OptimusX
/
OneAuth
mirror of https://github.com/veypi/OneAuth.git
3
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
v4
v3
v2
v1.2.0
v1.1.0
v1.1.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '3913640f5b'
${ noResults }
OneAuth/api/auth/login.go

405 lines
11 KiB
Go
Raw Normal View History Unescape Escape

upgrade new version
4 months ago
//
// Copyright (C) 2024 veypi <i@veypi.com>
// 2025-03-04 16:08:06
// Distributed under terms of the MIT license.
//
package auth
import (
feat(auth): replace user-level token version with session-based authentication - Replace global user token version with per-session versioning in JWT claims - Add session CRUD operations with DB + Redis dual-write caching strategy - Create/list/revoke individual sessions and batch revoke other sessions - Update login flow to create sessions with device info and IP extraction - Update refresh flow to validate and rotate session-level token version - Update logout to revoke only the current session instead of all tokens - Add session management UI page with device/browser detection and relative time display - Add i18n keys for session management in both Chinese and English - Add sessions route and navigation menu items in both default and icon layouts
4 days ago
"net"
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
"net/http"
feat(auth): replace user-level token version with session-based authentication - Replace global user token version with per-session versioning in JWT claims - Add session CRUD operations with DB + Redis dual-write caching strategy - Create/list/revoke individual sessions and batch revoke other sessions - Update login flow to create sessions with device info and IP extraction - Update refresh flow to validate and rotate session-level token version - Update logout to revoke only the current session instead of all tokens - Add session management UI page with device/browser detection and relative time display - Add i18n keys for session management in both Chinese and English - Add sessions route and navigation menu items in both default and icon layouts
4 days ago
"strings"
upgrade new version
4 months ago
"time"
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
"github.com/veypi/vbase/auth"
upgrade new version
4 months ago
"github.com/veypi/vbase/cfg"
"github.com/veypi/vbase/libs/crypto"
"github.com/veypi/vbase/libs/jwt"
"github.com/veypi/vbase/models"
"github.com/veypi/vigo"
)
// LoginRequest 登录请求
type LoginRequest struct {
Username string `json:"username" src:"json" desc:"用户名/邮箱/手机号"`
Password string `json:"password" src:"json" desc:"密码"`
CaptchaID string `json:"captcha_id,omitempty" src:"json" desc:"验证码ID"`
CaptchaCode string `json:"captcha_code,omitempty" src:"json" desc:"验证码"`
Remember bool `json:"remember,omitempty" src:"json" desc:"记住登录"`
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// AuthResponse 认证响应token 仅通过 HttpOnly Cookie 下发body 只含用户信息)
upgrade new version
4 months ago
type AuthResponse struct {
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
AccessToken string `json:"access_token,omitempty"`
RefreshToken string `json:"refresh_token,omitempty"`
TokenType string `json:"token_type,omitempty"`
ExpiresIn int `json:"expires_in,omitempty"`
upgrade new version
4 months ago
User *UserInfo `json:"user"`
}
// UserInfo 用户信息
type UserInfo struct {
fix bug
4 months ago
ID string `json:"id"`
Username string `json:"username"`
Nickname string `json:"nickname"`
Email *string `json:"email"`
Avatar string `json:"avatar"`
upgrade new version
4 months ago
}
