├── .github └── workflows │ └── php.yml ├── .gitignore ├── .php-cs-fixer.php ├── LICENSE ├── README.md ├── composer.json ├── phpunit.xml ├── src ├── JWT.php ├── RedisHandler.php ├── config.php ├── exception │ ├── JWTCacheTokenException.php │ ├── JWTConfigException.php │ ├── JWTRefreshTokenExpiredException.php │ ├── JWTStoreRefreshTokenExpiredException.php │ ├── JWTTokenException.php │ └── JWTTokenExpiredException.php └── service │ └── RedisService.php └── tests ├── JwtTokenTest.php └── TestCase.php /.github/workflows/php.yml: -------------------------------------------------------------------------------- 1 | name: PHP Composer 2 | 3 | on: 4 | push: 5 | branches: [ "main" ] 6 | pull_request: 7 | branches: [ "main" ] 8 | 9 | permissions: 10 | contents: read 11 | 12 | jobs: 13 | build: 14 | 15 | runs-on: ubuntu-latest 16 | 17 | steps: 18 | - uses: actions/checkout@v3 19 | 20 | - name: Validate composer.json and composer.lock 21 | run: composer validate --strict 22 | 23 | - name: Cache Composer packages 24 | id: composer-cache 25 | uses: actions/cache@v3 26 | with: 27 | path: vendor 28 | key: ${{ runner.os }}-php-${{ hashFiles('**/composer.lock') }} 29 | restore-keys: | 30 | ${{ runner.os }}-php- 31 | 32 | - name: Install dependencies 33 | run: composer install --prefer-dist --no-progress 34 | 35 | # Add a test script to composer.json, for instance: "test": "vendor/bin/phpunit" 36 | # Docs: https://getcomposer.org/doc/articles/scripts.md 37 | 38 | # - name: Run test suite 39 | # run: composer run-script test 40 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | build 2 | vendor 3 | .idea 4 | .vscode 5 | .phpunit* 6 | composer.lock -------------------------------------------------------------------------------- /.php-cs-fixer.php: -------------------------------------------------------------------------------- 1 | exclude('tests') 6 | ->exclude('vendor') 7 | ->in(__DIR__) 8 | ; 9 | 10 | return (new PhpCsFixer\Config()) 11 | ->setUsingCache(false) 12 | ->setRules([ 13 | // '@PSR12' => true, 14 | '@PHP74Migration' => true, 15 | 'combine_consecutive_unsets' => true, // 多个unset,合并成一个 16 | 'class_attributes_separation' => true, 17 | 'heredoc_to_nowdoc' => true, // 删除配置中多余的空行和/或者空行。 18 | 'no_unreachable_default_argument_value' => false, // 在函数参数中,不能有默认值在非缺省值之前的参数。有风险 19 | 'no_useless_else' => true, // 删除无用的else 20 | 'no_useless_return' => true, // 删除函数末尾无用的return 21 | 'no_empty_phpdoc' => true, // 删除空注释 22 | 'no_empty_statement' => true, // 删除多余的分号 23 | 'no_leading_namespace_whitespace' => true, // 删除namespace声明行包含前导空格 24 | 'no_spaces_inside_parenthesis' => true, // 删除括号后内两端的空格 25 | 'no_trailing_whitespace' => true, // 删除非空白行末尾的空白 26 | 'no_unused_imports' => true, // 删除未使用的use语句 27 | 'no_whitespace_before_comma_in_array' => true, // 删除数组声明中,每个逗号前的空格 28 | 'no_whitespace_in_blank_line' => true, // 删除空白行末尾的空白 29 | 'ordered_class_elements' => true, 30 | 'ordered_imports' => ['sort_algorithm' => 'alpha'], 31 | 