lxm_library_java/JustAuth
1
0
Fork 0
mirror of synced 2026-04-25 11:08:49 +08:00
Code Issues Projects Releases Wiki Activity

State优化第一步:去掉AuthState工具类

Browse Source
This commit is contained in:
yadong.zhang
2019-07-25 22:32:55 +08:00
parent 7f725b579b
commit 55c4b391bc
24 changed files with 199 additions and 668 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/main/java/me/zhyd/oauth/request/AuthAlipayRequest.java
View File

@@ -86,17 +86,18 @@ public class AuthAlipayRequest extends AuthDefaultRequest {
}
/**
* 返回认证url可自行跳转页面
* 返回带{@code state}参数的认证url授权回调时会带上这个{@code state}
*
* @param state state 验证授权流程的参数可以防止csrf
* @return 返回授权地址
*/
@Override
public String authorize() {
public String authorize(String state) {
return UrlBuilder.fromBaseUrl(source.authorize())
.queryParam("app_id", config.getClientId())
.queryParam("scope", "auth_user")
.queryParam("redirect_uri", config.getRedirectUri())
.queryParam("state", getRealState(config.getState()))
.queryParam("state", getRealState(state))
.build();
}
}

7
src/main/java/me/zhyd/oauth/request/AuthBaiduRequest.java
View File

@@ -79,18 +79,19 @@ public class AuthBaiduRequest extends AuthDefaultRequest {
}
/**
* 返回认证url可自行跳转页面
* 返回带{@code state}参数的认证url授权回调时会带上这个{@code state}
*
* @param state state 验证授权流程的参数可以防止csrf
* @return 返回授权地址
*/
@Override
public String authorize() {
public String authorize(String state) {
return UrlBuilder.fromBaseUrl(source.authorize())
.queryParam("response_type", "code")
.queryParam("client_id", config.getClientId())
.queryParam("redirect_uri", config.getRedirectUri())
.queryParam("display", "popup")
.queryParam("state", getRealState(config.getState()))
.queryParam("state", getRealState(state))
.build();
}

9
src/main/java/me/zhyd/oauth/request/AuthCodingRequest.java
View File

@@ -4,11 +4,11 @@ import cn.hutool.http.HttpResponse;
import com.alibaba.fastjson.JSONObject;
import me.zhyd.oauth.config.AuthConfig;
import me.zhyd.oauth.config.AuthSource;
import me.zhyd.oauth.enums.AuthUserGender;
import me.zhyd.oauth.exception.AuthException;
import me.zhyd.oauth.model.AuthCallback;
import me.zhyd.oauth.model.AuthToken;
import me.zhyd.oauth.model.AuthUser;
import me.zhyd.oauth.enums.AuthUserGender;
import me.zhyd.oauth.utils.UrlBuilder;
/**
@@ -71,18 +71,19 @@ public class AuthCodingRequest extends AuthDefaultRequest {
}
/**
* 返回认证url可自行跳转页面
* 返回带{@code state}参数的认证url授权回调时会带上这个{@code state}
*
* @param state state 验证授权流程的参数可以防止csrf
* @return 返回授权地址
*/
@Override
public String authorize() {
public String authorize(String state) {
return UrlBuilder.fromBaseUrl(source.authorize())
.queryParam("response_type", "code")
.queryParam("client_id", config.getClientId())
.queryParam("redirect_uri", config.getRedirectUri())
.queryParam("scope", "user")
.queryParam("state", getRealState(config.getState()))
.queryParam("state", getRealState(state))
.build();
}
}

