add jwt authentication middleware (#84)

* Add jwt authentication middleware

* Fix branch conflicts

Author: wu-clan

backend/app/api/v1/api.py

@@ -2,10 +2,10 @@
 # -*- coding: utf-8 -*-
 from typing import Annotated
 
-from fastapi import APIRouter, Query
+from fastapi import APIRouter, Query, Request
 
 from backend.app.common.casbin_rbac import DependsRBAC
-from backend.app.common.jwt import DependsUser, CurrentUser
+from backend.app.common.jwt import DependsJwtAuth
 from backend.app.common.pagination import PageDepends, paging_data
 from backend.app.common.response.response_schema import response_base
 from backend.app.database.db_mysql import CurrentSession
@@ -15,13 +15,13 @@
 router = APIRouter()
 
 
-@router.get('/{pk}', summary='获取接口详情', dependencies=[DependsUser])
+@router.get('/{pk}', summary='获取接口详情', dependencies=[DependsJwtAuth])
 async def get_api(pk: int):
     api = await ApiService.get(pk=pk)
     return response_base.success(data=api)
 
 
-@router.get('', summary='（模糊条件）分页获取所有接口', dependencies=[DependsUser, PageDepends])
+@router.get('', summary='（模糊条件）分页获取所有接口', dependencies=[DependsJwtAuth, PageDepends])
 async def get_all_apis(
     db: CurrentSession,
     name: Annotated[str | None, Query()] = None,
@@ -34,14 +34,14 @@ async def get_all_apis(
 
 
 @router.post('', summary='创建接口', dependencies=[DependsRBAC])
-async def create_api(obj: CreateApi, user: CurrentUser):
-    await ApiService.create(obj=obj, user_id=user.id)
+async def create_api(request: Request, obj: CreateApi):
+    await ApiService.create(obj=obj, user_id=request.user.id)
     return response_base.success()
 
 
 @router.put('/{pk}', summary='更新接口', dependencies=[DependsRBAC])
-async def update_api(pk: int, obj: UpdateApi, user: CurrentUser):
-    count = await ApiService.update(pk=pk, obj=obj, user_id=user.id)
+async def update_api(request: Request, pk: int, obj: UpdateApi):
+    count = await ApiService.update(pk=pk, obj=obj, user_id=request.user.id)
     if count > 0:
         return response_base.success()
     return response_base.fail()

backend/app/api/v1/auth/auth.py

@@ -7,7 +7,7 @@
 from fastapi_limiter.depends import RateLimiter
 from starlette.background import BackgroundTasks
 
-from backend.app.common.jwt import DependsUser, CurrentUser
+from backend.app.common.jwt import DependsJwtAuth
 from backend.app.common.response.response_schema import response_base
 from backend.app.schemas.token import LoginToken, SwaggerToken, NewToken
 from backend.app.schemas.user import Auth
@@ -42,14 +42,14 @@ async def user_login(request: Request, obj: Auth, background_tasks: BackgroundTa
     return response_base.success(data=data)
 
 
-@router.post('/new_token', summary='创建新 token', dependencies=[DependsUser])
+@router.post('/new_token', summary='创建新 token', dependencies=[DependsJwtAuth])
 async def create_new_token(refresh_token: Annotated[str, Query(...)]):
     access_token, access_expire = await AuthService.new_token(refresh_token)
     data = NewToken(access_token=access_token, access_token_expire_time=access_expire)
     return response_base.success(data=data)
 
 
-@router.post('/logout', summary='用户登出')
-async def user_logout(request: Request, current_user: CurrentUser):
-    await AuthService.logout(request=request, current_user=current_user)
+@router.post('/logout', summary='用户登出', dependencies=[DependsJwtAuth])
+async def user_logout(request: Request):
+    await AuthService.logout(request)
     return response_base.success()

backend/app/api/v1/login_log.py

@@ -5,7 +5,7 @@
 from fastapi import APIRouter, Query
 
 from backend.app.common.casbin_rbac import DependsRBAC
-from backend.app.common.jwt import DependsUser
+from backend.app.common.jwt import DependsJwtAuth
 from backend.app.common.pagination import paging_data, PageDepends
 from backend.app.common.response.response_schema import response_base
 from backend.app.database.db_mysql import CurrentSession
@@ -15,7 +15,7 @@
 router = APIRouter()
 
