OptimusX
/
OneAuth
mirror of https://github.com/veypi/OneAuth.git
3
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
v4
v3
v2
v1.2.0
v1.1.0
v1.1.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c21c766b6a'
${ noResults }
OneAuth/libs/jwt/jwt.go

152 lines
3.8 KiB
Go
Raw Normal View History Unescape Escape

upgrade new version
4 months ago
//
// Copyright (C) 2024 veypi <i@veypi.com>
// 2025-03-04 16:08:06
// Distributed under terms of the MIT license.
//
upgrade
4 months ago
package jwt
import (
"errors"
"fmt"
"time"
"github.com/golang-jwt/jwt/v5"
"github.com/google/uuid"
upgrade new version
4 months ago
"github.com/veypi/vbase/cfg"
upgrade
4 months ago
)
var (
ErrInvalidToken = errors.New("invalid token")
ErrExpiredToken = errors.New("token expired")
ErrTokenRevoked = errors.New("token revoked")
)
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// Claims JWT声明精简版仅存鉴权必需字段
upgrade
4 months ago
type Claims struct {
jwt.RegisteredClaims
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
UserID string `json:"uid"`
Type string `json:"type"` // "access" / "refresh"
Version int64 `json:"ver"` // token 版本号,用于撤销
upgrade
4 months ago
}
// TokenPair Token对
type TokenPair struct {
AccessToken string `json:"access_token"`
RefreshToken string `json:"refresh_token"`
TokenType string `json:"token_type"`
ExpiresIn int `json:"expires_in"`
}
// GenerateTokenPair 生成token对
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
func GenerateTokenPair(userID string, version int64) (*TokenPair, error) {
accessToken, err := GenerateAccessToken(userID, version)
upgrade
4 months ago
if err != nil {
return nil, err
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
refreshToken, err := GenerateRefreshToken(userID, version)
upgrade
4 months ago
if err != nil {
return nil, err
}
return &TokenPair{
AccessToken: accessToken,
RefreshToken: refreshToken,
TokenType: "Bearer",
refactor: Rename Config to Global and simplify app initialization - Rename cfg.Config to cfg.Global for consistency - Simplify cli/main.go to use vbase.App.Run() pattern - Update init.go to create app with vigo.New and Init function - Update all references from cfg.Config to cfg.Global across api, libs, models, and tests - Fix VBase constructor parameter order in ui/vbase.js - Update ui/env.js to use new VBase('vb', '/') initialization
4 months ago
ExpiresIn: int(cfg.Global.JWT.AccessExpiry.Seconds()),
upgrade
4 months ago
}, nil
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// GenerateAccessToken 生成访问令牌(轻量,仅存 UserID + Version
func GenerateAccessToken(userID string, version int64) (string, error) {
upgrade
4 months ago
now := time.Now()
claims := Claims{
RegisteredClaims: jwt.RegisteredClaims{
ID: uuid.New().String(), // jti
refactor: Rename Config to Global and simplify app initialization - Rename cfg.Config to cfg.Global for consistency - Simplify cli/main.go to use vbase.App.Run() pattern - Update init.go to create app with vigo.New and Init function - Update all references from cfg.Config to cfg.Global across api, libs, models, and tests - Fix VBase constructor parameter order in ui/vbase.js - Update ui/env.js to use new VBase('vb', '/') initialization
4 months ago
Issuer: cfg.Global.JWT.Issuer,
upgrade
4 months ago
Subject: userID,
refactor(auth): 重构认证系统,支持多种验证方式和 OAuth 提供商管理 - 新增验证模块(api/verification),统一处理短信和邮件验证码发送 - 新增邮件发送功能(libs/email),支持 SMTP 协议 - 重构短信模块(libs/sms),简化阿里云和腾讯云短信接口 - 新增 OAuth 提供商管理 API(api/oauth/providers),支持 CRUD 操作 - 新增系统设置管理 API(api/settings),支持动态配置更新 - 重构认证方式管理(api/auth/methods),支持启用/禁用多种登录方式 - 删除旧的 sms_providers 和 sms API 模块,迁移至新验证体系 - 新增数据库模型:verification、email、oauth_provider、oauth_templates、setting - 更新配置文档,增加新功能的使用说明
4 months ago
Audience: jwt.ClaimStrings{"vbase"},
upgrade
4 months ago
IssuedAt: jwt.NewNumericDate(now),
NotBefore: jwt.NewNumericDate(now),
refactor: Rename Config to Global and simplify app initialization - Rename cfg.Config to cfg.Global for consistency - Simplify cli/main.go to use vbase.App.Run() pattern - Update init.go to create app with vigo.New and Init function - Update all references from cfg.Config to cfg.Global across api, libs, models, and tests - Fix VBase constructor parameter order in ui/vbase.js - Update ui/env.js to use new VBase('vb', '/') initialization
4 months ago
ExpiresAt: jwt.NewNumericDate(now.Add(cfg.Global.JWT.AccessExpiry)),
upgrade
4 months ago
},
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
UserID: userID,
Type: "access",
Version: version,
upgrade
4 months ago
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
refactor: Rename Config to Global and simplify app initialization - Rename cfg.Config to cfg.Global for consistency - Simplify cli/main.go to use vbase.App.Run() pattern - Update init.go to create app with vigo.New and Init function - Update all references from cfg.Config to cfg.Global across api, libs, models, and tests - Fix VBase constructor parameter order in ui/vbase.js - Update ui/env.js to use new VBase('vb', '/') initialization
