sa2kit 1.0.0

package/dist/chunk-6BL3AZGD.js

@@ -0,0 +1,285 @@
+'use strict';
+
+var chunkSVWQN2LR_js = require('./chunk-SVWQN2LR.js');
+var drizzleOrm = require('drizzle-orm');
+var crypto = require('crypto');
+var bcrypt = require('bcryptjs');
+var jwt = require('jsonwebtoken');
+
+function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
+
+var bcrypt__default = /*#__PURE__*/_interopDefault(bcrypt);
+var jwt__default = /*#__PURE__*/_interopDefault(jwt);
+
+async function hashPassword(password, saltRounds = 12) {
+  return bcrypt__default.default.hash(password, saltRounds);
+}
+async function verifyPassword(password, hashedPassword) {
+  return bcrypt__default.default.compare(password, hashedPassword);
+}
+function generateToken(payload, secret, expiresIn = "7d") {
+  return jwt__default.default.sign(payload, secret, { expiresIn });
+}
+function verifyJwtToken(token, secret) {
+  return jwt__default.default.verify(token, secret);
+}
+function getTokenFromRequest(request) {
+  const cookieHeader = request.headers.get("Cookie");
+  if (cookieHeader) {
+    const match = cookieHeader.match(/auth_token=([^;]+)/);
+    if (match && match[1]) {
+      return match[1];
+    }
+  }
+  const authHeader = request.headers.get("Authorization");
+  if (authHeader && authHeader.startsWith("Bearer ")) {
+    const token = authHeader.substring(7);
+    return token || null;
+  }
+  return null;
+}
+
+// src/auth/services/drizzle-auth-service.ts
+var DrizzleAuthService = class {
+  constructor(config) {
+    this.config = {
+      db: config.db,
+      jwtSecret: config.jwtSecret,
+      jwtExpiresIn: config.jwtExpiresIn || "7d",
+      saltRounds: config.saltRounds || 12,
+      checkSecretStrength: config.checkSecretStrength !== false
+    };
+    this.validateConfig();
+  }
+  /**
+   * 验证配置
+   */
+  validateConfig() {
+    if (!this.config.jwtSecret) {
+      throw new Error(
+        `JWT_SECRET is required. Please provide jwtSecret in config. You can generate a secure secret with: node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"`
+      );
+    }
+    if (this.config.checkSecretStrength && process.env.NODE_ENV === "production" && this.config.jwtSecret.length < 32) {
+      throw new Error(
+        `JWT_SECRET is too short (${this.config.jwtSecret.length} chars, minimum 32 required in production)`
+      );
+    }
+  }
+  /**
+   * 用户注册
+   */
+  async signUp(email, password, username, role = "USER") {
+    try {
+      const existingUser = await this.config.db.select().from(chunkSVWQN2LR_js.user).where(drizzleOrm.eq(chunkSVWQN2LR_js.user.email, email)).limit(1);
+      if (existingUser.length > 0) {
+        throw new Error("\u7528\u6237\u5DF2\u5B58\u5728");
+      }
+      const hashedPassword = await hashPassword(password, this.config.saltRounds);
+      const [newUser] = await this.config.db.insert(chunkSVWQN2LR_js.user).values({
+        id: crypto.randomBytes(16).toString("hex"),
+        email,
+        password: hashedPassword,
+        username: username || email.split("@")[0],
+        role,
+        emailVerified: false,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+        updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+      }).returning();
+      const token = generateToken(
+        {
+          userId: newUser.id,
+          email: newUser.email,
+          role: newUser.role
+        },
+        this.config.jwtSecret,
