- 移除 RegisterDataPermissionCallback 和 SkipDataPermission 机制 - 在 Auth 中间件预计算 SubordinateShopIDs 并注入 Context - 新增 ApplyShopFilter/ApplyEnterpriseFilter/ApplyOwnerShopFilter 等 Helper 函数 - 所有 Store 层查询方法显式调用数据权限过滤函数 - 权限检查函数 CanManageShop/CanManageEnterprise 改为从 Context 获取数据 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
97 lines
3.5 KiB
Go
package bootstrap
import (
"context"
"time"
"github.com/break/junhong_cmp_fiber/internal/middleware"
pkgauth "github.com/break/junhong_cmp_fiber/pkg/auth"
"github.com/break/junhong_cmp_fiber/pkg/config"
"github.com/break/junhong_cmp_fiber/pkg/constants"
"github.com/break/junhong_cmp_fiber/pkg/errors"
pkgmiddleware "github.com/break/junhong_cmp_fiber/pkg/middleware"
"github.com/gofiber/fiber/v2"
)
// initMiddlewares wires up every HTTP auth middleware from the global
// configuration, the shared dependencies (logger, Redis client) and the
// store set, and returns them bundled in a Middlewares value.
//
// Three middlewares are produced: a JWT-based one for personal customers,
// and two token-manager-based ones (admin back-office and H5) that share a
// single TokenManager and the same ShopStore.
func initMiddlewares(deps *Dependencies, stores *stores) *Middlewares {
	jwtCfg := config.Get().JWT

	var mw Middlewares

	// Personal-customer auth uses a JWT manager keyed by the configured secret.
	mw.PersonalAuth = middleware.NewPersonalAuthMiddleware(
		pkgauth.NewJWTManager(jwtCfg.SecretKey, jwtCfg.TokenDuration),
		deps.Logger,
	)

	// Admin and H5 auth share one Redis-backed token manager. The configured
	// TTLs are plain seconds, so they are scaled to time.Duration here.
	tokens := pkgauth.NewTokenManager(
		deps.Redis,
		time.Duration(jwtCfg.AccessTokenTTL)*time.Second,
		time.Duration(jwtCfg.RefreshTokenTTL)*time.Second,
	)

	// Both middlewares receive the ShopStore so the auth layer can derive
	// shop-scoped data for the authenticated user.
	mw.AdminAuth = createAdminAuthMiddleware(tokens, stores.Shop)
	mw.H5Auth = createH5AuthMiddleware(tokens, stores.Shop)

	return &mw
}
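// newTokenValidator builds the TokenValidator callback shared by the admin
// and H5 auth middlewares. It validates the access token through
// tokenManager and then applies isAllowed as a positive allow-list on the
// resulting user context: any user type the caller did not list is rejected
// with errors.CodeForbidden, so a newly introduced user type is denied
// everywhere until a middleware explicitly enables it.
//
// Every validation failure maps to the same CodeInvalidToken error, so the
// client cannot distinguish an expired token from a malformed one.
//
// The token lookup runs under context.Background() because the
// TokenValidator callback carries no request context. NOTE(review): if
// ValidateAccessToken can block on its backing store, a bounded context would
// be preferable — confirm against pkgmiddleware.AuthConfig.
func newTokenValidator(
	tokenManager *pkgauth.TokenManager,
	isAllowed func(info *pkgmiddleware.UserContextInfo) bool,
) func(token string) (*pkgmiddleware.UserContextInfo, error) {
	return func(token string) (*pkgmiddleware.UserContextInfo, error) {
		tokenInfo, err := tokenManager.ValidateAccessToken(context.Background(), token)
		if err != nil {
			return nil, errors.New(errors.CodeInvalidToken, "认证令牌无效或已过期")
		}

		info := &pkgmiddleware.UserContextInfo{
			UserID:       tokenInfo.UserID,
			UserType:     tokenInfo.UserType,
			ShopID:       tokenInfo.ShopID,
			EnterpriseID: tokenInfo.EnterpriseID,
		}
		if !isAllowed(info) {
			return nil, errors.New(errors.CodeForbidden, "权限不足")
		}
		return info, nil
	}
}

// isAdminUserType is the allow-list for the back-office API:
// SuperAdmin(1), Platform(2) and Agent(3) may proceed, everything else is denied.
func isAdminUserType(info *pkgmiddleware.UserContextInfo) bool {
	switch info.UserType {
	case constants.UserTypeSuperAdmin, constants.UserTypePlatform, constants.UserTypeAgent:
		return true
	default:
		return false
	}
}

// isH5UserType is the allow-list for the H5 API:
// Agent(3) and Enterprise(4) may proceed, everything else is denied.
func isH5UserType(info *pkgmiddleware.UserContextInfo) bool {
	switch info.UserType {
	case constants.UserTypeAgent, constants.UserTypeEnterprise:
		return true
	default:
		return false
	}
}

// createAdminAuthMiddleware returns the auth middleware for the back-office
// (/api/admin) routes. Only user types accepted by isAdminUserType pass; the
// login and refresh-token endpoints are skipped because they are reached
// before a valid access token exists. shopStore is handed to
// pkgmiddleware.Auth unchanged for any shop-scoped lookups it performs.
func createAdminAuthMiddleware(tokenManager *pkgauth.TokenManager, shopStore pkgmiddleware.AuthShopStoreInterface) fiber.Handler {
	return pkgmiddleware.Auth(pkgmiddleware.AuthConfig{
		TokenValidator: newTokenValidator(tokenManager, isAdminUserType),
		// NOTE(review): confirm whether pkgmiddleware.Auth matches SkipPaths
		// exactly or by prefix; a prefix match would also bypass auth for any
		// route nested under these paths.
		SkipPaths: []string{"/api/admin/login", "/api/admin/refresh-token"},
		ShopStore: shopStore,
	})
}

// createH5AuthMiddleware returns the auth middleware for the H5 (/api/h5)
// routes. Only user types accepted by isH5UserType pass; the login and
// refresh-token endpoints are skipped because they are reached before a
// valid access token exists. shopStore is handed to pkgmiddleware.Auth
// unchanged for any shop-scoped lookups it performs.
func createH5AuthMiddleware(tokenManager *pkgauth.TokenManager, shopStore pkgmiddleware.AuthShopStoreInterface) fiber.Handler {
	return pkgmiddleware.Auth(pkgmiddleware.AuthConfig{
		TokenValidator: newTokenValidator(tokenManager, isH5UserType),
		// NOTE(review): same SkipPaths matching caveat as the admin middleware.
		SkipPaths: []string{"/api/h5/login", "/api/h5/refresh-token"},
		ShopStore: shopStore,
	})
}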