gaoxiaopei
/
assets-ai
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: SSO 集成 — 共享 JWT + LDAP 认证 + 跨站点用户管理 API 

- 新增 src/lib/jwt.ts:共享 JWT 签发/验证(与 OA 共用密钥)
- 新增 src/lib/ldap.ts:LDAP 认证与用户存在性检查
- 新增 src/app/api/internal/roles/route.ts:内部 API 供 OA 查询角色
- 重构 auth.ts:双路径认证(共享 JWT + 本地 JWT 回退)
- 重构 middleware.ts:SSO 优先 + 本地认证回退
- 更新 docker-compose.yml:挂载 docker.sock 用于运行时 LLDAP 密码获取
- 更新 next.config.ts:serverExternalPackages 添加 ldapts
- 更新 Dockerfile:生产依赖安装优化
This commit is contained in:
gitadmin 2026-05-14 16:37:49 +08:00
parent c6a92ed33a
commit 747fe293d5
27 changed files with 506 additions and 182 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
CHANGELOG.md
View File

@ -1,5 +1,35 @@
# 变更日志
## 2026-05-14
- [修复] `next.config.ts` 添加 `ldapts``serverExternalPackages`(预防性修复),确保 Next.js standalone 构建包含 LLDAP 客户端模块,避免 SSO 自动创建用户失败issue-ai 已实际触发,参见 issue-ai CHANGELOG
- [调整] 全局证书切换Cloudflare Origin CA → Let's Encrypt`/etc/letsencrypt/live/www.tlyq.ai/`),覆盖全部 7 个子域名nginx 8 个站点配置同步更新
## 2026-05-12
- [部署] 云端 JWT 密钥统一为 oa-shared-jwt-secret-tlyq-2026三站点密钥一致
- [部署] docker-compose 移除 AUTHELIA_URL添加 LDAP/COOKIE/INTERNAL_API_KEY 环境变量
- [部署] LLDAP admin 密码更新为 3Vm!Y!@RCiPs
- [部署] nginx 移除 auth_request恢复纯反向代理改为运行时 DNS 解析
- [新增] `src/lib/db-schema.ts`users 表新增 last_login_at / last_active_at 列
- [新增] `src/lib/auth.ts`getSession() 更新 last_active_at
- [新增] `src/app/api/auth/login/route.ts`:登录时更新 last_login_at 和 last_active_at
## 2026-05-11
- [新增] `src/lib/ldap.ts``ldapUserExists()` 函数,检查 LLDAP 中用户是否存在admin bind 搜索,不可达时容错放行)
- [新增] `src/lib/jwt.ts`:共享 JWT 签发/验证(`tlyq_session` cookieHS256与 OA/issue 共用密钥)
- [调整] `src/lib/auth.ts``getSession()` 优先 `tlyq_session`,加入 LLDAP 存在性检查,用户被删除后自动清除 cookie 踢出
- [调整] `src/app/api/auth/login/route.ts`LDAP 优先认证 + 本地密码缓存回退 + localadmin 应急用户直连
- [调整] `src/app/api/auth/logout/route.ts`:同时清除 `session_assets``tlyq_session`
- [调整] `src/app/api/auth/me/route.ts`:移除 SSO header 路径,改用 `getSession()` 统一获取
- [调整] `src/middleware.ts`:优先 `tlyq_session` → 回退 `session_assets`,移除 SSO 代理路径,放行 `/api/internal/`
- [调整] `src/app/(app)/layout.tsx`:移除 SSO header 路径,统一从 `session` cookie 读取用户
- [新增] `src/app/api/internal/roles/route.ts`:内部 API返回站点可用角色列表INTERNAL_API_KEY 鉴权)
- [新增] `src/app/api/users/[id]/route.ts`admin/localadmin 用户禁止删除和修改角色
- [调整] `src/app/(app)/settings/users/page.tsx`admin/localadmin 用户隐藏删除按钮,编辑时角色字段显示为只读
- [新增] `src/lib/db-schema.ts`:预置 localadmin 应急用户admin 角色,纯本地 BCrypt 认证)
## 2026-05-07
- [新增] 导出功能区分"导出选中"和"导出全部"两种模式,有选中时工具栏显示两个按钮独立操作

16
CLAUDE.md
View File

@ -86,11 +86,16 @@ npm run import # 导入设备数据
### 认证
登录逻辑v2.1LDAP 优先 + 本地密码缓存回退 + localadmin 应急用户。
登录成功签发两个 cookie`session_assets`(本地 JWT24h+ `tlyq_session`(共享 JWT7 天domain=.tlyq.ai
中间件优先检查 `tlyq_session`,回退 `session_assets`。`getSession()` 每次验证时检查 LLDAP 用户是否存在(已删除则清除 cookie 踢出)。
| 方法 | 路径 | 说明 |
|------|------|------|
| POST | `/api/auth/login` | 登录username + password → JWT cookie24h 有效) |
| POST | `/api/auth/logout` | 登出 |
| POST | `/api/auth/login` | 登录(LDAP 优先 + 本地回退 |
| POST | `/api/auth/logout` | 登出(清除两个 cookie |
| GET | `/api/auth/me` | 当前用户信息 |
| GET | `/api/internal/roles` | 内部 API返回角色列表x-internal-key 鉴权) |
### 资产
@ -129,7 +134,8 @@ npm run import # 导入设备数据
## 认证机制
- **Web UI**`middleware.ts` 检查 cookie 中的 JWT tokenpayload 含 `{ userId, username, role, iat, exp }`
- **Web UIv2.1**`middleware.ts` 优先检查 `tlyq_session`(共享 JWTOA 统一签发)→ 回退 `session_assets`(本地 JWT。`getSession()` 每次请求时检查 LLDAP 用户是否存在,已删除则清除 cookie 踢出
- **localadmin**:纯本地 BCrypt 认证,不依赖 LLDAP用于 LLDAP 故障时应急登录DB 预置admin 角色)
- **API Key**`Bearer ak_<32位十六进制>`,存储时 SHA-256 hash验证时更新 `last_used_at`,权限由创建时指定的 `permissions` 数组控制
---
@ -218,7 +224,9 @@ NEXT_PUBLIC_ISSUE_URL=https://issue.tlyq.ai/tickets
- **新增 API**:在 `src/app/api/` 下创建路由 → 顶部调用 `initDatabase()``getCurrentUser()` 验证
- **新增页面**:在 `src/app/(app)/` 下创建 → 布局由 `(app)/layout.tsx` 提供
- **日期处理**:禁止使用 `Date.toISOString()` 格式化本地日期。`toISOString()` 返回 UTC 时间在中国时区UTC+8`new Date('2026-04-01T00:00:00').toISOString()` 会返回 `"2026-03-31T16:00:00.000Z"`,日期偏移一天。应使用本地时间方法拼接:`${d.getFullYear()}-${String(d.getMonth()+1).padStart(2,'0')}-${String(d.getDate()).padStart(2,'0')}`
- **日期处理(时区规范)**:整个系统统一使用 UTC+8北京时间。两处必须遵守
1. **JavaScript/TypeScript**:禁止使用 `Date.toISOString()` 格式化本地日期。`toISOString()` 返回 UTC 时间在中国时区UTC+8`new Date('2026-04-01T00:00:00').toISOString()` 会返回 `"2026-03-31T16:00:00.000Z"`,日期偏移一天。应使用本地时间方法拼接:`${d.getFullYear()}-${String(d.getMonth()+1).padStart(2,'0')}-${String(d.getDate()).padStart(2,'0')}`
2. **SQLite**:所有 `datetime('now')` 必须写成 `datetime('now', '+8 hours')`,包括 CREATE TABLE 的 DEFAULT 值、UPDATE/SET 语句、以及查询条件中的时间比较。禁止使用不含时区偏移的 `datetime('now')`
---

