halo/docs/authentication
John Niang af8860ffb6
Refine logic of form login and logout (#2528)
#### What type of PR is this?

/kind improvement
/kind api-change
/area core
/milestone 2.0

#### What this PR does / why we need it:

Please see b092b390b7/docs/authentication/README.md

#### Which issue(s) this PR fixes:

Fixes https://github.com/halo-dev/halo/issues/2506

#### Special notes for your reviewer:

#### Does this PR introduce a user-facing change?

```release-note
Refine system login and logout logic
```
2022-10-11 08:04:14 +00:00

README.md

Halo authentication methods

Authentication methods currently supported by Halo:

  • Basic authentication (Basic Auth)
  • Form login (Form Login)

Authentication methods planned for support:

Basic authentication

This is the simplest authentication method: setting the HTTP request header Authorization: Basic xxxyyyzzz== is enough to authenticate and access the Halo API. For example:

╰─❯ curl -u "admin:P@88w0rd" -H "Accept: application/json" http://localhost:8090/api/v1alpha1/users

Or:
╰─❯ echo -n "admin:P@88w0rd" | base64
YWRtaW46UEA4OHcwcmQ=
╰─❯ curl -H "Authorization: Basic YWRtaW46UEA4OHcwcmQ=" -H "Accept: application/json" http://localhost:8090/api/v1alpha1/users
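The two curl invocations above are equivalent because `-u` performs the same base64 step as the `echo -n ... | base64` pipeline. The following added example (not part of the Halo project or this README) shows that step in Python and, on the receiving side, a parser for the header value that tolerates a ':' inside the password by splitting only on the first colon, rejects non-Basic schemes and malformed base64, and compares the password in constant time. The `DEMO_USERS` store is a constructed plaintext table for the demonstration only; a real server verifies against a stored password hash.

```python
import base64
import binascii
import hmac

# Constructed credential store for the demo (username -> plaintext password).
# A real deployment stores and checks a password hash instead.
DEMO_USERS = {"admin": "P@88w0rd"}


def basic_header(username: str, password: str) -> str:
    """Build the Authorization value the `echo -n "user:pass" | base64` pipeline produces."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value: str):
    """Return (username, password) from an Authorization header value, or None if malformed.

    Only the first ':' separates the two fields (RFC 7617), so a password may itself
    contain ':'; a token that is not valid base64 or has no ':' is rejected.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None
    return username, password


def check_basic(value: str) -> bool:
    """Verify an Authorization header against DEMO_USERS using a constant-time compare."""
    creds = parse_basic_header(value)
    if creds is None:
        return False
    username, password = creds
    expected = DEMO_USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))


if __name__ == "__main__":
    header = basic_header("admin", "P@88w0rd")
    print(header)                     # matches the base64 value shown in the README
    print(parse_basic_header(header))  # ('admin', 'P@88w0rd')
    print(check_basic(header))         # True
```

Because the encoding is reversible, the header carries the password itself on every request; the parser above is the decoding step, which is why Basic authentication is only acceptable over TLS.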

Form authentication

This is a more commonly used authentication method; it only requires a username and password plus a CSRF token (used to prevent duplicate submission and cross-site request forgery).

  • Form parameters

    | Parameter | Type | Description |
    | --- | --- | --- |
    | username | form | Username |
    | password | form | Password |
    | _csrf | form | CSRF token, randomly generated by the client. |
    | XSRF-TOKEN | cookie | Cross-site request forgery token; its value is the same as _csrf. |
  • HTTP 200 response

    Occurs only when the Accept request header contains application/json. An example response:

    ╰─❯ curl 'http://localhost:8090/login' \
      -H 'Accept: application/json' \
      -H 'Cookie: XSRF-TOKEN=1ff67e0c-6f2c-4cf9-afb5-81bc1015b8e5' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      --data-raw '_csrf=1ff67e0c-6f2c-4cf9-afb5-81bc1015b8e5&username=admin&password=P@88w0rd'
    
    < HTTP/1.1 200 OK
    < Vary: Origin
    < Vary: Access-Control-Request-Method
    < Vary: Access-Control-Request-Headers
    < Content-Type: application/json
    < Content-Length: 161
    < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    < Pragma: no-cache
    < Expires: 0
    < X-Content-Type-Options: nosniff
    < X-Frame-Options: DENY
    < X-XSS-Protection: 1 ; mode=block
    < Referrer-Policy: no-referrer
    < Set-Cookie: SESSION=d04db9f7-d2a6-4b7c-9845-ef790eb4a980; Path=/; HttpOnly; SameSite=Lax
    
    {
      "username": "admin",
      "authorities": [
        {
          "authority": "ROLE_super-role"
        }
      ],
      "accountNonExpired": true,
      "accountNonLocked": true,
      "credentialsNonExpired": true,
      "enabled": true
    }
    
  • HTTP 302 response

    Occurs only when the Accept request header does not contain application/json. An example response:

    ╰─❯ curl 'http://localhost:8090/login' \
      -H 'Accept: */*' \
      -H 'Cookie: XSRF-TOKEN=1ff67e0c-6f2c-4cf9-afb5-81bc1015b8e5' \
      -H 'Content-Type: application/x-www-form-urlencoded' \
      --data-raw '_csrf=1ff67e0c-6f2c-4cf9-afb5-81bc1015b8e5&username=admin&password=P@88w0rd'
    
    < HTTP/1.1 302 Found
    < Vary: Origin
    < Vary: Access-Control-Request-Method
    < Vary: Access-Control-Request-Headers
    < Location: /console/
    < Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    < Pragma: no-cache
    < Expires: 0
    < X-Content-Type-Options: nosniff
    < X-Frame-Options: DENY
    < X-XSS-Protection: 1 ; mode=block
    < Referrer-Policy: no-referrer
    < Set-Cookie: SESSION=9ce6ad3f-7eba-4de5-abca-650b4721c7ac; Path=/; HttpOnly; SameSite=Lax
    < content-length: 0
    
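The two exchanges above share one contract: the XSRF-TOKEN cookie and the _csrf form field must carry the same value (the double-submit cookie pattern), and the Accept header decides between a JSON body with status 200 and a redirect to /console/ with status 302. The added example below (not Halo's code, which is a Java/Spring application) simulates that /login handler in Python so the two branches and the CSRF check can be exercised offline. `DEMO_USERS`, the plaintext credential table, and the 403/401 results for a CSRF mismatch or wrong password are constructed assumptions; the README shows only the success responses.

```python
import hmac
import json
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed store: username -> (plaintext password, granted authority).
# A real server keeps a password hash; the authority mirrors the README's sample body.
DEMO_USERS = {"admin": ("P@88w0rd", "ROLE_super-role")}


def new_xsrf_token() -> str:
    """Client side: the README says the client generates the _csrf value at random."""
    return secrets.token_urlsafe(32)


def csrf_valid(cookie_header: str, form: dict) -> bool:
    """Double-submit check: the XSRF-TOKEN cookie must equal the _csrf form field."""
    cookies = SimpleCookie()
    cookies.load(cookie_header or "")
    cookie_token = cookies["XSRF-TOKEN"].value if "XSRF-TOKEN" in cookies else ""
    form_token = form.get("_csrf", [""])[0]
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token.encode(), form_token.encode())


def handle_login(headers: dict, body: str):
    """Simulated POST /login. Returns (status, response_headers, body_text).

    `body` is the application/x-www-form-urlencoded payload; parse_qs applies
    form decoding, so a '+' in a raw value becomes a space, as a browser would send it.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    form = parse_qs(body, keep_blank_values=True)
    wants_json = "application/json" in hdrs.get("accept", "")

    # Reject before touching credentials when the CSRF tokens do not match (assumed 403).
    if not csrf_valid(hdrs.get("cookie", ""), form):
        return 403, {}, ""

    username = form.get("username", [""])[0]
    password = form.get("password", [""])[0]
    expected, authority = DEMO_USERS.get(username, ("", ""))
    if not expected or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, {}, ""  # assumed failure status; not shown in the README

    # Fresh session id on success, with the cookie attributes seen in the README.
    set_cookie = f"SESSION={secrets.token_hex(16)}; Path=/; HttpOnly; SameSite=Lax"
    if wants_json:
        payload = {
            "username": username,
            "authorities": [{"authority": authority}],
            "accountNonExpired": True,
            "accountNonLocked": True,
            "credentialsNonExpired": True,
            "enabled": True,
        }
        hdrs_out = {"Content-Type": "application/json", "Set-Cookie": set_cookie}
        return 200, hdrs_out, json.dumps(payload)
    return 302, {"Location": "/console/", "Set-Cookie": set_cookie}, ""


if __name__ == "__main__":
    token = new_xsrf_token()
    cookie = f"XSRF-TOKEN={token}"
    form_body = f"_csrf={token}&username=admin&password=P@88w0rd"
    print(handle_login({"Accept": "application/json", "Cookie": cookie}, form_body)[0])  # 200
    print(handle_login({"Accept": "*/*", "Cookie": cookie}, form_body)[0])               # 302
    print(handle_login({"Accept": "*/*", "Cookie": "XSRF-TOKEN=other"}, form_body)[0])   # 403
```

The CSRF comparison runs before the password check so that a forged request never reaches credential handling, and `hmac.compare_digest` is used for both comparisons so timing does not leak how many characters matched.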

Support for a "Remember Me" feature is planned for the future.