feat(auth): 新增接口签名校验与退出登录功能

2025-12-03 12:59:51 +08:00
parent fdc024e58f
commit 6c7bec8ad3
6 changed files with 242 additions and 3 deletions
--- a/src/main/java/com/yolo/keyborad/Interceptor/SignInterceptor.java
+++ b/src/main/java/com/yolo/keyborad/Interceptor/SignInterceptor.java
@@ -0,0 +1,129 @@
 package com.yolo.keyborad.Interceptor;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.yolo.keyborad.utils.SignUtils;
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.springframework.data.redis.core.StringRedisTemplate;
 import org.springframework.http.MediaType;
 import org.springframework.util.StreamUtils;
 import org.springframework.web.servlet.HandlerInterceptor;
 import java.nio.charset.StandardCharsets;
 import java.time.Instant;
 import java.util.*;
 import java.util.concurrent.TimeUnit;
 public class SignInterceptor implements HandlerInterceptor {
    // appId -> secret 的映射（可从 DB 等处加载）
    private final Map<String, String> appSecretMap;
    private final ObjectMapper objectMapper = new ObjectMapper();
    private final StringRedisTemplate redisTemplate;
    // 允许时间误差 5 分钟
    private static final long ALLOW_TIME_DIFF_SECONDS = 300;
    // nonce 在 Redis 的有效期（建议比时间误差略长一点）
    private static final long NONCE_EXPIRE_SECONDS = 300;
    public SignInterceptor(Map<String, String> appSecretMap,
                           StringRedisTemplate redisTemplate) {
        this.appSecretMap = appSecretMap;
        this.redisTemplate = redisTemplate;
    }
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        String appId = request.getHeader("X-App-Id");
        String timestamp = request.getHeader("X-Timestamp");
        String nonce = request.getHeader("X-Nonce");
        String sign = request.getHeader("X-Sign");
        if (appId == null || timestamp == null || nonce == null || sign == null) {
            writeError(response, 401, "Missing sign headers");
            return false;
        }
        String secret = appSecretMap.get(appId);
        if (secret == null) {
            writeError(response, 401, "Invalid appId");
            return false;
        }
        // 1. 时间戳校验（防止超时重放）
        long ts;
        try {
            ts = Long.parseLong(timestamp);
        } catch (NumberFormatException e) {
            writeError(response, 401, "Invalid timestamp");
            return false;
        }
        long now = Instant.now().getEpochSecond();
        if (Math.abs(now - ts) > ALLOW_TIME_DIFF_SECONDS) {
            writeError(response, 401, "Request expired");
            return false;
        }
        // 2. nonce 防重放（Redis + setIfAbsent）
        String nonceKey = buildNonceKey(appId, nonce);
        Boolean success = redisTemplate.opsForValue()
                .setIfAbsent(nonceKey, timestamp, NONCE_EXPIRE_SECONDS, TimeUnit.SECONDS);
        // success == null 也当 false 处理
        if (!Boolean.TRUE.equals(success)) {
            // 说明这个 appId + nonce 在有效期内已经被用过了
            writeError(response, 401, "Nonce already used");
            return false;
        }
        // 3. 收集所有参数并校验签名（跟之前一样）
        Map<String, String> params = new HashMap<>();
        params.put("appId", appId);
        params.put("timestamp", timestamp);
        params.put("nonce", nonce);
        // query 参数
        request.getParameterMap().forEach((k, v) -> {
            if (v != null && v.length > 0) {
                params.put(k, v[0]);
            }
        });
        // body 参数（content-type 为 json 时解析一次）
        String contentType = request.getContentType();
        if (contentType != null && contentType.contains(MediaType.APPLICATION_JSON_VALUE)) {
            String body = StreamUtils.copyToString(request.getInputStream(), StandardCharsets.UTF_8);
            if (!body.isEmpty()) {
                Map<String, Object> bodyMap = objectMapper.readValue(body, Map.class);
                bodyMap.forEach((k, v) -> {
                    if (v != null) {
                        params.put(k, String.valueOf(v));
                    }
                });
            }
        }
        String calculatedSign = SignUtils.sign(params, secret);
        if (!calculatedSign.equalsIgnoreCase(sign)) {
            writeError(response, 401, "Invalid sign");
            return false;
        }
        return true;
    }
    private String buildNonceKey(String appId, String nonce) {
        // 可以按需加上前缀，便于区分业务
        return "sign:nonce:" + appId + ":" + nonce;
    }
    private void writeError(HttpServletResponse response, int code, String msg) throws Exception {
        response.setStatus(code);
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        Map<String, Object> result = new HashMap<>();
        result.put("code", code);
        result.put("message", msg);
        response.getWriter().write(objectMapper.writeValueAsString(result));
    }
 }
--- a/src/main/java/com/yolo/keyborad/config/SaTokenConfigure.java
+++ b/src/main/java/com/yolo/keyborad/config/SaTokenConfigure.java
@@ -5,13 +5,33 @@ import cn.dev33.satoken.interceptor.SaInterceptor;
 import cn.dev33.satoken.router.SaHttpMethod;
 import cn.dev33.satoken.router.SaRouter;
 import cn.dev33.satoken.stp.StpUtil;
 import com.yolo.keyborad.Interceptor.SignInterceptor;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.data.redis.core.StringRedisTemplate;
 import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 import java.util.HashMap;
@Configuration
 public class SaTokenConfigure implements WebMvcConfigurer {
    private final StringRedisTemplate redisTemplate;
