Merge remote-tracking branch 'origin/bonus-jyy-smart-canteen' into bonus-jyy-smart-canteen

2025-07-01 08:55:11 +08:00 · 2025-07-01 08:55:11 +08:00 · 3204f868fe
parent f85497ce6b 5e83e5dbdd
commit 3204f868fe
5 changed files with 92 additions and 4 deletions
--- a/bonus-auth/src/main/java/com/bonus/auth/controller/TokenController.java
+++ b/bonus-auth/src/main/java/com/bonus/auth/controller/TokenController.java
@ -4,6 +4,7 @@ import com.alibaba.fastjson.JSONObject;
 import com.bonus.auth.config.LoginType;
 import com.bonus.auth.factory.LoginStrategyFactory;
 import com.bonus.auth.form.LoginBody;
+import com.bonus.auth.form.LoginIsAdminBody;
 import com.bonus.auth.form.RegisterBody;
 import com.bonus.auth.service.*;
 import com.bonus.common.core.constant.CacheConstants;
@ -92,7 +93,7 @@ public class TokenController {
    private String iwsH5Url;

    @PostMapping("isAdmin")
-    public R<?> isAdmin(@RequestBody LoginBody form) {
+    public R<?> isAdmin(@RequestBody LoginIsAdminBody form) {
        if (!config.isAdmin()) {
            return R.ok(false);
        }
--- a/bonus-auth/src/main/java/com/bonus/auth/form/LoginIsAdminBody.java
+++ b/bonus-auth/src/main/java/com/bonus/auth/form/LoginIsAdminBody.java
@ -0,0 +1,23 @@
+package com.bonus.auth.form;
+
+import com.bonus.auth.config.LoginType;
+import com.bonus.auth.config.VerificationCodeType;
+import lombok.Data;
+
+/**
+ * 用户登录对象
+ *
+ * @author bonus
+ */
+@Data
+public class LoginIsAdminBody {
+    /**
+     * 用户名
+     */
+    private String username;
+
+    /**
+     * 用户密码
+     */
+    private String password;
+}
--- a/bonus-common/bonus-common-core/src/main/java/com/bonus/common/core/web/page/TableSupport.java
+++ b/bonus-common/bonus-common-core/src/main/java/com/bonus/common/core/web/page/TableSupport.java
@ -1,7 +1,9 @@
 package com.bonus.common.core.web.page;

+import com.bonus.common.core.exception.ServiceException;
 import com.bonus.common.core.text.Convert;
 import com.bonus.common.core.utils.ServletUtils;
+import com.bonus.common.core.utils.StringUtils;

 /**
 * 表格数据处理
@ -41,6 +43,7 @@ public class TableSupport
     */
    public static PageDomain getPageDomain()
    {
+        isValidPageParams(PAGE_SIZE, PAGE_NUM);
        PageDomain pageDomain = new PageDomain();
        pageDomain.setPageNum(Convert.toInt(ServletUtils.getParameter(PAGE_NUM), 1));
        pageDomain.setPageSize(Convert.toInt(ServletUtils.getParameter(PAGE_SIZE), 10));
@ -54,4 +57,18 @@ public class TableSupport
    {
        return getPageDomain();
    }
+
+    public static void isValidPageParams(String... paramNames) {
+        for(String paramName : paramNames) {
+            String valueStr = ServletUtils.getParameter(paramName);
+            if (StringUtils.isNotBlank(valueStr)) {
+                try {
+                    Integer.parseInt(valueStr.trim());
+                } catch (NumberFormatException e) {
+                    throw new ServiceException("无效的分页参数");
+                }
+            }
+        }
+    }
+
 }
--- a/bonus-gateway/src/main/java/com/bonus/gateway/config/GlobalCorsConfig.java
+++ b/bonus-gateway/src/main/java/com/bonus/gateway/config/GlobalCorsConfig.java
@ -1,5 +1,10 @@
 package com.bonus.gateway.config;

+import cn.hutool.core.collection.CollUtil;
+import com.alibaba.nacos.common.utils.JacksonUtils;
+import com.bonus.gateway.config.properties.CorsProperties;
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.web.cors.CorsConfiguration;
@ -11,7 +16,10 @@ import org.springframework.web.util.pattern.PathPatternParser;
 * Description： 全局跨域配置
 */
@Configuration
+@Slf4j
 public class GlobalCorsConfig {
+    @Autowired
+    private CorsProperties corsProperties;
    @Bean
    public CorsWebFilter corsFilter() {
        // 创建一个新的CorsConfiguration对象，用于配置跨域请求
@ -19,9 +27,16 @@ public class GlobalCorsConfig {
        // 允许所有的HTTP请求方法（GET, POST, PUT, DELETE等）
        config.addAllowedMethod("*");
        // 允许所有的域名发起的请求 比如http://localhost:8080、
-        config.addAllowedOrigin("*");
-        // 允许所有的域名发起的请求（支持正则表达式） 比如http://localhost:8080
-        config.addAllowedOriginPattern("*");
+        log.info("允许的域名：{}", corsProperties.getAllowedOrigins());
+        if(CollUtil.isNotEmpty(corsProperties.getAllowedOrigins())) {
+            for(String cors : corsProperties.getAllowedOrigins()) {
+                config.addAllowedOrigin(cors);
+            }
+        }else {
+            config.addAllowedOrigin("*");
+            // 允许所有的域名发起的请求（支持正则表达式） 比如http://localhost:8080
+            config.addAllowedOriginPattern("*");
+        }
        // 允许所有的请求头部信息 比如token、Content-Type
        config.addAllowedHeader("*");
        // 创建一个UrlBasedCorsConfigurationSource对象，并使用PathPatternParser进行路径匹配
--- a/bonus-gateway/src/main/java/com/bonus/gateway/config/properties/CorsProperties.java
+++ b/bonus-gateway/src/main/java/com/bonus/gateway/config/properties/CorsProperties.java
@ -0,0 +1,32 @@
+package com.bonus.gateway.config.properties;
+
+import org.springframework.boot.context.properties.ConfigurationProperties;
+import org.springframework.cloud.context.config.annotation.RefreshScope;
+import org.springframework.context.annotation.Configuration;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * XSS跨站脚本配置
+ * 
+ * @author bonus
+ */
+@Configuration
+@RefreshScope
+@ConfigurationProperties(prefix = "security.cors")
+public class CorsProperties
+{
+    /**
+     * 合法源
+     */
+    private List<String> allowedOrigins = new ArrayList<>();
+
+    public List<String> getAllowedOrigins() {
+        return allowedOrigins;
+    }
+
+    public void setAllowedOrigins(List<String> allowedOrigins) {
+        this.allowedOrigins = allowedOrigins;
+    }
+}