feat: 新增访问私有资源拦截注解,给需要的接口添加登陆校验注解 (#71)

* feat: 新增访问个人私有资源拦截注解 * feat: 给请求加上登陆校验注解和访问个人私有资源拦截注解 * fix: 重构fromId为userId * fix: 增加优先级概念,管理员鉴权放在登陆校验和个人私有资源校验之后
AchoBeta · Nov 27, 2024 · 7a9291d · 7a9291d
1 parent 9c49651
commit 7a9291d
Show file tree

Hide file tree

Showing 13 changed files with 141 additions and 7 deletions.
diff --git a/polaris-api/src/main/java/com/achobeta/api/dto/like/LikeRequestDTO.java b/polaris-api/src/main/java/com/achobeta/api/dto/like/LikeRequestDTO.java
@@ -18,7 +18,7 @@
 public class LikeRequestDTO {
     @NotBlank(message = "点赞的用户id不能为空")
     @FieldDesc(name = "点赞人id")
-    private String fromId;
+    private String userId;
     @NotBlank(message = "获赞的人id不能为空")
     @FieldDesc(name = "获赞人id")
     private String toId;

diff --git a/polaris-app/src/main/java/com/achobeta/aop/AuthVerifyAspect.java b/polaris-app/src/main/java/com/achobeta/aop/AuthVerifyAspect.java
@@ -10,6 +10,7 @@
 import org.aspectj.lang.annotation.Around;
 import org.aspectj.lang.annotation.Aspect;
 import org.aspectj.lang.reflect.MethodSignature;
+import org.springframework.core.annotation.Order;
 import org.springframework.stereotype.Component;
 
 import javax.annotation.Resource;
@@ -27,6 +28,7 @@
 @Aspect
 @Component
 @Slf4j
+@Order(Integer.MIN_VALUE+2)
 public class AuthVerifyAspect {
 
     @Resource

diff --git a/polaris-app/src/main/java/com/achobeta/aop/LoginVerificationAspect.java b/polaris-app/src/main/java/com/achobeta/aop/LoginVerificationAspect.java
@@ -10,6 +10,7 @@
 import org.aspectj.lang.annotation.Around;
 import org.aspectj.lang.annotation.Aspect;
 import org.aspectj.lang.annotation.Pointcut;
+import org.springframework.core.annotation.Order;
 import org.springframework.stereotype.Component;
 import org.springframework.web.context.request.RequestContextHolder;
 import org.springframework.web.context.request.ServletRequestAttributes;
@@ -28,6 +29,7 @@
 @Slf4j
 @Component
 @Aspect
+@Order(Integer.MIN_VALUE)
 public class LoginVerificationAspect {
 
     private final long EXPIRED = 100*1000;
@@ -87,7 +89,7 @@ public Object checkToken(ProceedingJoinPoint joinPoint) throws Throwable {
         }
 
         if(accessTokenExpired <= EXPIRED){
-            //如果token是持久化的或者已经超时失效也会进这里
+            //如果token已经超时失效也会进这里
             response.setHeader(ACCESS_TOKEN_NEED_REFRESH, "true");
         }
 

