♻ 修改部分代码

pom.xml

@@ -54,7 +54,7 @@
     <maven-source.version>2.2.1</maven-source.version>
     <maven-compiler.version>3.7.0</maven-compiler.version>
     <maven.test.skip>true</maven.test.skip>
-    <hutool-version>4.6.0</hutool-version>
+    <hutool-version>4.6.1</hutool-version>
     <lombok-version>1.18.4</lombok-version>
     <junit-version>4.11</junit-version>
     <fastjson-version>1.2.58</fastjson-version>
@@ -89,7 +89,7 @@
       <groupId>com.alipay.sdk</groupId>
       <artifactId>alipay-sdk-java</artifactId>
       <version>${alipay-sdk-version}</version>
-      <scope>compile</scope>
+      <scope>provided</scope>
     </dependency>
     <dependency>
       <groupId>org.slf4j</groupId>

src/main/java/me/zhyd/oauth/request/AuthDefaultRequest.java

@@ -43,6 +43,7 @@ public abstract class AuthDefaultRequest implements AuthRequest {
     public AuthResponse login(AuthCallback authCallback) {
         try {
             AuthChecker.checkCode(source == AuthSource.ALIPAY ? authCallback.getAuth_code() : authCallback.getCode());
+            AuthChecker.checkState(authCallback);
 
             AuthToken authToken = this.getAccessToken(authCallback);
             AuthUser user = this.getUserInfo(authToken);

src/main/java/me/zhyd/oauth/request/AuthPinterestRequest.java

@@ -92,6 +92,7 @@ public class AuthPinterestRequest extends AuthDefaultRequest {
      * @param authToken token
      * @return 返回获取userInfo的url
      */
+    @Override
     protected String userInfoUrl(AuthToken authToken) {
         return UrlBuilder.fromBaseUrl(source.userInfo())
             .queryParam("access_token", authToken.getAccessToken())

src/main/java/me/zhyd/oauth/utils/AuthChecker.java

@@ -3,6 +3,7 @@ package me.zhyd.oauth.utils;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
+import me.zhyd.oauth.model.AuthCallback;
 import me.zhyd.oauth.model.AuthResponseStatus;
 
 /**
@@ -22,7 +23,8 @@ public class AuthChecker {
      * @since 1.6.1-beta
      */
     public static boolean isSupportedAuth(AuthConfig config, AuthSource source) {
-        boolean isSupported = StringUtils.isNotEmpty(config.getClientId()) && StringUtils.isNotEmpty(config.getClientSecret()) && StringUtils.isNotEmpty(config.getRedirectUri());
+        boolean isSupported = StringUtils.isNotEmpty(config.getClientId()) && StringUtils.isNotEmpty(config.getClientSecret()) && StringUtils
+            .isNotEmpty(config.getRedirectUri());
         if (isSupported && AuthSource.ALIPAY == source) {
             isSupported = StringUtils.isNotEmpty(config.getAlipayPublicKey());
         }
@@ -65,4 +67,15 @@ public class AuthChecker {
             throw new AuthException(AuthResponseStatus.ILLEGAL_CODE);
         }
     }
+
+    /**
+     * 校验回调传回的state
+     *
+     * @param authCallback 回调
+     */
+    public static void checkState(AuthCallback authCallback) {
+        if (!authCallback.checkState()) {
+            throw new AuthException(AuthResponseStatus.ILLEGAL_REQUEST);
+        }
+    }
 }