package jwt import ( "fmt" "time" "github.com/golang-jwt/jwt/v5" ) const ( AccessTokenDuration = 24 * time.Hour // Access Token 有效期 RefreshTokenDuration = 7 * 24 * time.Hour // Refresh Token 有效期 ) // JWTManager JWT 管理器 type JWTManager struct { secretKey string } // NewJWTManager 创建 JWT 管理器 func NewJWTManager(secretKey string) *JWTManager { return &JWTManager{ secretKey: secretKey, } } // Claims JWT Claims type Claims struct { UserID string `json:"user_id"` Username string `json:"username"` Role string `json:"role"` WorkspaceID string `json:"workspace_id"` TokenType string `json:"token_type"` jwt.RegisteredClaims } // Generate 生成 Access Token 和 Refresh Token func (m *JWTManager) Generate(userID, username, role, workspaceID string) (accessToken, refreshToken string, err error) { // 生成 Access Token accessClaims := &Claims{ UserID: userID, Username: username, Role: role, WorkspaceID: workspaceID, TokenType: "access", RegisteredClaims: jwt.RegisteredClaims{ ExpiresAt: jwt.NewNumericDate(time.Now().Add(AccessTokenDuration)), IssuedAt: jwt.NewNumericDate(time.Now()), }, } accessTokenObj := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims) accessToken, err = accessTokenObj.SignedString([]byte(m.secretKey)) if err != nil { return "", "", fmt.Errorf("failed to sign access token: %w", err) } // 生成 Refresh Token refreshClaims := &Claims{ UserID: userID, Username: username, Role: role, WorkspaceID: workspaceID, TokenType: "refresh", RegisteredClaims: jwt.RegisteredClaims{ ExpiresAt: jwt.NewNumericDate(time.Now().Add(RefreshTokenDuration)), IssuedAt: jwt.NewNumericDate(time.Now()), }, } refreshTokenObj := jwt.NewWithClaims(jwt.SigningMethodHS256, refreshClaims) refreshToken, err = refreshTokenObj.SignedString([]byte(m.secretKey)) if err != nil { return "", "", fmt.Errorf("failed to sign refresh token: %w", err) } return accessToken, refreshToken, nil } // Verify 验证 Token func (m *JWTManager) Verify(tokenString string) (userID, username string, err error) { claims, err := m.VerifyClaims(tokenString, "") if err != nil { return "", "", err } return claims.UserID, claims.Username, nil } func (m *JWTManager) VerifyAccess(tokenString string) (*Claims, error) { return m.VerifyClaims(tokenString, "access") } func (m *JWTManager) VerifyRefresh(tokenString string) (*Claims, error) { return m.VerifyClaims(tokenString, "refresh") } func (m *JWTManager) VerifyWithIssuedAt(tokenString string) (userID, username string, issuedAt int64, err error) { claims, err := m.VerifyClaims(tokenString, "access") if err != nil { return "", "", 0, err } return claims.UserID, claims.Username, claims.IssuedAt.Unix(), nil } func (m *JWTManager) VerifyClaims(tokenString, expectedType string) (*Claims, error) { token, err := jwt.ParseWithClaims(tokenString, &Claims{}, func(token *jwt.Token) (interface{}, error) { if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"]) } return []byte(m.secretKey), nil }) if err != nil { return nil, fmt.Errorf("failed to parse token: %w", err) } claims, ok := token.Claims.(*Claims) if !ok || !token.Valid { return nil, fmt.Errorf("invalid token") } if expectedType != "" && claims.TokenType != expectedType { return nil, fmt.Errorf("invalid token type") } if claims.IssuedAt == nil { return nil, fmt.Errorf("token missing issued_at") } return claims, nil } // Refresh 刷新 Token func (m *JWTManager) Refresh(refreshToken string) (string, error) { // 验证 Refresh Token claims, err := m.VerifyRefresh(refreshToken) if err != nil { return "", fmt.Errorf("invalid refresh token: %w", err) } // 生成新的 Access Token accessClaims := &Claims{ UserID: claims.UserID, Username: claims.Username, Role: claims.Role, WorkspaceID: claims.WorkspaceID, TokenType: "access", RegisteredClaims: jwt.RegisteredClaims{ ExpiresAt: jwt.NewNumericDate(time.Now().Add(AccessTokenDuration)), IssuedAt: jwt.NewNumericDate(time.Now()), }, } accessTokenObj := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims) newAccessToken, err := accessTokenObj.SignedString([]byte(m.secretKey)) if err != nil { return "", fmt.Errorf("failed to sign new access token: %w", err) } return newAccessToken, nil }