From fbeb4c68abac4c69e9556de560d62fff942c867a Mon Sep 17 00:00:00 2001
From: "yadong.zhang"
Date: Sun, 28 Jun 2020 22:09:12 +0800
Subject: [PATCH] =?UTF-8?q?:alien:=20AuthConfig=20=E5=A2=9E=E5=8A=A0?= =?UTF-8?q?=E5=BF=BD=E7=95=A5=E6=A0=A1=E9=AA=8C=20state=20=E7=9A=84?= =?UTF-8?q?=E5=8F=82=E6=95=B0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../java/me/zhyd/oauth/config/AuthConfig.java | 19 +++++++++++++++++++
 .../oauth/request/AuthDefaultRequest.java | 4 +++-
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/main/java/me/zhyd/oauth/config/AuthConfig.java b/src/main/java/me/zhyd/oauth/config/AuthConfig.java
index e17bcd8..153585e 100644
--- a/src/main/java/me/zhyd/oauth/config/AuthConfig.java
+++ b/src/main/java/me/zhyd/oauth/config/AuthConfig.java
@@ -2,6 +2,7 @@ package me.zhyd.oauth.config;
 import com.xkcoding.http.config.HttpConfig;
 import lombok.*;
+import me.zhyd.oauth.model.AuthCallback;
 /**
  * JustAuth配置类
@@ -79,4 +80,22 @@ public class AuthConfig {
  * @since 1.15.5
  */
 private HttpConfig httpConfig;
+
+ /**
+ * 忽略校验 {@code state} 参数,默认不开启。当 {@code ignoreCheckState} 为 {@code true} 时,
+ * {@link me.zhyd.oauth.request.AuthDefaultRequest#login(AuthCallback)} 将不会校验 {@code state} 的合法性。
+ *
+ * 使用场景:当且仅当使用自实现 {@code state} 校验逻辑时开启
+ *
+ * 以下场景使用方案仅作参考:
+ * 1. 授权、登录为同端,并且全部使用 JustAuth 实现时,该值建议设为 {@code false};
+ * 2. 授权和登录为不同端实现时,比如前端页面拼装 {@code authorizeUrl},并且前端自行对{@code state}进行校验,
+ * 后端只负责使用{@code code}获取用户信息时,该值建议设为 {@code true};
+ *
+ * 如非特殊需要,不建议开启这个配置
+ *
+ * 该方案主要为了解决以下类似场景的问题:
+ * @see https://github.com/justauth/JustAuth/issues/83
+ */
+ private boolean ignoreCheckState;
 }
diff --git a/src/main/java/me/zhyd/oauth/request/AuthDefaultRequest.java b/src/main/java/me/zhyd/oauth/request/AuthDefaultRequest.java
index fe17868..2418400 100644
--- a/src/main/java/me/zhyd/oauth/request/AuthDefaultRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthDefaultRequest.java
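Review bot: The new Javadoc on `ignoreCheckState` ends with `@see https://github.com/justauth/JustAuth/issues/83`, which is not a valid `@see` target — javadoc expects a program element, a quoted string or an HTML link, so doclint reports this; write it as `* @see <a href="https://github.com/justauth/JustAuth/issues/83">JustAuth issue #83</a>`. The comment should also state plainly what the flag switches off: `state` is the callback's CSRF binding (RFC 6749 §10.12), so with the flag set the caller's own check is the only thing tying the callback to a login it started. Consider adding one explicit line above the scenario list, e.g. `* Security: with this flag set JustAuth performs no CSRF check on the callback; the caller MUST verify {@code state} itself.` The field is a primitive boolean and so defaults to `false`, which keeps existing callers on the checked path.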
@@ -74,7 +74,9 @@ public abstract class AuthDefaultRequest implements AuthRequest {
 public AuthResponse login(AuthCallback authCallback) {
 try {
 AuthChecker.checkCode(source, authCallback);
- AuthChecker.checkState(authCallback.getState(), source, authStateCache);
+ if (!config.isIgnoreCheckState()) {
+ AuthChecker.checkState(authCallback.getState(), source, authStateCache);
+ }
 AuthToken authToken = this.getAccessToken(authCallback);
 AuthUser user = this.getUserInfo(authToken);
-- GitLab
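Review bot: When `config.isIgnoreCheckState()` is true the new branch skips `AuthChecker.checkState(...)` entirely, so the state entry kept in `authStateCache` for this login is never consumed; if `checkState` is what evicts a used state (not visible in this hunk), those entries now linger until their TTL and a replayed callback is no longer caught on the JustAuth side. A comment on the new `if` would make the trade-off visible to the next reader, e.g. `// state is the OAuth CSRF token; skipped only when AuthConfig.ignoreCheckState says the caller verifies it itself`. Consider also emitting a debug/warn log when the check is bypassed, so that a deployment that enabled the flag by mistake is visible in its logs rather than silently unprotected. The `login` method continues past the end of the hunk.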