weiym
/
perms-system-server


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263
							package svc

import (
	"perms-system-server/internal/config"
	"perms-system-server/internal/loaders"
	"perms-system-server/internal/middleware"
	"perms-system-server/internal/model"

	"github.com/zeromicro/go-zero/core/limit"
	"github.com/zeromicro/go-zero/core/stores/redis"
	"github.com/zeromicro/go-zero/core/stores/sqlx"
	"github.com/zeromicro/go-zero/rest"
)

type ServiceContext struct {
	Config                config.Config
	JwtAuth               rest.Middleware
	ProductLoginRateLimit rest.Middleware
	AdminLoginRateLimit   rest.Middleware
	SyncRateLimit         rest.Middleware
	RefreshTokenRateLimit rest.Middleware
	GrpcLoginLimiter      *limit.PeriodLimit
	GrpcRefreshLimiter    *limit.PeriodLimit
	GrpcVerifyLimiter     *limit.PeriodLimit
	UsernameLoginLimit    *limit.PeriodLimit
	TokenOpLimiter        *limit.PeriodLimit
	UserDetailsLoader     *loaders.UserDetailsLoader
	*model.Models
}

func NewServiceContext(c config.Config) *ServiceContext {
	conn := sqlx.NewMysql(c.MySQL.DataSource)
	rds := redis.MustNewRedis(c.CacheRedis.Nodes[0].RedisConf)
	models := model.NewModels(conn, c.CacheRedis.Nodes, c.CacheRedis.KeyPrefix)
	udLoader := loaders.NewUserDetailsLoader(rds, c.CacheRedis.KeyPrefix, models)
	productLoginRL := middleware.NewRateLimitMiddleware(rds, 60, 30, c.CacheRedis.KeyPrefix+":rl:login:product", c.BehindProxy)
	adminLoginRL := middleware.NewRateLimitMiddleware(rds, 60, 20, c.CacheRedis.KeyPrefix+":rl:login:admin", c.BehindProxy)
	syncRlMiddleware := middleware.NewRateLimitMiddleware(rds, 60, 10, c.CacheRedis.KeyPrefix+":rl:sync", c.BehindProxy)
	refreshTokenRL := middleware.NewRateLimitMiddleware(rds, 60, 30, c.CacheRedis.KeyPrefix+":rl:refresh", c.BehindProxy)
	grpcLimiter := limit.NewPeriodLimit(60, 20, rds, c.CacheRedis.KeyPrefix+":rl:grpc:login")
	// gRPC refreshToken 一般低频操作（分钟级），限紧一点可以同时防签名爆破与并发刷新被用作会话劫持的放大器。
	grpcRefreshLimiter := limit.NewPeriodLimit(60, 30, rds, c.CacheRedis.KeyPrefix+":rl:grpc:refresh")
	// gRPC verifyToken 是下游每请求都会调用的热路径，阈值必须足够高；这里的作用是兜底防止下游被攻破后把权限中心当 token oracle 爆破。
	grpcVerifyLimiter := limit.NewPeriodLimit(60, 6000, rds, c.CacheRedis.KeyPrefix+":rl:grpc:verify")
	usernameLimiter := limit.NewPeriodLimit(300, 10, rds, c.CacheRedis.KeyPrefix+":rl:user")
	tokenOpLimiter := limit.NewPeriodLimit(60, 10, rds, c.CacheRedis.KeyPrefix+":rl:tokenop")

	return &ServiceContext{
		Config:                c,
		JwtAuth:               middleware.NewJwtAuthMiddleware(c.Auth.AccessSecret, udLoader).Handle,
		ProductLoginRateLimit: productLoginRL.Handle,
		AdminLoginRateLimit:   adminLoginRL.Handle,
		SyncRateLimit:         syncRlMiddleware.Handle,
		RefreshTokenRateLimit: refreshTokenRL.Handle,
		GrpcLoginLimiter:      grpcLimiter,
		GrpcRefreshLimiter:    grpcRefreshLimiter,
		GrpcVerifyLimiter:     grpcVerifyLimiter,
		UsernameLoginLimit:    usernameLimiter,
		TokenOpLimiter:        tokenOpLimiter,
		UserDetailsLoader:     udLoader,
		Models:                models,
	}
}