update token handling logic #83
Conversation
|
For related comments, please see: #44 (comment) |
|
Hi, @downdawn Now it is ready for review. |
|
Hi, @wu-clan |
The token processing logic there is controlled by the front end and should not be implemented in the back end, which is only responsible for the interface |
|
Or did I miss your point? |
The refresh token is not controlled by the front end, so it is not safe. unless there is a special need |
|
As discussed here, the first login returns the token and the refresh token, and the subsequent front-end can generate a new token based on the refresh token. We only need to provide an interface for generating a new token. |
|
Yes, but it already exists in this PR. |
|
Ok, we can merge this pr first, and make adjustments later |
backend/app/api/v1/auth/auth.py
Outdated
| token = get_token(request) | ||
| user_id, _ = jwt_decode(token) | ||
| refresh_token, refresh_expire = await UserService.refresh_token(user_id=user_id, custom_time=custom_time) | ||
| @router.get('/refresh_token', summary='获取刷新 token', dependencies=[DependsUser]) |
There was a problem hiding this comment.
What is the purpose of providing an interface for refreshing token creation and acquisition?
Isn't the refresh token only created and returned when logging in?
backend/app/common/jwt.py
Outdated
| return token, expire | ||
| refresh_token = jwt.encode(to_encode, settings.TOKEN_SECRET_KEY, settings.TOKEN_ALGORITHM) | ||
| prefix = f'{settings.TOKEN_REFRESH_REDIS_PREFIX}:{sub}:' | ||
| await redis_client.delete_prefix(prefix) |
There was a problem hiding this comment.
Why delete all refresh tokens of this user?
backend/app/services/user_service.py
Outdated
| if not current_user.is_superuser: | ||
| if not pk == current_user.id: | ||
| raise errors.AuthorizationError | ||
| if await UserDao.get(db, pk): |
There was a problem hiding this comment.
if not await UserDao.get(db, pk):
raise errors.NotFoundError(msg='用户不存在')
There was a problem hiding this comment.
There is already get_multi_login inside, it seems a bit confusing here?
| @@ -218,4 +161,10 @@ async def delete(*, username: str, current_user: User) -> int: | |||
| if not input_user: | |||
| raise errors.NotFoundError(msg='用户不存在') | |||
| count = await UserDao.delete(db, input_user.id) | |||
| prefix = [ | |||
There was a problem hiding this comment.
Log out here to delete all tokens of the user. If it is a multi-point login, is it also logged out in other places?
|
Now it's ready |
WIP.