10
Dockerfile
View File

@ -8,13 +8,15 @@ RUN --mount=type=cache,target=/root/.npm,id=assets-npm \
COPY . .
RUN npm run build
# runner 阶段:与 builder 保持一致Alpine + musl确保 better-sqlite3 等原生模块兼容
FROM node:20-alpine AS runner
RUN apk add --no-cache python3 make g++
# runner 阶段:使用 Debianglibc与 txjp 宿主机平台一致,避免原生模块 musl/glibc 不兼容
FROM node:20-slim AS runner
WORKDIR /app
COPY --from=builder /app/package.json /app/package-lock.json ./
RUN npm install --omit=dev
COPY --from=builder /app/.next/standalone ./
RUN npm install --omit=dev && \
npm rebuild better-sqlite3 && \
rm -rf node_modules/@img/sharp-linuxmusl-x64 node_modules/@img/sharp-libvips-linuxmusl-x64 \
node_modules/@next/swc-linux-x64-musl
COPY --from=builder /app/.next/static ./.next/static
COPY --from=builder /app/public ./public
RUN mkdir -p /app/data /app/uploads

9
docker-compose.yml
View File

@ -9,12 +9,19 @@ services:
- assets-uploads:/app/uploads
# .next 目录从主机挂载,主机上 npm run build 后直接生效
- ./.next:/app/.next
# 运行时从 LLDAP 容器动态读取 admin 密码
- /var/run/docker.sock:/var/run/docker.sock
environment:
- DATABASE_PATH=/app/data/assets.db
- JWT_SECRET=${ASSETS_JWT_SECRET:-change-me-in-production}
- JWT_SECRET=oa-shared-jwt-secret-tlyq-2026
- ADMIN_PASSWORD=${ADMIN_PASSWORD:-admin123}
- NODE_ENV=production
- COOKIE_DOMAIN=.tlyq.ai
- TZ=Asia/Shanghai
- AUTHELIA_URL=${AUTHELIA_URL:-https://sso.tlyq.ai}
- LDAP_URL=ldap://lldap:3890
- LDAP_BASE_DN=dc=tlyq,dc=ai
- LDAP_ADMIN_DN=uid=admin,ou=people,dc=tlyq,dc=ai
# issue-ai API 地址(容器内使用 issue-ai 服务名)
- ISSUE_API_URL=http://issue-ai:3000/api
# issue-ai API Key用于服务间认证

4
next.config.ts
View File

@ -4,6 +4,8 @@ const nextConfig: NextConfig = {
images: { unoptimized: true },
eslint: { ignoreDuringBuilds: true },
typescript: { ignoreBuildErrors: true },
serverExternalPackages: ['better-sqlite3'],
// better-sqlite3: 原生模块,必须 external
// ldapts: SSO 自动创建用户依赖 LLDAP 验证,缺少则新用户无法免登录进入系统
serverExternalPackages: ['better-sqlite3', 'ldapts'],
}
export default nextConfig

19
package-lock.json generated
View File

@ -11,6 +11,7 @@
"bcryptjs": "^2.4.3",
"better-sqlite3": "^11.7.0",
"cookie": "^1.0.2",
"ldapts": "^8.1.7",
"lucide-react": "^1.8.0",
"next": "^15.1.0",
"react": "^19.0.0",
@ -2861,6 +2862,18 @@
"json-buffer": "3.0.1"
}
},
"node_modules/ldapts": {
"version": "8.1.7",
"resolved": "https://registry.npmjs.org/ldapts/-/ldapts-8.1.7.tgz",
"integrity": "sha512-TJl6T92eIwMf/OJ0hDfKVa6ISwzo+lqCWCI5Mf//ARlKa3LKQZaSrme/H2rCRBhW0DZCQlrsV+fgoW5YHRNLUw==",
"license": "MIT",
"dependencies": {
"strict-event-emitter-types": "2.0.0"
},
"engines": {
"node": ">=20"
}
},
"node_modules/levn": {
"version": "0.4.1",
"resolved": "https://registry.npmjs.org/levn/-/levn-0.4.1.tgz",
@ -3840,6 +3853,12 @@
"node": ">=0.8"
}
},
"node_modules/strict-event-emitter-types": {
"version": "2.0.0",
"resolved": "https://registry.npmjs.org/strict-event-emitter-types/-/strict-event-emitter-types-2.0.0.tgz",
"integrity": "sha512-Nk/brWYpD85WlOgzw5h173aci0Teyv8YdIAEtV+N88nDB0dLlazZyJMIsN6eo1/AR61l+p6CJTG1JIyFaoNEEA==",
"license": "ISC"
},
"node_modules/string_decoder": {
"version": "1.3.0",
"resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz",

1
package.json
View File

@ -14,6 +14,7 @@
"bcryptjs": "^2.4.3",
"better-sqlite3": "^11.7.0",
"cookie": "^1.0.2",
"ldapts": "^8.1.7",
"lucide-react": "^1.8.0",
"next": "^15.1.0",
"react": "^19.0.0",

0
public/.gitkeep Normal file
View File

10
src/app/(app)/assets/page.tsx
View File

@ -379,13 +379,17 @@ export default function AssetsPage() {
</p>
</div>
<div className="flex items-center gap-2">
{selectedIds.size > 0 && (
{selectedIds.size > 0 && permissions.includes('assets:update') && (
<Link href={`/assets/batch-edit?ids=${[...selectedIds].join(',')}`}>
<Button variant="secondary" size="sm"> {selectedIds.size} </Button>
</Link>
)}
<Link href="/assets/import"><Button variant="secondary" size="sm"><Upload size={14} /></Button></Link>
<Link href="/assets/template"><Button variant="secondary" size="sm"><Download size={14} /></Button></Link>
{permissions.includes('assets:import') && (
<Link href="/assets/import"><Button variant="secondary" size="sm"><Upload size={14} /></Button></Link>
)}
{permissions.includes('assets:import') && (
<a href="/api/assets/template" download><Button variant="secondary" size="sm"><Download size={14} /></Button></a>
)}
{canExportSelected && selectedIds.size > 0 && (
<Button variant="secondary" size="sm" onClick={() => { setExportMode('selected'); setExportModalOpen(true) }}><Download size={14} />({selectedIds.size})</Button>
)}

