github
/
jeecg-boot
mirror of https://github.com/jeecgboot/jeecg-boot
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

修复第三方登录接口通过token获取用户信息漏洞

pull/7765/head^2
JEECG 2025-02-11 11:37:55 +08:00
parent ad74b78134
commit 29248561d6
1 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java
View File

@ -15,6 +15,7 @@ import me.zhyd.oauth.utils.StringUtils;
import org.jeecg.common.api.vo.Result; import org.jeecg.common.api.vo.Result;
import org.jeecg.common.constant.CommonConstant; import org.jeecg.common.constant.CommonConstant;
import org.jeecg.common.constant.enums.MessageTypeEnum; import org.jeecg.common.constant.enums.MessageTypeEnum;
import org.jeecg.common.system.api.ISysBaseAPI;
import org.jeecg.common.system.util.JwtUtil; import org.jeecg.common.system.util.JwtUtil;
import org.jeecg.common.util.*; import org.jeecg.common.util.*;
import org.jeecg.modules.base.service.BaseCommonService; import org.jeecg.modules.base.service.BaseCommonService;
@ -74,6 +75,9 @@ public class ThirdLoginController {
@Autowired @Autowired
private ISysThirdAppConfigService appConfigService; private ISysThirdAppConfigService appConfigService;
@Autowired
public ISysBaseAPI sysBaseAPI;
@RequestMapping("/render/{source}") @RequestMapping("/render/{source}")
public void render(@PathVariable("source") String source, HttpServletResponse response) throws IOException { public void render(@PathVariable("source") String source, HttpServletResponse response) throws IOException {
log.info("第三方登录进入render" + source); log.info("第三方登录进入render" + source);
@ -228,7 +232,11 @@ public class ThirdLoginController {
public Result<JSONObject> getThirdLoginUser(@PathVariable("token") String token,@PathVariable("thirdType") String thirdType,@PathVariable("tenantId") String tenantId) throws Exception { public Result<JSONObject> getThirdLoginUser(@PathVariable("token") String token,@PathVariable("thirdType") String thirdType,@PathVariable("tenantId") String tenantId) throws Exception {
Result<JSONObject> result = new Result<JSONObject>(); Result<JSONObject> result = new Result<JSONObject>();
String username = JwtUtil.getUsername(token); String username = JwtUtil.getUsername(token);
//update-begin---author:chenrui ---date:20250210 for[QQYUN-11021]三方登录接口通过token获取用户信息漏洞修复------------
if (!TokenUtils.verifyToken(token, sysBaseAPI, redisUtil)) {
return Result.noauth("token验证失败");
}
//update-end---author:chenrui ---date:20250210 for[QQYUN-11021]三方登录接口通过token获取用户信息漏洞修复------------
//1. 校验用户是否有效 //1. 校验用户是否有效
SysUser sysUser = sysUserService.getUserByName(username); SysUser sysUser = sysUserService.getUserByName(username);
result = sysUserService.checkUserIsEffective(sysUser); result = sysUserService.checkUserIsEffective(sysUser);