+        this.config.jwtExpiresIn
+      );
+      await this.createSession(newUser.id, token);
+      return {
+        user: {
+          id: newUser.id,
+          email: newUser.email,
+          username: newUser.username,
+          role: newUser.role
+        },
+        token
+      };
+    } catch (error) {
+      throw error;
+    }
+  }
+  /**
+   * 用户登录
+   */
+  async signIn(email, password) {
+    try {
+      const [foundUser] = await this.config.db.select().from(chunkSVWQN2LR_js.user).where(drizzleOrm.eq(chunkSVWQN2LR_js.user.email, email)).limit(1);
+      if (!foundUser) {
+        throw new Error("\u90AE\u7BB1\u6216\u5BC6\u7801\u9519\u8BEF");
+      }
+      if (!foundUser.password) {
+        throw new Error("\u7528\u6237\u5BC6\u7801\u672A\u8BBE\u7F6E");
+      }
+      const isPasswordValid = await verifyPassword(password, foundUser.password);
+      if (!isPasswordValid) {
+        throw new Error("\u90AE\u7BB1\u6216\u5BC6\u7801\u9519\u8BEF");
+      }
+      const token = generateToken(
+        {
+          userId: foundUser.id,
+          email: foundUser.email,
+          role: foundUser.role
+        },
+        this.config.jwtSecret,
+        this.config.jwtExpiresIn
+      );
+      await this.createSession(foundUser.id, token);
+      return {
+        user: {
+          id: foundUser.id,
+          email: foundUser.email,
+          username: foundUser.username,
+          role: foundUser.role
+        },
+        token
+      };
+    } catch (error) {
+      throw error;
+    }
+  }
+  /**
+   * 验证 Token
+   */
+  async verifyToken(token) {
+    try {
+      const decoded = verifyJwtToken(token, this.config.jwtSecret);
+      const [foundSession] = await this.config.db.select().from(chunkSVWQN2LR_js.session).where(
+        drizzleOrm.and(drizzleOrm.eq(chunkSVWQN2LR_js.session.token, token), drizzleOrm.gt(chunkSVWQN2LR_js.session.expiresAt, (/* @__PURE__ */ new Date()).toISOString()))
+      ).limit(1);
+      if (!foundSession) {
+        throw new Error("\u4F1A\u8BDD\u65E0\u6548\u6216\u5DF2\u8FC7\u671F");
+      }
+      const [foundUser] = await this.config.db.select().from(chunkSVWQN2LR_js.user).where(drizzleOrm.eq(chunkSVWQN2LR_js.user.id, decoded.userId)).limit(1);
+      if (!foundUser) {
+        throw new Error("\u7528\u6237\u4E0D\u5B58\u5728");
+      }
+      return {
+        user: {
+          id: foundUser.id,
+          email: foundUser.email,
+          username: foundUser.username,
+          role: foundUser.role
+        },
+        session: foundSession
+      };
+    } catch (error) {
+      throw error;
+    }
+  }
+  /**
+   * 创建会话
+   */
+  async createSession(userId, token, ipAddress, userAgent) {
+    const expiresAt = /* @__PURE__ */ new Date();
+    expiresAt.setDate(expiresAt.getDate() + 7);
+    await this.config.db.insert(chunkSVWQN2LR_js.session).values({
+      id: crypto.randomBytes(16).toString("hex"),
+      userId,
+      token,
+      expiresAt: expiresAt.toISOString(),
+      ipAddress,
+      userAgent,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  }
+  /**
+   * 删除会话（登出）
+   */
+  async signOut(token) {
+    try {
+      await this.config.db.delete(chunkSVWQN2LR_js.session).where(drizzleOrm.eq(chunkSVWQN2LR_js.session.token, token));
+      return { success: true };
+    } catch (error) {
+      throw error;
+    }
+  }
+  /**
+   * 获取会话
+   */
+  async getSession(token) {
+    try {
+      return await this.verifyToken(token);
