From a9718e0504079b3ebfc206df7410c9e7bf6a78ee Mon Sep 17 00:00:00 2001
From: wanglei <34475144@qqcom>
Date: Thu, 13 Nov 2025 23:01:04 +0800
Subject: [PATCH] =?UTF-8?q?=E5=AF=B9=E4=BC=98=E5=8C=96=E4=BB=A3=E7=A0=81?=
 =?UTF-8?q?=E8=BF=9B=E8=A1=8C=E6=B5=8B=E8=AF=95=EF=BC=8C=E5=B9=B6=E8=BF=94?=
 =?UTF-8?q?=E5=9B=9E=E6=AD=A3=E7=A1=AE=E7=9A=84=E6=95=B0=E6=8D=AE=E5=86=85?=
 =?UTF-8?q?=E5=AE=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 src/api/oauth/oauth.lua     | 18 ------------------
 src/service/oauth/oauth.lua | 31 ++++++++++++++++---------------
 src/util/authcode.lua       |  8 ++++++--
 3 files changed, 22 insertions(+), 35 deletions(-)

diff --git a/src/api/oauth/oauth.lua b/src/api/oauth/oauth.lua
index 1892641..4aeb27b 100644
--- a/src/api/oauth/oauth.lua
+++ b/src/api/oauth/oauth.lua
@@ -25,36 +25,18 @@ local routes = {
         methods = { "GET", "POST" },
         handler = oauthService.token,
     },
-    --通过用户名和密码进行验证
-    {
-        paths = { "/yum/v1/oauth/v2/login" },
-        methods = { "POST" },
-        handler = oauthService.login,
-    },
     --根据Access-Token获取相应用户的账户信息
     {
         paths = { "/yum/v1/oauth/v2/userinfo" },
         methods = { "POST" },
         handler = oauthService.userinfo,
     },
-    --回收Access-Token
-    {
-        paths = { "/yum/v1/oauth/v2/logout" },
-        methods = { "POST" },
-        handler = oauthService.logout,
-    },
     --根据Refresh-Token刷新Access-Token
     {
         paths = { "/yum/v1/oauth/v2/refresh" },
         methods = { "GET", "POST" },
         handler = oauthService.refresh,
     },
-    --验证token是否有效
-    {
-        paths = { "/yum/v1/oauth/v2/checklogin" },
-        methods = { "POST" },
-        handler = oauthService.checklogin,
-    },
 }
 
 -- 初始化路由
diff --git a/src/service/oauth/oauth.lua b/src/service/oauth/oauth.lua
index 4da0608..a60c1da 100644
--- a/src/service/oauth/oauth.lua
+++ b/src/service/oauth/oauth.lua
@@ -62,7 +62,7 @@ function _M:authorize()
         return
     end
     -- 4. 生成授权码（随机字符串，确保唯一性）（用户ID、客户端ID、scope、生成时间）
-    local auth_code, err = authcode.create("123456", args.client_id, ngx.var.request_uri, args.scope)
+    local auth_code, err = authcode.create("123456", args.client_id, args.redirect_uri, args.scope)
     if not auth_code then
         ngx.log(ngx.ERR, "生成授权码失败: ", err)
         ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
@@ -72,7 +72,7 @@ function _M:authorize()
     local redirect_url = args.redirect_uri .. "?code=" .. code .. "&state=" .. args.state
     local rest = {}
     rest.redirect_uri = args.redirect_uri
-    rest.code = code
+    rest.code = auth_code
     rest.state = args.state
     local result = resp:json(ngx.HTTP_OK, rest)
     resp:send(result)
@@ -112,7 +112,7 @@ function _M:token()
         return
     end
     -- 3. 校验 code 有效性
-    local code_data, err = authcode.consume(args.code, args.client_id)
+    local code_data, err = authcode.consume(args.code)--, args.client_id)
     if not code_data then
         ngx.log(ngx.ERR, "授权码验证失败: ", err)
         ngx.exit(ngx.HTTP_BAD_REQUEST)
@@ -120,17 +120,17 @@ function _M:token()
     -- 4、验证redirect_url地址的正确性
     local request_uri = code_data.redirect_uri
     print("token request_uri:", request_uri)
-    if request_uri ~= args.redirect_url then
-        --print("token redirect_url:", request_uri, args.redirect_url)
+    if request_uri ~= args.redirect_uri then
+        print("token redirect_url:", request_uri, args.redirect_uri)
         local login_url = "/login?redirect=" .. ngx.escape_uri(request_uri)
         local result = resp:json(ngx.HTTP_MOVED_TEMPORARILY, login_url)
         resp:send(result)
         return
     end
-    -- 6. 生成密钥对
+    -- 5. 生成密钥对
     local pub_key, priv_key, err = rsa.generate_rsa_keys(2048)
     if err then
-        --print("密钥生成失败: ", err)
+        print("密钥生成失败: ", err)
         local result = resp:json(0x00001)
         resp:send(result)
         return
@@ -144,7 +144,7 @@ function _M:token()
     --print("token scope:", scope)
     local access_token_ttl = 10 * 60  --十分钟
     local refresh_token_ttl = 7 * 24 * 3600   --7天
-    -- 7 生成新 Access Token
+    -- 6 生成新 Access Token
     local access_payload = {
         sub = user_id,  -- 用户ID
         client_id = client_id,
@@ -157,7 +157,7 @@ function _M:token()
         payload = access_payload
     })
 