refactor(auth): 重构认证系统,支持多种验证方式和 OAuth 提供商管理 - 新增验证模块(api/verification),统一处理短信和邮件验证码发送 - 新增邮件发送功能(libs/email),支持 SMTP 协议 - 重构短信模块(libs/sms),简化阿里云和腾讯云短信接口 - 新增 OAuth 提供商管理 API(api/oauth/providers),支持 CRUD 操作 - 新增系统设置管理 API(api/settings),支持动态配置更新 - 重构认证方式管理(api/auth/methods),支持启用/禁用多种登录方式 - 删除旧的 sms_providers 和 sms API 模块,迁移至新验证体系 - 新增数据库模型:verification、email、oauth_provider、oauth_templates、setting - 更新配置文档,增加新功能的使用说明
4 months ago
// LoginWithCodeRequest 验证码登录请求
type LoginWithCodeRequest struct {
feat(auth): add SMS/email verification code support for registration - Add validateRegisterCode function to verify codes during registration - Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder - Make cookie names configurable via JWT CookiePrefix setting - Rename login type "phone" to "sms" for consistency - Add 1-minute TTL cache for setting values - Add $fetch wrapper replacing raw fetch calls across all UI pages - Add verification code inputs with countdown send buttons to register UI - Move CSS/JS assets from root.html to auth and default layouts - Add scope parameter to VBase permission check methods - Add i18n entries for verification code messages (zh/en) - Fix route guard to use next('/403') instead of router.push
2 weeks ago
Type string `json:"type" src:"json" desc:"类型: email/sms"`
refactor(auth): 重构认证系统,支持多种验证方式和 OAuth 提供商管理 - 新增验证模块(api/verification),统一处理短信和邮件验证码发送 - 新增邮件发送功能(libs/email),支持 SMTP 协议 - 重构短信模块(libs/sms),简化阿里云和腾讯云短信接口 - 新增 OAuth 提供商管理 API(api/oauth/providers),支持 CRUD 操作 - 新增系统设置管理 API(api/settings),支持动态配置更新 - 重构认证方式管理(api/auth/methods),支持启用/禁用多种登录方式 - 删除旧的 sms_providers 和 sms API 模块,迁移至新验证体系 - 新增数据库模型:verification、email、oauth_provider、oauth_templates、setting - 更新配置文档,增加新功能的使用说明
4 months ago
Target string `json:"target" src:"json" desc:"邮箱或手机号"`
Code string `json:"code" src:"json" desc:"验证码"`
}
// loginWithCode 验证码登录
func loginWithCode(x *vigo.X, req *LoginWithCodeRequest) (*AuthResponse, error) {
// 参数校验
feat(auth): add SMS/email verification code support for registration - Add validateRegisterCode function to verify codes during registration - Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder - Make cookie names configurable via JWT CookiePrefix setting - Rename login type "phone" to "sms" for consistency - Add 1-minute TTL cache for setting values - Add $fetch wrapper replacing raw fetch calls across all UI pages - Add verification code inputs with countdown send buttons to register UI - Move CSS/JS assets from root.html to auth and default layouts - Add scope parameter to VBase permission check methods - Add i18n entries for verification code messages (zh/en) - Fix route guard to use next('/403') instead of router.push
2 weeks ago
if req.Type != "email" && req.Type != "sms" {
return nil, vigo.ErrInvalidArg.WithString("invalid type, must be email or sms")
refactor(auth): 重构认证系统,支持多种验证方式和 OAuth 提供商管理 - 新增验证模块(api/verification),统一处理短信和邮件验证码发送 - 新增邮件发送功能(libs/email),支持 SMTP 协议 - 重构短信模块(libs/sms),简化阿里云和腾讯云短信接口 - 新增 OAuth 提供商管理 API(api/oauth/providers),支持 CRUD 操作 - 新增系统设置管理 API(api/settings),支持动态配置更新 - 重构认证方式管理(api/auth/methods),支持启用/禁用多种登录方式 - 删除旧的 sms_providers 和 sms API 模块,迁移至新验证体系 - 新增数据库模型:verification、email、oauth_provider、oauth_templates、setting - 更新配置文档,增加新功能的使用说明
4 months ago
}
if req.Target == "" || req.Code == "" {
return nil, vigo.ErrInvalidArg.WithString("target and code are required")
}
db := cfg.DB()
// 查找最新验证码
var verification models.VerificationCode
if err := db.Where("target = ? AND type = ? AND purpose = ?",
req.Target, req.Type, models.CodePurposeLogin).
