
fix(vue3): add the ability to configure authService to support strict permission checks #353

Merged: YufJi merged 1 commit into test from bugfix/3352284660847616 (Mar 29, 2026)

@YufJi YufJi commented Mar 29, 2026

Collaborator

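Summary by CodeRabbit

  • New features
    • Strengthened the authorization check: resource permissions are now verified level by level, ensuring that every parent-level permission of each resource path is correctly verified.
    • Streamlined the permission configuration flow: the behaviour of the authorization service can now be customized at initialization.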


coderabbitai Bot commented Mar 29, 2026

Contributor

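Overview

This change extends the capabilities of the authentication service: by exposing the internal resource map and introducing a service-configuration callback, it lets external implementations customize the permission-check logic. The change touches three files; its core is the addition of a configurable permission-check mechanism.

Changes

| Change | Summary |
|---|---|
| Authentication service infrastructure (`packages/basic/src/init/auth/authService.ts`) | Adds an optional method `_getResourceMap()` that exposes the internal permission/resource map structure `_map`, supporting external access and custom permission-check logic. |
| Authentication initialization config (`packages/basic/src/init/auth/index.ts`) | Adds an optional callback `configureAuthService` to the `options` parameter of `initAuth`, allowing the authentication service to be reconfigured before it starts; also switches string literals to single-quote style. |
| Vue3 authentication plugin enhancement (`packages/vue3/source/src/common/plugins/auth/index.js`) | Implements the `configureAuthService` callback to customize the `service.has()` method, enforcing stricter permission checks by validating the path segment by segment; returns `false` and logs a warning when the resource map is unavailable or a parent path is missing. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

🐰 A little rabbit offers a poem of congratulation:

The map of auth is now in sight,
The chain of permissions checked link by link.
The way to configure, light as the wind,
The heart of the service, nimbler and clear.
The path of permission, bright and plain.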

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: adding a configuration capability to the Vue3 authService to support strict permission checks, which matches the core change of the PR. |


@coderabbitai coderabbitai Bot left a comment

Contributor


Actionable comments posted: 2

🧹 Nitpick comments (3)
packages/vue3/source/src/common/plugins/auth/index.js (2)

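31-38: Use for...of instead of while + shift() to improve readability

The current implementation uses shift(), which mutates the original array and has a higher time complexity (although the impact on short paths is small). A for...of loop is more concise.

♻️ Suggested refactor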
-         while (parentAuthPaths.length > 0) {
-           const path = parentAuthPaths.shift();
-           if (!_map.has(path)) {
-             hasPermission = false;
-             console.warn(`权限资源:缺少权限 ${path},请确认是否已配置该权限项`);
-             break;
-           }
-         }
+         for (const path of parentAuthPaths) {
+           if (!_map.has(path)) {
+             hasPermission = false;
+             console.warn(`权限资源:缺少权限 ${path},请确认是否已配置该权限项`);
+             break;
+           }
+         }
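Review bot: The `for (const path of parentAuthPaths)` loop only ever sets `hasPermission = false`, so when `parentAuthPaths` is empty the body never runs and the result is whatever `hasPermission` was initialised to outside this hunk. Deny explicitly on an empty path list before the loop, or replace the loop with `parentAuthPaths.length > 0 && parentAuthPaths.every((p) => _map.has(p))` so the empty case fails closed.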
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/vue3/source/src/common/plugins/auth/index.js` around lines 31 - 38,
Replace the while (parentAuthPaths.length > 0) { const path =
parentAuthPaths.shift(); ... } pattern with a for...of loop over parentAuthPaths
to avoid mutating the array and improve readability: iterate using for (const
path of parentAuthPaths) { if (!_map.has(path)) { hasPermission = false;
console.warn(`权限资源:缺少权限 ${path},请确认是否已配置该权限项`); break; } } while keeping the
same variables (_map, parentAuthPaths, hasPermission) and preserving the break
behavior and warning.

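17-18: console.warn may pollute logs in production

The current implementation emits console.warn when a permission check fails; in production, a large number of failed permission checks would pollute the console log.

Consider:

  1. Adding an environment check so the warning is only emitted in development mode
  2. Or using throttling to reduce repeated warnings
♻️ Example development-environment check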
+ const isDev = process.env.NODE_ENV === 'development';
+
  service.has = function(authPath) {
    const _map = service._getResourceMap();

    if (!_map) {
-     console.warn('权限资源未获取到,请检查权限资源接口');
+     if (isDev) console.warn('权限资源未获取到,请检查权限资源接口');
      return false;
    }
    // ...
    if (!_map.has(path)) {
      hasPermission = false;
-     console.warn(`权限资源:缺少权限 ${path},请确认是否已配置该权限项`);
+     if (isDev) console.warn(`权限资源:缺少权限 ${path},请确认是否已配置该权限项`);
      break;
    }
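Review bot: `const isDev = process.env.NODE_ENV === 'development'` on the first added line silences both warnings in every other environment, including the `if (!_map)` branch, where the resource map failed to load and every check is denied. That condition is an operational failure rather than noise; gate only the per-path warning behind `isDev` and keep the `!_map` case reported once outside development.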

Also applies to: 35-35

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/vue3/source/src/common/plugins/auth/index.js` around lines 17 - 18,
Replace the bare console.warn in the auth plugin with an environment-guarded or
throttled logger: wrap the warning in a dev-only check (e.g. if
(process.env.NODE_ENV !== 'production') console.warn(...)) or route through a
throttled helper so repeated permission failures don't spam logs; update the
specific console.warn occurrences found in this module (the permission-check
warning and the other occurrence referenced) to use the chosen approach and
ensure the message and context remain the same.
packages/basic/src/init/auth/authService.ts (1)

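51-51: The interface return type does not fully match the actual implementation

The return type of _getResourceMap is declared as Map<string, any>, but _map may actually be null (set in start()) or undefined (initial state). Consider changing the return type to an optional type to reflect this more accurately.

♻️ Suggested change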
-  _getResourceMap?: () => Map<string, any>;
+  _getResourceMap?: () => Map<string, any> | null | undefined;
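Review bot: The return type on the `+` line is still a mutable `Map<string, any>`, and this accessor hands out the service's internal permission map. Type it as `ReadonlyMap<string, any> | null | undefined` so that callers cannot add or delete permission entries through it at the type level, and make sure each caller handles the `null` and `undefined` cases by denying.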
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

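In `@packages/basic/src/init/auth/authService.ts` at line 51, _getResourceMap
is currently declared as returning Map<string, any>, but in the implementation
_map may be set to null in start() and may initially be undefined, causing a
type mismatch; change the return type of _getResourceMap to an optional/union
type (for example Map<string, any> | null | undefined or Map<string, any> |
undefined) to reflect the values it can actually take, or guarantee in the
implementation that a Map is always returned and remove the null/undefined
assignments; locators: _getResourceMap, _map, start(); also update the type
checks or null handling at the related call sites.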
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/vue3/source/src/common/plugins/auth/index.js`:
- Around line 23-29: The code builds parentAuthPaths from authPathSegments but
doesn't handle the empty-path edge case: when authPath is '' or '/',
authPathSegments becomes [] and parentAuthPaths is empty which makes the
permission check incorrectly return true; update the auth check to explicitly
handle empty or root paths before computing authPathSegments (e.g., in the
function where authPath is used, add a guard like if (!authPath ||
authPath.trim() === '' || authPath === '/') return false or, if root should be
allowed, add a clear comment documenting that behavior), and keep references to
authPath, authPathSegments and parentAuthPaths when making the change so the
intended behavior is explicit.
- Around line 7-41: The current configureAuthService override replaces
service.has with a strict parent-path check that differs from Vue2 and can break
migrations; change configureAuthService to accept a configurable mode (e.g.,
authStrictMode or strategy) and make service.has branch on that flag: when in
permissive mode keep the original behavior (only check
service._getResourceMap().has(authPath)), and when in strict mode run the
existing parent-path iteration; ensure the new flag defaults to the
Vue2-compatible permissive behavior, reference configureAuthService, service.has
and service._getResourceMap to locate code, and update the docs/upgrade guide to
mention the new option and default.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 3f7fc4f4-2db3-480b-a6d5-cf2f02865f0d

📥 Commits

Reviewing files that changed from the base of the PR and between 89f62fd and 55f914c.

📒 Files selected for processing (3)
  • packages/basic/src/init/auth/authService.ts
  • packages/basic/src/init/auth/index.ts
  • packages/vue3/source/src/common/plugins/auth/index.js
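
The strict parent-path check discussed in this review, as an added example that is not the project's code: it fails closed on a missing resource map and on an empty or root path, and keeps the exact-key lookup as the default mode, as the second inline comment proposes. `parentChain`, `makeHas`, the `strict` and `warn` options and the sample map are hypothetical names; the page does not show how the plugin derives parent paths, so a `/`-separated prefix chain is assumed.

```javascript
// Added example, not the project's code. Assumption: in strict mode a path
// such as '/order/list' is granted only if '/order' and '/order/list' are
// both keys of the resource map.
function parentChain(authPath) {
  if (typeof authPath !== 'string') return [];
  const segments = authPath.split('/').filter(Boolean);
  // '/a/b/c' -> ['/a', '/a/b', '/a/b/c']; '' and '/' -> []
  return segments.map((_, i) => '/' + segments.slice(0, i + 1).join('/'));
}

// makeHas, strict and warn are hypothetical names for this illustration.
function makeHas(getResourceMap, { strict = false, warn = () => {} } = {}) {
  return function has(authPath) {
    const map = getResourceMap();
    if (!(map instanceof Map)) {
      warn('resource map unavailable');
      return false; // fail closed: no map, no permission
    }
    // Permissive mode: exact-key lookup only, as the review describes it.
    if (!strict) return map.has(authPath);
    const chain = parentChain(authPath);
    if (chain.length === 0) {
      warn('empty or root path rejected');
      return false; // an empty chain must not pass vacuously
    }
    const missing = chain.find((p) => !map.has(p));
    if (missing !== undefined) {
      warn(`missing permission ${missing}`);
      return false;
    }
    return true;
  };
}

// Constructed sample data: '/user' is deliberately absent.
const sampleMap = new Map([
  ['/order', {}],
  ['/order/list', {}],
  ['/user/detail', {}],
]);
const warnings = [];
const strictHas = makeHas(() => sampleMap, { strict: true, warn: (m) => warnings.push(m) });
const permissiveHas = makeHas(() => sampleMap);

console.log(strictHas('/order/list'), strictHas('/user/detail'), strictHas('/'));
console.log(permissiveHas('/user/detail'), warnings);
```

The two modes disagree on `/user/detail`, which is the migration difference the review points out: the leaf key exists, but its parent `/user` does not.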

@YufJi YufJi merged commit 73f00e3 into test Mar 29, 2026
2 checks passed
@YufJi YufJi deleted the bugfix/3352284660847616 branch March 29, 2026 06:43