Add user-scoped Hermes profile access

2026-05-23 18:44:53 +08:00
parent 56e7716302
commit 3f6a25d8f1
54 changed files with 2656 additions and 592 deletions
@@ -3,6 +3,7 @@ import { request } from './client'
 export interface AuthStatus {
  hasPasswordLogin: boolean
  username: string | null
+  hasUsers?: boolean
 }

 export async function fetchAuthStatus(): Promise<AuthStatus> {
@@ -27,6 +28,21 @@ export async function loginWithPassword(username: string, password: string): Pro
  return data.token
 }

+export interface CurrentUser {
+  id: number
+  username: string
+  role: UserRole
+  status: UserStatus
+  created_at: number
+  updated_at: number
+  last_login_at: number | null
+}
+
+export async function fetchCurrentUser(): Promise<CurrentUser> {
+  const res = await request<{ user: CurrentUser }>('/api/auth/me')
+  return res.user
+}
+
 export async function setupPassword(username: string, password: string): Promise<void> {
  return request('/api/auth/setup', {
    method: 'POST',
@@ -54,6 +70,70 @@ export async function removePassword(): Promise<void> {
  })
 }

+export type UserRole = 'super_admin' | 'admin'
+export type UserStatus = 'active' | 'disabled'
+
+export interface ManagedUser {
+  id: number
+  username: string
+  role: UserRole
+  status: UserStatus
+  profiles: string[]
+  default_profile: string | null
+  created_at: number
+  updated_at: number
+  last_login_at: number | null
+}
+
+export interface ManagedUsersResponse {
+  users: ManagedUser[]
+  profiles: string[]
+}
+
+export async function fetchManagedUsers(): Promise<ManagedUsersResponse> {
+  return request<ManagedUsersResponse>('/api/auth/users')
+}
+
+export async function createManagedUser(input: {
+  username: string
+  password: string
+  role: UserRole
+  status: UserStatus
+  profiles: string[]
+  defaultProfile?: string | null
+}): Promise<ManagedUsersResponse> {
+  const res = await request<{ users: ManagedUser[] }>('/api/auth/users', {
+    method: 'POST',
+    body: JSON.stringify(input),
+  })
+  const current = await fetchManagedUsers()
+  return { ...current, users: res.users }
+}
+
+export async function updateManagedUser(id: number, input: {
+  username?: string
+  password?: string
+  role?: UserRole
+  status?: UserStatus
+  profiles?: string[]
+  defaultProfile?: string | null
+}): Promise<ManagedUsersResponse> {
+  const res = await request<{ users: ManagedUser[] }>(`/api/auth/users/${id}`, {
+    method: 'PUT',
+    body: JSON.stringify(input),
+  })
+  const current = await fetchManagedUsers()
+  return { ...current, users: res.users }
+}
+
+export async function deleteManagedUser(id: number): Promise<ManagedUsersResponse> {
+  const res = await request<{ users: ManagedUser[] }>(`/api/auth/users/${id}`, {
+    method: 'DELETE',
+  })
+  const current = await fetchManagedUsers()
+  return { ...current, users: res.users }
+}
+
 export interface LockedIp {
  ip: string
  type: 'password' | 'token'
@@ -26,23 +26,56 @@ export function hasApiKey(): boolean {
  return !!getApiKey()
 }

-/**
- * Get current active profile name.
- * Reads from store first (authoritative source), falls back to localStorage.
- */
-function getActiveProfileName(): string | null {
+export type StoredUserRole = 'super_admin' | 'admin'
+
+export function getStoredUserRole(): StoredUserRole | null {
+  const token = getApiKey()
+  const payload = token.split('.')[1]
+  if (!payload) return null
  try {
-    // Dynamic import to avoid circular dependency
-    const { useProfilesStore } = require('@/stores/hermes/profiles')
-    const store = useProfilesStore()
-    // Store is the source of truth - it's updated from /api/hermes/profiles
-    return store.activeProfileName
+    const normalized = payload.replace(/-/g, '+').replace(/_/g, '/')
+    const padded = normalized.padEnd(Math.ceil(normalized.length / 4) * 4, '=')
+    const data = JSON.parse(atob(padded)) as { role?: unknown }
+    return data.role === 'super_admin' || data.role === 'admin' ? data.role : null
  } catch {
-    // Fallback to localStorage if store is not available (e.g., during initialization)
-    return localStorage.getItem('hermes_active_profile_name')
+    return null
  }
 }

