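package server

import (
	"context"
	"crypto/subtle"
	"errors"
	"time"

	"perms-system-server/internal/consts"
	authHelper "perms-system-server/internal/logic/auth"
	"perms-system-server/internal/middleware"
	permModel "perms-system-server/internal/model/perm"
	"perms-system-server/internal/svc"
	"perms-system-server/pb"

	"github.com/golang-jwt/jwt/v4"
	"golang.org/x/crypto/bcrypt"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/status"
)

// PermServer implements pb.PermServiceServer: permission synchronisation for
// products and the product-side login, token refresh, token verification and
// permission lookup endpoints.
type PermServer struct {
	svcCtx *svc.ServiceContext
	pb.UnimplementedPermServiceServer
}

// NewPermServer returns a PermServer bound to the given service context.
func NewPermServer(svcCtx *svc.ServiceContext) *PermServer {
	return &PermServer{svcCtx: svcCtx}
}

// SyncPermissions authenticates a product by appKey/appSecret and reconciles
// its stored permissions with req.Perms: unknown codes are inserted, entries
// whose name/remark/status differ are updated and re-enabled, and codes absent
// from req.Perms are disabled. Cached user details for the product are cleaned
// whenever at least one row changed.
//
// Returns Unauthenticated for an unknown appKey or a wrong appSecret,
// PermissionDenied for a disabled product and Internal for storage failures.
func (s *PermServer) SyncPermissions(ctx context.Context, req *pb.SyncPermissionsReq) (*pb.SyncPermissionsResp, error) {
	product, err := s.svcCtx.SysProductModel.FindOneByAppKey(ctx, req.AppKey)
	if err != nil {
		return nil, status.Error(codes.Unauthenticated, "无效的appKey")
	}
	// Constant-time comparison: a plain != short-circuits on the first
	// differing byte, which lets response timing leak the stored secret.
	if subtle.ConstantTimeCompare([]byte(product.AppSecret), []byte(req.AppSecret)) != 1 {
		return nil, status.Error(codes.Unauthenticated, "appSecret验证失败")
	}
	if product.Status != consts.StatusEnabled {
		return nil, status.Error(codes.PermissionDenied, "产品已被禁用")
	}

	existingMap, err := s.svcCtx.SysPermModel.FindMapByProductCode(ctx, product.Code)
	if err != nil {
		return nil, status.Error(codes.Internal, "查询权限数据失败")
	}

	// One timestamp for the whole sync so inserted, updated and disabled rows
	// all carry the same UpdateTime.
	now := time.Now().Unix()
	var added, updated int64
	codeList := make([]string, 0, len(req.Perms))
	var toInsert []*permModel.SysPerm
	var toUpdate []*permModel.SysPerm

	for _, item := range req.Perms {
		codeList = append(codeList, item.Code)

		existing, ok := existingMap[item.Code]
		if !ok {
			toInsert = append(toInsert, &permModel.SysPerm{
				ProductCode: product.Code,
				Name:        item.Name,
				Code:        item.Code,
				Remark:      item.Remark,
				Status:      consts.StatusEnabled,
				CreateTime:  now,
				UpdateTime:  now,
			})
			added++
			continue
		}

		// A code present in the request is always enabled; rows that were
		// previously disabled are therefore picked up here as well.
		if existing.Name != item.Name || existing.Remark != item.Remark || existing.Status != consts.StatusEnabled {
			existing.Name = item.Name
			existing.Remark = item.Remark
			existing.Status = consts.StatusEnabled
			existing.UpdateTime = now
			toUpdate = append(toUpdate, existing)
			updated++
		}
	}

	if len(toInsert) > 0 {
		if err := s.svcCtx.SysPermModel.BatchInsert(ctx, toInsert); err != nil {
			return nil, status.Error(codes.Internal, "批量插入权限失败")
		}
	}
	if len(toUpdate) > 0 {
		if err := s.svcCtx.SysPermModel.BatchUpdate(ctx, toUpdate); err != nil {
			return nil, status.Error(codes.Internal, "批量更新权限失败")
		}
	}

	// Everything the product did not send this round is disabled rather than
	// deleted. Note that a product sending an empty Perms list disables all of
	// its permissions; whether that is intended is for the caller to decide.
	disabled, err := s.svcCtx.SysPermModel.DisableNotInCodes(ctx, product.Code, codeList, now)
	if err != nil {
		return nil, status.Error(codes.Internal, "禁用权限失败")
	}

	if added > 0 || updated > 0 || disabled > 0 {
		s.svcCtx.UserDetailsLoader.CleanByProduct(ctx, product.Code)
	}

	return &pb.SyncPermissionsResp{Added: added, Updated: updated, Disabled: disabled}, nil
}

// Login authenticates a user with username/password and issues an access
// token plus refresh token scoped to req.ProductCode. Super admins cannot log
// in through the product side.
//
// The password is verified before the account status is inspected so that a
// caller who does not know the password cannot learn whether an account is
// frozen. Missing users and wrong passwords share one error message.
//
// Returns InvalidArgument for an empty productCode, Unauthenticated for a bad
// username/password, PermissionDenied for a frozen account or a super admin,
// Internal when token generation fails.
func (s *PermServer) Login(ctx context.Context, req *pb.LoginReq) (*pb.LoginResp, error) {
	if req.ProductCode == "" {
		return nil, status.Error(codes.InvalidArgument, "productCode不能为空")
	}

	user, err := s.svcCtx.SysUserModel.FindOneByUsername(ctx, req.Username)
	if err != nil {
		// NOTE(review): this branch skips the bcrypt comparison, so it
		// responds faster than a wrong password does; a dummy bcrypt compare
		// here would make the two cases indistinguishable by timing.
		return nil, status.Error(codes.Unauthenticated, "用户名或密码错误")
	}

	if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(req.Password)); err != nil {
		return nil, status.Error(codes.Unauthenticated, "用户名或密码错误")
	}
	if user.Status != consts.StatusEnabled {
		return nil, status.Error(codes.PermissionDenied, "账号已被冻结")
	}
	if user.IsSuperAdmin == consts.IsSuperAdminYes {
		return nil, status.Error(codes.PermissionDenied, "超级管理员不允许通过产品端登录")
	}

	ud := s.svcCtx.UserDetailsLoader.Load(ctx, user.Id, req.ProductCode)

	accessToken, err := authHelper.GenerateAccessToken(
		s.svcCtx.Config.Auth.AccessSecret,
		s.svcCtx.Config.Auth.AccessExpire,
		ud.UserId, ud.Username, ud.ProductCode, ud.MemberType, ud.Perms,
	)
	if err != nil {
		return nil, status.Error(codes.Internal, "生成token失败")
	}

	refreshToken, err := authHelper.GenerateRefreshToken(
		s.svcCtx.Config.Auth.RefreshSecret,
		s.svcCtx.Config.Auth.RefreshExpire,
		ud.UserId, ud.ProductCode,
	)
	if err != nil {
		return nil, status.Error(codes.Internal, "生成token失败")
	}

	return &pb.LoginResp{
		AccessToken:  accessToken,
		RefreshToken: refreshToken,
		// Expires is computed here, independently of the exp claim the helper
		// puts in the token; the two can drift by the time spent in between.
		Expires:    time.Now().Unix() + s.svcCtx.Config.Auth.AccessExpire,
		UserId:     ud.UserId,
		Username:   ud.Username,
		MemberType: ud.MemberType,
		Perms:      ud.Perms,
	}, nil
}

// RefreshToken exchanges a valid refresh token for a new access token. The
// refresh token itself is returned unchanged (it is not rotated). When
// req.ProductCode is empty the product code recorded in the refresh token is
// used.
//
// Returns Unauthenticated for an invalid or expired refresh token,
// PermissionDenied when the reloaded user is not enabled, Internal when token
// generation fails.
func (s *PermServer) RefreshToken(ctx context.Context, req *pb.RefreshTokenReq) (*pb.RefreshTokenResp, error) {
	claims, err := authHelper.ParseRefreshToken(req.RefreshToken, s.svcCtx.Config.Auth.RefreshSecret)
	if err != nil {
		return nil, status.Error(codes.Unauthenticated, "refreshToken无效或已过期")
	}

	// NOTE(review): a non-empty req.ProductCode overrides the product the
	// refresh token was issued for, so one refresh token can mint access
	// tokens for any product. Confirm that cross-product refresh is intended;
	// otherwise reject a mismatch with claims.ProductCode here.
	productCode := req.ProductCode
	if productCode == "" {
		productCode = claims.ProductCode
	}

	// User details are reloaded rather than copied from the old token, so a
	// freeze or permission change since login takes effect on refresh.
	ud := s.svcCtx.UserDetailsLoader.Load(ctx, claims.UserId, productCode)
	if ud.Status != consts.StatusEnabled {
		return nil, status.Error(codes.PermissionDenied, "账号已被冻结")
	}

	accessToken, err := authHelper.GenerateAccessToken(
		s.svcCtx.Config.Auth.AccessSecret,
		s.svcCtx.Config.Auth.AccessExpire,
		ud.UserId, ud.Username, ud.ProductCode, ud.MemberType, ud.Perms,
	)
	if err != nil {
		return nil, status.Error(codes.Internal, "生成token失败")
	}

	return &pb.RefreshTokenResp{
		AccessToken:  accessToken,
		RefreshToken: req.RefreshToken,
		Expires:      time.Now().Unix() + s.svcCtx.Config.Auth.AccessExpire,
	}, nil
}

// VerifyToken checks an access token's signature, validity and token type and
// returns the identity and permissions embedded in it. It never returns an
// error: any failure yields Valid=false.
//
// Only HMAC-signed tokens are accepted. The access secret is a shared
// symmetric key, so letting the token's alg header choose another algorithm
// would be an algorithm-confusion risk; the method is pinned before the key
// is handed to the parser.
func (s *PermServer) VerifyToken(ctx context.Context, req *pb.VerifyTokenReq) (*pb.VerifyTokenResp, error) {
	token, err := jwt.ParseWithClaims(req.AccessToken, &middleware.Claims{}, func(t *jwt.Token) (interface{}, error) {
		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, errors.New("unexpected signing method")
		}
		return []byte(s.svcCtx.Config.Auth.AccessSecret), nil
	})
	if err != nil || !token.Valid {
		return &pb.VerifyTokenResp{Valid: false}, nil
	}

	// A refresh token is signed with a different secret, but the type check
	// keeps a token of the wrong kind from being accepted as an access token
	// even if the secrets were ever configured identically.
	claims, ok := token.Claims.(*middleware.Claims)
	if !ok || claims.TokenType != consts.TokenTypeAccess {
		return &pb.VerifyTokenResp{Valid: false}, nil
	}

	return &pb.VerifyTokenResp{
		Valid:      true,
		UserId:     claims.UserId,
		Username:   claims.Username,
		MemberType: claims.MemberType,
		Perms:      claims.Perms,
	}, nil
}

// GetUserPerms returns the member type and permissions of a user for a product.
// An empty Username in the loaded details is treated as "user not found".
//
// Returns NotFound when the user does not exist.
func (s *PermServer) GetUserPerms(ctx context.Context, req *pb.GetUserPermsReq) (*pb.GetUserPermsResp, error) {
	ud := s.svcCtx.UserDetailsLoader.Load(ctx, req.UserId, req.ProductCode)
	if ud.Username == "" {
		return nil, status.Error(codes.NotFound, "用户不存在")
	}
	return &pb.GetUserPermsResp{
		MemberType: ud.MemberType,
		Perms:      ud.Perms,
	}, nil
}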