Conversation
✅ Deploy Preview for kcloud-platform-iot ready!
Reviewer's Guide
Refactors the login/authorization flow to use an authorization-code captcha endpoint with UUID-based captcha retrieval on the front-end, adjusts static asset paths and security matchers, simplifies MinIO client exception handling, standardizes the server forward-headers strategy, and removes the custom OAuth2 authentication failure handler in favor of Spring Security's default behavior.

Sequence diagram for authorization-code captcha retrieval and login

```mermaid
sequenceDiagram
    actor User
    participant Browser
    participant AuthServer
    User->>Browser: Open login page /login
    Browser->>AuthServer: GET /login static resources img js
    AuthServer-->>Browser: HTML CSS JS
    Note over Browser: On page load getCaptcha is executed
    Browser->>Browser: getUuid generate UUID
    Browser->>AuthServer: GET v1/authorization-code/captchas/{uuid}
    AuthServer-->>Browser: captcha image data (base64 or URL)
    Browser->>Browser: Set hidden uuid field and captcha img src
    User->>Browser: Enter tenant_code username password captcha
    User->>Browser: Click login button
    Browser->>AuthServer: POST /login
    activate AuthServer
    AuthServer->>AuthServer: Validate credentials and captcha by uuid
    alt Authentication_success
        AuthServer-->>Browser: 302 redirect to client redirect_uri
        Browser->>User: Show target application
    else Authentication_failure
        AuthServer-->>Browser: 302 redirect /login?error
        Browser->>AuthServer: GET /login?error
        AuthServer-->>Browser: Login page with SPRING_SECURITY_LAST_EXCEPTION message
        Browser->>User: Display error message
    end
    deactivate AuthServer
```
Class diagram for the updated MinIOStorage and the removed OAuth2AuthenticationFailureHandler

```mermaid
classDiagram
    class MinIOStorage {
        - MinioProperties minIO
        - FileInfo fileInfo
        + MinioClient getObj()
        + void checkBucket(MinioClient minioClient) throws MinioException
        + void upload(MinioClient minioClient) throws MinioException
        + String getUrl(MinioClient minioClient) throws MinioException
        + void createBucket() throws MinioException
    }
    class OAuth2ResourceServerConfig {
        + SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http, OAuth2AuthorizationService authorizationService, OAuth2TokenGenerator tokenGenerator)
    }
    class OAuth2AuthenticationFailureHandler_removed {
        + void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception)
    }
    OAuth2ResourceServerConfig ..> MinIOStorage : may use for resource access
    OAuth2ResourceServerConfig ..> OAuth2AuthenticationFailureHandler_removed : previous dependency removed
```
CodeRabbit: Review failed. The pull request is closed.
Walkthrough: This pull request updates the HTTP/2 forward headers strategy across multiple services from
Review Summary by Qodo: Optimize authorization code login with Axios integration and configuration standardization

Description
• Refactored authorization code login flow with improved frontend implementation using Axios HTTP client library
• Updated login forms in both standalone and standard auth services with dynamic captcha loading via getCaptcha() function
• Refactored form fields: replaced tenant with tenant_code, added hidden uuid field for captcha request tracking
• Added default credentials for testing (tenant_code: laokouyun, username: admin, password: admin123)
• Changed background image URLs from absolute paths to relative paths for better portability
• Simplified MinIO exception handling by consolidating multiple specific exceptions into single MinioException parent class
• Updated import statements in MinIO storage to use io.minio.Http instead of io.minio.http.Method
• Standardized forward-headers-strategy configuration from native to framework across all services (gateway, auth, logstash, OSS, generator, report, admin, network)
• Added route permissions for static resources (/img/**, /js/**) in auth service configuration
• Removed OAuth2 authentication failure handler class as part of login flow optimization

Diagram

```mermaid
flowchart LR
    A["Login Form<br/>HTML"] -->|"Axios HTTP<br/>Requests"| B["Captcha<br/>Endpoint"]
    A -->|"Form Fields<br/>tenant_code, uuid"| C["Backend<br/>Auth Service"]
    D["MinIO Storage<br/>Exception Handling"] -->|"Simplified<br/>to MinioException"| E["Error Processing"]
    F["All Services<br/>Configuration"] -->|"forward-headers-strategy<br/>native → framework"| G["Gateway &<br/>Services"]
    C -->|"Static Resources<br/>/img/**, /js/**"| H["Frontend<br/>Assets"]
```

File Changes
1. laokou-common/laokou-common-oss/src/main/java/org/laokou/common/oss/template/MinIOStorage.java
Code Review by Qodo
1. Login blocked by gateway
Hey - I've found 2 issues, and left some high level feedback:
- The login form now hardcodes default tenant_code/username/password values, which is risky for non-demo environments; consider removing these defaults or gating them behind a dev/profile-specific template.
- The hidden `uuid` input is marked `required` but is only populated by `getCaptcha()`, so if JS or the captcha request fails the form may become unusable; consider making it non-required or adding error handling/fallback when the captcha call fails.
- In `MinIOStorage`, the method signatures were narrowed to only throw `MinioException` while the MinIO client APIs can also throw other checked exceptions (e.g. `IOException`, `NoSuchAlgorithmException`); ensure these are either still declared or properly wrapped/handled to keep compilation and error handling consistent.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The login form now hardcodes default tenant_code/username/password values, which is risky for non-demo environments; consider removing these defaults or gating them behind a dev/profile-specific template.
- The hidden `uuid` input is marked `required` but is only populated by `getCaptcha()`, so if JS or the captcha request fails the form may become unusable; consider making it non-required or adding error handling/fallback when the captcha call fails.
- In `MinIOStorage`, the method signatures were narrowed to only throw `MinioException` while the MinIO client APIs can also throw other checked exceptions (e.g. `IOException`, `NoSuchAlgorithmException`); ensure these are either still declared or properly wrapped/handled to keep compilation and error handling consistent.
## Individual Comments
### Comment 1
<location path="laokou-service/laokou-standalone/laokou-standalone-auth/laokou-standalone-auth-start/src/main/resources/templates/login.html" line_range="144-151" />
<code_context>
+ return v.toString(16);
+ });
+ }
+ function getCaptcha() {
+ const uuid = getUuid()
+ document.getElementById("uuid").value = uuid
+ axios.get("v1/authorization-code/captchas/" + uuid).then(res => {
+ document.getElementById("captcha-img").src = res.data.data
+ })
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Captcha loading has no error handling, which can degrade the login experience.
If the captcha request fails (network/server issue), the image stays blank and the user can’t proceed or recover. Add error handling (e.g. a `.catch(...)` to display an error and/or trigger a retry) and consider regenerating the `uuid` so the form isn’t stuck on a failed captcha.
```suggestion
function getCaptcha() {
  const uuid = getUuid();
  const uuidInput = document.getElementById("uuid");
  const captchaImg = document.getElementById("captcha-img");
  // Bail out if the required elements are missing, instead of throwing
  if (!uuidInput || !captchaImg) {
    console.error("Captcha elements not found on the page.");
    return;
  }
  uuidInput.value = uuid;
  captchaImg.alt = "验证码加载中...";
  axios
    .get("v1/authorization-code/captchas/" + uuid)
    .then(res => {
      captchaImg.src = res.data.data;
      captchaImg.alt = "看不清?点击刷新验证码";
    })
    .catch(err => {
      console.error("Failed to load captcha.", err);
      // Clear the image so a stale or broken one is not shown
      captchaImg.removeAttribute("src");
      captchaImg.alt = "验证码加载失败,点击重试";
      // Minimal user notice; swap for the project's global message component if there is one
      alert("验证码加载失败,请检查网络后点击验证码重试。");
    });
}
const captchaImg = document.getElementById("captcha-img");
if (captchaImg) {
  // Let the user click the captcha to fetch a new one, so a single failed request cannot wedge the form
  captchaImg.addEventListener("click", getCaptcha);
}
getCaptcha();
```
</issue_to_address>
### Comment 2
<location path="laokou-common/laokou-common-oss/src/main/java/org/laokou/common/oss/template/MinIOStorage.java" line_range="77-81" />
<code_context>
- protected String getUrl(MinioClient minioClient) throws ServerException, InsufficientDataException,
- ErrorResponseException, IOException, NoSuchAlgorithmException, InvalidKeyException,
- InvalidResponseException, XmlParserException, InternalException {
+ protected String getUrl(MinioClient minioClient) throws MinioException {
GetPresignedObjectUrlArgs objectUrlArgs = GetPresignedObjectUrlArgs.builder()
.bucket(this.minIO.getBucketName())
.object(fileInfo.name())
- .method(Method.GET)
+ .method(Http.Method.GET)
.expiry(5, TimeUnit.DAYS)
.build();
</code_context>
<issue_to_address>
**issue (bug_risk):** Using `Http.Method.GET` with MinIO’s `GetPresignedObjectUrlArgs` looks inconsistent and may not compile.
This previously used MinIO’s `io.minio.http.Method.GET`, but now passes `Http.Method.GET` into `.method(...)`. Unless `Http.Method` is the same type as `io.minio.http.Method`, this will fail to compile or be rejected by the builder. Please either keep using MinIO’s `Method` enum or add an explicit conversion from `Http.Method` to the type expected by `GetPresignedObjectUrlArgs.builder().method(...)`.
</issue_to_address>
| function getCaptcha() { | ||
| const uuid = getUuid() | ||
| document.getElementById("uuid").value = uuid | ||
| axios.get("v1/authorization-code/captchas/" + uuid).then(res => { | ||
| document.getElementById("captcha-img").src = res.data.data | ||
| }) | ||
| } | ||
| getCaptcha() |
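Review bot: the uuid that keys the captcha is minted by the browser in getUuid() and echoed back in the hidden field, so nothing in this hunk stops a client from generating unlimited uuids or reusing one solved captcha across many POST /login attempts. The server side has to treat the uuid as an untrusted lookup key: store the answer under it with a short TTL, delete it on the first /login attempt that references it (whether or not the password is right), and rate-limit captcha issuance per client; otherwise the captcha does not slow credential guessing at all.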
suggestion (bug_risk): Captcha loading has no error handling, which can degrade the login experience.
If the captcha request fails (network/server issue), the image stays blank and the user can neither proceed nor recover. Add error handling (e.g. a .catch(...) to display an error and/or trigger a retry) and consider regenerating the uuid so the form isn't stuck on a failed captcha.
| function getCaptcha() { | |
| const uuid = getUuid() | |
| document.getElementById("uuid").value = uuid | |
| axios.get("v1/authorization-code/captchas/" + uuid).then(res => { | |
| document.getElementById("captcha-img").src = res.data.data | |
| }) | |
| } | |
| getCaptcha() | |
| function getCaptcha() { | |
| const uuid = getUuid(); | |
| const uuidInput = document.getElementById("uuid"); | |
| const captchaImg = document.getElementById("captcha-img"); | |
| // 如果关键元素不存在,直接返回避免报错 | |
| if (!uuidInput || !captchaImg) { | |
| console.error("Captcha elements not found on the page."); | |
| return; | |
| } | |
| uuidInput.value = uuid; | |
| captchaImg.alt = "验证码加载中..."; | |
| axios | |
| .get("v1/authorization-code/captchas/" + uuid) | |
| .then(res => { | |
| captchaImg.src = res.data.data; | |
| captchaImg.alt = "看不清?点击刷新验证码"; | |
| }) | |
| .catch(err => { | |
| console.error("Failed to load captcha.", err); | |
| // 清空图片,避免展示旧的或损坏的图片 | |
| captchaImg.removeAttribute("src"); | |
| captchaImg.alt = "验证码加载失败,点击重试"; | |
| // 简单用户提示;如果项目有全局消息组件,可替换为全局提示 | |
| alert("验证码加载失败,请检查网络后点击验证码重试。"); | |
| }); | |
| } | |
| const captchaImg = document.getElementById("captcha-img"); | |
| if (captchaImg) { | |
| // 允许用户点击验证码重新获取,避免因为一次请求失败而卡死 | |
| captchaImg.addEventListener("click", getCaptcha); | |
| } | |
| getCaptcha(); |
| protected String getUrl(MinioClient minioClient) throws MinioException { | ||
| GetPresignedObjectUrlArgs objectUrlArgs = GetPresignedObjectUrlArgs.builder() | ||
| .bucket(this.minIO.getBucketName()) | ||
| .object(fileInfo.name()) | ||
| .method(Method.GET) | ||
| .method(Http.Method.GET) |
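Review bot: `.expiry(5, TimeUnit.DAYS)` makes every presigned URL a bearer credential for the object that stays valid for five days after it is handed out, and nothing in this hunk narrows who can use it. Pick the shortest expiry the caller actually needs (minutes for a link that is consumed right away) and document the reason wherever a longer one is required.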
issue (bug_risk): Using Http.Method.GET with MinIO's GetPresignedObjectUrlArgs looks inconsistent and may not compile.
This previously used MinIO's io.minio.http.Method.GET, but now passes Http.Method.GET into .method(...). Unless Http.Method is the same type as io.minio.http.Method, this will fail to compile or be rejected by the builder. Please either keep using MinIO's Method enum or add an explicit conversion from Http.Method to the type expected by GetPresignedObjectUrlArgs.builder().method(...).
| - /doc.html=laokou-gateway | ||
| - /webjars/**=laokou-gateway | ||
| - /ws=laokou-gateway | ||
| - /api/login=laokou-gateway |
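Review bot: with `/api/login` dropped from this GET ignore list, the browser's first, unauthenticated GET for the login page is no longer exempt from the gateway's Authorization check, and the page's own assets (`/img/**`, `/js/**`, which this PR opens on the auth service itself) are not listed here either. If the login page is meant to be served through the gateway, restore `/api/login` and add the asset paths; if it is meant to be reached only directly on the auth service, say so in the PR description so the removal is deliberate. Separately, `/doc.html` and `/webjars/**` stay open, which publishes the API documentation UI to anyone who can reach the gateway; gate those by profile outside development.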
1. Login blocked by gateway 🐞 Bug ✓ Correctness
After the gateway dropped the allow rule for /api/login, AuthFilter returns 401 directly for login-page requests that carry no Authorization header, so the authorization-code login page is unreachable. Because the auth service's context-path is /api and LoginController maps /login, the login page's actual path is /api/login.
Agent Prompt
### Issue description
`/api/login` was removed from the gateway's `request-matcher.ignore-patterns.GET`, and `AuthFilter` returns 401 directly for requests that miss the allow list and carry no `Authorization` header, so the login page (`/api/login`) cannot be reached.
### Issue Context
- The auth service sets `server.servlet.context-path=/api`, so `GET /login` is externally `/api/login`.
- The login page also loads static resources (e.g. `/api/js/**`, `/api/img/**`); if they are fetched through the gateway they need to be allowed as well.
### Fix Focus Areas
- laokou-cloud/laokou-gateway/src/main/resources/application.yml[190-207]
- laokou-cloud/laokou-gateway/src/main/java/org/laokou/gateway/filter/AuthFilter.java[64-86]
- laokou-service/laokou-auth/laokou-auth-start/src/main/resources/application.yml[30-55]
- laokou-service/laokou-auth/laokou-auth-adapter/src/main/java/org/laokou/auth/web/LoginController.java[24-38]
| <input id="uuid" name="uuid" type="text" autocomplete="new-password" hidden="hidden" placeholder="请输入唯一标识" required/> | ||
| </div> | ||
|
|
||
| <div class="form-item row" style="width: 100%;"> | ||
| <input id="username" name="username" type="text" placeholder="请输入用户名" required/> | ||
| <input id="tenant_code" name="tenant_code" autocomplete="new-password" value="laokouyun" type="text" placeholder="请输入租户编号" required autofocus/> | ||
| </div> | ||
|
|
||
| <div class="form-item row" style="width: 100%;"> | ||
| <input id="password" name="password" type="password" placeholder="请输入密码" required/> | ||
| <input id="username" name="username" type="text" autocomplete="new-password" value="admin" placeholder="请输入用户名" required/> | ||
| </div> | ||
|
|
||
| <div class="form-item row" style="width: 100%;"> | ||
| <input id="password" name="password" type="password" autocomplete="new-password" value="admin123" placeholder="请输入密码" required/> | ||
| </div> |
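Review bot: the `value="laokouyun"`, `value="admin"` and `value="admin123"` attributes put a working credential set into a page that is served before authentication, and the `value` on the `type="password"` input is readable in the page source. Remove the defaults from the template (seed a demo account server-side if one is needed), and note that `autocomplete="new-password"` on the tenant and username inputs only discourages browser autofill; it is not a control against anything. The hidden `uuid` input is also `required`, so a browser with JavaScript disabled, or one where `getCaptcha()` failed, cannot submit the form at all; drop `required` there and reject a missing uuid server-side instead.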
2. Hardcoded admin credentials 🐞 Bug ⛨ Security
Both login.html templates prefill tenant_code/username/password with laokouyun/admin/admin123; any unauthenticated visitor can see the combination and try it with one click, a clear account-security risk.
Agent Prompt
### Issue description
The login page templates hardcode and prefill `tenant_code` / `username` / `password` (`laokouyun` / `admin` / `admin123`). This exposes a set of "default credentials" to every visitor and significantly weakens account security.
### Issue Context
These are server-side rendered templates (Thymeleaf); any unauthenticated visitor can view the page source or simply read the default values in the input boxes.
### Fix Focus Areas
- laokou-service/laokou-auth/laokou-auth-start/src/main/resources/templates/login.html[111-121]
- laokou-service/laokou-standalone/laokou-standalone-auth/laokou-standalone-auth-start/src/main/resources/templates/login.html[111-121]
| <div class="form-item"> | ||
| <div class="row"> | ||
| <input id="captcha" name="captcha" type="text" placeholder="请输入验证码" required/> | ||
| <img class="captcha" th:src="@{/captcha}" alt="captcha" | ||
| onclick="this.src='/captcha?ts='+Date.now()"/> | ||
| <input id="captcha" name="captcha" autocomplete="new-password" type="text" placeholder="请输入验证码" required/> | ||
| <img id="captcha-img" class="captcha" alt="验证码" onclick="getCaptcha()"/> | ||
| </div> | ||
| </div> | ||
|
|
||
| <button class="btn" type="submit">登 录</button> | ||
| </form> | ||
| </div> | ||
| <script> | ||
| function getUuid() { | ||
| if (window.crypto && crypto.randomUUID) { | ||
| return crypto.randomUUID(); | ||
| } | ||
| return 'xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx'.replace(/[xy]/g, function(c) { | ||
| const r = Math.random() * 16 | 0; | ||
| const v = c === 'x' ? r : (r & 0x3 | 0x8); | ||
| return v.toString(16); | ||
| }); | ||
| } | ||
| function getCaptcha() { | ||
| const uuid = getUuid() | ||
| document.getElementById("uuid").value = uuid | ||
| axios.get("v1/authorization-code/captchas/" + uuid).then(res => { | ||
| document.getElementById("captcha-img").src = res.data.data | ||
| }) | ||
| } | ||
| getCaptcha() | ||
| </script> |
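Review bot: the removed `th:src="@{/captcha}"` was resolved by Thymeleaf against the servlet context path, whereas the replacement `axios.get("v1/authorization-code/captchas/" + uuid)` is a relative URL that resolves against whatever path the login page happened to be served from, so the captcha request breaks silently if the page is ever reached under a different prefix (through the gateway, for instance). Build the URL with `@{...}` or an absolute path that includes the context path. The Math.random fallback in `getUuid()` is adequate for what the value is used for here, a lookup key, but for the same reason the server must treat the uuid as a client-chosen identifier and nothing more: the answer itself has to be checked server-side and discarded after one use.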
3. Captcha not validated server-side 🐞 Bug ⛨ Security
The login page requires uuid/captcha and fetches the captcha from /v1/authorization-code/captchas/{uuid}, but the current formLogin authentication chain uses the default DaoAuthenticationProvider and no server-side validation of uuid/captcha is visible, so the captcha is decorative and can be bypassed outright.
Agent Prompt
### Issue description
The login page introduces `uuid`/`captcha` and requires the user to fill them in, but the current Spring Security formLogin authentication chain does not validate these parameters server-side, so the captcha exists only at the front-end interaction layer and an attacker can bypass it by POSTing `/login` directly.
### Issue Context
- GET `/v1/authorization-code/captchas/{uuid}` generates a captcha, writes it to Redis (the key is built by the controller with `RedisKeyUtils.getAuthorizationCodeAuthCaptchaKey(uuid)`), and returns a base64 image.
- But formLogin uses the default authentication flow (DaoAuthenticationProvider), which only checks username/password.
### Fix Focus Areas
- laokou-service/laokou-auth/laokou-auth-start/src/main/resources/templates/login.html[107-152]
- laokou-service/laokou-auth/laokou-auth-app/src/main/java/org/laokou/auth/command/query/CaptchaGetQryExe.java[40-51]
- laokou-service/laokou-auth/laokou-auth-infrastructure/src/main/java/org/laokou/auth/config/OAuth2ResourceServerConfig.java[49-72]
- laokou-service/laokou-auth/laokou-auth-infrastructure/src/main/java/org/laokou/auth/config/OAuth2AuthorizationServerConfig.java[176-186]
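The server-side check the comment above finds missing, as an added example that is not KCloud-Platform-IoT code: a filter that runs before Spring Security's UsernamePasswordAuthenticationFilter on POST /login, looks up the answer stored for the client-chosen uuid, and burns it on the first attempt so one solved captcha cannot be replayed. It assumes Spring Boot 3 / Spring Security 6 with Spring Data Redis against Redis 6.2 or later (GETDEL), a key prefix `auth:captcha:` and a five-minute TTL; the project's own key layout (`RedisKeyUtils.getAuthorizationCodeAuthCaptchaKey`) is not shown on this page, and the `CaptchaStore` class, its methods and the `example.auth` package are hypothetical names.

```java
// Added example, not project code. Assumptions: Spring Boot 3 / Spring Security 6,
// Spring Data Redis >= 2.6 on Redis >= 6.2 (GETDEL), key prefix "auth:captcha:", 5-minute TTL.
package example.auth;

import java.io.IOException;
import java.time.Duration;
import java.util.Locale;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.data.redis.core.StringRedisTemplate;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Rejects POST /login unless the submitted captcha matches the answer stored for the
 * client-chosen uuid, and consumes that answer so it cannot be replayed.
 *
 * Registration (assumed to live in the chain that owns formLogin):
 *   http.addFilterBefore(new CaptchaValidationFilter(new CaptchaStore(redis)),
 *                        UsernamePasswordAuthenticationFilter.class);
 */
public final class CaptchaValidationFilter extends OncePerRequestFilter {

    /** Same destination as Spring Security's default failure handling, so the login
     *  page still renders SPRING_SECURITY_LAST_EXCEPTION for a captcha failure. */
    private final AuthenticationFailureHandler onFailure =
            new SimpleUrlAuthenticationFailureHandler("/login?error");
    /** Path is servlet-relative; under context-path /api this matches POST /api/login. */
    private final RequestMatcher loginPost = new AntPathRequestMatcher("/login", "POST");
    private final CaptchaStore store;

    public CaptchaValidationFilter(CaptchaStore store) {
        this.store = store;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        if (!loginPost.matches(request)) {
            chain.doFilter(request, response);
            return;
        }
        // Field names match the login.html form: hidden "uuid" and visible "captcha".
        String uuid = request.getParameter("uuid");
        String answer = request.getParameter("captcha");
        if (!store.consume(uuid, answer)) {
            // Stop before the password is ever compared: a wrong or missing captcha must not
            // let /login act as a password oracle.
            onFailure.onAuthenticationFailure(request, response,
                    new BadCredentialsException("Invalid or expired captcha"));
            return;
        }
        chain.doFilter(request, response);
    }
}

/** One captcha answer per uuid: written once with a TTL, read-and-deleted exactly once. */
final class CaptchaStore {
    private static final String PREFIX = "auth:captcha:";      // assumed key layout
    private static final Duration TTL = Duration.ofMinutes(5);  // assumed lifetime
    private final StringRedisTemplate redis;

    CaptchaStore(StringRedisTemplate redis) {
        this.redis = redis;
    }

    /** Called by the GET .../captchas/{uuid} handler right after it renders the image. */
    public void issue(String uuid, String answer) {
        redis.opsForValue().set(PREFIX + uuid, normalize(answer), TTL);
    }

    /** GETDEL makes check-and-burn atomic, so two concurrent logins cannot both pass on one answer. */
    public boolean consume(String uuid, String submitted) {
        if (uuid == null || uuid.isBlank() || submitted == null) {
            return false;
        }
        String expected = redis.opsForValue().getAndDelete(PREFIX + uuid);
        return expected != null && expected.equals(normalize(submitted));
    }

    private static String normalize(String s) {
        return s.trim().toLowerCase(Locale.ROOT);
    }
}
```

Register it in the chain that configures formLogin (on this page that is `defaultSecurityFilterChain` in `OAuth2ResourceServerConfig`) with `addFilterBefore(..., UsernamePasswordAuthenticationFilter.class)`. The failure redirect reuses `/login?error`, which is exactly what the PR's switch to Spring Security's default failure handling already renders, so no custom handler is needed; the important property is that the stored answer is removed on the first attempt regardless of the password outcome.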
Summary by Sourcery
Improve the authentication flow and infrastructure for the login/authorization code process across auth services and supporting components.
New Features:
Enhancements:
MinioException, and update the API calls.
framework forward-headers strategy for better proxy/header handling.