1.重构websocket连接

2026-05-27 10:28:39 +08:00
parent a7c2a29764
commit 8f5ba977a4
12 changed files with 1101 additions and 144 deletions
--- a/app/common/service/GameWebSocketAuthHelper.php
+++ b/app/common/service/GameWebSocketAuthHelper.php
@@ -0,0 +1,224 @@
+<?php
+
+declare(strict_types=1);
+
+namespace app\common\service;
+
+use app\common\facade\Token;
+use app\common\library\Auth;
+use support\Redis;
+use Throwable;
+
+/**
+ * WebSocket 握手鉴权助手（与 HTTP §1.3 对齐）：
+ *
+ * 两种合法身份：
+ * 1) **mobile（H5/移动端）**：URL Query 必须带 `auth_token` + `user_token`，校验通过后绑定 user_id；
+ *    分发器对 user 级主题（bet.win 等）按 user_id 过滤，只发本人。
+ * 2) **admin（后台联调/实时对局页）**：URL Query 必须带 `auth_token` + `admin_ws_token`；
+ *    `admin_ws_token` 由后台 `wsConfig` 接口签发并写入 Redis（短时签名）。绑定 user_id=0，
+ *    分发器对该连接不做 user 级过滤，可观测全量推送（用于运维/联调）。
+ *
+ * 任一身份通过即可建连；都不满足则拒绝握手。
+ *
+ * 返回结构：
+ * [
+ *   'ok'      => bool,
+ *   'user_id' => int,
+ *   'mode'    => 'mobile' | 'admin' | '',
+ *   'admin_id'=> int,
+ *   'reason'  => string,
+ *   'auth_token' => string,
+ *   'user_token' => string,
+ *   'admin_ws_token' => string,
+ * ]
+ */
+final class GameWebSocketAuthHelper
+{
+    /** admin_ws_token 在 Redis 中的 key 前缀；value 存 admin_id，TTL 由 issueAdminWsToken 决定 */
+    private const ADMIN_TOKEN_REDIS_PREFIX = 'dfw:v1:ws:admin_token:';
+    private const ADMIN_TOKEN_DEFAULT_TTL = 7200;
+
+    /**
+     * @param array<string, mixed> $query  解析后的 URL Query 参数
+     * @return array{ok:bool, user_id:int, mode:string, admin_id:int, reason:string, auth_token:string, user_token:string, admin_ws_token:string}
+     */
+    public static function authorize(array $query): array
+    {
+        $authToken = self::pickFirstString($query, ['auth_token', 'auth-token', 'authToken']);
+        $userToken = self::pickFirstString($query, ['user_token', 'user-token', 'userToken', 'token']);
+        $adminWsToken = self::pickFirstString($query, ['admin_ws_token', 'admin-ws-token', 'adminWsToken']);
+
+        // ===== Admin 旁路：只校验 admin_ws_token（由后台 wsConfig 签发，已隐含管理员身份） =====
+        if ($adminWsToken !== '') {
+            $adminId = self::validateAdminWsToken($adminWsToken);
+            if ($adminId > 0) {
+                return [
+                    'ok' => true,
+                    'user_id' => 0,
+                    'mode' => 'admin',
+                    'admin_id' => $adminId,
+                    'reason' => '',
+                    'auth_token' => $authToken,
+                    'user_token' => $userToken,
+                    'admin_ws_token' => $adminWsToken,
+                ];
+            }
+            return self::deny('admin-ws-token invalid or expired', $authToken, $userToken, $adminWsToken);
+        }
+
+        // ===== Mobile（H5）：必须同时校验 auth-token + user-token =====
+        if ($authToken === '') {
+            return self::deny('missing auth-token', '', $userToken, '');
+        }
+        $authData = Token::get($authToken);
+        if (!is_array($authData) || ($authData['type'] ?? '') !== 'auth-token') {
+            return self::deny('invalid auth-token type', $authToken, $userToken, '');
+        }
+        $authExpire = filter_var($authData['expire_time'] ?? 0, FILTER_VALIDATE_INT);
+        if ($authExpire === false || $authExpire < time()) {
+            return self::deny('auth-token expired', $authToken, $userToken, '');
+        }
+
+        if ($userToken === '') {
+            return self::deny('missing user-token', $authToken, '', '');
+        }
+        $userData = Token::get($userToken);
+        if (!is_array($userData) || ($userData['type'] ?? '') !== Auth::TOKEN_TYPE) {
+            return self::deny('invalid user-token type', $authToken, $userToken, '');
+        }
+        $userExpire = filter_var($userData['expire_time'] ?? 0, FILTER_VALIDATE_INT);
+        if ($userExpire === false || $userExpire < time()) {
+            return self::deny('user-token expired', $authToken, $userToken, '');
+        }
+        $userId = filter_var($userData['user_id'] ?? 0, FILTER_VALIDATE_INT);
+        if ($userId === false || $userId <= 0) {
