mojiahui/dafuweng-saiadmin6.x
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

优化登录接口以及中间件

Browse Source
This commit is contained in:
zhenhui
2026-03-05 16:20:18 +08:00
parent e5f83846b3
commit 39955a17a8
12 changed files with 268 additions and 516 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
server/app/api/cache/AuthTokenCache.php vendored
View File

@@ -1,54 +0,0 @@
<?php
declare(strict_types=1);
namespace app\api\cache;
use support\think\Cache;
/**
* 按设备标识存储当前有效的 auth-token同一设备只保留最新一个旧 token 自动失效
*/
class AuthTokenCache
{
private static function prefix(): string
{
return config('api.auth_token_device_prefix', 'api:auth_token:');
}
/**
* 设置该设备当前有效的 auth-token会覆盖同设备之前的 token使旧 token 失效)
* @param string $device 设备标识,如 dice
* @param string $token 完整 auth-token 字符串
* @param int $ttl 过期时间(秒),应与 auth_token_exp 一致
*/
public static function setDeviceToken(string $device, string $token, int $ttl): bool
{
if ($device === '' || $ttl <= 0) {
return false;
}
$key = self::prefix() . $device;
return Cache::set($key, $token, $ttl);
}
/**
* 获取该设备当前有效的 auth-token不存在或已过期返回 null
*/
public static function getDeviceToken(string $device): ?string
{
if ($device === '') {
return null;
}
$key = self::prefix() . $device;
$value = Cache::get($key);
return $value !== null && $value !== '' ? (string) $value : null;
}
/**
* 校验请求中的 token 是否为该设备当前唯一有效 token
*/
public static function isCurrentToken(string $device, string $token): bool
{
$current = self::getDeviceToken($device);
return $current !== null && $current === $token;
}
}

48
server/app/api/cache/UserCache.php vendored
View File

@@ -178,4 +178,52 @@ class UserCache
$current = self::getCurrentUserToken($userId); $current = self::getCurrentUserToken($userId);
return $current !== null && $current === $token; return $current !== null && $current === $token;
} }
/** 按 username 的登录会话 key 前缀token 中间件:存在即视为已登录) */
private static function sessionUsernamePrefix(): string
{
return config('api.session_username_prefix', 'api:user:session:');
}
private static function sessionExpire(): int
{
return (int) config('api.session_expire', 604800);
}
/** 设置 username 当前有效 tokenJWT重新登录会覆盖实现单点登录 */
public static function setSessionByUsername(string $username, string $token): bool
{
if ($username === '' || $token === '') {
return false;
}
$key = self::sessionUsernamePrefix() . $username;
return Cache::set($key, $token, self::sessionExpire());
}
/** 获取 username 当前在服务端登记的有效 tokenJWT不存在返回 null */
public static function getSessionTokenByUsername(string $username): ?string
{
if ($username === '') {
return null;
}
$key = self::sessionUsernamePrefix() . $username;
$val = Cache::get($key);
return $val !== null && $val !== '' ? (string) $val : null;
}
/** 检查 username 是否已有登录会话Redis 中是否存在当前 token */
public static function hasSessionByUsername(string $username): bool
{
return self::getSessionTokenByUsername($username) !== null;
}
/** 删除 username 登录会话(退出登录时调用) */
public static function deleteSessionByUsername(string $username): bool
{
if ($username === '') {
return false;
}
$key = self::sessionUsernamePrefix() . $username;
return Cache::delete($key);
}
} }