+    } catch (error) {
+      return null;
+    }
+  }
+  /**
+   * 检查管理员权限
+   */
+  async requireAdmin(token) {
+    const result = await this.verifyToken(token);
+    if (!["ADMIN", "SUPER_ADMIN"].includes(result.user.role)) {
+      throw new Error("\u9700\u8981\u7BA1\u7406\u5458\u6743\u9650");
+    }
+    return result;
+  }
+  /**
+   * 检查超级管理员权限
+   */
+  async requireSuperAdmin(token) {
+    const result = await this.verifyToken(token);
+    if (result.user.role !== "SUPER_ADMIN") {
+      throw new Error("\u9700\u8981\u8D85\u7EA7\u7BA1\u7406\u5458\u6743\u9650");
+    }
+    return result;
+  }
+  /**
+   * 通过用户 ID 获取用户信息
+   */
+  async getUserById(userId) {
+    try {
+      const [foundUser] = await this.config.db.select().from(chunkSVWQN2LR_js.user).where(drizzleOrm.eq(chunkSVWQN2LR_js.user.id, userId)).limit(1);
+      if (!foundUser) {
+        return null;
+      }
+      return {
+        id: foundUser.id,
+        email: foundUser.email,
+        username: foundUser.username,
+        role: foundUser.role
+      };
+    } catch (error) {
+      return null;
+    }
+  }
+  /**
+   * 通过邮箱获取用户信息
+   */
+  async getUserByEmail(email) {
+    try {
+      const [foundUser] = await this.config.db.select().from(chunkSVWQN2LR_js.user).where(drizzleOrm.eq(chunkSVWQN2LR_js.user.email, email)).limit(1);
+      if (!foundUser) {
+        return null;
+      }
+      return {
+        id: foundUser.id,
+        email: foundUser.email,
+        username: foundUser.username,
+        role: foundUser.role
+      };
+    } catch (error) {
+      return null;
+    }
+  }
+};
+
+exports.DrizzleAuthService = DrizzleAuthService;
+exports.generateToken = generateToken;
+exports.getTokenFromRequest = getTokenFromRequest;
+exports.hashPassword = hashPassword;
+exports.verifyJwtToken = verifyJwtToken;
+exports.verifyPassword = verifyPassword;
+//# sourceMappingURL=chunk-6BL3AZGD.js.map
+//# sourceMappingURL=chunk-6BL3AZGD.js.map

package/dist/chunk-6BL3AZGD.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/auth/services/password-utils.ts","../src/auth/services/token-utils.ts","../src/auth/services/drizzle-auth-service.ts"],"names":["bcrypt","jwt","user","eq","randomBytes","session","and","gt"],"mappings":";;;;;;;;;;;;;AAUA,eAAsB,YAAA,CAAa,QAAA,EAAkB,UAAA,GAAqB,EAAA,EAAqB;AAC7F,EAAA,OAAOA,uBAAA,CAAO,IAAA,CAAK,QAAA,EAAU,UAAU,CAAA;AACzC;AAKA,eAAsB,cAAA,CAAe,UAAkB,cAAA,EAA0C;AAC/F,EAAA,OAAOA,uBAAA,CAAO,OAAA,CAAQ,QAAA,EAAU,cAAc,CAAA;AAChD;ACGO,SAAS,aAAA,CACd,OAAA,EACA,MAAA,EACA,SAAA,GAA6B,IAAA,EACrB;AACR,EAAA,OAAOC,qBAAI,IAAA,CAAK,OAAA,EAAS,MAAA,EAAQ,EAAE,WAA8B,CAAA;AACnE;AAKO,SAAS,cAAA,CAAe,OAAe,MAAA,EAA4B;AACxE,EAAA,OAAOA,oBAAA,CAAI,MAAA,CAAO,KAAA,EAAO,MAAM,CAAA;AACjC;AAMO,SAAS,oBAAoB,OAAA,EAAiC;AAEnE,EAAA,MAAM,YAAA,GAAe,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,QAAQ,CAAA;AACjD,EAAA,IAAI,YAAA,EAAc;AAEhB,IAAA,MAAM,KAAA,GAAQ,YAAA,CAAa,KAAA,CAAM,oBAAoB,CAAA;AACrD,IAAA,IAAI,KAAA,IAAS,KAAA,CAAM,CAAC,CAAA,EAAG;AACrB,MAAA,OAAO,MAAM,CAAC,CAAA;AAAA,IAChB;AAAA,EACF;AAGA,EAAA,MAAM,UAAA,GAAa,OAAA,CAAQ,OAAA,CAAQ,GAAA,CAAI,eAAe,CAAA;AACtD,EAAA,IAAI,UAAA,IAAc,UAAA,CAAW,UAAA,CAAW,SAAS,CAAA,EAAG;AAClD,IAAA,MAAM,KAAA,GAAQ,UAAA,CAAW,SAAA,CAAU,CAAC,CAAA;AACpC,IAAA,OAAO,KAAA,IAAS,IAAA;AAAA,EAClB;AAEA,EAAA,OAAO,IAAA;AACT;;;ACpBO,IAAM,qBAAN,MAAyB;AAAA,EAG9B,YAAY,MAAA,EAA2B;AAErC,IAAA,IAAA,CAAK,MAAA,GAAS;AAAA,MACZ,IAAI,MAAA,CAAO,EAAA;AAAA,MACX,WAAW,MAAA,CAAO,SAAA;AAAA,MAClB,YAAA,EAAc,OAAO,YAAA,IAAgB,IAAA;AAAA,MACrC,UAAA,EAAY,OAAO,UAAA,IAAc,EAAA;AAAA,MACjC,mBAAA,EAAqB,OAAO,mBAAA,KAAwB;AAAA,KACtD;AAGA,IAAA,IAAA,CAAK,cAAA,EAAe;AAAA,EACtB;AAAA;AAAA;AAAA;AAAA,EAKQ,cAAA,GAAuB;AAC7B,IAAA,IAAI,CAAC,IAAA,CAAK,MAAA,CAAO,SAAA,EAAW;AAC1B,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,2KAAA;AAAA,OAEF;AAAA,IACF;AAGA,IAAA,IACE,IAAA,CAAK,MAAA,CAAO,mBAAA,IACZ,OAAA,CAAQ,GAAA,CAAI,QAAA,KAAa,YAAA,IACzB,IAAA,CAAK,MAAA,CAAO,SAAA,CAAU,MAAA,GAAS,EAAA,EAC/B;AACA,MAAA,MAAM,IAAI,KAAA;AAAA,QACR,CAAA,yBAAA,EAA4B,IAAA,CAAK,MAAA,CAAO,SAAA,CAAU,MAAM,CAAA,0CAAA;AAAA,OAC1D;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAA,CACJ,KAAA,EACA,QAAA,EACA,QAAA,EACA,OAAiB,MAAA,EACI;AACrB,IAAA,IAAI;AAEF,MAAA,MAAM,eAAe,MAAM,IAAA,CAAK,OAAO,EAAA,CACpC,MAAA,GACA,IAAA,CAAKC,qBAAI,CAAA,CACT,KAAA,CAAMC,cAAGD,qBAAA,CAAK,KAAA,EAAO,KAAK,CAAC,CAAA,CAC3B,MAAM,CAAC,CAAA;AAEV,MAAA,IAAI,YAAA,CAAa,SAAS,CAAA,EAAG;AAC3B,QAAA,MAAM,IAAI,MAAM,gCAAO,CAAA;AAAA,MACzB;AAGA,MAAA,MAAM,iBAAiB,MAAM,YAAA,CAAa,QAAA,EAAU,IAAA,CAAK,OAAO,UAAU,CAAA;AAG1E,MAAA,MAAM,CAAC,OAAO,CAAA,GAAI,MAAM,IAAA,CAAK,OAAO,EAAA,CACjC,MAAA,CAAOA,qBAAI,CAAA,CACX,MAAA,CAAO;AAAA,QACN,EAAA,EAAIE,kBAAA,CAAY,EAAE,CAAA,CAAE,SAAS,KAAK,CAAA;AAAA,QAClC,KAAA;AAAA,QACA,QAAA,EAAU,cAAA;AAAA,QACV,UAAU,QAAA,IAAY,KAAA,CAAM,KAAA,CAAM,GAAG,EAAE,CAAC,CAAA;AAAA,QACxC,IAAA;AAAA,QACA,aAAA,EAAe,KAAA;AAAA,QACf,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,QAClC,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,OACnC,EACA,SAAA,EAAU;AAGb,MAAA,MAAM,KAAA,GAAQ,aAAA;AAAA,QACZ;AAAA,UACE,QAAQ,OAAA,CAAQ,EAAA;AAAA,UAChB,OAAO,OAAA,CAAQ,KAAA;AAAA,UACf,MAAM,OAAA,CAAQ;AAAA,SAChB;AAAA,QACA,KAAK,MAAA,CAAO,SAAA;AAAA,QACZ,KAAK,MAAA,CAAO;AAAA,OACd;AAGA,MAAA,MAAM,IAAA,CAAK,aAAA,CAAc,OAAA,CAAQ,EAAA,EAAI,KAAK,CAAA;AAE1C,MAAA,OAAO;AAAA,QACL,IAAA,EAAM;AAAA,UACJ,IAAI,OAAA,CAAQ,EAAA;AAAA,UACZ,OAAO,OAAA,CAAQ,KAAA;AAAA,UACf,UAAU,OAAA,CAAQ,QAAA;AAAA,UAClB,MAAM,OAAA,CAAQ;AAAA,SAChB;AAAA,QACA;AAAA,OACF;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,MAAA,CAAO,KAAA,EAAe,QAAA,EAAuC;AACjE,IAAA,IAAI;AAEF,MAAA,MAAM,CAAC,SAAS,CAAA,GAAI,MAAM,KAAK,MAAA,CAAO,EAAA,CACnC,QAAO,CACP,IAAA,CAAKF,qBAAI,CAAA,CACT,KAAA,CAAMC,cAAGD,qBAAA,CAAK,KAAA,EAAO,KAAK,CAAC,CAAA,CAC3B,MAAM,CAAC,CAAA;AAEV,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,MAAM,IAAI,MAAM,4CAAS,CAAA;AAAA,MAC3B;AAGA,MAAA,IAAI,CAAC,UAAU,QAAA,EAAU;AACvB,QAAA,MAAM,IAAI,MAAM,4CAAS,CAAA;AAAA,MAC3B;AAEA,MAAA,MAAM,eAAA,GAAkB,MAAM,cAAA,CAAe,QAAA,EAAU,UAAU,QAAQ,CAAA;AACzE,MAAA,IAAI,CAAC,eAAA,EAAiB;AACpB,QAAA,MAAM,IAAI,MAAM,4CAAS,CAAA;AAAA,MAC3B;AAGA,MAAA,MAAM,KAAA,GAAQ,aAAA;AAAA,QACZ;AAAA,UACE,QAAQ,SAAA,CAAU,EAAA;AAAA,UAClB,OAAO,SAAA,CAAU,KAAA;AAAA,UACjB,MAAM,SAAA,CAAU;AAAA,SAClB;AAAA,QACA,KAAK,MAAA,CAAO,SAAA;AAAA,QACZ,KAAK,MAAA,CAAO;AAAA,OACd;AAGA,MAAA,MAAM,IAAA,CAAK,aAAA,CAAc,SAAA,CAAU,EAAA,EAAI,KAAK,CAAA;AAE5C,MAAA,OAAO;AAAA,QACL,IAAA,EAAM;AAAA,UACJ,IAAI,SAAA,CAAU,EAAA;AAAA,UACd,OAAO,SAAA,CAAU,KAAA;AAAA,UACjB,UAAU,SAAA,CAAU,QAAA;AAAA,UACpB,MAAM,SAAA,CAAU;AAAA,SAClB;AAAA,QACA;AAAA,OACF;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAY,KAAA,EAAsC;AACtD,IAAA,IAAI;AAEF,MAAA,MAAM,OAAA,GAAU,cAAA,CAAe,KAAA,EAAO,IAAA,CAAK,OAAO,SAAS,CAAA;AAG3D,MAAA,MAAM,CAAC,YAAY,CAAA,GAAI,MAAM,IAAA,CAAK,MAAA,CAAO,EAAA,CACtC,MAAA,EAAO,CACP,IAAA,CAAKG,wBAAO,CAAA,CACZ,KAAA;AAAA,QACCC,cAAA,CAAIH,aAAA,CAAGE,wBAAA,CAAQ,KAAA,EAAO,KAAK,CAAA,EAAGE,aAAA,CAAGF,wBAAA,CAAQ,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAa,CAAC;AAAA,OAC/E,CACC,MAAM