add: user auth accomplished
This commit is contained in:
wwweww
@@ -1,90 +0,0 @@
|
||||
package utils
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/golang-jwt/jwt/v4"
|
||||
)
|
||||
|
||||
// JWKS (JSON Web Key Set) 结构
|
||||
type JWKSKey struct {
|
||||
Kty string `json:"kty"`
|
||||
Use string `json:"use"`
|
||||
Kid string `json:"kid"`
|
||||
N string `json:"n,omitempty"`
|
||||
E string `json:"e,omitempty"`
|
||||
K string `json:"k,omitempty"` // 对称密钥
|
||||
Alg string `json:"alg"`
|
||||
}
|
||||
|
||||
type JWKS struct {
|
||||
Keys []JWKSKey `json:"keys"`
|
||||
}
|
||||
|
||||
// GenerateJWKSFromSecret 从密钥生成 JWKS(用于对称加密 HS256)
|
||||
func GenerateJWKSFromSecret(secretKey string, keyID string) *JWKS {
|
||||
// 对于 HS256,将密钥进行 base64 编码
|
||||
encodedSecret := base64.RawURLEncoding.EncodeToString([]byte(secretKey))
|
||||
|
||||
return &JWKS{
|
||||
Keys: []JWKSKey{
|
||||
{
|
||||
Kty: "oct",
|
||||
Use: "sig",
|
||||
Kid: keyID,
|
||||
K: encodedSecret,
|
||||
Alg: "HS256",
|
||||
},
|
||||
},
|
||||
}
|
||||
}
|
||||
|
||||
// GenerateJWKSEndpoint 生成可以被 Envoy 使用的 JWKS JSON
|
||||
// 此端点应在 user-rpc 中暴露,URL 为 /.well-known/jwks.json
|
||||
func GenerateJWKSEndpoint(secretKey string, keyID string) (string, error) {
|
||||
if secretKey == "" {
|
||||
return "", fmt.Errorf("secret key cannot be empty")
|
||||
}
|
||||
|
||||
jwks := GenerateJWKSFromSecret(secretKey, keyID)
|
||||
|
||||
jsonData, err := json.MarshalIndent(jwks, "", " ")
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
|
||||
return string(jsonData), nil
|
||||
}
|
||||
|
||||
// TokenPayload 令牌负载
|
||||
type TokenMetadata struct {
|
||||
IssuedAt time.Time
|
||||
ExpiresAt time.Time
|
||||
Subject string // userId
|
||||
Issuer string
|
||||
Audience string
|
||||
}
|
||||
|
||||
// ExtractTokenMetadata 从 token 中提取元数据(不验证签名)
|
||||
func ExtractTokenMetadata(tokenString string) (*TokenMetadata, error) {
|
||||
token, _, err := new(jwt.Parser).ParseUnverified(tokenString, &Claims{})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
claims, ok := token.Claims.(*Claims)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("invalid token claims type")
|
||||
}
|
||||
|
||||
return &TokenMetadata{
|
||||
IssuedAt: claims.IssuedAt.Time,
|
||||
ExpiresAt: claims.ExpiresAt.Time,
|
||||
Subject: claims.UserId,
|
||||
Issuer: claims.Issuer,
|
||||
Audience: "", // 如果需要,可以增加到 Claims 中
|
||||
}, nil
|
||||
}
|
||||
@@ -5,6 +5,7 @@ import (
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"strconv"
|
||||
"time"
|
||||
|
||||
"github.com/golang-jwt/jwt/v4"
|
||||
@@ -12,7 +13,7 @@ import (
|
||||
)
|
||||
|
||||
type TokenPayload struct {
|
||||
UserId string
|
||||
UserId int64
|
||||
IsAdmin bool
|
||||
}
|
||||
|
||||
@@ -33,6 +34,7 @@ var (
|
||||
errInvalidToken = errors.New("invalid token claims")
|
||||
errTokenNotInCache = errors.New("token not found in cache")
|
||||
errNoRedisClient = errors.New("redis client not configured")
|
||||
errInvalidUserID = errors.New("invalid user id")
|
||||
// errExpiredToken = errors.New("token expired")
|
||||
)
|
||||
|
||||
