerUserId);
+            if (!user) {
+                return null;
+            }
+            return {
+                userId: user.userId,
+                user,
+                provider: identity.provider,
+                providerUserId: identity.providerUserId,
+            };
+        }
+        catch (error) {
+            console.error('Error getting optional server auth user:', error);
+            return null;
+        }
+    });
+}
+/**
+ * API Route版本的认证工具函数
+ */
+class ApiAuthUtils {
+    constructor(req) {
+        this.req = req;
+    }
+    /**
+     * 要求用户必须已认证，返回用户ID
+     */
+    requireAuth() {
+        return __awaiter(this, void 0, void 0, function* () {
+            return yield requireAuth(this.req);
+        });
+    }
+    /**
+     * 要求用户必须已认证，返回完整用户信息
+     */
+    requireAuthWithUser() {
+        return __awaiter(this, void 0, void 0, function* () {
+            return yield requireAuthWithUser(this.req);
+        });
+    }
+    /**
+     * 获取用户ID（如果已认证）
+     */
+    getUserId() {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                const auth = yield getAuthenticatedUser(this.req);
+                return auth.userId;
+            }
+            catch (_a) {
+                return null;
+            }
+        });
+    }
+    /**
+     * 获取完整用户信息（如果已认证）
+     */
+    getUser() {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                return yield getAuthenticatedUser(this.req);
+            }
+            catch (_a) {
+                return null;
+            }
+        });
+    }
+}
+
+export { ApiAuthUtils, getAuthenticatedUser, getOptionalServerAuthIdentity, getOptionalServerAuthUser, requireAuth, requireAuthWithUser };

package/dist/index.js

@@ -21,7 +21,6 @@ var moneyPriceHelper = require('./lib/money-price-helper.js');
 var fingerprintConfig = require('./lib/fingerprint-config.js');
 var creditInit = require('./lib/credit-init.js');
 var stripeConfig = require('./lib/stripe-config.js');
-var authUtils = require('./lib/auth-utils.js');
 var upstashConfig = require('./lib/upstash-config.js');
 var redisLock = require('./lib/upstash/redis-lock.js');
 var redisLike = require('./lib/upstash/redis-like.js');
@@ -91,10 +90,6 @@ exports.fetchPaymentId = stripeConfig.fetchPaymentId;
 exports.getStripe = stripeConfig.getStripe;
 exports.updateSubscription = stripeConfig.updateSubscription;
 exports.validateStripeWebhook = stripeConfig.validateStripeWebhook;
-exports.ApiAuthUtils = authUtils.ApiAuthUtils;
-exports.getAuthenticatedUser = authUtils.getAuthenticatedUser;
-exports.requireAuth = authUtils.requireAuth;
-exports.requireAuthWithUser = authUtils.requireAuthWithUser;
 exports.getQstash = upstashConfig.getQstash;
 exports.getRedis = upstashConfig.getRedis;
 exports.withQstash = upstashConfig.withQstash;

package/dist/index.mjs

@@ -19,7 +19,6 @@ export { getMoneyPriceInitUserContext } from './lib/money-price-helper.mjs';
 export { fingerprintConfig } from './lib/fingerprint-config.mjs';
 export { creditsConfig, freeAmount, freeExpiredDays, freeRegisterAmount, oneTimeExpiredDays } from './lib/credit-init.mjs';
 export { ActiveSubscriptionExistsError, cancelSubscription, createCheckoutSession, createCustomerPortalSession, createOrGetCustomer, fetchPaymentId, getStripe, updateSubscription, validateStripeWebhook } from './lib/stripe-config.mjs';
-export { ApiAuthUtils, getAuthenticatedUser, requireAuth, requireAuthWithUser } from './lib/auth-utils.mjs';
 export { getQstash, getRedis, withQstash, withRedis } from './lib/upstash-config.mjs';
 export { acquireLock, releaseLock, withLock } from './lib/upstash/redis-lock.mjs';
 export { getTargetLikeCount, getUserLikedTargets, isTargetLiked, likeTarget, unlikeTarget } from './lib/upstash/redis-like.mjs';

