feat: migrate runtime backend to node server

server-node/src/middleware/auth.ts

@@ -0,0 +1,40 @@
+import type { NextFunction, Request, Response } from 'express';
+
+import { verifyAccessToken } from '../auth/token.js';
+import type { AppConfig } from '../config.js';
+import { unauthorized } from '../errors.js';
+import { type UserRepository } from '../repositories/userRepository.js';
+
+function readBearerToken(request: Request) {
+  const authorization = request.header('authorization')?.trim() || '';
+  if (!authorization.startsWith('Bearer ')) {
+    return '';
+  }
+  return authorization.slice('Bearer '.length).trim();
+}
+
+export function requireJwtAuth(config: AppConfig, userRepository: UserRepository) {
+  return async (request: Request, _response: Response, next: NextFunction) => {
+    try {
+      const token = readBearerToken(request);
+      if (!token) {
+        throw unauthorized('缺少 Authorization Bearer Token');
+      }
+
+      const claims = await verifyAccessToken(token, config);
+      const user = userRepository.findById(claims.userId);
+      if (!user) {
+        throw unauthorized('用户不存在');
+      }
+      if (user.tokenVersion !== claims.tokenVersion) {
+        throw unauthorized('登录状态已失效，请重新登录');
+      }
+
+      request.auth = claims;
+      request.userId = claims.userId;
+      next();
+    } catch (error) {
+      next(error);
+    }
+  };
+}