api-server/src/common/guards/jwt-auth.guard.ts

import {
  Injectable,
  CanActivate,
  ExecutionContext,
  UnauthorizedException,
} from '@nestjs/common';
import { Reflector } from '@nestjs/core';
import { JwtService } from '@nestjs/jwt';
import { ConfigService } from '@nestjs/config';
import { Request } from 'express';
import { IS_PUBLIC_KEY } from '../decorators/public.decorator';

@Injectable()
export class JwtAuthGuard implements CanActivate {
  constructor(
    private readonly jwtService: JwtService,
    private readonly configService: ConfigService,
    private readonly reflector: Reflector,
  ) {}

  async canActivate(context: ExecutionContext): Promise<boolean> {
    const isPublic = this.reflector.getAllAndOverride<boolean>(IS_PUBLIC_KEY, [
      context.getHandler(),
      context.getClass(),
    ]);
    if (isPublic) return true;

    const request = context.switchToHttp().getRequest<Request>();
    const token = this.extractToken(request);

    if (!token) {
      throw new UnauthorizedException('请先登录');
    }

    try {
      const payload = await this.jwtService.verifyAsync(token, {
        secret: this.configService.get<string>('jwt.secret'),
      });
      request.user = { id: String(payload.sub), email: payload.email, role: payload.role };
      return true;
    } catch {
      throw new UnauthorizedException('登录已过期，请重新登录');
    }
  }

  private extractToken(request: Request): string | undefined {
    const authHeader = request.headers.authorization;
    if (!authHeader?.startsWith('Bearer ')) return undefined;
    return authHeader.split(' ')[1];
  }
}
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`import {`
			`Injectable,`
			`CanActivate,`
			`ExecutionContext,`
			`UnauthorizedException,`
			`} from '@nestjs/common';`
feat: AI三层架构 + 全局JwtAuthGuard + 12个Repository迁Prisma - AI: 新三层架构 Provider→Gateway→Workflow（15文件，DeepSeek+MiniMax） - Auth: 全局JwtAuthGuard + @Public()装饰器白名单路由 - DB: 12个Repository从Map/Array迁到Prisma - Schema: 新增AiUsageLog、WaitlistEntry模型 - API: /api-docs-json加Basic Auth保护 - 清理: 删除infrastructure/ai、docs/旧文档 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-17 00:39:46 +08:00			`import { Reflector } from '@nestjs/core';`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`import { JwtService } from '@nestjs/jwt';`
			`import { ConfigService } from '@nestjs/config';`
			`import { Request } from 'express';`
feat: AI三层架构 + 全局JwtAuthGuard + 12个Repository迁Prisma - AI: 新三层架构 Provider→Gateway→Workflow（15文件，DeepSeek+MiniMax） - Auth: 全局JwtAuthGuard + @Public()装饰器白名单路由 - DB: 12个Repository从Map/Array迁到Prisma - Schema: 新增AiUsageLog、WaitlistEntry模型 - API: /api-docs-json加Basic Auth保护 - 清理: 删除infrastructure/ai、docs/旧文档 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-17 00:39:46 +08:00			`import { IS_PUBLIC_KEY } from '../decorators/public.decorator';`
feat: 重构 api-server 为模块化单体架构，接入 MySQL + Redis - 按 BACKEND-PLAN.md 将项目重构为 4 层架构: config/ -> common/ -> infrastructure/ -> modules/ - 15 个业务模块，遵循 Controller → Service → Repository 分层 - infrastructure: PrismaService / RedisService / QueueService / AiService / StorageService - common: guards / interceptors / filters / pipes / decorators / dto / types / utils - Prisma schema 含 27 张表，MySQL 8.0 服务器 db push 成功 - Redis 7 接入: 限流/任务状态/分布式锁/队列预留 - ai-analysis 模块: 每日 50 次限流 + 重复提交锁 + 异步任务状态追踪 - document-import 模块: 异步导入流程 + 进度追踪 - notifications 模块: BullMQ notification 队列预留 - /health 端点实时返回 database + redis 连接状态 - Swagger 注册 15 个 tag，67 个路由全部映射 2026-05-09 18:25:04 +08:00
			`@Injectable()`
			`export class JwtAuthGuard implements CanActivate {`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`constructor(`
			`private readonly jwtService: JwtService,`
			`private readonly configService: ConfigService,`
feat: AI三层架构 + 全局JwtAuthGuard + 12个Repository迁Prisma - AI: 新三层架构 Provider→Gateway→Workflow（15文件，DeepSeek+MiniMax） - Auth: 全局JwtAuthGuard + @Public()装饰器白名单路由 - DB: 12个Repository从Map/Array迁到Prisma - Schema: 新增AiUsageLog、WaitlistEntry模型 - API: /api-docs-json加Basic Auth保护 - 清理: 删除infrastructure/ai、docs/旧文档 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-17 00:39:46 +08:00			`private readonly reflector: Reflector,`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`) {}`

