feat: bootstrap user rbac foundation

fastapi_common/fastapi_common_security/jwtService.py

@@ -18,7 +18,7 @@ import jwt
 from fastapi_common.fastapi_common_logger import logger
 from fastapi_admin.config import JWT_SECRET_KEY, JWT_ALGORITHM
 
-ACCESS_TOKEN_EXPIRE_MINUTES = 15
+ACCESS_TOKEN_EXPIRE_MINUTES = 60
 REFRESH_TOKEN_EXPIRE_DAYS = 7
 JWT_AUDIENCE = "leaudit-platform"
 JWT_ISSUER = "leaudit-platform"
@@ -39,6 +39,7 @@ class JwtService:
         ouId: str = "",
         ouName: str = "",
         roles: list[str] | None = None,
+        permissions: list[str] | None = None,
         area: str | None = None,
         userRole: str | None = None,
         deviceId: str | None = None,
@@ -68,6 +69,7 @@ class JwtService:
             "ou_id": ouId,
             "ou_name": ouName,
             "roles": roles or [],
+            "permissions": permissions or [],
             "area": area,
             "user_role": userRole,
             "iat": now,

fastapi_common/fastapi_common_security/security.py

@@ -5,19 +5,40 @@ from __future__ import annotations
 from typing import Any
 
 import jwt
-from fastapi import Request
+from fastapi import HTTPException, Request, status
 
-from fastapi_admin.config import JWT_SECRET_KEY, JWT_ALGORITHM
+from fastapi_common.fastapi_common_security.jwtService import JwtService
 
 
 def verify_access_token(RequestObj: Request) -> dict[str, Any]:
-    """验证 JWT access token 并返回 payload。"""
+    """验证 JWT access token 并返回 payload。
+
+    认证失败必须直接返回 401，不能静默放行为空 payload，
+    否则受保护接口会在后续逻辑里变成“假鉴权”。
+    """
     auth = RequestObj.headers.get("Authorization", "")
     if not auth.startswith("Bearer "):
-        return {}
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="缺少有效的 Authorization Bearer Token",
+        )
+
     token = auth.removeprefix("Bearer ").strip()
     try:
-        payload = jwt.decode(token, JWT_SECRET_KEY, algorithms=[JWT_ALGORITHM])
+        payload = JwtService.verify(token)
+        if payload.get("type") != "access":
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="无效的访问令牌类型",
+            )
         return payload
+    except jwt.ExpiredSignatureError as exc:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="访问令牌已过期",
+        ) from exc
     except jwt.PyJWTError:
-        return {}
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="访问令牌无效",
+        )