feat: github login

Author: xuna

openapi.json

@@ -19,6 +19,7 @@ import { RegionModule } from './region';
 import { RoleModule } from './role';
 import { SessionModule } from './session';
 import { SmsModule } from './sms';
+import { ThirdPartyModule } from './third-party';
 import { UserModule } from './user';
 
 @Module({
@@ -50,7 +51,7 @@ import { UserModule } from './user';
     IndustryModule,
     NamespaceModule,
     GroupModule,
-
+    ThirdPartyModule,
     RegionModule,
     SessionModule,
     SmsModule,

src/app.module.ts

@@ -22,10 +22,12 @@ import { addShortTimeSpan } from 'src/lib/lang/time';
 import { NamespaceService } from 'src/namespace';
 import { ErrorCodes as SessionErrorCodes, SessionService } from 'src/session';
 import { SmsRecordService } from 'src/sms';
+import { ThirdPartyService, ThirdPartySource } from 'src/third-party';
 import { User, UserDocument, ErrorCodes as UserErrorCodes, UserService } from 'src/user';
 
 import { AuthService } from './auth.service';
 import { ErrorCodes } from './constants';
+import { GithubDto } from './dto/github.dto';
 import { LoginByEmailDto, LoginByPhoneDto, LoginDto, LogoutDto } from './dto/login.dto';
 import { RefreshTokenDto } from './dto/refresh-token.dto';
 import { RegisterByEmailDto, RegisterbyPhoneDto, RegisterDto } from './dto/register.dto';
@@ -47,20 +49,24 @@ export class AuthController {
     private readonly captchaService: CaptchaService,
     private readonly emailRecordService: EmailRecordService,
     private readonly smsRecordService: SmsRecordService,
-    private readonly authService: AuthService
+    private readonly authService: AuthService,
+    private readonly thirdPartyService: ThirdPartyService
   ) {}
 
   _login = async (user: UserDocument): Promise<SessionWithToken> => {
     const session = await this.sessionService.create({
       uid: user.id,
-      expireAt: addShortTimeSpan(SESSION_EXPIRES_IN), // session 先固定 7 天过期吧
+      ns: user.ns,
+      type: user.type,
+      permissions: user.permissions,
+      refreshTokenExpireAt: addShortTimeSpan(SESSION_EXPIRES_IN), // session 先固定 7 天过期吧
     });
 
     const jwtpayload: JwtPayload = {
       uid: user.id,
-      roles: user.roles,
       ns: user.ns,
-      super: user.super,
+      type: user.type,
+      permissions: user.permissions,
     };
 
     const tokenExpireAt = addShortTimeSpan(TOKEN_EXPIRES_IN);
@@ -119,7 +125,74 @@ export class AuthController {
   }
 
   /**
-   * login with email and code
+   * login by Github
+   */
+  @ApiOperation({ operationId: 'loginByGithub' })
+  @HttpCode(HttpStatus.OK)
+  @ApiOkResponse({
+    description: 'The session with token has been successfully created.',
+    type: SessionWithToken,
+  })
+  @Post('@loginByGithub')
+  async loginByGithub(@Body() githubDto: GithubDto): Promise<SessionWithToken> {
+    const { code } = githubDto;
+    const githubAccessToken = await this.authService.getGithubAccessToken(code);
+    if (!githubAccessToken) {
+      throw new UnauthorizedException({
+        code: ErrorCodes.AUTH_FAILED,
+        message: `github access token not found.`,
+      });
+    }
+    const githubUser = await this.authService.getGithubUser(code);
+    if (!githubUser) {
+      throw new UnauthorizedException({
+        code: ErrorCodes.AUTH_FAILED,
+        message: `github user not found.`,
+      });
+    }
+
+    // github 已绑定用户
+    if (githubUser.uid) {
+      const user = await this.userService.get(githubUser.uid);
+      if (!user) {
+        throw new UnauthorizedException({
+          code: ErrorCodes.AUTH_FAILED,
+          message: `user not found.`,
+        });
+      }
+
+      return this._login(user);
+    }
+
+    // github 未绑定用户
+    const session = await this.sessionService.create({
+      uid: githubUser.login,
+      source: ThirdPartySource.GITHUB,
+      refreshTokenExpireAt: addShortTimeSpan(SESSION_EXPIRES_IN), // session 先固定 7 天过期吧
+    });
+
+    const jwtpayload: JwtPayload = {
+      uid: githubUser.login,
+      source: ThirdPartySource.GITHUB,
+    };
+
+    const tokenExpireAt = addShortTimeSpan(TOKEN_EXPIRES_IN);
+    const token = this.jwtService.sign(jwtpayload, {
+      expiresIn: TOKEN_EXPIRES_IN,
+      subject: githubUser.login,
+    });
+
+    const res: SessionWithToken = {
+      ...session.toJSON(),
+      token,
+      tokenExpireAt,
+    };
+
+    return res;
+  }
+
+  /**
+   * login by email and code
    */
   @ApiOperation({ operationId: 'loginByEmail' })
   @HttpCode(HttpStatus.OK)
@@ -289,10 +362,9 @@ export class AuthController {
 
