
[bug-4428]信息科反馈漏洞,需要修复

gaozl 10 ماه پیش
والد
کامیت
d865993c54

+ 1 - 0
ibps-basic-root/modules/basic-response/src/main/java/com/lc/ibps/cloud/config/AuthorizationConfig.java

@@ -200,6 +200,7 @@ public class AuthorizationConfig {
 		ignoreUrls.add("/employee/registrationOutsiders/query");
 		ignoreUrls.add("/employee/satisfaction/save");
 		ignoreUrls.add("/employee/satisfaction/getQuestionnaireByQrCodeId");
+		ignoreUrls.add("/short/apply");
 
 		// swagger配置
 		ignoreUrls.add("/**/v2/api-docs");
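Review bot: Adding `/short/apply` to `ignoreUrls` makes the token-minting endpoint reachable without any credential, so the tokens that TokenAuthInterceptor later checks on the `/employee/...` paths listed just above (which are also in `ignoreUrls`) can be obtained by any caller, and the scheme adds a round-trip but no authentication. The `@RateLimiter` on ShortActingTokenController.apply is commented out as well, so issuance is not even throttled. If the intent is only to stop those endpoints from being replayed rather than to restrict who may call them, say so next to this line, e.g. `// /short/apply issues one-time tokens consumed by TokenAuthInterceptor; it is open, so it limits replay, not access`; otherwise keep it out of `ignoreUrls` or tie issuance to an authenticated principal. The enclosing method starts and ends outside the hunk.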

+ 1 - 0
ibps-comp-base-root/modules/comp-file-server-api/src/main/java/com/lc/ibps/file/server/api/IUploadService.java

@@ -42,6 +42,7 @@ public interface IUploadService {
 			@NotNull(message = "{com.lc.ibps.cloud.file}")
 			@RequestPart(name = "file", required = true)MultipartFile file);
 
+	@ApiOperation(value = "文件上传无需token", notes = "文件上传无需token")
 	@RequestMapping(value = "/sign", method = RequestMethod.POST, consumes = MediaType.MULTIPART_FORM_DATA_VALUE)
 	public APIResult<AttachmentPo> uploadFileSign(
 			@NotNull(message = "{com.lc.ibps.cloud.file}")

+ 1 - 1
ibps-oauth-root/modules/oauth-core/src/main/java/com/lc/ibps/cloud/oauth/entity/AuthorizeVo.java

@@ -15,7 +15,7 @@ public class AuthorizeVo implements Serializable {
 	 */
 	private static final long serialVersionUID = -4236684971542032784L;
 	
-	@NotBlank(message = "{com.lc.ibps.switch.client.id}")
+	//@NotBlank(message = "{com.lc.ibps.switch.client.id}")
 	@ApiModelProperty(value = "申请应用时分配的AppKey")
 	private String client_id;
 	@NotBlank(message = "{com.lc.ibps.authorize.login.state}")
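Review bot: The `@NotBlank` on `client_id` is commented out rather than removed, and the same is done for `client_id` and `client_secret` in SwitchVo; commented-out annotations should be deleted, version history keeps them. Since AuthorizeProvider and TokenProvider now read the client id and secret from `authorizationConfig` instead of these VOs, both fields are dead input that the API still accepts and advertises in Swagger; either drop them from the VOs or change their `@ApiModelProperty` text to state that the value is ignored server-side, so integrators stop sending a secret that is never checked.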

+ 2 - 2
ibps-oauth-root/modules/oauth-core/src/main/java/com/lc/ibps/cloud/oauth/entity/SwitchVo.java

@@ -22,10 +22,10 @@ public class SwitchVo implements Serializable {
 	@NotBlank(message = "{com.lc.ibps.switch.grant.type}", groups = {Default.class , ValidationGroup.Group1.class})
 	@ApiModelProperty(value = "请求类型", example = "authorization_code/password_credentials/client_credentials/refresh_token")
 	private String grant_type;
-	@NotBlank(message = "{com.lc.ibps.switch.client.id}", groups = {Default.class , ValidationGroup.Group1.class})
+	//@NotBlank(message = "{com.lc.ibps.switch.client.id}", groups = {Default.class , ValidationGroup.Group1.class})
 	@ApiModelProperty(value = "申请应用时分配的AppKey")
 	private String client_id;
-	@NotBlank(message = "{com.lc.ibps.switch.client.secret}", groups = {Default.class , ValidationGroup.Group1.class})
+	//@NotBlank(message = "{com.lc.ibps.switch.client.secret}", groups = {Default.class , ValidationGroup.Group1.class})
 	@ApiModelProperty(value = "申请应用时分配的AppSecret")
 	private String client_secret;
 	@NotBlank(message = "{com.lc.ibps.switch.access.token}", groups = {Default.class , ValidationGroup.Group1.class})

+ 1 - 1
ibps-oauth-root/modules/oauth-server2-default/src/main/java/com/lc/ibps/cloud/oauth/server/provider/AuthorizeProvider.java

@@ -93,7 +93,7 @@ public class AuthorizeProvider extends BaseProvider implements IAuthorizeService
 		logger.debug("request authorize");
 		APIResult<String> result = new APIResult<>();
 		
-		String clientId = authorizeVo.getClient_id();
+		String clientId = authorizationConfig.getDefaultClient();
 		String loginState = authorizeVo.getLogin_state();
 		String state = authorizeVo.getState();
 //		String redirectUri = authorizeVo.getRedirect_uri();

+ 3 - 0
ibps-oauth-root/modules/oauth-server2-default/src/main/java/com/lc/ibps/cloud/oauth/server/provider/BaseProvider.java

@@ -21,6 +21,7 @@ import com.lc.ibps.base.db.tenant.utils.TenantUtil;
 import com.lc.ibps.base.framework.model.OperatorParamter;
 import com.lc.ibps.base.framework.table.ICommonDao;
 import com.lc.ibps.base.web.context.RequestContext;
+import com.lc.ibps.cloud.config.AuthorizationConfig;
 import com.lc.ibps.cloud.identifier.IdGenerator;
 import com.lc.ibps.cloud.identifier.config.IdConfig;
 import com.lc.ibps.cloud.oauth.constants.RedisKey;
@@ -121,6 +122,8 @@ public class BaseProvider extends GenericProvider {
 	protected UserLimitConfig userLimitConfig;
 	@Autowired
 	private IdConfig idConfig;
+	@Autowired
+	protected AuthorizationConfig authorizationConfig;
 
 	/**
 	 * 设置主岗位信息和主负责人信息

+ 6 - 14
ibps-oauth-root/modules/oauth-server2-default/src/main/java/com/lc/ibps/cloud/oauth/server/provider/TokenProvider.java

@@ -1,21 +1,15 @@
 package com.lc.ibps.cloud.oauth.server.provider;
 
-import java.text.DateFormat;
 import java.text.SimpleDateFormat;
-import java.time.format.DateTimeFormatter;
 import java.util.*;
 import java.util.concurrent.TimeUnit;
 
 import cn.hutool.json.JSONObject;
 import cn.hutool.json.JSONUtil;
-import com.lc.ibps.base.framework.id.UniqueIdUtil;
-import com.lc.ibps.base.web.context.ContextUtil;
 import com.lc.ibps.cloud.oauth.exception.*;
-import com.lc.ibps.cloud.oauth.server.util.LicUtil;
 import com.lc.ibps.org.party.persistence.entity.PartyEmployeePo;
 import com.lc.ibps.org.party.persistence.entity.PartyEntityPo;
 import org.apache.commons.lang3.StringUtils;
-import org.springframework.context.annotation.Bean;
 import org.springframework.data.redis.connection.DataType;
 import org.springframework.stereotype.Service;
 import org.springframework.util.Assert;
@@ -60,8 +54,6 @@ import io.swagger.annotations.Api;
 import io.swagger.annotations.ApiOperation;
 import io.swagger.annotations.ApiParam;
 
-import javax.validation.Valid;
-
 import static com.lc.ibps.api.base.constants.StateEnum.ERROR;
 import static com.lc.ibps.api.base.constants.StateEnum.SUCCESS;
 
@@ -159,8 +151,8 @@ public class TokenProvider extends BaseProvider implements ITokenService {
 		APIResult<TokenEntity> result = new APIResult<>();
 		try{
 			String grantType = accessTokenVo.getGrant_type();
-			String clientId = accessTokenVo.getClient_id();
-			String clientSecret = accessTokenVo.getClient_secret();
+			String clientId = authorizationConfig.getDefaultClient();
+			String clientSecret = authorizationConfig.getDefaultSecret();
 			String username = accessTokenVo.getUsername();
 			String password = accessTokenVo.getPassword();
 			String refreshToken = accessTokenVo.getRefresh_token();
@@ -280,8 +272,8 @@ public class TokenProvider extends BaseProvider implements ITokenService {
 		APIResult<TokenEntity> result = new APIResult<>();
 		try{
 			String grantType = switchVo.getGrant_type();
-			String clientId = switchVo.getClient_id();
-			String clientSecret = switchVo.getClient_secret();
+			String clientId = authorizationConfig.getDefaultClient();
+			String clientSecret = authorizationConfig.getDefaultSecret();
 			String username = switchVo.getUsername();
 			String accessToken = switchVo.getAccess_token();
 			//String redirectUri = accessTokenVo.getRedirect_uri();
@@ -357,8 +349,8 @@ public class TokenProvider extends BaseProvider implements ITokenService {
 		APIResult<TokenEntity> result = new APIResult<>();
 		try{
 			String grantType = switchVo.getGrant_type();
-			String clientId = switchVo.getClient_id();
-			String clientSecret = switchVo.getClient_secret();
+			String clientId = authorizationConfig.getDefaultClient();
+			String clientSecret = authorizationConfig.getDefaultSecret();
 			String accessToken = switchVo.getAccess_token();
 			String username = switchVo.getUsername();
 			//String redirectUri = accessTokenVo.getRedirect_uri();
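Review bot: The three hunks at old lines 159, 280 and 357 each replace the caller-supplied client id and secret with `authorizationConfig.getDefaultClient()` / `getDefaultSecret()`, which means the client secret no longer authenticates the caller for any grant type; for a grant that previously relied on the secret alone (SwitchVo's Swagger example lists `client_credentials`), confirm what still identifies the caller after this change — the grant handling sits below each hunk, so I cannot see it. The duplicated pair of lines also belongs in one place, e.g. `protected String defaultClientId()` and `protected String defaultClientSecret()` on BaseProvider next to the new `authorizationConfig` field, so a later change to how the default client is chosen is made once. Each enclosing method starts and ends outside its hunk.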

+ 36 - 0
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/business/controller/ShortActingTokenController.java

@@ -0,0 +1,36 @@
+package com.lc.ibps.business.controller;
+
+import com.lc.ibps.api.base.constants.StateEnum;
+import com.lc.ibps.base.core.util.I18nUtil;
+import com.lc.ibps.business.service.ShortActingTokenService;
+import com.lc.ibps.cloud.entity.APIResult;
+import com.lc.ibps.cloud.provider.GenericProvider;
+import io.swagger.annotations.Api;
+import io.swagger.annotations.ApiOperation;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@Api(tags = "获取短时效token")
+@RequestMapping("/short")
+@RestController
+public class ShortActingTokenController extends GenericProvider {
+
+    @Autowired
+    private ShortActingTokenService shortActingTokenService;
+
+    @ApiOperation("获取短时效token")
+    @PostMapping("/apply")
+    //@RateLimiter(value = 5, timeUnit = TimeUnit.MINUTES) // 每分钟最多5次
+    APIResult<String> apply(){
+        APIResult<String> result = new APIResult<>();
+        try {
+            result = shortActingTokenService.apply();
+        } catch (Exception e) {
+            setExceptionResult(result, StateEnum.ILLEGAL_REQUEST.getCode(), I18nUtil.getMessage(StateEnum.ILLEGAL_REQUEST.getCode() + ""), e);
+        }
+        return result;
+    }
+
+}
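Review bot: `apply()` is declared without `public`, unlike the other handler methods in this codebase (for example `uploadFileSign` in IUploadService); write it as `public APIResult<String> apply()` so it matches them and is unambiguously callable through the MVC proxy. The `//@RateLimiter(value = 5, timeUnit = TimeUnit.MINUTES) // 每分钟最多5次` line is commented-out code whose own comment ("at most 5 per minute") does not obviously agree with `value = 5, timeUnit = MINUTES`; decide the intended window and enable it, or delete the line, since as written every call creates a Redis entry with no throttle. The method also has no Javadoc; a one-liner stating that it returns a single-use token consumed by TokenAuthInterceptor would help the next reader.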

+ 80 - 0
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/business/intercept/TokenAuthInterceptor.java

@@ -0,0 +1,80 @@
+package com.lc.ibps.business.intercept;
+
+import com.lc.ibps.base.core.constants.StringPool;
+import com.lc.ibps.base.core.util.BeanUtils;
+import com.lc.ibps.cloud.oauth.client.filter.AbstractFilter;
+import com.lc.ibps.cloud.redis.utils.RedisUtil;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+@Component
+public class TokenAuthInterceptor extends AbstractFilter  {
+
+    private static final Set<String> NAMES = new HashSet<>(
+            Arrays.asList(
+                    "/employee/signInformation/query",
+                    "/employee/signInformation/save",
+                    "/employee/qRcode/query",
+                    "/employee/registrationOutsiders/query",
+                    "/employee/registrationOutsiders/save",
+                    "/employee/satisfaction/save",
+                    "/employee/satisfaction/getQuestionnaireByQrCodeId"
+            )
+    );
+
+    @Override
+    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
+        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
+        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
+
+        httpRequest.setCharacterEncoding(StringPool.UTF_8);
+        httpResponse.setCharacterEncoding(StringPool.UTF_8);
+        String uri = httpRequest.getRequestURI();
+        if (NAMES.contains(uri)){
+            // 1. 获取令牌(支持Header/参数)
+            //String token = httpRequest.getParameter("token");
+            String token = httpRequest.getHeader("x-authorization-access_token");
+            // 2. 令牌不存在
+            if (BeanUtils.isEmpty(token)) {
+                sendError(httpResponse, "访问令牌缺失");
+                return;
+            }
+            // 3. 验证Redis中的令牌
+            String key = "white_list_access_token:" + token;
+            Boolean exists = RedisUtil.redisTemplateString.hasKey(key);
+            if (exists == null || !exists) {
+                sendError(httpResponse, "令牌无效或已过期");
+                return;
+            }
+            // 4. 删除令牌(一次性使用)
+            Boolean del = RedisUtil.redisTemplateString.delete(key);
+            if(del != null && del){
+                filterChain.doFilter(servletRequest, servletResponse);
+            }else {
+                sendError(httpResponse, "令牌不存在");
+            }
+        }else {
+            filterChain.doFilter(servletRequest, servletResponse);
+        }
+    }
+
+    // 统一错误响应
+    private void sendError(HttpServletResponse response, String msg) throws IOException {
+        response.setStatus(401);
+        response.setContentType("application/json");
+        response.setCharacterEncoding("UTF-8");
+        response.getWriter().write(
+                String.format("{\"code\":%d,\"message\":\"%s\"}", 401, msg)
+        );
+    }
+}
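Review bot: The whitelist check `NAMES.contains(uri)` is an exact match on `getRequestURI()`, so any variant of a listed path that the container or Spring still routes to the same handler (a trailing slash, a `;` path parameter, a context-path prefix) falls into the `else` branch and is passed through without a token check; match with the same Ant-style rules the authorization config uses for `ignoreUrls`, or normalize the URI before the lookup. The `hasKey` call before `delete` is redundant: `DEL` is atomic and reports whether the key existed, so a single delete both validates and consumes the token, and it removes the window in which a second request with the same token reads "exists" and then fails with the misleading `令牌不存在` instead of the expired message (the outcome is still a rejection, so this is correctness of the response, not a bypass). The rewritten steps 3–4 are below. `sendError` formats `msg` straight into JSON without escaping, which is safe for these constant strings but deserves a `// msg must not contain quotes or backslashes` comment so a later caller does not pass user input.
```java
            String key = "white_list_access_token:" + token;
            // 3+4. DEL is atomic and reports whether the key existed, so one call
            // both validates the token and consumes it (one-time use)
            Boolean consumed = RedisUtil.redisTemplateString.delete(key);
            if (consumed == null || !consumed) {
                sendError(httpResponse, "令牌无效或已过期");
                return;
            }
            filterChain.doFilter(servletRequest, servletResponse);
        // … unchanged: else branch for non-whitelisted URIs, sendError …
```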

+ 10 - 0
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/business/service/ShortActingTokenService.java

@@ -0,0 +1,10 @@
+package com.lc.ibps.business.service;
+
+import com.lc.ibps.cloud.entity.APIResult;
+
+public interface ShortActingTokenService {
+
+
+    APIResult<String> apply();
+
+}

+ 26 - 0
ibps-provider-root/modules/provider-business/src/main/java/com/lc/ibps/business/service/impl/ShortActingTokenServiceImpl.java

@@ -0,0 +1,26 @@
+package com.lc.ibps.business.service.impl;
+
+import cn.hutool.core.lang.UUID;
+import com.lc.ibps.business.service.ShortActingTokenService;
+import com.lc.ibps.cloud.entity.APIResult;
+import com.lc.ibps.cloud.redis.utils.RedisUtil;
+import lombok.extern.log4j.Log4j2;
+import org.springframework.stereotype.Service;
+
+import java.util.concurrent.TimeUnit;
+
+@Log4j2
+@Service
+public class ShortActingTokenServiceImpl implements ShortActingTokenService {
+
+
+    @Override
+    public APIResult<String> apply() {
+        APIResult<String> result = new APIResult<>();
+        String token = UUID.fastUUID().toString(true);
+        String key = "white_list_access_token:" + token;
+        RedisUtil.redisTemplateString.opsForValue().set(key,"short-acting-token",5 , TimeUnit.MINUTES);
+        result.setData(token);
+        return result;
+    }
+}
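Review bot: `UUID.fastUUID()` is the variant hutool documents as ThreadLocalRandom-backed, chosen for speed rather than unpredictability; a token that stands in for a credential should come from a cryptographically secure source, so use `UUID.randomUUID().toString(true)` (the SecureRandom-backed method on the same hutool class) or `java.util.UUID.randomUUID()`. The key prefix `"white_list_access_token:"` and the five-minute TTL are duplicated between this class and TokenAuthInterceptor; move them into one shared constant (for example on ShortActingTokenService) so the issuer and the consumer cannot drift apart. `@Log4j2` is applied but `log` is never used, and the class has no Javadoc stating that the token is single-use and expires after five minutes.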