嘗試從零開始構建我的商城 (二) :使用JWT保護我們的資訊保安,完善Swagger配置
阿新 • • 發佈:2020-11-06
## 前言
### GitHub地址
> https://github.com/yingpanwang/MyShop/tree/dev_jwt
> 此文對應分支 dev_jwt
### 此文目的
上一篇文章中,我們使用Abp vNext構建了一個可以執行的簡單的API,但是整個站點沒有一個途徑去對我們的API訪問有限制,導致API完全是裸露在外的,如果要執行正常的商業API是完全不可行的,所以接下來我們會通過使用JWT(Json Web Toekn)的方式實現對API的訪問資料限制。
#### JWT簡介
###### 什麼是JWT
現在API一般是分散式且要求是無狀態的,所以傳統的Session無法使用,JWT其實類似於早期API基於Cookie自定義使用者認證的形式,只是JWT的設計更為緊湊和易於擴充套件開放,使用方式更加便利基於JWT的鑑權機制類似於http協議也是無狀態的,它不需要在服務端去保留使用者的認證資訊或者會話資訊。
###### JWT的組成
JWT (以下簡稱Token)的組成分為三部分 header,playload,signature 完整的Token長這樣
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1lIjoid2FuZ3lpbmdwYW4iLCJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWRlbnRpZmllciI6IjIiLCJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9tb2JpbGVwaG9uZSI6IjEyMiIsImV4cCI6MTYwNDI4MzczMSwiaXNzIjoiTXlTaG9wSXNzdWVyIiwiYXVkIjoiTXlTaG9wQXVkaWVuY2UifQ.U-2bEniEz82ECibBzk6C5tuj2JAdqISpbs5VrpA8W9s
**header**
包含型別及演算法資訊
``` JSON
{
"alg": "HS256",
"typ": "JWT"
}
```
通過base64加密後得到了
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
**playload**
包含標準的公開的生命和私有的宣告,不建議定義敏感資訊,因為該資訊是可以被解密的
部分公開的宣告
* iss: jwt簽發者
* aud: 接收jwt的一方
* exp: jwt的過期時間,這個過期時間必須要大於簽發時間
私有的宣告
* http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name : 名稱
* http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier: 標識
* http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone: 電話
``` JSON
{
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "wangyingpan",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "2",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone": "122",
"exp": 1604283731,
"iss": "MyShopIssuer",
"aud": "MyShopAudience"
}
```
通過base64加密後得到了
eyJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1lIjoid2FuZ3lpbmdwYW4iLCJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1laWRlbnRpZmllciI6IjIiLCJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9tb2JpbGVwaG9uZSI6IjEyMiIsImV4cCI6MTYwNDI4MzczMSwiaXNzIjoiTXlTaG9wSXNzdWVyIiwiYXVkIjoiTXlTaG9wQXVkaWVuY2UifQ
**signature**
signature 由 三部分資訊組成,分別為base64加密後的**header**,**playload**用"."連線起來,通過宣告的演算法加密使用 服務端**secret** 作為鹽(**salt**)
三部分通過“.”連線起三部分組成了最終的Token
## 程式碼實踐
### 新增使用者服務
##### 1.Domain中定義使用者實體User
``` csharp
public class User:BaseGuidEntity
{
[Required]
public string Account { get; set; }
///
/// 名稱
///
public string NickName { get; set; }
///
/// 真實名稱
///
public string RealName { get; set; }
///
/// 年齡
///
public int Age { get; set; }
///
/// 手機號
///
public string Tel { get; set; }
///
/// 住址
///
public string Address { get; set; }
///
/// 密碼
///
public string Password { get; set; }
///
/// 使用者狀態
///
public UserStatusEnum UserStatus { get; set; }
}
public enum UserStatusEnum
{
Registered,//已註冊
Incompleted, // 未完善資訊
Completed,//完善資訊
Locked, // 鎖定
Deleted // 刪除
}
```
##### 2.EntityFrameworkCore 中新增Table
**UserCreatingExtension.cs**
``` csharp
public static class UserCreatingExtension
{
public static void ConfigureUserStore(this ModelBuilder builder)
{
Check.NotNull(builder, nameof(builder));
builder.Entity(option =>
{
option.ToTable("User");
option.ConfigureByConvention();
});
}
}
```
**MyShopDbContext.cs**
``` csharp
[ConnectionStringName("Default")]
public class MyShopDbContext:AbpDbContext
{
public MyShopDbContext(DbContextOptions options) : base(options)
{
}
protected override void OnModelCreating(ModelBuilder builder)
{
builder.ConfigureProductStore();
builder.ConfigureOrderStore();
builder.ConfigureOrderItemStore();
builder.ConfigureCategoryStore();
builder.ConfigureBasketAndItemsStore();
// 配置使用者表
builder.ConfigureUserStore();
}
public DbSet Products { get; set; }
public DbSet Orders { get; set; }
public DbSet OrderItems { get; set; }
public DbSet Categories { get; set; }
public DbSet Basket { get; set; }
public DbSet BasketItems { get; set; }
