feat: Enhance JWT handling and update dependencies (#38)

- Add note to README about jjwt 0.12.x exclusions in Maven/Gradle
- Update API and example pom files from version 0.2.4 to 0.2.5
- Introduce JWTBuilder, DefaultJWTBuilder, and ExampleJWTBuilder for JWT generation
- Refactor JWTOAuthClient to delegate JWT creation
- Implement RxJava for asynchronous chat event processing in example

Author: hanzeINGH

README.md

@@ -531,6 +531,41 @@ public void getAccessToken() {
 
 #### JWT OAuth App
 
+**Note**: The SDK uses jjwt version 0.11.5. If you are using jjwt version 0.12.x or above:
+
+1. You need to exclude jjwt dependencies when importing the SDK:
+
+for Maven:
+```xml
+<dependency>
+    <groupId>com.coze</groupId>
+    <artifactId>coze-api</artifactId>
+    <version>0.1.0</version>
+    <exclusions>
+        <exclusion>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-api</artifactId>
+        </exclusion>
+        <exclusion>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-impl</artifactId>
+        </exclusion>
+        <exclusion>
+            <groupId>io.jsonwebtoken</groupId>
+            <artifactId>jjwt-jackson</artifactId>
+        </exclusion>
+    </exclusions>
+</dependency>
+```
+
+for Gradle:
+```
+implementation('com.coze:coze-api:0.1.0') {
+    exclude group: 'io.jsonwebtoken'
+}
+```
+2. Please refer to [ExampleJWTBuilder.java](example/src/main/java/example/auth/ExampleJWTBuilder.java) to implement your own JWT builder.
+
 Firstly, users need to access https://www.coze.com/open/oauth/apps. For the cn environment,
 users need to access https://www.coze.cn/open/oauth/apps to create an OAuth App of the type
 of Service application.

api/pom.xml

@@ -43,7 +43,7 @@
     </parent>
 
     <artifactId>coze-api</artifactId>
-    <version>0.2.4</version>
+    <version>0.2.5</version>
 
     <scm>
         <connection>scm:git:git://github.com/coze-dev/coze-java.git</connection>

api/src/main/java/com/coze/openapi/service/auth/DefaultJWTBuilder.java

@@ -0,0 +1,35 @@
+package com.coze.openapi.service.auth;
+
+import java.security.PrivateKey;
+import java.util.Map;
+
+import io.jsonwebtoken.JwtBuilder;
+import io.jsonwebtoken.Jwts;
+import io.jsonwebtoken.SignatureAlgorithm;
+import lombok.NoArgsConstructor;
+
+@NoArgsConstructor
+public class DefaultJWTBuilder implements JWTBuilder {
+
+  @Override
+  public String generateJWT(PrivateKey privateKey, Map<String, Object> header, JWTPayload payload) {
+    try {
+      JwtBuilder jwtBuilder =
+          Jwts.builder()
+              .setHeader(header)
+              .setIssuer(payload.getIss())
+              .setAudience(payload.getAud())
+              .setIssuedAt(payload.getIat())
+              .setExpiration(payload.getExp())
+              .setId(payload.getJti())
+              .signWith(privateKey, SignatureAlgorithm.RS256);
+      if (payload.getSessionName() != null) {
+        jwtBuilder.claim("session_name", payload.getSessionName());
+      }
+      return jwtBuilder.compact();
+
+    } catch (Exception e) {
+      throw new RuntimeException("Failed to generate JWT", e);
+    }
+  }
+}

api/src/main/java/com/coze/openapi/service/auth/JWTBuilder.java

@@ -0,0 +1,8 @@
+package com.coze.openapi.service.auth;
+
+import java.security.PrivateKey;
+import java.util.Map;
+
+public interface JWTBuilder {
+  String generateJWT(PrivateKey privateKey, Map<String, Object> header, JWTPayload payload);
+}

api/src/main/java/com/coze/openapi/service/auth/JWTOAuthClient.java

@@ -12,20 +12,24 @@
 import com.coze.openapi.client.auth.scope.Scope;
 import com.coze.openapi.service.utils.Utils;
 
-import io.jsonwebtoken.JwtBuilder;
-import io.jsonwebtoken.Jwts;
-import io.jsonwebtoken.SignatureAlgorithm;
 import lombok.Getter;
 
 public class JWTOAuthClient extends OAuthClient {
   @Getter private final Integer ttl;
   private final PrivateKey privateKey;
   private final String publicKey;
+  private final JWTBuilder jwtBuilder;
 
   protected JWTOAuthClient(JWTOAuthBuilder builder) throws Exception {
     super(builder);
+
     this.privateKey = parsePrivateKey(builder.privateKey);
     this.publicKey = builder.publicKey;
+    if (builder.jwtBuilder != null) {
+      this.jwtBuilder = builder.jwtBuilder;
+    } else {
+      this.jwtBuilder = new DefaultJWTBuilder();
+    }
     this.ttl = builder.ttl;
   }
 