-    -- 8 生成新 Refresh Token（滚动刷新）
+    -- 7 生成新 Refresh Token（滚动刷新）
     local refresh_payload = {
         sub = user_id,
         client_id = client_id,
@@ -170,7 +170,7 @@ function _M:token()
         payload = refresh_payload
     })
 
-    -- 9、生存id_token
+    -- 8、生存id_token
     -- 创建JWT的payload
     local payload = {
         iss = request_uri,
@@ -193,7 +193,7 @@ function _M:token()
         return
     end
     --ngx.say("Generated JWT: ", jwt_obj)
-    -- 10. 返回结果
+    -- 9. 返回结果
     local ret = {}
     ret.access_token = new_access_token
     ret.token_type = "Bearer"
@@ -209,13 +209,13 @@ function _M:userinfo()
     --获取用户认证数据信息
     local auth_header = ngx.var.http_Authorization
 
-    --如果请求头中没有令牌，则直接返回401
+    -- 1.如果请求头中没有令牌，则直接返回401
     if auth_header == nil or auth_header == "" then
         ngx.log(ngx.WARN, "没有找到令牌数据")
         ngx.status = ngx.HTTP_UNAUTHORIZED
         ngx.exit(ngx.HTTP_UNAUTHORIZED)
     end
-    --查找令牌中的Bearer前缀字符
+    -- 2.查找令牌中的Bearer前缀字符
     local data = {}
     data.Authorization = auth_header
     local ok = validator.validateUserinfo(data)
@@ -224,7 +224,7 @@ function _M:userinfo()
         ngx.status = ngx.HTTP_UNAUTHORIZED
         ngx.exit(ngx.HTTP_UNAUTHORIZED)
     end
-    --获取token的数据值
+    -- 3.获取token的数据值
     local token = string.sub(auth_header,8)
     --校验令牌
     local pub_key, priv_key, err = rsa.generate_rsa_keys(2048)
@@ -234,6 +234,7 @@ function _M:userinfo()
         resp:send(result)
         return
     end
+    -- 5.对token进行验证
     print("userinfo pubkey:", pub_key)
     local jwt_obj = jwt:verify(pub_key, token)
     --如果校验结果中的verified==false，则表示令牌无效
@@ -249,7 +250,7 @@ function _M:userinfo()
         ngx.status = ngx.HTTP_UNAUTHORIZED
         ngx.exit(ngx.HTTP_UNAUTHORIZED)
     end
-    --获取token中的信息进行所需用户的信息返回
+    -- 6.获取token中的信息进行所需用户的信息返回
     local ret = {}
     ret.sub = 248289761001
     ret.name = "Jane Doe"
diff --git a/src/util/authcode.lua b/src/util/authcode.lua
index 2da9777..d0eaa70 100644
--- a/src/util/authcode.lua
+++ b/src/util/authcode.lua
@@ -6,18 +6,20 @@
 
 local str = require "resty.string"
 local random = require "resty.random"
+local cjson = require("cjson.safe")
 
 local _M = {}
 
--- 生成随机授权码（20字节）
+-- 生成随机授权码（16字节）
 local function generate_code()
-    local random_bytes = random.bytes(20, true)
+    local random_bytes = random.bytes(16)
     return str.to_hex(random_bytes)
 end
 
 -- 存储授权码（有效期5分钟）
 function _M.create(user_id, client_id, redirect_uri, scope)
     local code = generate_code()
+    print("authorize code:", code)
     local code_key = "auth_code-"..code
     local code_data = cjson.encode({
         user_id = user_id,
@@ -45,9 +47,11 @@ function _M.consume(code, client_id)
     shared_dict:delete(code_key)
 
     local code_data = cjson.decode(data)
+    --[[
     if code_data.client_id ~= client_id then
         return nil, "客户端不匹配"
     end
+    --]]
     if code_data.expires_at < ngx.time() then
         return nil, "授权码已过期"
     end