juwan/juwan-backend
1
0
Fork 0
Code Issues Pull Requests Actions 7 Packages Projects Releases Wiki Activity
Files
fdbcde13b2d83a46d8e43e347c107e43a4cf835e
juwan-backend/app/users/rpc/internal/utils/jwt.go
T
wwweww fdbcde13b2 add:
2026-02-23 20:36:21 +08:00

244 lines
5.8 KiB
Go
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
package utils
import (
"context"
"encoding/json"
"errors"
"fmt"
"time"
"github.com/golang-jwt/jwt/v4"
"github.com/redis/go-redis/v9"
)
type TokenPayload struct {
UserId string
IsAdmin bool
}
type Claims struct {
TokenPayload
jwt.RegisteredClaims
}
const (
tokenCachePrefixUser = "jwt:user:"
tokenCachePrefixToken = "jwt:token:"
tokenCacheTTL = 30 * 24 * time.Hour
tokenLifetime = 7 * 24 * time.Hour
)
var (
errMissingToken = errors.New("token missing in request")
errInvalidToken = errors.New("invalid token claims")
errTokenNotInCache = errors.New("token not found in cache")
errNoRedisClient = errors.New("redis client not configured")
// errExpiredToken = errors.New("token expired")
)
type JwtManager struct {
redisCluster *redis.ClusterClient
secretKey string
issuer string
}
func NewJwtManager(redisCluster *redis.ClusterClient, secretKey, issuer string) *JwtManager {
return &JwtManager{
redisCluster: redisCluster,
secretKey: secretKey,
issuer: issuer,
}
}
// New 生成新的 JWT token
func (m *JwtManager) New(ctx context.Context, payload *TokenPayload) (string, error) {
if m.redisCluster == nil {
return "", errNoRedisClient
}
now := time.Now()
expiresAt := now.Add(tokenLifetime)
claims := &Claims{
TokenPayload: *payload,
RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(expiresAt),
IssuedAt: jwt.NewNumericDate(now),
Issuer: m.issuer,
},
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
tokenString, err := token.SignedString([]byte(m.secretKey))
if err != nil {
return "", err
}
// 存储 token 到 RedisTTL 为 30 天
userKey := tokenCachePrefixUser + payload.UserId
tokenKey := tokenCachePrefixToken + tokenString
tokenData, _ := json.Marshal(payload)
// 同时存储两个 key:用户 -> token 和 token -> payload
pipe := m.redisCluster.Pipeline()
pipe.Set(ctx, userKey, tokenString, tokenCacheTTL)
pipe.Set(ctx, tokenKey, string(tokenData), tokenCacheTTL)
_, err = pipe.Exec(ctx)
if err != nil {
return "", err
}
return tokenString, nil
}
// Valid 验证 token 有效性,支持自动换票
func (m *JwtManager) Valid(ctx context.Context, tokenString string) (*TokenPayload, error) {
if m.redisCluster == nil {
return nil, errNoRedisClient
}
if tokenString == "" {
return nil, errMissingToken
}
// 检查 token 是否在 Redis 中
tokenKey := tokenCachePrefixToken + tokenString
tokenData, err := m.redisCluster.Get(ctx, tokenKey).Result()
if err != nil && err != redis.Nil {
return nil, err
}
var payload TokenPayload
if err == redis.Nil {
return nil, errTokenNotInCache
}
err = json.Unmarshal([]byte(tokenData), &payload)
if err != nil {
return nil, errInvalidToken
}
// 解析 JWT 并验证签名和过期时间
token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {
return []byte(m.secretKey), nil
})
if err != nil {
return nil, err
}
claims, ok := token.Claims.(*Claims)
if !ok || !token.Valid {
return nil, errInvalidToken
}
return &claims.TokenPayload, nil
}
// Renew 换票逻辑:如果 token 过期但 Redis 中还存在,则生成新 token
func (m *JwtManager) Renew(ctx context.Context, tokenString string) (string, error) {
if m.redisCluster == nil {
return "", errNoRedisClient
}
// 检查 token 是否在 Redis 中(不检查过期时间)
tokenKey := tokenCachePrefixToken + tokenString
tokenData, err := m.redisCluster.Get(ctx, tokenKey).Result()
if err != nil {
if err == redis.Nil {
return "", errTokenNotInCache
}
return "", err
}
var payload TokenPayload
err = json.Unmarshal([]byte(tokenData), &payload)
if err != nil {
return "", errInvalidToken
}
// 删除旧 token 记录
userKey := tokenCachePrefixUser + payload.UserId
m.redisCluster.Del(ctx, tokenKey, userKey)
// 生成新 token
return m.New(ctx, &payload)
}
// extract payload from token without validating expiration (used for auto-renewal)
func (m *JwtManager) Extract(ctx context.Context, tokenString string) (*TokenPayload, error) {
token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {
return []byte(m.secretKey), nil
})
if err != nil {
return nil, err
}
claims, ok := token.Claims.(*Claims)
if !ok {
return nil, errInvalidToken
}
return &claims.TokenPayload, nil
}
// check if token exists in Redis (i.e. is valid and not revoked)
func (m *JwtManager) Exists(ctx context.Context, tokenString string) (bool, error) {
if m.redisCluster == nil {
return false, errNoRedisClient
}
tokenKey := tokenCachePrefixToken + tokenString
exists, err := m.redisCluster.Exists(ctx, tokenKey).Result()
if err != nil {
return false, err
}
return exists > 0, nil
}
// extract payload from JWT claims
func (m *JwtManager) ClaimsToPayload(claims *Claims) *TokenPayload {
return &claims.TokenPayload
}
// revoke token by deleting both user -> token and token -> payload keys from Redis
func (m *JwtManager) Revoke(ctx context.Context, tokenString string) error {
if m.redisCluster == nil {
return errNoRedisClient
}
payload, err := m.Extract(ctx, tokenString)
if err != nil {
return err
}
userKey := tokenCachePrefixUser + payload.UserId
tokenKey := tokenCachePrefixToken + tokenString
pipe := m.redisCluster.Pipeline()
pipe.Del(ctx, userKey)
pipe.Del(ctx, tokenKey)
_, err = pipe.Exec(ctx)
return err
}
func (m *JwtManager) GetUserToken(ctx context.Context, userID string) (string, error) {
if m.redisCluster == nil {
return "", errNoRedisClient
}
userKey := tokenCachePrefixUser + userID
token, err := m.redisCluster.Get(ctx, userKey).Result()
if err != nil {
if err == redis.Nil {
return "", fmt.Errorf("user %s has no token", userID)
}
return "", err
}
return token, nil
}
Reference in New Issue View Git Blame Copy Permalink