21
src/main/java/me/zhyd/oauth/request/AuthDefaultRequest.java
View File

@@ -2,7 +2,6 @@ package me.zhyd.oauth.request;
import cn.hutool.http.HttpRequest;
import cn.hutool.http.HttpResponse;
import lombok.Data;
import lombok.extern.slf4j.Slf4j;
import me.zhyd.oauth.config.AuthConfig;
import me.zhyd.oauth.config.AuthSource;
@@ -43,7 +42,6 @@ public abstract class AuthDefaultRequest implements AuthRequest {
public AuthResponse login(AuthCallback authCallback) {
try {
AuthChecker.checkCode(source == AuthSource.ALIPAY ? authCallback.getAuth_code() : authCallback.getCode());
AuthChecker.checkState(authCallback.getState(), config.getState());
AuthToken authToken = this.getAccessToken(authCallback);
AuthUser user = this.getUserInfo(authToken);
@@ -64,16 +62,31 @@ public abstract class AuthDefaultRequest implements AuthRequest {
/**
* 返回认证url可自行跳转页面
* <p>
* 不建议使用该方式获取授权地址,不带{@code state}的授权地址容易受到csrf攻击。
* 建议使用{@link AuthDefaultRequest#authorize(String)}方法生成授权地址,在回调方法中对{@code state}进行校验
*
* @return 返回授权地址
*/
@Deprecated
@Override
public String authorize() {
return this.authorize(null);
}
/**
* 返回带{@code state}参数的认证url授权回调时会带上这个{@code state}
*
* @param state state 验证授权流程的参数可以防止csrf
* @return 返回授权地址
*/
@Override
public String authorize(String state) {
return UrlBuilder.fromBaseUrl(source.authorize())
.queryParam("response_type", "code")
.queryParam("client_id", config.getClientId())
.queryParam("redirect_uri", config.getRedirectUri())
.queryParam("state", getRealState(config.getState()))
.queryParam("state", getRealState(state))
.build();
}
@@ -130,7 +143,7 @@ public abstract class AuthDefaultRequest implements AuthRequest {
}
/**
* 获取state如果为空 则默认当前日期的时间戳
* 获取state如果为空 则默认当前日期的时间戳
*
* @param state 原始的state
* @return 返回不为null的state

7
src/main/java/me/zhyd/oauth/request/AuthDingTalkRequest.java
View File

@@ -58,18 +58,19 @@ public class AuthDingTalkRequest extends AuthDefaultRequest {
}
/**
* 返回认证url可自行跳转页面
* 返回带{@code state}参数的认证url授权回调时会带上这个{@code state}
*
* @param state state 验证授权流程的参数可以防止csrf
* @return 返回授权地址
*/
@Override
public String authorize() {
public String authorize(String state) {
return UrlBuilder.fromBaseUrl(source.authorize())
.queryParam("response_type", "code")
.queryParam("appid", config.getClientId())
.queryParam("scope", "snsapi_login")
.queryParam("redirect_uri", config.getRedirectUri())
.queryParam("state", getRealState(config.getState()))
.queryParam("state", getRealState(state))
.build();
}

7
src/main/java/me/zhyd/oauth/request/AuthDouyinRequest.java
View File

@@ -89,18 +89,19 @@ public class AuthDouyinRequest extends AuthDefaultRequest {
}
/**
* 返回认证url可自行跳转页面
* 返回带{@code state}参数的认证url授权回调时会带上这个{@code state}
*
* @param state state 验证授权流程的参数可以防止csrf
* @return 返回授权地址
*/
@Override
public String authorize() {
public String authorize(String state) {
return UrlBuilder.fromBaseUrl(source.authorize())
.queryParam("response_type", "code")
.queryParam("client_key", config.getClientId())
.queryParam("redirect_uri", config.getRedirectUri())
.queryParam("state", getRealState(config.getState()))
.queryParam("scope", "user_info")
.queryParam("state", getRealState(state))
.build();
}

8
src/main/java/me/zhyd/oauth/request/AuthGithubRequest.java
View File

@@ -63,12 +63,4 @@ public class AuthGithubRequest extends AuthDefaultRequest {
.build();
}
/**
* 检查响应内容是否正确
*
* @param object 请求响应内容
*/
private void checkResponse(JSONObject object) {
}
}

8
src/main/java/me/zhyd/oauth/request/AuthGoogleRequest.java
View File

@@ -61,19 +61,19 @@ public class AuthGoogleRequest extends AuthDefaultRequest {
}
/**
* 返回认证url可自行跳转页面
* https://openidconnect.googleapis.com/v1/userinfo
* 返回带{@code state}参数的认证url授权回调时会带上这个{@code state}
*
* @param state state 验证授权流程的参数可以防止csrf
* @return 返回授权地址
*/
@Override
public String authorize() {
public String authorize(String state) {
return UrlBuilder.fromBaseUrl(source.authorize())
.queryParam("response_type", "code")
.queryParam("client_id", config.getClientId())
.queryParam("scope", "openid%20email%20profile")
.queryParam("redirect_uri", config.getRedirectUri())
.queryParam("state", getRealState(config.getState()))
.queryParam("state", getRealState(state))
.build();
}