46
src/app/(app)/layout.tsx
View File

@ -1,45 +1,27 @@
export const dynamic = 'force-dynamic'
import { cookies, headers } from 'next/headers'
import { cookies } from 'next/headers'
import { redirect } from 'next/navigation'
import db from '@/lib/db'
import { verifyJwt } from '@/lib/auth'
import AppShell from '@/components/layout/AppShell'
export default async function AppLayout({ children }: { children: React.ReactNode }) {
const cookieStore = await cookies()
const headersList = await headers()
const originalPath = headersList.get('x-original-pathname') || ''
const loginUrl = '/login' + (originalPath ? `?redirect=${encodeURIComponent(originalPath)}` : '')
// 路径 1SSO来自 nginx auth_request 代理认证)
let ssoUsername = ''
const ssoSession = cookieStore.get('session')?.value
if (ssoSession) {
try { ssoUsername = JSON.parse(ssoSession).username || '' } catch { }
// 从 middleware 设置的 session cookie 获取用户名
const sessionCookie = cookieStore.get('session')?.value
let username = ''
if (sessionCookie) {
try { username = JSON.parse(sessionCookie).username || '' } catch { }
}
if (!ssoUsername) ssoUsername = headersList.get('x-remote-user') || ''
if (!username) redirect('/login')
if (ssoUsername) {
db.prepare(
"INSERT OR IGNORE INTO users (username, password_hash, display_name, role, is_active) VALUES (?, '__SSO__', ?, 'viewer', 1)"
).run(ssoUsername, ssoUsername)
const user = db.prepare(
'SELECT id, username, display_name, role FROM users WHERE username = ? AND is_active = 1'
).get(ssoUsername) as { id: number; username: string; display_name: string; role: string } | undefined
if (user) {
return <AppShell user={{ display_name: user.display_name, role: user.role }}>{children}</AppShell>
}
}
// 路径 2JWT cookie本地开发 / @fallback 紧急绕过)
const token = cookieStore.get('session_assets')?.value
if (!token) redirect(loginUrl)
const payload = verifyJwt(token)
if (!payload) redirect(loginUrl)
// 从数据库获取用户完整信息
const user = db.prepare(
'SELECT display_name, role FROM users WHERE id = ? AND is_active = 1'
).get(payload.userId) as { display_name: string; role: string } | undefined
if (!user) redirect(loginUrl)
return <AppShell user={user}>{children}</AppShell>
'SELECT id, username, display_name, role FROM users WHERE username = ? AND is_active = 1'
).get(username) as { id: number; username: string; display_name: string; role: string } | undefined
if (!user) redirect('/login')
return <AppShell user={{ display_name: user.display_name, role: user.role }}>{children}</AppShell>
}

23
src/app/(app)/settings/users/page.tsx
View File

@ -10,7 +10,8 @@ import { Plus, Edit, Trash2 } from 'lucide-react'
interface UserItem {
id: number; username: string; display_name: string; email: string | null;
role: string; is_active: number; created_at: string
role: string; is_active: number; created_at: string; last_login_at: string | null;
is_online: number;
}
export default function UsersPage() {
@ -90,11 +91,20 @@ export default function UsersPage() {
return <Badge color={r.role === 'admin' ? 'blue' : r.role === 'editor' ? 'green' : 'gray'}>{option?.label || r.role}</Badge>
} },
{ key: 'is_active', title: '状态', render: (r) => <Badge color={r.is_active ? 'green' : 'red'}>{r.is_active ? '启用' : '禁用'}</Badge> },
{ key: 'is_online', title: '在线', render: (r) => (
<span className="inline-flex items-center gap-1.5">
<span className={`inline-block w-2 h-2 rounded-full ${r.is_online ? 'bg-green-500' : 'bg-gray-300 dark:bg-gray-600'}`} />
<span className="text-xs text-slate-500">{r.is_online ? '在线' : '离线'}</span>
</span>
)},
{ key: 'last_login_at', title: '最后登录', render: (r) => r.last_login_at ? <span className="text-xs text-slate-500">{r.last_login_at}</span> : <span className="text-xs text-slate-400"></span> },
{ key: 'created_at', title: '创建时间' },
{ key: 'actions', title: '操作', render: (r) => (
<div className="flex items-center gap-1">
<button onClick={() => openEdit(r)} className="p-1.5 rounded-lg text-slate-500 hover:text-blue-500 hover:bg-slate-100 dark:hover:bg-slate-800 transition-colors"><Edit size={16} /></button>
<button onClick={() => setDeleteTarget(r)} className="p-1.5 rounded-lg text-slate-500 hover:text-red-500 hover:bg-slate-100 dark:hover:bg-slate-800 transition-colors"><Trash2 size={16} /></button>
{r.username !== 'admin' && r.username !== 'localadmin' && (
<button onClick={() => setDeleteTarget(r)} className="p-1.5 rounded-lg text-slate-500 hover:text-red-500 hover:bg-slate-100 dark:hover:bg-slate-800 transition-colors"><Trash2 size={16} /></button>
)}
</div>
)},
]
@ -120,7 +130,14 @@ export default function UsersPage() {
<Input label="显示名称" value={form.display_name} onChange={e => setForm(p => ({ ...p, display_name: e.target.value }))} />
<Input label="邮箱" type="email" value={form.email} onChange={e => setForm(p => ({ ...p, email: e.target.value }))} />
<Input label={editing ? '新密码(留空不修改)' : '密码'} type="password" value={form.password} onChange={e => setForm(p => ({ ...p, password: e.target.value }))} />
<Select label="角色" value={form.role} onChange={e => setForm(p => ({ ...p, role: e.target.value }))} options={roleOptions} />
{editing && (editing.username === 'admin' || editing.username === 'localadmin') ? (
<div>
<label className="block text-sm font-medium text-slate-700 dark:text-slate-300 mb-1"></label>
<p className="text-sm text-slate-500 dark:text-slate-400 py-2">{editing.role === 'admin' ? '管理员' : '管理员(系统保留)'}</p>
</div>
) : (
<Select label="角色" value={form.role} onChange={e => setForm(p => ({ ...p, role: e.target.value }))} options={roleOptions} />
)}
</div>
</Modal>

