Commit 77e94949 by 周海峰

漏洞

parent 7bb638b8
......@@ -2,15 +2,13 @@ package com.metro.auth.platform.controller;
import com.metro.auth.platform.domain.ResultCode;
import com.metro.auth.platform.domain.ResultJson;
import com.metro.auth.platform.domain.auth.PlatformPersonnel;
import com.metro.auth.platform.domain.auth.User;
import com.metro.auth.platform.domain.auth.ResponseUserToken;
import com.metro.auth.platform.domain.auth.UserDetail;
import com.metro.auth.platform.domain.auth.*;
import com.metro.auth.platform.generallog.LogAnnotation;
import com.metro.auth.platform.http.HttpAPIService;
import com.metro.auth.platform.outlineapi.PlatformUrlManager;
import com.metro.auth.platform.service.AuthService;
import com.metro.auth.platform.utils.DateUtil;
import com.metro.auth.platform.utils.MailUtil;
import com.metro.auth.platform.utils.*;
import com.metro.auth.platform.wxmessage.ApiConfig;
import io.swagger.annotations.Api;
import io.swagger.annotations.ApiImplicitParam;
import io.swagger.annotations.ApiImplicitParams;
......@@ -20,6 +18,7 @@ import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.*;
import javax.annotation.Resource;
import javax.mail.MessagingException;
import javax.servlet.http.HttpServletRequest;
import javax.validation.Valid;
......@@ -38,16 +37,23 @@ public class AuthController {
private final AuthService authService;
@Value("${weixin-params.wx_getuserinfo}")
private String WX_GETUSERINFO;
@Resource
public HttpAPIService httpAPIService;
@Autowired
public AuthController(AuthService authService) {
this.authService = authService;
}
@LogAnnotation(operateContent="用户登录",operateType="登录")
@LogAnnotation(operateContent = "用户登录", operateType = "登录")
@PostMapping(value = "/login")
@ApiOperation(value = "登录", notes = "验证成功返回token,测试管理员账号:admin123,12345678")
public ResultJson<ResponseUserToken> login(
@Valid @RequestBody User user){
@Valid @RequestBody User user) {
final ResponseUserToken response = authService.login(user.getAccount(), user.getPassword());
return ResultJson.ok(response);
}
......@@ -55,7 +61,7 @@ public class AuthController {
@PostMapping(value = "/logout")
@ApiOperation(value = "登出", notes = "退出登录")
@ApiImplicitParams({@ApiImplicitParam(name = "Authorization", value = "Authorization token", required = true, dataType = "string", paramType = "header")})
public ResultJson logout(HttpServletRequest request){
public ResultJson logout(HttpServletRequest request) {
String token = request.getHeader(tokenHeader);
if (token == null) {
return ResultJson.failure(ResultCode.UNAUTHORIZED);
......@@ -67,16 +73,16 @@ public class AuthController {
@GetMapping(value = "/user")
@ApiOperation(value = "根据token获取用户信息", notes = "根据token获取用户信息")
@ApiImplicitParams({@ApiImplicitParam(name = "Authorization", value = "参数格式 token", required = true, dataType = "string", paramType = "header")})
public ResultJson getUser(HttpServletRequest request){
public ResultJson getUser(HttpServletRequest request) {
String token = request.getHeader(tokenHeader);
if (token == null) {
log.info(DateUtil.getCurTime()+ "token 为null 导致退出登录=============================================" );
log.info(DateUtil.getCurTime() + "token 为null 导致退出登录=============================================");
return ResultJson.failure(ResultCode.UNAUTHORIZED);
}else{
log.info("当前===============================================================token"+token);
} else {
log.info("当前===============================================================token" + token);
}
UserDetail userDetail = authService.getUserByToken(token);
if (userDetail==null){
if (userDetail == null) {
log.info("查询用户信息失败");
}
return ResultJson.ok(userDetail);
......@@ -86,10 +92,10 @@ public class AuthController {
@GetMapping(value = "/refresh")
@ApiImplicitParams({@ApiImplicitParam(name = "Authorization", value = "参数格式 token", required = true, dataType = "string", paramType = "header")})
public ResultJson refreshAndGetAuthenticationToken(
HttpServletRequest request){
HttpServletRequest request) {
String token = request.getHeader(tokenHeader);
ResponseUserToken response = authService.refresh(token);
if(response == null) {
if (response == null) {
return ResultJson.failure(ResultCode.BAD_REQUEST, "token无效");
} else {
return ResultJson.ok(response);
......@@ -99,6 +105,7 @@ public class AuthController {
/**
* 功能描述: <br>扫码登录
* 〈〉
*
* @Param: [userId]
* @Return: [userId]
* @Author: zhouy
......@@ -106,9 +113,9 @@ public class AuthController {
*/
@GetMapping(value = "/qrcodelogin/{userId}")
public ResultJson<ResponseUserToken> qrcodelogin(@PathVariable String userId){
public ResultJson<ResponseUserToken> qrcodelogin(@PathVariable String userId) {
final PlatformPersonnel platformPersonnel = authService.findUserInfoByaccount(userId);
if(platformPersonnel==null){
if (platformPersonnel == null) {
return ResultJson.failure(ResultCode.FORBIDDEN);
}
final ResponseUserToken response = authService.login(platformPersonnel.getAccount(), platformPersonnel.getPassword());
......@@ -116,72 +123,103 @@ public class AuthController {
}
/**
*
* @param user
* @return
*/
@LogAnnotation(operateContent="用户内网扫码登录",operateType="登录")
@LogAnnotation(operateContent = "用户内网扫码登录", operateType = "登录")
@PostMapping(value = "/logincode")
// @ApiOperation(value = "登录", notes = "根据随机码登录")
public ResultJson<ResponseUserToken> logincode(@Valid @RequestBody User user){
public ResultJson<ResponseUserToken> logincode(@Valid @RequestBody User user) {
//根据code查用户账户和密码
PlatformPersonnel platformPersonnel = authService.findUserInfoByCode(user.getCode());
if (platformPersonnel!=null){
final ResponseUserToken response= authService.login(platformPersonnel.getAccount(), platformPersonnel.getPassword());
if (platformPersonnel != null) {
final ResponseUserToken response = authService.login(platformPersonnel.getAccount(), platformPersonnel.getPassword());
return ResultJson.ok(response);
}else{
} else {
return ResultJson.ok(false);
}
}
@PostMapping(value = "/savecode")
public ResultJson savecode(@Valid @RequestBody User user){
int flag= authService.updateCodeByUserid(user.getAccount() ,user.getCode());
if (flag>0){
// 弃用20260606
// @PostMapping(value = "/savecode")
// public ResultJson savecode(@Valid @RequestBody User user) {
// int flag = authService.updateCodeByUserid(user.getAccount(), user.getCode());
// if (flag > 0) {
// return ResultJson.ok(ResultCode.SUCCESS);
// } else {
// return ResultJson.failure(ResultCode.RESPONSE_ERROR);
// }
// }
/**
* 功能描述: 手机扫码登录
* zhf 20260606
*
* @param saveSqCodeReq 参数对象,包含企业微信用户code和登录验证码
* @return 验证结果
*/
@PostMapping("/saveSqCode")
public ResultJson saveSqCode(@Valid @RequestBody SaveSqCodeReq saveSqCodeReq) {
log.info("参数为=={}", JSONUtil.toJson(saveSqCodeReq));
String url = WX_GETUSERINFO + SpringUtil.getBean(ApiConfig.class).getAccessToken() + "&code=" + saveSqCodeReq.getCode();
log.info("构建URL为=={}", url);
String wxuserinfo = httpAPIService.doGet(url);
String errmsg = (String) JSONUtil.getStringFromJSONObject(wxuserinfo, "errmsg");
if (!"ok".equals(errmsg)) {
log.info("获取微信用户信息失败,错误信息为=={}", wxuserinfo);
return ResultJson.failure(ResultCode.UNAUTHORIZED);
}
String userId = (String) JSONUtil.getStringFromJSONObject(wxuserinfo, "UserId");
int flag = authService.updateCodeByUserid(userId, saveSqCodeReq.getLoginCode());
if (flag > 0) {
return ResultJson.ok(ResultCode.SUCCESS);
}else{
} else {
return ResultJson.failure(ResultCode.RESPONSE_ERROR);
}
}
/**
* 根据邮箱保存code
*
* @param user
* @return
*/
@PostMapping(value = "/savecodeByemail")
public ResultJson savecodeByemail(@Valid @RequestBody User user){
int flag= authService.updateCodeByUserid(user.getAccount() ,user.getCode());
if (flag>0){
public ResultJson savecodeByemail(@Valid @RequestBody User user) {
int flag = authService.updateCodeByUserid(user.getAccount(), user.getCode());
if (flag > 0) {
return ResultJson.ok(ResultCode.SUCCESS);
}else{
} else {
return ResultJson.failure(ResultCode.RESPONSE_ERROR);
}
}
/**
* 检验邮箱,如果存在发送邮件验证码
*
* @param user
* @return
*/
@PostMapping(value = "/sendcodeToEmail")
public ResultJson sendcodeToEmail(@Valid @RequestBody User user){
public ResultJson sendcodeToEmail(@Valid @RequestBody User user) {
//查询email是否存在,存在则把验证码发送到邮箱
String email=user.getAccount();
boolean sendstatus=false;
PlatformPersonnel platformPersonnel= authService.findUserInfoByemail(email);
if (platformPersonnel !=null){
String email = user.getAccount();
boolean sendstatus = false;
PlatformPersonnel platformPersonnel = authService.findUserInfoByemail(email);
if (platformPersonnel != null) {
//发送邮件
String url = PlatformUrlManager.EMAIL_URL +"?account="+platformPersonnel.getAccount()+"&code=" + user.getCode();
String url = PlatformUrlManager.EMAIL_URL + "?account=" + platformPersonnel.getAccount() + "&code=" + user.getCode();
String emailMsg = "<h3>授权请点击下面的超链接</h3><a href='" + url + "'> 点击授权 </a>";
MailUtil.sendMail(email,"内网平台登录授权",emailMsg,new String[]{""});
sendstatus=true;
if (sendstatus){
return ResultJson.ok(ResultCode.SEND_SUCCESS);
}else{
return ResultJson.ok(ResultCode.SEND_ERROR);
}
}else{
MailUtil.sendMail(email, "内网平台登录授权", emailMsg, new String[]{""});
sendstatus = true;
if (sendstatus) {
return ResultJson.ok(ResultCode.SEND_SUCCESS);
} else {
return ResultJson.ok(ResultCode.SEND_ERROR);
}
} else {
return ResultJson.failure(ResultCode.RESPONSE_ERROR);
}
}
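Review bot: `savecodeByemail` at the end of this hunk keeps the exact body of the `/savecode` endpoint the commit comments out — `authService.updateCodeByUserid(user.getAccount(), user.getCode())` on a caller-supplied account and code — so unless a filter or interceptor not visible here guards `/savecodeByemail`, the same code-binding path stays reachable and `logincode` will still issue a token for whichever account that code was bound to; AuthController continues past the hunk, so other guards may exist there. In `saveSqCode`, `log.info("构建URL为=={}", url)` writes the WeChat access token to the log and the preceding line serialises the whole request body including `loginCode`; logging only the non-secret input, e.g. `log.info("请求微信用户信息, code={}", saveSqCodeReq.getCode());`, and dropping the URL line would avoid that. The `code` value is concatenated into the URL raw; `URLEncoder.encode(saveSqCodeReq.getCode(), StandardCharsets.UTF_8)` keeps a stray `&` or `#` from altering the query. If the WeChat reply carries `errmsg == "ok"` but no `UserId` field, `userId` is null and is passed straight into `updateCodeByUserid`; a blank check returning `ResultJson.failure(ResultCode.UNAUTHORIZED)` before the update would be safer. The unchanged `sendcodeToEmail` branch still embeds the caller's `code` into the email link and HTML without encoding, and its `sendstatus` check can never be false, which is worth a follow-up even though this commit only reformats it.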
......
package com.metro.auth.platform.domain.auth;
import lombok.Data;
import javax.validation.constraints.NotEmpty;
@Data
public class SaveSqCodeReq {
/**
* 企业微信用户code,必填项,企业微信登录时会返回code,通过code可以获取用户信息
*/
@NotEmpty(message = "code不能为空")
private String code;
/**
* 登录验证码,必填项,登录时会返回登录验证码,通过登录验证码可以获取用户信息
*/
@NotEmpty(message = "loginCode不能为空")
private String loginCode;
}