chore: 不优化首页头像

.gitea/workflows/deploy.yml

@@ -0,0 +1,80 @@
+# .gitea/workflows/deploy.yml
+name: Deploy to K3s
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    container:
+      image: localhost:5000/tiny-ci-runner:latest
+
+    env:
+      IMAGE_TAG: ${{ github.sha }}
+      KUBECONFIG: /tmp/.kube/config
+      NODE_ENV: production
+
+    steps:
+      - name: Write kubeconfig
+        run: |
+          mkdir -p /tmp/.kube
+          cat << 'EOF' > /tmp/.kube/config
+          ${{ secrets.KUBECONFIG_DATA }}
+          EOF
+          chmod 600 /tmp/.kube/config
+
+      - name: Verify Kubernetes access
+        run: |
+          kubectl cluster-info
+          kubectl get nodes
+
+      - name: Checkout code
+        run: |
+          git clone --depth=1 --branch master \
+            https://git.tonesc.cn/tone/tonePage.git \
+            /workspace/tone/tonePage
+          cd /workspace/tone/tonePage
+          git log -1 --oneline
+
+      - name: Build and push backend image
+        run: |
+          cd /workspace/tone/tonePage/apps/backend
+          docker build -t localhost:5000/backend:${IMAGE_TAG} .
+          docker push localhost:5000/backend:${IMAGE_TAG}
+
+      - name: Build and push frontend image
+        run: |
+          cd /workspace/tone/tonePage/apps/frontend
+          docker build \
+            --build-arg API_BASE="http://backend-service:3001" \
+            -t localhost:5000/frontend:${IMAGE_TAG} .
+          docker push localhost:5000/frontend:${IMAGE_TAG}
+
+      - name: Deploy to K3s
+        run: |
+          cd /workspace/tone/tonePage/apps/deploy
+
+          # 基础资源
+          kubectl apply -f postgres-deployment.yaml
+          kubectl apply -f backend-deployment.yaml
+          kubectl apply -f frontend-deployment.yaml
+
+          # 更新镜像（触发滚动更新）
+          kubectl set image deployment/backend \
+            backend=localhost:5000/backend:${IMAGE_TAG}
+
+          kubectl set image deployment/frontend \
+            frontend=localhost:5000/frontend:${IMAGE_TAG}
+
+          # 等待滚动完成
+          kubectl rollout status deployment/backend --timeout=120s
+          kubectl rollout status deployment/frontend --timeout=120s
+
+      - name: Post-deploy sanity check
+        run: |
+          kubectl get pods
+          kubectl get svc

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 tonecn
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

apps/.dockerignore

@@ -0,0 +1,4 @@
+node_modules
+.next
+.git
+.env.local

apps/backend/Dockerfile

@@ -0,0 +1,23 @@
+FROM node:22-alpine AS builder
+RUN npm install -g pnpm
+WORKDIR /app
+
+COPY package.json pnpm-lock.yaml ./
+RUN pnpm install --frozen-lockfile
+
+COPY . .
+RUN pnpm run build
+
+RUN CI=true pnpm prune --prod
+
+FROM node:22-alpine AS runner
+WORKDIR /app
+
+ENV NODE_ENV=production
+
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/dist ./dist
+COPY --from=builder /app/package.json ./package.json
+
+EXPOSE 3001
+CMD ["node", "dist/main.js"]

apps/backend/package.json

@@ -17,30 +17,33 @@
     "test:watch": "jest --watch",
     "test:cov": "jest --coverage",
     "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
-    "test:e2e": "jest --config ./test/jest-e2e.json"
+    "test:e2e": "jest --config ./test/jest-e2e.json",
+    "migration:generate": "typeorm migration:generate -d src/data-source.ts",
+    "migration:run": "typeorm migration:run -d dist/data-source.js",
+    "migration:revert": "typeorm migration:revert -d dist/data-source.js"
   },
   "dependencies": {
     "@alicloud/credentials": "^2.4.3",
     "@alicloud/dm20151123": "1.2.6",
+    "@alicloud/dypnsapi20170525": "^2.0.0",
     "@alicloud/dysmsapi20170525": "4.1.0",
     "@alicloud/openapi-client": "^0.4.14",
     "@alicloud/tea-util": "^1.4.10",
     "@nestjs/common": "^10.0.0",
     "@nestjs/config": "^4.0.2",
     "@nestjs/core": "^10.0.0",
-    "@nestjs/jwt": "^11.0.0",
     "@nestjs/mapped-types": "*",
-    "@nestjs/passport": "^11.0.5",
     "@nestjs/platform-express": "^10.0.0",
     "@nestjs/throttler": "^6.4.0",
     "@nestjs/typeorm": "^11.0.0",
+    "@simplewebauthn/server": "^13.2.2",
     "@types/ali-oss": "^6.16.11",
     "ali-oss": "^6.23.0",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.2",
+    "cookie-parser": "^1.4.7",
+    "dotenv": "^17.2.3",
     "jsonwebtoken": "^9.0.2",
-    "passport": "^0.7.0",
-    "passport-jwt": "^4.0.1",
     "pg": "^8.15.6",
     "reflect-metadata": "^0.2.0",
     "rxjs": "^7.8.1",
@@ -51,10 +54,10 @@
     "@nestjs/cli": "^10.0.0",
     "@nestjs/schematics": "^10.0.0",
     "@nestjs/testing": "^10.0.0",
+    "@types/cookie-parser": "^1.4.10",
     "@types/express": "^5.0.0",
     "@types/jest": "^29.5.2",
     "@types/node": "^20.3.1",
-    "@types/passport-jwt": "^4.0.1",
     "@types/supertest": "^6.0.0",
     "@typescript-eslint/eslint-plugin": "^8.0.0",
     "@typescript-eslint/parser": "^8.0.0",

apps/backend/pnpm-lock.yaml

@@ -14,6 +14,9 @@ importers:
       '@alicloud/dm20151123':
         specifier: 1.2.6
         version: 1.2.6
+      '@alicloud/dypnsapi20170525':
+        specifier: ^2.0.0
+        version: 2.0.0
       '@alicloud/dysmsapi20170525':
         specifier: 4.1.0
         version: 4.1.0
@@ -32,15 +35,9 @@ importers:
       '@nestjs/core':
         specifier: ^10.0.0
         version: 10.4.17(@nestjs/common@10.4.17(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/platform-express@10.4.17)(reflect-metadata@0.2.2)(rxjs@7.8.2)
-      '@nestjs/jwt':
-        specifier: ^11.0.0
-        version: 11.0.0(@nestjs/common@10.4.17(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)(rxjs@7.8.2))
       '@nestjs/mapped-types':
         specifier: '*'
         version: 2.1.0(@nestjs/common@10.4.17(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)(rxjs@7.8.2))(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)
-      '@nestjs/passport':
-        specifier: ^11.0.5
-        version: 11.0.5(@nestjs/common@10.4.17(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)(rxjs@7.8.2))(passport@0.7.0)
       '@nestjs/platform-express':
         specifier: ^10.0.0
         version: 10.4.17(@nestjs/common@10.4.17(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@10.4.17)
@@ -50,6 +47,9 @@ importers:
       '@nestjs/typeorm':
         specifier: ^11.0.0
         version: 11.0.0(@nestjs/common@10.4.17(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@10.4.17)(reflect-metadata@0.2.2)(rxjs@7.8.2)(typeorm@0.3.22(pg@8.15.6)(reflect-metadata@0.2.2)(ts-node@10.9.2(@types/node@20.17.31)(typescript@5.8.3)))
+      '@simplewebauthn/server':
+        specifier: ^13.2.2
+        version: 13.2.2
       '@types/ali-oss':
         specifier: ^6.16.11
         version: 6.16.11
@@ -62,15 +62,15 @@ importers:
       class-validator:
         specifier: ^0.14.2
         version: 0.14.2
+      cookie-parser:
+        specifier: ^1.4.7
+        version: 1.4.7
+      dotenv:
+        specifier: ^17.2.3
+        version: 17.2.3
       jsonwebtoken:
         specifier: ^9.0.2
         version: 9.0.2
-      passport:
-        specifier: ^0.7.0
-        version: 0.7.0
-      passport-jwt:
-        specifier: ^4.0.1
-        version: 4.0.1
       pg:
         specifier: ^8.15.6
         version: 8.15.6
@@ -96,6 +96,9 @@ importers:
       '@nestjs/testing':
         specifier: ^10.0.0
         version: 10.4.17(@nestjs/common@10.4.17(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@10.4.17)(@nestjs/platform-express@10.4.17)
+      '@types/cookie-parser':
+        specifier: ^1.4.10
+        version: 1.4.10(@types/express@5.0.1)
       '@types/express':
         specifier: ^5.0.0
         version: 5.0.1
@@ -105,9 +108,6 @@ importers:
       '@types/node':
         specifier: ^20.3.1
         version: 20.17.31
-      '@types/passport-jwt':
-        specifier: ^4.0.1
-        version: 4.0.1
       '@types/supertest':
         specifier: ^6.0.0
         version: 6.0.3
@@ -159,6 +159,9 @@ packages:
   '@alicloud/credentials@2.4.3':
     resolution: {integrity: sha512-r2thNtthchTz/c8/HryGSey1vY0UZx2FkAvb+vd+j7xhD/v/KUwnp8RJNQKNG3E4kfs4wSx2bgDSkcPAiXHQLQ==}
 
+  '@alicloud/credentials@2.4.4':
+    resolution: {integrity: sha512-/eRAGSKcniLIFQ1UCpDhB/IrHUZisQ1sc65ws/c2avxUMpXwH1rWAohb76SVAUJhiF4mwvLzLJM1Mn1XL4Xe/Q==}
+
   '@alicloud/darabonba-array@0.1.0':
     resolution: {integrity: sha512-y4oM4O2uXiroUjfWBLEXRHMm1279rWpkWWNalF7DFQyO5awJ/e0d631prU4i10ytKzo8XJd12eCHmm3IOW85+g==}
 
@@ -180,6 +183,9 @@ packages:
   '@alicloud/dm20151123@1.2.6':
     resolution: {integrity: sha512-6pYgy0D5zmUoxfRYwj0ysX4WPw8IfGimaw3ORFj6hF6lTxWpJ3tteOD72i8rw764eZ78TRc4UyET3U9qCaBeaA==}
 
+  '@alicloud/dypnsapi20170525@2.0.0':
+    resolution: {integrity: sha512-eVh1dJ2HA82bBHt+YZFIBzPEYW80FK+TSpcxSR9o0W+FgfTqBaj6eeIHnN7NFhyDAD/3+HtZ146Pmvr51JEEAg==}
+
   '@alicloud/dysmsapi20170525@4.1.0':
     resolution: {integrity: sha512-oUmRp6DTI6gGNbrSQK4lW7EouHIB4C0DCbSEA121NvxHC9XKe4cqiPP2VDqgDQiIK43oiFaHKY3rj+IteOWekA==}
 
@@ -425,6 +431,9 @@ packages:
     resolution: {integrity: sha512-d9zaMRSTIKDLhctzH12MtXvJKSSUhaHcjV+2Z+GK+EEY7XKpP5yR4x+N3TAcHTcu963nIr+TMcCb4DBCYX1z6Q==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
 
+  '@hexagon/base64@1.1.28':
+    resolution: {integrity: sha512-lhqDEAvWixy3bZ+UOYbPwUbBkwBq5C1LAJ/xPC8Oi+lL54oyakv/npbA0aU2hgCsx/1NUd4IBvV03+aUBWxerw==}
+
   '@humanwhocodes/config-array@0.13.0':
     resolution: {integrity: sha512-DZLEEqFWQFiyK6h5YIeynKx7JlvCYWL0cImfSRXZ9l4Sg2efkFGTuFf6vzXjK1cq6IYkU+Eg/JizXw+TD2vRNw==}
     engines: {node: '>=10.10.0'}
@@ -540,6 +549,9 @@ packages:
   '@jridgewell/trace-mapping@0.3.9':
     resolution: {integrity: sha512-3Belt6tdc8bPgAtbcmdtNJlirVoTmEb5e2gC94PnkwEW9jI6CAHUeoG85tjWP5WquqfavoMtMwiG4P926ZKKuQ==}
 
+  '@levischuck/tiny-cbor@0.2.11':
+    resolution: {integrity: sha512-llBRm4dT4Z89aRsm6u2oEZ8tfwL/2l6BwpZ7JcyieouniDECM5AqNgr/y08zalEIvW3RSK4upYyybDcmjXqAow==}
+
   '@ljharb/through@2.3.14':
     resolution: {integrity: sha512-ajBvlKpWucBB17FuQYUShqpqy8GRgYEpJW0vWJbUu1CV9lWyrDCapy0lScU8T8Z6qn49sSwJB3+M+evYIdGg+A==}
     engines: {node: '>= 0.4'}
@@ -597,11 +609,6 @@ packages:
       '@nestjs/websockets':
         optional: true
 
-  '@nestjs/jwt@11.0.0':
-    resolution: {integrity: sha512-v7YRsW3Xi8HNTsO+jeHSEEqelX37TVWgwt+BcxtkG/OfXJEOs6GZdbdza200d6KqId1pJQZ6UPj1F0M6E+mxaA==}
-    peerDependencies:
-      '@nestjs/common': ^8.0.0 || ^9.0.0 || ^10.0.0 || ^11.0.0
-
   '@nestjs/mapped-types@2.1.0':
     resolution: {integrity: sha512-W+n+rM69XsFdwORF11UqJahn4J3xi4g/ZEOlJNL6KoW5ygWSmBB2p0S2BZ4FQeS/NDH72e6xIcu35SfJnE8bXw==}
     peerDependencies:
@@ -615,12 +622,6 @@ packages:
       class-validator:
         optional: true
 
