👽 修改login方法的参数为AuthCallback，封装回调返回的参数、支持state参数、增加code和state参数校验

ac4ede74 · 智布道 · 9941ce7e · ac4ede74 · ac4ede74 · ac4ede74
31 changed file
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@
    <groupId>me.zhyd.oauth</groupId>
    <artifactId>JustAuth</artifactId>
-    <version>1.7.1</version>
+    <version>1.8.0</version>
    <name>JustAuth</name>
    <url>https://gitee.com/yadong.zhang/JustAuth</url>

--- a/src/main/java/me/zhyd/oauth/config/AuthConfig.java
+++ b/src/main/java/me/zhyd/oauth/config/AuthConfig.java
@@ -40,6 +40,15 @@ public class AuthConfig {
     * 是否需要申请unionid，目前只针对qq登录
     * 注：qq授权登录时，获取unionid需要单独发送邮件申请权限。如果个人开发者账号中申请了该权限，可以将该值置为true，在获取openId时就会同步获取unionId
     * 参考链接：http://wiki.connect.qq.com/unionid%E4%BB%8B%E7%BB%8D
+     * <p>
+     * 1.7.1版本新增参数
     */
    private boolean unionId;
+    /**
+     * 一个神奇的参数，最好使用随机的不可测的内容，可以用来防止CSRF攻击
+     * <p>
+     * 1.8.0版本新增参数
+     */
+    private String state;
 }
--- a/src/main/java/me/zhyd/oauth/model/AuthCallback.java
+++ b/src/main/java/me/zhyd/oauth/model/AuthCallback.java
+package me.zhyd.oauth.model;
+import lombok.Getter;
+import lombok.Setter;
+/**
+ * 授权回调时的参数类
+ *
+ * @author yadong.zhang (yadong.zhang0415(a)gmail.com)
+ * @version 1.0
+ * @since 1.8
+ */
+@Getter
+@Setter
+public class AuthCallback {
+    /**
+     * 访问AuthorizeUrl后回调时带的参数code
+     */
+    private String code;
+    /**
+     * 访问AuthorizeUrl后回调时带的参数auth_code，该参数目前只使用于支付宝登录
+     */
+    private String auth_code;
+    /**
+     * 访问AuthorizeUrl后回调时带的参数state，用于和请求AuthorizeUrl前的state比较，防止CSRF攻击
+     */
+    private String state;
+}
--- a/src/main/java/me/zhyd/oauth/model/AuthResponse.java
+++ b/src/main/java/me/zhyd/oauth/model/AuthResponse.java
 package me.zhyd.oauth.model;
 import lombok.Builder;
-import lombok.Data;
+import lombok.Getter;
+import lombok.Setter;
 import me.zhyd.oauth.request.ResponseStatus;
 /**
@@ -11,8 +12,9 @@ import me.zhyd.oauth.request.ResponseStatus;
 * @version 1.0
 * @since 1.8
 */
+@Getter
+@Setter
 @Builder
-@Data
 public class AuthResponse<T> {
    /**
     * 授权响应状态码

--- a/src/main/java/me/zhyd/oauth/model/AuthToken.java
+++ b/src/main/java/me/zhyd/oauth/model/AuthToken.java
@@ -2,6 +2,8 @@ package me.zhyd.oauth.model;
 import lombok.Builder;
 import lombok.Data;
+import lombok.Getter;
+import lombok.Setter;
 /**
 * 授权所需的token
@@ -10,7 +12,8 @@ import lombok.Data;
 * @version 1.0
 * @since 1.8
 */
-@Data
+@Getter
+@Setter
 @Builder
 public class AuthToken {
    private String accessToken;

--- a/src/main/java/me/zhyd/oauth/model/AuthUser.java
+++ b/src/main/java/me/zhyd/oauth/model/AuthUser.java
@@ -2,6 +2,8 @@ package me.zhyd.oauth.model;
 import lombok.Builder;
 import lombok.Data;
+import lombok.Getter;
+import lombok.Setter;
 import me.zhyd.oauth.config.AuthSource;
 /**
@@ -11,8 +13,9 @@ import me.zhyd.oauth.config.AuthSource;
 * @version 1.0
 * @since 1.8
 */
+@Getter
+@Setter
 @Builder
-@Data
 public class AuthUser {
    /**
     * 用户名

