feat: trans util

2025-05-23 12:58:21 +08:00
parent 50161f8c8a
commit 028dd8dd19
5 changed files with 898 additions and 0 deletions
--- a/jwtutil/go.mod
+++ b/jwtutil/go.mod
@@ -0,0 +1,18 @@
+module github.com/tx7do/go-utils/jwtutil
+
+go 1.23.0
+
+toolchain go1.24.1
+
+require (
+	github.com/golang-jwt/jwt/v5 v5.1.0
+	github.com/stretchr/testify v1.10.0
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+)
+
+replace github.com/tx7do/go-utils => ../
--- a/jwtutil/go.sum
+++ b/jwtutil/go.sum
@@ -0,0 +1,12 @@
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/golang-jwt/jwt/v5 v5.1.0 h1:UGKbA/IPjtS6zLcdB7i5TyACMgSbOTiR8qzXgw8HWQU=
+github.com/golang-jwt/jwt/v5 v5.1.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/jwtutil/jwt.go
+++ b/jwtutil/jwt.go
@@ -0,0 +1,351 @@
+package jwtutil
+
+import (
+	"fmt"
+	"net/http"
+	"time"
+
+	"encoding/json"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+// ParseJWTPayload 使用 github.com/golang-jwt/jwt/v5 从 JWT 中解析出 payload
+func ParseJWTPayload(tokenString string) (jwt.MapClaims, error) {
+	// 不验证签名，仅解析
+	parser := jwt.NewParser(jwt.WithoutClaimsValidation())
+	token, _, err := parser.ParseUnverified(tokenString, jwt.MapClaims{})
+	if err != nil {
+		return nil, err
+	}
+
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		return nil, fmt.Errorf("invalid token claims")
+	}
+
+	return claims, nil
+}
+
+// ParseJWTClaimsToStruct 解析 JWT 的负载部分，不验证签名，仅解析。
+func ParseJWTClaimsToStruct[T any](tokenString string) (*T, error) {
+	// 不验证签名，仅解析
+	parser := jwt.NewParser(jwt.WithoutClaimsValidation())
+	token, _, err := parser.ParseUnverified(tokenString, jwt.MapClaims{})
+	if err != nil {
+		return nil, err
+	}
+
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok {
+		return nil, fmt.Errorf("invalid token claims")
+	}
+
+	// 将 claims 转换为目标类型
+	claimsBytes, err := json.Marshal(claims)
+	if err != nil {
+		return nil, fmt.Errorf("failed to marshal claims: %v", err)
+	}
+
+	var ret T
+	err = json.Unmarshal(claimsBytes, &ret)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal claims: %v", err)
+	}
+
+	return &ret, nil
+}
+
+// VerifyJWT 验证 JWT 的签名
+func VerifyJWT(tokenString string, secretKey []byte) (jwt.MapClaims, error) {
+	// 解析并验证 JWT
+	token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+		// 确保使用的是 HMAC 签名方法
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+		return secretKey, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	// 验证 token 是否有效
+	if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
+		return claims, nil
+	}
+
+	return nil, fmt.Errorf("invalid token")
+}
+
+func GetJWTClaims(tokenString string) (map[string]interface{}, error) {
+	claims, err := ParseJWTPayload(tokenString)
+	if err != nil {
+		return nil, err
+	}
+
+	return claims, nil
+}
+
+// GenerateJWT 生成 JWT
+func GenerateJWT(mapClaims jwt.MapClaims, secretKey []byte, signingMethod jwt.SigningMethod) (string, error) {
+	// 检查密钥是否为空，密钥不能为空，否则会有安全隐患。
+	if len(secretKey) == 0 {
+		return "", fmt.Errorf("secret key cannot be empty")
+	}
+
+	// 创建一个新的 JWT Token
+	token := jwt.NewWithClaims(signingMethod, mapClaims)
+
+	// 使用 HMAC 签名方法签名 token
+	signedToken, err := token.SignedString(secretKey)
+	if err != nil {
+		return "", err
+	}
+
+	return signedToken, nil