-  '@nestjs/passport@11.0.5':
-    resolution: {integrity: sha512-ulQX6mbjlws92PIM15Naes4F4p2JoxGnIJuUsdXQPT+Oo2sqQmENEZXM7eYuimocfHnKlcfZOuyzbA33LwUlOQ==}
-    peerDependencies:
-      '@nestjs/common': ^10.0.0 || ^11.0.0
-      passport: ^0.5.0 || ^0.6.0 || ^0.7.0
-
   '@nestjs/platform-express@10.4.17':
     resolution: {integrity: sha512-ovn4Wxney3QGBrqNPv0QLcCuH5QoAi6pb/GNWAz6B/NmBjZbs9/zl4a2beGDA2SaYre9w43YbfmHTm17PneP9w==}
     peerDependencies:
@@ -685,6 +686,43 @@ packages:
   '@paralleldrive/cuid2@2.2.2':
     resolution: {integrity: sha512-ZOBkgDwEdoYVlSeRbYYXs0S9MejQofiVYoTbKzy/6GQa39/q5tQU2IX46+shYnUkpEl3wc+J6wRlar7r2EK2xA==}
 
+  '@peculiar/asn1-android@2.6.0':
+    resolution: {integrity: sha512-cBRCKtYPF7vJGN76/yG8VbxRcHLPF3HnkoHhKOZeHpoVtbMYfY9ROKtH3DtYUY9m8uI1Mh47PRhHf2hSK3xcSQ==}
+
+  '@peculiar/asn1-cms@2.6.0':
+    resolution: {integrity: sha512-2uZqP+ggSncESeUF/9Su8rWqGclEfEiz1SyU02WX5fUONFfkjzS2Z/F1Li0ofSmf4JqYXIOdCAZqIXAIBAT1OA==}
+
+  '@peculiar/asn1-csr@2.6.0':
+    resolution: {integrity: sha512-BeWIu5VpTIhfRysfEp73SGbwjjoLL/JWXhJ/9mo4vXnz3tRGm+NGm3KNcRzQ9VMVqwYS2RHlolz21svzRXIHPQ==}
+
+  '@peculiar/asn1-ecc@2.6.0':
+    resolution: {integrity: sha512-FF3LMGq6SfAOwUG2sKpPXblibn6XnEIKa+SryvUl5Pik+WR9rmRA3OCiwz8R3lVXnYnyRkSZsSLdml8H3UiOcw==}
+
+  '@peculiar/asn1-pfx@2.6.0':
+    resolution: {integrity: sha512-rtUvtf+tyKGgokHHmZzeUojRZJYPxoD/jaN1+VAB4kKR7tXrnDCA/RAWXAIhMJJC+7W27IIRGe9djvxKgsldCQ==}
+
+  '@peculiar/asn1-pkcs8@2.6.0':
+    resolution: {integrity: sha512-KyQ4D8G/NrS7Fw3XCJrngxmjwO/3htnA0lL9gDICvEQ+GJ+EPFqldcJQTwPIdvx98Tua+WjkdKHSC0/Km7T+lA==}
+
+  '@peculiar/asn1-pkcs9@2.6.0':
+    resolution: {integrity: sha512-b78OQ6OciW0aqZxdzliXGYHASeCvvw5caqidbpQRYW2mBtXIX2WhofNXTEe7NyxTb0P6J62kAAWLwn0HuMF1Fw==}
+
+  '@peculiar/asn1-rsa@2.6.0':
+    resolution: {integrity: sha512-Nu4C19tsrTsCp9fDrH+sdcOKoVfdfoQQ7S3VqjJU6vedR7tY3RLkQ5oguOIB3zFW33USDUuYZnPEQYySlgha4w==}
+
+  '@peculiar/asn1-schema@2.6.0':
+    resolution: {integrity: sha512-xNLYLBFTBKkCzEZIw842BxytQQATQv+lDTCEMZ8C196iJcJJMBUZxrhSTxLaohMyKK8QlzRNTRkUmanucnDSqg==}
+
+  '@peculiar/asn1-x509-attr@2.6.0':
+    resolution: {integrity: sha512-MuIAXFX3/dc8gmoZBkwJWxUWOSvG4MMDntXhrOZpJVMkYX+MYc/rUAU2uJOved9iJEoiUx7//3D8oG83a78UJA==}
+
+  '@peculiar/asn1-x509@2.6.0':
+    resolution: {integrity: sha512-uzYbPEpoQiBoTq0/+jZtpM6Gq6zADBx+JNFP3yqRgziWBxQ/Dt/HcuvRfm9zJTPdRcBqPNdaRHTVwpyiq6iNMA==}
+
+  '@peculiar/x509@1.14.2':
+    resolution: {integrity: sha512-r2w1Hg6pODDs0zfAKHkSS5HLkOLSeburtcgwvlLLWWCixw+MmW3U6kD5ddyvc2Y2YdbGuVwCF2S2ASoU1cFAag==}
+    engines: {node: '>=22.0.0'}
+
   '@pkgjs/parseargs@0.11.0':
     resolution: {integrity: sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==}
     engines: {node: '>=14'}
@@ -693,6 +731,10 @@ packages:
     resolution: {integrity: sha512-ROFF39F6ZrnzSUEmQQZUar0Jt4xVoP9WnDRdWwF4NNcXs3xBTLgBUDoOwW141y1jP+S8nahIbdxbFC7IShw9Iw==}
     engines: {node: ^12.20.0 || ^14.18.0 || >=16.0.0}
 
+  '@simplewebauthn/server@13.2.2':
+    resolution: {integrity: sha512-HcWLW28yTMGXpwE9VLx9J+N2KEUaELadLrkPEEI9tpI5la70xNEVEsu/C+m3u7uoq4FulLqZQhgBCzR9IZhFpA==}
+    engines: {node: '>=20.0.0'}
+
   '@sinclair/typebox@0.27.8':
     resolution: {integrity: sha512-+Fj43pSMwJs4KRrH/938Uf+uAELIgVBmQzg/q1YG10djyfA3TnrU8N8XzqCh/okZdszqBQTZf96idMfE5lnwTA==}
 
@@ -745,6 +787,11 @@ packages:
   '@types/connect@3.4.38':
     resolution: {integrity: sha512-K6uROf1LD88uDQqJCktA4yzL1YYAK6NgfsI0v/mTgyPKWsX1CnJ0XPSDhViejru1GcRkLWb8RlzFYJRqGUbaug==}
 
+  '@types/cookie-parser@1.4.10':
+    resolution: {integrity: sha512-B4xqkqfZ8Wek+rCOeRxsjMS9OgvzebEzzLYw7NHYuvzb7IdxOkI0ZHGgeEBX4PUM7QGVvNSK60T3OvWj3YfBRg==}
+    peerDependencies:
+      '@types/express': '*'
+
   '@types/cookiejar@2.1.5':
     resolution: {integrity: sha512-he+DHOWReW0nghN24E1WUqM0efK4kI9oTqDm6XmK8ZPe2djZ90BSNdGnIyCLzCPw7/pogPlGbzI2wHGGmi4O/Q==}
 
@@ -784,9 +831,6 @@ packages:
   '@types/json-schema@7.0.15':
     resolution: {integrity: sha512-5+fP8P8MFNC+AyZCDxrB2pkZFPGzqQWUzpSeuuVLvm8VMcorNYavBqoFcxK8bQz4Qsbn4oUEEem4wDLfcysGHA==}
 
-  '@types/jsonwebtoken@9.0.7':
-    resolution: {integrity: sha512-ugo316mmTYBl2g81zDFnZ7cfxlut3o+/EQdaP7J8QN2kY6lJ22hmQYCK5EHcJHbrW+dkCGSCPgbG8JtYj6qSrg==}
-
   '@types/methods@1.1.4':
     resolution: {integrity: sha512-ymXWVrDiCxTBE3+RIrrP533E70eA+9qu7zdWoHuOmGujkYtzf4HQF96b8nwHLqhuf4ykX61IGRIB38CC6/sImQ==}
 
@@ -802,15 +846,6 @@ packages:
   '@types/node@22.15.14':
     resolution: {integrity: sha512-BL1eyu/XWsFGTtDWOYULQEs4KR0qdtYfCxYAUYRoB7JP7h9ETYLgQTww6kH8Sj2C0pFGgrpM0XKv6/kbIzYJ1g==}
 
-  '@types/passport-jwt@4.0.1':
-    resolution: {integrity: sha512-Y0Ykz6nWP4jpxgEUYq8NoVZeCQPo1ZndJLfapI249g1jHChvRfZRO/LS3tqu26YgAS/laI1qx98sYGz0IalRXQ==}
-
-  '@types/passport-strategy@0.2.38':
-    resolution: {integrity: sha512-GC6eMqqojOooq993Tmnmp7AUTbbQSgilyvpCYQjT+H6JfG/g6RGc7nXEniZlp0zyKJ0WUdOiZWLBZft9Yug1uA==}
-
-  '@types/passport@1.0.17':
-    resolution: {integrity: sha512-aciLyx+wDwT2t2/kJGJR2AEeBz0nJU4WuRX04Wu9Dqc5lSUtwu0WERPHYsLhF9PtseiAMPBGNUOtFjxZ56prsg==}
-
   '@types/qs@6.9.18':
     resolution: {integrity: sha512-kK7dgTYDyGqS+e2Q4aK9X3D7q234CIZ1Bv0q/7Z5IwRDoADNU81xXJK/YVyLbLTZCoIwUoDoffFeF+p/eIklAA==}
 
@@ -1066,6 +1101,10 @@ packages:
   asap@2.0.6:
     resolution: {integrity: sha512-BSHWgDSAiKs50o2Re8ppvp3seVHXSRM44cdSsT9FfNEUUZLOGWVCsiWaRPWM1Znn+mqZ1OfVZ3z3DWEzSp7hRA==}
 
+  asn1js@3.0.7:
+    resolution: {integrity: sha512-uLvq6KJu04qoQM6gvBfKFjlh6Gl0vOKQuR5cJMDHQkmwfMOQeN3F3SHCv9SNYSL+CRoHvOGFfllDlVz03GQjvQ==}
+    engines: {node: '>=12.0.0'}
+
   async@3.2.6:
     resolution: {integrity: sha512-htCUDlxyyCLMgaM3xXg0C0LW2xqfuQ6p05pCEIsXuyQ+a1koYKTuBMzRNwmybfLgvJDMd0r1LTn4+E0Ti6C2AA==}
 
@@ -1306,6 +1345,10 @@ packages:
   convert-source-map@2.0.0:
     resolution: {integrity: sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==}
 
+  cookie-parser@1.4.7:
+    resolution: {integrity: sha512-nGUvgXnotP3BsjiLX2ypbQnWoGUPIIfHQNZkkC668ntrzGWEZVW70HDEB1qnNGMicPje6EttlIgzo51YSwNQGw==}
+    engines: {node: '>= 0.8.0'}
+
   cookie-signature@1.0.6:
     resolution: {integrity: sha512-QADzlaHc8icV8I7vbaJXJwod9HWYp8uCqf1xa4OfNu1T7JVxQIrUgOWtHdNDtPiywmFbiS12VjotIXLrKM3orQ==}
 
@@ -1313,6 +1356,10 @@ packages:
     resolution: {integrity: sha512-6DnInpx7SJ2AK3+CTUE/ZM0vWTUboZCegxhC2xiIydHR9jNuTAASBrfEpHhiGOZw/nX51bHt6YQl8jsGo4y/0w==}
     engines: {node: '>= 0.6'}
 
+  cookie@0.7.2:
+    resolution: {integrity: sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==}
+    engines: {node: '>= 0.6'}
+
   cookiejar@2.1.4:
     resolution: {integrity: sha512-LDx6oHrK+PhzLKJU9j5S7/Y3jM/mUHvD/DeI1WQmJn652iPC5Y4TBzC9l+5OMOXlyTTA+SmVUPm0HQUwpD5Jqw==}
 
@@ -1439,6 +1486,10 @@ packages:
     resolution: {integrity: sha512-47qPchRCykZC03FhkYAhrvwU4xDBFIj1QPqaarj6mdM/hgUzfPHcpkHJOn3mJAufFeeAxAzeGsr5X0M4k6fLZQ==}
     engines: {node: '>=12'}
 
+  dotenv@17.2.3:
+    resolution: {integrity: sha512-JVUnt+DUIzu87TABbhPmNfVdBDt18BLOWjMUFJMSi/Qqg7NTYtabbvSNJGOJ7afbRuv9D/lngizHtP7QyLQ+9w==}
+    engines: {node: '>=12'}
+
   dunder-proto@1.0.1:
     resolution: {integrity: sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==}
     engines: {node: '>= 0.4'}
@@ -2509,17 +2560,6 @@ packages:
     resolution: {integrity: sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==}
     engines: {node: '>= 0.8'}
 
