From 3714621173c606c4c58439ed8941100ce9ddea14 Mon Sep 17 00:00:00 2001
From: Codex Assistant <codex@example.com>
Date: 星期三, 05 十一月 2025 15:10:49 +0800
Subject: [PATCH] bug

---
 backend/src/main/java/com/rongyichuang/auth/util/JwtUtil.java |   30 ++++++++++++++++++++++++++++--
 1 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/backend/src/main/java/com/rongyichuang/auth/util/JwtUtil.java b/backend/src/main/java/com/rongyichuang/auth/util/JwtUtil.java
index 489d0f8..6207646 100644
--- a/backend/src/main/java/com/rongyichuang/auth/util/JwtUtil.java
+++ b/backend/src/main/java/com/rongyichuang/auth/util/JwtUtil.java
@@ -8,6 +8,9 @@
 import org.springframework.stereotype.Component;
 
 import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
 import java.util.Date;
 
 /**
@@ -38,7 +41,7 @@
         Date now = new Date();
         Date expiryDate = new Date(now.getTime() + jwtExpiration);
 
-        SecretKey key = Keys.hmacShaKeyFor(jwtSecret.getBytes());
+        SecretKey key = getSigningKey();
 
         JwtBuilder builder = Jwts.builder()
                 .setSubject(userId.toString())
@@ -56,6 +59,29 @@
         }
 
         return builder.signWith(key, SignatureAlgorithm.HS256).compact();
+    }
+
+    /**
+     * 鏍规嵁閰嶇疆鐨勫瘑閽ョ敓鎴愭弧瓒� HMAC-SHA 瑕佹眰鐨勭鍚嶅瘑閽ワ細
+     * - 鑻ユ槑鏂囧瘑閽ラ暱搴︿笉瓒� 256 bit锛屼娇鐢� SHA-256 琛嶇敓涓� 256-bit
+     * - 淇濇寔瀵圭幇鏈� app.jwt.secret 鐨勫吋瀹癸紝涓嶄慨鏀归厤缃敭鍚嶆垨鍏跺畠閫昏緫
+     */
+    private SecretKey getSigningKey() {
+        try {
+            byte[] keyBytes = jwtSecret.getBytes(StandardCharsets.UTF_8);
+            if (keyBytes.length < 32) {
+                MessageDigest digest = MessageDigest.getInstance("SHA-256");
+                keyBytes = digest.digest(keyBytes);
+            }
+            if (keyBytes.length < 32) {
+                byte[] padded = new byte[32];
+                System.arraycopy(keyBytes, 0, padded, 0, Math.min(keyBytes.length, 32));
+                keyBytes = padded;
+            }
+            return new SecretKeySpec(keyBytes, "HmacSHA256");
+        } catch (Exception e) {
+            throw new RuntimeException("鍒濆鍖朖WT绛惧悕瀵嗛挜澶辫触", e);
+        }
     }
 
     /**
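Review bot: In getSigningKey(), a secret shorter than 32 bytes is now hashed with SHA-256 and accepted, which lengthens the key without adding entropy and removes the weak-key rejection that `Keys.hmacShaKeyFor` provided; an empty `app.jwt.secret` would make the HS256 key the publicly known digest of the empty string. I would reject a missing or empty secret up front with `if (jwtSecret == null || jwtSecret.isEmpty()) throw new IllegalStateException("app.jwt.secret must be set");` and log a warning whenever the hashing branch is taken, so a low-entropy secret stays visible in operation. The second `if (keyBytes.length < 32)` block is unreachable, because a SHA-256 digest is always 32 bytes, and can be removed. `catch (Exception e)` can be narrowed to `NoSuchAlgorithmException`, the only checked exception thrown in the body.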
@@ -111,7 +137,7 @@
      * 浠巘oken涓В鏋怌laims
      */
     private Claims getClaimsFromToken(String token) {
-        SecretKey key = Keys.hmacShaKeyFor(jwtSecret.getBytes());
+        SecretKey key = getSigningKey();
         return Jwts.parserBuilder()
                 .setSigningKey(key)
                 .build()
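Review bot: `getSigningKey()` is now evaluated on every call to getClaimsFromToken (and on every token build in the earlier hunk), so the key bytes are re-derived per request and a bad secret is reported only when the first token is handled. Since the secret appears to be fixed configuration, the key could be computed once, for example in a `@PostConstruct` method that stores it in a `private SecretKey signingKey` field, so that a misconfiguration fails at startup instead. The body of getClaimsFromToken continues past the end of this hunk.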

--
Gitblit v1.8.0