JWT:
JSON WEB TOKEN 用来解决跨域认证的问题,服务器认证后,生成JSON对象返回给客户端,服务器不保存session数据,所有数据都保存在客户端,每次请求都发回给服务器.
JWT结构:
image.png
http://www.ruanyifeng.com/blog/2018/07/json_web_token-tutorial.html
1. header
{
"alg": "HS256", // 签名的算法默认是 HMAC SHA256
"typ": "JWT" // 令牌的类型
}
2. payload
官方规定了7个官方字段
- iss (issuer):签发人
- exp (expiration time):过期时间
- sub (subject):主题
- aud (audience):受众
- nbf (Not Before):生效时间
- iat (Issued At):签发时间
- jti (JWT ID):编号
除了官方字段,可更具自己的服务自定义字段如:
{
"account": "123",
"role": "superAdmin"
}
3. signature
对前面两个部分的签名。防止数据被篡改。使用header中指定的签名算法(默认是HMAC SHA256),按照下面的公式产生签名
HAMCSHA256(
base64UrlEncode(header) + '.' +
base64UrlEncode(payload),
secret // 密钥,这个密钥只有服务器知道
)
nest实现jwt
流程
- 客户端用户进行登录请求
- 服务端拿到请求后,根据参数查询用户表
- 若匹配到用户,将用户信息进行签证,并颁发token
- 客户端拿到token后,存储在某一个地方,在之后的请求中都带上token
- 服务端收到带token的请求后,直接根据签证进行校验,无需进行查询用户信息
1 用户登录
user.controller.ts
@Post('login')
async login(
@Body()
data: LoginUserDto,
): Promise<THttpResponse<LoginUserCmd>> {
// 前端加密密码需要解密
// data.password = this.utilService.encryption(data.password);
data.password = this.utilService.decryption(data.password);
let result = await this.userService.login(data);
// 业务错误直接返回
if (result.errorCode) {
return result;
}
// 颁发 token
const tokenInfo = await this.authService.genToken({
account: result.account,
name: result.name,
roles: result.roles,
permissions: result.permissions,
department: result.department,
number: result.number,
email: result.email,
type: result.type,
});
result.accesstoken = tokenInfo.accesstoken;
result.refreshToken = tokenInfo.refreshToken;
return { result };
}
2. 颁发token
auth.service.ts:
@Injectable()
export class AuthService {
constructor(
private readonly userService: UserService,
private readonly jwtService: JwtService,
) // private readonly redisService: RedisService,
{}
// 生成 accesstoken refreshToken
async genToken(payload: JwtPayload): Promise<any> {
const accesstoken = this.jwtService.sign(payload);
const refreshToken = this.jwtService.sign(payload, {
expiresIn: jwtConstants.refreshTokenExpiresIn,
});
return { accesstoken, refreshToken };
}
auth.module.ts
import { forwardRef, Module } from '@nestjs/common';
import { JwtModule } from '@nestjs/jwt';
import { PassportModule } from '@nestjs/passport';
import { UserModule } from '../user/user.module';
import { AuthService } from './auth.service';
import { jwtConstants } from './constants';
import { JwtStrategy } from './strategies/jwt.strategy';
@Module({
imports: [
forwardRef(() => UserModule),
PassportModule,
JwtModule.register({
secret: jwtConstants.secret,
signOptions: { expiresIn: jwtConstants.accessTokenExpiresIn },
}),
],
providers: [AuthService, JwtStrategy],
exports: [AuthService],
})
export class AuthModule {}
3. 验证获取token
jwt.strategy.ts:
import { Injectable } from '@nestjs/common';
import { PassportStrategy } from '@nestjs/passport';
import { ExtractJwt, Strategy } from 'passport-jwt';
import { jwtConstants } from '../constants';
import { JwtPayload } from '../jwt-payload.interface';
import { getNamespace } from 'cls-hooked';
import { PublicJwtPayload } from '../public-jwt-payload.interface';
@Injectable()
export class JwtStrategy extends PassportStrategy(Strategy) {
constructor() {
super({
jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
ignoreExpiration: false,
secretOrKey: jwtConstants.secret,
});
}
async validate(payload: JwtPayload & PublicJwtPayload) {
if (payload.clientId) {
// 公共接口部分
return {
clientId: payload.clientId,
secret: payload.secret,
};
} else {
// 全局注入用户信息
getNamespace('create-nest-app').set('user', {
id: payload.id,
account: payload.account,
number: payload.number,
});
// 返回的对象注入到 request.user
return {
account: payload.account,
name: payload.name,
roles: payload.roles,
permissions: payload.permissions,
department: payload.department,
number: payload.number,
email: payload.email,
type: payload.type,
};
}
}
}
