+
+
+
+
+
+
+
-
-
-
-
-
+
+
+ Classworks KV
+
+
云原生键值数据库
+
+
+
+
+
+
+
+
+ {{ accountStore.userName }}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ {{ deviceInfo?.name || '设备标识' }}
+
+
+
+
+
您的唯一设备标识符
+
+
+
+
+
+
+
+
+
+
+
-
-
设备 UUID:
-
- {{ deviceUuid }}
-
-
-
+
+
+
+
+
+
+ {{ deviceUuid }}
+
+
+
+
+
+
+
+
+
+
+
+
{{ groupedByApp.length }}
+
应用数
+
+
+
{{ tokens.length }}
+
令牌数
+
+
+
+ {{ hasPassword ? '安全' : '未设置' }}
+
+
安全状态
+
+
+
+
+
+
+
+
+
密码提示
+
{{ passwordHint }}
+
+
+
@@ -332,14 +676,19 @@ onMounted(() => {
placeholder="为此授权添加备注"
/>
-
设备密码
-
+
+
+ 已登录绑定账户,无需输入密码
+
@@ -359,20 +708,47 @@ onMounted(() => {
撤销授权
- 确定要撤销此令牌的授权吗?此操作无法撤销。
+ 确定要撤销此令牌的授权吗?此操作无法撤销。{{selectedToken}}
-
+
应用:
- {{ selectedToken.app.name }}
+ {{ selectedToken.appName }}
令牌:
{{ selectedToken.token.slice(0, 16) }}...
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -386,39 +762,6 @@ onMounted(() => {
-
-
-
- 更换设备 UUID
-
- 输入新的 UUID 或留空以生成随机 UUID
-
-
-
-
- 新 UUID(可选)
-
-
- 警告: 更换 UUID 后,所有现有授权将失效
-
-
-
- 取消
-
-
- 确认更换
-
-
-
-
-
-
@@ -428,22 +771,35 @@ onMounted(() => {
-
-
-
新密码
-
+
+
+
+
账户已登录
+
您已登录绑定的账户,无需输入当前密码
+
+
+
+
\ No newline at end of file
diff --git a/kv-admin/src/pages/kv-manager.vue b/kv-admin/src/pages/kv-manager.vue
new file mode 100644
index 0000000..ca8713e
--- /dev/null
+++ b/kv-admin/src/pages/kv-manager.vue
@@ -0,0 +1,615 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
加载中...
+
+
+
{{ error }}
+
+
+
+
+
+
+ 键名
+ 值
+ 操作
+
+
+
+
+ {{ key }}
+
+ 加载中...
+
+
{{ formatValue(values[key]) }}
+
查看
+
+
+ 编辑
+ 删除
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
{{ editingKey ? '编辑键值' : '添加键值' }}
+
+ 键名
+
+
+ 值(JSON 格式)
+
+
+
{{ dialogError }}
+
+ 取消
+ 保存
+
+
+
+
+
+
+
+
diff --git a/kv-admin/src/pages/password-manager.vue b/kv-admin/src/pages/password-manager.vue
new file mode 100644
index 0000000..e19e2d2
--- /dev/null
+++ b/kv-admin/src/pages/password-manager.vue
@@ -0,0 +1,591 @@
+
+
+
+
+
+
+
+
+
+
+
+
+ {{ successMessage }}
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 密码状态
+ 当前设备的密码保护状态
+
+
+
+
+
+
+
+
+
+ 设备 UUID
+ {{ deviceUuid }}
+
+
+
+
+
+
+
+
密码提示
+
{{ passwordHint }}
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
设备管理
+
+
+
+
+
+
+
+ 重置或换新设备标识。此操作无法撤销,您将失去当前设备的所有授权。
+
+
+
+
+
+
+
+
+
警告:此操作不可逆
+
+ 重置设备后,您将获得全新的设备标识,现有的所有授权将被撤销,无法恢复。
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ {{ hasPassword ? '修改密码' : '设置密码' }}
+
+ {{ hasPassword ? '请输入当前密码和新密码' : '为您的设备设置一个安全的密码' }}
+
+
+
+
+
+
+
+ 取消
+
+
+ {{ isLoading ? '处理中...' : (hasPassword ? '修改密码' : '设置密码') }}
+
+
+
+
+
+
+
+
+
+ 删除密码
+
+ 删除密码后,您的设备将不再受密码保护。此操作无法撤销。
+
+
+
+
+
+
+
+
+
警告
+
删除密码后,任何拥有您设备 UUID 的人都可以管理您的授权应用。
+
+
+
+
+
+
+
+ 取消
+
+
+ {{ isLoading ? '删除中...' : '确认删除' }}
+
+
+
+
+
+
+
+
+
+ {{ passwordHint ? '修改密码提示' : '设置密码提示' }}
+
+ 密码提示可以帮助您在忘记密码时回忆起密码
+
+
+
+
+
+
当前提示
+
{{ passwordHint }}
+
+
+
+
新的密码提示
+
+
+ 提示不应包含密码本身,而是能帮助您回忆密码的信息
+
+
+
+
+
+
+ 取消
+
+
+ {{ isLoading ? '保存中...' : '保存提示' }}
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/kv-admin/src/stores/account.js b/kv-admin/src/stores/account.js
new file mode 100644
index 0000000..3aed301
--- /dev/null
+++ b/kv-admin/src/stores/account.js
@@ -0,0 +1,116 @@
+import { defineStore } from 'pinia'
+import { ref, computed } from 'vue'
+import { apiClient } from '@/lib/api'
+
+export const useAccountStore = defineStore('account', () => {
+ // 状态
+ const token = ref(localStorage.getItem('auth_token') || null)
+ const profile = ref(null)
+ const devices = ref([])
+ const loading = ref(false)
+
+ // 计算属性
+ const isAuthenticated = computed(() => !!token.value)
+ const userName = computed(() => profile.value?.name || '')
+ const userAvatar = computed(() => profile.value?.avatarUrl || '')
+
+ // 方法
+ const setToken = (newToken) => {
+ token.value = newToken
+ if (newToken) {
+ localStorage.setItem('auth_token', newToken)
+ } else {
+ localStorage.removeItem('auth_token')
+ localStorage.removeItem('auth_provider')
+ }
+ }
+
+ const loadProfile = async () => {
+ if (!token.value) return
+
+ loading.value = true
+ try {
+ const response = await apiClient.getAccountProfile(token.value)
+ profile.value = response.data
+ } catch (error) {
+ console.error('Failed to load profile:', error)
+ // Token可能无效,清除
+ if (error.message.includes('401')) {
+ logout()
+ }
+ } finally {
+ loading.value = false
+ }
+ }
+
+ const loadDevices = async () => {
+ if (!token.value) return
+
+ try {
+ const response = await apiClient.getAccountDevices(token.value)
+ devices.value = response.data || []
+ return devices.value
+ } catch (error) {
+ console.error('Failed to load devices:', error)
+ return []
+ }
+ }
+
+ const bindDevice = async (deviceUuid) => {
+ if (!token.value) throw new Error('未登录')
+
+ const response = await apiClient.bindDevice(token.value, deviceUuid)
+ // 重新加载设备列表
+ await loadDevices()
+ return response
+ }
+
+ const unbindDevice = async (deviceUuid) => {
+ if (!token.value) throw new Error('未登录')
+
+ const response = await apiClient.unbindDevice(token.value, deviceUuid)
+ // 重新加载设备列表
+ await loadDevices()
+ return response
+ }
+
+ const login = async (authToken) => {
+ setToken(authToken)
+ await loadProfile()
+ await loadDevices()
+ }
+
+ const logout = () => {
+ token.value = null
+ profile.value = null
+ devices.value = []
+ localStorage.removeItem('auth_token')
+ localStorage.removeItem('auth_provider')
+ }
+
+ // 初始化时加载用户信息
+ if (token.value) {
+ loadProfile()
+ loadDevices()
+ }
+
+ return {
+ // 状态
+ token,
+ profile,
+ devices,
+ loading,
+ // 计算属性
+ isAuthenticated,
+ userName,
+ userAvatar,
+ // 方法
+ setToken,
+ loadProfile,
+ loadDevices,
+ bindDevice,
+ unbindDevice,
+ login,
+ logout,
+ }
+})
\ No newline at end of file
diff --git a/middleware/auth.js b/middleware/auth.js
deleted file mode 100644
index f35e1c1..0000000
--- a/middleware/auth.js
+++ /dev/null
@@ -1,521 +0,0 @@
-/**
- * Token认证中间件系统
- *
- * 本系统完全基于Token进行认证,不再支持UUID+密码的认证方式。
- *
- * ## 推荐使用的认证中间件:
- *
- * ### 1. 纯Token认证中间件(推荐)
- * - `tokenOnlyAuthMiddleware`: 完整的Token认证,要求设备匹配
- * - `tokenOnlyReadAuthMiddleware`: Token读取权限认证
- * - `tokenOnlyWriteAuthMiddleware`: Token写入权限认证
- * - `appTokenAuthMiddleware`: 应用Token认证,不要求设备匹配
- *
- * ### 2. 应用权限认证中间件
- * - `appReadAuthMiddleware`: 应用读取权限(Token + 权限前缀检查)
- * - `appWriteAuthMiddleware`: 应用写入权限(Token + 权限前缀检查)
- * - `appListAuthMiddleware`: 应用列表权限(Token + 键过滤)
- *
- * ## Token获取方式:
- * Token可通过以下三种方式提供:
- * 1. HTTP Header: `x-app-token: your-token`
- * 2. 查询参数: `?apptoken=your-token`
- * 3. 请求体: `{\"apptoken\": \"your-token\"}`
- *
- * ## 认证成功响应:
- * 认证成功后,中间件会在 `res.locals` 中设置:
- * - `device`: 设备信息
- * - `appInstall`: 应用安装信息
- * - `app`: 应用信息
- * - `filterKeys`: 键过滤函数(仅限应用权限中间件)
- *
- * ## 认证失败响应:
- * - 401: Token无效或不存在
- * - 403: 权限不足或设备不匹配
- * - 404: 设备或应用不存在
- */
-
-import { PrismaClient } from "@prisma/client";
-import errors from "../utils/errors.js";
-
-const prisma = new PrismaClient();
-
-// 全局可读键列表
-const GLOBAL_READABLE_KEYS = [
- "_info",
- "_check",
- "_hint",
- "_keys",
-];
-
-/**
- * 检查站点密钥
- */
-export const checkSiteKey = (req, res, next) => {
- const siteKey = req.headers["x-site-key"] || req.query.sitekey || req.body?.sitekey;
- const expectedSiteKey = process.env.SITE_KEY;
-
- if (expectedSiteKey && siteKey !== expectedSiteKey) {
- return res.status(401).json({
- statusCode: 401,
- message: "无效的站点密钥",
- });
- }
-
- next();
-};
-
-/**
- * 通过Token获取设备信息
- * @param {string} token - 应用安装Token
- * @returns {Promise
} 设备信息或null
- */
-export const getDeviceByToken = async (token) => {
- if (!token) {
- return null;
- }
-
- try {
- const appInstall = await prisma.appInstall.findUnique({
- where: { token },
- include: {
- device: true,
- app: true,
- },
- });
-
- return appInstall;
- } catch (error) {
- console.error("获取设备信息时出错:", error);
- return null;
- }
-};
-
-/**
- * 从请求中提取Token
- * @param {Object} req - Express请求对象
- * @returns {string|null} Token或null
