v4.6 -1 (#459)

packages/service/support/permission/auth/app.ts

@@ -0,0 +1,72 @@
+import { MongoApp } from '../../../core/app/schema';
+import { AppDetailType } from '@fastgpt/global/core/app/type.d';
+import { AuthModeType } from '../type';
+import { AuthResponseType } from '@fastgpt/global/support/permission/type';
+import { TeamMemberRoleEnum } from '@fastgpt/global/support/user/team/constant';
+import { parseHeaderCert } from '../controller';
+import { PermissionTypeEnum } from '@fastgpt/global/support/permission/constant';
+import { AppErrEnum } from '@fastgpt/global/common/error/code/app';
+import { getTeamInfoByTmbId } from '../../user/team/controller';
+
+// 模型使用权校验
+export async function authApp({
+  appId,
+  per = 'owner',
+  ...props
+}: AuthModeType & {
+  appId: string;
+}): Promise<
+  AuthResponseType & {
+    teamOwner: boolean;
+    app: AppDetailType;
+  }
+> {
+  const result = await parseHeaderCert(props);
+  const { userId, teamId, tmbId } = result;
+  const { role } = await getTeamInfoByTmbId({ tmbId });
+
+  const { app, isOwner, canWrite } = await (async () => {
+    // get app
+    const app = (await MongoApp.findOne({ _id: appId, teamId }))?.toJSON();
+    if (!app) {
+      return Promise.reject(AppErrEnum.unAuthApp);
+    }
+
+    const isOwner =
+      role !== TeamMemberRoleEnum.visitor &&
+      (String(app.tmbId) === tmbId || role === TeamMemberRoleEnum.owner);
+    const canWrite =
+      isOwner ||
+      (app.permission === PermissionTypeEnum.public && role !== TeamMemberRoleEnum.visitor);
+
+    if (per === 'r') {
+      if (!isOwner && app.permission !== PermissionTypeEnum.public) {
+        return Promise.reject(AppErrEnum.unAuthApp);
+      }
+    }
+    if (per === 'w' && !canWrite) {
+      return Promise.reject(AppErrEnum.unAuthApp);
+    }
+    if (per === 'owner' && !isOwner) {
+      return Promise.reject(AppErrEnum.unAuthApp);
+    }
+
+    return {
+      app: {
+        ...app,
+        isOwner,
+        canWrite
+      },
+      isOwner,
+      canWrite
+    };
+  })();
+
+  return {
+    ...result,
+    app,
+    isOwner,
+    canWrite,
+    teamOwner: role === TeamMemberRoleEnum.owner
+  };
+}

packages/service/support/permission/auth/chat.ts

@@ -0,0 +1,67 @@
+import { AuthResponseType } from '@fastgpt/global/support/permission/type';
+import { AuthModeType } from '../type';
+import type { ChatSchema, ChatWithAppSchema } from '@fastgpt/global/core/chat/type';
+import { parseHeaderCert } from '../controller';
+import { MongoChat } from '../../../core/chat/chatSchema';
+import { ChatErrEnum } from '@fastgpt/global/common/error/code/chat';
+import { getTeamInfoByTmbId } from '../../user/team/controller';
+import { TeamMemberRoleEnum } from '@fastgpt/global/support/user/team/constant';
+import { PermissionTypeEnum } from '@fastgpt/global/support/permission/constant';
+
+export async function authChat({
+  chatId,
+  per = 'owner',
+  ...props
+}: AuthModeType & {
+  chatId: string;
+}): Promise<
+  AuthResponseType & {
+    chat: ChatSchema;
+  }
+> {
+  const { userId, teamId, tmbId } = await parseHeaderCert(props);
+  const { role } = await getTeamInfoByTmbId({ tmbId });
+
+  const { chat, isOwner, canWrite } = await (async () => {
+    // get chat
+    const chat = (
+      await MongoChat.findOne({ chatId, teamId }).populate('appId')
+    )?.toJSON() as ChatWithAppSchema;
+
+    if (!chat) {
+      return Promise.reject('Chat is not exists');
+    }
+
+    const isOwner = role === TeamMemberRoleEnum.owner || String(chat.tmbId) === tmbId;
+    const canWrite = isOwner;
+
+    if (
+      per === 'r' &&
+      role !== TeamMemberRoleEnum.owner &&
+      chat.appId.permission !== PermissionTypeEnum.public
+    ) {
+      return Promise.reject(ChatErrEnum.unAuthChat);
+    }
+    if (per === 'w' && !canWrite) {
+      return Promise.reject(ChatErrEnum.unAuthChat);
+    }
+    if (per === 'owner' && !isOwner) {
+      return Promise.reject(ChatErrEnum.unAuthChat);
+    }
+
+    return {
+      chat,
+      isOwner,
+      canWrite
+    };
+  })();
+
+  return {
+    userId,
+    teamId,
+    tmbId,
+    chat,
+    isOwner,
+    canWrite
+  };
+}

