18 changed files with 651 additions and 0 deletions

JWTdemo資料夾→JWTdemo.csproj 開啟
<ImplicitUsings>enable</ImplicitUsings> //新增這兩行
<GenerateDocumentationFile>true</GenerateDocumentationFile> //新增這兩行
1.<GenerateDocumentationFile>true</GenerateDocumentationFile>:這個設定告訴編譯器生成 XML 註解檔案。當您的專案編譯時,它會將 XML 註解嵌入到組件中,以供 Swagger 或其他工具使用。
2.<NoWarn>$(NoWarn);1591</NoWarn>:這個設定用來抑制編譯器警告 1591。警告 1591 是指程式碼中的缺少 XML 註解的警告。這裡的設定的意思是告訴編譯器忽略這個特定的警告,因為您已經啟用了 XML 註解生成,而不希望因缺少註解而收到警告。

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 17
VisualStudioVersion = 17.7.34031.279
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "JWTdemo", "JWTdemo\JWTdemo.csproj", "{4C54D743-8EE0-44C9-8C9D-010A306C4AE7}"
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{4C54D743-8EE0-44C9-8C9D-010A306C4AE7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{4C54D743-8EE0-44C9-8C9D-010A306C4AE7}.Debug|Any CPU.Build.0 = Debug|Any CPU
{4C54D743-8EE0-44C9-8C9D-010A306C4AE7}.Release|Any CPU.ActiveCfg = Release|Any CPU
{4C54D743-8EE0-44C9-8C9D-010A306C4AE7}.Release|Any CPU.Build.0 = Release|Any CPU
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {5537568D-28F4-41EA-A9EE-89BAF86E4808}

namespace LoginSys_Hash_demo.Authorization;
public class AllowAnonymousAttribute : Attribute

using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.AspNetCore.Mvc;
using LoginSys_Hash_demo.Entities;
namespace LoginSys_Hash_demo.Authorization;
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class AuthorizeAttribute : Attribute, IAuthorizationFilter
public void OnAuthorization(AuthorizationFilterContext context)
// skip authorization if action is decorated with [AllowAnonymous] attribute
var allowAnonymous = context.ActionDescriptor.EndpointMetadata.OfType<AllowAnonymousAttribute>().Any();
if (allowAnonymous)
// authorization
var user = (User?)context.HttpContext.Items["User"];
if (user == null)
// not logged in or role not authorized
context.Result = new JsonResult(new { message = "Unauthorized" }) { StatusCode = StatusCodes.Status401Unauthorized };

namespace LoginSys_Hash_demo.Authorization;
public class JwtMiddleware
private readonly RequestDelegate _next;
public JwtMiddleware(RequestDelegate next)
_next = next;
public async Task Invoke(HttpContext context, IUserService userService, IJwtUtils jwtUtils)
var token = context.Request.Headers["Authorization"].FirstOrDefault()?.Split(" ").Last();
var userId = jwtUtils.ValidateJwtToken(token);
if (userId != null)
// attach user to context on successful jwt validation
context.Items["User"] = userService.GetById(userId.Value);
//var stop = "1";
await _next(context);

namespace LoginSys_Hash_demo.Authorization;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using LoginSys_Hash_demo.Entities;
using LoginSys_Hash_demo.Helpers;
public interface IJwtUtils
public string GenerateJwtToken(User user);
public int? ValidateJwtToken(string? token);
public class JwtUtils : IJwtUtils
private readonly AppSettings _appSettings;
public JwtUtils(IOptions<AppSettings> appSettings)
_appSettings = appSettings.Value;
if (string.IsNullOrEmpty(_appSettings.Secret))
throw new Exception("JWT secret not configured");
public string GenerateJwtToken(User user)
// generate token that is valid for 7 days
var tokenHandler = new JwtSecurityTokenHandler(); //實例化JWT令牌
var key = Encoding.ASCII.GetBytes(_appSettings.Secret!); //從配置中獲取應用程序密鑰,用於簽名令牌以確保其完整性和安全性
var tokenDescriptor = new SecurityTokenDescriptor //定義令牌格式其包含header(SigningCredentials).payload(expires和subject).signature(簽在header裡面)
Subject = new ClaimsIdentity(new[] { new Claim("id", user.Id.ToString()) }), //payload
Expires = DateTime.UtcNow.AddDays(7), //payload令牌過期時間
SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature) //header
var token = tokenHandler.CreateToken(tokenDescriptor); //創建JWT令牌
return tokenHandler.WriteToken(token); //將JWT令牌轉為base64編碼
public int? ValidateJwtToken(string? token)
if (token == null)
return null;
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(_appSettings.Secret!);
tokenHandler.ValidateToken(token, new TokenValidationParameters
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(key),
ValidateIssuer = false,
ValidateAudience = false,
// set clockskew to zero so tokens expire exactly at token expiration time (instead of 5 minutes later)
ClockSkew = TimeSpan.Zero
}, out SecurityToken validatedToken);
var jwtToken = (JwtSecurityToken)validatedToken;
var userId = int.Parse(jwtToken.Claims.First(x => x.Type == "id").Value);
// return user id from JWT token if validation successful
return userId;
// return null if validation fails
return null;
public bool ValidateToken(string token)
var tokenHandler = new JwtSecurityTokenHandler();
var jwtSecret = "your_jwt_secret"; // JWT 密钥,应与生成令牌时使用的密钥相匹配
var validationParameters = new TokenValidationParameters
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSecret)),
ValidateIssuer = false,
ValidateAudience = false,
ValidateLifetime = true,
ClockSkew = TimeSpan.Zero // 设置为零以确保令牌过期时立即失效
SecurityToken validatedToken;
tokenHandler.ValidateToken(token, validationParameters, out validatedToken);
return true;
return false;

