♻️ reconstruct the authentication mode

2024-12-21 13:01:10 +08:00
parent f213644aa9
commit 462e811742
25 changed files with 371 additions and 77 deletions
--- a/app/core/api/common/constant/redis_prefix.go
+++ b/app/core/api/common/constant/redis_prefix.go
@@ -22,5 +22,5 @@ const (

 // 系统相关的redis key
 const (
-	SystemApiNonceRedisKey = "system:controller:nonce:"
+	SystemApiNoncePrefix = "system:nonce:"
 )
--- a/app/core/api/common/constant/time.go
+++ b/app/core/api/common/constant/time.go
@@ -0,0 +1,3 @@
+package constant
+
+const TimeFormat = "2006-01-02 15:04:05"
--- a/app/core/api/common/encrypt/aes.go
+++ b/app/core/api/common/encrypt/aes.go
@@ -0,0 +1,99 @@
+package encrypt
+
+import (
+	"bytes"
+	"crypto/aes"
+	"crypto/cipher"
+	"encoding/base64"
+)
+
+// AEC/CBC/PKCS7Padding 加密解密
+
+// Encrypt 加密
+//
+// plainText: 加密目标字符串
+// key: 加密Key
+// iv: 加密iv(AES时固定为16位)
+func Encrypt(plainText string, key string, iv string) (string, error) {
+	data, err := aesCBCEncrypt([]byte(plainText), []byte(key), []byte(iv))
+	if err != nil {
+		return "", err
+	}
+
+	return base64.StdEncoding.EncodeToString(data), nil
+}
+
+// Decrypt 解密
+//
+// cipherText: 解密目标字符串
+// key: 加密Key
+// iv: 加密iv(AES时固定为16位)
+func Decrypt(cipherText string, key string, iv string) (string, error) {
+	data, err := base64.StdEncoding.DecodeString(cipherText)
+	if err != nil {
+		return "", err
+	}
+
+	dnData, err := aesCBCDecrypt(data, []byte(key), []byte(iv))
+	if err != nil {
+		return "", err
+	}
+
+	return string(dnData), nil
+}
+
+// aesCBCEncrypt AES/CBC/PKCS7Padding 加密
+func aesCBCEncrypt(plaintext []byte, key []byte, iv []byte) ([]byte, error) {
+	// AES
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		panic(err)
+	}
+
+	// PKCS7 填充
+	plaintext = paddingPKCS7(plaintext, aes.BlockSize)
+
+	// CBC 加密
+	mode := cipher.NewCBCEncrypter(block, iv)
+	mode.CryptBlocks(plaintext, plaintext)
+
+	return plaintext, nil
+}
+
+// aesCBCDecrypt AES/CBC/PKCS7Padding 解密
+func aesCBCDecrypt(ciphertext []byte, key []byte, iv []byte) ([]byte, error) {
+	// AES
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		panic(err)
+	}
+
+	if len(ciphertext)%aes.BlockSize != 0 {
+		panic("ciphertext is not a multiple of the block size")
+	}
+
+	// CBC 解密
+	mode := cipher.NewCBCDecrypter(block, iv)
+	mode.CryptBlocks(ciphertext, ciphertext)
+
+	// PKCS7 反填充
+	result := unPaddingPKCS7(ciphertext)
+	return result, nil
+}
+
+// PKCS7 填充
+func paddingPKCS7(plaintext []byte, blockSize int) []byte {
+	paddingSize := blockSize - len(plaintext)%blockSize
+	paddingText := bytes.Repeat([]byte{byte(paddingSize)}, paddingSize)
+	return append(plaintext, paddingText...)
+}
+
+// PKCS7 反填充
+func unPaddingPKCS7(s []byte) []byte {
+	length := len(s)
+	if length == 0 {
+		return s
+	}
+	unPadding := int(s[length-1])
+	return s[:(length - unPadding)]
+}
--- a/app/core/api/common/jwt/access_token.go
+++ b/app/core/api/common/jwt/access_token.go
@@ -15,11 +15,11 @@ type AccessJWTClaims struct {
 	jwt.RegisteredClaims
 }

-func GenerateAccessToken(secret string, payload AccessJWTPayload) string {
+func GenerateAccessToken(secret string, payload AccessJWTPayload) (string, int64) {
 	claims := AccessJWTClaims{
 		AccessJWTPayload: payload,
 		RegisteredClaims: jwt.RegisteredClaims{
-			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Minute * 15)),
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Minute * 30)),
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 			NotBefore: jwt.NewNumericDate(time.Now()),
 		},
@@ -27,9 +27,10 @@ func GenerateAccessToken(secret string, payload AccessJWTPayload) string {
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
 	accessToken, err := token.SignedString([]byte(secret))
 	if err != nil {
-		return ""
+		return "", 0
 	}
-	return accessToken
+	expiresAt := claims.ExpiresAt.Unix()
+	return accessToken, expiresAt
 }

 // ParseAccessToken parses a JWT token and returns the payload
--- a/app/core/api/common/jwt/websocket_token.go
+++ b/app/core/api/common/jwt/websocket_token.go
@@ -20,7 +20,7 @@ func GenerateWebsocketToken(secret string, payload AccessJWTPayload) string {
 	claims := AccessJWTClaims{
 		AccessJWTPayload: payload,
 		RegisteredClaims: jwt.RegisteredClaims{
-			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Minute * 15)),
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Minute * 30)),
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 			NotBefore: jwt.NewNumericDate(time.Now()),
 		},
--- a/app/core/api/common/middleware/cors_middleware.go
+++ b/app/core/api/common/middleware/cors_middleware.go
@@ -7,7 +7,7 @@ func CORSMiddleware() func(http.Header) {
 		header.Set("Access-Control-Allow-Origin", "*")
 		header.Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, PATCH")
 		header.Set("Access-Control-Expose-Headers", "Content-Length, Content-Type")
-		header.Set("Access-Control-Allow-Headers", "Content-Type,Authorization,Accept-Language,Origin,X-Content-Security,X-UID")
+		header.Set("Access-Control-Allow-Headers", "Content-Type,Authorization,Accept-Language,Origin,X-Content-Security,X-UID,X-Nonce,X-Expire-At")
 		header.Set("Access-Control-Allow-Credentials", "true")
 	}
 }
--- a/app/core/api/common/middleware/unsigned_callback_middleware.go
+++ b/app/core/api/common/middleware/unsigned_callback_middleware.go
@@ -0,0 +1,13 @@
+package middleware
+
+import (
+	"github.com/zeromicro/go-zero/rest/httpx"
+	"net/http"
+)
+
+func UnsignedCallbackMiddleware() func(w http.ResponseWriter, r *http.Request, next http.Handler, strict bool, code int) {
+	return func(w http.ResponseWriter, r *http.Request, next http.Handler, strict bool, code int) {
+		httpx.WriteJsonCtx(r.Context(), w, http.StatusForbidden, "forbidden")
+		return
+	}
+}