feat(auth): 完善API网关JWT认证和权限控制功能

- 实现网关侧JWT工具类和权限规则匹配器 - 集成JWT认证流程，支持Bearer Token验证 - 添加基于路径和HTTP方法的权限控制机制 - 配置白名单路由规则，优化认证性能 - 更新前端受保护路由组件，实现权限验证 - 添加403禁止访问页面和权限检查逻辑 - 重构登录页面，集成实际认证API调用 - 实现用户信息获取和权限加载功能 - 优化全局异常处理器中的认证错误状态码 - 集成FastJSON2和JJWT依赖库支持
2026-02-06 13:11:08 +08:00
parent 719f54bf2e
commit 056cee11cc
33 changed files with 1462 additions and 89 deletions
--- a/frontend/src/auth/permissions.ts
+++ b/frontend/src/auth/permissions.ts
@@ -0,0 +1,75 @@
+export const PermissionCodes = {
+  dataManagementRead: "module:data-management:read",
+  dataManagementWrite: "module:data-management:write",
+  dataAnnotationRead: "module:data-annotation:read",
+  dataAnnotationWrite: "module:data-annotation:write",
+  dataCollectionRead: "module:data-collection:read",
+  dataCollectionWrite: "module:data-collection:write",
+  dataEvaluationRead: "module:data-evaluation:read",
+  dataEvaluationWrite: "module:data-evaluation:write",
+  dataSynthesisRead: "module:data-synthesis:read",
+  dataSynthesisWrite: "module:data-synthesis:write",
+  knowledgeManagementRead: "module:knowledge-management:read",
+  knowledgeManagementWrite: "module:knowledge-management:write",
+  knowledgeBaseRead: "module:knowledge-base:read",
+  knowledgeBaseWrite: "module:knowledge-base:write",
+  operatorMarketRead: "module:operator-market:read",
+  operatorMarketWrite: "module:operator-market:write",
+  orchestrationRead: "module:orchestration:read",
+  orchestrationWrite: "module:orchestration:write",
+  contentGenerationUse: "module:content-generation:use",
+  agentUse: "module:agent:use",
+  userManage: "system:user:manage",
+  roleManage: "system:role:manage",
+  permissionManage: "system:permission:manage",
+} as const;
+
+const routePermissionRules: Array<{ prefix: string; permission: string }> = [
+  { prefix: "/data/management", permission: PermissionCodes.dataManagementRead },
+  { prefix: "/data/annotation", permission: PermissionCodes.dataAnnotationRead },
+  { prefix: "/data/collection", permission: PermissionCodes.dataCollectionRead },
+  { prefix: "/data/evaluation", permission: PermissionCodes.dataEvaluationRead },
+  { prefix: "/data/synthesis", permission: PermissionCodes.dataSynthesisRead },
+  { prefix: "/data/knowledge-management", permission: PermissionCodes.knowledgeManagementRead },
+  { prefix: "/data/knowledge-base", permission: PermissionCodes.knowledgeBaseRead },
+  { prefix: "/data/operator-market", permission: PermissionCodes.operatorMarketRead },
+  { prefix: "/data/orchestration", permission: PermissionCodes.orchestrationRead },
+  { prefix: "/data/content-generation", permission: PermissionCodes.contentGenerationUse },
+  { prefix: "/chat", permission: PermissionCodes.agentUse },
+];
+
+const defaultRouteCandidates: Array<{ path: string; permission: string }> = [
+  { path: "/data/management", permission: PermissionCodes.dataManagementRead },
+  { path: "/data/annotation", permission: PermissionCodes.dataAnnotationRead },
+  { path: "/data/knowledge-management", permission: PermissionCodes.knowledgeManagementRead },
+  { path: "/data/knowledge-base", permission: PermissionCodes.knowledgeBaseRead },
+  { path: "/chat", permission: PermissionCodes.agentUse },
+];
+
+export function hasPermission(
+  userPermissions: string[] | undefined,
+  requiredPermission?: string | null
+): boolean {
+  if (!requiredPermission) {
+    return true;
+  }
+  return (userPermissions ?? []).includes(requiredPermission);
+}
+
+export function resolveRequiredPermissionByPath(pathname: string): string | null {
+  if (pathname === "/403") {
+    return null;
+  }
+  const matchedRule = routePermissionRules.find((rule) =>
+    pathname.startsWith(rule.prefix)
+  );
+  return matchedRule?.permission ?? null;
+}
+
+export function resolveDefaultAuthorizedPath(userPermissions: string[]): string {
+  const matchedPath = defaultRouteCandidates.find((candidate) =>
+    hasPermission(userPermissions, candidate.permission)
+  )?.path;
+  return matchedPath ?? "/403";
+}
+