fix: close auth, permission, contract and e2e review blockers

2026-05-28 15:19:13 +08:00
parent f33e39a702
commit 6be90ddff8
29 changed files with 1356 additions and 259 deletions
--- a/internal/auth/jwt.go
+++ b/internal/auth/jwt.go
@@ -54,6 +54,7 @@ type Claims struct {
 	Remember bool   `json:"remember,omitempty"` // 记住登录标记
 	JTI      string `json:"jti"`                // JWT ID，用于黑名单
 	PCE      int64  `json:"pce,omitempty"`       // Password Changed Epoch，密码变更时间戳，用于 token 失效机制
+	DeviceID string `json:"device_id,omitempty"`
 	jwt.RegisteredClaims
 }

@@ -494,6 +495,47 @@ func (j *JWT) ValidateRefreshToken(tokenString string) (*Claims, error) {
 	return claims, nil
 }

+func (j *JWT) GenerateTOTPChallengeToken(userID int64, username, deviceID string, pce int64) (string, error) {
+	if err := j.ensureReady(); err != nil {
+		return "", err
+	}
+
+	now := time.Now()
+	jti, err := generateJTI()
+	if err != nil {
+		return "", err
+	}
+	claims := Claims{
+		UserID:   userID,
+		Username: username,
+		Type:     "totp_challenge",
+		JTI:      jti,
+		PCE:      pce,
+		DeviceID: strings.TrimSpace(deviceID),
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(now.Add(5 * time.Minute)),
+			IssuedAt:  jwt.NewNumericDate(now),
+			NotBefore: jwt.NewNumericDate(now),
+		},
+	}
+
+	token := jwt.NewWithClaims(j.signingMethod(), claims)
+	return token.SignedString(j.signingKey())
+}
+
+func (j *JWT) ValidateTOTPChallengeToken(tokenString string) (*Claims, error) {
+	claims, err := j.ParseToken(tokenString)
+	if err != nil {
+		return nil, err
+	}
+
+	if claims.Type != "totp_challenge" {
+		return nil, errors.New("invalid token type")
+	}
+
+	return claims, nil
+}
+
 // RefreshAccessToken 刷新访问令牌
 func (j *JWT) RefreshAccessToken(refreshTokenString string) (string, error) {
 	claims, err := j.ValidateRefreshToken(refreshTokenString)