7
src/main/java/me/zhyd/oauth/request/AuthLinkedinRequest.java
View File

@@ -182,18 +182,19 @@ public class AuthLinkedinRequest extends AuthDefaultRequest {
}
/**
* 返回认证url可自行跳转页面
* 返回带{@code state}参数的认证url授权回调时会带上这个{@code state}
*
* @param state state 验证授权流程的参数可以防止csrf
* @return 返回授权地址
*/
@Override
public String authorize() {
public String authorize(String state) {
return UrlBuilder.fromBaseUrl(source.authorize())
.queryParam("response_type", "code")
.queryParam("client_id", config.getClientId())
.queryParam("redirect_uri", config.getRedirectUri())
.queryParam("state", getRealState(config.getState()))
.queryParam("scope", "r_liteprofile%20r_emailaddress%20w_member_social")
.queryParam("state", getRealState(state))
.build();
}

7
src/main/java/me/zhyd/oauth/request/AuthMiRequest.java
View File

@@ -109,19 +109,20 @@ public class AuthMiRequest extends AuthDefaultRequest {
}
/**
* 返回认证url可自行跳转页面
* 返回带{@code state}参数的认证url授权回调时会带上这个{@code state}
*
* @param state state 验证授权流程的参数可以防止csrf
* @return 返回授权地址
*/
@Override
public String authorize() {
public String authorize(String state) {
return UrlBuilder.fromBaseUrl(source.authorize())
.queryParam("response_type", "code")
.queryParam("client_id", config.getClientId())
.queryParam("redirect_uri", config.getRedirectUri())
.queryParam("state", getRealState(config.getState()))
.queryParam("scope", "user/profile%20user/openIdV2%20user/phoneAndEmail")
.queryParam("skip_confirm", "false")
.queryParam("state", getRealState(state))
.build();
}

7
src/main/java/me/zhyd/oauth/request/AuthMicrosoftRequest.java
View File

@@ -102,19 +102,20 @@ public class AuthMicrosoftRequest extends AuthDefaultRequest {
}
/**
* 返回认证url可自行跳转页面
* 返回带{@code state}参数的认证url授权回调时会带上这个{@code state}
*
* @param state state 验证授权流程的参数可以防止csrf
* @return 返回授权地址
*/
@Override
public String authorize() {
public String authorize(String state) {
return UrlBuilder.fromBaseUrl(source.authorize())
.queryParam("response_type", "code")
.queryParam("client_id", config.getClientId())
.queryParam("redirect_uri", config.getRedirectUri())
.queryParam("response_mode", "query")
.queryParam("scope", "offline_access%20user.read%20mail.read")
.queryParam("state", getRealState(config.getState()))
.queryParam("state", getRealState(state))
.build();
}

10
src/main/java/me/zhyd/oauth/request/AuthPinterestRequest.java
View File

@@ -69,14 +69,20 @@ public class AuthPinterestRequest extends AuthDefaultRequest {
return jsonObject.getJSONObject("60x60").getString("url");
}
/**
* 返回带{@code state}参数的认证url授权回调时会带上这个{@code state}
*
* @param state state 验证授权流程的参数可以防止csrf
* @return 返回授权地址
*/
@Override
public String authorize() {
public String authorize(String state) {
return UrlBuilder.fromBaseUrl(source.authorize())
.queryParam("response_type", "code")
.queryParam("client_id", config.getClientId())
.queryParam("redirect_uri", config.getRedirectUri())
.queryParam("state", getRealState(config.getState()))
.queryParam("scope", "read_public")
.queryParam("state", getRealState(state))
.build();
}

11
src/main/java/me/zhyd/oauth/request/AuthRequest.java
View File

@@ -18,10 +18,21 @@ public interface AuthRequest {
*
* @return 返回授权地址
*/
@Deprecated
default String authorize() {
throw new AuthException(AuthResponseStatus.NOT_IMPLEMENTED);
}
/**
* 返回带{@code state}参数的认证url授权回调时会带上这个{@code state}
*
* @param state state 验证授权流程的参数可以防止csrf
* @return 返回授权地址
*/
default String authorize(String state) {
throw new AuthException(AuthResponseStatus.NOT_IMPLEMENTED);
}
/**
* 第三方登录
*

10
src/main/java/me/zhyd/oauth/request/AuthStackOverflowRequest.java
View File

@@ -67,14 +67,20 @@ public class AuthStackOverflowRequest extends AuthDefaultRequest {
.build();
}
/**
* 返回带{@code state}参数的认证url授权回调时会带上这个{@code state}
*
* @param state state 验证授权流程的参数可以防止csrf
* @return 返回授权地址
*/
@Override
public String authorize() {
public String authorize(String state) {
return UrlBuilder.fromBaseUrl(source.authorize())
.queryParam("response_type", "code")
.queryParam("client_id", config.getClientId())
.queryParam("redirect_uri", config.getRedirectUri())
.queryParam("state", getRealState(config.getState()))
.queryParam("scope", "read_inbox")
.queryParam("state", getRealState(state))
.build();
}

