修复jwt安全问题，新增server.jwtKey配置，不配置则使用server.projectName

demozx · Aug 19, 2024 · be702ad · be702ad
1 parent 6e62bf9
commit be702ad
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 2 deletions.
diff --git a/internal/logic/auth/auth.go b/internal/logic/auth/auth.go
@@ -3,6 +3,7 @@ package auth
 import (
 	"context"
 	"gf_cms/internal/logic/admin"
+	"gf_cms/internal/logic/util"
 	"gf_cms/internal/model"
 	"gf_cms/internal/service"
 	"time"
@@ -33,8 +34,8 @@ func init() {
 	service.RegisterAuth(New())
 
 	auth := jwt.New(&jwt.GfJWTMiddleware{
-		Realm:           "test zone",
-		Key:             []byte("secret key"),
+		Realm:           util.Util().ProjectName() + "_backend",
+		Key:             []byte(util.Util().JwtKey()),
 		Timeout:         time.Minute * 5,
 		MaxRefresh:      time.Minute * 5,
 		IdentityKey:     "id",

diff --git a/internal/logic/util/util.go b/internal/logic/util/util.go
@@ -78,6 +78,15 @@ func (*sUtil) ProjectName() string {
 	return ProjectName.String()
 }
 
+// JwtKey 获取JwtKey
+func (*sUtil) JwtKey() string {
+	jwtKey := Util().GetConfig("server.jwtKey")
+	if jwtKey == "" {
+		return ProjectName.String()
+	}
+	return jwtKey
+}
+
 // SystemRoot 获取SystemRoot
 func (*sUtil) SystemRoot() string {
 	return SystemRoot

diff --git a/internal/service/util.go b/internal/service/util.go
diff --git a/manifest/config/config.yaml.example b/manifest/config/config.yaml.example
@@ -2,6 +2,7 @@ server:
   projectName: "gf_cms"
   backendPrefix: "admin"
   address: ":8001"
+  jwtKey: "" # jwt密钥，不配置将使用projectName，为了安全一定要配置
   openapiPath: "/api.json"
   #  swaggerPath: "/swagger" #使用自定义SwaggerUI,需注释该行
   serverRoot: "resource/public"