增加登陆页面html文件，增加oidc登陆接口，通过请求接口获取登陆界面，oidc接口输入参数并重定向到前端返回的uri地址

2025-11-25 23:37:36 +08:00 · 2025-11-25 23:37:36 +08:00 · e485444975
commit e485444975
parent 7ca348a98f
6 changed files with 196 additions and 21 deletions
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -53,9 +53,21 @@ http {
        set $APP_PATH '/home/frankly/work/AuthPlatform';

        # 全局 CORS 配置 访问时允许跨域处理
-        add_header Access-Control-Allow-Origin *;
-        add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS';
-        add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
+        # 允许所有域跨域访问（不推荐，出于安全考虑应指定具体域名）
+        add_header 'Access-Control-Allow-Origin' '*';
+        # 允许特定域跨域访问（推荐）
+        #add_header 'Access-Control-Allow-Origin' 'https://xxx.com';
+        # 允许的HTTP方法
+        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
+        # 允许的自定义请求头
+        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,Authorization,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Laction';
+        # 允许的暴露请求头
+        add_header 'Access-Control-Expose-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,Authorization,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range,Location';
+        # 允许携带Cookie
+        add_header 'Access-Control-Allow-Credentials' 'true';
+        # 预检请求的有效期（可选）
+        add_header 'Access-Control-Max-Age' 1728000;
+        # 如果请求方法是OPTIONS，则直接返回204状态码，不执行后续操作
        if ($request_method = 'OPTIONS') {
            return 204;
        }
--- a/oauth.html
+++ b/oauth.html
--- a/src/api/oauth/oauth.lua
+++ b/src/api/oauth/oauth.lua
@ -13,6 +13,12 @@ local routes = {
    --------------------------------------------
    ------------ OIDC OAuth2.0认证相关路由配置 ---
    --------------------------------------------
+    --登陆界面
+    {
+        paths = { "/yum/v1/oauth/v2/login" },
+        methods = { "GET" },
+        handler = oauthService.login,
+    },
    --获取授权码
    {
        paths = { "/yum/v1/oauth/v2/authorize" },
--- a/src/service/oauth/oauth.lua
+++ b/src/service/oauth/oauth.lua
@ -26,18 +26,41 @@ local function getUriArgs()
        ngx.req.read_body()
        -- 获取请求数据
        local body_data = ngx.req.get_body_data()
-        -- 验证json数据是否正确
-        local ok, data = pcall(cjson.decode, body_data)
-        if not ok then
-            return ngx.exit(ngx.HTTP_BAD_REQUEST)
+        print("body_data:", body_data)
+        local content_type = ngx.req.get_headers()["Content-Type"]
+        if content_type == "application/x-www-form-urlencoded" then
+            body_data, err = ngx.req.get_post_args()
+            if not body_data then
+                ngx.status = 500
+                ngx.say("获取表单数据失败: ", err)
+                ngx.exit(ngx.HTTP_BAD_REQUEST)
+            end
+            args = body_data
+        else
+            -- 验证json数据是否正确
+            local ok, data = pcall(cjson.decode, body_data)
+            if not ok then
+                print("json err:", ok)
+                return ngx.exit(ngx.HTTP_BAD_REQUEST)
+            end
+            args = data
        end
-        args = data
    elseif ngx.req.get_method() == "GET" then
        args = ngx.req.get_uri_args()
    end
    return args
 end

