TencentBlueKing · owenlxu · Oct 12, 2023 · Oct 11, 2023
diff --git a/.../boot-fs-server/src/main/kotlin/com/tencent/bkrepo/fs/server/config/RouteConfiguration.kt b/.../boot-fs-server/src/main/kotlin/com/tencent/bkrepo/fs/server/config/RouteConfiguration.kt
@@ -74,6 +74,7 @@ class RouteConfiguration(
         before(RouteConfiguration::initArtifactContext)
         filter(permissionFilterFunction::filter)
         POST("/login/{projectId}/{repoName}", loginHandler::login)
+        POST("/token/refresh/{projectId}/{repoName}", loginHandler::refresh)
 
         "/service/block".nest {
             GET("/list$DEFAULT_MAPPING_URI", fsNodeHandler::listBlocks)

diff --git a/...fs-server/src/main/kotlin/com/tencent/bkrepo/fs/server/filter/PermissionFilterFunction.kt b/...fs-server/src/main/kotlin/com/tencent/bkrepo/fs/server/filter/PermissionFilterFunction.kt
@@ -44,9 +44,12 @@ class PermissionFilterFunction(private val securityManager: SecurityManager) : C
     private val matcher = AntPathMatcher()
     override suspend fun filter(
         request: ServerRequest,
-        next: suspend (ServerRequest) -> ServerResponse
+        next: suspend (ServerRequest) -> ServerResponse,
     ): ServerResponse {
-        if (request.path().startsWith("/login") || request.path().startsWith("/service")) {
+        if (request.path().startsWith("/login") ||
+            request.path().startsWith("/service") ||
+            request.path().startsWith("/token")
+        ) {
             return next(request)
         }
         val action = request.getAction()
@@ -92,7 +95,7 @@ class PermissionFilterFunction(private val securityManager: SecurityManager) : C
             "/node/delete/**",
             "/node/mkdir/**",
             "/node/set-length/**",
-            "/block/**"
+            "/block/**",
         )
     }
 }
diff --git a/...nd/fs/boot-fs-server/src/main/kotlin/com/tencent/bkrepo/fs/server/handler/LoginHandler.kt b/...nd/fs/boot-fs-server/src/main/kotlin/com/tencent/bkrepo/fs/server/handler/LoginHandler.kt
@@ -50,7 +50,7 @@ import org.springframework.web.reactive.function.server.ServerResponse
 class LoginHandler(
     private val permissionService: PermissionService,
     private val securityManager: SecurityManager,
-    private val rAuthClient: RAuthClient
+    private val rAuthClient: RAuthClient,
 ) {
 
     /**
@@ -70,7 +70,11 @@ class LoginHandler(
         if (tokenRes.data != true) {
             throw AuthenticationException()
         }
+        val token = createToken(projectId, repoName, username)
+        return ReactiveResponseBuilder.success(token)
+    }
 
+    private suspend fun createToken(projectId: String, repoName: String, username: String): String {
         val claims = mutableMapOf(JWT_CLAIMS_REPOSITORY to "$projectId/$repoName")
         val writePermit = permissionService.checkPermission(projectId, repoName, PermissionAction.WRITE, username)
         if (writePermit) {
@@ -83,8 +87,20 @@ class LoginHandler(
         }
         val token = securityManager.generateToken(
             subject = username,
-            claims = claims
+            claims = claims,
         )
-        return ReactiveResponseBuilder.success(token)
+        return token
+    }
+
+    suspend fun refresh(request: ServerRequest): ServerResponse {
+        val token = request.headers().header(HttpHeaders.AUTHORIZATION).firstOrNull().orEmpty()
+        val jws = securityManager.validateToken(token)
+        val claims = jws.body
+        val username = claims.subject
+        val parts = claims[JWT_CLAIMS_REPOSITORY].toString().split("/")
+        val projectId = parts[0]
+        val repoName = parts[1]
+        val newToken = createToken(projectId, repoName, username)
+        return ReactiveResponseBuilder.success(newToken)
     }
 }