1.修复：geteway中取customerId的逻辑漏洞

5 years ago · 71b2ee3a2b
1 changed files with 26 additions and 16 deletions
--- a/epmet-gateway/src/main/java/com/epmet/filter/CpAuthGatewayFilterFactory.java
+++ b/epmet-gateway/src/main/java/com/epmet/filter/CpAuthGatewayFilterFactory.java
@ -76,6 +76,31 @@ public class CpAuthGatewayFilterFactory extends AbstractGatewayFilterFactory<CpA

 			String customerId = "";

+			if (baseTokenDto != null) {
+				if (AppClientConstant.APP_RESI.equals(baseTokenDto.getApp())) {
+					// 居民端
+					TokenDto resiTokenDto = getLoginUserInfoByToken(token, jwtTokenUtils, cpUserDetailRedis, TokenDto.class);
+					if (resiTokenDto != null) {
+						customerId = resiTokenDto.getCustomerId();
+						baseTokenDto = resiTokenDto;
+					}
+				} else if (AppClientConstant.APP_GOV.equals(baseTokenDto.getApp())) {
+					// 政府端
+					GovTokenDto govTokenDto = getLoginUserInfoByToken(token, jwtTokenUtils, cpUserDetailRedis, GovTokenDto.class);
+					if (govTokenDto != null) {
+						customerId = govTokenDto.getCustomerId();
+						baseTokenDto = govTokenDto;
+					}
+				} else if(AppClientConstant.APP_OPER.equals(baseTokenDto.getApp())){
+					//运营端
+					TokenDto resiTokenDto = getLoginUserInfoByToken(token, jwtTokenUtils, cpUserDetailRedis, TokenDto.class);
+					if (resiTokenDto != null) {
+						customerId = resiTokenDto.getCustomerId();
+						baseTokenDto = resiTokenDto;
+					}
+				}
+			}
+
 			//需要认证
 			if (needAuth(requestUri)) {
 				if (StringUtils.isBlank(token)) {
@ -83,22 +108,7 @@ public class CpAuthGatewayFilterFactory extends AbstractGatewayFilterFactory<CpA
 				}
 				// 校验token
 				try {
-					if (AppClientConstant.APP_RESI.equals(baseTokenDto.getApp())) {
-						// 居民端
-						TokenDto resiTokenDto = getLoginUserInfoByToken(token, jwtTokenUtils, cpUserDetailRedis, TokenDto.class);
-						validateTokenDto(resiTokenDto, token);
-						customerId = resiTokenDto.getCustomerId();
-					} else if (AppClientConstant.APP_GOV.equals(baseTokenDto.getApp())) {
-						// 政府端
-						GovTokenDto govTokenDto = getLoginUserInfoByToken(token, jwtTokenUtils, cpUserDetailRedis, GovTokenDto.class);
-						validateTokenDto(govTokenDto, token);
-						customerId = govTokenDto.getCustomerId();
-					} else if(AppClientConstant.APP_OPER.equals(baseTokenDto.getApp())){
-						//运营端
-						TokenDto resiTokenDto = getLoginUserInfoByToken(token, jwtTokenUtils, cpUserDetailRedis, TokenDto.class);
-						validateTokenDto(resiTokenDto, token);
-						customerId = resiTokenDto.getCustomerId();
-					}
+					validateTokenDto(baseTokenDto, token);
 				} catch (RenException e) {
 					return response(exchange,new Result<>().error(e.getCode(),e.getMsg()));
 				}