feat: 增强玩家管理功能，集成接入站点权限控制

在多个玩家相关控制器中引入 AdminSiteScope，确保管理员在执行操作前具备相应的接入站点权限。更新 Player 相关请求以支持 site_code 参数，增强权限验证逻辑，确保系统安全性与灵活性。同时，新增 AdminUser 模型方法以获取可访问的站点 ID 列表，优化权限管理。
2026-05-27 13:36:23 +08:00
parent b649c862ef
commit a10135d6ee
47 changed files with 2265 additions and 38 deletions
--- a/app/Services/PlayerTokenResolver.php
+++ b/app/Services/PlayerTokenResolver.php
@@ -10,6 +10,7 @@ use Illuminate\Http\Request;
 use App\Support\PlayerTokenAesUnwrap;
 use Illuminate\Database\QueryException;
 use App\Exceptions\PlayerAuthenticationException;
+use App\Services\Integration\PartnerSiteConfigResolver;

 /**
 * 从请求头解析玩家身份，返回已落库的 {@see Player}。
@@ -36,6 +37,10 @@ final class PlayerTokenResolver
    /** players.status：与迁移注释一致 */
    private const PLAYER_STATUS_ACTIVE = 0;

+    public function __construct(
+        private readonly PartnerSiteConfigResolver $partnerSiteConfigResolver,
+    ) {}
+
    public function resolve(Request $request): Player
    {
        $header = $request->header('Authorization', '');
@@ -56,17 +61,27 @@ final class PlayerTokenResolver
        if ($this->devBypassAllowed() && str_starts_with($token, 'dev:')) {
            $player = $this->resolveDevToken($token);
        } else {
-            // 与 .env 中 MAIN_SITE_SSO_JWT_SECRET 一致，用于 firebase/php-jwt 验签
-            $secret = config('lottery.main_site.sso_jwt_secret');
+            $jwtPlain = $this->unwrapOpaqueToJwtString($token);
+            $siteCode = $this->partnerSiteConfigResolver->peekSiteCodeFromJwt($jwtPlain);
+            if ($siteCode === null) {
+                throw new PlayerAuthenticationException('JWT 缺少站点标识', ErrorCode::PlayerTokenInvalid->value);
+            }
+
+            $siteConfig = $this->partnerSiteConfigResolver->resolveBySiteCode($siteCode);
+            if (! $siteConfig->enabled) {
+                throw new PlayerAuthenticationException('站点已停用', ErrorCode::PlayerAccountSuspended->value, 403);
+            }
+
+            $secret = $siteConfig->ssoJwtSecret;
            if (! is_string($secret) || $secret === '') {
                throw new PlayerAuthenticationException(
-                    'SSO 未配置（MAIN_SITE_SSO_JWT_SECRET）',
+                    'SSO 未配置（站点 '.$siteCode.'）',
                    ErrorCode::PlayerSsoSecretNotConfigured->value,
                    503,
                );
            }

-            $player = $this->resolveJwtOrAesWrappedJwt($token, $secret);
+            $player = $this->resolveJwt($jwtPlain, $secret);
        }

        $this->assertPlayerActive($player);