OptimusX
/
OneAuth
mirror of https://github.com/veypi/OneAuth.git
3
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
v4
v3
v2
v1.2.0
v1.1.0
v1.1.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '99c1e0c148'
${ noResults }
OneAuth/api/auth/login.go

302 lines
8.6 KiB
Go
Raw Normal View History Unescape Escape

upgrade new version
4 months ago
//
// Copyright (C) 2024 veypi <i@veypi.com>
// 2025-03-04 16:08:06
// Distributed under terms of the MIT license.
//
package auth
import (
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
"net/http"
upgrade new version
4 months ago
"time"
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
"github.com/veypi/vbase/auth"
upgrade new version
4 months ago
"github.com/veypi/vbase/cfg"
"github.com/veypi/vbase/libs/crypto"
"github.com/veypi/vbase/libs/jwt"
"github.com/veypi/vbase/models"
"github.com/veypi/vigo"
)
// LoginRequest 登录请求
type LoginRequest struct {
Username string `json:"username" src:"json" desc:"用户名/邮箱/手机号"`
Password string `json:"password" src:"json" desc:"密码"`
CaptchaID string `json:"captcha_id,omitempty" src:"json" desc:"验证码ID"`
CaptchaCode string `json:"captcha_code,omitempty" src:"json" desc:"验证码"`
Remember bool `json:"remember,omitempty" src:"json" desc:"记住登录"`
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// AuthResponse 认证响应token 仅通过 HttpOnly Cookie 下发body 只含用户信息)
upgrade new version
4 months ago
type AuthResponse struct {
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
AccessToken string `json:"access_token,omitempty"`
RefreshToken string `json:"refresh_token,omitempty"`
TokenType string `json:"token_type,omitempty"`
ExpiresIn int `json:"expires_in,omitempty"`
upgrade new version
4 months ago
User *UserInfo `json:"user"`
}
// UserInfo 用户信息
type UserInfo struct {
fix bug
4 months ago
ID string `json:"id"`
Username string `json:"username"`
Nickname string `json:"nickname"`
Email *string `json:"email"`
Avatar string `json:"avatar"`
upgrade new version
4 months ago
}
refactor(auth): 重构认证系统,支持多种验证方式和 OAuth 提供商管理 - 新增验证模块(api/verification),统一处理短信和邮件验证码发送 - 新增邮件发送功能(libs/email),支持 SMTP 协议 - 重构短信模块(libs/sms),简化阿里云和腾讯云短信接口 - 新增 OAuth 提供商管理 API(api/oauth/providers),支持 CRUD 操作 - 新增系统设置管理 API(api/settings),支持动态配置更新 - 重构认证方式管理(api/auth/methods),支持启用/禁用多种登录方式 - 删除旧的 sms_providers 和 sms API 模块,迁移至新验证体系 - 新增数据库模型:verification、email、oauth_provider、oauth_templates、setting - 更新配置文档,增加新功能的使用说明
4 months ago
// LoginWithCodeRequest 验证码登录请求
type LoginWithCodeRequest struct {
feat(auth): add SMS/email verification code support for registration - Add validateRegisterCode function to verify codes during registration - Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder - Make cookie names configurable via JWT CookiePrefix setting - Rename login type "phone" to "sms" for consistency - Add 1-minute TTL cache for setting values - Add $fetch wrapper replacing raw fetch calls across all UI pages - Add verification code inputs with countdown send buttons to register UI - Move CSS/JS assets from root.html to auth and default layouts - Add scope parameter to VBase permission check methods - Add i18n entries for verification code messages (zh/en) - Fix route guard to use next('/403') instead of router.push
2 weeks ago
Type string `json:"type" src:"json" desc:"类型: email/sms"`
refactor(auth): 重构认证系统,支持多种验证方式和 OAuth 提供商管理 - 新增验证模块(api/verification),统一处理短信和邮件验证码发送 - 新增邮件发送功能(libs/email),支持 SMTP 协议 - 重构短信模块(libs/sms),简化阿里云和腾讯云短信接口 - 新增 OAuth 提供商管理 API(api/oauth/providers),支持 CRUD 操作 - 新增系统设置管理 API(api/settings),支持动态配置更新 - 重构认证方式管理(api/auth/methods),支持启用/禁用多种登录方式 - 删除旧的 sms_providers 和 sms API 模块,迁移至新验证体系 - 新增数据库模型:verification、email、oauth_provider、oauth_templates、setting - 更新配置文档,增加新功能的使用说明
4 months ago
Target string `json:"target" src:"json" desc:"邮箱或手机号"`
Code string `json:"code" src:"json" desc:"验证码"`
}
// loginWithCode 验证码登录
func loginWithCode(x *vigo.X, req *LoginWithCodeRequest) (*AuthResponse, error) {
// 参数校验
