diff --git a/jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java b/jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java index 17f3d6b5..da6d202a 100644 --- a/jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java +++ b/jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java @@ -15,6 +15,7 @@ import me.zhyd.oauth.utils.StringUtils; import org.jeecg.common.api.vo.Result; import org.jeecg.common.constant.CommonConstant; import org.jeecg.common.constant.enums.MessageTypeEnum; +import org.jeecg.common.system.api.ISysBaseAPI; import org.jeecg.common.system.util.JwtUtil; import org.jeecg.common.util.*; import org.jeecg.modules.base.service.BaseCommonService; @@ -74,6 +75,9 @@ public class ThirdLoginController { @Autowired private ISysThirdAppConfigService appConfigService; + @Autowired + public ISysBaseAPI sysBaseAPI; + @RequestMapping("/render/{source}") public void render(@PathVariable("source") String source, HttpServletResponse response) throws IOException { log.info("第三方登录进入render:" + source); @@ -228,7 +232,11 @@ public class ThirdLoginController { public Result getThirdLoginUser(@PathVariable("token") String token,@PathVariable("thirdType") String thirdType,@PathVariable("tenantId") String tenantId) throws Exception { Result result = new Result(); String username = JwtUtil.getUsername(token); - + //update-begin---author:chenrui ---date:20250210 for:[QQYUN-11021]三方登录接口通过token获取用户信息漏洞修复------------ + if (!TokenUtils.verifyToken(token, sysBaseAPI, redisUtil)) { + return Result.noauth("token验证失败"); + } + //update-end---author:chenrui ---date:20250210 for:[QQYUN-11021]三方登录接口通过token获取用户信息漏洞修复------------ //1. 校验用户是否有效 SysUser sysUser = sysUserService.getUserByName(username); result = sysUserService.checkUserIsEffective(sysUser);