+function _M:login()
+    --读取oauth login界面文件
+    local current_dir = ngx.var.APP_PATH
+    local html = current_dir.."/oauth.html"
+    local file = io.open(html, "r")
+    local content = file:read("*a")
+    file:close()
+    ngx.say(content)
+end
+
 --获取授权码
 function _M:authorize()
    local args = getUriArgs()
@ -72,10 +95,7 @@ function _M:authorize()
    local user, err = client.validate(client_id, redirect_uri)
    if user == nil then
        -- 重定向到登录页，携带当前授权请求参数（登录后跳转回来）
-        --local login_url = "/login?redirect=" .. ngx.escape_uri(ngx.var.request_uri)
-        --print("authorize login_url:", login_url)
-        --ngx.redirect(login_url)
-        resp:response(status.USER_NOT_LOGIN)
+        self:login()
        return
    end
    -- 4. 生成授权码（随机字符串，确保唯一性）（用户ID、客户端ID、scope、生成时间）
@ -128,12 +148,22 @@ local function authorizatePassword(args)
    end
    -- 5.存储用户信息，证明用户已经登陆
    client.create(userid, client_id, uri_callback)
-    -- 6.返回结果
-    local rest = {}
-    rest.redirect_uri = redirect_uri
-    rest.code = auth_code
-    resp:response(status.MOVED_TEMPORARILY, rest)
-    --resp:response(status.MOVED_TEMPORARILY, rest)
+    -- 6.Callback 端点用表单 POST 重定向（避免 URL 参数过长）
+    ngx.status = 302  -- 302 保留请求方法
+    ngx.header["Location"] = redirect_uri.."?code="..auth_code
+    ngx.exit(ngx.HTTP_OK)
+
+    -- 目标地址：绝对 URL（替换为你的实际地址）
+    --local target_url = redirect_uri.."?code="..auth_code --("特殊字符/中文")
+    --ngx.redirect(target_url, 302)
+    -- 设置 302 跳转
+    --ngx.status = 302
+    --ngx.header["Location"] = target_url
+    ---- 禁用缓存，避免浏览器缓存跳转
+    --ngx.header["Cache-Control"] = "no-store, no-cache, must-revalidate"
+    --ngx.header["Pragma"] = "no-cache"
+    ---- 终止请求，确保响应不被覆盖
+    --ngx.exit(ngx.HTTP_OK)
 end

 -- 通过code形式进行认证
@ -196,7 +226,18 @@ local function authorizateCode(args)
    end
    -- 7.返回结果
    ret.redirect_uri = redirect_uri
+    -- 4.返回结果
    resp:response(status.SUCCESS, ret)
+    do return end
+
+    --ngx.header["Location"] = redirect_uri;
+    --ngx.status = ngx.HTTP_MOVED_TEMPORARILY;  -- 设置状态码为302
+    --ngx.say("response body for 302 redirect.");  -- 发送自定义消息体
+    ----resp:response(status.MOVED_TEMPORARILY, ret)
+    --ngx.exec(redirect_uri, { ret = ret })
+    ngx.status = 302  -- 302 保留请求方法
+    ngx.header["Location"] = redirect_uri
+    ngx.exit(ngx.HTTP_OK)
 end

 -- 刷新令牌
@ -242,7 +283,10 @@ function _M:token()
        ngx.exit(ngx.HTTP_BAD_REQUEST)
    end
    local grant_type = args.grant_type
-    --print("grant_type类型: ", grant_type)
+    local client_id = args.client_id
+    local client_secret = args.client_secret
+    local redirect_uri = args.redirect_uri
+    print("grant_type类型: ", grant_type, " client_id:", client_id, " client_secret:", client_secret, " redirect_uri:", redirect_uri)
    if grant_type == "password" then
        authorizatePassword(args)
    elseif grant_type == "authorization_code" then
--- a/src/util/status.lua
+++ b/src/util/status.lua
@ -22,7 +22,7 @@ local _M = {
    -- 成功状态码
    SUCCESS = { code = 200, message = "操作成功" },

-    MOVED_TEMPORARILY = { code = 304, message = "跳转URI" },
+    MOVED_TEMPORARILY = { code = 302, message = "跳转URI" },
    --[[
    HTTP_SPECIAL_RESPONSE(300, "操作成功"),
    HTTP_MOVED_PERMANENTLY(301, "操作成功"),
--- a/src/validator/oauth/oauth.lua
+++ b/src/validator/oauth/oauth.lua
@ -55,8 +55,9 @@ local schemaUserPasswd = {
        client_secret = { type = "string" },
        username = { type = "string" },
        password = { type = "string" },
+        redirect_uri = { type = "string" },
    },
-    required = { "grant_type", "client_id", "client_secret", "username", "password" }
+    required = { "grant_type", "client_id", "client_secret", "username", "password", "redirect_uri" }
 }

 --通过用户名和密码进行认证