mirrors/buildadmin
1
0
Fork 0
mirror of https://gitee.com/wonderful-code/buildadmin synced 2024-11-21 14:41:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor:鉴权相关解耦、细节优化

Browse Source
This commit is contained in:
妙码生花 2024-03-22 01:03:48 +08:00
parent 3010c6cdbc
commit d9a932a141
15 changed files with 192 additions and 129 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
app/admin/library/Auth.php
View File

@ -35,6 +35,11 @@ class Auth extends \ba\Auth
*/
public const LOGGED_IN = 'logged in';
/**
* token 入库 type
*/
public const TOKEN_TYPE = 'admin';
/**
* 是否登录
* @var bool
@ -125,8 +130,14 @@ class Auth extends \ba\Auth
{
$tokenData = Token::get($token);
if ($tokenData) {
/**
* 过期检查,过期则抛出 @see TokenExpirationException
*/
Token::tokenExpirationCheck($tokenData);
$userId = intval($tokenData['user_id']);
if ($userId > 0) {
if ($tokenData['type'] == self::TOKEN_TYPE && $userId > 0) {
$this->model = Admin::where('id', $userId)->find();
if (!$this->model) {
$this->setError('Account not exist');
@ -176,8 +187,8 @@ class Auth extends \ba\Auth
return false;
}
if (Config::get('buildadmin.admin_sso')) {
Token::clear('admin', $this->model->id);
Token::clear('admin-refresh', $this->model->id);
Token::clear(self::TOKEN_TYPE, $this->model->id);
Token::clear(self::TOKEN_TYPE . '-refresh', $this->model->id);
}
if ($keep) {
@ -194,7 +205,7 @@ class Auth extends \ba\Auth
public function setRefreshToken(int $keepTime = 0): void
{
$this->refreshToken = Random::uuid();
Token::set($this->refreshToken, 'admin-refresh', $this->model->id, $keepTime);
Token::set($this->refreshToken, self::TOKEN_TYPE . '-refresh', $this->model->id, $keepTime);
}
/**
@ -214,7 +225,7 @@ class Auth extends \ba\Auth
if (!$this->token) {
$this->token = Random::uuid();
Token::set($this->token, 'admin', $this->model->id, $this->keepTime);
Token::set($this->token, self::TOKEN_TYPE, $this->model->id, $this->keepTime);
}
$this->model->commit();
} catch (Throwable $e) {

2
app/api/controller/Account.php
View File

@ -117,7 +117,7 @@ class Account extends Frontend
$user = $this->auth->getUser();
if ($user[$params['type']]) {
if (!Token::check($params['accountVerificationToken'], $params['type'] . '-pass', $user->id, false)) {
if (!Token::check($params['accountVerificationToken'], $params['type'] . '-pass', $user->id)) {
$this->error(__('You need to verify your account before modifying the binding information'));
}
} else {

21
app/api/controller/Common.php
View File

@ -7,8 +7,11 @@ use Throwable;
use ba\Captcha;
use think\Response;
use ba\ClickCaptcha;
use think\facade\Config;
use app\common\facade\Token;
use app\common\controller\Api;
use app\admin\library\Auth as AdminAuth;
use app\common\library\Auth as UserAuth;
class Common extends Api
{
@ -59,7 +62,7 @@ class Common extends Api
public function refreshToken(): void
{
$refreshToken = $this->request->post('refreshToken');
$refreshToken = Token::get($refreshToken, false);
$refreshToken = Token::get($refreshToken);
if (!$refreshToken || $refreshToken['expire_time'] < time()) {
$this->error(__('Login expired, please login again.'));
@ -67,20 +70,24 @@ class Common extends Api
$newToken = Random::uuid();
if ($refreshToken['type'] == 'admin-refresh') {
$baToken = $this->request->server('HTTP_BATOKEN', $this->request->request('batoken', ''));
// 管理员token刷新
if ($refreshToken['type'] == AdminAuth::TOKEN_TYPE . '-refresh') {
$baToken = get_auth_token();
if (!$baToken) {
$this->error(__('Invalid token'));
}
Token::delete($baToken);
Token::set($newToken, 'admin', $refreshToken['user_id'], 86400);
} elseif ($refreshToken['type'] == 'user-refresh') {
$baUserToken = $this->request->server('HTTP_BA_USER_TOKEN', $this->request->request('ba-user-token', ''));
Token::set($newToken, AdminAuth::TOKEN_TYPE, $refreshToken['user_id'], (int)Config::get('buildadmin.admin_token_keep_time'));
}
// 会员token刷新
if ($refreshToken['type'] == UserAuth::TOKEN_TYPE . '-refresh') {
$baUserToken = get_auth_token(['ba', 'user', 'token']);
if (!$baUserToken) {
$this->error(__('Invalid token'));
}
Token::delete($baUserToken);
Token::set($newToken, 'user', $refreshToken['user_id'], 86400);
Token::set($newToken, UserAuth::TOKEN_TYPE, $refreshToken['user_id'], (int)Config::get('buildadmin.user_token_keep_time'));
}
$this->success('', [

