openxiangda 1.0.87 → 1.0.88

package/README.md

@@ -176,6 +176,8 @@ const affiliatedDepartmentExternalId = user?.affiliatedDepartment?.externalId
 
 React SPA 新应用的无需登录访问统一使用 `/view/:appType/public/*`。应用在 `src/resources/routes/*.json` 声明公开路由，在 `src/resources/public-access/*.json` 声明公开策略、外部角色和可访问资源 grant，页面用 `PublicAccessGate` 或 `createPublicAccessClient` 创建 scoped public session。公开 guest 的 form、dataView、function、connector 默认全部拒绝，只有 policy `grants` 明确列出的资源可访问，并且仍受对应表单权限组、dataView 权限组等后端权限控制。
 
+`mode: "ticket"` 的公开策略默认按单次 ticket 使用；只有明确配置 `ticketConfig.singleUse: false` 时才允许复用。新 public session 只返回 bearer token，SDK 会把 token 注入后续 runtime/bootstrap、dataView、function、connector 请求，不依赖认证 cookie。
+
 旧 `?publicAccess=guest` 和表单 `settings/forms/*.json` 里的 `publicAccess` 只用于旧 `sy-lowcode-view` 兼容。新 React SPA 应用不要再设计或生成这种链接。
 
 ```json

package/openxiangda-skills/references/openxiangda-api.md

@@ -263,10 +263,12 @@ Body:
 ```json
 {
   "expiresAt": "2026-06-18T12:00:00.000Z",
-  "subject": { "usage": "single-use" }
+  "subject": { "scenario": "score-link" }
 }
 ```
 
+Tickets are single-use by default. Set policy `ticketConfig.singleUse: false` only when the link is intentionally reusable.
+
 ### POST `/apps/:appType/public/session`
 
 Does not require an existing login. Creates a scoped public guest session.
@@ -285,6 +287,8 @@ Body:
 }
 ```
 
+The response returns a scoped bearer token. New React SPA apps must use `PublicAccessGate` or `createPublicAccessClient` so follow-up runtime/bootstrap, dataView, function, and connector calls include `Authorization: Bearer <token>`. Do not depend on auth cookies for public sessions.
+
 Returns the normal guest token payload plus `extra.publicAccess`.
 
 ### GET `/apps/:appType/menus`

package/openxiangda-skills/references/pages/page-sdk.md

@@ -174,7 +174,7 @@ await publicAccess.startSession({
 });
 ```
 
-The matching resources must exist under `src/resources/routes/` and `src/resources/public-access/`. Public guest access to forms, data views, functions, and connectors is denied unless the policy `grants` explicitly names that resource.
+`PublicAccessGate` stores the returned bearer token in the runtime provider and injects it into follow-up SDK requests. If you call `createPublicAccessClient` directly outside the provider, pass the returned `accessToken` as `Authorization: Bearer <token>` for follow-up APIs. The matching resources must exist under `src/resources/routes/` and `src/resources/public-access/`. Public guest access to forms, data views, functions, and connectors is denied unless the policy `grants` explicitly names that resource.
 
 Logout and current-user role switching:
 

package/openxiangda-skills/references/resource-manifest-cheatsheet.md

@@ -157,13 +157,15 @@ Ticket 模式：
   "routeCode": "public.scoreLookup",
   "pathPattern": "/view/:appType/public/score",
   "externalRoleCodes": ["external_ticket_holder"],
-  "ticketConfig": { "ttlSeconds": 1800 },
+  "ticketConfig": { "ttlSeconds": 1800, "singleUse": true },
   "grants": {
     "dataViews": ["public_score_lookup"]
   }
 }
 ```
 
+Ticket 默认单次使用，首次换取 public session 后立即失效；只有明确配置 `ticketConfig.singleUse: false` 的业务场景才允许复用。
+
 `grants.forms` 可以写本地 `formCode`，CLI 发布时会解析为真实 `formUuid`。
 