diff --git a/polaris-app/src/main/java/com/achobeta/aop/SelfPermissionVerificationAspect.java b/polaris-app/src/main/java/com/achobeta/aop/SelfPermissionVerificationAspect.java
@@ -0,0 +1,79 @@
+package com.achobeta.aop;
+
+import com.achobeta.domain.login.model.valobj.TokenVO;
+import com.achobeta.types.enums.GlobalServiceStatusCode;
+import com.achobeta.types.exception.AppException;
+import lombok.extern.slf4j.Slf4j;
+import org.aspectj.lang.ProceedingJoinPoint;
+import org.aspectj.lang.annotation.Around;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Pointcut;
+import org.springframework.core.annotation.Order;
+import org.springframework.stereotype.Component;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * @Author: 严豪哲
+ * @Description: 访问个人私有资源权限拦截器
+ * @Date: 2024/11/27 21:40
+ * @Version: 1.0
+ */
+
+@Slf4j
+@Component
+@Aspect
+@Order(Integer.MIN_VALUE+1)
+public class SelfPermissionVerificationAspect {
+
+    private final String TOKENINFO = "tokenInfo";
+
+    /**
+     * 拦截入口
+     */
+    @Pointcut("@annotation(com.achobeta.types.constraint.SelfPermissionVerification)")
+    public void pointCut(){
+    }
+
+    /**
+     * 拦截处理
+     * @param joinPoint joinPoint 信息
+     * @return result
+     * @throws Throwable if any
+     */
+    @Around("pointCut()")
+    public Object checkToken(ProceedingJoinPoint joinPoint) throws Throwable {
+
+        //获取当前请求信息
+        ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
+        HttpServletRequest request = attributes.getRequest();
+
+        //获取token信息
+        TokenVO tokenVO = (TokenVO) request.getAttribute(TOKENINFO);
+
+        //正常不会进到这 因为登陆校验在本校验之前
+        if(tokenVO == null || tokenVO.getUserId() == null){
+            log.info("登陆校验未通过,tokenInfo为空,无法获取userId");
+            throw new AppException(String.valueOf(GlobalServiceStatusCode.LOGIN_UNKNOWN_ERROR.getCode()), GlobalServiceStatusCode.LOGIN_UNKNOWN_ERROR.getMessage());
+        }
+
+        //这里如果再从redis里面获取token信息,token可能过期失效,所以这里不获取用登录校验处传来的
+        String tokenUserId = String.valueOf(tokenVO.getUserId());
+
+        // 获取用户ID
+        Object arg = joinPoint.getArgs()[0];
+        String targetUserId = (String) arg.getClass().getMethod("getUserId").invoke(arg);
+
+        // 校验用户ID是否相同
+        if (tokenUserId.equals(targetUserId)) {
+            log.info("当前用户访问的是个人私有资源,用户id相同,可以放行,userId:{}",tokenUserId);
+            return joinPoint.proceed();
+        } else {
+            log.info("当前用户访问的是个人私有资源,用户id不相同,不可以放行,userId:{}",tokenUserId);
+            throw new AppException(String.valueOf(GlobalServiceStatusCode.USER_NO_PERMISSION.getCode()), GlobalServiceStatusCode.USER_NO_PERMISSION.getMessage());
+        }
+
+    }
+}
diff --git a/polaris-trigger/src/main/java/com/achobeta/trigger/http/AnnounceController.java b/polaris-trigger/src/main/java/com/achobeta/trigger/http/AnnounceController.java
@@ -4,6 +4,7 @@
 import com.achobeta.domain.announce.model.valobj.UserAnnounceVO;
 import com.achobeta.domain.announce.service.IAnnounceService;
 import com.achobeta.types.Response;
+import com.achobeta.types.constraint.LoginVerification;
 import com.achobeta.types.enums.GlobalServiceStatusCode;
 import com.achobeta.types.exception.AppException;
 import lombok.RequiredArgsConstructor;
@@ -32,6 +33,7 @@ public class AnnounceController implements com.achobeta.api.IAnnounceService {
      * @return
      */
     @GetMapping("/getUserAnnounce")
+    @LoginVerification
     @Override
     public Response<GetUserAnnounceResponseDTO> getUserAnnounce(@Valid GetUserAnnounceRequestDTO getUserAnnounceRequestDTO) {
         try {
@@ -55,6 +57,7 @@ public Response<GetUserAnnounceResponseDTO> getUserAnnounce(@Valid GetUserAnnoun
     }
 
     @Override
+    @LoginVerification
     @PostMapping("/readUserAnnounce")
     public Response readAnnounce(@Valid @RequestBody ReadAnnounceRequestDTO readAnnounceRequestDTO) {
         try {
@@ -76,6 +79,7 @@ public Response readAnnounce(@Valid @RequestBody ReadAnnounceRequestDTO readAnno
     }
 