16
app/common/controller/Api.php
View File

@ -5,8 +5,10 @@ namespace app\common\controller;
use Throwable;
use think\App;
use think\Response;
use think\facade\Db;
use app\BaseController;
use think\facade\Config;
use think\db\exception\PDOException;
use think\exception\HttpResponseException;
/**
@ -38,11 +40,17 @@ class Api extends BaseController
*/
protected function initialize(): void
{
// 检查数据库连接
try {
Db::execute("SELECT 1");
} catch (PDOException $e) {
$this->error(mb_convert_encoding($e->getMessage(), 'UTF-8', 'UTF-8,GBK,GB2312,BIG5'));
}
// 系统站点配置
if ($this->useSystemSettings) {
// ip检查
ip_check();
// 时区设定
set_timezone();
ip_check(); // ip检查
set_timezone(); // 时区设定
}
parent::initialize();

30
app/common/controller/Backend.php
View File

@ -4,11 +4,9 @@ namespace app\common\controller;
use Throwable;
use think\Model;
use think\facade\Db;
use think\facade\Event;
use app\admin\library\Auth;
use think\db\exception\PDOException;
use think\exception\HttpResponseException;
use app\common\library\token\TokenExpirationException;
class Backend extends Api
{
@ -138,17 +136,22 @@ class Backend extends Api
{
parent::initialize();
// 检测数据库连接
$needLogin = !action_in_arr($this->noNeedLogin);
try {
Db::execute("SELECT 1");
} catch (PDOException $e) {
$this->error(mb_convert_encoding($e->getMessage(), 'UTF-8', 'UTF-8,GBK,GB2312,BIG5'));
// 初始化管理员鉴权实例
$this->auth = Auth::instance();
$token = get_auth_token();
if ($token) $this->auth->init($token);
} catch (TokenExpirationException) {
if ($needLogin) {
$this->error(__('Token expiration'), [], 409);
}
}
$token = get_auth_token();
$this->auth = Auth::instance();
if (!action_in_arr($this->noNeedLogin)) {
$this->auth->init($token);
if ($needLogin) {
if (!$this->auth->isLogin()) {
$this->error(__('Please login first'), [
'type' => $this->auth::NEED_LOGIN
@ -160,11 +163,6 @@ class Backend extends Api
$this->error(__('You have no permission'), [], 401);
}
}
} elseif ($token) {
try {
$this->auth->init($token);
} catch (HttpResponseException) {
}
}
// 管理员验权和登录标签位

