nginx-lua实现简单权限控制

2019独角兽企业重金招聘Python工程师标准>>> hot3.png

1,依赖软件:nginx(openresty) mysql(存储用户表)redis(存储用户登录token,有效期1周)

create table account(
    uid integer not null auto_increment,
    username varchar(64),
    password varchar(64),
    email varchar(256),
    primary key(uid),
    unique key email(email)
);

nginx配置文件如下:

location = /account {
    lua_need_request_body on;
    content_by_lua_file /usr/local/FRIENDS/code_lua/account.lua;
}

location = /api {
    access_by_lua '
        local tokentool = require "tokentool"
        local args = ngx.req.get_uri_args(10)
        if args.token == nil then
            ngx.exit(ngx.HTTP_FORBIDDEN)
        end
        local ret = tokentool.has_token(args.token)
        if ret == ngx.null then
            ngx.exit(ngx.HTTP_FORBIDDEN)
        elseif ret == false then
            ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        end
    ';

    content_by_lua '
        ngx.say("token ok")
    ';
}

2,依赖库:nginx-lua , lua-redis(读取redis), lua-mysql(读取mysql), lua-string(加解密)

3,代码如下:

account.lua(入口)

local mysql = require "resty.mysql"
local tokentool = require "tokentool"

-- post only
local method = ngx.req.get_method()
if method ~= "POST" then
    ngx.exit(ngx.HTTP_FORBIDDEN)
    return
end

-- get args
local args = ngx.req.get_uri_args(10)
if args.act ~= "register" and args.act ~= "login" and args.act ~= "logout" and args.act ~= "updatepwd" then
    ngx.exit(ngx.HTTP_BAD_REQUEST)
    return
end

local postargs = ngx.req.get_post_args(10)

-- connect to mysql;
local function connect()
    local db, err = mysql:new()
    if not db then
        return false
    end
    db:set_timeout(1000)
    
    local ok, err, errno, sqlstate = db:connect{
        host = "127.0.0.1",
        port = 3306,
        database = "friends",
        user = "root",
        password = "",
        max_packet_size = 1024 * 1024 }
    
    if not ok then
        return false
    end
    return db
end


function register(pargs)
    if pargs.username == nil then
        pargs.username = ""
    end
    if pargs.email == nil or pargs.password == nil then
        ngx.exit(ngx.HTTP_BAD_REQUEST)
        return
    end
    
    local db = connect()
    if db == false then
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        return
    end
    
    local res, err, errno, sqlstate = db:query("insert into account(username, password, email) "
                             .. "values (\'".. pargs.username .."\',\'".. pargs.password .."\',\'".. pargs.email .."\')")
    if not res then
        ngx.exit(ngx.HTTP_NOT_ALLOWED)
        return
    end

    local uid = res.insert_id
    local token, rawtoken = tokentool.gen_token(uid)

    local ret = tokentool.add_token(token, rawtoken)
    if ret == true then
        ngx.say(token)
    else
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
end

function login(pargs)
    if pargs.email == nil or pargs.password == nil then
        ngx.exit(ngx.HTTP_BAD_REQUEST)
        return
    end
    
    local db = connect()
    if db == false then
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        return
    end
    
    local res, err, errno, sqlstate = db:query("select uid from account where email=\'".. pargs.email .."\' and password=\'".. pargs.password .."\' limit 1", 1)
    if not res then
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        return
    end
    --local cjson = require "cjson"
    --ngx.say(cjson.encode(res))
    if res[1] == nil then
        ngx.exit(ngx.HTTP_FORBIDDEN)
    end
    local uid = res[1].uid
    local token, rawtoken = tokentool.gen_token(uid)

    local ret = tokentool.add_token(token, rawtoken)
    if ret == true then
        ngx.say(token)
    else
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
end

function logout(pargs)
    if pargs.token == nil then
        ngx.exit(ngx.HTTP_BAD_REQUEST)
        return
    end

    tokentool.del_token(pargs.token)
    ngx.say("ok")
end

-- to be done
function updatepwd(pargs)
    local db = connect()
    if db == false then
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        return
    end
    ngx.say(pargs.username .. pargs.newpassword)
end

if args.act == "register" then
    register(postargs)
elseif args.act == "login" then
    login(postargs)
elseif args.act == "updatepwd" then
    updatepwd(postargs)
elseif args.act == "logout" then
    logout(postargs)
end

