jwt (json web token)
简介
jwt 就不说了,是一种普遍的后端 api 授权方式,这个写完之后再写一个go版本和java版本的 :) 闲话少叙,怎么实现一个多用户认证呢,下面开始。
库 github.com/tymondesigns/jwt-auth
需求:
有一个用户表,一个管理员表,要求用户和管理员都可以登陆并且查看或者审核文章,做一个登陆接口获取token并且验证token
下面开始:
- 开始安装
composer require tymon/jwt-auth
- 发布配置文件
php artisan vendor:publish --provider="Tymon\JWTAuth\Providers\LaravelServiceProvider"- 用命令生成jwtkey
| 这条命令会在 .env 文件下生成一个加密密钥,如:JWT_SECRET=xadsfasdf | |
| php artisan jwt:secret |
- 进行一些配置
由于要用到多用户配置所以要配置多个模型
php artisan make:model User
php artisan make:model Admin
User.php 代码如下:
| namespace App\Models; | |
| use Illuminate\Database\Eloquent\Factories\HasFactory; | |
| use Illuminate\Foundation\Auth\User as Authenticatable; | |
| use Illuminate\Notifications\Notifiable; | |
| use Tymon\JWTAuth\Contracts\JWTSubject; | |
| class User extends Authenticatable implements JWTSubject // 必须实现JWTSubject接口 | |
| { | |
| use HasFactory, Notifiable; | |
| // Rest omitted for brevity | |
| /** | |
| * Get the identifier that will be stored in the subject claim of the JWT. | |
| * | |
| * @return mixed | |
| */ | |
| public function getJWTIdentifier(){ | |
| return $this->getKey(); | |
| } | |
| /** | |
| * Return a key value array, containing any custom claims to be added to the JWT. | |
| * | |
| * @return array | |
| */ | |
| public function getJWTCustomClaims(){ | |
| return []; | |
| } | |
| /** | |
| * The attributes that are mass assignable. | |
| * | |
| * @var array | |
| */ | |
| protected $guarded = ['id']; | |
| } |
Admin.php 代码如下:
| namespace App\Models; | |
| use Illuminate\Database\Eloquent\Factories\HasFactory; | |
| use Illuminate\Database\Eloquent\Model; | |
| use Tymon\JWTAuth\Contracts\JWTSubject; | |
| class Admin extends Model implements JWTSubject | |
| { | |
| use HasFactory; | |
| /** | |
| * @inheritDoc | |
| */ | |
| public function getJWTIdentifier(){ | |
| return $this->getKey(); | |
| } | |
| /** | |
| * @inheritDoc | |
| */ | |
| public function getJWTCustomClaims(){ | |
| return []; | |
| } | |
| } |
打开config/auth.php文件改为如下:
| return [ | |
| /* | |
| |-------------------------------------------------------------------------- | |
| | Authentication Defaults | |
| |-------------------------------------------------------------------------- | |
| | | |
| | This option controls the default authentication "guard" and password | |
| | reset options for your application. You may change these defaults | |
| | as required, but they're a perfect start for most applications. | |
| | | |
| */ | |
| 'defaults' => ['guard' => 'web','passwords' => 'users',], | |
| /* | |
| |-------------------------------------------------------------------------- | |
| | Authentication Guards | |
| |-------------------------------------------------------------------------- | |
| | | |
| | Next, you may define every authentication guard for your application. | |
| | Of course, a great default configuration has been defined for you | |
| | here which uses session storage and the Eloquent user provider. | |
| | | |
| | All authentication drivers have a user provider. This defines how the | |
| | users are actually retrieved out of your database or other storage | |
| | mechanisms used by this application to persist your user's data. | |
| | | |
| | Supported: "session", "token" | |
| | | |
| */ | |
| 'guards' => ['web' => ['driver' => 'session','provider' => 'users',], | |
