update 优化 SaReactorFilter 过滤器判断 token 客户端 id 是否有效 ;

2 years ago · 460cdbd87a
parent 6acbb39db0
commit 460cdbd87a
7 changed files with 25 additions and 0 deletions
--- a/ruoyi-auth/src/main/java/org/dromara/auth/service/impl/EmailAuthStrategy.java
+++ b/ruoyi-auth/src/main/java/org/dromara/auth/service/impl/EmailAuthStrategy.java
@ -59,6 +59,7 @@ public class EmailAuthStrategy implements IAuthStrategy {
        // 例如: 后台用户30分钟过期 app用户1天过期
        model.setTimeout(client.getTimeout());
        model.setActiveTimeout(client.getActiveTimeout());
+        model.setExtra(LoginHelper.CLIENT_KEY, clientId);
        // 生成token
        LoginHelper.login(loginUser, model);

--- a/ruoyi-auth/src/main/java/org/dromara/auth/service/impl/PasswordAuthStrategy.java
+++ b/ruoyi-auth/src/main/java/org/dromara/auth/service/impl/PasswordAuthStrategy.java
@ -72,6 +72,7 @@ public class PasswordAuthStrategy implements IAuthStrategy {
        // 例如: 后台用户30分钟过期 app用户1天过期
        model.setTimeout(client.getTimeout());
        model.setActiveTimeout(client.getActiveTimeout());
+        model.setExtra(LoginHelper.CLIENT_KEY, clientId);
        // 生成token
        LoginHelper.login(loginUser, model);

--- a/ruoyi-auth/src/main/java/org/dromara/auth/service/impl/SmsAuthStrategy.java
+++ b/ruoyi-auth/src/main/java/org/dromara/auth/service/impl/SmsAuthStrategy.java
@ -59,6 +59,7 @@ public class SmsAuthStrategy implements IAuthStrategy {
        // 例如: 后台用户30分钟过期 app用户1天过期
        model.setTimeout(client.getTimeout());
        model.setActiveTimeout(client.getActiveTimeout());
+        model.setExtra(LoginHelper.CLIENT_KEY, clientId);
        // 生成token
        LoginHelper.login(loginUser, model);

--- a/ruoyi-auth/src/main/java/org/dromara/auth/service/impl/SocialAuthStrategy.java
+++ b/ruoyi-auth/src/main/java/org/dromara/auth/service/impl/SocialAuthStrategy.java
@ -96,6 +96,7 @@ public class SocialAuthStrategy implements IAuthStrategy {
        // 例如: 后台用户30分钟过期 app用户1天过期
        model.setTimeout(client.getTimeout());
        model.setActiveTimeout(client.getActiveTimeout());
+        model.setExtra(LoginHelper.CLIENT_KEY, clientId);
        // 生成token
        LoginHelper.login(loginUser, model);

--- a/ruoyi-auth/src/main/java/org/dromara/auth/service/impl/XcxAuthStrategy.java
+++ b/ruoyi-auth/src/main/java/org/dromara/auth/service/impl/XcxAuthStrategy.java
@ -54,6 +54,7 @@ public class XcxAuthStrategy implements IAuthStrategy {
        // 例如: 后台用户30分钟过期 app用户1天过期
        model.setTimeout(client.getTimeout());
        model.setActiveTimeout(client.getActiveTimeout());
+        model.setExtra(LoginHelper.CLIENT_KEY, clientId);
        // 生成token
        LoginHelper.login(loginUser, model);

--- a/ruoyi-common/ruoyi-common-satoken/src/main/java/org/dromara/common/satoken/utils/LoginHelper.java
+++ b/ruoyi-common/ruoyi-common-satoken/src/main/java/org/dromara/common/satoken/utils/LoginHelper.java
@ -35,6 +35,7 @@ public class LoginHelper {
    public static final String LOGIN_USER_KEY = "loginUser";
    public static final String TENANT_KEY = "tenantId";
    public static final String USER_KEY = "userId";
+    public static final String CLIENT_KEY = "clientid";

    /**
     * 登录系统 基于 设备类型
--- a/ruoyi-gateway/src/main/java/org/dromara/gateway/filter/AuthFilter.java
+++ b/ruoyi-gateway/src/main/java/org/dromara/gateway/filter/AuthFilter.java
@ -1,13 +1,19 @@
 package org.dromara.gateway.filter;

+import cn.dev33.satoken.exception.NotLoginException;
+import cn.dev33.satoken.reactor.context.SaReactorSyncHolder;
 import cn.dev33.satoken.reactor.filter.SaReactorFilter;
 import cn.dev33.satoken.router.SaRouter;
 import cn.dev33.satoken.stp.StpUtil;
 import cn.dev33.satoken.util.SaResult;
 import org.dromara.common.core.constant.HttpStatus;
+import org.dromara.common.core.utils.ServletUtils;
+import org.dromara.common.core.utils.StringUtils;
+import org.dromara.common.satoken.utils.LoginHelper;
 import org.dromara.gateway.config.properties.IgnoreWhiteProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.server.reactive.ServerHttpRequest;

 /**
 * [Sa-Token 权限认证] 拦截器
@ -35,6 +41,19 @@ public class AuthFilter {
                        // 检查是否登录 是否有token
                        StpUtil.checkLogin();

+                        // 检查 header 里的 clientId 与 token 里的是否一致
+                        ServerHttpRequest request = SaReactorSyncHolder.getContext().getRequest();
+                        String headerCid = request.getHeaders().getFirst(LoginHelper.CLIENT_KEY);
+                        String clientId = StpUtil.getExtra(LoginHelper.CLIENT_KEY).toString();
+                        if (!StringUtils.equals(headerCid, clientId)) {
+                            // token 无效
+                            throw NotLoginException.newInstance(
+                                StpUtil.getLoginType(),
+                                NotLoginException.INVALID_TOKEN,
+                                NotLoginException.NOT_TOKEN_MESSAGE,
+                                StpUtil.getTokenValue());
+                        }
+
                        // 有效率影响 用于临时测试
                        // if (log.isDebugEnabled()) {
                        //     log.debug("剩余有效时间: {}", StpUtil.getTokenTimeout());