feat(auth): add SMS/email verification code support for registration - Add validateRegisterCode function to verify codes during registration - Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder - Make cookie names configurable via JWT CookiePrefix setting - Rename login type "phone" to "sms" for consistency - Add 1-minute TTL cache for setting values - Add $fetch wrapper replacing raw fetch calls across all UI pages - Add verification code inputs with countdown send buttons to register UI - Move CSS/JS assets from root.html to auth and default layouts - Add scope parameter to VBase permission check methods - Add i18n entries for verification code messages (zh/en) - Fix route guard to use next('/403') instead of router.push
2 weeks ago
if req.Type != "email" && req.Type != "sms" {
return nil, vigo.ErrInvalidArg.WithString("invalid type, must be email or sms")
refactor(auth): 重构认证系统,支持多种验证方式和 OAuth 提供商管理 - 新增验证模块(api/verification),统一处理短信和邮件验证码发送 - 新增邮件发送功能(libs/email),支持 SMTP 协议 - 重构短信模块(libs/sms),简化阿里云和腾讯云短信接口 - 新增 OAuth 提供商管理 API(api/oauth/providers),支持 CRUD 操作 - 新增系统设置管理 API(api/settings),支持动态配置更新 - 重构认证方式管理(api/auth/methods),支持启用/禁用多种登录方式 - 删除旧的 sms_providers 和 sms API 模块,迁移至新验证体系 - 新增数据库模型:verification、email、oauth_provider、oauth_templates、setting - 更新配置文档,增加新功能的使用说明
4 months ago
}
if req.Target == "" || req.Code == "" {
return nil, vigo.ErrInvalidArg.WithString("target and code are required")
}
db := cfg.DB()
// 查找最新验证码
var verification models.VerificationCode
if err := db.Where("target = ? AND type = ? AND purpose = ?",
req.Target, req.Type, models.CodePurposeLogin).
Order("created_at DESC").First(&verification).Error; err != nil {
return nil, vigo.ErrInvalidArg.WithString("invalid verification code")
}
// 检查验证码状态
maxAttempts, _ := models.GetSettingInt(models.SettingCodeMaxAttempt)
if maxAttempts == 0 {
maxAttempts = 3
}
if !verification.CanRetry(maxAttempts) {
return nil, vigo.ErrInvalidArg.WithString("verification code expired or max attempts exceeded")
}
// 验证code
if verification.Code != req.Code {
// 增加尝试次数
db.Model(&verification).UpdateColumn("attempts", verification.Attempts+1)
return nil, vigo.ErrInvalidArg.WithString("invalid verification code")
}
// 标记为已使用
now := time.Now()
verification.Status = models.CodeStatusUsed
verification.UsedAt = &now
db.Save(&verification)
// 查找用户
var user models.User
var queryErr error
if req.Type == "email" {
queryErr = db.Where("email = ?", req.Target).First(&user).Error
} else {
queryErr = db.Where("phone = ?", req.Target).First(&user).Error
}
if queryErr != nil {
return nil, vigo.ErrUnauthorized.WithString("user not found")
}
// 检查用户状态
if user.Status != models.UserStatusActive {
return nil, vigo.ErrForbidden.WithString("user is disabled")
}
// 生成token
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
return generateAuthResponseForUser(x, &user)
refactor(auth): 重构认证系统,支持多种验证方式和 OAuth 提供商管理 - 新增验证模块(api/verification),统一处理短信和邮件验证码发送 - 新增邮件发送功能(libs/email),支持 SMTP 协议 - 重构短信模块(libs/sms),简化阿里云和腾讯云短信接口 - 新增 OAuth 提供商管理 API(api/oauth/providers),支持 CRUD 操作 - 新增系统设置管理 API(api/settings),支持动态配置更新 - 重构认证方式管理(api/auth/methods),支持启用/禁用多种登录方式 - 删除旧的 sms_providers 和 sms API 模块,迁移至新验证体系 - 新增数据库模型:verification、email、oauth_provider、oauth_templates、setting - 更新配置文档,增加新功能的使用说明
4 months ago
}
feat(auth): Increment token version on login to revoke old sessions - Change login to call IncrTokenVersion instead of GetTokenVersion - Add IncrTokenVersion public function wrapping incrTokenVersion - Existing tokens become invalid when user logs in again
3 weeks ago
// generateAuthResponseForUser 为用户生成认证响应(登录时递增版本,踢掉旧会话)
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
func generateAuthResponseForUser(x *vigo.X, user *models.User) (*AuthResponse, error) {
feat(auth): Increment token version on login to revoke old sessions - Change login to call IncrTokenVersion instead of GetTokenVersion - Add IncrTokenVersion public function wrapping incrTokenVersion - Existing tokens become invalid when user logs in again
3 weeks ago
version, err := auth.IncrTokenVersion(user.ID)
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