4
src/app/api/assets/[id]/route.ts
View File

@ -25,7 +25,7 @@ export async function GET(request: Request, { params }: { params: Promise<{ id:
export async function PUT(request: Request, { params }: { params: Promise<{ id: string }> }) {
const session = await getSession()
if (!session) return NextResponse.json({ error: '未授权' }, { status: 401 })
if (!checkPermission(session.role, 'assets:write')) {
if (!checkPermission(session.role, 'assets:update')) {
return NextResponse.json({ error: '权限不足' }, { status: 403 })
}
@ -70,7 +70,7 @@ export async function PUT(request: Request, { params }: { params: Promise<{ id:
return NextResponse.json({ error: '没有要更新的字段' }, { status: 400 })
}
updates.push("updated_at = datetime('now')")
updates.push("updated_at = datetime('now', '+8 hours')")
values.push(id)
db.prepare(`UPDATE assets SET ${updates.join(', ')} WHERE id = ?`).run(...values)

4
src/app/api/assets/batch/route.ts
View File

@ -14,7 +14,7 @@ const UPDATABLE_FIELDS = [
export async function POST(request: Request) {
const session = await getSession()
if (!session) return NextResponse.json({ error: '未授权' }, { status: 401 })
if (!checkPermission(session.role, 'assets:write')) {
if (!checkPermission(session.role, 'assets:update')) {
return NextResponse.json({ error: '权限不足' }, { status: 403 })
}
@ -41,7 +41,7 @@ export async function POST(request: Request) {
return NextResponse.json({ error: '没有可更新的有效字段' }, { status: 400 })
}
updates.push("updated_at = datetime('now')")
updates.push("updated_at = datetime('now', '+8 hours')")
const placeholders = ids.map(() => '?').join(', ')
const stmt = db.prepare(`UPDATE assets SET ${updates.join(', ')} WHERE id IN (${placeholders})`)

4
src/app/api/assets/import/route.ts
View File

@ -10,7 +10,7 @@ import { parseImportBuffer } from '@/lib/excel'
export async function POST(request: Request) {
const session = await getSession()
if (!session) return NextResponse.json({ error: '未授权' }, { status: 401 })
if (!checkPermission(session.role, 'assets:write')) {
if (!checkPermission(session.role, 'assets:import')) {
return NextResponse.json({ error: '权限不足' }, { status: 403 })
}
@ -65,7 +65,7 @@ export async function POST(request: Request) {
}
}
if (updates.length > 0) {
updates.push("updated_at = datetime('now')")
updates.push("updated_at = datetime('now', '+8 hours')")
values.push(existing.id)
db.prepare(`UPDATE assets SET ${updates.join(', ')} WHERE id = ?`).run(...values)
updated++

2
src/app/api/assets/route.ts
View File

@ -128,7 +128,7 @@ export async function GET(request: Request) {
export async function POST(request: Request) {
const session = await getSession()
if (!session) return NextResponse.json({ error: '未授权' }, { status: 401 })
if (!checkPermission(session.role, 'assets:write')) {
if (!checkPermission(session.role, 'assets:create')) {
return NextResponse.json({ error: '权限不足' }, { status: 403 })
}

10
src/app/api/assets/template/route.ts
View File

@ -1,14 +1,14 @@
import { NextResponse } from 'next/server'
import { cookies } from 'next/headers'
import { getSession } from '@/lib/auth'
import { checkPermission } from '@/lib/permissions'
import { generateTemplateBuffer } from '@/lib/excel'
export async function GET() {
const cookieStore = await cookies()
const token = cookieStore.get('session_assets')?.value
if (!token) return NextResponse.json({ error: '未授权' }, { status: 401 })
const payload = await getSession()
if (!payload) return NextResponse.json({ error: '会话已过期' }, { status: 401 })
if (!payload) return NextResponse.json({ error: '未授权' }, { status: 401 })
if (!checkPermission(payload.role, 'assets:import')) {
return NextResponse.json({ error: '权限不足' }, { status: 403 })
}
const buffer = generateTemplateBuffer()
return new NextResponse(buffer, {

93
src/app/api/auth/login/route.ts
View File

@ -1,18 +1,97 @@
import { NextResponse } from 'next/server'
import { cookies } from 'next/headers'
import db from '@/lib/db'
import { verifyPassword, signJwt } from '@/lib/auth'
import { verifyPassword, signJwt, hashPassword } from '@/lib/auth'
import { signSharedJwt, sharedCookieConfig } from '@/lib/jwt'
import { ldapAuth } from '@/lib/ldap'
import type { User } from '@/types'
export async function POST(request: Request) {
try {
const { username, password } = await request.json()
if (!username || !password) return NextResponse.json({ error: '请输入用户名和密码' }, { status: 400 })
const user = db.prepare('SELECT * FROM users WHERE username = ? AND is_active = 1').get(username) as User | undefined
if (!user || !verifyPassword(password, user.password_hash)) return NextResponse.json({ error: '用户名或密码错误' }, { status: 401 })
const token = signJwt({ userId: user.id, username: user.username, role: user.role })
let userId: number
let role: string
let displayName: string
// 1. localadmin纯本地 BCrypt不依赖 LLDAP
if (username === 'localadmin') {
const localUser = db.prepare(
'SELECT * FROM users WHERE username = ? AND is_active = 1'
).get(username) as User | undefined
if (!localUser || !verifyPassword(password, localUser.password_hash)) {
return NextResponse.json({ error: '用户名或密码错误' }, { status: 401 })
}
userId = localUser.id
role = localUser.role
displayName = localUser.display_name || username
} else {
// 2. 其他用户LLDAP 优先
const ldapResult = await ldapAuth(username, password)
if (ldapResult.success) {
// LDAP 认证成功 → 更新本地密码缓存 + 自动创建用户
displayName = ldapResult.displayName || username
const pwHash = hashPassword(password)
const existing = db.prepare(
'SELECT id, role FROM users WHERE username = ? AND is_active = 1'
).get(username) as { id: number; role: string } | undefined
if (existing) {
db.prepare('UPDATE users SET password_hash = ?, display_name = ? WHERE id = ?')
.run(pwHash, displayName, existing.id)
userId = existing.id
role = existing.role
} else {
db.prepare(
"INSERT INTO users (username, password_hash, display_name, role, is_active, created_at, updated_at) VALUES (?, ?, ?, 'viewer', 1, datetime('now', '+8 hours'), datetime('now', '+8 hours'))"
).run(username, pwHash, displayName)
const created = db.prepare(
'SELECT id, role FROM users WHERE username = ?'
).get(username) as { id: number; role: string } | undefined
if (!created) return NextResponse.json({ error: '用户创建失败' }, { status: 500 })
userId = created.id
role = created.role
}
} else if (ldapResult.unreachable) {
// LLDAP 不可达 → 回退本地密码缓存
const localUser = db.prepare(
'SELECT * FROM users WHERE username = ? AND is_active = 1'
).get(username) as User | undefined
if (!localUser || !verifyPassword(password, localUser.password_hash)) {
return NextResponse.json({ error: '认证服务不可用,且本地密码不匹配' }, { status: 401 })
}
userId = localUser.id
role = localUser.role
displayName = localUser.display_name || username
} else {
return NextResponse.json({ error: '用户名或密码错误' }, { status: 401 })
}
}
// 3. 更新最后登录时间和活跃时间
db.prepare("UPDATE users SET last_login_at = datetime('now', '+8 hours'), last_active_at = datetime('now', '+8 hours') WHERE id = ?").run(userId)
// 4. 签发两个 cookie
const localToken = signJwt({ userId, username, role })
const sharedToken = signSharedJwt({ username, displayName })
const sharedCfg = sharedCookieConfig()
const cookieStore = await cookies()
cookieStore.set('session_assets', token, { httpOnly: true, secure: process.env.NODE_ENV === 'production', sameSite: 'lax', maxAge: 86400, path: '/' })
return NextResponse.json({ user: { id: user.id, username: user.username, display_name: user.display_name, role: user.role } })
} catch { return NextResponse.json({ error: '登录失败' }, { status: 500 }) }
cookieStore.set('session_assets', localToken, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
maxAge: 86400,
path: '/',
})
cookieStore.set(sharedCfg.name, sharedToken, sharedCfg)
return NextResponse.json({
user: { id: userId, username, display_name: displayName, role },
})
} catch {
return NextResponse.json({ error: '登录失败' }, { status: 500 })
}
}

