
fix: pass token via cookie instead of header

RegMs If 3 年之前
當前提交
46f65a5997
共有 3 個文件被更改,包括 24 次插入21 次删除
  1. 8 6
      controller/jwt.go
  2. 4 9
      controller/users.go
  3. 12 6
      main.go

+ 8 - 6
controller/jwt.go

@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"net/http"
 	"strconv"
-	"strings"
 	"time"
 	"woord-core-service/global"
 
@@ -12,7 +11,10 @@ import (
 	"github.com/golang-jwt/jwt/v4"
 )
 
-const AuthUserKey = "user"
+const (
+	AuthUserKey  = "_user"
+	AuthTokenKey = "_token"
+)
 
 var (
 	ErrNotLoggedIn  = fmt.Errorf("请先登录")
@@ -49,16 +51,16 @@ func parseToken(tokenString string) (uint, error) {
 // JWT 认证中间件
 func JWTAuth() gin.HandlerFunc {
 	return func(c *gin.Context) {
-		// 获取 Authorization 请求头
-		auth := strings.Split(c.GetHeader("Authorization"), " ")
-		if len(auth) < 2 || auth[0] != "Bearer" {
+		// 从 Cookie 获取 JWT
+		token, err := c.Cookie(AuthTokenKey)
+		if err != nil {
 			respondError(c, http.StatusUnauthorized, ErrNotLoggedIn)
 			c.Abort()
 			return
 		}
 
 		// 解析 JWT
-		userID, err := parseToken(auth[1])
+		userID, err := parseToken(token)
 		if err != nil {
 			respondError(c, http.StatusUnauthorized, ErrInvalidToken)
 			c.Abort()
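Review bot: Reading the JWT from the `_token` cookie at `c.Cookie(AuthTokenKey)` means the browser now attaches the credential automatically to every request to this host, including requests initiated from other sites, so each state-changing route behind `JWTAuth()` needs a CSRF defence that the removed Bearer-header scheme provided implicitly. The login handler in controller/users.go sets that cookie without a SameSite attribute (as far as I can tell gin's `SetCookie` only emits one after `c.SetSameSite(...)` has been called), so protection currently rests on browser defaults; calling `c.SetSameSite(http.SameSiteStrictMode)` (or Lax, if the frontend lives on another origin of the same site) before `c.SetCookie(...)` there, or checking a CSRF token in this middleware, would close that gap. The two exported constants in the earlier hunk also lack doc comments, e.g. `// AuthTokenKey is the name of the cookie that carries the JWT.`. JWTAuth's body continues past the end of the hunk.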

+ 4 - 9
controller/users.go

@@ -3,6 +3,7 @@ package controller
 import (
 	"errors"
 	"net/http"
+	"time"
 	"woord-core-service/model"
 
 	"github.com/gin-gonic/gin"
@@ -43,11 +44,6 @@ type LoginRequest struct {
 	Password string `form:"password" binding:"required"`
 }
 
-type LoginResponse struct {
-	*model.UserResult `json:"user"`
-	Token             string `json:"token"`
-}
-
 // 登录
 func Login(c *gin.Context) {
 	var request LoginRequest
@@ -75,10 +71,9 @@ func Login(c *gin.Context) {
 		return
 	}
 
-	respondOK(c, &LoginResponse{
-		UserResult: user,
-		Token:      token,
-	})
+	c.SetCookie(AuthTokenKey, token, int(720*time.Hour), "", "word.regmsif.cf", true, true)
+
+	respondOK(c, user)
 }
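Review bot: The third argument of `c.SetCookie` on the added line is a Max-Age in seconds, but `int(720*time.Hour)` converts a time.Duration measured in nanoseconds, giving a Max-Age of roughly 2.6e15 seconds on 64-bit builds and a constant-overflow compile error on 32-bit; the intended value is `int((720 * time.Hour).Seconds())`. Even at thirty days this is a long lifetime for a bearer credential, and the cookie's Max-Age should not outlive whatever expiry parseToken enforces on the JWT itself, which is not visible in this diff. The hard-coded domain `"word.regmsif.cf"` repeats the origin used in main.go's CORS config and makes the cookie unusable on localhost or a staging host; reading both from a single configuration value would keep them in step.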
 
 // 获取当前用户

+ 12 - 6
main.go

@@ -15,21 +15,27 @@ import (
 )
 
 func main() {
+	global.SecretKey = []byte(os.Getenv("SECRET_KEY"))
+
 	var err error
 	// 连接数据库
 	global.DB, err = gorm.Open(sqlite.Open(os.Getenv("DB_PATH")), &gorm.Config{})
 	if err != nil {
 		panic(err)
 	}
-	// 自动迁移 schema
+	// 自动迁移 Schema
 	global.DB.AutoMigrate(&model.User{}, &model.Dict{}, &model.Word{})
 
-	global.SecretKey = []byte(os.Getenv("SECRET_KEY"))
-	// 创建 session 存储
-	store := gormsessions.NewStore(global.DB, true, global.SecretKey)
-
 	r := gin.Default()
-	r.Use(cors.Default())
+
+	// 配置 CORS
+	config := cors.DefaultConfig()
+	config.AllowOrigins = []string{"https://word.regmsif.cf"}
+	config.AllowCredentials = true
+	r.Use(cors.New(config))
+
+	// 创建 Session 存储
+	store := gormsessions.NewStore(global.DB, true, global.SecretKey)
 	r.Use(sessions.Sessions("_session", store))
 
 	r.POST("/user/register", controller.Register)
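Review bot: `global.SecretKey = []byte(os.Getenv("SECRET_KEY"))` at the top of main now feeds both the JWT key used by parseToken and the gormsessions store, yet nothing verifies the variable is set; an unset variable silently yields an empty key, and depending on the signing setup in parseToken (not visible here) that would let anyone mint valid tokens. Fail fast right after the assignment with `if len(global.SecretKey) == 0 { panic("SECRET_KEY is not set") }`, mirroring how the database error a few lines below is handled. The CORS origin `"https://word.regmsif.cf"` is hard-coded while the same host appears as the cookie domain in controller/users.go; sourcing both from one environment variable would keep them consistent across environments. The hunk ends before main's body does.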