fix: 添加JWT RS256配置支持

- TokenConfig添加Algorithm和PublicKey字段 - 支持HS256(默认)和RS256/RS384/RS512 - 添加parseRSAPublicKey解析PEM格式公钥
2026-04-07 17:46:38 +08:00
parent 4bbd609ceb
commit 2689291e22
2 changed files with 30 additions and 0 deletions
--- a/supply-api/cmd/supply-api/main.go
+++ b/supply-api/cmd/supply-api/main.go
@@ -2,6 +2,8 @@ package main

 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"
 	"flag"
 	"fmt"
 	"log"
@@ -152,6 +154,7 @@ func main() {
 	// 初始化鉴权中间件
 	authConfig := middleware.AuthConfig{
 		SecretKey: cfg.Token.SecretKey,
+		PublicKey: parseRSAPublicKey(cfg.Token.PublicKey),
 		Issuer:    cfg.Token.Issuer,
 		CacheTTL:  cfg.Token.RevocationCacheTTL,
 		Enabled:   *env != "dev", // 开发模式禁用鉴权
@@ -675,3 +678,25 @@ func calculateOutboxBackoff(retryCount, maxRetries int) int {

 // Ensure domain.OutboxEvent is compatible with our conversion
 var _ = domain.OutboxEvent{}
+
+// parseRSAPublicKey 解析PEM格式的RSA公钥
+func parseRSAPublicKey(pemKey string) interface{} {
+	if pemKey == "" {
+		return nil
+	}
+	block, _ := pem.Decode([]byte(pemKey))
+	if block == nil {
+		return nil
+	}
+	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
+	if err != nil {
+		// 尝试解析PKCS1公钥
+		rsaPub, err2 := x509.ParsePKCS1PublicKey(block.Bytes)
+		if err2 != nil {
+			log.Printf("警告: 解析RSA公钥失败: %v", err2)
+			return nil
+		}
+		return rsaPub
+	}
+	return pub
+}
--- a/supply-api/internal/config/config.go
+++ b/supply-api/internal/config/config.go
@@ -55,6 +55,8 @@ type RedisConfig struct {
 // TokenConfig Token运行时配置
 type TokenConfig struct {
 	SecretKey          string
+	PublicKey          string // RSA公钥内容（用于RS256验证）
+	Algorithm          string // 算法: HS256, HS384, HS512, RS256, RS384, RS512
 	Issuer             string
 	AccessTokenTTL     time.Duration
 	RefreshTokenTTL    time.Duration
@@ -149,6 +151,8 @@ func Load(env string) (*Config, error) {

 	// Token配置
 	cfg.Token.SecretKey = v.GetString("token.secret_key")
+	cfg.Token.PublicKey = v.GetString("token.public_key")
+	cfg.Token.Algorithm = v.GetString("token.algorithm")
 	cfg.Token.Issuer = v.GetString("token.issuer")
 	cfg.Token.AccessTokenTTL = v.GetDuration("token.access_token_ttl")
 	cfg.Token.RefreshTokenTTL = v.GetDuration("token.refresh_token_ttl")
@@ -196,6 +200,7 @@ func setDefaults(v *viper.Viper) {
 	v.SetDefault("token.access_token_ttl", 1*time.Hour)
 	v.SetDefault("token.refresh_token_ttl", 7*24*time.Hour)
 	v.SetDefault("token.revocation_cache_ttl", 30*time.Second)
+	v.SetDefault("token.algorithm", "HS256") // 默认HS256，可配置RS256

 	// Audit defaults
 	v.SetDefault("audit.buffer_size", 1000)