+export function isStoredSuperAdmin(): boolean {
+  return getStoredUserRole() === 'super_admin'
+}
+
+function getActiveProfileName(): string | null {
+  return localStorage.getItem('hermes_active_profile_name')
+}
+
+function bodyHasProfileSelector(body: BodyInit | null | undefined): boolean {
+  if (typeof body !== 'string') return false
+  try {
+    const parsed = JSON.parse(body) as { profile?: unknown }
+    return typeof parsed?.profile === 'string' && parsed.profile.trim().length > 0
+  } catch {
+    return false
+  }
+}
+
+function shouldAttachProfileHeader(path: string, options: RequestInit): boolean {
+  try {
+    const url = new URL(path, 'http://hermes.local')
+    if (url.searchParams.has('profile')) return false
+    if (url.pathname.startsWith('/api/hermes/profiles')) return false
+  } catch {
+    if (path.startsWith('/api/hermes/profiles')) return false
+  }
+  return !bodyHasProfileSelector(options.body)
+}
+
+function emitAuthNotice(kind: 'expired' | 'forbidden') {
+  if (typeof window === 'undefined') return
+  window.dispatchEvent(new CustomEvent('hermes-auth-notice', { detail: { kind } }))
+}
+
 export async function request<T>(path: string, options: RequestInit = {}): Promise<T> {
  const base = getBaseUrl()
  const url = `${base}${path}`
@@ -56,9 +89,10 @@ export async function request<T>(path: string, options: RequestInit = {}): Promi
    headers['Authorization'] = `Bearer ${apiKey}`
  }

-  // Inject active profile header for proxied gateway requests
+  // Inject active profile header for request-scoped endpoints. Explicit profile
+  // selectors in the URL/body and profile-name routes are validated directly.
  const profileName = getActiveProfileName()
-  if (profileName && profileName !== 'default') {
+  if (profileName && shouldAttachProfileHeader(path, options)) {
    headers['X-Hermes-Profile'] = profileName
  }

@@ -67,11 +101,11 @@ export async function request<T>(path: string, options: RequestInit = {}): Promi
  // Global 401 handler — only redirect to login for local BFF endpoints
  // Proxied gateway requests should not trigger logout
  const isLocalBff = !path.startsWith('/api/hermes/v1/') &&
-    !path.startsWith('/api/hermes/jobs') &&
-    !path.startsWith('/api/hermes/skills')
+    !path.startsWith('/v1/')

  if (res.status === 401 && isLocalBff) {
    clearApiKey()
+    emitAuthNotice('expired')
    if (router.currentRoute.value.name !== 'login') {
      router.replace({ name: 'login' })
    }
@@ -80,6 +114,17 @@ export async function request<T>(path: string, options: RequestInit = {}): Promi

  if (!res.ok) {
    const text = await res.text().catch(() => '')
+    if (res.status === 403 && isLocalBff) {
+      if (text.includes('User is disabled or does not exist')) {
+        clearApiKey()
+        emitAuthNotice('expired')
+        if (router.currentRoute.value.name !== 'login') {
+          router.replace({ name: 'login' })
+        }
+      } else {
+        emitAuthNotice('forbidden')
+      }
+    }
    throw new Error(`API Error ${res.status}: ${text || res.statusText}`)
  }

@@ -225,6 +225,14 @@ function normalizedBoard(board?: string): string {
  return trimmed || 'default'
 }

+function activeProfileName(): string | null {
+  try {
+    return localStorage.getItem('hermes_active_profile_name')
+  } catch {
+    return null
+  }
+}
+
 function appendQuery(path: string, params: URLSearchParams): string {
  const qs = params.toString()
  return qs ? `${path}?${qs}` : path
@@ -251,6 +259,8 @@ export function buildKanbanEventsWebSocketUrl(opts?: KanbanBoardOptions): string
  const params = boardParams(opts?.board)
  const token = getApiKey()
  if (token) params.set('token', token)
+  const profile = activeProfileName()
+  if (profile) params.set('profile', profile)
  const path = `/api/hermes/kanban/events?${params.toString()}`

  if (base) {
@@ -155,6 +155,10 @@ export async function renameProfile(name: string, newName: string): Promise<bool
 }

 export async function switchProfile(name: string): Promise<boolean> {
+  return !!name
+}
+
+export async function switchHermesProfile(name: string): Promise<boolean> {
  try {
    await request('/api/hermes/profiles/active', {
      method: 'PUT',
@@ -2,7 +2,7 @@ import { request, getApiKey, getBaseUrlValue } from '../client'

 export interface SessionSummary {
  id: string
-  profile?: string
+  profile?: string | null
  source: string
  model: string
  provider?: string
@@ -94,18 +94,24 @@ export async function fetchSession(id: string): Promise<SessionDetail | null> {
 /**
 * Fetch Hermes session detail only (exclude api_server source)
 */
-export async function fetchHermesSession(id: string): Promise<SessionDetail | null> {
+export async function fetchHermesSession(id: string, profile?: string | null): Promise<SessionDetail | null> {
  try {
-    const res = await request<{ session: SessionDetail }>(`/api/hermes/sessions/hermes/${id}`)
+    const params = new URLSearchParams()
+    if (profile) params.set('profile', profile)
+    const query = params.toString()
+    const res = await request<{ session: SessionDetail }>(`/api/hermes/sessions/hermes/${id}${query ? `?${query}` : ''}`)
    return res.session
  } catch {
    return null
  }
 }

-export async function deleteSession(id: string): Promise<boolean> {
+export async function deleteSession(id: string, profile?: string | null): Promise<boolean> {
  try {
-    await request(`/api/hermes/sessions/${id}`, { method: 'DELETE' })
+    const params = new URLSearchParams()
+    if (profile) params.set('profile', profile)
+    const query = params.toString()
+    await request(`/api/hermes/sessions/${id}${query ? `?${query}` : ''}`, { method: 'DELETE' })
    return true
  } catch {
    return false