feat(oauth2): 新增 SaOAuth2Strategy.instance.userAuthorizeClientCheck 策略，用于检查指定用户是否可以授权指定应用

2025-06-28 04:35:16 +08:00 · 2025-05-13 03:59:35 +08:00 · 2025-05-13 03:59:35 +08:00 · 0ed0c277df
commit 0ed0c277df
parent f1089f697c
3 changed files with 27 additions and 10 deletions
--- a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/data/generate/SaOAuth2DataGenerateDefaultImpl.java
+++ b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/data/generate/SaOAuth2DataGenerateDefaultImpl.java
@ -88,9 +88,8 @@ public class SaOAuth2DataGenerateDefaultImpl implements SaOAuth2DataGenerate {
        CodeModel cm = dao.getCode(code);
        SaOAuth2AuthorizationCodeException.throwBy(cm == null, "无效 code: " + code, code, SaOAuth2ErrorCode.CODE_30110);

-        // 2、删除旧Token，TODO 目测不用删，保存索引的时候如果超出了会自动删
-//        dao.deleteAccessToken(dao.getAccessTokenList(cm.clientId, cm.loginId));
-//        dao.deleteRefreshToken(dao.getRefreshTokenValue(cm.clientId, cm.loginId));
+        // 2、开发者自定义的授权前置检查
+        SaOAuth2Strategy.instance.userAuthorizeClientCheck.run(cm.loginId, cm.clientId);

        // 3、生成token
        AccessTokenModel at = dataConverter.convertCodeToAccessToken(cm);
@ -128,7 +127,10 @@ public class SaOAuth2DataGenerateDefaultImpl implements SaOAuth2DataGenerate {
        RefreshTokenModel rt = dao.getRefreshToken(refreshToken);
        SaOAuth2RefreshTokenException.throwBy(rt == null, "无效 refresh_token: " + refreshToken, refreshToken, SaOAuth2ErrorCode.CODE_30111);

-        // 如果配置了[每次刷新产生新的Refresh-Token]
+        // 开发者自定义的授权前置检查
+        SaOAuth2Strategy.instance.userAuthorizeClientCheck.run(rt.loginId, rt.clientId);
+
+        // 如果配置了 [每次刷新产生新的Refresh-Token]
        SaClientModel clientModel = SaOAuth2Manager.getDataLoader().getClientModelNotNull(rt.clientId);
        if(clientModel.getIsNewRefresh()) {
            // 删除旧 Refresh-Token
@ -174,6 +176,9 @@ public class SaOAuth2DataGenerateDefaultImpl implements SaOAuth2DataGenerate {
 //            dao.deleteRefreshToken(dao.getRefreshTokenValue(ra.clientId, ra.loginId));
 //        }

+        // 1、开发者自定义的授权前置检查
+        SaOAuth2Strategy.instance.userAuthorizeClientCheck.run(ra.loginId, ra.clientId);
+
        // 2、生成 新Access-Token
        String newAtValue = SaOAuth2Strategy.instance.createAccessToken.execute(ra.clientId, ra.loginId, ra.scopes);
        AccessTokenModel at = new AccessTokenModel(newAtValue, ra.clientId, ra.loginId, ra.scopes);
--- a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/processor/SaOAuth2ServerProcessor.java
+++ b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/processor/SaOAuth2ServerProcessor.java
@ -122,20 +122,24 @@ public class SaOAuth2ServerProcessor {
 		checkAuthorizeResponseType(responseType, req, cfg);

 		// 2、如果尚未登录, 则先去登录
-		if( ! SaOAuth2Manager.getStpLogic().isLogin()) {
+		Object loginId = SaOAuth2Manager.getStpLogic().getLoginIdDefaultNull();
+		if( loginId == null) {
 			return SaOAuth2Strategy.instance.notLoginView.get();
 		}

 		// 3、构建请求 Model
-		RequestAuthModel ra = SaOAuth2Manager.getDataResolver().readRequestAuthModel(req, SaOAuth2Manager.getStpLogic().getLoginId());
+		RequestAuthModel ra = SaOAuth2Manager.getDataResolver().readRequestAuthModel(req, loginId);

-		// 4、校验：重定向域名是否合法
+		// 4、开发者自定义的授权前置检查
+		SaOAuth2Strategy.instance.userAuthorizeClientCheck.run(ra.loginId, ra.clientId);
+
+		// 5、校验：重定向域名是否合法
 		oauth2Template.checkRedirectUri(ra.clientId, ra.redirectUri);

-		// 5、校验：此次申请的Scope，该Client是否已经签约
+		// 6、校验：此次申请的Scope，该Client是否已经签约
 		oauth2Template.checkContractScope(ra.clientId, ra.scopes);

-		// 6、判断：如果此次申请的Scope，该用户尚未授权，则转到授权页面
+		// 7、判断：如果此次申请的Scope，该用户尚未授权，则转到授权页面
 		boolean isNeedCarefulConfirm = oauth2Template.isNeedCarefulConfirm(ra.loginId, ra.clientId, ra.scopes);
 		if(isNeedCarefulConfirm) {
 			SaClientModel cm = oauth2Template.checkClientModel(ra.clientId);
@ -144,7 +148,7 @@ public class SaOAuth2ServerProcessor {
 			}
 		}

-		// 7、判断授权类型，重定向到不同地址
+		// 8、判断授权类型，重定向到不同地址
 		// 		如果是 授权码式，则：开始重定向授权，下放code
 		if(ResponseType.code.equals(ra.responseType)) {
 			CodeModel codeModel = dataGenerate.generateCode(ra);
--- a/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/strategy/SaOAuth2Strategy.java
+++ b/sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/strategy/SaOAuth2Strategy.java
@ -16,6 +16,7 @@
 package cn.dev33.satoken.oauth2.strategy;

 import cn.dev33.satoken.SaManager;
+import cn.dev33.satoken.fun.SaTwoParamFunction;
 import cn.dev33.satoken.oauth2.SaOAuth2Manager;
 import cn.dev33.satoken.oauth2.config.SaOAuth2ServerConfig;
 import cn.dev33.satoken.oauth2.consts.GrantType;
@ -260,6 +261,13 @@ public final class SaOAuth2Strategy {
 	 */
 	public SaOAuth2DoLoginHandleFunction doLoginHandle = (name, pwd) -> SaResult.error();

+	/**
+	 * OAuth-Server端：用户在授权指定 client 前的检查，如果检查不通过，请直接抛出异常
+	 */
+	public SaTwoParamFunction<Object, String> userAuthorizeClientCheck = (loginId, clientId) -> {
+
+	};
+


 }