我的 API 没有授权它自己生成的令牌
My API does not authorize it's own generated tokens
我一直在与我的 API 作斗争,因为它不接受我的代币。我使用自己的签名密钥和凭据通过 class 生成令牌。有谁知道我做错了什么,也许这可以帮助社区的其他成员?
我该怎么办:
我使用生成的 API 令牌请求 GET 请求。在 https://danzai.pidepormi.com/products 中 returns 未经授权。
示例生成的令牌(1 天生命周期):eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6ImFsZXhAbWljcm9tYXIubmV0IiwibmJmIjoxNjQ2OTExNDgxLCJleHAiOjE2NDY5OTc4ODEsImlhdCI6MTY0NjkxMTQ4MSwiaXNzIjoiZGFuemFpLW9yZGVyZm9ybWUtYXBpIiwiYXVkIjoiZGFuemFpLW9yZGVyZm9ybWUtYXBwIn0.GTGafndN-GH-45mQbktKPF7EtSI3BQkyOSkAMISSUUo
您可以通过将令牌与此签名放在一起来检查令牌是否有效:Lnk&_sZYp@6rMgSm9Gl9vpzgO8m1?3JzpbCQ7U3y$=kR1n75*Rx6=p_$vd$aP2?7t! in https://jwt.io/
我留下本案涉及的classes:
产品控制器:
[Authorize]
[HttpGet("/products")]
public async Task<ActionResult<List<Product>>> GetProducts()
{
database = DatabaseModel.GetDatabase(configuration);
List<Product> productsToReturn = new();
productsToReturn = ProductMethods.GetProducts(database);
if(productsToReturn.Count > 0)
{
return Ok(productsToReturn);
}
else if(productsToReturn.Count == 0)
{
return NoContent();
}
else
{
return BadRequest();
}
}
产品 class 和 ProductMethods:
public class Product
{
public int id { get; set; }
public string name { get; set; }
public string description { get; set; }
public string image_url { get; set; }
public bool available { get; set; }
public string family_name { get; set; }
public string subfamily_name { get; set; }
public List<Supplier> suppliers { get; set; }
public Supplier selectedSupplier { get; set; }
}
public static class ProductMethods
{
public static List<Product> GetProducts(IDataBase database)
{
try
{
List<Product> productsToReturn = new();
database.StartTransaction();
string SQLText = "SELECT * FROM OBTENERPRODUCTOS";
FbCommand SQLCommand = new FbCommand();
SQLCommand.CommandText = SQLText;
DataTable dataTableProducts = database.Select(SQLCommand);
database.CommitTransaction();
if (dataTableProducts.Rows.Count > 0)
{
foreach (DataRow dataRowProducts in dataTableProducts.Rows)
{
Product productToAdd = new();
Supplier supplierToAdd = new();
if (dataRowProducts["CODIGO"] != DBNull.Value) productToAdd.id = Convert.ToInt32(dataRowProducts["CODIGO"]);
if (dataRowProducts["DESCRIPCION"] != DBNull.Value) productToAdd.description = Convert.ToString(dataRowProducts["DESCRIPCION"]);
if (dataRowProducts["PRECIO"] != DBNull.Value) supplierToAdd.price = Convert.ToDouble(dataRowProducts["PRECIO"]);
if (dataRowProducts["NOMBRE_FAMILIA"] != DBNull.Value) productToAdd.family_name = Convert.ToString(dataRowProducts["NOMBRE_FAMILIA"]);
if (dataRowProducts["NOMBRE_SUBFAMILIA"] != DBNull.Value) productToAdd.subfamily_name = Convert.ToString(dataRowProducts["NOMBRE_SUBFAMILIA"]);
if (dataRowProducts["URL_IMAGEN"] != DBNull.Value) productToAdd.image_url = Convert.ToString(dataRowProducts["URL_IMAGEN"]);
if (dataRowProducts["ID_PROVEEDOR"] != DBNull.Value) supplierToAdd.id = Convert.ToInt32(dataRowProducts["ID_PROVEEDOR"]);
if (dataRowProducts["NOMBRE_PROVEEDOR"] != DBNull.Value) supplierToAdd.name = Convert.ToString(dataRowProducts["NOMBRE_PROVEEDOR"]);
if (dataRowProducts["ACTIVO"] != DBNull.Value) supplierToAdd.active = Convert.ToBoolean(dataRowProducts["ACTIVO"]);
productToAdd.suppliers.Add(supplierToAdd);
productsToReturn.Add(productToAdd);
}
return productsToReturn;
}
else
{
return productsToReturn;
}
}
catch (Exception ex)
{
Console.Error.WriteLine(ex.Message);
Console.Error.WriteLine(ex.InnerException);
database.RollBackTransaction();
throw;
}
}
}
经过身份验证的用户 class:
public class AuthenticatedUser : IIdentity
{
public AuthenticatedUser(string authenticateType, bool isAuthenticated, string email)
{
AuthenticationType = authenticateType;
IsAuthenticated = isAuthenticated;
Name = email;
}
public string AuthenticationType { get; }
public bool IsAuthenticated { get; }
