From 29248561d6eb730704166bf6e6d6382b4d14f904 Mon Sep 17 00:00:00 2001 From: JEECG <445654970@qq.com> Date: Tue, 11 Feb 2025 11:37:55 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E7=AC=AC=E4=B8=89=E6=96=B9?= =?UTF-8?q?=E7=99=BB=E5=BD=95=E6=8E=A5=E5=8F=A3=E9=80=9A=E8=BF=87token?= =?UTF-8?q?=E8=8E=B7=E5=8F=96=E7=94=A8=E6=88=B7=E4=BF=A1=E6=81=AF=E6=BC=8F?= =?UTF-8?q?=E6=B4=9E?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../system/controller/ThirdLoginController.java | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java b/jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java index 17f3d6b5..da6d202a 100644 --- a/jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java +++ b/jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java @@ -15,6 +15,7 @@ import me.zhyd.oauth.utils.StringUtils; import org.jeecg.common.api.vo.Result; import org.jeecg.common.constant.CommonConstant; import org.jeecg.common.constant.enums.MessageTypeEnum; +import org.jeecg.common.system.api.ISysBaseAPI; import org.jeecg.common.system.util.JwtUtil; import org.jeecg.common.util.*; import org.jeecg.modules.base.service.BaseCommonService; @@ -74,6 +75,9 @@ public class ThirdLoginController { @Autowired private ISysThirdAppConfigService appConfigService; + @Autowired + public ISysBaseAPI sysBaseAPI; + @RequestMapping("/render/{source}") public void render(@PathVariable("source") String source, HttpServletResponse response) throws IOException { log.info("第三方登录进入render:" + source); 
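Review bot: The `sysBaseAPI` field added in the second hunk is declared `public`, while the injected `appConfigService` just above it is `private`. This dependency is what the new token check in `getThirdLoginUser` relies on, and a public mutable field on the controller can be reassigned by any other code in the application. I would declare it as `@Autowired private ISysBaseAPI sysBaseAPI;` to match the neighbouring fields. The class body continues outside the hunk, so other injected fields are not visible here.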
@@ -228,7 +232,11 @@ public class ThirdLoginController {
 public Result getThirdLoginUser(@PathVariable("token") String token,@PathVariable("thirdType") String thirdType,@PathVariable("tenantId") String tenantId) throws Exception {
 Result result = new Result();
 String username = JwtUtil.getUsername(token);
-
+ //update-begin---author:chenrui ---date:20250210 for:[QQYUN-11021]三方登录接口通过token获取用户信息漏洞修复------------
+ if (!TokenUtils.verifyToken(token, sysBaseAPI, redisUtil)) {
+ return Result.noauth("token验证失败");
+ }
+ //update-end---author:chenrui ---date:20250210 for:[QQYUN-11021]三方登录接口通过token获取用户信息漏洞修复------------
 //1. 校验用户是否有效
 SysUser sysUser = sysUserService.getUserByName(username);
 result = sysUserService.checkUserIsEffective(sysUser);
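Review bot: `JwtUtil.getUsername(token)` still runs on the caller-supplied token before the added `TokenUtils.verifyToken(...)` check in `getThirdLoginUser`, so a claim is read from a token that has not been validated yet. Make the check the first statement of the method and move `String username = JwtUtil.getUsername(token);` below it, so that nothing derived from the token exists until verification has passed. Separately, the token is still bound with `@PathVariable("token")`, so it is part of the request URL and will usually end up in access logs and intermediary proxies; accepting it from a request header would avoid that, though it changes the endpoint contract. The method body continues past the hunk, so it is not visible whether `thirdType` and `tenantId` are checked against the verified user; that should be confirmed.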