diff --git a/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/jwt/JwtService.java b/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/jwt/JwtService.java
index b6a661fe..b6ea29a8 100644
--- a/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/jwt/JwtService.java
+++ b/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/jwt/JwtService.java
@@ -10,7 +10,7 @@ import java.util.Map;
 */
 public interface JwtService {
- String build(Map body);
+ String build(Map body, String extraSk);
- Map parse(String jwt);
+ Map parse(String jwt, String extraSk);
 }
diff --git a/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/jwt/impl/JwtServiceImpl.java b/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/jwt/impl/JwtServiceImpl.java
index 6c7f1f38..15cb49bb 100644
--- a/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/jwt/impl/JwtServiceImpl.java
+++ b/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/jwt/impl/JwtServiceImpl.java
@@ -4,6 +4,7 @@ import com.google.common.collect.Maps;
 import io.jsonwebtoken.*;
 import io.jsonwebtoken.io.Decoders;
 import io.jsonwebtoken.security.Keys;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Service;
 import tech.powerjob.server.auth.jwt.JwtService;
@@ -44,9 +45,9 @@ public class JwtServiceImpl implements JwtService {
 ;
 @Override
- public String build(Map body) {
+ public String build(Map body, String extraSk) {
- final String secret = secretProvider.fetchSecretKey();
+ final String secret = fetchSk(extraSk);
 return innerBuild(secret, jwtExpireTime, body);
 }
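Review bot: The new `extraSk` parameter on `build` and `parse` is undocumented, and the only visible contract is that both call sites in PowerJobAuthServiceImpl (`parseUserName`, `fillJwt`) pass a bare `null`. The interface should say what the value is, that null or empty means the base secret alone, and that `parse` must be given the same value that `build` received, since the implementation derives the key from it on both sides; a Javadoc such as `@param extraSk optional extra secret material folded into the signing key; null/empty uses the base secret only, and parse must receive the same value that was passed to build` on both methods would cover it. A convenience overload, `default Map parse(String jwt) { return parse(jwt, null); }` and the same for `build`, would also spare callers the unexplained `null` literals.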
@@ -62,8 +63,15 @@ public class JwtServiceImpl implements JwtService {
 }
 @Override
- public Map parse(String jwt) {
- return innerParse(secretProvider.fetchSecretKey(), jwt);
+ public Map parse(String jwt, String extraSk) {
+ return innerParse(fetchSk(extraSk), jwt);
+ }
+
+ private String fetchSk(String extraSk) {
+ if (StringUtils.isEmpty(extraSk)) {
+ return secretProvider.fetchSecretKey();
+ }
+ return secretProvider.fetchSecretKey().concat(extraSk);
 }
 static Map innerParse(String secret, String jwtStr) {
diff --git a/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/service/PowerJobAuthServiceImpl.java b/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/service/PowerJobAuthServiceImpl.java
index 0460fefa..f716f93a 100644
--- a/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/service/PowerJobAuthServiceImpl.java
+++ b/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/service/PowerJobAuthServiceImpl.java
@@ -42,7 +42,7 @@ public class PowerJobAuthServiceImpl implements PowerJobAuthService {
 private static final String JWT_NAME = "power_jwt";
- private static final String KEY_USERID = "userId";
+ private static final String KEY_USERNAME = "userName";
 @Autowired
 public PowerJobAuthServiceImpl(List loginServices, JwtService jwtService, UserInfoRepository userInfoRepository, UserRoleRepository userRoleRepository) {
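Review bot: `fetchSk` derives the per-caller signing material by plain string concatenation, `secretProvider.fetchSecretKey().concat(extraSk)`, so the result depends only on where the boundary falls (base `ab` with extra `cd` and base `abc` with extra `d` give the same key) and the derived string embeds the base secret verbatim. It also depends on how `innerBuild`/`innerParse` turn the string into a key — `Decoders` is imported, so if the secret is Base64-decoded there, an arbitrary `extraSk` may yield a string that is not valid Base64 or whose decoded bytes have no clean relation to the input; both bodies are outside the hunk, so this part is inferred. A keyed derivation, HMAC-SHA256 over `extraSk` with the base secret as the key, gives unambiguous fixed-length material and keeps the base secret out of the derived value; the sketch below needs only JDK imports (`javax.crypto.Mac`, `javax.crypto.spec.SecretKeySpec`, `java.nio.charset.StandardCharsets`, `java.util.Base64`, `java.security.GeneralSecurityException`), and the final encoding has to match whatever textual form `innerBuild` expects for the secret, which Base64 stands in for here. The method should also carry a short Javadoc stating that `parse` must be called with the same `extraSk` as `build`.
```java
private String fetchSk(String extraSk) {
    final String baseSecret = secretProvider.fetchSecretKey();
    if (StringUtils.isEmpty(extraSk)) {
        return baseSecret;
    }
    try {
        // keyed derivation instead of concatenation: unambiguous, fixed length, base secret not embedded
        final Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(baseSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        final byte[] derived = mac.doFinal(extraSk.getBytes(StandardCharsets.UTF_8));
        // encode in the form innerBuild/innerParse expect for the secret string (Base64 assumed here)
        return Base64.getEncoder().encodeToString(derived);
    } catch (GeneralSecurityException e) {
        throw new IllegalStateException("failed to derive jwt secret", e);
    }
}
```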
@@ -100,8 +100,8 @@ public class PowerJobAuthServiceImpl implements PowerJobAuthService {
 @Override
 public Optional ifLogin(HttpServletRequest httpServletRequest) {
- final Optional userIdOpt = parseUserId(httpServletRequest);
- return userIdOpt.flatMap(aLong -> userInfoRepository.findById(aLong).map(userInfoDO -> {
+ final Optional userNameOpt = parseUserName(httpServletRequest);
+ return userNameOpt.flatMap(uname -> userInfoRepository.findByUsername(uname).map(userInfoDO -> {
 PowerJobUser powerJobUser = new PowerJobUser();
 BeanUtils.copyProperties(userInfoDO, powerJobUser);
 return powerJobUser;
@@ -144,7 +144,7 @@ public class PowerJobAuthServiceImpl implements PowerJobAuthService {
 return false;
 }
- private Optional parseUserId(HttpServletRequest httpServletRequest) {
+ private Optional parseUserName(HttpServletRequest httpServletRequest) {
 // header、cookie 都能获取
 String jwtStr = httpServletRequest.getHeader(JWT_NAME);
 if (StringUtils.isEmpty(jwtStr)) {
@@ -157,14 +157,14 @@ public class PowerJobAuthServiceImpl implements PowerJobAuthService {
 if (StringUtils.isEmpty(jwtStr)) {
 return Optional.empty();
 }
- final Map jwtBodyMap = jwtService.parse(jwtStr);
- final Object userId = jwtBodyMap.get(KEY_USERID);
+ final Map jwtBodyMap = jwtService.parse(jwtStr, null);
+ final Object userName = jwtBodyMap.get(KEY_USERNAME);
- if (userId == null) {
+ if (userName == null) {
 return Optional.empty();
 }
- return Optional.of(Long.parseLong(String.valueOf(userId)));
+ return Optional.of(String.valueOf(userName));
 }
 private BizLoginService fetchBizLoginService(LoginContext loginContext) {
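Review bot: With `ifLogin` now resolving the session through `findByUsername(uname)`, the token is bound to a human-chosen identifier rather than the row id: if usernames can be renamed or a deleted account's name re-registered (not visible here), an outstanding JWT issued to the old holder resolves to whoever owns that name when it is presented, until it expires. If the schema makes username immutable and unique this is fine and deserves a one-line comment at the lookup, e.g. `// username is immutable and unique, so the claim identifies exactly one account for the token's lifetime`; otherwise a stable, non-enumerable subject (an opaque random id stored with the user) keeps the anti-enumeration intent of the `fillJwt` change without the rebinding risk. The lambda body of `ifLogin` continues past the end of the hunk.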
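Review bot: `parseUserName` calls `jwtService.parse(jwtStr, null)` with no handling for a malformed, tampered or expired token; if `innerParse` lets JJWT's `JwtException` propagate (its body is outside the hunk), a stale cookie turns the "not logged in" answer of `ifLogin` into an uncaught exception instead of `Optional.empty()`. Declaring the map first and guarding the call, `final Map jwtBodyMap; try { jwtBodyMap = jwtService.parse(jwtStr, null); } catch (JwtException e) { return Optional.empty(); }`, keeps the method's contract of returning an empty Optional for anything that does not identify a user (a debug-level log of the failure is enough; the token itself should not be logged). This needs the `io.jsonwebtoken.JwtException` import in this class, and whether the exception is already caught further up the call chain cannot be seen here.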
@@ -179,8 +179,9 @@ public class PowerJobAuthServiceImpl implements PowerJobAuthService {
 private void fillJwt(PowerJobUser powerJobUser) {
 Map jwtMap = Maps.newHashMap();
- jwtMap.put(KEY_USERID, powerJobUser.getId());
+ // 不能下发 userId,容易被轮询爆破
+ jwtMap.put(KEY_USERNAME, powerJobUser.getUsername());
- powerJobUser.setJwtToken(jwtService.build(jwtMap));
+ powerJobUser.setJwtToken(jwtService.build(jwtMap, null));
 }
 }
diff --git a/powerjob-server/powerjob-server-auth/src/test/java/tech/powerjob/server/auth/jwt/impl/JwtServiceImplTest.java b/powerjob-server/powerjob-server-auth/src/test/java/tech/powerjob/server/auth/jwt/impl/JwtServiceImplTest.java
index e60f77aa..19a6cfe6 100644
--- a/powerjob-server/powerjob-server-auth/src/test/java/tech/powerjob/server/auth/jwt/impl/JwtServiceImplTest.java
+++ b/powerjob-server/powerjob-server-auth/src/test/java/tech/powerjob/server/auth/jwt/impl/JwtServiceImplTest.java
@@ -20,6 +20,7 @@ class JwtServiceImplTest {
 Map body = Maps.newHashMap();
 body.put("userId", 277);
 body.put("name", "tjq");
+ body.put("language", "简体中文");
 final String jwtToken = JwtServiceImpl.innerBuild("tjq", 2, body);
 log.info("[JWT] token: {}", jwtToken);