'line_ending' => true, 32 | 'single_quote' => true, 33 | 'array_syntax' => ['syntax' => 'short'], 34 | 'trailing_comma_in_multiline' => false, 35 | ]) 36 | ->setFinder($finder) 37 | ; 38 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # JSON Web Token (JWT) for Think plugin 2 | 3 | [![Latest Stable Version](http://poser.pugx.org/tinywan/think-jwt/v)](https://packagist.org/packages/tinywan/think-jwt) 4 | [![Total Downloads](http://poser.pugx.org/tinywan/think-jwt/downloads)](https://packagist.org/packages/tinywan/think-jwt) 5 | [![Daily Downloads](http://poser.pugx.org/tinywan/think-jwt/d/daily)](https://packagist.org/packages/tinywan/think-jwt) 6 | [![Latest Unstable Version](http://poser.pugx.org/tinywan/think-jwt/v/unstable)](https://packagist.org/packages/tinywan/think-jwt) 7 | [![License](http://poser.pugx.org/tinywan/think-jwt/license)](https://packagist.org/packages/tinywan/think-jwt) 8 | [![PHP Version Require](http://poser.pugx.org/tinywan/think-jwt/require/php)](https://packagist.org/packages/tinywan/think-jwt) 9 | 10 | > Json web token (JWT), 是为了在网络应用环境间传递声明而执行的一种基于JSON的开放标准((RFC 7519).该token被设计为紧凑且安全的,特别适用于分布式站点的单点登录(SSO)场景。 11 | 12 | JWT的声明一般被用来在身份提供者和服务提供者间传递被认证的用户身份信息,以便于从资源服务器获取资源,也可以增加一些额外的其它业务逻辑所必须的声明信息,该token也可直接被用于认证,也可被加密。 13 | 14 | ## 认证&授权流程 15 | 16 | ![image](https://user-images.githubusercontent.com/14959876/159104533-f51f0a57-e085-44ab-84d7-363a4bb1eda9.png) 17 | 18 | ## 签名流程 19 | 20 | 1. 用户使用用户名和口令到认证服务器上请求认证。 21 | 2. 认证服务器验证用户名和口令后,以服务器端生成JWT Token,这个token的生成过程如下: 22 | - 认证服务器还会生成一个 Secret Key(密钥) 23 | - 对JWT Header和JWT Payload分别求Base64。在Payload可能包括了用户的抽象ID和的过期时间。 24 | - 用密钥对JWT签名 `HMAC-SHA256(SecertKey, Base64UrlEncode(JWT-Header)+'.'+Base64UrlEncode(JWT-Payload))` 25 | 3. 然后把 base64(header).base64(payload).signature 作为 JWT token返回客户端。 26 | 4. 客户端使用JWT Token向应用服务器发送相关的请求。这个JWT Token就像一个临时用户权证一样。 27 | 28 | ## 安装 29 | 30 | ```phpregexp 31 | composer require tinywan/think-jwt 32 | ``` 33 | 34 | ## 使用 35 | 36 | ### 生成令牌 37 | 38 | ```php 39 | $user = [ 40 | 'uid' => 2022, 41 | 'name' => 'Tinywan', 42 | 'email' => 'Tinywan@163.com' 43 | ]; 44 | $token = \tinywan\JWT::generateToken($user); 45 | var_dump(json_encode($token)); 46 | ``` 47 | 48 | **输出(json格式)* 49 | 50 | ```json 51 | { 52 | "token_type": "Bearer", 53 | "expires_in": 36000, 54 | "access_token": "eyJ0eXAiOiJAUR-Gqtnk9LUPO8IDrLK7tjCwQZ7CI...", 55 | "refresh_token": "eyJ0eXAiOiJIEGkKprvcccccQvsTJaOyNy8yweZc..." 56 | } 57 | ``` 58 | 59 | **响应参数** 60 | 61 | | 参数|类型|描述|示例值| 62 | |:---|:---|:---|:---| 63 | |token_type| string |Token 类型 | Bearer | 64 | |expires_in| int |凭证有效时间,单位:秒 | 36000 | 65 | |access_token| string |访问凭证 | XXXXXXXXXXXXXXXXXXXX| 66 | |refresh_token| string | 刷新凭证(访问凭证过期使用 ) | XXXXXXXXXXXXXXXXXXX| 67 | 68 | ## 支持函数列表 69 | 70 | > 1、获取当前`uid` 71 | 72 | ```php 73 | $uid = \tinywan\JWT::getCurrentId(); 74 | ``` 75 | 76 | > 2、获取所有字段 77 | 78 | ```php 79 | $email = \tinywan\JWT::getExtend(); 80 | ``` 81 | 82 | > 3、获取自定义字段 83 | 84 | ```php 85 | $email = \tinywan\JWT::getExtendVal('email'); 86 | ``` 87 | 88 | > 4、刷新令牌(通过刷新令牌获取访问令牌) 89 | 90 | ```php 91 | $refreshToken = \tinywan\JWT::refreshToken(); 92 | ``` 93 | 94 | > 5、获令牌有效期剩余时长 95 | 96 | ```php 97 | $exp = \tinywan\JWT::getTokenExp(); 98 | ``` 99 | > 6、单设备登录。