New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

关于刷新Token，如果是非root用户，逻辑是有些问题的吧 #91

Open

lihongyiyi opened this issue Aug 14, 2020 · 1 comment

lihongyiyi commented Aug 14, 2020 •

edited

如果刷新接口传过来的是无效token，并且登陆的是非root用户，那么鉴权的这个地方：

if config.C.IsDebugMode() {
	wrapUserAuthContext(c, config.C.Root.UserName)
	c.Next()
	return
}

直接将root作为userID设置到上下文。

然后继而执行到刷新接口的 RefreshToken 方法，ginplus.GetUserID(c) 拿到的始终root，并根据root作为userID生产新token，然而此时并不是root用户在请求资源，应该是有问题的

对这个问题:

能不能对接口增加传userID来实现，在RefreshToken中，单独验证token是否有效，如果有效，直接返回旧的token, 否则根据userID生的token呢？
或者单独验证token是否有效，如果有效，直接返回旧的token；否则调 jwt.ParseWithClaims（即使过期也能拿到Claims数据）获取userID，然后生产新token

The text was updated successfully, but these errors were encountered:

Owner

LyricTian commented Aug 30, 2020

这个地方是默认 debug 模式下使用 root 用户，方便开发模式下使用。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment