
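                ### 第一種 引用第三方

`composer require firebase/php-jwt`

~~~
<?php

namespace app\service;

use Firebase\JWT\ExpiredException;
use Firebase\JWT\JWT;
use Firebase\JWT\Key;

class JwtService
{
    /**
     * Create an HS256-signed token.
     *
     * The payload is only base64url-encoded, not encrypted, so it must not
     * carry anything secret.
     *
     * @param mixed $login_id   stored in the custom `login_id` claim
     * @param mixed $login_type stored in the custom `login_type` claim
     * @param int   $exp        seconds from now until `exp` (default 7 days)
     * @param int   $ttl        extra seconds after `exp` during which
     *                          analyseToken() still exchanges the token for a
     *                          new one (default 24 hours)
     * @return string
     * @throws \RuntimeException when TOKEN_KEY is not configured
     */
    static function createToken($login_id, $login_type, $exp = 7 * 24 * 3600, $ttl = 24 * 3600): string
    {
        $key = self::signingKey();
        // Read the clock once so iat / nbf / exp / ttl are mutually consistent.
        $now = time();

        $payload = array(
            // "iss" => "http://example.org", // not used for now
            // "aud" => "http://example.com", // not used for now
            "iat" => $now,
            "nbf" => $now,
            "exp" => $now + $exp,        // expiry time
            "ttl" => $now + $exp + $ttl, // refresh deadline (custom claim)
            "login_id" => $login_id,
            "login_type" => $login_type,
        );

        return JWT::encode($payload, $key, 'HS256');
    }

    /**
     * Verify a token and report its state through noticeMsg().
     *
     * Result codes built here:
     *   200 - token is valid; carries login_id and login_type
     *   201 - token passed `exp` but is still inside the refresh window;
     *         carries a freshly issued token as well
     *   300 - token is past its refresh deadline
     *
     * JWT::decode() verifies the signature first and then throws
     * ExpiredException once `exp` has passed. Without the catch below the
     * 201 and 300 branches can never run, so the expired-token case is
     * handled explicitly. All other decode failures (bad signature,
     * not-yet-valid, malformed token) still propagate as exceptions and must
     * be caught by the caller.
     *
     * NOTE(review): noticeMsg() is defined elsewhere; its return shape is
     * assumed to be the array this method declares.
     *
     * @param string $token
     * @return array
     * @throws \RuntimeException when TOKEN_KEY is not configured
     */
    static function analyseToken($token): array
    {
        $key = self::signingKey();
        $expired = false;

        try {
            $decode = JWT::decode($token, new Key($key, 'HS256'));
        } catch (ExpiredException $e) {
            // The signature was already checked when this is thrown, so the
            // claims are authentic; only `exp` has passed.
            // NOTE(review): getPayload() is only available on php-jwt
            // releases that attach the payload to the exception - confirm
            // against the installed version. Without it, fail closed.
            $decode = method_exists($e, 'getPayload') ? $e->getPayload() : null;
            if (!is_object($decode)) {
                return noticeMsg(300,"令牌失效");
            }
            $expired = true;
        }

        $now = time();

        // Past the refresh deadline: the token can no longer be exchanged.
        if (!isset($decode->ttl) || $now > $decode->ttl) {
            return noticeMsg(300,"令牌失效");
        }

        // Expired but still refreshable: issue a replacement with default lifetimes.
        if ($expired || $now > $decode->exp) {
            $token = JwtService::createToken($decode->login_id,$decode->login_type);
            return noticeMsg(201,"令牌已刷新 請保存新令牌",[
                'login_id' => $decode->login_id,
                'login_type' => $decode->login_type,
                'token' => $token
            ]);
        }

        return noticeMsg(200,"success",[
            'login_id' => $decode->login_id,
            'login_type' => $decode->login_type,
        ]);
    }

    /**
     * Load the HMAC key from the environment and refuse to continue without one.
     *
     * getenv() returns false when the variable is unset; signing with a
     * missing or empty key would make every token forgeable.
     */
    private static function signingKey(): string
    {
        $key = getenv("TOKEN_KEY");
        if (!is_string($key) || $key === '') {
            throw new \RuntimeException('TOKEN_KEY is not configured');
        }
        return $key;
    }
}
~~~

~~~
標準聲明:JWT標準規定的聲明,但不是必須填寫的;
標準聲明字段:
iss: jwt簽發者
sub: jwt所面向的用戶
aud: 接收jwt的一方
exp: jwt的過期時間,過期時間必須要大于簽發時間
nbf: 定義token在什么時間之前不可用,即某個時間點后才能訪問
iat: jwt的簽發時間
jti: jwt的唯一身份標識,主要用來作為一次性token。
其他聲明:自己定義的字段,因為這部分只是base64url編碼而不是加密,是可以解開的,建議不要加入敏感信息,這里的data就是我自己定義的聲明
ttl : 刷新時間(不是標準聲明,和上面代碼里的 login_id、login_type 一樣是自己定義的字段)
~~~

~~~
public function jwt(Request $request)
{
    // Demo-only literal. A real HS256 key should be a long random secret
    // loaded from configuration, never a short string committed with the code.
    $key = "wml123456789";
    $payload = array(
        "iss" => "http://example.org",
        "aud" => "http://example.com",
        "iat" => time(),
        "nbf" => time(),
        "exp" => time()+2, // expiry time
        "ttl" => time()+4  // refresh deadline (custom claim)
    );

    /**
     * IMPORTANT:
     * You must specify supported algorithms for your application. See
     * https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40
     * for a list of spec-compliant algorithms.
     */
    $jwt = JWT::encode($payload, $key, 'HS256'); // issue the token

    try {
        // The algorithm is pinned through Key, not taken from the token header.
        $decoded = JWT::decode($jwt, new Key($key, 'HS256')); // verify the token
        echo '<pre>';
        var_dump($decoded);
    } catch(\Firebase\JWT\SignatureInvalidException $e) {
        // signature is invalid
        echo $e->getMessage();
    } catch(\Firebase\JWT\BeforeValidException $e) {
        // token is not valid yet
        echo $e->getMessage();
    } catch(\Firebase\JWT\ExpiredException $e) {
        // token has expired
        echo $e->getMessage();
    } catch(\Exception $e) {
        // any other error
        echo $e->getMessage();
    }

    return 'end';
}
~~~

### 手寫的第二種

注意:這個手寫版本生成的token與標準JWT庫不兼容(頭部alg寫的是sha256,簽名是十六進制HMAC再做base64url),正式環境建議優先使用第一種。

生成 token

~~~
$token = (new jwt())->aud('app')->sub($info->id)->ttl(7*24*60)->get_token();
~~~

校驗 token

~~~
$jwt = new jwt();

$res = $jwt->parse_toekn($request); // reject a missing or malformed token
if(is_array($res)) return response(errorMsg($res[1],$res[0]));

$res = $jwt->check_sign(); // verify the signature
if(is_array($res)) return response(errorMsg($res[1],$res[0]));

$res = $jwt->check(); // check expiry
if(is_array($res)) return response(errorMsg($res[1],$res[0]));

// Claims are only trustworthy from here on, after check_sign() has passed.
// ($source is defined outside this snippet.)
if($jwt->body_arr->aud != $source) return response(errorMsg(493,"token 驗證失敗!!"));

// attach the id to the request
return ['login_id' => $jwt->body_arr->sub];
~~~

jwt.php

~~~
<?php
// Hand-written JWT-style token class.
//
// NOTE(review): tokens produced here are not standard JWTs. The header
// advertises 'sha256' rather than the registered name 'HS256', and
// hash_hmac() is called without its binary flag, so the signature segment is
// the base64url encoding of the hex digest. Both are kept as they are because
// changing them would invalidate tokens that are already issued.
class jwt{
    // Algorithm label written into the header `alg` field
    private $alg = 'sha256';
    // Token type
    private $typ = 'JWT';
    // Issuer (declared but never set or read in this class)
    private $iss;
    // Subject
    private $sub = 'token';
    // Audience
    private $aud;
    // Expiry (Unix timestamp) of the parsed or most recently issued token
    private $exp;
    // Not-before time (declared but never set or read in this class)
    private $nbf;
    // Issued-at time
    private $iat;
    // Token id (declared but never set or read in this class)
    private $jti;
    // Token lifetime, in minutes
    private $ttl = 120;
    // Grace period after expiry during which a refresh is allowed, in minutes
    private $refresh_ttl = 240;
    // Encoded header segment
    private $head;
    // Decoded header
    public $head_arr;
    // Encoded payload segment
    private $body;
    // Decoded payload (array after issuing, object after parsing)
    public $body_arr;
    // Signature segment
    private $sign;
    // Full token string
    public $token;
    // HMAC secret
    private $jwt_secret;

    // Load the secret and the optional lifetime overrides from the environment.
    public function __construct(){
        $this->jwt_secret = getenv('JWT_SECRET');
        $this->ttl = getenv('JWT_TTL') ?: $this->ttl;
        $this->refresh_ttl = getenv('JWT_REFRESH_TTL') ?: $this->refresh_ttl;
    }

    // Set the token lifetime (minutes).
    public function ttl($m){
        $this->ttl = $m;
        return $this;
    }

    // Set the refresh grace period (minutes).
    public function refresh_ttl($m){
        $this->refresh_ttl = $m;
        return $this;
    }

    // Set the subject.
    public function sub($m){
        $this->sub = $m;
        return $this;
    }

    // Set the audience.
    public function aud($m){
        $this->aud = $m;
        return $this;
    }

    // Build the header segment.
    protected function set_head(){
        $this->head_arr = [
            'alg' => $this->alg,
            'typ' => $this->typ,
        ];
        $this->head = $this->base64url_encode(json_encode($this->head_arr));
    }

    // Build the payload segment.
    protected function set_body(){
        $this->iat = time();
        // Keep $this->exp in step with the payload so check() and
        // can_refresh() see the token that was just issued.
        $this->exp = $this->iat + $this->ttl * 60;
        $this->body_arr = [
            'sub' => $this->sub,
            'aud' => $this->aud,
            'iat' => $this->iat,
            'exp' => $this->exp,
        ];
        $this->body = $this->base64url_encode(json_encode($this->body_arr));
    }

    // Compute the signature segment for the current head and body, or null
    // when no secret is configured (getenv() returns false for an unset
    // variable, and an empty key would make every token forgeable).
    private function compute_sign(){
        if(!is_string($this->jwt_secret) || $this->jwt_secret === ''){
            return null;
        }
        return $this->base64url_encode(hash_hmac('sha256', $this->head . '.' . $this->body, $this->jwt_secret));
    }

    // Build head and body, then sign them.
    protected function set_sign(){
        $this->set_head();
        $this->set_body();
        $sign = $this->compute_sign();
        if($sign === null){
            throw new \RuntimeException('JWT_SECRET is not configured');
        }
        $this->sign = $sign;
    }

    // Verify the signature of the parsed token.
    // Returns [code, message] on failure and nothing on success; callers test
    // the result with is_array().
    // The algorithm is fixed here and is never taken from the token header.
    public function check_sign(){
        $expected = $this->compute_sign();
        // hash_equals() compares in constant time and, unlike !=, never
        // treats two numeric-looking strings as equal.
        if($expected === null || !is_string($this->sign) || !hash_equals($expected, $this->sign)){
            return [493, 'token簽名錯誤'];
        }
    }

    // Assemble the token string.
    protected function set_token(){
        $this->set_sign();
        $this->token = $this->head . '.' . $this->body . '.' . $this->sign;
    }

    // Re-issue the token and return it.
    protected function reset_token(){
        $this->set_token();
        return $this->token;
    }

    // Return the current token, issuing one first if none exists.
    public function get_token(){
        if($this->token){
            return $this->token;
        }
        return $this->reset_token();
    }

    // Supply a token to be parsed.
    public function add_token($token){
        $this->token = $token;
        return $this;
    }

    // Split a token into its segments and decode header and payload.
    // The token is taken from $request->token, then from add_token(), then
    // from the second word of the Authorization header.
    // Returns [code, message] on failure, $this on success.
    //
    // This does NOT verify the signature: head_arr, body_arr and the expiry
    // are attacker-controlled until check_sign() has passed.
    public function parse_toekn($request){
        $token = $request->token ?? '';
        $token = $token ? $token : $this->token;
        if(!$token){
            // fall back to the Authorization header
            $app_token = $request->header('Authorization', '');
            if(empty($app_token)){
                return [493,"token格式不正確"];
            }
            $token = explode(' ', $app_token);
            if(!isset($token[1])) return [493,"token不存在"];
            $token = $token[1];
        }

        // Reject anything that is not exactly three dot-separated segments
        // before indexing into it.
        if(!is_string($token)){
            return [493,"token格式不正確"];
        }
        $arr = explode('.', $token);
        if(count($arr) !== 3){
            return [493,"token格式不正確"];
        }

        // Segments are base64url; plain base64_decode() silently drops '-'
        // and '_' and would corrupt the decoded JSON.
        $head_arr = json_decode($this->base64url_decode($arr[0]));
        $body_arr = json_decode($this->base64url_decode($arr[1]));
        if(!is_object($head_arr) || !is_object($body_arr)){
            return [493,"token格式不正確"];
        }

        $this->token = $token;
        $this->head = $arr[0];
        $this->head_arr = $head_arr;
        $this->body = $arr[1];
        $this->body_arr = $body_arr;
        // A token without exp is treated as expired by check().
        $this->exp = $body_arr->exp ?? null;
        $this->sign = $arr[2];
        return $this;
    }

    // Check that the token has not expired.
    // Returns [code, message] on failure, $this on success.
    public function check(){
        if(!is_numeric($this->exp) || $this->exp < time()){
            return [493, 'token過期'];
        }
        return $this;
    }

    // Issue a new token carrying the same sub and aud as the current one.
    // Returns the new token string, or [code, message] when the current token
    // may not be refreshed.
    public function refresh_token(){
        // Never mint a fresh, validly signed token from claims whose
        // signature has not been verified.
        $res = $this->check_sign();
        if(is_array($res)) return $res;

        // The result of can_refresh() has to be honoured, otherwise the
        // refresh window is never enforced.
        $res = $this->can_refresh();
        if(is_array($res)) return $res;

        // body_arr is an object after parsing and an array after issuing.
        $claims = (object) $this->body_arr;
        $this->sub = $claims->sub;
        $this->aud = $claims->aud;
        return $this->reset_token();
    }

    // Whether the current token is still inside its refresh window.
    // Returns [code, message] when it is not, $this when it is.
    private function can_refresh(){
        if(!$this->token){
            return [493, 'token不存在'];
        }
        if(!is_numeric($this->exp) || $this->exp < (time() - $this->refresh_ttl * 60)){
            return [493, 'token刷新期已過'];
        }
        return $this;
    }

    // base64url-encode without padding.
    protected function base64url_encode($data) {
        return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
    }

    // Inverse of base64url_encode(); returns '' for input that is not valid base64url.
    private function base64url_decode($data) {
        $data = strtr($data, '-_', '+/');
        $data .= str_repeat('=', (4 - strlen($data) % 4) % 4);
        $decoded = base64_decode($data, true);
        return $decoded === false ? '' : $decoded;
    }
}
~~~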