当前位置:首页 > 使用 JWT 保护好你的 Lumen

使用 JWT 保护好你的 Lumen

发布于 2018-06-06 阅读 321 次 框架 Lumen PHP

依赖

lumen:5.6
php:   7.0

jwt-auth 安装

composer require tymon/jwt-auth:"^1.0@dev"
#指定安装1.0的版本,0.5版本 lumen下有问题

注册服务

启动文件 bootstrap/app.php 中添加

// 取消 AuthServiceProvider注释,开启 Auth 认证服务
$app->register(App\Providers\AuthServiceProvider::class);

// 注册 JWTAuth 服务
$app->register(Tymon\JWTAuth\Providers\LumenServiceProvider::class);

注册 auth 认证中间件 bootstrap/app.php

$app->routeMiddleware([
    'auth' => App\Http\Middleware\Authenticate::class,
]);

生成密钥

php artisan jwt:secret
#会在 .env 中生成 JWT_SECRET

配置 user 认证模型

app/Models/User.php

namespace App\Models;

use Illuminate\Auth\Authenticatable;
use Laravel\Lumen\Auth\Authorizable;
use Illuminate\Database\Eloquent\Model;
use Tymon\JWTAuth\Contracts\JWTSubject;
use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableContract;
use Illuminate\Contracts\Auth\Access\Authorizable as AuthorizableContract;

class User extends Model implements AuthenticatableContract, AuthorizableContract,JWTSubject
{
    use Authenticatable, Authorizable;

    protected $table = 'users';

    /**
     * The attributes that are mass assignable.
     *
     * @var array
     */
    protected $fillable = [
        'name', 'email',
    ];

    /**
     * The attributes excluded from the model's JSON form.
     *
     * @var array
     */
    protected $hidden = [
        'password',
    ];

    // Rest omitted for brevity

    /**
     * Get the identifier that will be stored in the subject claim of the JWT.
     *
     * @return mixed
     */
    public function getJWTIdentifier()
    {
        return $this->getKey();
    }

    /**
     * Return a key value array, containing any custom claims to be added to the JWT.
     *
     * @return array
     */
    public function getJWTCustomClaims()
    {
        return [];
    }

}

配置 auth 认证

添加默认api认证 config/auth.php 关于 config 配置文件使用可以查看 Lumen的配置文件使用

'defaults' => [
    'guard'     => 'api',
    'passwords' => 'users',
],

配置 api 认证驱动和服务

'guards' => [
    'api' => [
        'driver'   => 'jwt',  // jwt 认证
        'provider' => 'user',
    ],
],

配置 api.user 服务

'providers' => [
    'user' => [
        'driver' => 'eloquent',              // 驱动类型
        'model'  => App\Models\User::class,  // user 模型
    ],
],

登陆授权,发放令牌

用户登陆后,生成令牌返回给客户端
登陆控制器中:Http/Auth/AuthController.php

/**
 * 用户登陆
 *
 * @param Request $request
 * @return \Illuminate\Http\JsonResponse json
 */
public function login(Request $request)
{
    $credentials = $credentials = $request->only('email', 'password');

    $token = app('auth')->attempt($credentials);
    if (! $token ) {
        return response()->json(['error' => 'Unauthorized'], 401);
    }

    return response()->json(compact('token'));
}

//token 返回:
//"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9sdS5sb2NhbC5jb21cL3NpZ25pbiIsImlhdCI6MTUyODI4MTQ1MCwiZXhwIjoxNTI4MjgxNTEwLCJuYmYiOjE1MjgyODE0NTAsImp0aSI6ImRuV010S2x0a201dktyNm4iLCJzdWIiOjgsInBydiI6IjIzYmQ1Yzg5NDlmNjAwYWRiMzllNzAxYzQwMDg3MmRiN2E1OTc2ZjcifQ.yzdN5Q9y8RaJpVW8-uqPdYAAJ6bHhmE28JBa9_IH7I0"

权限校验

给需要登陆权限的模块添加 api.auth 认证中间件

$router->group(['middleware' => 'api.auth'], function () use ($router) {

    $router->post('/admin', 'Admin\IndexController@index');
    ...
    //需要登陆认证的controller
});

构造请求

客户端在登陆获取返回的 token 后,每次携带上 token 就可以访问相关受保护的接口了

方法一:在header头中添加 Authorization 认证

Authorization: Bearer token

//for example:
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9sdS5sb2NhbC5jb21cL3NpZ25pbiIsImlhdCI6MTUyODI4MTQ1MCwiZXhwIjoxNTI4MjgxNTEwLCJuYmYiOjE1MjgyODE0NTAsImp0aSI6ImRuV010S2x0a201dktyNm4iLCJzdWIiOjgsInBydiI6IjIzYmQ1Yzg5NDlmNjAwYWRiMzllNzAxYzQwMDg3MmRiN2E1OTc2ZjcifQ.yzdN5Q9y8RaJpVW8-uqPdYAAJ6bHhmE28JBa9_IH7I0

图示

方法二:在请求参数中携带 token

//for example:
token : eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9sdS5sb2NhbC5jb21cL3NpZ25pbiIsImlhdCI6MTUyODI4MTQ1MCwiZXhwIjoxNTI4MjgxNTEwLCJuYmYiOjE1MjgyODE0NTAsImp0aSI6ImRuV010S2x0a201dktyNm4iLCJzdWIiOjgsInBydiI6IjIzYmQ1Yzg5NDlmNjAwYWRiMzllNzAxYzQwMDg3MmRiN2E1OTc2ZjcifQ.yzdN5Q9y8RaJpVW8-uqPdYAAJ6bHhmE28JBa9_IH7I0

图示

JWT常用配置

常用配置

//用于加密生成 token 的 secret
JWT_SECRET = secret_str

//token 有效的时间长度(以分钟为单位),默认为1小时
//可以将其设置为空,以产生永不过期的标记
JWT_TTL = 60

//token 刷新的时间(以分钟为单位)。默认的时间为 2 周
JWT_REFRESH_TTL = 20160

//token 签名的散列算法。
JWT_ALGO = 'HS256'

jwt配置文件位置

/vendor/tymon/jwt-auth/config/config.php