using LoginSys_Hash_demo.Services;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using LoginSys_Hash_demo.Models;
using LoginSys_Hash_demo.Authorization;
using System.Security.Cryptography;
using System.Text;
using LoginSys_Hash_demo.Entities;
namespace LoginSys_Hash_demo.Controllers
[Authorize] //有token才能使用class
public class UserController : ControllerBase
private readonly SqlContext _context;
private IUserService _userService;
public UserController(IUserService userService, SqlContext context)
_userService = userService;
_context = context;
/// <summary>
/// 測試註解
/// </summary>
public async Task<ActionResult<IEnumerable<LoginSys_Hash_demo.Entities.User>>> Getuser()
return await _context.chatuser.ToListAsync();
#region 使()
/// <summary>
/// 新增使用者(需權限)
/// </summary>
public async Task<IActionResult> Hash(AuthenticateRequest test)
if (await _context.chatuser.AnyAsync(u => u.Username == test.Username)) //帳號相同就error
return Content("error"); // 使用HTTP 409 Conflict状态码
int userCount = await _context.chatuser.CountAsync();
var aa = new User
Id = userCount + 1,
Username = test.Username,
Password = HashPassword(test.Password)
// 将用户添加到数据库
await _context.SaveChangesAsync();
return Content("success");
#region ()
/// <summary>
/// 登入驗證帳戶(無須權限)
/// </summary>
public async Task<IActionResult> Verifypassword(AuthenticateRequest test)
// 從DB中依使用者帳號去找尋該筆資料
var user = await _context.chatuser.SingleOrDefaultAsync(u => u.Username == test.Username);
if (user != null)
// Hash輸入的密碼與DB內的Hash密碼做比較
if (HashPassword(test.Password) == user.Password)
test.Password = HashPassword(test.Password);
var response = _userService.Authenticate(test);
// 將Token添加到Headers中
Response.Headers.Add("Authorization", "Bearer " + response.Token);
// 將token保存在Cookie或其他適當的位置
Response.Cookies.Append("token", response.Token);
return Ok(response);
// 密碼匹配,返回成功消息
return Content("error");
#region Hash加密
private string HashPassword(string password)
using (SHA256 sha256 = SHA256.Create())
byte[] hashBytes = sha256.ComputeHash(Encoding.UTF8.GetBytes(password));
StringBuilder builder = new StringBuilder();
foreach (byte b in hashBytes)
return builder.ToString();

using System.Text.Json.Serialization;
namespace LoginSys_Hash_demo.Entities
public class User
public int Id { get; set; }
public string? Name { get; set; }
public string? Username { get; set; }
[JsonIgnore] //這個就是當有人要get這個資料時會自動將其隱藏
public string? Password { get; set; }

namespace LoginSys_Hash_demo.Helpers
public class AppSettings
public string? Secret { get; set; }

<Project Sdk="Microsoft.NET.Sdk.Web">
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="6.0.7" />
<PackageReference Include="Microsoft.AspNetCore.Authorization" Version="6.0.7" />
<PackageReference Include="Microsoft.EntityFrameworkCore" Version="7.0.11" />
<PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="7.0.11" />
<PackageReference Include="Swashbuckle.AspNetCore" Version="6.5.0" />
<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.30.1" />

namespace LoginSys_Hash_demo.Models;
using System.ComponentModel.DataAnnotations;
public class AuthenticateRequest
public string? Username { get; set; }
public string? Password { get; set; }

namespace LoginSys_Hash_demo.Models;
using LoginSys_Hash_demo.Entities;
public class AuthenticateResponse
public int Id { get; set; }
public string? Name { get; set; }
public string? Username { get; set; }
public string Token { get; set; }
public AuthenticateResponse(User user, string token)
Id = user.Id;
Name = user.Name;
Username = user.Username;
Token = token;

