feat: 添加JWKS管理功能，支持基于用户token创建新token

2026-02-21 05:06:25 +08:00
parent 366a21d621
commit 77273bcfeb
11 changed files with 105 additions and 24 deletions
--- a/bun.config.mjs
+++ b/bun.config.mjs
@@ -17,6 +17,23 @@ await Bun.build({
  },
  external,
  env: 'KEVISUAL_*',
+  // 启用模块转换和优化
+  minify: false,
+  splitting: false,
+  sourcemap: 'external',
+  // 处理 CommonJS 到 ESM 的转换
+  plugins: [{
+    name: 'transform-requires',
+    setup(build) {
+      // 转换内置模块为 node: 前缀
+      build.onResolve({ filter: /^(path|fs|module|url|util|crypto|stream|buffer|events|http|https|net|os|querystring|zlib|cluster|child_process|worker_threads|perf_hooks|inspector|dgram|dns|tls|readline|repl|process|assert|vm|timers|constants|string_decoder|punycode|v8)$/ }, args => {
+        return {
+          path: `node:${args.path}`,
+          external: true
+        }
+      });
+    }
+  }]
 });

 // const cmd = `dts -i src/index.ts -o app.d.ts`;
--- a/src/app.ts
+++ b/src/app.ts
@@ -7,6 +7,7 @@ import { BailianProvider } from '@kevisual/ai';
 import * as schema from './db/schema.ts';
 import { config } from './modules/config.ts'
 import { db } from './modules/db.ts'
+
 export const router = useContextKey('router', () => new SimpleRouter());
 export const runtime = useContextKey('runtime', () => {
  return {
@@ -41,4 +42,5 @@ export const ai = useContextKey('ai', () => {
  });
 });