     @Override
+    @LoginVerification
     @GetMapping("/getAnnounceCount")
     public Response<GetUserAnnounceCountResponseDTO> getUserAnnounceCount(@Valid GetUserAnnounceCountRequestDTO getUserAnnounceCountRequestDTO) {
         try {
@@ -94,6 +98,7 @@ public Response<GetUserAnnounceCountResponseDTO> getUserAnnounceCount(@Valid Get
     }
 
     @Override
+    @LoginVerification
     @PostMapping("/readAllAnnounce")
     public Response readAllAnnounce(@Valid @RequestBody ReadAllAnnounceRequestDTO readAllAnnounceRequestDTO) {
         try {

diff --git a/polaris-trigger/src/main/java/com/achobeta/trigger/http/AuthController.java b/polaris-trigger/src/main/java/com/achobeta/trigger/http/AuthController.java
@@ -3,6 +3,7 @@
 import com.achobeta.api.dto.AuthRequestDTO;
 import com.achobeta.types.Response;
 import com.achobeta.types.annotation.AuthVerify;
+import com.achobeta.types.constraint.LoginVerification;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.validation.annotation.Validated;
@@ -32,6 +33,7 @@ public class AuthController {
      * @return
      */
     @GetMapping("test")
+    @LoginVerification
     @AuthVerify("TEAM_DELETE")
     public Response test(@Valid AuthRequestDTO authRequestDTO) {
         log.info("进入鉴权测试接口，参数：{}", authRequestDTO);

diff --git a/polaris-trigger/src/main/java/com/achobeta/trigger/http/DeviceController.java b/polaris-trigger/src/main/java/com/achobeta/trigger/http/DeviceController.java
@@ -5,6 +5,8 @@
 import com.achobeta.domain.device.model.valobj.UserCommonDevicesVO;
 import com.achobeta.domain.device.service.IDeviceService;
 import com.achobeta.types.Response;
+import com.achobeta.types.constraint.LoginVerification;
+import com.achobeta.types.constraint.SelfPermissionVerification;
 import com.achobeta.types.enums.GlobalServiceStatusCode;
 import com.achobeta.types.exception.AppException;
 import lombok.RequiredArgsConstructor;
@@ -32,6 +34,8 @@ public class DeviceController implements com.achobeta.api.IDeviceService {
      * @return
      */
     @GetMapping("/getDevices")
+    @LoginVerification
+    @SelfPermissionVerification
     @Override
     public Response<GetUserDeviceResponseDTO> getDevices(@Valid  GetUserDeviceRequestDTO getUserDeviceRequestDTO) {
         try {

diff --git a/polaris-trigger/src/main/java/com/achobeta/trigger/http/LikeController.java b/polaris-trigger/src/main/java/com/achobeta/trigger/http/LikeController.java
@@ -3,6 +3,8 @@
 import com.achobeta.api.dto.like.LikeRequestDTO;
 import com.achobeta.domain.like.service.ILikeService;
 import com.achobeta.types.Response;
+import com.achobeta.types.constraint.LoginVerification;
+import com.achobeta.types.constraint.SelfPermissionVerification;
 import com.achobeta.types.enums.GlobalServiceStatusCode;
 import com.achobeta.types.exception.AppException;
 import lombok.RequiredArgsConstructor;
@@ -26,23 +28,25 @@ public class LikeController implements com.achobeta.api.ILikeService {
     private final ILikeService service;
 
