refactor openapikey and outlink apis (#2134)

* refactor: OpenAPIKey refactor * refactor: outlink api refactor fix: list return wrong data * chore: remove deprecated type definition * chore: remove throw Error. instead of Promise.reject * fix: auth openapikey's owner * fix: manager could read all keys
2025-07-23 13:03:50 +00:00 · 2024-07-24 11:11:36 +08:00
parent a233ab9584
commit a478621730
12 changed files with 300 additions and 244 deletions
--- a/packages/service/support/permission/auth/openapi.ts
+++ b/packages/service/support/permission/auth/openapi.ts
@@ -1,16 +1,12 @@
-import { AuthResponseType } from '@fastgpt/global/support/permission/type';
-import { AuthModeType } from '../type';
+import { AuthModeType, AuthResponseType } from '../type';
 import { OpenApiSchema } from '@fastgpt/global/support/openapi/type';
 import { parseHeaderCert } from '../controller';
 import { getTmbInfoByTmbId } from '../../user/team/controller';
 import { MongoOpenApi } from '../../openapi/schema';
 import { OpenApiErrEnum } from '@fastgpt/global/common/error/code/openapi';
-import { TeamMemberRoleEnum } from '@fastgpt/global/support/user/team/constant';
-import {
-  OwnerPermissionVal,
-  ReadPermissionVal,
-  WritePermissionVal
-} from '@fastgpt/global/support/permission/constant';
+import { OwnerPermissionVal } from '@fastgpt/global/support/permission/constant';
+import { authAppByTmbId } from '../app/auth';
+import { Permission } from '@fastgpt/global/support/permission/controller';

 export async function authOpenApiKeyCrud({
  id,
@@ -26,39 +22,38 @@ export async function authOpenApiKeyCrud({
  const result = await parseHeaderCert(props);
  const { tmbId, teamId } = result;

-  const { role, permission: tmbPer } = await getTmbInfoByTmbId({ tmbId });
-
-  const { openapi, isOwner, canWrite } = await (async () => {
+  const { openapi, permission } = await (async () => {
    const openapi = await MongoOpenApi.findOne({ _id: id, teamId });
-
    if (!openapi) {
      throw new Error(OpenApiErrEnum.unExist);
    }

-    const isOwner = String(openapi.tmbId) === tmbId || role === TeamMemberRoleEnum.owner;
-    const canWrite = isOwner || (String(openapi.tmbId) === tmbId && tmbPer.hasWritePer);
+    if (!!openapi.appId) {
+      // if is not global openapi, then auth app
+      const { app } = await authAppByTmbId({ appId: openapi.appId!, tmbId, per });
+      return {
+        permission: app.permission,
+        openapi
+      };
+    }
+    // if is global openapi, then auth openapi
+    const { permission: tmbPer } = await getTmbInfoByTmbId({ tmbId });

-    if (per === ReadPermissionVal && !canWrite) {
-      return Promise.reject(OpenApiErrEnum.unAuth);
-    }
-    if (per === WritePermissionVal && !canWrite) {
-      return Promise.reject(OpenApiErrEnum.unAuth);
-    }
-    if (per === OwnerPermissionVal && !isOwner) {
+    if (!tmbPer.checkPer(per) && tmbId !== String(openapi.tmbId)) {
      return Promise.reject(OpenApiErrEnum.unAuth);
    }

    return {
      openapi,
-      isOwner,
-      canWrite
+      permission: new Permission({
+        per
+      })
    };
  })();

  return {
    ...result,
    openapi,
-    isOwner,
-    canWrite
+    permission
  };
 }