package/dist/lib/index.d.ts

@@ -3,7 +3,6 @@ export * from './money-price-helper';
 export * from './fingerprint-config';
 export * from './credit-init';
 export * from './stripe-config';
-export * from './auth-utils';
 export * from './upstash-config';
 export * from './upstash';
 //# sourceMappingURL=index.d.ts.map

package/dist/lib/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/index.ts"],"names":[],"mappings":"AAAA,cAAc,sBAAsB,CAAC;AACrC,cAAc,sBAAsB,CAAC;AACrC,cAAc,sBAAsB,CAAC;AACrC,cAAc,eAAe,CAAC;AAC9B,cAAc,iBAAiB,CAAC;AAChC,cAAc,cAAc,CAAC;AAC7B,cAAc,kBAAkB,CAAC;AACjC,cAAc,WAAW,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/lib/index.ts"],"names":[],"mappings":"AAAA,cAAc,sBAAsB,CAAC;AACrC,cAAc,sBAAsB,CAAC;AACrC,cAAc,sBAAsB,CAAC;AACrC,cAAc,eAAe,CAAC;AAC9B,cAAc,iBAAiB,CAAC;AAChC,cAAc,kBAAkB,CAAC;AACjC,cAAc,WAAW,CAAC"}

package/dist/lib/index.js

@@ -5,7 +5,6 @@ var moneyPriceHelper = require('./money-price-helper.js');
 var fingerprintConfig = require('./fingerprint-config.js');
 var creditInit = require('./credit-init.js');
 var stripeConfig = require('./stripe-config.js');
-var authUtils = require('./auth-utils.js');
 var upstashConfig = require('./upstash-config.js');
 var redisLock = require('./upstash/redis-lock.js');
 var redisLike = require('./upstash/redis-like.js');
@@ -36,10 +35,6 @@ exports.fetchPaymentId = stripeConfig.fetchPaymentId;
 exports.getStripe = stripeConfig.getStripe;
 exports.updateSubscription = stripeConfig.updateSubscription;
 exports.validateStripeWebhook = stripeConfig.validateStripeWebhook;
-exports.ApiAuthUtils = authUtils.ApiAuthUtils;
-exports.getAuthenticatedUser = authUtils.getAuthenticatedUser;
-exports.requireAuth = authUtils.requireAuth;
-exports.requireAuthWithUser = authUtils.requireAuthWithUser;
 exports.getQstash = upstashConfig.getQstash;
 exports.getRedis = upstashConfig.getRedis;
 exports.withQstash = upstashConfig.withQstash;

package/dist/lib/index.mjs

@@ -3,7 +3,6 @@ export { getMoneyPriceInitUserContext } from './money-price-helper.mjs';
 export { fingerprintConfig } from './fingerprint-config.mjs';
 export { creditsConfig, freeAmount, freeExpiredDays, freeRegisterAmount, oneTimeExpiredDays } from './credit-init.mjs';
 export { ActiveSubscriptionExistsError, cancelSubscription, createCheckoutSession, createCustomerPortalSession, createOrGetCustomer, fetchPaymentId, getStripe, updateSubscription, validateStripeWebhook } from './stripe-config.mjs';
-export { ApiAuthUtils, getAuthenticatedUser, requireAuth, requireAuthWithUser } from './auth-utils.mjs';
 export { getQstash, getRedis, withQstash, withRedis } from './upstash-config.mjs';
 export { acquireLock, releaseLock, withLock } from './upstash/redis-lock.mjs';
 export { getTargetLikeCount, getUserLikedTargets, isTargetLiked, likeTarget, unlikeTarget } from './upstash/redis-like.mjs';

package/dist/lib/money-price-helper.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"money-price-helper.d.ts","sourceRoot":"","sources":["../../src/lib/money-price-helper.ts"],"names":[],"mappings":"AAKA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,sCAAsC,CAAC;AAiB5E,wBAAsB,4BAA4B,IAAI,OAAO,CAAC,eAAe,CAAC,CAsC7E"}
+{"version":3,"file":"money-price-helper.d.ts","sourceRoot":"","sources":["../../src/lib/money-price-helper.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,sCAAsC,CAAC;AAkB5E,wBAAsB,4BAA4B,IAAI,OAAO,CAAC,eAAe,CAAC,CAuC7E"}

