team/tianyuan-api-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ab842d8694
tianyuan-api-server/apps/api/internal/middleware/apiauthinterceptormiddleware.go

113 lines
3.6 KiB
Go
Raw Normal View History

first commit
2024-10-02 00:57:17 +08:00
package middleware
import (
"context"
"errors"
"fmt"
"github.com/zeromicro/go-zero/core/logx"
"github.com/zeromicro/go-zero/core/stores/redis"
xhttp "github.com/zeromicro/x/http"
"tianyuan-api/apps/sentinel/client/secret"
"tianyuan-api/apps/sentinel/client/userproduct"
"tianyuan-api/apps/sentinel/client/whitelist"
"tianyuan-api/apps/sentinel/sentinel"
"net"
"net/http"
"strings"
)
type ApiAuthInterceptorMiddleware struct {
WhitelistRpc sentinel.WhitelistClient
SecretRpc sentinel.SecretClient
UserProductRpc sentinel.UserProductClient
Rds *redis.Redis
}
func NewApiAuthInterceptorMiddleware(
whitelistRpc sentinel.WhitelistClient,
secretRpc sentinel.SecretClient,
userProductRpc sentinel.UserProductClient,
rds *redis.Redis) *ApiAuthInterceptorMiddleware {
return &ApiAuthInterceptorMiddleware{
WhitelistRpc: whitelistRpc,
SecretRpc: secretRpc,
UserProductRpc: userProductRpc,
Rds: rds,
}
}
func (m *ApiAuthInterceptorMiddleware) Handle(next http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
// 1. 查找IP白名单
clientIP := r.Header.Get("X-Forwarded-For")
if clientIP == "" {
clientIP = r.Header.Get("X-Real-IP")
}
if clientIP == "" {
clientIP, _, _ = net.SplitHostPort(r.RemoteAddr)
}
logx.Infof("当前请求IP%s", clientIP)
redisKey := "whitelist_ips"
isMember, err := m.Rds.SismemberCtx(r.Context(), redisKey, clientIP)
if err == nil && isMember {
// 如果缓存中存在该IP继续执行后续鉴权操作
// 此处不调用 next(w, r),而是继续后续鉴权逻辑
// 后续鉴权逻辑将继续执行
} else {
isAllowedResp, err := m.WhitelistRpc.MatchWhitelistByIp(r.Context(), &whitelist.MatchWhitelistByIpRequest{Ip: clientIP})
if err != nil {
xhttp.JsonBaseResponseCtx(r.Context(), w, errors.New("系统错误,请联系管理员"))
return
}
if !isAllowedResp.Match {
logx.Debugf("未经授权的IP%s", clientIP)
xhttp.JsonBaseResponseCtx(r.Context(), w, errors.New("未经授权的IP"))
return
}
}
// 2、查找相关accessId
accessId := r.Header.Get("Access-Id")
if accessId == "" {
xhttp.JsonBaseResponseCtx(r.Context(), w, errors.New("缺少Access-Id"))
return
}
secrets, err := m.SecretRpc.GetSecretBySecretId(r.Context(), &secret.GetSecretBySecretIdRequest{SecretId: accessId})
if err != nil {
xhttp.JsonBaseResponseCtx(r.Context(), w, errors.New("系统错误"))
return
}
if secrets.Id == 0 {
xhttp.JsonBaseResponseCtx(r.Context(), w, errors.New("未经授权的AccessId"))
return
}
// 3、是否有开通该产品
userId := secrets.UserId
pathParts := strings.Split(r.URL.Path, "/")
productCode := pathParts[len(pathParts)-1]
userProductRedisKey := fmt.Sprintf("user_products:%d", userId)
isMemberUserProduct, err := m.Rds.SismemberCtx(r.Context(), userProductRedisKey, productCode)
if err == nil && isMemberUserProduct {
} else {
isUserProductAllowedResp, err := m.UserProductRpc.MatchingUserIdProductCode(r.Context(), &userproduct.MatchingUserIdProductCodeRequest{Id: userId, ProductCode: productCode})
if err != nil {
xhttp.JsonBaseResponseCtx(r.Context(), w, errors.New("系统错误,请联系管理员"))
return
}
if !isUserProductAllowedResp.Match {
xhttp.JsonBaseResponseCtx(r.Context(), w, errors.New("未开通此产品"))
return
}
}
// 将 userId 存入 context供后续逻辑使用
ctx := context.WithValue(r.Context(), "userId", userId)
ctx = context.WithValue(r.Context(), "secretKey", secrets.AesKey)
next(w, r.WithContext(ctx))
}
}
Reference in New Issue Copy Permalink