 
-@router.get('', summary='获取所有登录日志', dependencies=[DependsUser, PageDepends])
+@router.get('', summary='获取所有登录日志', dependencies=[DependsJwtAuth, PageDepends])
 async def get_all_login_logs(db: CurrentSession):
     log_select = await LoginLogService.get_select()
     page_data = await paging_data(db, log_select, GetAllLoginLog)

backend/app/api/v1/user.py

@@ -4,7 +4,7 @@
 
 from fastapi import APIRouter, Query, Request
 
-from backend.app.common.jwt import DependsUser, CurrentUser, DependsSuperUser
+from backend.app.common.jwt import DependsJwtAuth
 from backend.app.common.pagination import paging_data, PageDepends
 from backend.app.common.response.response_schema import response_base
 from backend.app.database.db_mysql import CurrentSession
@@ -29,30 +29,30 @@ async def password_reset(obj: ResetPassword):
     return response_base.fail()
 
 
-@router.get('/{username}', summary='查看用户信息', dependencies=[DependsUser])
+@router.get('/{username}', summary='查看用户信息', dependencies=[DependsJwtAuth])
 async def get_user(username: str):
     current_user = await UserService.get_userinfo(username)
     data = GetAllUserInfo(**select_to_json(current_user))
     return response_base.success(data=data)
 
 
-@router.put('/{username}', summary='更新用户信息')
-async def update_userinfo(username: str, obj: UpdateUser, current_user: CurrentUser):
-    count = await UserService.update(username=username, current_user=current_user, obj=obj)
+@router.put('/{username}', summary='更新用户信息', dependencies=[DependsJwtAuth])
+async def update_userinfo(request: Request, username: str, obj: UpdateUser):
+    count = await UserService.update(request=request, username=username, obj=obj)
     if count > 0:
         return response_base.success()
     return response_base.fail()
 
 
-@router.put('/{username}/avatar', summary='更新头像')
-async def update_avatar(username: str, avatar: Avatar, current_user: CurrentUser):
-    count = await UserService.update_avatar(username=username, current_user=current_user, avatar=avatar)
+@router.put('/{username}/avatar', summary='更新头像', dependencies=[DependsJwtAuth])
+async def update_avatar(request: Request, username: str, avatar: Avatar):
+    count = await UserService.update_avatar(request=request, username=username, avatar=avatar)
     if count > 0:
         return response_base.success()
     return response_base.fail()
 
 
-@router.get('', summary='（模糊条件）分页获取所有用户', dependencies=[DependsUser, PageDepends])
+@router.get('', summary='（模糊条件）分页获取所有用户', dependencies=[DependsJwtAuth, PageDepends])
 async def get_all_users(
     db: CurrentSession,
     username: Annotated[str | None, Query()] = None,
@@ -64,33 +64,38 @@ async def get_all_users(
     return response_base.success(data=page_data)
 
 
-@router.post('/{pk}/super', summary='修改用户超级权限', dependencies=[DependsSuperUser])
-async def super_set(pk: int):
-    count = await UserService.update_permission(pk)
+@router.post('/{pk}/super', summary='修改用户超级权限', dependencies=[DependsJwtAuth])
+async def super_set(request: Request, pk: int):
+    count = await UserService.update_permission(request=request, pk=pk)
     if count > 0:
         return response_base.success()
     return response_base.fail()
 
 
-@router.post('/{pk}/action', summary='修改用户状态', dependencies=[DependsSuperUser])
-async def active_set(pk: int):
-    count = await UserService.update_active(pk)
+@router.post('/{pk}/action', summary='修改用户状态', dependencies=[DependsJwtAuth])
+async def active_set(request: Request, pk: int):
+    count = await UserService.update_active(request=request, pk=pk)
     if count > 0:
         return response_base.success()
     return response_base.fail()
 