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using LoginSys_Hash_demo.Authorization;
using LoginSys_Hash_demo.Helpers;
using System.Configuration;
using System.Reflection;
using LoginSys_Hash_demo.Services;
using Microsoft.IdentityModel.Tokens;
using System.Text;
using Microsoft.OpenApi.Models;
var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
var connectionString = "Server=localhost;UserID=postgres;Password=vip125125;Database=postgres;port=5432;";
builder.Services.AddDbContext<SqlContext>(opt => opt.UseNpgsql(connectionString));
var services = builder.Services;
var jwtSettings = builder.Configuration.GetSection("AppSettings").Get<AppSettings>();
.AddJwtBearer(options =>
options.TokenValidationParameters = new TokenValidationParameters
ValidateIssuer = false,
ValidateAudience = false,
ValidateIssuerSigningKey = true,
//ValidIssuer = "your_issuer",
// ValidAudience = "your_audience",
ClockSkew = TimeSpan.Zero,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSettings.Secret))
services.AddSwaggerGen(c =>
c.SwaggerDoc("v1", new OpenApiInfo { Title = "LoginSys_Hash_demo", Version = "v1" });
// Configure Swagger to use JWT authentication
c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
Description = "JWT Authorization header using the Bearer scheme",
Name = "Authorization",
In = ParameterLocation.Header,
Type = SecuritySchemeType.ApiKey,
Scheme = "Bearer"
// 将JWT令牌作为所有端点的要求添加到Swagger文档
c.AddSecurityRequirement(new OpenApiSecurityRequirement
new OpenApiSecurityScheme
Reference = new OpenApiReference
Type = ReferenceType.SecurityScheme,
Id = "Bearer"
new string[] { }
// configure DI for application services
services.AddScoped<IJwtUtils, JwtUtils>();
services.AddScoped<IUserService, UserService>();
// 注册 HttpClient 服务
builder.Services.AddSwaggerGen(options =>
var xmlFilename = $"{Assembly.GetExecutingAssembly().GetName().Name}.xml";
options.IncludeXmlComments(Path.Combine(AppContext.BaseDirectory, xmlFilename));
var app = builder.Build();
// global cors policy
//在 ASP.NET Core 中啟用 CORS (跨原始來源要求)
// Shows UseCors with CorsPolicyBuilder.
app.UseCors(x => x
// custom jwt auth middleware
if (app.Environment.IsDevelopment())
app.UseSwaggerUI(c =>
c.SwaggerEndpoint("/swagger/v1/swagger.json", "LoginSys_Hash_demo");

"$schema": "https://json.schemastore.org/launchsettings.json",
"iisSettings": {
"windowsAuthentication": false,
"anonymousAuthentication": true,
"iisExpress": {
"applicationUrl": "http://localhost:23800",
"sslPort": 44344
"profiles": {
"LoginSys_Hash_demo": {
"commandName": "Project",
"dotnetRunMessages": true,
"launchBrowser": true,
"launchUrl": "swagger",
"applicationUrl": "https://localhost:7079;http://localhost:5246",
"environmentVariables": {
"IIS Express": {
"commandName": "IISExpress",
"launchBrowser": true,
"launchUrl": "swagger",
"environmentVariables": {

using Microsoft.EntityFrameworkCore;
using LoginSys_Hash_demo.Entities;
namespace LoginSys_Hash_demo.Services
public class SqlContext : DbContext
public SqlContext(DbContextOptions<SqlContext> options) : base(options)
AppContext.SetSwitch("Npgsql.EnableLegacyTimestampBehavior", true);
AppContext.SetSwitch("Npgsql.DisableDateTimeInfinityConversions", true);
public DbSet<User>chatuser { get; set; } = null!;
protected override void OnModelCreating(ModelBuilder builder)
builder.Entity<User>().HasKey(o => new { o.Id }); //Primary Key

using LoginSys_Hash_demo.Authorization;
using LoginSys_Hash_demo.Services;
using LoginSys_Hash_demo.Entities;
using LoginSys_Hash_demo.Models;
public interface IUserService
AuthenticateResponse? Authenticate(AuthenticateRequest model);
IEnumerable<User> GetAll();
User? GetById(int id);
public class UserService : IUserService
// users hardcoded for simplicity, store in a db with hashed passwords in production applications
private List<User> user_test = new List<User>
new User { Id = 1, FirstName = "Test", LastName = "User", Username = "test", Password = "test" },
new User { Id = 2, FirstName = "Test", LastName = "User", Username = "admin", Password = "admin" }
public DbSet<User> user_test { get; set; } = null!;
public List<User> GetUsers ()
return _dbContext.user_test.ToList();
private readonly IJwtUtils _jwtUtils;
public UserService(IJwtUtils jwtUtils, SqlContext dbContext)
_jwtUtils = jwtUtils;
_dbContext = dbContext;
private readonly SqlContext _dbContext;
public AuthenticateResponse? Authenticate(AuthenticateRequest model)
var user = _dbContext.chatuser.SingleOrDefault(x => x.Username == model.Username && x.Password == model.Password);
// return null if user not found
if (user == null) return null;
// authentication successful so generate jwt token
var token = _jwtUtils.GenerateJwtToken(user);
return new AuthenticateResponse(user, token);
public IEnumerable<User> GetAll()
return _dbContext.chatuser;
public User? GetById(int id)
return _dbContext.chatuser.FirstOrDefault(x => x.Id == id);

"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.AspNetCore": "Warning"

"AppSettings": {
"Secret": "Leo token test jwt park spaces lab 124"
"Logging": {
"LogLevel": {
"Default": "Information",
"Microsoft.AspNetCore": "Warning"
"AllowedHosts": "*"