4
src/app/api/auth/logout/route.ts
View File

@ -4,9 +4,7 @@ import { cookies } from 'next/headers'
export async function POST() {
const cookieStore = await cookies()
cookieStore.set('session_assets', '', { maxAge: 0, path: '/' })
cookieStore.set('session', '', { maxAge: 0, path: '/' })
// 清除 Authelia SSO cookiedomain 匹配才会生效)
cookieStore.set('authelia_session', '', { maxAge: 0, path: '/', domain: '127.0.0.1' })
cookieStore.set('tlyq_session', '', { maxAge: 0, path: '/' })
return NextResponse.json({ success: true })
}

46
src/app/api/auth/me/route.ts
View File

@ -1,56 +1,22 @@
import { NextResponse } from 'next/server'
import { cookies, headers } from 'next/headers'
import db from '@/lib/db'
import { getSession, verifyJwt, signJwt } from '@/lib/auth'
import { getSession } from '@/lib/auth'
export async function GET() {
try {
const cookieStore = await cookies()
const session = await getSession()
if (!session) return NextResponse.json({ error: '未授权' }, { status: 401 })
// 路径 1SSO来自 nginx auth_request 代理)
// 优先读 cookie若没有则直接读 header首次请求时 cookie 可能尚未写入)
let ssoUsername = ''
try {
const ssoSession = cookieStore.get('session')?.value
if (ssoSession) ssoUsername = JSON.parse(ssoSession).username || ''
} catch { }
if (!ssoUsername) {
const headersList = await headers()
ssoUsername = headersList.get('x-remote-user') || ''
}
if (ssoUsername) {
db.prepare(
"INSERT OR IGNORE INTO users (username, password_hash, display_name, role, is_active) VALUES (?, '__SSO__', ?, ?, 1)"
).run(ssoUsername, ssoUsername, 'viewer')
const user = db.prepare(
'SELECT id, username, display_name, email, role FROM users WHERE username = ? AND is_active = 1'
).get(ssoUsername) as Record<string, unknown> | undefined
if (user) {
const roleRow = db.prepare(
'SELECT permissions FROM roles WHERE name = ?'
).get(user.role) as { permissions: string } | undefined
const permissions: string[] = roleRow ? JSON.parse(roleRow.permissions) : []
const jwt = signJwt({ userId: user.id as number, username: user.username as string, role: user.role as string })
const response = NextResponse.json({ user: { ...user, permissions } })
response.cookies.set('session_assets', jwt, { httpOnly: true, sameSite: 'lax', path: '/', maxAge: 86400 })
return response
}
}
// 路径 2JWT cookie本地开发 / @fallback 紧急绕过)
const token = cookieStore.get('session_assets')?.value
if (!token) return NextResponse.json({ error: '未授权' }, { status: 401 })
const payload = verifyJwt(token)
if (!payload) return NextResponse.json({ error: '会话已过期' }, { status: 401 })
const user = db.prepare(
'SELECT id, username, display_name, email, role FROM users WHERE id = ? AND is_active = 1'
).get(payload.userId) as Record<string, unknown> | undefined
).get(session.userId) as Record<string, unknown> | undefined
if (!user) return NextResponse.json({ error: '用户不存在' }, { status: 401 })
const roleRow = db.prepare(
'SELECT permissions FROM roles WHERE name = ?'
).get(user.role) as { permissions: string } | undefined
const permissions: string[] = roleRow ? JSON.parse(roleRow.permissions) : []
return NextResponse.json({ user: { ...user, permissions } })
} catch {
return NextResponse.json({ error: '获取用户信息失败' }, { status: 500 })

12
src/app/api/internal/roles/route.ts Normal file
View File

@ -0,0 +1,12 @@
import { NextResponse } from 'next/server'
import db from '@/lib/db'
const INTERNAL_KEY = process.env.INTERNAL_API_KEY || 'oa-internal-key-tlyq-2026'
export async function GET(request: Request) {
const key = request.headers.get('x-internal-key')
if (key !== INTERNAL_KEY) return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
const roles = db.prepare('SELECT name, display_name FROM roles ORDER BY name').all() as { name: string; display_name: string }[]
return NextResponse.json({ roles })
}

15
src/app/api/users/[id]/route.ts
View File

@ -13,11 +13,17 @@ export async function PUT(request: Request, { params }: { params: Promise<{ id:
}
const { id } = await params
const existing = db.prepare('SELECT id FROM users WHERE id = ?').get(id)
const existing = db.prepare('SELECT id, username FROM users WHERE id = ?').get(id) as { id: number; username: string } | undefined
if (!existing) return NextResponse.json({ error: '用户不存在' }, { status: 404 })
try {
const body = await request.json()
// 禁止修改系统保留用户的角色
if (body.role && (existing.username === 'admin' || existing.username === 'localadmin')) {
return NextResponse.json({ error: '不能修改系统保留用户的角色' }, { status: 400 })
}
const updates: string[] = []
const values: unknown[] = []
@ -31,7 +37,7 @@ export async function PUT(request: Request, { params }: { params: Promise<{ id:
return NextResponse.json({ error: '没有要更新的字段' }, { status: 400 })
}
updates.push("updated_at = datetime('now')")
updates.push("updated_at = datetime('now', '+8 hours')")
values.push(id)
db.prepare(`UPDATE users SET ${updates.join(', ')} WHERE id = ?`).run(...values)
@ -55,8 +61,11 @@ export async function DELETE(_request: Request, { params }: { params: Promise<{
return NextResponse.json({ error: '不能删除当前登录用户' }, { status: 400 })
}
const existing = db.prepare('SELECT id FROM users WHERE id = ?').get(id)
const existing = db.prepare('SELECT id, username FROM users WHERE id = ?').get(id) as { id: number; username: string } | undefined
if (!existing) return NextResponse.json({ error: '用户不存在' }, { status: 404 })
if (existing.username === 'admin' || existing.username === 'localadmin') {
return NextResponse.json({ error: '不能删除系统保留用户' }, { status: 400 })
}
db.prepare('DELETE FROM users WHERE id = ?').run(id)
return NextResponse.json({ success: true })