+}
+
+// GenerateGenericJWT 生成 JWT
+func GenerateGenericJWT[T any](payload T, secretKey []byte, signingMethod jwt.SigningMethod) (string, error) {
+	// 检查密钥是否为空，密钥不能为空，否则会有安全隐患。
+	if len(secretKey) == 0 {
+		return "", fmt.Errorf("secret key cannot be empty")
+	}
+
+	// 将泛型 payload 转换为 jwt.MapClaims
+	claimsMap, err := ToMapClaims(payload)
+	if err != nil {
+		return "", fmt.Errorf("failed to convert payload to claims: %v", err)
+	}
+
+	// 创建一个新的 JWT Token
+	token := jwt.NewWithClaims(signingMethod, claimsMap)
+
+	// 使用 HMAC 签名方法签名 token
+	signedToken, err := token.SignedString(secretKey)
+	if err != nil {
+		return "", err
+	}
+
+	return signedToken, nil
+}
+
+// ToMapClaims 将泛型 payload 转换为 jwt.MapClaims
+func ToMapClaims[T any](payload T) (jwt.MapClaims, error) {
+	payloadBytes, err := json.Marshal(payload)
+	if err != nil {
+		return nil, err
+	}
+
+	var claims jwt.MapClaims
+	err = json.Unmarshal(payloadBytes, &claims)
+	if err != nil {
+		return nil, err
+	}
+
+	return claims, nil
+}
+
+// RefreshJWT 刷新JWT
+func RefreshJWT(tokenString string, secretKey []byte, newExpiration time.Time) (string, error) {
+	// 解析 JWT 的 payload
+	claims, err := ParseJWTPayload(tokenString)
+	if err != nil {
+		return "", err
+	}
+
+	// 更新过期时间
+	claims["exp"] = newExpiration.Unix()
+
+	// 生成新的 JWT
+	newToken, err := GenerateJWT(claims, secretKey, jwt.SigningMethodHS256)
+	if err != nil {
+		return "", err
+	}
+
+	return newToken, nil
+}
+
+// GenerateJWTWithHeader 生成带自定义头部的JWT
+func GenerateJWTWithHeader(payload jwt.MapClaims, secretKey []byte, signingMethod jwt.SigningMethod, customHeader map[string]interface{}) (string, error) {
+	// 检查密钥是否为空
+	if len(secretKey) == 0 {
+		return "", fmt.Errorf("secret key cannot be empty")
+	}
+
+	// 创建一个新的 JWT Token
+	token := jwt.NewWithClaims(signingMethod, payload)
+
+	// 添加自定义头部
+	for key, value := range customHeader {
+		token.Header[key] = value
+	}
+
+	// 使用密钥签名生成 JWT
+	signedToken, err := token.SignedString(secretKey)
+	if err != nil {
+		return "", err
+	}
+
+	return signedToken, nil
+}
+
+// ExtractJWTFromRequest 从请求中提取JWT
+func ExtractJWTFromRequest(r *http.Request) (string, error) {
+	// 从 Authorization Header 中提取 JWT
+	authHeader := r.Header.Get("Authorization")
+	if authHeader == "" {
+		return "", fmt.Errorf("authorization header is missing")
+	}
+
+	// 检查是否以 "Bearer " 开头
+	const bearerPrefix = "Bearer "
+	if len(authHeader) <= len(bearerPrefix) || authHeader[:len(bearerPrefix)] != bearerPrefix {
+		return "", fmt.Errorf("invalid authorization header format")
+	}
+
+	// 提取 JWT 部分
+	token := authHeader[len(bearerPrefix):]
+	return token, nil
+}
+
+// GenerateShortLivedJWT 生成短期有效的JWT
+func GenerateShortLivedJWT(payload jwt.MapClaims, secretKey []byte, signingMethod jwt.SigningMethod, duration time.Duration) (string, error) {
+	// 检查密钥是否为空
+	if len(secretKey) == 0 {
+		return "", fmt.Errorf("secret key cannot be empty")
+	}
+
+	// 设置过期时间
+	expirationTime := time.Now().Add(duration).Unix()
+	payload["exp"] = expirationTime
+
+	// 创建一个新的 JWT Token
+	token := jwt.NewWithClaims(signingMethod, payload)
+
+	// 使用密钥签名生成 JWT
+	signedToken, err := token.SignedString(secretKey)
+	if err != nil {
+		return "", err
+	}
+
+	return signedToken, nil
+}
+
+// ValidateJWTAudience 验证JWT受众
