From fdaccc918ffd81efc274fd8a1e74a2aa09ea5e0f Mon Sep 17 00:00:00 2001
From: Jethro Lin
Date: Wed, 4 Dec 2024 12:47:30 +0800
Subject: [PATCH] fix premission error
---
 app/Http/Middleware/AdminAuthenticate.php | 14 ++++++++++++--
 app/Http/Middleware/ValidateAccessToken.php | 17 +++++++++++++----
 routes/api.php | 8 +++++---
 3 files changed, 30 insertions(+), 9 deletions(-)
diff --git a/app/Http/Middleware/AdminAuthenticate.php b/app/Http/Middleware/AdminAuthenticate.php
index 413fa44..2618749 100644
--- a/app/Http/Middleware/AdminAuthenticate.php
+++ b/app/Http/Middleware/AdminAuthenticate.php
@@ -4,6 +4,7 @@
 namespace App\Http\Middleware;
+use App\Constants\ErrorCode;
 use Closure;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
@@ -13,15 +14,24 @@ class AdminAuthenticate
 {
     public function handle(Request $request, Closure $next): Response
     {
+        // 检查是否已登录
         if (!Auth::guard('admin')->check()) {
             return response()->json([
-                'error' => 'unauthorized',
+                'error' => ErrorCode::UNAUTHORIZED,
                 'message' => '未授权,请先登录。',
-            ], 401);
+            ], Response::HTTP_UNAUTHORIZED);
         }
         $admin = Auth::guard('admin')->user();
+        // 检查是否是管理员
+        if (!$admin || !in_array($admin->role, ['super', 'admin'])) {
+            return response()->json([
+                'error' => ErrorCode::FORBIDDEN,
+                'message' => '无权访问管理员资源。',
+            ], Response::HTTP_FORBIDDEN);
+        }
+
         // Add admin information to the request
         $request->merge(['admin' => $admin]);
diff --git a/app/Http/Middleware/ValidateAccessToken.php b/app/Http/Middleware/ValidateAccessToken.php
index 7ecb930..bfe5a64 100644
--- a/app/Http/Middleware/ValidateAccessToken.php
+++ b/app/Http/Middleware/ValidateAccessToken.php
@@ -4,6 +4,7 @@
 namespace App\Http\Middleware;
+use App\Constants\ErrorCode;
 use App\Services\Auth\TokenService;
 use Closure;
 use Illuminate\Http\Request;
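Review bot: The role check on the new `if (!$admin || !in_array($admin->role, ['super', 'admin']))` line in AdminAuthenticate uses loose comparison, so a non-string `role` (an int, or `true`) can match one of the literals unexpectedly; pass the strict flag, `if (!$admin || !in_array($admin->role, ['super', 'admin'], true)) {`. The allowed-role list is also a literal inside the middleware, so anything else that decides who counts as an admin would have to repeat it; a class constant with a one-line comment stating why exactly these two roles pass would keep the policy in one place. handle() continues past the end of the hunk.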
@@ -17,22 +18,30 @@ public function __construct(
     public function handle(Request $request, Closure $next): Response
     {
+        // 禁止访问管理员路由
+        if (str_starts_with($request->path(), 'api/admin')) {
+            return response()->json([
+                'error' => ErrorCode::FORBIDDEN,
+                'message' => '客户用户无权访问管理员资源。',
+            ], Response::HTTP_FORBIDDEN);
+        }
+
         $bearerToken = $request->bearerToken();
         if (!$bearerToken) {
             return response()->json([
-                'error' => 'unauthorized',
+                'error' => ErrorCode::UNAUTHORIZED,
                 'message' => '未授权,令牌无效或未提供。',
-            ], 401);
+            ], Response::HTTP_UNAUTHORIZED);
         }
         $tokenData = $this->tokenService->validateAccessToken($bearerToken);
         if (!$tokenData) {
             return response()->json([
-                'error' => 'unauthorized',
+                'error' => ErrorCode::UNAUTHORIZED,
                 'message' => '访问令牌无效或已过期。',
-            ], 401);
+            ], Response::HTTP_UNAUTHORIZED);
         }
         // Add client information to the request for later use
diff --git a/routes/api.php b/routes/api.php
index ae2e703..d0d1c9d 100644
--- a/routes/api.php
+++ b/routes/api.php
@@ -15,11 +15,13 @@
     Route::post('/llm/request', [LlmController::class, 'request']);
 });
-// Admin authentication routes
-Route::middleware(['auth:sanctum', 'admin'])->prefix('admin')->group(function () {
+// Admin routes
+Route::prefix('admin')->group(function () {
+    // Admin auth routes (public)
     Route::post('login', [AdminAuthController::class, 'login']);
-    Route::middleware('auth.admin')->group(function () {
+    // Protected admin routes
+    Route::middleware(['auth:sanctum', 'auth.admin'])->group(function () {
         Route::post('logout', [AdminAuthController::class, 'logout']);
         Route::post('change-password', [AdminAuthController::class, 'changePassword']);
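Review bot: The new `str_starts_with($request->path(), 'api/admin')` guard in ValidateAccessToken ties this token middleware to the route layout and matches any path that merely begins with those characters rather than the admin group as a path segment; `if ($request->is('api/admin', 'api/admin/*')) {` limits it to that prefix. It is also unclear from the patch where this middleware is attached: in the routes hunk the admin group carries only `auth:sanctum` and `auth.admin`, so if ValidateAccessToken is applied only to the client group the check is unreachable, and if it is applied globally it would reject the public `api/admin/login` route with 403 before an admin can log in at all. Keeping client-token validation on the client route group alone and dropping the path test from this middleware would express the separation where it belongs. handle() continues past the end of the hunk.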