     const jwtpayload: JwtPayload = {
       uid: user.id,
-      acl: dto.acl,
-      roles: user.roles,
       ns: user.ns,
-      super: user.super,
+      type: user.type,
+      permissions: user.permissions,
     };
 
     const token = this.jwtService.sign(jwtpayload, {
@@ -326,7 +398,9 @@ export class AuthController {
       });
     }
 
-    if (session.expireAt.getTime() < Date.now()) {
+    const user = await this.userService.get(session.uid);
+
+    if (session.refreshTokenExpireAt.getTime() < Date.now()) {
       throw new UnauthorizedException({
         code: SessionErrorCodes.SESSION_EXPIRED,
         message: 'Session has been expired.',
@@ -335,24 +409,25 @@ export class AuthController {
 
     if (session.shouldRotate()) {
       session = await this.sessionService.create({
-        uid: session.user.id,
-        expireAt: addShortTimeSpan(SESSION_EXPIRES_IN),
-        acl: session.acl,
+        uid: user.id,
+        ns: user.ns,
+        type: user.type,
+        permissions: user.permissions,
+        refreshTokenExpireAt: addShortTimeSpan(SESSION_EXPIRES_IN),
       });
     }
 
     const jwtpayload: JwtPayload = {
-      uid: session.user.id,
-      acl: session.acl,
-      roles: session.user.roles,
-      ns: session.user.ns,
-      super: session.user.super,
+      uid: user.id,
+      ns: user.ns,
+      type: user.type,
+      permissions: user.permissions,
     };
 
     const tokenExpireAt = addShortTimeSpan(TOKEN_EXPIRES_IN);
     const token = this.jwtService.sign(jwtpayload, {
       expiresIn: TOKEN_EXPIRES_IN,
-      subject: session.user.id,
+      subject: user.id,
     });
 
     return {

src/auth/auth.controller.ts

@@ -10,6 +10,7 @@ import { NamespaceModule } from 'src/namespace';
 import { RedisModule } from 'src/redis';
 import { SessionModule } from 'src/session';
 import { SmsModule } from 'src/sms';
+import { ThirdPartyModule } from 'src/third-party/third-party.module';
 import { UserModule } from 'src/user';
 
 import { AuthController } from './auth.controller';
@@ -34,6 +35,7 @@ import { jwtSecretKey } from './config';
     RedisModule,
     EmailModule,
     SmsModule,
+    ThirdPartyModule,
   ],
   controllers: [AuthController],
   providers: [AuthService],

src/auth/auth.module.ts

@@ -1,11 +1,24 @@
 import { Inject, Injectable } from '@nestjs/common';
 import { RedisClientType } from 'redis';
 
+import { createThirdPartyDto } from 'src/third-party/dto/create-third-party.dto';
+import { ThirdPartyDoc, ThirdPartySource } from 'src/third-party/entities/third-party.entity';
+import { ThirdPartyService } from 'src/third-party/third-party.service';
+
 import * as config from './config';
+import {
+  GithubAccessTokenUrl,
+  GithubClientId,
+  GithubClientSecret,
+  GithubUserUrl,
+} from './constants';
 
