[webapp,manager]认证与TOKEN刷新

2022-01-30 10:56:52 +08:00
parent a8ad5d6b4d
commit 6b1db452dd
7 changed files with 177 additions and 87 deletions
--- a/manager/pom.xml
+++ b/manager/pom.xml
@@ -108,7 +108,7 @@
        <dependency>
            <groupId>com.usthe.sureness</groupId>
            <artifactId>spring-boot-starter-sureness</artifactId>
-            <version>1.0.6</version>
+            <version>1.0.6.beta1</version>
        </dependency>
    </dependencies>
--- a/manager/src/main/java/com/usthe/manager/controller/AccountController.java
+++ b/manager/src/main/java/com/usthe/manager/controller/AccountController.java
@@ -1,25 +1,29 @@
 package com.usthe.manager.controller;
 import com.usthe.common.entity.dto.Message;
 import com.usthe.manager.pojo.dto.LoginDto;
 import com.usthe.sureness.provider.SurenessAccount;
 import com.usthe.sureness.provider.SurenessAccountProvider;
 import com.usthe.sureness.provider.ducument.DocumentAccountProvider;
 import com.usthe.sureness.subject.SubjectSum;
 import com.usthe.sureness.util.JsonWebTokenUtil;
 import com.usthe.sureness.util.Md5Util;
-import com.usthe.sureness.util.SurenessContextHolder;
+import io.jsonwebtoken.Claims;
 import io.swagger.annotations.Api;
-import org.springframework.http.HttpStatus;
+import io.swagger.annotations.ApiOperation;
 import io.swagger.annotations.ApiParam;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 import javax.validation.constraints.NotNull;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.UUID;
 import static com.usthe.common.util.CommonConstants.MONITOR_LOGIN_FAILED_CODE;
 import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
@@ -32,87 +36,95 @@ import static org.springframework.http.MediaType.APPLICATION_JSON_VALUE;
@Api(tags = "认证注册TOKEN管理API")
@RestController()
@RequestMapping(value = "/account/auth", produces = {APPLICATION_JSON_VALUE})
@Slf4j
 public class AccountController {
    /**
     * TOKEN有效期时间 单位秒
     */
    private static final long PERIOD_TIME = 3600L;
    /**
     * account data provider
     */
    private SurenessAccountProvider accountProvider = new DocumentAccountProvider();
    /**
     * 账户密码登陆获取token
     * @param requestBody request
     * @return token与refresh token
     *
     */
    @PostMapping("/form")
-    public ResponseEntity<Message> authGetToken(@RequestBody Map<String,String> requestBody) {
+    @ApiOperation(value = "账户登陆", notes = "账户密码登陆获取关联用户信息")
    public ResponseEntity<Message<Map<String, String>>> authGetToken(@RequestBody LoginDto loginDto) {
-        String identifier = requestBody.get("identifier");
+        SurenessAccount account = accountProvider.loadAccount(loginDto.getIdentifier());
        String password = requestBody.get("password");
        SurenessAccount account = accountProvider.loadAccount(identifier);
        if (account == null || account.getPassword() == null) {
-            Message<Void> message = Message.<Void>builder().msg("账户密码错误")
+            Message<Map<String, String>> message = Message.<Map<String, String>>builder().msg("账户密码错误")
                    .code(MONITOR_LOGIN_FAILED_CODE).build();
            return ResponseEntity.ok(message);
        } else {
            String password = loginDto.getCredential();
            if (account.getSalt() != null) {
                password = Md5Util.md5(password + account.getSalt());
            }
            if (!account.getPassword().equals(password)) {
-                Message<Void> message = Message.<Void>builder().msg("账户密码错误")
+                Message<Map<String, String>> message = Message.<Map<String, String>>builder().msg("账户密码错误")
                        .code(MONITOR_LOGIN_FAILED_CODE).build();
                return ResponseEntity.ok(message);
            }
            if (account.isDisabledAccount() || account.isExcessiveAttempts()) {
-                Message<Void> message = Message.<Void>builder().msg("账户过期或被锁定")
+                Message<Map<String, String>> message = Message.<Map<String, String>>builder().msg("账户过期或被锁定")
                        .code(MONITOR_LOGIN_FAILED_CODE).build();
                return ResponseEntity.ok(message);
            }
        }