27
app/common/controller/Frontend.php
View File

@ -6,6 +6,7 @@ use Throwable;
use think\facade\Event;
use app\common\library\Auth;
use think\exception\HttpResponseException;
use app\common\library\token\TokenExpirationException;
class Frontend extends Api
{
@ -36,10 +37,23 @@ class Frontend extends Api
public function initialize(): void
{
parent::initialize();
$token = get_auth_token(['ba', 'user', 'token']);
$this->auth = Auth::instance();
if (!action_in_arr($this->noNeedLogin)) {
$this->auth->init($token);
$needLogin = !action_in_arr($this->noNeedLogin);
try {
// 初始化会员鉴权实例
$this->auth = Auth::instance();
$token = get_auth_token(['ba', 'user', 'token']);
if ($token) $this->auth->init($token);
} catch (TokenExpirationException) {
if ($needLogin) {
$this->error(__('Token expiration'), [], 409);
}
}
if ($needLogin) {
if (!$this->auth->isLogin()) {
$this->error(__('Please login first'), [
'type' => $this->auth::NEED_LOGIN
@ -51,11 +65,6 @@ class Frontend extends Api
$this->error(__('You have no permission'), [], 401);
}
}
} elseif ($token) {
try {
$this->auth->init($token);
} catch (HttpResponseException) {
}
}
// 会员验权和登录标签位

11
app/common/facade/Token.php
View File

@ -8,11 +8,12 @@ use app\common\library\token\Driver;
/**
* Token 门面类
* @see Driver
* @method Driver get(string $token, bool $expirationException = true) static 获取 token 的数据
* @method Driver set(string $token, string $type, int $user_id, int $expire = 0) static 设置 token
* @method Driver check(string $token, string $type, int $user_id, bool $expirationException = true) static 检查token是否有效
* @method Driver delete(string $token) static 删除一个token
* @method Driver clear(string $type, int $user_id) static 清理一个用户的所有token
* @method array get(string $token) static 获取 token 的数据
* @method bool set(string $token, string $type, int $userId, int $expire = 0) static 设置 token
* @method bool check(string $token, string $type, int $userId) static 检查token是否有效
* @method bool delete(string $token) static 删除一个token
* @method bool clear(string $type, int $userId) static 清理一个用户的所有token
* @method void tokenExpirationCheck(array $token) static 检查一个token是否过期过期则抛出token过期异常
*/
class Token extends Facade
{

27
app/common/library/Auth.php
View File

@ -38,6 +38,11 @@ class Auth extends \ba\Auth
*/
public const LOGGED_IN = 'logged in';
/**
* token 入库 type
*/
public const TOKEN_TYPE = 'user';
/**
* 是否登录
* @var bool
@ -133,8 +138,14 @@ class Auth extends \ba\Auth
{
$tokenData = Token::get($token);
if ($tokenData) {
/**
* 过期检查,过期则抛出 @see TokenExpirationException
*/
Token::tokenExpirationCheck($tokenData);
$userId = intval($tokenData['user_id']);
if ($tokenData['type'] == 'user' && $userId > 0) {
if ($tokenData['type'] == self::TOKEN_TYPE && $userId > 0) {
$this->model = User::where('id', $userId)->find();
if (!$this->model) {
$this->setError('Account not exist');
@ -204,7 +215,7 @@ class Auth extends \ba\Auth
try {
$this->model = User::create($data);
$this->token = Random::uuid();
Token::set($this->token, 'user', $this->model->id, $this->keepTime);
Token::set($this->token, self::TOKEN_TYPE, $this->model->id, $this->keepTime);
Db::commit();
Event::trigger('userRegisterSuccess', $this->model);
} catch (Throwable $e) {
@ -260,8 +271,8 @@ class Auth extends \ba\Auth
return false;
}
if (Config::get('buildadmin.user_sso')) {
Token::clear('user', $this->model->id);
Token::clear('user-refresh', $this->model->id);
Token::clear(self::TOKEN_TYPE, $this->model->id);
Token::clear(self::TOKEN_TYPE . '-refresh', $this->model->id);
}
if ($keep) {
@ -282,8 +293,8 @@ class Auth extends \ba\Auth
$this->model = User::find($userId);
if (!$this->model) return false;
if (Config::get('buildadmin.user_sso')) {
Token::clear('user', $this->model->id);
Token::clear('user-refresh', $this->model->id);
Token::clear(self::TOKEN_TYPE, $this->model->id);
Token::clear(self::TOKEN_TYPE . '-refresh', $this->model->id);
}
return $this->loginSuccessful();
}
@ -321,7 +332,7 @@ class Auth extends \ba\Auth
if (!$this->token) {
$this->token = Random::uuid();
Token::set($this->token, 'user', $this->model->id, $this->keepTime);
Token::set($this->token, self::TOKEN_TYPE, $this->model->id, $this->keepTime);
}
$this->model->commit();
} catch (Throwable $e) {
@ -402,7 +413,7 @@ class Auth extends \ba\Auth
public function setRefreshToken(int $keepTime = 0): void
{
$this->refreshToken = Random::uuid();
Token::set($this->refreshToken, 'user-refresh', $this->model->id, $keepTime);
Token::set($this->refreshToken, self::TOKEN_TYPE . '-refresh', $this->model->id, $keepTime);
}
/**

