feat(message): add message center module (Phase 5)

Implement the complete message center with: - Database migrations for message_templates, messages, message_subscriptions tables - erp-message crate with entities, DTOs, services, handlers - Message CRUD, send, read/unread tracking, soft delete - Template management with variable interpolation - Subscription preferences with DND support - Frontend: messages page, notification panel, unread count badge - Server integration with module registration and routing Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-11 12:25:05 +08:00
parent 91ecaa3ed7
commit 5ceed71e62
35 changed files with 2252 additions and 15 deletions
--- a/crates/erp-server/src/config.rs
+++ b/crates/erp-server/src/config.rs
@@ -8,6 +8,7 @@ pub struct AppConfig {
    pub jwt: JwtConfig,
    pub auth: AuthConfig,
    pub log: LogConfig,
+    pub cors: CorsConfig,
 }

 #[derive(Debug, Clone, Deserialize)]
@@ -45,6 +46,13 @@ pub struct AuthConfig {
    pub super_admin_password: String,
 }

+#[derive(Debug, Clone, Deserialize)]
+pub struct CorsConfig {
+    /// Comma-separated list of allowed origins.
+    /// Use "*" to allow all origins (development only).
+    pub allowed_origins: String,
+}
+
 impl AppConfig {
    pub fn load() -> anyhow::Result<Self> {
        let config = config::Config::builder()
--- a/crates/erp-server/src/main.rs
+++ b/crates/erp-server/src/main.rs
@@ -109,11 +109,16 @@ async fn main() -> anyhow::Result<()> {
    let workflow_module = erp_workflow::WorkflowModule::new();
    tracing::info!(module = workflow_module.name(), version = workflow_module.version(), "Workflow module initialized");

+    // Initialize message module
+    let message_module = erp_message::MessageModule::new();
+    tracing::info!(module = message_module.name(), version = message_module.version(), "Message module initialized");
+
    // Initialize module registry and register modules
    let registry = ModuleRegistry::new()
        .register(auth_module)
        .register(config_module)
-        .register(workflow_module);
+        .register(workflow_module)
+        .register(message_module);
    tracing::info!(module_count = registry.modules().len(), "Modules registered");

    // Register event handlers
@@ -152,6 +157,7 @@ async fn main() -> anyhow::Result<()> {
    let protected_routes = erp_auth::AuthModule::protected_routes()
        .merge(erp_config::ConfigModule::protected_routes())
        .merge(erp_workflow::WorkflowModule::protected_routes())
+        .merge(erp_message::MessageModule::protected_routes())
        .layer(middleware::from_fn(move |req, next| {
            let secret = jwt_secret.clone();
            async move { jwt_auth_middleware_fn(secret, req, next).await }
@@ -159,7 +165,7 @@ async fn main() -> anyhow::Result<()> {
        .with_state(state.clone());

    // Merge public + protected into the final application router
-    let cors = tower_http::cors::CorsLayer::permissive(); // TODO: restrict origins in production
+    let cors = build_cors_layer(&state.config.cors.allowed_origins);
    let app = Router::new()
        .merge(public_routes)
        .merge(protected_routes)
@@ -178,6 +184,48 @@ async fn main() -> anyhow::Result<()> {
    Ok(())
 }

+/// Build a CORS layer from the comma-separated allowed origins config.
+///
+/// If the config is "*", allows all origins (development mode).
+/// Otherwise, parses each origin as a URL and restricts to those origins only.
+fn build_cors_layer(allowed_origins: &str) -> tower_http::cors::CorsLayer {
+    use axum::http::HeaderValue;
+    use tower_http::cors::AllowOrigin;
+
+    let origins = allowed_origins
+        .split(',')
+        .map(|s| s.trim())
+        .filter(|s| !s.is_empty())
+        .collect::<Vec<_>>();
+
+    if origins.len() == 1 && origins[0] == "*" {
+        tracing::warn!("CORS: allowing all origins — only use in development!");
+        tower_http::cors::CorsLayer::permissive()
+    } else {
+        let allowed: Vec<HeaderValue> = origins
+            .iter()
+            .filter_map(|o| o.parse::<HeaderValue>().ok())
+            .collect();
+
+        tracing::info!(origins = ?origins, "CORS: restricting to allowed origins");
+
+        tower_http::cors::CorsLayer::new()
+            .allow_origin(AllowOrigin::list(allowed))
+            .allow_methods([
+                axum::http::Method::GET,
+                axum::http::Method::POST,
+                axum::http::Method::PUT,
+                axum::http::Method::DELETE,
+                axum::http::Method::PATCH,
+            ])
+            .allow_headers([
+                axum::http::header::AUTHORIZATION,
+                axum::http::header::CONTENT_TYPE,
+            ])
+            .allow_credentials(true)
+    }
+}
+
 async fn shutdown_signal() {
    let ctrl_c = async {
        tokio::signal::ctrl_c()
--- a/crates/erp-server/src/state.rs
+++ b/crates/erp-server/src/state.rs
@@ -70,3 +70,13 @@ impl FromRef<AppState> for erp_workflow::WorkflowState {
        }
    }
 }
+
+/// Allow erp-message handlers to extract their required state without depending on erp-server.
+impl FromRef<AppState> for erp_message::MessageState {
+    fn from_ref(state: &AppState) -> Self {
+        Self {
+            db: state.db.clone(),
+            event_bus: state.event_bus.clone(),
+        }
+    }
+}