package/dist/lib/money-price-helper.js

@@ -1,9 +1,9 @@
 'use strict';
 
 var tslib_es6 = require('../node_modules/.pnpm/@rollup_plugin-typescript@12.1.4_rollup@4.46.2_tslib@2.8.1_typescript@5.9.3/node_modules/tslib/tslib.es6.js');
-var server = require('@clerk/nextjs/server');
 var headers = require('next/headers');
-var server$1 = require('@windrun-huaiin/third-ui/fingerprint/server');
+var server = require('@windrun-huaiin/third-ui/fingerprint/server');
+var authUtils = require('../auth/auth-utils.js');
 var userContextService = require('../services/context/user-context-service.js');
 var userContextFinalizer = require('../services/context/user-context-finalizer.js');
 
@@ -11,7 +11,7 @@ function readFingerprintIdFromRequest() {
     return tslib_es6.__awaiter(this, void 0, void 0, function* () {
         const cookieStore = yield headers.cookies();
         const headerList = yield headers.headers();
-        return server$1.extractFingerprintFromNextStores({
+        return server.extractFingerprintFromNextStores({
             headers: headerList,
             cookies: cookieStore,
         });
@@ -19,7 +19,9 @@ function readFingerprintIdFromRequest() {
 }
 function getMoneyPriceInitUserContext() {
     return tslib_es6.__awaiter(this, void 0, void 0, function* () {
-        const { userId: clerkUserId } = yield server.auth();
+        var _a;
+        const authIdentity = yield authUtils.getOptionalServerAuthIdentity();
+        const clerkUserId = (_a = authIdentity === null || authIdentity === void 0 ? void 0 : authIdentity.providerUserId) !== null && _a !== void 0 ? _a : null;
         if (clerkUserId) {
             const userContext = yield userContextService.fetchUserContextByClerkUserId(clerkUserId);
             if (!userContext) {

package/dist/lib/money-price-helper.mjs

@@ -1,7 +1,7 @@
 import { __awaiter } from '../node_modules/.pnpm/@rollup_plugin-typescript@12.1.4_rollup@4.46.2_tslib@2.8.1_typescript@5.9.3/node_modules/tslib/tslib.es6.mjs';
-import { auth } from '@clerk/nextjs/server';
 import { cookies, headers } from 'next/headers';
 import { extractFingerprintFromNextStores } from '@windrun-huaiin/third-ui/fingerprint/server';
+import { getOptionalServerAuthIdentity } from '../auth/auth-utils.mjs';
 import { fetchUserContextByClerkUserId, buildInitUserContextFromEntities } from '../services/context/user-context-service.mjs';
 import { finalizeUserContext } from '../services/context/user-context-finalizer.mjs';
 
@@ -17,7 +17,9 @@ function readFingerprintIdFromRequest() {
 }
 function getMoneyPriceInitUserContext() {
     return __awaiter(this, void 0, void 0, function* () {
-        const { userId: clerkUserId } = yield auth();
+        var _a;
+        const authIdentity = yield getOptionalServerAuthIdentity();
+        const clerkUserId = (_a = authIdentity === null || authIdentity === void 0 ? void 0 : authIdentity.providerUserId) !== null && _a !== void 0 ? _a : null;
         if (clerkUserId) {
             const userContext = yield fetchUserContextByClerkUserId(clerkUserId);
             if (!userContext) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@windrun-huaiin/backend-core",
-  "version": "14.3.0",
+  "version": "14.5.0",
   "description": "Shared backend primitives: Prisma schema/client, database services, routing helpers",
   "type": "module",
   "main": "./dist/index.js",
@@ -47,6 +47,21 @@
       "import": "./dist/lib/index.mjs",
       "require": "./dist/lib/index.js"
     },
+    "./auth/server": {
+      "types": "./dist/auth/auth-utils.d.ts",
+      "import": "./dist/auth/auth-utils.mjs",
+      "require": "./dist/auth/auth-utils.js"
+    },
+    "./auth/shared": {
+      "types": "./dist/auth/auth-shared.d.ts",
+      "import": "./dist/auth/auth-shared.mjs",
+      "require": "./dist/auth/auth-shared.js"
+    },
+    "./auth/middleware": {
+      "types": "./dist/auth/auth-middleware.d.ts",
+      "import": "./dist/auth/auth-middleware.mjs",
+      "require": "./dist/auth/auth-middleware.js"
+    },
     "./app/api/webhook/stripe/route": {
       "types": "./dist/app/api/webhook/stripe/route.d.ts",
       "import": "./dist/app/api/webhook/stripe/route.mjs",
@@ -94,8 +109,8 @@
     "stripe": "20.0.0",
     "svix": "^1.86.0",
     "zod": "^4.3.6",
-    "@windrun-huaiin/lib": "^14.0.1",
-    "@windrun-huaiin/third-ui": "^14.2.0"
+    "@windrun-huaiin/third-ui": "^14.5.0",
+    "@windrun-huaiin/lib": "^14.0.1"
   },
   "devDependencies": {
     "@rollup/plugin-alias": "^5.1.1",