        // Get the roles the user has - rbac
        List<String> roles = account.getOwnRoles();
-        long periodTime = 3600L;
+        // 签发TOKEN
-        // issue jwt
+        String issueToken = JsonWebTokenUtil.issueJwt(loginDto.getIdentifier(), PERIOD_TIME, roles);
-        String jwt = JsonWebTokenUtil.issueJwt(UUID.randomUUID().toString(), identifier,
+        Map<String, Object> customClaimMap = new HashMap<>(1);
-                "token-server", periodTime, roles);
+        customClaimMap.put("refresh", true);
-        // issue refresh jwt
+        String issueRefresh = JsonWebTokenUtil.issueJwt(loginDto.getIdentifier(), PERIOD_TIME << 5, customClaimMap);
        String refreshJwt = JsonWebTokenUtil.issueJwt(UUID.randomUUID().toString(), identifier,
                "token-server-refresh", periodTime, roles);
        Map<String, String> resp = new HashMap<>(2);
-        resp.put("token", jwt);
+        resp.put("token", issueToken);
-        resp.put("refreshToken", refreshJwt);
+        resp.put("refreshToken", issueRefresh);
-        return ResponseEntity.ok().body(new Message(resp));
+        return ResponseEntity.ok(new Message<>(resp));
    }
-    /**
+    @GetMapping("/refresh/{refreshToken}")
-     * 账户密码登陆获取token
+    @ApiOperation(value = "TOKEN刷新", notes = "使用刷新TOKEN重新获取TOKEN")
-     * @param requestBody request
+    public ResponseEntity<Message<Map<String, String>>> refreshToken(
-     * @return token与refresh token
+            @ApiParam(value = "刷新TOKEN", example = "xxx")
-     *
+            @PathVariable("refreshToken") @NotNull String refreshToken) {
-     */
+        String userId;
-    @PostMapping("/refresh")
+        boolean isRefresh;
-    public ResponseEntity<Message> refreshToken(@RequestBody Map<String,String> requestBody) {
+        try {
-
+            Claims claims = JsonWebTokenUtil.parseJwt(refreshToken);
-        SubjectSum subjectSum = SurenessContextHolder.getBindSubject();
+            userId = String.valueOf(claims.getSubject());
-        if (subjectSum == null) {
+            isRefresh = claims.get("refresh", Boolean.class);
-            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        } catch (Exception e) {
            log.info(e.getMessage());
            Message<Map<String, String>> message = Message.<Map<String, String>>builder().msg("刷新TOKEN过期或错误")
                    .code(MONITOR_LOGIN_FAILED_CODE).build();
            return ResponseEntity.ok(message);
        }
-        String identifier = String.valueOf(subjectSum.getPrincipal());
+        if (userId == null || !isRefresh) {
-
+            Message<Map<String, String>> message = Message.<Map<String, String>>builder().msg("非法的刷新TOKEN")
-        // Get the roles the user has - rbac
+                    .code(MONITOR_LOGIN_FAILED_CODE).build();
-        List<String> roles = (List<String>) subjectSum.getRoles();
+            return ResponseEntity.ok(message);
-        long periodTime = 3600L;
+        }
-        // issue jwt
+        SurenessAccount account = accountProvider.loadAccount(userId);
-        String jwt = JsonWebTokenUtil.issueJwt(UUID.randomUUID().toString(), identifier,
+        if (account == null) {
-                "token-server", periodTime, roles);
+            Message<Map<String, String>> message = Message.<Map<String, String>>builder().msg("TOKEN对应的账户不存在")
-        // issue refresh jwt
+                    .code(MONITOR_LOGIN_FAILED_CODE).build();
-        String refreshJwt = JsonWebTokenUtil.issueJwt(UUID.randomUUID().toString(), identifier,
+            return ResponseEntity.ok(message);
-                "token-server-refresh", periodTime, roles);
+        }
        List<String> roles = account.getOwnRoles();
        // 签发TOKEN
        String issueToken = JsonWebTokenUtil.issueJwt(userId, PERIOD_TIME, roles);
        Map<String, Object> customClaimMap = new HashMap<>(1);
        customClaimMap.put("refresh", true);
        String issueRefresh = JsonWebTokenUtil.issueJwt(userId, PERIOD_TIME << 5, customClaimMap);
        Map<String, String> resp = new HashMap<>(2);
-        resp.put("token", jwt);
+        resp.put("token", issueToken);
-        resp.put("refreshToken", refreshJwt);