packages/service/support/permission/auth/common.ts

@@ -0,0 +1,12 @@
+import { parseHeaderCert } from '../controller';
+import { AuthModeType } from '../type';
+
+export const authCert = async (props: AuthModeType) => {
+  const result = await parseHeaderCert(props);
+
+  return {
+    ...result,
+    isOwner: true,
+    canWrite: true
+  };
+};

packages/service/support/permission/auth/dataset.ts

@@ -0,0 +1,181 @@
+import { AuthModeType } from '../type';
+import { parseHeaderCert } from '../controller';
+import { DatasetErrEnum } from '@fastgpt/global/common/error/code/dataset';
+import { MongoDataset } from '../../../core/dataset/schema';
+import { getCollectionWithDataset } from '../../../core/dataset/controller';
+import { PermissionTypeEnum } from '@fastgpt/global/support/permission/constant';
+import { TeamMemberRoleEnum } from '@fastgpt/global/support/user/team/constant';
+import { AuthResponseType } from '@fastgpt/global/support/permission/type';
+import {
+  CollectionWithDatasetType,
+  DatasetFileSchema,
+  DatasetSchemaType
+} from '@fastgpt/global/core/dataset/type';
+import { getFileById } from '../../../common/file/gridfs/controller';
+import { BucketNameEnum } from '@fastgpt/global/common/file/constants';
+import { getTeamInfoByTmbId } from '../../user/team/controller';
+
+export async function authDataset({
+  datasetId,
+  per = 'owner',
+  ...props
+}: AuthModeType & {
+  datasetId: string;
+}): Promise<
+  AuthResponseType & {
+    dataset: DatasetSchemaType;
+  }
+> {
+  const result = await parseHeaderCert(props);
+  const { userId, teamId, tmbId } = result;
+  const { role } = await getTeamInfoByTmbId({ tmbId });
+
+  const { dataset, isOwner, canWrite } = await (async () => {
+    const dataset = (await MongoDataset.findOne({ _id: datasetId, teamId }))?.toJSON();
+
+    if (!dataset) {
+      return Promise.reject(DatasetErrEnum.unAuthDataset);
+    }
+
+    const isOwner =
+      role !== TeamMemberRoleEnum.visitor &&
+      (String(dataset.tmbId) === tmbId || role === TeamMemberRoleEnum.owner);
+    const canWrite =
+      isOwner ||
+      (role !== TeamMemberRoleEnum.visitor && dataset.permission === PermissionTypeEnum.public);
+    if (per === 'r') {
+      if (!isOwner && dataset.permission !== PermissionTypeEnum.public) {
+        return Promise.reject(DatasetErrEnum.unAuthDataset);
+      }
+    }
+    if (per === 'w' && !canWrite) {
+      return Promise.reject(DatasetErrEnum.unAuthDataset);
+    }
+    if (per === 'owner' && !isOwner) {
+      return Promise.reject(DatasetErrEnum.unAuthDataset);
+    }
+
+    return { dataset, isOwner, canWrite };
+  })();
+
+  return {
+    ...result,
+    dataset,
+    isOwner,
+    canWrite
+  };
+}
+
+/* 
+   Read: in team and dataset permission is public
+   Write: in team, not visitor and dataset permission is public
+*/
+export async function authDatasetCollection({
