From ea8e6d7c1b21dba29280c517f6c7630c7c7f1f63 Mon Sep 17 00:00:00 2001 From: long <452591453@qq.com> Date: Wed, 20 May 2026 17:22:12 +0800 Subject: [PATCH] fix: switch asset token from file cache to database for reliability + always redirect on token invalid --- .../controller/asset/AssetAppController.php | 71 +++++++++++-------- server/sql/asset_user_token.sql | 4 ++ 2 files changed, 47 insertions(+), 28 deletions(-) create mode 100644 server/sql/asset_user_token.sql diff --git a/server/app/api/controller/asset/AssetAppController.php b/server/app/api/controller/asset/AssetAppController.php index 31c5fab2..9388b2bb 100644 --- a/server/app/api/controller/asset/AssetAppController.php +++ b/server/app/api/controller/asset/AssetAppController.php @@ -9,9 +9,28 @@ use think\facade\Db; class AssetAppController extends BaseApiController { - // 免登录验证的接口(使用独立 asset_token 体系,在方法内自行校验) + // 所有接口都免框架登录验证(使用独立 asset_token 体系,在方法内自行校验) public array $notNeedLogin = ['login', 'getResourceList', 'changePassword']; + /** token 有效期:7 天 */ + const TOKEN_EXPIRE = 86400 * 7; + + /** + * @notes 通过 token 获取当前用户(数据库校验) + */ + private function getAssetUser(): ?AssetUser + { + $token = $this->request->header('token'); + if (empty($token)) { + return null; + } + $user = AssetUser::where('token', $token) + ->where('token_expire_time', '>', time()) + ->where('status', 1) + ->find(); + return $user ?: null; + } + /** * @notes 小程序端登录 */ @@ -37,9 +56,11 @@ class AssetAppController extends BaseApiController return $this->fail('密码错误'); } - // 简单生成 token (实际项目中建议用 JWT 或 Redis 存储 token) - $token = md5($user->id . time() . 'secret'); - cache('asset_token_' . $token, $user->id, 86400 * 7); + // 生成 token 并持久化到数据库 + $token = md5($user->id . time() . uniqid('asset', true)); + $user->token = $token; + $user->token_expire_time = time() + self::TOKEN_EXPIRE; + $user->save(); return $this->success('登录成功', [ 'token' => $token, @@ -55,23 +76,17 @@ class AssetAppController extends BaseApiController */ public function getResourceList() { - $token = $this->request->header('token'); - if (empty($token)) { - return $this->fail('请先登录', [], -1); + $user = $this->getAssetUser(); + if (!$user) { + return $this->fail('登录已过期,请重新登录', [], -1); } - $userId = cache('asset_token_' . $token); - if (!$userId) { - return $this->fail('登录已过期', [], -1); - } - - $type = $this->request->get('type', 1); // 1:图片 2:视频 3:语音 + $type = $this->request->get('type', 1); $pageNo = $this->request->get('page_no', 1); $pageSize = $this->request->get('page_size', 20); - // 获取用户关联的资源 ID 列表 - $resourceIds = AssetUserResource::where('user_id', $userId)->column('resource_id'); - + $resourceIds = AssetUserResource::where('user_id', $user->id)->column('resource_id'); + if (empty($resourceIds)) { return $this->data([ 'lists' => [], @@ -101,22 +116,22 @@ class AssetAppController extends BaseApiController */ public function changePassword() { - $token = $this->request->header('token'); - if (empty($token)) { - return $this->fail('请先登录', [], -1); - } - - $userId = cache('asset_token_' . $token); - if (!$userId) { - return $this->fail('登录已过期', [], -1); + $user = $this->getAssetUser(); + if (!$user) { + return $this->fail('登录已过期,请重新登录', [], -1); } $oldPassword = $this->request->post('old_password'); $password = $this->request->post('password'); - - $user = AssetUser::find($userId); - if (!$user) { - return $this->fail('用户不存在', [], -1); + + if (empty($oldPassword)) { + return $this->fail('请输入原密码'); + } + if (empty($password)) { + return $this->fail('请输入新密码'); + } + if (strlen($password) < 6) { + return $this->fail('新密码至少6位'); } if (!password_verify($oldPassword, $user->password)) { diff --git a/server/sql/asset_user_token.sql b/server/sql/asset_user_token.sql new file mode 100644 index 00000000..30ea3f29 --- /dev/null +++ b/server/sql/asset_user_token.sql @@ -0,0 +1,4 @@ +-- 为 asset_user 表添加 token 持久化字段(替代 file cache,避免 GC 清理导致 token 丢失) +ALTER TABLE `zyt_asset_user` ADD COLUMN `token` varchar(64) DEFAULT '' COMMENT '登录token' AFTER `status`; +ALTER TABLE `zyt_asset_user` ADD COLUMN `token_expire_time` int(11) DEFAULT '0' COMMENT 'token过期时间戳' AFTER `token`; +ALTER TABLE `zyt_asset_user` ADD INDEX `idx_token` (`token`);