refactor: align backend with company-site-member schema and system-level RBAC groups

2026-03-30 01:59:50 +08:00
parent f5848a360f
commit f9ad9417ba
37 changed files with 1361 additions and 966 deletions
--- a/docs/FRONTEND_API_CONTRACT.md
+++ b/docs/FRONTEND_API_CONTRACT.md
@@ -2,229 +2,99 @@

 Base URL：`https://memberapi.ose.tw`

-## 0. OIDC 登入（目前主流程）
-### GET `/auth/oidc/url?redirect_uri=<frontend-callback-url>`
-200 Response:
-```json
-{
-  "authorize_url": "https://auth.ose.tw/application/o/authorize/..."
-}
-```
-
-### POST `/auth/oidc/exchange`
-Request:
-```json
-{
-  "code": "authorization-code",
-  "redirect_uri": "http://localhost:5173/auth/callback"
-}
-```
-
-200 Response:
-```json
-{
-  "access_token": "<jwt>",
-  "token_type": "Bearer",
-  "expires_in": 3600,
-  "scope": "openid profile email"
-}
-```
+## 0. OIDC 登入
+- `GET /auth/oidc/url?redirect_uri=...`
+- `POST /auth/oidc/exchange`

 ## 1. 使用者資訊
-### GET `/me`
-Headers:
- `Authorization: Bearer <access_token>`
+- `GET /me`
+- `GET /me/permissions/snapshot`

-200 Response:
+`permissions` item:
 ```json
 {
-  "sub": "authentik-sub-123",
-  "email": "user@example.com",
-  "display_name": "User Name"
+  "scope_type": "company|site",
+  "scope_id": "company_key_or_site_key",
+  "system": "mkt",
+  "module": "mkt.campaign",
+  "action": "view"
 }
 ```

-401 Error:
-```json
-{ "detail": "missing_bearer_token" }
-```
-或
-```json
-{ "detail": "invalid_bearer_token" }
-```
-
-## 2. 我的權限快照
-### GET `/me/permissions/snapshot`
+## 2. 權限（User 直接授權）
 Headers:
- `Authorization: Bearer <access_token>`
+- `X-Client-Key`
+- `X-API-Key`

-200 Response:
-```json
-{
-  "authentik_sub": "authentik-sub-123",
-  "permissions": [
-    {
-      "scope_type": "site",
-      "scope_id": "tw-main",
-      "module": "campaign",
-      "action": "view"
-    }
-  ]
-}
-```
-
-## 3. Grant 權限
 ### POST `/admin/permissions/grant`
-Headers:
- `X-Client-Key: <client_key>`
- `X-API-Key: <plain_api_key>`
-
-Request:
 ```json
 {
-  "authentik_sub": "authentik-sub-123",
+  "authentik_sub": "authentik-sub",
  "email": "user@example.com",
-  "display_name": "User Name",
-  "scope_type": "site",
-  "scope_id": "tw-main",
+  "display_name": "User",
+  "scope_type": "company",
+  "scope_id": "ose-main",
+  "system": "mkt",
  "module": "campaign",
  "action": "view"
 }
 ```

-200 Response:
-```json
-{
-  "permission_id": "uuid",
-  "result": "granted"
-}
-```
-
-## 4. Revoke 權限
 ### POST `/admin/permissions/revoke`
-Headers:
- `X-Client-Key: <client_key>`
- `X-API-Key: <plain_api_key>`
-
-Request:
 ```json
 {
-  "authentik_sub": "authentik-sub-123",
+  "authentik_sub": "authentik-sub",
  "scope_type": "site",
  "scope_id": "tw-main",
+  "system": "mkt",
  "module": "campaign",
  "action": "view"
 }
 ```

-200 Response:
-```json
-{
-  "deleted": 1,
-  "result": "revoked"
-}
-```
+說明：
+- `module` 可省略，代表系統層權限，後端會使用 `system.__system__`。
+- `module` 有值時會組成 `{system}.{module}` 存入（例如 `mkt.campaign`）。