+  collectionId,
+  per = 'owner',
+  ...props
+}: AuthModeType & {
+  collectionId: string;
+}): Promise<
+  AuthResponseType & {
+    collection: CollectionWithDatasetType;
+  }
+> {
+  const { userId, teamId, tmbId } = await parseHeaderCert(props);
+  const { role } = await getTeamInfoByTmbId({ tmbId });
+
+  const { collection, isOwner, canWrite } = await (async () => {
+    const collection = await getCollectionWithDataset(collectionId);
+
+    if (!collection || String(collection.teamId) !== teamId) {
+      return Promise.reject(DatasetErrEnum.unAuthDatasetCollection);
+    }
+
+    const isOwner =
+      String(collection.datasetId.tmbId) === tmbId || role === TeamMemberRoleEnum.owner;
+    const canWrite =
+      isOwner ||
+      (role !== TeamMemberRoleEnum.visitor &&
+        collection.datasetId.permission === PermissionTypeEnum.public);
+
+    if (per === 'r') {
+      if (!isOwner && collection.datasetId.permission !== PermissionTypeEnum.public) {
+        return Promise.reject(DatasetErrEnum.unAuthDatasetCollection);
+      }
+    }
+    if (per === 'w' && !canWrite) {
+      return Promise.reject(DatasetErrEnum.unAuthDatasetCollection);
+    }
+    if (per === 'owner' && !isOwner) {
+      return Promise.reject(DatasetErrEnum.unAuthDatasetCollection);
+    }
+
+    return {
+      collection,
+      isOwner,
+      canWrite
+    };
+  })();
+
+  return {
+    userId,
+    teamId,
+    tmbId,
+    collection,
+    isOwner,
+    canWrite
+  };
+}
+
+export async function authDatasetFile({
+  fileId,
+  per = 'owner',
+  ...props
+}: AuthModeType & {
+  fileId: string;
+}): Promise<
+  AuthResponseType & {
+    file: DatasetFileSchema;
+  }
+> {
+  const { userId, teamId, tmbId } = await parseHeaderCert(props);
+  const { role } = await getTeamInfoByTmbId({ tmbId });
+
+  const file = await getFileById({ bucketName: BucketNameEnum.dataset, fileId });
+
+  if (file.metadata.teamId !== teamId) {
+    return Promise.reject(DatasetErrEnum.unAuthDatasetFile);
+  }
+
+  const { dataset } = await authDataset({
+    ...props,
+    datasetId: file.metadata.datasetId,
+    per
+  });
+  const isOwner =
+    role !== TeamMemberRoleEnum.visitor &&
+    (String(dataset.tmbId) === tmbId || role === TeamMemberRoleEnum.owner);
+
+  const canWrite =
+    isOwner ||
+    (role !== TeamMemberRoleEnum.visitor && dataset.permission === PermissionTypeEnum.public);
+
+  if (per === 'r' && !isOwner && dataset.permission !== PermissionTypeEnum.public) {
+    return Promise.reject(DatasetErrEnum.unAuthDatasetFile);
+  }
+  if (per === 'w' && !canWrite) {
+    return Promise.reject(DatasetErrEnum.unAuthDatasetFile);
+  }
+  if (per === 'owner' && !isOwner) {
+    return Promise.reject(DatasetErrEnum.unAuthDatasetFile);
+  }
+
+  return {
+    userId,
+    teamId,
+    tmbId,
+    file,
+    isOwner,
+    canWrite
+  };
+}