Order("created_at DESC").First(&verification).Error; err != nil {
return nil, vigo.ErrInvalidArg.WithString("invalid verification code")
}
// 检查验证码状态
maxAttempts, _ := models.GetSettingInt(models.SettingCodeMaxAttempt)
if maxAttempts == 0 {
maxAttempts = 3
}
if !verification.CanRetry(maxAttempts) {
return nil, vigo.ErrInvalidArg.WithString("verification code expired or max attempts exceeded")
}
// 验证code
if verification.Code != req.Code {
// 增加尝试次数
db.Model(&verification).UpdateColumn("attempts", verification.Attempts+1)
return nil, vigo.ErrInvalidArg.WithString("invalid verification code")
}
// 标记为已使用
now := time.Now()
verification.Status = models.CodeStatusUsed
verification.UsedAt = &now
db.Save(&verification)
// 查找用户
var user models.User
var queryErr error
if req.Type == "email" {
queryErr = db.Where("email = ?", req.Target).First(&user).Error
} else {
queryErr = db.Where("phone = ?", req.Target).First(&user).Error
}
if queryErr != nil {
return nil, vigo.ErrUnauthorized.WithString("user not found")
}
// 检查用户状态
if user.Status != models.UserStatusActive {
return nil, vigo.ErrForbidden.WithString("user is disabled")
}
// 生成token
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
return generateAuthResponseForUser(x, &user)
refactor(auth): 重构认证系统,支持多种验证方式和 OAuth 提供商管理 - 新增验证模块(api/verification),统一处理短信和邮件验证码发送 - 新增邮件发送功能(libs/email),支持 SMTP 协议 - 重构短信模块(libs/sms),简化阿里云和腾讯云短信接口 - 新增 OAuth 提供商管理 API(api/oauth/providers),支持 CRUD 操作 - 新增系统设置管理 API(api/settings),支持动态配置更新 - 重构认证方式管理(api/auth/methods),支持启用/禁用多种登录方式 - 删除旧的 sms_providers 和 sms API 模块,迁移至新验证体系 - 新增数据库模型:verification、email、oauth_provider、oauth_templates、setting - 更新配置文档,增加新功能的使用说明
4 months ago
}
feat(auth): replace user-level token version with session-based authentication - Replace global user token version with per-session versioning in JWT claims - Add session CRUD operations with DB + Redis dual-write caching strategy - Create/list/revoke individual sessions and batch revoke other sessions - Update login flow to create sessions with device info and IP extraction - Update refresh flow to validate and rotate session-level token version - Update logout to revoke only the current session instead of all tokens - Add session management UI page with device/browser detection and relative time display - Add i18n keys for session management in both Chinese and English - Add sessions route and navigation menu items in both default and icon layouts
4 days ago
// generateAuthResponseForUser 为用户生成认证响应(创建新 session支持多点登录
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
func generateAuthResponseForUser(x *vigo.X, user *models.User) (*AuthResponse, error) {
feat(auth): replace user-level token version with session-based authentication - Replace global user token version with per-session versioning in JWT claims - Add session CRUD operations with DB + Redis dual-write caching strategy - Create/list/revoke individual sessions and batch revoke other sessions - Update login flow to create sessions with device info and IP extraction - Update refresh flow to validate and rotate session-level token version - Update logout to revoke only the current session instead of all tokens - Add session management UI page with device/browser detection and relative time display - Add i18n keys for session management in both Chinese and English - Add sessions route and navigation menu items in both default and icon layouts
4 days ago
deviceInfo, ip := extractDeviceInfo(x.Request)
expiresAt := time.Now().Add(cfg.Global.JWT.RefreshExpiry)
session, err := auth.CreateSession(user.ID, deviceInfo, ip, expiresAt)
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
if err != nil {
return nil, vigo.ErrInternalServer.WithError(err)
