
添加请求token验证

yzc 1 an în urmă
părinte
comite
2b97d699d0

+ 1 - 0
hx-base/src/main/java/com/fjhx/base/system/SysLoginController.java

@@ -86,6 +86,7 @@ public class SysLoginController {
     @GetMapping("getInfo")
     public AjaxResult getInfo() {
         SysUser user = SecurityUtils.getLoginUser().getUser();
+        user.setPassword(null);
         // 角色集合
         Set<String> roles = permissionService.getRolePermission(user);
         // 权限集合
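Review bot: `user.setPassword(null)` on L17 mutates the SysUser held by the LoginUser that `SecurityUtils.getLoginUser()` returned, so anything later in this request that reads the principal's password sees null, and it only protects this one endpoint while any other handler that serializes SysUser still emits the hash. A serialization-level exclusion on the password field (e.g. Jackson `@JsonIgnore` on the getter, if Jackson is the serializer here) or copying the needed fields into a response DTO would cover every endpoint without touching the cached principal. getInfo's body continues outside the hunk.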

+ 45 - 2
ruoyi-framework/src/main/java/com/ruoyi/framework/web/service/TokenService.java

@@ -4,6 +4,7 @@ import com.ruoyi.common.constant.CacheConstants;
 import com.ruoyi.common.constant.Constants;
 import com.ruoyi.common.core.domain.model.LoginUser;
 import com.ruoyi.common.core.redis.RedisCache;
+import com.ruoyi.common.exception.ServiceException;
 import com.ruoyi.common.utils.ServletUtils;
 import com.ruoyi.common.utils.StringUtils;
 import com.ruoyi.common.utils.ip.AddressUtils;
@@ -13,13 +14,15 @@ import eu.bitwalker.useragentutils.UserAgent;
 import io.jsonwebtoken.Claims;
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.stereotype.Component;
 
+import javax.crypto.Cipher;
+import javax.crypto.spec.SecretKeySpec;
 import javax.servlet.http.HttpServletRequest;
-import java.util.HashMap;
-import java.util.Map;
+import java.util.*;
 import java.util.concurrent.TimeUnit;
 
 /**
@@ -27,6 +30,7 @@ import java.util.concurrent.TimeUnit;
  *
  * @author ruoyi
  */
+@Slf4j
 @Component
 public class TokenService {
     protected static final long MILLIS_SECOND = 1000;
@@ -192,6 +196,11 @@ public class TokenService {
      */
     private String getToken(HttpServletRequest request) {
         String token = request.getHeader(header);
+        //token添加新的解码规则
+        if (StringUtils.isNotEmpty(token)) {
+            String randomStr = request.getHeader("Randomnumber");
+            token = decodeToken(token, randomStr);
+        }
         if (StringUtils.isNotEmpty(token) && token.startsWith(Constants.TOKEN_PREFIX)) {
             token = token.replace(Constants.TOKEN_PREFIX, "");
         }
@@ -201,4 +210,38 @@ public class TokenService {
     private String getTokenKey(String uuid) {
         return CacheConstants.LOGIN_TOKEN_KEY + uuid;
     }
+
+    /**
+     * 解析解密后的token
+     *
+     * @param data      加密后的密文
+     * @param randomStr 20位随机字符
+     * @return 解密出的token
+     */
+    private String decodeToken(String data, String randomStr) {
+        try {
+            // 获取密钥
+            SecretKeySpec secretKey = new SecretKeySpec("N[9f%2gKyo7(GNv3".getBytes(), "AES");
+            // 解析密文
+            Cipher cipher = Cipher.getInstance("AES");
+            cipher.init(Cipher.DECRYPT_MODE, secretKey);
+            byte[] doFinal = cipher.doFinal(Base64.getDecoder().decode(data));
+            String decrypt = new String(doFinal, "UTF-8");
+            int decryptLength = decrypt.length();
+            // 解析token
+            String decodeRandomStr = decrypt.substring(decryptLength - 20);
+            String decodeTime = decrypt.substring(decryptLength - 33, decryptLength - 20);
+            String decodeToken = decrypt.substring(0, decryptLength - 33);
+            // 校验token
+            long newTime = new Date().getTime();
+            //时间戳有效时间5秒内
+            if (newTime - Long.parseLong(decodeTime) > 5000 || !Objects.equals(randomStr, decodeRandomStr)) {
+                throw new ServiceException("非法请求,无效用户令牌");
+            }
+            return decodeToken;
+        } catch (Exception e) {
+            log.error(e.getMessage(), e);
+            throw new ServiceException("非法请求,用户令牌解析失败");
+        }
+    }
 }
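Review bot: The AES key on L86 is a literal in source (`"N[9f%2gKyo7(GNv3"`), and since a client must hold the same key to produce the encrypted header it is presumably shipped to every client, so this check validates request format rather than authenticating anyone; at minimum read it through `@Value` (already imported in this class) so it does not live in the repository, and use `getBytes(StandardCharsets.UTF_8)` / `new String(doFinal, StandardCharsets.UTF_8)` instead of the platform default and the `"UTF-8"` string. `Cipher.getInstance("AES")` on L88 resolves to the provider default (ECB/PKCS5Padding on the usual JDKs), which offers confidentiality only and no integrity check; an authenticated mode such as `AES/GCM/NoPadding` with a fresh IV per message is the standard choice. The freshness check on L100 rejects only timestamps older than 5 s, so a far-future timestamp is accepted, and nothing records `decodeRandomStr`, so the same header is accepted repeatedly inside the window — bound clock skew with `Math.abs(newTime - Long.parseLong(decodeTime)) > 5000` and, if replay is the threat this is meant to stop, store seen nonces briefly in RedisCache (imported above). The `catch (Exception e)` on L104 swallows the ServiceException thrown on L101 and replaces its message, and it logs every malformed header at ERROR, making log volume client-controllable; rethrow ServiceException unchanged and log the remaining parse failures at WARN. Note also that getToken (L61) now throws for any non-empty header that is not in the new format, where it previously just failed the prefix match, so callers that treated an unrecognised header as anonymous will now see the exception instead.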