lxm_library_java/JustAuth
1
0
Fork 0
mirror of synced 2026-02-26 15:27:48 +08:00
Code Issues Projects Releases Wiki Activity

👽 修改login方法的参数为AuthCallback,封装回调返回的参数、支持state参数、增加code和state参数校验

Browse Source
This commit is contained in:
yadong.zhang
2019-06-27 19:39:21 +08:00
parent 9941ce7e2a
commit ac4ede74bf
31 changed files with 187 additions and 107 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
src/main/java/me/zhyd/oauth/utils/AuthConfigChecker.java → src/main/java/me/zhyd/oauth/utils/AuthChecker.java
View File

@@ -12,7 +12,7 @@ import me.zhyd.oauth.request.ResponseStatus;
* @version 1.0
* @since 1.8
*/
public class AuthConfigChecker {
public class AuthChecker {
/**
* 是否支持第三方登录
@@ -35,7 +35,7 @@ public class AuthConfigChecker {
* @param config config
* @param source source
*/
public static void check(AuthConfig config, AuthSource source) {
public static void checkConfig(AuthConfig config, AuthSource source) {
String redirectUri = config.getRedirectUri();
if (!GlobalAuthUtil.isHttpProtocol(redirectUri) && !GlobalAuthUtil.isHttpsProtocol(redirectUri)) {
throw new AuthException(ResponseStatus.ILLEGAL_REDIRECT_URI);
@@ -49,4 +49,36 @@ public class AuthConfigChecker {
throw new AuthException(ResponseStatus.ILLEGAL_REDIRECT_URI);
}
}
/**
* 校验回调传回的code
*
* @param code 回调时传回的code
*/
public static void checkCode(String code) {
if (StringUtils.isEmpty(code)) {
throw new AuthException(ResponseStatus.ILLEGAL_CODE);
}
}
/**
* 校验state的合法性防止被CSRF
*
* @param newState 新的state一般为回调时传回的state可能被篡改
* @param originalState 原始的state发起授权时向第三方平台传递的state
*/
public static void checkState(String newState, String originalState) {
// 如果原始state为空表示当前平台未使用state
if (StringUtils.isEmpty(originalState)) {
return;
}
// 如果授权之前使用了state但是回调时未返回state则表示当前请求为非法的请求可能正在被CSRF攻击
if (StringUtils.isEmpty(newState)) {
throw new AuthException(ResponseStatus.ILLEGAL_REQUEST);
}
// 如果授权前后的state不一致则表示当前请求为非法的请求新的state可能为伪造
if (!newState.equals(originalState)) {
throw new AuthException(ResponseStatus.ILLEGAL_REQUEST);
}
}
}

21
src/main/java/me/zhyd/oauth/utils/UrlBuilder.java
View File

@@ -13,9 +13,9 @@ import java.text.MessageFormat;
*/
public class UrlBuilder {
private static final String GITHUB_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&code={3}&redirect_uri={4}";
private static final String GITHUB_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&code={3}&redirect_uri={4}&state={5}";
private static final String GITHUB_USER_INFO_PATTERN = "{0}?access_token={1}";
private static final String GITHUB_AUTHORIZE_PATTERN = "{0}?client_id={1}&state=1&redirect_uri={2}";
private static final String GITHUB_AUTHORIZE_PATTERN = "{0}?client_id={1}&redirect_uri={2}&state={3}";
private static final String GOOGLE_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&scope=openid%20email%20profile&redirect_uri={2}&state={3}";
private static final String GOOGLE_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&code={3}&redirect_uri={4}&grant_type=authorization_code";
@@ -23,7 +23,7 @@ public class UrlBuilder {
private static final String WEIBO_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&grant_type=authorization_code&code={3}&redirect_uri={4}";
private static final String WEIBO_USER_INFO_PATTERN = "{0}?{1}";
private static final String WEIBO_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}";
private static final String WEIBO_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}&state={3}";
private static final String GITEE_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&grant_type=authorization_code&code={3}&redirect_uri={4}";
private static final String GITEE_USER_INFO_PATTERN = "{0}?access_token={1}";
@@ -103,10 +103,11 @@ public class UrlBuilder {
* @param clientSecret github 应用的Client Secret
* @param code github 授权前的code用来换token
* @param redirectUri 待跳转的页面
* @param state 随机字符串用于保持会话状态防止CSRF攻击
* @return full url
*/
public static String getGithubAccessTokenUrl(String clientId, String clientSecret, String code, String redirectUri) {
return MessageFormat.format(GITHUB_ACCESS_TOKEN_PATTERN, AuthSource.GITHUB.accessToken(), clientId, clientSecret, code, redirectUri);
public static String getGithubAccessTokenUrl(String clientId, String clientSecret, String code, String redirectUri, String state) {
return MessageFormat.format(GITHUB_ACCESS_TOKEN_PATTERN, AuthSource.GITHUB.accessToken(), clientId, clientSecret, code, redirectUri, StringUtils.isEmpty(state) ? System.currentTimeMillis() : state);
}
/**
@@ -124,10 +125,11 @@ public class UrlBuilder {
*
* @param clientId github 应用的Client ID
* @param redirectUrl github 应用授权成功后的回调地址
* @param state 随机字符串用于保持会话状态防止CSRF攻击
* @return full url
*/
public static String getGithubAuthorizeUrl(String clientId, String redirectUrl) {
return MessageFormat.format(GITHUB_AUTHORIZE_PATTERN, AuthSource.GITHUB.authorize(), clientId, redirectUrl);
public static String getGithubAuthorizeUrl(String clientId, String redirectUrl, String state) {
return MessageFormat.format(GITHUB_AUTHORIZE_PATTERN, AuthSource.GITHUB.authorize(), clientId, redirectUrl, StringUtils.isEmpty(state) ? System.currentTimeMillis() : state);
}
/**
@@ -158,10 +160,11 @@ public class UrlBuilder {
*
* @param clientId weibo 应用的Client ID
* @param redirectUrl weibo 应用授权成功后的回调地址
* @param state 随机字符串用于保持会话状态防止CSRF攻击
* @return full url
*/
public static String getWeiboAuthorizeUrl(String clientId, String redirectUrl) {
return MessageFormat.format(WEIBO_AUTHORIZE_PATTERN, AuthSource.WEIBO.authorize(), clientId, redirectUrl);
public static String getWeiboAuthorizeUrl(String clientId, String redirectUrl, String state) {
return MessageFormat.format(WEIBO_AUTHORIZE_PATTERN, AuthSource.WEIBO.authorize(), clientId, redirectUrl, StringUtils.isEmpty(state) ? System.currentTimeMillis() : state);
}
/**