-export { schema };
+export { schema };
+
--- a/src/auth/models/jwks-manager.ts
+++ b/src/auth/models/jwks-manager.ts
--- a/src/auth/models/user-secret.ts
+++ b/src/auth/models/user-secret.ts
@@ -1,7 +1,7 @@
 import { useContextKey } from '@kevisual/context';
 import { Redis } from 'ioredis';
 import { User } from './user.ts';
-import { oauth } from '../oauth/auth.ts';
+import { oauth, jwksManager } from '../oauth/auth.ts';
 import { OauthUser } from '../oauth/oauth.ts';
 import { db } from '../../modules/db.ts';
 import { cfUserSecrets, cfUser } from '../../db/drizzle/schema.ts';
@@ -53,6 +53,10 @@ export class UserSecret {
   * @returns
   */
  static async verifyToken(token: string) {
+    if (token?.includes?.('.')) {
+      // 先尝试作为jwt token验证，如果验证成功则直接返回用户信息
+      return await jwksManager.verify(token);
+    }
    if (!oauth.isSecretKey(token)) {
      return await oauth.verifyToken(token);
    }
@@ -62,11 +66,11 @@ export class UserSecret {
    }
    console.log('verifyToken: try to verify as secret key');
    const userSecrets = await db.select().from(userSecretsTable).where(eq(userSecretsTable.token, token)).limit(1);
-    
+
    if (userSecrets.length === 0) {
      return null; // 如果没有找到对应的用户密钥，则返回null
    }
-    
+
    const userSecret = new UserSecret(userSecrets[0]);
    if (userSecret.isExpired()) {
      return null; // 如果用户密钥已过期，则返回null
@@ -97,13 +101,13 @@ export class UserSecret {
   */
  static async findOne(where: { token?: string; id?: string }): Promise<UserSecret | null> {
    let query = db.select().from(userSecretsTable);
-    
+
    if (where.token) {
      query = query.where(eq(userSecretsTable.token, where.token)) as any;
    } else if (where.id) {
      query = query.where(eq(userSecretsTable.id, where.id)) as any;
    }
-    
+
    const secrets = await query.limit(1);
    return secrets.length > 0 ? new UserSecret(secrets[0]) : null;
  }
@@ -119,12 +123,12 @@ export class UserSecret {
      owner: usersTable.owner,
      data: usersTable.data,
    }).from(usersTable).where(eq(usersTable.id, this.userId)).limit(1);
-    
+
    let org: any = null;
    if (users.length === 0) {
      return null; // 如果没有找到对应的用户，则返回null
    }
-    
+
    const user = users[0];
    const expiredTime = this.expiredTime ? new Date(this.expiredTime).getTime() : null;
    const oauthUser: Partial<OauthUser> = {
@@ -142,7 +146,7 @@ export class UserSecret {
        type: usersTable.type,
        owner: usersTable.owner,
      }).from(usersTable).where(eq(usersTable.id, this.orgId)).limit(1);
-      
+
      if (orgUsers.length > 0) {
        org = orgUsers[0];
        oauthUser.id = org.id;
@@ -164,7 +168,7 @@ export class UserSecret {
    const expiredTime = new Date(this.expiredTime);
    return now > expiredTime.getTime(); // 如果当前时间大于过期时间，则认为已过期
  }
-  
+
  /**
   *  检查是否过期，如果过期则更新状态为expired
   *  
@@ -225,7 +229,7 @@ export class UserSecret {
    await this.save();
    return token;
  }
-  
+
  static async createToken() {
    let token = oauth.generateSecretKey();
    // 确保生成的token是唯一的
@@ -234,7 +238,7 @@ export class UserSecret {
    }
    return token;
  }
-  
+
  /**
   *  根据 unionid 生成redis的key
   * `wxmp:unionid:token:${unionid}`
@@ -244,13 +248,13 @@ export class UserSecret {
  static wxRedisKey(unionid: string) {
    return `wxmp:unionid:token:${unionid}`;
  }
-  
+
  static getExpiredTime(expireDays?: number) {
    const defaultExpireDays = expireDays || 365;
    const expireTime = defaultExpireDays * 24 * 60 * 60 * 1000;
    return new Date(Date.now() + expireTime);
  }
-  
+
  static async createSecret(tokenUser: { id: string; uid?: string, title?: string }, expireDays = 365) {
    const token = await UserSecret.createToken();
    let userId = tokenUser.id;
@@ -259,18 +263,18 @@ export class UserSecret {
      userId = tokenUser.uid;
      orgId = tokenUser.id;
    }
-    
+
    const insertData: Partial<typeof userSecretsTable.$inferInsert> = {
      userId,
      token,
      title: tokenUser.title || randomString(6),
      expiredTime: UserSecret.getExpiredTime(expireDays).toISOString(),
    };
-    
+
    if (orgId !== null && orgId !== undefined) {
      insertData.orgId = orgId;
    }
-    
+
    const inserted = await db.insert(userSecretsTable).values(insertData).returning();

    return new UserSecret(inserted[0]);
--- a/src/auth/models/user.ts
+++ b/src/auth/models/user.ts
@@ -2,7 +2,7 @@ import { nanoid, customAlphabet } from 'nanoid';
 import { CustomError } from '@kevisual/router';
 import { useContextKey } from '@kevisual/context';
 import { Redis } from 'ioredis';
-import { oauth } from '../oauth/auth.ts';
+import { oauth, jwksManager } from '../oauth/auth.ts';
 import { cryptPwd } from '../oauth/salt.ts';
 import { OauthUser } from '../oauth/oauth.ts';
 import { db } from '../../modules/db.ts';
@@ -36,6 +36,9 @@ const userSecretsTable = cfUserSecrets;

 export const redis = useContextKey<Redis>('redis');

