
提升社交登录安全性

MrBird 5 rokov pred
rodič
commit
db596cb8bb

+ 1 - 1
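--- a/febs-auth/src/main/java/cc/mrbird/febs/auth/service/impl/FebsUserDetailServiceImpl.java
+++ b/febs-auth/src/main/java/cc/mrbird/febs/auth/service/impl/FebsUserDetailServiceImpl.java
@@ -43,7 +43,7 @@ public class FebsUserDetailServiceImpl implements UserDetailsService {
             String password = systemUser.getPassword();
             String loginType = (String) httpServletRequest.getAttribute(ParamsConstant.LOGIN_TYPE);
             if (StringUtils.equals(loginType, SocialConstant.SOCIAL_LOGIN)) {
-                password = passwordEncoder.encode(SocialConstant.SOCIAL_LOGIN_PASSWORD);
+                password = passwordEncoder.encode(SocialConstant.getSocialLoginPassword());
             }
 
             List<GrantedAuthority> grantedAuthorities = AuthorityUtils.NO_AUTHORITIES;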
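Review bot: `SocialConstant.getSocialLoginPassword()` on the added line can return null, because it only reads (and then clears) a ThreadLocal that `SocialLoginServiceImpl` must have populated earlier on the same request thread; when that did not happen, `passwordEncoder.encode(null)` is reached and the failure mode is left to the encoder. The branch should reject the login explicitly instead, e.g. `String socialPassword = SocialConstant.getSocialLoginPassword();` followed by `if (socialPassword == null) { throw new IllegalStateException("social login password was not prepared on this thread"); }` before the `encode` call. A short comment such as `// one-shot value published by SocialLoginServiceImpl on this same thread; consumed (cleared) here` would make the cross-class coupling visible to the next maintainer. The enclosing method starts and ends outside the hunk.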

+ 1 - 1
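--- a/febs-auth/src/main/java/cc/mrbird/febs/auth/service/impl/SocialLoginServiceImpl.java
+++ b/febs-auth/src/main/java/cc/mrbird/febs/auth/service/impl/SocialLoginServiceImpl.java
@@ -203,7 +203,7 @@ public class SocialLoginServiceImpl implements SocialLoginService {
         Map<String, String> requestParameters = new HashMap<>(5);
         requestParameters.put(ParamsConstant.GRANT_TYPE, GrantTypeConstant.PASSWORD);
         requestParameters.put(USERNAME, user.getUsername());
-        requestParameters.put(PASSWORD, SocialConstant.SOCIAL_LOGIN_PASSWORD);
+        requestParameters.put(PASSWORD, SocialConstant.setSocialLoginPassword());
 
         String grantTypes = String.join(StringConstant.COMMA, clientDetails.getAuthorizedGrantTypes());
         TokenRequest tokenRequest = new TokenRequest(requestParameters, clientDetails.getClientId(), clientDetails.getScope(), grantTypes);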
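Review bot: The ThreadLocal populated by `SocialConstant.setSocialLoginPassword()` on the added line is only cleared if the downstream `UserDetailsService` lookup actually reaches its social-login branch; if token granting fails before that point, or runs on a different thread, the random credential stays attached to the pooled request thread. The remainder of the method (the token request and grant, which continue outside this hunk) should be wrapped in `try { ... } finally { SocialConstant.PASSWORD_THREAD_LOCAL.remove(); }` so the value never outlives the request. The same-thread assumption between this line and the lookup is worth a one-line comment here, since nothing in the code enforces it.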

+ 25 - 1
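--- a/febs-common/febs-common-core/src/main/java/cc/mrbird/febs/common/core/entity/constant/SocialConstant.java
+++ b/febs-common/febs-common-core/src/main/java/cc/mrbird/febs/common/core/entity/constant/SocialConstant.java
@@ -1,10 +1,34 @@
 package cc.mrbird.febs.common.core.entity.constant;
 
+import org.apache.commons.lang3.RandomStringUtils;
+
 /**
  * @author MrBird
  */
 public interface SocialConstant {
 
     String SOCIAL_LOGIN = "social_login";
-    String SOCIAL_LOGIN_PASSWORD = "febs_social_login_password";
+    ThreadLocal<String> PASSWORD_THREAD_LOCAL = new ThreadLocal<>();
+
+    /**
+     * 获取随机生成的密码
+     *
+     * @return String 密码
+     */
+    static String getSocialLoginPassword() {
+        String password = PASSWORD_THREAD_LOCAL.get();
+        PASSWORD_THREAD_LOCAL.remove();
+        return password;
+    }
+
+    /**
+     * 设置随机生成的密码
+     *
+     * @return String 密码
+     */
+    static String setSocialLoginPassword() {
+        String randomPassword = RandomStringUtils.randomAlphanumeric(64);
+        PASSWORD_THREAD_LOCAL.set(randomPassword);
+        return randomPassword;
+    }
 }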
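Review bot: `RandomStringUtils.randomAlphanumeric(64)` in `setSocialLoginPassword()` draws from commons-lang3's shared `java.util.Random` (in the releases of this era), which is not a cryptographic source, yet the value is used as a credential in a password grant; generate it from `SecureRandom` instead, e.g. an interface constant `SecureRandom SECURE_RANDOM = new SecureRandom();` and `RandomStringUtils.random(64, 0, 0, true, true, null, SECURE_RANDOM)`. The two Javadocs should state the contract the callers depend on: `setSocialLoginPassword` generates a fresh value and publishes it to the current thread, while `getSocialLoginPassword` is one-shot — it clears the value and returns null when nothing was published on this thread. `PASSWORD_THREAD_LOCAL` is implicitly public as an interface field, so a comment noting that it is an implementation detail shared only with `SocialLoginServiceImpl` and `FebsUserDetailServiceImpl` would discourage other uses. The name `setSocialLoginPassword` reads like a plain setter although it generates and returns a value; `newSocialLoginPassword` would be clearer, though renaming touches the two call sites in the other files.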