net core SSO 单点登录和控制器中获取Token和UserId
控制器中注入
[ApiController] //[Authorize] [ServiceFilter(typeof(LDAPPLoginFilter))] [Route("/file/api/[controller]/[action]")] public class BaseController : ControllerBase { public ITokenHelper _tokenHelper; public IHttpContextAccessor _httpContext; /// <summary> /// 当前用户ID /// </summary> public string CurrentUserId { get{ var userId = "00185770cfb24ccca22e14f8b9111111"; if (_httpContext != null && _tokenHelper != null) { var tokenobj = _httpContext.HttpContext.Request.Headers["Authorization"].ToString(); //读取配置文件中 的 秘钥 var secretKey = ConfigurationManager.JwtTokenConfig["Secret"]; string token = tokenobj.Split(" ")[1].ToString();//剔除Bearer string mobile = "";//用户手机号 //验证jwt,同时取出来jwt里边的用户ID TokenType tokenType = _tokenHelper.ValiTokenState(token, secretKey , a => a["iss"] == "test.cn" && a["aud"] == "test" , action => { userId = action["id"]; mobile = action["phone_number"]; }); } return userId; } } } public FileServerController(ITokenHelper tokenHelper, IHttpContextAccessor httpContextAccessor) { _tokenHelper = tokenHelper; _httpContext = httpContextAccessor; }
调用
登录过滤器
/// <summary> /// 用户登录过滤器 /// 需要登录时 Check请求头中的token字段 /// </summary> public class LDAPPLoginFilter : Attribute, IActionFilter { private readonly ITokenHelper _tokenHelper; /// <summary> /// 通过依赖注入得到数据访问层实例 /// </summary> /// <param name="tokenHelper"></param> public LDAPPLoginFilter(ITokenHelper tokenHelper) { _tokenHelper = tokenHelper; } public void OnActionExecuted(ActionExecutedContext context) { } /// <summary> /// 操作过滤器 /// </summary> /// <param name="context">请求上下文</param> /// <param name="next">下一个过滤器或者终结点本身</param> /// <returns></returns> //async public override Task OnActionExecutionAsync(ActionExecutingContext context, ActionExecutionDelegate next) //{ // var descriptor = context.ActionDescriptor; // // 当未标记为 AllowAnonymous 时再执行 // if (!descriptor.EndpointMetadata.Any(p => p is IAllowAnonymous)) // { // context.HttpContext.Request.Headers.TryGetValue("token", out var tokens); // var token = tokens.FirstOrDefault(); // if (string.IsNullOrWhiteSpace(token)) // { // //如果没有token 直接返回 // context.Result = new UnauthorizedResult();//直接返回401 统一请求返回的话,这里修改成统一需要登录的请求实体 // } // else // { // var redisKey = $"_APP_Token_{token}"; // //存在token // var userInfo = RedisClient.GetValue<CommonUserModel>(redisKey); // if (userInfo == null) // { // context.Result = new UnauthorizedResult();//直接返回401 统一请求返回的话,这里修改成统一需要登录的请求实体 // return; // } // // RedisClient.SetValue(redisKey, userInfo, 180 * 24 * 60);//180天内登录一次就重新置成180天 暂时不启用,重复写入性能影响大,一个月写入一次。 写入缓存时需要设计 cachetime // await next(); // } // } //} /// <summary> /// 请求接口时进行拦截处理 /// </summary> /// <param name="context"></param> public void OnActionExecuting(ActionExecutingContext context) { //LawcaseEvidenceFilePreview if (context.ActionDescriptor.EndpointMetadata.Any(it => it.GetType() == typeof(NoLDAPPLoginFilter))) { return; } //Action 名称过滤 if (context.ActionDescriptor.DisplayName.Contains("ActionName")) { return; } //var ret = new Models.Commons.ResultInfoModel(); var ret = new AjaxResult(); try { //获取请求头中的Token var tokenobj = context.HttpContext.Request.Headers["Authorization"].ToString(); if (string.IsNullOrEmpty(tokenobj)) { ret.state = (int)ResultCodeEnum.ApiUnauthorized; ret.message = "接口未授权"; context.Result = new JsonResult(ret); return; } //读取配置文件中 的 秘钥 var secretKey = ConfigurationManager.JwtTokenConfig["Secret"]; string token = tokenobj.Split(" ")[1].ToString();//剔除Bearer