,CAAC,CAAA;AAEV,MAAA,IAAI,CAAC,YAAA,EAAc;AACjB,QAAA,MAAM,IAAI,MAAM,kDAAU,CAAA;AAAA,MAC5B;AAGA,MAAA,MAAM,CAAC,SAAS,CAAA,GAAI,MAAM,KAAK,MAAA,CAAO,EAAA,CACnC,QAAO,CACP,IAAA,CAAKH,qBAAI,CAAA,CACT,KAAA,CAAMC,cAAGD,qBAAA,CAAK,EAAA,EAAI,QAAQ,MAAM,CAAC,CAAA,CACjC,KAAA,CAAM,CAAC,CAAA;AAEV,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,MAAM,IAAI,MAAM,gCAAO,CAAA;AAAA,MACzB;AAEA,MAAA,OAAO;AAAA,QACL,IAAA,EAAM;AAAA,UACJ,IAAI,SAAA,CAAU,EAAA;AAAA,UACd,OAAO,SAAA,CAAU,KAAA;AAAA,UACjB,UAAU,SAAA,CAAU,QAAA;AAAA,UACpB,MAAM,SAAA,CAAU;AAAA,SAClB;AAAA,QACA,OAAA,EAAS;AAAA,OACX;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aAAA,CACJ,MAAA,EACA,KAAA,EACA,WACA,SAAA,EACe;AACf,IAAA,MAAM,SAAA,uBAAgB,IAAA,EAAK;AAC3B,IAAA,SAAA,CAAU,OAAA,CAAQ,SAAA,CAAU,OAAA,EAAQ,GAAI,CAAC,CAAA;AAEzC,IAAA,MAAM,KAAK,MAAA,CAAO,EAAA,CAAG,MAAA,CAAOG,wBAAO,EAAE,MAAA,CAAO;AAAA,MAC1C,EAAA,EAAID,kBAAA,CAAY,EAAE,CAAA,CAAE,SAAS,KAAK,CAAA;AAAA,MAClC,MAAA;AAAA,MACA,KAAA;AAAA,MACA,SAAA,EAAW,UAAU,WAAA,EAAY;AAAA,MACjC,SAAA;AAAA,MACA,SAAA;AAAA,MACA,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAAA,MAClC,SAAA,EAAA,iBAAW,IAAI,IAAA,EAAK,EAAE,WAAA;AAAY,KACnC,CAAA;AAAA,EACH;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,QAAQ,KAAA,EAA8C;AAC1D,IAAA,IAAI;AACF,MAAA,MAAM,IAAA,CAAK,MAAA,CAAO,EAAA,CAAG,MAAA,CAAOC,wBAAO,CAAA,CAAE,KAAA,CAAMF,aAAA,CAAGE,wBAAA,CAAQ,KAAA,EAAO,KAAK,CAAC,CAAA;AACnE,MAAA,OAAO,EAAE,SAAS,IAAA,EAAK;AAAA,IACzB,SAAS,KAAA,EAAO;AACd,MAAA,MAAM,KAAA;AAAA,IACR;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,WAAW,KAAA,EAA6C;AAC5D,IAAA,IAAI;AACF,MAAA,OAAO,MAAM,IAAA,CAAK,WAAA,CAAY,KAAK,CAAA;AAAA,IACrC,SAAS,KAAA,EAAO;AACd,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aAAa,KAAA,EAAsC;AACvD,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,WAAA,CAAY,KAAK,CAAA;AAC3C,IAAA,IAAI,CAAC,CAAC,OAAA,EAAS,aAAa,EAAE,QAAA,CAAS,MAAA,CAAO,IAAA,CAAK,IAAI,CAAA,EAAG;AACxD,MAAA,MAAM,IAAI,MAAM,4CAAS,CAAA;AAAA,IAC3B;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,kBAAkB,KAAA,EAAsC;AAC5D,IAAA,MAAM,MAAA,GAAS,MAAM,IAAA,CAAK,WAAA,CAAY,KAAK,CAAA;AAC3C,IAAA,IAAI,MAAA,CAAO,IAAA,CAAK,IAAA,KAAS,aAAA,EAAe;AACtC,MAAA,MAAM,IAAI,MAAM,wDAAW,CAAA;AAAA,IAC7B;AACA,IAAA,OAAO,MAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,YAAY,MAAA,EAA0C;AAC1D,IAAA,IAAI;AACF,MAAA,MAAM,CAAC,SAAS,CAAA,GAAI,MAAM,KAAK,MAAA,CAAO,EAAA,CACnC,QAAO,CACP,IAAA,CAAKH,qBAAI,CAAA,CACT,KAAA,CAAMC,cAAGD,qBAAA,CAAK,EAAA,EAAI,MAAM,CAAC,CAAA,CACzB,MAAM,CAAC,CAAA;AAEV,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,OAAO;AAAA,QACL,IAAI,SAAA,CAAU,EAAA;AAAA,QACd,OAAO,SAAA,CAAU,KAAA;AAAA,QACjB,UAAU,SAAA,CAAU,QAAA;AAAA,QACpB,MAAM,SAAA,CAAU;AAAA,OAClB;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,eAAe,KAAA,EAAyC;AAC5D,IAAA,IAAI;AACF,MAAA,MAAM,CAAC,SAAS,CAAA,GAAI,MAAM,KAAK,MAAA,CAAO,EAAA,CACnC,QAAO,CACP,IAAA,CAAKA,qBAAI,CAAA,CACT,KAAA,CAAMC,cAAGD,qBAAA,CAAK,KAAA,EAAO,KAAK,CAAC,CAAA,CAC3B,MAAM,CAAC,CAAA;AAEV,MAAA,IAAI,CAAC,SAAA,EAAW;AACd,QAAA,OAAO,IAAA;AAAA,MACT;AAEA,MAAA,OAAO;AAAA,QACL,IAAI,SAAA,CAAU,EAAA;AAAA,QACd,OAAO,SAAA,CAAU,KAAA;AAAA,QACjB,UAAU,SAAA,CAAU,QAAA;AAAA,QACpB,MAAM,SAAA,CAAU;AAAA,OAClB;AAAA,IACF,SAAS,KAAA,EAAO;AACd,MAAA,OAAO,IAAA;AAAA,IACT;AAAA,EACF;AACF","file":"chunk-6BL3AZGD.js","sourcesContent":["/**\n * Auth Services - Password Utilities\n * 密码哈希相关工具函数\n */\n\nimport bcrypt from 'bcryptjs';\n\n/**\n * 哈希密码\n */\nexport async function hashPassword(password: string, saltRounds: number = 12): Promise<string> {\n  return