    public SaTokenConfigure(StringRedisTemplate redisTemplate) {
        this.redisTemplate = redisTemplate;
    }
    HashMap<String, String> appSecretMap = new HashMap<>();
    @Value("${appid}")
    private String appId;
    @Value("${appsecret}")
    private String appSecret;
    // 注册拦截器
    @Override
    public void addInterceptors(InterceptorRegistry registry) {
@@ -19,6 +39,10 @@ public class SaTokenConfigure implements WebMvcConfigurer {
        registry.addInterceptor(new SaInterceptor(handle -> StpUtil.checkLogin()))
                .addPathPatterns("/**")
                .excludePathPatterns(getExcludePaths());
        appSecretMap.put(appId, appSecret);
        registry.addInterceptor(new SignInterceptor(appSecretMap,redisTemplate))
                .addPathPatterns("/**")      // 需要签名校验的接口
                .excludePathPatterns(getExcludePaths()); // 不需要校验的接口;
    }
    private String[] getExcludePaths() {
        return new String[]{
@@ -41,7 +65,8 @@ public class SaTokenConfigure implements WebMvcConfigurer {
                "/demo/testSaveEmbed",
                "/demo/testSearch",
                "/demo/tsetSearchText",
-                "/file/upload"
+                "/file/upload",
                "/user/logout"
        };
    }
    @Bean
--- a/src/main/java/com/yolo/keyborad/controller/UserController.java
+++ b/src/main/java/com/yolo/keyborad/controller/UserController.java
@@ -1,5 +1,6 @@
 package com.yolo.keyborad.controller;
 import cn.dev33.satoken.stp.StpUtil;
 import com.yolo.keyborad.common.BaseResponse;
 import com.yolo.keyborad.common.ResultUtils;
 import com.yolo.keyborad.model.dto.AppleLoginReq;
@@ -40,5 +41,11 @@ public class UserController {
        return ResultUtils.success(appleService.login(appleLoginReq.getIdentityToken()));
    }
    @GetMapping("/logout")
    @Operation(summary = "退出登录", description = "退出登录接口")
    public BaseResponse<Boolean> logout() {
        StpUtil.logoutByTokenValue(StpUtil.getTokenValue());
        return ResultUtils.success(true);
    }
 }
--- a/src/main/java/com/yolo/keyborad/service/impl/AppleServiceImpl.java
+++ b/src/main/java/com/yolo/keyborad/service/impl/AppleServiceImpl.java
@@ -57,7 +57,8 @@ public class AppleServiceImpl implements IAppleService {
        // 2. 拆分三段 & 使用 Base64URL 解码
        String[] parts = identityToken.split("\\.");
        if (parts.length != 3) {
-            throw new BusinessException(ErrorCode.OPERATION_ERROR);
+            log.error("apple授权登录的token拆分失败，token={}", identityToken);
            throw new BusinessException(ErrorCode.APPLE_LOGIN_ERROR);
        }
        Base64.Decoder urlDecoder = Base64.getUrlDecoder();
--- a/src/main/java/com/yolo/keyborad/utils/SignUtils.java
+++ b/src/main/java/com/yolo/keyborad/utils/SignUtils.java
@@ -0,0 +1,74 @@
    package com.yolo.keyborad.utils;
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
 import java.nio.charset.StandardCharsets;
 import java.net.URLEncoder;
 import java.util.Map;
 import java.util.stream.Collectors;
 import java.util.TreeMap;
 public class SignUtils {
    private static final String HMAC_SHA256 = "HmacSHA256";
    /**
     * 生成签名
     * @param params 参与签名的参数（不含 sign 本身）
     * @param secret 密钥
     */
    public static String sign(Map<String, String> params, String secret) {
        // 1. 过滤掉空值和 sign 本身
        Map<String, String> filtered = params.entrySet().stream()
                .filter(e -> e.getValue() != null && !"sign".equalsIgnoreCase(e.getKey()))
                .collect(Collectors.toMap(
                        Map.Entry::getKey,
                        Map.Entry::getValue
                ));
        // 2. 按 key 字典序排序
        Map<String, String> sorted = new TreeMap<>(filtered);
        // 3. 拼接成 key=value&key2=value2...&secret=xxx
        StringBuilder sb = new StringBuilder();
        sorted.forEach((k, v) -> {
            if (sb.length() > 0) {
                sb.append("&");
            }
            sb.append(k).append("=").append(urlEncode(v));
        });
        sb.append("&secret=").append(urlEncode(secret));
        String data = sb.toString();
        return hmacSha256(data, secret);
    }
    private static String hmacSha256(String data, String secret) {
        try {
            Mac mac = Mac.getInstance(HMAC_SHA256);
            SecretKeySpec secretKey = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), HMAC_SHA256);
            mac.init(secretKey);
            byte[] bytes = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
            // 转十六进制小写
            StringBuilder sb = new StringBuilder();
            for (byte b : bytes) {
                String hex = Integer.toHexString(b & 0xff);
                if (hex.length() == 1) {
                    sb.append("0");
                }
                sb.append(hex);
            }
            return sb.toString();
        } catch (Exception e) {
            throw new RuntimeException("Sign error", e);
        }
    }
    private static String urlEncode(String str) {
        try {
            return URLEncoder.encode(str, StandardCharsets.UTF_8);
        } catch (Exception e) {
            return str;
        }
    }
 }
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -45,4 +45,7 @@ mybatis-plus:
    db-config:
      logic-delete-field: isDelete # 全局逻辑删除的实体字段名(since 3.3.0,配置后可以忽略不配置步骤2)
      logic-delete-value: 1 # 逻辑已删除值(默认为 1)
-      logic-not-delete-value: 0 # 逻辑未删除值(默认为 0)
+      logic-not-delete-value: 0 # 逻辑未删除值(默认为 0)
 appid: loveKeyboard
 appsecret: kZJM39HYvhxwbJkG1fmquQRVkQiLAh2H