90
server/app/api/controller/AuthTokenController.php
View File

@@ -1,90 +0,0 @@
<?php
declare(strict_types=1);
namespace app\api\controller;
use support\Request;
use support\Response;
use Tinywan\Jwt\JwtToken;
use plugin\saiadmin\basic\OpenController;
use app\api\util\ReturnCode;
use app\api\cache\AuthTokenCache;
/**
* API 鉴权 Token 接口
* 仅支持 GET必传参数signature、secret、device、time签名规则signature = md5(device . secret . time)
* 后续所有 /api 接口调用均需在请求头携带此接口返回的 auth-token
*/
class AuthTokenController extends OpenController
{
/**
* 获取 auth-token
* GET /api/authToken
* 参数signature签名、secret密钥、device设备标识、time时间戳四者均为必传且非空
*/
public function index(Request $request): Response
{
if (strtoupper($request->method()) !== 'GET') {
return $this->fail('仅支持 GET 请求', ReturnCode::PARAMS_ERROR);
}
$param = $request->get();
$signature = trim((string) ($param['signature'] ?? ''));
$secret = trim((string) ($param['secret'] ?? ''));
$device = trim((string) ($param['device'] ?? ''));
$time = trim((string) ($param['time'] ?? ''));
if ($signature === '' || $secret === '' || $device === '' || $time === '') {
return $this->fail('signature、secret、device、time 均为必传且不能为空', ReturnCode::PARAMS_ERROR);
}
$serverSecret = trim((string) config('api.auth_token_secret', ''));
if ($serverSecret === '') {
return $this->fail('服务未配置 API_AUTH_TOKEN_SECRET', ReturnCode::PARAMS_ERROR);
}
if ($secret !== $serverSecret) {
return $this->fail('密钥错误', ReturnCode::FORBIDDEN);
}
$tolerance = (int) config('api.auth_token_time_tolerance', 300);
$now = time();
$ts = is_numeric($time) ? (int) $time : 0;
if ($ts <= 0 || abs($now - $ts) > $tolerance) {
return $this->fail('时间戳无效或已过期', ReturnCode::PARAMS_ERROR);
}
$sign = $this->getAuthToken($device, $serverSecret, $time);
if ($sign !== $signature) {
return $this->fail('签名验证失败', ReturnCode::FORBIDDEN);
}
$exp = (int) config('api.auth_token_exp', 86400);
$tokenResult = JwtToken::generateToken([
'id' => 0,
'plat' => 'api',
'device' => $device,
'access_exp' => $exp,
]);
// 同一设备只保留最新 token覆盖后旧 token 失效
AuthTokenCache::setDeviceToken($device, $tokenResult['access_token'], $exp);
return $this->success([
'auth-token' => $tokenResult['access_token'],
'expires_in' => $tokenResult['expires_in'],
]);
}
/**
* 生成签名signature = md5(device . secret . time)
*
* @param string $device 设备标识
* @param string $secret 密钥(来自配置)
* @param string $time 时间戳
* @return string
*/
private function getAuthToken(string $device, string $secret, string $time): string
{
return md5($device . $secret . $time);
}
}

11
server/app/api/controller/GameController.php
View File

@@ -7,7 +7,6 @@ use support\Request;
use support\Response; use support\Response;
use app\api\logic\GameLogic; use app\api\logic\GameLogic;
use app\api\logic\PlayStartLogic; use app\api\logic\PlayStartLogic;
use app\api\logic\UserLogic;
use app\api\util\ReturnCode; use app\api\util\ReturnCode;
use app\dice\model\play_record\DicePlayRecord; use app\dice\model\play_record\DicePlayRecord;
use app\dice\model\player\DicePlayer; use app\dice\model\player\DicePlayer;
@@ -23,12 +22,12 @@ class GameController extends OpenController
/** /**
* 购买抽奖券 * 购买抽奖券
* POST /api/game/buyLotteryTickets * POST /api/game/buyLotteryTickets
* header: auth-token, user-token由 CheckUserTokenMiddleware 注入 request->user_id * header: tokenTokenMiddleware 注入 request->player_id
* body: count = 1 | 5 | 101次/100coin, 5次/500coin, 10次/1000coin * body: count = 1 | 5 | 101次/100coin, 5次/500coin, 10次/1000coin
*/ */
public function buyLotteryTickets(Request $request): Response public function buyLotteryTickets(Request $request): Response
{ {
$userId = UserLogic::getUserIdFromRequest($request) ?? 0; $userId = (int) ($request->player_id ?? 0);
$count = (int) $request->post('count', 0); $count = (int) $request->post('count', 0);
if (!in_array($count, [1, 5, 10], true)) { if (!in_array($count, [1, 5, 10], true)) {
return $this->fail('购买抽奖券错误', ReturnCode::PARAMS_ERROR); return $this->fail('购买抽奖券错误', ReturnCode::PARAMS_ERROR);
@@ -52,7 +51,7 @@ class GameController extends OpenController
/** /**
* 获取彩金池(中奖配置表) * 获取彩金池(中奖配置表)
* GET /api/game/lotteryPool * GET /api/game/lotteryPool
* header: auth-token * header: token
* 返回 DiceRewardConfig 列表(彩金池/中奖配置) * 返回 DiceRewardConfig 列表(彩金池/中奖配置)
*/ */
public function lotteryPool(Request $request): Response public function lotteryPool(Request $request): Response
@@ -64,12 +63,12 @@ class GameController extends OpenController
/** /**
* 开始游戏(抽奖一局) * 开始游戏(抽奖一局)
* POST /api/game/playStart * POST /api/game/playStart
* header: auth-token, user-token由 CheckUserTokenMiddleware 注入 request->user_id * header: tokenTokenMiddleware 注入 request->player_id
* body: rediction 必传0=无 1=中奖 * body: rediction 必传0=无 1=中奖
*/ */
public function playStart(Request $request): Response public function playStart(Request $request): Response
{ {
$userId = UserLogic::getUserIdFromRequest($request) ?? 0; $userId = (int) ($request->player_id ?? 0);
$rediction = $request->post('rediction'); $rediction = $request->post('rediction');
if ($rediction === '' || $rediction === null) { if ($rediction === '' || $rediction === null) {
return $this->fail('请传递 rediction 参数', ReturnCode::PARAMS_ERROR); return $this->fail('请传递 rediction 参数', ReturnCode::PARAMS_ERROR);