package/src/app/api/stripe/checkout/route.ts

@@ -12,7 +12,7 @@ import {
   PaySupplier,
   PaymentStatus
 } from '@/db/index';
-import { ApiAuthUtils } from '@/lib/auth-utils';
+import { ApiAuthUtils } from '@/auth/auth-utils';
 import { getPriceConfig } from '@/lib/money-price-config';
 
 // Request validation schema

package/src/app/api/stripe/customer-portal/route.ts

@@ -4,7 +4,7 @@ import {
   createCustomerPortalSession,
   createOrGetCustomer,
 } from '@/lib/stripe-config';
-import { ApiAuthUtils } from '@/lib/auth-utils';
+import { ApiAuthUtils } from '@/auth/auth-utils';
 import { subscriptionService } from '@/db/index';
 
 const createCustomerPortalSchema = z

package/src/app/api/user/anonymous/init/route.ts

@@ -6,9 +6,9 @@
 };
 
 import { anonymousAggregateService } from '@/aggregate/anonymous.aggregate.service';
+import { getOptionalServerAuthIdentity } from '@/auth/auth-utils';
 import type { XCredit, XSubscription, XUser } from '@windrun-huaiin/third-ui/fingerprint';
 import { extractFingerprintFromNextRequest } from '@windrun-huaiin/third-ui/fingerprint/server';
-import { auth } from '@clerk/nextjs/server';
 import { NextRequest, NextResponse } from 'next/server';
 import {
   fetchLatestUserContextByFingerprintId,
@@ -650,7 +650,8 @@ async function handleFingerprintRequest(request: NextRequest, options: { createI
   }
   console.log('Received fingerprintId:', fingerprintId);
 
-  const { userId: clerkUserId } = await auth();
+  const authIdentity = await getOptionalServerAuthIdentity();
+  const clerkUserId = authIdentity?.providerUserId ?? null;
   try {
     // 优先根据 Clerk ID 查询（如果已登录）
     let existingUserResult: XUserResponse | null = null;