-  passport-jwt@4.0.1:
-    resolution: {integrity: sha512-UCKMDYhNuGOBE9/9Ycuoyh7vP6jpeTp/+sfMJl7nLff/t6dps+iaeE0hhNkKN8/HZHcJ7lCdOyDxHdDoxoSvdQ==}
-
-  passport-strategy@1.0.0:
-    resolution: {integrity: sha512-CB97UUvDKJde2V0KDWWB3lyf6PC3FaZP7YxZ2G8OAtn9p4HI9j9JLP9qjOGZFvyl8uwNT8qM+hGnz/n16NI7oA==}
-    engines: {node: '>= 0.4.0'}
-
-  passport@0.7.0:
-    resolution: {integrity: sha512-cPLl+qZpSc+ireUvt+IzqbED1cHHkDoVYMo30jbJIdOOjQ1MQYZBPiNvmi8UM6lJuOpTPXJGZQk0DtC4y61MYQ==}
-    engines: {node: '>= 0.4.0'}
-
   path-exists@4.0.0:
     resolution: {integrity: sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==}
     engines: {node: '>=8'}
@@ -2552,9 +2592,6 @@ packages:
   pause-stream@0.0.11:
     resolution: {integrity: sha512-e3FBlXLmN/D1S+zHzanP4E/4Z60oFAa3O051qt1pxa7DEJWKAyil6upYVXCWadEnuoqa4Pkc9oUx9zsxYeRv8A==}
 
-  pause@0.0.1:
-    resolution: {integrity: sha512-KG8UEiEVkR3wGEb4m5yZkVCzigAD+cVEJck2CzYZO37ZGJfctvVptVO192MwrtPhzONn6go8ylnOdMhKqi4nfg==}
-
   peek-readable@7.0.0:
     resolution: {integrity: sha512-nri2TO5JE3/mRryik9LlHFT53cgHfRK0Lt0BAZQXku/AW3E6XLt2GaY8siWi7dvW/m1z0ecn+J+bpDa9ZN3IsQ==}
     engines: {node: '>=18'}
@@ -2673,6 +2710,13 @@ packages:
   pure-rand@6.1.0:
     resolution: {integrity: sha512-bVWawvoZoBYpp6yIoQtQXHZjmz35RSVHnUOTefl8Vcjr8snTPY1wnpSPMWekcFwbxI6gtmT7rSYPFvz71ldiOA==}
 
+  pvtsutils@1.3.6:
+    resolution: {integrity: sha512-PLgQXQ6H2FWCaeRak8vvk1GW462lMxB5s3Jm673N82zI4vqtVUPuZdffdZbPDFRoU8kAhItWFtPCWiPpp4/EDg==}
+
+  pvutils@1.1.5:
+    resolution: {integrity: sha512-KTqnxsgGiQ6ZAzZCVlJH5eOjSnvlyEgx1m8bkRJfOhmGRqfo5KLvmAlACQkrjEtOQ4B7wF9TdSLIs9O90MX9xA==}
+    engines: {node: '>=16.0.0'}
+
   qs@6.13.0:
     resolution: {integrity: sha512-+38qI9SOr8tfZ4QmJNplMUxqjbe7LKvvZgWdExBOmd+egZTtjLB67Gu0HRX3u/XOq7UU2Nx6nsjvS16Z9uwfpg==}
     engines: {node: '>=0.6'}
@@ -3126,9 +3170,16 @@ packages:
     resolution: {integrity: sha512-NoZ4roiN7LnbKn9QqE1amc9DJfzvZXxF4xDavcOWt1BPkdx+m+0gJuPM+S0vCe7zTJMYUP0R8pO2XMr+Y8oLIg==}
     engines: {node: '>=6'}
 
+  tslib@1.14.1:
+    resolution: {integrity: sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==}
+
   tslib@2.8.1:
     resolution: {integrity: sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==}
 
+  tsyringe@4.10.0:
+    resolution: {integrity: sha512-axr3IdNuVIxnaK5XGEUFTu3YmAQ6lllgrvqfEoR16g/HGnYY/6We4oWENtAnzK6/LpJ2ur9PAb80RBt7/U4ugw==}
+    engines: {node: '>= 6.0.0'}
+
   type-check@0.4.0:
     resolution: {integrity: sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew==}
     engines: {node: '>= 0.8.0'}
@@ -3411,6 +3462,15 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  '@alicloud/credentials@2.4.4':
+    dependencies:
+      '@alicloud/tea-typescript': 1.8.0
+      httpx: 2.3.3
+      ini: 1.3.8
+      kitx: 2.2.0
+    transitivePeerDependencies:
+      - supports-color
+
   '@alicloud/darabonba-array@0.1.0':
     dependencies:
       '@alicloud/tea-typescript': 1.8.0
@@ -3453,6 +3513,13 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  '@alicloud/dypnsapi20170525@2.0.0':
+    dependencies:
+      '@alicloud/openapi-core': 1.0.4
+      '@darabonba/typescript': 1.0.3
+    transitivePeerDependencies:
+      - supports-color
+
   '@alicloud/dysmsapi20170525@4.1.0':
     dependencies:
       '@alicloud/openapi-core': 1.0.4
@@ -3469,7 +3536,7 @@ snapshots:
 
   '@alicloud/gateway-pop@0.0.6':
     dependencies:
-      '@alicloud/credentials': 2.4.3
+      '@alicloud/credentials': 2.4.4
       '@alicloud/darabonba-array': 0.1.0
       '@alicloud/darabonba-encode-util': 0.0.2
       '@alicloud/darabonba-map': 0.0.1
@@ -3503,7 +3570,7 @@ snapshots:
 
   '@alicloud/openapi-core@1.0.4':
     dependencies:
-      '@alicloud/credentials': 2.4.3
+      '@alicloud/credentials': 2.4.4
       '@alicloud/gateway-pop': 0.0.6
       '@alicloud/gateway-spi': 0.0.8
       '@darabonba/typescript': 1.0.3
@@ -3814,6 +3881,8 @@ snapshots:
 
   '@eslint/js@8.57.1': {}
 
+  '@hexagon/base64@1.1.28': {}
+
   '@humanwhocodes/config-array@0.13.0':
     dependencies:
       '@humanwhocodes/object-schema': 2.0.3
@@ -4034,6 +4103,8 @@ snapshots:
       '@jridgewell/resolve-uri': 3.1.2
       '@jridgewell/sourcemap-codec': 1.5.0
 
+  '@levischuck/tiny-cbor@0.2.11': {}
+
   '@ljharb/through@2.3.14':
     dependencies:
       call-bind: 1.0.8
@@ -4104,12 +4175,6 @@ snapshots:
     transitivePeerDependencies:
       - encoding
 
-  '@nestjs/jwt@11.0.0(@nestjs/common@10.4.17(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)(rxjs@7.8.2))':
-    dependencies:
-      '@nestjs/common': 10.4.17(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)(rxjs@7.8.2)
-      '@types/jsonwebtoken': 9.0.7
-      jsonwebtoken: 9.0.2
-
   '@nestjs/mapped-types@2.1.0(@nestjs/common@10.4.17(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)(rxjs@7.8.2))(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)':
     dependencies:
       '@nestjs/common': 10.4.17(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)(rxjs@7.8.2)
@@ -4118,11 +4183,6 @@ snapshots:
       class-transformer: 0.5.1
       class-validator: 0.14.2
 
-  '@nestjs/passport@11.0.5(@nestjs/common@10.4.17(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)(rxjs@7.8.2))(passport@0.7.0)':
-    dependencies:
-      '@nestjs/common': 10.4.17(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)(rxjs@7.8.2)
-      passport: 0.7.0
-
   '@nestjs/platform-express@10.4.17(@nestjs/common@10.4.17(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)(rxjs@7.8.2))(@nestjs/core@10.4.17)':
     dependencies:
       '@nestjs/common': 10.4.17(class-transformer@0.5.1)(class-validator@0.14.2)(reflect-metadata@0.2.2)(rxjs@7.8.2)
@@ -4205,11 +4265,118 @@ snapshots:
     dependencies:
       '@noble/hashes': 1.8.0
 
+  '@peculiar/asn1-android@2.6.0':
+    dependencies:
+      '@peculiar/asn1-schema': 2.6.0
+      asn1js: 3.0.7
+      tslib: 2.8.1
+
+  '@peculiar/asn1-cms@2.6.0':
+    dependencies:
+      '@peculiar/asn1-schema': 2.6.0
+      '@peculiar/asn1-x509': 2.6.0
+      '@peculiar/asn1-x509-attr': 2.6.0
+      asn1js: 3.0.7
+      tslib: 2.8.1
+
+  '@peculiar/asn1-csr@2.6.0':
+    dependencies:
+      '@peculiar/asn1-schema': 2.6.0
+      '@peculiar/asn1-x509': 2.6.0
+      asn1js: 3.0.7
+      tslib: 2.8.1
+
+  '@peculiar/asn1-ecc@2.6.0':
+    dependencies:
+      '@peculiar/asn1-schema': 2.6.0
+      '@peculiar/asn1-x509': 2.6.0
+      asn1js: 3.0.7
+      tslib: 2.8.1
+
+  '@peculiar/asn1-pfx@2.6.0':
+    dependencies:
+      '@peculiar/asn1-cms': 2.6.0
+      '@peculiar/asn1-pkcs8': 2.6.0
+      '@peculiar/asn1-rsa': 2.6.0
+      '@peculiar/asn1-schema': 2.6.0
+      asn1js: 3.0.7
+      tslib: 2.8.1
+
+  '@peculiar/asn1-pkcs8@2.6.0':
+    dependencies:
+      '@peculiar/asn1-schema': 2.6.0
+      '@peculiar/asn1-x509': 2.6.0
+      asn1js: 3.0.7
+      tslib: 2.8.1
+
+  '@peculiar/asn1-pkcs9@2.6.0':
+    dependencies:
+      '@peculiar/asn1-cms': 2.6.0
+      '@peculiar/asn1-pfx': 2.6.0
+      '@peculiar/asn1-pkcs8': 2.6.0
+      '@peculiar/asn1-schema': 2.6.0
+      '@peculiar/asn1-x509': 2.6.0
+      '@peculiar/asn1-x509-attr': 2.6.0
+      asn1js: 3.0.7
+      tslib: 2.8.1
+
+  '@peculiar/asn1-rsa@2.6.0':
+    dependencies:
+      '@peculiar/asn1-schema': 2.6.0
+      '@peculiar/asn1-x509': 2.6.0
+      asn1js: 3.0.7
+      tslib: 2.8.1
+
+  '@peculiar/asn1-schema@2.6.0':
+    dependencies:
+      asn1js: 3.0.7
+      pvtsutils: 1.3.6
+      tslib: 2.8.1
+
+  '@peculiar/asn1-x509-attr@2.6.0':
+    dependencies:
+      '@peculiar/asn1-schema': 2.6.0
+      '@peculiar/asn1-x509': 2.6.0
+      asn1js: 3.0.7
+      tslib: 2.8.1
+
+  '@peculiar/asn1-x509@2.6.0':
+    dependencies:
+      '@peculiar/asn1-schema': 2.6.0
+      asn1js: 3.0.7
+      pvtsutils: 1.3.6
+      tslib: 2.8.1
+
+  '@peculiar/x509@1.14.2':
+    dependencies:
+      '@peculiar/asn1-cms': 2.6.0
+      '@peculiar/asn1-csr': 2.6.0
+      '@peculiar/asn1-ecc': 2.6.0
+      '@peculiar/asn1-pkcs9': 2.6.0
+      '@peculiar/asn1-rsa': 2.6.0
+      '@peculiar/asn1-schema': 2.6.0
+      '@peculiar/asn1-x509': 2.6.0
+      pvtsutils: 1.3.6
+      reflect-metadata: 0.2.2
+      tslib: 2.8.1
+      tsyringe: 4.10.0
+
   '@pkgjs/parseargs@0.11.0':
     optional: true
 
   '@pkgr/core@0.2.4': {}
 
+  '@simplewebauthn/server@13.2.2':
+    dependencies:
+      '@hexagon/base64': 1.1.28
+      '@levischuck/tiny-cbor': 0.2.11
+      '@peculiar/asn1-android': 2.6.0
+      '@peculiar/asn1-ecc': 2.6.0
+      '@peculiar/asn1-rsa': 2.6.0
+      '@peculiar/asn1-schema': 2.6.0
+      '@peculiar/asn1-x509': 2.6.0
+      '@peculiar/x509': 1.14.2
+
   '@sinclair/typebox@0.27.8': {}
 
   '@sinonjs/commons@3.0.1':
@@ -4272,6 +4439,10 @@ snapshots:
     dependencies:
       '@types/node': 20.17.31
 
+  '@types/cookie-parser@1.4.10(@types/express@5.0.1)':
+    dependencies:
+      '@types/express': 5.0.1
+
   '@types/cookiejar@2.1.5': {}
 
   '@types/eslint-scope@3.7.7':
@@ -4322,10 +4493,6 @@ snapshots:
 
   '@types/json-schema@7.0.15': {}
 
-  '@types/jsonwebtoken@9.0.7':
-    dependencies:
-      '@types/node': 20.17.31
-
   '@types/methods@1.1.4': {}
 
   '@types/mime@1.3.5': {}
@@ -4340,20 +4507,6 @@ snapshots:
     dependencies:
       undici-types: 6.21.0
 