12
app/common/library/Token.php
View File

@ -6,6 +6,7 @@ use think\helper\Arr;
use think\helper\Str;
use think\facade\Config;
use InvalidArgumentException;
use app\common\library\token\TokenExpirationException;
/**
* Token 管理类
@ -215,4 +216,15 @@ class Token
{
return $this->getDriver()->clear($type, $user_id);
}
/**
* Token过期检查
* @throws TokenExpirationException
*/
public function tokenExpirationCheck(array $token): void
{
if (isset($token['expire_time']) && $token['expire_time'] <= time()) {
throw new TokenExpirationException();
}
}
}

24
app/common/library/token/Driver.php
View File

@ -22,31 +22,29 @@ abstract class Driver
/**
* 设置 token
* @param string $token Token
* @param string $type Type:admin|user
* @param int $user_id 用户ID
* @param int $expire 过期时间
* @param string $token Token
* @param string $type Type
* @param int $userId 用户ID
* @param ?int $expire 过期时间
* @return bool
*/
abstract function set(string $token, string $type, int $user_id, int $expire = 0): bool;
abstract function set(string $token, string $type, int $userId, int $expire = null): bool;
/**
* 获取 token 的数据
* @param string $token Token
* @param bool $expirationException 过期直接抛出异常
* @param string $token Token
* @return array
*/
abstract function get(string $token, bool $expirationException = true): array;
abstract function get(string $token): array;
/**
* 检查token是否有效
* @param string $token
* @param string $type
* @param int $user_id
* @param bool $expirationException
* @param int $userId
* @return bool
*/
abstract function check(string $token, string $type, int $user_id, bool $expirationException = true): bool;
abstract function check(string $token, string $type, int $userId): bool;
/**
* 删除一个token
@ -58,10 +56,10 @@ abstract class Driver
/**
* 清理一个用户的所有token
* @param string $type
* @param int $user_id
* @param int $userId
* @return bool
*/
abstract function clear(string $type, int $user_id): bool;
abstract function clear(string $type, int $userId): bool;
/**
* 返回句柄对象

16
app/common/library/token/TokenExpirationException.php Normal file
View File

@ -0,0 +1,16 @@
<?php
namespace app\common\library\token;
use think\Exception;
/**
* Token过期异常
*/
class TokenExpirationException extends Exception
{
public function __construct(protected $message = '', protected $code = 409, protected $data = [])
{
parent::__construct($message, $code);
}
}

