From 5402e311a4a0451c76509823ec881a0f3ec94bd5 Mon Sep 17 00:00:00 2001
From: g82tt <snow82@vip.qq.com>
Date: Tue, 19 May 2026 22:41:54 +0800
Subject: [PATCH] =?UTF-8?q?K2:=20KmsAuthHelper=20Bearer=20Token=20?=
 =?UTF-8?q?=E8=AE=A4=E8=AF=81=E5=B0=B1=E7=BB=AA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../KmsAuthHelper.cs                          | 70 +++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 gateway/src/IntegrationGateway.Adapters.Kms/KmsAuthHelper.cs

diff --git a/gateway/src/IntegrationGateway.Adapters.Kms/KmsAuthHelper.cs b/gateway/src/IntegrationGateway.Adapters.Kms/KmsAuthHelper.cs
new file mode 100644
index 0000000..8f39c9c
--- /dev/null
+++ b/gateway/src/IntegrationGateway.Adapters.Kms/KmsAuthHelper.cs
@@ -0,0 +1,70 @@
+using System.Net.Http.Json;
+using System.Text.Json;
+
+namespace IntegrationGateway.Adapters.Kms;
+
+/// <summary>
+/// KMS Bearer Token 认证辅助。
+/// 认证流程: POST /prod-api/getToken?clientId=x&clientSecret=y → { code:200, token:"xxx" }
+/// Token 缓存 25 分钟（KMS 有效期 30 分钟，留 5 分钟余量）。
+/// </summary>
+public class KmsAuthHelper
+{
+    private readonly HttpClient _http;
+    private readonly string _baseUrl;
+    private readonly string _clientId;
+    private readonly string _clientSecret;
+    private string? _token;
+    private DateTime _tokenExpiry = DateTime.MinValue;
+
+    /// <summary>
+    /// 创建 KMS 认证辅助
+    /// </summary>
+    /// <param name="http">HttpClient 实例</param>
+    /// <param name="baseUrl">KMS 服务地址</param>
+    /// <param name="clientId">KMS 客户端 ID</param>
+    /// <param name="clientSecret">KMS 客户端密钥</param>
+    public KmsAuthHelper(HttpClient http, string baseUrl, string clientId, string clientSecret)
+    {
+        _http = http;
+        _baseUrl = baseUrl.TrimEnd('/');
+        _clientId = clientId;
+        _clientSecret = clientSecret;
+    }
+
+    /// <summary>
+    /// 获取有效的 Bearer Token。缓存有效则直接返回，否则重新获取。
+    /// </summary>
+    public async Task<string> GetTokenAsync()
+    {
+        if (!string.IsNullOrEmpty(_token) && DateTime.UtcNow < _tokenExpiry)
+            return _token;
+
+        var url = $"{_baseUrl}/prod-api/getToken?clientId={Uri.EscapeDataString(_clientId)}&clientSecret={Uri.EscapeDataString(_clientSecret)}";
+        var resp = await _http.PostAsync(url, null);
+        resp.EnsureSuccessStatusCode();
+
+        var result = await resp.Content.ReadFromJsonAsync<KmsTokenResponse>()
+            ?? throw new Exception("KMS Token 响应为空");
+        if (result.Code != 200)
+            throw new Exception($"KMS 认证失败: code={result.Code}");
+
+        _token = result.Token;
+        _tokenExpiry = DateTime.UtcNow.AddMinutes(25);
+        return _token;
+    }
+
+    /// <summary>
+    /// 创建一个已认证的 HttpClient，自动附带 Authorization: Bearer 头。
+    /// </summary>
+    public async Task<HttpClient> GetAuthenticatedClientAsync()
+    {
+        var token = await GetTokenAsync();
+        var client = new HttpClient { BaseAddress = new Uri(_baseUrl) };
+        client.DefaultRequestHeaders.Add("Authorization", $"Bearer {token}");
+        return client;
+    }
+
+    /// <summary>强制清除缓存的 Token，下次调用 GetTokenAsync 将重新登录</summary>
+    public void Invalidate() => _token = null;
+}