--- a/src/main/java/me/zhyd/oauth/request/AuthAlipayRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthAlipayRequest.java
@@ -10,6 +10,7 @@ import com.alipay.api.response.AlipayUserInfoShareResponse;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
+import me.zhyd.oauth.model.AuthCallback;
 import me.zhyd.oauth.model.AuthToken;
 import me.zhyd.oauth.model.AuthUser;
 import me.zhyd.oauth.model.AuthUserGender;
@@ -34,15 +35,15 @@ public class AuthAlipayRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
        AlipaySystemOauthTokenRequest request = new AlipaySystemOauthTokenRequest();
        request.setGrantType("authorization_code");
-        request.setCode(code);
+        request.setCode(authCallback.getCode());
        AlipaySystemOauthTokenResponse response = null;
        try {
            response = this.alipayClient.execute(request);
        } catch (Exception e) {
-            throw new AuthException("Unable to get token from alipay using code [" + code + "]", e);
+            throw new AuthException("Unable to get token from alipay using code [" + authCallback.getCode() + "]", e);
        }
        if (!response.isSuccess()) {
            throw new AuthException(response.getSubMsg());

--- a/src/main/java/me/zhyd/oauth/request/AuthBaiduRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthBaiduRequest.java
@@ -23,8 +23,8 @@ public class AuthBaiduRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        String accessTokenUrl = UrlBuilder.getBaiduAccessTokenUrl(config.getClientId(), config.getClientSecret(), code, config
+        String accessTokenUrl = UrlBuilder.getBaiduAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode(), config
                .getRedirectUri());
        HttpResponse response = HttpRequest.post(accessTokenUrl).execute();
        JSONObject accessTokenObject = JSONObject.parseObject(response.body());

--- a/src/main/java/me/zhyd/oauth/request/AuthCodingRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthCodingRequest.java
@@ -6,6 +6,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
+import me.zhyd.oauth.model.AuthCallback;
 import me.zhyd.oauth.model.AuthToken;
 import me.zhyd.oauth.model.AuthUser;
 import me.zhyd.oauth.model.AuthUserGender;
@@ -25,12 +26,12 @@ public class AuthCodingRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        String accessTokenUrl = UrlBuilder.getCodingAccessTokenUrl(config.getClientId(), config.getClientSecret(), code);
+        String accessTokenUrl = UrlBuilder.getCodingAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode());
        HttpResponse response = HttpRequest.get(accessTokenUrl).execute();
        JSONObject accessTokenObject = JSONObject.parseObject(response.body());
        if (accessTokenObject.getIntValue("code") != 0) {
-            throw new AuthException("Unable to get token from coding using code [" + code + "]");
+            throw new AuthException("Unable to get token from coding using code [" + authCallback.getCode() + "]");
        }
        return AuthToken.builder().accessToken(accessTokenObject.getString("access_token")).build();
    }

--- a/src/main/java/me/zhyd/oauth/request/AuthCsdnRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthCsdnRequest.java
@@ -6,6 +6,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
+import me.zhyd.oauth.model.AuthCallback;
 import me.zhyd.oauth.model.AuthToken;
 import me.zhyd.oauth.model.AuthUser;
 import me.zhyd.oauth.model.AuthUserGender;
@@ -25,13 +26,13 @@ public class AuthCsdnRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        String accessTokenUrl = UrlBuilder.getCsdnAccessTokenUrl(config.getClientId(), config.getClientSecret(), code, config
+        String accessTokenUrl = UrlBuilder.getCsdnAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode(), config
                .getRedirectUri());
        HttpResponse response = HttpRequest.post(accessTokenUrl).execute();
        JSONObject accessTokenObject = JSONObject.parseObject(response.body());
        if (accessTokenObject.containsKey("error_code")) {
-            throw new AuthException("Unable to get token from csdn using code [" + code + "]");
+            throw new AuthException("Unable to get token from csdn using code [" + authCallback.getCode() + "]");
        }
        return AuthToken.builder().accessToken(accessTokenObject.getString("access_token")).build();
    }

--- a/src/main/java/me/zhyd/oauth/request/AuthDingTalkRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthDingTalkRequest.java
@@ -7,10 +7,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
-import me.zhyd.oauth.model.AuthDingTalkErrorCode;
+import me.zhyd.oauth.model.*;
-import me.zhyd.oauth.model.AuthToken;
-import me.zhyd.oauth.model.AuthUser;
-import me.zhyd.oauth.model.AuthUserGender;
 import me.zhyd.oauth.utils.GlobalAuthUtil;
 import me.zhyd.oauth.utils.UrlBuilder;
@@ -28,8 +25,8 @@ public class AuthDingTalkRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        return AuthToken.builder().accessCode(code).build();
+        return AuthToken.builder().accessCode(authCallback.getCode()).build();
    }
    @Override

