200172f0af
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
- Gate 智能调度 module on BI-SCHEDULE-OPT role (or full-access roles) via shared canAccessScheduling helper, replacing hardcoded userId allowlist - Thread roles[] through JWT payload → middleware → frontend nav - Add router guard that 403s non-authorized users on /api/scheduling/* - Emit replace_qualified suggestion for every qualified vehicle so list count matches the 已完成考核目标 card; recalc qualifiedCount / hopelessCount post-permission-filter for card↔list consistency Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
97 lines
3.0 KiB
TypeScript
97 lines
3.0 KiB
TypeScript
import { Hono } from 'hono';
|
|
import jwt from 'jsonwebtoken';
|
|
import pool from '../db.js';
|
|
import type { AuthUser, JwtPayload, PermissionLevel } from './types.js';
|
|
import { FULL_ACCESS_ROLES, DEPT_ACCESS_ROLES } from './types.js';
|
|
|
|
const app = new Hono();
|
|
|
|
const EXTERNAL_API_BASE = process.env.EXTERNAL_API_BASE || 'https://beta.lnh2e.com';
|
|
const JWT_SECRET = process.env.JWT_SECRET || 'ln-bi-default-secret';
|
|
|
|
/** GET /api/auth/exchange?jumpToken=xxx — 一步完成:换取用户信息 + 签发 JWT */
|
|
app.get('/exchange', async (c) => {
|
|
const jumpToken = c.req.query('jumpToken');
|
|
if (!jumpToken) return c.json({ error: 'Missing jumpToken' }, 400);
|
|
|
|
try {
|
|
const res = await fetch(
|
|
`${EXTERNAL_API_BASE}/api/lingniu-manager-v1/v1/auth/issueTokenByJump?jumpToken=${encodeURIComponent(jumpToken)}`
|
|
);
|
|
const data = await res.json() as {
|
|
code: number;
|
|
data: {
|
|
userInfo: {
|
|
id: string;
|
|
userName: string;
|
|
loginName: string;
|
|
depCode: string;
|
|
orgId: string;
|
|
roles: { roleName: string; id: string }[];
|
|
};
|
|
token: string;
|
|
} | null;
|
|
message: string;
|
|
};
|
|
|
|
if (data.code !== 0 || !data.data?.userInfo) {
|
|
return c.json({ error: 'Token exchange failed', message: data.message }, 401);
|
|
}
|
|
|
|
const userInfo = data.data.userInfo;
|
|
const roleNames = userInfo.roles.map(r => r.roleName);
|
|
|
|
// 确定权限级别
|
|
let permissionLevel: PermissionLevel = 'personal';
|
|
if (roleNames.some(r => FULL_ACCESS_ROLES.includes(r))) {
|
|
permissionLevel = 'full';
|
|
} else if (roleNames.some(r => DEPT_ACCESS_ROLES.includes(r))) {
|
|
permissionLevel = 'department';
|
|
}
|
|
|
|
// 查询 depCode 对应的部门名称
|
|
let depName = '';
|
|
if (userInfo.depCode) {
|
|
const [rows] = await pool.execute(
|
|
'SELECT dep_name FROM tab_department WHERE dep_code = ? AND is_deleted = 0 LIMIT 1',
|
|
[userInfo.depCode]
|
|
) as [{ dep_name: string }[], unknown];
|
|
depName = rows[0]?.dep_name || '';
|
|
}
|
|
|
|
const payload: JwtPayload = {
|
|
userId: userInfo.id,
|
|
userName: userInfo.userName,
|
|
loginName: userInfo.loginName,
|
|
depCode: userInfo.depCode,
|
|
depName,
|
|
permissionLevel,
|
|
roles: roleNames,
|
|
};
|
|
|
|
const token = jwt.sign(payload, JWT_SECRET, { expiresIn: '8h' });
|
|
const authUser: AuthUser = { ...payload };
|
|
|
|
return c.json({ token, user: authUser });
|
|
} catch (e: unknown) {
|
|
console.error('auth exchange error:', e);
|
|
return c.json({ error: 'Authentication failed' }, 500);
|
|
}
|
|
});
|
|
|
|
/** GET /api/auth/me — 查看当前用户信息(调试用) */
|
|
app.get('/me', async (c) => {
|
|
const authHeader = c.req.header('Authorization');
|
|
if (!authHeader?.startsWith('Bearer ')) {
|
|
return c.json({ error: 'No token' }, 401);
|
|
}
|
|
try {
|
|
const payload = jwt.verify(authHeader.slice(7), JWT_SECRET) as JwtPayload;
|
|
return c.json(payload);
|
|
} catch {
|
|
return c.json({ error: 'Invalid token' }, 401);
|
|
}
|
|
});
|
|
|
|
export default app;
|