封装 jwt,使用 RS256 签名

main
熊二 1 year ago
parent 59ae7e72f0
commit adb24eaf5d
  1. 45
      pkg/ticket/claims.go
  2. 78
      pkg/ticket/ticket.go
  3. 45
      pkg/ticket/util.go

@ -0,0 +1,45 @@
package ticket
import "github.com/golang-jwt/jwt/v5"
type Claims struct {
ID string `json:"jti,omitempty"` // ticket编号
UID uint `json:"uid"` // 用户编号
Role string `json:"role"` // 账号类型
Issuer string `json:"iss,omitempty"` // 签发人
Subject string `json:"sub,omitempty"` // 主题
Audience jwt.ClaimStrings `json:"aud,omitempty"` // 受众
ExpiresAt *jwt.NumericDate `json:"exp,omitempty"` // 过期时间
NotBefore *jwt.NumericDate `json:"nbf,omitempty"` // 生效时间
IssuedAt *jwt.NumericDate `json:"iat,omitempty"` // 签发时间
}
// GetExpirationTime implements the Claims interface.
func (c *Claims) GetExpirationTime() (*jwt.NumericDate, error) {
return c.ExpiresAt, nil
}
// GetNotBefore implements the Claims interface.
func (c *Claims) GetNotBefore() (*jwt.NumericDate, error) {
return c.NotBefore, nil
}
// GetIssuedAt implements the Claims interface.
func (c *Claims) GetIssuedAt() (*jwt.NumericDate, error) {
return c.IssuedAt, nil
}
// GetAudience implements the Claims interface.
func (c *Claims) GetAudience() (jwt.ClaimStrings, error) {
return c.Audience, nil
}
// GetIssuer implements the Claims interface.
func (c *Claims) GetIssuer() (string, error) {
return c.Issuer, nil
}
// GetSubject implements the Claims interface.
func (c *Claims) GetSubject() (string, error) {
return c.Subject, nil
}

@ -0,0 +1,78 @@
package ticket
import (
"crypto/rsa"
"encoding/base64"
"errors"
"github.com/golang-jwt/jwt/v5"
"github.com/rs/xid"
"slices"
"time"
)
var (
ErrUnauthorized = errors.New("ticket is unauthorized")
ErrInvalidTicket = errors.New("invalid ticket")
ErrTicketExpired = errors.New("ticket is expired")
ErrNoTicketFound = errors.New("no ticket found")
ErrBadAudience = errors.New("bad audience")
)
// Create 创建令牌
// 如果参数 claims 中未给出过期时间,将默认1小时过期
// 如果未给出令牌编号,则自动生成。
func Create(claims *Claims, key *rsa.PrivateKey) (string, error) {
if claims.ID == "" {
claims.ID = xid.New().String()
}
if claims.ExpiresAt == nil {
claims.ExpiresAt = jwt.NewNumericDate(time.Now().Add(time.Hour))
}
token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
signedString, err := token.SignedString(key)
if err != nil {
return "", err
}
return base64.StdEncoding.EncodeToString([]byte(signedString)), nil
}
// Verify 验证令牌
func Verify(ticket string, key *rsa.PublicKey, audiences ...string) (*Claims, error) {
decodeString, err := base64.StdEncoding.DecodeString(ticket)
if err != nil {
return nil, err
}
claims := new(Claims)
token, err := jwt.ParseWithClaims(string(decodeString), claims, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
return nil, ErrInvalidTicket
}
return key, nil
})
if err != nil {
if errors.Is(err, jwt.ErrTokenExpired) {
return nil, ErrTicketExpired
}
return nil, err
}
if !token.Valid {
return nil, ErrInvalidTicket
}
var pass bool
for _, audience := range audiences {
for _, allow := range claims.Audience {
if audience == allow {
pass = true
goto NEXT
}
}
}
NEXT:
if !pass && slices.Contains(claims.Audience, "*") {
pass = true
}
if !pass {
return claims, ErrBadAudience
}
return claims, nil
}

@ -0,0 +1,45 @@
package ticket
import (
"net/http"
"strings"
)
type Finder func(r *http.Request) string
func DefaultFinder(r *http.Request) string {
if s := FromHeader(r); s != "" {
return s
}
if s := FromCookie(r); s != "" {
return s
}
return FromQuery(r)
}
func FromCookie(r *http.Request) string {
cookie, err := r.Cookie("ticket")
if err != nil {
return ""
}
return cookie.Value
}
func FromHeader(r *http.Request) string {
bearer := r.Header.Get("Authorization")
if len(bearer) > 7 && strings.ToUpper(bearer[0:6]) == "BEARER" {
return bearer[7:]
}
return ""
}
func FromQuery(r *http.Request, keys ...string) string {
q := r.URL.Query()
for _, key := range keys {
s := q.Get(key)
if s != "" {
return s
}
}
return q.Get("ticket")
}
Loading…
Cancel
Save