If the server has no refreshTokenKey, it should not issue an access_token, should it? #17

Open
ANDYGE opened this issue Aug 22, 2021 · 0 comments

Comments


ANDYGE commented Aug 22, 2021

// lock acquired
String refreshTokenKey = SecurityConsts.PREFIX_SHIRO_REFRESH_TOKEN + account;
if (jedisUtils.exists(refreshTokenKey)) {
    // check that the timestamp in redis matches the timestamp in the token
    String tokenTimeStamp = jedisUtils.get(refreshTokenKey);
    String tokenMillis = JwtUtil.getClaim(authorization, SecurityConsts.CURRENT_TIME_MILLIS);
    if (!tokenMillis.equals(tokenTimeStamp)) {
        throw new TokenExpiredException(String.format("Token for account %s is invalid", account));
    }
}
/*** If the key does not exist, an exception should be thrown here instead of going on to issue a new token; otherwise any expired or stolen access_token can obtain a newly issued token ----**/
// timestamps match, so issue a new token
String newToken = userService.genToken(account, currentTimeMillis);

The code above checks whether the refresh_token exists; if it exists, it compares the timestamps and throws an exception when they differ. But if the refresh_token does not exist, execution also goes straight on to the token-issuing code below. I'm not sure whether I have misunderstood or overlooked something?
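The two control flows ANDYGE contrasts, as an added example that is not part of the issue or of the project's Java code: a Python model in which a dict stands in for Redis and `gen_token` stands in for `userService.genToken`. `refresh_as_posted` keeps the posted structure (no else branch on the `exists` check), while `refresh_fixed` rejects a missing key outright and then rotates the stored timestamp. The posted snippet ends before any write-back, so that rotation, the value of the key prefix and the login/logout scenario data are all assumptions constructed for the example.

```python
# Constructed model of the refresh flow discussed in the issue (not the project's code).
# A dict stands in for Redis; names mirror the posted snippet where they exist
# (PREFIX_SHIRO_REFRESH_TOKEN, CURRENT_TIME_MILLIS, genToken) and are otherwise assumed.

PREFIX_SHIRO_REFRESH_TOKEN = "shiro:refresh_token:"  # assumed value; only the constant name is on the page


class TokenExpiredException(Exception):
    """Raised when the presented token cannot be used to refresh."""


class FakeRedis:
    """Minimal stand-in for jedisUtils: exists / get / set / delete over a dict."""

    def __init__(self):
        self._store = {}

    def exists(self, key):
        return key in self._store

    def get(self, key):
        return self._store.get(key)

    def set(self, key, value):
        self._store[key] = value

    def delete(self, key):
        self._store.pop(key, None)


def gen_token(account, millis):
    """Stand-in for userService.genToken: the token carries its issue timestamp."""
    return f"{account}.{millis}"


def refresh_as_posted(redis, account, token_millis, now_millis):
    """Control flow of the posted snippet: the exists() check has no else branch,
    so a missing key falls straight through to issuing a new token."""
    key = PREFIX_SHIRO_REFRESH_TOKEN + account
    if redis.exists(key):
        if token_millis != redis.get(key):
            raise TokenExpiredException(f"Token for account {account} is invalid")
    return gen_token(account, now_millis)


def refresh_fixed(redis, account, token_millis, now_millis):
    """Hardened flow: a missing key is a hard failure, the timestamps must match,
    and the stored timestamp is rotated so the token just used cannot be replayed."""
    key = PREFIX_SHIRO_REFRESH_TOKEN + account
    if not redis.exists(key):
        raise TokenExpiredException(f"No refresh record for account {account}")
    if token_millis != redis.get(key):
        raise TokenExpiredException(f"Token for account {account} is invalid")
    redis.set(key, str(now_millis))  # assumed write-back; the posted snippet ends before it
    return gen_token(account, now_millis)


def replay_after_logout(refresh):
    """Constructed scenario: login stores timestamp 1000, the refresh record is later
    removed (logout or Redis expiry), then the old token is presented again.
    Returns the new token if refresh issued one, or None if it was rejected."""
    redis = FakeRedis()
    account = "alice"
    login_millis = "1000"
    redis.set(PREFIX_SHIRO_REFRESH_TOKEN + account, login_millis)
    old_token = gen_token(account, login_millis)        # token the client kept
    token_millis = old_token.split(".")[1]              # the CURRENT_TIME_MILLIS claim
    redis.delete(PREFIX_SHIRO_REFRESH_TOKEN + account)  # record is gone server-side
    try:
        return refresh(redis, account, token_millis, 5000)
    except TokenExpiredException:
        return None


if __name__ == "__main__":
    print("as posted:", replay_after_logout(refresh_as_posted))  # alice.5000
    print("fixed:    ", replay_after_logout(refresh_fixed))      # None
```

With the record deleted, the posted flow mints `alice.5000` from a token the server no longer recognises, which is exactly the replay ANDYGE describes; the fixed flow rejects it, and its timestamp rotation also makes a successfully refreshed token single-use.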