--- a/src/main/java/me/zhyd/oauth/request/AuthDouyinRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthDouyinRequest.java
@@ -6,10 +6,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
-import me.zhyd.oauth.model.AuthResponse;
+import me.zhyd.oauth.model.*;
-import me.zhyd.oauth.model.AuthToken;
-import me.zhyd.oauth.model.AuthUser;
-import me.zhyd.oauth.model.AuthUserGender;
 import me.zhyd.oauth.utils.UrlBuilder;
@@ -27,8 +24,8 @@ public class AuthDouyinRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        String accessTokenUrl = UrlBuilder.getDouyinAccessTokenUrl(config.getClientId(), config.getClientSecret(), code);
+        String accessTokenUrl = UrlBuilder.getDouyinAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode());
        return this.getToken(accessTokenUrl);
    }

--- a/src/main/java/me/zhyd/oauth/request/AuthFacebookRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthFacebookRequest.java
@@ -6,6 +6,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
+import me.zhyd.oauth.model.AuthCallback;
 import me.zhyd.oauth.model.AuthToken;
 import me.zhyd.oauth.model.AuthUser;
 import me.zhyd.oauth.model.AuthUserGender;
@@ -25,9 +26,9 @@ public class AuthFacebookRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        String accessTokenUrl = UrlBuilder.getFacebookAccessTokenUrl(config.getClientId(), config.getClientSecret(), code, config
+        String accessTokenUrl = UrlBuilder.getFacebookAccessTokenUrl(config.getClientId(), config.getClientSecret(),
-                .getRedirectUri());
+                authCallback.getCode(), config.getRedirectUri());
        HttpResponse response = HttpRequest.post(accessTokenUrl).execute();
        JSONObject object = JSONObject.parseObject(response.body());

--- a/src/main/java/me/zhyd/oauth/request/AuthGiteeRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthGiteeRequest.java
@@ -6,6 +6,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
+import me.zhyd.oauth.model.AuthCallback;
 import me.zhyd.oauth.model.AuthToken;
 import me.zhyd.oauth.model.AuthUser;
 import me.zhyd.oauth.model.AuthUserGender;
@@ -25,13 +26,13 @@ public class AuthGiteeRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        String accessTokenUrl = UrlBuilder.getGiteeAccessTokenUrl(config.getClientId(), config.getClientSecret(), code, config
+        String accessTokenUrl = UrlBuilder.getGiteeAccessTokenUrl(config.getClientId(), config.getClientSecret(),
-                .getRedirectUri());
+                authCallback.getCode(), config.getRedirectUri());
        HttpResponse response = HttpRequest.post(accessTokenUrl).execute();
        JSONObject accessTokenObject = JSONObject.parseObject(response.body());
        if (accessTokenObject.containsKey("error")) {
-            throw new AuthException("Unable to get token from gitee using code [" + code + "]");
+            throw new AuthException("Unable to get token from gitee using code [" + authCallback.getCode() + "]");
        }
        return AuthToken.builder().accessToken(accessTokenObject.getString("access_token")).build();
    }

--- a/src/main/java/me/zhyd/oauth/request/AuthGithubRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthGithubRequest.java
@@ -6,6 +6,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
+import me.zhyd.oauth.model.AuthCallback;
 import me.zhyd.oauth.model.AuthToken;
 import me.zhyd.oauth.model.AuthUser;
 import me.zhyd.oauth.model.AuthUserGender;
@@ -28,9 +29,8 @@ public class AuthGithubRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        String accessTokenUrl = UrlBuilder.getGithubAccessTokenUrl(config.getClientId(), config.getClientSecret(), code, config
+        String accessTokenUrl = UrlBuilder.getGithubAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode(), config.getRedirectUri(), config.getState());
-                .getRedirectUri());
        HttpResponse response = HttpRequest.post(accessTokenUrl).execute();
        Map<String, String> res = GlobalAuthUtil.parseStringToMap(response.body());
        if (res.containsKey("error")) {
@@ -68,6 +68,6 @@ public class AuthGithubRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getGithubAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getGithubAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }
 }
--- a/src/main/java/me/zhyd/oauth/request/AuthGoogleRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthGoogleRequest.java
@@ -6,6 +6,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
+import me.zhyd.oauth.model.AuthCallback;
 import me.zhyd.oauth.model.AuthToken;
 import me.zhyd.oauth.model.AuthUser;
 import me.zhyd.oauth.model.AuthUserGender;
@@ -25,8 +26,8 @@ public class AuthGoogleRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        String accessTokenUrl = UrlBuilder.getGoogleAccessTokenUrl(config.getClientId(), config.getClientSecret(), code, config
+        String accessTokenUrl = UrlBuilder.getGoogleAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode(), config
                .getRedirectUri());
        HttpResponse response = HttpRequest.post(accessTokenUrl).execute();
        JSONObject object = JSONObject.parseObject(response.body());

