From 78988555b03d19d6298de63cd5d0854f5c3f6a4f Mon Sep 17 00:00:00 2001
From: "yadong.zhang"
Date: Fri, 28 Jun 2019 21:33:49 +0800
Subject: [PATCH] =?UTF-8?q?:beers:=20=E5=AE=8C=E5=96=84=E7=99=BE=E5=BA=A6?=
 =?UTF-8?q?=E7=99=BB=E5=BD=95=EF=BC=8C=E5=A2=9E=E5=8A=A0gitee=E7=99=BB?=
 =?UTF-8?q?=E5=BD=95=E7=9A=84state=E6=A0=A1=E9=AA=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../zhyd/oauth/request/AuthBaiduRequest.java | 7 ++++-
 .../zhyd/oauth/request/AuthGiteeRequest.java | 2 +-
 .../zhyd/oauth/request/AuthGithubRequest.java | 2 +-
 .../java/me/zhyd/oauth/utils/UrlBuilder.java | 27 ++++++++++++-------
 update.md | 9 +++++++
 5 files changed, 35 insertions(+), 12 deletions(-)
diff --git a/src/main/java/me/zhyd/oauth/request/AuthBaiduRequest.java b/src/main/java/me/zhyd/oauth/request/AuthBaiduRequest.java
index 6eb936d..06f36bf 100644
--- a/src/main/java/me/zhyd/oauth/request/AuthBaiduRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthBaiduRequest.java
@@ -32,7 +32,12 @@ public class AuthBaiduRequest extends BaseAuthRequest {
 if (AuthBaiduErrorCode.OK != errorCode) {
 throw new AuthException(errorCode.getDesc());
 }
- return AuthToken.builder().accessToken(accessTokenObject.getString("access_token")).build();
+ return AuthToken.builder()
+ .accessToken(accessTokenObject.getString("access_token"))
+ .refreshToken(accessTokenObject.getString("refresh_token"))
+ .scope(accessTokenObject.getString("scope"))
+ .expireIn(accessTokenObject.getIntValue("expires_in"))
+ .build();
 }
 @Override
diff --git a/src/main/java/me/zhyd/oauth/request/AuthGiteeRequest.java b/src/main/java/me/zhyd/oauth/request/AuthGiteeRequest.java
index 4833384..192f684 100644
--- a/src/main/java/me/zhyd/oauth/request/AuthGiteeRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthGiteeRequest.java
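Review bot: The new builder chain in getAccessToken reads `refresh_token`, `scope` and `expires_in` without checking that they are present, so — if accessTokenObject is a fastjson JSONObject, as the getIntValue call suggests — a missing or non-numeric `expires_in` silently becomes 0 and the two strings become null, and a consumer of AuthToken cannot tell "lifetime not reported" from "expires immediately". RFC 6749 §5.1 makes expires_in RECOMMENDED rather than REQUIRED, so this is a silent data-quality gap rather than a parse failure; either make the 0 sentinel explicit on the AuthToken side or mark it here with a comment such as `// expires_in is optional in the token response; getIntValue yields 0 when absent, callers must treat 0 as unknown`. The enclosing getAccessToken begins before this hunk, so the parsing and error handling of accessTokenObject are not visible here.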
@@ -66,6 +66,6 @@ public class AuthGiteeRequest extends BaseAuthRequest {
 */
 @Override
 public String authorize() {
- return UrlBuilder.getGiteeAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+ return UrlBuilder.getGiteeAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
 }
 }
diff --git a/src/main/java/me/zhyd/oauth/request/AuthGithubRequest.java b/src/main/java/me/zhyd/oauth/request/AuthGithubRequest.java
index d7245a9..bd60e1a 100644
--- a/src/main/java/me/zhyd/oauth/request/AuthGithubRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthGithubRequest.java
@@ -30,7 +30,7 @@ public class AuthGithubRequest extends BaseAuthRequest {
 @Override
 protected AuthToken getAccessToken(AuthCallback authCallback) {
- String accessTokenUrl = UrlBuilder.getGithubAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode(), config.getRedirectUri(), config.getState());
+ String accessTokenUrl = UrlBuilder.getGithubAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode(), config.getRedirectUri());
 HttpResponse response = HttpRequest.post(accessTokenUrl).execute();
 Map res = GlobalAuthUtil.parseStringToMap(response.body());
 if (res.containsKey("error")) {
diff --git a/src/main/java/me/zhyd/oauth/utils/UrlBuilder.java b/src/main/java/me/zhyd/oauth/utils/UrlBuilder.java
index 8df5de4..2f0492b 100644
--- a/src/main/java/me/zhyd/oauth/utils/UrlBuilder.java
+++ b/src/main/java/me/zhyd/oauth/utils/UrlBuilder.java
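Review bot: The rewritten accessTokenUrl line in AuthGithubRequest.getAccessToken still places client_secret and the one-time authorization code in the query string of a POST, so the credential ends up in web-server, proxy and HTTP-client debug logs; RFC 6749 §2.3.1 expects client credentials in the request body or an Authorization header, never in the request URI. Dropping state from this request is correct — state belongs to the authorization request and its callback, not to the code exchange — but the secret placement is worth fixing in the same pass by posting the parameters as form fields to AuthSource.GITHUB.accessToken() rather than formatting them into the URL. The enclosing getAccessToken continues past the end of the hunk, and the context line `Map res = ...` uses a raw type that should carry the type arguments parseStringToMap actually declares.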
@@ -13,7 +13,7 @@ import java.text.MessageFormat;
 */
 public class UrlBuilder {
- private static final String GITHUB_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&code={3}&redirect_uri={4}&state={5}";
+ private static final String GITHUB_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&code={3}&redirect_uri={4}";
 private static final String GITHUB_USER_INFO_PATTERN = "{0}?access_token={1}";
 private static final String GITHUB_AUTHORIZE_PATTERN = "{0}?client_id={1}&redirect_uri={2}&state={3}";
@@ -27,7 +27,7 @@ public class UrlBuilder {
 private static final String GITEE_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&grant_type=authorization_code&code={3}&redirect_uri={4}";
 private static final String GITEE_USER_INFO_PATTERN = "{0}?access_token={1}";
- private static final String GITEE_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}";
+ private static final String GITEE_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}&state={3}";
 private static final String DING_TALK_QRCONNECT_PATTERN = "{0}?appid={1}&response_type=code&scope=snsapi_login&state=STATE&redirect_uri={2}";
 private static final String DING_TALK_USER_INFO_PATTERN = "{0}?signature={1}×tamp={2}&accessKey={3}";
@@ -96,6 +96,15 @@ public class UrlBuilder {
 private static final String TOUTIAO_USER_INFO_PATTERN = "{0}?client_key={1}&access_token={2}";
 private static final String TOUTIAO_AUTHORIZE_PATTERN = "{0}?client_key={1}&redirect_uri={2}&state={3}&response_type=code&auth_only=1&display=0";
+ /**
+ * 获取state,如果为空, 则默认去当前日期的时间戳
+ *
+ * @param state state
+ */
+ private static Object getState(String state) {
+ return StringUtils.isEmpty(state) ? String.valueOf(System.currentTimeMillis()) : state;
+ }
+
 /**
 * 获取githubtoken的接口地址
 *
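Review bot: getState falls back to `String.valueOf(System.currentTimeMillis())` when the caller supplies no state, and a millisecond timestamp is guessable to within a handful of values, so the fallback gives none of the CSRF protection the callers' Javadoc promises (getGithubAuthorizeUrl and getWeiboAuthorizeUrl in the following hunks and getGiteeAuthorizeUrl further down all route through it). The generated value is also only embedded in the returned URL and, as far as this diff shows, never handed back to the caller or stored anywhere, so the callback-side state check named in the commit title can only succeed when the caller passed its own state. Return a String rather than Object and use an unguessable value: `private static String getState(String state) {` / `return StringUtils.isEmpty(state) ? UUID.randomUUID().toString() : state;` (java.util.UUID; randomUUID() is backed by a cryptographically strong generator), and preferably have the request layer generate and persist the state itself rather than let the URL builder invent one. The Javadoc should also gain an `@return` line that names the fallback, since the one-line description is the only place that behaviour is recorded.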
@@ -103,11 +112,10 @@ public class UrlBuilder {
 * @param clientSecret github 应用的Client Secret
 * @param code github 授权前的code,用来换token
 * @param redirectUri 待跳转的页面
- * @param state 随机字符串,用于保持会话状态,防止CSRF攻击
 * @return full url
 */
- public static String getGithubAccessTokenUrl(String clientId, String clientSecret, String code, String redirectUri, String state) {
- return MessageFormat.format(GITHUB_ACCESS_TOKEN_PATTERN, AuthSource.GITHUB.accessToken(), clientId, clientSecret, code, redirectUri, StringUtils.isEmpty(state) ? System.currentTimeMillis() : state);
+ public static String getGithubAccessTokenUrl(String clientId, String clientSecret, String code, String redirectUri) {
+ return MessageFormat.format(GITHUB_ACCESS_TOKEN_PATTERN, AuthSource.GITHUB.accessToken(), clientId, clientSecret, code, redirectUri);
 }
 /**
@@ -129,7 +137,7 @@ public class UrlBuilder {
 * @return full url
 */
 public static String getGithubAuthorizeUrl(String clientId, String redirectUrl, String state) {
- return MessageFormat.format(GITHUB_AUTHORIZE_PATTERN, AuthSource.GITHUB.authorize(), clientId, redirectUrl, StringUtils.isEmpty(state) ? System.currentTimeMillis() : state);
+ return MessageFormat.format(GITHUB_AUTHORIZE_PATTERN, AuthSource.GITHUB.authorize(), clientId, redirectUrl, getState(state));
 }
 /**
@@ -164,7 +172,7 @@ public class UrlBuilder {
 * @return full url
 */
 public static String getWeiboAuthorizeUrl(String clientId, String redirectUrl, String state) {
- return MessageFormat.format(WEIBO_AUTHORIZE_PATTERN, AuthSource.WEIBO.authorize(), clientId, redirectUrl, StringUtils.isEmpty(state) ? System.currentTimeMillis() : state);
+ return MessageFormat.format(WEIBO_AUTHORIZE_PATTERN, AuthSource.WEIBO.authorize(), clientId, redirectUrl, getState(state));
 }
 /**
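Review bot: The four-argument getGithubAccessTokenUrl replaces the five-argument one instead of being added beside it, so this public static utility breaks source compatibility for any caller outside this commit, and the update.md entry in the same commit does not record the removal. Taking state out of the token request is the right direction — it belongs to the authorization request and its callback — so the compatible option is a deprecated overload that delegates: `@Deprecated` / `public static String getGithubAccessTokenUrl(String clientId, String clientSecret, String code, String redirectUri, String state) {` / `return getGithubAccessTokenUrl(clientId, clientSecret, code, redirectUri); }`. The removed `@param state` Javadoc line would then move to that overload together with a `@deprecated` tag pointing at the new signature.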
@@ -195,10 +203,11 @@ public class UrlBuilder {
 *
 * @param clientId gitee 应用的Client ID
 * @param redirectUrl gitee 应用授权成功后的回调地址
+ * @param state 随机字符串,用于保持会话状态,防止CSRF攻击
 * @return json
 */
- public static String getGiteeAuthorizeUrl(String clientId, String redirectUrl) {
- return MessageFormat.format(GITEE_AUTHORIZE_PATTERN, AuthSource.GITEE.authorize(), clientId, redirectUrl);
+ public static String getGiteeAuthorizeUrl(String clientId, String redirectUrl, String state) {
+ return MessageFormat.format(GITEE_AUTHORIZE_PATTERN, AuthSource.GITEE.authorize(), clientId, redirectUrl, getState(state));
 }
 /**
diff --git a/update.md b/update.md
index 3a37de9..785a3d7 100644
--- a/update.md
+++ b/update.md
@@ -1,3 +1,12 @@
+### 2019/06/28
+1. 修复百度登录获取不到token失效时间的问题
+2. gitee增加state参数校验
+
+### 2019/06/27
+1. 修改login方法的参数为AuthCallback,封装回调返回的参数
+2. 支持state参数
+3. 增加code和state参数校验
+
 ### 2019/06/25
 qq授权登录时,需要获取`openId`作为`uuid`,在`1.6.1-beta`和`1.7.0`版本中,引入了`unionId`这一属性。获取`unionid`需要单独向qq团队**发送邮件**申请权限,鉴于这一申请权限的步骤比较麻烦(需要填写的内容比较多),所以在`AuthConfig`中增加了一个`unionId`属性,当为**true**时才会获取unionid,当为false时只获取openId。如果你需要该功能, 则在自行申请了相关权限后,将该属性置为true即可。关于unionId的参考链接:[UnionID介绍](http://wiki.connect.qq.com/unionid%E4%BB%8B%E7%BB%8D)
-- 
GitLab
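Review bot: getGiteeAuthorizeUrl inserts state into GITEE_AUTHORIZE_PATTERN through MessageFormat with no URL encoding, so a state containing `&`, `#`, `+`, `%` or whitespace alters or truncates the query string that Gitee receives and echoes back, and the callback-side comparison then fails or matches the wrong value. redirectUrl was already passed raw, but state is the parameter this commit adds and the one a caller is most likely to fill with opaque, session-bound data. Encode each parameter with java.net.URLEncoder (UTF-8) before the format call, or else state the constraint in the new Javadoc line, e.g. `@param state 随机字符串 (must be URL-safe; it is inserted into the query string unencoded)`. The Javadoc `@return json` on the context line above is also inaccurate for a method that returns an authorize URL.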