halo/docs/authentication/README.md

# Halo 认证方式

目前 Halo 支持的认证方式有：

- 基本认证（Basic Auth）
- 表单登录（Form Login）

计划支持的认证方式有：
- [个人令牌认证（Personal Access Token）](https://github.com/halo-dev/halo/issues/1309)
- [OAuth2](https://oauth.net/2/)

## 基本认证

这是最简单的一种认证方式，通过简单设置 HTTP 请求头 `Authorization: Basic xxxyyyzzz==` 即可实现认证，访问 Halo API，例如：

```bash
╰─❯ curl -u "admin:P@88w0rd" -H "Accept: application/json" http://localhost:8090/api/v1alpha1/users

或者
╰─❯ echo -n "admin:P@88w0rd" | base64
YWRtaW46UEA4OHcwcmQ=
╰─❯ curl -H "Authorization: Basic YWRtaW46UEA4OHcwcmQ=" -H "Accept: application/json" http://localhost:8090/api/v1alpha1/users
```

## 表单认证

这是一种比较常用的认证方式，只需提供用户名和密码以及 `CSRF 令牌`（用于防止重复提交和跨站请求伪造）。

- 表单参数

    | 参数名     | 类型   | 说明                                  |
    | ---------- | ------ | ------------------------------------- |
    | username   | form   | 用户名                                |
    | password   | form   | 密码                                  |
    | _csrf      | form   | `CSRF` 令牌。由客户端随机生成。       |
    | XSRF-TOKEN | cookie | 跨站请求伪造令牌，和 `_csrf` 的值一致 |

- HTTP 200 响应

  仅在请求头 `Accept` 中包含 `application/json` 时发生，响应示例如下所示：

    ```bash
    ╰─❯ curl 'http://localhost:8090/login' \
      -H 'Accept: application/json' \
      -H 'Cookie: XSRF-TOKEN=1ff67e0c-6f2c-4cf9-afb5-81bc1015b8e5' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      --data-raw '_csrf=1ff67e0c-6f2c-4cf9-afb5-81bc1015b8e5&username=admin&password=P@88w0rd'
    ```

    ```bash
    < HTTP/1.1 200 OK
    < Vary: Origin
    < Vary: Access-Control-Request-Method
    < Vary: Access-Control-Request-Headers
    < Content-Type: application/json
    < Content-Length: 161
    < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    < Pragma: no-cache
    < Expires: 0
    < X-Content-Type-Options: nosniff
    < X-Frame-Options: DENY
    < X-XSS-Protection: 1 ; mode=block
    < Referrer-Policy: no-referrer
    < Set-Cookie: SESSION=d04db9f7-d2a6-4b7c-9845-ef790eb4a980; Path=/; HttpOnly; SameSite=Lax
    ```

    ```json
    {
      "username": "admin",
      "authorities": [
        {
          "authority": "ROLE_super-role"
        }
      ],
      "accountNonExpired": true,
      "accountNonLocked": true,
      "credentialsNonExpired": true,
      "enabled": true
    }
    ```

- HTTP 302 响应
  
  仅在请求头 `Accept` 中不包含 `application/json`才会发生，响应示例如下所示：

  ```bash
  ╰─❯ curl 'http://localhost:8090/login' \
    -H 'Accept: */*' \
    -H 'Cookie: XSRF-TOKEN=1ff67e0c-6f2c-4cf9-afb5-81bc1015b8e5' \
    -H 'Content-Type: application/x-www-form-urlencoded' \
    --data-raw '_csrf=1ff67e0c-6f2c-4cf9-afb5-81bc1015b8e5&username=admin&password=P@88w0rd'
  ```

  ```bash
  < HTTP/1.1 302 Found
  < Vary: Origin
  < Vary: Access-Control-Request-Method
  < Vary: Access-Control-Request-Headers
  < Location: /console/
  < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
  < Pragma: no-cache
  < Expires: 0
  < X-Content-Type-Options: nosniff
  < X-Frame-Options: DENY
  < X-XSS-Protection: 1 ; mode=block
  < Referrer-Policy: no-referrer
  < Set-Cookie: SESSION=9ce6ad3f-7eba-4de5-abca-650b4721c7ac; Path=/; HttpOnly; SameSite=Lax
  < content-length: 0
  ```

未来计划支持“记住我（Remember Me）”功能。
-												Refine logic of form login and logout (#2528)

#### What type of PR is this?

/kind improvement
/kind api-change
/area core
/milestone 2.0

#### What this PR does / why we need it:

Please see https://github.com/JohnNiang/halo/blob/b092b390b7d19a4dd7296de87474753ad2014e04/docs/authentication/README.md

#### Which issue(s) this PR fixes:

Fixes https://github.com/halo-dev/halo/issues/2506

#### Special notes for your reviewer:

#### Does this PR introduce a user-facing change?

```release-note
优化系统登录和登出逻辑
```


											
										