packages/service/support/permission/auth/openapi.ts

@@ -0,0 +1,61 @@
+import { AuthResponseType } from '@fastgpt/global/support/permission/type';
+import { AuthModeType } from '../type';
+import { OpenApiSchema } from '@fastgpt/global/support/openapi/type';
+import { parseHeaderCert } from '../controller';
+import { getTeamInfoByTmbId } from '../../user/team/controller';
+import { MongoOpenApi } from '../../openapi/schema';
+import { OpenApiErrEnum } from '@fastgpt/global/common/error/code/openapi';
+import { TeamMemberRoleEnum } from '@fastgpt/global/support/user/team/constant';
+import { PermissionTypeEnum } from '@fastgpt/global/support/permission/constant';
+
+export async function authOpenApiKeyCrud({
+  id,
+  per = 'owner',
+  ...props
+}: AuthModeType & {
+  id: string;
+}): Promise<
+  AuthResponseType & {
+    openapi: OpenApiSchema;
+  }
+> {
+  const result = await parseHeaderCert(props);
+  const { tmbId, teamId } = result;
+
+  const { role } = await getTeamInfoByTmbId({ tmbId });
+
+  const { openapi, isOwner, canWrite } = await (async () => {
+    const openapi = await MongoOpenApi.findOne({ _id: id, teamId });
+
+    if (!openapi) {
+      throw new Error(OpenApiErrEnum.unExist);
+    }
+
+    const isOwner = String(openapi.tmbId) === tmbId || role === TeamMemberRoleEnum.owner;
+    const canWrite =
+      isOwner || (String(openapi.tmbId) === tmbId && role !== TeamMemberRoleEnum.visitor);
+
+    if (per === 'r' && !canWrite) {
+      return Promise.reject(OpenApiErrEnum.unAuth);
+    }
+    if (per === 'w' && !canWrite) {
+      return Promise.reject(OpenApiErrEnum.unAuth);
+    }
+    if (per === 'owner' && !isOwner) {
+      return Promise.reject(OpenApiErrEnum.unAuth);
+    }
+
+    return {
+      openapi,
+      isOwner,
+      canWrite
+    };
+  })();
+
+  return {
+    ...result,
+    openapi,
+    isOwner,
+    canWrite
+  };
+}

packages/service/support/permission/auth/outLink.ts

@@ -0,0 +1,98 @@
+import { TeamMemberRoleEnum } from '@fastgpt/global/support/user/team/constant';
+import { AuthModeType } from '../type';
+import { AuthResponseType } from '@fastgpt/global/support/permission/type';
+import { AppDetailType } from '@fastgpt/global/core/app/type';
+import { OutLinkSchema } from '@fastgpt/global/support/outLink/type';
+import { parseHeaderCert } from '../controller';
+import { MongoOutLink } from '../../outLink/schema';
+import { MongoApp } from '../../../core/app/schema';
+import { OutLinkErrEnum } from '@fastgpt/global/common/error/code/outLink';
+import { PermissionTypeEnum } from '@fastgpt/global/support/permission/constant';
+import { AppErrEnum } from '@fastgpt/global/common/error/code/app';
+import { getTeamInfoByTmbId } from '../../user/team/controller';
+
+/* crud outlink permission */
+export async function authOutLinkCrud({
+  outLinkId,
+  per = 'owner',
+  ...props
+}: AuthModeType & {
+  outLinkId: string;
+}): Promise<
+  AuthResponseType & {
+    app: AppDetailType;
+    outLink: OutLinkSchema;
+  }
+> {
+  const result = await parseHeaderCert(props);
+  const { tmbId, teamId } = result;
+
+  const { role } = await getTeamInfoByTmbId({ tmbId });
+
+  const { app, outLink, isOwner, canWrite } = await (async () => {
+    const outLink = await MongoOutLink.findOne({ _id: outLinkId, teamId });
+
+    if (!outLink) {
+      throw new Error(OutLinkErrEnum.unExist);
+    }
+
+    const app = await MongoApp.findById(outLink.appId);
+
+    if (!app) {
+      return Promise.reject(AppErrEnum.unExist);
+    }
+
+    const isOwner = String(outLink.tmbId) === tmbId || role === TeamMemberRoleEnum.owner;
+    const canWrite =
+      isOwner ||
+      (app.permission === PermissionTypeEnum.public && role !== TeamMemberRoleEnum.visitor);
+
+    if (per === 'r' && !isOwner && app.permission !== PermissionTypeEnum.public) {
+      return Promise.reject(OutLinkErrEnum.unAuthLink);
+    }
+    if (per === 'w' && !canWrite) {
+      return Promise.reject(OutLinkErrEnum.unAuthLink);
+    }
+    if (per === 'owner' && !isOwner) {
+      return Promise.reject(OutLinkErrEnum.unAuthLink);
+    }
+
+    return {
+      app: {
+        ...app,
+        isOwner: String(app.tmbId) === tmbId,
+        canWrite
+      },
+      outLink,
+      isOwner,
+      canWrite
+    };
+  })();
+
+  return {
+    ...result,
+    app,
+    outLink,
+    isOwner,
+    canWrite
+  };
+}
+
+export async function authOutLinkValid({ shareId }: { shareId?: string }) {
+  const shareChat = await MongoOutLink.findOne({ shareId });
+
+  if (!shareChat) {
+    return Promise.reject(OutLinkErrEnum.linkUnInvalid);
+  }
+
+  const app = await MongoApp.findById(shareChat.appId);
+
+  if (!app) {
+    return Promise.reject(AppErrEnum.unExist);
+  }
+
+  return {
+    app,
+    shareChat
+  };
+}