7
src/app/api/users/route.ts
View File

@ -12,7 +12,10 @@ export async function GET() {
return NextResponse.json({ error: '权限不足' }, { status: 403 })
}
const users = db.prepare('SELECT id, username, display_name, email, role, is_active, created_at, updated_at FROM users ORDER BY id').all()
const users = db.prepare(`SELECT id, username, display_name, email, role, is_active, created_at, updated_at,
last_login_at,
CASE WHEN last_active_at IS NOT NULL AND datetime(last_active_at, '+5 minutes') > datetime('now', '+8 hours') THEN 1 ELSE 0 END AS is_online
FROM users ORDER BY id`).all()
return NextResponse.json({ users })
}
@ -36,7 +39,7 @@ export async function POST(request: Request) {
}
const passwordHash = hashPassword(password)
const result = db.prepare('INSERT INTO users (username, password_hash, display_name, email, role) VALUES (?, ?, ?, ?, ?)')
const result = db.prepare("INSERT INTO users (username, password_hash, display_name, email, role, created_at, updated_at) VALUES (?, ?, ?, ?, ?, datetime('now', '+8 hours'), datetime('now', '+8 hours'))")
.run(username, passwordHash, display_name, email || null, role || 'viewer')
const user = db.prepare('SELECT id, username, display_name, email, role, is_active, created_at FROM users WHERE id = ?').get(result.lastInsertRowid)

57
src/lib/auth.ts
View File

@ -37,24 +37,53 @@ export function hashApiKey(key: string): string { return crypto.createHash('sha2
export function generateApiKey(): string { return `ak_${crypto.randomBytes(32).toString('hex')}` }
export function verifySession(token: string): SessionPayload | null { return verifyJwt(token) }
// 统一获取当前会话:先查 JWT再查 SSO header解决首次加载时 JWT 尚未签发的竞态问题)
import { cookies, headers } from 'next/headers'
// 统一获取当前会话:优先 tlyq_session共享 JWT回退 session_assets本地 JWT
import { cookies } from 'next/headers'
import { verifySharedJwt } from '@/lib/jwt'
import { ldapUserExists } from '@/lib/ldap'
export async function getSession(): Promise<SessionPayload | null> {
const cookieStore = await cookies()
// 1. JWT
// 1. tlyq_session共享 JWTLDAP 用户)
const sharedToken = cookieStore.get('tlyq_session')?.value
if (sharedToken) {
const sharedPayload = verifySharedJwt(sharedToken)
if (sharedPayload) {
// Q1: 检查 LLDAP 中用户是否仍存在(已删除则强制退出)
if (!(await ldapUserExists(sharedPayload.username))) {
cookieStore.set('tlyq_session', '', { maxAge: 0, path: '/' })
cookieStore.set('session_assets', '', { maxAge: 0, path: '/' })
return null
}
const row = db.prepare(
'SELECT id, username, role FROM users WHERE username = ? AND is_active = 1'
).get(sharedPayload.username) as { id: number; username: string; role: string } | undefined
if (row) {
db.prepare("UPDATE users SET last_active_at = datetime('now', '+8 hours') WHERE id = ?").run(row.id)
return { userId: row.id, username: row.username, role: row.role }
}
// SSO 免登录LLDAP 验证通过但本地无记录 → 自动创建viewer 角色)
db.prepare(
"INSERT OR IGNORE INTO users (username, display_name, role, is_active, created_at, updated_at) VALUES (?, ?, 'viewer', 1, datetime('now', '+8 hours'), datetime('now', '+8 hours'))"
).run(sharedPayload.username, sharedPayload.displayName)
const newRow = db.prepare(
'SELECT id, username, role FROM users WHERE username = ? AND is_active = 1'
).get(sharedPayload.username) as { id: number; username: string; role: string } | undefined
if (newRow) {
return { userId: newRow.id, username: newRow.username, role: newRow.role }
}
}
}
// 2. session_assets本地 JWTadmin 账号或紧急绕过)
const token = cookieStore.get('session_assets')?.value
if (token) {
const payload = verifyJwt(token)
if (payload) return payload
}
// 2. SSO headernginx auth_request 注入,首次请求时 JWT 可能尚未签发)
const headersList = await headers()
const ssoUsername = headersList.get('x-remote-user')
if (ssoUsername) {
const user = db.prepare(
'SELECT id, username, role FROM users WHERE username = ? AND is_active = 1'
).get(ssoUsername) as SessionPayload | undefined
if (user) return user
if (payload) {
db.prepare("UPDATE users SET last_active_at = datetime('now', '+8 hours') WHERE id = ?").run(payload.userId)
return payload
}
}
return null
}
@ -66,6 +95,6 @@ export function verifyApiKey(key: string): { id: number; name: string; permissio
.get(keyHash) as { id: number; name: string; permissions: string } | undefined
if (!row) return null
if (row.expires_at && new Date(row.expires_at) < new Date()) return null
db.prepare("UPDATE api_keys SET last_used_at = datetime('now') WHERE id = ?").run(row.id)
db.prepare("UPDATE api_keys SET last_used_at = datetime('now', '+8 hours') WHERE id = ?").run(row.id)
return { id: row.id, name: row.name, permissions: JSON.parse(row.permissions) }
}