110
server/app/api/controller/UserController.php
View File

@@ -13,77 +13,85 @@ use app\dice\model\player_wallet_record\DicePlayerWalletRecord;
use plugin\saiadmin\basic\OpenController; use plugin\saiadmin\basic\OpenController;
/** /**
* API 用户登录/注册 * API 用户登录
* 需先携带 auth-token登录/注册成功后返回 user-token 与用户信息,用户信息已写入 Rediskey=base64(user_id)value=加密) * 登录接口 /api/user/Login 无需 token其余接口需在请求头携带 tokenbase64(username.-.time)),由 TokenMiddleware 鉴权并注入 request->player_id / request->player
*/ */
class UserController extends OpenController class UserController extends OpenController
{ {
/** /**
* 登录 * 登录JSON body
* POST /api/user/login * POST /api/user/Login
* body: phone (+60), password * body: { "username": "+60123456789", "password": "123456", "lang": "chs", "coin": 2000.00, "time": 1772692089 }
* 根据 username 查找或创建 DicePlayer按 coin 增减平台币,会话写 Redis返回带 token 的连接地址
*/ */
public function login(Request $request): Response public function Login(Request $request): Response
{ {
$phone = $request->post('phone', ''); $body = $request->rawBody();
$password = $request->post('password', ''); if ($body === '' || $body === null) {
if ($phone === '' || $password === '') { return $this->fail('请提交 JSON body', ReturnCode::PARAMS_ERROR);
return $this->fail('请填写手机号和密码', ReturnCode::PARAMS_ERROR); }
$data = json_decode($body, true);
if (!is_array($data)) {
return $this->fail('JSON 格式错误', ReturnCode::PARAMS_ERROR);
}
$username = trim((string) ($data['username'] ?? ''));
$password = trim((string) ($data['password'] ?? ''));
$lang = trim((string) ($data['lang'] ?? 'chs'));
$coin = isset($data['coin']) ? (float) $data['coin'] : 0.0;
$time = isset($data['time']) ? (string) $data['time'] : (string) time();
if ($username === '' || $password === '') {
return $this->fail('username、password 不能为空', ReturnCode::PARAMS_ERROR);
} }
$logic = new UserLogic();
$data = $logic->login($phone, $password);
return $this->success([
'user' => $data['user'],
'user-token' => $data['user-token'],
'user_id' => $data['user_id'],
]);
}
/** try {
* 注册 $logic = new UserLogic();
* POST /api/user/register $result = $logic->loginByUsername($username, $password, $lang, $coin, $time);
* body: phone (+60), password, nickname(可选) return $this->success([
*/ 'url' => $result['url'],
public function register(Request $request): Response 'token' => $result['token'],
{ 'lang' => $result['lang'],
$phone = $request->post('phone', ''); 'user_id' => $result['user_id'],
$password = $request->post('password', ''); 'user' => $result['user'],
$nickname = $request->post('nickname'); ]);
if ($phone === '' || $password === '') { } catch (\plugin\saiadmin\exception\ApiException $e) {
return $this->fail('请填写手机号和密码', ReturnCode::PARAMS_ERROR); return $this->fail($e->getMessage(), ReturnCode::PARAMS_ERROR);
} }
$logic = new UserLogic();
$data = $logic->register($phone, $password, $nickname ? (string) $nickname : null);
return $this->success([
'user' => $data['user'],
'user-token' => $data['user-token'],
'user_id' => $data['user_id'],
]);
} }
/** /**
* 退出登录 * 退出登录
* POST /api/user/logout * POST /api/user/logout
* header: user-token由 CheckUserTokenMiddleware 校验并注入 request->userToken * header: tokenJWT清除该 username 的 Redis 会话
*/ */
public function logout(Request $request): Response public function logout(Request $request): Response
{ {
$token = $request->userToken ?? UserLogic::getTokenFromRequest($request); $token = $request->header('token');
if ($token === '' || !UserLogic::logout($token)) { if ($token === null || $token === '') {
return $this->fail('退出失败或 token 已失效', ReturnCode::TOKEN_INVALID); $auth = $request->header('authorization');
if ($auth && stripos($auth, 'Bearer ') === 0) {