refactor(auth): 重构认证系统,支持多种验证方式和 OAuth 提供商管理 - 新增验证模块(api/verification),统一处理短信和邮件验证码发送 - 新增邮件发送功能(libs/email),支持 SMTP 协议 - 重构短信模块(libs/sms),简化阿里云和腾讯云短信接口 - 新增 OAuth 提供商管理 API(api/oauth/providers),支持 CRUD 操作 - 新增系统设置管理 API(api/settings),支持动态配置更新 - 重构认证方式管理(api/auth/methods),支持启用/禁用多种登录方式 - 删除旧的 sms_providers 和 sms API 模块,迁移至新验证体系 - 新增数据库模型:verification、email、oauth_provider、oauth_templates、setting - 更新配置文档,增加新功能的使用说明
4 months ago
}
feat(auth): replace user-level token version with session-based authentication - Replace global user token version with per-session versioning in JWT claims - Add session CRUD operations with DB + Redis dual-write caching strategy - Create/list/revoke individual sessions and batch revoke other sessions - Update login flow to create sessions with device info and IP extraction - Update refresh flow to validate and rotate session-level token version - Update logout to revoke only the current session instead of all tokens - Add session management UI page with device/browser detection and relative time display - Add i18n keys for session management in both Chinese and English - Add sessions route and navigation menu items in both default and icon layouts
4 days ago
tokenPair, err := jwt.GenerateTokenPair(user.ID, session.ID, session.Version)
refactor(auth): 重构认证系统,支持多种验证方式和 OAuth 提供商管理 - 新增验证模块(api/verification),统一处理短信和邮件验证码发送 - 新增邮件发送功能(libs/email),支持 SMTP 协议 - 重构短信模块(libs/sms),简化阿里云和腾讯云短信接口 - 新增 OAuth 提供商管理 API(api/oauth/providers),支持 CRUD 操作 - 新增系统设置管理 API(api/settings),支持动态配置更新 - 重构认证方式管理(api/auth/methods),支持启用/禁用多种登录方式 - 删除旧的 sms_providers 和 sms API 模块,迁移至新验证体系 - 新增数据库模型:verification、email、oauth_provider、oauth_templates、setting - 更新配置文档,增加新功能的使用说明
4 months ago
if err != nil {
return nil, vigo.ErrInternalServer.WithError(err)
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// 设置 HttpOnly Cookie浏览器自动携带body 仅返回用户信息
setTokenCookies(x, tokenPair)
refactor(auth): 重构认证系统,支持多种验证方式和 OAuth 提供商管理 - 新增验证模块(api/verification),统一处理短信和邮件验证码发送 - 新增邮件发送功能(libs/email),支持 SMTP 协议 - 重构短信模块(libs/sms),简化阿里云和腾讯云短信接口 - 新增 OAuth 提供商管理 API(api/oauth/providers),支持 CRUD 操作 - 新增系统设置管理 API(api/settings),支持动态配置更新 - 重构认证方式管理(api/auth/methods),支持启用/禁用多种登录方式 - 删除旧的 sms_providers 和 sms API 模块,迁移至新验证体系 - 新增数据库模型:verification、email、oauth_provider、oauth_templates、setting - 更新配置文档,增加新功能的使用说明
4 months ago
return &AuthResponse{
User: &UserInfo{
ID: user.ID,
Username: user.Username,
Nickname: user.Nickname,
Email: user.Email,
Avatar: user.Avatar,
},
}, nil
}
upgrade new version
4 months ago
// login 用户登录
func login(x *vigo.X, req *LoginRequest) (*AuthResponse, error) {
// 查找用户
var user models.User
query := cfg.DB().Where("username = ? OR email = ? OR phone = ?", req.Username, req.Username, req.Username)
if err := query.First(&user).Error; err != nil {
refactor: 统一API错误类型处理
4 months ago
return nil, vigo.ErrUnauthorized.WithString("invalid username or password")
upgrade new version
4 months ago
}
// 检查用户状态
if user.Status != models.UserStatusActive {
return nil, vigo.ErrForbidden.WithString("user is disabled")
}
// 验证密码
if !crypto.VerifyPassword(req.Password, user.Password) {
refactor: 统一API错误类型处理
4 months ago
return nil, vigo.ErrUnauthorized.WithString("invalid username or password")
upgrade new version
4 months ago
}
// 更新最后登录时间
now := time.Now()
cfg.DB().Model(&user).Update("last_login_at", now)
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// 生成 token + Set-Cookie
return generateAuthResponseForUser(x, &user)
upgrade new version
4 months ago
}
// RefreshRequest 刷新请求
type RefreshRequest struct {
RefreshToken string `json:"refresh_token" src:"json" desc:"刷新令牌"`
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// refresh 刷新TokenToken Rotation严格验证版本并轮换
upgrade new version
4 months ago
func refresh(x *vigo.X, req *RefreshRequest) (*AuthResponse, error) {
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
refreshToken := req.RefreshToken
// Body 为空时从 Cookie 读取
if refreshToken == "" {
