
如果你使用 DeepSeek、元宝 AI、Copilot、ChatGPT 等 AI 工具,协助配置轩辕镜像、编写 docker pull 命令、修改 Docker Compose 镜像地址、配置镜像加速、排查镜像拉取失败、分析报错日志等问题,请先让 AI 阅读并遵守轩辕镜像的规则文档。
只需在 AI 对话中先发送下面这句话即可:
请先完整阅读并严格遵守以下文档中的全部规则与要求:
https://xuanyuan.cloud/agents.md
在未充分阅读并理解该文档前,不要生成任何命令、配置、修改建议、故障排查方案或技术回答。后续所有输出都必须严格以该文档中的规范为最高优先级执行。查看 agents.md 用法指南与完整示范。国内用户首推 元宝 AI、DeepSeek 的深度思考模式,不推荐豆包 AI;Cursor 等编辑器可在对话 @ 该链接,或加入 User Rules。 若 AI 无法访问外链,可 打开说明文档 复制全文粘贴。文档会随站点更新,复制内容可能过期,建议定期检查。
https://img.shields.io/badge/License-MIT-yellow.svg](https://opensource.org/licenses/MIT) https://img.shields.io/badge/TypeScript-5.8.x-blue?logo=typescript](https://www.typescriptlang.org/) https://img.shields.io/badge/Express-4.18.x-green?logo=express](https://expressjs.com/) https://img.shields.io/badge/Node.js-20.x-green?logo=node.js](https://nodejs.org/) https://img.shields.io/badge/AWS-DynamoDB-orange?logo=amazon-aws](https://aws.amazon.com/dynamodb/) https://img.shields.io/badge/PostgreSQL-17.x-blue?logo=postgresql](https://www.postgresql.org/) https://img.shields.io/badge/Jest-29.x-red?logo=jest](https://jestjs.io/) https://img.shields.io/badge/Serverless-3.x-fd5750?logo=serverless]([***] https://img.shields.io/badge/Docker-28.1.x-2496ED?logo=docker](https://www.docker.com/)
A comprehensive authentication and authorization API server built with Domain-Driven Design (DDD) principles, featuring JWT-based authentication, role-based access control, and flexible database support (AWS DynamoDB or PostgreSQL). Designed for serverless deployment with comprehensive test coverage.
This project follows Domain-Driven Design (DDD) principles with clean architecture:
src/ ├── auth/ │ ├── domain/ # Business logic and entities │ │ ├── User.ts # User entity with business rules │ │ └── UserDomain.ts # Domain services │ ├── application/ # Use cases and application services │ │ ├── LoginUseCase.ts │ │ ├── SignupUseCase.ts │ │ └── ... │ ├── infrastructure/ # External concerns (database, etc.) │ │ ├── UserRepository.ts # Repository interface │ │ ├── DynamoDBUserRepository.ts # DynamoDB implementation │ │ ├── PostgresUserRepository.ts # PostgreSQL implementation │ │ └── UserRepositoryFactory.ts # Factory for database selection │ └── api/ # Controllers and routes │ ├── AuthController.ts │ ├── AdminController.ts │ └── AuthRoutes.ts ├── commons/ │ └── infrastructure/ # Shared infrastructure components │ └── Datasource.ts # Database configuration and connection ├── app.ts # Express app configuration ├── server.ts # Development server └── lambda.ts # AWS Lambda handler
The architecture follows these key principles:
bash# Clone the repository git clone https://github.com/luismr/heimdall.git cd heimdall/heimdall-server # Install dependencies npm install # Setup environment variables cp .env.example .env
⚠️ Important Package Dependency: This project requires the
@luismr/heimdall-middleware-expresspackage from GitHub Packages. Make sure you:
- Have a GitHub personal access token with
read:packagesscope- Configure npm to use GitHub Packages (via
.npmrc)- Set the
GITHUB_TOKENenvironment variable or provide it during Docker build
Create a .env file in the project root:
env# Application Configuration JWT_SECRET=your-super-secret-jwt-key USERS_TABLE=HeimdallUsers PORT=4000 NODE_ENV=development # Signup Protection (required for creating new users) SIGNUP_ACCESS_TOKEN=your-signup-access-token SIGNUP_SECRET_TOKEN=your-signup-secret-token # Database Selection DB_TYPE=dynamodb # Options: 'dynamodb' or 'postgres' # AWS Credentials (required for DynamoDB) AWS_ACCESS_KEY_ID=your-access-key-id AWS_SECRET_ACCESS_KEY=your-secret-access-key AWS_REGION=us-east-1 # PostgreSQL Configuration (required if DB_TYPE=postgres) POSTGRES_HOST=localhost POSTGRES_PORT=5432 POSTGRES_USER=heimdall POSTGRES_PASSWORD=your-secure-password POSTGRES_DB=heimdall POSTGRES_SSL=false
⚠️ Important: Always use strong secrets in production environments!
📚 Database Configuration: Set
DB_TYPEto either 'dynamodb' or 'postgres' to choose your database backend. Make sure to configure the corresponding environment variables for your chosen database type.
