From 3abfd365693361e27d8ab193959b2162d1b4347a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=8F=B8=E5=BE=92=E4=BF=8A=E6=9D=B0?=
 <situjunjie@vip.qq.com>
Date: Mon, 14 Apr 2025 14:01:20 +0000
Subject: [PATCH] =?UTF-8?q?bugfix:=E7=BD=91=E5=85=B3token=E7=A7=BB?=
 =?UTF-8?q?=E9=99=A4login-user=E5=A4=B4=E4=BF=A1=E6=81=AF=E5=90=8E?=
 =?UTF-8?q?=E9=87=8D=E6=96=B0=E8=B5=8B=E5=80=BC=E5=BC=95=E7=94=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../filter/security/TokenAuthenticationFilter.java    | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java
index e02a4bb62..2bc7f84ef 100644
--- a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java
+++ b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java
@@ -81,9 +81,9 @@ public class TokenAuthenticationFilter implements GlobalFilter, Ordered {
     }
 
     @Override
-    public Mono<Void> filter(final ServerWebExchange exchange, GatewayFilterChain chain) {
+    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
         // 移除 login-user 的请求头，避免伪造模拟
-        SecurityFrameworkUtils.removeLoginUser(exchange);
+        exchange = SecurityFrameworkUtils.removeLoginUser(exchange);
 
         // 情况一，如果没有 Token 令牌，则直接继续 filter
         String token = SecurityFrameworkUtils.obtainAuthorization(exchange);
@@ -93,17 +93,18 @@ public class TokenAuthenticationFilter implements GlobalFilter, Ordered {
 
         // 情况二，如果有 Token 令牌，则解析对应 userId、userType、tenantId 等字段，并通过 通过 Header 转发给服务
         // 重要说明：defaultIfEmpty 作用，保证 Mono.empty() 情况，可以继续执行 `flatMap 的 chain.filter(exchange)` 逻辑，避免返回给前端空的 Response！！
+        ServerWebExchange finalExchange = exchange;
         return getLoginUser(exchange, token).defaultIfEmpty(LOGIN_USER_EMPTY).flatMap(user -> {
             // 1. 无用户，直接 filter 继续请求
             if (user == LOGIN_USER_EMPTY || // 下面 expiresTime 的判断，为了解决 token 实际已经过期的情况
                     user.getExpiresTime() == null || LocalDateTimeUtils.beforeNow(user.getExpiresTime())) {
-                return chain.filter(exchange);
+                return chain.filter(finalExchange);
             }
 
             // 2.1 有用户，则设置登录用户
-            SecurityFrameworkUtils.setLoginUser(exchange, user);
+            SecurityFrameworkUtils.setLoginUser(finalExchange, user);
             // 2.2 将 user 并设置到 login-user 的请求头，使用 json 存储值
-            ServerWebExchange newExchange = exchange.mutate()
+            ServerWebExchange newExchange = finalExchange.mutate()
                     .request(builder -> SecurityFrameworkUtils.setLoginUserHeader(builder, user)).build();
             return chain.filter(newExchange);
         });