perf(JWT): Short JWT payload key

1. Use official key `aud` to store user_id.
2. Short `secure_login_ip` to `ip`

CHANGELOG.md

@@ -22,6 +22,7 @@
 
 ### Fix
 - **Auth/Login:** Fix user can't login after commit `6009dc8` (d509127)
+- **Component:** Fix parent::onRequest{Before,After} miss (200926f)
 - **User:** Fix User Class miss in string format (3680444)
 
 ### Perf

apps/components/Auth.php

@@ -85,12 +85,12 @@ protected function loadCurUserIdFromCookies()
 
         $payload = JWTHelper::decode($user_session);
         if ($payload === false) return false;
-        if (!isset($payload['jti']) || !isset($payload['user_id'])) return false;
+        if (!isset($payload['jti']) || !isset($payload['aud'])) return false;
 
         // Check if user lock access ip ?
-        if (isset($payload['secure_login_ip'])) {
+        if (isset($payload['ip'])) {
             $now_ip_crc = sprintf('%08x', crc32(app()->request->getClientIp()));
-            if (strcasecmp($payload['secure_login_ip'], $now_ip_crc) !== 0) return false;
+            if (strcasecmp($payload['ip'], $now_ip_crc) !== 0) return false;
         }
 
         // Verity $jti is force expired or not by checking mapUserSessionToId
@@ -101,7 +101,7 @@ protected function loadCurUserIdFromCookies()
             ])->queryScalar();
             app()->redis->zAdd(Constant::mapUserSessionToId, $uid ?: 0, $payload['jti']);  // Store 0 if session -> uid is invalid
             if ($uid === false) return false;  // this session is not exist or marked as expired
-        } elseif ($expired_check != $payload['user_id']) return false;    // may return (double) 0 , which means already make invalid ; or it check if user obtain this session (may Overdesign)
+        } elseif ($expired_check != $payload['aud']) return false;    // may return (double) 0 , which means already make invalid ; or it check if user obtain this session (may Overdesign)
 
         $this->cur_user_jit = $payload['jti'];
 
@@ -114,7 +114,7 @@ protected function loadCurUserIdFromCookies()
             app()->response->setHeader('Strict-Transport-Security', 'max-age=1296000; includeSubDomains');
         }
 
-        return $payload['user_id'];
+        return $payload['aud'];
     }
 
     protected function loadCurUserIdFromPasskey()

apps/models/form/Auth/UserLoginForm.php

@@ -142,7 +142,6 @@ public function flush()
     private function createUserSession()
     {
         $timenow = time();
-        $login_ip = app()->request->getClientIp();
 
         do { // Generate unique JWT ID
             $jti = StringHelper::getRandomString(64);
@@ -155,6 +154,7 @@ private function createUserSession()
         $payload = [
             'iss' => config('base.site_url'),
             'sub' => config('base.site_generator'),
+            'aud' =>  $this->self['id'],  // Store User Id so we can quick check session status and load their information
             'iat' => $timenow,
             'jti' => $jti,
         ];
@@ -166,9 +166,11 @@ private function createUserSession()
         $payload['exp'] = $cookieExpire;
 
         // Custom Payload key
-        $payload['user_id'] = $this->self['id'];  // Store User Id so we can quick load their information
-        if ($this->securelogin === 'yes' || config('security.secure_login') > 1)
-            $payload['secure_login_ip'] = sprintf('%08x', crc32($login_ip));  // Store User Login IP ( in CRC32 format )
+        if ($this->securelogin === 'yes' || config('security.secure_login') > 1) {
+            $login_ip = app()->request->getClientIp();
+            $payload['ip'] = sprintf('%08x', crc32($login_ip));  // Store User Login IP ( in CRC32 format )
+        }
+
         if ($this->ssl || config('security.ssl_login') > 1)
             $payload['ssl'] = true;  // Store User want full ssl protect
 

framework/Http/Session.php

@@ -11,7 +11,7 @@
 class Session extends Component
 {
     // 保存的Key前缀
-    public $saveKeyPrefix = 'SESSION:';
+    public $saveKeyPrefix = 'Session:';
 
     // 生存时间
     public $maxLifetime = 7200;