Skip to content

[WIP] ♻️Refactoring authentication&authorization to develop the user management feature #2328

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
xuyaqist wants to merge 8 commits into
base: develop
Choose a base branch
from
Open

[WIP] ♻️Refactoring authentication&authorization to develop the user management feature #2328

xuyaqist wants to merge 8 commits into from
+2,672 −1,987

Conversation

@xuyaqist
Copy link
Contributor

@xuyaqist xuyaqist commented Jan 27, 2026
edited
Loading

认证+鉴权

image

认证和鉴权之间的交互通过authEvent(事件监听和触发)。

  1. 当用户经过认证后,触发auth:login-success事件。
  2. 鉴权监听auth:login-success事件,获取对应的权限信息。

用户登录/注册

  1. 用户输入 email/password
  2. useAuthenticationState.login(email, password)
  3. authService.signIn(email, password)
  4. POST /api/user/signin
    后端返回: { data: { user, session } }
    session = { access_token, refresh_token, expires_at }
  5. saveSessionToStorage(session) ← lib/session.ts
  6. 【认证】authEventUtils.emitLoginSuccess() ← lib/authEvents.ts
  7. 【鉴权】useAuthorization 监听,handleLoginSuccess()
  8. GET /api/user/current_user_info
  9. 返回 user + accessibleRoutes + permissions
  10. UI 更新: isAuthenticated = true

Session管理

Session 过期检测

当用户登录时,会返回session以及其过期时间。前端将其存储至localstorage中,按需计算其是否过期,当发现session过期时,在鉴权逻辑中,会立刻令user相关的权限信息失效。有几个特殊的节点会检查session是否过期:

  1. 调用API之前,由前端计算一次session是否过期,如果过期则直接报401.
  2. 调用API之后,由后端计算一次session是否过期,如果过期,后端向前端报401.
  3. 前端设置了一个定时期,30s检查一次session是否过期,如果过期,直接弹出session过期提示窗。

滑动过期

为了避免用户在活跃的状态下session也会在10分钟过期,因此设置一个滑动过期的能力。当用户处于活跃状态(click/ keydown/ mousemove...),会判断session是否快过期了(<5分钟),如果session快过期了,则调用refresh session接口,主动延长session过期的时间。

@xuyaqist xuyaqist changed the title Refactoring authentication&authorization to develop new user management feature [WIP] ♻️Refactoring authentication&authorization to develop new user management feature Jan 27, 2026
@xuyaqist
Merge branch 'develop' into xyq/user_management
d949c6e 
# Conflicts:
#	frontend/app/[locale]/tenant-resources/components/UserManageComp.tsx
#	frontend/app/[locale]/users/page.tsx
#	frontend/components/navigation/SideNavigation.tsx
@xuyaqist
Set permission denied event from auth to authz
775140d
@xuyaqist
Add slide session refreshing & periodically session checking ability
6a5b65b
@xuyaqist
Add pre session expiration check
31ec742
@xuyaqist xuyaqist force-pushed the xyq/user_management branch from 3120d0d to 31ec742 Compare January 27, 2026 11:49
@xuyaqist xuyaqist changed the title [WIP] ♻️Refactoring authentication&authorization to develop new user management feature [WIP] ♻️Refactoring authentication&authorization to develop the user management feature Jan 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Phinease Phinease Awaiting requested review from Phinease Phinease is a code owner

@WMC001 WMC001 Awaiting requested review from WMC001 WMC001 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@xuyaqist