| 'user' => ['driver' => 'jwt','provider' => 'users','hash' => false,],'admin' => ['driver' => 'jwt','provider' => 'admins','hash' => false,],], | |
| /* | |
| |-------------------------------------------------------------------------- | |
| | User Providers | |
| |-------------------------------------------------------------------------- | |
| | | |
| | All authentication drivers have a user provider. This defines how the | |
| | users are actually retrieved out of your database or other storage | |
| | mechanisms used by this application to persist your user's data. | |
| | | |
| | If you have multiple user tables or models you may configure multiple | |
| | sources which represent each model / table. These sources may then | |
| | be assigned to any extra authentication guards you have defined. | |
| | | |
| | Supported: "database", "eloquent" | |
| | | |
| */ | |
| 'providers' => ['users' => ['driver' => 'eloquent','model' => App\Models\User::class,],'admins' => [// key 对应上面的guards里面对应的 provider 'driver' => 'eloquent','model' => App\Models\Admin::class, // 这个模型继承了jwtSubject接口],], | |
| /* | |
| |-------------------------------------------------------------------------- | |
| | Resetting Passwords | |
| |-------------------------------------------------------------------------- | |
| | | |
| | You may specify multiple password reset configurations if you have more | |
| | than one user table or model in the application and you want to have | |
| | separate password reset settings based on the specific user types. | |
| | | |
| | The expire time is the number of minutes that the reset token should be | |
| | considered valid. This security feature keeps tokens short-lived so | |
| | they have less time to be guessed. You may change this as needed. | |
| | | |
| */ | |
| 'passwords' => ['users' => ['provider' => 'users','table' => 'password_resets','expire' => 60,'throttle' => 60,],], | |
| /* | |
| |-------------------------------------------------------------------------- | |
| | Password Confirmation Timeout | |
| |-------------------------------------------------------------------------- | |
| | | |
| | Here you may define the amount of seconds before a password confirmation | |
| | times out and the user is prompted to re-enter their password via the | |
| | confirmation screen. By default, the timeout lasts for three hours. | |
| | | |
| */ | |
| 'password_timeout' => 10800, | |
| ]; |
- 编写登陆接口
多说一句多端登陆接口一般都是通用的,可以放在各模块下,也可以用公共模块,此处用统一登陆接口
新建登陆控制器(此处用的是restfull api的控制器结构,你可以去掉–resource)
php artisan make:controller V1\common\AuthorizationController --resource
在 AuthorizationController.php 方法下放入以下代码:
记得在app\Http\Controllers\Controller.php里面use helpers;就是 dingo 扩展文件
| namespace App\Http\Controllers; | |
| use Dingo\Api\Routing\Helpers; | |
| use Illuminate\Foundation\Auth\Access\AuthorizesRequests; | |
| use Illuminate\Foundation\Bus\DispatchesJobs; | |
| use Illuminate\Foundation\Validation\ValidatesRequests; | |
| use Illuminate\Routing\Controller as BaseController; | |
| class Controller extends BaseController | |
| { | |
| use AuthorizesRequests, DispatchesJobs, ValidatesRequests;use Helpers; // 应用dingo的helpers | |
| } | |
| namespace App\Http\Controllers\V1\common; | |
| use App\Http\Controllers\Controller; | |
| use Illuminate\Http\Request; | |
| class AuthorizationController extends Controller | |
| { | |
| /** | |
| * Store a newly created resource in storage. | |