     @Override
+    @LoginVerification
+    @SelfPermissionVerification
     @PostMapping("/like")
     public Response like(@Valid @RequestBody LikeRequestDTO likeRequestDTO) {
         try {
             log.info("点赞系统开始，fromId:{} toId:{} liked:{}",
-                    likeRequestDTO.getFromId(),likeRequestDTO.getToId(),likeRequestDTO.isLiked());
-            service.Like(likeRequestDTO.getFromId(),likeRequestDTO.getToId(),likeRequestDTO.isLiked());
+                    likeRequestDTO.getUserId(),likeRequestDTO.getToId(),likeRequestDTO.isLiked());
+            service.Like(likeRequestDTO.getUserId(),likeRequestDTO.getToId(),likeRequestDTO.isLiked());
             log.info("点赞系统结束，fromId:{} toId:{} liked:{}",
-                    likeRequestDTO.getFromId(),likeRequestDTO.getToId(),likeRequestDTO.isLiked());
+                    likeRequestDTO.getUserId(),likeRequestDTO.getToId(),likeRequestDTO.isLiked());
             return Response.SYSTEM_SUCCESS();
         } catch (AppException e){
             log.error("fromId:{} toId:{} liked:{} 已知异常e:{}",
-                    likeRequestDTO.getFromId(),likeRequestDTO.getToId(),likeRequestDTO.isLiked(), e.getMessage(), e);
+                    likeRequestDTO.getUserId(),likeRequestDTO.getToId(),likeRequestDTO.isLiked(), e.getMessage(), e);
             return Response.CUSTOMIZE_ERROR(GlobalServiceStatusCode.REQUEST_NOT_VALID);
         }
         catch (Exception e) {
             log.error("fromId:{} toId:{} liked:{}",
-                    likeRequestDTO.getFromId(),likeRequestDTO.getToId(),likeRequestDTO.isLiked(), e);
+                    likeRequestDTO.getUserId(),likeRequestDTO.getToId(),likeRequestDTO.isLiked(), e);
             return Response.SERVICE_ERROR(e.getMessage());
         }
     }

diff --git a/polaris-trigger/src/main/java/com/achobeta/trigger/http/ReadController.java b/polaris-trigger/src/main/java/com/achobeta/trigger/http/ReadController.java
@@ -13,6 +13,7 @@
 import javax.validation.constraints.Min;
 
 import com.achobeta.types.constraint.LoginVerification;
+import com.achobeta.types.constraint.SelfPermissionVerification;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.ResponseEntity;
 import org.springframework.validation.annotation.Validated;
@@ -43,6 +44,7 @@ public class ReadController implements IReadService {
      */
     @PostMapping("render")
     @LoginVerification
+    @SelfPermissionVerification
     @Override
     public Response<RenderResponseDTO> render(@Valid @RequestBody RenderRequestDTO renderRequestDTO) {
         try {

diff --git a/polaris-trigger/src/main/java/com/achobeta/trigger/http/TeamController.java b/polaris-trigger/src/main/java/com/achobeta/trigger/http/TeamController.java
@@ -11,6 +11,7 @@
 import com.achobeta.types.Response;
 import com.achobeta.types.annotation.AuthVerify;
 import com.achobeta.types.common.Constants;
+import com.achobeta.types.constraint.LoginVerification;
 import com.achobeta.types.exception.AppException;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -47,6 +48,7 @@ public class TeamController implements ITeamService {
      */
     @Override
     @DeleteMapping("member")
+    @LoginVerification
     @AuthVerify("MEMBER:MEMBER_DELETE")
     public Response<DeleteMemberResponseDTO> deleteMember(@Valid DeleteMemberRequestDTO requestDTO) {
         try {
@@ -83,6 +85,7 @@ public Response<DeleteMemberResponseDTO> deleteMember(@Valid DeleteMemberRequest
      */
     @Override
     @PostMapping("member")
+    @LoginVerification
     @AuthVerify("MEMBER:MEMBER_ADD")
     public Response<AddMemberResponseDTO> addMember(@Valid @RequestBody AddMemberRequestDTO requestDTO) {
         try {
@@ -133,6 +136,7 @@ public Response<AddMemberResponseDTO> addMember(@Valid @RequestBody AddMemberReq
      */
     @Override
     @PutMapping("member/detail")
+    @LoginVerification
     @AuthVerify("MEMBER:MEMBER_MODIFY")
     public Response<ModifyMemberInfoResponseDTO> modifyMemberInfo(@Valid @RequestBody ModifyMemberInfoRequestDTO requestDTO) {
         String teamId = requestDTO.getTeamId();
@@ -161,6 +165,7 @@ public Response<ModifyMemberInfoResponseDTO> modifyMemberInfo(@Valid @RequestBod
      * 查看团队成员信息详情接口
      */
     @GetMapping("/member/detail")
+    @LoginVerification
     @Override
     public Response<QueryMemberInfoResponseDTO> queryMemberInfo(@Valid QueryMemberInfoRequestDTO requestDTO) {
         try {
@@ -206,6 +211,7 @@ public Response<QueryMemberInfoResponseDTO> queryMemberInfo(@Valid QueryMemberIn
      */
     @PutMapping("structure")
     @Override
+    @LoginVerification
     @AuthVerify("STRUCTURE:STRUCTURE_MODIFY")
     public Response<ModifyStructureResponseDTO> modifyStructure(@Valid @RequestBody ModifyStructureRequestDTO modifyStructureRequestDTO) {
         try {
@@ -261,6 +267,7 @@ public Response<ModifyStructureResponseDTO> modifyStructure(@Valid @RequestBody
      * @return
      */
     @Override
+    @LoginVerification
     @GetMapping("/member/list")
     public Response<ResponseMemberListDTO> queryMemberList(@Valid RequestMemberListDTO requestMemberListDTO) {
         try {
@@ -298,6 +305,7 @@ public Response<ResponseMemberListDTO> queryMemberList(@Valid RequestMemberListD
      */
     @GetMapping("structure")
     @Override
+    @LoginVerification
     @AuthVerify("STRUCTURE:STRUCTURE_VIEW")
     public Response<QueryStructureResponseDTO> queryStructure(@Valid QueryStructureRequestDTO querystructureRequestDTO) {
         try {