+        resp.put("refreshToken", issueRefresh);
-        return ResponseEntity.ok().body(new Message<>(resp));
+        return ResponseEntity.ok(new Message<>(resp));
    }
 }
--- a/manager/src/main/java/com/usthe/manager/pojo/dto/LoginDto.java
+++ b/manager/src/main/java/com/usthe/manager/pojo/dto/LoginDto.java
@@ -0,0 +1,39 @@
 package com.usthe.manager.pojo.dto;
 import io.swagger.annotations.ApiModel;
 import io.swagger.annotations.ApiModelProperty;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Data;
 import lombok.NoArgsConstructor;
 import org.hibernate.validator.constraints.Range;
 import javax.validation.constraints.NotBlank;
 import static io.swagger.annotations.ApiModelProperty.AccessMode.READ_ONLY;
 /**
 * 登陆注册账户信息传输体 username phone email
 * @author tomsun28
 * @date 20:36 2019-08-01
 */
@Data
@Builder
@AllArgsConstructor
@NoArgsConstructor
@ApiModel(description = "账户信息传输体")
 public class LoginDto {
    @ApiModelProperty(value = "类型", example = "1", accessMode = READ_ONLY, position = 0)
    @Range(min = 0, max = 4, message = "1.账户(邮箱用户名手机号)密码登陆 2.github登陆 3.微信登陆")
    private Byte type;
    @ApiModelProperty(value = "用户标识", example = "1", accessMode = READ_ONLY, position = 0)
    @NotBlank(message = "Identifier can not null")
    private String identifier;
    @ApiModelProperty(value = "密钥", example = "1", accessMode = READ_ONLY, position = 0)
    @NotBlank(message = "Credential can not null")
    private String credential;
 }
--- a/web-app/src/app/core/interceptor/default.interceptor.ts
+++ b/web-app/src/app/core/interceptor/default.interceptor.ts
@@ -16,6 +16,8 @@ import { NzNotificationService } from 'ng-zorro-antd/notification';
 import { BehaviorSubject, Observable, of, throwError } from 'rxjs';
 import { catchError, filter, mergeMap, switchMap, take } from 'rxjs/operators';
 import { Message } from '../../pojo/Message';
 import { AuthService } from '../../service/auth.service';
 import { LocalStorageService } from '../../service/local-storage.service';
 const CODE_MESSAGE: { [key: number]: string } = {
@@ -25,7 +27,7 @@ const CODE_MESSAGE: { [key: number]: string } = {
  204: '删除数据成功。',
  400: '发出的请求有错误，服务器没有进行新建或修改数据的操作。',
  401: '用户没有权限（令牌、用户名、密码错误）。',
-  403: '用户得到授权，但是访问是被禁止的。',
+  403: '用户无权限访问此资源。',
  404: '发出的请求针对的是不存在的记录，服务器没有进行操作。',
  406: '请求的格式不可得。',
  409: '请求与服务器端目标资源的当前状态相冲突',
@@ -42,11 +44,11 @@ const CODE_MESSAGE: { [key: number]: string } = {
 */
@Injectable()
 export class DefaultInterceptor implements HttpInterceptor {
-  private refreshTokenEnabled = environment.api.refreshTokenEnabled;
+  // 是否正在刷新TOKEN过程
  private refreshToking = false;
  private refreshToken$: BehaviorSubject<any> = new BehaviorSubject<any>(null);
-  constructor(private injector: Injector, private storageSvc: LocalStorageService) {}
+  constructor(private injector: Injector, private authSvc: AuthService, private storageSvc: LocalStorageService) {}
  private get notification(): NzNotificationService {
    return this.injector.get(NzNotificationService);
@@ -61,19 +63,20 @@ export class DefaultInterceptor implements HttpInterceptor {
  }
  private checkStatus(ev: HttpResponseBase): void {
    // if (ev.status >= 200 && ev.status < 500) {
    //   return;
    // }
    const errorText = CODE_MESSAGE[ev.status] || ev.statusText;
-    this.notification.error(`抱歉服务器繁忙 ${ev.status}: ${ev.url}`, errorText);
+    console.warn(` ${ev.status}: ${ev.url}`, errorText);
    this.notification.error(` ${ev.status}: ${ev.url}`, errorText);
  }
  /**
   * 刷新 Token 请求
   */
-  private refreshTokenRequest(): Observable<any> {
+  private refreshTokenRequest(): Observable<Message<any>> {
    const refreshToken = this.storageSvc.getRefreshToken();
-    return this.http.post(`/account/auth/refresh`, null, null, { headers: { Authorization: `Bearer ${refreshToken}` } });
+    if (refreshToken == null) {
      return throwError('refreshToken is null.');
    }
    return this.authSvc.refreshToken(refreshToken);
  }
  // #region 刷新Token方式一：使用 401 重新刷新 Token
@@ -95,32 +98,38 @@ export class DefaultInterceptor implements HttpInterceptor {
    // 3、尝试调用刷新 Token
    this.refreshToking = true;