+func ValidateJWTAudience(tokenString string, expectedAudience string) (bool, error) {
+	// 解析 JWT 的 payload
+	claims, err := ParseJWTPayload(tokenString)
+	if err != nil {
+		return false, err
+	}
+
+	// 获取 `aud` 字段
+	audience, err := claims.GetAudience()
+	if err != nil {
+		return false, err
+	}
+
+	// 验证 `aud` 是否包含预期值
+	for _, aud := range audience {
+		if aud == expectedAudience {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+// ValidateJWTAlgorithm 验证JWT算法
+func ValidateJWTAlgorithm(tokenString string, expectedAlgorithm string) (bool, error) {
+	// 使用 jwt.Parser 解析 JWT，不验证签名
+	parser := jwt.NewParser(jwt.WithoutClaimsValidation())
+	token, _, err := parser.ParseUnverified(tokenString, jwt.MapClaims{})
+	if err != nil {
+		return false, err
+	}
+
+	// 获取 `alg` 字段
+	alg, ok := token.Header["alg"].(string)
+	if !ok {
+		return false, fmt.Errorf("invalid or missing algorithm in token header")
+	}
+
+	// 验证算法是否符合预期
+	if alg != expectedAlgorithm {
+		return false, nil
+	}
+
+	return true, nil
+}
+
+// IsJWTExpired 检查JWT是否过期
+func IsJWTExpired(tokenString string) (bool, error) {
+	// 解析 JWT 的 payload
+	claims, err := ParseJWTPayload(tokenString)
+	if err != nil {
+		return false, err
+	}
+
+	// 获取 `exp` 字段
+	exp, err := claims.GetExpirationTime()
+	if err != nil {
+		return false, err
+	}
+
+	// 检查当前时间是否超过 `exp`
+	if time.Now().After(exp.Time) {
+		return true, nil
+	}
+
+	return false, nil
+}
+
+// GetJWTHeader 获取JWT头部
+func GetJWTHeader(tokenString string) (map[string]interface{}, error) {
+	// 使用 jwt.Parser 解析 JWT，不验证签名
+	parser := jwt.NewParser(jwt.WithoutClaimsValidation())
+	token, _, err := parser.ParseUnverified(tokenString, jwt.MapClaims{})
+	if err != nil {
+		return nil, err
+	}
+
+	return token.Header, nil
+}
+
+// ValidateJWTIssuer 验证JWT发行者
+func ValidateJWTIssuer(tokenString string, expectedIssuer string) (bool, error) {
+	// 解析 JWT 的 payload
+	claims, err := ParseJWTPayload(tokenString)
+	if err != nil {
+		return false, err
+	}
+
+	// 获取 `iss` 字段
+	issuer, err := claims.GetIssuer()
+	if err != nil {
+		return false, err
+	}
+
+	// 验证 `iss` 是否符合预期
+	if issuer != expectedIssuer {
+		return false, nil
+	}
+
+	return true, nil
+}
+
+// GetJWTIssuedAt 获取JWT签发时间
+func GetJWTIssuedAt(tokenString string) (*time.Time, error) {
+	claims, err := ParseJWTPayload(tokenString)
+	if err != nil {
+		return nil, err
+	}
+
+	iat, err := claims.GetIssuedAt()
+	if err != nil {
+		return nil, err
+	}
+
+	return &iat.Time, nil
+}
--- a/jwtutil/jwt_test.go
+++ b/jwtutil/jwt_test.go
@@ -0,0 +1,516 @@
+package jwtutil
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestParseJWTPayload(t *testing.T) {
+	var secretKey = []byte("secret")
+
+	// 测试有效的 JWT 负载解析
+	token, err := GenerateJWT(jwt.MapClaims{
+		"sub": "userId",
+		"exp": 1672728000,
+	}, secretKey, jwt.SigningMethodHS256)
+	if err != nil {
+		t.Fatalf("failed to create token: %v", err)
+	}
+
+	result, err := ParseJWTPayload(token)
+	assert.NoError(t, err)
+	assert.NotNil(t, result)
+	assert.Equal(t, "userId", result["sub"])
+	assert.Equal(t, float64(1672728000), result["exp"]) // 注意：JSON 解码后数字为 float64
+
+	// 测试无效的 JWT
+	invalidToken := "invalid.token.string"
+	result, err = ParseJWTPayload(invalidToken)
+	assert.Error(t, err)
