feat(project): init

src/app/api/dev/set-tenant/route.ts

@@ -0,0 +1,23 @@
+import { NextRequest, NextResponse } from "next/server"
+
+export const runtime = "nodejs"
+
+export async function GET(req: NextRequest) {
+  const tenantId = req.nextUrl.searchParams.get("tenantId")?.trim() ?? ""
+  if (!tenantId) {
+    return NextResponse.json({ message: "tenantId is required" }, { status: 400 })
+  }
+
+  const res = NextResponse.redirect(new URL("/", req.url), 302)
+  res.cookies.set({
+    name: "tenantId",
+    value: tenantId,
+    httpOnly: false,
+    sameSite: "strict",
+    secure: process.env.NODE_ENV === "production",
+    path: "/",
+    maxAge: 30 * 24 * 60 * 60,
+  })
+  return res
+}
+

src/app/auth-error/page.tsx

@@ -0,0 +1,21 @@
+export default function AuthErrorPage({
+  searchParams,
+}: {
+  searchParams?: { message?: string }
+}) {
+  const message = searchParams?.message ?? "认证失败"
+  return (
+    <main className="min-h-screen flex items-center justify-center p-6">
+      <div className="max-w-md text-sm">
+        <div className="font-medium">无法完成登录</div>
+        <div className="mt-2 break-words text-muted-foreground">{message}</div>
+        <div className="mt-4">
+          <a className="underline underline-offset-4" href="/">
+            返回首页重试
+          </a>
+        </div>
+      </div>
+    </main>
+  )
+}
+

src/app/client-required/page.tsx

@@ -0,0 +1,10 @@
+export default function ClientRequiredPage() {
+  return (
+    <main className="min-h-screen flex items-center justify-center p-6">
+      <div className="max-w-md text-sm">
+        缺少 CMS_CLIENT_ID 环境变量，无法发起 SSO 登录跳转。
+      </div>
+    </main>
+  )
+}
+

src/app/globals.css

@@ -0,0 +1,30 @@
+@tailwind base;
+@tailwind components;
+@tailwind utilities;
+
+:root {
+  --background: 0 0% 100%;
+  --foreground: 222.2 84% 4.9%;
+  --card: 0 0% 100%;
+  --card-foreground: 222.2 84% 4.9%;
+  --primary: 222.2 47.4% 11.2%;
+  --primary-foreground: 210 40% 98%;
+  --secondary: 210 40% 96.1%;
+  --secondary-foreground: 222.2 47.4% 11.2%;
+  --muted: 210 40% 96.1%;
+  --muted-foreground: 215.4 16.3% 46.9%;
+  --accent: 210 40% 96.1%;
+  --accent-foreground: 222.2 47.4% 11.2%;
+  --destructive: 0 84.2% 60.2%;
+  --destructive-foreground: 210 40% 98%;
+  --border: 214.3 31.8% 91.4%;
+  --input: 214.3 31.8% 91.4%;
+  --ring: 222.2 84% 4.9%;
+  --radius: 0.75rem;
+}
+
+body {
+  background: hsl(var(--background));
+  color: hsl(var(--foreground));
+}
+

src/app/layout.tsx

@@ -0,0 +1,16 @@
+import type { Metadata } from "next"
+import "./globals.css"
+
+export const metadata: Metadata = {
+  title: "CMS",
+  description: "CMS Frontend",
+}
+
+export default function RootLayout({ children }: { children: React.ReactNode }) {
+  return (
+    <html lang="zh-CN">
+      <body>{children}</body>
+    </html>
+  )
+}
+

src/app/page.tsx

@@ -0,0 +1,22 @@
+import { cookies } from "next/headers"
+
+export default function Home() {
+  const tenantId = cookies().get("tenantId")?.value ?? ""
+  const userId = cookies().get("userId")?.value ?? ""
+
+  return (
+    <main className="min-h-screen p-6">
+      <div className="mx-auto max-w-3xl space-y-4">
+        <div className="text-2xl font-semibold">CMS</div>
+        <div className="rounded-md border border-border p-4 text-sm">
+          <div>tenantId: {tenantId || "-"}</div>
+          <div>userId: {userId || "-"}</div>
+        </div>
+        <div className="text-sm text-muted-foreground">
+          如果未登录，会被中间件重定向到统一登录页。
+        </div>
+      </div>
+    </main>
+  )
+}
+

src/app/tenant-required/page.tsx

@@ -0,0 +1,12 @@
+export default function TenantRequiredPage() {
+  return (
+    <main className="min-h-screen flex items-center justify-center p-6">
+      <div className="max-w-md text-sm">
+        缺少 tenantId（x-tenant-id header 或 tenantId cookie），无法跳转统一登录页。
+        <div className="mt-2">
+          开发环境可访问：/api/dev/set-tenant?tenantId=你的租户UUID
+        </div>
+      </div>
+    </main>
+  )
+}