-404 Response:
-```json
-{ "detail": "user_not_found" }
-```
-
-## 5. Health Check
-### GET `/healthz`
-200 Response:
-```json
-{ "status": "ok" }
-```
-
-## 6. 組織管理（admin）
-### GET `/admin/organizations`
+## 3. 主資料管理（admin）
 Headers:
- `X-Client-Key: <client_key>`
- `X-API-Key: <plain_api_key>`
+- `X-Client-Key`
+- `X-API-Key`

-Query:
- `keyword` (optional)
- `status` (optional: `active|inactive`)
- `limit` (default `50`)
- `offset` (default `0`)
+- `GET/POST /admin/systems`
+- `GET/POST /admin/modules`
+- `GET/POST /admin/companies`
+- `GET/POST /admin/sites`
+- `GET /admin/members`

-### POST `/admin/organizations`
-```json
-{
-  "org_code": "ose-main",
-  "name": "Ose Main",
-  "tax_id": "12345678",
-  "status": "active"
-}
-```
-
-### PATCH `/admin/organizations/{org_id}`
-```json
-{
-  "name": "Ose Main Updated",
-  "status": "inactive"
-}
-```
-
-### POST `/admin/organizations/{org_id}/activate`
-### POST `/admin/organizations/{org_id}/deactivate`
-
-## 7. 會員管理（admin）
-### GET `/admin/members`
+## 4. 權限群組（一組權限綁多個 user）
 Headers:
- `X-Client-Key: <client_key>`
- `X-API-Key: <plain_api_key>`
+- `X-Client-Key`
+- `X-API-Key`

-Query:
- `keyword` (optional)
- `is_active` (optional: `true|false`)
- `limit` (default `50`)
- `offset` (default `0`)
+- `GET/POST /admin/permission-groups`
+- `POST /admin/permission-groups/{group_key}/members/{authentik_sub}`
+- `DELETE /admin/permission-groups/{group_key}/members/{authentik_sub}`
+- `POST /admin/permission-groups/{group_key}/permissions/grant`
+- `POST /admin/permission-groups/{group_key}/permissions/revoke`

-### POST `/admin/members`
-```json
-{
-  "authentik_sub": "authentik-sub-123",
-  "email": "user@example.com",
-  "display_name": "User Name",
-  "is_active": true
-}
-```
+群組授權 payload 與 user 授權 payload 相同（用 `system/module/scope/action`）。

-### PATCH `/admin/members/{member_id}`
-```json
-{
-  "display_name": "New Name",
-  "is_active": false
-}
-```
-
-### POST `/admin/members/{member_id}/activate`
-### POST `/admin/members/{member_id}/deactivate`
-
-## 8. 會員/組織關聯（admin）
-### GET `/admin/members/{member_id}/organizations`
-### POST `/admin/members/{member_id}/organizations/{org_id}`
-### DELETE `/admin/members/{member_id}/organizations/{org_id}`
-
-## 9. 系統對系統查詢（internal）
+## 5. Internal 查詢 API（其他系統）
 Headers:
- `X-Internal-Secret: <internal_shared_secret>`
+- `X-Internal-Secret`

-Endpoints:
+- `GET /internal/systems`
+- `GET /internal/modules`
+- `GET /internal/companies`
+- `GET /internal/sites`
 - `GET /internal/members`
- `GET /internal/members/by-sub/{authentik_sub}`
- `GET /internal/organizations`
- `GET /internal/organizations/by-code/{org_code}`
- `GET /internal/members/{member_id}/organizations`
+- `GET /internal/permissions/{authentik_sub}/snapshot`

-## 10. 常見錯誤碼
+## 6. 常見錯誤
 - `401 invalid_client`
 - `401 invalid_api_key`
- `401 client_expired`
- `403 origin_not_allowed`
- `403 ip_not_allowed`
- `403 path_not_allowed`
- `503 internal_secret_not_configured`
- `503 authentik_admin_not_configured`
+- `401 invalid_internal_secret`
+- `404 system_not_found`
+- `404 company_not_found`
+- `404 site_not_found`