-  '@types/passport-jwt@4.0.1':
-    dependencies:
-      '@types/jsonwebtoken': 9.0.7
-      '@types/passport-strategy': 0.2.38
-
-  '@types/passport-strategy@0.2.38':
-    dependencies:
-      '@types/express': 5.0.1
-      '@types/passport': 1.0.17
-
-  '@types/passport@1.0.17':
-    dependencies:
-      '@types/express': 5.0.1
-
   '@types/qs@6.9.18': {}
 
   '@types/range-parser@1.2.7': {}
@@ -4689,6 +4842,12 @@ snapshots:
 
   asap@2.0.6: {}
 
+  asn1js@3.0.7:
+    dependencies:
+      pvtsutils: 1.3.6
+      pvutils: 1.1.5
+      tslib: 2.8.1
+
   async@3.2.6: {}
 
   asynckit@0.4.0: {}
@@ -4962,10 +5121,17 @@ snapshots:
 
   convert-source-map@2.0.0: {}
 
+  cookie-parser@1.4.7:
+    dependencies:
+      cookie: 0.7.2
+      cookie-signature: 1.0.6
+
   cookie-signature@1.0.6: {}
 
   cookie@0.7.1: {}
 
+  cookie@0.7.2: {}
+
   cookiejar@2.1.4: {}
 
   copy-to@2.0.1: {}
@@ -5070,6 +5236,8 @@ snapshots:
 
   dotenv@16.4.7: {}
 
+  dotenv@17.2.3: {}
+
   dunder-proto@1.0.1:
     dependencies:
       call-bind-apply-helpers: 1.0.2
@@ -6381,19 +6549,6 @@ snapshots:
 
   parseurl@1.3.3: {}
 
-  passport-jwt@4.0.1:
-    dependencies:
-      jsonwebtoken: 9.0.2
-      passport-strategy: 1.0.0
-
-  passport-strategy@1.0.0: {}
-
-  passport@0.7.0:
-    dependencies:
-      passport-strategy: 1.0.0
-      pause: 0.0.1
-      utils-merge: 1.0.1
-
   path-exists@4.0.0: {}
 
   path-is-absolute@1.0.1: {}
@@ -6417,8 +6572,6 @@ snapshots:
     dependencies:
       through: 2.3.8
 
-  pause@0.0.1: {}
-
   peek-readable@7.0.0: {}
 
   pg-cloudflare@1.2.5:
@@ -6517,6 +6670,12 @@ snapshots:
 
   pure-rand@6.1.0: {}
 
+  pvtsutils@1.3.6:
+    dependencies:
+      tslib: 2.8.1
+
+  pvutils@1.1.5: {}
+
   qs@6.13.0:
     dependencies:
       side-channel: 1.1.0
@@ -6983,8 +7142,14 @@ snapshots:
       minimist: 1.2.8
       strip-bom: 3.0.0
 
+  tslib@1.14.1: {}
+
   tslib@2.8.1: {}
 
+  tsyringe@4.10.0:
+    dependencies:
+      tslib: 1.14.1
+
   type-check@0.4.0:
     dependencies:
       prelude-ls: 1.2.1

apps/backend/src/admin/admin.module.ts

@@ -8,13 +8,19 @@ import { AdminWebResourceController } from './controller/web/admin-web-resource.
 import { AdminWebBlogController } from './controller/web/admin-web-blog.controller';
 import { ResourceModule } from 'src/resource/resource.module';
 import { BlogModule } from 'src/blog/blog.module';
+import { AuthModule } from 'src/auth/auth.module';
+import { AdminResourceService } from './services/admin.resource.service';
 
 @Module({
+  providers: [
+    AdminResourceService,
+  ],
   imports: [
     TypeOrmModule.forFeature([User]),
     UserModule,
     ResourceModule,
     BlogModule,
+    AuthModule,
   ],
   controllers: [
     AdminController,

apps/backend/src/admin/controller/admin-user.controller.ts

@@ -19,10 +19,10 @@ import { RemoveUserDto } from '../dto/admin-user/remove.dto';
 import { RolesGuard } from 'src/common/guard/roles.guard';
 import { Roles } from 'src/common/decorators/role.decorator';
 import { Role } from 'src/auth/role.enum';
-import { AuthGuard } from '@nestjs/passport';
+import { AuthGuard } from 'src/auth/guards/auth.guard';
 
 @Controller('admin/user')
-@UseGuards(AuthGuard('jwt'), RolesGuard)
+@UseGuards(AuthGuard, RolesGuard)
 @Roles(Role.Admin)
 export class AdminUserController {
   constructor(private readonly userService: UserService) { }
@@ -41,7 +41,7 @@ export class AdminUserController {
 
   @Post()
   async create(@Body() createDto: CreateDto) {
-    return this.userService.create({
+    return this.userService.register({
       ...createDto,
       ...(createDto.password &&
         (() => {

apps/backend/src/admin/controller/web/admin-web-blog.controller.ts

@@ -9,17 +9,17 @@ import {
   Put,
   UseGuards,
 } from '@nestjs/common';
-import { AuthGuard } from '@nestjs/passport';
 import { CreateBlogDto } from 'src/admin/dto/admin-web/create-blog.dto';
 import { SetBlogPasswordDto } from 'src/admin/dto/admin-web/set-blog-password.dto';
 import { UpdateBlogDto } from 'src/admin/dto/admin-web/update-blog.dto';
+import { AuthGuard } from 'src/auth/guards/auth.guard';
 import { Role } from 'src/auth/role.enum';
 import { BlogService } from 'src/blog/blog.service';
 import { Roles } from 'src/common/decorators/role.decorator';
 import { RolesGuard } from 'src/common/guard/roles.guard';
 
 @Controller('/admin/web/blog')
-@UseGuards(AuthGuard('jwt'), RolesGuard)
+@UseGuards(AuthGuard, RolesGuard)
 @Roles(Role.Admin)
 export class AdminWebBlogController {
   constructor(private readonly adminWebBlogService: BlogService) { }

apps/backend/src/admin/controller/web/admin-web-resource.controller.ts

@@ -9,18 +9,19 @@ import {
   Put,
   UseGuards,
 } from '@nestjs/common';
-import { AuthGuard } from '@nestjs/passport';
 import { CreateResourceDto } from 'src/admin/dto/admin-web/create-resource.dto';
+import { AdminResourceService } from 'src/admin/services/admin.resource.service';
+import { AuthGuard } from 'src/auth/guards/auth.guard';
 import { Role } from 'src/auth/role.enum';
 import { Roles } from 'src/common/decorators/role.decorator';
 import { RolesGuard } from 'src/common/guard/roles.guard';
-import { ResourceService } from 'src/resource/resource.service';
 
 @Controller('/admin/web/resource')
-@UseGuards(AuthGuard('jwt'), RolesGuard)
+@UseGuards(AuthGuard, RolesGuard)
 @Roles(Role.Admin)
 export class AdminWebResourceController {
-  constructor(private readonly resourceService: ResourceService) {}
+
+  constructor(private readonly resourceService: AdminResourceService) { }
 
   @Get()
   async list() {
@@ -42,7 +43,10 @@ export class AdminWebResourceController {
     @Param('id', new ParseUUIDPipe({ version: '4' })) id: string,
     @Body() data: CreateResourceDto,
   ) {
-    return this.resourceService.update(id, data);
+    return this.resourceService.update({
+      ...data,
+      id,
+    });
   }
 
   @Delete(':id')

apps/backend/src/admin/dto/admin-web/create-blog.dto.ts

@@ -5,6 +5,9 @@ export class CreateBlogDto {
   @IsString()
   title: string;
 
+  @IsString()
+  slug: string;// 允许空串，但如果为空则需要手动设置为null，防止数据库唯一键冲突
+
   @IsString()
   description: string;
 

apps/backend/src/admin/dto/admin-web/update-blog.dto.ts

@@ -8,6 +8,9 @@ export class UpdateBlogDto {
   @IsString()
   description: string;
 
+  @IsString()
+  slug: string;
+
   @IsString()
   contentUrl: string;
 

apps/backend/src/admin/services/admin.resource.service.ts

@@ -0,0 +1,42 @@
+import { Injectable } from "@nestjs/common";
+import { InjectRepository } from "@nestjs/typeorm";
+import { Resource } from "src/resource/entity/resource.entity";
+import { Repository } from "typeorm";
+
+@Injectable()
+export class AdminResourceService {
+
+    constructor(
+        @InjectRepository(Resource)
+        private readonly resourceRepository: Repository<Resource>,
+    ) { }
+
+
+    async findAll() {
+        return this.resourceRepository.find({
+            order: {
+                updatedAt: 'DESC',
+            }
+        });
+    }
+
+    async findById(id: string): Promise<Resource> {
+        return this.resourceRepository.findOne({ where: { id } });
+    }
+
+    async create(data: Partial<Resource>): Promise<Resource> {
+        const resource = this.resourceRepository.create(data);
+        return this.resourceRepository.save(resource);
+    }
+
+    async update(data: Partial<Resource>): Promise<Resource> {
+        // const updateRes =  await this.resourceRepository.update(id, data);
+        // updateRes.affected
+        // return this.resourceRepository.findOne({ where: { id } });
+        return this.resourceRepository.save(data);
+    }
+
+    async delete(id: string): Promise<void> {
+        await this.resourceRepository.delete(id);
+    }
+}

apps/backend/src/app.module.ts

@@ -7,33 +7,39 @@ import { UserModule } from './user/user.module';
 import { AuthModule } from './auth/auth.module';
 import { VerificationModule } from './verification/verification.module';
 import { NotificationModule } from './notification/notification.module';
-import { PassportModule } from '@nestjs/passport';
 import { ResourceModule } from './resource/resource.module';
 import { BlogModule } from './blog/blog.module';
 import { AdminModule } from './admin/admin.module';
 import { OssModule } from './oss/oss.module';
 import { ThrottlerModule } from '@nestjs/throttler';
+import { CaptchaModule } from './captcha/captcha.module';
+import { SmsModule } from './sms/sms.module';
+import { CommonModule } from './common/common.module';
+import { AppDataSource } from './data-source';
 
 @Module({
   imports: [
     ConfigModule.forRoot({ isGlobal: true }),
-    TypeOrmModule.forRoot({
-      type: 'postgres',
-      host: process.env.DATABASE_HOST,
-      port: parseInt(process.env.DATABASE_PORT, 10) || 5432,
-      username: process.env.DATABASE_USERNAME,
-      password: process.env.DATABASE_PASSWORD,
-      database: process.env.DATABASE_NAME,
-      autoLoadEntities: true,
-      entities: [],
-      synchronize: process.env.NODE_ENV !== 'production', // Set to false in production
+    TypeOrmModule.forRootAsync({
+      useFactory: () => AppDataSource.options,
     }),
-    PassportModule.register({ defaultStrategy: 'jwt' }),
     ThrottlerModule.forRoot({
+      ignoreUserAgents: [/googlebot/i, /bingbot/i],
       throttlers: [
         {
-          limit: 1000,
-          ttl: 60000, // 1 minute
+          name: 'min',
+          limit: 100,
+          ttl: 60 * 1000,
+        },
+        {
+          name: 'hour',
+          limit: 500,
+          ttl: 60 * 60 * 1000,
+        },
+        {
+          name: 'day',
+          limit: 10000,
+          ttl: 24 * 60 * 60 * 1000,
         },
       ],
     }),
@@ -45,6 +51,9 @@ import { ThrottlerModule } from '@nestjs/throttler';
     BlogModule,
     AdminModule,
     OssModule,
+    CaptchaModule,
+    SmsModule,
+    CommonModule,
   ],
   controllers: [AppController],
   providers: [AppService],