--- a/src/main/java/me/zhyd/oauth/request/AuthLinkedinRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthLinkedinRequest.java
@@ -7,10 +7,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
-import me.zhyd.oauth.model.AuthResponse;
+import me.zhyd.oauth.model.*;
-import me.zhyd.oauth.model.AuthToken;
-import me.zhyd.oauth.model.AuthUser;
-import me.zhyd.oauth.model.AuthUserGender;
 import me.zhyd.oauth.utils.StringUtils;
 import me.zhyd.oauth.utils.UrlBuilder;
@@ -29,8 +26,8 @@ public class AuthLinkedinRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        String accessTokenUrl = UrlBuilder.getLinkedinAccessTokenUrl(config.getClientId(), config.getClientSecret(), code, config
+        String accessTokenUrl = UrlBuilder.getLinkedinAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode(), config
                .getRedirectUri());
        return this.getToken(accessTokenUrl);
    }

--- a/src/main/java/me/zhyd/oauth/request/AuthMiRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthMiRequest.java
@@ -7,10 +7,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
-import me.zhyd.oauth.model.AuthResponse;
+import me.zhyd.oauth.model.*;
-import me.zhyd.oauth.model.AuthToken;
-import me.zhyd.oauth.model.AuthUser;
-import me.zhyd.oauth.model.AuthUserGender;
 import me.zhyd.oauth.utils.UrlBuilder;
 import java.text.MessageFormat;
@@ -30,8 +27,8 @@ public class AuthMiRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        String accessTokenUrl = UrlBuilder.getMiAccessTokenUrl(config.getClientId(), config.getClientSecret(), config.getRedirectUri(), code);
+        String accessTokenUrl = UrlBuilder.getMiAccessTokenUrl(config.getClientId(), config.getClientSecret(), config.getRedirectUri(), authCallback.getCode());
        return getToken(accessTokenUrl);
    }

--- a/src/main/java/me/zhyd/oauth/request/AuthMicrosoftRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthMicrosoftRequest.java
@@ -7,10 +7,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
-import me.zhyd.oauth.model.AuthResponse;
+import me.zhyd.oauth.model.*;
-import me.zhyd.oauth.model.AuthToken;
-import me.zhyd.oauth.model.AuthUser;
-import me.zhyd.oauth.model.AuthUserGender;
 import me.zhyd.oauth.utils.UrlBuilder;
 import java.util.HashMap;
@@ -29,9 +26,9 @@ public class AuthMicrosoftRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
        String accessTokenUrl = UrlBuilder.getMicrosoftAccessTokenUrl(config.getClientId(), config.getClientSecret(), config
-                .getRedirectUri(), code);
+                .getRedirectUri(), authCallback.getCode());
        return getToken(accessTokenUrl);
    }

--- a/src/main/java/me/zhyd/oauth/request/AuthOschinaRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthOschinaRequest.java
@@ -6,6 +6,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
+import me.zhyd.oauth.model.AuthCallback;
 import me.zhyd.oauth.model.AuthToken;
 import me.zhyd.oauth.model.AuthUser;
 import me.zhyd.oauth.model.AuthUserGender;
@@ -25,13 +26,13 @@ public class AuthOschinaRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        String accessTokenUrl = UrlBuilder.getOschinaAccessTokenUrl(config.getClientId(), config.getClientSecret(), code, config
+        String accessTokenUrl = UrlBuilder.getOschinaAccessTokenUrl(config.getClientId(), config.getClientSecret(),
-                .getRedirectUri());
+                authCallback.getCode(), config.getRedirectUri());
        HttpResponse response = HttpRequest.post(accessTokenUrl).execute();
        JSONObject accessTokenObject = JSONObject.parseObject(response.body());
        if (accessTokenObject.containsKey("error")) {
-            throw new AuthException("Unable to get token from oschina using code [" + code + "]");
+            throw new AuthException("Unable to get token from oschina using code [" + authCallback.getCode() + "]");
        }
        return AuthToken.builder().accessToken(accessTokenObject.getString("access_token")).build();
    }

