feat: user auth.
This commit is contained in:
@@ -2,6 +2,7 @@ package controllers
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"hr_receiver/config"
|
||||
"hr_receiver/models"
|
||||
"hr_receiver/mqtt"
|
||||
"hr_receiver/util"
|
||||
@@ -82,7 +83,21 @@ func (sc *SystemDebugController) MqttWebSocket(c *gin.Context) {
|
||||
c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid token"})
|
||||
return
|
||||
}
|
||||
if claims.Role != models.UserRoleSuperAdmin {
|
||||
|
||||
var user models.User
|
||||
if err := config.DB.First(&user, claims.UserID).Error; err != nil {
|
||||
c.JSON(http.StatusUnauthorized, gin.H{"error": "user not found"})
|
||||
return
|
||||
}
|
||||
if !user.IsActive {
|
||||
c.JSON(http.StatusForbidden, gin.H{"error": "user is disabled"})
|
||||
return
|
||||
}
|
||||
if util.IsTokenRevoked(&user, claims) {
|
||||
c.JSON(http.StatusUnauthorized, gin.H{"error": "token has been revoked"})
|
||||
return
|
||||
}
|
||||
if user.Role != models.UserRoleSuperAdmin {
|
||||
c.JSON(http.StatusForbidden, gin.H{"error": "super admin required"})
|
||||
return
|
||||
}
|
||||
|
||||
@@ -7,6 +7,7 @@ import (
|
||||
"net/http"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
"gorm.io/gorm"
|
||||
@@ -23,6 +24,7 @@ type userAdminPayload struct {
|
||||
Password string `json:"password"`
|
||||
Phone *string `json:"phone"`
|
||||
RegionIDs []uint32 `json:"regionIds"`
|
||||
RevokeTokens *bool `json:"revokeTokens"`
|
||||
Role models.UserRole `json:"role"`
|
||||
Username string `json:"username"`
|
||||
}
|
||||
@@ -38,6 +40,7 @@ type userAdminListItem struct {
|
||||
RegionIDs []uint32 `json:"regionIds"`
|
||||
Regions []models.UserRegionBinding `json:"regions"`
|
||||
Role models.UserRole `json:"role"`
|
||||
TokenInvalidBefore int64 `json:"tokenInvalidBefore"`
|
||||
UpdatedAt int64 `json:"updated_at"`
|
||||
Username string `json:"username"`
|
||||
}
|
||||
@@ -161,6 +164,7 @@ func (uc *UserAdminController) Update(c *gin.Context) {
|
||||
}
|
||||
|
||||
if err := uc.DB.Transaction(func(tx *gorm.DB) error {
|
||||
revokeTokens := payload.RevokeTokens != nil && *payload.RevokeTokens
|
||||
updateData := map[string]interface{}{
|
||||
"username": user.Username,
|
||||
"email": user.Email,
|
||||
@@ -172,6 +176,9 @@ func (uc *UserAdminController) Update(c *gin.Context) {
|
||||
if strings.TrimSpace(payload.Password) != "" {
|
||||
updateData["password"] = user.Password
|
||||
}
|
||||
if revokeTokens {
|
||||
updateData["token_invalid_before"] = time.Now().UnixMilli()
|
||||
}
|
||||
if err := tx.Model(&models.User{}).Where("id = ?", user.ID).Updates(updateData).Error; err != nil {
|
||||
return err
|
||||
}
|
||||
@@ -211,6 +218,10 @@ func (uc *UserAdminController) Delete(c *gin.Context) {
|
||||
respondUserLookupError(c, err)
|
||||
return
|
||||
}
|
||||
if isProtectedAdminAccount(user.Username) {
|
||||
writeError(c, http.StatusBadRequest, "cannot delete protected admin user")
|
||||
return
|
||||
}
|
||||
currentUserID, _, ok := currentUser(c)
|
||||
if ok && currentUserID == user.ID {
|
||||
writeError(c, http.StatusBadRequest, "cannot delete current user")
|
||||
@@ -271,6 +282,7 @@ func (uc *UserAdminController) buildUserAdminItems(users []models.User) ([]userA
|
||||
RegionIDs: user.RegionIDs(),
|
||||
Regions: user.Regions,
|
||||
Role: user.Role,
|
||||
TokenInvalidBefore: user.TokenInvalidBefore,
|
||||
UpdatedAt: user.UpdatedAt,
|
||||
Username: user.Username,
|
||||
}
|
||||
@@ -336,6 +348,10 @@ func normalizeOptionalString(value *string) *string {
|
||||
return &trimmed
|
||||
}
|
||||
|
||||
func isProtectedAdminAccount(username string) bool {
|
||||
return strings.EqualFold(strings.TrimSpace(username), "admin")
|