@@ -74,8 +76,7 @@ func (m *JwtManager) New(ctx context.Context, payload *TokenPayload) (string, er
|
||||
return "", err
|
||||
}
|
||||
|
||||
// 存储 token 到 Redis,TTL 为 30 天
|
||||
userKey := tokenCachePrefixUser + payload.UserId
|
||||
userKey := tokenCachePrefixUser + strconv.FormatInt(claims.UserId, 10)
|
||||
tokenKey := tokenCachePrefixToken + tokenString
|
||||
|
||||
tokenData, _ := json.Marshal(payload)
|
||||
@@ -105,12 +106,12 @@ func (m *JwtManager) Valid(ctx context.Context, tokenString string) (*TokenPaylo
|
||||
// 检查 token 是否在 Redis 中
|
||||
tokenKey := tokenCachePrefixToken + tokenString
|
||||
tokenData, err := m.redisCluster.Get(ctx, tokenKey).Result()
|
||||
if err != nil && err != redis.Nil {
|
||||
if err != nil && !errors.Is(err, redis.Nil) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var payload TokenPayload
|
||||
if err == redis.Nil {
|
||||
if errors.Is(err, redis.Nil) {
|
||||
return nil, errTokenNotInCache
|
||||
}
|
||||
|
||||
@@ -125,6 +126,20 @@ func (m *JwtManager) Valid(ctx context.Context, tokenString string) (*TokenPaylo
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
if errors.Is(err, jwt.ErrTokenExpired) {
|
||||
if _, renewErr := m.Renew(ctx, tokenString); renewErr != nil {
|
||||
return nil, renewErr
|
||||
}
|
||||
|
||||
if token != nil {
|
||||
if claims, ok := token.Claims.(*Claims); ok {
|
||||
return &claims.TokenPayload, nil
|
||||
}
|
||||
}
|
||||
|
||||
return &payload, nil
|
||||
}
|
||||
|
||||
return nil, err
|
||||
}
|
||||
|
||||
@@ -146,7 +161,7 @@ func (m *JwtManager) Renew(ctx context.Context, tokenString string) (string, err
|
||||
tokenKey := tokenCachePrefixToken + tokenString
|
||||
tokenData, err := m.redisCluster.Get(ctx, tokenKey).Result()
|
||||
if err != nil {
|
||||
if err == redis.Nil {
|
||||
if errors.Is(err, redis.Nil) {
|
||||
return "", errTokenNotInCache
|
||||
}
|
||||
return "", err
|
||||
@@ -159,15 +174,15 @@ func (m *JwtManager) Renew(ctx context.Context, tokenString string) (string, err
|
||||
}
|
||||
|
||||
// 删除旧 token 记录
|
||||
userKey := tokenCachePrefixUser + payload.UserId
|
||||
userKey := tokenCachePrefixUser + strconv.FormatInt(payload.UserId, 10)
|
||||
m.redisCluster.Del(ctx, tokenKey, userKey)
|
||||
|
||||
// 生成新 token
|
||||
return m.New(ctx, &payload)
|
||||
}
|
||||
|
||||
// extract payload from token without validating expiration (used for auto-renewal)
|
||||
func (m *JwtManager) Extract(ctx context.Context, tokenString string) (*TokenPayload, error) {
|
||||
// Extract payload from token without validating expiration (used for auto-renewal)
|
||||
func (m *JwtManager) Extract(_ context.Context, tokenString string) (*TokenPayload, error) {
|
||||
token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {
|
||||
return []byte(m.secretKey), nil
|
||||
})
|
||||
@@ -184,7 +199,7 @@ func (m *JwtManager) Extract(ctx context.Context, tokenString string) (*TokenPay
|
||||
return &claims.TokenPayload, nil
|
||||
}
|
||||
|
||||
// check if token exists in Redis (i.e. is valid and not revoked)
|
||||
// Exists check if token exists in Redis (i.e. is valid and not revoked)
