改进 jwt 验证

2024-07-14 18:14:01 +08:00 · 2024-07-14 18:14:01 +08:00 · ee1e339007
commit ee1e339007
parent 0e421a31a9
5 changed files with 40 additions and 14 deletions
--- a/internal/bootstrap/router.go
+++ b/internal/bootstrap/router.go
@ -10,5 +10,5 @@ import (
 func InitApiRoutes() {
 	var router = *providers.MustGet[gin.Engine]()

-	router.GET("/", http.MiddlewareJSONResponse, http.ValidateUser, user.CurrentUser)
+	router.GET("/", http.MiddlewareJSONResponse, http.RequireJWTIDToken, user.CurrentUser)
 }
--- a/internal/handlers/controllers/user/main.go
+++ b/internal/handlers/controllers/user/main.go
@ -9,7 +9,9 @@ var AuthLogic = logic.NewAuthLogic()

 func CurrentUser(c *gin.Context) {
 	c.JSON(200, gin.H{
-		"IP":   c.ClientIP(),
-		"User": AuthLogic.GinUser(c).Valid,
+		"IP":        c.ClientIP(),
+		"Valid":     AuthLogic.GinUser(c).Valid,
+		"UserEmail": AuthLogic.GinUser(c).Token.Email,
+		"UserId":    AuthLogic.GinUser(c).Token.Sub,
 	})
 }
--- a/internal/logic/auth.go
+++ b/internal/logic/auth.go
@ -15,13 +15,12 @@ import (
 type AuthLogic struct {
 }

-const AnonymousUser = "anonymous"
-
 var (
-	ErrNotValidToken  = errors.New("无效的 JWT 令牌。")
-	ErrJWTFormatError = errors.New("JWT 格式错误。")
-	ErrNotBearerType  = errors.New("不是 Bearer 类型。")
-	ErrEmptyResponse  = errors.New("我们的服务器返回了空请求，可能某些环节出了问题。")
+	ErrNotValidToken  = errors.New("无效的 JWT 令牌")
+	ErrJWTFormatError = errors.New("JWT 格式错误")
+	ErrNotBearerType  = errors.New("不是 Bearer 类型")
+	ErrEmptyResponse  = errors.New("我们的服务器返回了空请求，可能某些环节出了问题")
+	ErrTokenError     = errors.New("token 类型错误")
 	config            = *providers.MustGet[providers.GlobalConfig]()
 	logger            = *providers.MustGet[zap.Logger]()
 )
@ -30,8 +29,8 @@ func NewAuthLogic() *AuthLogic {
 	return &AuthLogic{}
 }

-func (a *AuthLogic) GinMiddlewareAuth(c *gin.Context) (*types.User, error) {
-	var sub = AnonymousUser
+func (a *AuthLogic) GinMiddlewareAuth(tokenType types.JWTTokenTypes, c *gin.Context) (*types.User, error) {
+	var sub = consts.AnonymousUser
 	var jwtIdToken = &types.User{}

 	if config.DebugMode.Enable {
@ -56,18 +55,31 @@ func (a *AuthLogic) GinMiddlewareAuth(c *gin.Context) (*types.User, error) {

 		token, err := jwks.ParseJWT(authSplit[1])
 		if err != nil {
-			return nil, ErrJWTFormatError
+			return nil, ErrNotValidToken
 		}
 		sub, err = token.Claims.GetSubject()
 		if err != nil {
 			return nil, ErrNotValidToken
 		}

+		// 如果 token.Header 中没有 typ
+		if token.Header["typ"] == "" {
+			return nil, ErrEmptyResponse
+		}
+
+		// 验证 token 类型
+		if tokenType != "" && tokenType.String() != token.Header["typ"] {
+			return nil, ErrTokenError
+		}
+
+		jwtIdToken.Valid = true
+
 		err = mapstructure.Decode(token.Claims, &jwtIdToken.Token)
 		if err != nil {
 			logger.Error("Failed to map token claims to JwtIDToken struct.\nError: " + err.Error())
 			return nil, nil
 		}
+
 	}

 	return jwtIdToken, nil
--- a/internal/middleware/http/jwt.go
+++ b/internal/middleware/http/jwt.go
@ -4,13 +4,14 @@ import (
 	"framework_v2/consts"
 	"framework_v2/internal/logic"
 	"framework_v2/internal/providers/helper"
+	"framework_v2/types"
 	"github.com/gin-gonic/gin"
 	"net/http"
 )

-func ValidateUser(c *gin.Context) {
+func RequireJWTIDToken(c *gin.Context) {
 	auth := logic.NewAuthLogic()
-	user, err := auth.GinMiddlewareAuth(c)
+	user, err := auth.GinMiddlewareAuth(types.JWTIDToken, c)

 	if err != nil {
 		c.Abort()
--- a/types/user.go
+++ b/types/user.go
@ -27,3 +27,14 @@ type User struct {
 	Token UserTokenInfo
 	Valid bool
 }
+
+type JWTTokenTypes string
+
+const (
+	JWTAccessToken JWTTokenTypes = "access_token"
+	JWTIDToken     JWTTokenTypes = "id_token"
+)
+
+func (jwtTokenTypes JWTTokenTypes) String() string {
+	return string(jwtTokenTypes)
+}