diff --git a/polaris-trigger/src/main/java/com/achobeta/trigger/http/UserController.java b/polaris-trigger/src/main/java/com/achobeta/trigger/http/UserController.java
@@ -12,6 +12,7 @@
 
 import com.achobeta.types.Response;
 import com.achobeta.types.common.Constants;
+import com.achobeta.types.constraint.LoginVerification;
 import com.achobeta.types.exception.AppException;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
@@ -44,6 +45,7 @@ public class UserController implements IUserService {
      * @date 2024/11/9
      */
     @PutMapping("info")
+    @LoginVerification
     @Override
     public Response<ModifyUserInfoResponseDTO> modifyUserInfo(@Valid @RequestBody ModifyUserInfoRequestDTO modifyUserInfoRequestDTO) {
         try {
@@ -85,6 +87,7 @@ public Response<ModifyUserInfoResponseDTO> modifyUserInfo(@Valid @RequestBody Mo
      * @date 2024/11/6
      */
     @GetMapping("info")
+    @LoginVerification
     @Override
     public Response<QueryUserInfoResponseDTO> queryUserCenterInfo(@Valid QueryUserInfoRequestDTO queryUserInfoRequestDTO) {
         try {

diff --git a/polaris-types/src/main/java/com/achobeta/types/constraint/LoginVerification.java b/polaris-types/src/main/java/com/achobeta/types/constraint/LoginVerification.java
@@ -5,6 +5,12 @@
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 
+/**
+ * @Author: 严豪哲
+ * @Description: 登录验证注解
+ * @Date: 2024/11/18 10:27
+ * @Version: 1.0
+ */
 @Target(ElementType.METHOD)
 @Retention(RetentionPolicy.RUNTIME)
 public @interface LoginVerification {

diff --git a/polaris-types/src/main/java/com/achobeta/types/constraint/SelfPermissionVerification.java b/polaris-types/src/main/java/com/achobeta/types/constraint/SelfPermissionVerification.java
@@ -0,0 +1,17 @@
+package com.achobeta.types.constraint;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * @Author: 严豪哲
+ * @Description: 访问个人私有资源权限注解
+ * @Date: 2024/11/27 21:40
+ * @Version: 1.0
+ */
+@Target(ElementType.METHOD)
+@Retention(RetentionPolicy.RUNTIME)
+public @interface SelfPermissionVerification {
+}