详解Go-JWT-RESTful身份认证教程_Golang_

 let tmpstr = base64(header)+base64(claims) let signature = encrypt(tmpstr,secret) //最后三者用"."连接,即： let token = base64(header)+"."+base64(claims)+"."+signature

 let tokenString = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1Njc3Nzc5NjIsImp0aSI6IjUiLCJpYXQiOjE1Njc2OTE1NjIsImlzcyI6ImZlbGl4Lm1vam90di5jbiIsImlkIjo1LCJjcmVhdGVkX2F0IjoiMjAxOS0wOS0wNVQxMTo1Njo1OS41NjI1NDcwODYrMDg6MDAiLCJ1cGRhdGVkX2F0IjoiMjAxOS0wOS0wNVQxNjo1ODoyMC41NTYxNjAwOTIrMDg6MDAiLCJ1c2VybmFtZSI6ImVyaWMiLCJuaWNrX25hbWUiOiIiLCJlbWFpbCI6IjEyMzQ1NkBxcS5jb20iLCJtb2JpbGUiOiIiLCJyb2xlX2lkIjo4LCJzdGF0dXMiOjAsImF2YXRhciI6Ii8vdGVjaC5tb2pvdHYuY24vYXNzZXRzL2ltYWdlL2F2YXRhcl8zLnBuZyIsInJlbWFyayI6IiIsImZyaWVuZF9pZHMiOm51bGwsImthcm1hIjowLCJjb21tZW50X2lkcyI6bnVsbH0.tGjukvuE9JVjzDa42iGfh_5jIembO5YZBZDqLnaG6KQ' function parseTokenGetUser(jwtTokenString) { let base64Url = jwtTokenString.split('.')[1]; let base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/'); let jsonPayload = decodeURIComponent(atob(base64).split('').map(function (c) { return '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2); }).join('')); let user = JSON.parse(jsonPayload); localStorage.setItem("token", jwtTokenString); localStorage.setItem("expire_ts", user.exp); localStorage.setItem("user", jsonPayload); return user; } parseTokenGetUser(tokenString)

 r := gin.New() r.MaxMultipartMemory = 32 << 20 //sever static file in http's root path binStaticMiddleware, err := felixbin.NewGinStaticBinMiddleware("/") if err != nil { return err } //支持跨域 mwCORS := cors.New(cors.Config{ AllowOrigins: []string{"*"}, AllowMethods: []string{"PUT", "PATCH", "POST", "GET", "DELETE"}, AllowHeaders: []string{"Origin", "Authorization", "Content-Type"}, ExposeHeaders: []string{"Content-Type"}, AllowCredentials: true, AllowOriginFunc: func(origin string) bool { return true }, MaxAge: 2400 * time.Hour, }) r.Use(binStaticMiddleware, mwCORS) { r.POST("comment-login", internal.LoginCommenter) //评论用户登陆 r.POST("comment-register", internal.RegisterCommenter) //评论用户注册 } api := r.Group("api") api.POST("admin-login", internal.LoginAdmin) //管理后台登陆

 func LoginCommenter(c *gin.Context) { var mdl model.User err := c.ShouldBind(&mdl) if handleError(c, err) { return } //获取ip ip := c.ClientIP() //roleId 8 是评论系统的用户 data, err := mdl.Login(ip, 8) if handleError(c, err) { return } jsonData(c, data) }

 //Login func (m *User) Login(ip string, roleId uint) (string, error) { m.Id = 0 if m.Password == "" { return "", errors.New("password is required") } inputPassword := m.Password //获取登录的用户 err := db.Where("username = ? or email = ?", m.Username, m.Username).First(&m).Error if err != nil { return "", err } //校验用户角色 if (m.RoleId & roleId) != roleId { return "", fmt.Errorf("not role of %d", roleId) } //验证密码 //password is set to bcrypt check if err := bcrypt.CompareHashAndPassword([]byte(m.HashedPassword), []byte(inputPassword)); err != nil { return "", err } //防止密码泄露 m.Password = "" //生成jwt-string return jwtGenerateToken(m, time.Hour*24*365) } 

 package model import ( "errors" "fmt" "time" "github.com/dgrijalva/jwt-go" "github.com/sirupsen/logrus" ) var AppSecret = ""//viper.GetString会设置这个值(32byte长度) var AppIss = "github.com/libragen/felix"//这个值会被viper.GetString重写 //自定义payload结构体,不建议直接使用 dgrijalva/jwt-go `jwt.StandardClaims`结构体.因为他的payload包含的用户信息太少. type userStdClaims struct { jwt.StandardClaims *User } //实现 `type Claims interface` 的 `Valid() error` 方法,自定义校验内容 func (c userStdClaims) Valid() (err error) { if c.VerifyExpiresAt(time.Now().Unix(), true) == false { return errors.New("token is expired") } if !c.VerifyIssuer(AppIss, true) { return errors.New("token's issuer is wrong") } if c.User.Id < 1 { return errors.New("invalid user in jwt") } return } func jwtGenerateToken(m *User,d time.Duration) (string, error) { m.Password = "" expireTime := time.Now().Add(d) stdClaims := jwt.StandardClaims{ ExpiresAt: expireTime.Unix(), IssuedAt: time.Now().Unix(), Id: fmt.Sprintf("%d", m.Id), Issuer: AppIss, } uClaims := userStdClaims{ StandardClaims: stdClaims, User: m, } token := jwt.NewWithClaims(jwt.SigningMethodHS256, uClaims) // Sign and get the complete encoded token as a string using the secret tokenString, err := token.SignedString([]byte(AppSecret)) if err != nil { logrus.WithError(err).Fatal("config is wrong, can not generate jwt") } return tokenString, err } //JwtParseUser 解析payload的内容,得到用户信息 //gin-middleware 会使用这个方法 func JwtParseUser(tokenString string) (*User, error) { if tokenString == "" { return nil, errors.New("no token is found in Authorization Bearer") } claims := userStdClaims{} _, err := jwt.ParseWithClaims(tokenString, &claims, func(token *jwt.Token) (interface{}, error) { if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"]) } return []byte(AppSecret), nil }) if err != nil { return nil, err } return claims.User, err } 

 package internal import ( "net/http" "strings" "github.com/libragen/felix/model" "github.com/gin-gonic/gin" ) const contextKeyUserObj = "authedUserObj" const bearerLength = len("Bearer ") func ctxTokenToUser(c *gin.Context, roleId uint) { token, ok := c.GetQuery("_t") if !ok { hToken := c.GetHeader("Authorization") if len(hToken) < bearerLength { c.AbortWithStatusJSON(http.StatusPreconditionFailed, gin.H{"msg": "header Authorization has not Bearer token"}) return } token = strings.TrimSpace(hToken[bearerLength:]) } usr, err := model.JwtParseUser(token) if err != nil { c.AbortWithStatusJSON(http.StatusPreconditionFailed, gin.H{"msg": err.Error()}) return } if (usr.RoleId & roleId) != roleId { c.AbortWithStatusJSON(http.StatusPreconditionFailed, gin.H{"msg": "roleId 没有权限"}) return } //store the user Model in the context c.Set(contextKeyUserObj, *usr) c.Next() // after request } func MwUserAdmin(c *gin.Context) { ctxTokenToUser(c, 2) } func MwUserComment(c *gin.Context) { ctxTokenToUser(c, 8) }