@@ -79,37 +83,23 @@ public OAuthToken getAccessToken(Integer ttl, Scope scope, String sessionName) {
   private OAuthToken doGetAccessToken(Integer ttl, Scope scope, String sessionName) {
     GetAccessTokenReq.GetAccessTokenReqBuilder builder = GetAccessTokenReq.builder();
     builder.grantType(GrantType.JWT_CODE.getValue()).durationSeconds(ttl).scope(scope);
-
-    return getAccessToken(this.generateJWT(ttl, sessionName), builder.build());
-  }
-
-  private String generateJWT(int ttl, String sessionName) {
-    try {
-      long now = System.currentTimeMillis() / 1000;
-
-      // 构建 JWT header
-      Map<String, Object> header = new HashMap<>();
-      header.put("alg", "RS256");
-      header.put("typ", "JWT");
-      header.put("kid", this.publicKey);
-
-      JwtBuilder jwtBuilder =
-          Jwts.builder()
-              .setHeader(header)
-              .setIssuer(this.clientID)
-              .setAudience(this.hostName)
-              .setIssuedAt(new Date(now * 1000))
-              .setExpiration(new Date((now + ttl) * 1000))
-              .setId(Utils.genRandomSign(16))
-              .signWith(privateKey, SignatureAlgorithm.RS256);
-      if (sessionName != null) {
-        jwtBuilder.claim("session_name", sessionName);
-      }
-      return jwtBuilder.compact();
-
-    } catch (Exception e) {
-      throw new RuntimeException("Failed to generate JWT", e);
-    }
+    Map<String, Object> header = new HashMap<>();
+    header.put("alg", "RS256");
+    header.put("typ", "JWT");
+    header.put("kid", this.publicKey);
+    long now = System.currentTimeMillis() / 1000;
+
+    JWTPayload payload =
+        JWTPayload.builder()
+            .iss(this.clientID)
+            .aud(this.hostName)
+            .exp(new Date((now + this.ttl) * 1000))
+            .iat(new Date(now * 1000))
+            .sessionName(sessionName)
+            .jti(Utils.genRandomSign(16))
+            .build();
+    return getAccessToken(
+        this.jwtBuilder.generateJWT(privateKey, header, payload), builder.build());
   }
 
   private PrivateKey parsePrivateKey(String privateKeyPEM) throws Exception {
@@ -129,6 +119,7 @@ public static class JWTOAuthBuilder extends OAuthBuilder<JWTOAuthBuilder> {
     private Integer ttl;
     private String publicKey;
     private String privateKey;
+    private JWTBuilder jwtBuilder;
 
     public JWTOAuthBuilder publicKey(String publicKey) {
       this.publicKey = publicKey;
@@ -145,6 +136,12 @@ public JWTOAuthBuilder privateKey(String privateKey) {
       return this;
     }
 
+    // If you are using jjwt version 0.12.x or above, you need to handle JWT parsing by yourself
+    public JWTOAuthBuilder jwtBuilder(JWTBuilder jwtBuilder) {
+      this.jwtBuilder = jwtBuilder;
+      return this;
+    }
+
     @Override
     protected JWTOAuthBuilder self() {
       return this;

api/src/main/java/com/coze/openapi/service/auth/JWTPayload.java

@@ -0,0 +1,18 @@
+package com.coze.openapi.service.auth;
+
+import java.util.Date;
+
+import lombok.*;
+
+@Data
+@Builder
+@AllArgsConstructor
+@NoArgsConstructor
+public class JWTPayload {
+  @NonNull private String iss;
+  @NonNull private String aud;
+  @NonNull private Date iat;
+  @NonNull private Date exp;
+  @NonNull private String jti;
+  private String sessionName;
+}

api/src/main/java/com/coze/openapi/service/service/common/AbstractEventCallback.java

@@ -5,6 +5,8 @@
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.nio.charset.StandardCharsets;
+import java.util.concurrent.ExecutorService;
+import java.util.concurrent.Executors;
 
 import org.slf4j.Logger;
 
@@ -24,71 +26,99 @@ public abstract class AbstractEventCallback<T> implements Callback<ResponseBody>
   private static final ObjectMapper mapper = Utils.defaultObjectMapper();
   private static final Logger logger = CozeLoggerFactory.getLogger();
 
+  private final ExecutorService backgroundExecutor;
   protected FlowableEmitter<T> emitter;
 
   public AbstractEventCallback(FlowableEmitter<T> emitter) {
     this.emitter = emitter;
+    this.backgroundExecutor = Executors.newSingleThreadExecutor();
+
+    emitter.setCancellable(backgroundExecutor::shutdownNow);
   }
 