41
app/common/library/token/driver/Mysql.php
View File

@ -3,11 +3,9 @@
namespace app\common\library\token\driver;
use Throwable;
use think\Response;
use think\facade\Db;
use think\facade\Cache;
use app\common\library\token\Driver;
use think\exception\HttpResponseException;
/**
* @see Driver
@ -41,16 +39,22 @@ class Mysql extends Driver
/**
* @throws Throwable
*/
public function set(string $token, string $type, int $user_id, int $expire = null): bool
public function set(string $token, string $type, int $userId, int $expire = null): bool
{
if (is_null($expire)) {
$expire = $this->options['expire'];
}
$expireTime = $expire !== 0 ? time() + $expire : 0;
$token = $this->getEncryptedToken($token);
$this->handler->insert(['token' => $token, 'type' => $type, 'user_id' => $user_id, 'create_time' => time(), 'expire_time' => $expireTime]);
$this->handler->insert([
'token' => $token,
'type' => $type,
'user_id' => $userId,
'create_time' => time(),
'expire_time' => $expireTime,
]);
// 每隔48小时清理一次过期缓存
// 每隔48小时清理一次过期Token
$time = time();
$lastCacheCleanupTime = Cache::get('last_cache_cleanup_time');
if (!$lastCacheCleanupTime || $lastCacheCleanupTime < $time - 172800) {
@ -63,32 +67,26 @@ class Mysql extends Driver
/**
* @throws Throwable
*/
public function get(string $token, bool $expirationException = true): array
public function get(string $token): array
{
$data = $this->handler->where('token', $this->getEncryptedToken($token))->find();
if (!$data) {
return [];
}
// 返回未加密的token给客户端使用
$data['token'] = $token;
// 返回剩余有效时间
$data['expires_in'] = $this->getExpiredIn($data['expire_time'] ?? 0);
if ($data['expire_time'] && $data['expire_time'] <= time() && $expirationException) {
// token过期-触发前端刷新token
$response = Response::create(['code' => 409, 'msg' => __('Token expiration'), 'data' => $data], 'json');
throw new HttpResponseException($response);
}
$data['token'] = $token; // 返回未加密的token给客户端使用
$data['expires_in'] = $this->getExpiredIn($data['expire_time'] ?? 0); // 返回剩余有效时间
return $data;
}
/**
* @throws Throwable
*/
public function check(string $token, string $type, int $user_id, bool $expirationException = true): bool
public function check(string $token, string $type, int $userId): bool
{
$data = $this->get($token, $expirationException);
if (!$data || (!$expirationException && $data['expire_time'] && $data['expire_time'] <= time())) return false;
return $data['type'] == $type && $data['user_id'] == $user_id;
$data = $this->get($token);
if (!$data || ($data['expire_time'] && $data['expire_time'] <= time())) return false;
return $data['type'] == $type && $data['user_id'] == $userId;
}
/**
@ -103,10 +101,9 @@ class Mysql extends Driver
/**
* @throws Throwable
*/
public function clear(string $type, int $user_id): bool
public function clear(string $type, int $userId): bool
{
$this->handler->where('type', $type)->where('user_id', $user_id)->delete();
$this->handler->where('type', $type)->where('user_id', $userId)->delete();
return true;
}
}