+type TokenOptions = {
+  expire?: number; // 过期时间，单位秒
+}
 /**
 * 用户模型,使用 Drizzle ORM
 */
@@ -69,7 +72,7 @@ export class User {
   * @param uid
   * @returns
   */
-  async createToken(uid?: string, loginType?: 'default' | 'plugin' | 'month' | 'season' | 'year' | 'week', expand: any = {}) {
+  async createToken(uid?: string, loginType?: 'default' | 'plugin' | 'month' | 'season' | 'year' | 'week' | 'jwks', opts: TokenOptions = {}) {
    const { id, username, type } = this;
    const oauthUser: OauthUser = {
      id,
@@ -81,7 +84,21 @@ export class User {
    if (uid) {
      oauthUser.orgId = id;
    }
-    const token = await oauth.generateToken(oauthUser, { type: loginType, hasRefreshToken: true, ...expand });
+    if (loginType === 'jwks') {
+      const accessToken = await jwksManager.sign({
+        sub: 'user:' + this.id,
+        name: this.username,
+      });
+      const expiresIn = opts?.expire ?? 2 * 3600; // 2 hours
+      return {
+        accessToken: accessToken,
+        refreshToken: null,
+        token: accessToken,
+        refreshTokenExpiresIn: null,
+        accessTokenExpiresIn: expiresIn
+      };
+    }
+    const token = await oauth.generateToken(oauthUser, { type: loginType, hasRefreshToken: true, ...opts });
    return {
      accessToken: token.accessToken,
      refreshToken: token.refreshToken,
--- a/src/auth/oauth/auth.ts
+++ b/src/auth/oauth/auth.ts
@@ -1,6 +1,7 @@
 import { OAuth, RedisTokenStore } from './oauth.ts';
 import { useContextKey } from '@kevisual/context';
 import { Redis } from 'ioredis';
+import { manager } from '../models/jwks-manager.ts';

 export const oauth = useContextKey('oauth', () => {
  const redis = useContextKey<Redis>('redis');
@@ -16,3 +17,7 @@ export const oauth = useContextKey('oauth', () => {
  const oauth = new OAuth(store);
  return oauth;
 });
+
+export const jwksManager = useContextKey('jwksManager', () => manager);
+
+await manager.init()
--- a/src/auth/oauth/index.ts
+++ b/src/auth/oauth/index.ts
@@ -1,2 +1,3 @@
 export * from './oauth.ts';
-export * from './salt.ts';
+export * from './salt.ts';
+export * from './auth.ts';
--- a/src/routes-simple/routes/jwks.ts
+++ b/src/routes-simple/routes/jwks.ts
@@ -1,5 +1,5 @@
 import { router } from '@/app.ts'
-import { manager } from '@/modules/jwks/index.ts'
+import { manager } from '@/auth/models/jwks-manager.ts'
 router.all('/api/convex/jwks.json', async (req, res) => {
  const jwks = await manager.getJWKS()
  res.setHeader('Content-Type', 'application/json');
--- a/src/routes/user/index.ts
+++ b/src/routes/user/index.ts
@@ -17,4 +17,6 @@ import './secret-key/list.ts';

 import './wx-login.ts'

-import './cnb-login.ts';
+import './cnb-login.ts';
+
+import './jwks.ts';
--- a/src/routes/user/jwks.ts
+++ b/src/routes/user/jwks.ts
@@ -0,0 +1,33 @@
+import { app } from '@/app.ts'
+import { UserModel } from '@/auth/index.ts';
+import z from 'zod';
+
+app.route({
+  path: 'user',
+  key: 'token-create',
+  description: '根据用户token创建一个新的token，主要用于临时访问',
+  middleware: ['auth'],
+  metadata: {
+    args: {
+      loginType: z.enum(['jwks']).optional(),
+    }
+  }
+}).define(async (ctx) => {
+  const user = await UserModel.getUserByToken(ctx.query.token);
+  const loginType = ctx.query?.loginType ?? 'jwks';
+  if (!user) {
+    ctx.throw(404, 'user not found');
+  }
+  if (loginType !== 'jwks') {
+    ctx.throw(400, 'unsupported login type');
+  }
+  let expire = ctx.query.expire ?? 24 * 3600;
+  // 大于24小时的过期时间需要管理员权限
+  if (expire > 24 * 3600) {
+    expire = 2 * 3600;
+  }
+  const value = await user.createToken(null, loginType, {
+    expire: expire, // 24小时过期
+  })
+  ctx.body = value
+}).addTo(app)
--- a/src/test/jwks.ts
+++ b/src/test/jwks.ts
@@ -1,4 +1,4 @@
-import { manager } from '@/modules/jwks/index.ts'
+import { manager } from '@/auth/models/jwks-manager.ts'

 await manager.init()