if err != nil {
return nil, vigo.ErrInternalServer.WithError(err)
refactor(auth): 重构认证系统,支持多种验证方式和 OAuth 提供商管理 - 新增验证模块(api/verification),统一处理短信和邮件验证码发送 - 新增邮件发送功能(libs/email),支持 SMTP 协议 - 重构短信模块(libs/sms),简化阿里云和腾讯云短信接口 - 新增 OAuth 提供商管理 API(api/oauth/providers),支持 CRUD 操作 - 新增系统设置管理 API(api/settings),支持动态配置更新 - 重构认证方式管理(api/auth/methods),支持启用/禁用多种登录方式 - 删除旧的 sms_providers 和 sms API 模块,迁移至新验证体系 - 新增数据库模型:verification、email、oauth_provider、oauth_templates、setting - 更新配置文档,增加新功能的使用说明
4 months ago
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
tokenPair, err := jwt.GenerateTokenPair(user.ID, version)
refactor(auth): 重构认证系统,支持多种验证方式和 OAuth 提供商管理 - 新增验证模块(api/verification),统一处理短信和邮件验证码发送 - 新增邮件发送功能(libs/email),支持 SMTP 协议 - 重构短信模块(libs/sms),简化阿里云和腾讯云短信接口 - 新增 OAuth 提供商管理 API(api/oauth/providers),支持 CRUD 操作 - 新增系统设置管理 API(api/settings),支持动态配置更新 - 重构认证方式管理(api/auth/methods),支持启用/禁用多种登录方式 - 删除旧的 sms_providers 和 sms API 模块,迁移至新验证体系 - 新增数据库模型:verification、email、oauth_provider、oauth_templates、setting - 更新配置文档,增加新功能的使用说明
4 months ago
if err != nil {
return nil, vigo.ErrInternalServer.WithError(err)
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// 设置 HttpOnly Cookie浏览器自动携带body 仅返回用户信息
setTokenCookies(x, tokenPair)
refactor(auth): 重构认证系统,支持多种验证方式和 OAuth 提供商管理 - 新增验证模块(api/verification),统一处理短信和邮件验证码发送 - 新增邮件发送功能(libs/email),支持 SMTP 协议 - 重构短信模块(libs/sms),简化阿里云和腾讯云短信接口 - 新增 OAuth 提供商管理 API(api/oauth/providers),支持 CRUD 操作 - 新增系统设置管理 API(api/settings),支持动态配置更新 - 重构认证方式管理(api/auth/methods),支持启用/禁用多种登录方式 - 删除旧的 sms_providers 和 sms API 模块,迁移至新验证体系 - 新增数据库模型:verification、email、oauth_provider、oauth_templates、setting - 更新配置文档,增加新功能的使用说明
4 months ago
return &AuthResponse{
User: &UserInfo{
ID: user.ID,
Username: user.Username,
Nickname: user.Nickname,
Email: user.Email,
Avatar: user.Avatar,
},
}, nil
}
upgrade new version
4 months ago
// login 用户登录
func login(x *vigo.X, req *LoginRequest) (*AuthResponse, error) {
// 查找用户
var user models.User
query := cfg.DB().Where("username = ? OR email = ? OR phone = ?", req.Username, req.Username, req.Username)
if err := query.First(&user).Error; err != nil {
refactor: 统一API错误类型处理
4 months ago
return nil, vigo.ErrUnauthorized.WithString("invalid username or password")
upgrade new version
4 months ago
}
// 检查用户状态
if user.Status != models.UserStatusActive {
return nil, vigo.ErrForbidden.WithString("user is disabled")
}
// 验证密码
if !crypto.VerifyPassword(req.Password, user.Password) {
refactor: 统一API错误类型处理
4 months ago
return nil, vigo.ErrUnauthorized.WithString("invalid username or password")
upgrade new version
4 months ago
}
// 更新最后登录时间
now := time.Now()
cfg.DB().Model(&user).Update("last_login_at", now)
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// 生成 token + Set-Cookie
return generateAuthResponseForUser(x, &user)
upgrade new version
4 months ago
}
// RefreshRequest 刷新请求
type RefreshRequest struct {
RefreshToken string `json:"refresh_token" src:"json" desc:"刷新令牌"`
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// refresh 刷新TokenToken Rotation严格验证版本并轮换
upgrade new version
4 months ago
func refresh(x *vigo.X, req *RefreshRequest) (*AuthResponse, error) {
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
refreshToken := req.RefreshToken
// Body 为空时从 Cookie 读取
if refreshToken == "" {
feat(auth): add SMS/email verification code support for registration - Add validateRegisterCode function to verify codes during registration - Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder - Make cookie names configurable via JWT CookiePrefix setting - Rename login type "phone" to "sms" for consistency - Add 1-minute TTL cache for setting values - Add $fetch wrapper replacing raw fetch calls across all UI pages - Add verification code inputs with countdown send buttons to register UI - Move CSS/JS assets from root.html to auth and default layouts - Add scope parameter to VBase permission check methods - Add i18n entries for verification code messages (zh/en) - Fix route guard to use next('/403') instead of router.push
2 weeks ago