$token = trim(substr($auth, 7));
}
} }
$token = $token !== null ? trim((string) $token) : '';
if ($token === '') {
return $this->fail('请携带 token', ReturnCode::UNAUTHORIZED);
}
$username = UserLogic::getUsernameFromJwtPayload($token);
if ($username === null || $username === '') {
return $this->fail('token 无效', ReturnCode::TOKEN_INVALID);
}
UserCache::deleteSessionByUsername($username);
return $this->success('已退出登录'); return $this->success('已退出登录');
} }
/** /**
* 获取当前用户信息 * 获取当前用户信息
* GET /api/user/info * GET /api/user/info
* header: user-tokenCheckUserTokenMiddleware 校验并注入 request->user_id * header: token由 TokenMiddleware 校验并注入 request->player_id
* 返回id, username, phone, uid, name, coin, total_ticket_count
*/ */
public function info(Request $request): Response public function info(Request $request): Response
{ {
$userId = UserLogic::getUserIdFromRequest($request) ?? 0; $userId = (int) ($request->player_id ?? 0);
$user = UserLogic::getCachedUser($userId); $user = UserLogic::getCachedUser($userId);
if (empty($user)) { if (empty($user)) {
return $this->fail('用户不存在', ReturnCode::NOT_FOUND); return $this->fail('用户不存在', ReturnCode::NOT_FOUND);
@@ -99,13 +107,13 @@ class UserController extends OpenController
} }
/** /**
* 获取钱包余额(优先读缓存,缓存未命中时从库拉取并回写缓存 * 获取钱包余额(优先读缓存)
* GET /api/user/balance * GET /api/user/balance
* header: user-tokenCheckUserTokenMiddleware 校验并注入 request->user_id * header: token由 TokenMiddleware 注入 request->player_id
*/ */
public function balance(Request $request): Response public function balance(Request $request): Response
{ {
$userId = UserLogic::getUserIdFromRequest($request) ?? 0; $userId = (int) ($request->player_id ?? 0);
$user = UserLogic::getCachedUser($userId); $user = UserLogic::getCachedUser($userId);
if (empty($user)) { if (empty($user)) {
return $this->fail('用户不存在', ReturnCode::NOT_FOUND); return $this->fail('用户不存在', ReturnCode::NOT_FOUND);
@@ -124,12 +132,12 @@ class UserController extends OpenController
/** /**
* 玩家钱包流水 * 玩家钱包流水
* GET /api/user/walletRecord * GET /api/user/walletRecord
* header: user-tokenCheckUserTokenMiddleware 校验并注入 request->user_id * header: token由 TokenMiddleware 注入 request->player_id
* 参数: page 页码默认1, limit 每页条数默认10, create_time_min/create_time_max 创建时间范围(可选) * 参数: page 页码默认1, limit 每页条数默认10, create_time_min/create_time_max 创建时间范围(可选)
*/ */
public function walletRecord(Request $request): Response public function walletRecord(Request $request): Response
{ {
$userId = UserLogic::getUserIdFromRequest($request) ?? 0; $userId = (int) ($request->player_id ?? 0);
$page = (int) $request->post('page', 1); $page = (int) $request->post('page', 1);
$limit = (int) $request->post('limit', 10); $limit = (int) $request->post('limit', 10);
if ($page < 1) { if ($page < 1) {
@@ -166,12 +174,12 @@ class UserController extends OpenController
/** /**
* 游玩记录 * 游玩记录
* GET /api/user/playGameRecord * GET /api/user/playGameRecord
* header: user-tokenCheckUserTokenMiddleware 校验并注入 request->user_id * header: token由 TokenMiddleware 注入 request->player_id
* 参数: page 页码默认1, limit 每页条数默认10, create_time_min/create_time_max 创建时间范围(可选) * 参数: page 页码默认1, limit 每页条数默认10, create_time_min/create_time_max 创建时间范围(可选)
*/ */
public function playGameRecord(Request $request): Response public function playGameRecord(Request $request): Response
{ {
$userId = UserLogic::getUserIdFromRequest($request) ?? 0; $userId = (int) ($request->player_id ?? 0);
$page = (int) $request->post('page', 1); $page = (int) $request->post('page', 1);
$limit = (int) $request->post('limit', 10); $limit = (int) $request->post('limit', 10);
if ($page < 1) { if ($page < 1) {

