diff --git a/services/api-gateway/internal/middleware/auth.go b/services/api-gateway/internal/middleware/auth.go index 837b986..486525b 100644 --- a/services/api-gateway/internal/middleware/auth.go +++ b/services/api-gateway/internal/middleware/auth.go @@ -10,6 +10,20 @@ import ( "github.com/google/uuid" ) +// publicPaths 是无需鉴权的公开路径(精确匹配,基于去掉 /api/v1 前缀后的路径) +var publicPaths = map[string]bool{ + "/iam/register": true, + "/iam/login": true, + "/iam/refresh": true, +} + +// isPublicPath 判断请求路径是否属于公开路径(无需鉴权) +// 匹配规则:去掉 /api/v1 前缀后,与 publicPaths 精确匹配 +func isPublicPath(path string) bool { + stripped := strings.TrimPrefix(path, "/api/v1") + return publicPaths[stripped] +} + // AuthMiddleware 验证 JWT 并注入用户信息到请求头 // P1 用 HS256,P2 改 RS256(IAM 签发) func AuthMiddleware(cfg *config.Config) gin.HandlerFunc { @@ -20,6 +34,12 @@ func AuthMiddleware(cfg *config.Config) gin.HandlerFunc { return } + // 公开路径白名单(register/login/refresh 无需鉴权) + if isPublicPath(c.Request.URL.Path) { + c.Next() + return + } + authHeader := c.GetHeader("Authorization") if authHeader == "" { c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{