api-server/src/modules/auth/auth.service.ts

import * as crypto from 'crypto';
import { Injectable, UnauthorizedException } from '@nestjs/common';
import { JwtService } from '@nestjs/jwt';
import { ConfigService } from '@nestjs/config';
import { PrismaService } from '../../infrastructure/database/prisma.service';

@Injectable()
export class AuthService {
  constructor(
    private readonly jwtService: JwtService,
    private readonly prisma: PrismaService,
    private readonly configService: ConfigService,
  ) {}

  async appleLogin(params: {
    identityToken: string;
    authorizationCode: string;
    user?: { name?: { firstName?: string; lastName?: string }; email?: string };
  }) {
    const appleUserId = await this.verifyAppleIdentity(
      params.identityToken,
      params.authorizationCode,
      params.user?.email,
    );

    let account = await this.prisma.authAccount.findUnique({
      where: { provider_providerUserId: { provider: 'apple', providerUserId: appleUserId } },
      include: { user: true },
    });

    if (!account) {
      const displayName =
        params.user?.name
          ? `${params.user.name.lastName || ''}${params.user.name.firstName || ''}`
          : undefined;
      account = await this.prisma.authAccount.create({
        data: {
          provider: 'apple',
          providerUserId: appleUserId,
          email: params.user?.email,
          user: {
            create: {
              email: params.user?.email,
              nickname: displayName || undefined,
              status: 'active',
            },
          },
        },
        include: { user: true },
      });
    }

    const userIdStr = String(account.user.id);

    const accessToken = await this.jwtService.signAsync({
      sub: userIdStr,
      email: account.user.email,
    });

    const refreshToken = crypto.randomBytes(48).toString('hex');
    const refreshTokenHash = crypto
      .createHash('sha256')
      .update(refreshToken)
      .digest('hex');

    await this.prisma.refreshToken.create({
      data: {
        userId: account.user.id,
        tokenHash: refreshTokenHash,
        expiresAt: new Date(Date.now() + 7 * 86400000),
      },
    });

    return { accessToken, refreshToken, expiresIn: 3600 };
  }

  async refresh(refreshToken: string) {
    const hash = crypto.createHash('sha256').update(refreshToken).digest('hex');
    const stored = await this.prisma.refreshToken.findFirst({
      where: { tokenHash: hash, revokedAt: null },
      include: { user: true },
    });

    if (!stored || stored.expiresAt < new Date()) {
      throw new UnauthorizedException('刷新令牌无效或已过期');
    }

    await this.prisma.refreshToken.update({
      where: { id: stored.id },
      data: { revokedAt: new Date() },
    });

    const newRefreshToken = crypto.randomBytes(48).toString('hex');
    const newHash = crypto
      .createHash('sha256')
      .update(newRefreshToken)
      .digest('hex');

    await this.prisma.refreshToken.create({
      data: {
        userId: stored.userId,
        tokenHash: newHash,
        expiresAt: new Date(Date.now() + 7 * 86400000),
      },
    });

    const accessToken = await this.jwtService.signAsync({
      sub: String(stored.user.id),
      email: stored.user.email,
    });

    return {
      accessToken,
      refreshToken: newRefreshToken,
      expiresIn: 3600,
    };
  }

  async logout(userId: number) {
    await this.prisma.refreshToken.updateMany({
      where: { userId, revokedAt: null },
      data: { revokedAt: new Date() },
    });
  }

  private async verifyAppleIdentity(
    identityToken: string,
    authorizationCode: string,
    email?: string | null,
  ): Promise<string> {
    if (this.isMockMode()) {
      return this.verifyMockApple(identityToken, email);
    }
    return this.verifyRealApple(identityToken, authorizationCode);
  }

  private isMockMode(): boolean {
    const env = this.configService.get<string>('app.nodeEnv');
    const aiProvider = this.configService.get<string>('ai.provider');
    return env !== 'production' || aiProvider === 'mock';
  }

  private verifyMockApple(identityToken: string, email?: string | null): string {
    if (!identityToken || identityToken.trim().length < 4) {
      throw new UnauthorizedException('identityToken 无效');
    }
    return crypto
      .createHash('sha256')
      .update(`apple-mock:${identityToken}:${email || 'no-email'}`)
      .digest('hex')
      .slice(0, 64);
  }

