tdm_server_rust/middleware/

auth.rs

//! 登录鉴权与路由权限中间件
//!
//! 对齐 Java `LoginCheckInterceptor` + `PermissionCheckInterceptor`。
//!
//! ## 鉴权流程
//!
//! 1. 放行 `/login`、`/reg`、`OPTIONS` 请求
//! 2. 从 Header `token` 或 `Authorization` 提取 JWT
//! 3. 解析 Token → 加载组员信息
//! 4. 特殊路由权限校验（evaluations、takeEpisode、download 等）
//! 5. 注入 [`AuthMember`] 到请求扩展

use crate::{
    app::AppState,
    cache::get_auth_snapshot_cached,
    common::result::permission_denied_response,
    entity::member::Member,
    error::AppError,
    utils::jwt::{JwtClaims, JwtUtil},
};
use axum::{
    body::Body,
    extract::State,
    http::{Method, Request},
    middleware::Next,
    response::Response,
};

/// 请求扩展中的当前组员
#[derive(Debug, Clone)]
pub struct AuthMember(pub Option<Member>);

/// 鉴权中间件
#[tracing::instrument(skip_all, level = "info")]
pub async fn auth_middleware(
    State(state): State<AppState>,
    mut req: Request<Body>,
    next: Next,
) -> Result<Response, AppError> {
    let uri = req.uri().path().to_string();
    let method = req.method().clone();

    if uri.contains("login") || uri.contains("reg") {
        req.extensions_mut().insert(AuthMember(None));
        return Ok(next.run(req).await);
    }

    if method == Method::OPTIONS {
        req.extensions_mut().insert(AuthMember(None));
        return Ok(next.run(req).await);
    }

    if uri.contains("undefined") {
        return Err(AppError::login_expired("未登录哦 快加入提灯喵接坑吧喵！"));
    }

    let token = extract_token(req.headers());
    if method != Method::GET && token.is_none() {
        return Err(AppError::login_expired("请登录一下哦喵……"));
    }

    let mut member: Option<Member> = None;
    if let Some(jwt) = token.as_deref() {
        let claims = parse_token(&state, jwt)?;
        member = Some(load_member(&state, claims.id).await?);
    }

    check_route_permission(&uri, token.as_deref())?;

    if uri.starts_with("/api/evaluations") {
        if let Some(ref m) = member {
            let posts = &m.post_ids;
            let has = posts.contains(&2) || posts.contains(&4);
            if !has && !posts.contains(&4) {
                return Ok(permission_denied_response());
            }
        } else {
            return Ok(permission_denied_response());
        }
    }

    req.extensions_mut().insert(AuthMember(member));
    Ok(next.run(req).await)
}

/// 解析 JWT token
#[tracing::instrument(name = "auth::parse_token", skip(state, token), level = "info")]
fn parse_token(state: &AppState, token: &str) -> Result<JwtClaims, AppError> {
    let util = JwtUtil::new(&state.config.jwt.sign_key, state.config.jwt.expire_ms);
    util.parse(token).map_err(|e| {
        if e.to_string().contains("ExpiredSignature") {
            AppError::login_expired("登录数据过期,请重新登录喵！")
        } else {
            AppError::login_expired("Token解析失败喵！请重新登录喵！")
        }
    })
}

/// 从数据库加载组员
#[tracing::instrument(name = "auth::load_member", skip(state), level = "info")]
async fn load_member(state: &AppState, member_id: i32) -> Result<Member, AppError> {
    let m = get_auth_snapshot_cached(state, member_id).await?;
    if crate::entity::enums::MemberInternEnum::is_left(m.intern) {
        return Err(AppError::login_expired("你已经退出了提灯喵猫娘化计划喵……"));
    }
    Ok(m)
}

/// 路由级权限校验
#[tracing::instrument(name = "auth::check_permission", skip(uri, token), level = "info")]
fn check_route_permission(uri: &str, token: Option<&str>) -> Result<(), AppError> {
    let needs_strict = uri.contains("takeEpisode")
        || uri.contains("invitationCodes")
        || uri.contains("download");
    if needs_strict && token.is_none() {
        return Err(AppError::login_expired("必须要登录才能访问这里喵！"));
    }
    Ok(())
}

/// 从请求头提取 token
fn extract_token(headers: &axum::http::HeaderMap) -> Option<String> {
    headers
        .get("token")
        .or_else(|| headers.get("Authorization"))
        .and_then(|v| v.to_str().ok())
        .map(|s| s.to_string())
}