From 2689291e225ab6e123b3366d00bbfb8ae5549bb4 Mon Sep 17 00:00:00 2001
From: Your Name
Date: Tue, 7 Apr 2026 17:46:38 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E6=B7=BB=E5=8A=A0JWT=20RS256=E9=85=8D?=
 =?UTF-8?q?=E7=BD=AE=E6=94=AF=E6=8C=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- TokenConfig添加Algorithm和PublicKey字段
- 支持HS256(默认)和RS256/RS384/RS512
- 添加parseRSAPublicKey解析PEM格式公钥
---
 supply-api/cmd/supply-api/main.go | 25 +++++++++++++++++++++++++
 supply-api/internal/config/config.go | 5 +++++
 2 files changed, 30 insertions(+)

diff --git a/supply-api/cmd/supply-api/main.go b/supply-api/cmd/supply-api/main.go
index a149a5a7..e095d9f5 100644
--- a/supply-api/cmd/supply-api/main.go
+++ b/supply-api/cmd/supply-api/main.go
@@ -2,6 +2,8 @@ package main
 
 import (
 	"context"
+	"crypto/x509"
+	"encoding/pem"
 	"flag"
 	"fmt"
 	"log"
@@ -152,6 +154,7 @@ func main() {
 	// 初始化鉴权中间件
 	authConfig := middleware.AuthConfig{
 		SecretKey: cfg.Token.SecretKey,
+		PublicKey: parseRSAPublicKey(cfg.Token.PublicKey),
 		Issuer: cfg.Token.Issuer,
 		CacheTTL: cfg.Token.RevocationCacheTTL,
 		Enabled: *env != "dev", // 开发模式禁用鉴权
@@ -675,3 +678,25 @@ func calculateOutboxBackoff(retryCount, maxRetries int) int {
 
 // Ensure domain.OutboxEvent is compatible with our conversion
 var _ = domain.OutboxEvent{}
+
+// parseRSAPublicKey 解析PEM格式的RSA公钥
+func parseRSAPublicKey(pemKey string) interface{} {
+	if pemKey == "" {
+		return nil
+	}
+	block, _ := pem.Decode([]byte(pemKey))
+	if block == nil {
+		return nil
+	}
+	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
+	if err != nil {
+		// 尝试解析PKCS1公钥
+		rsaPub, err2 := x509.ParsePKCS1PublicKey(block.Bytes)
+		if err2 != nil {
+			log.Printf("警告: 解析RSA公钥失败: %v", err2)
+			return nil
+		}
+		return rsaPub
+	}
+	return pub
+}
diff --git a/supply-api/internal/config/config.go b/supply-api/internal/config/config.go
index 6158bc26..1e06277e 100644
--- a/supply-api/internal/config/config.go
+++ b/supply-api/internal/config/config.go
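Review bot: `cfg.Token.Algorithm`, which config.go now loads and defaults to HS256, is never handed to `middleware.AuthConfig` in this hunk — only `PublicKey` is — so nothing visible tells the middleware which algorithm to require. If the middleware chooses its verification method from the token's own `alg` header, or merely from whether PublicKey is nil, a deployment that now holds both a symmetric SecretKey and an RSA public key has no configured pin; the expected algorithm should come from configuration and be enforced before a key is selected. Add `Algorithm: cfg.Token.Algorithm,` to the literal (adding the field to AuthConfig if it lacks one) and have the middleware reject any token whose `alg` differs from it. main's body continues outside the hunk.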
@@ -55,6 +55,8 @@ type RedisConfig struct {
 // TokenConfig Token运行时配置
 type TokenConfig struct {
 	SecretKey string
+	PublicKey string // RSA公钥内容(用于RS256验证)
+	Algorithm string // 算法: HS256, HS384, HS512, RS256, RS384, RS512
 	Issuer string
 	AccessTokenTTL time.Duration
 	RefreshTokenTTL time.Duration
@@ -149,6 +151,8 @@ func Load(env string) (*Config, error) {
 
 	// Token配置
 	cfg.Token.SecretKey = v.GetString("token.secret_key")
+	cfg.Token.PublicKey = v.GetString("token.public_key")
+	cfg.Token.Algorithm = v.GetString("token.algorithm")
 	cfg.Token.Issuer = v.GetString("token.issuer")
 	cfg.Token.AccessTokenTTL = v.GetDuration("token.access_token_ttl")
 	cfg.Token.RefreshTokenTTL = v.GetDuration("token.refresh_token_ttl")
@@ -196,6 +200,7 @@ func setDefaults(v *viper.Viper) {
 	v.SetDefault("token.access_token_ttl", 1*time.Hour)
 	v.SetDefault("token.refresh_token_ttl", 7*24*time.Hour)
 	v.SetDefault("token.revocation_cache_ttl", 30*time.Second)
+	v.SetDefault("token.algorithm", "HS256") // 默认HS256,可配置RS256
 
 	// Audit defaults
 	v.SetDefault("audit.buffer_size", 1000)
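Review bot: `token.algorithm` is copied into `cfg.Token.Algorithm` without validation, so a typo such as `rs256` or an unsupported value reaches the middleware unchanged, and an RS* algorithm can be configured together with an empty `token.public_key`. Load already returns an error, so this is the place to reject both: restrict the value to the six names the struct comment lists and require a public key for the RS* ones. The check below uses fmt.Errorf; switch to errors.New if config.go does not already import fmt. Load's body continues outside the hunk.
```go
	cfg.Token.Algorithm = v.GetString("token.algorithm")
	switch cfg.Token.Algorithm {
	case "HS256", "HS384", "HS512":
		// symmetric: SecretKey is the only material needed
	case "RS256", "RS384", "RS512":
		if cfg.Token.PublicKey == "" {
			return nil, fmt.Errorf("token.public_key is required when token.algorithm is %s", cfg.Token.Algorithm)
		}
	default:
		return nil, fmt.Errorf("unsupported token.algorithm %q", cfg.Token.Algorithm)
	}
	// … unchanged: remaining token.* assignments …
```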