 

tokentool.lua(用redis存取token,放到序号为1的redis库中) 

module("tokentool", package.seeall)
local redis = require "resty.redis"
local aes = require "resty.aes"
local str = require "resty.string"

local alive_time = 3600 * 24 * 7
local redis_host = "127.0.0.1"
local redis_port = 6379

local function connect()
    local red = redis:new()
    red:set_timeout(1000)
    local ok, err = red:connect(redis_host, redis_port)
    if not ok then
        return false
    end
    ok, err = red:select(1)
    if not ok then
        return false
    end
    return red
end

function add_token(token, raw_token)
    local red = connect()
    if red == false then
        return false
    end

    local ok, err = red:setex(token, alive_time, raw_token)
    if not ok then
        return false
    end
    return true
end

function del_token(token)
    local red = connect()
    if red == false then
        return
    end
    red:del(token)
end

function has_token(token)
    local red = connect()
    if red == false then
        return false
    end

    local res, err = red:get(token)
    if not res then
        return false
    end
    return res
end

-- generate token
function gen_token(uid)
    local rawtoken = uid .. " " .. ngx.now()
    local aes_128_cbc_md5 = aes:new("friends_secret_key")
    local encrypted = aes_128_cbc_md5:encrypt(rawtoken)
    local token = str.to_hex(encrypted)
    return token, rawtoken
end

 

使用方法:

1,注册用户,返回token
curl -d "[email protected]&password=12345" http://localhost/account?act=register
2,登录,返回token
curl -d "[email protected]&password=12345" http://localhost/account?act=login
3,注销,删除token,返回ok
curl -d "token=0bab442cd24cd055b58665d4156939655d72a7c282c916778ef2c63be9971085" http://localhost/account?act=logout

结合codeigniter还需做如下配置

if (!-e $request_filename) {
    rewrite ^/(.*)$ /index.php/$1 last;
    break;
}

location ~ \.php($|/) {
    access_by_lua '
        local tokentool = require "tokentool"
        local args = ngx.req.get_uri_args(10)
        if args.token == nil then
                ngx.exit(ngx.HTTP_FORBIDDEN)
        end
        local ret = tokentool.has_token(args.token)
        if ret == ngx.null then
                ngx.exit(ngx.HTTP_FORBIDDEN)
        elseif ret == false then
                ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
        end
        ngx.req.set_uri_args({token=ret})
    ';
    fastcgi_pass   127.0.0.1:9000;
    fastcgi_index  index.php;
    fastcgi_split_path_info ^(.+\.php)(.*)$;
    fastcgi_param   PATH_INFO $fastcgi_path_info;
    fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
    include        fastcgi_params;
}

 

需要在网站根目录放置空文件account,不然nginx处理/account时会走到找不到request_filename的这个location里面。

附(ngx-lua的long-polling实现):

--[[ nginx.conf
    location /message {
        default_type text/plain;
        access_by_lua '
            local tokentool = require "tokentool"
            local args = ngx.req.get_uri_args(10)
            if args.token == nil then
                    ngx.exit(ngx.HTTP_FORBIDDEN)
            end
                local ret = tokentool.has_token(args.token)
            if ret == ngx.null then
                    ngx.exit(ngx.HTTP_FORBIDDEN)
            elseif ret == false then
                    ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
            end
            ngx.req.set_uri_args({token=ret})
        ';

        content_by_lua_file                     /usr/local/FRIENDS/code_lua/message.lua;
    }
--]]

-- message.lua

local redis = require "resty.redis"

local redis_host = "127.0.0.1"
local redis_port = 6379

local function connect()
    local red = redis:new()
    red:set_timeout(1000 * 1000)
    local ok, err = red:connect(redis_host, redis_port)
    if not ok then
        return false
    end

    return red
end

local function string_split (string, split)
    local list = {}
    local pos = 1
    if string.find("", split, 1) then -- this would result in endless loops
    end
    while 1 do
        local first, last = string.find(string, split, pos)
        if first then -- found
            table.insert(list, string.sub(string, pos, first-1))
            pos = last+1
        else
            table.insert(list, string.sub(string, pos))
            break
        end
    end

    return list
end

local args = ngx.req.get_uri_args()
local params = string_split(args.token, ' ')
local mymailbox = params[1] .. "_mailbox"

local red = connect()
if red == false then
    ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    return
end

local res, err = red:llen(mymailbox)
if err ~= nil then
    ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    return
end

if res == 0 then
    res, err = red:brpop(mymailbox, 1000)
    ngx.print('[')
    for k, v in ipairs(res) do
        if k == 2 then
            ngx.print(v)
        end
    end
    ngx.print(']')
else
    if res > 10 then
        res = 10
    end
    local i = 0
    ngx.print('[')
    for i=0, res - 1, 1 do
        local msg, _ =  red:rpop(mymailbox)
        ngx.print(msg)
        if i ~= res - 1 then
            ngx.print(',')
        end
    end
    ngx.print(']')
end
ngx.exit(ngx.HTTP_OK)

 

转载于:https://my.oschina.net/mickelfeng/blog/1548474

你可能感兴趣的:(nginx-lua实现简单权限控制)