										
											2022-10-11 08:04:14 +00:00
+								# Halo 认证方式
 								目前 Halo 支持的认证方式有：
 								- 基本认证（Basic Auth）
 								- 表单登录（Form Login）
 								计划支持的认证方式有：
 								- [个人令牌认证（Personal Access Token）](https://github.com/halo-dev/halo/issues/1309)
 								- [OAuth2](https://oauth.net/2/)
 								## 基本认证
 								这是最简单的一种认证方式，通过简单设置 HTTP 请求头 `Authorization: Basic xxxyyyzzz==` 即可实现认证，访问 Halo API，例如：
 								```bash
 								╰─❯ curl -u "admin:P@88w0rd" -H "Accept: application/json" http://localhost:8090/api/v1alpha1/users
 								或者
 								╰─❯ echo -n "admin:P@88w0rd" | base64
 								YWRtaW46UEA4OHcwcmQ=
 								╰─❯ curl -H "Authorization: Basic YWRtaW46UEA4OHcwcmQ=" -H "Accept: application/json" http://localhost:8090/api/v1alpha1/users
 								```
 								## 表单认证
 								这是一种比较常用的认证方式，只需提供用户名和密码以及 `CSRF 令牌`（用于防止重复提交和跨站请求伪造）。
 								- 表单参数
 								    | 参数名     | 类型   | 说明                                  |
 								    | ---------- | ------ | ------------------------------------- |
 								    | username   | form   | 用户名                                |
 								    | password   | form   | 密码                                  |
 								    | _csrf      | form   | `CSRF` 令牌。由客户端随机生成。       |
 								    | XSRF-TOKEN | cookie | 跨站请求伪造令牌，和 `_csrf` 的值一致 |
 								- HTTP 200 响应
 								  仅在请求头 `Accept` 中包含 `application/json` 时发生，响应示例如下所示：
 								    ```bash
 								    ╰─❯ curl 'http://localhost:8090/login' \
 								      -H 'Accept: application/json' \
 								      -H 'Cookie: XSRF-TOKEN=1ff67e0c-6f2c-4cf9-afb5-81bc1015b8e5' \
 								      -H 'Content-Type: application/x-www-form-urlencoded' \
 								      --data-raw '_csrf=1ff67e0c-6f2c-4cf9-afb5-81bc1015b8e5&username=admin&password=P@88w0rd'
 								    ```
 								    ```bash
 								    < HTTP/1.1 200 OK
 								    < Vary: Origin
 								    < Vary: Access-Control-Request-Method
 								    < Vary: Access-Control-Request-Headers
 								    < Content-Type: application/json
 								    < Content-Length: 161
 								    < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
 								    < Pragma: no-cache
 								    < Expires: 0
 								    < X-Content-Type-Options: nosniff
 								    < X-Frame-Options: DENY
 								    < X-XSS-Protection: 1 ; mode=block
 								    < Referrer-Policy: no-referrer
 								    < Set-Cookie: SESSION=d04db9f7-d2a6-4b7c-9845-ef790eb4a980; Path=/; HttpOnly; SameSite=Lax
 								    ```
 								    ```json
 								    {
 								      "username": "admin",
 								      "authorities": [
 								        {
 								          "authority": "ROLE_super-role"
 								        }
 								      ],
 								      "accountNonExpired": true,
 								      "accountNonLocked": true,
 								      "credentialsNonExpired": true,
 								      "enabled": true
 								    }
 								    ```
 								- HTTP 302 响应
 								  仅在请求头 `Accept` 中不包含 `application/json`才会发生，响应示例如下所示：
 								  ```bash
 								  ╰─❯ curl 'http://localhost:8090/login' \
 								    -H 'Accept: */*' \
 								    -H 'Cookie: XSRF-TOKEN=1ff67e0c-6f2c-4cf9-afb5-81bc1015b8e5' \
 								    -H 'Content-Type: application/x-www-form-urlencoded' \
 								    --data-raw '_csrf=1ff67e0c-6f2c-4cf9-afb5-81bc1015b8e5&username=admin&password=P@88w0rd'
 								  ```
 								  ```bash
 								  < HTTP/1.1 302 Found
 								  < Vary: Origin
 								  < Vary: Access-Control-Request-Method
 								  < Vary: Access-Control-Request-Headers
 								  < Location: /console/
 								  < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
 								  < Pragma: no-cache
 								  < Expires: 0
 								  < X-Content-Type-Options: nosniff
 								  < X-Frame-Options: DENY
 								  < X-XSS-Protection: 1 ; mode=block
 								  < Referrer-Policy: no-referrer
 								  < Set-Cookie: SESSION=9ce6ad3f-7eba-4de5-abca-650b4721c7ac; Path=/; HttpOnly; SameSite=Lax
 								  < content-length: 0
 								  ```
 								未来计划支持“记住我（Remember Me）”功能。