   @Override
   public void onResponse(Call<ResponseBody> call, Response<ResponseBody> response) {
-    BufferedReader reader = null;
-
-    try {
-      String logID = Utils.getLogID(response);
-      if (!response.isSuccessful()) {
-        logger.warn("HTTP error: " + response.code() + " " + response.message());
-        String errStr = response.errorBody().string();
-        CozeError error = mapper.readValue(errStr, CozeError.class);
-        throw new CozeApiException(
-            Integer.valueOf(response.code()), error.getErrorMessage(), logID);
-      }
-
-      // 检查 response body 是否为 BaseResponse 格式
-      String contentType = response.headers().get("Content-Type");
-      if (contentType != null && contentType.contains("application/json")) {
-        String respStr = response.body().string();
-        BaseResponse<?> baseResp = mapper.readValue(respStr, BaseResponse.class);
-        if (baseResp.getCode() != 0) {
-          logger.warn("API error: {} {}", baseResp.getCode(), baseResp.getMsg());
-          throw new CozeApiException(baseResp.getCode(), baseResp.getMsg(), logID);
-        }
-        return;
-      }
-
-      InputStream in = response.body().byteStream();
-      reader = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8));
-      String line;
-
-      while (!emitter.isCancelled() && (line = reader.readLine()) != null) {
-        if (processLine(line, reader, logID)) {
-          break;
-        }
-      }
-
-      emitter.onComplete();
-
-    } catch (Throwable t) {
-      onFailure(call, t);
-    } finally {
-      if (reader != null) {
-        try {
-          reader.close();
-        } catch (IOException e) {
-          // do nothing
-        }
-        if (response.body() != null) {
-          response.body().close();
-        }
-      }
-    }
+    // 将整个处理过程移到后台线程
+    backgroundExecutor.execute(
+        () -> {
+          BufferedReader reader = null;
+
+          try {
+            String logID = Utils.getLogID(response);
+            if (!response.isSuccessful()) {
+              logger.warn("HTTP error: " + response.code() + " " + response.message());
+              String errStr = response.errorBody().string();
+              CozeError error = mapper.readValue(errStr, CozeError.class);
+              CozeApiException exception =
+                  new CozeApiException(
+                      Integer.valueOf(response.code()), error.getErrorMessage(), logID);
+              emitter.onError(exception);
+              return;
+            }
+
+            // 检查 response body 是否为 BaseResponse 格式
+            String contentType = response.headers().get("Content-Type");
+            if (contentType != null && contentType.contains("application/json")) {
+              String respStr = response.body().string();
+              try {
+                BaseResponse<?> baseResp = mapper.readValue(respStr, BaseResponse.class);
+                if (baseResp.getCode() != 0) {
+                  logger.warn("API error: {} {}", baseResp.getCode(), baseResp.getMsg());
+                  CozeApiException exception =
+                      new CozeApiException(baseResp.getCode(), baseResp.getMsg(), logID);
+                  emitter.onError(exception);
+                  return;
+                }
+                emitter.onComplete();
+                return;
+              } catch (Exception e) {
+                logger.error("Failed to parse JSON response: {}", respStr, e);
+                CozeApiException exception =
+                    new CozeApiException(
+                        -1, "Failed to parse JSON response: " + e.getMessage(), logID);
+                emitter.onError(exception);
+                return;
+              }
+            }
+
+            InputStream in = response.body().byteStream();
+            reader = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8));
+            String line;
+
+            while (!emitter.isCancelled() && (line = reader.readLine()) != null) {
+              if (processLine(line, reader, logID)) {
+                break;
+              }
+            }
+
+            emitter.onComplete();
+
+          } catch (Throwable t) {
+            onFailure(call, t);
+          } finally {
+            if (reader != null) {
+              try {
+                reader.close();
+              } catch (IOException e) {
+                // do nothing
+              }
+              if (response.body() != null) {
+                response.body().close();
+              }
+            }
+          }
+        });
   }
 
   protected abstract boolean processLine(String line, BufferedReader reader, String logID)
       throws IOException;
 
   @Override
   public void onFailure(Call<ResponseBody> call, Throwable t) {
-    emitter.onError(t);
+    try {
+      emitter.onError(t);
+    } finally {
+      backgroundExecutor.shutdown();
+    }
   }
 }

api/src/main/java/com/coze/openapi/service/utils/UserAgentInterceptor.java

@@ -24,7 +24,7 @@ public Response intercept(Chain chain) throws IOException {
     return chain.proceed(request);
   }
 
-  public static final String VERSION = "0.2.4";
+  public static final String VERSION = "0.2.5";
   private static final ObjectMapper objectMapper = new ObjectMapper();
 
   /** 获取操作系统版本 */

api/src/test/java/com/coze/openapi/service/auth/JWTOAuthClientTest.java

@@ -64,6 +64,7 @@ void setUp() throws Exception {
             .publicKey("test_public_key")
             .privateKey(TEST_PRIVATE_KEY)
             .ttl(900)
+            .jwtBuilder(new DefaultJWTBuilder())
             .build();
     TestUtils.setField(client, "api", mockApi);
   }