From 3db41f4b0c518f4d22021d2386027405e5c87d63 Mon Sep 17 00:00:00 2001
From: Rogee
Date: Tue, 23 Dec 2025 14:58:08 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E6=B7=BB=E5=8A=A0=E8=B7=B3=E8=BF=87=20?= =?UTF-8?q?JWT=20=E8=AE=A4=E8=AF=81=E5=92=8C=E6=88=90=E5=91=98=E9=AA=8C?= =?UTF-8?q?=E8=AF=81=E7=9A=84=E9=80=BB=E8=BE=91=EF=BC=8C=E4=BC=98=E5=8C=96?= =?UTF-8?q?=E4=B8=AD=E9=97=B4=E4=BB=B6=E5=A4=84=E7=90=86?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 backend/app/middlewares/tenant.go | 39 +++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/backend/app/middlewares/tenant.go b/backend/app/middlewares/tenant.go
index dde4c1b..f4d8a98 100644
--- a/backend/app/middlewares/tenant.go
+++ b/backend/app/middlewares/tenant.go
@@ -6,10 +6,39 @@ import (
 "quyun/v2/database/models"
 "quyun/v2/pkg/consts"
 "quyun/v2/providers/jwt"
+ "strings"
 
 "github.com/gofiber/fiber/v3"
 )
 
+func shouldSkipTenantJWTAuth(path string) bool {
+ // Public read endpoints allow anonymous access (optional JWT).
+ if strings.Contains(path, "/v1/public/") {
+ return true
+ }
+ // Media play is token-based, no JWT required.
+ if strings.Contains(path, "/v1/media/play") {
+ return true
+ }
+ return false
+}
+
+func shouldSkipTenantRequireMember(path string) bool {
+ // Public read endpoints allow anonymous access.
+ if strings.Contains(path, "/v1/public/") {
+ return true
+ }
+ // Join endpoints require JWT but not tenant membership.
+ if strings.Contains(path, "/v1/join/") {
+ return true
+ }
+ // Media play is token-based, no JWT required.
+ if strings.Contains(path, "/v1/media/play") {
+ return true
+ }
+ return false
+}
+
 func (f *Middlewares) TenantResolve(c fiber.Ctx) error {
 tenantCode := c.Params("tenantCode")
 if tenantCode == "" {
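Review bot: Both helpers decide whether to skip an auth check with `strings.Contains` on the raw request path, so the skip applies to any URL that merely contains `/v1/public/`, `/v1/join/` or `/v1/media/play` somewhere in it, not only to the intended routes; `/v1/media/play` also has no trailing segment boundary and would match longer sibling route names. Because these routes carry a `tenantCode` parameter (and presumably other path parameters), the matched text can come from a client-controlled segment. Anchor the comparison to the portion of the path below the tenant prefix, e.g. `strings.HasPrefix(rest, "/v1/public/")` with `rest` being the path after the tenant segment, or leave these middlewares off the public, join and media-play route groups at registration time. The same helpers gate `TenantAuth` and `TenantRequireMember` in the two later hunks, so one fix covers both call sites.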
@@ -32,6 +61,11 @@ func (f *Middlewares) TenantResolve(c fiber.Ctx) error {
 }
 
 func (f *Middlewares) TenantAuth(c fiber.Ctx) error {
+ if shouldSkipTenantJWTAuth(c.Path()) {
+ f.log.Debug("middlewares.tenant.auth.skipped")
+ return c.Next()
+ }
+
 authHeader := c.Get(jwt.HttpHeader)
 if authHeader == "" {
 f.log.Info("middlewares.tenant.auth.missing_token")
@@ -98,6 +132,11 @@ func (f *Middlewares) TenantOptionalAuth(c fiber.Ctx) error {
 }
 
 func (f *Middlewares) TenantRequireMember(c fiber.Ctx) error {
+ if shouldSkipTenantRequireMember(c.Path()) {
+ f.log.Debug("middlewares.tenant.require_member.skipped")
+ return c.Next()
+ }
+
 tenantModel, ok := c.Locals(consts.CtxKeyTenant).(*models.Tenant)
 if !ok || tenantModel == nil {
 f.log.Error("middlewares.tenant.require_member.missing_tenant_context")
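Review bot: The early return added at the top of `TenantAuth` drops token handling entirely on skipped paths, although the helper's comment describes the public endpoints as "optional JWT". A token that is present is neither parsed nor rejected here, so a logged-in caller reaches the handler without user context unless `TenantOptionalAuth` also runs on those routes, which this hunk does not show. If optional auth is what the public branch needs, delegate instead of skipping, e.g. `return f.TenantOptionalAuth(c)`, and keep the plain `c.Next()` for the media-play branch only. The skip is also logged at Debug level with no path, so there is no production record of which requests bypassed the check; consider adding the path to that entry. The body of `TenantAuth` continues outside the hunk.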
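Review bot: In `TenantRequireMember` the skip runs before the `consts.CtxKeyTenant` lookup, so on skipped paths the request continues even when tenant resolution never populated the context, and the `missing_tenant_context` error is no longer raised for them. Only the membership lookup needs to be bypassed: move the `if shouldSkipTenantRequireMember(c.Path()) {` block below the `if !ok || tenantModel == nil {` check so that every route still fails closed without a resolved tenant. For the `/v1/join/` branch, a comment such as `// relies on TenantAuth having already authenticated the caller` would record the ordering assumption. The rest of the function lies outside the hunk, so where the membership query begins is not visible here.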