--- a/src/main/java/me/zhyd/oauth/request/AuthQqRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthQqRequest.java
@@ -7,6 +7,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
+import me.zhyd.oauth.model.AuthCallback;
 import me.zhyd.oauth.model.AuthToken;
 import me.zhyd.oauth.model.AuthUser;
 import me.zhyd.oauth.model.AuthUserGender;
@@ -30,13 +31,13 @@ public class AuthQqRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        String accessTokenUrl = UrlBuilder.getQqAccessTokenUrl(config.getClientId(), config.getClientSecret(), code, config
+        String accessTokenUrl = UrlBuilder.getQqAccessTokenUrl(config.getClientId(), config.getClientSecret(),
-                .getRedirectUri());
+                authCallback.getCode(), config.getRedirectUri());
        HttpResponse response = HttpRequest.get(accessTokenUrl).execute();
        Map<String, String> accessTokenObject = GlobalAuthUtil.parseStringToMap(response.body());
        if (!accessTokenObject.containsKey("access_token")) {
-            throw new AuthException("Unable to get token from qq using code [" + code + "]");
+            throw new AuthException("Unable to get token from qq using code [" + authCallback.getCode() + "]");
        }
        return AuthToken.builder()
                .accessToken(accessTokenObject.get("access_token"))

--- a/src/main/java/me/zhyd/oauth/request/AuthRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthRequest.java
 package me.zhyd.oauth.request;
 import me.zhyd.oauth.exception.AuthException;
+import me.zhyd.oauth.model.AuthCallback;
 import me.zhyd.oauth.model.AuthResponse;
 import me.zhyd.oauth.model.AuthToken;
@@ -23,10 +24,10 @@ public interface AuthRequest {
    /**
     * 第三方登录
     *
-     * @param code 通过authorize换回的code
+     * @param authCallback 用于接收回调参数的实体
     * @return 返回登录成功后的用户信息
     */
-    default AuthResponse login(String code) {
+    default AuthResponse login(AuthCallback authCallback) {
        throw new AuthException(ResponseStatus.NOT_IMPLEMENTED);
    }

--- a/src/main/java/me/zhyd/oauth/request/AuthTaobaoRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthTaobaoRequest.java
@@ -6,6 +6,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
+import me.zhyd.oauth.model.AuthCallback;
 import me.zhyd.oauth.model.AuthToken;
 import me.zhyd.oauth.model.AuthUser;
 import me.zhyd.oauth.model.AuthUserGender;
@@ -26,8 +27,8 @@ public class AuthTaobaoRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        return AuthToken.builder().accessCode(code).build();
+        return AuthToken.builder().accessCode(authCallback.getCode()).build();
    }
    @Override

--- a/src/main/java/me/zhyd/oauth/request/AuthTencentCloudRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthTencentCloudRequest.java
@@ -6,6 +6,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
+import me.zhyd.oauth.model.AuthCallback;
 import me.zhyd.oauth.model.AuthToken;
 import me.zhyd.oauth.model.AuthUser;
 import me.zhyd.oauth.model.AuthUserGender;
@@ -25,12 +26,12 @@ public class AuthTencentCloudRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        String accessTokenUrl = UrlBuilder.getTencentCloudAccessTokenUrl(config.getClientId(), config.getClientSecret(), code);
+        String accessTokenUrl = UrlBuilder.getTencentCloudAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode());
        HttpResponse response = HttpRequest.get(accessTokenUrl).execute();
        JSONObject object = JSONObject.parseObject(response.body());
        if (object.getIntValue("code") != 0) {
-            throw new AuthException("Unable to get token from tencent cloud using code [" + code + "]: " + object.get("msg"));
+            throw new AuthException("Unable to get token from tencent cloud using code [" + authCallback.getCode() + "]: " + object.get("msg"));
        }
        return AuthToken.builder().accessToken(object.getString("access_token")).build();
    }