- */
-const extractToken = (req) => {
- // 优先级:Header > Query > Body
- return (
- req.headers["x-app-token"] ||
- req.query.apptoken ||
- req.body?.apptoken ||
- null
- );
-};
-
-/**
- * 设备信息中间件(仅检查设备存在性,不进行认证)
- */
-export const deviceInfoMiddleware = async (req, res, next) => {
- try {
- const { deviceUuid,namespace } = req.params;
-
- if (!deviceUuid&&!namespace) {
- return res.status(400).json({
- statusCode: 400,
- message: "缺少命名空间参数",
- });
- }
-
- // 查找设备
- const device = await prisma.device.findUnique({
- where: { uuid: deviceUuid||namespace },
- });
-
- if (!device) {
- return res.status(404).json({
- statusCode: 404,
- message: "设备不存在",
- });
- }
-
- res.locals.device = device;
- next();
- } catch (error) {
- console.error("设备信息中间件错误:", error);
- return res.status(500).json({
- statusCode: 500,
- message: "服务器内部错误",
- });
- }
-};
-
-/**
- * 纯Token认证中间件(推荐使用)
- * 要求Token存在且对应的设备与请求的命名空间匹配
- */
-export const tokenOnlyAuthMiddleware = async (req, res, next) => {
- try {
- const token = extractToken(req);
- const { namespace } = req.params;
-
- if (!token) {
- return res.status(401).json({
- statusCode: 401,
- message: "缺少认证Token",
- });
- }
-
- const appInstall = await getDeviceByToken(token);
- if (!appInstall) {
- return res.status(401).json({
- statusCode: 401,
- message: "无效的Token",
- });
- }
-
- // 验证设备匹配
- if (namespace && appInstall.device.uuid !== namespace) {
- return res.status(403).json({
- statusCode: 403,
- message: "Token对应的设备与请求的命名空间不匹配",
- });
- }
-
- res.locals.device = appInstall.device;
- res.locals.appInstall = appInstall;
- res.locals.app = appInstall.app;
- next();
- } catch (error) {
- console.error("Token认证中间件错误:", error);
- return res.status(500).json({
- statusCode: 500,
- message: "服务器内部错误",
- });
- }
-};
-
-/**
- * 纯Token读取认证中间件
- */
-export const tokenOnlyReadAuthMiddleware = async (req, res, next) => {
- try {
- const token = extractToken(req);
- const { namespace } = req.params;
-
- if (!token) {
- return res.status(401).json({
- statusCode: 401,
- message: "缺少认证Token",
- });
- }
-
- const appInstall = await getDeviceByToken(token);
- if (!appInstall) {
- return res.status(401).json({
- statusCode: 401,
- message: "无效的Token",
- });
- }
-
- // 验证设备匹配
- if (namespace && appInstall.device.uuid !== namespace) {
- return res.status(403).json({
- statusCode: 403,
- message: "Token对应的设备与请求的命名空间不匹配",
- });
- }
-
- // 检查读取权限
- if (!appInstall.permissions?.read) {
- return res.status(403).json({
- statusCode: 403,
- message: "无读取权限",
- });
- }
-
- res.locals.device = appInstall.device;
- res.locals.appInstall = appInstall;
- res.locals.app = appInstall.app;
- next();
- } catch (error) {
- console.error("Token读取认证中间件错误:", error);
- return res.status(500).json({
- statusCode: 500,
- message: "服务器内部错误",
- });
- }
-};
-
-/**
- * 纯Token写入认证中间件
- */
-export const tokenOnlyWriteAuthMiddleware = async (req, res, next) => {
- try {
- const token = extractToken(req);
- const { namespace } = req.params;
-
- if (!token) {
- return res.status(401).json({
- statusCode: 401,
- message: "缺少认证Token",
- });
- }
-
- const appInstall = await getDeviceByToken(token);
- if (!appInstall) {
- return res.status(401).json({
- statusCode: 401,
- message: "无效的Token",
- });
- }
-
- // 验证设备匹配
- if (namespace && appInstall.device.uuid !== namespace) {
- return res.status(403).json({
- statusCode: 403,
- message: "Token对应的设备与请求的命名空间不匹配",
- });
- }
-
- // 检查写入权限
- if (!appInstall.permissions?.write) {
- return res.status(403).json({
- statusCode: 403,
- message: "无写入权限",
- });
- }
-
- res.locals.device = appInstall.device;
- res.locals.appInstall = appInstall;
- res.locals.app = appInstall.app;
- next();
- } catch (error) {
- console.error("Token写入认证中间件错误:", error);
- return res.status(500).json({
- statusCode: 500,
- message: "服务器内部错误",
- });
- }
-};
-
-/**
- * 应用Token认证中间件
- * 不要求设备匹配,适用于应用级别的操作
- */
-export const appTokenAuthMiddleware = async (req, res, next) => {
- try {
- const token = extractToken(req);
-
- if (!token) {
- return res.status(401).json({
- statusCode: 401,
- message: "缺少应用Token",
- });
- }
-
- const appInstall = await getDeviceByToken(token);
- if (!appInstall) {
- return res.status(401).json({
- statusCode: 401,
- message: "无效的应用Token",
- });
- }
-
- res.locals.device = appInstall.device;
- res.locals.appInstall = appInstall;
- res.locals.app = appInstall.app;
- next();
- } catch (error) {
- console.error("应用Token认证中间件错误:", error);
- return res.status(500).json({
- statusCode: 500,
- message: "服务器内部错误",
- });
- }
-};
-
-/**
- * 应用权限前缀检查中间件
- */
-export const appPrefixAuthMiddleware = (req, res, next) => {
- const { key } = req.params;
- const app = res.locals.app;
- const appInstall = res.locals.appInstall;
-
- if (!app || !appInstall) {
- return res.status(401).json({
- statusCode: 401,
- message: "未认证的应用",
- });
- }
-
- // 检查是否为全局可读键
- if (GLOBAL_READABLE_KEYS.includes(key)) {
- return next();
- }
-
- // 检查权限前缀
- const permissionPrefix = app.permissionPrefix;
- if (!key.startsWith(permissionPrefix + ".")) {
- // 检查特殊权限
- const specialPermissions = appInstall.specialPermissions || [];
- const hasSpecialPermission = specialPermissions.some(permission =>
- key.startsWith(permission + ".") || key === permission
- );
-
- if (!hasSpecialPermission) {
- return res.status(403).json({
- statusCode: 403,
- message: `无权限访问键 '${key}'。需要权限前缀 '${permissionPrefix}.' 或特殊权限。`,
- });
- }
- }
-
- next();
-};
-
-/**
- * 应用读取权限中间件
- * 结合Token认证和权限前缀检查
- */
-export const appReadAuthMiddleware = async (req, res, next) => {
- // 先进行Token认证
- await new Promise((resolve, reject) => {
- tokenOnlyReadAuthMiddleware(req, res, (err) => {
- if (err) reject(err);
- else resolve();
- });
- }).catch(() => {
- return; // 错误已经在tokenOnlyReadAuthMiddleware中处理
- });
-
- // 如果Token认证失败,直接返回
- if (res.headersSent) {
- return;
- }
-
- // 进行权限前缀检查
- appPrefixAuthMiddleware(req, res, next);
-};
-
-/**
- * 应用写入权限中间件
- * 结合Token认证和权限前缀检查
- */
-export const appWriteAuthMiddleware = async (req, res, next) => {
- // 先进行Token认证
- await new Promise((resolve, reject) => {
- tokenOnlyWriteAuthMiddleware(req, res, (err) => {
- if (err) reject(err);
- else resolve();
- });
- }).catch(() => {
- return; // 错误已经在tokenOnlyWriteAuthMiddleware中处理
- });
-
- // 如果Token认证失败,直接返回
- if (res.headersSent) {
- return;
- }
-
- // 进行权限前缀检查
- appPrefixAuthMiddleware(req, res, next);
-};
-
-/**
- * 应用列表权限中间件
- * 用于过滤键列表,只显示应用有权限访问的键
- */
-export const appListAuthMiddleware = async (req, res, next) => {
- // 先进行Token认证
- await new Promise((resolve, reject) => {
- tokenOnlyReadAuthMiddleware(req, res, (err) => {
- if (err) reject(err);
- else resolve();
- });
- }).catch(() => {
- return; // 错误已经在tokenOnlyReadAuthMiddleware中处理
- });
-
- // 如果Token认证失败,直接返回
- if (res.headersSent) {
- return;
- }
-
- const app = res.locals.app;
- const appInstall = res.locals.appInstall;
-
- if (app && appInstall) {
- // 设置键过滤函数
- res.locals.filterKeys = (keys) => {
- const permissionPrefix = app.permissionPrefix;
- const specialPermissions = appInstall.specialPermissions || [];
-
- return keys.filter(key => {
- // 全局可读键
- if (GLOBAL_READABLE_KEYS.includes(key)) {
- return true;
- }
-
- // 权限前缀匹配
- if (key.startsWith(permissionPrefix + ".")) {
- return true;
- }
-
- // 特殊权限匹配
- return specialPermissions.some(permission =>
- key.startsWith(permission + ".") || key === permission
- );
- });
- };
- }
-
- next();
-};
-
-/**
- * Token认证中间件,并将设备UUID注入为命名空间
- *
- * 这个中间件专门用于处理那些URL中不包含 `:namespace` 参数的路由。
- * 它会从Token中解析出设备信息,然后将设备的UUID(即命名空间)
- * 注入到 `req.params.namespace` 中。
- *
- * 这使得后续的中间件(如权限检查中间件)和路由处理器可以统一
- * 从 `req.params.namespace` 获取命名空间,而无需关心它最初是
- * 来自URL还是来自Token。
- *
- * 认证成功后,除了注入 `req.params.namespace`,还会在 `res.locals` 中设置:
- * - `device`: 设备信息
- * - `appInstall`: 应用安装信息
- * - `app`: 应用信息
- */
-export const tokenAuthMiddleware = async (req, res, next) => {
- try {
