Go语言实现双Token登录的思路与实现
引言
在现代Web应用中,身份认证是保障系统安全的重要环节。传统的单Token认证方式存在一些安全隐患,如Token泄露可能导致长期风险。双Token机制(Access Token + Refresh Token)提供了更好的安全性和用户体验。本文将介绍如何使用Go语言实现双Token登录系统。
双Token机制概述
双Token机制包含两种令牌:
- Access Token:短期有效的令牌,用于访问受保护资源
- Refresh Token:长期有效的令牌,用于获取新的Access Token
这种机制的优势在于:
- Access Token有效期短,即使泄露影响有限
- Refresh Token不直接用于资源访问,降低了泄露风险
- 无需频繁重新登录,保持用户体验
实现思路
1. 数据结构设计
首先定义Token相关的数据结构:
type TokenDetails struct {AccessToken stringRefreshToken stringAccessUuid stringRefreshUuid stringAtExpires int64RtExpires int64
}type AccessDetails struct {AccessUuid stringUserId uint64
}
2. Token生成与存储
使用JWT(JSON Web Token)生成Token,并存储在Redis中:
func CreateToken(userid uint64) (*TokenDetails, error) {td := &TokenDetails{}td.AtExpires = time.Now().Add(time.Minute * 15).Unix()td.AccessUuid = uuid.New().String()td.RtExpires = time.Now().Add(time.Hour * 24 * 7).Unix()td.RefreshUuid = uuid.New().String()// 创建Access TokenatClaims := jwt.MapClaims{}atClaims["authorized"] = trueatClaims["access_uuid"] = td.AccessUuidatClaims["user_id"] = useridatClaims["exp"] = td.AtExpiresat := jwt.NewWithClaims(jwt.SigningMethodHS256, atClaims)td.AccessToken, _ = at.SignedString([]byte(os.Getenv("ACCESS_SECRET")))// 创建Refresh TokenrtClaims := jwt.MapClaims{}rtClaims["refresh_uuid"] = td.RefreshUuidrtClaims["user_id"] = useridrtClaims["exp"] = td.RtExpiresrt := jwt.NewWithClaims(jwt.SigningMethodHS256, rtClaims)td.RefreshToken, _ = rt.SignedString([]byte(os.Getenv("REFRESH_SECRET")))return td, nil
}func CreateAuth(userid uint64, td *TokenDetails) error {at := time.Unix(td.AtExpires, 0)rt := time.Unix(td.RtExpires, 0)now := time.Now()// 存储Access TokenerrAccess := client.Set(td.AccessUuid, strconv.Itoa(int(userid)), at.Sub(now)).Err()if errAccess != nil {return errAccess}// 存储Refresh TokenerrRefresh := client.Set(td.RefreshUuid, strconv.Itoa(int(userid)), rt.Sub(now)).Err()if errRefresh != nil {return errRefresh}return nil
}
3. 登录接口实现
func Login(c *gin.Context) {var user Userif err := c.ShouldBindJSON(&user); err != nil {c.JSON(http.StatusUnprocessableEntity, "Invalid json provided")return}// 验证用户凭据// ...// 生成Tokentd, err := CreateToken(user.ID)if err != nil {c.JSON(http.StatusUnprocessableEntity, err.Error())return}// 存储TokensaveErr := CreateAuth(user.ID, td)if saveErr != nil {c.JSON(http.StatusUnprocessableEntity, saveErr.Error())return}tokens := map[string]string{"access_token": td.AccessToken,"refresh_token": td.RefreshToken,}c.JSON(http.StatusOK, tokens)
}
4. Token刷新机制
func Refresh(c *gin.Context) {mapToken := map[string]string{}if err := c.ShouldBindJSON(&mapToken); err != nil {c.JSON(http.StatusUnprocessableEntity, err.Error())return}refreshToken := mapToken["refresh_token"]// 验证Refresh Tokentoken, err := jwt.Parse(refreshToken, func(token *jwt.Token) (interface{}, error) {if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])}return []byte(os.Getenv("REFRESH_SECRET")), nil})if err != nil {c.JSON(http.StatusUnauthorized, "Refresh token expired")return}// 检查Token是否有效if _, ok := token.Claims.(jwt.Claims); !ok && !token.Valid {c.JSON(http.StatusUnauthorized, err)return}// 提取claimsclaims, ok := token.Claims.(jwt.MapClaims)if ok && token.Valid {refreshUuid, ok := claims["refresh_uuid"].(string)if !ok {c.JSON(http.StatusUnprocessableEntity, err)return}userId, err := strconv.ParseUint(fmt.Sprintf("%.f", claims["user_id"]), 10, 64)if err != nil {c.JSON(http.StatusUnprocessableEntity, "Error occurred")return}// 删除旧的Refresh Tokendeleted, delErr := DeleteAuth(refreshUuid)if delErr != nil || deleted == 0 {c.JSON(http.StatusUnauthorized, "unauthorized")return}// 创建新的Token对ts, createErr := CreateToken(userId)if createErr != nil {c.JSON(http.StatusForbidden, createErr.Error())return}// 保存新的TokensaveErr := CreateAuth(userId, ts)if saveErr != nil {c.JSON(http.StatusForbidden, saveErr.Error())return}tokens := map[string]string{"access_token": ts.AccessToken,"refresh_token": ts.RefreshToken,}c.JSON(http.StatusCreated, tokens)} else {c.JSON(http.StatusUnauthorized, "refresh expired")}
}
5. 中间件实现Token验证
func TokenAuthMiddleware() gin.HandlerFunc {return func(c *gin.Context) {err := TokenValid(c.Request)if err != nil {c.JSON(http.StatusUnauthorized, err.Error())c.Abort()return}c.Next()}
}func TokenValid(r *http.Request) error {token, err := VerifyToken(r)if err != nil {return err}if _, ok := token.Claims.(jwt.Claims); !ok && !token.Valid {return err}return nil
}func VerifyToken(r *http.Request) (*jwt.Token, error) {tokenString := ExtractToken(r)token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])}return []byte(os.Getenv("ACCESS_SECRET")), nil})if err != nil {return nil, err}return token, nil
}func ExtractToken(r *http.Request) string {bearToken := r.Header.Get("Authorization")strArr := strings.Split(bearToken, " ")if len(strArr) == 2 {return strArr[1]}return ""
}
完整流程
- 用户登录:提供用户名密码,服务端验证后返回Access Token和Refresh Token
- 访问受保护资源:客户端在请求头中携带Access Token
- Access Token过期:服务端返回401错误
- 刷新Token:客户端使用Refresh Token请求新的Token对
- 继续访问:使用新的Access Token访问资源
总结
通过Go语言实现双Token认证机制,我们能够构建更安全的身份认证系统。这种机制在保证安全性的同时,也提供了良好的用户体验。实际应用中,可以根据业务需求调整Token的有效期和实现细节。
希望这篇文章对你理解和使用双Token认证有所帮助!
)
)
)