9
src/main/java/me/zhyd/oauth/request/AuthTaobaoRequest.java
View File

@@ -4,11 +4,11 @@ import cn.hutool.http.HttpResponse;
import com.alibaba.fastjson.JSONObject;
import me.zhyd.oauth.config.AuthConfig;
import me.zhyd.oauth.config.AuthSource;
import me.zhyd.oauth.enums.AuthUserGender;
import me.zhyd.oauth.exception.AuthException;
import me.zhyd.oauth.model.AuthCallback;
import me.zhyd.oauth.model.AuthToken;
import me.zhyd.oauth.model.AuthUser;
import me.zhyd.oauth.enums.AuthUserGender;
import me.zhyd.oauth.utils.GlobalAuthUtil;
import me.zhyd.oauth.utils.UrlBuilder;
@@ -55,18 +55,19 @@ public class AuthTaobaoRequest extends AuthDefaultRequest {
}
/**
* 返回认证url可自行跳转页面
* 返回带{@code state}参数的认证url授权回调时会带上这个{@code state}
*
* @param state state 验证授权流程的参数可以防止csrf
* @return 返回授权地址
*/
@Override
public String authorize() {
public String authorize(String state) {
return UrlBuilder.fromBaseUrl(source.authorize())
.queryParam("response_type", "code")
.queryParam("client_id", config.getClientId())
.queryParam("redirect_uri", config.getRedirectUri())
.queryParam("state", getRealState(config.getState()))
.queryParam("view", "web")
.queryParam("state", getRealState(state))
.build();
}
}

7
src/main/java/me/zhyd/oauth/request/AuthTencentCloudRequest.java
View File

@@ -71,18 +71,19 @@ public class AuthTencentCloudRequest extends AuthDefaultRequest {
}
/**
* 返回认证url可自行跳转页面
* 返回带{@code state}参数的认证url授权回调时会带上这个{@code state}
*
* @param state state 验证授权流程的参数可以防止csrf
* @return 返回授权地址
*/
@Override
public String authorize() {
public String authorize(String state) {
return UrlBuilder.fromBaseUrl(source.authorize())
.queryParam("response_type", "code")
.queryParam("client_id", config.getClientId())
.queryParam("redirect_uri", config.getRedirectUri())
.queryParam("scope", "user")
.queryParam("state", getRealState(config.getState()))
.queryParam("state", getRealState(state))
.build();
}
}

7
src/main/java/me/zhyd/oauth/request/AuthToutiaoRequest.java
View File

@@ -65,19 +65,20 @@ public class AuthToutiaoRequest extends AuthDefaultRequest {
}
/**
* 返回认证url可自行跳转页面
* 返回带{@code state}参数的认证url授权回调时会带上这个{@code state}
*
* @param state state 验证授权流程的参数可以防止csrf
* @return 返回授权地址
*/
@Override
public String authorize() {
public String authorize(String state) {
return UrlBuilder.fromBaseUrl(source.authorize())
.queryParam("response_type", "code")
.queryParam("client_key", config.getClientId())
.queryParam("redirect_uri", config.getRedirectUri())
.queryParam("state", getRealState(config.getState()))
.queryParam("auth_only", 1)
.queryParam("display", 0)
.queryParam("state", getRealState(state))
.build();
}

7
src/main/java/me/zhyd/oauth/request/AuthWeChatRequest.java
View File

@@ -100,18 +100,19 @@ public class AuthWeChatRequest extends AuthDefaultRequest {
}
/**
* 返回认证url可自行跳转页面
* 返回带{@code state}参数的认证url授权回调时会带上这个{@code state}
*
* @param state state 验证授权流程的参数可以防止csrf
* @return 返回授权地址
*/
@Override
public String authorize() {
public String authorize(String state) {
return UrlBuilder.fromBaseUrl(source.authorize())
.queryParam("response_type", "code")
.queryParam("appid", config.getClientId())
.queryParam("redirect_uri", config.getRedirectUri())
.queryParam("scope", "snsapi_login")
.queryParam("state", getRealState(config.getState()).concat("#wechat_redirect"))
.queryParam("state", getRealState(state))
.build();
}