			`async canActivate(context: ExecutionContext): Promise<boolean> {`
feat: AI三层架构 + 全局JwtAuthGuard + 12个Repository迁Prisma - AI: 新三层架构 Provider→Gateway→Workflow（15文件，DeepSeek+MiniMax） - Auth: 全局JwtAuthGuard + @Public()装饰器白名单路由 - DB: 12个Repository从Map/Array迁到Prisma - Schema: 新增AiUsageLog、WaitlistEntry模型 - API: /api-docs-json加Basic Auth保护 - 清理: 删除infrastructure/ai、docs/旧文档 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> 2026-05-17 00:39:46 +08:00			`const isPublic = this.reflector.getAllAndOverride<boolean>(IS_PUBLIC_KEY, [`
			`context.getHandler(),`
			`context.getClass(),`
			`]);`
			`if (isPublic) return true;`

feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`const request = context.switchToHttp().getRequest<Request>();`
			`const token = this.extractToken(request);`

			`if (!token) {`
			`throw new UnauthorizedException('请先登录');`
			`}`

			`try {`
			`const payload = await this.jwtService.verifyAsync(token, {`
			`secret: this.configService.get<string>('jwt.secret'),`
			`});`
refactor(auth): restructure auth system, align with iOS login flow spec - Split AuthService into AppleAuthService, TokenService, AuthService - Add dev-login endpoint (dev-only, disabled in production) - AppleLoginDto: authorizationCode optional, add userIdentifier/email/fullName/nonce - Login/refresh responses now include user object - logout: single-token revoke + JwtAuthGuard protection - users.repository: switch from in-memory Map to Prisma persistence - JWT payload includes role, guards attach full user info to request - Dual JWT secret support (JWT_ACCESS_SECRET / JWT_REFRESH_SECRET) - Replace jwks-rsa+jsonwebtoken with jose library - Prisma User model: add role field - Independent DTO files with @Transform for empty string safety - Add 5 iOS login flow documentation files 2026-05-13 17:31:50 +08:00			`request.user = { id: String(payload.sub), email: payload.email, role: payload.role };`
feat: 安全基线 + 4个安全漏洞修复 - JWT AuthGuard/OptionalAuthGuard, StrictValidationPipe, 全局异常过滤器, Redis限流429, Apple登录mock模式, BigInt精度修复, SECURITY.md 2026-05-09 18:57:33 +08:00			`return true;`
			`} catch {`
			`throw new UnauthorizedException('登录已过期，请重新登录');`
			`}`
			`}`

			`private extractToken(request: Request): string \| undefined {`
			`const authHeader = request.headers.authorization;`
			`if (!authHeader?.startsWith('Bearer ')) return undefined;`
			`return authHeader.split(' ')[1];`
feat: 重构 api-server 为模块化单体架构，接入 MySQL + Redis - 按 BACKEND-PLAN.md 将项目重构为 4 层架构: config/ -> common/ -> infrastructure/ -> modules/ - 15 个业务模块，遵循 Controller → Service → Repository 分层 - infrastructure: PrismaService / RedisService / QueueService / AiService / StorageService - common: guards / interceptors / filters / pipes / decorators / dto / types / utils - Prisma schema 含 27 张表，MySQL 8.0 服务器 db push 成功 - Redis 7 接入: 限流/任务状态/分布式锁/队列预留 - ai-analysis 模块: 每日 50 次限流 + 重复提交锁 + 异步任务状态追踪 - document-import 模块: 异步导入流程 + 进度追踪 - notifications 模块: BullMQ notification 队列预留 - /health 端点实时返回 database + redis 连接状态 - Swagger 注册 15 个 tag，67 个路由全部映射 2026-05-09 18:25:04 +08:00			`}`
			`}`