Merge pull request #68 from phper666/67-使用application场景

#67 1、修复SSO模式下，token偶发失效的问题 2、时间改为使用系统默认时区
phper666 · Aug 13, 2023 · 198a082 · 198a082
2 parents 6edc5df + 2fb2db6
commit 198a082
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 8 deletions.
diff --git a/src/JWT.php b/src/JWT.php
@@ -152,7 +152,7 @@ public function getToken(string $scene, array $claims): Plain
             $uniqid = $this->getScene() . "_" . $claims[$ssoKey];
         }
 
-        $clock = SystemClock::fromUTC();
+        $clock = SystemClock::fromSystemTimezone();
         $now = $clock->now();
         $expiresAt = $clock->now()->modify('+' . $jwtSceneConfig['ttl'] . ' second');
         $builder = $this->lcobucciJwtConfiguration->builder(ChainedFormatter::withUnixTimestampDates())->issuedBy($issuedBy);
@@ -184,7 +184,6 @@ public function getToken(string $scene, array $claims): Plain
             // Configures the expiration time of the token (exp claim) 到期时间
             ->expiresAt($expiresAt);
 
-
         $token = $builder->getToken($this->lcobucciJwtConfiguration->signer(), $this->lcobucciJwtConfiguration->signingKey());
         if ($loginType == JWTConstant::SSO) {
             $this->addTokenBlack($token, true);
@@ -310,18 +309,26 @@ public function addTokenBlack(Plain $token, bool $addByCreateTokenMethod = false
     {
         $sceneConfig = $this->getSceneConfigByToken($token);
         $claims = $token->claims();
+
         if ($sceneConfig['blacklist_enabled']) {
+            $iatTime = TimeUtil::getCarbonTimeByTokenTime($claims->get(RegisteredClaims::ISSUED_AT));
             $cacheKey = $this->getCacheKey($sceneConfig, $claims->get(RegisteredClaims::ID));
             if ($sceneConfig['login_type'] == JWTConstant::MPOP) {
                 $blacklistGracePeriod = $sceneConfig['blacklist_grace_period'];
-                $iatTime = TimeUtil::getCarbonTimeByTokenTime($claims->get(RegisteredClaims::ISSUED_AT));
                 $validUntil = $iatTime->addSeconds($blacklistGracePeriod)->getTimestamp();
             } else {
                 /**
                  * 为什么要取当前的时间戳？
                  * 是为了在单点登录下，让这个时间前当前用户生成的token都失效，可以把这个用户在多个端都踢下线
                  */
-                $validUntil = TimeUtil::now()->subSeconds(1)->getTimestamp();
+                $validUntil = TimeUtil::now()->subSeconds()->getTimestamp();
+                // fix: SSO模式签发时间可能会跟黑名单缓存校验时间一致,因为创建token是先签发，后加入黑名单，所以就算获取当前时间-1秒，也还有可能一致
+                // 处理方式是：
+                // 如果是创建token，则使用token的签发时间-1秒为黑名单缓存校验时间
+                // 如果是刷新token，则使用当前时间-1秒为黑名单校验缓存时间(刷新token是先加入加入黑名单，后生成token)
+                if ($addByCreateTokenMethod) {
+                    $validUntil = $iatTime->subSeconds()->getTimestamp();
+                }
             }
 
             /**
@@ -370,7 +377,6 @@ public function refreshToken(string $token = null): Plain
         if($token == null) {
             $token = JWTUtil::getToken($this->request);
         }
-
         $token = $this->tokenToPlain($token);
 
         // TODO emm....这里是否要做失败处理?
@@ -545,7 +551,7 @@ protected function isAsymmetric(): bool
      */
     protected function validationConstraints(DataSet $claims, Configuration $configuration)
     {
-        $clock = SystemClock::fromUTC();
+        $clock = SystemClock::fromSystemTimezone();
         $validationConstraints = [
             new IdentifiedBy($claims->get(RegisteredClaims::ID)),
             new IssuedBy($claims->get(RegisteredClaims::ISSUER)),

diff --git a/src/Util/TimeUtil.php b/src/Util/TimeUtil.php
@@ -19,7 +19,7 @@ class TimeUtil
      */
     public static function now()
     {
-        return Carbon::now('UTC');
+        return Carbon::now(date_default_timezone_get());
     }
 
     /**
@@ -31,7 +31,7 @@ public static function now()
      */
     public static function timestamp($timestamp)
     {
-        return Carbon::createFromTimestampUTC($timestamp)->timezone('UTC');
+        return Carbon::createFromTimestamp($timestamp, date_default_timezone_get());
     }
 
     /**