feat(auth): add SMS/email verification code support for registration - Add validateRegisterCode function to verify codes during registration - Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder - Make cookie names configurable via JWT CookiePrefix setting - Rename login type "phone" to "sms" for consistency - Add 1-minute TTL cache for setting values - Add $fetch wrapper replacing raw fetch calls across all UI pages - Add verification code inputs with countdown send buttons to register UI - Move CSS/JS assets from root.html to auth and default layouts - Add scope parameter to VBase permission check methods - Add i18n entries for verification code messages (zh/en) - Fix route guard to use next('/403') instead of router.push
2 weeks ago
if c, err := x.Request.Cookie(refreshCookieName()); err == nil {
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
refreshToken = c.Value
}
}
if refreshToken == "" {
return nil, vigo.ErrTokenInvalid
}
claims, err := jwt.ParseToken(refreshToken)
upgrade new version
4 months ago
if err != nil {
if err == jwt.ErrExpiredToken {
refactor: 重构认证模型和数据库结构
4 months ago
return nil, vigo.ErrTokenExpired
upgrade new version
4 months ago
}
refactor: 重构认证模型和数据库结构
4 months ago
return nil, vigo.ErrTokenInvalid
upgrade new version
4 months ago
}
if !jwt.IsRefreshToken(claims) {
refactor: 重构认证模型和数据库结构
4 months ago
return nil, vigo.ErrTokenInvalid
upgrade new version
4 months ago
}
// 查找用户
var user models.User
if err := cfg.DB().First(&user, "id = ?", claims.UserID).Error; err != nil {
refactor: 重构认证模型和数据库结构
4 months ago
return nil, vigo.ErrTokenInvalid
upgrade new version
4 months ago
}
if user.Status != models.UserStatusActive {
return nil, vigo.ErrForbidden.WithString("user is disabled")
}
feat(auth): replace user-level token version with session-based authentication - Replace global user token version with per-session versioning in JWT claims - Add session CRUD operations with DB + Redis dual-write caching strategy - Create/list/revoke individual sessions and batch revoke other sessions - Update login flow to create sessions with device info and IP extraction - Update refresh flow to validate and rotate session-level token version - Update logout to revoke only the current session instead of all tokens - Add session management UI page with device/browser detection and relative time display - Add i18n keys for session management in both Chinese and English - Add sessions route and navigation menu items in both default and icon layouts
4 days ago
// Session 级别版本旋转(版本不匹配=已泄露/已用)
newVersion, err := auth.ValidateRefreshSession(claims.UserID, claims.SessionID, claims.Version)
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
if err != nil {
return nil, vigo.ErrTokenInvalid.WithString("refresh token is stale or already used")
fix bug
4 months ago
}
feat(auth): replace user-level token version with session-based authentication - Replace global user token version with per-session versioning in JWT claims - Add session CRUD operations with DB + Redis dual-write caching strategy - Create/list/revoke individual sessions and batch revoke other sessions - Update login flow to create sessions with device info and IP extraction - Update refresh flow to validate and rotate session-level token version - Update logout to revoke only the current session instead of all tokens - Add session management UI page with device/browser detection and relative time display - Add i18n keys for session management in both Chinese and English - Add sessions route and navigation menu items in both default and icon layouts
4 days ago
// 生成新 token pair同一 session新版本号
tokenPair, err := jwt.GenerateTokenPair(user.ID, claims.SessionID, newVersion)
upgrade new version
4 months ago
if err != nil {
return nil, vigo.ErrInternalServer.WithError(err)
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// 更新 Cookiebody 仅返回用户信息
setTokenCookies(x, tokenPair)
upgrade new version
4 months ago