packages/service/support/permission/auth/plugin.ts

@@ -0,0 +1,56 @@
+import { AuthResponseType } from '@fastgpt/global/support/permission/type';
+import { AuthModeType } from '../type';
+import { parseHeaderCert } from '../controller';
+import { getTeamInfoByTmbId } from '../../user/team/controller';
+import { TeamMemberRoleEnum } from '@fastgpt/global/support/user/team/constant';
+import { MongoPlugin } from '../../../core/plugin/schema';
+import { PluginErrEnum } from '@fastgpt/global/common/error/code/plugin';
+import { PluginItemSchema } from '@fastgpt/global/core/plugin/type';
+
+export async function authPluginCrud({
+  id,
+  per = 'owner',
+  ...props
+}: AuthModeType & {
+  id: string;
+}): Promise<
+  AuthResponseType & {
+    plugin: PluginItemSchema;
+  }
+> {
+  const result = await parseHeaderCert(props);
+  const { tmbId, teamId } = result;
+
+  const { role } = await getTeamInfoByTmbId({ tmbId });
+
+  const { plugin, isOwner, canWrite } = await (async () => {
+    const plugin = await MongoPlugin.findOne({ _id: id, teamId });
+
+    if (!plugin) {
+      throw new Error(PluginErrEnum.unExist);
+    }
+
+    const isOwner = String(plugin.tmbId) === tmbId || role === TeamMemberRoleEnum.owner;
+    const canWrite = isOwner;
+
+    if (per === 'w' && !canWrite) {
+      return Promise.reject(PluginErrEnum.unAuth);
+    }
+    if (per === 'owner' && !isOwner) {
+      return Promise.reject(PluginErrEnum.unAuth);
+    }
+
+    return {
+      plugin,
+      isOwner,
+      canWrite
+    };
+  })();
+
+  return {
+    ...result,
+    plugin,
+    isOwner,
+    canWrite
+  };
+}

packages/service/support/permission/auth/user.ts

@@ -0,0 +1,52 @@
+import { AuthResponseType } from '@fastgpt/global/support/permission/type';
+import { AuthModeType } from '../type';
+import { TeamItemType } from '@fastgpt/global/support/user/team/type';
+import { TeamMemberRoleEnum } from '@fastgpt/global/support/user/team/constant';
+import { parseHeaderCert } from '../controller';
+import { getTeamInfoByTmbId } from '../../user/team/controller';
+import { UserErrEnum } from '../../../../global/common/error/code/user';
+
+export async function authUserNotVisitor(props: AuthModeType): Promise<
+  AuthResponseType & {
+    team: TeamItemType;
+    role: `${TeamMemberRoleEnum}`;
+  }
+> {
+  const { userId, teamId, tmbId } = await parseHeaderCert(props);
+  const team = await getTeamInfoByTmbId({ tmbId });
+
+  if (team.role === TeamMemberRoleEnum.visitor) {
+    return Promise.reject(UserErrEnum.binVisitor);
+  }
+
+  return {
+    userId,
+    teamId,
+    tmbId,
+    team,
+    role: team.role,
+    isOwner: team.role === TeamMemberRoleEnum.owner, // teamOwner
+    canWrite: true
+  };
+}
+
+/* auth user role  */
+export async function authUserRole(props: AuthModeType): Promise<
+  AuthResponseType & {
+    role: `${TeamMemberRoleEnum}`;
+    teamOwner: boolean;
+  }
+> {
+  const { userId, teamId, tmbId } = await parseHeaderCert(props);
+  const { role: userRole, canWrite } = await getTeamInfoByTmbId({ tmbId });
+
+  return {
+    userId,
+    teamId,
+    tmbId,
+    isOwner: true,
+    role: userRole,
+    teamOwner: userRole === TeamMemberRoleEnum.owner,
+    canWrite
+  };
+}

