feat(auth): add handlers, JWT middleware, RBAC, and module registration

- Auth handlers: login/refresh/logout + user CRUD with tenant isolation
- JWT middleware: Bearer token validation → TenantContext injection
- RBAC helpers: require_permission, require_any_permission, require_role
- AuthModule: implements ErpModule with public/protected route split
- AuthState: FromRef pattern avoids circular deps between erp-auth and erp-server
- Server: public routes (health+login+refresh) + protected routes (JWT middleware)
- ErpModule trait: added as_any() for downcast support
- Workspace: added async-trait, sha2 dependencies

crates/erp-auth/src/handler/auth_handler.rs

@@ -0,0 +1,90 @@
+use axum::Extension;
+use axum::extract::{FromRef, State};
+use axum::response::Json;
+use validator::Validate;
+
+use erp_core::error::AppError;
+use erp_core::types::{ApiResponse, TenantContext};
+
+use crate::auth_state::AuthState;
+use crate::dto::{LoginReq, LoginResp, RefreshReq};
+use crate::service::auth_service::AuthService;
+
+/// POST /api/v1/auth/login
+///
+/// Authenticates a user with username and password, returning access and refresh tokens.
+///
+/// During the bootstrap phase, the tenant_id is taken from `AuthState::default_tenant_id`.
+/// In production, this will come from a tenant-resolution middleware.
+pub async fn login<S>(
+    State(state): State<AuthState>,
+    Json(req): Json<LoginReq>,
+) -> Result<Json<ApiResponse<LoginResp>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    req.validate()
+        .map_err(|e| AppError::Validation(e.to_string()))?;
+
+    let tenant_id = state.default_tenant_id;
+
+    let resp = AuthService::login(
+        tenant_id,
+        &req.username,
+        &req.password,
+        &state.db,
+        &state.jwt_secret,
+        state.access_ttl_secs,
+        state.refresh_ttl_secs,
+        &state.event_bus,
+    )
+    .await?;
+
+    Ok(Json(ApiResponse::ok(resp)))
+}
+
+/// POST /api/v1/auth/refresh
+///
+/// Validates an existing refresh token, revokes it (rotation), and issues
+/// a new access + refresh token pair.
+pub async fn refresh<S>(
+    State(state): State<AuthState>,
+    Json(req): Json<RefreshReq>,
+) -> Result<Json<ApiResponse<LoginResp>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    let resp = AuthService::refresh(
+        &req.refresh_token,
+        &state.db,
+        &state.jwt_secret,
+        state.access_ttl_secs,
+        state.refresh_ttl_secs,
+    )
+    .await?;
+
+    Ok(Json(ApiResponse::ok(resp)))
+}
+
+/// POST /api/v1/auth/logout
+///
+/// Revokes all refresh tokens for the authenticated user, effectively
+/// logging them out on all devices.
+pub async fn logout<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+) -> Result<Json<ApiResponse<()>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    AuthService::logout(ctx.user_id, ctx.tenant_id, &state.db).await?;
+
+    Ok(Json(ApiResponse {
+        success: true,
+        data: None,
+        message: Some("已成功登出".to_string()),
+    }))
+}

crates/erp-auth/src/handler/mod.rs

@@ -0,0 +1,2 @@
+pub mod auth_handler;
+pub mod user_handler;

crates/erp-auth/src/handler/user_handler.rs

@@ -0,0 +1,137 @@
+use axum::Extension;
+use axum::extract::{FromRef, Path, Query, State};
+use axum::response::Json;
+use validator::Validate;
+
+use erp_core::error::AppError;
+use erp_core::types::{ApiResponse, PaginatedResponse, Pagination, TenantContext};
+use uuid::Uuid;
+
+use crate::auth_state::AuthState;
+use crate::dto::{CreateUserReq, UpdateUserReq, UserResp};
+use crate::middleware::rbac::require_permission;
+use crate::service::user_service::UserService;
+
+/// GET /api/v1/users
+///
+/// List users within the current tenant with pagination.
+/// Requires the `user.list` permission.
+pub async fn list_users<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+    Query(pagination): Query<Pagination>,
+) -> Result<Json<ApiResponse<PaginatedResponse<UserResp>>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "user.list")?;
+
+    let (users, total) = UserService::list(ctx.tenant_id, &pagination, &state.db).await?;
+
+    let page = pagination.page.unwrap_or(1);
+    let page_size = pagination.limit();
+    let total_pages = (total + page_size - 1) / page_size;
+
+    Ok(Json(ApiResponse::ok(PaginatedResponse {
+        data: users,
+        total,
+        page,
+        page_size,
+        total_pages,
+    })))
+}
+
+/// POST /api/v1/users
+///
+/// Create a new user within the current tenant.
+/// Requires the `user.create` permission.
+pub async fn create_user<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+    Json(req): Json<CreateUserReq>,
+) -> Result<Json<ApiResponse<UserResp>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "user.create")?;
+
+    req.validate()
+        .map_err(|e| AppError::Validation(e.to_string()))?;
+
+    let user = UserService::create(
+        ctx.tenant_id,
+        ctx.user_id,
+        &req,
+        &state.db,
+        &state.event_bus,
+    )
+    .await?;
+
+    Ok(Json(ApiResponse::ok(user)))
+}
+
+/// GET /api/v1/users/:id
+///
+/// Fetch a single user by ID within the current tenant.
+/// Requires the `user.read` permission.
+pub async fn get_user<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(id): Path<Uuid>,
+) -> Result<Json<ApiResponse<UserResp>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "user.read")?;
+
+    let user = UserService::get_by_id(id, ctx.tenant_id, &state.db).await?;
+    Ok(Json(ApiResponse::ok(user)))
+}
+
+/// PUT /api/v1/users/:id
+///
+/// Update editable user fields.
+/// Requires the `user.update` permission.
+pub async fn update_user<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(id): Path<Uuid>,
+    Json(req): Json<UpdateUserReq>,
+) -> Result<Json<ApiResponse<UserResp>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "user.update")?;
+
+    let user =
+        UserService::update(id, ctx.tenant_id, ctx.user_id, &req, &state.db).await?;
+    Ok(Json(ApiResponse::ok(user)))
+}
+
+/// DELETE /api/v1/users/:id
+///
+/// Soft-delete a user by ID within the current tenant.
+/// Requires the `user.delete` permission.
+pub async fn delete_user<S>(
+    State(state): State<AuthState>,
+    Extension(ctx): Extension<TenantContext>,
+    Path(id): Path<Uuid>,
+) -> Result<Json<ApiResponse<()>>, AppError>
+where
+    AuthState: FromRef<S>,
+    S: Clone + Send + Sync + 'static,
+{
+    require_permission(&ctx, "user.delete")?;
+
+    UserService::delete(id, ctx.tenant_id, ctx.user_id, &state.db, &state.event_bus).await?;
+
+    Ok(Json(ApiResponse {
+        success: true,
+        data: None,
+        message: Some("用户已删除".to_string()),
+    }))
+}