| Name |
Last commit
|
Last update |
|---|---|---|
| .. | ||
| data/jvs-dw | ||
| prisma | ||
| sql | ||
| src | ||
| tests | ||
| .dockerignore | ||
| .env.example | ||
| .gitignore | ||
| .swcrc | ||
| Dockerfile | ||
| jest.config.cjs | ||
| nest-cli.json | ||
| package.json | ||
| tsconfig.build.json | ||
| tsconfig.json |
JWT 是 host 也能解码的凭证,原先装展开后的 sourceUnits/clinicIds(PAC 内部 schema 词汇),
与"host 只发 org_scope"的契约不一致、泄漏内部表示。改为 JWT 只装 orgScope(与契约同词汇),
过滤维留到每请求展开:
- AccessTokenPayload / RefreshPayload:sourceUnits/clinicIds → orgScope;issueTokens 不再展开,直接签
- org-tree.ts(纯函数 expandScope:按 tenantId 选 host org 树展开)+ jvs-dw-preset.ts(树数据,与 mock 共用)
- tenant-scope.interceptor(REST)/ mcp-auth(MCP)每请求 expandScope → scope.{sourceUnits,clinicIds}
- 前端展不开 orgScope → 新增 GET /auth/session 返回展开后的 clinicIds/sourceUnits + role/permissions/dictionary;
auth-store 加 loadSession(登录/F5 后异步补进 user),组件读 user.clinicIds 不变
- weixin-aibot 自签 token 同步改 orgScope;契约文档 §2/§3 同步
验证:JWT 解码只含 orgScope;/auth/session 展开正确;REST /plans 诊所过滤生效(石琳仅本诊所);
集团级 orgScope=[grp]→clinicIds=[]/sourceUnits=[] 不限。两端 tsc 0 错。
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
| Name |
Last commit
|
Last update |
|---|---|---|
| .. | ||
| data/jvs-dw | Loading commit data... | |
| prisma | Loading commit data... | |
| sql | Loading commit data... | |
| src | Loading commit data... | |
| tests | Loading commit data... | |
| .dockerignore | Loading commit data... | |
| .env.example | Loading commit data... | |
| .gitignore | Loading commit data... | |
| .swcrc | Loading commit data... | |
| Dockerfile | Loading commit data... | |
| jest.config.cjs | Loading commit data... | |
| nest-cli.json | Loading commit data... | |
| package.json | Loading commit data... | |
| tsconfig.build.json | Loading commit data... | |
| tsconfig.json | Loading commit data... |