42
src/lib/db-schema.ts
View File

@ -11,21 +11,21 @@ export function initDatabase() {
email TEXT,
role TEXT NOT NULL DEFAULT 'viewer',
is_active INTEGER NOT NULL DEFAULT 1,
created_at TEXT NOT NULL DEFAULT (datetime('now')),
updated_at TEXT NOT NULL DEFAULT (datetime('now'))
created_at TEXT NOT NULL DEFAULT (datetime('now', '+8 hours')),
updated_at TEXT NOT NULL DEFAULT (datetime('now', '+8 hours'))
);
CREATE TABLE IF NOT EXISTS roles (
id INTEGER PRIMARY KEY AUTOINCREMENT,
name TEXT NOT NULL UNIQUE,
display_name TEXT NOT NULL,
permissions TEXT NOT NULL DEFAULT '[]',
created_at TEXT NOT NULL DEFAULT (datetime('now'))
created_at TEXT NOT NULL DEFAULT (datetime('now', '+8 hours'))
);
CREATE TABLE IF NOT EXISTS sessions (
id TEXT PRIMARY KEY,
user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
expires_at TEXT NOT NULL,
created_at TEXT NOT NULL DEFAULT (datetime('now'))
created_at TEXT NOT NULL DEFAULT (datetime('now', '+8 hours'))
);
CREATE TABLE IF NOT EXISTS api_keys (
id INTEGER PRIMARY KEY AUTOINCREMENT,
@ -36,7 +36,7 @@ export function initDatabase() {
expires_at TEXT,
is_active INTEGER NOT NULL DEFAULT 1,
created_by INTEGER REFERENCES users(id),
created_at TEXT NOT NULL DEFAULT (datetime('now'))
created_at TEXT NOT NULL DEFAULT (datetime('now', '+8 hours'))
);
CREATE TABLE IF NOT EXISTS assets (
id INTEGER PRIMARY KEY AUTOINCREMENT,
@ -73,8 +73,8 @@ export function initDatabase() {
psu_total_power TEXT,
board_model TEXT, board_count INTEGER,
raw_data TEXT,
created_at TEXT NOT NULL DEFAULT (datetime('now')),
updated_at TEXT NOT NULL DEFAULT (datetime('now'))
created_at TEXT NOT NULL DEFAULT (datetime('now', '+8 hours')),
updated_at TEXT NOT NULL DEFAULT (datetime('now', '+8 hours'))
);
CREATE TABLE IF NOT EXISTS audit_logs (
id INTEGER PRIMARY KEY AUTOINCREMENT,
@ -85,7 +85,7 @@ export function initDatabase() {
entity_id INTEGER,
details TEXT,
ip_address TEXT,
created_at TEXT NOT NULL DEFAULT (datetime('now'))
created_at TEXT NOT NULL DEFAULT (datetime('now', '+8 hours'))
);
CREATE INDEX IF NOT EXISTS idx_assets_node_name ON assets(node_name);
CREATE INDEX IF NOT EXISTS idx_assets_business_ip ON assets(business_ip);
@ -93,15 +93,25 @@ export function initDatabase() {
CREATE INDEX IF NOT EXISTS idx_assets_status ON assets(status);
`)
// 迁移:添加 last_login_at 和 last_active_at 列
try { db.exec('ALTER TABLE users ADD COLUMN last_login_at TEXT') } catch { /* 列已存在 */ }
try { db.exec('ALTER TABLE users ADD COLUMN last_active_at TEXT') } catch { /* 列已存在 */ }
const existingAdmin = db.prepare('SELECT id FROM users WHERE username = ?').get('admin')
if (!existingAdmin) {
const passwordHash = bcrypt.hashSync(process.env.ADMIN_PASSWORD || 'admin123', 10)
db.prepare('INSERT INTO users (username, password_hash, display_name, role) VALUES (?, ?, ?, ?)')
db.prepare("INSERT INTO users (username, password_hash, display_name, role, created_at, updated_at) VALUES (?, ?, ?, ?, datetime('now', '+8 hours'), datetime('now', '+8 hours'))")
.run('admin', passwordHash, '管理员', 'admin')
}
const existingLocalAdmin = db.prepare('SELECT id FROM users WHERE username = ?').get('localadmin')
if (!existingLocalAdmin) {
const localPasswordHash = bcrypt.hashSync(process.env.LOCALADMIN_PASSWORD || 'admin123', 10)
db.prepare("INSERT INTO users (username, password_hash, display_name, role, created_at, updated_at) VALUES (?, ?, ?, ?, datetime('now', '+8 hours'), datetime('now', '+8 hours'))")
.run('localadmin', localPasswordHash, '本地管理员', 'admin')
}
const defaultRoles = [
{ name: 'admin', display_name: '管理员', permissions: '["*"]' },
{ name: 'editor', display_name: '编辑者', permissions: '["assets:read","assets:write","assets:delete","assets:export:selected"]' },
{ name: 'editor', display_name: '编辑者', permissions: '["assets:read","assets:create","assets:import","assets:update","assets:delete","assets:export:selected"]' },
{ name: 'viewer', display_name: '查看者', permissions: '["assets:read"]' },
]
const builtinNames = new Set(defaultRoles.map(r => r.name))
@ -128,4 +138,16 @@ export function initDatabase() {
db.prepare('UPDATE roles SET permissions = ? WHERE id = ?').run(JSON.stringify(upgraded), r.id)
}
}
// 迁移自定义角色中遗留的旧 assets:write 权限(拆分为 create/import/update
const allRoles2 = db.prepare('SELECT id, name, permissions FROM roles').all() as { id: number; name: string; permissions: string }[]
for (const r of allRoles2) {
if (builtinNames.has(r.name)) continue
const perms: string[] = JSON.parse(r.permissions)
if (perms.includes('assets:write')) {
const upgraded = perms.filter(p => p !== 'assets:write')
upgraded.push('assets:create', 'assets:import', 'assets:update')
db.prepare('UPDATE roles SET permissions = ? WHERE id = ?').run(JSON.stringify(upgraded), r.id)
}
}
}

61
src/lib/jwt.ts Normal file
View File

@ -0,0 +1,61 @@
import crypto from 'crypto'
const JWT_SECRET = process.env.JWT_SECRET || 'change-me-same-across-all-sites'
const COOKIE_DOMAIN = process.env.COOKIE_DOMAIN || ''
export interface SharedSession {
username: string
displayName: string
iat: number
exp: number
}
function base64url(str: string): string {
return Buffer.from(str).toString('base64url')
}
export function signSharedJwt(
payload: { username: string; displayName: string },
expiresIn: number = 7 * 24 * 60 * 60
): string {
const header = { alg: 'HS256', typ: 'JWT' }
const now = Math.floor(Date.now() / 1000)
const body = { ...payload, iat: now, exp: now + expiresIn }
const segments = [base64url(JSON.stringify(header)), base64url(JSON.stringify(body))]
const signingInput = segments.join('.')
segments.push(
crypto.createHmac('sha256', JWT_SECRET).update(signingInput).digest('base64url')
)
return segments.join('.')
}
export function verifySharedJwt(token: string): SharedSession | null {
try {
const parts = token.split('.')
if (parts.length !== 3) return null
const signingInput = parts.slice(0, 2).join('.')
const expectedSig = crypto.createHmac('sha256', JWT_SECRET)
.update(signingInput).digest('base64url')
if (parts[2] !== expectedSig) return null
const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString())
if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) return null
return {
username: payload.username,
displayName: payload.displayName,
iat: payload.iat,
exp: payload.exp,
}
} catch { return null }
}
export function sharedCookieConfig(maxAge: number = 7 * 24 * 60 * 60) {
return {
name: 'tlyq_session',
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax' as const,
domain: COOKIE_DOMAIN,
path: '/',
maxAge,
}
}

