feat(auth): implement core service layer (password, JWT, auth, user CRUD)

- error.rs: AuthError with proper HTTP status mapping - service/password.rs: Argon2 hash/verify with tests - service/token_service.rs: JWT sign/validate, token DB storage with SHA-256 hash - service/auth_service.rs: login/refresh/logout flows with event publishing - service/user_service.rs: user CRUD with soft delete and tenant isolation - Added sha2 dependency to workspace for token hashing
2026-04-11 03:05:17 +08:00
parent 411a07caa1
commit edc41a1500
9 changed files with 916 additions and 0 deletions
--- a/crates/erp-auth/src/service/token_service.rs
+++ b/crates/erp-auth/src/service/token_service.rs
@@ -0,0 +1,271 @@
+use chrono::Utc;
+use sea_orm::{ActiveModelTrait, ColumnTrait, DatabaseConnection, EntityTrait, QueryFilter, Set};
+use serde::{Deserialize, Serialize};
+use sha2::{Digest, Sha256};
+use uuid::Uuid;
+
+use crate::entity::{permission, role, role_permission, user_role, user_token};
+use crate::error::AuthError;
+
+use crate::error::AuthResult;
+
+/// JWT claims embedded in access and refresh tokens.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+pub struct Claims {
+    /// Subject — the user ID
+    pub sub: Uuid,
+    /// Tenant ID
+    pub tid: Uuid,
+    /// Role codes assigned to this user
+    pub roles: Vec<String>,
+    /// Permission codes granted to this user
+    pub permissions: Vec<String>,
+    /// Expiry (unix timestamp)
+    pub exp: i64,
+    /// Issued at (unix timestamp)
+    pub iat: i64,
+    /// Token type: "access" or "refresh"
+    pub token_type: String,
+}
+
+/// Stateless service for JWT token signing, validation, and revocation.
+pub struct TokenService;
+
+impl TokenService {
+    /// Sign a short-lived access token containing roles and permissions.
+    pub fn sign_access_token(
+        user_id: Uuid,
+        tenant_id: Uuid,
+        roles: Vec<String>,
+        permissions: Vec<String>,
+        secret: &str,
+        ttl_secs: i64,
+    ) -> AuthResult<String> {
+        let now = Utc::now();
+        let claims = Claims {
+            sub: user_id,
+            tid: tenant_id,
+            roles,
+            permissions,
+            exp: now.timestamp() + ttl_secs,
+            iat: now.timestamp(),
+            token_type: "access".to_string(),
+        };
+        let header = jsonwebtoken::Header::default();
+        let encoded = jsonwebtoken::encode(
+            &header,
+            &claims,
+            &jsonwebtoken::EncodingKey::from_secret(secret.as_bytes()),
+        )?;
+        Ok(encoded)
+    }
+
+    /// Sign a long-lived refresh token and persist its SHA-256 hash in the database.
+    ///
+    /// Returns the raw token string (sent to client) and the database row ID.
+    pub async fn sign_refresh_token(
+        user_id: Uuid,
+        tenant_id: Uuid,
+        db: &DatabaseConnection,
+        secret: &str,
+        ttl_secs: i64,
+    ) -> AuthResult<(String, Uuid)> {
+        let now = Utc::now();
+        let token_id = Uuid::now_v7();
+
+        let claims = Claims {
+            sub: user_id,
+            tid: tenant_id,
+            roles: vec![],
+            permissions: vec![],
+            exp: now.timestamp() + ttl_secs,
+            iat: now.timestamp(),
+            token_type: "refresh".to_string(),
+        };
+        let raw_token = jsonwebtoken::encode(
+            &jsonwebtoken::Header::default(),
+            &claims,
+            &jsonwebtoken::EncodingKey::from_secret(secret.as_bytes()),
+        )?;
+
+        // Store the SHA-256 hash — the raw token is never persisted.
+        let hash = sha256_hex(&raw_token);
+
+        let token_model = user_token::ActiveModel {
+            id: Set(token_id),
+            tenant_id: Set(tenant_id),
+            user_id: Set(user_id),
+            token_hash: Set(hash),
+            token_type: Set("refresh".to_string()),
+            expires_at: Set(now + chrono::Duration::seconds(ttl_secs)),
+            revoked_at: Set(None),
+            device_info: Set(None),
+            created_at: Set(now),
+            updated_at: Set(now),
+            created_by: Set(user_id),
+            updated_by: Set(user_id),
+            deleted_at: Set(None),
+            version: Set(1),
+        };
+        token_model
+            .insert(db)
+            .await
+            .map_err(|e| AuthError::Validation(e.to_string()))?;
+
+        Ok((raw_token, token_id))
+    }
+
+    /// Validate a refresh token against the database.
+    ///
+    /// Returns the database row ID and decoded claims.
+    pub async fn validate_refresh_token(
+        token: &str,
+        db: &DatabaseConnection,
+        secret: &str,
+    ) -> AuthResult<(Uuid, Claims)> {
+        let claims = Self::decode_token(token, secret)?;
+        if claims.token_type != "refresh" {
+            return Err(AuthError::Validation("不是 refresh token".to_string()));
+        }
+
+        let hash = sha256_hex(token);
+        let token_row = user_token::Entity::find()
+            .filter(user_token::Column::TokenHash.eq(hash))
+            .filter(user_token::Column::RevokedAt.is_null())
+            .one(db)
+            .await
+            .map_err(|e| AuthError::Validation(e.to_string()))?