- const token = extractToken(req);
-
- if (!token) {
- return res.status(401).json({
- statusCode: 401,
- message: "缺少认证Token",
- });
- }
-
- const appInstall = await getDeviceByToken(token);
- if (!appInstall) {
- return res.status(401).json({
- statusCode: 401,
- message: "无效的Token",
- });
- }
-
- // 核心逻辑:将设备UUID注入req.params.namespace
- req.params.namespace = appInstall.device.uuid;
-
- // 存储认证信息以供后续使用
- res.locals.device = appInstall.device;
- res.locals.appInstall = appInstall;
- res.locals.app = appInstall.app;
-
- next();
- } catch (error) {
- console.error("Token认证与命名空间注入中间件错误:", error);
- return res.status(500).json({
- statusCode: 500,
- message: "服务器内部错误",
- });
- }
-};
diff --git a/middleware/device.js b/middleware/device.js
index f3c80fc..1623d4e 100644
--- a/middleware/device.js
+++ b/middleware/device.js
@@ -92,6 +92,8 @@ export const deviceInfoMiddleware = errors.catchAsync(async (req, res, next) =>
* 从req.body.password获取密码
* 如果设备有密码但未提供或密码错误,则返回401错误
*
+ * 特殊规则:如果设备绑定了账户,且req.account存在且匹配,则跳过密码验证
+ *
* 使用方式:
* router.post('/path', deviceMiddleware, passwordMiddleware, handler)
*/
@@ -103,6 +105,11 @@ export const passwordMiddleware = errors.catchAsync(async (req, res, next) => {
return next(errors.createError(500, "设备信息未加载,请先使用deviceMiddleware"));
}
+ // 如果设备绑定了账户,且请求中有账户信息且匹配,则跳过密码验证
+ if (device.accountId && req.account && req.account.id === device.accountId) {
+ return next();
+ }
+
// 如果设备有密码,验证密码
if (device.password) {
if (!password) {
diff --git a/middleware/jwt-auth.js b/middleware/jwt-auth.js
new file mode 100644
index 0000000..646fbef
--- /dev/null
+++ b/middleware/jwt-auth.js
@@ -0,0 +1,54 @@
+/**
+ * 纯账户JWT认证中间件
+ *
+ * 只验证账户JWT是否正确,不需要设备上下文
+ * 适用于只需要账户验证的接口
+ */
+
+import { verifyToken } from "../utils/jwt.js";
+import { PrismaClient } from "@prisma/client";
+import errors from "../utils/errors.js";
+
+const prisma = new PrismaClient();
+
+/**
+ * 纯JWT认证中间件
+ * 只验证Bearer token并将账户信息存储到res.locals
+ */
+export const jwtAuth = async (req, res, next) => {
+ try {
+ const authHeader = req.headers.authorization;
+
+ if (!authHeader || !authHeader.startsWith("Bearer ")) {
+ return next(errors.createError(401, "需要提供有效的JWT token"));
+ }
+
+ const token = authHeader.substring(7);
+
+ // 验证JWT token
+ const decoded = verifyToken(token);
+
+ // 从数据库获取账户信息
+ const account = await prisma.account.findUnique({
+ where: { id: decoded.accountId },
+ });
+
+ if (!account) {
+ return next(errors.createError(401, "账户不存在"));
+ }
+
+ // 将账户信息存储到res.locals
+ res.locals.account = account;
+ next();
+ } catch (error) {
+ if (error.name === 'JsonWebTokenError') {
+ return next(errors.createError(401, "无效的JWT token"));
+ }
+
+ if (error.name === 'TokenExpiredError') {
+ return next(errors.createError(401, "JWT token已过期"));
+ }
+
+ return next(errors.createError(500, "认证过程出错"));
+ }
+};
\ No newline at end of file
diff --git a/middleware/kvTokenAuth.js b/middleware/kvTokenAuth.js
new file mode 100644
index 0000000..d1721d7
--- /dev/null
+++ b/middleware/kvTokenAuth.js
@@ -0,0 +1,66 @@
+/**
+ * KV接口专用Token认证中间件
+ *
+ * 仅验证app token,设置设备和应用信息到res.locals
+ * 适用于所有KV相关的接口
+ */
+
+import { PrismaClient } from "@prisma/client";
+import errors from "../utils/errors.js";
+
+const prisma = new PrismaClient();
+
+/**
+ * KV Token认证中间件
+ * 从请求中提取token(支持多种方式),验证后将设备和应用信息注入到res.locals
+ */
+export const kvTokenAuth = async (req, res, next) => {
+ try {
+ // 从多种途径获取token
+ const token = extractToken(req);
+
+ if (!token) {
+ return next(errors.createError(401, "需要提供有效的token"));
+ }
+
+ // 查找token对应的应用安装信息
+ const appInstall = await prisma.appInstall.findUnique({
+ where: { token },
+ include: {
+ app: true,
+ device: true,
+ },
+ });
+
+ if (!appInstall) {
+ return next(errors.createError(401, "无效的token"));
+ }
+
+ // 将信息存储到res.locals供后续使用
+ res.locals.device = appInstall.device;
+ res.locals.app = appInstall.app;
+ res.locals.appInstall = appInstall;
+ res.locals.deviceId = appInstall.device.id;
+
+ next();
+ } catch (error) {
+ next(error);
+ }
+};
+
+/**
+ * 从请求中提取token
+ * 支持的方式:
+ * 1. Header: x-app-token
+ * 2. Query: token 或 apptoken
+ * 3. Body: token 或 apptoken
+ */
+function extractToken(req) {
+ return (
+ req.headers["x-app-token"] ||
+ req.query.token ||
+ req.query.apptoken ||
+ (req.body && req.body.token) ||
+ (req.body && req.body.apptoken)
+ );
+}
\ No newline at end of file
diff --git a/middleware/rateLimiter.js b/middleware/rateLimiter.js
index 0d096eb..19a1d65 100644
--- a/middleware/rateLimiter.js
+++ b/middleware/rateLimiter.js
@@ -45,7 +45,7 @@ export const globalLimiter = rateLimit({
// API限速器
export const apiLimiter = rateLimit({
windowMs: 1 * 60 * 1000, // 1分钟
- limit: 50, // 每个IP在windowMs时间内最多允许50个请求
+ limit: 100, // 每个IP在windowMs时间内最多允许100个请求
standardHeaders: "draft-7",
legacyHeaders: false,
message: "API请求过于频繁,请稍后再试",
diff --git a/middleware/tokenAuth.js b/middleware/tokenAuth.js
deleted file mode 100644
index fc5f0ab..0000000
--- a/middleware/tokenAuth.js
+++ /dev/null
@@ -1,112 +0,0 @@
-import { PrismaClient } from "@prisma/client";
-import { verifyDevicePassword } from "../utils/crypto.js";
-import errors from "../utils/errors.js";
-
-const prisma = new PrismaClient();
-
-/**
- * Token认证中间件
- *
- * 从请求中提取token,验证后将设备信息注入到res.locals
- * 同时将deviceId注入到req.params,以便后续路由使用
- *
- * Token可通过以下方式提供:
- * 1. Authorization header: Bearer
- * 2. Query参数: ?token=
- * 3. Body: {"token": ""}
- */
-export const tokenAuth = errors.catchAsync(async (req, res, next) => {
- let token;
-
- // 尝试从 headers, query, body 中获取 token
- if (req.headers.authorization && req.headers.authorization.startsWith("Bearer ")) {
- token = req.headers.authorization.split(" ")[1];
- } else if (req.query.token) {
- token = req.query.token;
- } else if (req.body.token) {
- token = req.body.token;
- }
-
- if (!token) {
- return next(errors.createError(401, "未提供身份验证令牌"));
- }
-
- const appInstall = await prisma.appInstall.findUnique({
- where: { token },
- include: {
- app: true,
- device: true,
- },
- });
-
- if (!appInstall) {
- return next(errors.createError(401, "无效的身份验证令牌"));
- }
-
- // 将认证信息存储到res.locals
- res.locals.appInstall = appInstall;
- res.locals.app = appInstall.app;
- res.locals.device = appInstall.device;
- res.locals.deviceId = appInstall.device.id;
-
- // 将deviceId注入到req.params(向后兼容,某些路由可能需要namespace参数)
- req.params.namespace = appInstall.device.uuid;
- req.params.deviceId = appInstall.device.id;
-
- next();
-});
-
-/**
- * 写权限验证中间件
- *
- * 依赖于deviceMiddleware,必须在其后使用
- * 验证设备密码和写权限
- *
- * 逻辑:
- * 1. 如果设备没有设置密码,直接允许写入
- * 2. 如果设备设置了密码:
- * - 验证提供的密码是否正确
- * - 密码正确则允许写入
- * - 密码错误或未提供则拒绝写入
- *
- * 使用方式:
- * router.post('/path', deviceMiddleware, requireWriteAuth, handler)
- * router.put('/path', deviceMiddleware, requireWriteAuth, handler)
- * router.delete('/path', deviceMiddleware, requireWriteAuth, handler)
- */
-export const requireWriteAuth = errors.catchAsync(async (req, res, next) => {
- const device = res.locals.device;
-
- if (!device) {
- return next(errors.createError(500, "设备信息未加载,请确保使用了deviceMiddleware"));
- }
-
- // 如果设备没有设置密码,直接通过
- if (!device.password) {
- return next();
- }
-
- // 设备有密码,需要验证
- const providedPassword = req.body.password || req.query.password;
-
- if (!providedPassword) {
- return res.status(401).json({
- statusCode: 401,
- message: "此操作需要密码",
- passwordHint: device.passwordHint,
- });
- }
-
- // 验证密码
- const isValid = await verifyDevicePassword(providedPassword, device.password);
-
- if (!isValid) {
- return res.status(401).json({
- statusCode: 401,
- message: "密码错误",
- });
- }
-
- // 密码正确,继续
- next();
-});
\ No newline at end of file
diff --git a/middleware/uuidAuth.js b/middleware/uuidAuth.js
new file mode 100644
index 0000000..bc6aef5
--- /dev/null
+++ b/middleware/uuidAuth.js
@@ -0,0 +1,131 @@
+/**
+ * UUID+密码/JWT混合认证中间件
+ *
+ * 1. 必须提供UUID,读取设备信息并存储到res.locals
+ * 2. 验证密码或账户JWT(二选一)
+ * 3. 适用于需要设备上下文的接口