apps/backend/src/auth/auth.controller.ts

@@ -0,0 +1,183 @@
+import {
+  BadRequestException,
+  Body,
+  Controller,
+  Post,
+  Req,
+  Res,
+  UseGuards,
+} from '@nestjs/common';
+import { LoginByPasswordDto } from './dto/login.dto';
+import { AuthService } from './auth.service';
+import { UserSessionService } from 'src/auth/service/user-session.service';
+import { Throttle, ThrottlerGuard } from '@nestjs/throttler';
+import { Request, Response } from 'express';
+import { UserService } from 'src/user/user.service';
+import { AuthGuard } from './guards/auth.guard';
+import { SmsLoginDto } from './dto/sms-login.dto';
+import { SmsService } from 'src/sms/sms.service';
+import { UserSession } from 'src/auth/entity/user-session.entity';
+import { PasskeyService } from './service/passkey.service';
+import { v4 as uuidv4 } from 'uuid';
+import { PasskeyLoginDto } from './dto/passkey-login.dto';
+import { AuthUser, CurrentUser } from './decorator/current-user.decorator';
+import { PasskeyRegisterDto } from './dto/passkey-register.dto';
+
+@Controller('auth')
+export class AuthController {
+  constructor(
+    private readonly authService: AuthService,
+    private readonly userService: UserService,
+    private readonly userSessionService: UserSessionService,
+    private readonly smsService: SmsService,
+    private readonly passkeyService: PasskeyService,
+  ) { }
+
+  private setUserSession(res: Response, session: UserSession) {
+    res.cookie('session', session.sessionId, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      // 永不过期，不用设置maxAge
+      path: '/',
+    })
+  }
+
+  @Post('login/password')
+  @UseGuards(ThrottlerGuard)
+  @Throttle({
+    'min': { limit: 5, ttl: 60 * 1000 },
+    'hour': { limit: 20, ttl: 60 * 60 * 1000 },
+    'day': { limit: 50, ttl: 24 * 60 * 60 * 1000 }
+  })
+  async loginByPassword(
+    @Body() loginDto: LoginByPasswordDto,
+    @Res({ passthrough: true }) res: Response,
+  ) {
+    const { identifier, password } = loginDto;
+    const session = await this.authService.loginWithPassword(identifier, password);
+    this.setUserSession(res, session);
+    return {
+      user: await this.userService.findById(session.userId),
+    };
+  }
+
+  @Post('login/sms')
+  @UseGuards(ThrottlerGuard)
+  @Throttle({
+    'day': { limit: 50, ttl: 24 * 60 * 60 * 1000 }
+  })
+  async loginBySms(
+    @Body() dto: SmsLoginDto,
+    @Res({ passthrough: true }) res: Response,
+  ) {
+    const { phone, code } = dto;
+    await this.smsService.checkSms(phone, 'login', code);
+    // 验证通过，（注册并）登陆
+    const session = await this.authService.loginWithPhone(phone);
+    this.setUserSession(res, session);
+    return {
+      user: await this.userService.findById(session.userId),
+    }
+  }
+
+
+  @Post('passkey/login/options')
+  @UseGuards(ThrottlerGuard)
+  @Throttle({
+    'day': { limit: 20, ttl: 24 * 60 * 60 * 1000 }
+  })
+  async loginByPasskeyOptions(
+    @Res({ passthrough: true }) res: Response,
+  ) {
+    const tempSessionId = uuidv4();
+    const options = await this.passkeyService.getAuthenticationOptions(tempSessionId);
+
+    res.cookie('passkey_temp_session', tempSessionId, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      path: '/api/auth/passkey/login',
+      maxAge: 1 * 60 * 1000,
+    });
+    return options;
+  }
+
+  @Post('passkey/login')
+  @UseGuards(ThrottlerGuard)
+  @Throttle({
+    'day': { limit: 20, ttl: 24 * 60 * 60 * 1000 }
+  })
+  async loginByPasskey(
+    @Req() req: Request,
+    @Body() body: PasskeyLoginDto,
+    @Res({ passthrough: true }) res: Response,
+  ) {
+    const tempSessionId = req.cookies?.passkey_temp_session;
+    if (!tempSessionId) {
+      throw new BadRequestException('登录失败，请重试');
+    }
+
+    try {
+      const user = await this.passkeyService.login(tempSessionId, body.credentialResponse);
+
+      const session = await this.userSessionService.createSession(user.userId);
+
+      this.setUserSession(res, session);
+
+      return {
+        user: await this.userService.findById(user.userId),
+      };
+    } catch (error) {
+      throw error;
+    } finally {
+      res.clearCookie('passkey_temp_session', {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === 'production',
+        sameSite: 'lax',
+        path: '/api/auth/passkey/login',
+      });
+    }
+  }
+
+  @UseGuards(AuthGuard)
+  @Post('passkey/register/options')
+  async getPasskeyRegisterOptions(
+    @CurrentUser() user: AuthUser,
+  ) {
+    const { userId } = user;
+    return this.passkeyService.getRegistrationOptions(userId);
+  }
+
+  @UseGuards(AuthGuard)
+  @Post('passkey/register')
+  async registerPasskey(
+    @CurrentUser() user: AuthUser,
+    @Body() dto: PasskeyRegisterDto,
+  ) {
+    const { userId } = user;
+    const { credentialResponse, name } = dto;
+
+    const passkey = await this.passkeyService.register(userId, credentialResponse, name.trim());
+
+    return {
+      id: passkey.id,
+      name: passkey.name,
+      createdAt: passkey.createdAt,
+    };
+  }
+
+  @UseGuards(AuthGuard)
+  @Post('logout')
+  async logout(@CurrentUser() user: AuthUser, @Res({ passthrough: true }) res: Response) {
+    const { sessionId } = user;
+    await this.userSessionService.invalidateSession(sessionId, '用户主动登出');
+    res.clearCookie('session', {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      path: '/',
+    })
+    return true;
+  }
+}

apps/backend/src/auth/auth.module.ts

@@ -0,0 +1,28 @@
+import { forwardRef, Module } from '@nestjs/common';
+import { AuthController } from './auth.controller';
+import { AuthService } from './auth.service';
+import { UserModule } from 'src/user/user.module';
+import { TypeOrmModule } from '@nestjs/typeorm';
+import { UserSession } from 'src/auth/entity/user-session.entity';
+import { ConfigModule } from '@nestjs/config';
+import { VerificationModule } from 'src/verification/verification.module';
+import { AuthGuard } from './guards/auth.guard';
+import { OptionalAuthGuard } from './guards/optional-auth.guard';
+import { SmsModule } from 'src/sms/sms.module';
+import { PasskeyCredential } from './entity/passkey-credential.entity';
+import { UserSessionService } from './service/user-session.service';
+import { PasskeyService } from './service/passkey.service';
+
+@Module({
+  imports: [
+    ConfigModule,
+    forwardRef(() => UserModule),
+    TypeOrmModule.forFeature([UserSession, PasskeyCredential]),
+    VerificationModule,
+    SmsModule,
+  ],
+  controllers: [AuthController],
+  providers: [AuthService, UserSessionService, PasskeyService, AuthGuard, OptionalAuthGuard],
+  exports: [AuthService, UserSessionService, PasskeyService, AuthGuard, OptionalAuthGuard],
+})
+export class AuthModule { }

apps/backend/src/auth/auth.service.ts

@@ -0,0 +1,76 @@
+import { createHash } from 'crypto';
+import { BadRequestException, Injectable } from '@nestjs/common';
+import { UserService } from 'src/user/user.service';
+import { UserSessionService } from 'src/auth/service/user-session.service';
+import { BusinessException } from 'src/common/exceptions/business.exception';
+import { ErrorCode } from 'src/common/constants/error-codes';
+
+@Injectable()
+export class AuthService {
+  constructor(
+    private readonly userService: UserService,
+    private readonly userSessionService: UserSessionService,
+  ) { }
+
+  async loginWithPassword(identifier: string, password: string) {
+    // 依次使用邮箱、手机号、账号登陆（防止有大聪明给账号改成别人的邮箱或手机号）
+    const user = await this.userService.findOne(
+      [{ email: identifier }, { phone: identifier }, { username: identifier }],
+      {
+        withDeleted: true,
+      },
+    );
+
+    if (user && user.deletedAt !== null) {
+      throw new BusinessException({
+        message: '该账号注销中',
+        code: ErrorCode.USER_ACCOUNT_DEACTIVATED,
+      });
+    }
+
+    if (user === null || !user.password_hash || !user.salt) {
+      throw new BusinessException({
+        message: '账户或密码错误',
+        code: ErrorCode.AUTH_INVALID_CREDENTIALS
+      });
+    }
+
+    // 判断密码是否正确
+    const hashedPassword = this.hashPassword(password, user.salt);
+    if (hashedPassword !== user.password_hash) {
+      throw new BusinessException({
+        message: '账户或密码错误',
+        code: ErrorCode.AUTH_INVALID_CREDENTIALS
+      });
+    }
+
+    const { userId } = user;
+
+    return this.userSessionService.createSession(userId);
+  }
+
+  async loginWithPhone(phone: string) {
+    // 判断用户是否存在，若不存在则进行注册
+    let user = await this.userService.findOne({ phone }, { withDeleted: true });
+    if (user && user.deletedAt !== null) {
+      throw new BadRequestException('该账号注销中，请使用其他手机号');
+    }
+
+    if (!user) {
+      // 执行注册操作
+      user = await this.userService.register({ phone });
+    }
+
+    if (!user || !user.userId) {
+      // 注册失败或用户信息错误
+      throw new BadRequestException('请求失败，请稍后再试');
+    }
+
+    return this.userSessionService.createSession(user.userId);
+  }
+
+  private hashPassword(password: string, salt: string): string {
+    return createHash('sha256').update(`${password}${salt}`).digest('hex');
+  }
+
+}

apps/backend/src/auth/decorator/current-user.decorator.ts

@@ -0,0 +1,14 @@
+import { createParamDecorator, ExecutionContext } from '@nestjs/common';
+import { Request } from 'express';
+
+export interface AuthUser {
+    sessionId: string;
+    userId: string;
+}
+
+export const CurrentUser = createParamDecorator(
+    (data: unknown, ctx: ExecutionContext): AuthUser => {
+        const request = ctx.switchToHttp().getRequest<Request>();
+        return request.user;
+    },
+);

apps/backend/src/auth/dto/login.dto.ts

@@ -0,0 +1,37 @@
+import { IsEnum, IsString, Length, ValidateIf } from 'class-validator';
+
+// export class LoginDto {
+//   @IsEnum(['password', 'phone', 'email'], { message: '请求类型错误' })
+//   type: 'password' | 'phone' | 'email';
+
+//   @ValidateIf((o) => o.type === 'password')
+
+//   account?: string;
+
+
+
+//   @ValidateIf((o) => o.type === 'phone')
+//   @IsString({ message: '手机号必须输入' })
+//   @Length(11, 11, { message: '手机号异常' }) // 中国大陆，11位数字
+//   phone?: string;
+
+//   @ValidateIf((o) => o.type === 'email')
+//   @IsString({ message: '邮箱必须输入' })
+//   @Length(6, 254, { message: '邮箱异常' }) // RFC 5321
+//   email?: string;
+
+//   @ValidateIf((o) => o.type === 'phone' || o.type === 'email')
+//   @IsString({ message: '验证码必须输入' })
+//   @Length(6, 6, { message: '验证码异常' }) // 6位数字
+//   code?: string;
+// }
+
+export class LoginByPasswordDto {
+  @IsString({ message: '账户必须输入' })
+  @Length(1, 254, { message: '账户异常' }) // 用户名、邮箱、手机号
+  identifier: string;
+
+  @IsString({ message: '密码必须输入' })
+  @Length(6, 32, { message: '密码异常' }) // 6-32位
+  password: string;
+}

apps/backend/src/auth/dto/passkey-login.dto.ts

@@ -0,0 +1,6 @@
+import { IsObject } from "class-validator";
+
+export class PasskeyLoginDto {
+    @IsObject()
+    credentialResponse: any;
+}

apps/backend/src/auth/dto/passkey-register.dto.ts

@@ -0,0 +1,9 @@
+import { IsObject, IsString } from "class-validator";
+
+export class PasskeyRegisterDto {
+    @IsObject()
+    credentialResponse: any;
+
+    @IsString({ message: '通行证名称只能是字符串' })
+    name: string;
+}

apps/backend/src/auth/dto/sms-login.dto.ts

@@ -0,0 +1,13 @@
+import { IsPhoneNumber, Matches } from "class-validator";
+
+export class SmsLoginDto {
+    @IsPhoneNumber('CN', {
+        message: '请输入有效的中国大陆手机号',
+    })
+    phone: string;
+
+    @Matches(/^\d{6}$/, {
+        message: '验证码必须是6位数字',
+    })
+    code: string;
+}

apps/backend/src/auth/entity/passkey-credential.entity.ts

@@ -0,0 +1,36 @@
+import { User } from "src/user/entities/user.entity";
+import { Column, CreateDateColumn, Entity, Index, ManyToOne, PrimaryGeneratedColumn, UpdateDateColumn } from "typeorm";
+
+@Entity()
+@Index(['user'])
+export class PasskeyCredential {
+    @PrimaryGeneratedColumn('uuid')
+    id: string;
+
+    // 关联用户
+    @ManyToOne(() => User, user => user.passkeys, { onDelete: 'CASCADE' })
+    user: User;
+
+    // WebAuthn 必需字段
+    @Column({ length: 255 })
+    name: string; // 用户自定义名称，如 "iPhone", "工作笔记本"
+
+    @Column({ unique: true })
+    credentialId: string; // Base64URL 编码的 credentialId（唯一标识）
+
+    @Column({ type: 'text' })
+    publicKey: string; // Base64URL 编码的公钥（SPKI 格式）
+
+    @Column({ type: 'int' })
+    signCount: number; // 防重放攻击，每次签名递增
+
+    // 是否已验证（注册时验证，登录时更新）
+    @Column({ default: false })
+    verified: boolean;
+
+    @CreateDateColumn()
+    createdAt: Date;
+
+    @UpdateDateColumn()
+    updatedAt: Date;
+}

apps/backend/src/auth/entity/user-session.entity.ts

@@ -3,29 +3,23 @@ import {
   CreateDateColumn,
   DeleteDateColumn,
   Entity,
-  Index,
   PrimaryGeneratedColumn,
 } from 'typeorm';
 
 @Entity()
-@Index(['sessionId', 'userId'])
 export class UserSession {
   @PrimaryGeneratedColumn('uuid')
-  id: string;
-
-  @Column({ length: 36 })
   sessionId: string;
 
   @Column({ length: 36 })
   userId: string;
 
+  @Column({ nullable: true })
+  disabledReason?: string;
+
   @CreateDateColumn({ precision: 3 })
   createdAt: Date;
 
