Added new components security-bundle and security-http (#58)

* Added new components security-bundle and security-http

.github/workflows/close-pull-request.yml

@@ -0,0 +1,13 @@
+name: Close Pull Request
+
+on:
+  pull_request_target:
+    types: [ opened ]
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: superbrothers/close-pull-request@v3
+        with:
+          comment: "Hi, this is a READ-ONLY repository, please submit your PR on the https://github.com/mineadmin/components repository.<br><br> This Pull Request will close automatically.<br><br> Thanks! "

.github/workflows/release.yml

@@ -0,0 +1,24 @@
+on:
+  push:
+    tags:
+      - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
+
+name: Release
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Create Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref }}
+          release_name: Release ${{ github.ref }}
+          draft: false
+          prerelease: false

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 MineAdmin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,3 @@
+# MineAdmin security http component
+
+内置了一套基础的 jwt 认证机制，可以用于简单的 api 接口的认证。

composer.json

@@ -0,0 +1,39 @@
+{
+  "name": "mineadmin/security-http",
+  "description": "MineAdmin Security http component",
+  "type": "library",
+  "license": "MIT",
+  "authors": [
+    {
+      "name": "xmo",
+      "email": "[email protected]",
+      "role": "Developer"
+    },
+    {
+      "name": "zds",
+      "email": "[email protected]",
+      "role": "Developer"
+    }
+  ],
+  "require": {
+    "php": ">=8.1",
+    "mineadmin/http-server": "2.0.x-dev",
+    "mineadmin/security-bundle": "2.0.x-dev",
+    "lcobucci/jwt": "^5.2"
+  },
+  "autoload": {
+    "psr-4": {
+      "Mine\\Security\\Http\\": "src/"
+    }
+  },
+  "autoload-dev": {
+    "psr-4": {
+      "Mine\\Security\\Http\\Tests\\": "tests/"
+    }
+  },
+  "extra": {
+    "hyperf": {
+      "config": "Mine\\Security\\Http\\ConfigProvider"
+    }
+  }
+}