public string Name { get; }
}
}
令牌class:
public class Token
{
public Token() { }
public string token { get; set; }
public DateTime expires { get; set; }
}
JwtToken class:
public class JwtToken
{
private const string SECRET_KEY = "Lnk&_sZYp@6rMgSm9Gl9vpzgO8m1?3JzpbCQ7U3y$=kR1n75*Rx6=p_$vd$aP2?7t!";
public static readonly SymmetricSecurityKey SIGNING_KEY = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SECRET_KEY));
public static Token GenerateJwtToken(string email)
{
SigningCredentials credentials = new SigningCredentials(SIGNING_KEY, SecurityAlgorithms.HmacSha256);
AuthenticatedUser authenticatedUser = new(JwtBearerDefaults.AuthenticationScheme, true, email);
SecurityTokenDescriptor securityTokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(authenticatedUser),
Issuer = "danzai-orderforme-api",
Audience = "danzai-orderforme-app",
IssuedAt = DateTime.UtcNow,
SigningCredentials = credentials,
Expires = DateTime.UtcNow.AddMinutes(1440),
};
JwtSecurityTokenHandler securityTokenHandler = new JwtSecurityTokenHandler();
SecurityToken securityToken = securityTokenHandler.CreateToken(securityTokenDescriptor);
string tokenString = securityTokenHandler.WriteToken(securityToken);
Token tokenToReturn = new();
tokenToReturn.token = tokenString;
tokenToReturn.expires = securityToken.ValidTo;
return tokenToReturn;
}
public static string ReadTokenUser(String accessToken)
{
var tokenHandler = new JwtSecurityTokenHandler();
if (accessToken.Contains("Bearer ")) accessToken = accessToken.Split(' ')[1];
var token = tokenHandler.ReadToken(accessToken) as JwtSecurityToken;
string email = token.Claims.First(claim => claim.Type == "unique_name").Value;
return email;
}
}
最后程序 class:
var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
StartupUtils.CopyAppSettings(args[0]);
string SECRET_KEY = "Lnk&_sZYp@6rMgSm9Gl9vpzgO8m1?3JzpbCQ7U3y$=kR1n75*Rx6=p_$vd$aP2?7t!";
SymmetricSecurityKey SIGNING_KEY = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SECRET_KEY));
builder.Services.AddControllers();
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = "JwtBearer";
options.DefaultChallengeScheme = "JwtBearer";
})
.AddJwtBearer("JwtBearer", jwtOptions =>
{
jwtOptions.TokenValidationParameters = new TokenValidationParameters()
{
IssuerSigningKey = SIGNING_KEY,
ValidateIssuer = true,
ValidateAudience = true,
ValidIssuer = "danzai-orderforme-api",
ValidAudience = "danzai-orderforme-app",
RequireSignedTokens = true,
ClockSkew = TimeSpan.Zero
};
});
builder.Services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new OpenApiInfo { Title = "danzai-orderforme_api", Version = "v1" });
c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
{
Description = "Authorization header using the Bearer scheme. Example: \"Authorization: Bearer {token}\"",
Name = "Authorization",
In = ParameterLocation.Header,
Type = SecuritySchemeType.ApiKey,
Scheme = "bearer",
BearerFormat = "JWT"
});
c.AddSecurityRequirement(new OpenApiSecurityRequirement
{
{
new OpenApiSecurityScheme
{
Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "Bearer" }
},
new List<string>()
}
});
});
var app = builder.Build();
app.UseCors(options =>
{
//string[] allowedOrigins = { "*" };
//options.WithOrigins(allowedOrigins);
options.AllowAnyMethod();
options.AllowAnyHeader();
options.AllowCredentials();
options.SetIsOriginAllowed(origin => true);
});
if (app.Environment.IsDevelopment())
{
app.UseSwagger();
app.UseSwaggerUI();
}
app.UseHttpsRedirection();
app.UseAuthorization();
app.UseAuthentication();
app.MapControllers();
app.Run();
您只需更改以下行的顺序:
app.UseAuthorization();
app.UseAuthentication();
到
app.UseAuthentication();
app.UseAuthorization();
那行得通。
我一直在与我的 API 作斗争,因为它不接受我的代币。我使用自己的签名密钥和凭据通过 class 生成令牌。有谁知道我做错了什么,也许这可以帮助社区的其他成员?