package/src/auth/auth-middleware.ts

@@ -0,0 +1,109 @@
+import type { ClerkMiddlewareAuth } from '@clerk/nextjs/server';
+import { NextRequest, NextResponse } from 'next/server';
+import { AUTH_HEADERS, type ProviderIdentity } from './auth-shared';
+
+export function buildProtectedPageRoutePatterns(
+  protectedRoots: readonly string[],
+  locales: readonly string[]
+): string[] {
+  const uniqueRoots = [...new Set(protectedRoots)]
+    .map((root) => root.trim())
+    .filter(Boolean)
+    .map((root) => (root.startsWith('/') ? root : `/${root}`))
+    .map((root) => root.replace(/\/+$/, ''));
+
+  const uniqueLocales = [...new Set(locales)]
+    .map((locale) => locale.trim())
+    .filter(Boolean);
+
+  const patterns = new Set<string>();
+
+  for (const root of uniqueRoots) {
+    patterns.add(`${root}(.*)`);
+
+    for (const locale of uniqueLocales) {
+      patterns.add(`/${locale}${root}(.*)`);
+    }
+  }
+
+  return [...patterns];
+}
+
+export interface AuthMiddlewareOptions {
+  protectedPageRoutes: (req: NextRequest) => boolean;
+  protectedApiRoutes: (req: NextRequest) => boolean;
+  publicApiRoutes: (req: NextRequest) => boolean;
+  intlMiddleware: (req: NextRequest) => ReturnType<typeof NextResponse.next> | Response | undefined;
+}
+
+async function authenticateWithClerk(auth: ClerkMiddlewareAuth): Promise<ProviderIdentity | null> {
+  const { userId } = await auth();
+  if (!userId) {
+    return null;
+  }
+
+  return {
+    provider: 'clerk',
+    providerUserId: userId,
+  };
+}
+
+export function buildAuthenticatedRequestHeaders(
+  req: NextRequest,
+  auth: ProviderIdentity
+): Headers {
+  const headers = new Headers(req.headers);
+  headers.set(AUTH_HEADERS.provider, auth.provider);
+  headers.set(AUTH_HEADERS.providerUserId, auth.providerUserId);
+  return headers;
+}
+
+export async function handleAuthMiddleware(
+  auth: ClerkMiddlewareAuth,
+  req: NextRequest,
+  options: AuthMiddlewareOptions
+) {
+  const { protectedPageRoutes, protectedApiRoutes, publicApiRoutes, intlMiddleware } = options;
+
+  if (protectedPageRoutes(req)) {
+    const identity = await authenticateWithClerk(auth);
+    if (!identity) {
+      return (await auth()).redirectToSignIn();
+    }
+    const requestHeaders = buildAuthenticatedRequestHeaders(req, identity);
+    console.log('Forward auth context for protected page:', identity.provider, identity.providerUserId);
+    return intlMiddleware(
+      new NextRequest(req.url, {
+        headers: requestHeaders,
+        method: req.method,
+        body: req.body,
+      })
+    );
+  }
+
+  if (protectedApiRoutes(req)) {
+    const identity = await authenticateWithClerk(auth);
+    if (!identity) {
+      return (await auth()).redirectToSignIn();
+    }
+    const requestHeaders = buildAuthenticatedRequestHeaders(req, identity);
+    console.log('Forward auth context for protected API:', identity.provider, identity.providerUserId);
+    return NextResponse.next({
+      request: {
+        headers: requestHeaders,
+      },
+    });
+  }
+
+  if (publicApiRoutes(req)) {
+    console.log('Public API route, no auth required:', req.nextUrl.pathname);
+    return NextResponse.next();
+  }
+
+  if (req.nextUrl.pathname.startsWith('/api/')) {
+    console.log('Other API route, no internationalization:', req.nextUrl.pathname);
+    return NextResponse.next();
+  }
+
+  return null;
+}

package/src/auth/auth-shared.ts

@@ -0,0 +1,16 @@
+export const AUTH_HEADERS = {
+  provider: 'x-auth-provider',
+  providerUserId: 'x-auth-provider-user-id',
+} as const;
+
+export const AUTH_ERRORS = {
+  unauthorized: 'UNAUTHORIZED',
+  userNotFound: 'USER_NOT_FOUND',
+} as const;
+
+export type AuthProvider = 'clerk';
+
+export interface ProviderIdentity {
+  provider: AuthProvider;
+  providerUserId: string;
+}

package/src/{lib → auth}/auth-utils.ts

@@ -1,6 +1,8 @@
 import { NextRequest } from 'next/server';
+import { auth } from '@clerk/nextjs/server';
 import { userService } from '../services/database/index';
 import { User } from '../services/database/prisma-model-type';
+import { AUTH_ERRORS, AUTH_HEADERS, type AuthProvider, type ProviderIdentity } from './auth-shared';
 
 /**
  * 认证结果类型
@@ -8,7 +10,8 @@ import { User } from '../services/database/prisma-model-type';
 export interface AuthResult {
   userId: string;
   user: User;
-  clerkUserId: string;
+  provider: AuthProvider;
+  providerUserId: string;
 }
 
