package com.iailab.module.system.service.oauth2; import cn.hutool.core.lang.Assert; import cn.hutool.core.util.ObjectUtil; import cn.hutool.core.util.StrUtil; import com.iailab.framework.common.enums.UserTypeEnum; import com.iailab.module.system.dal.dataobject.oauth2.OAuth2AccessTokenDO; import com.iailab.module.system.dal.dataobject.oauth2.OAuth2CodeDO; import com.iailab.module.system.dal.dataobject.user.AdminUserDO; import com.iailab.module.system.enums.ErrorCodeConstants; import com.iailab.module.system.service.auth.AdminAuthService; import org.springframework.stereotype.Service; import javax.annotation.Resource; import java.util.List; import static com.iailab.framework.common.exception.util.ServiceExceptionUtil.exception; /** * OAuth2 授予 Service 实现类 * * @author iailab */ @Service public class OAuth2GrantServiceImpl implements OAuth2GrantService { @Resource private OAuth2TokenService oauth2TokenService; @Resource private OAuth2CodeService oauth2CodeService; @Resource private AdminAuthService adminAuthService; @Override public OAuth2AccessTokenDO grantImplicit(Long userId, Integer userType, String clientId, List scopes) { return oauth2TokenService.createAccessToken(userId, userType, clientId, scopes); } @Override public String grantAuthorizationCodeForCode(Long userId, Integer userType, String clientId, List scopes, String redirectUri, String state) { return oauth2CodeService.createAuthorizationCode(userId, userType, clientId, scopes, redirectUri, state).getCode(); } @Override public OAuth2AccessTokenDO grantAuthorizationCodeForAccessToken(String clientId, String code, String redirectUri, String state) { OAuth2CodeDO codeDO = oauth2CodeService.consumeAuthorizationCode(code); Assert.notNull(codeDO, "授权码不能为空"); // 防御性编程 // 校验 clientId 是否匹配 if (!StrUtil.equals(clientId, codeDO.getClientId())) { throw exception(ErrorCodeConstants.OAUTH2_GRANT_CLIENT_ID_MISMATCH); } // 校验 redirectUri 是否匹配 if (!StrUtil.equals(redirectUri, codeDO.getRedirectUri())) { throw exception(ErrorCodeConstants.OAUTH2_GRANT_REDIRECT_URI_MISMATCH); } // 校验 state 是否匹配 state = StrUtil.nullToDefault(state, ""); // 数据库 state 为 null 时,会设置为 "" 空串 if (!StrUtil.equals(state, codeDO.getState())) { throw exception(ErrorCodeConstants.OAUTH2_GRANT_STATE_MISMATCH); } // 创建访问令牌 return oauth2TokenService.createAccessToken(codeDO.getUserId(), codeDO.getUserType(), codeDO.getClientId(), codeDO.getScopes()); } @Override public OAuth2AccessTokenDO grantPassword(String username, String password, String clientId, List scopes) { // 使用账号 + 密码进行登录 AdminUserDO user = adminAuthService.authenticate(username, password); Assert.notNull(user, "用户不能为空!"); // 防御性编程 // 创建访问令牌 return oauth2TokenService.createAccessToken(user.getId(), UserTypeEnum.ADMIN.getValue(), clientId, scopes); } @Override public OAuth2AccessTokenDO grantRefreshToken(String refreshToken, String clientId) { return oauth2TokenService.refreshAccessToken(refreshToken, clientId); } @Override public OAuth2AccessTokenDO grantClientCredentials(String clientId, List scopes) { // TODO iailab:项目中使用 OAuth2 解决的是三方应用的授权,内部的 SSO 等问题,所以暂时不考虑 client_credentials 这个场景 throw new UnsupportedOperationException("暂时不支持 client_credentials 授权模式"); } @Override public boolean revokeToken(String clientId, String accessToken) { // 先查询,保证 clientId 时匹配的 OAuth2AccessTokenDO accessTokenDO = oauth2TokenService.getAccessToken(accessToken); if (accessTokenDO == null || ObjectUtil.notEqual(clientId, accessTokenDO.getClientId())) { return false; } // 再删除 return oauth2TokenService.removeAccessToken(accessToken) != null; } }