   @DeleteDateColumn({ nullable: true, precision: 3 })
   deletedAt: Date;
 }
-
-/**
- * 考虑是否使用sessionId代替id，以节省存储空间
- */

apps/backend/src/auth/guards/auth.guard.ts

@@ -0,0 +1,34 @@
+// auth.guard.ts
+import { Injectable, CanActivate, ExecutionContext, UnauthorizedException } from '@nestjs/common';
+import { Request } from 'express';
+import { UserSessionService } from 'src/auth/service/user-session.service';
+
+@Injectable()
+export class AuthGuard implements CanActivate {
+    constructor(
+        private userSessionService: UserSessionService,
+    ) { }
+
+    async canActivate(context: ExecutionContext): Promise<boolean> {
+        const request = context.switchToHttp().getRequest<Request>();
+
+        // 从 Cookie 读取 session
+        const sessionId = request.cookies?.['session'];
+        if (!sessionId) {
+            throw new UnauthorizedException('登陆凭证无效，请重新登陆');
+        }
+
+        // 验证 session
+        const session = await this.userSessionService.getSession(sessionId);
+        if (!session) {
+            throw new UnauthorizedException('登陆凭证无效，请重新登陆');
+        }
+
+        const { userId } = session;
+        request.user = {
+            sessionId,
+            userId,
+        };
+        return true;
+    }
+}

apps/backend/src/auth/guards/optional-auth.guard.ts

@@ -0,0 +1,16 @@
+import { ExecutionContext, Injectable } from "@nestjs/common";
+import { AuthGuard } from "./auth.guard";
+
+@Injectable()
+export class OptionalAuthGuard extends AuthGuard {
+    async canActivate(context: ExecutionContext): Promise<boolean> {
+        try {
+            return await super.canActivate(context);
+        } catch (error) {
+            // 验证失败时，req.user = null，但允许继续
+            const request = context.switchToHttp().getRequest();
+            request.user = null;
+            return true;
+        }
+    }
+}

apps/backend/src/auth/service/passkey.service.ts

@@ -0,0 +1,249 @@
+import { BadRequestException, Injectable, InternalServerErrorException, NotFoundException, OnModuleDestroy, OnModuleInit } from "@nestjs/common";
+import { InjectRepository } from "@nestjs/typeorm";
+import { PasskeyCredential } from "../entity/passkey-credential.entity";
+import { Repository } from "typeorm";
+import { User } from "src/user/entities/user.entity";
+import { randomBytes } from 'crypto';
+import { generateAuthenticationOptions, GenerateAuthenticationOptionsOpts, generateRegistrationOptions, GenerateRegistrationOptionsOpts, VerifiedAuthenticationResponse, VerifiedRegistrationResponse, verifyAuthenticationResponse, verifyRegistrationResponse } from "@simplewebauthn/server";
+import { isoBase64URL } from '@simplewebauthn/server/helpers';
+
+interface ChallengeEntry {
+    value: string;
+    expiresAt: number;
+}
+
+class MemoryChallengeStore {
+    private store = new Map<string, ChallengeEntry>();
+    private cleanupInterval: NodeJS.Timeout | null = null;
+
+    constructor(private ttlMs: number = 5 * 60 * 100) {
+        this.startCleanup();
+    }
+
+    set(key: string, value: string): void {
+        this.store.set(key, {
+            value,
+            expiresAt: Date.now() + this.ttlMs,
+        });
+    }
+
+    get(key: string): string | null {
+        const entry = this.store.get(key);
+        if (!entry) return null;
+        if (Date.now() > entry.expiresAt) {
+            this.store.delete(key);
+            return null;
+        }
+        return entry.value;
+    }
+
+    delete(key: string): void {
+        this.store.delete(key);
+    }
+
+    private startCleanup(): void {
+        this.cleanupInterval = setInterval(() => {
+            const now = Date.now();
+            for (const [key, entry] of this.store.entries()) {
+                if (now > entry.expiresAt) {
+                    this.store.delete(key);
+                }
+            }
+        }, 60_000); // 每分钟清理一次
+    }
+
+    stopCleanup(): void {
+        if (this.cleanupInterval) {
+            clearInterval(this.cleanupInterval);
+            this.cleanupInterval = null;
+        }
+    }
+}
+
+const registrationChallenges = new MemoryChallengeStore(5 * 60 * 1000); // 5 分钟过期
+const authenticationChallenges = new MemoryChallengeStore(5 * 60 * 1000);
+
+
+@Injectable()
+export class PasskeyService implements OnModuleDestroy {
+
+    private readonly rpID: string;
+    private readonly origin: string;
+    private readonly rpName: string;
+
+    constructor(
+        @InjectRepository(PasskeyCredential)
+        private readonly passkeyRepo: Repository<PasskeyCredential>,
+        @InjectRepository(User)
+        private readonly userRepository: Repository<User>,
+    ) {
+        this.rpID = process.env.WEBAUTHN_RP_ID;
+        this.origin = process.env.WEBAUTHN_ORIGIN;
+        this.rpName = process.env.WEBAUTHN_RP_NAME;
+
+        if (!this.rpID || !this.origin || !this.rpName) {
+            throw new Error('Missing required env: WEBAUTHN_RP_ID or WEBAUTHN_ORIGIN');
+        }
+    }
+
+    onModuleDestroy() {
+        registrationChallenges.stopCleanup();
+        authenticationChallenges.stopCleanup();
+    }
+
+    private generateChallenge(length: number = 32): string {
+        return randomBytes(length).toString('base64');
+    }
+
+    async getRegistrationOptions(userId: string) {
+        const user = await this.userRepository.findOneBy({ userId });
+        if (!user) {
+            throw new NotFoundException('用户不存在');
+        }
+
+        const challenge = this.generateChallenge();
+
+        const opts: GenerateRegistrationOptionsOpts = {
+            rpName: this.rpName,
+            rpID: this.rpID,
+            userID: Buffer.from(userId),
+            userName: user.username || 'user',
+            userDisplayName: user.nickname || 'User',
+            challenge,
+            authenticatorSelection: {
+                residentKey: 'required', // 必须是可发现凭证（Passkey）
+                userVerification: 'preferred',
+            },
+            supportedAlgorithmIDs: [-7], // ES256
+            timeout: 60000,
+        };
+
+        const options = await generateRegistrationOptions(opts);
+        registrationChallenges.set(userId, options.challenge)
+        return options;
+    }
+
+    async register(userId: string, credentialResponse: any, name: string): Promise<PasskeyCredential> {
+        const expectedChallenge = registrationChallenges.get(userId);
+        if (!expectedChallenge) {
+            throw new BadRequestException('注册失败，请重试');
+        }
+
+        let verification: VerifiedRegistrationResponse;
+        try {
+            verification = await verifyRegistrationResponse({
+                response: credentialResponse,
+                expectedChallenge,
+                expectedOrigin: this.origin,
+                expectedRPID: this.rpID,
+                requireUserVerification: false,
+            });
+        } catch (err) {
+            throw new BadRequestException('注册失败');
+        }
+
+        if (!verification.verified) {
+            throw new BadRequestException('注册失败');
+        }
+
+        const { credential } = verification.registrationInfo;
+        if (!credential) {
+            throw new InternalServerErrorException('服务器内部错误');
+        }
+
+        // 保存凭证到数据库
+        const passkey = this.passkeyRepo.create({
+            user: { userId } as User,
+            name: name || '新的通行证',
+            credentialId: credential.id,
+            publicKey: isoBase64URL.fromBuffer(credential.publicKey),
+            signCount: credential.counter,
+            verified: true,
+        });
+
+        await this.passkeyRepo.save(passkey);
+        registrationChallenges.delete(userId);
+
+        return passkey;
+    }
+
+    async getAuthenticationOptions(sessionId: string) {
+        const challenge = this.generateChallenge();
+        const opts: GenerateAuthenticationOptionsOpts = {
+            rpID: this.rpID,
+            challenge,
+            timeout: 60000,
+            userVerification: 'preferred',
+        };
+
+        const options = await generateAuthenticationOptions(opts);
+        authenticationChallenges.set(sessionId, options.challenge);
+        return options;
+    }
+
+    async login(sessionId: string, credentialResponse: any): Promise<User> {
+        const expectedChallenge = authenticationChallenges.get(sessionId);
+        if (!expectedChallenge) {
+            throw new BadRequestException('认证失败，请重试');
+        }
+
+        const credentialId = credentialResponse.id;
+        const passkey = await this.passkeyRepo.findOne({
+            where: { credentialId, verified: true },
+            relations: ['user'],
+        });
+
+        if (!passkey) {
+            throw new NotFoundException('未找到可用的通行证');
+        }
+
+        let verification: VerifiedAuthenticationResponse;
+        try {
+            verification = await verifyAuthenticationResponse({
+                response: credentialResponse,
+                expectedChallenge,
+                expectedOrigin: this.origin,
+                expectedRPID: this.rpID,
+                credential: {
+                    id: passkey.credentialId,
+                    publicKey: isoBase64URL.toBuffer(passkey.publicKey),
+                    counter: passkey.signCount,
+                },
+                requireUserVerification: false,
+            });
+        } catch (err) {
+            throw new BadRequestException('认证失败');
+        }
+
+        if (!verification.verified) {
+            throw new BadRequestException('认证失败');
+        }
+
+        const newSignCount = verification.authenticationInfo.newCounter;
+        if (newSignCount !== passkey.signCount) {
+            passkey.signCount = newSignCount;
+            await this.passkeyRepo.save(passkey);
+        }
+
+        authenticationChallenges.delete(sessionId);
+        return passkey.user;
+    }
+
+    async listUserPasskeys(userId: string): Promise<PasskeyCredential[]> {
+        return this.passkeyRepo.find({
+            where: { user: { userId }, verified: true },
+            select: ['id', 'name', 'createdAt'],
+        });
+    }
+
+    async removePasskey(userId: string, passkeyId: string): Promise<void> {
+        const result = await this.passkeyRepo.delete({
+            id: passkeyId,
+            user: { userId },
+        });
+
+        if (result.affected === 0) {
+            throw new NotFoundException('未找到对应的通行证');
+        }
+    }
+}

apps/backend/src/auth/service/user-session.service.ts

@@ -0,0 +1,39 @@
+import { InjectRepository } from '@nestjs/typeorm';
+import { Injectable } from '@nestjs/common';
+import { UserSession } from '../entity/user-session.entity';
+import { Repository } from 'typeorm';
+
+@Injectable()
+export class UserSessionService {
+  constructor(
+    @InjectRepository(UserSession)
+    private readonly userSessionRepository: Repository<UserSession>,
+  ) { }
+
+  async createSession(userId: string): Promise<UserSession> {
+    const session = this.userSessionRepository.create({
+      userId,
+    });
+    return this.userSessionRepository.save(session);
+  }
+
+  async getSession(sessionId: string) {
+    const session = await this.userSessionRepository.findOne({
+      where: {
+        sessionId,
+      },
+    });
+
+    return session;
+  }
+
+  async invalidateSession(sessionId: string, reason?: string): Promise<void> {
+    await this.userSessionRepository.update(
+      { sessionId, deletedAt: null },
+      {
+        deletedAt: new Date(),
+        disabledReason: reason || null,
+      }
+    )
+  }
+}

apps/backend/src/blog/blog.controller.ts

@@ -11,11 +11,13 @@ import {
   UseGuards,
 } from '@nestjs/common';
 import { BlogService } from './blog.service';
-import { OptionalAuthGuard } from 'src/auth/strategies/OptionalAuthGuard';
 import { UserService } from 'src/user/user.service';
 import { createBlogCommentDto } from './dto/create.blogcomment.dto';
 import { Throttle, ThrottlerGuard } from '@nestjs/throttler';
 import { BlogPermission } from './blog.permission.enum';
+import { OptionalAuthGuard } from 'src/auth/guards/optional-auth.guard';
+import { AuthUser, CurrentUser } from 'src/auth/decorator/current-user.decorator';
+import { Request } from 'express';
 
 @Controller('blog')
 export class BlogController {
@@ -29,12 +31,16 @@ export class BlogController {
     return this.blogService.list();
   }
 
-  @Get(':id')
-  async getBlog(
-    @Param('id', new ParseUUIDPipe({ version: '4' })) id: string,
+  @Get(':id/slug')
+  async getBlogBySlug(
+    @Param('id') slug: string,
     @Query('p') password?: string,
   ) {
-    const blog = await this.blogService.findById(id);
+    if (slug.trim().length === 0) {
+      throw new BadRequestException('文章不存在');
+    }
+    
+    const blog = await this.blogService.findBySlug(slug);
     if (!blog) throw new BadRequestException('文章不存在或无权限访问');
 
     if (!blog.permissions.includes(BlogPermission.Public)) {
@@ -44,7 +50,7 @@ export class BlogController {
       } else {
         // 判断密码是否正确
         if (
-          !password ||
+          typeof password !== 'string' ||
           this.blogService.hashPassword(password) !== blog.password_hash
         ) {
           throw new BadRequestException('文章不存在或无权限访问');
@@ -55,10 +61,11 @@ export class BlogController {
     const blogDataRes = await fetch(`${blog.contentUrl}`);
     const blogContent = await blogDataRes.text();
 
-    await this.blogService.incrementViewCount(id);
+    this.blogService.incrementViewCount(blog.id).catch(() => null);
     return {
       id: blog.id,
       title: blog.title,
+      description: blog.description,
       createdAt: blog.createdAt,
       content: blogContent,
     };
@@ -73,7 +80,10 @@ export class BlogController {
 