//新增使用者表
public DbSet Users { get; set; }
}
```
##### 3.遷移生成User表
首先新增使用者表定義
``` csharp
[ConnectionStringName("Default")]
public class DbMigrationsContext : AbpDbContext
{
public DbMigrationsContext(DbContextOptions options) : base(options)
{
}
protected override void OnModelCreating(ModelBuilder builder)
{
base.OnModelCreating(builder);
builder.ConfigureProductStore();
builder.ConfigureOrderStore();
builder.ConfigureOrderItemStore();
builder.ConfigureCategoryStore();
builder.ConfigureBasketAndItemsStore();
// 使用者配置
builder.ConfigureUserStore();
}
}
```
然後開啟程式包管理控制檯切換為遷移專案**MyShop.EntityFrameworkCore.DbMigration**並輸入
* >Add-Migration "AddUser"
* >Update-Database
此時User表就已經生成並對應Migration檔案
##### 4.Application中構建UserApplication
###### Api中新增配置AppSetting.json
``` csharp
"Jwt": {
"SecurityKey": "1111111111111111111111111111111",
"Issuer": "MyShopIssuer",
"Audience": "MyShopAudience",
"Expires": 30 // 過期分鐘
}
```
###### IUserApplicationService
``` csharp
namespace MyShop.Application.Contract.User
{
public interface IUserApplicationService
{
Task> Register(UserRegisterDto registerInfo, CancellationToken cancellationToken);
Task> Login(UserLoginDto loginInfo);
}
}
```
###### AutoMapper Profiles中新增對映
``` csharp
namespace MyShop.Application.AutoMapper.Profiles
{
public class MyShopApplicationProfile:Profile
{
public MyShopApplicationProfile()
{
CreateMap().ReverseMap();
CreateMap().ReverseMap();
CreateMap().ReverseMap();
CreateMap().ReverseMap();
CreateMap().ReverseMap();
// 使用者註冊資訊對映
CreateMap()
.ForMember(src=>src.UserStatus ,opt=>opt.MapFrom(src=> UserStatusEnum.Registered))
.ForMember(src=>src.Password , opt=>opt.MapFrom(src=> EncryptHelper.MD5Encrypt(src.Password,string.Empty)));
}
}
}
```
###### UserApplicationService
``` csharp
namespace MyShop.Application
{
///
/// 使用者服務
///
public class UserApplicationService : ApplicationService, IUserApplicationService
{
private readonly IConfiguration _configuration;
private readonly IRepository _userRepository;
///
/// 構造
///
/// 使用者倉儲
/// 配置資訊
public UserApplicationService(IRepository userRepository, IConfiguration configuration)
{
_userRepository = userRepository;
_configuration = configuration;
}
///
/// 登入
///
/// 登入資訊
///
public async Task> Login(UserLoginDto loginInfo)
{
if (string.IsNullOrEmpty(loginInfo.Account) || string.IsNullOrEmpty(loginInfo.Password))
return BaseResult.Failed("使用者名稱密碼不能為空!");
var user = await Task.FromResult(_userRepository.FirstOrDefault(p => p.Account == loginInfo.Account));
if (user == null)
{
return BaseResult.Failed("使用者名稱密碼錯誤!");
}
string md5Pwd = EncryptHelper.MD5Encrypt(loginInfo.Password);
if (user.Password != md5Pwd)
{
return BaseResult.Failed("使用者名稱密碼錯誤!");
}
var claims = GetClaims(user);
var token = GenerateToken(claims);
return BaseResult.Success(token);
}
///
/// 註冊
///
/// 註冊資訊
/// 取消令牌
///
public async Task> Register(UserRegisterDto registerInfo,CancellationToken cancellationToken)
{
var user = ObjectMapper.Map(registerInfo);
var registeredUser = await _userRepository.InsertAsync(user, true, cancellationToken);
var claims = GetClaims(user);
var token = GenerateToken(claims);
return BaseResult.Success(token);
}
#region Token生成
private IEnumerable GetClaims(User user)
{
var claims = new[]
{
new Claim(AbpClaimTypes.UserName,user.NickName),
new Claim(AbpClaimTypes.UserId,user.Id.ToString()),
new Claim(AbpClaimTypes.PhoneNumber,user.Tel),
new Claim(AbpClaimTypes.SurName, user.UserStatus == UserStatusEnum.Completed ?user.RealName:string.Empty)
};
return claims;
}
///
/// 生成token
///
/// 宣告
///
private TokenInfo GenerateToken(IEnumerable claims)
{
// 金鑰
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["Jwt:SecurityKey"]));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
// 過期時間
