[ISSUE #12060] fix too large ttl when auth disabled #12090
fix issue alibaba#12060
1. fix too large ttl when auth disabled
2. generate a valid token when key is valid even if auth disabled
My idea is to add a timestamp to the prefix or suffix of AUTH_DISABLED_TOKEN, and then in getTtl extract the prefix or suffix to compute the remaining ttl.
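The timestamp-suffix idea from this comment, sketched as an added Java example (this is not Nacos's code; the class, the constant names and the 18000-second ttl are assumptions made for the illustration):

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Hypothetical helper: a disabled-auth token that carries its own issue time. */
public final class DisabledAuthToken {
    // Assumed names and values for the example, not Nacos's own constants.
    static final String AUTH_DISABLED_PREFIX = "AUTH_DISABLED_TOKEN";
    static final char SEPARATOR = '.';
    static final long DEFAULT_TTL_SECONDS = 18000L;

    private DisabledAuthToken() {}

    /** Build the token with the issue time (epoch millis) as a base64url suffix. */
    static String create(long issuedAtMillis) {
        byte[] ts = Long.toString(issuedAtMillis).getBytes(StandardCharsets.US_ASCII);
        return AUTH_DISABLED_PREFIX + SEPARATOR
                + Base64.getUrlEncoder().withoutPadding().encodeToString(ts);
    }

    /**
     * Remaining ttl in seconds, bounded by ttlSeconds so it can never be "too large".
     * Returns 0 when the token is expired, has no suffix, or the suffix is malformed.
     */
    static long remainingTtlSeconds(String token, long nowMillis, long ttlSeconds) {
        if (token == null || !token.startsWith(AUTH_DISABLED_PREFIX + SEPARATOR)) {
            return 0L; // legacy fixed token without a timestamp: treat as expired
        }
        String suffix = token.substring(AUTH_DISABLED_PREFIX.length() + 1);
        long issuedAt;
        try {
            byte[] raw = Base64.getUrlDecoder().decode(suffix);
            issuedAt = Long.parseLong(new String(raw, StandardCharsets.US_ASCII));
        } catch (IllegalArgumentException e) { // bad base64 or non-numeric suffix
            return 0L;
        }
        long elapsed = (nowMillis - issuedAt) / 1000L;
        if (elapsed < 0) {
            return 0L; // issued "in the future": clock skew or tampering, do not extend ttl
        }
        return Math.max(0L, ttlSeconds - elapsed);
    }

    public static void main(String[] args) {
        long now = System.currentTimeMillis();
        String token = create(now - 3_600_000L); // constructed: issued one hour ago
        System.out.println(token);
        System.out.println(remainingTtlSeconds(token, now, DEFAULT_TTL_SECONDS));
        System.out.println(remainingTtlSeconds("AUTH_DISABLED_TOKEN", now, DEFAULT_TTL_SECONDS));
    }
}
```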
@@ -103,10 +103,13 @@ public String createToken(Authentication authentication) { | |||
* @return token | |||
*/ | |||
public String createToken(String userName) { | |||
if (!authConfigs.isAuthEnabled()) { | |||
// create a token when auth enabled or nacos.core.auth.plugin.nacos.token.secret.key is configured | |||
if (!authConfigs.isAuthEnabled() && null == jwtParser) { |
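Review bot: the new condition `if (!authConfigs.isAuthEnabled() && null == jwtParser)` uses a non-null `jwtParser` as a stand-in for "nacos.core.auth.plugin.nacos.token.secret.key is configured", but nothing in this hunk shows that `jwtParser` is non-null only when a valid key is present; if the parser is created lazily or survives a key being removed, a server with auth disabled would still mint real signed tokens. Suggest either checking the key configuration directly or stating that invariant in the comment above the check, and noting in the PR description which branch the disabled-auth token with the bounded ttl now comes from.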
There should be no need to check jwtParser; if auth is not enabled, whether or not there is a jwtParser, nothing should need to be computed with it.
Also, jwtParser is already validated below.
The purpose of this commit is actually to let the Nacos server toggle the auth switch freely without clients noticing.
Of these, case 1 returns AUTH_DISABLED_TOKEN, case 2 reports an error that the key must be configured correctly, and case 4 performs normal authentication, no different from the current implementation. What this commit expects is that in scenario 3 the server can still correctly return a token to the client, so the server can enable authentication without old or new clients noticing, and without making the client wait 9/10 of the ttl before obtaining a correct token. Therefore, in the createToken method I added a check on the validity of the salt value as a condition for returning AUTH_DISABLED_TOKEN. At the same time, moving the checkParser method into the else if branch is to avoid the change above causing the server to
ok
CI can't pass, please fix it
What is the purpose of the change
fix issue #12060
Brief changelog
Verifying this change
XXXX
Follow this checklist to help us incorporate your contribution quickly and easily:
- `[ISSUE #123] Fix UnknownException when host config not exist`. Each commit in the pull request should have a meaningful subject line and body.
- Run `mvn -B clean package apache-rat:check findbugs:findbugs -Dmaven.test.skip=true` to make sure basic checks pass.
- Run `mvn clean install -DskipITs` to make sure unit-test pass.
- Run `mvn clean test-compile failsafe:integration-test` to make sure integration-test pass.