扩展认证逻辑支持 API Token 和动态权限解析，更新配置结构及 Swagger 文档

2026-01-14 16:31:58 +08:00
parent fe656fb298
commit 2ea2c93bb4
13 changed files with 634 additions and 207 deletions
--- a/internal/api/middleware/auth.go
+++ b/internal/api/middleware/auth.go
@@ -12,6 +12,7 @@ import (
 )

 func AdminAuth() gin.HandlerFunc {
+	tokenService := service.NewTokenService()
 	return func(c *gin.Context) {
 		authHeader := c.GetHeader("Authorization")
 		if authHeader == "" {
@@ -27,29 +28,41 @@ func AdminAuth() gin.HandlerFunc {
 			return
 		}

-		claims, err := auth.ParseToken(parts[1])
-		if err != nil {
-			c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, "Invalid or expired token"))
-			c.Abort()
+		tokenStr := parts[1]
+
+		// 1. 尝试解析为管理员 JWT
+		claims, err := auth.ParseToken(tokenStr)
+		if err == nil {
+			c.Set("admin_id", claims.AdminID)
+			c.Next()
 			return
 		}

-		c.Set("admin_id", claims.AdminID)
-		c.Next()
+		// 2. 尝试解析为 API Token (如果配置允许)
+		if config.GlobalConfig.APIToken.Enabled && config.GlobalConfig.APIToken.AllowAdminAPI {
+			token, err := tokenService.ValidateToken(tokenStr, model.ScopeAdmin)
+			if err == nil {
+				c.Set("token_id", token.ID)
+				c.Set("token_scope", token.Scope)
+				c.Next()
+				return
+			}
+		}
+
+		c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, "Invalid or expired token"))
+		c.Abort()
 	}
 }

-func APITokenAuth(requiredScope string) gin.HandlerFunc {
+func APITokenAuth(requiredScope string, optional bool) gin.HandlerFunc {
 	tokenService := service.NewTokenService()
 	return func(c *gin.Context) {
-		if !config.GlobalConfig.APIToken.Enabled {
-			c.JSON(http.StatusForbidden, model.ErrorResponse(model.CodeForbidden, "API Token is disabled"))
-			c.Abort()
-			return
-		}
-
 		authHeader := c.GetHeader("Authorization")
 		if authHeader == "" {
+			if optional {
+				c.Next()
+				return
+			}
 			c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, "Authorization header required"))
 			c.Abort()
 			return
@@ -57,13 +70,31 @@ func APITokenAuth(requiredScope string) gin.HandlerFunc {

 		parts := strings.SplitN(authHeader, " ", 2)
 		if !(len(parts) == 2 && parts[0] == "Bearer") {
+			if optional {
+				c.Next()
+				return
+			}
 			c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, "Invalid authorization format"))
 			c.Abort()
 			return
 		}

+		if !config.GlobalConfig.APIToken.Enabled {
+			if optional {
+				c.Next()
+				return
+			}
+			c.JSON(http.StatusForbidden, model.ErrorResponse(model.CodeForbidden, "API Token is disabled"))
+			c.Abort()
+			return
+		}
+
 		token, err := tokenService.ValidateToken(parts[1], requiredScope)
 		if err != nil {
+			if optional {
+				c.Next()
+				return
+			}
 			c.JSON(http.StatusUnauthorized, model.ErrorResponse(model.CodeUnauthorized, err.Error()))
 			c.Abort()
 			return