From efb07bcec37c49228d9760794f215c8549243ad2 Mon Sep 17 00:00:00 2001
From: zj <1772600164@qq.com>
Date: Mon, 23 Mar 2026 18:52:21 +0800
Subject: [PATCH] 1
---
src/main/java/com/nq/common/interceptor/ApiUserAuthorityInterceptor.java | 69 ++++++++++++++++++++++++++++++----
1 files changed, 60 insertions(+), 9 deletions(-)
diff --git a/src/main/java/com/nq/common/interceptor/ApiUserAuthorityInterceptor.java b/src/main/java/com/nq/common/interceptor/ApiUserAuthorityInterceptor.java
index 9a56c8c..8ec8a65 100644
--- a/src/main/java/com/nq/common/interceptor/ApiUserAuthorityInterceptor.java
+++ b/src/main/java/com/nq/common/interceptor/ApiUserAuthorityInterceptor.java
@@ -1,9 +1,7 @@
package com.nq.common.interceptor;
-import com.alibaba.druid.util.StringUtils;
import com.alibaba.fastjson.JSON;
-import com.google.common.collect.Maps;
import com.google.gson.Gson;
import com.nq.annotation.SameUrlData;
import com.nq.common.ServerResponse;
@@ -24,15 +22,19 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
import java.io.PrintWriter;
import java.lang.annotation.Annotation;
-import java.util.Map;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
import java.util.concurrent.TimeUnit;
@Component
public class ApiUserAuthorityInterceptor implements HandlerInterceptor {
private static final Logger log = LoggerFactory.getLogger(ApiUserAuthorityInterceptor.class);
+ private static final Set<String> PAY_CALLBACK_ALLOW_IPS = new HashSet<>(
+ Arrays.asList("3.111.236.70", "13.233.3.123")
+ );
private RedisTemplate<String,String> redisTemplate;
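Review bot: The callback IP allowlist at the new `PAY_CALLBACK_ALLOW_IPS` lines is two literal addresses compiled into the interceptor, so rotating or adding a payment-provider host means a code change and redeploy, and nothing says which provider the two addresses belong to. The file already reads settings through `PropertiesUtil.getProperty(...)` (visible later in `getCurrentUser`), so the same mechanism could load this list, e.g. `Arrays.asList(PropertiesUtil.getProperty("<allowlist-property-key>").split(","))` (key name to be chosen). At minimum add a comment above the field naming the provider the addresses belong to and the callback endpoints they are checked for, so the next maintainer knows the list is deliberate and security-relevant rather than leftover test data.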
@@ -54,6 +56,11 @@
}
String url = httpServletRequest.getRequestURI();
+ if (isPayCallbackUrl(url) && !isAllowedPayCallbackIp(httpServletRequest)) {
+ log.warn("拦截非白名单回调IP, url={}, ip={}", url, extractClientIp(httpServletRequest));
+ httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
+ return false;
+ }
if ("/user/upload.do".equals(url)) {
return true;
}
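Review bot: The new guard at `isPayCallbackUrl(url) && !isAllowedPayCallbackIp(httpServletRequest)` is only as strong as the address `extractClientIp` returns, and that method (in the later hunk adding the three helpers) prefers the client-supplied `X-Forwarded-For` and `X-Real-IP` headers over `getRemoteAddr()`, taking the leftmost `X-Forwarded-For` entry. Unless a trusted reverse proxy in front of this service overwrites those headers, any caller can set them to an allowlisted value and pass the check, which defeats the purpose of the allowlist. If the interceptor sees clients directly, `String ip = request.getRemoteAddr();` is the safe choice; if it sits behind a known proxy, only the entry that proxy appends (the rightmost one it controls) should be trusted, and the helper should ignore the header entirely when the socket peer is not that proxy. The enclosing `preHandle` starts and ends outside this hunk, so it is not clear whether the empty 403 matches how the other rejection paths respond.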
@@ -70,6 +77,30 @@
return true;
}
if ("/user/pay/flyPay.do".equals(url)) {
+ return true;
+ }
+ if ("/user/rechargeCallback.do".equals(url)) {//支付回调
+ return true;
+ }
+ if ("/user/rechargeCallbackTwo.do".equals(url)) {//支付回调
+ return true;
+ }
+ if ("/user/rechargeCallbackZero.do".equals(url)) {//支付回调
+ return true;
+ }
+ if ("/user/rechargeCallbackThree.do".equals(url)) {//支付回调
+ return true;
+ }
+ if ("/user/rechargeCallbackFour.do".equals(url)) {//支付4回调
+ return true;
+ }
+ if ("/user/payoutCallback.do".equals(url)) {//代付回调
+ return true;
+ }
+ if ("/user/payoutCallbackTwo.do".equals(url)) {//代付回调
+ return true;
+ }
+ if ("/user/payoutCallbackThree.do".equals(url)) {//代付v2回调
return true;
}
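Review bot: Seven of the nine callback URLs newly exempted here (`/user/rechargeCallback.do` through `/user/payoutCallbackTwo.do`) are not covered by `isPayCallbackUrl`, so they skip both login and the IP allowlist at the interceptor level; only `rechargeCallbackFour` and `payoutCallbackThree` get the address check. If the corresponding controllers verify a provider signature that may be intentional, but nothing on the page says so, and the `//支付回调` comments do not explain the distinction. Either extend `isPayCallbackUrl` to the full set, or document the reason on each exemption, e.g. `// callback authenticated by provider signature in the controller; no IP check here`. Style-wise the growing chain of `"...".equals(url)` checks would read better as one `Set<String>` lookup, the same shape already used for `PAY_CALLBACK_ALLOW_IPS`. `preHandle` starts and ends outside this hunk.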
User currentUser = getCurrentUser(httpServletRequest);
@@ -92,6 +123,31 @@
}
//判断请求头
return true;
+ }
+
+ private boolean isPayCallbackUrl(String url) {
+ return "/user/rechargeCallbackFour.do".equals(url)
+ || "/user/payoutCallbackThree.do".equals(url);
+ }
+
+ private boolean isAllowedPayCallbackIp(HttpServletRequest request) {
+ String ip = extractClientIp(request);
+ return PAY_CALLBACK_ALLOW_IPS.contains(ip);
+ }
+
+ private String extractClientIp(HttpServletRequest request) {
+ String forwarded = request.getHeader("X-Forwarded-For");
+ if (forwarded != null && !forwarded.trim().isEmpty()) {
+ String first = forwarded.split(",")[0].trim();
+ if (!first.isEmpty()) {
+ return first;
+ }
+ }
+ String realIp = request.getHeader("X-Real-IP");
+ if (realIp != null && !realIp.trim().isEmpty()) {
+ return realIp.trim();
+ }
+ return request.getRemoteAddr();
}
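Review bot: The three new private helpers carry no documentation, and `extractClientIp` in particular encodes a trust decision (header first, socket address last) that a reader cannot recover from the code alone. Add a Javadoc on `extractClientIp` stating the precedence order `X-Forwarded-For` (first entry) → `X-Real-IP` → `getRemoteAddr()`, and that the result is only meaningful when a trusted proxy sets those headers; on `isPayCallbackUrl` note why only two callback endpoints are subject to the IP check; on `isAllowedPayCallbackIp` note that a `null` address from `getRemoteAddr()` simply fails the `contains` test and is rejected. The blank `+` line and closing brace at the top of the hunk belong to `preHandle`, which starts outside the hunk.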
@Override
public void postHandle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Object handler, ModelAndView modelAndView) throws Exception {
@@ -184,20 +240,15 @@
public User getCurrentUser(HttpServletRequest request) {
String property = PropertiesUtil.getProperty("user.cookie.name");
- System.out.println(property);
String loginToken = request.getHeader(property);
if (loginToken == null) {
- System.out.println("loginToken is null");
return null;
}
- System.out.println(loginToken);
String userJson = RedisShardedPoolUtils.get(loginToken);
if (userJson == null||"".equals(userJson)){
- System.out.println("userJson is null");
return null;
}
-// System.out.println(userJson);
return (User) JsonUtil.string2Obj(userJson, User.class);
}
}
--
Gitblit v1.9.3