 ## 3. Connector — `src/resources/connectors/<code>.json`

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "openxiangda",
-  "version": "1.0.87",
+  "version": "1.0.88",
   "description": "OpenXiangda CLI, workspace build tools, runtime SDK, and form components.",
   "private": false,
   "bin": {

package/packages/sdk/dist/runtime/index.cjs

@@ -4102,12 +4102,23 @@ var OpenXiangdaProvider = ({
     () => appType || resolveAppTypeFromLocation(),
     [appType]
   );
+  const [accessToken, setAccessTokenState] = (0, import_react8.useState)(null);
+  const setAccessToken = (0, import_react8.useCallback)(
+    (nextAccessToken) => {
+      setAccessTokenState(nextAccessToken || null);
+    },
+    []
+  );
+  const authorizedFetch = (0, import_react8.useMemo)(
+    () => createAuthorizedFetch(resolvedFetch, accessToken),
+    [accessToken, resolvedFetch]
+  );
   const [state, setState] = (0, import_react8.useState)({
     data: null,
     loading: true,
     error: null
   });
-  const reload = (0, import_react8.useCallback)(async () => {
+  const reload = (0, import_react8.useCallback)(async (options = {}) => {
     if (!resolvedAppType) {
       setState({
         data: null,
@@ -4120,8 +4131,9 @@ var OpenXiangdaProvider = ({
       return;
     }
     setState((prev) => ({ ...prev, loading: true, error: null }));
+    const requestFetch = options.accessToken !== void 0 ? createAuthorizedFetch(resolvedFetch, options.accessToken || null) : authorizedFetch;
     try {
-      const response = await resolvedFetch(
+      const response = await requestFetch(
         buildServiceUrl3(
           servicePrefix,
           `/openxiangda-api/v1/apps/${encodeURIComponent(
@@ -4153,7 +4165,7 @@ var OpenXiangdaProvider = ({
         error: normalizeRuntimeError(error)
       });
     }
-  }, [resolvedAppType, resolvedFetch, servicePrefix]);
+  }, [authorizedFetch, resolvedAppType, resolvedFetch, servicePrefix]);
   (0, import_react8.useEffect)(() => {
     void reload();
   }, [reload]);
@@ -4162,10 +4174,11 @@ var OpenXiangdaProvider = ({
       ...state,
       appType: resolvedAppType,
       servicePrefix,
-      fetchImpl: resolvedFetch,
-      reload
+      fetchImpl: authorizedFetch,
+      reload,
+      setAccessToken
     }),
-    [reload, resolvedAppType, resolvedFetch, servicePrefix, state]
+    [authorizedFetch, reload, resolvedAppType, servicePrefix, state]
   );
   return /* @__PURE__ */ (0, import_jsx_runtime4.jsx)(OpenXiangdaRuntimeContext.Provider, { value, children });
 };
@@ -4432,6 +4445,19 @@ var buildServiceUrl3 = (servicePrefix, path) => {
   const suffix = path.startsWith("/") ? path : `/${path}`;
   return `${prefix2}${suffix}`;
 };
+var createAuthorizedFetch = (baseFetch, accessToken) => {
+  if (!accessToken) return baseFetch;
+  return ((input, init = {}) => {
+    const headers = new Headers(init.headers || {});
+    if (!headers.has("authorization")) {
+      headers.set("authorization", `Bearer ${accessToken}`);
+    }
+    return baseFetch(input, {
+      ...init,
+      headers
+    });
+  });
+};
 var readJsonPayload = async (response) => {
   try {
     return await response.json();
@@ -4555,7 +4581,8 @@ var usePublicAccess = (options = {}) => {
     appType: runtimeAppType,
     servicePrefix: runtimeServicePrefix,
     fetchImpl: runtimeFetchImpl,
-    reload: reloadRuntime
+    reload: reloadRuntime,
+    setAccessToken
   } = runtime;
   const {
     appType = runtimeAppType,
@@ -4589,7 +4616,8 @@ var usePublicAccess = (options = {}) => {
           path: input.path || stableSessionInput.path || readPathFromLocation()
         });
         setSession(data);
-        await reloadRuntime();
+        setAccessToken(data.accessToken);
+        await reloadRuntime({ accessToken: data.accessToken });
         setLoading(false);
         return data;
       } catch (caught) {
@@ -4602,7 +4630,7 @@ var usePublicAccess = (options = {}) => {
         throw nextError;
       }
     },
-    [client, reloadRuntime, stableSessionInput]
+    [client, reloadRuntime, setAccessToken, stableSessionInput]
   );
   (0, import_react9.useEffect)(() => {
     if (!autoStart) return;