3b6fca44a6
后端:
1.阶段 6 CP4/CP5 目录收口与共享边界纯化
- 将 backend 根目录收口为 services、client、gateway、cmd、shared 五个一级目录
- 收拢 bootstrap、inits、infra/kafka、infra/outbox、conv、respond、pkg、middleware,移除根目录旧实现与空目录
- 将 utils 下沉到 services/userauth/internal/auth,将 logic 下沉到 services/schedule/core/planning
- 将迁移期 runtime 桥接实现统一收拢到 services/runtime/{conv,dao,eventsvc,model},删除 shared/legacy 与未再被 import 的旧 service 实现
- 将 gateway/shared/respond 收口为 HTTP/Gin 错误写回适配,shared/respond 仅保留共享错误语义与状态映射
- 将 HTTP IdempotencyMiddleware 与 RateLimitMiddleware 收口到 gateway/middleware
- 将 GormCachePlugin 下沉到 shared/infra/gormcache,将共享 RateLimiter 下沉到 shared/infra/ratelimit,将 agent token budget 下沉到 services/agent/shared
- 删除 InitEino 兼容壳,收缩 cmd/internal/coreinit 仅保留旧组合壳残留域初始化语义
- 更新微服务迁移计划与桌面 checklist,补齐 CP4/CP5 当前切流点、目录终态与验证结果
- 完成 go test ./...、git diff --check 与最终真实 smoke;health、register/login、task/create+get、schedule/today、task-class/list、memory/items、agent chat/meta/timeline/context-stats 全部 200,SSE 合并结果为 CP5_OK 且 [DONE] 只有 1 个
76 lines
2.0 KiB
Go
76 lines
2.0 KiB
Go
package middleware
|
||
|
||
import (
|
||
"context"
|
||
"errors"
|
||
"net/http"
|
||
"strings"
|
||
"time"
|
||
|
||
"github.com/LoveLosita/smartflow/backend/gateway/shared/respond"
|
||
"github.com/LoveLosita/smartflow/backend/shared/ports"
|
||
"github.com/gin-gonic/gin"
|
||
)
|
||
|
||
// ExtractTokenFromAuthorization 从 Authorization 头中提取 token。
|
||
// 职责边界:
|
||
// 1. 兼容裸 token 与 Bearer token 两种传参方式;
|
||
// 2. 不做签名校验,只做字符串提取;
|
||
// 3. 返回空串表示缺少或格式非法。
|
||
func ExtractTokenFromAuthorization(header string) string {
|
||
trimmed := strings.TrimSpace(header)
|
||
if trimmed == "" {
|
||
return ""
|
||
}
|
||
|
||
parts := strings.Fields(trimmed)
|
||
if len(parts) == 2 && strings.EqualFold(parts[0], "Bearer") {
|
||
return strings.TrimSpace(parts[1])
|
||
}
|
||
if len(parts) == 1 {
|
||
return parts[0]
|
||
}
|
||
return ""
|
||
}
|
||
|
||
// JWTTokenAuth 负责 access token 的 gateway 边缘鉴权。
|
||
// 职责边界:
|
||
// 1. 只验证 token,并把 user_id 写入 gin 上下文;
|
||
// 2. 不直连 Redis、JWT 或 users 表,所有核心校验都交给 userauth 服务;
|
||
// 3. 校验失败时直接中断请求,由 respond 风格统一写回前端。
|
||
func JWTTokenAuth(validator ports.AccessTokenValidator) gin.HandlerFunc {
|
||
return func(c *gin.Context) {
|
||
if validator == nil {
|
||
c.JSON(http.StatusInternalServerError, respond.InternalError(errors.New("token validator dependency not initialized")))
|
||
c.Abort()
|
||
return
|
||
}
|
||
|
||
tokenString := ExtractTokenFromAuthorization(c.GetHeader("Authorization"))
|
||
if tokenString == "" {
|
||
c.JSON(http.StatusUnauthorized, respond.MissingToken)
|
||
c.Abort()
|
||
return
|
||
}
|
||
|
||
ctx, cancel := context.WithTimeout(c.Request.Context(), 2*time.Second)
|
||
defer cancel()
|
||
|
||
resp, err := validator.ValidateAccessToken(ctx, tokenString)
|
||
if err != nil {
|
||
writeRespondError(c, err)
|
||
c.Abort()
|
||
return
|
||
}
|
||
if resp == nil || !resp.Valid || resp.UserID <= 0 {
|
||
c.JSON(http.StatusUnauthorized, respond.InvalidClaims)
|
||
c.Abort()
|
||
return
|
||
}
|
||
|
||
c.Set("user_id", resp.UserID)
|
||
c.Set("claims", resp)
|
||
c.Next()
|
||
}
|
||
}
|