bugfix:网关token移除login-user头信息后重新赋值引用

(cherry picked from commit 3abfd365693361e27d8ab193959b2162d1b4347a)
2025-04-14 14:01:20 +00:00 · 2025-04-14 14:01:20 +00:00 · 58a38d0302
commit 58a38d0302
parent d1c204e11d
1 changed files with 6 additions and 5 deletions
--- a/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java
+++ b/yudao-gateway/src/main/java/cn/iocoder/yudao/gateway/filter/security/TokenAuthenticationFilter.java
@ -81,9 +81,9 @@ public class TokenAuthenticationFilter implements GlobalFilter, Ordered {
    }

    @Override
-    public Mono<Void> filter(final ServerWebExchange exchange, GatewayFilterChain chain) {
+    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        // 移除 login-user 的请求头，避免伪造模拟
-        SecurityFrameworkUtils.removeLoginUser(exchange);
+        exchange = SecurityFrameworkUtils.removeLoginUser(exchange);

        // 情况一，如果没有 Token 令牌，则直接继续 filter
        String token = SecurityFrameworkUtils.obtainAuthorization(exchange);
@ -93,17 +93,18 @@ public class TokenAuthenticationFilter implements GlobalFilter, Ordered {

        // 情况二，如果有 Token 令牌，则解析对应 userId、userType、tenantId 等字段，并通过 通过 Header 转发给服务
        // 重要说明：defaultIfEmpty 作用，保证 Mono.empty() 情况，可以继续执行 `flatMap 的 chain.filter(exchange)` 逻辑，避免返回给前端空的 Response！！
+        ServerWebExchange finalExchange = exchange;
        return getLoginUser(exchange, token).defaultIfEmpty(LOGIN_USER_EMPTY).flatMap(user -> {
            // 1. 无用户，直接 filter 继续请求
            if (user == LOGIN_USER_EMPTY || // 下面 expiresTime 的判断，为了解决 token 实际已经过期的情况
                    user.getExpiresTime() == null || LocalDateTimeUtils.beforeNow(user.getExpiresTime())) {
-                return chain.filter(exchange);
+                return chain.filter(finalExchange);
            }

            // 2.1 有用户，则设置登录用户
-            SecurityFrameworkUtils.setLoginUser(exchange, user);
+            SecurityFrameworkUtils.setLoginUser(finalExchange, user);
            // 2.2 将 user 并设置到 login-user 的请求头，使用 json 存储值
-            ServerWebExchange newExchange = exchange.mutate()
+            ServerWebExchange newExchange = finalExchange.mutate()
                    .request(builder -> SecurityFrameworkUtils.setLoginUserHeader(builder, user)).build();
            return chain.filter(newExchange);
        });