|
||||
func (m *JwtManager) Exists(ctx context.Context, tokenString string) (bool, error) {
|
||||
if m.redisCluster == nil {
|
||||
return false, errNoRedisClient
|
||||
@@ -199,12 +214,12 @@ func (m *JwtManager) Exists(ctx context.Context, tokenString string) (bool, erro
|
||||
return exists > 0, nil
|
||||
}
|
||||
|
||||
// extract payload from JWT claims
|
||||
// ClaimsToPayload extract payload from JWT claims
|
||||
func (m *JwtManager) ClaimsToPayload(claims *Claims) *TokenPayload {
|
||||
return &claims.TokenPayload
|
||||
}
|
||||
|
||||
// revoke token by deleting both user -> token and token -> payload keys from Redis
|
||||
// Revoke revoke token by deleting both user -> token and token -> payload keys from Redis
|
||||
func (m *JwtManager) Revoke(ctx context.Context, tokenString string) error {
|
||||
if m.redisCluster == nil {
|
||||
return errNoRedisClient
|
||||
@@ -215,7 +230,7 @@ func (m *JwtManager) Revoke(ctx context.Context, tokenString string) error {
|
||||
return err
|
||||
}
|
||||
|
||||
userKey := tokenCachePrefixUser + payload.UserId
|
||||
userKey := tokenCachePrefixUser + strconv.FormatInt(payload.UserId, 10)
|
||||
tokenKey := tokenCachePrefixToken + tokenString
|
||||
|
||||
pipe := m.redisCluster.Pipeline()
|
||||
@@ -225,19 +240,48 @@ func (m *JwtManager) Revoke(ctx context.Context, tokenString string) error {
|
||||
return err
|
||||
}
|
||||
|
||||
func (m *JwtManager) GetUserToken(ctx context.Context, userID string) (string, error) {
|
||||
func (m *JwtManager) GetUserToken(ctx context.Context, userID int64) (string, error) {
|
||||
if m.redisCluster == nil {
|
||||
return "", errNoRedisClient
|
||||
}
|
||||
//userID, err := strconv.FormatInt(userID, 10)
|
||||
id := strconv.FormatInt(userID, 10)
|
||||
|
||||
userKey := tokenCachePrefixUser + userID
|
||||
userKey := tokenCachePrefixUser + id
|
||||
token, err := m.redisCluster.Get(ctx, userKey).Result()
|
||||
if err != nil {
|
||||
if err == redis.Nil {
|
||||
return "", fmt.Errorf("user %s has no token", userID)
|
||||
if errors.Is(err, redis.Nil) {
|
||||
return "", fmt.Errorf("user %v has no token", userID)
|
||||
}
|
||||
return "", err
|
||||
}
|
||||
|
||||
return token, nil
|
||||
}
|
||||
|
||||
// Logout 按用户登出:删除 user->token 和 token->payload 两类缓存数据
|
||||
func (m *JwtManager) Logout(ctx context.Context, userID int64) error {
|
||||
if m.redisCluster == nil {
|
||||
return errNoRedisClient
|
||||
}
|
||||
|
||||
if userID <= 0 {
|
||||
return errInvalidUserID
|
||||
}
|
||||
|
||||
userKey := tokenCachePrefixUser + strconv.FormatInt(userID, 10)
|
||||
tokenString, err := m.redisCluster.Get(ctx, userKey).Result()
|
||||
if err != nil && !errors.Is(err, redis.Nil) {
|
||||
return err
|
||||
}
|
||||
|
||||
pipe := m.redisCluster.Pipeline()
|
||||
pipe.Del(ctx, userKey)
|
||||
if !errors.Is(err, redis.Nil) && tokenString != "" {
|
||||
tokenKey := tokenCachePrefixToken + tokenString
|
||||
pipe.Del(ctx, tokenKey)
|
||||
}
|
||||
|
||||
_, execErr := pipe.Exec(ctx)
|
||||
return execErr
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user