From 5e4694b3fc3fe45cc062f18919ab9f920f0dc598 Mon Sep 17 00:00:00 2001
From: WendyYang
Date: Thu, 4 Jan 2024 15:29:54 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E4=BB=A3=E7=99=BB=E5=BD=95?=
 =?UTF-8?q?=E6=8E=A5=E5=8F=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../java/com/hz/pm/api/user/controller/UserAuthController.java | 8 +++-----
 .../main/java/com/hz/pm/api/user/manage/AgentLoginManage.java | 7 +++++--
 .../main/java/com/hz/pm/api/user/manage/AuthCodeManage.java | 10 +++++-----
 3 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/hz-pm-api/src/main/java/com/hz/pm/api/user/controller/UserAuthController.java b/hz-pm-api/src/main/java/com/hz/pm/api/user/controller/UserAuthController.java
index f9dfdd2..bd2e73e 100644
--- a/hz-pm-api/src/main/java/com/hz/pm/api/user/controller/UserAuthController.java
+++ b/hz-pm-api/src/main/java/com/hz/pm/api/user/controller/UserAuthController.java
@@ -102,14 +102,11 @@ public class UserAuthController {
 @RequestParam(value = "sign") String sign,
 HttpServletRequest request,
 HttpServletResponse response) throws IOException {
- if (System.currentTimeMillis() - timestamp > 5000) {
- throw BizException.wrap("签名已过期");
- }
 if (LoginUserUtil.getUserId().equals(userId)) {
 throw BizException.wrap("代登录用户无效");
 }
 String targetUserId = String.valueOf(userId);
- if (!agentLoginManage.agentLoginProxySignCheck(targetUserId, sign)) {
+ if (!agentLoginManage.agentLoginProxySignCheck(targetUserId, timestamp, sign)) {
 throw BizException.wrap("签名错误");
 }
 String authCode = authCodeManage.generateAuthCode(targetUserId);
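Review bot: With the expiry test moved into agentLoginProxySignCheck, a stale request is now rejected with `签名错误` instead of the removed `签名已过期`, so neither the caller nor the server log can distinguish clock skew (a 5 s window is tight for two machines) from a bad key or a tampered userId. A single generic message is defensible against probing, but if the distinction is wanted operationally, keep the freshness check here before the signature check, or have the manager signal the reason, e.g. `if (Math.abs(System.currentTimeMillis() - timestamp) > 5000) { throw BizException.wrap("签名已过期"); }`. Note that on either path the same (userId, timestamp, sign) triple can be resubmitted within the window to mint several auth codes; nothing visible records a sign as used. The handler begins and ends outside this hunk.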
@@ -120,8 +117,9 @@ public class UserAuthController {
 @PostMapping(value = "/getAuthCode", consumes = MediaType.APPLICATION_FORM_URLENCODED_VALUE)
 public AuthCodeVO getAuthCode(@RequestParam(value = "userId") String userId,
+ @RequestParam(value = "timestamp") Long timestamp,
 @RequestParam(value = "sign") String sign) {
- String authCode = authCodeManage.generateAuthCode(userId, sign);
+ String authCode = authCodeManage.generateAuthCode(userId, timestamp, sign);
 return new AuthCodeVO(authCode);
 }
diff --git a/hz-pm-api/src/main/java/com/hz/pm/api/user/manage/AgentLoginManage.java b/hz-pm-api/src/main/java/com/hz/pm/api/user/manage/AgentLoginManage.java
index b2ce4d6..aafc454 100644
--- a/hz-pm-api/src/main/java/com/hz/pm/api/user/manage/AgentLoginManage.java
+++ b/hz-pm-api/src/main/java/com/hz/pm/api/user/manage/AgentLoginManage.java
@@ -23,9 +23,12 @@ public class AgentLoginManage {
 @Value("${agent-login.proxy.secret-key}")
 private String agentLoginProxySecretKey;
- public boolean agentLoginProxySignCheck(String userId, String sign) {
+ public boolean agentLoginProxySignCheck(String userId, Long timestamp, String sign) {
+ if (System.currentTimeMillis() - timestamp > 5000) {
+ return false;
+ }
 HMac hmacMd5 = SecureUtil.hmacMd5(agentLoginProxySecretKey);
- String digestHex = hmacMd5.digestHex(userId + "#" + LoginUserUtil.getUserId());
+ String digestHex = hmacMd5.digestHex(userId + "#" + timestamp);
 return digestHex.equals(sign);
 }
diff --git a/hz-pm-api/src/main/java/com/hz/pm/api/user/manage/AuthCodeManage.java b/hz-pm-api/src/main/java/com/hz/pm/api/user/manage/AuthCodeManage.java
index 409b0df..f3028a7 100644
--- a/hz-pm-api/src/main/java/com/hz/pm/api/user/manage/AuthCodeManage.java
+++ b/hz-pm-api/src/main/java/com/hz/pm/api/user/manage/AuthCodeManage.java
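Review bot: The new required `timestamp` parameter on `/getAuthCode` changes the signing contract for every client, but getAuthCode carries no documentation of what must be signed or in which unit; the only hint in this patch is a millisecond comparison on the agent-login path, not on this one. I would add a Javadoc to getAuthCode along the lines of "sign is the hex HMAC of `userId + "#" + timestamp` under the auth-code secret; timestamp is epoch milliseconds (presumably, matching the agent-login check — confirm)", so clients and the server-side check cannot drift apart silently.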
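Review bot: The freshness test `System.currentTimeMillis() - timestamp > 5000` only rejects timestamps in the past, so a sign computed over a far-future timestamp passes for as long as that moment has not arrived; compare the absolute skew instead, `if (Math.abs(System.currentTimeMillis() - timestamp) > 5000) { return false; }`. Inside the window nothing prevents the same (userId, timestamp, sign) triple from being replayed, so a captured request can be resubmitted to obtain further auth codes until it ages out; recording accepted signs for the window would close that. Removing `LoginUserUtil.getUserId()` from the signed string also means the sign is no longer bound to the user presenting it — any logged-in account holding a valid sign for the target can use it — which is only acceptable if whoever holds `agent-login.proxy.secret-key` is fully trusted to decide that, and this hunk does not show who that is. Finally, `digestHex.equals(sign)` compares a MAC in non-constant time and HMAC-MD5 is a weak primitive; use `MessageDigest.isEqual(digestHex.getBytes(StandardCharsets.UTF_8), sign.getBytes(StandardCharsets.UTF_8))` for the comparison and plan a move to `SecureUtil.hmacSha256` once clients can follow.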
@@ -29,10 +29,10 @@ public class AuthCodeManage {
 private final CachePlusOps cachePlusOps;
 private final AuthCodeProperties authCodeProperties;
- private String generateAuthCode(String userId, boolean checkSign, String sign) {
+ private String generateAuthCode(String userId, boolean checkSign, Long timestamp, String sign) {
 if (checkSign) {
 HMac hmacMd5 = SecureUtil.hmacMd5(authCodeProperties.getSecretKey());
- String digestHex = hmacMd5.digestHex(userId);
+ String digestHex = hmacMd5.digestHex(userId + "#" + timestamp);
 if (!digestHex.equals(sign)) {
 throw BizException.wrap("获取授权码失败:签名错误");
 }
@@ -44,12 +44,12 @@ public class AuthCodeManage {
 return authCode;
 }
- public String generateAuthCode(String userId, String sign) {
- return generateAuthCode(userId, true, sign);
+ public String generateAuthCode(String userId, Long timestamp, String sign) {
+ return generateAuthCode(userId, true, timestamp, sign);
 }
 public String generateAuthCode(String userId) {
- return generateAuthCode(userId, false, null);
+ return generateAuthCode(userId, false, null, null);
 }
 public boolean authCodeCheck(String userId, String authCode) {
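Review bot: The timestamp now enters the signed string, but generateAuthCode never compares it with the clock, so on the `/getAuthCode` path it merely salts the HMAC and adds no expiry — a captured (userId, timestamp, sign) remains valid indefinitely, whereas the agent-login path in this same patch enforces a 5 s window. Add a freshness check ahead of the digest, e.g. `if (timestamp == null || Math.abs(System.currentTimeMillis() - timestamp) > 5000) { throw BizException.wrap("获取授权码失败:签名已过期"); }`, preferably with the window read from authCodeProperties rather than a literal so both paths share one setting. The comparison `digestHex.equals(sign)` should also become `MessageDigest.isEqual(...)` over the UTF-8 bytes (needs `java.security.MessageDigest`) to avoid a timing side channel, and HMAC-MD5 is worth migrating to HMAC-SHA256 when clients can be updated. The remainder of the method after the signature check lies outside this hunk.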