默认是关闭,开启请修改配置文件`config/jwt.php` 100 | 101 | ```php 102 | 'is_single_device' => true, 103 | ``` 104 | > 7、获取当前用户信息(模型) 105 | 106 | ```php 107 | $user = \tinywan\JWT::getUser(); 108 | ``` 109 | 该配置项目`'user_model'`为一个匿名函数,默认返回空数组,可以根据自己项目ORM定制化自己的返回模型 110 | 111 | **ThinkORM** 配置 112 | ```php 113 | 'user_model' => function($uid) { 114 | // 返回一个数组 115 | return \think\facade\Db::table('resty_user') 116 | ->field('id,username,create_time') 117 | ->where('id',$uid) 118 | ->find(); 119 | } 120 | ``` 121 | 122 | ## 签名算法 123 | 124 | JWT 最常见的几种签名算法(JWA):`HS256(HMAC-SHA256)` 、`RS256(RSA-SHA256)` 还有 `ES256(ECDSA-SHA256)` 125 | 126 | **JWT 算法列表如下** 127 | ``` 128 | +--------------+-------------------------------+--------------------+ 129 | | "alg" Param | Digital Signature or MAC | Implementation | 130 | | Value | Algorithm | Requirements | 131 | +--------------+-------------------------------+--------------------+ 132 | | HS256 | HMAC using SHA-256 | Required | 133 | | HS384 | HMAC using SHA-384 | Optional | 134 | | HS512 | HMAC using SHA-512 | Optional | 135 | | RS256 | RSASSA-PKCS1-v1_5 using | Recommended | 136 | | | SHA-256 | | 137 | | RS384 | RSASSA-PKCS1-v1_5 using | Optional | 138 | | | SHA-384 | | 139 | | RS512 | RSASSA-PKCS1-v1_5 using | Optional | 140 | | | SHA-512 | | 141 | | ES256 | ECDSA using P-256 and SHA-256 | Recommended+ | 142 | | ES384 | ECDSA using P-384 and SHA-384 | Optional | 143 | | ES512 | ECDSA using P-521 and SHA-512 | Optional | 144 | | PS256 | RSASSA-PSS using SHA-256 and | Optional | 145 | | | MGF1 with SHA-256 | | 146 | | PS384 | RSASSA-PSS using SHA-384 and | Optional | 147 | | | MGF1 with SHA-384 | | 148 | | PS512 | RSASSA-PSS using SHA-512 and | Optional | 149 | | | MGF1 with SHA-512 | | 150 | | none | No digital signature or MAC | Optional | 151 | | | performed | | 152 | +--------------+-------------------------------+--------------------+ 153 | 154 | The use of "+" in the Implementation Requirements column indicates 155 | that the requirement strength is likely to be increased in a future 156 | version of the specification. 157 | ``` 158 | > 可以看到被标记为 Recommended 的只有 RS256 和 ES256。 159 | ### 对称加密算法 160 | 161 | > 插件安装默认使用`HS256 `对称加密算法。 162 | 163 | HS256 使用同一个`「secret_key」`进行签名与验证。一旦 `secret_key `泄漏,就毫无安全性可言了。因此 HS256 只适合集中式认证,签名和验证都必须由可信方进行。 164 | 165 | ### 非对称加密算法 166 | 167 | > RS256 系列是使用 RSA 私钥进行签名,使用 RSA 公钥进行验证。 168 | 169 | 公钥即使泄漏也毫无影响,只要确保私钥安全就行。RS256 可以将验证委托给其他应用,只要将公钥给他们就行。 