210
server/app/api/logic/UserLogic.php
View File

@@ -33,78 +33,6 @@ class UserLogic
} }
} }
/**
* 登录:手机号 + 密码,返回用户信息与 user-token并写入 Redis 缓存
*/
public function login(string $phone, string $password): array
{
self::validatePhone($phone);
$user = DicePlayer::where('phone', $phone)->find();
if (!$user) {
throw new ApiException('手机号未注册');
}
if ((int) $user->status !== self::STATUS_NORMAL) {
throw new ApiException('账号已被禁用');
}
$hashed = $this->hashPassword($password);
if ($user->password !== $hashed) {
throw new ApiException('密码错误');
}
$userArr = $user->hidden(['password'])->toArray();
UserCache::setUser((int) $user->id, $userArr);
$userToken = $this->generateUserToken((int) $user->id);
// 同一用户只保留最新一次登录的 token旧 token 自动失效
UserCache::setCurrentUserToken((int) $user->id, $userToken);
return [
'user' => $userArr,
'user-token' => $userToken,
'user_id' => (int) $user->id,
];
}
/**
* 注册:手机号 + 密码(+60创建玩家并返回用户信息与 user-token写入 Redis
*/
public function register(string $phone, string $password, ?string $nickname = null): array
{
self::validatePhone($phone);
if (strlen($password) < 6) {
throw new ApiException('密码至少 6 位');
}
$exists = DicePlayer::where('phone', $phone)->find();
if ($exists) {
throw new ApiException('该手机号已注册');
}
$user = new DicePlayer();
$user->phone = $phone;
$user->username = $phone;
if ($nickname !== null && $nickname !== '') {
$user->name = $nickname;
}
// name 未传时由 DicePlayer::onBeforeInsert 默认设为 uid
$user->password = $this->hashPassword($password);
$user->status = self::STATUS_NORMAL;
$user->save();
$userArr = $user->hidden(['password'])->toArray();
UserCache::setUser((int) $user->id, $userArr);
$userToken = $this->generateUserToken((int) $user->id);
// 同一用户只保留最新一次登录的 token旧 token 自动失效
UserCache::setCurrentUserToken((int) $user->id, $userToken);
return [
'user' => $userArr,
'user-token' => $userToken,
'user_id' => (int) $user->id,
];
}
/** /**
* 与 DicePlayerLogic 一致的密码加密md5(salt . password) * 与 DicePlayerLogic 一致的密码加密md5(salt . password)
*/ */
@@ -114,97 +42,83 @@ class UserLogic
} }
/** /**
* 生成 user-tokenJWTplat=api_userid=user_id * 登录JSONusername, password, lang, coin, time
* 存在则校验密码并更新 coin累加不存在则创建用户并写入 coin。
* 将会话写入 Redis返回 token 与前端连接地址。
*/ */
private function generateUserToken(int $userId): string public function loginByUsername(string $username, string $password, string $lang, float $coin, string $time): array
{ {
$exp = config('api.user_token_exp', 604800); $username = trim($username);
$result = JwtToken::generateToken([ if ($username === '') {
'id' => $userId, throw new ApiException('username 不能为空');
'plat' => 'api_user', }
$player = DicePlayer::where('username', $username)->find();
if ($player) {
$hashed = $this->hashPassword($password);
if ($player->password !== $hashed) {
throw new ApiException('密码错误');
}
$currentCoin = (float) $player->coin;
$player->coin = $currentCoin + $coin;
$player->save();
} else {
$player = new DicePlayer();
$player->username = $username;
$player->phone = $username;
$player->password = $this->hashPassword($password);
$player->status = self::STATUS_NORMAL;
$player->coin = $coin;
$player->save();
}
$exp = (int) config('api.session_expire', 604800);
$tokenResult = JwtToken::generateToken([
'id' => (int) $player->id,
'username' => $username,
'plat' => 'api_login',
'access_exp' => $exp, 'access_exp' => $exp,
]); ]);
return $result['access_token']; $token = $tokenResult['access_token'];
UserCache::setSessionByUsername($username, $token);
$userArr = $player->hidden(['password'])->toArray();
UserCache::setUser((int) $player->id, $userArr);
$baseUrl = rtrim(config('api.login_url_base', 'https://127.0.0.1:6777'), '/');
$lang = in_array($lang, ['chs', 'en'], true) ? $lang : 'chs';
$tokenInUrl = str_replace('%3D', '=', urlencode($token));
$url = $baseUrl . '?token=' . $tokenInUrl . '&lang=' . $lang;
return [
'url' => $url,
'token' => $token,
'lang' => $lang,
'user_id' => (int) $player->id,
'user' => $userArr,
];
} }
/** /**
* 从请求中解析 user-tokenheader: user-token 或 Authorization: Bearer * 从 JWT 中解析 username仅解码 payload不校验签名与过期用于退出时清除会话
* @param object $request 需有 header(string $name) 方法
*/ */
public static function getTokenFromRequest(object $request): string public static function getUsernameFromJwtPayload(string $token): ?string
{ {
$token = $request->header('user-token') ?? ''; $parts = explode('.', $token);
if ($token !== '') { if (count($parts) !== 3) {
return trim((string) $token);
}
$auth = $request->header('authorization');
if ($auth && stripos($auth, 'Bearer ') === 0) {
return trim(substr($auth, 7));
}
return '';
}
/**
* 从请求获取当前用户 ID优先 request->user_id否则从 header 的 user-token 解析
* 中间件未正确注入时仍可兜底解析
* @param object $request 需有 user_id 属性及 header() 方法
*/
public static function getUserIdFromRequest(object $request): ?int
{
$id = $request->user_id ?? null;
if ($id !== null && (int) $id > 0) {
return (int) $id;
}
$token = self::getTokenFromRequest($request);
if ($token === '') {
return null; return null;
} }
return self::getUserIdFromToken($token); $payload = base64_decode(strtr($parts[1], '-_', '+/'), true);
} if ($payload === false) {
/**
* 根据 user-token 获取 user_id不写缓存仅解析 JWT
* 若 token 已通过退出接口加入黑名单,返回 null
*/
public static function getUserIdFromToken(string $userToken): ?int
{
if (UserCache::isTokenBlacklisted($userToken)) {
return null; return null;
} }
try { $data = json_decode($payload, true);
$decoded = JwtToken::verify(1, $userToken); if (!is_array($data)) {
$extend = $decoded['extend'] ?? [];
if (($extend['plat'] ?? '') !== 'api_user') {
return null;
}
$id = $extend['id'] ?? null;
if ($id === null) {
return null;
}
$userId = (int) $id;
// 同一用户只允许当前登记的 token 生效,重新登录/注册后旧 token 失效
if (!UserCache::isCurrentUserToken($userId, $userToken)) {
return null;
}
return $userId;
} catch (\Throwable $e) {
return null; return null;
} }
} $extend = $data['extend'] ?? $data;
$username = $extend['username'] ?? null;
/** return $username !== null ? trim((string) $username) : null;
* 退出登录:将当前 user-token 加入黑名单,使该 token 失效
*/
public static function logout(string $userToken): bool
{
try {
$decoded = JwtToken::verify(1, $userToken);
$exp = (int) ($decoded['exp'] ?? 0);
$ttl = $exp > time() ? $exp - time() : 86400;
return UserCache::addTokenToBlacklist($userToken, $ttl);
} catch (\Throwable $e) {
return false;
}
} }
/** /**

