{
  "nodes": [
    { "id": "title", "type": "text", "text": "# Authentication and Authorization System Design\n\n**Approach**: JWT + D1\n**Status**: 📋 In design\n\nFeatures:\n- Stateless JWT authentication\n- Role-based access control (RBAC)\n- Fine-grained resource permissions\n- Edge-computing friendly", "x": -100, "y": -600, "width": 380, "height": 160, "color": "6" },
    { "id": "auth_flow", "type": "text", "text": "## Authentication Flow\n\n```\n1. Login request\n POST /api/auth/login\n { username, password }\n ↓\n2. Verify password\n bcrypt.compare()\n ↓\n3. Issue JWT\n { userId, role, exp }\n ↓\n4. Return tokens\n { accessToken, refreshToken }\n ↓\n5. Client stores token\n Authorization: Bearer \n```", "x": -500, "y": -380, "width": 300, "height": 340, "color": "2" },
    { "id": "jwt_structure", "type": "text", "text": "## JWT Structure\n\n**Header**\n```json\n{ \"alg\": \"HS256\", \"typ\": \"JWT\" }\n```\n\n**Payload**\n```json\n{\n \"sub\": \"user-id\",\n \"username\": \"admin\",\n \"role\": \"admin\",\n \"iat\": 1704067200,\n \"exp\": 1704153600\n}\n```\n\n**Lifetimes**\n- accessToken: 24h\n- refreshToken: 7d", "x": -130, "y": -380, "width": 300, "height": 320, "color": "4" },
    { "id": "rbac", "type": "text", "text": "## RBAC Roles and Permissions\n\n| Role | Permissions |\n|------|-------------|\n| admin | All operations |\n| operator | Camera management, live-stream control |\n| viewer | View only |\n\n**Resource permissions**\n```\nuser_permissions table\n- view: view camera\n- control: control live stream\n- manage: manage configuration\n```", "x": 240, "y": -380, "width": 280, "height": 280, "color": "3" },
    { "id": "middleware", "type": "text", "text": "## Middleware Design\n\n**authMiddleware**\n- Parse the Bearer token\n- Verify the JWT signature\n- Check the expiry time\n- Inject the user via c.set('user', payload)\n\n**requireRole(roles)**\n- Check the user's role\n- 403 Forbidden otherwise\n\n**requirePermission(resource, action)**\n- Query user_permissions\n- Check the resource permission", "x": -500, "y": 20, "width": 300, "height": 260, "color": "5" },
    { "id": "api_endpoints", "type": "text", "text": "## API Endpoints\n\n**Authentication**\n- POST /api/auth/login\n- POST /api/auth/register\n- POST /api/auth/refresh\n- POST /api/auth/logout\n- GET /api/auth/me\n\n**User management (admin)**\n- GET /api/users\n- GET /api/users/:id\n- POST /api/users\n- PUT /api/users/:id\n- DELETE /api/users/:id\n\n**Permission management (admin)**\n- GET /api/users/:id/permissions\n- POST /api/users/:id/permissions\n- DELETE /api/permissions/:id", "x": -130, "y": 0, "width": 300, "height": 340, "color": "2" },
    { "id": "file_structure", "type": "text", "text": "## File Structure\n\n```\nsrc/\n├── middleware/\n│ └── auth.ts\n├── services/\n│ ├── auth.ts\n│ └── user.ts\n├── routes/\n│ ├── auth.ts\n│ └── user.ts\n├── utils/\n│ ├── jwt.ts\n│ └── password.ts\n└── types/\n └── index.ts\n```", "x": 240, "y": -40, "width": 280, "height": 280, "color": "4" },
    { "id": "security", "type": "text", "text": "## Security Measures\n\n- Passwords hashed with bcrypt (cost=12)\n- JWT secret kept in an environment variable\n- HTTPS enforced\n- Rate limiting\n- Lockout after failed logins\n- Audit logging\n- CORS allowlist", "x": -500, "y": 340, "width": 300, "height": 180, "color": "1" },
    { "id": "env_config", "type": "text", "text": "## Environment Configuration\n\n**.dev.vars**\n```\nJWT_SECRET=your-secret-key\nJWT_EXPIRES_IN=86400\nREFRESH_EXPIRES_IN=604800\n```\n\n**wrangler secret**\n```bash\nwrangler secret put JWT_SECRET\n```", "x": -130, "y": 400, "width": 300, "height": 180, "color": "4" },
    { "id": "protected_routes", "type": "text", "text": "## Route Protection\n\n**Public routes**\n- /api/auth/login\n- /api/auth/register\n- / (health check)\n\n**Requires authentication**\n- /api/stream/*\n- /api/users/*\n- /api/auth/me\n\n**Requires admin**\n- POST/PUT/DELETE /api/users\n- /api/permissions/*", "x": 240, "y": 300, "width": 280, "height": 240, "color": "3" }
  ],
  "edges": [
    { "id": "edge_flow_jwt", "fromNode": "auth_flow", "fromSide": "right", "toNode": "jwt_structure", "toSide": "left", "label": "issues" },
    { "id": "edge_jwt_rbac", "fromNode": "jwt_structure", "fromSide": "right", "toNode": "rbac", "toSide": "left", "label": "carries role" },
    { "id": "edge_mw_api", "fromNode": "middleware", "fromSide": "right", "toNode": "api_endpoints", "toSide": "left", "label": "protects" },
    { "id": "edge_api_files", "fromNode": "api_endpoints", "fromSide": "right", "toNode": "file_structure", "toSide": "left", "label": "implemented in" },
    { "id": "edge_mw_security", "fromNode": "middleware", "fromSide": "bottom", "toNode": "security", "toSide": "top", "label": "security policy" }
  ]
}