170 | 171 | > 以下为RS系列算法生成命令,仅供参考 172 | 173 | ### RS512 174 | 175 | ```php 176 | ssh-keygen -t rsa -b 4096 -E SHA512 -m PEM -P "" -f RS512.key 177 | openssl rsa -in RS512.key -pubout -outform PEM -out RS512.key.pub 178 | ``` 179 | 180 | ### RS512 181 | 182 | ```php 183 | ssh-keygen -t rsa -b 4096 -E SHA354 -m PEM -P "" -f RS384.key 184 | openssl rsa -in RS384.key -pubout -outform PEM -out RS384.key.pub 185 | ``` 186 | 187 | ### RS256 188 | 189 | ```php 190 | ssh-keygen -t rsa -b 4096 -E SHA256 -m PEM -P "" -f RS256.key 191 | openssl rsa -in RS256.key -pubout -outform PEM -out RS256.key.pub 192 | ``` 193 | 194 | ## 安全性 195 | 196 | https://www.w3cschool.cn/fastapi/fastapi-cmia3lcw.html 197 | 198 | ### 概念 199 | 200 | 有许多方法可以处理安全性、身份认证和授权等问题。而且这通常是一个复杂而「困难」的话题。在许多框架和系统中,仅处理安全性和身份认证就会花费大量的精力和代码(在许多情况下,可能占编写的所有代码的 50% 或更多)。 201 | 202 | Jwt 可帮助你以标准的方式轻松、快速地处理安全性,而无需研究和学习所有的安全规范。 203 | 204 | ### 场景 205 | 206 | 假设您在某个域中拥有后端API。并且您在另一个域或同一域的不同路径(或移动应用程序)中有一个前端。并且您希望有一种方法让前端使用用户名和密码与后端进行身份验证。我们可以使用OAuth2通过JWT来构建它。 207 | 208 | ### 认证流程 209 | 210 | - 用户在前端输入`username`和`password`,然后点击Enter。 211 | - 前端(在用户的浏览器中运行)发送一个`username`和`password`我们的API在一个特定的URL(以申报`tokenUrl="token"`)。 212 | - API 检查username和password,并用“令牌”响应(我们还没有实现任何这些)。“令牌”只是一个包含一些内容的字符串,我们稍后可以使用它来验证此用户。通常,令牌设置为在一段时间后过期。因此,用户稍后将不得不再次登录。如果代币被盗,风险就小了。它不像一个永久有效的密钥(在大多数情况下)。 213 | 前端将该令牌临时存储在某处。 214 | - 用户单击前端以转到前端 Web 应用程序的另一部分。 215 | - 前端需要从 API 获取更多数据。但它需要对该特定端点进行身份验证。因此,为了使用我们的 API 进行身份验证,它会发送`Authorization`一个值为`Bearer`加上令牌的标头。如果令牌包含`foobar`,则`Authorization`标头的内容将为:`Bearer foobar`。`注意:中间是有个空格`。 216 | -------------------------------------------------------------------------------- /composer.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "tinywan/think-jwt", 3 | "description": "JSON Web Token (JWT) for Think plugin", 4 | "type": "library", 5 | "license": "MIT", 6 | "require": { 7 | "php": "^7.1||^8.0", 8 | "ext-json": "*", 9 | "firebase/php-jwt": "^6.1"}, 10 | "autoload": { 11 | "psr-4": { 12 | "tinywan\\": "src" 13 | } 14 | }, 15 | "autoload-dev": { 16 | "psr-4": { 17 | "tinywan\\tests\\": "tests/" 18 | } 19 | }, 20 | "extra": { 21 | "think": { 22 | "config": { 23 | "jwt": "src/config.php" 24 | } 25 | } 26 | }, 27 | "require-dev": { 28 | "topthink/framework": "^6.0" 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /phpunit.xml: -------------------------------------------------------------------------------- 1 | 2 | 12 | 13 | 14 | ./tests 15 | 16 | 17 | -------------------------------------------------------------------------------- /src/JWT.php: -------------------------------------------------------------------------------- 1 | getMessage()); 131 | } 132 | $secretKey = self::getPrivateKey($config); 133 | $extend['exp'] = time() + $config['access_exp']; 134 | return ['access_token' => self::makeToken($extend, $secretKey, $config['algorithms'])]; 135 | } 136 | 137 | /** 138 | * @desc: 生成令牌. 139 | * @param array $extend 140 | * @return array 141 | * @throws JWTConfigException 142 | */ 143 | public static function generateToken(array $extend): array 144 | { 145 | if (!isset($extend['id'])) { 146 | throw new JWTTokenException('缺少全局唯一字段:id'); 147 | } 148 | $config = self::_getConfig(); 149 | $config['access_exp'] = $extend['access_exp'] ?? $config['access_exp']; 150 | $config['refresh_exp'] = $extend['refresh_exp'] ?? $config['refresh_exp']; 151 | $payload = self::generatePayload($config, $extend); 152 | $secretKey = self::getPrivateKey($config); 153 | $token = [ 154 | 'token_type' => 'Bearer', 155 | 'expires_in' => $config['access_exp'], 156 | 'access_token' => self::makeToken($payload['accessPayload'], $secretKey, $config['algorithms']) 157 | ]; 158 | if (!isset($config['refresh_disable']) || (isset($config['refresh_disable']) && $config['refresh_disable'] === false)) { 159 | $refreshSecretKey = self::getPrivateKey($config, self::REFRESH_TOKEN); 160 | $token['refresh_token'] = self::makeToken($payload['refreshPayload'], $refreshSecretKey, $config['algorithms']); 161 | if (isset($config['refresh_is_store']) && $config['refresh_is_store'] === true) { 162 | RedisHandler::setRefreshToken((string) $extend['id'], $token['refresh_token'], $config['refresh_exp']); 163 | } 164 | } 165 | return $token; 166 | } 167 | 168 | /** 169 | * @desc: 验证令牌 170 | * @param int $tokenType 171 | * @param string|null $token 172 | * @return array 173 | * @throws JWTTokenException 174 | * @author Tinywan(ShaoBo Wan) 175 | */ 176 | public static function verify(int $tokenType = self::ACCESS_TOKEN, string $token = null): array 177 | { 178 | try { 179 | $token = $token ?? self::getTokenFromHeaders(); 180 | $config = self::_getConfig(); 181 | $extend = self::verifyToken($config, $token, $tokenType); 182 | if (isset($config['access_is_force']) && true === $config['access_is_force']) { 183 | self::isForceExpire($extend['iat'], $extend['exp'], $config['access_force_exp']); 184 | } 185 | return $extend; 186 | } catch (SignatureInvalidException $signatureInvalidException) { 187 | throw new JWTTokenException('身份验证令牌无效'); 188 | } catch (BeforeValidException $beforeValidException) { 189 | throw new JWTTokenException('身份验证令牌尚未生效'); 190 | } catch (ExpiredException $expiredException) { 191 | throw new JWTTokenExpiredException('身份验证会话已过期,请重新登录!'); 192 | } catch (JWTRefreshTokenExpiredException $forceExpiredException) { 193 | throw new JWTRefreshTokenExpiredException('身份验证会话已过期,请重新登录!(暴力)'); 194 | } catch (UnexpectedValueException $unexpectedValueException) { 195 | throw new JWTTokenException('获取的扩展字段不存在'); 196 | } catch (JWTCacheTokenException | \Exception $exception) { 197 | throw new JWTTokenException($exception->getMessage()); 198 | } 199 | } 200 | 201 | /** 202 | * @desc: 获取扩展字段. 203 | * @return array 204 | * @throws JwtTokenException 205 | */ 206 | private static function getTokenExtend(): array 207 | { 208 | return (array) self::verify()['extend']; 209 | } 210 | 211 | /** 212 | * @desc: 获令牌有效期剩余时长. 