
:lock: 修复安全问题。 绕过短信验证码

冷冷 6 年之前
父節點
當前提交
396ba6989e

+ 5 - 0
pigx-common/pigx-common-core/src/main/java/com/pig4cloud/pigx/common/core/constant/SecurityConstants.java

@@ -73,6 +73,11 @@ public interface SecurityConstants {
 	 * 手机号登录URL
 	 */
 	String SMS_TOKEN_URL = "/mobile/token/sms";
+
+	/**
+	 * 社交登录URL
+	 */
+	String SOCIAL_TOKEN_URL = "/mobile/token/social";
 	/**
 	 * 自定义登录URL
 	 */
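Review bot: The new `SOCIAL_TOKEN_URL` constant is separated from `SMS_TOKEN_URL` by an added blank line but runs directly into the following Javadoc for the custom login URL, so the spacing of the constant list is now uneven; add a blank line after `String SOCIAL_TOKEN_URL = "/mobile/token/social";` to match. The interface continues outside the hunk.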

+ 13 - 1
pigx-gateway/src/main/java/com/pig4cloud/pigx/gateway/filter/ValidateCodeGatewayFilter.java

@@ -22,6 +22,7 @@ import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.pig4cloud.pigx.common.core.constant.CommonConstants;
 import com.pig4cloud.pigx.common.core.constant.SecurityConstants;
+import com.pig4cloud.pigx.common.core.constant.enums.LoginTypeEnum;
 import com.pig4cloud.pigx.common.core.exception.ValidateCodeException;
 import com.pig4cloud.pigx.common.core.util.R;
 import com.pig4cloud.pigx.common.core.util.WebUtils;
@@ -58,7 +59,8 @@ public class ValidateCodeGatewayFilter extends AbstractGatewayFilterFactory {
 
 			// 不是登录请求,直接向下执行
 			if (!StrUtil.containsAnyIgnoreCase(request.getURI().getPath()
-					, SecurityConstants.OAUTH_TOKEN_URL, SecurityConstants.SMS_TOKEN_URL)) {
+					, SecurityConstants.OAUTH_TOKEN_URL, SecurityConstants.SMS_TOKEN_URL
+					, SecurityConstants.SOCIAL_TOKEN_URL)) {
 				return chain.filter(exchange);
 			}
 
@@ -75,6 +77,16 @@ public class ValidateCodeGatewayFilter extends AbstractGatewayFilterFactory {
 					return chain.filter(exchange);
 				}
 
+				// 如果是社交登录,判断是否包含SMS
+				if (StrUtil.containsAnyIgnoreCase(request.getURI().getPath(), SecurityConstants.SOCIAL_TOKEN_URL)) {
+					String mobile = request.getQueryParams().getFirst("mobile");
+					if (StrUtil.containsAny(mobile, LoginTypeEnum.SMS.getType())) {
+						throw new ValidateCodeException("验证码不合法");
+					} else {
+						return chain.filter(exchange);
+					}
+				}
+
 				//校验验证码
 				checkCode(request);
 			} catch (Exception e) {
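Review bot: `StrUtil.containsAny(mobile, LoginTypeEnum.SMS.getType())` is case-sensitive, while the path test directly above uses `containsAnyIgnoreCase`; whether the downstream login handler resolves the SMS type case-insensitively is not visible here, and if it does, this filter and the handler would disagree on what counts as an SMS login. Aligning the two, `if (StrUtil.containsAnyIgnoreCase(mobile, LoginTypeEnum.SMS.getType())) {`, removes that mismatch, and an allowlist of the login types actually permitted on `SOCIAL_TOKEN_URL` would be more robust than excluding SMS alone. The check also reads `mobile` only from the query string, so confirm the handler consults the same source and not the request body as well. The enclosing filter lambda starts and ends outside the hunk.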

+ 14 - 0
pigx-upms/pigx-upms-biz/src/main/java/com/pig4cloud/pigx/admin/handler/AbstractLoginHandler.java

@@ -25,6 +25,16 @@ import com.pig4cloud.pigx.admin.api.dto.UserInfo;
  */
 public abstract class AbstractLoginHandler implements LoginHandler {
 
+	/***
+	 * 数据合法性校验
+	 * @param loginStr 通过用户传入获取唯一标识
+	 * @return 默认不校验
+	 */
+	@Override
+	public Boolean check(String loginStr) {
+		return true;
+	}
+
 	/**
 	 * 处理方法
 	 *
@@ -33,6 +43,10 @@ public abstract class AbstractLoginHandler implements LoginHandler {
 	 */
 	@Override
 	public UserInfo handle(String loginStr) {
+		if (!check(loginStr)) {
+			return null;
+		}
+
 		String identify = identify(loginStr);
 		return info(identify);
 	}
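Review bot: `check` returns a boxed `Boolean` and `handle` unboxes it in `!check(loginStr)`, so a subclass override that returns null would throw `NullPointerException` instead of being rejected; declaring it `public boolean check(String loginStr) {` here, with the matching primitive signature in LoginHandler.java in the next section, removes that failure mode. `handle` now returns null when the check fails, which its existing Javadoc (starting outside the hunk) does not mention; add `@return the resolved user, or {@code null} when {@link #check(String)} rejects the input` so callers know to handle it. The default of `true` makes validation opt-in per subclass, which is worth stating in the class-level Javadoc so new handlers are not silently unchecked.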

+ 7 - 0
pigx-upms/pigx-upms-biz/src/main/java/com/pig4cloud/pigx/admin/handler/LoginHandler.java

@@ -27,6 +27,13 @@ import com.pig4cloud.pigx.admin.api.dto.UserInfo;
  */
 public interface LoginHandler {
 
+	/***
+	 * 数据合法性校验
+	 * @param loginStr 通过用户传入获取唯一标识
+	 * @return
+	 */
+	Boolean check(String loginStr);
+
 	/**
 	 * 通过用户传入获取唯一标识
 	 *
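Review bot: The `@return` tag on the new `check` declaration is empty, and the comment opens with `/***`, which Javadoc does not treat specially; write it as `/**` and fill in `@return {@code true} when {@code loginStr} is acceptable for this handler, {@code false} to reject the login`. The interface continues outside the hunk.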

+ 1 - 0
pigx-upms/pigx-upms-biz/src/main/java/com/pig4cloud/pigx/admin/handler/SmsLoginHandler.java

@@ -35,6 +35,7 @@ import org.springframework.stereotype.Component;
 public class SmsLoginHandler extends AbstractLoginHandler {
 	private final SysUserService sysUserService;
 
+
 	/**
 	 * 验证码登录传入为手机号
 	 * 不用不处理