feat: migrate runtime backend to node server

2026-04-08 16:41:29 +08:00
parent 9d2fc9e4b8
commit a83841ff2d
70 changed files with 8239 additions and 1561 deletions
--- a/server-node/src/auth/token.ts
+++ b/server-node/src/auth/token.ts
@@ -0,0 +1,46 @@
+import { jwtVerify, SignJWT } from 'jose';
+
+import type { AppConfig } from '../config.js';
+import { unauthorized } from '../errors.js';
+
+export type AccessTokenClaims = {
+  userId: string;
+  tokenVersion: number;
+};
+
+function getSecret(config: AppConfig) {
+  return new TextEncoder().encode(config.jwtSecret);
+}
+
+export async function signAccessToken(
+  claims: AccessTokenClaims,
+  config: AppConfig,
+) {
+  return new SignJWT({ ver: claims.tokenVersion })
+    .setProtectedHeader({ alg: 'HS256', typ: 'JWT' })
+    .setSubject(claims.userId)
+    .setIssuer(config.jwtIssuer)
+    .setIssuedAt()
+    .sign(getSecret(config));
+}
+
+export async function verifyAccessToken(token: string, config: AppConfig) {
+  try {
+    const { payload } = await jwtVerify(token, getSecret(config), {
+      issuer: config.jwtIssuer,
+    });
+    const userId = typeof payload.sub === 'string' ? payload.sub : '';
+    const tokenVersion = typeof payload.ver === 'number' ? payload.ver : NaN;
+
+    if (!userId || !Number.isFinite(tokenVersion)) {
+      throw unauthorized('JWT 内容无效');
+    }
+
+    return {
+      userId,
+      tokenVersion,
+    } satisfies AccessTokenClaims;
+  } catch (error) {
+    throw unauthorized('JWT 校验失败');
+  }
+}