+	assert.Nil(t, result)
+
+	// 测试空字符串
+	result, err = ParseJWTPayload("")
+	assert.Error(t, err)
+	assert.Nil(t, result)
+}
+
+func TestParseJWTClaimsToStruct(t *testing.T) {
+	// 测试有效的 JWT 负载解析
+	type Payload struct {
+		Sub string `json:"sub"`
+		Exp int64  `json:"exp"`
+	}
+
+	var secretKey = []byte("secret")
+
+	// 验证签名以生成有效的 token
+	token, err := GenerateJWT(jwt.MapClaims{
+		"sub": "userId",
+		"exp": 1672728000,
+	}, secretKey, jwt.SigningMethodHS256)
+	if err != nil {
+		t.Fatalf("failed to create token: %v", err)
+	}
+
+	result, err := ParseJWTClaimsToStruct[Payload](token)
+	assert.NoError(t, err)
+	assert.NotNil(t, result)
+	assert.Equal(t, "userId", result.Sub)
+	assert.Equal(t, int64(1672728000), result.Exp)
+
+	// 测试无效的 JWT
+	invalidToken := "invalid.token.string"
+	result, err = ParseJWTClaimsToStruct[Payload](invalidToken)
+	assert.Error(t, err)
+	assert.Nil(t, result)
+
+	// 测试空字符串
+	result, err = ParseJWTClaimsToStruct[Payload]("")
+	assert.Error(t, err)
+	assert.Nil(t, result)
+}
+
+func TestVerifyJWT(t *testing.T) {
+	// 测试有效的 JWT 验证
+	secretKey := []byte("secret")
+
+	token, err := GenerateJWT(jwt.MapClaims{
+		"sub": "userId",
+	}, secretKey, jwt.SigningMethodHS256)
+	if err != nil {
+		t.Fatalf("failed to create token: %v", err)
+	}
+
+	result, err := VerifyJWT(token, secretKey)
+	assert.NoError(t, err)
+	assert.NotNil(t, result)
+	assert.Equal(t, "userId", result["sub"])
+
+	// 测试无效的签名
+	invalidSecretKey := []byte("invalid_secret")
+	result, err = VerifyJWT(token, invalidSecretKey)
+	assert.Error(t, err)
+	assert.Nil(t, result)
+
+	// 测试无效的 JWT 格式
+	invalidToken := "invalid.token.string"
+	result, err = VerifyJWT(invalidToken, secretKey)
+	assert.Error(t, err)
+	assert.Nil(t, result)
+
+	// 测试空字符串
+	result, err = VerifyJWT("", secretKey)
+	assert.Error(t, err)
+	assert.Nil(t, result)
+}
+
+func TestGenerateGenericJWT(t *testing.T) {
+	// 定义测试用的 payload 和密钥
+	type Payload struct {
+		Sub string `json:"sub"`
+		Exp int64  `json:"exp"`
+	}
+	secretKey := []byte("secret")
+	payload := Payload{
+		Sub: "userId",
+		Exp: 1672728000,
+	}
+
+	// 测试生成有效的 JWT
+	token, err := GenerateGenericJWT(payload, secretKey, jwt.SigningMethodHS256)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, token)
+
+	// 验证生成的 JWT 是否正确
+	parsedPayload, err := ParseJWTClaimsToStruct[Payload](token)
+	assert.NoError(t, err)
+	assert.NotNil(t, parsedPayload)
+	assert.Equal(t, payload.Sub, parsedPayload.Sub)
+	assert.Equal(t, payload.Exp, parsedPayload.Exp)
+
+	// 测试使用空密钥生成 JWT
+	emptySecretKey := []byte("")
+	token, err = GenerateGenericJWT(payload, emptySecretKey, jwt.SigningMethodHS256)
+	assert.Error(t, err)
+	assert.Empty(t, token)
+}
+
+func TestGenerateJWT(t *testing.T) {
+	// 定义测试用的 payload 和密钥
+	payload := jwt.MapClaims{
+		"sub": "userId",
+		"exp": 1672728000,
+	}
+	secretKey := []byte("secret")
+
+	// 测试生成有效的 JWT
+	token, err := GenerateJWT(payload, secretKey, jwt.SigningMethodHS256)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, token)
+
+	// 验证生成的 JWT 是否正确
+	parsedPayload, err := ParseJWTPayload(token)
+	assert.NoError(t, err)
+	assert.NotNil(t, parsedPayload)
+	assert.Equal(t, payload["sub"], parsedPayload["sub"])
+	assert.Equal(t, float64(payload["exp"].(int)), parsedPayload["exp"].(float64)) // 注意：JSON 解码后数字为 float64