109
server/app/api/middleware/CheckAuthTokenMiddleware.php
View File

@@ -1,109 +0,0 @@
<?php
declare(strict_types=1);
namespace app\api\middleware;
use support\Log;
use Webman\Http\Request;
use Webman\Http\Response;
use Webman\MiddlewareInterface;
use Tinywan\Jwt\JwtToken;
use Tinywan\Jwt\Exception\JwtTokenException;
use Tinywan\Jwt\Exception\JwtTokenExpiredException;
use app\api\util\ReturnCode;
use app\api\cache\AuthTokenCache;
use plugin\saiadmin\exception\ApiException;
/**
* 仅校验 auth-token 请求头
* 白名单路径(如 /api/authToken不校验其它接口必须携带有效 auth-token 或 Authorization: Bearer <token>,且必须通过 JWT 签名与 plat=api 校验
*/
class CheckAuthTokenMiddleware implements MiddlewareInterface
{
/** 不需要 auth-token 的路径 */
private const WHITELIST = [
'api/authToken',
];
/** JWT 至少为 xxx.yyy.zzz 三段 */
private const JWT_PARTS_MIN = 3;
public function process(Request $request, callable $handler): Response
{
$path = trim((string) $request->path(), '/');
if ($this->isWhitelist($path)) {
return $handler($request);
}
$token = $this->getAuthTokenFromRequest($request);
if ($token === '') {
throw new ApiException('请携带 auth-token', ReturnCode::UNAUTHORIZED);
}
if (!$this->looksLikeJwt($token)) {
throw new ApiException('auth-token 格式无效', ReturnCode::TOKEN_INVALID);
}
$decoded = $this->verifyAuthToken($token);
$extend = $decoded['extend'] ?? [];
if (($extend['plat'] ?? '') !== 'api') {
throw new ApiException('auth-token 无效(非 API 凭证)', ReturnCode::TOKEN_INVALID);
}
// 同一设备只允许一个 auth-token 生效,非当前 token 视为已失效
$device = (string) ($extend['device'] ?? '');
if ($device !== '' && !AuthTokenCache::isCurrentToken($device, $token)) {
throw new ApiException('auth-token 已失效(该设备已签发新凭证,请使用新 auth-token', ReturnCode::TOKEN_INVALID);
}
return $handler($request);
}
private function getAuthTokenFromRequest(Request $request): string
{
$token = $request->header('auth-token');
if ($token !== null && $token !== '') {
return trim((string) $token);
}
$auth = $request->header('authorization');
if ($auth && stripos($auth, 'Bearer ') === 0) {
return trim(substr($auth, 7));
}
return '';
}
private function looksLikeJwt(string $token): bool
{
$parts = explode('.', $token);
return count($parts) >= self::JWT_PARTS_MIN;
}
/**
* 校验 auth-token 有效性签名、过期、iss 等),无效或过期必抛 ApiException
*/
private function verifyAuthToken(string $token): array
{
try {
return JwtToken::verify(1, $token);
} catch (JwtTokenExpiredException $e) {
Log::error('auth-token 已过期, 报错信息' . $e);
throw new ApiException('auth-token 已过期', ReturnCode::TOKEN_INVALID);
} catch (JwtTokenException $e) {
Log::error('auth-token 无效, 报错信息' . $e);
throw new ApiException($e->getMessage() ?: 'auth-token 无效', ReturnCode::TOKEN_INVALID);
} catch (\Throwable $e) {
Log::error('auth-token 校验失败, 报错信息' . $e);
throw new ApiException('auth-token 校验失败', ReturnCode::TOKEN_INVALID);
}
}
private function isWhitelist(string $path): bool
{
foreach (self::WHITELIST as $prefix) {
if ($path === $prefix || str_starts_with($path, $prefix . '/')) {
return true;
}
}
return false;
}
}

