✨ Present azp in token

2024-07-28 19:50:49 +08:00
parent ebbfd7450c
commit 94aed49092
3 changed files with 19 additions and 9 deletions
--- a/pkg/internal/services/jwt.go
+++ b/pkg/internal/services/jwt.go
@ -11,8 +11,9 @@ import (
 type PayloadClaims struct {
 	jwt.RegisteredClaims

-	SessionID string `json:"sed"`
-	Type      string `json:"typ"`
+	AuthorizedParties string `json:"azp,omitempty"`
+	SessionID         string `json:"sed"`
+	Type              string `json:"typ"`
 }

 const (
@ -21,8 +22,16 @@ const (
 )

 func EncodeJwt(id string, typ, sub, sed string, aud []string, exp time.Time) (string, error) {
+	var azp string
+	for _, item := range aud {
+		if item != InternalTokenAudience {
+			azp = item
+			break
+		}
+	}
+
 	tk := jwt.NewWithClaims(jwt.SigningMethodHS512, PayloadClaims{
-		jwt.RegisteredClaims{
+		RegisteredClaims: jwt.RegisteredClaims{
 			Subject:   sub,
 			Audience:  aud,
 			Issuer:    fmt.Sprintf("https://%s", viper.GetString("domain")),
@ -31,8 +40,9 @@ func EncodeJwt(id string, typ, sub, sed string, aud []string, exp time.Time) (st
 			IssuedAt:  jwt.NewNumericDate(time.Now()),
 			ID:        id,
 		},
-		sed,
-		typ,
+		AuthorizedParties: azp,
+		SessionID:         sed,
+		Type:              typ,
 	})

 	return tk.SignedString([]byte(viper.GetString("secret")))
--- a/pkg/internal/services/ticket.go
+++ b/pkg/internal/services/ticket.go
@ -11,6 +11,8 @@ import (
 	"github.com/samber/lo"
 )

+const InternalTokenAudience = "passport"
+
 func DetectRisk(user models.Account, ip, ua string) bool {
 	var clue int64
 	if err := database.C.
@ -41,7 +43,7 @@ func NewTicket(user models.Account, ip, ua string) (models.AuthTicket, error) {

 	ticket = models.AuthTicket{
 		Claims:              []string{"*"},
-		Audiences:           []string{"passport"},
+		Audiences:           []string{InternalTokenAudience},
 		IpAddress:           ip,
 		UserAgent:           ua,
 		RequireMFA:          requireMFA,