publish/security.php

@@ -0,0 +1,142 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * This file is part of MineAdmin.
+ *
+ * @link     https://www.mineadmin.com
+ * @document https://doc.mineadmin.com
+ * @contact  [email protected]
+ * @license  https://github.com/mineadmin/MineAdmin/blob/master/LICENSE
+ */
+use Mine\Security\Http\Jwt\Black\CacheBlack;
+use Mine\Security\Http\UserProvider;
+use Mine\SecurityBundle\Context\Context;
+
+use function Hyperf\Support\env;
+
+return [
+    /*
+     * user provider class
+     */
+    'provider' => UserProvider::class,
+    /*
+     * entity class
+     */
+    'entity' => 'App\Models\User',
+    /*
+     * An object that attempts to provide a security context
+     */
+    'context' => Context::class,
+    'jwt' => [
+        'login_type' => env('JWT_LOGIN_TYPE', 'mpop'), //  登录方式，sso为单点登录，mpop为多点登录
+
+        /*
+         * 单点登录自定义数据中必须存在uid的键值，这个key你可以自行定义，只要自定义数据中存在该键即可
+         */
+        'sso_key' => 'uid',
+
+        'secret' => env('JWT_SECRET', 'phper666'), // 非对称加密使用字符串,请使用自己加密的字符串
+
+        /*
+         * JWT 权限keys
+         * 对称算法: HS256, HS384 & HS512 使用 `JWT_SECRET`.
+         * 非对称算法: RS256, RS384 & RS512 / ES256, ES384 & ES512 使用下面的公钥私钥.
+         */
+        'keys' => [
+            'public' => env('JWT_PUBLIC_KEY'), // 公钥，例如：'file:///path/to/public/key'
+            'private' => env('JWT_PRIVATE_KEY'), // 私钥，例如：'file:///path/to/private/key'
+        ],
+
+        'ttl' => env('JWT_TTL', 7200), // token过期时间，单位为秒
+
+        'alg' => env('JWT_ALG', 'HS256'), // jwt的hearder加密算法
+
+        /*
+         * 支持的算法
+         */
+        'supported_algs' => [
+            'HS256' => 'Lcobucci\JWT\Signer\Hmac\Sha256',
+            'HS384' => 'Lcobucci\JWT\Signer\Hmac\Sha384',
+            'HS512' => 'Lcobucci\JWT\Signer\Hmac\Sha512',
+            'ES256' => 'Lcobucci\JWT\Signer\Ecdsa\Sha256',
+            'ES384' => 'Lcobucci\JWT\Signer\Ecdsa\Sha384',
+            'ES512' => 'Lcobucci\JWT\Signer\Ecdsa\Sha512',
+            'RS256' => 'Lcobucci\JWT\Signer\Rsa\Sha256',
+            'RS384' => 'Lcobucci\JWT\Signer\Rsa\Sha384',
+            'RS512' => 'Lcobucci\JWT\Signer\Rsa\Sha512',
+        ],
+
+        /*
+         * 对称算法名称
+         */
+        'symmetry_algs' => [
+            'HS256',
+            'HS384',
+            'HS512',
+        ],
+
+        /*
+         * 非对称算法名称
+         */
+        'asymmetric_algs' => [
+            'RS256',
+            'RS384',
+            'RS512',
+            'ES256',
+            'ES384',
+            'ES512',
+        ],
+
+        /*
+         * 是否开启黑名单，单点登录和多点登录的注销、刷新使原token失效，必须要开启黑名单，目前黑名单缓存只支持hyperf缓存驱动
+         */
+        'blacklist_enabled' => env('JWT_BLACKLIST_ENABLED', true),
+
+        /*
+         * 黑名单的宽限时间 单位为：秒，注意：如果使用单点登录，该宽限时间无效
+         */
+        'blacklist_grace_period' => env('JWT_BLACKLIST_GRACE_PERIOD', 0),
+
+        /*
+         * 黑名单缓存token时间，注意：该时间一定要设置比token过期时间要大一点，默认为1天,最好设置跟过期时间一样
+         */
+        'blacklist_cache_ttl' => env('JWT_TTL', 86400),
+
+        'blacklist_prefix' => 'mineadmin_jwt', // 黑名单缓存的前缀
+        'black' => CacheBlack::class, // 黑名单实现类，默认使用hyperf缓存驱动
+
+        /*
+         * 区分不同场景的token，比如你一个项目可能会有多种类型的应用接口鉴权,下面自行定义，我只是举例子
+         * 下面的配置会自动覆盖根配置，比如application1会里面的数据会覆盖掉根数据
+         * 下面的scene会和根数据合并
+         * scene必须存在一个default
+         * 什么叫根数据，这个配置的一维数组，除了scene都叫根配置
+         */
+        'scene' => [
+            'default' => [],
+            'application1' => [
+                'secret' => 'application1', // 非对称加密使用字符串,请使用自己加密的字符串
+                'login_type' => 'sso', //  登录方式，sso为单点登录，mpop为多点登录
+                'sso_key' => 'uid',
+                'ttl' => 7200, // token过期时间，单位为秒
+                'blacklist_cache_ttl' => env('JWT_TTL', 7200), // 黑名单缓存token时间，注意：该时间一定要设置比token过期时间要大一点，默认为100秒,最好设置跟过期时间一样
+            ],
+            'application2' => [
+                'secret' => 'application2', // 非对称加密使用字符串,请使用自己加密的字符串
+                'login_type' => 'sso', //  登录方式，sso为单点登录，mpop为多点登录
+                'sso_key' => 'uid',
+                'ttl' => 7200, // token过期时间，单位为秒
+                'blacklist_cache_ttl' => env('JWT_TTL', 7200), // 黑名单缓存token时间，注意：该时间一定要设置比token过期时间要大一点，默认为100秒,最好设置跟过期时间一样
+            ],
+            'application3' => [
+                'secret' => 'application3', // 非对称加密使用字符串,请使用自己加密的字符串
+                'login_type' => 'mppo', //  登录方式，sso为单点登录，mpop为多点登录
+                'ttl' => 7200, // token过期时间，单位为秒
+                'blacklist_cache_ttl' => env('JWT_TTL', 7200), // 黑名单缓存token时间，注意：该时间一定要设置比token过期时间要大一点，默认为100秒,最好设置跟过期时间一样
+            ],
+        ],
+        // 是否验证当前场景配置是否是生成当前的token的配置，需要配合自定义中间件实现，false会根据当前token拿到原来的场景配置，并且验证当前token
+        'independentTokenVerify' => false,
+    ],
+];