+ */
+
+import { PrismaClient } from "@prisma/client";
+import errors from "../utils/errors.js";
+import { verifyToken as verifyAccountJWT } from "../utils/jwt.js";
+import { verifyDevicePassword } from "../utils/crypto.js";
+
+const prisma = new PrismaClient();
+
+/**
+ * UUID+密码/JWT混合认证中间件
+ */
+export const uuidAuth = async (req, res, next) => {
+ try {
+ // 1. 获取UUID(必需)
+ const uuid = extractUuid(req);
+ if (!uuid) {
+ return next(errors.createError(400, "需要提供设备UUID"));
+ }
+
+ // 2. 查找设备并存储到locals
+ const device = await prisma.device.findUnique({
+ where: { uuid },
+ });
+
+ if (!device) {
+ return next(errors.createError(404, "设备不存在"));
+ }
+
+ // 存储设备信息到locals
+ res.locals.device = device;
+ res.locals.deviceId = device.id;
+
+ // 3. 验证密码或JWT(二选一)
+ const password = extractPassword(req);
+ const jwt = extractJWT(req);
+
+ if (jwt) {
+ // 验证账户JWT
+ try {
+ const accountPayload = await verifyAccountJWT(jwt);
+ const account = await prisma.account.findUnique({
+ where: { id: accountPayload.accountId },
+ include: {
+ devices: {
+ where: { uuid },
+ select: { id: true }
+ }
+ }
+ });
+
+ if (!account) {
+ return next(errors.createError(401, "账户不存在"));
+ }
+
+ // 检查设备是否绑定到此账户
+ if (account.devices.length === 0) {
+ return next(errors.createError(403, "设备未绑定到此账户"));
+ }
+
+ res.locals.account = account;
+ res.locals.isAccountOwner = true; // 标记为账户拥有者
+ return next();
+ } catch (error) {
+ return next(errors.createError(401, "无效的JWT token"));
+ }
+ } else if (password) {
+ // 验证设备密码
+ if (!device.password) {
+ return next(); // 如果设备未设置密码,允许无密码访问
+ }
+
+ const isValid = await verifyDevicePassword(password, device.password);
+ if (!isValid) {
+ return next(errors.createError(401, "密码错误"));
+ }
+
+ return next();
+ } else {
+ // 如果设备未设置密码,允许无密码访问
+ if (!device.password) {
+ return next();
+ }
+ return next(errors.createError(401, "需要提供密码或JWT token"));
+ }
+ } catch (error) {
+ next(error);
+ }
+};
+
+/**
+ * 从请求中提取UUID
+ */
+function extractUuid(req) {
+ return (
+ req.headers["x-device-uuid"] ||
+ req.query.uuid ||
+ req.params.uuid ||
+ req.params.deviceUuid ||
+ (req.body && req.body.uuid) ||
+ (req.body && req.body.deviceUuid)
+ );
+}
+
+/**
+ * 从请求中提取密码
+ */
+function extractPassword(req) {
+ return (
+ req.headers["x-device-password"] ||
+ req.query.password ||
+ req.query.currentPassword
+ );
+}
+
+/**
+ * 从请求中提取JWT
+ */
+function extractJWT(req) {
+ const authHeader = req.headers.authorization;
+ if (authHeader && authHeader.startsWith("Bearer ")) {
+ return authHeader.substring(7);
+ }
+ return null;
+}
\ No newline at end of file
diff --git a/package.json b/package.json
index af2c370..430b891 100644
--- a/package.json
+++ b/package.json
@@ -30,6 +30,7 @@
"express-rate-limit": "^7.5.0",
"http-errors": "~2.0.0",
"js-base64": "^3.7.7",
+ "jsonwebtoken": "^9.0.2",
"morgan": "~1.10.0",
"uuid": "^11.1.0"
},
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index fb51069..946659b 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -65,6 +65,9 @@ importers:
js-base64:
specifier: ^3.7.7
version: 3.7.7
+ jsonwebtoken:
+ specifier: ^9.0.2
+ version: 9.0.2
morgan:
specifier: ~1.10.0
version: 1.10.0
@@ -1377,6 +1380,9 @@ packages:
brace-expansion@2.0.1:
resolution: {integrity: sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==}
+ buffer-equal-constant-time@1.0.1:
+ resolution: {integrity: sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA==}
+
bytes@3.1.2:
resolution: {integrity: sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==}
engines: {node: '>= 0.8'}
@@ -1535,6 +1541,9 @@ packages:
resolution: {integrity: sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==}
engines: {node: '>= 0.4'}
+ ecdsa-sig-formatter@1.0.11:
+ resolution: {integrity: sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==}
+
ee-first@1.1.1:
resolution: {integrity: sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==}
@@ -1794,6 +1803,16 @@ packages:
engines: {node: '>=6'}
hasBin: true
+ jsonwebtoken@9.0.2:
+ resolution: {integrity: sha512-PRp66vJ865SSqOlgqS8hujT5U4AOgMfhrwYIuIhfKaoSCZcirrmASQr8CX7cUg+RMih+hgznrjp99o+W4pJLHQ==}
+ engines: {node: '>=12', npm: '>=6'}
+
+ jwa@1.4.2:
+ resolution: {integrity: sha512-eeH5JO+21J78qMvTIDdBXidBd6nG2kZjg5Ohz/1fpa28Z4CcsWUzJ1ZZyFq/3z3N17aZy+ZuBoHljASbL1WfOw==}
+
+ jws@3.2.2:
+ resolution: {integrity: sha512-YHlZCB6lMTllWDtSPHz/ZXTsi8S00usEV6v1tjq8tOUZzw7DpSDWVXjXDre6ed1w/pd495ODpHZYSdkRTsa0HA==}
+
lightningcss-darwin-arm64@1.30.1:
resolution: {integrity: sha512-c8JK7hyE65X1MHMN+Viq9n11RRC7hgin3HhYKhrMyaXflk5GVplZ60IxyoVtzILeKr+xAJwg6zK6sjTBJ0FKYQ==}
engines: {node: '>= 12.0.0'}
@@ -1865,6 +1884,27 @@ packages:
lodash.camelcase@4.3.0:
resolution: {integrity: sha512-TwuEnCnxbc3rAvhf/LbG7tJUDzhqXyFnv3dtzLOPgCG/hODL7WFnsbwktkD7yUV0RrreP/l1PALq/YSg6VvjlA==}
+ lodash.includes@4.3.0:
+ resolution: {integrity: sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w==}
+
+ lodash.isboolean@3.0.3:
+ resolution: {integrity: sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg==}
+
+ lodash.isinteger@4.0.4:
+ resolution: {integrity: sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA==}
+
+ lodash.isnumber@3.0.3:
+ resolution: {integrity: sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw==}
+
+ lodash.isplainobject@4.0.6:
+ resolution: {integrity: sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA==}
+
+ lodash.isstring@4.0.1:
+ resolution: {integrity: sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw==}
+
+ lodash.once@4.1.1:
+ resolution: {integrity: sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg==}
+
long@5.3.2:
resolution: {integrity: sha512-mNAgZ1GmyNhD7AuqnTG3/VQ26o760+ZYBPKjPvugO8+nLbYfX6TVpJPseBvopbdY+qpZ/lKUnmEc1LeZYS3QAA==}
@@ -2176,6 +2216,11 @@ packages:
scule@1.3.0:
resolution: {integrity: sha512-6FtHJEvt+pVMIB9IBY+IcCJ6Z5f1iQnytgyfKMhDKgmzYG+TeH/wx1y3l27rshSbLiSanrR9ffZDrEsmjlQF2g==}
+ semver@7.7.2:
+ resolution: {integrity: sha512-RF0Fw+rO5AMf9MAyaRXI4AV0Ulj5lMHqVxxdSgiVbixSCXoEmmX/jk0CuJw4+3SqroYO9VoUh+HcuJivvtJemA==}
+ engines: {node: '>=10'}
+ hasBin: true
+
send@1.2.0:
resolution: {integrity: sha512-uaW0WwXKpL9blXE2o0bRhoL2EGXIrZxQ2ZQ4mgcfoBxdFmQold+qWsD2jLrfZ0trjKL6vOw0j//eAwcALFjKSw==}
engines: {node: '>= 18'}
@@ -3834,6 +3879,8 @@ snapshots:
dependencies:
balanced-match: 1.0.2
+ buffer-equal-constant-time@1.0.1: {}
+
bytes@3.1.2: {}
c12@3.1.0:
@@ -3966,6 +4013,10 @@ snapshots:
es-errors: 1.3.0
gopd: 1.2.0
+ ecdsa-sig-formatter@1.0.11:
+ dependencies:
+ safe-buffer: 5.2.1
+
ee-first@1.1.1: {}
effect@3.16.12:
@@ -4261,6 +4312,30 @@ snapshots:
json5@2.2.3: {}
+ jsonwebtoken@9.0.2:
+ dependencies:
+ jws: 3.2.2
+ lodash.includes: 4.3.0
+ lodash.isboolean: 3.0.3
+ lodash.isinteger: 4.0.4
+ lodash.isnumber: 3.0.3
+ lodash.isplainobject: 4.0.6
+ lodash.isstring: 4.0.1
+ lodash.once: 4.1.1
+ ms: 2.1.3
+ semver: 7.7.2
+
+ jwa@1.4.2:
+ dependencies:
+ buffer-equal-constant-time: 1.0.1
+ ecdsa-sig-formatter: 1.0.11
+ safe-buffer: 5.2.1
+
+ jws@3.2.2:
+ dependencies:
+ jwa: 1.4.2
+ safe-buffer: 5.2.1
+
lightningcss-darwin-arm64@1.30.1:
optional: true
@@ -4314,6 +4389,20 @@ snapshots:
lodash.camelcase@4.3.0: {}
+ lodash.includes@4.3.0: {}
+
+ lodash.isboolean@3.0.3: {}
+
+ lodash.isinteger@4.0.4: {}
+
+ lodash.isnumber@3.0.3: {}
+
+ lodash.isplainobject@4.0.6: {}
+
+ lodash.isstring@4.0.1: {}
+
+ lodash.once@4.1.1: {}
+
long@5.3.2: {}
lucide-react@0.544.0(react@19.2.0):
@@ -4646,6 +4735,8 @@ snapshots:
scule@1.3.0: {}
+ semver@7.7.2: {}
+
send@1.2.0:
dependencies:
debug: 4.4.1
diff --git a/prisma/migrations/20251002074755_update/migration.sql b/prisma/migrations/20251002074755_update/migration.sql
new file mode 100644
index 0000000..0321915
--- /dev/null
+++ b/prisma/migrations/20251002074755_update/migration.sql
@@ -0,0 +1,21 @@
+-- CreateTable
+CREATE TABLE `Account` (
+ `id` VARCHAR(191) NOT NULL,
+ `provider` VARCHAR(191) NOT NULL,
+ `providerId` VARCHAR(191) NOT NULL,
