Merge pull request #1286 from dataease/pr@dev@fix_token_security

fix: token验签逻辑错误

backend/src/main/java/io/dataease/auth/filter/JWTFilter.java

@@ -1,5 +1,6 @@
 package io.dataease.auth.filter;
 
+import com.auth0.jwt.algorithms.Algorithm;
 import io.dataease.auth.entity.ASKToken;
 import io.dataease.auth.entity.JWTToken;
 import io.dataease.auth.entity.SysUserEntity;
@@ -115,9 +116,9 @@ public class JWTFilter extends BasicHttpAuthenticationFilter {
             DataEaseException.throwException(Translator.get("i18n_not_find_user"));
         }
         String password = user.getPassword();
-
+        Algorithm algorithm = Algorithm.HMAC256(password);
+        JWTUtils.verifySign(algorithm, token);
         String newToken = JWTUtils.sign(tokenInfo, password);
-
         // 设置响应的Header头新Token
         HttpServletResponse httpServletResponse = (HttpServletResponse) response;
         httpServletResponse.addHeader("Access-Control-Expose-Headers", "RefreshAuthorization");

backend/src/main/java/io/dataease/auth/util/JWTUtils.java

@@ -35,15 +35,23 @@ public class JWTUtils {
      * @return 是否正确
      */
     public static boolean verify(String token, TokenInfo tokenInfo, String secret) {
+
         Algorithm algorithm = Algorithm.HMAC256(secret);
         Verification verification = JWT.require(algorithm)
                 .withClaim("username", tokenInfo.getUsername())
                 .withClaim("userId", tokenInfo.getUserId());
         JWTVerifier verifier = verification.build();
+
+        verifySign(algorithm, token);
         verifier.verify(token);
         return true;
     }
 
+    public static void verifySign(Algorithm algorithm, String token) {
+        DecodedJWT decode = JWT.decode(token);
+        algorithm.verify(decode);
+    }
+
     /**
      * 获得token中的信息无需secret解密也能获得
      *