 
-@router.post('/{pk}/multi', summary='修改用户多点登录状态')
-async def multi_set(request: Request, pk: int, current_user: CurrentUser):
-    count = await UserService.update_multi_login(request=request, pk=pk, current_user=current_user)
+@router.post('/{pk}/multi', summary='修改用户多点登录状态', dependencies=[DependsJwtAuth])
+async def multi_set(request: Request, pk: int):
+    count = await UserService.update_multi_login(request=request, pk=pk)
     if count > 0:
         return response_base.success()
     return response_base.fail()
 
 
-@router.delete('/{username}', summary='用户注销', description='用户注销 != 用户退出，注销之后用户将从数据库删除')
-async def delete_user(username: str, current_user: CurrentUser):
-    count = await UserService.delete(username=username, current_user=current_user)
+@router.delete(
+    path='/{username}',
+    summary='用户注销',
+    description='用户注销 != 用户登出，注销之后用户将从数据库删除',
+    dependencies=[DependsJwtAuth],
+)
+async def delete_user(request: Request, username: str):
+    count = await UserService.delete(request=request, username=username)
     if count > 0:
         return response_base.success()
     return response_base.fail()

backend/app/common/casbin_rbac.py

@@ -5,7 +5,7 @@
 from fastapi import Request, Depends
 
 from backend.app.common.exception.errors import AuthorizationError
-from backend.app.common.jwt import CurrentUser
+from backend.app.common.jwt import DependsJwtAuth
 from backend.app.core.conf import settings
 from backend.app.core.path_conf import RBAC_MODEL_CONF
 from backend.app.database.db_mysql import async_engine
@@ -26,18 +26,18 @@ async def get_casbin_enforcer() -> casbin.Enforcer:
 
         return enforcer
 
-    async def rbac_verify(self, request: Request, user: CurrentUser) -> None:
+    async def rbac_verify(self, request: Request, _: str = DependsJwtAuth) -> None:
         """
         权限校验，超级用户跳过校验，默认拥有所有权限
 
         :param request:
-        :param user:
+        :param _:
         :return:
         """
-        user_uuid = user.user_uuid
-        user_roles = user.roles
+        user_uuid = request.user.user_uuid
+        user_roles = request.user.roles
         role_data_scope = [role.data_scope for role in user_roles]
-        super_user = user.is_superuser
+        super_user = request.user.is_superuser
         path = request.url.path
         method = request.method
 

backend/app/common/jwt.py

@@ -8,13 +8,12 @@
 from jose import jwt
 from passlib.context import CryptContext
 from pydantic import ValidationError
-from typing_extensions import Annotated
+from sqlalchemy.ext.asyncio import AsyncSession
 
 from backend.app.common.exception.errors import AuthorizationError, TokenError
 from backend.app.common.redis import redis_client
 from backend.app.core.conf import settings
 from backend.app.crud.crud_user import UserDao
-from backend.app.database.db_mysql import CurrentSession
 from backend.app.models import User
 
 pwd_context = CryptContext(schemes=['bcrypt'], deprecated='auto')
@@ -139,7 +138,7 @@ def jwt_decode(token: str) -> tuple[int, list[int]]:
     return user_id, role_ids
 
 
-async def jwt_authentication(token: str = Depends(oauth2_schema)) -> dict[str, int]:
+async def jwt_authentication(token: str) -> dict[str, int]:
     """
     JWT authentication
 
@@ -154,9 +153,9 @@ async def jwt_authentication(token: str = Depends(oauth2_schema)) -> dict[str, i
     return {'sub': user_id}
 
 
-async def get_current_user(db: CurrentSession, data: dict = Depends(jwt_authentication)) -> User:
+async def get_current_user(db: AsyncSession, data: dict) -> User:
     """
-    Get the current user through tokens
+    Get the current user through token
 
     :param db:
     :param data:
@@ -169,24 +168,18 @@ async def get_current_user(db: CurrentSession, data: dict = Depends(jwt_authenti
     return user
 
 
-async def get_current_is_superuser(user: User = Depends(get_current_user)):
+async def superuser_verify(request: Request) -> bool:
     """
     Verify the current user permissions through token
 
-    :param user:
+    :param request:
     :return:
     """
-    is_superuser = user.is_superuser
+    is_superuser = request.user.is_superuser
     if not is_superuser:
         raise AuthorizationError
     return is_superuser
 