213 | * @param int $tokenType 214 | * @return int 215 | */ 216 | public static function getTokenExp(int $tokenType = self::ACCESS_TOKEN): int 217 | { 218 | return (int) self::verify($tokenType)['exp'] - time(); 219 | } 220 | 221 | /** 222 | * @desc: 223 | * @return string 224 | * @throws JwtTokenException 225 | */ 226 | private static function getTokenFromHeaders(): string 227 | { 228 | $authorization = request()->header('authorization'); 229 | if (!$authorization || 'undefined' == $authorization) { 230 | throw new JWTTokenException('身份验证会话已过期,请重新登录!'); 231 | } 232 | 233 | if (self::REFRESH_TOKEN != substr_count($authorization, '.')) { 234 | throw new JWTTokenException('身份验证会话已过期,请重新登录!'); 235 | } 236 | 237 | if (2 != count(explode(' ', $authorization))) { 238 | throw new JWTTokenException('Bearer验证中的凭证格式有误,中间必须有个空格'); 239 | } 240 | 241 | [$type, $token] = explode(' ', $authorization); 242 | if ('Bearer' !== $type) { 243 | throw new JWTTokenException('接口认证方式需为Bearer'); 244 | } 245 | if (!$token || 'undefined' === $token) { 246 | throw new JWTTokenException('尝试获取的Authorization信息不存在'); 247 | } 248 | 249 | return $token; 250 | } 251 | 252 | /** 253 | * @desc: 校验令牌 254 | * @param array $config 255 | * @param string $token 256 | * @param int $tokenType 257 | * @return array 258 | * @author Tinywan(ShaoBo Wan) 259 | */ 260 | private static function verifyToken(array $config, string $token, int $tokenType): array 261 | { 262 | $publicKey = self::ACCESS_TOKEN == $tokenType ? self::getPublicKey($config['algorithms']) : self::getPublicKey($config['algorithms'], self::REFRESH_TOKEN); 263 | BaseJWT::$leeway = $config['leeway']; 264 | 265 | $decoded = BaseJWT::decode($token, new Key($publicKey, $config['algorithms'])); 266 | $token = json_decode(json_encode($decoded), true); 267 | if ($config['is_single_device']) { 268 | RedisHandler::verifyToken($config['cache_token_pre'], (string) $token['extend']['id'], request()->ip()); 269 | } 270 | return $token; 271 | } 272 | 273 | /** 274 | * @desc: 生成令牌. 275 | * @param array $payload 载荷信息 276 | * @param string $secretKey 签名key 277 | * @param string $algorithms 算法 278 | * @return string 279 | */ 280 | private static function makeToken(array $payload, string $secretKey, string $algorithms): string 281 | { 282 | return BaseJWT::encode($payload, $secretKey, $algorithms); 283 | } 284 | 285 | /** 286 | * @desc: 获取加密载体 287 | * @param array $config 288 | * @param array $extend 289 | * @return array 290 | * @author Tinywan(ShaoBo Wan) 291 | */ 292 | private static function generatePayload(array $config, array $extend): array 293 | { 294 | if ($config['is_single_device']) { 295 | RedisHandler::generateToken([ 296 | 'id' => $extend['id'], 297 | 'ip' => request()->ip(), 298 | 'extend' => json_encode($extend), 299 | 'cache_token_ttl' => $config['cache_token_ttl'], 300 | 'cache_token_pre' => $config['cache_token_pre'] 301 | ]); 302 | } 303 | $basePayload = [ 304 | 'iss' => $config['iss'], // 签发者 305 | 'aud' => $config['iss'], // 接收该JWT的一方 306 | 'iat' => time(), // 签发时间 307 | 'nbf' => time() + ($config['nbf'] ?? 