bcrypt.hash(password, saltRounds);\n}\n\n/**\n * 验证密码\n */\nexport async function verifyPassword(password: string, hashedPassword: string): Promise<boolean> {\n  return bcrypt.compare(password, hashedPassword);\n}\n\n","/**\n * Auth Services - Token Utilities\n * Token 相关工具函数\n */\n\nimport jwt from 'jsonwebtoken';\nimport type { UserRole } from '../schema/enums';\n\n/**\n * JWT Payload\n */\nexport interface JwtPayload {\n  userId: string;\n  email: string;\n  role: UserRole;\n  iat?: number;\n  exp?: number;\n}\n\n/**\n * 生成 JWT Token\n */\nexport function generateToken(\n  payload: Omit<JwtPayload, 'iat' | 'exp'>,\n  secret: string,\n  expiresIn: string | number = '7d'\n): string {\n  return jwt.sign(payload, secret, { expiresIn } as jwt.SignOptions);\n}\n\n/**\n * 验证 JWT Token\n */\nexport function verifyJwtToken(token: string, secret: string): JwtPayload {\n  return jwt.verify(token, secret) as JwtPayload;\n}\n\n/**\n * 从请求中获取 Token\n * 优先从 Cookie 读取（Web），兼容 Authorization Header（Mobile/API）\n */\nexport function getTokenFromRequest(request: Request): string | null {\n  // 🔐 优先从 httpOnly Cookie 读取（Web 管理后台，更安全）\n  const cookieHeader = request.headers.get('Cookie');\n  if (cookieHeader) {\n    // 匹配 auth_token\n    const match = cookieHeader.match(/auth_token=([^;]+)/);\n    if (match && match[1]) {\n      return match[1];\n    }\n  }\n\n  // 🔄 兼容从 Authorization Header 读取（移动端、小程序、API 调用）\n  const authHeader = request.headers.get('Authorization');\n  if (authHeader && authHeader.startsWith('Bearer ')) {\n    const token = authHeader.substring(7);\n    return token || null;\n  }\n\n  return null;\n}\n\n","/**\n * Auth Services - Drizzle Auth Service\n * 基于 Drizzle ORM 的认证服务\n */\n\nimport { eq, and, gt } from 'drizzle-orm';\nimport { randomBytes } from 'crypto';\nimport { user, session } from '../schema';\nimport { hashPassword, verifyPassword } from './password-utils';\nimport { generateToken, verifyJwtToken } from './token-utils';\nimport type {\n  AuthServiceConfig,\n  AuthResult,\n  VerifyResult,\n  UserInfo,\n  SessionInfo,\n} from './types';\nimport type { UserRole } from '../schema/enums';\n\n/**\n * Drizzle 认证服务类\n *\n * @example\n * ```typescript\n * import { DrizzleAuthService } from '@qhr123/sa2kit/auth/services';\n * import { db } from './db';\n *\n * const authService = new DrizzleAuthService({\n *   db,\n *   jwtSecret: process.env.JWT_SECRET!,\n *   jwtExpiresIn: '7d',\n * });\n *\n * // 用户注册\n * const result = await authService.signUp('user@example.com', 'password123', 'username');\n *\n * // 用户登录\n * const loginResult = await authService.signIn('user@example.com', 'password123');\n * ```\n */\nexport class DrizzleAuthService {\n  private config: Required<AuthServiceConfig>;\n\n  constructor(config: AuthServiceConfig) {\n    // 设置默认值\n    this.config = {\n      db: config.db,\n      jwtSecret: config.jwtSecret,\n      jwtExpiresIn: config.jwtExpiresIn || '7d',\n      saltRounds: config.saltRounds || 12,\n      checkSecretStrength: config.checkSecretStrength !