  private async verifyRealApple(
    identityToken: string,
    authorizationCode: string,
  ): Promise<string> {
    throw new UnauthorizedException('Apple 登录尚未接入，请先配置 Apple Developer 凭证');
  }
}
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`import * as crypto from 'crypto';`
			`import { Injectable, UnauthorizedException } from '@nestjs/common';`
			`import { JwtService } from '@nestjs/jwt';`
			`import { ConfigService } from '@nestjs/config';`
			`import { PrismaService } from '../../infrastructure/database/prisma.service';`
feat: 重构 api-server 为模块化单体架构，接入 MySQL + Redis - 按 BACKEND-PLAN.md 将项目重构为 4 层架构: config/ -> common/ -> infrastructure/ -> modules/ - 15 个业务模块，遵循 Controller → Service → Repository 分层 - infrastructure: PrismaService / RedisService / QueueService / AiService / StorageService - common: guards / interceptors / filters / pipes / decorators / dto / types / utils - Prisma schema 含 27 张表，MySQL 8.0 服务器 db push 成功 - Redis 7 接入: 限流/任务状态/分布式锁/队列预留 - ai-analysis 模块: 每日 50 次限流 + 重复提交锁 + 异步任务状态追踪 - document-import 模块: 异步导入流程 + 进度追踪 - notifications 模块: BullMQ notification 队列预留 - /health 端点实时返回 database + redis 连接状态 - Swagger 注册 15 个 tag，67 个路由全部映射 2026-05-09 18:25:04 +08:00
			`@Injectable()`
			`export class AuthService {`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`constructor(`
			`private readonly jwtService: JwtService,`
			`private readonly prisma: PrismaService,`
			`private readonly configService: ConfigService,`
			`) {}`
feat: 重构 api-server 为模块化单体架构，接入 MySQL + Redis - 按 BACKEND-PLAN.md 将项目重构为 4 层架构: config/ -> common/ -> infrastructure/ -> modules/ - 15 个业务模块，遵循 Controller → Service → Repository 分层 - infrastructure: PrismaService / RedisService / QueueService / AiService / StorageService - common: guards / interceptors / filters / pipes / decorators / dto / types / utils - Prisma schema 含 27 张表，MySQL 8.0 服务器 db push 成功 - Redis 7 接入: 限流/任务状态/分布式锁/队列预留 - ai-analysis 模块: 每日 50 次限流 + 重复提交锁 + 异步任务状态追踪 - document-import 模块: 异步导入流程 + 进度追踪 - notifications 模块: BullMQ notification 队列预留 - /health 端点实时返回 database + redis 连接状态 - Swagger 注册 15 个 tag，67 个路由全部映射 2026-05-09 18:25:04 +08:00
			`async appleLogin(params: {`
			`identityToken: string;`
			`authorizationCode: string;`
			`user?: { name?: { firstName?: string; lastName?: string }; email?: string };`
			`}) {`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`const appleUserId = await this.verifyAppleIdentity(`
			`params.identityToken,`
			`params.authorizationCode,`
			`params.user?.email,`
			`);`

			`let account = await this.prisma.authAccount.findUnique({`
			`where: { provider_providerUserId: { provider: 'apple', providerUserId: appleUserId } },`
			`include: { user: true },`
			`});`

