在ASP.NET Core中,可以使用JWT(JSON Web Token)来验证和授权用户。JWT是无状态的:令牌一旦签发,在到期之前始终能通过签名校验,服务端默认不会记住"哪些令牌已作废"。因此当用户更改密码后,如果要阻止旧令牌继续访问受保护的资源,服务端必须自行维护一份吊销记录,并在每个请求上检查它。
以下是通过将令牌添加到黑名单中使JWT-Token失效的示例代码:
/// <summary>
/// One row of the revocation list. A row only matters while <see cref="ExpireDate"/>
/// is still in the future; once that instant has passed the token it refers to has
/// itself expired and the row can be purged.
/// </summary>
public class BlacklistToken
{
    /// <summary>Database primary key.</summary>
    public int Id { get; set; }

    /// <summary>
    /// UTC instant after which this row no longer needs to be consulted
    /// (set by <c>TokenManager.InvalidateToken</c>, compared by <c>IsTokenBlacklisted</c>).
    /// </summary>
    public DateTime ExpireDate { get; set; }

    /// <summary>
    /// The value that identifies the revoked token; written by
    /// <c>TokenManager.InvalidateToken</c> and matched by exact equality in
    /// <c>TokenManager.IsTokenBlacklisted</c>.
    /// </summary>
    public string Token { get; set; }
}
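/// <summary>
/// EF Core context that owns the revocation-list table used by <c>TokenManager</c>.
/// </summary>
public class BlacklistTokenDbContext : DbContext
{
    /// <param name="options">Provider and connection configuration supplied by DI.</param>
    public BlacklistTokenDbContext(DbContextOptions options) : base(options)
    {
    }

    /// <summary>
    /// Revoked tokens. Declared as the generic <c>DbSet&lt;BlacklistToken&gt;</c>:
    /// the untyped <c>DbSet</c> cannot be queried with the typed predicate that
    /// <c>TokenManager.IsTokenBlacklisted</c> uses (<c>t =&gt; t.Token == ...</c>).
    /// </summary>
    /// <remarks>
    /// NOTE(review): this table is queried by <c>Token</c> on every request that
    /// carries a bearer token; make sure that column is indexed (OnModelCreating
    /// or a migration, neither of which is shown on this page).
    /// </remarks>
    public DbSet<BlacklistToken> BlacklistTokens { get; set; }
}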
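/// <summary>
/// Revocation list for bearer tokens backed by <see cref="BlacklistTokenDbContext"/>.
/// Tokens are never persisted verbatim: the table holds a SHA-256 digest, so a
/// read of the database (backup, SQL injection elsewhere, over-broad DB grant)
/// does not hand out replayable credentials.
/// </summary>
/// <remarks>
/// Rows written by an earlier version of this class contain the raw token and
/// will no longer match; clear or re-hash them when deploying this change.
/// </remarks>
public class TokenManager
{
    private const string ExpirationKey = "Jwt:ExpirationMinutes";

    private readonly BlacklistTokenDbContext _dbContext;
    private readonly IConfiguration _configuration;

    public TokenManager(BlacklistTokenDbContext dbContext, IConfiguration configuration)
    {
        _dbContext = dbContext;
        _configuration = configuration;
    }

    /// <summary>
    /// Upper-case hex SHA-256 digest of <paramref name="token"/>; this is the value
    /// stored in <see cref="BlacklistToken.Token"/>. Exposed so a migration can
    /// re-hash existing rows.
    /// </summary>
    public static string HashToken(string token)
    {
        var bytes = System.Text.Encoding.UTF8.GetBytes(token);
        using (var sha = System.Security.Cryptography.SHA256.Create())
        {
            var digest = sha.ComputeHash(bytes);
            return BitConverter.ToString(digest).Replace("-", string.Empty);
        }
    }

    /// <summary>
    /// Adds <paramref name="token"/> to the revocation list.
    /// </summary>
    /// <param name="token">The raw bearer token, without the "Bearer " prefix.</param>
    /// <exception cref="ArgumentException">token is null, empty or whitespace.</exception>
    /// <exception cref="InvalidOperationException">
    /// Jwt:ExpirationMinutes is missing or not a positive number.
    /// </exception>
    public void InvalidateToken(string token)
    {
        if (string.IsNullOrWhiteSpace(token))
        {
            throw new ArgumentException("Token must not be empty.", nameof(token));
        }

        // The row only has to outlive the token. The token's own 'exp' claim is
        // not parsed here; the configured maximum lifetime measured from now is
        // an upper bound, so the row is never considered stale too early.
        var expireDate = DateTime.UtcNow.AddMinutes(ReadExpirationMinutes());

        _dbContext.BlacklistTokens.Add(new BlacklistToken
        {
            Token = HashToken(token),
            ExpireDate = expireDate
        });
        _dbContext.SaveChanges();
    }

    /// <summary>
    /// True when <paramref name="token"/> has been revoked and that revocation has
    /// not yet aged out. Null, empty or whitespace input is never blacklisted and
    /// does not hit the database.
    /// </summary>
    public bool IsTokenBlacklisted(string token)
    {
        if (string.IsNullOrWhiteSpace(token))
        {
            return false;
        }

        var digest = HashToken(token);
        // Compare against the application clock, the same clock that wrote
        // ExpireDate, rather than letting the provider substitute the DB server's.
        var now = DateTime.UtcNow;
        return _dbContext.BlacklistTokens.Any(t => t.Token == digest && t.ExpireDate > now);
    }

    // Reads Jwt:ExpirationMinutes with the invariant culture and fails loudly.
    // The original Convert.ToDouble used the thread culture and, for a missing
    // key, returned 0: the row then expired at the moment it was written and
    // revocation silently became a no-op.
    private double ReadExpirationMinutes()
    {
        var raw = _configuration[ExpirationKey];
        if (!double.TryParse(raw, System.Globalization.NumberStyles.Float,
                System.Globalization.CultureInfo.InvariantCulture, out var minutes)
            || minutes <= 0)
        {
            throw new InvalidOperationException(
                $"Configuration value '{ExpirationKey}' must be a positive number of minutes.");
        }

        return minutes;
    }
}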
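/// <summary>
/// Changes the caller's password and revokes the bearer token that authenticated
/// this request.
/// </summary>
/// <remarks>
/// Only the token presented on this request is blacklisted. Other tokens already
/// issued to the same user (other devices, earlier logins) remain valid until they
/// expire. Revoking all of them needs a per-user marker, e.g. a password-changed
/// timestamp compared against each token's issued-at claim, which this sample does
/// not implement.
/// </remarks>
public IActionResult ChangePassword()
{
    // Act on the authenticated identity only, never on a client-supplied user id.
    var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;

    // Extract the token before touching any state so that a request without a
    // usable bearer token is rejected instead of changing the password and then
    // blacklisting nothing. Replace("Bearer ", "") accepted any scheme (or an
    // empty header) and would have stored whatever was left.
    const string scheme = "Bearer ";
    var authorization = HttpContext.Request.Headers["Authorization"].ToString();
    if (!authorization.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
    {
        return BadRequest();
    }
    var token = authorization.Substring(scheme.Length).Trim();
    if (token.Length == 0)
    {
        return BadRequest();
    }

    // Password-change logic goes here (verify the current password, then persist
    // the new one for userId) ...

    // Revoke the presenting token so it cannot be used after the change.
    _tokenManager.InvalidateToken(token);
    return Ok();
}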
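/// <summary>
/// Rejects requests whose bearer token has been revoked through <c>TokenManager</c>.
/// This filter adds only the revocation check: signature and expiry of the JWT
/// are still the authentication handler's job, and a request with no bearer
/// token passes through untouched (other authorization still applies).
/// </summary>
/// <remarks>
/// NOTE(review): registration of the filter (globally via MvcOptions.Filters or
/// per controller) is not shown on this page; without it the check never runs.
/// Every request carrying a bearer token costs one database query here, so keep
/// the blacklist table indexed on its token column.
/// </remarks>
public class JwtAuthorizationFilter : IAuthorizationFilter
{
    private const string Scheme = "Bearer ";

    private readonly TokenManager _tokenManager;

    public JwtAuthorizationFilter(TokenManager tokenManager)
    {
        _tokenManager = tokenManager;
    }

    public void OnAuthorization(AuthorizationFilterContext context)
    {
        var authorization = context.HttpContext.Request.Headers["Authorization"].ToString();

        // Only bearer credentials can be on the blacklist. Replace("Bearer ", "")
        // would have sent "Basic ..." or an empty header straight to the database
        // lookup; parse the scheme explicitly and skip the query otherwise.
        // Scheme names are case-insensitive (RFC 7235), as the bearer handler treats them.
        if (!authorization.StartsWith(Scheme, StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        var token = authorization.Substring(Scheme.Length).Trim();
        if (token.Length > 0 && _tokenManager.IsTokenBlacklisted(token))
        {
            context.Result = new UnauthorizedResult();
        }
    }
}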
通过以上步骤,用户更改密码后,本次请求携带的JWT-Token会被加入黑名单,之后再用该令牌访问受保护的资源将被拒绝。需要注意两点:第一,示例只吊销了当前请求中的那一个令牌,同一用户在其他设备或更早登录时获得的令牌在到期前仍然有效;若要全部吊销,需要在用户记录中保存"密码修改时间"并与令牌的签发时间(iat)比较,这超出了本示例的范围。第二,黑名单中不应保存令牌原文而应保存其摘要,并且要定期清理ExpireDate已过的记录,否则数据库一旦泄露就会直接泄露可重放的凭据,表也会无限增长。