守卫


守卫

loginGuard

import { CanActivate, ExecutionContext, Injectable, UnauthorizedException } from '@nestjs/common';
import { Reflector } from '@nestjs/core';
import { JwtService } from '@nestjs/jwt';
import { FastifyRequest } from 'fastify';
import { Observable } from 'rxjs';

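@Injectable()
export class LoginGuard implements CanActivate {
  constructor(
    private readonly reflector: Reflector,
    private readonly jwtService: JwtService,
  ) { }

  /**
   * Global login guard: every route requires a valid JWT unless it opts out.
   *
   * A route (or a whole controller) is made public by setting the
   * `not-require-login` metadata key to a truthy value, e.g.
   * `@SetMetadata('not-require-login', true)`; handler metadata overrides
   * class metadata (`getAllAndOverride`).
   *
   * @param context - execution context of the current request.
   * @returns `true` when the route is public or the token verifies.
   * @throws UnauthorizedException when the `Authorization` header is absent
   *   or the token fails verification (bad signature, expired, ...).
   */
  canActivate(
    context: ExecutionContext,
  ): boolean | Promise<boolean> | Observable<boolean> {
    const request: FastifyRequest = context.switchToHttp().getRequest();

    // Most routes need a login and only a few do not, so the exception
    // (public routes) is what gets marked rather than the rule.
    const notRequireLogin = this.reflector.getAllAndOverride('not-require-login', [
      context.getClass(),
      context.getHandler(),
    ]);
    if (notRequireLogin) return true;

    // NOTE(review): the header value is verified as-is; no `Bearer ` scheme
    // prefix is stripped — confirm clients send the raw token.
    const authorization = request.headers.authorization;
    if (!authorization) {
      throw new UnauthorizedException('用户未登录');
    }

    let verifyUser: { userId?: unknown } | undefined;
    try {
      verifyUser = this.jwtService.verify(authorization);
    } catch {
      // The verification error is intentionally not echoed to the client.
      throw new UnauthorizedException('token失效,请重新登录');
    }

    // Expose the verified user id to controllers through the request body.
    // Only an object body can carry it: assigning a property to a primitive
    // (e.g. a text/plain string body) throws a TypeError in strict mode, and
    // that used to be swallowed by the catch above and reported as an
    // invalid token. The assignment overwrites any client-supplied `userId`,
    // so controllers always see the value from the token.
    if (verifyUser && typeof request.body === 'object' && request.body !== null) {
      (request.body as Record<string, unknown>).userId = verifyUser.userId;
    }
    return true;
  }
}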

// 用户注册接口不需要登录
@Post("register")
@SetMetadata('not-require-login', true)

permissionGuard

import { CanActivate, ExecutionContext, ForbiddenException, Injectable } from '@nestjs/common';
import { Reflector } from '@nestjs/core';
import { JwtService } from '@nestjs/jwt';
import { isArray } from 'class-validator';
import { FastifyRequest } from 'fastify';
import { Observable } from 'rxjs';

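@Injectable()
export class PermissionGuard implements CanActivate {
  constructor(
    private readonly reflector: Reflector,
    private readonly jwtService: JwtService,
  ) { }

  /**
   * Global permission guard: a route (or controller) marked with
   * `@SetMetadata('require-permission', [...])` is only reachable when the
   * caller's token carries every listed permission.
   *
   * Routes without a `require-permission` array (or with an empty one) are
   * not restricted by this guard; the login guard still applies to them.
   *
   * @param context - execution context of the current request.
   * @returns `true` when no permissions are required or all of them are held.
   * @throws ForbiddenException when the `Authorization` header is absent, the
   *   token does not verify, carries no permissions, or lacks a required one.
   */
  canActivate(
    context: ExecutionContext,
  ): boolean | Promise<boolean> | Observable<boolean> {
    const request: FastifyRequest = context.switchToHttp().getRequest();
    const requiredPermissions = this.reflector.getAllAndOverride('require-permission', [
      context.getClass(),
      context.getHandler(),
    ]);
    // Missing, non-array or empty requirement: nothing to enforce here.
    if (!Array.isArray(requiredPermissions) || requiredPermissions.length < 1) return true;

    const authorization = request.headers.authorization;
    if (!authorization) {
      throw new ForbiddenException('用户没有权限');
    }

    // Permissions are read straight from the token (simple approach); a real
    // project should look them up by user id so that revocations take effect
    // before the token expires.
    let userPermissions: unknown;
    try {
      userPermissions = this.jwtService.verify(authorization)?.permissions;
    } catch {
      // A token that fails verification must not escape as an unhandled JWT
      // error (which Nest would report as a 500); answer like every other
      // denial in this guard instead.
      throw new ForbiddenException('用户没有权限');
    }

    if (!Array.isArray(userPermissions) || userPermissions.length < 1) {
      throw new ForbiddenException('用户没有权限');
    }
    const granted = userPermissions;
    if (!requiredPermissions.every((item: unknown) => granted.includes(item))) {
      throw new ForbiddenException('用户没有权限');
    }
    return true;
  }
}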

@ApiTags('角色管理')
@Controller('role')
// 添加权限控制
@SetMetadata('require-permission', ['superAdmin'])
export class RoleController {

注册guard

// app.module.ts

{
  provide: APP_GUARD,
  useClass: LoginGuard
},
{
  provide: APP_GUARD,
  useClass: PermissionGuard
}