修改token的加密方式为EDDSA

2023-05-08 21:30:09 +08:00 · 2023-05-08 21:30:09 +08:00 · 2e7de5db35
commit 2e7de5db35
parent 88a17b515b
4 changed files with 15 additions and 10 deletions
--- a/.env.development
+++ b/.env.development
@ -1,6 +1,7 @@
 API_PORT=3007
 API_HOST=0.0.0.0
-API_TOKEN_SECRET=sdf(**&*&xx2213
+API_TOKEN_SECRET_PRIVATE=-----BEGIN PRIVATE KEY-----\nMC4CAQAwBQYDK2VwBCIEIKdK/eFQ2+Q/ml4ruDAItNIwGnQMQm76UX0uecrna7V5\n-----END PRIVATE KEY-----
+API_TOKEN_SECRET_PUBLIC=-----BEGIN PUBLIC KEY-----\nMCowBQYDK2VwAyEAySgE/YiiI2fzpXaco+OWeDAKymEoqqLYYb6RKOEU1n8=\n-----END PUBLIC KEY-----
 API_TOKEN_EXPIRESIN=1d


--- a/src/controllers/mail.controller.ts
+++ b/src/controllers/mail.controller.ts
@ -36,7 +36,7 @@ class MailController extends BaseController {
    if (!record.verifyPassword(pass)) {
      throw new ZError(13, 'password error')
    }
-    const token = await res.jwtSign({ id: record.id })
+    const token = await res.jwtSign({ id: record.id, openid: record.openId, plat: PlatEnum.EMAIL })
    return { token: token }
  }

--- a/src/controllers/main.controllers.ts
+++ b/src/controllers/main.controllers.ts
@ -53,7 +53,7 @@ class MainController extends BaseController {
    if (payload.name) data.nickname = payload.name
    if (payload.picture) data.avatar = payload.picture
    let user = await Account.insertOrUpdate({ plat: PlatEnum.GOOGLE, openId }, data)
-    const ztoken = await res.jwtSign({ id: user.id })
+    const ztoken = await res.jwtSign({ id: user.id, openid: openId, plat: PlatEnum.GOOGLE })
    return { token: ztoken }
  }
 }
--- a/src/plugins/apiauth.ts
+++ b/src/plugins/apiauth.ts
@ -17,31 +17,35 @@ export interface ApiAuthOptions {
  secret: string
  expiresIn: string
 }
-
+const privateKey = process.env.API_TOKEN_SECRET_PRIVATE.replace(/\\n/g, '\n')
+const publicKey = process.env.API_TOKEN_SECRET_PUBLIC.replace(/\\n/g, '\n')
 const apiAuthPlugin: FastifyPluginAsync<ApiAuthOptions> = async function (fastify, opts) {
  fastify.register(require('@fastify/jwt'), {
-    secret: opts.secret,
-    sign: { expiresIn: opts.expiresIn },
+    secret: {
+      private: privateKey,
+      public: publicKey,
+    },
+    sign: { expiresIn: opts.expiresIn, algorithm: 'EdDSA' },
  })
  // 只有路由配置的role为anon才不需要过滤
  fastify.decorate('apiAuth', async function (request: FastifyRequest, reply: FastifyReply) {
    if (!request.roles || request.roles.indexOf('anon') == -1) {
      try {
        if (!request.token) {
-          return reply.send({ code: 11, msg: 'need login' })
+          return reply.send({ errcode: 11, errmsg: 'need login' })
        }
        //@ts-ignore
        const data = this.jwt.verify(request.token)
        if (!data || !data.id) {
-          return reply.send({ code: 10, msg: 'need login' })
+          return reply.send({ errcode: 10, errmsg: 'need login' })
        }
        let account = await Account.findById(data.id)
        if (!account) {
-          return reply.send({ code: 10, msg: 'need login' })
+          return reply.send({ errcode: 10, errmsg: 'need login' })
        }
        request.user = account
      } catch (err) {
-        return reply.send({ code: 401, msg: 'need auth' })
+        return reply.send({ errcode: 401, errmsg: 'need auth' })
      }
    }
  })