||||
}
|
||||
|
||||
func respondUserLookupError(c *gin.Context, err error) {
|
||||
if errors.Is(err, gorm.ErrRecordNotFound) {
|
||||
writeError(c, http.StatusNotFound, "user not found")
|
||||
|
||||
@@ -35,11 +35,6 @@ func JWTAuth() gin.HandlerFunc {
|
||||
return
|
||||
}
|
||||
|
||||
role := claims.Role
|
||||
flavorType := claims.FlavorType
|
||||
regionIDs := claims.RegionIDs
|
||||
|
||||
if role == "" || flavorType == "" {
|
||||
var user models.User
|
||||
if err := config.DB.Preload("Regions").First(&user, claims.UserID).Error; err != nil {
|
||||
c.JSON(http.StatusUnauthorized, gin.H{"error": "User not found"})
|
||||
@@ -51,17 +46,18 @@ func JWTAuth() gin.HandlerFunc {
|
||||
c.Abort()
|
||||
return
|
||||
}
|
||||
role = user.Role
|
||||
flavorType = user.FlavorType
|
||||
regionIDs = user.RegionIDs()
|
||||
if util.IsTokenRevoked(&user, claims) {
|
||||
c.JSON(http.StatusUnauthorized, gin.H{"error": "Token has been revoked"})
|
||||
c.Abort()
|
||||
return
|
||||
}
|
||||
|
||||
// 将用户信息存入上下文
|
||||
c.Set("userID", claims.UserID)
|
||||
c.Set("username", claims.Username)
|
||||
c.Set("role", role)
|
||||
c.Set("flavorType", flavorType)
|
||||
c.Set("regionIDs", regionIDs)
|
||||
c.Set("role", user.Role)
|
||||
c.Set("flavorType", user.FlavorType)
|
||||
c.Set("regionIDs", user.RegionIDs())
|
||||
|
||||
c.Next()
|
||||
}
|
||||
|
||||
@@ -43,6 +43,7 @@ type User struct {
|
||||
Role UserRole `gorm:"type:varchar(32);not null;default:'viewer';index" json:"role"`
|
||||
FlavorType UserFlavorType `gorm:"type:varchar(32);not null;default:'all';index" json:"flavorType"`
|
||||
IsActive bool `gorm:"not null;default:true;index" json:"isActive"`
|
||||
TokenInvalidBefore int64 `gorm:"not null;default:0" json:"tokenInvalidBefore"`
|
||||
Regions []UserRegionBinding `gorm:"foreignKey:UserID;constraint:OnDelete:CASCADE" json:"regions"`
|
||||
CreatedAt int64 `gorm:"not null" json:"created_at"`
|
||||
UpdatedAt int64 `gorm:"not null" json:"updated_at"`
|
||||
|
||||
+20
-5
@@ -20,8 +20,7 @@ type Claims struct {
|
||||
|
||||
// GenerateToken 生成JWT Token
|
||||
func GenerateToken(user *models.User) (string, error) {
|
||||
expirationTime := time.Now().Add(24 * 30 * time.Hour) // Token有效期24小时
|
||||
//expirationTime := time.Now().Add(1 * time.Second) // Token有效期24小时
|
||||
now := time.Now()
|
||||
|
||||
claims := &Claims{
|
||||
UserID: user.ID,
|
||||
@@ -30,12 +29,15 @@ func GenerateToken(user *models.User) (string, error) {
|
||||
FlavorType: user.FlavorType,
|
||||
RegionIDs: user.RegionIDs(),
|
||||
RegisteredClaims: jwt.RegisteredClaims{
|
||||
ExpiresAt: jwt.NewNumericDate(expirationTime),
|
||||
IssuedAt: jwt.NewNumericDate(time.Now()),
|
||||
NotBefore: jwt.NewNumericDate(time.Now()),
|
||||
IssuedAt: jwt.NewNumericDate(now),
|
||||
NotBefore: jwt.NewNumericDate(now),
|
||||
Issuer: "your-app-name",
|
||||
},
|
||||
}
|
||||
if user.FlavorType != models.UserFlavorHeartRate {
|
||||
expirationTime := now.Add(24 * 30 * time.Hour)
|
||||
claims.ExpiresAt = jwt.NewNumericDate(expirationTime)
|
||||
}
|
||||
|
||||
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
||||
tokenString, err := token.SignedString([]byte(ApiSecret))
|
||||
@@ -61,3 +63,16 @@ func ParseToken(tokenStr string) (*Claims, error) {
|
||||
|
||||
return claims, nil
|
||||
}
|
||||
|
||||
func IsTokenRevoked(user *models.User, claims *Claims) bool {
|
||||
if user == nil || claims == nil {
|
||||
return true
|
||||
}
|
||||
if user.TokenInvalidBefore <= 0 {
|
||||
return false
|
||||
}
|
||||
if claims.IssuedAt == nil {
|
||||
return true
|
||||
}
|
||||
return claims.IssuedAt.UnixMilli() <= user.TokenInvalidBefore
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user