 
-# User Annotated
-CurrentUser = Annotated[User, Depends(get_current_user)]
-CurrentSuperUser = Annotated[bool, Depends(get_current_is_superuser)]
-# Token dependency injection
-CurrentJwtAuth = Annotated[dict, Depends(jwt_authentication)]
-# Permission dependency injection
-DependsUser = Depends(get_current_user)
-DependsSuperUser = Depends(get_current_is_superuser)
+# Jwt verify dependency
+DependsJwtAuth = Depends(oauth2_schema)

backend/app/core/conf.py

@@ -91,6 +91,7 @@ def validator_api_url(cls, values):
     # Middleware
     MIDDLEWARE_CORS: bool = True
     MIDDLEWARE_GZIP: bool = True
+    MIDDLEWARE_JWT_AUTH: bool = True
     MIDDLEWARE_ACCESS: bool = False
 
     # Casbin

backend/app/core/registrar.py

@@ -5,6 +5,7 @@
 from fastapi import FastAPI
 from fastapi_limiter import FastAPILimiter
 from fastapi_pagination import add_pagination
+from starlette.middleware.authentication import AuthenticationMiddleware
 
 from backend.app.api.routers import v1
 from backend.app.common.exception.exception_handler import register_exception
@@ -105,6 +106,11 @@ def register_middleware(app: FastAPI):
         from fastapi.middleware.gzip import GZipMiddleware
 
         app.add_middleware(GZipMiddleware)
+    # JWT auth
+    if settings.MIDDLEWARE_JWT_AUTH:
+        from backend.app.middleware.jwt_auth_middleware import JwtAuthMiddleware
+
+        app.add_middleware(AuthenticationMiddleware, backend=JwtAuthMiddleware())
     # Api access logs
     if settings.MIDDLEWARE_ACCESS:
         from backend.app.middleware.access_middleware import AccessMiddleware

backend/app/middleware/jwt_auth_middleware.py

@@ -0,0 +1,27 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+from starlette.authentication import AuthenticationBackend
+from fastapi import Request
+
+from backend.app.common import jwt
+from backend.app.database.db_mysql import async_db_session
+
+
+class JwtAuthMiddleware(AuthenticationBackend):
+    """JWT 认证中间件"""
+
+    async def authenticate(self, request: Request):
+        auth = request.headers.get('Authorization')
+        if not auth:
+            return
+
+        scheme, token = auth.split()
+        if scheme.lower() != 'bearer':
+            return
+
+        sub = await jwt.jwt_authentication(token)
+
+        async with async_db_session() as db:
+            user = await jwt.get_current_user(db, data=sub)
+
+        return auth, user

backend/app/services/auth_service.py

@@ -10,12 +10,11 @@
 
 from backend.app.common import jwt
 from backend.app.common.exception import errors
-from backend.app.common.jwt import get_token, jwt_decode
+from backend.app.common.jwt import get_token
 from backend.app.common.redis import redis_client
 from backend.app.core.conf import settings
 from backend.app.crud.crud_user import UserDao
 from backend.app.database.db_mysql import async_db_session
-from backend.app.models import User
 from backend.app.schemas.user import Auth
 from backend.app.services.login_log_service import LoginLogService
 
@@ -93,12 +92,11 @@ async def new_token(refresh_token: str) -> tuple[str, datetime]:
             return access_new_token, access_new_token_expire_time
 
     @staticmethod
-    async def logout(*, request: Request, current_user: User) -> NoReturn:
+    async def logout(request: Request) -> NoReturn:
         token = get_token(request)
-        user_id, _ = jwt_decode(token)
-        if current_user.is_multi_login:
-            key = f'{settings.TOKEN_REDIS_PREFIX}:{user_id}:{token}'
+        if request.user.is_multi_login:
+            key = f'{settings.TOKEN_REDIS_PREFIX}:{request.user.id}:{token}'
             await redis_client.delete(key)
         else:
-            prefix = f'{settings.TOKEN_REDIS_PREFIX}:{user_id}:'
+            prefix = f'{settings.TOKEN_REDIS_PREFIX}:{request.user.id}:'
             await redis_client.delete_prefix(prefix)