+ `email` VARCHAR(191) NULL,
+ `name` VARCHAR(191) NULL,
+ `avatarUrl` VARCHAR(191) NULL,
+ `providerData` JSON NULL,
+ `accessToken` VARCHAR(191) NOT NULL,
+ `refreshToken` VARCHAR(191) NULL,
+ `createdAt` DATETIME(3) NOT NULL DEFAULT CURRENT_TIMESTAMP(3),
+ `updatedAt` DATETIME(3) NOT NULL,
+
+ UNIQUE INDEX `Account_accessToken_key`(`accessToken`),
+ UNIQUE INDEX `Account_provider_providerId_key`(`provider`, `providerId`),
+ PRIMARY KEY (`id`)
+) DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
+
+-- AddForeignKey
+ALTER TABLE `Device` ADD CONSTRAINT `Device_accountId_fkey` FOREIGN KEY (`accountId`) REFERENCES `Account`(`id`) ON DELETE SET NULL ON UPDATE CASCADE;
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
index 2e56c9a..b4c51e4 100644
--- a/prisma/schema.prisma
+++ b/prisma/schema.prisma
@@ -21,17 +21,37 @@ model KVStore {
@@id([deviceId, key])
}
+model Account {
+ id String @id @default(cuid())
+ provider String // OAuth提供者 (例如: google, github, gitlab等)
+ providerId String // 提供者返回的用户唯一ID
+ email String? // 用户邮箱
+ name String? // 用户名称
+ avatarUrl String? // 用户头像URL
+ providerData Json? // OAuth提供者返回的完整信息
+ accessToken String @unique // 账户访问令牌
+ refreshToken String? // OAuth refresh token (如果提供者支持)
+ createdAt DateTime @default(now())
+ updatedAt DateTime @updatedAt
+
+ // 关联的设备
+ devices Device[]
+
+ @@unique([provider, providerId]) // 确保同一提供者的用户ID唯一
+}
+
model Device {
id Int @id @default(autoincrement())
uuid String @unique // 设备的唯一标识符
name String?
- accountId String? // 关联的社区账户ID,暂不添加相关代码
+ accountId String? // 关联的账户ID
createdAt DateTime @default(now())
updatedAt DateTime @updatedAt
password String?
passwordHint String?
- // 关联的应用安装记录
+ // 关联关系
+ account Account? @relation(fields: [accountId], references: [id], onDelete: SetNull)
appInstalls AppInstall[]
kvStore KVStore[] // 设备相关的KV存储
}
diff --git a/public/auth-error.html b/public/auth-error.html
new file mode 100644
index 0000000..484c20a
--- /dev/null
+++ b/public/auth-error.html
@@ -0,0 +1,166 @@
+
+
+
+ 登录失败
+
+
+
+
+
+
+
登录失败
+
+
+
+
返回重试
+
关闭窗口
+
+
+ 如果问题持续存在,请检查:
+
登录成功
+
+
+
+
+
+
+
登录成功
+
OAuth Provider
+
+
+
+
复制令牌
+
+
+ 窗口将在 10 秒后自动关闭
+
+
+ */
+router.get("/profile", jwtAuth, async (req, res, next) => {
+ try {
+ const accountContext = res.locals.account;
+
+ const account = await prisma.account.findUnique({
+ where: { id: accountContext.id },
+ include: {
+ devices: {
+ select: {
+ id: true,
+ uuid: true,
+ name: true,
+ createdAt: true,
+ },
+ },
+ },
+ });
+
+ res.json({
+ success: true,
+ data: {
+ id: account.id,
+ provider: account.provider,
+ email: account.email,
+ name: account.name,
+ avatarUrl: account.avatarUrl,
+ devices: account.devices,
+ createdAt: account.createdAt,
+ },
+ });
+ } catch (error) {
+ next(error);
+ }
+});
+
+/**
+ * 绑定设备到账户
+ * POST /api/accounts/devices/bind
+ *
+ * Headers:
+ * Authorization: Bearer
+ *
+ * Body:
+ * {
+ * uuid: string // 设备UUID
+ * }
+ */
+router.post("/devices/bind", jwtAuth, async (req, res, next) => {
+ try {
+ const accountContext = res.locals.account;
+ const { uuid } = req.body;
+
+ if (!uuid) {
+ return res.status(400).json({
+ success: false,
+ message: "缺少设备UUID",
+ });
+ }
+
+ // 查找设备
+ const device = await prisma.device.findUnique({
+ where: { uuid },
+ });
+
+ if (!device) {
+ return res.status(404).json({
+ success: false,
+ message: "设备不存在 #1",
+ });
+ }
+
+ // 检查设备是否已绑定其他账户
+ if (device.accountId && device.accountId !== accountContext.id) {
+ return res.status(400).json({
+ success: false,
+ message: "设备已绑定其他账户",
+ });
+ }
+
+ // 绑定设备到账户
+ const updatedDevice = await prisma.device.update({
+ where: { uuid },
+ data: {
+ accountId: accountContext.id,
+ },
+ });
+
+ res.json({
+ success: true,
+ message: "设备绑定成功",
+ data: {
+ deviceId: updatedDevice.id,
+ uuid: updatedDevice.uuid,
+ name: updatedDevice.name,
+ },
+ });
+ } catch (error) {
+ next(error);
+ }
+});
+
+/**
+ * 解绑设备
+ * POST /api/accounts/devices/unbind
+ *
+ * Headers:
+ * Authorization: Bearer
+ *
+ * Body:
+ * {
+ * uuid: string // 设备UUID(单个解绑)
+ * uuids: string[] // 设备UUID数组(批量解绑)
+ * }
+ */
+router.post("/devices/unbind", jwtAuth, async (req, res, next) => {
+ try {
+ const accountContext = res.locals.account;
+ const { uuid, uuids } = req.body;
+
+ // 支持单个解绑或批量解绑
+ const uuidsToUnbind = uuids || (uuid ? [uuid] : []);
+
+ if (uuidsToUnbind.length === 0) {
+ return res.status(400).json({
+ success: false,
+ message: "请提供要解绑的设备UUID",
+ });
+ }
+
+ // 查找所有设备并验证所有权
+ const devices = await prisma.device.findMany({
+ where: {
+ uuid: { in: uuidsToUnbind },
+ },
+ });
+
+ // 检查是否有不存在的设备
+ if (devices.length !== uuidsToUnbind.length) {
+ const foundUuids = devices.map(d => d.uuid);
+ const notFoundUuids = uuidsToUnbind.filter(u => !foundUuids.includes(u));
+ return res.status(404).json({
+ success: false,
+ message: `以下设备不存在: ${notFoundUuids.join(', ')}`,
+ });
+ }
+
+ // 检查所有权
+ const unauthorizedDevices = devices.filter(d => d.accountId !== accountContext.id);
+ if (unauthorizedDevices.length > 0) {
+ return res.status(403).json({
+ success: false,
+ message: `您没有权限解绑以下设备: ${unauthorizedDevices.map(d => d.uuid).join(', ')}`,
+ });
+ }
+
+ // 批量解绑设备
+ await prisma.device.updateMany({
+ where: {
+ uuid: { in: uuidsToUnbind },
+ accountId: accountContext.id,
+ },
+ data: {
+ accountId: null,
+ },
+ });
+
+ res.json({
+ success: true,
+ message: uuidsToUnbind.length === 1 ? "设备解绑成功" : `成功解绑 ${uuidsToUnbind.length} 个设备`,
+ unboundCount: uuidsToUnbind.length,
+ });
+ } catch (error) {
+ next(error);
+ }
+});
+
+/**
+ * 获取账户绑定的设备列表
+ * GET /api/accounts/devices
+ *
+ * Headers:
+ * Authorization: Bearer
+ */
+router.get("/devices", jwtAuth, async (req, res, next) => {
+ try {
+ const accountContext = res.locals.account;
+ // 获取账户的设备列表
+ const account = await prisma.account.findUnique({
+ where: { id: accountContext.id },
+ include: {
+ devices: {
+ select: {
+ id: true,
+ uuid: true,
+ name: true,
+ createdAt: true,
+ updatedAt: true,
+ appInstalls: {
+ include: {
+ app: {
+ select: {
+ id: true,
+ name: true,
+ iconHash: true,
+ },
+ },
+ },
+ },
+ },
+ },
+ },
+ });
+
+ res.json({
+ success: true,
+ data: account.devices,
+ });
+ } catch (error) {
+ next(error);
+ }
+});
+
+/**
+ * 根据设备UUID获取账户公开信息
+ * GET /accounts/device/:uuid/account
+ *
+ * 无需认证,返回公开信息
+ */
+router.get("/device/:uuid/account", async (req, res, next) => {
+ try {
+ const { uuid } = req.params;
+
+ // 查找设备及其关联的账户
+ const device = await prisma.device.findUnique({
+ where: { uuid },
+ include: {
+ account: {
+ select: {
+ id: true,
+ provider: true,
+ name: true,
+ avatarUrl: true,
+ createdAt: true,
+ },
+ },
+ },
+ });
+
+ if (!device) {
+ return res.status(404).json({
+ success: false,
+ message: "设备不存在 #2",
+ });
+ }
+
+ if (!device.account) {
+ return res.json({
+ success: true,
+ data: null, // 设备未绑定账户
+ });
+ }
+
+ res.json({
+ success: true,
+ data: {
+ id: device.account.id,
+ provider: device.account.provider,
+ name: device.account.name,
+ avatarUrl: device.account.avatarUrl,
+ bindTime: device.updatedAt, // 绑定时间
+ },
+ });
+ } catch (error) {
+ next(error);
+ }
+});
+
+export default router;
\ No newline at end of file
diff --git a/routes/apps.js b/routes/apps.js
index aced87c..cbf408f 100644
--- a/routes/apps.js
+++ b/routes/apps.js
@@ -1,156 +1,176 @@
import { Router } from "express";
const router = Router();
-import {
- deviceMiddleware,
- passwordMiddleware,
- deviceInfoMiddleware,
-} from "../middleware/device.js";
-import { checkSiteKey } from "../middleware/auth.js";
+import { uuidAuth } from "../middleware/uuidAuth.js";
+import { jwtAuth } from "../middleware/jwt-auth.js";
import { PrismaClient } from "@prisma/client";
import crypto from "crypto";
import errors from "../utils/errors.js";
-import { hashPassword, verifyDevicePassword } from "../utils/crypto.js";
const prisma = new PrismaClient();
-router.use(checkSiteKey);
