✨ add api signature
@@ -6,7 +6,8 @@ func CORSMiddleware() func(http.Header) {
|
||||
return func(header http.Header) {
|
||||
header.Set("Access-Control-Allow-Origin", "*")
|
||||
header.Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, PATCH")
|
||||
header.Set("Access-Control-Expose-Headers", "Content-Length, Content-Type,Authorization,Accept-Language,Origin")
|
||||
header.Set("Access-Control-Expose-Headers", "Content-Length, Content-Type")
|
||||
header.Set("Access-Control-Allow-Headers", "Content-Type,Authorization,Accept-Language,Origin,X-Content-Security")
|
||||
header.Set("Access-Control-Allow-Credentials", "true")
|
||||
}
|
||||
}
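Review bot: The new `Access-Control-Allow-Headers` line correctly lets browsers send `X-Content-Security`, but the surrounding unchanged `Access-Control-Allow-Origin: *` combined with `Access-Control-Allow-Credentials: true` is a pairing browsers reject for credentialed requests, and this commit moves authentication to a cookie session (CasbinVerifyMiddleware reads it), so cross-origin callers that now carry the session cookie may fail the preflight. A wildcard origin with credentials is also the most permissive CORS posture possible for a session-authenticated API. Prefer passing the permitted origins through the variadic origin argument of `rest.WithCustomCors` in the main.go hunk (currently called with no origins) and dropping the wildcard `header.Set` here so go-zero's reflected origin is not overwritten.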
|
||||
|
@@ -158,13 +158,25 @@ service core {
|
||||
@handler resetPassword
|
||||
post /reset/password (ResetPasswordRequest) returns (Response)
|
||||
|
||||
@handler refreshToken
|
||||
post /token/refresh returns (Response)
|
||||
|
||||
@handler getUserDevice
|
||||
get /device
|
||||
}
|
||||
|
||||
@server (
|
||||
group: token // 微服务分组
|
||||
prefix: /api/auth // 微服务前缀
|
||||
timeout: 10s // 超时时间
|
||||
maxBytes: 1048576 // 最大请求大小
|
||||
signature: true // 是否开启签名验证
|
||||
middleware: SecurityHeadersMiddleware,CasbinVerifyMiddleware // 注册中间件
|
||||
MaxConns: true // 是否开启最大连接数限制
|
||||
Recover: true // 是否开启自动恢复
|
||||
)
|
||||
service core {
|
||||
@handler refreshToken
|
||||
post /token/refresh returns (Response)
|
||||
}
|
||||
|
||||
// 客户端服务
|
||||
@server (
|
||||
group: client // 微服务分组
|
||||
@@ -273,7 +285,7 @@ service core {
|
||||
prefix: /api/auth/comment // 微服务前缀
|
||||
timeout: 10s // 超时时间
|
||||
maxBytes: 1048576 // 最大请求大小
|
||||
signature: true // 是否开启签名验证
|
||||
signature: false // 是否开启签名验证
|
||||
middleware: SecurityHeadersMiddleware,CasbinVerifyMiddleware // 注册中间件
|
||||
MaxConns: true // 是否开启最大连接数限制
|
||||
Recover: true // 是否开启自动恢复
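Review bot: Setting `signature: false` for the comment group, together with the `rest.WithJwt` removal in the routes.go hunk for `/api/auth/comment`, leaves that group with no request-level authentication other than the session check inside CasbinVerifyMiddleware named on the unchanged `middleware:` line, so an outage or misconfiguration of the session store now becomes a blanket 403 on every comment endpoint instead of a JWT failure. That is a deliberate model change and deserves a comment on this line, e.g. `signature: false // comment group relies on session + Casbin only; JWT removed`. The same routes.go hunk still shows `rest.WithSignature(serverCtx.Config.Signature)` as an unchanged line for the comment group, which does not match `signature: false`; it looks like routes.go may not have been regenerated with goctl after this edit, so please confirm.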
|
||||
|
@@ -23,7 +23,10 @@ func main() {
|
||||
var c config.Config
|
||||
conf.MustLoad(*configFile, &c)
|
||||
|
||||
server := rest.MustNewServer(c.RestConf, rest.WithCustomCors(middleware.CORSMiddleware(), nil), rest.WithUnauthorizedCallback(middleware.UnauthorizedCallbackMiddleware()))
|
||||
server := rest.MustNewServer(
|
||||
c.RestConf,
|
||||
rest.WithCustomCors(middleware.CORSMiddleware(), nil),
|
||||
rest.WithUnauthorizedCallback(middleware.UnauthorizedCallbackMiddleware()))
|
||||
defer server.Stop()
|
||||
// i18n middleware
|
||||
server.Use(middleware.I18nMiddleware)
|
||||
|
@@ -9,6 +9,12 @@ Mysql:
|
||||
DataSource: root:LDQ20020618xxx@tcp(1.95.0.111:3306)/schisandra-cloud-album?charset=utf8mb4&parseTime=True&loc=Local
|
||||
Auth:
|
||||
AccessSecret: uOvKLmVfztaXGpNYd4Z0I1SiT7MweJhl
|
||||
Signature:
|
||||
Strict: true
|
||||
Expiry: 1h
|
||||
PrivateKeys:
|
||||
- Fingerprint: idm0jdoau38lwourb4pbjk4dxkat0kcx
|
||||
KeyFile: etc/rsa_private_key.pem
|
||||
Redis:
|
||||
Host: 1.95.0.111:6379
|
||||
Pass: LDQ20020618xxx
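Review bot: `KeyFile: etc/rsa_private_key.pem` points at a key that this same commit adds under the repository's `etc/` directory, so the signing key ships with the source; the path should reference a file mounted at deploy time or a value injected from a secret manager, and the new block joins an already plaintext `AccessSecret` plus MySQL and Redis credentials in this file. If `Expiry` is go-zero's SignatureConf tolerance for the signed timestamp, `1h` is the window during which a captured signed request is still accepted; a few minutes is the usual choice unless client clock skew is known to be large. `Strict: true` is the right setting and should be kept.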
|
||||
|
app/core/api/etc/rsa_private_key.pem
@@ -0,0 +1,15 @@
|
||||
-----BEGIN RSA PRIVATE KEY-----
|
||||
MIICXQIBAAKBgQCFe70Zi3OF7NuFi2saenJPjADWLn402d142LOLBeN6cuWpItE3
|
||||
qgFsaMSorQApSM0recmAHMg4M4ly7+NgFPsaTzteMrO/LFCagwLWyyFJeqV4oQWR
|
||||
NQcFcGev8sTkUbIhhKpNAcmg37q8cmfI2eumycfl2FXuSyoJOa7hJgYNNQIDAQAB
|
||||
AoGAebmhdE4LBzI77ch53yeSXqAZkzfKt3+Fy9IxyLGSA/QLIvYxPEW4Dphr3jYF
|
||||
U6CkGOVyr3WP0FCPI1VHUDNR2BP1oDUjw4X7EknUJxys+EamsFKyaJLlafDSGpu/
|
||||
Is6ReNV+76QzxfQjY1CuSpugLBxJmG0mNiQ1fHOFS4I/n/ECQQDTmDr9QR9IBNK+
|
||||
6QpCxNN1RODQAMiv0/25RCqJqMoi5sDum2gH/tmDbprQuI+DmDgdC32xWePTU3W6
|
||||
Y+rIMZjvAkEAoX8JDOQ82XTH7voUbHMOiGxMzDE7btBRNf/ILJFSlLCDfh91TLTS
|
||||
HwDLlYMs48FzhY9o5PkLo9cNlxoIGivUGwJAccsDpmFYXlXhtLQFRaUuh3mUYaia
|
||||
RRz/7ZvAOKoikySAC5JeHzaqaamY7rjizYWWX+BnJ3LNOEBBJw1HHYS21wJBAIpi
|
||||
bwDq+vFjzocLKEEd/pAMLWqzrTfxrgVVntQB2v+qmaKTllIaiAslBU6izu6DMFh8
|
||||
YOgEOGM2vmCCX/r9H40CQQC0YgVuVtEk1noqwqs8mEH7GJmA+KfzLPbt4Ekvi56m
|
||||
B9JJ5GAOo4lxmHD4h6GuQJPE6PD0a+tsTJ5n0IOGRj1g
|
||||
-----END RSA PRIVATE KEY-----
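Review bot: This is an RSA private key committed in clear to version control; once pushed it must be treated as compromised regardless of later deletion, because it stays in history. Generate a replacement key outside the repository, update the `Fingerprint` entry in the config to match, keep keys out of the tree (`*.pem` in `.gitignore`, file mounted or injected at runtime), and purge this blob from history. The PEM body is 13 base64 lines (roughly 600 bytes of DER), which corresponds to a 1024-bit RSA modulus; current guidance is 2048 bits minimum, 3072 for new deployments.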
|
@@ -12,6 +12,7 @@ import (
|
||||
comment "schisandra-album-cloud-microservices/app/core/api/internal/handler/comment"
|
||||
oauth "schisandra-album-cloud-microservices/app/core/api/internal/handler/oauth"
|
||||
sms "schisandra-album-cloud-microservices/app/core/api/internal/handler/sms"
|
||||
token "schisandra-album-cloud-microservices/app/core/api/internal/handler/token"
|
||||
user "schisandra-album-cloud-microservices/app/core/api/internal/handler/user"
|
||||
websocket "schisandra-album-cloud-microservices/app/core/api/internal/handler/websocket"
|
||||
"schisandra-album-cloud-microservices/app/core/api/internal/svc"
|
||||
@@ -99,7 +100,6 @@ func RegisterHandlers(server *rest.Server, serverCtx *svc.ServiceContext) {
|
||||
}...,
|
||||
),
|
||||
rest.WithJwt(serverCtx.Config.Auth.AccessSecret),
|
||||
rest.WithSignature(serverCtx.Config.Signature),
|
||||
rest.WithPrefix("/api/auth/comment"),
|
||||
rest.WithTimeout(10000*time.Millisecond),
|
||||
rest.WithMaxBytes(1048576),
|
||||
@@ -182,6 +182,23 @@ func RegisterHandlers(server *rest.Server, serverCtx *svc.ServiceContext) {
|
||||
rest.WithMaxBytes(1048576),
|
||||
)
|
||||
|
||||
server.AddRoutes(
|
||||
rest.WithMiddlewares(
|
||||
[]rest.Middleware{serverCtx.SecurityHeadersMiddleware, serverCtx.CasbinVerifyMiddleware},
|
||||
[]rest.Route{
|
||||
{
|
||||
Method: http.MethodPost,
|
||||
Path: "/token/refresh",
|
||||
Handler: token.RefreshTokenHandler(serverCtx),
|
||||
},
|
||||
}...,
|
||||
),
|
||||
rest.WithSignature(serverCtx.Config.Signature),
|
||||
rest.WithPrefix("/api/auth"),
|
||||
rest.WithTimeout(10000*time.Millisecond),
|
||||
rest.WithMaxBytes(1048576),
|
||||
)
|
||||
|
||||
server.AddRoutes(
|
||||
rest.WithMiddlewares(
|
||||
[]rest.Middleware{serverCtx.SecurityHeadersMiddleware},
|
||||
@@ -206,11 +223,6 @@ func RegisterHandlers(server *rest.Server, serverCtx *svc.ServiceContext) {
|
||||
Path: "/reset/password",
|
||||
Handler: user.ResetPasswordHandler(serverCtx),
|
||||
},
|
||||
{
|
||||
Method: http.MethodPost,
|
||||
Path: "/token/refresh",
|
||||
Handler: user.RefreshTokenHandler(serverCtx),
|
||||
},
|
||||
}...,
|
||||
),
|
||||
rest.WithSignature(serverCtx.Config.Signature),
|
||||
|
@@ -1,4 +1,4 @@
|
||||
package user
|
||||
package token
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
@@ -7,13 +7,13 @@ import (
|
||||
"github.com/zeromicro/go-zero/rest/httpx"
|
||||
|
||||
"schisandra-album-cloud-microservices/app/core/api/common/response"
|
||||
"schisandra-album-cloud-microservices/app/core/api/internal/logic/user"
|
||||
"schisandra-album-cloud-microservices/app/core/api/internal/logic/token"
|
||||
"schisandra-album-cloud-microservices/app/core/api/internal/svc"
|
||||
)
|
||||
|
||||
func RefreshTokenHandler(svcCtx *svc.ServiceContext) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
l := user.NewRefreshTokenLogic(r.Context(), svcCtx)
|
||||
l := token.NewRefreshTokenLogic(r.Context(), svcCtx)
|
||||
resp, err := l.RefreshToken(r)
|
||||
if err != nil {
|
||||
logx.Error(err)
|
@@ -1,4 +1,4 @@
|
||||
package user
|
||||
package token
|
||||
|
||||
import (
|
||||
"context"
|
@@ -4,21 +4,35 @@ import (
|
||||
"net/http"
|
||||
|
||||
"github.com/casbin/casbin/v2"
|
||||
"github.com/rbcervilla/redisstore/v9"
|
||||
|
||||
"schisandra-album-cloud-microservices/app/core/api/common/constant"
|
||||
)
|
||||
|
||||
type CasbinVerifyMiddleware struct {
|
||||
casbin *casbin.CachedEnforcer
|
||||
casbin *casbin.CachedEnforcer
|
||||
session *redisstore.RedisStore
|
||||
}
|
||||
|
||||
func NewCasbinVerifyMiddleware(casbin *casbin.CachedEnforcer) *CasbinVerifyMiddleware {
|
||||
func NewCasbinVerifyMiddleware(casbin *casbin.CachedEnforcer, session *redisstore.RedisStore) *CasbinVerifyMiddleware {
|
||||
return &CasbinVerifyMiddleware{
|
||||
casbin: casbin,
|
||||
casbin: casbin,
|
||||
session: session,
|
||||
}
|
||||
}
|
||||
|
||||
func (m *CasbinVerifyMiddleware) Handle(next http.HandlerFunc) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
userId := r.Context().Value("user_id")
|
||||
session, err := m.session.Get(r, constant.SESSION_KEY)
|
||||
if err != nil {
|
||||
http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
userId, ok := session.Values["uid"].(string)
|
||||
if !ok {
|
||||
http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
|
||||
return
|
||||
}
|
||||
correct, err := m.casbin.Enforce(userId, r.URL.Path, r.Method)
|
||||
if err != nil || !correct {
|
||||
http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
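Review bot: The type assertion on `session.Values["uid"]` accepts an empty string, which then reaches `m.casbin.Enforce` as the subject; tighten the guard to `if !ok || userId == "" {`. Both new early returns answer 403, but a missing or unreadable session is an authentication failure rather than an authorization decision: use `http.StatusUnauthorized` for those two paths, keep 403 for the Enforce denial, and log `err` from `m.session.Get` before returning so a Redis outage is distinguishable from a genuine denial in the logs. The removed `r.Context().Value("user_id")` read suggests downstream handlers may still expect a user id in the request context; if so, set it after the session lookup with `r = r.WithContext(context.WithValue(r.Context(), "user_id", userId))` (needs the `context` import) before calling `next`, whose call and the rest of Handle lie outside this hunk.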
|
||||
|
@@ -46,14 +46,15 @@ type ServiceContext struct {
|
||||
func NewServiceContext(c config.Config) *ServiceContext {
|
||||
casbinEnforcer := casbinx.NewCasbin(c.Mysql.DataSource)
|
||||
redisClient := redisx.NewRedis(c.Redis.Host, c.Redis.Pass, c.Redis.DB)
|
||||
session := redis_session.NewRedisSession(redisClient)
|
||||
return &ServiceContext{
|
||||
Config: c,
|
||||
SecurityHeadersMiddleware: middleware.NewSecurityHeadersMiddleware().Handle,
|
||||
CasbinVerifyMiddleware: middleware.NewCasbinVerifyMiddleware(casbinEnforcer).Handle,
|
||||
CasbinVerifyMiddleware: middleware.NewCasbinVerifyMiddleware(casbinEnforcer, session).Handle,
|
||||
MySQLClient: mysql.NewMySQL(c.Mysql.DataSource),
|
||||
RedisClient: redisClient,
|
||||
MongoClient: mongodb.NewMongoDB(c.Mongo.Uri, c.Mongo.Username, c.Mongo.Password, c.Mongo.AuthSource, c.Mongo.Database),
|
||||
Session: redis_session.NewRedisSession(redisClient),
|
||||
Session: session,
|
||||
Ip2Region: ip2region.NewIP2Region(),
|
||||
CasbinEnforcer: casbinEnforcer,
|
||||
WechatPublic: wechat_public.NewWechatPublic(c.Wechat.AppID, c.Wechat.AppSecret, c.Wechat.Token, c.Wechat.AESKey, c.Redis.Host, c.Redis.Pass, c.Redis.DB),
|
||||
|