int expires = string.IsNullOrEmpty(_configuration["Expires"]) ? 30 : Convert.ToInt32(_configuration["Expires"]);
//生成token
var token = new JwtSecurityToken(
issuer: _configuration["Jwt:Issuer"],
audience: _configuration["Jwt:Audience"],
claims: claims,
expires: DateTime.Now.AddMinutes(expires),
signingCredentials: creds);
return new TokenInfo()
{
Expire = expires,
Token = new JwtSecurityTokenHandler().WriteToken(token)
};
}
#endregion
}
}
```
### 啟用認證並新增相關Swagger配置
在需要啟動認證的站點模組中新增以下程式碼(MyShopApiModule)
###### MyShopApiModule.cs
``` csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.PlatformAbstractions;
using Microsoft.IdentityModel.Tokens;
using Microsoft.OpenApi.Models;
using MyShop.Admin.Application;
using MyShop.Admin.Application.Services;
using MyShop.Api.Middleware;
using MyShop.Application;
using MyShop.Application.Contract.Order;
using MyShop.Application.Contract.Product;
using MyShop.EntityFrameworkCore;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using Volo.Abp;
using Volo.Abp.AspNetCore;
using Volo.Abp.AspNetCore.Mvc;
using Volo.Abp.AspNetCore.Mvc.Conventions;
using Volo.Abp.AspNetCore.Mvc.ExceptionHandling;
using Volo.Abp.Autofac;
using Volo.Abp.Modularity;
namespace MyShop.Api
{
// 注意是依賴於AspNetCoreMvc 而不是 AspNetCore
[DependsOn(typeof(AbpAspNetCoreMvcModule),typeof(AbpAutofacModule))]
[DependsOn(typeof(MyShopApplicationModule),typeof(MyShopEntityFrameworkCoreModule),typeof(MyShopAdminApplicationModule))]
public class MyShopApiModule :AbpModule
{
public override void ConfigureServices(ServiceConfigurationContext context)
{
var service = context.Services;
// 配置jwt
ConfigureJwt(service);
// 配置跨域
ConfigureCors(service);
// 配置swagger
ConfigureSwagger(service);
service.Configure((AbpAspNetCoreMvcOptions options) =>
{
options.ConventionalControllers.Create(typeof(Application.ProductApplicationService).Assembly);
options.ConventionalControllers.Create(typeof(Application.OrderApplicationService).Assembly);
options.ConventionalControllers.Create(typeof(Application.UserApplicationService).Assembly);
options.ConventionalControllers.Create(typeof(Application.BasketApplicationService).Assembly);
options.ConventionalControllers.Create(typeof(Admin.Application.Services.ProductApplicationService).Assembly, options =>
{
options.RootPath = "admin";
});
});
}
public override void OnApplicationInitialization(ApplicationInitializationContext context)
{
var env = context.GetEnvironment();
var app = context.GetApplicationBuilder();
if (env.IsDevelopment())
{
app.UseDeveloperExceptionPage();
}
// 跨域
app.UseCors("AllowAll");
// swagger
app.UseSwagger();
app.UseSwaggerUI(options =>
{
options.SwaggerEndpoint("/swagger/v1/swagger.json", "MyShopApi");
});
app.UseRouting();
//新增jwt驗證 注意:必須先新增認證再新增授權中介軟體,且必須新增在UseRouting 和UseEndpoints之間
app.UseAuthentication();
app.UseAuthorization();
app.UseConfiguredEndpoints();
}
#region ServicesConfigure
private void ConfigureJwt(IServiceCollection services)
{
var configuration = services.GetConfiguration();
services
.AddAuthentication(options=>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options=>
{
options.RequireHttpsMetadata = false;// 開發環境為false
options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
{
ValidateIssuer = true,//是否驗證Issuer
ValidateAudience = true,//是否驗證Audience
ValidateLifetime = true,//是否驗證失效時間
ClockSkew = TimeSpan.FromSeconds(30), // 偏移時間,所以實際過期時間 = 給定過期時間+偏移時間
ValidateIssuerSigningKey = true,//是否驗證SecurityKey
ValidAudience = configuration["Jwt:Audience"],//Audience
ValidIssuer = configuration["Jwt:Issuer"],//Issuer,這兩項和前面簽發jwt的設定一致
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["Jwt:SecurityKey"]))//拿到SecurityKey
};
// 事件
options.Events = new JwtBearerEvents()
{
OnAuthenticationFailed = context =>
{
return Task.CompletedTask;
},
OnChallenge = context =>
{
// 驗證失敗
BaseResult