增加 state 值校验

sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/dao/SaOAuth2Dao.java

@@ -158,6 +158,17 @@ public interface SaOAuth2Dao {
 		}
 	}
 
+	/**
+	 * 持久化：state
+	 * @param state /
+	 */
+	default void saveState(String state) {
+		if( ! SaFoxUtil.isEmpty(state)) {
+			long ttl = SaOAuth2Manager.getServerConfig().getCodeTimeout();
+			getSaTokenDao().set(splicingStateSaveKey(state), state, ttl);
+		}
+	}
+
 
 	// ------------------- delete数据
 
@@ -262,6 +273,14 @@ public interface SaOAuth2Dao {
 		getSaTokenDao().delete(splicingGrantScopeKey(clientId, loginId));
 	}
 
+	/**
+	 * 删除：state记录
+	 * @param state /
+	 */
+	default void deleteGrantScope(String state) {
+		getSaTokenDao().delete(splicingStateSaveKey(state));
+	}
+
 
 	// ------------------- get 数据
 
@@ -372,6 +391,18 @@ public interface SaOAuth2Dao {
 		return SaOAuth2Manager.getDataConverter().convertScopeStringToList(value);
 	}
 
+	/**
+	 * 获取：state
+	 * @param state /
+	 * @return /
+	 */
+	default String getState(String state) {
+		if(SaFoxUtil.isEmpty(state)) {
+			return null;
+		}
+		return getSaTokenDao().get(splicingStateSaveKey(state));
+	}
+
 
 	// ------------------- 拼接key
 
@@ -469,6 +500,15 @@ public interface SaOAuth2Dao {
 		return getSaTokenConfig().getTokenName() + ":oauth2:grant-scope:" + clientId + ":" + loginId;
 	}
 
+	/**
+	 * 拼接key：state 参数持久化
+	 * @param state /
+	 * @return key
+	 */
+	default String splicingStateSaveKey(String state) {
+		return getSaTokenConfig().getTokenName() + ":oauth2:state:" + state;
+	}
+
 
 	// -------- bean 对象代理
 

sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/data/generate/SaOAuth2DataGenerate.java

@@ -91,4 +91,10 @@ public interface SaOAuth2DataGenerate {
      */
     void revokeAccessToken(String accessToken);
 
+    /**
+     * 检查 state 是否被重复使用
+     * @param state /
+     */
+    void checkState(String state);
+
 }

sa-token-plugin/sa-token-oauth2/src/main/java/cn/dev33/satoken/oauth2/data/generate/SaOAuth2DataGenerateDefaultImpl.java

@@ -245,6 +245,7 @@ public class SaOAuth2DataGenerateDefaultImpl implements SaOAuth2DataGenerate {
     public String buildRedirectUri(String redirectUri, String code, String state) {
         String url = SaFoxUtil.joinParam(redirectUri, SaOAuth2Consts.Param.code, code);
         if( ! SaFoxUtil.isEmpty(state)) {
+            checkState(state);
             url = SaFoxUtil.joinParam(url, SaOAuth2Consts.Param.state, state);
         }
         return url;
@@ -261,6 +262,7 @@ public class SaOAuth2DataGenerateDefaultImpl implements SaOAuth2DataGenerate {
     public String buildImplicitRedirectUri(String redirectUri, String token, String state) {
         String url = SaFoxUtil.joinSharpParam(redirectUri, SaOAuth2Consts.Param.token, token);
         if( ! SaFoxUtil.isEmpty(state)) {
+            checkState(state);
             url = SaFoxUtil.joinSharpParam(url, SaOAuth2Consts.Param.state, state);
         }
         return url;
@@ -291,5 +293,18 @@ public class SaOAuth2DataGenerateDefaultImpl implements SaOAuth2DataGenerate {
         dao.deleteRefreshTokenIndex(at.clientId, at.loginId);
     }
 
+    /**
+     * 检查 state 是否被重复使用
+     * @param state /
+     */
+    @Override
+    public void checkState(String state) {
+        String value = SaOAuth2Manager.getDao().getState(state);
+        if(SaFoxUtil.isNotEmpty(value)) {
+            throw new SaOAuth2Exception("多次请求的 state 不可重复: " + state);
+        }
+        SaOAuth2Manager.getDao().saveState(state);
+    }
+
 }