+/**
+ * GET /apps/devices/:uuid/apps
+ * 获取设备安装的应用列表 (公开接口,无需认证)
+ */
+router.get(
+ "/devices/:uuid/apps",
+ errors.catchAsync(async (req, res, next) => {
+ const { uuid } = req.params;
+
+ // 查找设备
+ const device = await prisma.device.findUnique({
+ where: { uuid },
+ });
+
+ if (!device) {
+ return next(errors.createError(404, "设备不存在"));
+ }
+
+ const installations = await prisma.appInstall.findMany({
+ where: { deviceId: device.id },
+ include: { app: true },
+ });
+
+ const apps = installations.map(install => ({
+ id: install.app.id,
+ name: install.app.name,
+ description: install.app.description,
+ token: install.token,
+ installedAt: install.createdAt,
+ }));
+
+ return res.json({
+ success: true,
+ apps,
+ });
+ })
+);
+
+/**
+ * POST /apps/devices/:uuid/install/:appId
+ * 为设备安装应用 (需要UUID认证)
+ */
+router.post(
+ "/devices/:uuid/install/:appId",
+ uuidAuth,
+ errors.catchAsync(async (req, res, next) => {
+ const device = res.locals.device;
+ const { appId } = req.params;
+ const { note } = req.body;
+
+ // 检查应用是否存在
+ const app = await prisma.app.findUnique({
+ where: { id: parseInt(appId) },
+ });
+
+ if (!app) {
+ return next(errors.createError(404, "应用不存在"));
+ }
+
+
+ // 生成token
+ const token = crypto.randomBytes(32).toString("hex");
+
+ // 创建安装记录
+ const installation = await prisma.appInstall.create({
+ data: {
+ deviceId: device.id,
+ appId: app.id,
+ token,
+ note: note || null,
+ },
+ });
+
+ return res.status(201).json({
+ id: installation.id,
+ appId: app.id,
+ appName: app.name,
+ token: installation.token,
+ note: installation.note,
+ installedAt: installation.createdAt,
+ });
+ })
+);
+
+/**
+ * DELETE /apps/devices/:uuid/uninstall/:installId
+ * 卸载设备应用 (需要UUID认证)
+ */
+router.delete(
+ "/devices/:uuid/uninstall/:installId",
+ uuidAuth,
+ errors.catchAsync(async (req, res, next) => {
+ const device = res.locals.device;
+ const { installId } = req.params;
+
+ const installation = await prisma.appInstall.findUnique({
+ where: { id: installId },
+ });
+
+ if (!installation) {
+ return next(errors.createError(404, "应用未安装"));
+ }
+
+ // 确保安装记录属于当前设备
+ if (installation.deviceId !== device.id) {
+ return next(errors.createError(403, "无权操作此安装记录"));
+ }
+
+ await prisma.appInstall.delete({
+ where: { id: installation.id },
+ });
+
+ return res.status(204).end();
+ })
+);
/**
* GET /apps
- * 获取应用列表
+ * 获取所有可用应用列表
*/
router.get(
"/",
errors.catchAsync(async (req, res) => {
- const { limit = 20, skip = 0, search } = req.query;
-
- const where = search
- ? {
- OR: [
- { name: { contains: search } },
- { description: { contains: search } },
- { developerName: { contains: search } },
- ],
- }
- : {};
-
- const [apps, total] = await Promise.all([
- prisma.app.findMany({
- where,
- take: parseInt(limit),
- skip: parseInt(skip),
- orderBy: { createdAt: "desc" },
- }),
- prisma.app.count({ where }),
- ]);
-
- res.json({
- apps,
- total,
- limit: parseInt(limit),
- skip: parseInt(skip),
- });
- })
-);
-
-/**
- * GET /apps/:id
- * 获取单个应用详情
- */
-router.get(
- "/:id",
- errors.catchAsync(async (req, res) => {
- const { id } = req.params;
-
- const app = await prisma.app.findUnique({
- where: { id: parseInt(id) },
- });
-
- if (!app) {
- return res.status(404).json({
- statusCode: 404,
- message: "应用不存在",
- });
- }
-
- res.json(app);
- })
-);
-
-/**
- * POST /apps/:id/authorize
- * 为应用授权获取token
- *
- * 使用统一的设备中间件:
- * 1. deviceMiddleware - 自动获取或创建设备
- * 2. passwordMiddleware - 验证密码(如果设备有密码)
- *
- * 请求体:
- * {
- * "deviceUuid": "设备UUID",
- * "password": "设备密码(如果设备有密码则必须提供)",
- * "note": "备注信息" // 可选
- * }
- */
-router.post(
- "/:id/authorize",
- deviceMiddleware,
- passwordMiddleware,
- errors.catchAsync(async (req, res) => {
- const { id: appId } = req.params;
- const { note } = req.body;
- const device = res.locals.device;
-
- // 检查应用是否存在
- const app = await prisma.app.findUnique({
- where: { id: Number(appId) },
- });
-
- if (!app) {
- return res.status(404).json({
- statusCode: 404,
- message: "应用不存在",
- });
- }
-
- // 生成token
- const randomBytes = crypto.randomBytes(32);
- const tokenData = `${appId}-${device.uuid}-${Date.now()}-${randomBytes.toString('hex')}`;
- const token = crypto.createHash("sha256").update(tokenData).digest("hex");
-
- // 创建应用安装记录
- const appInstall = await prisma.appInstall.create({
- data: {
- deviceId: device.id,
- appId: Number(appId),
- token,
- note: note || "授权访问",
+ const apps = await prisma.app.findMany({
+ select: {
+ id: true,
+ name: true,
+ description: true,
+ createdAt: true,
},
});
- res.status(200).json({
- token: appInstall.token,
- appId: Number(appId),
- appName: app.name,
- deviceUuid: device.uuid,
- deviceName: device.name,
- note: appInstall.note,
- authorizedAt: appInstall.installedAt,
-
+ return res.json({
+ success: true,
+ apps,
});
})
);
+
/**
- * GET /apps/devices/:deviceUuid/tokens
- * 获取设备上的所有授权token
+ * GET /apps/tokens
+ * 获取设备的token列表 (需要设备UUID)
*/
router.get(
- "/devices/:deviceUuid/tokens",
- deviceInfoMiddleware,
- errors.catchAsync(async (req, res) => {
- const device = res.locals.device;
+ "/tokens",
+ errors.catchAsync(async (req, res, next) => {
+ const { uuid } = req.query;
+ if (!uuid) {
+ return next(errors.createError(400, "需要提供设备UUID"));
+ }
+
+ // 查找设备
+ const device = await prisma.device.findUnique({
+ where: { uuid },
+ });
+
+ if (!device) {
+ return next(errors.createError(404, "设备不存在"));
+ }
+
+ // 获取该设备的所有应用安装记录(即token)
const installations = await prisma.appInstall.findMany({
where: { deviceId: device.id },
include: {
@@ -159,236 +179,39 @@ router.get(
id: true,
name: true,
description: true,
- developerName: true,
- iconHash: true,
- repositoryUrl: true,
- createdAt: true,
- updatedAt: true,
},
},
},
- orderBy: { installedAt: "desc" },
+ orderBy: { installedAt: 'desc' },
});
- res.json({
- deviceUuid: device.uuid,
- deviceName: device.name,
- tokens: installations.map(install => ({
- id: install.id,
- token: install.token,
- app: install.app,
- note: install.note,
- installedAt: install.installedAt,
- updatedAt: install.updatedAt,
- createdAt: install.createdAt,
- repositoryUrl: install.app.repositoryUrl,
- })),
- total: installations.length,
- });
- })
-);
+ const tokens = installations.map(install => ({
+ id: install.id, // 安装记录ID
+ token: install.token,
+ appId: install.app.id,
+ appName: install.app.name,
+ appDescription: install.app.description,
+ installedAt: install.installedAt,
+ note: install.note,
+ }));
-/**
- * DELETE /apps/tokens/:token
- * 撤销特定token
- */
-router.delete(
- "/tokens/:token",
- errors.catchAsync(async (req, res) => {
- const { token } = req.params;
-
- const result = await prisma.appInstall.deleteMany({
- where: { token },
- });
-
- if (result.count === 0) {
- return res.status(404).json({
- statusCode: 404,
- message: "Token不存在",
- });
- }
-
- res.status(204).end();
- })
-);
-
-/**
- * GET /apps/:id/installations
- * 获取应用的所有安装记录
- */
-router.get(
- "/:id/installations",
- errors.catchAsync(async (req, res) => {
- const { id: appId } = req.params;
- const { limit = 20, skip = 0 } = req.query;
-
- const [installations, total] = await Promise.all([
- prisma.appInstall.findMany({
- where: { appId: Number(appId) },
- include: {
- device: {
- select: {
- uuid: true,
- name: true,
- },
- },
- },
- take: parseInt(limit),
- skip: parseInt(skip),
- orderBy: { installedAt: "desc" },
- }),
- prisma.appInstall.count({ where: { appId: Number(appId) } }),
- ]);
-
- res.json({
- appId: Number(appId),
- installations: installations.map(install => ({
- id: install.id,
- token: install.token,
- device: install.device,
- note: install.note,
- installedAt: install.installedAt,
- updatedAt: install.updatedAt,
- })),
- total,
- limit: parseInt(limit),
- skip: parseInt(skip),
- });
- })
-);
-
-/**
- * PUT /apps/devices/:deviceUuid/password
- * 设置或更新设备密码
- *
- * Request Body:
- * {
- * "newPassword": "新密码",
- * "passwordHint": "密码提示(可选)",