+            return self::deny('user-token has no user_id', $authToken, $userToken, '');
+        }
+
+        return [
+            'ok' => true,
+            'user_id' => (int) $userId,
+            'mode' => 'mobile',
+            'admin_id' => 0,
+            'reason' => '',
+            'auth_token' => $authToken,
+            'user_token' => $userToken,
+            'admin_ws_token' => '',
+        ];
+    }
+
+    /**
+     * 为已登录的后台管理员签发短时 admin-ws-token；返回 [token, ttl]。
+     * 调用方：app/admin/controller/test/GameCurrentStatus::wsConfig、app/admin/controller/game/Live::wsConfig
+     */
+    public static function issueAdminWsToken(int $adminId, ?int $ttl = null): array
+    {
+        if ($adminId <= 0) {
+            return ['token' => '', 'ttl' => 0];
+        }
+        $ttl = ($ttl !== null && $ttl > 0) ? $ttl : self::ADMIN_TOKEN_DEFAULT_TTL;
+        try {
+            $token = bin2hex(random_bytes(20));
+        } catch (Throwable) {
+            $token = md5(uniqid('admin_ws_', true) . microtime(true) . random_int(0, PHP_INT_MAX));
+        }
+        try {
+            Redis::setEx(self::ADMIN_TOKEN_REDIS_PREFIX . $token, $ttl, (string) $adminId);
+        } catch (Throwable) {
+            return ['token' => '', 'ttl' => 0];
+        }
+        return ['token' => $token, 'ttl' => $ttl];
+    }
+
+    /**
+     * 校验 admin-ws-token；返回 admin_id（>0 表示有效），0 表示无效/过期。
+     */
+    public static function validateAdminWsToken(string $token): int
+    {
+        $token = trim($token);
+        if ($token === '' || strlen($token) > 96) {
+            return 0;
+        }
+        try {
+            $raw = Redis::get(self::ADMIN_TOKEN_REDIS_PREFIX . $token);
+        } catch (Throwable) {
+            return 0;
+        }
+        if ($raw === false || $raw === null || $raw === '') {
+            return 0;
+        }
+        $adminId = filter_var($raw, FILTER_VALIDATE_INT);
+        return $adminId === false ? 0 : (int) $adminId;
+    }
+
+    /**
+     * 从 ws header 中解析 GET 行 Query（Workerman 在 onWebSocketConnect($connection, $request) 时
+     * $request 可能为字符串或对象；为兼容，这里允许直接传 URI Query 字符串）。
+     *
+     * @return array<string, string>
+     */
+    public static function parseQueryString(string $queryString): array
+    {
+        $queryString = trim($queryString);
+        if ($queryString === '') {
+            return [];
+        }
+        if ($queryString[0] === '?') {
+            $queryString = substr($queryString, 1);
+        }
+        $out = [];
+        parse_str($queryString, $out);
+        $clean = [];
+        foreach ($out as $k => $v) {
+            if (!is_string($k)) {
+                continue;
+            }
+            if (is_string($v)) {
+                $clean[$k] = $v;
+            } elseif (is_scalar($v)) {
+                $clean[$k] = (string) $v;
+            }
+        }
+        return $clean;
+    }
+
+    /**
+     * @param array<string, mixed> $query
+     * @param list<string> $keys
+     */
+    private static function pickFirstString(array $query, array $keys): string
+    {
+        foreach ($keys as $k) {
+            if (!isset($query[$k])) {
+                continue;
+            }
+            $v = $query[$k];
+            if (!is_scalar($v)) {
+                continue;
+            }
+            $s = trim((string) $v);
+            if ($s !== '') {
+                return $s;
+            }
+        }
+        return '';
+    }
+
+    /**
+     * @return array{ok:bool, user_id:int, mode:string, admin_id:int, reason:string, auth_token:string, user_token:string, admin_ws_token:string}
+     */
+    private static function deny(string $reason, string $authToken, string $userToken, string $adminWsToken): array
+    {
+        return [
+            'ok' => false,
+            'user_id' => 0,
+            'mode' => '',
+            'admin_id' => 0,
+            'reason' => $reason,
+            'auth_token' => $authToken,
+            'user_token' => $userToken,
+            'admin_ws_token' => $adminWsToken,
+        ];
+    }
+}