string userId = string.Empty; string mobile = string.Empty;//用户手机号 //var token = getToken(context); //验证jwt,同时取出来jwt里边的用户ID TokenType tokenType = _tokenHelper.ValiTokenState(token, secretKey , a => a["iss"] == "test.cn" && a["aud"] == "test" , action => { userId = action["id"]; mobile = action["phone_number"]; }); if (tokenType == TokenType.FormError) { ret.state = (int)ResultCodeEnum.ApiUnauthorized; ret.message = "登录失效,请重新登录!";//token非法 context.Result = new JsonResult(ret); return; } if (tokenType == TokenType.Fail) { ret.state = (int)ResultCodeEnum.ApiUnauthorized; ret.message = "用户信息验证失败!";//token验证失败 context.Result = new JsonResult(ret); return; } if (tokenType == TokenType.Expired) { ret.state = (int)ResultCodeEnum.ApiUnauthorized; ret.message = "登录失效,请重新登录!"; context.Result = new JsonResult(ret); return; } if (string.IsNullOrEmpty(userId)) { //获取用户编号失败时,阻止用户继续访问接口 ret.state = (int)ResultCodeEnum.Error; ret.message = "用户信息丢失"; context.Result = new JsonResult(ret); return; } //自定义代码逻辑, 取出token中的 用户编号 进行 用户合法性验证即可 //。。。。。。。 } catch (Exception ex) { ret.state = (int)ResultCodeEnum.Error; ret.message = "请求来源非法" + ex.Message.ToString(); context.Result = new JsonResult(ret); return; } } }
/// <summary> /// /// </summary> public interface ITokenHelper { /// <summary> /// Token验证 /// </summary> /// <param name="encodeJwt">token</param> /// <param name="secretKey">secretKey</param> /// <param name="validatePayLoad">自定义各类验证; 是否包含那种申明,或者申明的值</param> /// <returns></returns> bool ValiToken(string encodeJwt, string secretKey, Func<Dictionary<string, string>, bool> validatePayLoad = null); /// <summary> /// 带返回状态的Token验证 /// </summary> /// <param name="encodeJwt">token</param> /// <param name="secretKey">secretKey</param> /// <param name="validatePayLoad">自定义各类验证; 是否包含那种申明,或者申明的值</param> /// <param name="action"></param> /// <returns></returns> TokenType ValiTokenState(string encodeJwt, string secretKey, Func<Dictionary<string, string>, bool> validatePayLoad, Action<Dictionary<string, string>> action); }
/// <summary> /// /// </summary> public class TokenHelper : ITokenHelper { /// <summary> /// 验证身份 验证签名的有效性 /// </summary> /// <param name="encodeJwt"></param> /// <param name="secretKey">配置文件中取出来的签名秘钥</param> /// <param name="validatePayLoad">自定义各类验证; 是否包含那种申明,或者申明的值, </param> public bool ValiToken(string encodeJwt, string secretKey, Func<Dictionary<string, string>, bool> validatePayLoad = null) { var success = true; var jwtArr = encodeJwt.Split('.'); if (jwtArr.Length < 3)//数据格式都不对直接pass return false; var payLoad = JsonConvert.DeserializeObject<Dictionary<string, string>>(Base64UrlEncoder.Decode(jwtArr[1])); //配置文件中取出来的签名秘钥 var hs256 = new HMACSHA256(Encoding.ASCII.GetBytes(secretKey)); //验证签名是否正确(把用户传递的签名部分取出来和服务器生成的签名匹配即可) success = success && string.Equals(jwtArr[2], Base64UrlEncoder.Encode(hs256.ComputeHash(Encoding.UTF8.GetBytes(string.Concat(jwtArr[0], ".", jwtArr[1]))))); if (!success) return success;//签名不正确直接返回 //其次验证是否在有效期内(也应该必须) var now = ToUnixEpochDate(DateTime.UtcNow); success = success && (now >= long.Parse(payLoad["nbf"].ToString()) && now < long.Parse(payLoad["exp"].ToString())); //不需要自定义验证不传或者传递null即可 if (validatePayLoad == null) return true; //再其次 进行自定义的验证 success = success && validatePayLoad(payLoad); return success; } /// <summary> /// 时间转换 /// </summary> /// <param name="date"></param> /// <returns></returns> private long ToUnixEpochDate(DateTime date) { return (long)Math.Round((date.ToUniversalTime() - new