🚑 增加alipay授权参数的验证，修改部分命名

65daa059 · 智布道 · 25424023 · 65daa059 · 65daa059 · 65daa059
3 changed file
--- a/src/main/java/me/zhyd/oauth/request/AuthDingTalkRequest.java
+++ b/src/main/java/me/zhyd/oauth/request/AuthDingTalkRequest.java
@@ -34,11 +34,11 @@ public class AuthDingTalkRequest extends BaseAuthRequest {
    protected AuthUser getUserInfo(AuthToken authToken) {
        String code = authToken.getAccessCode();
        // 根据timestamp, appSecret计算签名值
-        String stringToSign = System.currentTimeMillis() + "";
-        String urlEncodeSignature = GlobalAuthUtil.generateDingTalkSignature(config.getClientSecret(), stringToSign);
+        String timestamp = System.currentTimeMillis() + "";
+        String urlEncodeSignature = GlobalAuthUtil.generateDingTalkSignature(config.getClientSecret(), timestamp);
        JSONObject param = new JSONObject();
        param.put("tmp_auth_code", code);
-        HttpResponse response = HttpRequest.post(UrlBuilder.getDingTalkUserInfoUrl(urlEncodeSignature, stringToSign, config.getClientId()))
+        HttpResponse response = HttpRequest.post(UrlBuilder.getDingTalkUserInfoUrl(urlEncodeSignature, timestamp, config.getClientId()))
                .body(param.toJSONString())
                .execute();
        String userInfo = response.body();

--- a/src/main/java/me/zhyd/oauth/utils/AuthConfigChecker.java
+++ b/src/main/java/me/zhyd/oauth/utils/AuthConfigChecker.java
@@ -40,8 +40,13 @@ public class AuthConfigChecker {
        if (!GlobalAuthUtil.isHttpProtocol(redirectUri) && !GlobalAuthUtil.isHttpsProtocol(redirectUri)) {
            throw new AuthException(ResponseStatus.ILLEGAL_REDIRECT_URI);
        }
+        // facebook的回调地址必须为https的链接
        if (AuthSource.FACEBOOK == source && !GlobalAuthUtil.isHttpsProtocol(redirectUri)) {
            throw new AuthException(ResponseStatus.ILLEGAL_REDIRECT_URI);
        }
+        // 支付宝在创建回调地址时，不允许使用localhost或者127.0.0.1
+        if (AuthSource.ALIPAY == source && GlobalAuthUtil.isLocalHost(redirectUri)) {
+            throw new AuthException(ResponseStatus.ILLEGAL_REDIRECT_URI);
+        }
    }
 }
--- a/src/main/java/me/zhyd/oauth/utils/GlobalAuthUtil.java
+++ b/src/main/java/me/zhyd/oauth/utils/GlobalAuthUtil.java
@@ -25,9 +25,9 @@ public class GlobalAuthUtil {
    private static final String DEFAULT_ENCODING = "UTF-8";
    private static final String ALGORITHM = "HmacSHA256";

-    public static String generateDingTalkSignature(String canonicalString, String secret) {
+    public static String generateDingTalkSignature(String secretKey, String timestamp) {
        try {
-            byte[] signData = sign(canonicalString.getBytes(DEFAULT_ENCODING), secret.getBytes(DEFAULT_ENCODING));
+            byte[] signData = sign(secretKey.getBytes(DEFAULT_ENCODING), timestamp.getBytes(DEFAULT_ENCODING));
            return urlEncode(new String(Base64.encode(signData, false)));
        } catch (UnsupportedEncodingException ex) {
            throw new AuthException("Unsupported algorithm: " + DEFAULT_ENCODING, ex);
@@ -98,4 +98,9 @@ public class GlobalAuthUtil {
        }
        return url.startsWith("https://");
    }
+
+    public static boolean isLocalHost(String url) {
+        return StringUtils.isEmpty(url) || url.contains("127.0.0.1") || url.contains("localhost");
+    }
+
 }