 /**
@@ -16,20 +19,22 @@ export interface AuthResult {
  */
 export async function getAuthenticatedUser(req: NextRequest): Promise<AuthResult> {
   try {
-    const clerkUserId = req.headers.get('x-clerk-user-id');
-    if (!clerkUserId) {
-      throw new Error('Authentication required');
+    const provider = req.headers.get(AUTH_HEADERS.provider);
+    const providerUserId = req.headers.get(AUTH_HEADERS.providerUserId);
+    if (provider !== 'clerk' || !providerUserId) {
+      throw new Error(AUTH_ERRORS.unauthorized);
     }
-    
-    const user = await userService.findByClerkUserId(clerkUserId);
+
+    const user = await userService.findByClerkUserId(providerUserId);
     if (!user) {
-      throw new Error('User not found in database');
+      throw new Error(AUTH_ERRORS.userNotFound);
     }
-    
+
     return {
       userId: user.userId,
       user,
-      clerkUserId
+      provider: 'clerk',
+      providerUserId,
     };
   } catch (error) {
     console.error('Error getting authenticated user:', error);
@@ -52,6 +57,55 @@ export async function requireAuthWithUser(req: NextRequest): Promise<AuthResult>
   return await getAuthenticatedUser(req);
 }
 
+/**
+ * 服务端场景下获取当前已认证身份（如果存在）
+ * 适用于只依赖登录态、不需要查询业务用户的逻辑
+ */
+export async function getOptionalServerAuthIdentity(): Promise<ProviderIdentity | null> {
+  try {
+    const { userId: providerUserId } = await auth();
+    if (!providerUserId) {
+      return null;
+    }
+
+    return {
+      provider: 'clerk',
+      providerUserId,
+    };
+  } catch (error) {
+    console.error('Error getting optional server auth identity:', error);
+    return null;
+  }
+}
+
+/**
+ * 服务端场景下获取当前已认证用户（如果存在）
+ * 适用于 Server Component / Server Action 中基于登录态控制展示的逻辑
+ */
+export async function getOptionalServerAuthUser(): Promise<AuthResult | null> {
+  try {
+    const identity = await getOptionalServerAuthIdentity();
+    if (!identity) {
+      return null;
+    }
+
+    const user = await userService.findByClerkUserId(identity.providerUserId);
+    if (!user) {
+      return null;
+    }
+
+    return {
+      userId: user.userId,
+      user,
+      provider: identity.provider,
+      providerUserId: identity.providerUserId,
+    };
+  } catch (error) {
+    console.error('Error getting optional server auth user:', error);
+    return null;
+  }
+}
+
 /**
  * API Route版本的认证工具函数
  */
@@ -98,4 +152,4 @@ export class ApiAuthUtils {
       return null;
     }
   }
-}
+}

package/src/lib/index.ts

@@ -3,6 +3,5 @@ export * from './money-price-helper';
 export * from './fingerprint-config';
 export * from './credit-init';
 export * from './stripe-config';
-export * from './auth-utils';
 export * from './upstash-config';
 export * from './upstash';

package/src/lib/money-price-helper.ts

@@ -1,9 +1,9 @@
-import { auth } from '@clerk/nextjs/server';
 import { cookies, headers } from 'next/headers';
 import {
   extractFingerprintFromNextStores,
 } from '@windrun-huaiin/third-ui/fingerprint/server';
 import type { InitUserContext } from '@windrun-huaiin/third-ui/main/server';
+import { getOptionalServerAuthIdentity } from '../auth/auth-utils';
 import {
   buildInitUserContextFromEntities,
   fetchUserContextByClerkUserId,
@@ -21,7 +21,8 @@ async function readFingerprintIdFromRequest(): Promise<string | null> {
 }
 
 export async function getMoneyPriceInitUserContext(): Promise<InitUserContext> {
-  const { userId: clerkUserId } = await auth();
+  const authIdentity = await getOptionalServerAuthIdentity();
+  const clerkUserId = authIdentity?.providerUserId ?? null;
 
   if (clerkUserId) {
     const userContext = await fetchUserContextByClerkUserId(clerkUserId);