71
src/lib/ldap.ts Normal file
View File

@ -0,0 +1,71 @@
import { Client, InvalidCredentialsError } from 'ldapts'
import { execFileSync } from 'child_process'
const LDAP_URL = process.env.LDAP_URL || 'ldap://localhost:3890'
const LDAP_BASE_DN = process.env.LDAP_BASE_DN || 'dc=tlyq,dc=ai'
// 运行时从 LLDAP 容器动态获取 admin 密码,避免明文存于多个 .env
// 需要容器挂载 /var/run/docker.sock
function getLdapAdminPassword(): string {
try {
return execFileSync('docker', ['exec', 'lldap', 'printenv', 'LLDAP_ADMIN_PASSWORD'],
{ timeout: 3000 }).toString().trim()
} catch { return 'admin123' }
}
export interface LdapResult {
success: boolean
unreachable: boolean
username?: string
displayName?: string
}
export async function ldapAuth(
username: string,
password: string
): Promise<LdapResult> {
const userDn = `uid=${username},ou=people,${LDAP_BASE_DN}`
const client = new Client({ url: LDAP_URL, timeout: 5000 })
try {
await client.bind(userDn, password)
try {
const { searchEntries } = await client.search(LDAP_BASE_DN, {
scope: 'sub',
filter: `(uid=${username})`,
attributes: ['displayName'],
timeLimit: 3,
})
const displayName = (searchEntries[0] as any)?.displayName || username
return { success: true, unreachable: false, username, displayName }
} catch {
return { success: true, unreachable: false, username, displayName: username }
}
} catch (err) {
if (err instanceof InvalidCredentialsError) {
return { success: false, unreachable: false }
}
return { success: false, unreachable: true }
} finally {
await client.unbind()
}
}
// Q1: 检查 LLDAP 中用户是否存在(用 admin bind 搜索,不在/不可达均返回 true 保证容错)
export async function ldapUserExists(username: string): Promise<boolean> {
const adminDn = process.env.LDAP_ADMIN_DN || 'uid=admin,ou=people,dc=tlyq,dc=ai'
const adminPass = getLdapAdminPassword()
const client = new Client({ url: LDAP_URL, timeout: 5000 })
try {
await client.bind(adminDn, adminPass)
const { searchEntries } = await client.search(LDAP_BASE_DN, {
scope: 'sub', filter: `(uid=${username})`, timeLimit: 3,
})
return searchEntries.length > 0
} catch {
return true // LLDAP 不可达 → 不阻断,容错放行
} finally {
await client.unbind()
}
}

88
src/middleware.ts
View File

@ -11,67 +11,69 @@ function decodeJwtPayload(token: string): Record<string, unknown> | null {
} catch { return null }
}
function isValidPayload(payload: Record<string, unknown> | null): boolean {
if (!payload) return false
return !(payload.exp && (payload.exp as number) < Math.floor(Date.now() / 1000))
}
export function middleware(request: NextRequest) {
const { pathname } = request.nextUrl
// 清除外部注入的 trust proxy headers防伪造
const requestHeaders = new Headers(request.headers)
requestHeaders.delete('x-remote-user')
requestHeaders.delete('x-remote-groups')
// 登录/退出路径 + 内部 API 放行(自有 key 认证
if (pathname === '/login' || pathname.startsWith('/api/auth/login') || pathname === '/api/auth/logout' || pathname.startsWith('/api/internal/')) {
return NextResponse.next()
}
// SSO 代理认证路径:检测 X-Remote-User header + 代理密钥验证
const remoteUser = request.headers.get('x-remote-user')
const proxyKey = request.headers.get('x-auth-proxy-key')
const isFromNginx = proxyKey === 'internal-auth-key-tlyq-2026'
// API 路由:检查 session_assets cookie 或 Bearer API Key
if (pathname.startsWith('/api/')) {
const authHeader = request.headers.get('authorization')
if (authHeader?.startsWith('Bearer ak_')) return NextResponse.next()
if (remoteUser && isFromNginx) {
// logout 路径不设置 SSO session避免清除后又重新设置
if (pathname === '/api/auth/logout') return NextResponse.next()
const sharedToken = request.cookies.get('tlyq_session')?.value
const sharedPayload = sharedToken ? decodeJwtPayload(sharedToken) : null
if (isValidPayload(sharedPayload)) return NextResponse.next()
const response = pathname === '/login' || pathname.startsWith('/api/auth/login')
? NextResponse.redirect(new URL('/', request.url))
: NextResponse.next()
const localToken = request.cookies.get('session_assets')?.value
const localPayload = localToken ? decodeJwtPayload(localToken) : null
if (isValidPayload(localPayload)) return NextResponse.next()
response.cookies.set('session', JSON.stringify({ username: remoteUser }), {
return NextResponse.json({ error: '未授权' }, { status: 401 })
}
// 页面路由:优先检查 tlyq_session共享 JWT回退 session_assets本地 JWT
const sharedToken = request.cookies.get('tlyq_session')?.value
const sharedPayload = sharedToken ? decodeJwtPayload(sharedToken) : null
if (isValidPayload(sharedPayload)) {
const response = NextResponse.next()
response.cookies.set('session', JSON.stringify({ username: sharedPayload.username }), {
httpOnly: true,
sameSite: 'lax',
path: '/',
})
if (pathname.startsWith('/api/')) {
response.headers.set('x-original-pathname', pathname + (request.nextUrl.search || ''))
}
return response
}
// 回退:现有 JWT 认证路径
if (pathname === '/login' || pathname.startsWith('/api/auth/login')) return NextResponse.next()
const localToken = request.cookies.get('session_assets')?.value
const localPayload = localToken ? decodeJwtPayload(localToken) : null
if (pathname.startsWith('/api/')) {
const authHeader = request.headers.get('authorization')
if (authHeader?.startsWith('Bearer ak_')) return NextResponse.next()
const token = request.cookies.get('session_assets')?.value
const payload = token ? decodeJwtPayload(token) : null
if (!payload?.userId) {
return NextResponse.json({ error: '未授权' }, { status: 401 })
}
return NextResponse.next()
}
const token = request.cookies.get('session_assets')?.value
const payload = token ? decodeJwtPayload(token) : null
const isValidToken = payload?.userId != null
if (!isValidToken) {
const loginUrl = new URL('/login', request.url)
const dest = pathname + (request.nextUrl.search || '')
loginUrl.searchParams.set('redirect', dest)
const response = NextResponse.redirect(loginUrl)
if (token) response.cookies.delete('session_assets')
if (isValidPayload(localPayload)) {
const response = NextResponse.next()
response.cookies.set('session', JSON.stringify({ username: localPayload.username }), {
httpOnly: true,
sameSite: 'lax',
path: '/',
})
return response
}
const response = NextResponse.next()
response.headers.set('x-original-pathname', pathname + (request.nextUrl.search || ''))
// 未认证 → 重定向登录页
const loginUrl = new URL('/login', request.url)
const dest = pathname + (request.nextUrl.search || '')
loginUrl.searchParams.set('redirect', dest)
const response = NextResponse.redirect(loginUrl)
if (sharedToken) response.cookies.delete('tlyq_session')
if (localToken) response.cookies.delete('session_assets')
return response
}