if c, err := x.Request.Cookie(refreshCookieName()); err == nil {
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
refreshToken = c.Value
}
}
if refreshToken == "" {
return nil, vigo.ErrTokenInvalid
}
claims, err := jwt.ParseToken(refreshToken)
upgrade new version
4 months ago
if err != nil {
if err == jwt.ErrExpiredToken {
refactor: 重构认证模型和数据库结构
4 months ago
return nil, vigo.ErrTokenExpired
upgrade new version
4 months ago
}
refactor: 重构认证模型和数据库结构
4 months ago
return nil, vigo.ErrTokenInvalid
upgrade new version
4 months ago
}
if !jwt.IsRefreshToken(claims) {
refactor: 重构认证模型和数据库结构
4 months ago
return nil, vigo.ErrTokenInvalid
upgrade new version
4 months ago
}
// 查找用户
var user models.User
if err := cfg.DB().First(&user, "id = ?", claims.UserID).Error; err != nil {
refactor: 重构认证模型和数据库结构
4 months ago
return nil, vigo.ErrTokenInvalid
upgrade new version
4 months ago
}
if user.Status != models.UserStatusActive {
return nil, vigo.ErrForbidden.WithString("user is disabled")
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// 严格验证 refresh_token 版本并递增(版本不匹配=已泄露/已用)
newVersion, err := auth.ValidateRefreshAndRotate(claims.UserID, claims.Version)
if err != nil {
return nil, vigo.ErrTokenInvalid.WithString("refresh token is stale or already used")
fix bug
4 months ago
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// 生成新 token pair新版本号
tokenPair, err := jwt.GenerateTokenPair(user.ID, newVersion)
upgrade new version
4 months ago
if err != nil {
return nil, vigo.ErrInternalServer.WithError(err)
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// 更新 Cookiebody 仅返回用户信息
setTokenCookies(x, tokenPair)
upgrade new version
4 months ago
return &AuthResponse{
User: &UserInfo{
ID: user.ID,
Username: user.Username,
Nickname: user.Nickname,
Email: user.Email,
Avatar: user.Avatar,
},
}, nil
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// logout 用户登出(版本递增,全部 token 失效)
upgrade new version
4 months ago
func logout(x *vigo.X) error {
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
userID := cfg.Auth.UserID(x)
if userID == "" {
upgrade new version
4 months ago
return nil
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// 递增 token 版本 → 已签发的所有 token 全部失效
if err := auth.RevokeAllTokens(userID); err != nil {
return vigo.ErrInternalServer.WithError(err)
upgrade new version
4 months ago
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// 清除 Cookie
clearTokenCookies(x)
upgrade new version
4 months ago
return nil
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// ========== Cookie 辅助函数 ==========
upgrade new version
4 months ago
feat(auth): add SMS/email verification code support for registration - Add validateRegisterCode function to verify codes during registration - Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder - Make cookie names configurable via JWT CookiePrefix setting - Rename login type "phone" to "sms" for consistency - Add 1-minute TTL cache for setting values - Add $fetch wrapper replacing raw fetch calls across all UI pages - Add verification code inputs with countdown send buttons to register UI - Move CSS/JS assets from root.html to auth and default layouts - Add scope parameter to VBase permission check methods - Add i18n entries for verification code messages (zh/en) - Fix route guard to use next('/403') instead of router.push
2 weeks ago
func accessCookieName() string { return cfg.Global.JWT.CookiePrefix + "access" }
func refreshCookieName() string { return cfg.Global.JWT.CookiePrefix + "refresh" }
upgrade new version
4 months ago
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// setTokenCookies 设置 HttpOnly Cookie
func setTokenCookies(x *vigo.X, tokenPair *jwt.TokenPair) {
refreshTokenPath := Router.String() + "/refresh"
cp := cfg.Global.JWT.CookiePath
http.SetCookie(x.ResponseWriter(), &http.Cookie{