== false,\n    };\n\n    // 验证配置\n    this.validateConfig();\n  }\n\n  /**\n   * 验证配置\n   */\n  private validateConfig(): void {\n    if (!this.config.jwtSecret) {\n      throw new Error(\n        'JWT_SECRET is required. Please provide jwtSecret in config. ' +\n          \"You can generate a secure secret with: node -e \\\"console.log(require('crypto').randomBytes(64).toString('hex'))\\\"\"\n      );\n    }\n\n    // 生产环境检查密钥强度\n    if (\n      this.config.checkSecretStrength &&\n      process.env.NODE_ENV === 'production' &&\n      this.config.jwtSecret.length < 32\n    ) {\n      throw new Error(\n        `JWT_SECRET is too short (${this.config.jwtSecret.length} chars, minimum 32 required in production)`\n      );\n    }\n  }\n\n  /**\n   * 用户注册\n   */\n  async signUp(\n    email: string,\n    password: string,\n    username?: string,\n    role: UserRole = 'USER'\n  ): Promise<AuthResult> {\n    try {\n      // 检查用户是否已存在\n      const existingUser = await this.config.db\n        .select()\n        .from(user)\n        .where(eq(user.email, email))\n        .limit(1);\n\n      if (existingUser.length > 0) {\n        throw new Error('用户已存在');\n      }\n\n      // 哈希密码\n      const hashedPassword = await hashPassword(password, this.config.saltRounds);\n\n      // 创建用户\n      const [newUser] = await this.config.db\n        .insert(user)\n        .values({\n          id: randomBytes(16).toString('hex'),\n          email,\n          password: hashedPassword,\n          username: username || email.split('@')[0],\n          role,\n          emailVerified: false,\n          createdAt: new Date().toISOString(),\n          updatedAt: new Date().toISOString(),\n        })\n        .returning();\n\n      // 生成 JWT token\n      const token = generateToken(\n        {\n          userId: newUser.id,\n          email: newUser.email,\n          role: newUser.role as UserRole,\n        },\n        this.config.jwtSecret,\n        this.config.jwtExpiresIn\n      );\n\n      // 创建会话\n      await this.createSession(newUser.id, token);\n\n      return {\n        user: {\n          id: newUser.id,\n          email: newUser.email,\n          username: newUser.username,\n          role: newUser.role as UserRole,\n        },\n        token,\n      };\n    } catch (error) {\n      throw error;\n    }\n  }\n\n  /**\n   * 用户登录\n   */\n  async signIn(email: string, password: string): Promise<AuthResult> {\n    try {\n      // 查找用户\n      const [foundUser] = await this.config.db\n        .select()\n        .from(user)\n        .where(eq(user.email, email))\n        .limit(1);\n\n      if (!foundUser) {\n        throw new Error('邮箱或密码错误');\n      }\n\n      // 验证密码\n      if (!foundUser.password) {\n        throw new Error('用户密码未设置');\n      }\n\n      const isPasswordValid = await verifyPassword(password, foundUser.password);\n      if (!isPasswordValid) {\n        throw new Error('邮箱或密码错误');\n      }\n\n      // 生成 JWT token\n      const token = generateToken(\n        {\n          userId: foundUser.id,\n          email: foundUser.email,\n          role: foundUser.role as UserRole,\n        },\n        this.config.jwtSecret,\n        this.config.jwtExpiresIn\n      );\n\n      // 创建会话\n      await this.createSession(foundUser.id, token);\n\n      return {\n        user: {\n          id: foundUser.id,\n          email: foundUser.email,\n          username: foundUser.username,\n          role: foundUser.role as UserRole,\n        },\n        token,\n      };\n    } catch (error) {\n      throw error;\n    }\n  }\n\n  /**\n   * 验证 Token\n   */\n  async verifyToken(token: string): Promise<VerifyResult> {\n    try {\n      // 验证 JWT\n      const decoded = verifyJwtToken(token, this.config.jwtSecret);\n\n      // 检查会话是否存在且未过期\n      const [foundSession] = await this.config.db\n        .select()\n        .from(session)\n        .where(\n          and(eq(session.token, token), gt(session.expiresAt, new Date().toISOString()))\n        )\n        .limit(1);\n\n      if (!foundSession) {\n        throw new Error('会话无效或已过期');\n      }\n\n      // 获取用户信息\n      const [foundUser] = await this.config.db\n        .select()\n        .from(user)\n        .where(eq(user.id, decoded.userId))\n        .limit(1);\n\n      if (!foundUser) {\n        throw new Error('用户不存在');\n      }\n\n      return {\n        user: {\n          id: foundUser.id,\n          email: foundUser.email,\n          username: foundUser.username,\n          role: foundUser.role as UserRole,\n        },\n        session: foundSession as SessionInfo,\n      };\n    } catch (error) {\n      throw error;\n    }\n  }\n\n  /**\n   * 创建会话\n   */\n  async createSession(\n    userId: string,\n    token: string,\n    ipAddress?: string,\n    userAgent?: string\n  ): Promise<void> {\n    const expiresAt = new Date();\n    expiresAt.setDate(expiresAt.getDate() + 7); // 7天后过期\n\n    await this.config.db.insert(session).values({\n      id: randomBytes(16).toString('hex'),\n      userId,\n      token,\n      expiresAt: expiresAt.toISOString(),\n      ipAddress,\n      userAgent,\n      createdAt: new Date().toISOString(),\n      updatedAt: new Date().toISOString(),\n    });\n  }\n\n  /**\n   * 删除会话（登出）\n   */\n  async signOut(token: string): Promise<{ success: boolean }> {\n    try {\n      await this.config.db.delete(session).where(eq(session.token, token));\n      return { success: true };\n    } catch (error) {\n      throw error;\n    }\n  }\n\n  /**\n   * 获取会话\n   */\n  async getSession(token: string): Promise<VerifyResult | null> {\n    try {\n      return await this.verifyToken(token);\n    } catch (error) {\n      return null;\n    }\n  }\n\n  /**\n   * 检查管理员权限\n   */\n  async requireAdmin(token: string): Promise<VerifyResult> {\n    const result = await this.verifyToken(token);\n    if (!['ADMIN', 'SUPER_ADMIN'].includes(result.user.role)) {\n      throw new Error('需要管理员权限');\n    }\n    return result;\n  }\n\n  /**\n   * 检查超级管理员权限\n   */\n  async requireSuperAdmin(token: string): Promise<VerifyResult> {\n    const result = await this.verifyToken(token);\n    if (result.user.role !== 'SUPER_ADMIN') {\n      throw new Error('需要超级管理员权限');\n    }\n    return result;\n  }\n\n  /**\n   * 通过用户 ID 获取用户信息\n   */\n  async getUserById(userId: string): Promise<UserInfo | null> {\n    try {\n      const [foundUser] = await this.config.db\n        .select()\n        .from(user)\n        .where(eq(user.id, userId))\n        .limit(1);\n\n      if (!foundUser) {\n        return null;\n      }\n\n      return {\n        id: foundUser.id,\n        email: foundUser.email,\n        username: foundUser.username,\n        role: foundUser.role as UserRole,\n      };\n    } catch (error) {\n      return null;\n    }\n  }\n\n  /**\n   * 通过邮箱获取用户信息\n   */\n  async getUserByEmail(email: string): Promise<UserInfo | null> {\n    try {\n      const [foundUser] = await this.config.db\n        .select()\n        .from(user)\n        .where(eq(user.email, email))\n        .limit(1);\n\n      if (!foundUser) {\n        return null;\n      }\n\n      return {\n        id: foundUser.id,\n        email: foundUser.email,\n        username: foundUser.username,\n        role: foundUser.role as UserRole,\n      };\n    } catch (error) {\n      return null;\n    }\n  }\n}\n\n"]}