VampireAchao opened a new pull request, #5600: URL: https://github.com/apache/shenyu/pull/5600
<!-- Describe your PR here; e.g. Fixes #issueNo --> <!-- Thank you for proposing a pull request. This template will guide you through the essential steps necessary for a pull request. --> Make sure that: - [x] You have read the [contribution guidelines](https://shenyu.apache.org/community/contributor-guide). - [x] You submit test cases (unit or integration tests) that back your changes. - [x] Your local test passed `./mvnw clean install -Dmaven.javadoc.skip=true`. **Overview:** This pull request addresses the business requirement that a new login session should invalidate all previous login sessions for the same user. This is achieved by introducing a `client_id` field, which uniquely identifies each login session. The `client_id` is included in the JWT token and validated on each request to ensure that only the latest session remains active. **Changes Introduced:** 1. **Backend Enhancements:** - Added a `client_id` field to the user model to track the current session's client ID. - Updated the authentication process to generate a new `client_id` upon each login. - Modified `JwtUtils` to include the `client_id` in the generated JWT token and to extract it during token validation. 2. **ShiroRealm Modifications:** - Added logic in `ShiroRealm` to extract the `client_id` from the JWT token. - Implemented a check to compare the extracted `client_id` with the one stored in the user's session data. - If the `client_id` from the token does not match the stored `client_id`, an `AuthenticationException` is thrown, thus invalidating the token. **Detailed Code Changes:** **1. User Model:** - Introduced a new field `currentClientId` to store the active client ID for each user session. **2. JwtUtils Modifications:** - Modified the `generateToken` method to include the `client_id` in the JWT payload. - Added a method to extract `client_id` from the JWT token. **3. ShiroRealm Enhancements:** ```java @Override protected AuthenticationInfo doGetAuthenticationInfo(final AuthenticationToken authenticationToken) { String token = (String) authenticationToken.getCredentials(); if (StringUtils.isEmpty(token)) { return null; } String userName = JwtUtils.getIssuer(token); if (StringUtils.isEmpty(userName)) { throw new AuthenticationException("userName is null"); } String clientIdFromToken = JwtUtils.getClientId(token); DashboardUserVO dashboardUserVO = dashboardUserService.findByUserName(userName); if (dashboardUserVO == null) { throw new AuthenticationException(String.format("userName(%s) cannot be found.", userName)); } if (StringUtils.isNotEmpty(dashboardUserVO.getClientId()) && !StringUtils.equals(dashboardUserVO.getClientId(), clientIdFromToken)) { throw new AuthenticationException("clientId is invalid or does not match"); } if (!JwtUtils.verifyToken(token, dashboardUserVO.getPassword())) { throw new AuthenticationException("token is error."); } return new SimpleAuthenticationInfo(UserInfo.builder() .userName(userName) .userId(dashboardUserVO.getId()) .build(), token, this.getName()); } ``` **Impact:** This update ensures that a new login invalidates all previous tokens, enhancing the security by preventing multiple active sessions using the same credentials. This mechanism is crucial for applications where session integrity and security are paramount. **Testing:** - Unit tests have been added to verify the generation, inclusion, and validation of the `client_id` in JWT tokens. - Integration tests ensure that old tokens are invalidated upon new logins and that valid tokens are correctly authenticated. **Documentation:** Relevant documentation sections have been updated to describe the new `client_id` field and its role in session validation. **Conclusion:** This PR significantly enhances the security framework of Apache ShenYu by ensuring that only the latest login session is valid. It provides a robust mechanism to prevent unauthorized access through token reuse, aligning with best practices for session management. Your feedback and suggestions are highly appreciated. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@shenyu.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
