refactor(认证模块): 加密key校验 (#364)

2023-07-18 14:09:49 +08:00 · 2023-07-18 14:09:49 +08:00 · 0d8b175a15
parent ae7f083e95
commit 0d8b175a15
1 changed files with 12 additions and 2 deletions
--- a/jetlinks-manager/authentication-manager/src/main/java/org/jetlinks/community/auth/login/UserLoginLogicInterceptor.java
+++ b/jetlinks-manager/authentication-manager/src/main/java/org/jetlinks/community/auth/login/UserLoginLogicInterceptor.java
@ -13,6 +13,7 @@ import org.hswebframework.web.authorization.exception.AccessDenyException;
 import org.hswebframework.web.authorization.exception.AuthenticationException;
 import org.hswebframework.web.exception.ValidationException;
 import org.hswebframework.web.id.IDGenerator;
+import org.hswebframework.web.id.RandomIdGenerator;
 import org.hswebframework.web.logging.RequestInfo;
 import org.hswebframework.web.utils.DigestUtils;
 import org.jetlinks.core.utils.Reactors;
@ -95,11 +96,17 @@ public class UserLoginLogicInterceptor {
        }
    }

+    protected boolean isLegalEncryptId(String id) {
+        return RandomIdGenerator.timestampRangeOf(id, properties.getEncrypt().getKeyTtl());
+    }
+
    Mono<Void> doDecrypt(AuthorizationDecodeEvent event) {
        String encId = event
            .getParameter("encryptId")
            .map(String::valueOf)
-            .orElseThrow(() -> new ValidationException("encryptId", "encryptId is required"));
+            .filter(this::isLegalEncryptId)
+            //统一返回密码错误
+            .orElseThrow(() -> new AuthenticationException(AuthenticationException.ILLEGAL_PASSWORD));
        String redisKey = createEncRedisKey(encId);
        return redis
            .opsForValue()
@ -118,7 +125,7 @@ public class UserLoginLogicInterceptor {
                return Reactors.ALWAYS_FALSE;
            })
            .defaultIfEmpty(false)
-            .then(redis.opsForValue().delete(redisKey))
+            .flatMap(ignore -> redis.opsForValue().delete(redisKey).thenReturn(ignore))
            .doOnSuccess(success -> {
                if (!success) {
                    throw new AuthenticationException(AuthenticationException.ILLEGAL_PASSWORD);
@ -136,6 +143,9 @@ public class UserLoginLogicInterceptor {
    }

    private Mono<Void> recordAuthFailed(AbstractAuthorizationEvent event) {
+        if (!properties.getBlock().isEnabled()) {
+            return Mono.empty();
+        }
        return createBlockRedisKey(event)
            .flatMap(key -> redis
                .opsForValue()