--- a/src/main/java/me/zhyd/oauth/request/AuthToutiaoRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthToutiaoRequest.java
@@ -6,10 +6,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
-import me.zhyd.oauth.model.AuthToken;
+import me.zhyd.oauth.model.*;
-import me.zhyd.oauth.model.AuthToutiaoErrorCode;
-import me.zhyd.oauth.model.AuthUser;
-import me.zhyd.oauth.model.AuthUserGender;
 import me.zhyd.oauth.utils.UrlBuilder;
 /**
@@ -26,8 +23,8 @@ public class AuthToutiaoRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        String accessTokenUrl = UrlBuilder.getToutiaoAccessTokenUrl(config.getClientId(), config.getClientSecret(), code);
+        String accessTokenUrl = UrlBuilder.getToutiaoAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode());
        HttpResponse response = HttpRequest.get(accessTokenUrl).execute();
        JSONObject object = JSONObject.parseObject(response.body());

--- a/src/main/java/me/zhyd/oauth/request/AuthWeChatRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthWeChatRequest.java
@@ -6,10 +6,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
-import me.zhyd.oauth.model.AuthResponse;
+import me.zhyd.oauth.model.*;
-import me.zhyd.oauth.model.AuthToken;
-import me.zhyd.oauth.model.AuthUser;
-import me.zhyd.oauth.model.AuthUserGender;
 import me.zhyd.oauth.utils.UrlBuilder;
 /**
@@ -31,8 +28,8 @@ public class AuthWeChatRequest extends BaseAuthRequest {
     * @return 所有信息
     */
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        String accessTokenUrl = UrlBuilder.getWeChatAccessTokenUrl(config.getClientId(), config.getClientSecret(), code);
+        String accessTokenUrl = UrlBuilder.getWeChatAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode());
        return this.getToken(accessTokenUrl);
    }

--- a/src/main/java/me/zhyd/oauth/request/AuthWeiboRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthWeiboRequest.java
@@ -6,6 +6,7 @@ import com.alibaba.fastjson.JSONObject;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
+import me.zhyd.oauth.model.AuthCallback;
 import me.zhyd.oauth.model.AuthToken;
 import me.zhyd.oauth.model.AuthUser;
 import me.zhyd.oauth.model.AuthUserGender;
@@ -28,14 +29,14 @@ public class AuthWeiboRequest extends BaseAuthRequest {
    }
    @Override
-    protected AuthToken getAccessToken(String code) {
+    protected AuthToken getAccessToken(AuthCallback authCallback) {
-        String accessTokenUrl = UrlBuilder.getWeiboAccessTokenUrl(config.getClientId(), config.getClientSecret(), code, config
+        String accessTokenUrl = UrlBuilder.getWeiboAccessTokenUrl(config.getClientId(), config.getClientSecret(), authCallback.getCode(), config
                .getRedirectUri());
        HttpResponse response = HttpRequest.post(accessTokenUrl).execute();
        String accessTokenStr = response.body();
        JSONObject accessTokenObject = JSONObject.parseObject(accessTokenStr);
        if (accessTokenObject.containsKey("error")) {
-            throw new AuthException("Unable to get token from weibo using code [" + code + "]:" + accessTokenObject.getString("error_description"));
+            throw new AuthException("Unable to get token from weibo using code [" + authCallback.getCode() + "]:" + accessTokenObject.getString("error_description"));
        }
        return AuthToken.builder()
                .accessToken(accessTokenObject.getString("access_token"))
@@ -81,6 +82,6 @@ public class AuthWeiboRequest extends BaseAuthRequest {
     */
    @Override
    public String authorize() {
-        return UrlBuilder.getWeiboAuthorizeUrl(config.getClientId(), config.getRedirectUri());
+        return UrlBuilder.getWeiboAuthorizeUrl(config.getClientId(), config.getRedirectUri(), config.getState());
    }
 }
--- a/src/main/java/me/zhyd/oauth/request/BaseAuthRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/BaseAuthRequest.java
@@ -4,10 +4,11 @@ import lombok.Data;
 import me.zhyd.oauth.config.AuthConfig;
 import me.zhyd.oauth.config.AuthSource;
 import me.zhyd.oauth.exception.AuthException;
+import me.zhyd.oauth.model.AuthCallback;
 import me.zhyd.oauth.model.AuthResponse;
 import me.zhyd.oauth.model.AuthToken;
 import me.zhyd.oauth.model.AuthUser;
-import me.zhyd.oauth.utils.AuthConfigChecker;
+import me.zhyd.oauth.utils.AuthChecker;
 /**
 * @author yadong.zhang (yadong.zhang0415(a)gmail.com)
@@ -22,21 +23,24 @@ public abstract class BaseAuthRequest implements AuthRequest {
    public BaseAuthRequest(AuthConfig config, AuthSource source) {
        this.config = config;
        this.source = source;
-        if (!AuthConfigChecker.isSupportedAuth(config, source)) {
+        if (!AuthChecker.isSupportedAuth(config, source)) {
            throw new AuthException(ResponseStatus.PARAMETER_INCOMPLETE);
        }
        // 校验配置合法性
-        AuthConfigChecker.check(config, source);
+        AuthChecker.checkConfig(config, source);
    }
-    protected abstract AuthToken getAccessToken(String code);
+    protected abstract AuthToken getAccessToken(AuthCallback authCallback);
    protected abstract AuthUser getUserInfo(AuthToken authToken);
    @Override
-    public AuthResponse login(String code) {
+    public AuthResponse login(AuthCallback authCallback) {
        try {
-            AuthToken authToken = this.getAccessToken(code);
+            AuthChecker.checkCode(authCallback.getCode());
+            AuthChecker.checkState(authCallback.getState(), config.getState());
+            AuthToken authToken = this.getAccessToken(authCallback);
            AuthUser user = this.getUserInfo(authToken);
            return AuthResponse.builder().code(ResponseStatus.SUCCESS.getCode()).data(user).build();
        } catch (Exception e) {

