From 6d7ac05d0f3bbd5d996196819ceb38dcbd19fdf7 Mon Sep 17 00:00:00 2001
From: iven
Date: Wed, 3 Jun 2026 09:51:47 +0800
Subject: [PATCH] =?UTF-8?q?fix(auth):=20Token=20=E9=BB=91=E5=90=8D?=
 =?UTF-8?q?=E5=8D=95=E6=94=B9=E7=94=A8=20SHA-256=20=E6=9B=BF=E4=BB=A3=20Si?=
 =?UTF-8?q?pHash?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- access token 黑名单 hash 函数从 std::collections::DefaultHasher (SipHash) 改为 sha2::Sha256,与 refresh token 存储一致
- SipHash 是非密码学 hash,理论上可被构造碰撞绕过黑名单检查
- SHA-256 提供密码学安全保证,且 sha2 已在 Cargo.toml 依赖中
审计 ID: S-01
---
 crates/erp-auth/src/middleware/jwt_auth.rs | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/crates/erp-auth/src/middleware/jwt_auth.rs b/crates/erp-auth/src/middleware/jwt_auth.rs
index a16f409..4ba2088 100644
--- a/crates/erp-auth/src/middleware/jwt_auth.rs
+++ b/crates/erp-auth/src/middleware/jwt_auth.rs
@@ -61,10 +61,12 @@ fn is_token_revoked(token: &str, _exp: i64) -> bool {
 }
 
 fn token_hash(token: &str) -> String {
- use std::hash::{Hash, Hasher};
- let mut hasher = std::collections::hash_map::DefaultHasher::new();
- token.hash(&mut hasher);
- format!("{:016x}", hasher.finish())
+ use sha2::{Digest, Sha256};
+ let mut hasher = Sha256::new();
+ hasher.update(token.as_bytes());
+ format!("{:016x}", u64::from_be_bytes(
+ hasher.finalize().as_slice()[0..8].try_into().unwrap_or([0u8; 8])
+ ))
 }
 
 /// JWT authentication middleware function.
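Review bot: The new `token_hash` keeps only the first 8 bytes of the SHA-256 digest, so the blacklist key is still a 64-bit value; truncating that far gives up most of the margin the commit message cites, and it is not consistent with the refresh-token store if that store keeps the full digest. The `unwrap_or([0u8; 8])` fallback is unreachable (the `[0..8]` slice of a 32-byte digest is always 8 bytes), but if it ever fired it would map every token to the single key `0000000000000000`, which is the wrong failure mode for a revocation check. Both issues go away by hex-encoding the whole digest, replacing the three `format!`/`try_into` lines with `let digest = Sha256::digest(token.as_bytes());` followed by `format!("{:x}", digest)`. Separately, entries written under the old SipHash key no longer match after this change, so if the blacklist persists across deploys the existing entries should be flushed or re-keyed, otherwise tokens revoked before the rollout are accepted again until they expire.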