return &AuthResponse{
User: &UserInfo{
ID: user.ID,
Username: user.Username,
Nickname: user.Nickname,
Email: user.Email,
Avatar: user.Avatar,
},
}, nil
}
feat(auth): replace user-level token version with session-based authentication - Replace global user token version with per-session versioning in JWT claims - Add session CRUD operations with DB + Redis dual-write caching strategy - Create/list/revoke individual sessions and batch revoke other sessions - Update login flow to create sessions with device info and IP extraction - Update refresh flow to validate and rotate session-level token version - Update logout to revoke only the current session instead of all tokens - Add session management UI page with device/browser detection and relative time display - Add i18n keys for session management in both Chinese and English - Add sessions route and navigation menu items in both default and icon layouts
4 days ago
// logout 用户登出(仅撤销当前会话)
upgrade new version
4 months ago
func logout(x *vigo.X) error {
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
userID := cfg.Auth.UserID(x)
feat(auth): replace user-level token version with session-based authentication - Replace global user token version with per-session versioning in JWT claims - Add session CRUD operations with DB + Redis dual-write caching strategy - Create/list/revoke individual sessions and batch revoke other sessions - Update login flow to create sessions with device info and IP extraction - Update refresh flow to validate and rotate session-level token version - Update logout to revoke only the current session instead of all tokens - Add session management UI page with device/browser detection and relative time display - Add i18n keys for session management in both Chinese and English - Add sessions route and navigation menu items in both default and icon layouts
4 days ago
sessionID := auth.GetCurrentSessionID(x)
if userID == "" || sessionID == "" {
clearTokenCookies(x)
upgrade new version
4 months ago
return nil
}
feat(auth): replace user-level token version with session-based authentication - Replace global user token version with per-session versioning in JWT claims - Add session CRUD operations with DB + Redis dual-write caching strategy - Create/list/revoke individual sessions and batch revoke other sessions - Update login flow to create sessions with device info and IP extraction - Update refresh flow to validate and rotate session-level token version - Update logout to revoke only the current session instead of all tokens - Add session management UI page with device/browser detection and relative time display - Add i18n keys for session management in both Chinese and English - Add sessions route and navigation menu items in both default and icon layouts
4 days ago
if err := auth.RevokeSession(userID, sessionID); err != nil {
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
return vigo.ErrInternalServer.WithError(err)
upgrade new version
4 months ago
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
clearTokenCookies(x)
upgrade new version
4 months ago
return nil
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// ========== Cookie 辅助函数 ==========
upgrade new version
4 months ago
feat(auth): add SMS/email verification code support for registration - Add validateRegisterCode function to verify codes during registration - Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder - Make cookie names configurable via JWT CookiePrefix setting - Rename login type "phone" to "sms" for consistency - Add 1-minute TTL cache for setting values - Add $fetch wrapper replacing raw fetch calls across all UI pages - Add verification code inputs with countdown send buttons to register UI - Move CSS/JS assets from root.html to auth and default layouts - Add scope parameter to VBase permission check methods - Add i18n entries for verification code messages (zh/en) - Fix route guard to use next('/403') instead of router.push