    this.refreshToken$.next(null);
    return this.refreshTokenRequest().pipe(
      switchMap(res => {
-        // 通知后续请求继续执行
+        // 判断刷新TOKEN是否正确
        this.refreshToking = false;
-        this.refreshToken$.next(res);
+        if (res.code === 0 && res.data != undefined) {
-        // 重新保存新 token
+          let token = res.data.token;
-        let token = res.token;
+          let refreshToken = res.data.refreshToken;
-        let refreshToken = res.refreshToken;
+          if (token != undefined) {
            this.storageSvc.storageAuthorizationToken(token);
            this.storageSvc.storageRefreshToken(refreshToken);
            // 通知后续请求继续执行
            this.refreshToken$.next(token);
            // 重新发起请求
            return next.handle(this.reAttachToken(req));
          } else {
            console.warn(`flush new token failed. ${res.msg}`);
            return throwError('flush new token failed.');
          }
        } else {
          console.warn(`flush new token failed. ${res.msg}`);
          return throwError('flush new token failed.');
        }
      }),
      catchError(err => {
        // token 刷新失败
        console.warn(`flush new token failed. ${err.msg}`);
        this.refreshToking = false;
        this.toLogin();
        return throwError(err);
      })
    );
  }
  /**
   * 重新附加新 Token 信息
   *
   */
  private reAttachToken(req: HttpRequest<any>): HttpRequest<any> {
    let token = this.storageSvc.getAuthorizationToken();
    return req.clone({
@@ -158,8 +167,6 @@ export class DefaultInterceptor implements HttpInterceptor {
    return next.handle(newReq).pipe(
      mergeMap(httpEvent => {
        if (httpEvent instanceof HttpResponseBase) {
          // todo 处理成功状态响应
          return of(httpEvent);
        } else {
          return of(httpEvent);
@@ -169,12 +176,7 @@ export class DefaultInterceptor implements HttpInterceptor {
        // 处理失败响应，处理token过期自动刷新
        switch (err.status) {
          case 401:
-            if (this.refreshTokenEnabled) {
+            return this.tryRefreshToken(err, newReq, next);
              return this.tryRefreshToken(err, req, next);
            }
            this.toLogin();
            break;
          case 403:
          case 404:
          case 500:
            this.goTo(`/exception/${err.status}?url=${req.urlWithParams}`);
@@ -191,7 +193,6 @@ export class DefaultInterceptor implements HttpInterceptor {
            break;
        }
        this.checkStatus(err);
        console.warn(`${err.status} == ${err.message}`);
        return throwError(err);
      })
    );
--- a/web-app/src/app/layout/basic/widgets/notify.component.ts
+++ b/web-app/src/app/layout/basic/widgets/notify.component.ts
@@ -60,6 +60,10 @@ export class HeaderNotifyComponent implements OnInit {
        if (message.code === 0) {
          let page = message.data;
          let alerts = page.content;
          if (alerts == undefined) {
            this.loading = false;
            return;
          }
          this.data[0].list = [];
          alerts.forEach(alert => {
            let item = {
--- a/web-app/src/app/service/auth.service.spec.ts
+++ b/web-app/src/app/service/auth.service.spec.ts
@@ -0,0 +1,16 @@
 import { TestBed } from '@angular/core/testing';
 import { AuthService } from './auth.service';
 describe('AuthService', () => {
  let service: AuthService;
  beforeEach(() => {
    TestBed.configureTestingModule({});
    service = TestBed.inject(AuthService);
  });
  it('should be created', () => {
    expect(service).toBeTruthy();
  });
 });
--- a/web-app/src/app/service/auth.service.ts
+++ b/web-app/src/app/service/auth.service.ts
@@ -0,0 +1,18 @@
 import { HttpClient, HttpParams } from '@angular/common/http';
 import { Injectable } from '@angular/core';
 import { Observable } from 'rxjs';
 import { Message } from '../pojo/Message';
 const account_auth_refresh_uri = '/account/auth/refresh';
@Injectable({
  providedIn: 'root'
 })
 export class AuthService {
  constructor(private http: HttpClient) {}
  public refreshToken(refreshToken: string): Observable<Message<any>> {
    return this.http.get<Message<any>>(`${account_auth_refresh_uri}/${refreshToken}`);
  }
 }