4 months ago
return token.SignedString([]byte(cfg.Global.JWT.Secret))
upgrade
4 months ago
}
// GenerateRefreshToken 生成刷新令牌
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
func GenerateRefreshToken(userID string, version int64) (string, error) {
upgrade
4 months ago
now := time.Now()
claims := Claims{
RegisteredClaims: jwt.RegisteredClaims{
ID: uuid.New().String(),
refactor: Rename Config to Global and simplify app initialization - Rename cfg.Config to cfg.Global for consistency - Simplify cli/main.go to use vbase.App.Run() pattern - Update init.go to create app with vigo.New and Init function - Update all references from cfg.Config to cfg.Global across api, libs, models, and tests - Fix VBase constructor parameter order in ui/vbase.js - Update ui/env.js to use new VBase('vb', '/') initialization
4 months ago
Issuer: cfg.Global.JWT.Issuer,
upgrade
4 months ago
Subject: userID,
IssuedAt: jwt.NewNumericDate(now),
refactor: Rename Config to Global and simplify app initialization - Rename cfg.Config to cfg.Global for consistency - Simplify cli/main.go to use vbase.App.Run() pattern - Update init.go to create app with vigo.New and Init function - Update all references from cfg.Config to cfg.Global across api, libs, models, and tests - Fix VBase constructor parameter order in ui/vbase.js - Update ui/env.js to use new VBase('vb', '/') initialization
4 months ago
ExpiresAt: jwt.NewNumericDate(now.Add(cfg.Global.JWT.RefreshExpiry)),
upgrade
4 months ago
},
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
UserID: userID,
Type: "refresh",
Version: version,
upgrade
4 months ago
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
refactor: Rename Config to Global and simplify app initialization - Rename cfg.Config to cfg.Global for consistency - Simplify cli/main.go to use vbase.App.Run() pattern - Update init.go to create app with vigo.New and Init function - Update all references from cfg.Config to cfg.Global across api, libs, models, and tests - Fix VBase constructor parameter order in ui/vbase.js - Update ui/env.js to use new VBase('vb', '/') initialization
4 months ago
return token.SignedString([]byte(cfg.Global.JWT.Secret))
upgrade
4 months ago
}
// ParseToken 解析Token
func ParseToken(tokenString string) (*Claims, error) {
token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) {
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
}
refactor: Rename Config to Global and simplify app initialization - Rename cfg.Config to cfg.Global for consistency - Simplify cli/main.go to use vbase.App.Run() pattern - Update init.go to create app with vigo.New and Init function - Update all references from cfg.Config to cfg.Global across api, libs, models, and tests - Fix VBase constructor parameter order in ui/vbase.js - Update ui/env.js to use new VBase('vb', '/') initialization
4 months ago
return []byte(cfg.Global.JWT.Secret), nil
upgrade
4 months ago
})
if err != nil {
if errors.Is(err, jwt.ErrTokenExpired) {
return nil, ErrExpiredToken
}
return nil, ErrInvalidToken
}
if claims, ok := token.Claims.(*Claims); ok && token.Valid {
return claims, nil
}
return nil, ErrInvalidToken
}
// GetJTI 获取Token ID
func GetJTI(tokenString string) (string, error) {
claims, err := ParseToken(tokenString)
if err != nil {
return "", err
}
return claims.ID, nil
}
// IsAccessToken 是否是访问令牌
func IsAccessToken(claims *Claims) bool {
return claims.Type == "access"
}
// IsRefreshToken 是否是刷新令牌
func IsRefreshToken(claims *Claims) bool {
return claims.Type == "refresh"
}
refactor(auth): Migrate token delivery to HttpOnly Cookie with version-based revocation - Replace JWT in response body with HttpOnly Cookie (vb_access/vb_refresh) to prevent XSS token theft - Add Redis-based token version management with ±1 tolerance for multi-tab concurrent refresh - Implement strict refresh token rotation: version must match exactly, increment on each refresh - Simplify JWT Claims to only carry UserID + Type + Version, remove user profile fields - Remove session-based token tracking and cache blacklist in favor of version increment revocation - Remove getAuthHeaders, wrapAxios, wrapFetch, isExpired from frontend VBase client - Remove client-side token/localStorage management, frontend now relies on Cookie auto-attach - Add CookiePath config option and change default access token expiry from 24h to 15min - Update Vigo app initialization to use functional options pattern - Add empty-body cookie read fallback in refresh endpoint
3 weeks ago
// GetSecret 获取当前 JWT Secret空则回退 Key
func GetSecret() string {
s := cfg.Global.JWT.Secret
if s == "" {
s = string(cfg.Global.Key)
}
return s
}