 @Injectable()
 export class AuthService {
-  constructor(@Inject('REDIS_CLIENT') private readonly redisClient: RedisClientType) {}
+  constructor(
+    @Inject('REDIS_CLIENT') private readonly redisClient: RedisClientType,
+    private readonly thirdPartyService: ThirdPartyService
+  ) {}
 
   async isLocked(login: string): Promise<boolean> {
     const lock = await this.redisClient.hGetAll(`loginLock:${login}`);
@@ -27,4 +40,64 @@ export class AuthService {
     // 设置过期时间为登录锁定时长（秒）
     await this.redisClient.expire(lockKey, config.loginLockInS);
   }
+
+  async getGithubAccessToken(code: string): Promise<string> {
+    try {
+      // POST 请求到 GitHub 交换 access_token
+      const response = await fetch(GithubAccessTokenUrl, {
+        method: 'POST',
+        headers: {
+          'Accept': 'application/json',
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify({
+          client_id: GithubClientId,
+          client_secret: GithubClientSecret,
+          code,
+        }),
+      });
+      const data = await response.json();
+      if (!data.access_token) {
+        throw new Error('Failed to get access token');
+      }
+      return data.access_token;
+    } catch (e) {
+      console.error(e);
+      return '';
+    }
+  }
+
+  async getGithubUser(accessToken: string): Promise<ThirdPartyDoc> {
+    try {
+      // 向 GitHub 用户信息 API 发送 GET 请求
+      const response = await fetch(GithubUserUrl, {
+        method: 'GET',
+        headers: {
+          // 必须在请求头中传入 Authorization，格式为：Bearer <access_token>
+          Authorization: `Bearer ${accessToken}`,
+          Accept: 'application/json',
+        },
+      });
+
+      // 如果请求失败，比如 token 无效或过期，处理错误
+      if (!response.ok) {
+        console.error(`Failed to fetch user info: ${response.status} ${response.statusText}`);
+        return null;
+      }
+
+      // 解析 JSON 返回的用户信息
+      const userData = await response.json();
+      // 创建或更新第三方登录信息
+      const createDto: createThirdPartyDto = {
+        login: userData.login,
+        source: ThirdPartySource.GITHUB,
+        accessToken,
+      };
+      return this.thirdPartyService.upsert(createDto.login, createDto.source, createDto);
+    } catch (error) {
+      // 捕获网络或代码错误
+      console.error('Error while fetching GitHub user info:', error);
+      return null;
+    }
+  }
 }

src/auth/auth.service.ts

@@ -4,3 +4,8 @@ export const ErrorCodes = {
   CAPTCHA_INVALID: 'CAPTCHA_INVALID',
   TOO_MANY_LOGIN_ATTEMPTS: 'TOO_MANY_LOGIN_ATTEMPTS',
 };
+
+export const GithubAccessTokenUrl = 'https://github.com/login/oauth/access_token';
+export const GithubClientId = 'Iv23lizBaVPIiABBCHaz';
+export const GithubClientSecret = '041f46399c1396ec27d16851c1aa2aa479a3f5a5';
+export const GithubUserUrl = 'https://api.github.com/user';

src/auth/constants.ts

@@ -0,0 +1,7 @@
+import { IsNotEmpty, IsString } from 'class-validator';
+
+export class GithubDto {
+  @IsNotEmpty()
+  @IsString()
+  code: string;
+}

src/auth/dto/github.dto.ts

@@ -1,6 +1,4 @@
-import { IsNotEmpty, IsOptional, IsString } from 'class-validator';
-
-import { Acl } from 'src/auth';
+import { IsNotEmpty, IsString } from 'class-validator';
 
 export class SignTokenDto {
   /**
@@ -24,12 +22,6 @@ export class SignTokenDto {
   @IsString()
   expiresIn: string;
 
-  /**
-   * 访问控制列表
-   */
-  @IsOptional()
-  acl?: Acl;
-
   /**
    * user id
    */

src/auth/dto/sign-token.dto.ts

@@ -8,8 +8,9 @@ export interface Acl {
  */
 export class JwtPayload {
   uid: string; // 用户 ID
-  roles: string[]; // RBAC 角色列表
+  source?: string; // 第三方来源
+  client?: string; // 客户端/设备
+  permissions?: string[]; // 用户动态权限
   ns?: string; // 该用户或资源所属的 namespace
-  acl?: Acl; // ACL 权限控制列表
-  super?: boolean; // 是否是超级管理员
+  type?: string[]; // 类型，支持设置多个
 }

src/auth/entities/jwt.entity.ts

@@ -1,13 +1,5 @@
 import { OmitType } from '@nestjs/swagger';
-import { IsMongoId, IsNotEmpty } from 'class-validator';
 
 import { SessionDoc } from '../entities/session.entity';
 
-export class CreateSessionDto extends OmitType(SessionDoc, ['key', 'user'] as const) {
-  /**
-   * 用户 ID
-   */
-  @IsNotEmpty()
-  @IsMongoId()
-  uid: string;
-}
+export class CreateSessionDto extends OmitType(SessionDoc, ['refreshToken'] as const) {}