0), // 某个时间点后才能访问 308 | 'exp' => time() + $config['access_exp'], // 过期时间 309 | 'extend' => $extend // 自定义扩展信息 310 | ]; 311 | $resPayLoad['accessPayload'] = $basePayload; 312 | $basePayload['exp'] = time() + $config['refresh_exp']; 313 | $resPayLoad['refreshPayload'] = $basePayload; 314 | 315 | return $resPayLoad; 316 | } 317 | 318 | /** 319 | * @desc: 根据签名算法获取【公钥】签名值 320 | * @param string $algorithm 算法 321 | * @param int $tokenType 类型 322 | * @return string 323 | * @author Tinywan(ShaoBo Wan) 324 | */ 325 | private static function getPublicKey(string $algorithm, int $tokenType = self::ACCESS_TOKEN): string 326 | { 327 | $config = self::_getConfig(); 328 | switch ($algorithm) { 329 | case 'HS256': 330 | $key = self::ACCESS_TOKEN == $tokenType ? $config['access_secret_key'] : $config['refresh_secret_key']; 331 | break; 332 | case 'RS512': 333 | case 'RS256': 334 | $key = self::ACCESS_TOKEN == $tokenType ? $config['access_public_key'] : $config['refresh_public_key']; 335 | break; 336 | default: 337 | $key = $config['access_secret_key']; 338 | } 339 | 340 | return $key; 341 | } 342 | 343 | /** 344 | * @desc: 根据签名算法获取【私钥】签名值 345 | * @param array $config 配置文件 346 | * @param int $tokenType 令牌类型 347 | * @return string 348 | * @author Tinywan(ShaoBo Wan) 349 | */ 350 | private static function getPrivateKey(array $config, int $tokenType = self::ACCESS_TOKEN): string 351 | { 352 | switch ($config['algorithms']) { 353 | case 'HS256': 354 | $key = self::ACCESS_TOKEN == $tokenType ? $config['access_secret_key'] : $config['refresh_secret_key']; 355 | break; 356 | case 'RS512': 357 | case 'RS256': 358 | $key = self::ACCESS_TOKEN == $tokenType ? $config['access_private_key'] : $config['refresh_private_key']; 359 | break; 360 | default: 361 | $key = $config['access_secret_key']; 362 | } 363 | 364 | return $key; 365 | } 366 | 367 | /** 368 | * @desc: 获取配置文件 369 | * @return array 370 | * @throws JWTConfigException 371 | */ 372 | private static function _getConfig(): array 373 | { 374 | $config = config('jwt'); 375 | if (empty($config)) { 376 | throw new JWTConfigException('jwt.php 配置文件不存在'); 377 | } 378 | return $config; 379 | } 380 | 381 | /** 382 | * @desc: 存储校验刷新令牌 383 | * @param string $tokenId 384 | * @param string $refreshToken 385 | * @author Tinywan(ShaoBo Wan) 386 | */ 387 | private static function checkStoreRefreshToken(string $tokenId, string $refreshToken): void 388 | { 389 | $storeRefreshToken = RedisHandler::getRefreshToken($tokenId); 390 | if (false === $storeRefreshToken) { 391 | throw new JWTStoreRefreshTokenExpiredException('存储刷新令牌已被删除'); 392 | } 393 | 394 | if ($storeRefreshToken != $refreshToken) { 395 | throw new JWTStoreRefreshTokenExpiredException('存储刷新令牌和请求刷新令牌不一致'); 396 | } 397 | } 398 | 399 | /** 400 | * @desc: 删除刷新令牌 401 | * @param string $tokenId 402 | * @return int 403 | * @author Tinywan(ShaoBo Wan) 404 | */ 405 | public static function deleteRefreshToken(string $tokenId): int 406 | { 407 | return RedisHandler::deleteRefreshToken($tokenId); 408 | } 409 | 410 | /** 