42
server/app/api/middleware/CheckUserTokenMiddleware.php
View File

@@ -1,42 +0,0 @@
<?php
declare(strict_types=1);
namespace app\api\middleware;
use Webman\Http\Request;
use Webman\Http\Response;
use Webman\MiddlewareInterface;
use app\api\logic\UserLogic;
use app\api\util\ReturnCode;
use plugin\saiadmin\exception\ApiException;
/**
* 校验 user-token 请求头
* 从 header 读取 user-token 或 Authorization: Bearer <user-token>,校验通过后将 user_id、userToken 写入 request 供控制器使用
*/
class CheckUserTokenMiddleware implements MiddlewareInterface
{
public function process(Request $request, callable $handler): Response
{
$token = $request->header('user-token');
if (empty($token)) {
$auth = $request->header('authorization');
if ($auth && stripos($auth, 'Bearer ') === 0) {
$token = trim(substr($auth, 7));
}
}
if (empty($token)) {
throw new ApiException('请携带 user-token', ReturnCode::UNAUTHORIZED);
}
$userId = UserLogic::getUserIdFromToken($token);
if ($userId === null) {
throw new ApiException('user-token 无效或已过期', ReturnCode::TOKEN_INVALID);
}
$request->user_id = $userId;
$request->userToken = $token;
return $handler($request);
}
}

78
server/app/api/middleware/TokenMiddleware.php Normal file
View File

@@ -0,0 +1,78 @@
<?php
declare(strict_types=1);
namespace app\api\middleware;
use app\api\cache\UserCache;
use app\api\util\ReturnCode;
use app\dice\model\player\DicePlayer;
use plugin\saiadmin\exception\ApiException;
use Tinywan\Jwt\JwtToken;
use Tinywan\Jwt\Exception\JwtTokenException;
use Tinywan\Jwt\Exception\JwtTokenExpiredException;
use Webman\Http\Request;
use Webman\Http\Response;
use Webman\MiddlewareInterface;
/**
* 校验 token 请求头JWT
* 解码 JWT 取 username与 Redis 中当前有效 token 比对;不一致则旧 token 已失效,请重新登录
* 通过后注入 request->player_id、request->player
*/
class TokenMiddleware implements MiddlewareInterface
{
public function process(Request $request, callable $handler): Response
{
$token = $request->header('token');
if ($token === null || $token === '') {
$auth = $request->header('authorization');
if ($auth && stripos($auth, 'Bearer ') === 0) {
$token = trim(substr($auth, 7));
}
}
$token = $token !== null ? trim((string) $token) : '';
if ($token === '') {
throw new ApiException('请携带 token', ReturnCode::UNAUTHORIZED);
}
try {
$decoded = JwtToken::verify(1, $token);
} catch (JwtTokenExpiredException $e) {
throw new ApiException('token 已过期,请重新登录', ReturnCode::TOKEN_INVALID);
} catch (JwtTokenException $e) {
throw new ApiException('token 无效', ReturnCode::TOKEN_INVALID);
} catch (\Throwable $e) {
throw new ApiException('token 格式无效', ReturnCode::TOKEN_INVALID);
}
$extend = $decoded['extend'] ?? [];
if ((string) ($extend['plat'] ?? '') !== 'api_login') {
throw new ApiException('token 无效', ReturnCode::TOKEN_INVALID);
}
$username = trim((string) ($extend['username'] ?? ''));
if ($username === '') {
throw new ApiException('token 无效', ReturnCode::TOKEN_INVALID);
}
$currentToken = UserCache::getSessionTokenByUsername($username);
if ($currentToken === null || $currentToken === '') {
$player = DicePlayer::where('username', $username)->find();
if (!$player) {
throw new ApiException('请注册', ReturnCode::TOKEN_INVALID);
}
throw new ApiException('请重新登录', ReturnCode::TOKEN_INVALID);
}
if ($currentToken !== $token) {
throw new ApiException('请重新登录(当前账号已在其他处登录)', ReturnCode::TOKEN_INVALID);
}
$player = DicePlayer::where('username', $username)->find();
if (!$player) {
UserCache::deleteSessionByUsername($username);
throw new ApiException('请重新登录', ReturnCode::TOKEN_INVALID);
}
$request->player_id = (int) $player->id;
$request->player = $player;
return $handler($request);
}
}

