From c2ce8085c2c027d8664007791e8e5c41ac4f1fa0 Mon Sep 17 00:00:00 2001
From: zhenhui <1276357500@qq.com>
Date: Mon, 30 Mar 2026 15:19:22 +0800
Subject: [PATCH] =?UTF-8?q?API=E6=8E=A5=E5=8F=A3-=E4=BC=98=E5=8C=96/?=
 =?UTF-8?q?=E5=88=9B=E5=BB=BA=E4=BF=9D=E5=AD=98jwt?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .env-example                           |  6 +++-
 app/api/controller/v1/Playx.php        |  9 +++++
 app/common/library/PlayxInboundJwt.php | 48 ++++++++++++++++++++++++++
 config/buildadmin.php                  |  4 +--
 config/playx.php                       |  5 +++
 5 files changed, 69 insertions(+), 3 deletions(-)
 create mode 100644 app/common/library/PlayxInboundJwt.php

diff --git a/.env-example b/.env-example
index a9e61eb..f34c445 100644
--- a/.env-example
+++ b/.env-example
@@ -24,8 +24,12 @@ PLAYX_POINTS_TO_CASH_RATIO=0.1
 PLAYX_RETURN_RATIO=0.1
 # 解锁比例：今日可领取上限 = yesterday_total_deposit * unlock_ratio
 PLAYX_UNLOCK_RATIO=0.1
-# Daily Push 签名校验密钥（建议从部署系统注入，避免写入代码/仓库）
+# Daily Push 签名校验密钥（HMAC，建议从部署系统注入，避免写入代码/仓库）
 PLAYX_DAILY_PUSH_SECRET=
+# 合作方回调 JWT 验签密钥（HS256，与对端私发密钥一致；与上一项可同时配置，则两种均需通过）
+PLAYX_PARTNER_JWT_SECRET=5590a339502b133f4d0c545c3cdad159a4827dfccb3f51bb110c56f9b96568ca
+# Agent authtoken（/api/v1/authToken）JWT 签名密钥；留空则使用下方 buildadmin.token.key
+AGENT_AUTH_JWT_SECRET=
 # token 会话缓存过期时间（秒）
 PLAYX_SESSION_EXPIRE_SECONDS=3600
 # PlayX API（商城调用 PlayX 时使用）
diff --git a/app/api/controller/v1/Playx.php b/app/api/controller/v1/Playx.php
index fcebd0d..f181db5 100644
--- a/app/api/controller/v1/Playx.php
+++ b/app/api/controller/v1/Playx.php
@@ -14,6 +14,7 @@ use app\common\model\MallPlayxDailyPush;
 use app\common\model\MallPlayxSession;
 use app\common\model\MallPlayxOrder;
 use app\common\model\MallPlayxUserAsset;
+use app\common\library\PlayxInboundJwt;
 use support\think\Db;
 use Webman\Http\Request;
 use support\Response;
@@ -156,6 +157,14 @@ class Playx extends Api
             return $response;
         }
 
+        $partnerJwtSecret = strval(config('playx.partner_jwt_secret', ''));
+        if ($partnerJwtSecret !== '') {
+            $authHeader = strval($request->header('authorization', ''));
+            if (!PlayxInboundJwt::verifyBearer($authHeader, $partnerJwtSecret)) {
+                return $this->error(__('Invalid or missing JWT'), null, 0, ['statusCode' => 401]);
+            }
+        }
+
         $body = $request->post();
         if (empty($body)) {
             $raw = $request->rawBody();
diff --git a/app/common/library/PlayxInboundJwt.php b/app/common/library/PlayxInboundJwt.php
new file mode 100644
index 0000000..ea4976f
--- /dev/null
+++ b/app/common/library/PlayxInboundJwt.php
@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+
+namespace app\common\library;
+
+use Firebase\JWT\JWT;
+use Firebase\JWT\Key;
+use Firebase\JWT\ExpiredException;
+use Firebase\JWT\SignatureInvalidException;
+
+/**
+ * PlayX / 合作方回调：校验 Authorization: Bearer JWT（HS256）
+ */
+class PlayxInboundJwt
+{
+    public const ALG = 'HS256';
+
+    /**
+     * 从 Authorization 头解析 Bearer token 并校验签名与有效期
+     */
+    public static function verifyBearer(string $authorizationHeader, string $secret): bool
+    {
+        if ($secret === '') {
+            return false;
+        }
+        $token = self::extractBearer($authorizationHeader);
+        if ($token === '') {
+            return false;
+        }
+        try {
+            JWT::decode($token, new Key($secret, self::ALG));
+
+            return true;
+        } catch (ExpiredException|SignatureInvalidException|\Throwable) {
+            return false;
+        }
+    }
+
+    public static function extractBearer(string $authorizationHeader): string
+    {
+        if (preg_match('/Bearer\s+(\S+)/i', $authorizationHeader, $m)) {
+            return $m[1];
+        }
+
+        return '';
+    }
+}
diff --git a/config/buildadmin.php b/config/buildadmin.php
index 63ee27a..67221a2 100644
--- a/config/buildadmin.php
+++ b/config/buildadmin.php
@@ -87,8 +87,8 @@ return [
         'agents'       => [
             // 'agent_001' => 'your_secret_key',
         ],
-        // JWT 签名密钥（留空则使用 token.key）
-        'jwt_secret'   => '',
+        // JWT 签名密钥（留空则使用 token.key）；建议 AGENT_AUTH_JWT_SECRET 注入
+        'jwt_secret'   => strval(env('AGENT_AUTH_JWT_SECRET', '')),
         // 是否启用 H5 临时登录接口 /api/v1/temLogin
         'temp_login_enable' => true,
         // Token 有效期（秒），默认 24 小时
diff --git a/config/playx.php b/config/playx.php
index 4bd4af4..888ea34 100644
--- a/config/playx.php
+++ b/config/playx.php
@@ -12,6 +12,11 @@ return [
     'points_to_cash_ratio' => floatval(env('PLAYX_POINTS_TO_CASH_RATIO', '0.1')),
     // Daily Push 签名校验（PlayX 调用商城时使用）
     'daily_push_secret' => strval(env('PLAYX_DAILY_PUSH_SECRET', '')),
+    /**
+     * 合作方 JWT 验签密钥（HS256）。非空时：daily-push 等回调需带 Authorization: Bearer
+     * 仅写入部署环境变量，勿提交仓库。
+     */
+    'partner_jwt_secret' => strval(env('PLAYX_PARTNER_JWT_SECRET', '')),
     // token 会话缓存过期时间（秒）
     'session_expire_seconds' => intval(env('PLAYX_SESSION_EXPIRE_SECONDS', '3600')),
     /**