fix - 增加登陆安全校验

2026-01-14 15:11:15 +08:00 · 2026-01-14 15:11:15 +08:00 · 040e4a3365
commit 040e4a3365
parent 86dd6f7c7f
1 changed files with 5 additions and 8 deletions
--- a/workflow-engine-server/src/main/java/cn/axzo/workflow/server/controller/web/DangerOperationController.java
+++ b/workflow-engine-server/src/main/java/cn/axzo/workflow/server/controller/web/DangerOperationController.java
@ -3,7 +3,6 @@ package cn.axzo.workflow.server.controller.web;
 import cn.axzo.framework.domain.data.AssertUtil;
 import cn.axzo.riven.client.domain.ThirdPartyUserDTO;
 import cn.axzo.riven.client.feign.ThirdPartySyncApi;
-import cn.axzo.riven.client.req.ThirdPartyUserReq;
 import cn.axzo.workflow.common.model.request.bpmn.process.BpmnProcessInstanceAbortDTO;
 import cn.axzo.workflow.common.model.request.bpmn.process.BpmnProcessInstanceCancelDTO;
 import cn.axzo.workflow.common.model.request.bpmn.task.BpmnTaskAuditDTO;
@ -278,18 +277,16 @@ public class DangerOperationController {

            log.info("DingTalk User Response: {}", userInfoResponse);
            JSONObject userJson = JSON.parseObject(userInfoResponse);
-            String unionId = userJson.getString("unionId");
-            String openId = userJson.getString("openId");
            String nick = userJson.getString("nick");
+            String mobile = userJson.getString("mobile");

-            if (!StringUtils.hasText(openId) && !StringUtils.hasText(unionId)) {
+            if (!StringUtils.hasText(mobile)) {
                log.error("Failed to get user info: {}", userInfoResponse);
-                model.addAttribute("authError", "钉钉登录验证失败: 无法获取用户信息");
+                model.addAttribute("authError", "钉钉登录验证失败: 无法获取用户手机号");
                return "form";
            }

-            ThirdPartyUserReq build = ThirdPartyUserReq.builder().unionId(unionId).build();
-            List<ThirdPartyUserDTO> users = RpcExternalUtil.rpcApiResultProcessor(() -> thirdPartySyncApi.getUserInfos(build), "查询用户是否存在", build);
+            List<ThirdPartyUserDTO> users = RpcExternalUtil.rpcApiResultProcessor(() -> thirdPartySyncApi.getUserInfosByPhone(mobile), "查询用户是否存在", mobile);
            if (CollectionUtils.isEmpty(users)) {
                model.addAttribute("authError", "用户未授权！");
                return "form";
@ -297,7 +294,7 @@ public class DangerOperationController {


            // 3. 登录成功
-            log.info("DingTalk Login Success: nick={}, unionId={}", nick, unionId);
+            log.info("DingTalk Login Success: nick={}, mobile={}", nick, mobile);
            session.setAttribute("isAuthenticated", true);
            // 可以把用户信息也存进去
            session.setAttribute("dingUser", userJson);