61
app/common/library/token/driver/Redis.php
View File

@ -3,10 +3,8 @@
namespace app\common\library\token\driver;
use Throwable;
use think\Response;
use BadFunctionCallException;
use app\common\library\token\Driver;
use think\exception\HttpResponseException;
/**
* @see Driver
@ -19,6 +17,11 @@ class Redis extends Driver
*/
protected array $options = [];
/**
* Token 过期后缓存继续保留的时间(s)
*/
protected int $expiredHold = 60 * 60 * 24 * 2;
/**
* 构造函数
* @access public
@ -52,7 +55,7 @@ class Redis extends Driver
/**
* @throws Throwable
*/
public function set(string $token, string $type, int $user_id, int $expire = null): bool
public function set(string $token, string $type, int $userId, int $expire = null): bool
{
if (is_null($expire)) {
$expire = $this->options['expire'];
@ -62,28 +65,25 @@ class Redis extends Driver
$tokenInfo = [
'token' => $token,
'type' => $type,
'user_id' => $user_id,
'user_id' => $userId,
'create_time' => time(),
'expire_time' => $expireTime,
];
$tokenInfo = json_encode($tokenInfo, JSON_UNESCAPED_UNICODE);
if ($expire) {
if ($type == 'admin' || $type == 'user') {
// 增加 redis中的 token 过期时间,以免 token 过期自动刷新永远无法触发
$expire *= 2;
}
$expire += $this->expiredHold;
$result = $this->handler->setex($token, $expire, $tokenInfo);
} else {
$result = $this->handler->set($token, $tokenInfo);
}
$this->handler->sAdd($this->getUserKey($user_id), $token);
$this->handler->sAdd($this->getUserKey($type, $userId), $token);
return $result;
}
/**
* @throws Throwable
*/
public function get(string $token, bool $expirationException = true): array
public function get(string $token): array
{
$key = $this->getEncryptedToken($token);
$data = $this->handler->get($key);
@ -91,27 +91,20 @@ class Redis extends Driver
return [];
}
$data = json_decode($data, true);
// 返回未加密的token给客户端使用
$data['token'] = $token;
// 过期时间
$data['expires_in'] = $this->getExpiredIn($data['expire_time'] ?? 0);
if ($data['expire_time'] && $data['expire_time'] <= time() && $expirationException) {
// token过期-触发前端刷新token
$response = Response::create(['code' => 409, 'msg' => __('Token expiration'), 'data' => $data], 'json');
throw new HttpResponseException($response);
}
$data['token'] = $token; // 返回未加密的token给客户端使用
$data['expires_in'] = $this->getExpiredIn($data['expire_time'] ?? 0); // 过期时间
return $data;
}
/**
* @throws Throwable
*/
public function check(string $token, string $type, int $user_id, bool $expirationException = true): bool
public function check(string $token, string $type, int $userId): bool
{
$data = $this->get($token, $expirationException);
if (!$data || (!$expirationException && $data['expire_time'] && $data['expire_time'] <= time())) return false;
return $data['type'] == $type && $data['user_id'] == $user_id;
$data = $this->get($token);
if (!$data || ($data['expire_time'] && $data['expire_time'] <= time())) return false;
return $data['type'] == $type && $data['user_id'] == $userId;
}
/**
@ -119,12 +112,11 @@ class Redis extends Driver
*/
public function delete(string $token): bool
{
$data = $this->get($token, false);
$data = $this->get($token);
if ($data) {
$key = $this->getEncryptedToken($token);
$user_id = $data['user_id'];
$key = $this->getEncryptedToken($token);
$this->handler->del($key);
$this->handler->sRem($this->getUserKey($user_id), $key);
$this->handler->sRem($this->getUserKey($data['type'], $data['user_id']), $key);
}
return true;
}
@ -132,22 +124,23 @@ class Redis extends Driver
/**
* @throws Throwable
*/
public function clear(string $type, int $user_id): bool
public function clear(string $type, int $userId): bool
{
$keys = $this->handler->sMembers($this->getUserKey($user_id));
$this->handler->del($this->getUserKey($user_id));
$userKey = $this->getUserKey($type, $userId);
$keys = $this->handler->sMembers($userKey);
$this->handler->del($userKey);
$this->handler->del($keys);
return true;
}
/**
* 获取会员的key
* @param $user_id
* @param $type
* @param $userId
* @return string
*/
protected function getUserKey($user_id): string
protected function getUserKey($type, $userId): string
{
return $this->options['userprefix'] . $user_id;
return $this->options['prefix'] . $type . '-' . $userId;
}
}

2
app/common/middleware/AllowCrossDomain.php
View File

@ -27,7 +27,7 @@ class AllowCrossDomain
'Access-Control-Allow-Credentials' => 'true',
'Access-Control-Max-Age' => 1800,
'Access-Control-Allow-Methods' => 'GET, POST, PATCH, PUT, DELETE, OPTIONS',
'Access-Control-Allow-Headers' => 'think-lang, server, ba-user-token, batoken, Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, X-CSRF-TOKEN, X-Requested-With',
'Access-Control-Allow-Headers' => 'think-lang, server, ba_user_token, ba-user-token, ba_token, ba-token, batoken, Authorization, Content-Type, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, X-CSRF-TOKEN, X-Requested-With',
];
/**

10
config/buildadmin.php
View File

@ -59,12 +59,14 @@ return [
'host' => '127.0.0.1',
'port' => 6379,
'password' => '',
'select' => false,
// Db索引非 0 以避免数据被意外清理
'select' => 1,
'timeout' => 0,
'expire' => 0,
// 默认 token 有效时间
'expire' => 2592000,
'persistent' => false,
'userprefix' => 'up:',
]
'prefix' => 'tk:',
],
]
],
// 自动写入管理员操作日志