NestJS (6 services): implement @RequirePermission decorator with SetMetadata+Reflector, register APP_GUARD globally, fix as assertions to type guards, add explicit return types, fix import type for express, fix /metrics implicit any, replace native Error with ApplicationError, remove typeorm remnants, register LifecycleService. teacher-bff: add logger, ApplicationError, GlobalErrorFilter, forward real userId to downstream, log downstream failures, migrate health controller to shared/health. Go (2 services): interface to any, doc comments, CORS dev whitelist, JWT secret fail-fast, push-gateway internal API auth, metrics and readyz endpoints, remove dead code. Python (2 services): lifespan return type, dev_mode to bool, data-ana APIRouter, ai POST body model, ClickHouse async wrapping.
IAM Service
身份与访问管理服务(Identity and Access Management),P2 身份阶段交付。
职责
- 用户注册 / 登录 / 刷新令牌
- 角色(Role)与权限(Permission)管理
- Access / Refresh Token 签发与校验
- 用户信息查询(供 BFF / Gateway 聚合)
技术栈
- NestJS 10 + TypeScript(ESM)
- Drizzle ORM + MySQL
- bcrypt 密码哈希
- jsonwebtoken(P2 骨架使用 HS256,后续切 RS256)
- pino 日志 / prom-client 指标 / OpenTelemetry 链路
端口
默认 3002,通过 PORT 环境变量覆盖。
API
| Method | Path | 说明 |
|---|---|---|
| POST | /iam/register |
注册 |
| POST | /iam/login |
登录 |
| POST | /iam/refresh |
刷新令牌 |
| GET | /iam/me |
当前用户信息(需 x-user-id 头) |
健康检查
| 端点 | 用途 | 鉴权 |
|---|---|---|
GET /healthz |
存活探针(liveness),仅返回进程状态,不检查依赖 | 无 |
GET /readyz |
就绪探针(readiness),检查 DB 连接,失败返回 503 | 无 |
实现见 src/shared/health/health.controller.ts,5 个 NestJS 服务(iam/core-edu/content/msg/classes)一致。
数据表
iam_users / iam_roles / iam_user_roles / iam_permissions / iam_role_permissions / iam_refresh_tokens