feat(auth): add SMS/email verification code support for registration - Add validateRegisterCode function to verify codes during registration - Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder - Make cookie names configurable via JWT CookiePrefix setting - Rename login type "phone" to "sms" for consistency - Add 1-minute TTL cache for setting values - Add $fetch wrapper replacing raw fetch calls across all UI pages - Add verification code inputs with countdown send buttons to register UI - Move CSS/JS assets from root.html to auth and default layouts - Add scope parameter to VBase permission check methods - Add i18n entries for verification code messages (zh/en) - Fix route guard to use next('/403') instead of router.push
2 weeks ago
Name: accessCookieName(),
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
Value: tokenPair.AccessToken,
Path: cp,
MaxAge: int(cfg.Global.JWT.AccessExpiry.Seconds()),
HttpOnly: true,
Secure: x.Request.TLS != nil,
SameSite: http.SameSiteStrictMode,
})
http.SetCookie(x.ResponseWriter(), &http.Cookie{
feat(auth): add SMS/email verification code support for registration - Add validateRegisterCode function to verify codes during registration - Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder - Make cookie names configurable via JWT CookiePrefix setting - Rename login type "phone" to "sms" for consistency - Add 1-minute TTL cache for setting values - Add $fetch wrapper replacing raw fetch calls across all UI pages - Add verification code inputs with countdown send buttons to register UI - Move CSS/JS assets from root.html to auth and default layouts - Add scope parameter to VBase permission check methods - Add i18n entries for verification code messages (zh/en) - Fix route guard to use next('/403') instead of router.push
2 weeks ago
Name: refreshCookieName(),
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
Value: tokenPair.RefreshToken,
Path: refreshTokenPath,
MaxAge: int(cfg.Global.JWT.RefreshExpiry.Seconds()),
HttpOnly: true,
Secure: x.Request.TLS != nil,
SameSite: http.SameSiteStrictMode,
})
}
upgrade new version
4 months ago
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// clearTokenCookies 清除 Cookie登出时调用
func clearTokenCookies(x *vigo.X) {
cp := cfg.Global.JWT.CookiePath
refreshTokenPath := Router.String() + "/refresh"
http.SetCookie(x.ResponseWriter(), &http.Cookie{
feat(auth): add SMS/email verification code support for registration - Add validateRegisterCode function to verify codes during registration - Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder - Make cookie names configurable via JWT CookiePrefix setting - Rename login type "phone" to "sms" for consistency - Add 1-minute TTL cache for setting values - Add $fetch wrapper replacing raw fetch calls across all UI pages - Add verification code inputs with countdown send buttons to register UI - Move CSS/JS assets from root.html to auth and default layouts - Add scope parameter to VBase permission check methods - Add i18n entries for verification code messages (zh/en) - Fix route guard to use next('/403') instead of router.push
2 weeks ago
Name: accessCookieName(),
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
Value: "",
Path: cp,
MaxAge: -1,
HttpOnly: true,
})
http.SetCookie(x.ResponseWriter(), &http.Cookie{
feat(auth): add SMS/email verification code support for registration - Add validateRegisterCode function to verify codes during registration - Integrate Aliyun SMS SDK (dysmsapi-20170525) replacing placeholder - Make cookie names configurable via JWT CookiePrefix setting - Rename login type "phone" to "sms" for consistency - Add 1-minute TTL cache for setting values - Add $fetch wrapper replacing raw fetch calls across all UI pages - Add verification code inputs with countdown send buttons to register UI - Move CSS/JS assets from root.html to auth and default layouts - Add scope parameter to VBase permission check methods - Add i18n entries for verification code messages (zh/en) - Fix route guard to use next('/403') instead of router.push
2 weeks ago
Name: refreshCookieName(),
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
Value: "",
Path: refreshTokenPath,
MaxAge: -1,
HttpOnly: true,
})
upgrade new version
4 months ago
}