			`if (!account) {`
feat: 重构 api-server 为模块化单体架构，接入 MySQL + Redis - 按 BACKEND-PLAN.md 将项目重构为 4 层架构: config/ -> common/ -> infrastructure/ -> modules/ - 15 个业务模块，遵循 Controller → Service → Repository 分层 - infrastructure: PrismaService / RedisService / QueueService / AiService / StorageService - common: guards / interceptors / filters / pipes / decorators / dto / types / utils - Prisma schema 含 27 张表，MySQL 8.0 服务器 db push 成功 - Redis 7 接入: 限流/任务状态/分布式锁/队列预留 - ai-analysis 模块: 每日 50 次限流 + 重复提交锁 + 异步任务状态追踪 - document-import 模块: 异步导入流程 + 进度追踪 - notifications 模块: BullMQ notification 队列预留 - /health 端点实时返回 database + redis 连接状态 - Swagger 注册 15 个 tag，67 个路由全部映射 2026-05-09 18:25:04 +08:00			`const displayName =`
			`params.user?.name`
			? `${params.user.name.lastName \|\| ''}${params.user.name.firstName \|\| ''}`
			`: undefined;`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`account = await this.prisma.authAccount.create({`
			`data: {`
			`provider: 'apple',`
			`providerUserId: appleUserId,`
			`email: params.user?.email,`
			`user: {`
			`create: {`
			`email: params.user?.email,`
			`nickname: displayName \|\| undefined,`
			`status: 'active',`
			`},`
			`},`
			`},`
			`include: { user: true },`
feat: 重构 api-server 为模块化单体架构，接入 MySQL + Redis - 按 BACKEND-PLAN.md 将项目重构为 4 层架构: config/ -> common/ -> infrastructure/ -> modules/ - 15 个业务模块，遵循 Controller → Service → Repository 分层 - infrastructure: PrismaService / RedisService / QueueService / AiService / StorageService - common: guards / interceptors / filters / pipes / decorators / dto / types / utils - Prisma schema 含 27 张表，MySQL 8.0 服务器 db push 成功 - Redis 7 接入: 限流/任务状态/分布式锁/队列预留 - ai-analysis 模块: 每日 50 次限流 + 重复提交锁 + 异步任务状态追踪 - document-import 模块: 异步导入流程 + 进度追踪 - notifications 模块: BullMQ notification 队列预留 - /health 端点实时返回 database + redis 连接状态 - Swagger 注册 15 个 tag，67 个路由全部映射 2026-05-09 18:25:04 +08:00			`});`
			`}`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00
			`const userIdStr = String(account.user.id);`

			`const accessToken = await this.jwtService.signAsync({`
			`sub: userIdStr,`
			`email: account.user.email,`
			`});`

			`const refreshToken = crypto.randomBytes(48).toString('hex');`
			`const refreshTokenHash = crypto`
			`.createHash('sha256')`
			`.update(refreshToken)`
			`.digest('hex');`

			`await this.prisma.refreshToken.create({`
			`data: {`
			`userId: account.user.id,`
			`tokenHash: refreshTokenHash,`
			`expiresAt: new Date(Date.now() + 7 * 86400000),`
			`},`
			`});`

feat: 重构 api-server 为模块化单体架构，接入 MySQL + Redis - 按 BACKEND-PLAN.md 将项目重构为 4 层架构: config/ -> common/ -> infrastructure/ -> modules/ - 15 个业务模块，遵循 Controller → Service → Repository 分层 - infrastructure: PrismaService / RedisService / QueueService / AiService / StorageService - common: guards / interceptors / filters / pipes / decorators / dto / types / utils - Prisma schema 含 27 张表，MySQL 8.0 服务器 db push 成功 - Redis 7 接入: 限流/任务状态/分布式锁/队列预留 - ai-analysis 模块: 每日 50 次限流 + 重复提交锁 + 异步任务状态追踪 - document-import 模块: 异步导入流程 + 进度追踪 - notifications 模块: BullMQ notification 队列预留 - /health 端点实时返回 database + redis 连接状态 - Swagger 注册 15 个 tag，67 个路由全部映射 2026-05-09 18:25:04 +08:00			`return { accessToken, refreshToken, expiresIn: 3600 };`
			`}`

			`async refresh(refreshToken: string) {`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`const hash = crypto.createHash('sha256').update(refreshToken).digest('hex');`
			`const stored = await this.prisma.refreshToken.findFirst({`
			`where: { tokenHash: hash, revokedAt: null },`
			`include: { user: true },`
			`});`

			`if (!stored \|\| stored.expiresAt < new Date()) {`
			`throw new UnauthorizedException('刷新令牌无效或已过期');`
			`}`

			`await this.prisma.refreshToken.update({`
			`where: { id: stored.id },`
			`data: { revokedAt: new Date() },`
			`});`

			`const newRefreshToken = crypto.randomBytes(48).toString('hex');`
			`const newHash = crypto`
			`.createHash('sha256')`
			`.update(newRefreshToken)`
			`.digest('hex');`

