OptimusX
/
OneAuth
mirror of https://github.com/veypi/OneAuth.git
3
0
Fork 0
Code Issues Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
master
v3
v2
v1.0.0
v0.1.0
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9518a9be21'
${ noResults }
OneAuth/auth/middleware.go

138 lines
3.6 KiB
Go
Raw Blame History Unescape Escape

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

// Copyright (C) 2024 veypi <i@veypi.com>
// 2025-03-04 16:08:06
// Distributed under terms of the MIT license.
package auth
import (
"encoding/json"
"fmt"
"strings"
"time"
"github.com/veypi/vbase/cfg"
"github.com/veypi/vbase/libs/cache"
"github.com/veypi/vbase/libs/jwt"
"github.com/veypi/vbase/models"
"github.com/veypi/vigo"
)
// orgMemberCache 组织成员身份缓存结构
type orgMemberCache struct {
IsMember bool `json:"is_member"`
RoleCodes []string `json:"role_codes"`
}
// AuthMiddleware 统一认证中间件
// 1. JWT认证: 解析token验证有效性设置用户信息
// 2. 组织上下文: 如果请求包含org_id验证用户成员身份设置组织信息
// 使用Redis缓存组织成员身份和角色信息减少数据库查询
func AuthMiddleware() func(*vigo.X) error {
return func(x *vigo.X) error {
// === 1. JWT 认证部分 ===
tokenString := extractToken(x)
if tokenString == "" {
return vigo.ErrUnauthorized.WithString("missing token")
}
// 解析token
claims, err := jwt.ParseToken(tokenString)
if err != nil {
if err == jwt.ErrExpiredToken {
return vigo.ErrTokenExpired
}
return vigo.ErrTokenInvalid
}
// 检查token是否在黑名单中
if cache.IsEnabled() {
blacklisted, _ := cache.IsTokenBlacklisted(claims.ID)
if blacklisted {
return vigo.ErrUnauthorized.WithString("token has been revoked")
}
}
// 将用户信息存入上下文
x.Set("user_id", claims.UserID)
x.Set("user_name", claims.Username)
x.Set("user_orgs", claims.Orgs)
x.Set("token_claims", claims)
// === 2. 组织上下文部分 ===
orgID := x.Request.Header.Get("X-Org-ID")
if orgID == "" {
orgID = x.Request.URL.Query().Get("org_id")
}
if orgID == "" {
// 没有指定组织,仅完成用户认证
return nil
}
// 尝试从缓存获取组织成员信息
var roleCodes []string
var isMember bool
if cache.IsEnabled() {
cacheKey := fmt.Sprintf("auth:org_member:%s:%s", claims.UserID, orgID)
cachedData, err := cache.Get(cacheKey)
if err == nil && cachedData != "" {
var cached orgMemberCache
if err := json.Unmarshal([]byte(cachedData), &cached); err == nil {
isMember = cached.IsMember
roleCodes = cached.RoleCodes
}
}
}
// 缓存未命中,查询数据库
if roleCodes == nil {
// 验证用户是否为组织成员
var member models.OrgMember
err := cfg.DB().Where("org_id = ? AND user_id = ? AND status = ?",
orgID, claims.UserID, models.MemberStatusActive).First(&member).Error
isMember = err == nil
if isMember {
// 查询用户的角色
cfg.DB().Model(&models.UserRole{}).
Joins("JOIN roles ON user_roles.role_id = roles.id").
Where("user_roles.user_id = ? AND user_roles.org_id = ?", claims.UserID, orgID).
Pluck("roles.code", &roleCodes)
}
// 写入缓存
if cache.IsEnabled() {
cacheData := orgMemberCache{
IsMember: isMember,
RoleCodes: roleCodes,
}
if data, err := json.Marshal(cacheData); err == nil {
cacheKey := fmt.Sprintf("auth:org_member:%s:%s", claims.UserID, orgID)
// 缓存5分钟
cache.Set(cacheKey, string(data), 5*time.Minute)
}
}
}
if !isMember {
return vigo.ErrForbidden.WithString("you are not a member of this organization")
}
x.Set("org_id", orgID)
x.Set("org_roles", roleCodes)
return nil
}
}
func extractToken(x *vigo.X) string {
auth := x.Request.Header.Get("Authorization")
if auth != "" {
if len(auth) > 7 && strings.HasPrefix(auth, "Bearer ") {
return auth[7:]
}
}
return x.Request.URL.Query().Get("access_token")
}
Reference in New Issue View Git Blame Copy Permalink