yudao
/
spring-cloud
mirror of https://gitee.com/zhijiantianya/yudao-cloud.git
3
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

optimize HTTP接口签名功能 防重放攻击从nonce -> appId+nonce维度

pull/130/head
1351515658@qq.com 2024-07-31 11:35:07 +08:00
parent 9194e094e6
commit 99bef36c90
3 changed files with 10 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
yudao-framework/yudao-spring-boot-starter-protection/src/main/java/cn/iocoder/yudao/framework/signature/core/aop/ApiSignatureAspect.java
View File

@ -69,7 +69,7 @@ public class ApiSignatureAspect {
// 3. 将 nonce 记入缓存,防止重复使用(重点二:此处需要将 ttl 设定为允许 timestamp 时间差的值 x 2 // 3. 将 nonce 记入缓存,防止重复使用(重点二:此处需要将 ttl 设定为允许 timestamp 时间差的值 x 2
String nonce = request.getHeader(signature.nonce()); String nonce = request.getHeader(signature.nonce());
signatureRedisDAO.setNonce(nonce, signature.timeout() * 2, signature.timeUnit()); signatureRedisDAO.setNonce(appId, nonce, signature.timeout() * 2, signature.timeUnit());
return true; return true;
} }
@ -113,7 +113,7 @@ public class ApiSignatureAspect {
} }
// 3. 检查 nonce 是否存在,有且仅能使用一次 // 3. 检查 nonce 是否存在,有且仅能使用一次
return signatureRedisDAO.getNonce(nonce) == null; return signatureRedisDAO.getNonce(appId, nonce) == null;
} }
/** /**

14
yudao-framework/yudao-spring-boot-starter-protection/src/main/java/cn/iocoder/yudao/framework/signature/core/redis/ApiSignatureRedisDAO.java
View File

@ -22,7 +22,7 @@ public class ApiSignatureRedisDAO {
* VALUE String * VALUE String
* *
*/ */
private static final String SIGNATURE_NONCE = "api_signature_nonce:%s"; private static final String SIGNATURE_NONCE = "api_signature_nonce:%s:%s";
/** /**
* *
@ -36,16 +36,16 @@ public class ApiSignatureRedisDAO {
// ========== 验签随机数 ========== // ========== 验签随机数 ==========
public String getNonce(String nonce) { public String getNonce(String appId, String nonce) {
return stringRedisTemplate.opsForValue().get(formatNonceKey(nonce)); return stringRedisTemplate.opsForValue().get(formatNonceKey(appId, nonce));
} }
public void setNonce(String nonce, int time, TimeUnit timeUnit) { public void setNonce(String appId, String nonce, int time, TimeUnit timeUnit) {
stringRedisTemplate.opsForValue().set(formatNonceKey(nonce), "", time, timeUnit); stringRedisTemplate.opsForValue().set(formatNonceKey(appId, nonce), "", time, timeUnit);
} }
private static String formatNonceKey(String key) { private static String formatNonceKey(String appId, String nonce) {
return String.format(SIGNATURE_NONCE, key); return String.format(SIGNATURE_NONCE, appId, nonce);
} }
// ========== 签名密钥 ========== // ========== 签名密钥 ==========

2
yudao-framework/yudao-spring-boot-starter-protection/src/test/java/cn/iocoder/yudao/framework/signature/core/ApiSignatureTest.java
View File

@ -69,7 +69,7 @@ public class ApiSignatureTest {
// 断言结果 // 断言结果
assertTrue(result); assertTrue(result);
// 断言调用 // 断言调用
verify(signatureRedisDAO).setNonce(eq(nonce), eq(120), eq(TimeUnit.SECONDS)); verify(signatureRedisDAO).setNonce(eq(appId),eq(nonce), eq(120), eq(TimeUnit.SECONDS));
} }
} }