我该怎么办: 我使用生成的 API 令牌请求 GET 请求。在 https://danzai.pidepormi.com/products 中 returns 未经授权。
示例生成的令牌(1 天生命周期):eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1bmlxdWVfbmFtZSI6ImFsZXhAbWljcm9tYXIubmV0IiwibmJmIjoxNjQ2OTExNDgxLCJleHAiOjE2NDY5OTc4ODEsImlhdCI6MTY0NjkxMTQ4MSwiaXNzIjoiZGFuemFpLW9yZGVyZm9ybWUtYXBpIiwiYXVkIjoiZGFuemFpLW9yZGVyZm9ybWUtYXBwIn0.GTGafndN-GH-45mQbktKPF7EtSI3BQkyOSkAMISSUUo
您可以通过将令牌与此签名放在一起来检查令牌是否有效:Lnk&_sZYp@6rMgSm9Gl9vpzgO8m1?3JzpbCQ7U3y$=kR1n75*Rx6=p_$vd$aP2?7t! in https://jwt.io/
我留下本案涉及的classes:
产品控制器:
[Authorize]
[HttpGet("/products")]
public async Task<ActionResult<List<Product>>> GetProducts()
{
database = DatabaseModel.GetDatabase(configuration);
List<Product> productsToReturn = new();
productsToReturn = ProductMethods.GetProducts(database);
if(productsToReturn.Count > 0)
{
return Ok(productsToReturn);
}
else if(productsToReturn.Count == 0)
{
return NoContent();
}
else
{
return BadRequest();
}
}
产品 class 和 ProductMethods:
public class Product
{
public int id { get; set; }
public string name { get; set; }
public string description { get; set; }
public string image_url { get; set; }
public bool available { get; set; }
public string family_name { get; set; }
public string subfamily_name { get; set; }
public List<Supplier> suppliers { get; set; }
public Supplier selectedSupplier { get; set; }
}
public static class ProductMethods
{
public static List<Product> GetProducts(IDataBase database)
{
try
{
List<Product> productsToReturn = new();
database.StartTransaction();
string SQLText = "SELECT * FROM OBTENERPRODUCTOS";
FbCommand SQLCommand = new FbCommand();
SQLCommand.CommandText = SQLText;
DataTable dataTableProducts = database.Select(SQLCommand);
database.CommitTransaction();
if (dataTableProducts.Rows.Count > 0)
{
foreach (DataRow dataRowProducts in dataTableProducts.Rows)
{
Product productToAdd = new();
Supplier supplierToAdd = new();
if (dataRowProducts["CODIGO"] != DBNull.Value) productToAdd.id = Convert.ToInt32(dataRowProducts["CODIGO"]);
if (dataRowProducts["DESCRIPCION"] != DBNull.Value) productToAdd.description = Convert.ToString(dataRowProducts["DESCRIPCION"]);
if (dataRowProducts["PRECIO"] != DBNull.Value) supplierToAdd.price = Convert.ToDouble(dataRowProducts["PRECIO"]);
if (dataRowProducts["NOMBRE_FAMILIA"] != DBNull.Value) productToAdd.family_name = Convert.ToString(dataRowProducts["NOMBRE_FAMILIA"]);
if (dataRowProducts["NOMBRE_SUBFAMILIA"] != DBNull.Value) productToAdd.subfamily_name = Convert.ToString(dataRowProducts["NOMBRE_SUBFAMILIA"]);
if (dataRowProducts["URL_IMAGEN"] != DBNull.Value) productToAdd.image_url = Convert.ToString(dataRowProducts["URL_IMAGEN"]);
if (dataRowProducts["ID_PROVEEDOR"] != DBNull.Value) supplierToAdd.id = Convert.ToInt32(dataRowProducts["ID_PROVEEDOR"]);
if (dataRowProducts["NOMBRE_PROVEEDOR"] != DBNull.Value) supplierToAdd.name = Convert.ToString(dataRowProducts["NOMBRE_PROVEEDOR"]);
if (dataRowProducts["ACTIVO"] != DBNull.Value) supplierToAdd.active = Convert.ToBoolean(dataRowProducts["ACTIVO"]);
productToAdd.suppliers.Add(supplierToAdd);
productsToReturn.Add(productToAdd);
}
return productsToReturn;
}
else
{
return productsToReturn;
}
}
catch (Exception ex)
{
Console.Error.WriteLine(ex.Message);
Console.Error.WriteLine(ex.InnerException);
database.RollBackTransaction();
throw;
}
}
}
经过身份验证的用户 class:
public class AuthenticatedUser : IIdentity
{
public AuthenticatedUser(string authenticateType, bool isAuthenticated, string email)
{
AuthenticationType = authenticateType;
IsAuthenticated = isAuthenticated;
Name = email;
}
public string AuthenticationType { get; }
public bool IsAuthenticated { get; }