packages/service/support/permission/controller.ts

@@ -0,0 +1,241 @@
+import Cookie from 'cookie';
+import { ERROR_ENUM } from '@fastgpt/global/common/error/errorCode';
+import jwt from 'jsonwebtoken';
+import { NextApiResponse } from 'next';
+import type { AuthModeType, ReqHeaderAuthType } from './type.d';
+import { AuthUserTypeEnum } from '@fastgpt/global/support/permission/constant';
+import { authOpenApiKey } from '../openapi/auth';
+import { FileTokenQuery } from '@fastgpt/global/common/file/type';
+
+/* create token */
+export function createJWT(user: { _id?: string; team?: { teamId?: string; tmbId: string } }) {
+  const key = process.env.TOKEN_KEY as string;
+  const token = jwt.sign(
+    {
+      userId: String(user._id),
+      teamId: String(user.team?.teamId),
+      tmbId: String(user.team?.tmbId),
+      exp: Math.floor(Date.now() / 1000) + 60 * 60 * 24 * 7
+    },
+    key
+  );
+  return token;
+}
+
+// auth token
+export function authJWT(token: string) {
+  return new Promise<{
+    userId: string;
+    teamId: string;
+    tmbId: string;
+  }>((resolve, reject) => {
+    const key = process.env.TOKEN_KEY as string;
+
+    jwt.verify(token, key, function (err, decoded: any) {
+      if (err || !decoded?.userId) {
+        reject(ERROR_ENUM.unAuthorization);
+        return;
+      }
+
+      resolve({
+        userId: decoded.userId,
+        teamId: decoded.teamId || '',
+        tmbId: decoded.tmbId
+      });
+    });
+  });
+}
+
+export async function parseHeaderCert({
+  req,
+  authToken = false,
+  authRoot = false,
+  authApiKey = false
+}: AuthModeType) {
+  // parse jwt
+  async function authCookieToken(cookie?: string, token?: string) {
+    // 获取 cookie
+    const cookies = Cookie.parse(cookie || '');
+    const cookieToken = cookies.token || token;
+
+    if (!cookieToken) {
+      return Promise.reject(ERROR_ENUM.unAuthorization);
+    }
+
+    return await authJWT(cookieToken);
+  }
+  // from authorization get apikey
+  async function parseAuthorization(authorization?: string) {
+    if (!authorization) {
+      return Promise.reject(ERROR_ENUM.unAuthorization);
+    }
+
+    // Bearer fastgpt-xxxx-appId
+    const auth = authorization.split(' ')[1];
+    if (!auth) {
+      return Promise.reject(ERROR_ENUM.unAuthorization);
+    }
+
+    const { apikey, appId: authorizationAppid = '' } = await (async () => {
+      const arr = auth.split('-');
+      // abandon
+      if (arr.length === 3) {
+        return {
+          apikey: `${arr[0]}-${arr[1]}`,
+          appId: arr[2]
+        };
+      }
+      if (arr.length === 2) {
+        return {
+          apikey: auth
+        };
+      }
+      return Promise.reject(ERROR_ENUM.unAuthorization);
+    })();
+
+    // auth apikey
+    const { userId, teamId, tmbId, appId: apiKeyAppId = '' } = await authOpenApiKey({ apikey });
+
+    return {
+      uid: userId,
+      teamId,
+      tmbId,
+      apikey,
+      appId: apiKeyAppId || authorizationAppid
+    };
+  }
+  // root user
+  async function parseRootKey(rootKey?: string, userId = '') {
+    if (!rootKey || !process.env.ROOT_KEY || rootKey !== process.env.ROOT_KEY) {
+      return Promise.reject(ERROR_ENUM.unAuthorization);
+    }
+    return userId;
+  }
+
+  const { cookie, token, apikey, rootkey, userid, authorization } = (req.headers ||
+    {}) as ReqHeaderAuthType;
+
+  const { uid, teamId, tmbId, appId, openApiKey, authType } = await (async () => {
+    if (authToken && (cookie || token)) {
+      // user token(from fastgpt web)
+      const res = await authCookieToken(cookie, token);
