Update the logic for create new token (#516)

Author: wu-clan

backend/app/admin/api/v1/auth/auth.py

@@ -35,9 +35,9 @@ async def user_login(
     return response_base.success(data=data)
 
 
-@router.post('/token/new', summary='创建新 token', dependencies=[DependsJwtAuth])
+@router.post('/token/new', summary='创建新 token')
 async def create_new_token(request: Request, response: Response) -> ResponseSchemaModel[GetNewToken]:
-    data = await auth_service.new_token(request=request, response=response)
+    data = await auth_service.new_token(request=request)
     return response_base.success(data=data)
 
 

backend/app/admin/service/auth_service.py

@@ -132,26 +132,22 @@ async def login(
                 return data
 
     @staticmethod
-    async def new_token(*, request: Request, response: Response) -> GetNewToken:
+    async def new_token(*, request: Request) -> GetNewToken:
         refresh_token = request.cookies.get(settings.COOKIE_REFRESH_TOKEN_KEY)
         if not refresh_token:
-            raise errors.TokenError(msg='Refresh Token 丢失，请重新登录')
+            raise errors.TokenError(msg='Refresh Token 已过期，请重新登录')
         try:
             user_id = jwt_decode(refresh_token).id
         except Exception:
             raise errors.TokenError(msg='Refresh Token 无效')
-        if request.user.id != user_id:
-            raise errors.TokenError(msg='Refresh Token 无效')
         async with async_db_session() as db:
-            token = get_token(request)
             user = await user_dao.get(db, user_id)
             if not user:
                 raise errors.NotFoundError(msg='用户名或密码有误')
             elif not user.status:
                 raise errors.AuthorizationError(msg='用户已被锁定, 请联系统管理员')
             new_token = await create_new_token(
                 user_id=str(user.id),
-                token=token,
                 refresh_token=refresh_token,
                 multi_login=user.is_multi_login,
                 # extra info
@@ -163,13 +159,6 @@ async def new_token(*, request: Request, response: Response) -> GetNewToken:
                 browser=request.state.browser,
                 device_type=request.state.device,
             )
-            response.set_cookie(
-                key=settings.COOKIE_REFRESH_TOKEN_KEY,
-                value=new_token.new_refresh_token,
-                max_age=settings.COOKIE_REFRESH_TOKEN_EXPIRE_SECONDS,
-                expires=timezone.f_utc(new_token.new_refresh_token_expire_time),
-                httponly=True,
-            )
             data = GetNewToken(
                 access_token=new_token.new_access_token,
                 access_token_expire_time=new_token.new_access_token_expire_time,

backend/common/dataclasses.py

@@ -38,8 +38,6 @@ class RequestCallNext:
 class NewToken:
     new_access_token: str
     new_access_token_expire_time: datetime
-    new_refresh_token: str
-    new_refresh_token_expire_time: datetime
     session_uuid: str
 
 

backend/common/security/jwt.py

@@ -116,36 +116,23 @@ async def create_refresh_token(user_id: str, multi_login: bool) -> RefreshToken:
     return RefreshToken(refresh_token=refresh_token, refresh_token_expire_time=expire)
 
 
-async def create_new_token(user_id: str, token: str, refresh_token: str, multi_login: bool, **kwargs) -> NewToken:
+async def create_new_token(user_id: str, refresh_token: str, multi_login: bool, **kwargs) -> NewToken:
     """
     Generate new token
 
     :param user_id:
-    :param token
     :param refresh_token:
     :param multi_login:
     :param kwargs: Access token extra information
     :return:
     """
     redis_refresh_token = await redis_client.get(f'{settings.TOKEN_REFRESH_REDIS_PREFIX}:{user_id}:{refresh_token}')
     if not redis_refresh_token or redis_refresh_token != refresh_token:
-        raise TokenError(msg='Refresh Token 已过期')
-
-    token_payload = jwt_decode(token)
+        raise TokenError(msg='Refresh Token 已过期，请重新登录')
     new_access_token = await create_access_token(user_id, multi_login, **kwargs)
-    new_refresh_token = await create_refresh_token(user_id, multi_login)
-    keys = [
-        f'{settings.TOKEN_REDIS_PREFIX}:{user_id}:{token_payload.session_uuid}',
-        f'{settings.TOKEN_REFRESH_REDIS_PREFIX}:{user_id}:{refresh_token}',
-    ]
-    for key in keys:
-        await redis_client.delete(key)
-
     return NewToken(
         new_access_token=new_access_token.access_token,
         new_access_token_expire_time=new_access_token.access_token_expire_time,
-        new_refresh_token=new_refresh_token.refresh_token,
-        new_refresh_token_expire_time=new_refresh_token.refresh_token_expire_time,
         session_uuid=new_access_token.session_uuid,
     )
 
@@ -233,8 +220,8 @@ async def jwt_authentication(token: str) -> CurrentUserIns:
     """
     token_payload = jwt_decode(token)
     user_id = token_payload.id
-    token_verify = await redis_client.get(f'{settings.TOKEN_REDIS_PREFIX}:{user_id}:{token_payload.session_uuid}')
-    if not token_verify:
+    redis_token = await redis_client.get(f'{settings.TOKEN_REDIS_PREFIX}:{user_id}:{token_payload.session_uuid}')
+    if not redis_token or token != redis_token:
         raise TokenError(msg='Token 已过期')
     cache_user = await redis_client.get(f'{settings.JWT_USER_REDIS_PREFIX}:{user_id}')
     if not cache_user: