Files
backend/internal/service/group_ability.go
lafay eb931bf1c6
All checks were successful
Build Backend / build (push) Successful in 2m19s
Build Backend / build-docker (push) Successful in 46s
feat(auth): implement session-based token management with revocation support
Add Session model, SessionService, and SessionRepository to track user login
sessions and enable token revocation on auth-critical events.

- Introduce explicit TokenType (access/refresh) in JWT claims to prevent
  refresh token misuse via access token endpoints
- Add SessionID field to JWT claims, enabling stateless JWT validation
  against revoked sessions
- Replace legacy Auth middleware with RequireAuth/OptionalAuth pipeline
  that validates token type, account status, and session validity
- Implement session revocation on password change, reset, user ban/inactive,
  and explicit logout
- Add Principal cache with active invalidation for banned/role-changed users
- Fix IDOR vulnerability: GetMessagesByCursor now validates currentUserID
  is conversation participant via GetParticipantStrict
- Add group member visibility checks: announcements, group info, member list
  now require group membership
- Simplify Casbin policy: remove g grouping, use r.sub == p.sub matcher
  with globMatch; user_roles table is single source of truth for roles
- Add migration logic to clean legacy casbin g rules and migrate old p rules
  from path-style to admin/<domain> resource naming
2026-07-05 18:28:08 +08:00

31 lines
1.3 KiB
Go
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
package service
import "context"
// GroupAbility 抽象群组能力校验,避免 chat_service 直接依赖 group_service 造成循环。
//
// 由 GroupService 实现并通过 wire 绑定;仅暴露 ChatService 所需的最小校验方法。
type GroupAbility interface {
// CanSendGroupMessage 校验用户是否可在群组中发消息。
// 拒绝场景:非群成员、被单独禁言、群全员禁言。
CanSendGroupMessage(ctx context.Context, userID, groupID string) error
}
// GroupAbilityFunc 适配器类型,便于把闭包/wire 桥接
// 转换为 GroupAbility 接口。
type GroupAbilityFunc func(ctx context.Context, userID, groupID string) error
func (f GroupAbilityFunc) CanSendGroupMessage(ctx context.Context, userID, groupID string) error {
return f(ctx, userID, groupID)
}
// NewGroupAbility 从 GroupService 构造 GroupAbility 适配器wire 注册用)。
//
// 注意GroupService.CanSendGroupMessage 当前签名不带 ctx这里通过闭包桥接保持
// GroupAbility 接口签名一致;后续 GroupService 演进为接受 ctx 时直接传递即可。
func NewGroupAbility(groupService GroupService) GroupAbility {
return GroupAbilityFunc(func(ctx context.Context, userID, groupID string) error {
_ = ctx
return groupService.CanSendGroupMessage(userID, groupID)
})
}