fix: switch asset token from file cache to database for reliability + always redirect on token invalid

This commit is contained in:
2026-05-20 17:22:12 +08:00
parent 076cd0fcf9
commit ea8e6d7c1b
2 changed files with 47 additions and 28 deletions
@@ -9,9 +9,28 @@ use think\facade\Db;
class AssetAppController extends BaseApiController
{
// 登录验证的接口(使用独立 asset_token 体系,在方法内自行校验)
// 所有接口都免框架登录验证(使用独立 asset_token 体系,在方法内自行校验)
public array $notNeedLogin = ['login', 'getResourceList', 'changePassword'];
/** token 有效期:7 天 */
const TOKEN_EXPIRE = 86400 * 7;
/**
* @notes 通过 token 获取当前用户(数据库校验)
*/
private function getAssetUser(): ?AssetUser
{
$token = $this->request->header('token');
if (empty($token)) {
return null;
}
$user = AssetUser::where('token', $token)
->where('token_expire_time', '>', time())
->where('status', 1)
->find();
return $user ?: null;
}
/**
* @notes 小程序端登录
*/
@@ -37,9 +56,11 @@ class AssetAppController extends BaseApiController
return $this->fail('密码错误');
}
// 简单生成 token (实际项目中建议用 JWT 或 Redis 存储 token)
$token = md5($user->id . time() . 'secret');
cache('asset_token_' . $token, $user->id, 86400 * 7);
// 生成 token 并持久化到数据库
$token = md5($user->id . time() . uniqid('asset', true));
$user->token = $token;
$user->token_expire_time = time() + self::TOKEN_EXPIRE;
$user->save();
return $this->success('登录成功', [
'token' => $token,
@@ -55,23 +76,17 @@ class AssetAppController extends BaseApiController
*/
public function getResourceList()
{
$token = $this->request->header('token');
if (empty($token)) {
return $this->fail('请先登录', [], -1);
$user = $this->getAssetUser();
if (!$user) {
return $this->fail('登录已过期,请重新登录', [], -1);
}
$userId = cache('asset_token_' . $token);
if (!$userId) {
return $this->fail('登录已过期', [], -1);
}
$type = $this->request->get('type', 1); // 1:图片 2:视频 3:语音
$type = $this->request->get('type', 1);
$pageNo = $this->request->get('page_no', 1);
$pageSize = $this->request->get('page_size', 20);
// 获取用户关联的资源 ID 列表
$resourceIds = AssetUserResource::where('user_id', $userId)->column('resource_id');
$resourceIds = AssetUserResource::where('user_id', $user->id)->column('resource_id');
if (empty($resourceIds)) {
return $this->data([
'lists' => [],
@@ -101,22 +116,22 @@ class AssetAppController extends BaseApiController
*/
public function changePassword()
{
$token = $this->request->header('token');
if (empty($token)) {
return $this->fail('请先登录', [], -1);
}
$userId = cache('asset_token_' . $token);
if (!$userId) {
return $this->fail('登录已过期', [], -1);
$user = $this->getAssetUser();
if (!$user) {
return $this->fail('登录已过期,请重新登录', [], -1);
}
$oldPassword = $this->request->post('old_password');
$password = $this->request->post('password');
$user = AssetUser::find($userId);
if (!$user) {
return $this->fail('用户不存在', [], -1);
if (empty($oldPassword)) {
return $this->fail('请输入原密码');
}
if (empty($password)) {
return $this->fail('请输入新密码');
}
if (strlen($password) < 6) {
return $this->fail('新密码至少6位');
}
if (!password_verify($oldPassword, $user->password)) {
+4
View File
@@ -0,0 +1,4 @@
-- 为 asset_user 表添加 token 持久化字段(替代 file cache,避免 GC 清理导致 token 丢失)
ALTER TABLE `zyt_asset_user` ADD COLUMN `token` varchar(64) DEFAULT '' COMMENT '登录token' AFTER `status`;
ALTER TABLE `zyt_asset_user` ADD COLUMN `token_expire_time` int(11) DEFAULT '0' COMMENT 'token过期时间戳' AFTER `token`;
ALTER TABLE `zyt_asset_user` ADD INDEX `idx_token` (`token`);