2 weeks ago
func accessCookieName() string { return cfg.Global.JWT.CookiePrefix + "access" }
func refreshCookieName() string { return cfg.Global.JWT.CookiePrefix + "refresh" }
upgrade new version
4 months ago
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// setTokenCookies 设置 HttpOnly Cookie
func setTokenCookies(x *vigo.X, tokenPair *jwt.TokenPair) {
refreshTokenPath := Router.String() + "/refresh"
cp := cfg.Global.JWT.CookiePath
http.SetCookie(x.ResponseWriter(), &http.Cookie{
feat(auth): add SMS/email verification code support for registration - Add validateRegisterCode function to verify codes during registration - Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder - Make cookie names configurable via JWT CookiePrefix setting - Rename login type "phone" to "sms" for consistency - Add 1-minute TTL cache for setting values - Add $fetch wrapper replacing raw fetch calls across all UI pages - Add verification code inputs with countdown send buttons to register UI - Move CSS/JS assets from root.html to auth and default layouts - Add scope parameter to VBase permission check methods - Add i18n entries for verification code messages (zh/en) - Fix route guard to use next('/403') instead of router.push
2 weeks ago
Name: accessCookieName(),
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
Value: tokenPair.AccessToken,
Path: cp,
MaxAge: int(cfg.Global.JWT.AccessExpiry.Seconds()),
HttpOnly: true,
Secure: x.Request.TLS != nil,
SameSite: http.SameSiteStrictMode,
})
http.SetCookie(x.ResponseWriter(), &http.Cookie{
feat(auth): add SMS/email verification code support for registration - Add validateRegisterCode function to verify codes during registration - Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder - Make cookie names configurable via JWT CookiePrefix setting - Rename login type "phone" to "sms" for consistency - Add 1-minute TTL cache for setting values - Add $fetch wrapper replacing raw fetch calls across all UI pages - Add verification code inputs with countdown send buttons to register UI - Move CSS/JS assets from root.html to auth and default layouts - Add scope parameter to VBase permission check methods - Add i18n entries for verification code messages (zh/en) - Fix route guard to use next('/403') instead of router.push
2 weeks ago
Name: refreshCookieName(),
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
Value: tokenPair.RefreshToken,
Path: refreshTokenPath,
MaxAge: int(cfg.Global.JWT.RefreshExpiry.Seconds()),
HttpOnly: true,
Secure: x.Request.TLS != nil,
SameSite: http.SameSiteStrictMode,
})
}
upgrade new version
4 months ago
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// clearTokenCookies 清除 Cookie登出时调用
func clearTokenCookies(x *vigo.X) {
cp := cfg.Global.JWT.CookiePath
refreshTokenPath := Router.String() + "/refresh"
http.SetCookie(x.ResponseWriter(), &http.Cookie{
feat(auth): add SMS/email verification code support for registration - Add validateRegisterCode function to verify codes during registration - Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder - Make cookie names configurable via JWT CookiePrefix setting - Rename login type "phone" to "sms" for consistency - Add 1-minute TTL cache for setting values - Add $fetch wrapper replacing raw fetch calls across all UI pages - Add verification code inputs with countdown send buttons to register UI - Move CSS/JS assets from root.html to auth and default layouts - Add scope parameter to VBase permission check methods - Add i18n entries for verification code messages (zh/en) - Fix route guard to use next('/403') instead of router.push
2 weeks ago
Name: accessCookieName(),
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
Value: "",
Path: cp,
MaxAge: -1,
HttpOnly: true,
})
http.SetCookie(x.ResponseWriter(), &http.Cookie{
