feat: add authz-adapter service and Envoy ext_authz integration

- Implemented authz-adapter deployment and service for Envoy gRPC authorization. - Created PowerShell script to generate JWK for JWT authentication. - Documented the integration of ext_authz with user-rpc.ValidateToken in ENVOY_EXT_AUTHZ_ADAPTER.md. - Added comprehensive Envoy Gateway configuration guide with JWT authentication and access control in ENVOY_GATEWAY_GUIDE.md.
2026-02-26 06:08:35 +08:00
parent 60b6f40f9f
commit 659168fe32
30 changed files with 2093 additions and 3527 deletions
@@ -23,25 +23,25 @@ func LoginHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {

 		l := user.NewLoginLogic(r.Context(), svcCtx)
 		resp, err := l.Login(&req)
-		token := resp.Token
-		resp.Token = ""
-		http.SetCookie(w, &http.Cookie{
-			Name:        "JToken",
-			Value:       token,
-			Quoted:      false,
-			Path:        "/",
-			Domain:      "",
-			RawExpires:  "",
-			MaxAge:      691200,
-			Secure:      false,
-			HttpOnly:    true,
-			SameSite:    http.SameSiteStrictMode,
-			Partitioned: false,
-		})

 		if err != nil {
 			httpx.ErrorCtx(r.Context(), w, err)
 		} else {
+			token := resp.Token
+			resp.Token = ""
+			http.SetCookie(w, &http.Cookie{
+				Name:        "JToken",
+				Value:       token,
+				Quoted:      false,
+				Path:        "/",
+				Domain:      "",
+				RawExpires:  "",
+				MaxAge:      691200,
+				Secure:      false,
+				HttpOnly:    true,
+				SameSite:    http.SameSiteStrictMode,
+				Partitioned: false,
+			})
 			httpx.OkJsonCtx(r.Context(), w, resp)
 		}
 	}
@@ -46,9 +46,9 @@ func RegisterHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
 		resp, err := l.Register(&req)

 		if err != nil {
-			httpx.ErrorCtx(r.Context(), w, err)
+			httpx.ErrorCtx(r.Context(), w, utils.NewErrorResp(400, err))
 		} else {
-			httpx.OkJsonCtx(r.Context(), w, utils.NewErrorResp(400, err))
+			httpx.OkJsonCtx(r.Context(), w, resp)
 		}
 	}
 }
@@ -38,11 +38,17 @@ func (l *LoginLogic) Login(req *types.LoginReq) (resp *types.LoginResp, err erro
 		Username: req.Username,
 		Passwd:   req.Password,
 	})
+	logx.Infof("res:%v", res)
 	if err != nil {
 		logx.Errorf("rpc login err: %v", err)
 		return nil, errors.New("login fail")
 	}

+	if res == nil || res.Id <= 0 || res.Username == "" || res.Token == "" {
+		logx.Errorf("rpc login returned empty payload, username=%s, resp=%+v", req.Username, res)
+		return nil, errors.New("login fail")
+	}
+
 	return &types.LoginResp{
 		UserId:   res.Id,
 		Username: res.Username,
@@ -59,7 +59,7 @@ func (l *RegisterLogic) Register(req *types.RegisterReq) (resp *types.RegisterRe

 	requestId, err := contextx.RequestIdFrom(l.ctx)
 	if err != nil {
-		logx.Errorf("contextx.RequestIdFrom failed: %v", errjA)
+		logx.Errorf("contextx.RequestIdFrom failed: %v", err)
 		return nil, errors.New("contextx.RequestIdFrom failed")
 	}

@@ -28,3 +28,6 @@ CacheConf:
 Jwt:
  SecretKey: "${JWT_SECRET_KEY}"
  Issuer: "juwan-user-rpc"
+
+Log:
+  Level: info
@@ -31,6 +31,7 @@ func (l *LoginLogic) Login(in *pb.LoginReq) (*pb.LoginResp, error) {
 		logx.WithContext(l.ctx).Errorf("LoginLogic.Login error:%v", err)
 		return nil, err
 	}
+	logx.Infof("user:%v", user)
 	if !utils.VerifyPassword(user.Passwd, in.Passwd) {
 		logx.WithContext(l.ctx).Errorf("User %s Login failed", user.Username)
 		return nil, errors.New("incorrect password")
@@ -2,7 +2,6 @@ package logic

 import (
 	"context"
-	"fmt"

 	"juwan-backend/app/users/rpc/internal/svc"
 	"juwan-backend/app/users/rpc/pb"
@@ -27,8 +26,8 @@ func NewValidateTokenLogic(ctx context.Context, svcCtx *svc.ServiceContext) *Val
 }

 func (l *ValidateTokenLogic) ValidateToken(in *pb.ValidateTokenReq) (*pb.ValidateTokenResp, error) {
-	redisKey := fmt.Sprintf(USER_TOKEN_TEMP, in.UserId)
-	_, err := l.svcCtx.JwtManager.Valid(l.ctx, redisKey)
+
+	_, err := l.svcCtx.JwtManager.Valid(l.ctx, in.Token)
 	if err != nil {
 		return nil, err
 	}