--- a/src/main/java/me/zhyd/oauth/request/ResponseStatus.java
+++ b/src/main/java/me/zhyd/oauth/request/ResponseStatus.java
@@ -14,6 +14,8 @@ public enum ResponseStatus {
    NO_AUTH_SOURCE(5004, "AuthSource cannot be null"),
    UNIDENTIFIED_PLATFORM(5005, "Unidentified platform"),
    ILLEGAL_REDIRECT_URI(5006, "Illegal redirect uri"),
+    ILLEGAL_REQUEST(5007, "Illegal request"),
+    ILLEGAL_CODE(5008, "Illegal code"),
    ;
    private int code;

--- a/src/main/java/me/zhyd/oauth/utils/AuthConfigChecker.java
+++ b/src/main/java/me/zhyd/oauth/utils/AuthConfigChecker.java
@@ -12,7 +12,7 @@ import me.zhyd.oauth.request.ResponseStatus;
 * @version 1.0
 * @since 1.8
 */
-public class AuthConfigChecker {
+public class AuthChecker {
    /**
     * 是否支持第三方登录
@@ -35,7 +35,7 @@ public class AuthConfigChecker {
     * @param config config
     * @param source source
     */
-    public static void check(AuthConfig config, AuthSource source) {
+    public static void checkConfig(AuthConfig config, AuthSource source) {
        String redirectUri = config.getRedirectUri();
        if (!GlobalAuthUtil.isHttpProtocol(redirectUri) && !GlobalAuthUtil.isHttpsProtocol(redirectUri)) {
            throw new AuthException(ResponseStatus.ILLEGAL_REDIRECT_URI);
@@ -49,4 +49,36 @@ public class AuthConfigChecker {
            throw new AuthException(ResponseStatus.ILLEGAL_REDIRECT_URI);
        }
    }
+    /**
+     * 校验回调传回的code
+     *
+     * @param code 回调时传回的code
+     */
+    public static void checkCode(String code) {
+        if (StringUtils.isEmpty(code)) {
+            throw new AuthException(ResponseStatus.ILLEGAL_CODE);
+        }
+    }
+    /**
+     * 校验state的合法性防止被CSRF
+     *
+     * @param newState      新的state，一般为回调时传回的state（可能被篡改）
+     * @param originalState 原始的state，发起授权时向第三方平台传递的state
+     */
+    public static void checkState(String newState, String originalState) {
+        // 如果原始state为空，表示当前平台未使用state
+        if (StringUtils.isEmpty(originalState)) {
+            return;
+        }
+        // 如果授权之前使用了state，但是回调时未返回state，则表示当前请求为非法的请求，可能正在被CSRF攻击
+        if (StringUtils.isEmpty(newState)) {
+            throw new AuthException(ResponseStatus.ILLEGAL_REQUEST);
+        }
+        // 如果授权前后的state不一致，则表示当前请求为非法的请求，新的state可能为伪造
+        if (!newState.equals(originalState)) {
+            throw new AuthException(ResponseStatus.ILLEGAL_REQUEST);
+        }
+    }
 }
--- a/src/main/java/me/zhyd/oauth/utils/UrlBuilder.java
+++ b/src/main/java/me/zhyd/oauth/utils/UrlBuilder.java
@@ -13,9 +13,9 @@ import java.text.MessageFormat;
 */
 public class UrlBuilder {
-    private static final String GITHUB_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&code={3}&redirect_uri={4}";
+    private static final String GITHUB_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&code={3}&redirect_uri={4}&state={5}";
    private static final String GITHUB_USER_INFO_PATTERN = "{0}?access_token={1}";
-    private static final String GITHUB_AUTHORIZE_PATTERN = "{0}?client_id={1}&state=1&redirect_uri={2}";
+    private static final String GITHUB_AUTHORIZE_PATTERN = "{0}?client_id={1}&redirect_uri={2}&state={3}";