src/lib/env.ts

@@ -0,0 +1,6 @@
+export function mustGetEnv(name: string): string {
+  const v = process.env[name]
+  if (!v) throw new Error(`${name} is required`)
+  return v
+}
+

src/lib/utils.ts

@@ -0,0 +1,7 @@
+import { clsx, type ClassValue } from "clsx"
+import { twMerge } from "tailwind-merge"
+
+export function cn(...inputs: ClassValue[]) {
+  return twMerge(clsx(inputs))
+}
+

src/middleware.ts

@@ -0,0 +1,108 @@
+import { NextRequest, NextResponse } from "next/server";
+
+function decodeBase64Url(input: string): string {
+  const normalized = input.replace(/-/g, "+").replace(/_/g, "/");
+  const padLen = (4 - (normalized.length % 4)) % 4;
+  const padded = normalized + "=".repeat(padLen);
+  return atob(padded);
+}
+
+function isExpired(jwt: string): boolean {
+  const parts = jwt.split(".");
+  if (parts.length < 2) return true;
+  try {
+    const payload = JSON.parse(decodeBase64Url(parts[1])) as { exp?: number };
+    if (!payload.exp) return true;
+    return Math.floor(Date.now() / 1000) >= payload.exp;
+  } catch {
+    return true;
+  }
+}
+
+export function middleware(req: NextRequest) {
+  if (process.env.NODE_ENV === "production") {
+    const proto = req.headers.get("x-forwarded-proto");
+    if (proto && proto !== "https") {
+      const url = req.nextUrl.clone();
+      url.protocol = "https";
+      return NextResponse.redirect(url, 308);
+    }
+  }
+
+  const cmsServiceBaseUrl = process.env.CMS_SERVICE_BASE_URL ?? "";
+  const clientId = process.env.CMS_CLIENT_ID ?? "";
+
+  const currentUrl = req.nextUrl.clone();
+  const pathname = currentUrl.pathname;
+  if (
+    pathname === "/auth-error" ||
+    pathname === "/tenant-required" ||
+    pathname === "/client-required"
+  ) {
+    return NextResponse.next();
+  }
+
+  const tenantId =
+    req.headers.get("x-tenant-id") ??
+    req.cookies.get("tenantId")?.value ??
+    (process.env.NODE_ENV !== "production"
+      ? (process.env.CMS_DEFAULT_TENANT_ID ?? "")
+      : "");
+
+  const code = currentUrl.searchParams.get("code")?.trim() ?? "";
+  if (code) {
+    if (!cmsServiceBaseUrl) {
+      const url = req.nextUrl.clone();
+      url.pathname = "/client-required";
+      url.search = "";
+      return NextResponse.redirect(url, 302);
+    }
+    const nextUrl = currentUrl.clone();
+    nextUrl.searchParams.delete("code");
+    const callback = `${cmsServiceBaseUrl}/auth/callback?code=${encodeURIComponent(
+      code,
+    )}&tenant_id=${encodeURIComponent(tenantId)}&next=${encodeURIComponent(nextUrl.toString())}`;
+    return NextResponse.redirect(callback, 302);
+  }
+
+  const accessToken = req.cookies.get("accessToken")?.value ?? "";
+
+  if (!accessToken || isExpired(accessToken)) {
+    if (!tenantId) {
+      const url = req.nextUrl.clone();
+      url.pathname = "/tenant-required";
+      url.search = "";
+      return NextResponse.redirect(url, 302);
+    }
+
+    if (!clientId) {
+      const url = req.nextUrl.clone();
+      url.pathname = "/client-required";
+      url.search = "";
+      return NextResponse.redirect(url, 302);
+    }
+
+    const next = encodeURIComponent(currentUrl.toString());
+    if (!cmsServiceBaseUrl) {
+      const url = req.nextUrl.clone();
+      url.pathname = "/client-required";
+      url.search = "";
+      return NextResponse.redirect(url, 302);
+    }
+    const callback = `${cmsServiceBaseUrl}/auth/callback?tenant_id=${encodeURIComponent(
+      tenantId,
+    )}&next=${next}`;
+    const loginUrl = `${process.env.IAM_FRONT_BASE_URL}/login?clientId=${encodeURIComponent(
+      clientId,
+    )}&tenantId=${encodeURIComponent(
+      tenantId,
+    )}&callback=${encodeURIComponent(callback)}`;
+    return NextResponse.redirect(loginUrl, 302);
+  }
+
+  return NextResponse.next();
+}
+
+export const config = {
+  matcher: ["/((?!_next/static|_next/image|favicon.ico|api).*)"],
+};