+            .ok_or(AuthError::TokenRevoked)?;
+
+        Ok((token_row.id, claims))
+    }
+
+    /// Decode and validate any JWT token, returning the claims.
+    pub fn decode_token(token: &str, secret: &str) -> AuthResult<Claims> {
+        let data = jsonwebtoken::decode::<Claims>(
+            token,
+            &jsonwebtoken::DecodingKey::from_secret(secret.as_bytes()),
+            &jsonwebtoken::Validation::default(),
+        )?;
+        Ok(data.claims)
+    }
+
+    /// Revoke a specific refresh token by database ID.
+    pub async fn revoke_token(token_id: Uuid, db: &DatabaseConnection) -> AuthResult<()> {
+        let token_row = user_token::Entity::find_by_id(token_id)
+            .one(db)
+            .await
+            .map_err(|e| AuthError::Validation(e.to_string()))?
+            .ok_or(AuthError::TokenRevoked)?;
+
+        let mut active: user_token::ActiveModel = token_row.into();
+        active.revoked_at = Set(Some(Utc::now()));
+        active.updated_at = Set(Utc::now());
+        active
+            .update(db)
+            .await
+            .map_err(|e| AuthError::Validation(e.to_string()))?;
+        Ok(())
+    }
+
+    /// Revoke all non-revoked refresh tokens for a given user within a tenant.
+    pub async fn revoke_all_user_tokens(
+        user_id: Uuid,
+        tenant_id: Uuid,
+        db: &DatabaseConnection,
+    ) -> AuthResult<()> {
+        let tokens = user_token::Entity::find()
+            .filter(user_token::Column::UserId.eq(user_id))
+            .filter(user_token::Column::TenantId.eq(tenant_id))
+            .filter(user_token::Column::RevokedAt.is_null())
+            .all(db)
+            .await
+            .map_err(|e| AuthError::Validation(e.to_string()))?;
+
+        let now = Utc::now();
+        for token in tokens {
+            let mut active: user_token::ActiveModel = token.into();
+            active.revoked_at = Set(Some(now));
+            active.updated_at = Set(now);
+            active
+                .update(db)
+                .await
+                .map_err(|e| AuthError::Validation(e.to_string()))?;
+        }
+        Ok(())
+    }
+
+    /// Look up a user's permission codes through user_roles -> role_permissions -> permissions.
+    pub async fn get_user_permissions(
+        user_id: Uuid,
+        tenant_id: Uuid,
+        db: &DatabaseConnection,
+    ) -> AuthResult<Vec<String>> {
+        let user_role_rows = user_role::Entity::find()
+            .filter(user_role::Column::UserId.eq(user_id))
+            .filter(user_role::Column::TenantId.eq(tenant_id))
+            .all(db)
+            .await
+            .map_err(|e| AuthError::Validation(e.to_string()))?;
+
+        let role_ids: Vec<Uuid> = user_role_rows.iter().map(|ur| ur.role_id).collect();
+        if role_ids.is_empty() {
+            return Ok(vec![]);
+        }
+
+        let role_perm_rows = role_permission::Entity::find()
+            .filter(role_permission::Column::RoleId.is_in(role_ids))
+            .filter(role_permission::Column::TenantId.eq(tenant_id))
+            .all(db)
+            .await
+            .map_err(|e| AuthError::Validation(e.to_string()))?;
+
+        let perm_ids: Vec<Uuid> = role_perm_rows.iter().map(|rp| rp.permission_id).collect();
+        if perm_ids.is_empty() {
+            return Ok(vec![]);
+        }
+
+        let perms = permission::Entity::find()
+            .filter(permission::Column::Id.is_in(perm_ids))
+            .filter(permission::Column::TenantId.eq(tenant_id))
+            .all(db)
+            .await
+            .map_err(|e| AuthError::Validation(e.to_string()))?;
+
+        Ok(perms.iter().map(|p| p.code.clone()).collect())
+    }
+
+    /// Look up a user's role codes through user_roles -> roles.
+    pub async fn get_user_roles(
+        user_id: Uuid,
+        tenant_id: Uuid,
+        db: &DatabaseConnection,
+    ) -> AuthResult<Vec<String>> {
+        let user_role_rows = user_role::Entity::find()
+            .filter(user_role::Column::UserId.eq(user_id))
+            .filter(user_role::Column::TenantId.eq(tenant_id))
+            .all(db)
+            .await
+            .map_err(|e| AuthError::Validation(e.to_string()))?;
+
+        let role_ids: Vec<Uuid> = user_role_rows.iter().map(|ur| ur.role_id).collect();
+        if role_ids.is_empty() {
+            return Ok(vec![]);
+        }
+
+        let roles = role::Entity::find()
+            .filter(role::Column::Id.is_in(role_ids))
+            .filter(role::Column::TenantId.eq(tenant_id))
+            .all(db)
+            .await
+            .map_err(|e| AuthError::Validation(e.to_string()))?;
+
+        Ok(roles.iter().map(|r| r.code.clone()).collect())
+    }
+}
+
+/// Compute a SHA-256 hex digest of the input string.
+fn sha256_hex(input: &str) -> String {
+    let hash = Sha256::digest(input.as_bytes());
+    format!("{:x}", hash)
+}