+
+	// 测试使用空密钥生成 JWT
+	emptySecretKey := []byte("")
+	token, err = GenerateJWT(payload, emptySecretKey, jwt.SigningMethodHS256)
+	assert.Error(t, err)
+	assert.Empty(t, token)
+}
+
+func TestRefreshJWT(t *testing.T) {
+	secretKey := []byte("secret")
+
+	// 创建一个初始的 JWT
+	originalToken, err := GenerateJWT(jwt.MapClaims{
+		"sub": "userId",
+		"exp": time.Now().Add(1 * time.Hour).Unix(),
+	}, secretKey, jwt.SigningMethodHS256)
+	if err != nil {
+		t.Fatalf("failed to create token: %v", err)
+	}
+
+	// 刷新 JWT，设置新的过期时间
+	newExpiration := time.Now().Add(2 * time.Hour)
+	refreshedToken, err := RefreshJWT(originalToken, secretKey, newExpiration)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, refreshedToken)
+
+	// 验证刷新后的 JWT 是否包含新的过期时间
+	claims, err := ParseJWTPayload(refreshedToken)
+	assert.NoError(t, err)
+	assert.NotNil(t, claims)
+
+	exp, ok := claims["exp"].(float64)
+	assert.True(t, ok)
+	assert.Equal(t, newExpiration.Unix(), int64(exp))
+
+	// 测试无效的 JWT
+	invalidToken := "invalid.token.string"
+	_, err = RefreshJWT(invalidToken, secretKey, newExpiration)
+	assert.Error(t, err)
+
+	// 测试空字符串
+	_, err = RefreshJWT("", secretKey, newExpiration)
+	assert.Error(t, err)
+}
+
+func TestGenerateJWTWithHeader(t *testing.T) {
+	// 定义测试用的 payload、密钥和自定义头部
+	payload := jwt.MapClaims{
+		"sub": "userId",
+		"exp": time.Now().Add(1 * time.Hour).Unix(),
+	}
+	secretKey := []byte("secret")
+	customHeader := map[string]interface{}{
+		"kid": "key-id-123",
+	}
+
+	// 测试生成有效的 JWT
+	token, err := GenerateJWTWithHeader(payload, secretKey, jwt.SigningMethodHS256, customHeader)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, token)
+
+	// 验证生成的 JWT 是否包含自定义头部
+	parser := jwt.NewParser(jwt.WithoutClaimsValidation())
+	parsedToken, _, err := parser.ParseUnverified(token, jwt.MapClaims{})
+	assert.NoError(t, err)
+	assert.NotNil(t, parsedToken)
+
+	// 检查头部是否包含自定义字段
+	assert.Equal(t, "key-id-123", parsedToken.Header["kid"])
+
+	// 测试使用空密钥生成 JWT
+	emptySecretKey := []byte("")
+	token, err = GenerateJWTWithHeader(payload, emptySecretKey, jwt.SigningMethodHS256, customHeader)
+	assert.Error(t, err)
+	assert.Empty(t, token)
+}
+
+func TestExtractJWTFromRequest(t *testing.T) {
+	// 测试有效的 Authorization Header
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.Header.Set("Authorization", "Bearer valid.jwt.token")
+	token, err := ExtractJWTFromRequest(req)
+	assert.NoError(t, err)
+	assert.Equal(t, "valid.jwt.token", token)
+
+	// 测试缺少 Authorization Header
+	req = httptest.NewRequest(http.MethodGet, "/", nil)
+	token, err = ExtractJWTFromRequest(req)
+	assert.Error(t, err)
+	assert.Equal(t, "authorization header is missing", err.Error())
+	assert.Empty(t, token)
+
+	// 测试无效的 Authorization Header 格式
+	req = httptest.NewRequest(http.MethodGet, "/", nil)
+	req.Header.Set("Authorization", "InvalidFormat")
+	token, err = ExtractJWTFromRequest(req)
+	assert.Error(t, err)
+	assert.Equal(t, "invalid authorization header format", err.Error())
+	assert.Empty(t, token)
+
+	// 测试空的 Bearer Token
+	req = httptest.NewRequest(http.MethodGet, "/", nil)
+	req.Header.Set("Authorization", "Bearer ")
+	token, err = ExtractJWTFromRequest(req)
+	assert.Error(t, err)
+	assert.Empty(t, token)
+}