- * "currentPassword": "当前密码(如果已设置密码则必须提供)"
- * }
- */
-router.put(
- "/devices/:deviceUuid/password",
- deviceInfoMiddleware,
- errors.catchAsync(async (req, res, next) => {
- const { newPassword, passwordHint, currentPassword } = req.body;
- const device = res.locals.device;
-
- if (!newPassword) {
- return next(errors.createError(400, "请提供新密码"));
- }
-
- // 如果设备已有密码,必须先验证当前密码
- if (device.password) {
- if (!currentPassword) {
- return next(errors.createError(401, "设备已设置密码,请提供当前密码"));
- }
-
- const isValid = await verifyDevicePassword(currentPassword, device.password);
- if (!isValid) {
- return next(errors.createError(401, "当前密码错误"));
- }
- }
-
- // 哈希新密码
- const hashedPassword = await hashPassword(newPassword);
-
- // 更新设备密码
- await prisma.device.update({
- where: { id: device.id },
- data: {
- password: hashedPassword,
- passwordHint: passwordHint || device.passwordHint,
- },
- });
-
- res.json({
+ return res.json({
success: true,
- message: device.password ? "密码已更新" : "密码已设置",
- deviceUuid: device.uuid,
+ tokens,
+ deviceUuid: uuid,
});
})
);
-
-/**
- * DELETE /apps/devices/:deviceUuid/password
- * 删除设备密码
- *
- * Request Body:
- * {
- * "password": "当前密码(必须)"
- * }
- */
-router.delete(
- "/devices/:deviceUuid/password",
- deviceInfoMiddleware,
+router.get("/info/:appid",
errors.catchAsync(async (req, res, next) => {
- const { password } = req.body;
- const device = res.locals.device;
-
- if (!device.password) {
- return next(errors.createError(400, "设备未设置密码"));
- }
-
- if (!password) {
- return next(errors.createError(401, "请提供当前密码"));
- }
-
- // 验证密码
- const isValid = await verifyDevicePassword(password, device.password);
- if (!isValid) {
- return next(errors.createError(401, "密码错误"));
- }
-
- // 删除密码
- await prisma.device.update({
- where: { id: device.id },
- data: {
- password: null,
- passwordHint: null,
- },
- });
-
- res.json({
- success: true,
- message: "密码已删除",
- deviceUuid: device.uuid,
+ const { appid } = req.params;
+ const app = await prisma.app.findUnique({
+ where: { id: parseInt(appid) },
});
+ if (!app) {
+ return next(errors.createError(404, "应用不存在"));
+ }
+ return res.json(app);
})
);
-
-/**
- * POST /apps/devices/:deviceUuid/password/verify
- * 验证设备密码
- *
- * Request Body:
- * {
- * "password": "待验证的密码"
- * }
- */
-router.post(
- "/devices/:deviceUuid/password/verify",
- deviceInfoMiddleware,
- errors.catchAsync(async (req, res, next) => {
- const { password } = req.body;
- const device = res.locals.device;
-
- if (!device.password) {
- return next(errors.createError(400, "设备未设置密码"));
- }
-
- if (!password) {
- return next(errors.createError(400, "请提供密码"));
- }
-
- // 验证密码
- const isValid = await verifyDevicePassword(password, device.password);
-
- res.json({
- valid: isValid,
- });
- })
-);
-
export default router;
\ No newline at end of file
diff --git a/routes/device-auth.js b/routes/device-auth.js
index cc959b0..66f90a6 100644
--- a/routes/device-auth.js
+++ b/routes/device-auth.js
@@ -1,14 +1,12 @@
import { Router } from "express";
import deviceCodeStore from "../utils/deviceCodeStore.js";
-import { checkSiteKey } from "../middleware/auth.js";
import errors from "../utils/errors.js";
import { PrismaClient } from "@prisma/client";
const router = Router();
const prisma = new PrismaClient();
-// 应用站点密钥验证
-router.use(checkSiteKey);
+
/**
* POST /device/code
diff --git a/routes/device.js b/routes/device.js
new file mode 100644
index 0000000..f4f4c1d
--- /dev/null
+++ b/routes/device.js
@@ -0,0 +1,327 @@
+import { Router } from "express";
+const router = Router();
+import { uuidAuth } from "../middleware/uuidAuth.js";
+import { PrismaClient } from "@prisma/client";
+import crypto from "crypto";
+import errors from "../utils/errors.js";
+import { hashPassword, verifyDevicePassword } from "../utils/crypto.js";
+
+const prisma = new PrismaClient();
+
+/**
+ * POST /devices
+ * 注册新设备
+ */
+router.post(
+ "/",
+ errors.catchAsync(async (req, res, next) => {
+ const { uuid, deviceName } = req.body;
+
+ if (!uuid) {
+ return next(errors.createError(400, "设备UUID是必需的"));
+ }
+
+ if (!deviceName) {
+ return next(errors.createError(400, "设备名称是必需的"));
+ }
+
+ // 检查UUID是否已存在
+ const existingDevice = await prisma.device.findUnique({
+ where: { uuid },
+ });
+
+ if (existingDevice) {
+ return next(errors.createError(409, "设备UUID已存在"));
+ }
+
+ // 创建设备
+ const device = await prisma.device.create({
+ data: {
+ uuid,
+ name: deviceName,
+ },
+ });
+
+ return res.status(201).json({
+ success: true,
+ device: {
+ id: device.id,
+ uuid: device.uuid,
+ name: device.name,
+ createdAt: device.createdAt,
+ },
+ });
+ })
+);
+
+/**
+ * GET /devices/:uuid
+ * 获取设备信息 (公开接口,无需认证)
+ */
+router.get(
+ "/:uuid",
+ errors.catchAsync(async (req, res, next) => {
+ const { uuid } = req.params;
+
+ // 查找设备,包含绑定的账户信息
+ const device = await prisma.device.findUnique({
+ where: { uuid },
+ include: {
+ account: {
+ select: {
+ id: true,
+ name: true,
+ email: true,
+ avatarUrl: true,
+ },
+ },
+ },
+ });
+
+ if (!device) {
+ return next(errors.createError(404, "设备不存在"));
+ }
+
+ return res.json({
+ id: device.id,
+ uuid: device.uuid,
+ name: device.name,
+ hasPassword: !!device.password,
+ passwordHint: device.passwordHint,
+ createdAt: device.createdAt,
+ account: device.account ? {
+ id: device.account.id,
+ name: device.account.name,
+ email: device.account.email,
+ avatarUrl: device.account.avatarUrl,
+ } : null,
+ isBoundToAccount: !!device.account,
+ });
+ })
+);/**
+ * PUT /devices/:uuid/name
+ * 设置设备名称 (需要UUID认证)
+ */
+router.put(
+ "/:uuid/name",
+ uuidAuth,
+ errors.catchAsync(async (req, res, next) => {
+ const { name } = req.body;
+ const device = res.locals.device;
+
+ if (!name) {
+ return next(errors.createError(400, "设备名称是必需的"));
+ }
+
+ const updatedDevice = await prisma.device.update({
+ where: { id: device.id },
+ data: { name },
+ });
+
+ return res.json({
+ success: true,
+ device: {
+ id: updatedDevice.id,
+ uuid: updatedDevice.uuid,
+ name: updatedDevice.name,
+ hasPassword: !!updatedDevice.password,
+ passwordHint: updatedDevice.passwordHint,
+ },
+ });
+ })
+);
+
+/**
+ * POST /devices/:uuid/password
+ * 初次设置设备密码 (无需认证,仅当设备未设置密码时)
+ */
+router.post(
+ "/:uuid/password",
+ errors.catchAsync(async (req, res, next) => {
+ const { uuid } = req.params;
+ const newPassword = req.query.newPassword || req.body.newPassword;
+ const passwordHint = req.query.passwordHint || req.body.passwordHint;
+
+ if (!newPassword) {
+ return next(errors.createError(400, "新密码是必需的"));
+ }
+
+ // 查找设备
+ const device = await prisma.device.findUnique({
+ where: { uuid },
+ });
+
+ if (!device) {
+ return next(errors.createError(404, "设备不存在"));
+ }
+
+ // 只有在设备未设置密码时才允许无认证设置
+ if (device.password) {
+ return next(errors.createError(403, "设备已设置密码,请使用修改密码接口"));
+ }
+
+ const hashedPassword = await hashPassword(newPassword);
+
+ await prisma.device.update({
+ where: { id: device.id },
+ data: {
+ password: hashedPassword,
+ passwordHint: passwordHint || null,
+ },
+ });
+
+ return res.json({
+ success: true,
+ message: "密码设置成功",
+ });
+ })
+);
+
+/**
+ * PUT /devices/:uuid/password
+ * 修改设备密码 (需要UUID认证和当前密码验证,账户拥有者除外)
+ */
+router.put(
+ "/:uuid/password",
+ uuidAuth,
+ errors.catchAsync(async (req, res, next) => {
+ const currentPassword = req.query.currentPassword;
+ const newPassword = req.query.newPassword || req.body.newPassword;
+ const passwordHint = req.query.passwordHint || req.body.passwordHint;
+ const device = res.locals.device;
+ const isAccountOwner = res.locals.isAccountOwner;
+
+ if (!newPassword) {
+ return next(errors.createError(400, "新密码是必需的"));
+ }
+
+ // 如果是账户拥有者,无需验证当前密码
+ if (!isAccountOwner) {
+ if (!device.password) {
+ return next(errors.createError(400, "设备未设置密码,请使用设置密码接口"));
+ }
+
+ if (!currentPassword) {
+ return next(errors.createError(400, "当前密码是必需的"));
+ }
+
+ // 验证当前密码
+ const isCurrentPasswordValid = await verifyDevicePassword(currentPassword, device.password);
