提交配置校验

b9bd798e · 赵啸非 · fd103eb5 · b9bd798e
Commit b9bd798e authored Oct 09, 2024 by 赵啸非
Show whitespace changes
Inline Side-by-side

Showing with 23 additions and 1 deletion

base-manager/src/main/java/com/mortals/xhx/base/framework/interceptor/AuthUserInterceptor.java ...s/xhx/base/framework/interceptor/AuthUserInterceptor.java +23 -1

No files found.
--- a/base-manager/src/main/java/com/mortals/xhx/base/framework/interceptor/AuthUserInterceptor.java
+++ b/base-manager/src/main/java/com/mortals/xhx/base/framework/interceptor/AuthUserInterceptor.java
 package com.mortals.xhx.base.framework.interceptor;
+import cn.hutool.core.util.StrUtil;
+import cn.hutool.http.HttpStatus;
 import com.alibaba.fastjson.JSONObject;
 import com.mortals.framework.annotation.UnAuth;
 import com.mortals.framework.common.Rest;
@@ -11,6 +13,7 @@ import com.mortals.framework.web.interceptor.BaseInterceptor;
 import com.mortals.xhx.base.framework.config.InterceptorConfig;
 import com.mortals.xhx.common.code.ApiRespCodeEnum;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 import org.springframework.util.ObjectUtils;
 import org.springframework.web.method.HandlerMethod;
@@ -19,6 +22,7 @@ import org.springframework.web.servlet.resource.ResourceHttpRequestHandler;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.lang.reflect.Method;
+import java.util.List;
 import static com.mortals.xhx.common.key.ErrorCode.*;
@@ -35,6 +39,9 @@ public class AuthUserInterceptor extends BaseInterceptor {
    @Autowired
    private IAuthTokenService authTokenService;
+    @Value("${trustedReferer:''}")
+    private String trustedReferer;
    @Override
    public int getOrder() {
        return Integer.MAX_VALUE - 9;
@@ -44,6 +51,21 @@ public class AuthUserInterceptor extends BaseInterceptor {
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
            throws Exception {
        //response.setContentType("application/json");
+        String referer = request.getHeader("Referer");
+        if (!ObjectUtils.isEmpty(referer)) {
+            referer = StrUtil.removeSuffix(referer, "/");
+            List<String> trustReferers = StrUtil.split(trustedReferer, ",");
+            if (!ObjectUtils.isEmpty(trustReferers)) {
+                if (!trustReferers.contains(referer)) {
+                    response.setStatus(HttpStatus.HTTP_BAD_REQUEST);
+                    return false;
+                }
+            }
+        }
        if (handler instanceof HandlerMethod) {
            HandlerMethod handlerMethod = (HandlerMethod) handler;
            Method method = handlerMethod.getMethod();
@@ -64,7 +86,7 @@ public class AuthUserInterceptor extends BaseInterceptor {
                if (!auth) {
                    //校验token不正常
                    String token = authTokenService.getToken(request);
-                    if(ObjectUtils.isEmpty(token)){
+                    if (ObjectUtils.isEmpty(token)) {
                        ServletUtils.renderString(response, JSONObject.toJSONString(Rest.fail(ERROR_TOKEN_UNAUTHORIZED, ERROR_TOKEN_UNAUTHORIZED_CONTENT)));
                        return false;
                    }