DateTimeOffset(1970, 1, 1, 0, 0, 0, TimeSpan.Zero)).TotalSeconds); } /// <summary> /// /// </summary> /// <param name="encodeJwt"></param> /// <param name="secretKey"></param> /// <param name="validatePayLoad"></param> /// <param name="action"></param> /// <returns></returns> public TokenType ValiTokenState(string encodeJwt, string secretKey, Func<Dictionary<string, string>, bool> validatePayLoad, Action<Dictionary<string, string>> action) { //iss: jwt签发者 //sub: jwt所面向的用户 //aud: 接收jwt的一方 //exp: jwt的过期时间,这个过期时间必须要大于签发时间 //nbf: 定义在什么时间之前,该jwt都是不可用的 //iat: jwt的签发时间 //jti: jwt的唯一身份标识,主要用来作为一次性token,从而回避重放攻击 var jwtArr = encodeJwt.Split('.'); if (jwtArr.Length < 3)//数据格式都不对直接pass return TokenType.FormError; //var header = JsonConvert.DeserializeObject<Dictionary<string, string>>(Base64UrlEncoder.Decode(jwtArr[0])); var payLoad = JsonConvert.DeserializeObject<Dictionary<string, string>>(Base64UrlEncoder.Decode(jwtArr[1])); var hs256 = new HMACSHA256(Encoding.ASCII.GetBytes(secretKey)); //验证签名是否正确(把用户传递的签名部分取出来和服务器生成的签名匹配即可) if (!string.Equals(jwtArr[2], Base64UrlEncoder.Encode(hs256.ComputeHash(Encoding.UTF8.GetBytes(string.Concat(jwtArr[0], ".", jwtArr[1])))))) return TokenType.FormError; var now = ToUnixEpochDate(DateTime.UtcNow); var nbf = long.Parse(payLoad["nbf"].ToString()); var exp = long.Parse(payLoad["exp"].ToString()); if (!(now >= nbf && now < exp)) { action(payLoad); return TokenType.Expired; } //不需要自定义验证不传或者传递null即可 if (validatePayLoad == null) { action(payLoad); return TokenType.Ok; } //再其次 进行自定义的验证 if (!validatePayLoad(payLoad)) return TokenType.Fail; //可能需要获取jwt摘要里边的数据,封装一下方便使用 action(payLoad); return TokenType.Ok; } }
public class TokenManagement { public string Secret { get; set; } public string Issuer { get; set; } public string Audience { get; set; } public int AccessExpiration { get; set; } public int RefreshExpiration { get; set; } }
public class NoLDAPPLoginFilter : Attribute, IActionFilter { public void OnActionExecuted(ActionExecutedContext context) { } public void OnActionExecuting(ActionExecutingContext context) { //var ret = new Models.Commons.ResultInfoModel(); //ret.Head.ErrorCode = 1000; //ret.Head.Msg = "成功!"; //context.Result = new JsonResult(ret); } }
/// <summary> /// 设置该方法不会进行AES加密和解密操作,直接传入参数和响应结果 /// </summary> [AttributeUsage(AttributeTargets.All, AllowMultiple = false, Inherited = true)] public class NoAESMiddlewareAttribute : Attribute { }
public class Startup { public Startup(IConfiguration configuration) { Configuration = configuration; LD.Code.ConfigurationManager.Configure(Configuration); //注册日志功能 LD.Code.LogFactory.ResisterLogger(); } public IConfiguration Configuration { get; } // This method gets called by the runtime. Use this method to add services to the container. public void ConfigureServices(IServiceCollection services) { //services.AddSwaggerGen(options => //{ // #region 文档格式化 // options.SwaggerDoc("v1", new OpenApiInfo // { // Version = "V1", // Title = "ASP.NET CORE WepbApi 3.1", // Description = "基于Asp.Net Core 3.1 实现文件上传下载", // Contact = new OpenApiContact // { // Name = "律盾", // Email = "lvduntech@lvdun.com" // }, // License = new OpenApiLicense // { // Name = "许可证", // } // }); // options.DocumentFilter<HiddenApiFilter>(); // #endregion //}); services.AddSwaggerGen(c => { c.SwaggerDoc("v1", new OpenApiInfo { Title = "XXX服务接口", Version = "v1" }); // 获取xml文件名 var xmlFile = $"{Assembly.GetExecutingAssembly().GetName().Name}.xml"; // 获取xml文件路径 var