public string Name { get; }
}
}
令牌class:
public class Token
{
public Token() { }
public string token { get; set; }
public DateTime expires { get; set; }
}
JwtToken class:
public class JwtToken
{
private const string SECRET_KEY = "Lnk&_sZYp@6rMgSm9Gl9vpzgO8m1?3JzpbCQ7U3y$=kR1n75*Rx6=p_$vd$aP2?7t!";
public static readonly SymmetricSecurityKey SIGNING_KEY = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SECRET_KEY));
public static Token GenerateJwtToken(string email)
{
SigningCredentials credentials = new SigningCredentials(SIGNING_KEY, SecurityAlgorithms.HmacSha256);
AuthenticatedUser authenticatedUser = new(JwtBearerDefaults.AuthenticationScheme, true, email);
SecurityTokenDescriptor securityTokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(authenticatedUser),
Issuer = "danzai-orderforme-api",
Audience = "danzai-orderforme-app",
IssuedAt = DateTime.UtcNow,
SigningCredentials = credentials,
Expires = DateTime.UtcNow.AddMinutes(1440),
};
JwtSecurityTokenHandler securityTokenHandler = new JwtSecurityTokenHandler();
SecurityToken securityToken = securityTokenHandler.CreateToken(securityTokenDescriptor);
string tokenString = securityTokenHandler.WriteToken(securityToken);
Token tokenToReturn = new();
tokenToReturn.token = tokenString;
tokenToReturn.expires = securityToken.ValidTo;
return tokenToReturn;
}
public static string ReadTokenUser(String accessToken)
{
var tokenHandler = new JwtSecurityTokenHandler();
if (accessToken.Contains("Bearer ")) accessToken = accessToken.Split(' ')[1];
var token = tokenHandler.ReadToken(accessToken) as JwtSecurityToken;
string email = token.Claims.First(claim => claim.Type == "unique_name").Value;
return email;
}
}
最后程序 class:
var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
StartupUtils.CopyAppSettings(args[0]);
string SECRET_KEY = "Lnk&_sZYp@6rMgSm9Gl9vpzgO8m1?3JzpbCQ7U3y$=kR1n75*Rx6=p_$vd$aP2?7t!";
SymmetricSecurityKey SIGNING_KEY = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SECRET_KEY));
builder.Services.AddControllers();
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = "JwtBearer";
options.DefaultChallengeScheme = "JwtBearer";
})
.AddJwtBearer("JwtBearer", jwtOptions =>
{
jwtOptions.TokenValidationParameters = new TokenValidationParameters()
{
IssuerSigningKey = SIGNING_KEY,
ValidateIssuer = true,
ValidateAudience = true,
ValidIssuer = "danzai-orderforme-api",
ValidAudience = "danzai-orderforme-app",
RequireSignedTokens = true,
ClockSkew = TimeSpan.Zero
};
});
builder.Services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new OpenApiInfo { Title = "danzai-orderforme_api", Version = "v1" });
c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
{
Description = "Authorization header using the Bearer scheme. Example: \"Authorization: Bearer {token}\"",
Name = "Authorization",
In = ParameterLocation.Header,
Type = SecuritySchemeType.ApiKey,
Scheme = "bearer",
BearerFormat = "JWT"
});
c.AddSecurityRequirement(new OpenApiSecurityRequirement
{
{
new OpenApiSecurityScheme
{
Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "Bearer" }
},
new List<string>()
}
});
});
var app = builder.Build();
app.UseCors(options =>
{
//string[] allowedOrigins = { "*" };
//options.WithOrigins(allowedOrigins);
options.AllowAnyMethod();
options.AllowAnyHeader();
options.AllowCredentials();
options.SetIsOriginAllowed(origin => true);
});
if (app.Environment.IsDevelopment())
{
app.UseSwagger();
app.UseSwaggerUI();
}
app.UseHttpsRedirection();
app.UseAuthorization();
app.UseAuthentication();
app.MapControllers();
app.Run();
您只需更改以下行的顺序:
app.UseAuthorization();
app.UseAuthentication();
到
app.UseAuthentication();
app.UseAuthorization();
那行得通。