| * | |
| * @param \Illuminate\Http\Request $request | |
| * @return \Illuminate\Http\Response | |
| */ | |
| public function store(Request $request){ | |
| $guard = $request->guard;// 区分是user还是admin type就是guard | |
| if (!config('auth.guards.' . $guard)) { | |
| return $this->response->errorUnauthorized('用户类型不存在'); | |
| } | |
| $credentials = []; // 登陆验证字段 | |
| switch ($guard) { | |
| case 'user': | |
| $credentials = $request->only(['email', 'password']); | |
| break; | |
| case 'admin': | |
| $credentials = $request->only(['account', 'password']); | |
| break; | |
| } | |
| $token = auth($guard)->attempt($credentials); | |
| if (!$token){ | |
| return $this->response()->errorUnauthorized('账号或密码错误'); | |
| } | |
| return $this->respondWithToken($token,$guard); // type就是guard | |
| } | |
| /** | |
| * Get the authenticated User. | |
| * | |
| * @return \Illuminate\Http\JsonResponse | |
| */ | |
| public function me(){ | |
| return $this->user();// 一般用auth($guard)->user();至于如何用this需要再中间件里面处理详情请看第`5`章 | |
| } | |
| /** | |
| * Log the user out (Invalidate the token). | |
| * | |
| * @return \Illuminate\Http\JsonResponse | |
| */ | |
| public function logout($guard){ | |
| auth($guard)->logout(); | |
| return $this->response()->array(['message' => '退出登陆']); | |
| } | |
| /** | |
| * Refresh a token. | |
| * 刷新token,如果开启黑名单,以前的token便会失效。 | |
| * 值得注意的是用上面的getToken再获取一次Token并不算做刷新,两次获得的Token是并行的,即两个都可用。 | |
| * @return \Illuminate\Http\JsonResponse | |
| */ | |
| public function refresh($guard){ | |
| return $this->respondWithToken(auth($guard)->refresh()); | |
| } | |
| /** | |
| * Get the token array structure. | |
| * | |
| * @param string $token | |
| * | |
| * @return \Illuminate\Http\JsonResponse | |
| */ | |
| protected function respondWithToken($token, $guard){ | |
| return response()->json(['access_token' => $token,'token_type' => 'bearer','expires_in' => auth($guard)->factory()->getTTL() * 60]); | |
| } | |
| } |
新增登陆路由文件:
| // 公共路由 | |
| $api->group(['as' => 'common', 'prefix' => 'common', 'namespace' => 'Common', 'middleware' => []], function ($api) {// 登录获取token | |
| $api->post('authorization', 'AuthorizationController@store')->name('.authorizations.store'); | |
| }); |
访问:
| email:hansen.idella@example.com | |
| guard:user | |
| password:123456 |
homestead.test/api/common/authoriza...
传入对应参数,就可以了
| {"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9ob21lc3RlYWQudGVzdFwvYXBpXC9jb21tb25cL2F1dGhvcml6YXRpb24iLCJpYXQiOjE2MTAwOTg0NDUsImV4cCI6MTYxMDEwMjA0NSwibmJmIjoxNjEwMDk4NDQ1LCJqdGkiOiJzYkFFZXdJbzFLWjZrU0IyIiwic3ViIjoxLCJwcnYiOiIyM2JkNWM4OTQ5ZjYwMGFkYjM5ZTcwMWM0MDA4NzJkYjdhNTk3NmY3In0.61tRyGj-iD3-rEzLti1GLzgCJ35of_88-4-R0PQi_5E","token_type": "bearer","expires_in": 3600 | |
| } |
传入:
| guard:admin | |
| password:123456 | |
| account:38129 |
返回
| {"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9ob21lc3RlYWQudGVzdFwvYXBpXC9jb21tb25cL2F1dGhvcml6YXRpb24iLCJpYXQiOjE2MTAzNTM5MjUsImV4cCI6MTYxODEyOTkyNSwibmJmIjoxNjEwMzUzOTI1LCJqdGkiOiJLNW1ZenZsOEY3N1A0azl0Iiwic3ViIjoxLCJwcnYiOiJkZjg4M2RiOTdiZDA1ZWY4ZmY4NTA4MmQ2ODZjNDVlODMyZTU5M2E5In0.NYZKW2wbfMPAjLF-d-oA88OMrCNo8WHy7wAM_zhxlzU","token_type": "bearer","expires_in": 7776000 | |
| } |
另外配置jwt文件:
.env文件下面加上
| # jwt | |
| JWT_SECRET=VN3L60yj9zjcwwX0W70Ep6grzOlFe5QE | |
| JWT_TTL=129600 #3 * 30 * 24 * 60 #token过期时间 单位为分钟 3个月 | |
| JWT_REFRESH_TTL=20160 #刷新token过期时间 单位为分钟 |