+
+func TestGenerateShortLivedJWT(t *testing.T) {
+	secretKey := []byte("secret")
+	payload := jwt.MapClaims{
+		"sub": "userId",
+	}
+
+	// 测试生成短期有效的 JWT
+	duration := 1 * time.Hour
+	token, err := GenerateShortLivedJWT(payload, secretKey, jwt.SigningMethodHS256, duration)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, token)
+
+	// 验证生成的 JWT 是否包含正确的过期时间
+	claims, err := ParseJWTPayload(token)
+	assert.NoError(t, err)
+	assert.NotNil(t, claims)
+
+	exp, ok := claims["exp"].(float64)
+	assert.True(t, ok)
+	expectedExp := time.Now().Add(duration).Unix()
+	assert.InDelta(t, expectedExp, int64(exp), 5) // 允许 5 秒的时间误差
+
+	// 测试空密钥
+	emptySecretKey := []byte("")
+	token, err = GenerateShortLivedJWT(payload, emptySecretKey, jwt.SigningMethodHS256, duration)
+	assert.Error(t, err)
+	assert.Empty(t, token)
+}
+
+func TestValidateJWTAudience(t *testing.T) {
+	secretKey := []byte("secret")
+
+	// 创建一个包含受众的 JWT
+	token, err := GenerateJWT(jwt.MapClaims{
+		"aud": []string{"audience1", "audience2"},
+	}, secretKey, jwt.SigningMethodHS256)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, token)
+
+	// 测试受众验证成功
+	valid, err := ValidateJWTAudience(token, "audience1")
+	assert.NoError(t, err)
+	assert.True(t, valid)
+
+	// 测试受众验证失败
+	valid, err = ValidateJWTAudience(token, "audience3")
+	assert.NoError(t, err)
+	assert.False(t, valid)
+
+	// 测试无效的 JWT
+	invalidToken := "invalid.token.string"
+	valid, err = ValidateJWTAudience(invalidToken, "audience1")
+	assert.Error(t, err)
+	assert.False(t, valid)
+
+	// 测试空字符串
+	valid, err = ValidateJWTAudience("", "audience1")
+	assert.Error(t, err)
+	assert.False(t, valid)
+}
+
+func TestValidateJWTAlgorithm(t *testing.T) {
+	secretKey := []byte("secret")
+
+	// 测试有效的 JWT 算法验证
+	token, err := GenerateJWT(jwt.MapClaims{
+		"sub": "userId",
+	}, secretKey, jwt.SigningMethodHS256)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, token)
+
+	valid, err := ValidateJWTAlgorithm(token, "HS256")
+	assert.NoError(t, err)
+	assert.True(t, valid)
+
+	// 测试无效的算法
+	valid, err = ValidateJWTAlgorithm(token, "RS256")
+	assert.NoError(t, err)
+	assert.False(t, valid)
+
+	// 测试无效的 JWT
+	invalidToken := "invalid.token.string"
+	valid, err = ValidateJWTAlgorithm(invalidToken, "HS256")
+	assert.Error(t, err)
+	assert.False(t, valid)
+
+	// 测试空字符串
+	valid, err = ValidateJWTAlgorithm("", "HS256")
+	assert.Error(t, err)
+	assert.False(t, valid)
+}
+
+func TestIsJWTExpired(t *testing.T) {
+	secretKey := []byte("secret")
+
+	// 测试未过期的 JWT
+	notExpiredToken, err := GenerateJWT(jwt.MapClaims{
+		"sub": "userId",
+		"exp": time.Now().Add(1 * time.Hour).Unix(),
+	}, secretKey, jwt.SigningMethodHS256)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, notExpiredToken)
+
+	isExpired, err := IsJWTExpired(notExpiredToken)
+	assert.NoError(t, err)
+	assert.False(t, isExpired)
+
+	// 测试已过期的 JWT
+	expiredToken, err := GenerateJWT(jwt.MapClaims{
+		"sub": "userId",
+		"exp": time.Now().Add(-1 * time.Hour).Unix(),
+	}, secretKey, jwt.SigningMethodHS256)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, expiredToken)
+
+	isExpired, err = IsJWTExpired(expiredToken)
+	assert.NoError(t, err)
+	assert.True(t, isExpired)
+
+	// 测试无效的 JWT
+	invalidToken := "invalid.token.string"