feat(auth): add SMS/email verification code support for registration - Add validateRegisterCode function to verify codes during registration - Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder - Make cookie names configurable via JWT CookiePrefix setting - Rename login type "phone" to "sms" for consistency - Add 1-minute TTL cache for setting values - Add $fetch wrapper replacing raw fetch calls across all UI pages - Add verification code inputs with countdown send buttons to register UI - Move CSS/JS assets from root.html to auth and default layouts - Add scope parameter to VBase permission check methods - Add i18n entries for verification code messages (zh/en) - Fix route guard to use next('/403') instead of router.push
2 weeks ago
Name: refreshCookieName(),
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
Value: "",
Path: refreshTokenPath,
MaxAge: -1,
HttpOnly: true,
})
upgrade new version
4 months ago
}
feat(auth): replace user-level token version with session-based authentication - Replace global user token version with per-session versioning in JWT claims - Add session CRUD operations with DB + Redis dual-write caching strategy - Create/list/revoke individual sessions and batch revoke other sessions - Update login flow to create sessions with device info and IP extraction - Update refresh flow to validate and rotate session-level token version - Update logout to revoke only the current session instead of all tokens - Add session management UI page with device/browser detection and relative time display - Add i18n keys for session management in both Chinese and English - Add sessions route and navigation menu items in both default and icon layouts
4 days ago
// ========== 设备信息提取 ==========
// extractDeviceInfo 从请求中提取设备信息和 IP
func extractDeviceInfo(r *http.Request) (deviceInfo, ip string) {
// IP
ip = r.Header.Get("X-Forwarded-For")
if ip == "" {
ip = r.Header.Get("X-Real-IP")
}
if ip == "" {
ip = r.RemoteAddr
}
// 取第一个 IPX-Forwarded-For 可能含多个)
if idx := strings.IndexByte(ip, ','); idx != -1 {
ip = strings.TrimSpace(ip[:idx])
}
// 去掉端口号RemoteAddr 格式为 IP:port
if host, _, err := net.SplitHostPort(ip); err == nil {
ip = host
}
// User-Agent截断到 300 字符)
ua := r.UserAgent()
if len(ua) > 300 {
ua = ua[:300]
}
deviceInfo = ua
return
}
// ========== 会话管理 API ==========
// SessionInfo 会话信息
type SessionInfo struct {
ID string `json:"id"`
DeviceInfo string `json:"device_info"`
IP string `json:"ip"`
CreatedAt time.Time `json:"created_at"`
ExpiresAt time.Time `json:"expires_at"`
IsCurrent bool `json:"is_current"`
}
// listSessions 获取当前用户所有活跃会话
func listSessions(x *vigo.X) ([]SessionInfo, error) {
userID := cfg.Auth.UserID(x)
if userID == "" {
return nil, vigo.ErrUnauthorized
}
sessions, err := auth.ListSessions(userID)
if err != nil {
return nil, vigo.ErrInternalServer.WithError(err)
}
currentSID := auth.GetCurrentSessionID(x)
result := make([]SessionInfo, 0, len(sessions))
for _, s := range sessions {
result = append(result, SessionInfo{
ID: s.ID,
DeviceInfo: s.DeviceInfo,
IP: s.IP,
CreatedAt: s.CreatedAt,
ExpiresAt: s.ExpiresAt,
IsCurrent: s.ID == currentSID,
})
}
return result, nil
}
// RevokeSessionRequest 撤销会话请求
type RevokeSessionRequest struct {
ID string `json:"id" src:"path" desc:"会话ID"`
}
// revokeSession 撤销指定会话
func revokeSession(x *vigo.X, req *RevokeSessionRequest) error {
userID := cfg.Auth.UserID(x)
if userID == "" {
return vigo.ErrUnauthorized
}
if err := auth.RevokeSession(userID, req.ID); err != nil {
return vigo.ErrInternalServer.WithError(err)
}
return nil
}
// revokeOtherSessions 批量撤销除当前外的所有会话
func revokeOtherSessions(x *vigo.X) error {
userID := cfg.Auth.UserID(x)
sessionID := auth.GetCurrentSessionID(x)
if userID == "" || sessionID == "" {
return vigo.ErrUnauthorized
}
if err := auth.RevokeOtherSessions(userID, sessionID); err != nil {
return vigo.ErrInternalServer.WithError(err)
}
return nil
}