			`await this.prisma.refreshToken.create({`
			`data: {`
			`userId: stored.userId,`
			`tokenHash: newHash,`
			`expiresAt: new Date(Date.now() + 7 * 86400000),`
			`},`
			`});`

			`const accessToken = await this.jwtService.signAsync({`
			`sub: String(stored.user.id),`
			`email: stored.user.email,`
			`});`

			`return {`
			`accessToken,`
			`refreshToken: newRefreshToken,`
			`expiresIn: 3600,`
			`};`
			`}`

			`async logout(userId: number) {`
			`await this.prisma.refreshToken.updateMany({`
			`where: { userId, revokedAt: null },`
			`data: { revokedAt: new Date() },`
			`});`
			`}`

			`private async verifyAppleIdentity(`
			`identityToken: string,`
			`authorizationCode: string,`
			`email?: string \| null,`
			`): Promise<string> {`
			`if (this.isMockMode()) {`
			`return this.verifyMockApple(identityToken, email);`
			`}`
			`return this.verifyRealApple(identityToken, authorizationCode);`
			`}`

			`private isMockMode(): boolean {`
fix: mock 模式检查同时看 NODE_ENV 和 AI_PROVIDER 2026-05-09 19:49:50 +08:00			`const env = this.configService.get<string>('app.nodeEnv');`
			`const aiProvider = this.configService.get<string>('ai.provider');`
			`return env !== 'production' \|\| aiProvider === 'mock';`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`}`

			`private verifyMockApple(identityToken: string, email?: string \| null): string {`
			`if (!identityToken \|\| identityToken.trim().length < 4) {`
			`throw new UnauthorizedException('identityToken 无效');`
			`}`
			`return crypto`
			`.createHash('sha256')`
			.update(`apple-mock:${identityToken}:${email \|\| 'no-email'}`)
			`.digest('hex')`
			`.slice(0, 64);`
feat: 重构 api-server 为模块化单体架构，接入 MySQL + Redis - 按 BACKEND-PLAN.md 将项目重构为 4 层架构: config/ -> common/ -> infrastructure/ -> modules/ - 15 个业务模块，遵循 Controller → Service → Repository 分层 - infrastructure: PrismaService / RedisService / QueueService / AiService / StorageService - common: guards / interceptors / filters / pipes / decorators / dto / types / utils - Prisma schema 含 27 张表，MySQL 8.0 服务器 db push 成功 - Redis 7 接入: 限流/任务状态/分布式锁/队列预留 - ai-analysis 模块: 每日 50 次限流 + 重复提交锁 + 异步任务状态追踪 - document-import 模块: 异步导入流程 + 进度追踪 - notifications 模块: BullMQ notification 队列预留 - /health 端点实时返回 database + redis 连接状态 - Swagger 注册 15 个 tag，67 个路由全部映射 2026-05-09 18:25:04 +08:00			`}`

feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`private async verifyRealApple(`
			`identityToken: string,`
			`authorizationCode: string,`
			`): Promise<string> {`
			`throw new UnauthorizedException('Apple 登录尚未接入，请先配置 Apple Developer 凭证');`
feat: 重构 api-server 为模块化单体架构，接入 MySQL + Redis - 按 BACKEND-PLAN.md 将项目重构为 4 层架构: config/ -> common/ -> infrastructure/ -> modules/ - 15 个业务模块，遵循 Controller → Service → Repository 分层 - infrastructure: PrismaService / RedisService / QueueService / AiService / StorageService - common: guards / interceptors / filters / pipes / decorators / dto / types / utils - Prisma schema 含 27 张表，MySQL 8.0 服务器 db push 成功 - Redis 7 接入: 限流/任务状态/分布式锁/队列预留 - ai-analysis 模块: 每日 50 次限流 + 重复提交锁 + 异步任务状态追踪 - document-import 模块: 异步导入流程 + 进度追踪 - notifications 模块: BullMQ notification 队列预留 - /health 端点实时返回 database + redis 连接状态 - Swagger 注册 15 个 tag，67 个路由全部映射 2026-05-09 18:25:04 +08:00			`}`
			`}`