+	isExpired, err = IsJWTExpired(invalidToken)
+	assert.Error(t, err)
+	assert.False(t, isExpired)
+
+	// 测试空字符串
+	isExpired, err = IsJWTExpired("")
+	assert.Error(t, err)
+	assert.False(t, isExpired)
+}
+
+func TestGetJWTHeader(t *testing.T) {
+	secretKey := []byte("secret")
+
+	// 测试有效的 JWT 头部解析
+	token, err := GenerateJWT(jwt.MapClaims{
+		"sub": "userId",
+	}, secretKey, jwt.SigningMethodHS256)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, token)
+
+	header, err := GetJWTHeader(token)
+	assert.NoError(t, err)
+	assert.NotNil(t, header)
+	assert.Equal(t, "JWT", header["typ"])
+	assert.Equal(t, "HS256", header["alg"])
+
+	// 测试无效的 JWT
+	invalidToken := "invalid.token.string"
+	header, err = GetJWTHeader(invalidToken)
+	assert.Error(t, err)
+	assert.Nil(t, header)
+
+	// 测试空字符串
+	header, err = GetJWTHeader("")
+	assert.Error(t, err)
+	assert.Nil(t, header)
+}
+
+func TestValidateJWTIssuer(t *testing.T) {
+	secretKey := []byte("secret")
+
+	// 测试有效的发行者验证
+	token, err := GenerateJWT(jwt.MapClaims{
+		"iss": "trusted-issuer",
+	}, secretKey, jwt.SigningMethodHS256)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, token)
+
+	valid, err := ValidateJWTIssuer(token, "trusted-issuer")
+	assert.NoError(t, err)
+	assert.True(t, valid)
+
+	// 测试无效的发行者
+	valid, err = ValidateJWTIssuer(token, "untrusted-issuer")
+	assert.NoError(t, err)
+	assert.False(t, valid)
+
+	// 测试无效的 JWT
+	invalidToken := "invalid.token.string"
+	valid, err = ValidateJWTIssuer(invalidToken, "trusted-issuer")
+	assert.Error(t, err)
+	assert.False(t, valid)
+
+	// 测试空字符串
+	valid, err = ValidateJWTIssuer("", "trusted-issuer")
+	assert.Error(t, err)
+	assert.False(t, valid)
+}
+
+func TestGetJWTIssuedAt(t *testing.T) {
+	secretKey := []byte("secret")
+
+	// 测试有效的 JWT 签发时间
+	issuedAt := time.Now().Add(-1 * time.Hour).Unix()
+	token, err := GenerateJWT(jwt.MapClaims{
+		"sub": "userId",
+		"iat": issuedAt,
+	}, secretKey, jwt.SigningMethodHS256)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, token)
+
+	iat, err := GetJWTIssuedAt(token)
+	assert.NoError(t, err)
+	assert.NotNil(t, iat)
+	assert.Equal(t, issuedAt, iat.Unix())
+
+	// 测试无效的 JWT
+	invalidToken := "invalid.token.string"
+	iat, err = GetJWTIssuedAt(invalidToken)
+	assert.Error(t, err)
+	assert.Nil(t, iat)
+
+	// 测试空字符串
+	iat, err = GetJWTIssuedAt("")
+	assert.Error(t, err)
+	assert.Nil(t, iat)
+}
+
+func TestGetJWTClaims(t *testing.T) {
+	secretKey := []byte("secret")
+
+	// 测试有效的 JWT
+	token, err := GenerateJWT(jwt.MapClaims{
+		"sub": "userId",
+		"exp": time.Now().Add(1 * time.Hour).Unix(),
+	}, secretKey, jwt.SigningMethodHS256)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, token)
+
+	claims, err := GetJWTClaims(token)
+	assert.NoError(t, err)
+	assert.NotNil(t, claims)
+	assert.Equal(t, "userId", claims["sub"])
+
+	// 测试无效的 JWT
+	invalidToken := "invalid.token.string"
+	claims, err = GetJWTClaims(invalidToken)
+	assert.Error(t, err)
+	assert.Nil(t, claims)
+
+	// 测试空字符串
+	claims, err = GetJWTClaims("")
+	assert.Error(t, err)
+	assert.Nil(t, claims)
+}
--- a/tag.bat
+++ b/tag.bat
@@ -4,6 +4,7 @@ git tag bank_card/v1.1.5
 git tag geoip/v1.1.5
 git tag translator/v1.1.2
 git tag copierutil/v0.0.3
+git tag jwtutil/v0.0.1

 git tag entgo/v1.1.28
 git tag gorm/v1.1.6