6
server/config/api.php
View File

@@ -3,6 +3,12 @@
* API 鉴权与用户相关配置 * API 鉴权与用户相关配置
*/ */
return [ return [
// 登录成功返回的连接地址前缀,如 https://127.0.0.1:6777
'login_url_base' => env('API_LOGIN_URL_BASE', 'https://127.0.0.1:6777'),
// 按 username 存储的登录会话 Redis key 前缀,用于 token 中间件校验
'session_username_prefix' => env('API_SESSION_USERNAME_PREFIX', 'api:user:session:'),
// 登录会话过期时间(秒),默认 7 天
'session_expire' => (int) env('API_SESSION_EXPIRE', 604800),
// auth-token 签名密钥(与客户端约定,用于 /api/authToken 的 signature 校验,必填) // auth-token 签名密钥(与客户端约定,用于 /api/authToken 的 signature 校验,必填)
'auth_token_secret' => env('API_AUTH_TOKEN_SECRET', ''), 'auth_token_secret' => env('API_AUTH_TOKEN_SECRET', ''),
// auth-token 时间戳允许误差(秒),防重放,默认 300 秒 // auth-token 时间戳允许误差(秒),防重放,默认 300 秒

18
server/config/route.php
View File

@@ -13,19 +13,14 @@
*/ */
use Webman\Route; use Webman\Route;
use app\api\middleware\CheckAuthTokenMiddleware; use app\api\middleware\TokenMiddleware;
use app\api\middleware\CheckUserTokenMiddleware;
// 仅需 auth-token 的路由组authToken 接口在中间件内白名单跳过) // 登录接口:无需 token提交 JSON 获取带 token 的连接地址
Route::group('/api', function () { Route::group('/api', function () {
Route::any('/authToken', [app\api\controller\AuthTokenController::class, 'index']); Route::any('/user/Login', [app\api\controller\UserController::class, 'Login']);
Route::any('/user/login', [app\api\controller\UserController::class, 'login']); })->middleware([]);
Route::any('/user/register', [app\api\controller\UserController::class, 'register']);
})->middleware([
CheckAuthTokenMiddleware::class,
]);
// 需 auth-token + user-token 的路由组 // 其余接口:仅经 token 中间件鉴权header: tokenbase64(username.-.time)
Route::group('/api', function () { Route::group('/api', function () {
Route::any('/user/logout', [app\api\controller\UserController::class, 'logout']); Route::any('/user/logout', [app\api\controller\UserController::class, 'logout']);
Route::any('/user/info', [app\api\controller\UserController::class, 'info']); Route::any('/user/info', [app\api\controller\UserController::class, 'info']);
@@ -36,6 +31,5 @@ Route::group('/api', function () {
Route::any('/game/lotteryPool', [app\api\controller\GameController::class, 'lotteryPool']); Route::any('/game/lotteryPool', [app\api\controller\GameController::class, 'lotteryPool']);
Route::any('/game/playStart', [app\api\controller\GameController::class, 'playStart']); Route::any('/game/playStart', [app\api\controller\GameController::class, 'playStart']);
})->middleware([ })->middleware([
CheckAuthTokenMiddleware::class, TokenMiddleware::class,
CheckUserTokenMiddleware::class,
]); ]);

8
server/support/Request.php
View File

@@ -20,11 +20,11 @@ namespace support;
*/ */
class Request extends \Webman\Http\Request class Request extends \Webman\Http\Request
{ {
/** 由 CheckUserTokenMiddleware 注入:当前用户 ID */ /** 由 TokenMiddleware 注入:当前玩家 IDDicePlayer.id */
public ?int $user_id = null; public ?int $player_id = null;
/** 由 CheckUserTokenMiddleware 注入:当前 user-token 原始字符串 */ /** 由 TokenMiddleware 注入:当前玩家模型实例 */
public ?string $userToken = null; public $player = null;
/** /**
* 获取参数增强方法 * 获取参数增强方法