diff --git a/backend/src/main/java/io/dataease/auth/filter/JWTFilter.java b/backend/src/main/java/io/dataease/auth/filter/JWTFilter.java
index eca5609c22..a68673c3c1 100644
--- a/backend/src/main/java/io/dataease/auth/filter/JWTFilter.java
+++ b/backend/src/main/java/io/dataease/auth/filter/JWTFilter.java
@@ -1,5 +1,6 @@
 package io.dataease.auth.filter;
+import com.auth0.jwt.algorithms.Algorithm;
 import io.dataease.auth.entity.ASKToken;
 import io.dataease.auth.entity.JWTToken;
 import io.dataease.auth.entity.SysUserEntity;
@@ -115,9 +116,9 @@ public class JWTFilter extends BasicHttpAuthenticationFilter {
 DataEaseException.throwException(Translator.get("i18n_not_find_user"));
 }
 String password = user.getPassword();
-
+ Algorithm algorithm = Algorithm.HMAC256(password);
+ JWTUtils.verifySign(algorithm, token);
 String newToken = JWTUtils.sign(tokenInfo, password);
-
 // 设置响应的Header头新Token
 HttpServletResponse httpServletResponse = (HttpServletResponse) response;
 httpServletResponse.addHeader("Access-Control-Expose-Headers", "RefreshAuthorization");
diff --git a/backend/src/main/java/io/dataease/auth/util/JWTUtils.java b/backend/src/main/java/io/dataease/auth/util/JWTUtils.java
index ebdb72a180..dd10059a6f 100644
--- a/backend/src/main/java/io/dataease/auth/util/JWTUtils.java
+++ b/backend/src/main/java/io/dataease/auth/util/JWTUtils.java
@@ -35,15 +35,23 @@ public class JWTUtils {
 * @return 是否正确
 */
 public static boolean verify(String token, TokenInfo tokenInfo, String secret) {
+ Algorithm algorithm = Algorithm.HMAC256(secret);
 Verification verification = JWT.require(algorithm)
 .withClaim("username", tokenInfo.getUsername())
 .withClaim("userId", tokenInfo.getUserId());
 JWTVerifier verifier = verification.build();
+
+ verifySign(algorithm, token);
 verifier.verify(token);
 return true;
 }
+ public static void verifySign(Algorithm algorithm, String token) {
+ DecodedJWT decode = JWT.decode(token);
+ algorithm.verify(decode);
+ }
+
 /**
 * 获得token中的信息无需secret解密也能获得
 *
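Review bot: The new `JWTUtils.verifySign(algorithm, token)` call placed just before `JWTUtils.sign(tokenInfo, password)` throws unchecked `JWTDecodeException` / `SignatureVerificationException` on a malformed or altered token, and nothing in this hunk catches them; the enclosing method starts and ends outside the hunk, so whether they are turned into an authentication failure rather than escaping as a server error cannot be confirmed here. If they are not handled further up, wrap the call: `try { JWTUtils.verifySign(algorithm, token); } catch (JWTVerificationException e) { /* reject the refresh */ }` — `JWTVerificationException` is the common parent of both in java-jwt. Note also that this check only establishes that the presented token was signed with the secret derived from `user.getPassword()`; it does not bound how old the token is, so any limit on how long an expired token stays refreshable has to be enforced elsewhere and is not visible in this hunk. A one-line comment above the call, `// reject forged or altered tokens before minting a replacement`, would make the intent of the new check explicit to the next reader.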
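Review bot: The `verifySign(algorithm, token)` call added inside `verify` duplicates work that `verifier.verify(token)` on the next line already does: a `JWTVerifier` built from `JWT.require(algorithm)` decodes the token and checks its signature against that same `Algorithm` (and additionally rejects a token whose `alg` header does not match the verifier's algorithm), so the token is decoded and HMAC-checked twice without added assurance. Either drop the call from `verify` and keep `verifySign` for the refresh path only, or leave a comment stating why the explicit pre-check is wanted there. The new public `verifySign` also has no Javadoc while its neighbours do; suggest `/** Checks only the signature of {@code token} against {@code algorithm}; claims such as expiry are not validated. @throws JWTDecodeException if the token is malformed; SignatureVerificationException if the signature does not match. */`. Because it validates nothing but the signature, the doc should make clear that callers must apply their own expiry and identity checks where those matter.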