🍻 完善百度登录，增加gitee登录的state校验

78988555 · 智布道 · ac4ede74 · 78988555 · 78988555 · 78988555
5 changed file
--- a/src/main/java/me/zhyd/oauth/request/AuthBaiduRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthBaiduRequest.java
@@ -32,7 +32,12 @@ public class AuthBaiduRequest extends BaseAuthRequest {
        if (AuthBaiduErrorCode.OK != errorCode) {
            throw new AuthException(errorCode.getDesc());
        }
-        return AuthToken.builder().accessToken(accessTokenObject.getString("access_token")).build();
+        return AuthToken.builder()
+                .accessToken(accessTokenObject.getString("access_token"))
+                .refreshToken(accessTokenObject.getString("refresh_token"))
+                .scope(accessTokenObject.getString("scope"))
+                .expireIn(accessTokenObject.getIntValue("expires_in"))
+                .build();
    }

    @Override

--- a/src/main/java/me/zhyd/oauth/request/AuthGiteeRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthGiteeRequest.java
@@ -66,6 +66,6 @@ public class AuthGiteeRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getGiteeAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getGiteeAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }
 }
--- a/src/main/java/me/zhyd/oauth/request/AuthGithubRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthGithubRequest.java
@@ -30,7 +30,7 @@ public class AuthGithubRequest extends BaseAuthRequest {

    @Override
    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        String accessTokenUrl = UrlBuilder.getGithubAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode(), config.getRedirectUri(), config.getState());
+        String accessTokenUrl = UrlBuilder.getGithubAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode(), config.getRedirectUri());
        HttpResponse response = HttpRequest.post(accessTokenUrl).execute();
        Map<String, String> res = GlobalAuthUtil.parseStringToMap(response.body());
        if (res.containsKey("error")) {

--- a/src/main/java/me/zhyd/oauth/utils/UrlBuilder.java
+++ b/src/main/java/me/zhyd/oauth/utils/UrlBuilder.java
@@ -13,7 +13,7 @@ import java.text.MessageFormat;
 */
 public class UrlBuilder {

-    private static final String GITHUB_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&code={3}&redirect_uri={4}&state={5}";
+    private static final String GITHUB_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&code={3}&redirect_uri={4}";
    private static final String GITHUB_USER_INFO_PATTERN = "{0}?access_token={1}";
    private static final String GITHUB_AUTHORIZE_PATTERN = "{0}?client_id={1}&redirect_uri={2}&state={3}";

@@ -27,7 +27,7 @@ public class UrlBuilder {

    private static final String GITEE_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&grant_type=authorization_code&code={3}&redirect_uri={4}";
    private static final String GITEE_USER_INFO_PATTERN = "{0}?access_token={1}";
-    private static final String GITEE_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}";
+    private static final String GITEE_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}&state={3}";

    private static final String DING_TALK_QRCONNECT_PATTERN = "{0}?appid={1}&response_type=code&scope=snsapi_login&state=STATE&redirect_uri={2}";
    private static final String DING_TALK_USER_INFO_PATTERN = "{0}?signature={1}&timestamp={2}&accessKey={3}";
@@ -96,6 +96,15 @@ public class UrlBuilder {
    private static final String TOUTIAO_USER_INFO_PATTERN = "{0}?client_key={1}&access_token={2}";
    private static final String TOUTIAO_AUTHORIZE_PATTERN = "{0}?client_key={1}&redirect_uri={2}&state={3}&response_type=code&auth_only=1&display=0";

+    /**
+     * 获取state，如果为空， 则默认去当前日期的时间戳
+     *
+     * @param state state
+     */
+    private static Object getState(String state) {
+        return StringUtils.isEmpty(state) ? String.valueOf(System.currentTimeMillis()) : state;
+    }
+
    /**
     * 获取githubtoken的接口地址
     *
@@ -103,11 +112,10 @@ public class UrlBuilder {
     * @param clientSecret github 应用的Client Secret
     * @param code         github 授权前的code，用来换token
     * @param redirectUri  待跳转的页面
-     * @param state        随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getGithubAccessTokenUrl(String clientId, String clientSecret, String code, String redirectUri, String state) {
-        return MessageFormat.format(GITHUB_ACCESS_TOKEN_PATTERN, AuthSource.GITHUB.accessToken(), clientId, clientSecret, code, redirectUri, StringUtils.isEmpty(state) ? System.currentTimeMillis() : state);
+    public static String getGithubAccessTokenUrl(String clientId, String clientSecret, String code, String redirectUri) {
+        return MessageFormat.format(GITHUB_ACCESS_TOKEN_PATTERN, AuthSource.GITHUB.accessToken(), clientId, clientSecret, code, redirectUri);
    }

    /**
@@ -129,7 +137,7 @@ public class UrlBuilder {
     * @return full url
     */
    public static String getGithubAuthorizeUrl(String clientId, String redirectUrl, String state) {
-        return MessageFormat.format(GITHUB_AUTHORIZE_PATTERN, AuthSource.GITHUB.authorize(), clientId, redirectUrl, StringUtils.isEmpty(state) ? System.currentTimeMillis() : state);
+        return MessageFormat.format(GITHUB_AUTHORIZE_PATTERN, AuthSource.GITHUB.authorize(), clientId, redirectUrl, getState(state));
    }

    /**
@@ -164,7 +172,7 @@ public class UrlBuilder {
     * @return full url
     */
    public static String getWeiboAuthorizeUrl(String clientId, String redirectUrl, String state) {
-        return MessageFormat.format(WEIBO_AUTHORIZE_PATTERN, AuthSource.WEIBO.authorize(), clientId, redirectUrl, StringUtils.isEmpty(state) ? System.currentTimeMillis() : state);
+        return MessageFormat.format(WEIBO_AUTHORIZE_PATTERN, AuthSource.WEIBO.authorize(), clientId, redirectUrl, getState(state));
    }

    /**
@@ -195,10 +203,11 @@ public class UrlBuilder {
     *
     * @param clientId    gitee 应用的Client ID
     * @param redirectUrl gitee 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return json
     */
-    public static String getGiteeAuthorizeUrl(String clientId, String redirectUrl) {
-        return MessageFormat.format(GITEE_AUTHORIZE_PATTERN, AuthSource.GITEE.authorize(), clientId, redirectUrl);
+    public static String getGiteeAuthorizeUrl(String clientId, String redirectUrl, String state) {
+        return MessageFormat.format(GITEE_AUTHORIZE_PATTERN, AuthSource.GITEE.authorize(), clientId, redirectUrl, getState(state));
    }

    /**

--- a/update.md
+++ b/update.md
+### 2019/06/28
+1. 修复百度登录获取不到token失效时间的问题
+2. gitee增加state参数校验
+
+### 2019/06/27
+1. 修改login方法的参数为AuthCallback，封装回调返回的参数
+2. 支持state参数
+3. 增加code和state参数校验
+
 ### 2019/06/25
 qq授权登录时，需要获取`openId`作为`uuid`，在`1.6.1-beta`和`1.7.0`版本中，引入了`unionId`这一属性。获取`unionid`需要单独向qq团队**发送邮件**申请权限，鉴于这一申请权限的步骤比较麻烦（需要填写的内容比较多），所以在`AuthConfig`中增加了一个`unionId`属性，当为**true**时才会获取unionid，当为false时只获取openId。如果你需要该功能， 则在自行申请了相关权限后，将该属性置为true即可。关于unionId的参考链接：[UnionID介绍](http://wiki.connect.qq.com/unionid%E4%BB%8B%E7%BB%8D)