【新增】 protection 模块新增 signature 实现 API 签名 #532
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
收到,最迟周末会 review 代码 |
YunaiV
reviewed
May 25, 2024
| /** | ||
| * 同一个请求多长时间内有效 默认 10分钟 | ||
| */ | ||
| long expireTime() default 600000L; |
There was a problem hiding this comment.
/**
* 幂等的超时时间,默认为 1 秒
*
* 注意,如果执行时间超过它,请求还是会进来
*/
int timeout() default 1;
/**
* 时间单位,默认为 SECONDS 秒
*/
TimeUnit timeUnit() default TimeUnit.SECONDS;
建议改成这个哈。
| /** | ||
| * url 客户端不需要传递,但是可以用来加签(如: /{id} 带有动态参数的 url ,如果没有动态参数可设置为 false 不进行加签) | ||
| */ | ||
| boolean urlEnable() default true; |
There was a problem hiding this comment.
这个字段,可以考虑删除。
因为大多数用不到,还是想尽量保持简洁哈。
| @Documented | ||
| @Target({ElementType.METHOD, ElementType.TYPE}) | ||
| @Retention(RetentionPolicy.RUNTIME) | ||
| public @interface Signature { |
There was a problem hiding this comment.
要不所有类,都加一个 Api前缀?
例如说,@ApiSignature
因为它只适合 HTTP API 场景,不像其它是全局方法
| // 校验 appId 是否能获取到对应的 appSecret | ||
| String appId = request.getHeader(signature.appId()); | ||
| String appSecret = signatureRedisDAO.getAppSecret(appId); | ||
| Assert.notNull(appSecret, "找不到对应的 appSecret"); |
| return false; | ||
| } | ||
| String nonce = request.getHeader(signature.nonce()); | ||
| if (StrUtil.isBlank(nonce) || nonce.length() < 10) { |
| @Before("@annotation(signature)") | ||
| public void beforePointCut(JoinPoint joinPoint, Signature signature) { | ||
| if (!verifySignature(signature, Objects.requireNonNull(ServletUtils.getRequest()))) { | ||
| log.info("[beforePointCut][方法{} 参数({}) 签名失败]", joinPoint.getSignature().toString(), |
There was a problem hiding this comment.
是不是把这里的 log.info 日志,拆解到失败的场景里,打印日志,这样更容易排查问题
| private String getRequestBody(HttpServletRequest request) { | ||
| CacheRequestBodyWrapper requestWrapper = new CacheRequestBodyWrapper(request); | ||
| // 获取 body | ||
| return new String(requestWrapper.getBody(), StandardCharsets.UTF_8); |
| @@ -23,6 +23,10 @@ public class CacheRequestBodyWrapper extends HttpServletRequestWrapper { | |||
| */ | |||
| private final byte[] body; | |||
|
|
|||
| public byte[] getBody() { | |||
There was a problem hiding this comment.
建议这里不要返回 body;
单测通过反射去拿下。框架封装,尽量收敛(少点属性)
|
蛮好的,基本没啥问题了。 加了点简化代码的建议,和项目的代码风格更一致 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.