     /** @todo 对文章可读性进行更详细的判定 */
 
-    if (!blog.permissions.includes(BlogPermission.Public) && !blog.permissions.includes(BlogPermission.ByPassword)) {
+    if (
+      !blog.permissions.includes(BlogPermission.Public) &&
+      !blog.permissions.includes(BlogPermission.ByPassword)
+    ) {
       throw new BadRequestException('文章不存在或未公开');
     }
 
@@ -82,14 +92,15 @@ export class BlogController {
 
   // 该接口允许匿名评论，但仍需验证userId合法性
   @UseGuards(ThrottlerGuard, OptionalAuthGuard)
-  @Throttle({ default: { limit: 5, ttl: 60000 } })
+  @Throttle({ default: { limit: 20, ttl: 60000 } })
   @Post(':id/comment')
   async createBlogComment(
     @Param('id', new ParseUUIDPipe({ version: '4' })) id: string,
     @Body() commentData: createBlogCommentDto,
-    @Req() req,
+    @Req() req: Request,
+    @CurrentUser() authUser: AuthUser,
   ) {
-    const { userId } = req.user || {};
+    const { userId } = (authUser ?? {}) as { userId: string | undefined };
     const blog = await this.blogService.findById(id);
     if (!blog) throw new BadRequestException('文章不存在');
 
@@ -97,9 +108,9 @@ export class BlogController {
       throw new BadRequestException('作者关闭了该文章的评论功能');
     }
 
-    const user = userId ? await this.userService.findById(userId) : null;
+    const user = userId ? await this.userService.findOne({ userId }) : null;
 
-    const ip = req.headers['x-forwarded-for'] || req.ip;
+    const ip = `${req.headers['x-forwarded-for'] || req.ip}`;
     // 获取IP归属地
     let address = '未知';
     if (!['::1'].includes(ip)) {

apps/backend/src/blog/blog.service.ts

@@ -35,13 +35,15 @@ export class BlogService {
           return i;
         }
 
-        const { createdAt, deletedAt, id, title, viewCount } = i;
+        const { createdAt, updatedAt, id, title, viewCount, description, slug } = i;
         return {
           createdAt,
-          deletedAt,
+          updatedAt,
           id,
           title,
+          slug,
           viewCount,
+          description,
         };
       });
   }
@@ -55,6 +57,9 @@ export class BlogService {
           .digest('hex');
       }
     }
+    if (typeof blog.slug === 'string' && blog.slug.trim().length === 0) {
+      blog.slug = null;
+    }
 
     const newBlog = this.blogRepository.create(blog);
     return this.blogRepository.save(newBlog);
@@ -91,6 +96,12 @@ export class BlogService {
     return await this.blogRepository.findOneBy({ id });
   }
 
+  async findBySlug(slug: string) {
+    return this.blogRepository.findOne({
+      where: { slug }
+    })
+  }
+
   async incrementViewCount(id: string) {
     await this.blogRepository.increment({ id }, 'viewCount', 1);
   }
@@ -104,30 +115,36 @@ export class BlogService {
       },
     });
 
-    return comments.map(comment => {
-      const { blog, user, ...rest } = comment;
+    return comments.map((comment) => {
+      const { user, ...rest } = comment;
+      delete rest.blog;
       return {
         ...rest,
-        user: user ? {
+        user: user
+          ? {
             userId: user.userId,
             username: user.username,
             nickname: user.nickname,
-        } : null,
           }
-    })
+          : null,
+      };
+    });
   }
 
   async createComment(comment: Partial<BlogComment>) {
     const newComment = this.blogCommentRepository.create(comment);
     const savedComment = await this.blogCommentRepository.save(newComment, {});
-    const { blog, user, ...commentWithoutBlog } = savedComment;
+    const { user, ...commentWithoutBlog } = savedComment;
+    delete commentWithoutBlog.blog;
     return {
       ...commentWithoutBlog,
-      user: user ? {
+      user: user
+        ? {
           userId: user.userId,
           username: user.username,
           nickname: user.nickname,
-      } : null,
+        }
+        : null,
     };
   }
 

apps/backend/src/blog/entity/Blog.entity.ts

@@ -16,6 +16,9 @@ export class Blog {
   @PrimaryGeneratedColumn('uuid')
   id: string;
 
+  @Column({ unique: true, nullable: true })
+  slug: string;
+
   @Column()
   title: string;
 

apps/backend/src/captcha/captcha.controller.spec.ts

@@ -0,0 +1,18 @@
+import { Test, TestingModule } from '@nestjs/testing';
+import { CaptchaController } from './captcha.controller';
+
+describe('CaptchaController', () => {
+  let controller: CaptchaController;
+
+  beforeEach(async () => {
+    const module: TestingModule = await Test.createTestingModule({
+      controllers: [CaptchaController],
+    }).compile();
+
+    controller = module.get<CaptchaController>(CaptchaController);
+  });
+
+  it('should be defined', () => {
+    expect(controller).toBeDefined();
+  });
+});

apps/backend/src/captcha/captcha.controller.ts

@@ -0,0 +1,10 @@
+import { Controller, Get } from '@nestjs/common';
+import { GetCaptchaDto } from './dto/get-captcha.dto';
+
+@Controller('captcha')
+export class CaptchaController {
+    @Get()
+    async getCaptcha(dto: GetCaptchaDto) {
+        
+    }
+}

apps/backend/src/captcha/captcha.module.ts

@@ -0,0 +1,11 @@
+import { Module } from '@nestjs/common';
+import { CaptchaService } from './captcha.service';
+import { CaptchaController } from './captcha.controller';
+import { CaptchaRateLimitService } from './service/rate-limit';
+
+@Module({
+  providers: [CaptchaService, CaptchaRateLimitService],
+  controllers: [CaptchaController],
+  imports: [],
+})
+export class CaptchaModule { }

apps/backend/src/captcha/captcha.service.spec.ts

@@ -0,0 +1,18 @@
+import { Test, TestingModule } from '@nestjs/testing';
+import { CaptchaService } from './captcha.service';
+
+describe('CaptchaService', () => {
+  let service: CaptchaService;
+
+  beforeEach(async () => {
+    const module: TestingModule = await Test.createTestingModule({
+      providers: [CaptchaService],
+    }).compile();
+
+    service = module.get<CaptchaService>(CaptchaService);
+  });
+
+  it('should be defined', () => {
+    expect(service).toBeDefined();
+  });
+});

apps/backend/src/captcha/captcha.service.ts

@@ -0,0 +1,27 @@
+import { Injectable } from '@nestjs/common';
+import { ErrorCode } from 'src/common/constants/error-codes';
+import { BusinessException } from 'src/common/exceptions/business.exception';
+
+export enum CaptchaContext {
+    SEND_SMS = 'send_sms',
+    PASSKEY = 'passkey',
+}
+
+@Injectable()
+export class CaptchaService {
+    public async generate(context: CaptchaContext, ip: string, userId?: string) {
+        await this.checkRateLimit(ip, context)
+    }
+
+    public async verify(token: string, ip: string, userId?: string) {
+
+    }
+
+    private async checkRateLimit(ip: string, context: CaptchaContext) {
+        /** @todo */
+        throw new BusinessException({
+            code: ErrorCode.CAPTCHA_RARE_LIMIT,
+            message: '服务器处理不过来了，过会儿再试试吧',
+        });
+    }
+}

apps/backend/src/captcha/dto/get-captcha.dto.ts

@@ -0,0 +1,16 @@
+import { IsEnum, IsOptional, IsUUID } from "class-validator";
+
+export enum CaptchaContext {
+    SEND_SMS = 'send_sms',
+    PASSKEY = 'passkey',
+}
+
+export class GetCaptchaDto {
+
+    @IsEnum(CaptchaContext, { message: '无效的context' })
+    context: string;
+
+    @IsOptional()
+    @IsUUID('4', { message: 'userId不合法' })
+    userId?: string;
+}

apps/backend/src/captcha/service/rate-limit.ts

@@ -0,0 +1,3 @@
+export class CaptchaRateLimitService {
+
+}

apps/backend/src/common/common.module.ts

@@ -0,0 +1,10 @@
+import { Module } from '@nestjs/common';
+import { RolesGuard } from './guard/roles.guard';
+import { UserModule } from 'src/user/user.module';
+
+@Module({
+    providers: [RolesGuard],
+    imports: [UserModule],
+    exports: [RolesGuard],
+})
+export class CommonModule { }

apps/backend/src/common/constants/error-codes.ts

@@ -0,0 +1,47 @@
+/**
+ * 全局业务错误码规范：
+ * - 每个模块分配一个 1000 起始的段（如 USER: -1000~1999, AUTH: -2000~2999）
+ * - 代码结构：{ 模块名大写 }_{ 错误语义 }
+ */
+
+export const ErrorCode = {
+    // 通用错误（0 ~ 999）
+    COMMON_INTERNAL_ERROR: -1,
+    COMMON_INVALID_PARAM: -2,
+    COMMON_NOT_FOUND: -3,
+
+    // 用户模块（1000 ~ 1999）
+    USER_NOT_FOUND: -1001,
+    USER_ALREADY_EXISTS: -1002,
+    USER_ACCOUNT_DISABLED: -1003,
+    USER_FIND_OPTIONS_EMPTY: -1004,
+    USER_ACCOUNT_DEACTIVATED: -1005,
+
+    // 认证模块
+    AUTH_INVALID_CREDENTIALS: -2001,
+    AUTH_PASSKEY_NOT_REGISTERED: -2002,
+    AUTH_SESSION_EXPIRED: -2003,
+
+    // 博客模块
+    BLOG_NOT_FOUND: -3001,
+    BLOG_PERMISSION_DENIED: -3002,
+
+    // 验证模块
+    CAPTCHA_RARE_LIMIT: -4001,
+
+    // 通知模块
+    NOTIFICATION_SEND_FAILED: -5001,
+
+    // Sms模块
+    SMS_CODE_INCORRECT: -6001,
+    SMS_CODE_EXPIRED: -6002,
+
+    // 资源模块
+    RESOURCE_UPLOAD_FAILED: -7001,
+    RESOURCE_NOT_FOUND: -7002,
+
+    // 管理员模块
+    ADMIN_FORBIDDEN: -8001,
+} as const;
+
+export type ErrorCodeType = typeof ErrorCode[keyof typeof ErrorCode];

apps/backend/src/common/exceptions/business.exception.ts

@@ -0,0 +1,22 @@
+import { HttpStatus } from '@nestjs/common';
+
+export class BusinessException {
+
+    public statusCode: HttpStatus;
+    public message: string;
+    public code: number;
+    public data: any;
+
+    constructor(args: {
+        statusCode?: HttpStatus,
+        message?: string,
+        code?: number,
+        data?: any,
+    }) {
+        const { statusCode, message, code, data } = args;
+        this.statusCode = statusCode || HttpStatus.BAD_REQUEST;
+        this.message = message || '请求错误';
+        this.code = code || -1;
+        this.data = data || null;
+    }
+}

apps/backend/src/common/filters/global.exceptions.filter.ts

@@ -0,0 +1,56 @@
+import { ArgumentsHost, ExceptionFilter, HttpException, HttpStatus, Logger } from "@nestjs/common";
+import { Request, Response } from "express";
+import { BusinessException } from "../exceptions/business.exception";
+
+export class GlobalExceptionsFilter implements ExceptionFilter {
+    catch(exception: any, host: ArgumentsHost) {
+        const ctx = host.switchToHttp();
+        const response = ctx.getResponse<Response>();
+        const request = ctx.getRequest<Request>();
+
+        let statusCode = HttpStatus.INTERNAL_SERVER_ERROR;
+        let errorResponse = {
+            success: false,
+            message: '服务器内部错误',
+            code: -1,
+            data: null as any,
+        };
+
+        if (exception instanceof BusinessException) {
+            statusCode = exception.statusCode;
+            const { message, code, data } = exception;
+            errorResponse = {
+                ...errorResponse,
+                message, code, data,
+            }
+        } else if (exception instanceof HttpException) {
+            // 当HttpException传入类型为string时，响应data为null，message为传入的string
+            // 其他请况（object/number），响应为传入数据，message为HttpException的错误码
+            statusCode = exception.getStatus();
+            const exceptionResponse = exception.getResponse() as Record<string, any>;
+            if (exceptionResponse.message) {
+                errorResponse.message = exceptionResponse.message;
+            } else {
+                errorResponse.message = '请求失败';
+                errorResponse.data = exceptionResponse;
+            }
+
+            if (statusCode === HttpStatus.UNAUTHORIZED && request.cookies?.['session']) {
+                response.clearCookie('session', {
+                    httpOnly: true,
+                    secure: process.env.NODE_ENV === 'production',
+                    sameSite: 'lax',
+                    path: '/',
+                });
+            }
+
+            if (statusCode === HttpStatus.TOO_MANY_REQUESTS) {
+                errorResponse.message = '请求过于频繁，请稍后再试';
+            }
+        } else {
+            Logger.warn(exception, request.path);
+        }
+
+        response.status(statusCode).json(errorResponse);
+    }
+}