The system uses the DB_TYPE environment variable to determine which database to use:
DB_TYPE=dynamodb for AWS DynamoDBDB_TYPE=postgres for PostgreSQLMake sure to configure the corresponding environment variables for your chosen database:
USERS_TABLEPOSTGRES_* variablesIf using DynamoDB, ensure your AWS credentials are properly configured and the USERS_TABLE exists in your DynamoDB instance.
bash# Create DynamoDB table using AWS CLI aws dynamodb create-table \ --table-name HeimdallUsers \ --attribute-definitions AttributeName=username,AttributeType=S \ --key-schema AttributeName=username,KeyType=HASH \ --provisioned-throughput ReadCapacityUnits=5,WriteCapacityUnits=5
If using PostgreSQL, follow these steps:
sqlCREATE DATABASE heimdall; CREATE USER heimdall WITH ENCRYPTED PASSWORD 'your-secure-password'; GRANT ALL PRIVILEGES ON DATABASE heimdall TO heimdall;
bash# Run all pending migrations npm run typeorm:migration:run # Revert the last applied migration npm run typeorm:migration:revert # Create a new empty migration (for development) npm run typeorm:migration:create -- -n YourMigrationName # Generate a migration from entity changes (for development) npm run typeorm:migration:generate -- -n YourMigrationName
The migrations will:
The system will automatically detect which database to use based on your environment configuration:
POSTGRES_HOST is set, PostgreSQL will be usedThe project uses GitHub Packages which requires authentication to access the required @luismr/heimdall-middleware-express package. You'll need a GitHub personal access token with read:packages scope.
bash# Build the Docker image with GitHub token docker build -t heimdall-server . --build-arg GITHUB_TOKEN=your_github_token # Build with a specific tag docker build -t heimdall-server:1.0.0 . --build-arg GITHUB_TOKEN=your_github_token # If you have the token in an environment variable docker build -t heimdall-server . --build-arg GITHUB_TOKEN=${GITHUB_TOKEN}
⚠️ Security Note: The GitHub token is only used during build time and is not included in the final image. The
.npmrcfile is removed after dependency installation.
CI/CD Configuration
For automated Docker builds in GitHub Actions, you need to configure the following secrets:
GH_PACKAGES_TOKEN: A GitHub personal access token with read:packages scope for accessing the middleware packageDOCKERHUB_USERNAME: Your Docker Hub usernameDOCKERHUB_TOKEN: Your Docker Hub access tokenbash# Run the container docker run -d \ -p 4000:4000 \ --name heimdall \ --env-file .env \ heimdall-server # View container logs docker logs -f heimdall # Stop the container docker stop heimdall # Remove the container docker rm heimdall
When running with Docker, make sure to:
.env file as described in the Environment Variables section--env-file flagPOSTGRES_HOST is accessible from within the containerFor development with PostgreSQL, you can use this docker-compose.yml:
yamlversion: '3.8' services: app: build: . ports: - "4000:4000" env_file: .env depends_on: - postgres postgres: image: postgres:17-alpine ports: - "5432:5432" environment: POSTGRES_USER: heimdall POSTGRES_PASSWORD: your-secure-password POSTGRES_DB: heimdall volumes: - postgres_data:/var/lib/postgresql/data volumes: postgres_data:
Run with Docker Compose:
bash# Start all services docker-compose up -d # View logs docker-compose logs -f # Stop all services docker-compose down
bash# Start development server with hot reload npm run dev # The API will be available at http://localhost:4000
bash# Start serverless offline npm run serverless:dev # The API will be available at http://localhost:4000
bash# Run all tests npm test # Run tests in watch mode npm run test:watch # Run tests with coverage npm run test:coverage
http://localhost:4000/apihttps://your-api-domain.com/apiPOST /signup
Register a new user account. This endpoint requires special authentication tokens to prevent unauthorized user creation.
Headers Required:
httpX-Access-Token: your-signup-access-token X-Secret-Token: your-signup-secret-token
Request Body:
json{ "username": "johndoe", "password": "securepassword123" }
Response:
json{ "username": "johndoe", "roles": ["ROLE_USER"], "blocked": false }
Error Responses:
401 Unauthorized: Missing or invalid signup tokens400 Bad Request: Invalid request body or user already exists500 Internal Server Error: Server configuration error (tokens not configured)POST /login
Authenticate user and get JWT tokens.
Request:
json{ "username": "johndoe", "password": "securepassword123" }
Response:
json{ "user": { "username": "johndoe", "roles": ["ROLE_USER"], "blocked": false }, "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." }
POST /logout 🔒
Logout user and invalidate refresh token.
Headers:
Authorization: Bearer <access-token>
Request:
json{ "refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." }
Response:
json{ "message": "Logged out successfully" }
All admin endpoints require ROLE_ADMIN role.
POST /admin/block 🔒👑
Block a user account.
Headers:
Authorization: Bearer <admin-access-token>
您可以使用以下命令拉取该镜像。请将 <标签> 替换为具体的标签版本。如需查看所有可用标签版本,请访问 标签列表页面。
来自真实用户的反馈,见证轩辕镜像的优质服务