    private static final String GOOGLE_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&scope=openid%20email%20profile&redirect_uri={2}&state={3}";
    private static final String GOOGLE_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&code={3}&redirect_uri={4}&grant_type=authorization_code";
@@ -23,7 +23,7 @@ public class UrlBuilder {
    private static final String WEIBO_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&grant_type=authorization_code&code={3}&redirect_uri={4}";
    private static final String WEIBO_USER_INFO_PATTERN = "{0}?{1}";
-    private static final String WEIBO_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}";
+    private static final String WEIBO_AUTHORIZE_PATTERN = "{0}?client_id={1}&response_type=code&redirect_uri={2}&state={3}";
    private static final String GITEE_ACCESS_TOKEN_PATTERN = "{0}?client_id={1}&client_secret={2}&grant_type=authorization_code&code={3}&redirect_uri={4}";
    private static final String GITEE_USER_INFO_PATTERN = "{0}?access_token={1}";
@@ -103,10 +103,11 @@ public class UrlBuilder {
     * @param clientSecret github 应用的Client Secret
     * @param code         github 授权前的code，用来换token
     * @param redirectUri  待跳转的页面
+     * @param state        随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getGithubAccessTokenUrl(String clientId, String clientSecret, String code, String redirectUri) {
+    public static String getGithubAccessTokenUrl(String clientId, String clientSecret, String code, String redirectUri, String state) {
-        return MessageFormat.format(GITHUB_ACCESS_TOKEN_PATTERN, AuthSource.GITHUB.accessToken(), clientId, clientSecret, code, redirectUri);
+        return MessageFormat.format(GITHUB_ACCESS_TOKEN_PATTERN, AuthSource.GITHUB.accessToken(), clientId, clientSecret, code, redirectUri, StringUtils.isEmpty(state) ? System.currentTimeMillis() : state);
    }
    /**
@@ -124,10 +125,11 @@ public class UrlBuilder {
     *
     * @param clientId    github 应用的Client ID
     * @param redirectUrl github 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getGithubAuthorizeUrl(String clientId, String redirectUrl) {
+    public static String getGithubAuthorizeUrl(String clientId, String redirectUrl, String state) {
-        return MessageFormat.format(GITHUB_AUTHORIZE_PATTERN, AuthSource.GITHUB.authorize(), clientId, redirectUrl);
+        return MessageFormat.format(GITHUB_AUTHORIZE_PATTERN, AuthSource.GITHUB.authorize(), clientId, redirectUrl, StringUtils.isEmpty(state) ? System.currentTimeMillis() : state);
    }
    /**
@@ -158,10 +160,11 @@ public class UrlBuilder {
     *
     * @param clientId    weibo 应用的Client ID
     * @param redirectUrl weibo 应用授权成功后的回调地址
+     * @param state       随机字符串，用于保持会话状态，防止CSRF攻击
     * @return full url
     */
-    public static String getWeiboAuthorizeUrl(String clientId, String redirectUrl) {
+    public static String getWeiboAuthorizeUrl(String clientId, String redirectUrl, String state) {
-        return MessageFormat.format(WEIBO_AUTHORIZE_PATTERN, AuthSource.WEIBO.authorize(), clientId, redirectUrl);
+        return MessageFormat.format(WEIBO_AUTHORIZE_PATTERN, AuthSource.WEIBO.authorize(), clientId, redirectUrl, StringUtils.isEmpty(state) ? System.currentTimeMillis() : state);
    }
    /**