166 lines
5.4 KiB
PHP
166 lines
5.4 KiB
PHP
<?php
|
||
|
||
declare(strict_types=1);
|
||
|
||
namespace app\api\controller\v1;
|
||
|
||
use ba\Random;
|
||
use Throwable;
|
||
use app\common\controller\Api;
|
||
use app\common\facade\Token;
|
||
use app\common\library\Auth as UserAuth;
|
||
use app\common\library\AgentJwt;
|
||
use app\common\model\MallUserAsset;
|
||
use app\admin\model\Admin;
|
||
use Webman\Http\Request;
|
||
use support\Response;
|
||
|
||
/**
|
||
* API v1 鉴权接口
|
||
*/
|
||
class Auth extends Api
|
||
{
|
||
/**
|
||
* Agent Token 类型
|
||
*/
|
||
public const TOKEN_TYPE = 'agent';
|
||
|
||
/**
|
||
* 时间戳有效范围(秒),防止重放攻击
|
||
*/
|
||
protected int $timeTolerance = 300;
|
||
|
||
/**
|
||
* 临时登录 token 有效期(秒)
|
||
*/
|
||
protected int $tempTokenExpire = 86400;
|
||
|
||
/**
|
||
* 获取鉴权 Token(GET 请求)
|
||
* 参数仅从 Query 读取:signature、secret、agent_id、time
|
||
* 返回:authtoken;失败返回 code=0 及失败信息
|
||
*/
|
||
public function authToken(Request $request): Response
|
||
{
|
||
$response = $this->initializeApi($request);
|
||
if ($response !== null) {
|
||
return $response;
|
||
}
|
||
|
||
$signature = $request->get('signature', '');
|
||
$secret = $request->get('secret', '');
|
||
$agentId = $request->get('agent_id', '');
|
||
$time = $request->get('time', '');
|
||
|
||
if ($signature === '' || $secret === '' || $agentId === '' || $time === '') {
|
||
return $this->error(__('Parameter signature/secret/agent_id/time can not be empty'));
|
||
}
|
||
|
||
$timestamp = intval($time);
|
||
if ($timestamp <= 0) {
|
||
return $this->error(__('Invalid timestamp'));
|
||
}
|
||
|
||
$now = time();
|
||
if ($timestamp < $now - $this->timeTolerance || $timestamp > $now + $this->timeTolerance) {
|
||
return $this->error(__('Timestamp expired'));
|
||
}
|
||
|
||
$admin = Admin::where('agent_id', $agentId)->find();
|
||
if (!$admin) {
|
||
return $this->error(__('Agent not found'));
|
||
}
|
||
|
||
$apiSecret = strval($admin->agent_api_secret ?? '');
|
||
if ($apiSecret === '') {
|
||
return $this->error(__('Agent not found'));
|
||
}
|
||
|
||
if ($apiSecret !== $secret) {
|
||
return $this->error(__('Invalid agent or secret'));
|
||
}
|
||
|
||
$expectedSignature = strtoupper(md5($agentId . $secret . $time));
|
||
if (!hash_equals($expectedSignature, $signature)) {
|
||
return $this->error(__('Invalid signature'));
|
||
}
|
||
|
||
$expire = intval(config('buildadmin.agent_auth.token_expire', 86400));
|
||
$payload = [
|
||
'agent_id' => $agentId,
|
||
'admin_id' => $admin->id,
|
||
];
|
||
$authtoken = AgentJwt::encode($payload, $expire);
|
||
|
||
return $this->success('', [
|
||
'authtoken' => $authtoken,
|
||
]);
|
||
}
|
||
|
||
/**
|
||
* H5 临时登录(GET/POST)
|
||
* 参数:username
|
||
* 写入或复用 mall_user_asset;签发 muser 类型 token(user_id 为资产表主键)
|
||
*/
|
||
public function temLogin(Request $request): Response
|
||
{
|
||
$response = $this->initializeApi($request);
|
||
if ($response !== null) {
|
||
return $response;
|
||
}
|
||
|
||
$enabled = config('buildadmin.agent_auth.temp_login_enable', false);
|
||
if (!$enabled) {
|
||
return $this->error(__('Temp login is disabled'));
|
||
}
|
||
|
||
$username = trim(strval($request->get('username', $request->post('username', ''))));
|
||
// 兼容:querystring 中未编码的 '+' 会被解析为空格(application/x-www-form-urlencoded 规则)
|
||
// 例如:/api/v1/temLogin?username=+607... 期望保留 '+',则从原始 querystring 提取并还原
|
||
if ($username !== '' && str_contains($username, ' ')) {
|
||
$qs = $request->queryString();
|
||
if (is_string($qs) && $qs !== '') {
|
||
foreach (explode('&', $qs) as $pair) {
|
||
if ($pair === '' || !str_contains($pair, '=')) {
|
||
continue;
|
||
}
|
||
[$k, $v] = explode('=', $pair, 2);
|
||
if (rawurldecode($k) === 'username') {
|
||
// 先把 %xx 解码;注意这里不把 '+' 当空格处理,从而保留 '+'
|
||
$username = trim(rawurldecode($v));
|
||
break;
|
||
}
|
||
}
|
||
}
|
||
}
|
||
if ($username === '') {
|
||
return $this->error(__('Parameter username can not be empty'));
|
||
}
|
||
|
||
try {
|
||
$asset = MallUserAsset::ensureForUsername($username);
|
||
} catch (Throwable $e) {
|
||
return $this->error($e->getMessage());
|
||
}
|
||
|
||
$token = Random::uuid();
|
||
$refreshToken = Random::uuid();
|
||
$expire = config('buildadmin.agent_auth.temp_login_expire', $this->tempTokenExpire);
|
||
$assetId = intval($asset->getKey());
|
||
Token::set($token, UserAuth::TOKEN_TYPE_MALL_USER, $assetId, $expire);
|
||
Token::set($refreshToken, UserAuth::TOKEN_TYPE_MALL_USER . '-refresh', $assetId, 2592000);
|
||
|
||
return $this->success('', [
|
||
'userInfo' => [
|
||
'id' => $assetId,
|
||
'username' => strval($asset->username ?? ''),
|
||
'nickname' => strval($asset->username ?? ''),
|
||
'playx_user_id' => strval($asset->playx_user_id ?? ''),
|
||
'token' => $token,
|
||
'refresh_token' => $refreshToken,
|
||
'expires_in' => $expire,
|
||
],
|
||
]);
|
||
}
|
||
}
|