411 | * @desc: 是否强制过期 412 | * @param int $iat 签发时间 413 | * @param int $exp 过期时间 414 | * @param int $forceExpire 强制过期时间 415 | * @author Tinywan(ShaoBo Wan) 416 | */ 417 | private static function isForceExpire(int $iat, int $exp, int $forceExpire) 418 | { 419 | if (($iat + $forceExpire) < $exp) { 420 | throw new JWTRefreshTokenExpiredException('暴力提前过期'); 421 | } 422 | } 423 | 424 | } 425 | -------------------------------------------------------------------------------- /src/RedisHandler.php: -------------------------------------------------------------------------------- 1 | true, 11 | 12 | // 算法类型 HS256、HS384、HS512、RS256、RS384、RS512、ES256、ES384、Ed25519 13 | 'algorithms' => 'HS256', 14 | 15 | // access令牌秘钥 16 | 'access_secret_key' => '2022d3d3LmJq', 17 | 18 | // access令牌过期时间,单位:秒。默认 2 小时 19 | 'access_exp' => 7200, 20 | 21 | // 是否开启访问令牌强制提前过期 22 | 'access_is_force' => false, 23 | 24 | // access令牌强制过期时间,默认和access令牌过期时间一致,如果想让已经发放的令牌提前过期,可以缩短该过期时间 25 | // 单位:秒。默认 2 小时 26 | 'access_force_exp' => 7200, 27 | 28 | // refresh令牌秘钥 29 | 'refresh_secret_key' => '2022KTxigxc9o50c', 30 | 31 | // refresh令牌过期时间,单位:秒。默认 7 天 32 | 'refresh_exp' => 604800, 33 | 34 | // refresh令牌强制过期时间,默认和refresh令牌过期时间一致,如果想让已经发放的令牌提前过期,可以缩短该过期时间 35 | // 单位:秒。默认 2 小时 36 | 'refresh_force_exp' => 604800, 37 | 38 | // refresh 令牌是否禁用,默认不禁用 false 39 | 'refresh_disable' => false, 40 | 41 | // refresh 存储,该存储依赖于Redis 42 | 'refresh_is_store' => false, 43 | 44 | // 令牌签发者 45 | 'iss' => 'think.tinywan.cn', 46 | 47 | // 某个时间点后才能访问,单位秒。(如:30 表示当前时间30秒后才能使用) 48 | 'nbf' => 60, 49 | 50 | // 时钟偏差冗余时间,单位秒。建议这个余地应该不大于几分钟。 51 | 'leeway' => 60, 52 | 53 | // 单设备登录 54 | 'is_single_device' => false, 55 | 56 | // 缓存令牌时间,单位:秒。默认 7 天 57 | 'cache_token_ttl' => 604800, 58 | 59 | // 缓存令牌前缀 60 | 'cache_token_pre' => 'JWT:TOKEN:', 61 | 62 | // 用户信息模型 63 | 'user_model' => function($uid){ 64 | return []; 65 | }, 66 | 67 | /** 68 | * access令牌私钥 69 | */ 70 | 'access_private_key' => << << << <<connect(config('cache.stores.redis.host'), config('cache.stores.redis.port')); 220 | static::instance()->auth(config('cache.stores.redis.password')); 221 | return static::$instance; 222 | } 223 | 224 | /** 225 | * @param string $name 226 | * @param array $arguments 227 | * @return mixed 228 | */ 229 | public static function __callStatic(string $name, array $arguments) 230 | { 231 | return static::connection()->{$name}(... $arguments); 232 | } 233 | } 234 | -------------------------------------------------------------------------------- /tests/JwtTokenTest.php: -------------------------------------------------------------------------------- 1 | 2022, 25 | 'name' => 'Tinywan', 26 | 'email' => 'Tinywan@163.com' 27 | ]; 28 | $token = Jwt::generateToken($user); 29 | self::assertIsArray($token); 30 | } 31 | } -------------------------------------------------------------------------------- /tests/TestCase.php: -------------------------------------------------------------------------------- 1 |