diff --git a/hz-pm-api/src/main/java/com/hz/pm/api/user/controller/UserAuthController.java b/hz-pm-api/src/main/java/com/hz/pm/api/user/controller/UserAuthController.java
index f9dfdd2..bd2e73e 100644
--- a/hz-pm-api/src/main/java/com/hz/pm/api/user/controller/UserAuthController.java
+++ b/hz-pm-api/src/main/java/com/hz/pm/api/user/controller/UserAuthController.java
@@ -102,14 +102,11 @@ public class UserAuthController {
                                  @RequestParam(value = "sign") String sign,
                                  HttpServletRequest request,
                                  HttpServletResponse response) throws IOException {
-        if (System.currentTimeMillis() - timestamp > 5000) {
-            throw BizException.wrap("签名已过期");
-        }
         if (LoginUserUtil.getUserId().equals(userId)) {
             throw BizException.wrap("代登录用户无效");
         }
         String targetUserId = String.valueOf(userId);
-        if (!agentLoginManage.agentLoginProxySignCheck(targetUserId, sign)) {
+        if (!agentLoginManage.agentLoginProxySignCheck(targetUserId, timestamp, sign)) {
             throw BizException.wrap("签名错误");
         }
         String authCode = authCodeManage.generateAuthCode(targetUserId);
@@ -120,8 +117,9 @@ public class UserAuthController {
 
     @PostMapping(value = "/getAuthCode", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
     public AuthCodeVO getAuthCode(@RequestParam(value = "userId") String userId,
+                                  @RequestParam(value = "timestamp") Long timestamp,
                                   @RequestParam(value = "sign") String sign) {
-        String authCode = authCodeManage.generateAuthCode(userId, sign);
+        String authCode = authCodeManage.generateAuthCode(userId, timestamp, sign);
         return new AuthCodeVO(authCode);
     }
 
diff --git a/hz-pm-api/src/main/java/com/hz/pm/api/user/manage/AgentLoginManage.java b/hz-pm-api/src/main/java/com/hz/pm/api/user/manage/AgentLoginManage.java
index b2ce4d6..aafc454 100644
--- a/hz-pm-api/src/main/java/com/hz/pm/api/user/manage/AgentLoginManage.java
+++ b/hz-pm-api/src/main/java/com/hz/pm/api/user/manage/AgentLoginManage.java
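Review bot: With the expiry branch deleted here, a stale `timestamp` now fails inside `agentLoginProxySignCheck` and surfaces as `签名错误`, so a client can no longer tell an expired request from a wrong signature; if that distinction is wanted for callers, keep a dedicated branch in the controller, otherwise at least reword the remaining message, e.g. `throw BizException.wrap("签名错误或已过期");`. The controller itself no longer bounds `timestamp` in any way and relies entirely on the manage class (a different file) to compare it with the clock, so a one-line Javadoc on this endpoint stating that `timestamp` is epoch milliseconds and must fall within the accepted window would help API consumers. The method's parameter list begins and its body continues outside the hunk.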
@@ -23,9 +23,12 @@ public class AgentLoginManage {
     @Value("${agent-login.proxy.secret-key}")
     private String agentLoginProxySecretKey;
 
-    public boolean agentLoginProxySignCheck(String userId, String sign) {
+    public boolean agentLoginProxySignCheck(String userId, Long timestamp, String sign) {
+        if (System.currentTimeMillis() - timestamp > 5000) {
+            return false;
+        }
         HMac hmacMd5 = SecureUtil.hmacMd5(agentLoginProxySecretKey);
-        String digestHex = hmacMd5.digestHex(userId + "#" + LoginUserUtil.getUserId());
+        String digestHex = hmacMd5.digestHex(userId + "#" + timestamp);
         return digestHex.equals(sign);
     }
 
diff --git a/hz-pm-api/src/main/java/com/hz/pm/api/user/manage/AuthCodeManage.java b/hz-pm-api/src/main/java/com/hz/pm/api/user/manage/AuthCodeManage.java
index 409b0df..f3028a7 100644
--- a/hz-pm-api/src/main/java/com/hz/pm/api/user/manage/AuthCodeManage.java
+++ b/hz-pm-api/src/main/java/com/hz/pm/api/user/manage/AuthCodeManage.java
@@ -29,10 +29,10 @@ public class AuthCodeManage {
     private final CachePlusOps cachePlusOps;
     private final AuthCodeProperties authCodeProperties;
 
-    private String generateAuthCode(String userId, boolean checkSign, String sign) {
+    private String generateAuthCode(String userId, boolean checkSign, Long timestamp, String sign) {
         if (checkSign) {
             HMac hmacMd5 = SecureUtil.hmacMd5(authCodeProperties.getSecretKey());
-            String digestHex = hmacMd5.digestHex(userId);
+            String digestHex = hmacMd5.digestHex(userId + "#" + timestamp);
             if (!digestHex.equals(sign)) {
                 throw BizException.wrap("获取授权码失败:签名错误");
             }
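Review bot: The new window check in `agentLoginProxySignCheck` only rejects timestamps in the past: `System.currentTimeMillis() - timestamp > 5000` is never true for a future `timestamp`, so a signature minted with a far-ahead timestamp stays valid until that moment, and a null `timestamp` unboxes to a NullPointerException instead of a clean `false`; `if (timestamp == null || Math.abs(System.currentTimeMillis() - timestamp) > 5000) { return false; }` closes both. The digest input also dropped `LoginUserUtil.getUserId()`, so the signature no longer binds the calling user — within the window the same `userId#timestamp` payload and sign are accepted from any authenticated caller, which is a wider replay surface than before and deserves either a comment stating it is intended or the caller being kept in the payload. `digestHex.equals(sign)` exits early on the first differing byte; `MessageDigest.isEqual(digestHex.getBytes(StandardCharsets.UTF_8), sign.getBytes(StandardCharsets.UTF_8))` is the constant-time form, and the identical comparison is in the AuthCodeManage hunk that follows. HMAC-MD5 is also a dated choice; hutool's `SecureUtil.hmacSha256` would be the like-for-like replacement, though it changes what clients must compute.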
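Review bot: In `AuthCodeManage.generateAuthCode` the `timestamp` is folded into the signed payload on the changed `digestHex` line but never compared with the clock, so unlike `agentLoginProxySignCheck` no freshness window applies and a captured `(userId, timestamp, sign)` triple can be replayed indefinitely; add `if (timestamp == null || Math.abs(System.currentTimeMillis() - timestamp) > 5000) { throw BizException.wrap("获取授权码失败:签名已过期"); }` inside the `checkSign` branch before the digest, ideally sharing the 5000 ms constant with AgentLoginManage rather than repeating the literal. The guard has to sit inside `if (checkSign)`, because the single-argument public overload passes `null` for `timestamp`. The rest of the method continues outside the hunk.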
@@ -44,12 +44,12 @@ public class AuthCodeManage {
         return authCode;
     }
 
-    public String generateAuthCode(String userId, String sign) {
-        return generateAuthCode(userId, true, sign);
+    public String generateAuthCode(String userId, Long timestamp, String sign) {
+        return generateAuthCode(userId, true, timestamp, sign);
     }
 
     public String generateAuthCode(String userId) {
-        return generateAuthCode(userId, false, null);
+        return generateAuthCode(userId, false, null, null);
     }
 
     public boolean authCodeCheck(String userId, String authCode) {
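Review bot: The public `generateAuthCode(String userId, Long timestamp, String sign)` overload gains a parameter with no Javadoc, and nothing at this call site says what `timestamp` is or that it is part of the signed input; a short Javadoc with `@param timestamp client-supplied epoch milliseconds, signed together with userId as userId#timestamp` and `@param sign hex HMAC over that payload` would spare callers reading the private overload. The single-argument overload's `null, null` is only safe while the private method touches `timestamp` exclusively under `checkSign`, which is worth a one-line comment such as `// unchecked path: no signature, so no timestamp` on that `return`.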