修复第三方登录接口通过token获取用户信息漏洞

2025-09-07 12:47:46 +00:00 · 2025-02-11 11:37:55 +08:00
parent ad74b78134
commit 29248561d6
1 changed files with 9 additions and 1 deletions
--- a/jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java
+++ b/jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java
@@ -15,6 +15,7 @@ import me.zhyd.oauth.utils.StringUtils;
 import org.jeecg.common.api.vo.Result;
 import org.jeecg.common.constant.CommonConstant;
 import org.jeecg.common.constant.enums.MessageTypeEnum;
+import org.jeecg.common.system.api.ISysBaseAPI;
 import org.jeecg.common.system.util.JwtUtil;
 import org.jeecg.common.util.*;
 import org.jeecg.modules.base.service.BaseCommonService;
@@ -74,6 +75,9 @@ public class ThirdLoginController {
 	@Autowired
 	private ISysThirdAppConfigService appConfigService;

+	@Autowired
+	public ISysBaseAPI sysBaseAPI;
+
 	@RequestMapping("/render/{source}")
    public void render(@PathVariable("source") String source, HttpServletResponse response) throws IOException {
        log.info("第三方登录进入render：" + source);
@@ -228,7 +232,11 @@ public class ThirdLoginController {
 	public Result<JSONObject> getThirdLoginUser(@PathVariable("token") String token,@PathVariable("thirdType") String thirdType,@PathVariable("tenantId") String tenantId) throws Exception {
 		Result<JSONObject> result = new Result<JSONObject>();
 		String username = JwtUtil.getUsername(token);
-
+		//update-begin---author:chenrui ---date:20250210  for：[QQYUN-11021]三方登录接口通过token获取用户信息漏洞修复------------
+		if (!TokenUtils.verifyToken(token, sysBaseAPI, redisUtil)) {
+			return Result.noauth("token验证失败");
+		}
+		//update-end---author:chenrui ---date:20250210  for：[QQYUN-11021]三方登录接口通过token获取用户信息漏洞修复------------
 		//1. 校验用户是否有效
 		SysUser sysUser = sysUserService.getUserByName(username);
 		result = sysUserService.checkUserIsEffective(sysUser);