+ if (!isCurrentPasswordValid) {
+ return next(errors.createError(401, "当前密码错误"));
+ }
+ }
+
+ const hashedNewPassword = await hashPassword(newPassword);
+
+ await prisma.device.update({
+ where: { id: device.id },
+ data: {
+ password: hashedNewPassword,
+ passwordHint: passwordHint !== undefined ? passwordHint : device.passwordHint,
+ },
+ });
+
+ return res.json({
+ success: true,
+ message: "密码修改成功",
+ });
+ })
+);
+
+/**
+ * PUT /devices/:uuid/password-hint
+ * 设置密码提示 (需要UUID认证)
+ */
+router.put(
+ "/:uuid/password-hint",
+ uuidAuth,
+ errors.catchAsync(async (req, res, next) => {
+ const { passwordHint } = req.body;
+ const device = res.locals.device;
+
+ await prisma.device.update({
+ where: { id: device.id },
+ data: { passwordHint: passwordHint || null },
+ });
+
+ return res.json({
+ success: true,
+ message: "密码提示设置成功",
+ passwordHint: passwordHint || null,
+ });
+ })
+);
+
+/**
+ * GET /devices/:uuid/password-hint
+ * 获取设备密码提示 (无需认证)
+ */
+router.get(
+ "/:uuid/password-hint",
+ errors.catchAsync(async (req, res, next) => {
+ const { uuid } = req.params;
+
+ const device = await prisma.device.findUnique({
+ where: { uuid },
+ select: {
+ passwordHint: true,
+ },
+ });
+
+ if (!device) {
+ return next(errors.createError(404, "设备不存在"));
+ }
+
+ return res.json({
+ success: true,
+ passwordHint: device.passwordHint || null,
+ });
+ })
+);
+
+/**
+ * DELETE /devices/:uuid/password
+ * 删除设备密码 (需要UUID认证和密码验证,账户拥有者除外)
+ */
+router.delete(
+ "/:uuid/password",
+ uuidAuth,
+ errors.catchAsync(async (req, res, next) => {
+ const password = req.query.password;
+ const device = res.locals.device;
+ const isAccountOwner = res.locals.isAccountOwner;
+
+ if (!device.password) {
+ return next(errors.createError(400, "设备未设置密码"));
+ }
+
+ // 如果不是账户拥有者,需要验证密码
+ if (!isAccountOwner) {
+ if (!password) {
+ return next(errors.createError(400, "密码是必需的"));
+ }
+
+ // 验证密码
+ const isPasswordValid = await verifyDevicePassword(password, device.password);
+ if (!isPasswordValid) {
+ return next(errors.createError(401, "密码错误"));
+ }
+ }
+
+ await prisma.device.update({
+ where: { id: device.id },
+ data: {
+ password: null,
+ passwordHint: null,
+ },
+ });
+
+ return res.json({
+ success: true,
+ message: "密码删除成功",
+ });
+ })
+);
+
+export default router;
\ No newline at end of file
diff --git a/routes/kv-token.js b/routes/kv-token.js
index 4852abd..8bd9902 100644
--- a/routes/kv-token.js
+++ b/routes/kv-token.js
@@ -1,13 +1,11 @@
import { Router } from "express";
const router = Router();
import kvStore from "../utils/kvStore.js";
-import { tokenAuth } from "../middleware/tokenAuth.js";
+import { kvTokenAuth } from "../middleware/kvTokenAuth.js";
import errors from "../utils/errors.js";
-import { checkSiteKey } from "../middleware/auth.js";
-// 应用站点密钥验证和token认证
-router.use(checkSiteKey);
-router.use(tokenAuth);
+// 使用KV专用token认证
+router.use(kvTokenAuth);
/**
* GET /_keys
diff --git a/test/docker/docker-compose.yml b/test/docker/docker-compose.yml
deleted file mode 100644
index 383f836..0000000
--- a/test/docker/docker-compose.yml
+++ /dev/null
@@ -1,69 +0,0 @@
-version: '3.8'
-
-services:
- mysql:
- image: mysql:8.0
- container_name: classworks_mysql
- restart: unless-stopped
- environment:
- MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD:-classworks}
- MYSQL_DATABASE: ${MYSQL_DATABASE:-classworks}
- MYSQL_USER: ${MYSQL_USER:-classworks}
- MYSQL_PASSWORD: ${MYSQL_PASSWORD:-classworks}
- TZ: Asia/Shanghai
- ports:
- - "3306:3306"
- volumes:
- - mysql_data:/var/lib/mysql
- - ./mysql/conf.d:/etc/mysql/conf.d:ro
- - ./mysql/initdb.d:/docker-entrypoint-initdb.d:ro
- command:
- - --character-set-server=utf8mb4
- - --collation-server=utf8mb4_unicode_ci
- - --default-authentication-plugin=mysql_native_password
- healthcheck:
- test: ["CMD", "mysqladmin", "ping", "-h", "localhost", "-u$$MYSQL_USER", "-p$$MYSQL_PASSWORD"]
- interval: 10s
- timeout: 5s
- retries: 5
- networks:
- - classworks_net
-
- postgres:
- image: postgres:15-alpine
- container_name: classworks_postgres
- restart: unless-stopped
- environment:
- POSTGRES_DB: ${POSTGRES_DB:-classworks}
- POSTGRES_USER: ${POSTGRES_USER:-classworks}
- POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-classworks}
- TZ: Asia/Shanghai
- ports:
- - "5432:5432"
- volumes:
- - postgres_data:/var/lib/postgresql/data
- - ./postgres/initdb.d:/docker-entrypoint-initdb.d:ro
- command:
- - "postgres"
- - "-c"
- - "max_connections=100"
- - "-c"
- - "shared_buffers=128MB"
- healthcheck:
- test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
- interval: 10s
- timeout: 5s
- retries: 5
- networks:
- - classworks_net
-
-volumes:
- mysql_data:
- name: classworks_mysql_data
- postgres_data:
- name: classworks_postgres_data
-
-networks:
- classworks_net:
- name: classworks_network
- driver: bridge
\ No newline at end of file
diff --git a/test/docker/mysql/conf.d/my.cnf b/test/docker/mysql/conf.d/my.cnf
deleted file mode 100644
index 0384d42..0000000
--- a/test/docker/mysql/conf.d/my.cnf
+++ /dev/null
@@ -1,33 +0,0 @@
-[mysqld]
-# 字符集设置
-character-set-server=utf8mb4
-collation-server=utf8mb4_unicode_ci
-
-# 连接设置
-max_connections=100
-max_allowed_packet=64M
-
-# InnoDB设置
-innodb_buffer_pool_size=256M
-innodb_log_file_size=64M
-innodb_flush_log_at_trx_commit=2
-innodb_flush_method=O_DIRECT
-
-# 优化设置
-query_cache_type=1
-query_cache_size=32M
-sort_buffer_size=4M
-read_buffer_size=2M
-read_rnd_buffer_size=4M
-join_buffer_size=2M
-
-# 日志设置
-slow_query_log=1
-slow_query_log_file=/var/log/mysql/slow.log
-long_query_time=2
-
-[client]
-default-character-set=utf8mb4
-
-[mysql]
-default-character-set=utf8mb4
\ No newline at end of file
diff --git a/test/docker/mysql/initdb.d/init.sql b/test/docker/mysql/initdb.d/init.sql
deleted file mode 100644
index f96ed98..0000000
--- a/test/docker/mysql/initdb.d/init.sql
+++ /dev/null
@@ -1,12 +0,0 @@
--- 设置时区
-SET GLOBAL time_zone = '+8:00';
-SET time_zone = '+8:00';
-
--- 创建数据库(如果不存在)
-CREATE DATABASE IF NOT EXISTS classworks
- CHARACTER SET utf8mb4
- COLLATE utf8mb4_unicode_ci;
-
--- 设置权限
-GRANT ALL PRIVILEGES ON classworks.* TO 'classworks'@'%';
-FLUSH PRIVILEGES;
\ No newline at end of file
diff --git a/test/docker/postgres/initdb.d/init.sql b/test/docker/postgres/initdb.d/init.sql
deleted file mode 100644
index 2507d7a..0000000
--- a/test/docker/postgres/initdb.d/init.sql
+++ /dev/null
@@ -1,10 +0,0 @@
--- 创建扩展
-CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
-CREATE EXTENSION IF NOT EXISTS "pg_trgm";
-
--- 设置时区
-SET timezone = 'Asia/Shanghai';
-
--- 设置默认权限
-ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO classworks;
-ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE, SELECT ON SEQUENCES TO classworks;
\ No newline at end of file
diff --git a/utils/jwt.js b/utils/jwt.js
new file mode 100644
index 0000000..70eb47b
--- /dev/null
+++ b/utils/jwt.js
@@ -0,0 +1,40 @@
+import jwt from 'jsonwebtoken';
+
+// JWT密钥 - 生产环境应该从环境变量读取
+const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key-change-this-in-production';
+const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || '7d'; // 默认7天过期
+
+/**
+ * 签发JWT token
+ * @param {Object} payload - 要编码的数据
+ * @returns {string} JWT token
+ */
+export function signToken(payload) {
+ return jwt.sign(payload, JWT_SECRET, {
+ expiresIn: JWT_EXPIRES_IN,
+ });
+}
+
+/**
+ * 验证JWT token
+ * @param {string} token - JWT token
+ * @returns {Object} 解码后的payload
+ */
+export function verifyToken(token) {
+ return jwt.verify(token, JWT_SECRET);
+}
+
+/**
+ * 为账户生成JWT token
+ * @param {Object} account - 账户对象
+ * @returns {string} JWT token
+ */
+export function generateAccountToken(account) {
+ return signToken({
+ accountId: account.id,
+ provider: account.provider,
+ email: account.email,
+ name: account.name,
+ avatarUrl: account.avatarUrl,
+ });
+}
\ No newline at end of file