59 lines
1.9 KiB
Python
59 lines
1.9 KiB
Python
from datetime import datetime, timedelta
|
||
from typing import Any, Dict, Optional
|
||
|
||
from fastapi import HTTPException, status
|
||
from jose import JWTError, jwt
|
||
from passlib.context import CryptContext
|
||
|
||
from .config import settings
|
||
|
||
# 统一的密码哈希上下文,后续如需切换算法只需在此维护
|
||
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
|
||
|
||
|
||
def hash_password(password: str) -> str:
|
||
"""对用户密码进行哈希处理,任何时候都不要存储明文密码。"""
|
||
return pwd_context.hash(password)
|
||
|
||
|
||
def verify_password(plain_password: str, hashed_password: str) -> bool:
|
||
"""验证明文密码是否匹配哈希值。"""
|
||
return pwd_context.verify(plain_password, hashed_password)
|
||
|
||
|
||
def create_access_token(
|
||
subject: str,
|
||
*,
|
||
expires_delta: Optional[timedelta] = None,
|
||
extra_claims: Optional[Dict[str, Any]] = None,
|
||
) -> str:
|
||
"""生成 JWT 访问令牌,默认过期时间读取自配置。"""
|
||
if expires_delta is None:
|
||
expires_delta = timedelta(minutes=settings.access_token_expire_minutes)
|
||
|
||
now = datetime.utcnow()
|
||
expire = now + expires_delta
|
||
|
||
to_encode: Dict[str, Any] = {"sub": subject, "iat": now, "exp": expire}
|
||
if extra_claims:
|
||
to_encode.update(extra_claims)
|
||
|
||
return jwt.encode(to_encode, settings.secret_key, algorithm=settings.jwt_algorithm)
|
||
|
||
|
||
def decode_access_token(token: str) -> Dict[str, Any]:
|
||
"""解析并校验 JWT,失败时抛出 401 异常。"""
|
||
credentials_exception = HTTPException(
|
||
status_code=status.HTTP_401_UNAUTHORIZED,
|
||
detail="无效的凭证",
|
||
headers={"WWW-Authenticate": "Bearer"},
|
||
)
|
||
try:
|
||
payload = jwt.decode(token, settings.secret_key, algorithms=[settings.jwt_algorithm])
|
||
except JWTError as exc:
|
||
raise credentials_exception from exc
|
||
|
||
if "sub" not in payload:
|
||
raise credentials_exception
|
||
return payload
|