+      return {
+        uid: res.userId,
+        teamId: res.teamId,
+        tmbId: res.tmbId,
+        appId: '',
+        openApiKey: '',
+        authType: AuthUserTypeEnum.token
+      };
+    }
+    if (authRoot && rootkey) {
+      // root user
+      return {
+        uid: await parseRootKey(rootkey, userid),
+        teamId: '',
+        tmbId: '',
+        appId: '',
+        openApiKey: '',
+        authType: AuthUserTypeEnum.root
+      };
+    }
+    if (authApiKey && apikey) {
+      // apikey
+      const parseResult = await authOpenApiKey({ apikey });
+      return {
+        uid: parseResult.userId,
+        teamId: parseResult.teamId,
+        tmbId: parseResult.tmbId,
+        appId: parseResult.appId,
+        openApiKey: parseResult.apikey,
+        authType: AuthUserTypeEnum.apikey
+      };
+    }
+
+    if (authApiKey && authorization) {
+      // apikey from authorization
+      const authResponse = await parseAuthorization(authorization);
+      return {
+        uid: authResponse.uid,
+        teamId: authResponse.teamId,
+        tmbId: authResponse.tmbId,
+        appId: authResponse.appId,
+        openApiKey: authResponse.apikey,
+        authType: AuthUserTypeEnum.apikey
+      };
+    }
+    return {
+      uid: '',
+      teamId: '',
+      tmbId: '',
+      appId: '',
+      openApiKey: '',
+      authType: AuthUserTypeEnum.token
+    };
+  })();
+
+  // not rootUser and no uid, reject request
+  if (!rootkey && !uid && !teamId && !tmbId) {
+    return Promise.reject(ERROR_ENUM.unAuthorization);
+  }
+
+  return {
+    userId: String(uid),
+    teamId: String(teamId),
+    tmbId: String(tmbId),
+    appId,
+    authType,
+    apikey: openApiKey
+  };
+}
+
+/* set cookie */
+export const setCookie = (res: NextApiResponse, token: string) => {
+  res.setHeader(
+    'Set-Cookie',
+    `token=${token}; Path=/; HttpOnly; Max-Age=604800; Samesite=None; Secure;`
+  );
+};
+/* clear cookie */
+export const clearCookie = (res: NextApiResponse) => {
+  res.setHeader('Set-Cookie', 'token=; Path=/; Max-Age=0');
+};
+
+/* file permission */
+export const createFileToken = (data: FileTokenQuery) => {
+  if (!process.env.FILE_TOKEN_KEY) {
+    return Promise.reject('System unset FILE_TOKEN_KEY');
+  }
+  const expiredTime = Math.floor(Date.now() / 1000) + 60 * 30;
+
+  const key = process.env.FILE_TOKEN_KEY as string;
+  const token = jwt.sign(
+    {
+      ...data,
+      exp: expiredTime
+    },
+    key
+  );
+  return Promise.resolve(token);
+};
+
+export const authFileToken = (token?: string) =>
+  new Promise<FileTokenQuery>((resolve, reject) => {
+    if (!token) {
+      return reject(ERROR_ENUM.unAuthFile);
+    }
+    const key = process.env.FILE_TOKEN_KEY as string;
+
+    jwt.verify(token, key, function (err, decoded: any) {
+      if (err || !decoded.bucketName || !decoded?.teamId || !decoded?.tmbId || !decoded?.fileId) {
+        reject(ERROR_ENUM.unAuthFile);
+        return;
+      }
+      resolve({
+        bucketName: decoded.bucketName,
+        teamId: decoded.teamId,
+        tmbId: decoded.tmbId,
+        fileId: decoded.fileId
+      });
+    });
+  });

packages/service/support/permission/type.d.ts

@@ -0,0 +1,17 @@
+import { NextApiRequest } from 'next';
+
+export type ReqHeaderAuthType = {
+  cookie?: string;
+  token?: string;
+  apikey?: string; // abandon
+  rootkey?: string;
+  userid?: string;
+  authorization?: string;
+};
+export type AuthModeType = {
+  req: NextApiRequest;
+  authToken?: boolean;
+  authRoot?: boolean;
+  authApiKey?: boolean;
+  per?: 'r' | 'w' | 'owner';
+};