feat(auth): add password/jwt/rate-limit utility libs

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
1 week ago · e2ffc316fa
3 changed files with 135 additions and 0 deletions
--- a/server/service/auth/lib/jwt.ts
+++ b/server/service/auth/lib/jwt.ts
@ -0,0 +1,44 @@
 import { SignJWT, jwtVerify, decodeJwt } from "jose";
 import type { JWTPayload } from "jose";
 const JWT_SECRET = new TextEncoder().encode(
  process.env.JWT_SECRET || "dev-secret-change-in-production"
 );
 const ACCESS_TOKEN_EXPIRY = "15m";
 export interface AccessTokenPayload extends JWTPayload {
  userId: number;
  sessionId: string;
  role: string;
 }
 export async function signAccessToken(payload: {
  userId: number;
  sessionId: string;
  role: string;
 }): Promise<string> {
  return new SignJWT(payload as Record<string, unknown>)
    .setProtectedHeader({ alg: "HS256" })
    .setIssuedAt()
    .setExpirationTime(ACCESS_TOKEN_EXPIRY)
    .sign(JWT_SECRET);
 }
 export async function verifyAccessToken(
  token: string
 ): Promise<AccessTokenPayload | null> {
  try {
    const { payload } = await jwtVerify(token, JWT_SECRET);
    return payload as AccessTokenPayload;
  } catch {
    return null;
  }
 }
 export function decodeAccessTokenNoVerify(token: string): AccessTokenPayload | null {
  try {
    return decodeJwt(token) as AccessTokenPayload;
  } catch {
    return null;
  }
 }
--- a/server/service/auth/lib/password.ts
+++ b/server/service/auth/lib/password.ts
@ -0,0 +1,55 @@
 import bcrypt from "bcryptjs";
 const SALT_ROUNDS = 12;
 const PASSWORD_HISTORY_SIZE = 5;
 export function hashPassword(password: string): Promise<string> {
  return bcrypt.hash(password, SALT_ROUNDS);
 }
 export async function verifyPassword(
  password: string,
  hashedPassword: string
 ): Promise<boolean> {
  return bcrypt.compare(password, hashedPassword);
 }
 export async function isPasswordInHistory(
  password: string,
  history: string[]
 ): Promise<boolean> {
  if (history.length === 0) return false;
  for (const h of history) {
    if (await bcrypt.compare(password, h)) return true;
  }
  return false;
 }
 export function addPasswordToHistory(
  newHash: string,
  history: string[]
 ): string[] {
  const updated = [newHash, ...history];
  return updated.slice(0, PASSWORD_HISTORY_SIZE);
 }
 export interface PasswordStrengthResult {
  valid: boolean;
  errors: string[];
 }
 export function validatePasswordStrength(password: string): PasswordStrengthResult {
  const errors: string[] = [];
  if (password.length < 8) errors.push("至少8个字符");
  if (!/[A-Z]/.test(password)) errors.push("需包含大写字母");
  if (!/[a-z]/.test(password)) errors.push("需包含小写字母");
  if (!/[0-9]/.test(password)) errors.push("需包含数字");
  if (!/[!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]/.test(password))
    errors.push("需包含特殊字符");
  return { valid: errors.length === 0, errors };
 }
 export function isLocked(lockoutUntil: Date | null): boolean {
  if (!lockoutUntil) return false;
  return Date.now() < lockoutUntil.getTime();
 }
--- a/server/service/auth/lib/rate-limit.ts
+++ b/server/service/auth/lib/rate-limit.ts
@ -0,0 +1,36 @@
 // In-memory rate limiter keyed by IP
 const loginAttempts = new Map<
  string,
  { count: number; resetAt: number }
 >();
 const WINDOW_MS = 60_000;       // 1 minute window
 const MAX_ATTEMPTS = 5;         // max 5 attempts per window
 const LOCKOUT_MS = 15 * 60_000; // 15 minute lockout
 export function checkRateLimit(ip: string): {
  allowed: boolean;
  retryAfterMs: number;
 } {
  const now = Date.now();
  const entry = loginAttempts.get(ip);
  if (!entry || now > entry.resetAt) {
    loginAttempts.set(ip, { count: 1, resetAt: now + WINDOW_MS });
    return { allowed: true, retryAfterMs: 0 };
  }
  if (entry.count >= MAX_ATTEMPTS) {
    return {
      allowed: false,
      retryAfterMs: entry.resetAt - now,
    };
  }
  entry.count++;
  return { allowed: true, retryAfterMs: 0 };
 }
 export function clearRateLimit(ip: string): void {
  loginAttempts.delete(ip);
 }