xmlPath = Path.Combine(AppContext.BaseDirectory, xmlFile); // 添加控制器层注释,true表示显示控制器注释 c.IncludeXmlComments(xmlPath, true); ////LD.Domain.xml //xmlFile = "LD.Domain.xml"; //xmlPath = Path.Combine(AppContext.BaseDirectory, xmlFile); //c.IncludeXmlComments(xmlPath, true); ////LD.Code.xml //xmlFile = "LD.Code.xml"; //xmlPath = Path.Combine(AppContext.BaseDirectory, xmlFile); //c.IncludeXmlComments(xmlPath, true); c.ResolveConflictingActions(apiDescriptions => apiDescriptions.First()); c.DocumentFilter<HiddenApiFilter>(); }); services.Configure<TokenManagement>(Configuration.GetSection("JwtTokenConfig")); var token = Configuration.GetSection("JwtTokenConfig").Get<TokenManagement>(); services.AddAuthentication(x => { x.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; x.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; }).AddJwtBearer(x => { x.RequireHttpsMetadata = false; x.SaveToken = true; x.TokenValidationParameters = new TokenValidationParameters { ValidateIssuerSigningKey = true, IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(token.Secret)), ValidIssuer = token.Issuer, ValidAudience = token.Audience, ValidateIssuer = false, ValidateAudience = false }; }); LD.Services.RegisterIoc.Register(services); // ActionExecutingContext services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>(); services.AddTransient<ITokenHelper, TokenHelper>(); services.AddScoped<NoLDAPPLoginFilter>(); services.AddScoped<LDAPPLoginFilter>(); services.AddControllers(); //跨域 var corsstring = Configuration.GetSection("Cors").Value; string[] corsarray = corsstring.Split(','); services.AddCors(options => options.AddPolicy("CorsPolicy", builder => { builder.AllowAnyMethod().AllowAnyHeader() .WithOrigins(corsarray) .AllowCredentials(); })); } // This method gets called by the runtime. Use this method to configure the HTTP request pipeline. public void Configure(IApplicationBuilder app, IWebHostEnvironment env) { //if (env.IsDevelopment()) //{ // app.UseDeveloperExceptionPage(); //} DocExpansion swaggeerDoc; //if (env.IsDevelopment()) //{ app.UseDeveloperExceptionPage(); swaggeerDoc = DocExpansion.List; //添加Swagger有关中间件 app.UseSwagger(); app.UseSwaggerUI(c => { c.SwaggerEndpoint("/swagger/v1/swagger.json", "FileServerAPI v1"); c.RoutePrefix = string.Empty; c.DocExpansion(DocExpansion.None); }); //} //else //{ // swaggeerDoc = DocExpansion.None; //} app.UseStaticFiles(); //app.UseStaticFiles(new StaticFileOptions //{ //设置不限制content-type // ServeUnknownFileTypes = true //}); app.UseHttpsRedirection(); app.UseRouting();//1.路由 app.UseCors("CorsPolicy"); app.UseAuthentication();//2.认证 app.UseAuthorization();//3.授权 app.UseEndpoints(endpoints => { endpoints.MapControllers(); }); //app.UseSwagger(); //app.UseSwaggerUI(c => //{ // c.SwaggerEndpoint("/swagger/v1/swagger.json", "API V1"); //}); } }
public class Enum { /// <summary> /// 系统数据返回状态 /// </summary> public enum ResultCodeEnum { /// <summary> /// 失败 /// </summary> [Description("失败")] Error = 0, /// <summary> /// 成功 /// </summary> [Description("成功")] Success = 1, /// <summary> /// 接口未授权 /// </summary> [Description("接口未授权")] ApiUnauthorized = 401 } /// <summary> /// /// </summary> public enum TokenType { /// <summary> /// 验证成功 /// </summary> [Description("验证成功")] Ok, /// <summary> /// 验证失败 /// </summary> [Description("验证失败")] Fail, /// <summary> /// Token失效 /// </summary> [Description("Token失效")] Expired, /// <summary> /// Token非法 /// </summary> [Description("Token非法")] FormError } }