src/Attribute/CurrentUser.php

@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * This file is part of MineAdmin.
+ *
+ * @link     https://www.mineadmin.com
+ * @document https://doc.mineadmin.com
+ * @contact  [email protected]
+ * @license  https://github.com/mineadmin/MineAdmin/blob/master/LICENSE
+ */
+
+namespace Mine\Security\Http\Attribute;
+
+use Hyperf\Di\Annotation\AbstractAnnotation;
+
+#[\Attribute(\Attribute::TARGET_PARAMETER)]
+class CurrentUser extends AbstractAnnotation {}

src/ConfigProvider.php

@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * This file is part of MineAdmin.
+ *
+ * @link     https://www.mineadmin.com
+ * @document https://doc.mineadmin.com
+ * @contact  [email protected]
+ * @license  https://github.com/mineadmin/MineAdmin/blob/master/LICENSE
+ */
+
+namespace Mine\Security\Http;
+
+class ConfigProvider
+{
+    public function __invoke(): array
+    {
+        return [
+            'publish' => [
+                [
+                    'id' => 'security-http',
+                    'description' => 'Security http configure',
+                    'source' => dirname(__DIR__) . '/publish/security.php',
+                    'destination' => BASE_PATH . '/config/autoload/security.php',
+                ],
+            ],
+        ];
+    }
+}

src/Constant/TokenValidConstant.php

@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * This file is part of MineAdmin.
+ *
+ * @link     https://www.mineadmin.com
+ * @document https://doc.mineadmin.com
+ * @contact  [email protected]
+ * @license  https://github.com/mineadmin/MineAdmin/blob/master/LICENSE
+ */
+
+namespace Mine\Security\Http\Constant;
+
+class TokenValidConstant
+{
+    // token expired
+    public const EXPIRE = 41;
+
+    // The token is blacklisted.
+    public const IN_BLACKLIST = 42;
+
+    // Failed token data verification
+    public const PARSER_DATA_VALID = 43;
+
+    // Can't find the token.
+    public const TOKEN_NOT_FOUND = 44;
+}

src/Contract/BlackContract.php

@@ -0,0 +1,39 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * This file is part of MineAdmin.
+ *
+ * @link     https://www.mineadmin.com
+ * @document https://doc.mineadmin.com
+ * @contact  [email protected]
+ * @license  https://github.com/mineadmin/MineAdmin/blob/master/LICENSE
+ */
+
+namespace Mine\Security\Http\Contract;
+
+use Lcobucci\JWT\UnencryptedToken;
+
+interface BlackContract
+{
+    /**
+     * Add Token to Blacklist.
+     */
+    public function add(UnencryptedToken $token, array $config = []): bool;
+
+    /**
+     * Determine if a token has been blacklisted.
+     */
+    public function has(array $claims, array $config = []): bool;
+
+    /**
+     * Blacklisting removes the token, the key is the jit in the token.
+     * @param mixed $key
+     */
+    public function remove($key, array $config = []): void;
+
+    /**
+     * Clear all blacklists.
+     */
+    public function clear(array $config = []): void;
+}

src/Exception/JwtConfigException.php

@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * This file is part of MineAdmin.
+ *
+ * @link     https://www.mineadmin.com
+ * @document https://doc.mineadmin.com
+ * @contact  [email protected]
+ * @license  https://github.com/mineadmin/MineAdmin/blob/master/LICENSE
+ */
+
+namespace Mine\Security\Http\Exception;
+
+class JwtConfigException extends \Exception
+{
+    public function __construct($message = '', $code = 0, ?\Throwable $previous = null)
+    {
+        parent::__construct($message, $code, $previous);
+    }
+}