135 lines
4.2 KiB
PHP
135 lines
4.2 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Middleware;
|
|
|
|
use App\Model\ApiKey;
|
|
use App\Model\User;
|
|
use Hyperf\HttpServer\Contract\ResponseInterface as HttpResponse;
|
|
use Psr\Http\Message\ResponseInterface;
|
|
use Psr\Http\Message\ServerRequestInterface;
|
|
use Psr\Http\Server\MiddlewareInterface;
|
|
use Psr\Http\Server\RequestHandlerInterface;
|
|
use Qbhy\HyperfAuth\AuthManager;
|
|
use Qbhy\HyperfAuth\Exception\UnauthorizedException;
|
|
|
|
class AuthMiddleware implements MiddlewareInterface
|
|
{
|
|
public function __construct(
|
|
protected AuthManager $auth,
|
|
protected HttpResponse $response
|
|
) {
|
|
}
|
|
|
|
public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
|
|
{
|
|
// 1. 尝试 JWT Bearer Token 认证
|
|
$bearer_token = $this->extractBearerToken($request);
|
|
if ($bearer_token !== null) {
|
|
return $this->authenticateByJwt($request, $handler);
|
|
}
|
|
|
|
// 2. 尝试 API Key 认证
|
|
$api_key = $request->getHeaderLine('X-API-Key');
|
|
if ($api_key !== '') {
|
|
return $this->authenticateByApiKey($api_key, $request, $handler);
|
|
}
|
|
|
|
// 3. 无认证凭据
|
|
return $this->response->json([
|
|
'code' => 401,
|
|
'message' => '未授权,请先登录',
|
|
])->withStatus(401);
|
|
}
|
|
|
|
/**
|
|
* JWT Token 认证
|
|
*/
|
|
protected function authenticateByJwt(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
|
|
{
|
|
try {
|
|
$user = $this->auth->guard('jwt')->user();
|
|
|
|
if (!$user) {
|
|
return $this->response->json([
|
|
'code' => 401,
|
|
'message' => '未授权,请先登录',
|
|
])->withStatus(401);
|
|
}
|
|
|
|
// 检查用户状态
|
|
if ($user instanceof User && $user->status !== 1) {
|
|
return $this->response->json([
|
|
'code' => 403,
|
|
'message' => '账号已被禁用',
|
|
])->withStatus(403);
|
|
}
|
|
} catch (UnauthorizedException $e) {
|
|
return $this->response->json([
|
|
'code' => 401,
|
|
'message' => 'Token 无效或已过期',
|
|
])->withStatus(401);
|
|
} catch (\Throwable $e) {
|
|
return $this->response->json([
|
|
'code' => 500,
|
|
'message' => '认证失败: ' . $e->getMessage(),
|
|
])->withStatus(500);
|
|
}
|
|
|
|
return $handler->handle($request);
|
|
}
|
|
|
|
/**
|
|
* API Key 认证
|
|
*/
|
|
protected function authenticateByApiKey(string $plain_key, ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
|
|
{
|
|
$api_key = ApiKey::findByPlainKey($plain_key);
|
|
|
|
if (!$api_key) {
|
|
return $this->response->json([
|
|
'code' => 401,
|
|
'message' => 'API Key 无效或已过期',
|
|
])->withStatus(401);
|
|
}
|
|
|
|
$user = $api_key->user;
|
|
|
|
if (!$user || $user->status !== 1) {
|
|
return $this->response->json([
|
|
'code' => 403,
|
|
'message' => '账号已被禁用',
|
|
])->withStatus(403);
|
|
}
|
|
|
|
// 更新最后使用时间
|
|
$api_key->last_used_at = \Carbon\Carbon::now();
|
|
$api_key->save();
|
|
|
|
// 通过 JWT guard 登录用户,生成 token 并注入请求头,使后续代码可通过 auth->guard('jwt')->user() 获取用户
|
|
$token = $this->auth->guard('jwt')->login($user);
|
|
$request = $request->withHeader('Authorization', 'Bearer ' . $token);
|
|
|
|
// 将带 Authorization 头的新请求写回协程 Context,确保 JwtGuard 代理对象能读到
|
|
\Hyperf\Context\Context::set(ServerRequestInterface::class, $request);
|
|
|
|
return $handler->handle($request);
|
|
}
|
|
|
|
/**
|
|
* 从请求头提取 Bearer Token
|
|
*/
|
|
protected function extractBearerToken(ServerRequestInterface $request): ?string
|
|
{
|
|
$header = $request->getHeaderLine('Authorization');
|
|
|
|
if ($header !== '' && str_starts_with($header, 'Bearer ')) {
|
|
$token = substr($header, 7);
|
|
return $token !== '' ? $token : null;
|
|
}
|
|
|
|
return null;
|
|
}
|
|
}
|