✅ Deploy Preview for kcloud-platform-iot ready!
Reviewer's Guide

Adds captcha validation support to authorization-code authentication flow and its tests, wires CaptchaV into AuthA for this grant type, updates the authorization-code auth test fixtures and mocks to include UUID/captcha, and fixes a Maven build issue by excluding mybatis-spring from the mybatis-plus-boot-starter dependency.

Sequence diagram for authorization-code auth with captcha validation

sequenceDiagram
actor Client
participant AuthService
participant AuthA
participant AuthParamValidator as AuthorizationCodeAuthParamValidator
participant ParamValidator
participant OAuth2ParamValidator
Client->>AuthService: send authorization_code auth request
AuthService->>AuthA: createAuthorizationCodeAuth()
activate AuthA
AuthA->>AuthA: getCaptchaVByAuthorizationCodeAuth()
AuthA->>AuthA: getCaptchaVByUsernamePasswordAuth()
AuthA->>AuthA: getParameterValue(Constants.UUID)
AuthA-->>AuthA: uuid
AuthA->>AuthA: getParameterValue(Constants.CAPTCHA)
AuthA-->>AuthA: captcha
AuthA-->>AuthService: AuthA with grantType AUTHORIZATION_CODE, userV, captchaV
deactivate AuthA
AuthService->>AuthParamValidator: validateAuth(authA)
activate AuthParamValidator
AuthParamValidator->>AuthA: getUserV()
AuthA-->>AuthParamValidator: userV
AuthParamValidator->>AuthA: getCaptchaV()
AuthA-->>AuthParamValidator: captchaV
AuthParamValidator->>ParamValidator: validate(validateName, ...validators)
activate ParamValidator
ParamValidator->>OAuth2ParamValidator: validateTenantCode(userV.tenantCode())
OAuth2ParamValidator-->>ParamValidator: tenantCodeValid
ParamValidator->>OAuth2ParamValidator: validateUuid(captchaV.uuid())
OAuth2ParamValidator-->>ParamValidator: uuidValid
ParamValidator->>OAuth2ParamValidator: validateCaptcha(captchaV.captcha())
OAuth2ParamValidator-->>ParamValidator: captchaValid
ParamValidator->>OAuth2ParamValidator: validateUsername(userV.username())
OAuth2ParamValidator-->>ParamValidator: usernameValid
ParamValidator->>OAuth2ParamValidator: validatePassword(userV.password())
OAuth2ParamValidator-->>ParamValidator: passwordValid
ParamValidator-->>AuthParamValidator: validationResult
deactivate ParamValidator
AuthParamValidator-->>AuthService: success or error
deactivate AuthParamValidator
AuthService-->>Client: auth success or failure

Class diagram for updated AuthA authorization-code captcha handling

classDiagram
class AuthA {
+GrantType grantType
+UserV userV
+CaptchaV captchaV
+AuthA createAuthorizationCodeAuth()
-CaptchaV getCaptchaVByAuthorizationCodeAuth()
-CaptchaV getCaptchaVByUsernamePasswordAuth()
}
class UserV {
+String tenantCode()
+String username()
+String password()
}
class CaptchaV {
+String uuid()
+String captcha()
}
class AuthorizationCodeAuthParamValidator {
+void validateAuth(AuthA authA)
}
class ParamValidator {
+void validate(String validateName, Object validator1, Object validator2, Object validator3, Object validator4, Object validator5)
}
class OAuth2ParamValidator {
+Object validateTenantCode(String tenantCode)
+Object validateUuid(String uuid)
+Object validateCaptcha(String captcha)
+Object validateUsername(String username)
+Object validatePassword(String password)
}
AuthA *-- UserV
AuthA *-- CaptchaV
AuthorizationCodeAuthParamValidator ..> AuthA
AuthorizationCodeAuthParamValidator ..> ParamValidator
AuthorizationCodeAuthParamValidator ..> OAuth2ParamValidator
Review Summary by Qodo

Add captcha validation to authorization code auth and fix Maven build

Walkthroughs

Description
• Add captcha validation to authorization code auth flow
  - Import CaptchaV and extract captcha from auth parameters
  - Validate UUID and captcha in AuthorizationCodeAuthParamValidator
  - Initialize captcha in createAuthorizationCodeAuth() method
• Fix Maven build by excluding mybatis-spring dependency conflict
  - Add exclusion for org.mybatis:mybatis-spring in dynamic-datasource dependency
• Update test cases to verify captcha validation
  - Add captcha validator mock verification in authorization code auth test
  - Update AuthorizationCodAuthParam record to include UUID and captcha fields

Diagram

flowchart LR
A["Authorization Code Auth"] -->|Extract| B["CaptchaV"]
B -->|Validate| C["UUID & Captcha"]
C -->|Pass| D["Auth Success"]
E["Maven Dependency"] -->|Exclude| F["mybatis-spring"]
F -->|Resolve| G["Build Success"]

File Changes
1. laokou-service/laokou-auth/laokou-auth-app/src/main/java/org/laokou/auth/service/validator/AuthorizationCodeAuthParamValidator.java
Code Review by Qodo
1. Captcha endpoint mismatch
Caution: Review failed. The pull request is closed.
Walkthrough

This pull request adds captcha validation support to the authorization code authentication flow. Changes include a pom.xml exclusion to prevent transitive mybatis-spring dependency, updates to the validator and domain model to retrieve and validate captcha/UUID during authorization code authentication, and corresponding test updates with a modified constructor signature.
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
Hey - I've left some high level feedback:
- The new `getCaptchaVByAuthorizationCodeAuth` method in `AuthA` is just delegating to `getCaptchaVByUsernamePasswordAuth`; consider inlining this call and using the existing method directly to avoid an extra indirection.
| CaptchaV captchaV = authA.getCaptchaV(); | ||
| ParamValidator.validate(authA.getValidateName(), | ||
| // 校验租户编码 | ||
| OAuth2ParamValidator.validateTenantCode(userV.tenantCode()), | ||
| // 校验UUID | ||
| OAuth2ParamValidator.validateUuid(captchaV.uuid()), | ||
| // 校验验证码 | ||
| OAuth2ParamValidator.validateCaptcha(captchaV.captcha()), |
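Review bot: `captchaV` returned by `authA.getCaptchaV()` is dereferenced in `captchaV.uuid()` and `captchaV.captcha()` with no null check, so an `AuthA` that reaches this validator without a captcha set fails with a NullPointerException instead of a validation error. Guard it before the `ParamValidator.validate(...)` call, for example with an explicit check that reports the missing captcha through the same validation path as the other fields.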
1. Captcha endpoint mismatch 🐞 Bug ✓ Correctness
Authorization-code login now validates captcha using the AUTHORIZATION_CODE captcha cache key, but the /login page still fetches captcha images from the username-password captcha endpoint/key, so the user-entered captcha will not match the key checked during authentication and login will fail.
Agent Prompt
## Issue description
Authorization-code login now validates captcha against `auth:authorization-code:captcha:<uuid>`, but the login page loads captcha images from `/api/v1/username-password/captchas/{uuid}` (key `auth:username-password:captcha:<uuid>`). This key mismatch causes captcha validation failures and blocks `/login`.
## Issue Context
Backend:
- `AuthA.getCaptchaCacheKeyByAuth()` uses `RedisKeyUtils.getAuthorizationCodeAuthCaptchaKey` for `GrantType.AUTHORIZATION_CODE`.
- `CaptchasController` exposes `/v1/authorization-code/captchas/{uuid}` that reads the same key.
Frontend (login template):
- Still calls `/api/v1/username-password/captchas/{uuid}` in both the fallback form image and Vue refresh logic.
## Fix Focus Areas
- laokou-service/laokou-auth/laokou-auth-start/src/main/resources/templates/login.html[181-193]
- laokou-service/laokou-auth/laokou-auth-start/src/main/resources/templates/login.html[257-271]
## Expected change
- Replace `/api/v1/username-password/captchas/` with `/api/v1/authorization-code/captchas/` in:
  - the `<img th:src=...>` and its `onclick` handler
  - the Vue `refreshCaptcha()` fetch URL
- (Optional) Update any UI labels/help text if they refer specifically to “username-password captcha”.
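The key mismatch described in the review above, reproduced as an added example that is not code from this pull request or the project. The `auth:<grant>:captcha:<uuid>` key layout comes from the review; the class, enum and method names are hypothetical, and a `HashMap` stands in for the Redis cache.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: a HashMap stands in for the Redis captcha cache.
public class CaptchaKeyMismatchDemo {

    enum GrantType {
        USERNAME_PASSWORD("username-password"),
        AUTHORIZATION_CODE("authorization-code");

        final String segment;

        GrantType(String segment) {
            this.segment = segment;
        }
    }

    static final Map<String, String> CACHE = new HashMap<>();

    // Key layout quoted in the review: auth:<grant>:captcha:<uuid>
    static String captchaKey(GrantType grant, String uuid) {
        return "auth:" + grant.segment + ":captcha:" + uuid;
    }

    // A captcha endpoint stores the answer under the key of its own grant type.
    static void issueCaptcha(GrantType endpointGrant, String uuid, String answer) {
        CACHE.put(captchaKey(endpointGrant, uuid), answer);
    }

    // Authentication looks up the key of the grant type being authenticated.
    static boolean validateCaptcha(GrantType authGrant, String uuid, String input) {
        String expected = CACHE.get(captchaKey(authGrant, uuid));
        return expected != null && expected.equals(input);
    }

    public static void main(String[] args) {
        String uuid = "00000000-0000-0000-0000-000000000001"; // constructed sample value

        // Before the fix: the login page loads its image from the username-password endpoint.
        issueCaptcha(GrantType.USERNAME_PASSWORD, uuid, "a1b2");
        System.out.println("image from username-password endpoint:   "
                + validateCaptcha(GrantType.AUTHORIZATION_CODE, uuid, "a1b2"));

        // After the fix: the image comes from the authorization-code endpoint.
        issueCaptcha(GrantType.AUTHORIZATION_CODE, uuid, "a1b2");
        System.out.println("image from authorization-code endpoint: "
                + validateCaptcha(GrantType.AUTHORIZATION_CODE, uuid, "a1b2"));
    }
}
```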
Codecov Report

✅ All modified and coverable lines are covered by tests.

Additional details and impacted files

```diff
@@             Coverage Diff              @@
##             master    #5872      +/-   ##
============================================
+ Coverage     58.26%   58.33%   +0.06%
- Complexity     1144     1146       +2
============================================
  Files           270      270
  Lines          5358     5364       +6
  Branches        339      339
============================================
+ Hits           3122     3129       +7
+ Misses         2060     2059       -1
  Partials        176      176
```



Summary by Sourcery

Add captcha validation support to authorization code authentication flow and fix related Maven build issues.

Bug Fixes:
- Exclude the conflicting `mybatis-spring` dependency from `mybatis-plus-boot-starter` to resolve the Maven build error.