apps/backend/src/common/guard/roles.guard.ts

@@ -0,0 +1,59 @@
+import {
+  CanActivate,
+  ExecutionContext,
+  ForbiddenException,
+  Injectable,
+  InternalServerErrorException,
+  Logger,
+  UnauthorizedException,
+} from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { Request } from 'express';
+import { AuthUser } from 'src/auth/decorator/current-user.decorator';
+import { Role } from 'src/auth/role.enum';
+import { UserService } from 'src/user/user.service';
+
+@Injectable()
+export class RolesGuard implements CanActivate {
+
+  private logger = new Logger(RolesGuard.name);
+
+  constructor(
+    private reflector: Reflector,
+    private readonly userService: UserService,
+  ) { }
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const requiredRoles = this.reflector.getAllAndOverride<Role[] | undefined>(
+      'roles',
+      [context.getHandler(), context.getClass()],
+    );
+
+    if (!requiredRoles) return true;
+
+    const request = context.switchToHttp().getRequest<Request>();
+    const authUser = request.user as AuthUser;
+
+    if (!authUser) {
+      this.logger.warn(
+        `Path: ${request.path} has RolesGuard enabled, but it seems AuthGuard was forgotten.`
+      )
+      throw new InternalServerErrorException('服务器内部错误');
+    }
+
+    const { userId } = authUser;
+    const user = await this.userService.findOne({ userId })
+    if (!user) {
+      this.logger.warn(
+        `UserId: ${user.userId} has a valid login credential, but the user information does not exist.`
+      )
+      throw new UnauthorizedException('用户不存在');
+    }
+
+    if (!requiredRoles.some((role) => user.roles.includes(role))) {
+      throw new ForbiddenException('权限不足');
+    }
+
+    return true;
+  }
+}

apps/backend/src/common/interceptors/response.interceptor.ts

@@ -15,7 +15,8 @@ export class ResponseInterceptor implements NestInterceptor {
   ): Observable<any> | Promise<Observable<any>> {
     return next.handle().pipe(
       map((data) => ({
-        statusCode: 200,
+        success: true,
+        code: 0,
         message: '请求成功',
         data,
       })),

apps/backend/src/common/types/express/index.d.ts

@@ -0,0 +1,9 @@
+import { AuthUser } from "src/auth/decorator/current-user.decorator";
+
+declare global {
+  namespace Express {
+    interface Request {
+      user?: AuthUser;
+    }
+  }
+}

apps/backend/src/data-source.ts

@@ -0,0 +1,20 @@
+import 'reflect-metadata';
+import { DataSource } from 'typeorm';
+import * as dotenv from 'dotenv';
+
+dotenv.config();
+
+export const AppDataSource = new DataSource({
+    type: 'postgres',
+    host: process.env.DATABASE_HOST,
+    port: Number(process.env.DATABASE_PORT ?? 5432),
+    username: process.env.DATABASE_USERNAME,
+    password: process.env.DATABASE_PASSWORD,
+    database: process.env.DATABASE_NAME,
+
+    synchronize: false,
+    logging: false,
+
+    entities: ['dist/**/*.entity.js'],
+    migrations: ['dist/migrations/*.js'],
+});

apps/backend/src/main.ts

@@ -2,9 +2,13 @@ import { NestFactory } from '@nestjs/core';
 import { AppModule } from './app.module';
 import { BadRequestException, ValidationPipe } from '@nestjs/common';
 import { ResponseInterceptor } from './common/interceptors/response.interceptor';
+import { GlobalExceptionsFilter } from './common/filters/global.exceptions.filter';
+import * as cookieParser from 'cookie-parser';
 
 async function bootstrap() {
   const app = await NestFactory.create(AppModule);
+  app.use(cookieParser());
+  app.setGlobalPrefix('api');
   app.useGlobalPipes(
     new ValidationPipe({
       transform: true,
@@ -17,15 +21,12 @@ async function bootstrap() {
           ? Object.values(error.constraints)[0]
           : '验证失败';
 
-        throw new BadRequestException({
-          message: firstConstraint,
-          error: 'Bad Request',
-          statusCode: 400,
-        });
+        throw new BadRequestException(firstConstraint);
       },
     }),
   );
   app.useGlobalInterceptors(new ResponseInterceptor());
+  app.useGlobalFilters(new GlobalExceptionsFilter());
   await app.listen(process.env.PORT ?? 3001);
 }
 bootstrap();

apps/backend/src/migrations/1766809565876-AddSlugToBlog.ts

@@ -0,0 +1,16 @@
+import { MigrationInterface, QueryRunner } from "typeorm";
+
+export class AddSlugToBlog1766809565876 implements MigrationInterface {
+    name = 'AddSlugToBlog1766809565876'
+
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`ALTER TABLE "blog" ADD "slug" character varying`);
+        await queryRunner.query(`ALTER TABLE "blog" ADD CONSTRAINT "UQ_0dc7e58d73a1390874a663bd599" UNIQUE ("slug")`);
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`ALTER TABLE "blog" DROP CONSTRAINT "UQ_0dc7e58d73a1390874a663bd599"`);
+        await queryRunner.query(`ALTER TABLE "blog" DROP COLUMN "slug"`);
+    }
+
+}

apps/backend/src/notification/notification.service.ts

@@ -8,18 +8,18 @@ import Credential, { Config } from '@alicloud/credentials';
 
 @Injectable()
 export class NotificationService {
-  private dm: Dm20151123;
+  // private dm: Dm20151123;
 
   constructor() {
-    const credentialsConfig = new Config({
-      type: 'access_key',
-      accessKeyId: process.env.ALIYUN_ACCESS_KEY_ID,
-      accessKeySecret: process.env.ALIYUN_ACCESS_KEY_SECRET,
-    });
-    const credential = new Credential(credentialsConfig);
-    const config = new $OpenApi.Config({ credential });
-    config.endpoint = 'dm.aliyuncs.com';
-    this.dm = new Dm20151123(config);
+    // const credentialsConfig = new Config({
+    //   type: 'access_key',
+    //   accessKeyId: process.env.ALIYUN_ACCESS_KEY_ID,
+    //   accessKeySecret: process.env.ALIYUN_ACCESS_KEY_SECRET,
+    // });
+    // const credential = new Credential(credentialsConfig);
+    // const config = new $OpenApi.Config({ credential });
+    // config.endpoint = 'dm.aliyuncs.com';
+    // this.dm = new Dm20151123(config);
   }
 
   private getMailHtmlBody(option: { type: 'login-verify'; code: string }) {
@@ -86,27 +86,28 @@ export class NotificationService {
     targetMail: string;
     code: string;
   }) {
-    const runtime = new $Util.RuntimeOptions({});
+    // const runtime = new $Util.RuntimeOptions({});
 
-    const singleSendMailRequest = new $Dm20151123.SingleSendMailRequest({
-      accountName: 'security@tonesc.cn',
-      addressType: 1,
-      replyToAddress: false,
-      toAddress: `${option.targetMail}`,
-      subject: '【特恩的日志】登陆验证码',
-      htmlBody: this.getMailHtmlBody({
-        type: 'login-verify',
-        code: option.code,
-      }),
-      textBody: '',
-    });
+    // const singleSendMailRequest = new $Dm20151123.SingleSendMailRequest({
+    //   accountName: 'security@tonesc.cn',
+    //   addressType: 1,
+    //   replyToAddress: false,
+    //   toAddress: `${option.targetMail}`,
+    //   subject: '【特恩的日志】登陆验证码',
+    //   htmlBody: this.getMailHtmlBody({
+    //     type: 'login-verify',
+    //     code: option.code,
+    //   }),
+    //   textBody: '',
+    // });
 
-    try {
-      await this.dm.singleSendMailWithOptions(singleSendMailRequest, runtime);
-    } catch (error) {
-      console.error(error);
-      throw new BadRequestException('邮件发送失败');
-    }
+    // try {
+    //   await this.dm.singleSendMailWithOptions(singleSendMailRequest, runtime);
+    // } catch (error) {
+    //   console.error(error);
+    //   throw new BadRequestException('邮件发送失败');
+    // }
+    throw new Error('not implement')
   }
 
   /**

apps/backend/src/oss/oss.controller.ts

@@ -0,0 +1,19 @@
+import { Controller, Get, UseGuards } from '@nestjs/common';
+import { OssService } from './oss.service';
+import { AuthGuard } from 'src/auth/guards/auth.guard';
+import { AuthUser, CurrentUser } from 'src/auth/decorator/current-user.decorator';
+
+@Controller('oss')
+export class OssController {
+  constructor(private readonly ossService: OssService) { }
+
+  @UseGuards(AuthGuard)
+  @Get('sts')
+  async getStsToken(@CurrentUser() user: AuthUser) {
+    const { userId } = user;
+    return {
+      ...(await this.ossService.getStsToken(`${userId}`)),
+      userId,
+    };
+  }
+}

apps/backend/src/oss/oss.module.ts

@@ -1,9 +1,12 @@
 import { Module } from '@nestjs/common';
 import { OssService } from './oss.service';
 import { OssController } from './oss.controller';
+import { AuthModule } from 'src/auth/auth.module';
+import { UserModule } from 'src/user/user.module';
 
 @Module({
   providers: [OssService],
   controllers: [OssController],
+  imports: [AuthModule, UserModule],
 })
 export class OssModule { }

apps/backend/src/resource/entity/resource.entity.ts

@@ -39,3 +39,12 @@ export class Resource {
   @UpdateDateColumn({ precision: 3 })
   updatedAt: Date;
 }
+
+export interface PublicResource {
+  id: string;
+  title: string;
+  description: string;
+  imageUrl: string;
+  link: string;
+  tags: ResourceTag[];
+}

apps/backend/src/resource/resource.module.ts

@@ -8,6 +8,6 @@ import { Resource } from './entity/resource.entity';
   imports: [TypeOrmModule.forFeature([Resource])],
   controllers: [ResourceController],
   providers: [ResourceService],
-  exports: [ResourceService],
+  exports: [ResourceService, TypeOrmModule.forFeature([Resource])],
 })
 export class ResourceModule {}

apps/backend/src/resource/resource.service.ts

@@ -0,0 +1,21 @@
+import { Injectable } from '@nestjs/common';
+import { Repository } from 'typeorm';
+import { PublicResource, Resource } from './entity/resource.entity';
+import { InjectRepository } from '@nestjs/typeorm';
+
+@Injectable()
+export class ResourceService {
+  constructor(
+    @InjectRepository(Resource)
+    private readonly resourceRepository: Repository<Resource>,
+  ) { }
+
+  async findAll(): Promise<PublicResource[]> {
+    return this.resourceRepository.find({
+      select: ['id', 'title', 'description', 'imageUrl', 'link', 'tags'],
+      order: {
+        updatedAt: 'DESC',
+      },
+    });
+  }
+}

apps/backend/src/sms/dto/send-login-sms.dto.ts

@@ -0,0 +1,6 @@
+import { IsPhoneNumber } from "class-validator";
+
+export class SendLoginSmsDto {
+    @IsPhoneNumber('CN', { message: '请输入有效的中国大陆手机号' })
+    phone: string;
+}

apps/backend/src/sms/entity/sms-record.entity.ts

@@ -0,0 +1,30 @@
+import { Column, CreateDateColumn, Entity, Index, PrimaryGeneratedColumn } from "typeorm";
+
+@Entity()
+@Index('IDX_SMS_PHONE_TYPE', ['phone', 'type'])
+@Index('IDX_SMS_EXPIRED', ['expiredAt'])
+export class SmsRecord {
+    @PrimaryGeneratedColumn('identity')
+    id: number;
+
+    @Column()
+    phone: string;
+
+    @Column()
+    type: string;
+
+    @Column()
+    code: string;
+
+    @Column({ type: 'smallint', default: 0 })
+    tryCount: number;
+
+    @CreateDateColumn({ precision: 3 })
+    createdAt: Date;
+
+    @Column({ type: 'timestamp with time zone', precision: 3 })
+    expiredAt: Date;
+
+    @Column({ type: 'timestamp with time zone', precision: 3, nullable: true })
+    usedAt: Date;
+}

apps/backend/src/sms/sms.controller.spec.ts

@@ -0,0 +1,18 @@
+import { Test, TestingModule } from '@nestjs/testing';
+import { SmsController } from './sms.controller';
+
+describe('SmsController', () => {
+  let controller: SmsController;
+
+  beforeEach(async () => {
+    const module: TestingModule = await Test.createTestingModule({
+      controllers: [SmsController],
+    }).compile();
+
+    controller = module.get<SmsController>(SmsController);
+  });
+
+  it('should be defined', () => {
+    expect(controller).toBeDefined();
+  });
+});

apps/backend/src/sms/sms.controller.ts

@@ -0,0 +1,22 @@
+import { Body, Controller, Post, UseGuards } from '@nestjs/common';
+import { SendLoginSmsDto } from './dto/send-login-sms.dto';
+import { SmsService } from './sms.service';
+import { Throttle, ThrottlerGuard } from '@nestjs/throttler';
+
+@Controller('sms')
+export class SmsController {
+
+    constructor(private readonly smsService: SmsService) { }
+
+    @Post('send/login')
+    @UseGuards(ThrottlerGuard)
+    @Throttle({
+        'min': { limit: 3, ttl: 60 * 1000 },
+        'hour': { limit: 10, ttl: 60 * 60 * 1000 },
+        'day': { limit: 20, ttl: 24 * 60 * 60 * 1000 }
+    })
+    async sendLoginSms(@Body() dto: SendLoginSmsDto) {
+        await this.smsService.sendSms(dto.phone, 'login');
+        return null;
+    }
+}