BatchUploadAuth 仅用于批量上传相关接口。它同时接受普通登录 JWT、channel token(如 SSO 登录发放的 token)和 MCP 换发的短期委派 token。
(role int64)
| 12 | // BatchUploadAuth 仅用于批量上传相关接口。 |
| 13 | // 它同时接受普通登录 JWT、channel token(如 SSO 登录发放的 token)和 MCP 换发的短期委派 token。 |
| 14 | func BatchUploadAuth(role int64) gin.HandlerFunc { |
| 15 | return func(c *gin.Context) { |
| 16 | token := tokenFromAuthorization(c.GetHeader("Authorization")) |
| 17 | if token == "" { |
| 18 | c.JSON(http.StatusUnauthorized, model.UnauthorizedError.ToResponse(nil)) |
| 19 | c.Abort() |
| 20 | return |
| 21 | } |
| 22 | |
| 23 | if user, tokenEid, err := HandleTokenAuth(token, role); err == nil { |
| 24 | setUserSession(c, user, tokenEid) |
| 25 | c.Next() |
| 26 | return |
| 27 | } |
| 28 | |
| 29 | // 也支持 channel token(如 SSO 登录发放的 token) |
| 30 | if channelUser, _, _, channelErr := model.ValidateUserChannelToken(token); channelErr == nil { |
| 31 | if channelUser == nil || channelUser.Status == model.UserStatusDisabled { |
| 32 | c.JSON(http.StatusUnauthorized, model.ForbiddenError.ToResponse(nil)) |
| 33 | c.Abort() |
| 34 | return |
| 35 | } |
| 36 | if role > 0 && channelUser.Role < role { |
| 37 | c.JSON(http.StatusUnauthorized, model.ForbiddenError.ToResponse(nil)) |
| 38 | c.Abort() |
| 39 | return |
| 40 | } |
| 41 | setUserSession(c, channelUser, channelUser.Eid) |
| 42 | c.Next() |
| 43 | return |
| 44 | } |
| 45 | |
| 46 | claims, err := jwt.ParseUploadDelegateJWT(token) |
| 47 | if err != nil { |
| 48 | if strings.Contains(err.Error(), "token is expired") { |
| 49 | c.JSON(http.StatusUnauthorized, model.TokenExpiredError.ToResponse(nil)) |
| 50 | } else if strings.Contains(err.Error(), "token has invalid claims") || strings.Contains(err.Error(), "signature") { |
| 51 | c.JSON(http.StatusUnauthorized, model.ForbiddenError.ToResponse(nil)) |
| 52 | } else { |
| 53 | c.JSON(http.StatusUnauthorized, model.UnauthorizedError.ToResponse(nil)) |
| 54 | } |
| 55 | c.Abort() |
| 56 | return |
| 57 | } |
| 58 | |
| 59 | if claims.Scope != jwt.UploadDelegateScopeBatch { |
| 60 | c.JSON(http.StatusUnauthorized, model.ForbiddenError.ToResponse(nil)) |
| 61 | c.Abort() |
| 62 | return |
| 63 | } |
| 64 | |
| 65 | user, err := model.GetUserByID(claims.UserID) |
| 66 | if err != nil || user == nil { |
| 67 | c.JSON(http.StatusUnauthorized, model.ForbiddenError.ToResponse(nil)) |
| 68 | c.Abort() |
| 69 | return |
| 70 | } |
| 71 | if user.Status == model.UserStatusDisabled { |