
继续推进 userId 混淆

reghao 11 bulan lalu
f3c79a9d10

+ 3 - 3
account/account-service/src/main/java/cn/reghao/tnb/account/app/redis/RedisKeys.java

@@ -70,15 +70,15 @@ public class RedisKeys {
         return String.format("tnb:account:login:signkey:refresh:%s", refreshToken);
     }
 
-    public static String getAccessTokenKey(long userId, String loginId) {
+    public static String getAccessTokenKey(String userId, String loginId) {
         return String.format("tnb:account:login:%s:accesstoken:%s", userId, loginId);
     }
 
-    public static String getRefreshTokenKey(long userId, String loginId) {
+    public static String getRefreshTokenKey(String userId, String loginId) {
         return String.format("tnb:account:login:%s:refreshtoken:%s", userId, loginId);
     }
 
-    public static String getAuthTokenKey(long userId, Integer plat, String loginId) {
+    public static String getAuthTokenKey(String userId, Integer plat, String loginId) {
         return String.format("tnb:account:login:%s:authtoken:%s:%s", userId, plat, loginId);
     }
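Review bot: The three key builders now take the obfuscated id, but nothing in RedisKeys says so, and since `%s` formats a raw numeric string just as happily as an obfuscated one, a caller that still passes `String.valueOf(userId)` would silently write under a different key namespace. I would add a comment above getAccessTokenKey: `// userId is the obfuscated form (IDObfuscation.obfuscate(long)), never the raw numeric id; all login keys for a user must be built from the same form`. Note also that entries written under the old numeric keys before this deploy are no longer reachable by the new builders, so tokens granted before the rollout cannot be revoked by revokeUserToken unless they are migrated or allowed to expire; whether that matters depends on the TTLs, which are not visible here.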
 

+ 2 - 0
account/account-service/src/main/java/cn/reghao/tnb/account/app/security/handler/AuthSuccessHandlerImpl.java

@@ -103,6 +103,8 @@ public class AuthSuccessHandlerImpl implements AuthenticationSuccessHandler {
             accountLoginRet = new AccountLoginRet(userIdStr, loginId, plat, redirectPath);
         } else if (LoginPlat.android.getValue() == plat) {
             AccountInfo accountInfo = userAccountMapper.findAccountInfo(userId);
+            String userIdStr = userIdObfuscation.obfuscate(Long.parseLong(accountInfo.getUserId()));
+            accountInfo.setUserId(userIdStr);
             AccountToken accountToken = accountTokenService.grantUserToken(authToken);
             accountLoginRet = new AccountLoginRet(accountInfo, accountToken, redirectPath);
         }
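Review bot: `Long.parseLong(accountInfo.getUserId())` round-trips the id through a String only to obfuscate it, and it introduces a NumberFormatException (or an NPE if the mapper returns null) on a path that previously had neither. The `userId` already in scope on the line above is passed to `findAccountInfo(userId)`; if it is the same value, `String userIdStr = userIdObfuscation.obfuscate(userId);` avoids the parse entirely. If the mapper may legitimately return null for this id, that case should be handled before `accountInfo.setUserId(...)`. The enclosing method starts and ends outside this hunk, so I cannot see whether the earlier branch's `userIdStr` (line 37) is derived the same way.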

+ 15 - 8
account/account-service/src/main/java/cn/reghao/tnb/account/app/service/impl/AccountTokenServiceImpl.java

@@ -2,6 +2,7 @@ package cn.reghao.tnb.account.app.service.impl;
 
 import cn.reghao.jutil.jdk.security.RandomString;
 import cn.reghao.jutil.jdk.security.RsaCryptor;
+import cn.reghao.jutil.jdk.string.IDObfuscation;
 import cn.reghao.tnb.account.api.constant.TokenType;
 import cn.reghao.tnb.account.app.db.mapper.LoginAttemptsMapper;
 import cn.reghao.tnb.account.app.model.constant.LoginPlat;
@@ -49,10 +50,12 @@ public class AccountTokenServiceImpl implements AccountTokenService {
     private final UserAccountMapper userAccountMapper;
     private final LoginAttemptsMapper loginAttemptsMapper;
     private final PubkeyService pubkeyService;
+    private final IDObfuscation userIdObfuscation;
 
     public AccountTokenServiceImpl(RedisOps redisOps, RedisString redisString, RedisStringObject redisStringObject,
                                    UserAccountMapper userAccountMapper, LoginAttemptsMapper loginAttemptsMapper,
-                                   ServerProperties serverProperties, PubkeyService pubkeyService) {
+                                   ServerProperties serverProperties, PubkeyService pubkeyService,
+                                   IDObfuscation userIdObfuscation) {
         long sessionTimeout = serverProperties.getServlet().getSession().getTimeout().getSeconds();
         serverProperties.getTomcat().getBasedir();
         this.redisOps = redisOps;
@@ -61,6 +64,7 @@ public class AccountTokenServiceImpl implements AccountTokenService {
         this.userAccountMapper = userAccountMapper;
         this.loginAttemptsMapper = loginAttemptsMapper;
         this.pubkeyService = pubkeyService;
+        this.userIdObfuscation = userIdObfuscation;
     }
 
     @Override
@@ -134,7 +138,8 @@ public class AccountTokenServiceImpl implements AccountTokenService {
         int plat = refreshPayload.getPlat();
         String loginId = refreshPayload.getLoginId();
         long userId = refreshPayload.getUserId();
-        Object object = redisStringObject.get(RedisKeys.getAuthTokenKey(userId, plat, loginId));
+        String userIdStr = userIdObfuscation.obfuscate(userId);
+        Object object = redisStringObject.get(RedisKeys.getAuthTokenKey(userIdStr, plat, loginId));
         AccountAuthToken authToken = (AccountAuthToken) object;
 
         AccountToken accountToken = grantUserToken(authToken);
@@ -148,7 +153,8 @@ public class AccountTokenServiceImpl implements AccountTokenService {
 
     @Override
     public AccountToken grantUserToken(AccountAuthToken authToken) {
-        long userId = authToken.getUserId();
+        long userId1 = authToken.getUserId();
+        String userId = userIdObfuscation.obfuscate(userId1);
         int plat = authToken.getPlat();
         long accessExpireIn = 1000L*3600*24*7;
         long accessExpireAt = System.currentTimeMillis() + accessExpireIn;
@@ -263,11 +269,12 @@ public class AccountTokenServiceImpl implements AccountTokenService {
     }
 
     private void revokeUserToken(long userId, int plat, String loginId) {
-        String refreshToken = redisString.get(RedisKeys.getRefreshTokenKey(userId, loginId));
-        String accessToken = redisString.get(RedisKeys.getAccessTokenKey(userId, loginId));
-        String[] keys = List.of(RedisKeys.getRefreshTokenKey(userId, loginId),
-                        RedisKeys.getAccessTokenKey(userId, loginId),
-                        RedisKeys.getAuthTokenKey(userId ,plat, loginId),
+        String userIdStr = userIdObfuscation.obfuscate(userId);
+        String refreshToken = redisString.get(RedisKeys.getRefreshTokenKey(userIdStr, loginId));
+        String accessToken = redisString.get(RedisKeys.getAccessTokenKey(userIdStr, loginId));
+        String[] keys = List.of(RedisKeys.getRefreshTokenKey(userIdStr, loginId),
+                        RedisKeys.getAccessTokenKey(userIdStr, loginId),
+                        RedisKeys.getAuthTokenKey(userIdStr ,plat, loginId),
                         RedisKeys.getRefreshSignKeyKey(refreshToken),
                         RedisKeys.getAccessSignKeyKey(accessToken))
                 .toArray(new String[0]);
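Review bot: In grantUserToken the pair `userId1` / `userId` is hard to read: `userId` is now a String holding the obfuscated form, while `revokeUserToken(long userId, ...)` in the last hunk keeps `userId` as the raw long, so the same name means a different type two methods apart. I would use one convention across the class, e.g. `long rawUserId = authToken.getUserId();` and `String userId = userIdObfuscation.obfuscate(rawUserId);`, matching the `userIdStr` name already used in the refresh hunk and in revokeUserToken. The body of grantUserToken continues outside the hunk, so I cannot confirm every later use of `userId` expects the obfuscated String rather than the long.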

+ 8 - 1
content/content-service/src/main/java/cn/reghao/tnb/content/app/config/web/TokenFilter.java

@@ -1,5 +1,6 @@
 package cn.reghao.tnb.content.app.config.web;
 
+import cn.reghao.jutil.jdk.string.IDObfuscation;
 import cn.reghao.jutil.web.ServletUtil;
 import cn.reghao.tnb.common.auth.LoginUser;
 import cn.reghao.tnb.common.auth.UserContext;
@@ -14,6 +15,12 @@ import java.io.IOException;
  */
 @Component
 public class TokenFilter implements Filter {
+    private final IDObfuscation userIdObfuscation;
+
+    public TokenFilter(IDObfuscation userIdObfuscation) {
+        this.userIdObfuscation = userIdObfuscation;
+    }
+
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
     }
@@ -27,7 +34,7 @@ public class TokenFilter implements Filter {
         }
 
         String loginId = ServletUtil.getHeader("x-login-id");
-        LoginUser loginUser = new LoginUser(Long.parseLong(userId));
+        LoginUser loginUser = new LoginUser(userIdObfuscation.restore(userId));
         try (UserContext context = new UserContext(loginUser)) {
             chain.doFilter(request, response);
         }
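Review bot: Unlike the file-service and user-service TokenFilter hunks in this commit, this one passes `userId` straight to `userIdObfuscation.restore(userId)` with no null handling in view; if the `}` at the top of the hunk closes an earlier header check that returns or rejects, this is fine, but the hunk does not show it, so the three filters should at least be made consistent. Separately, restore() only decodes the header, it does not authenticate it, so the filter still relies on a trusted upstream setting `x-user-id` after token validation; that assumption is worth recording in a comment on the field, e.g. `// x-user-id carries the obfuscated id set by the gateway after auth; restore() decodes it and must not be treated as an authorization check`. If restore() throws on a malformed value, the filter should map that to a client error rather than let it surface as a 500 — the behaviour of IDObfuscation on bad input is not visible here.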

+ 17 - 0
file/file-service/src/main/java/cn/reghao/tnb/file/app/config/BeansConfig.java

@@ -0,0 +1,17 @@
+package cn.reghao.tnb.file.app.config;
+
+import cn.reghao.jutil.jdk.string.IDObfuscation;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+/**
+ * @author reghao
+ * @date 2025-04-02 20:49:55
+ */
+@Configuration
+public class BeansConfig {
+    @Bean
+    public IDObfuscation userIdObfuscation() {
+        return new IDObfuscation(0x12345);
+    }
+}
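Review bot: `new IDObfuscation(0x12345)` hard-codes the obfuscation parameter in source, and every service that decodes `x-user-id` (content, user and file in this commit) must construct its bean with exactly the same value; only the file-service configuration is in this diff, so drift between services would show up as silently wrong user ids. I would read it from configuration instead, e.g. `@Value("${tnb.userid.obfuscation.seed}") long seed` on the bean method and `return new IDObfuscation(seed);`, so one deployment-wide value is used and it is not committed to the repository. Since the transform is reversible and the constant is in source, this hides sequential ids from casual inspection but is not a secret; the Javadoc, which currently carries only `@author`/`@date`, should say that, e.g. `/** Shared IDObfuscation used to encode user ids in x-user-id headers; the seed must match across services. */`.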

+ 12 - 1
file/file-service/src/main/java/cn/reghao/tnb/file/app/config/web/TokenFilter.java

@@ -1,5 +1,6 @@
 package cn.reghao.tnb.file.app.config.web;
 
+import cn.reghao.jutil.jdk.string.IDObfuscation;
 import cn.reghao.jutil.web.ServletUtil;
 import cn.reghao.tnb.common.auth.LoginUser;
 import cn.reghao.tnb.common.auth.UserContext;
@@ -14,6 +15,12 @@ import java.io.IOException;
  */
 @Component
 public class TokenFilter implements Filter {
+    private final IDObfuscation userIdObfuscation;
+
+    public TokenFilter(IDObfuscation userIdObfuscation) {
+        this.userIdObfuscation = userIdObfuscation;
+    }
+
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
     }
@@ -22,8 +29,12 @@ public class TokenFilter implements Filter {
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
             throws IOException, ServletException {
         String userId = ServletUtil.getHeader("x-user-id");
+        if (userId == null) {
+            userId = "-1";
+        }
+
         String loginId = ServletUtil.getHeader("x-login-id");
-        LoginUser loginUser = new LoginUser(Long.parseLong(userId));
+        LoginUser loginUser = new LoginUser(userIdObfuscation.restore(userId));
         try (UserContext context = new UserContext(loginUser)) {
             chain.doFilter(request, response);
         }
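Review bot: The `"-1"` fallback is then fed through `userIdObfuscation.restore(userId)`; before this change `Long.parseLong("-1")` yielded -1, but now the literal "-1" is decoded as if it were an obfuscated id, so the anonymous sentinel almost certainly no longer maps to -1 and may not decode at all, depending on how IDObfuscation treats malformed input. The sentinel should bypass restore: `long uid = userId == null ? -1L : userIdObfuscation.restore(userId);` followed by `LoginUser loginUser = new LoginUser(uid);`, dropping the string reassignment. The same pattern appears in the user-service TokenFilter hunk at the end of this commit.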

+ 12 - 1
user/user-service/src/main/java/cn/reghao/tnb/user/app/config/web/TokenFilter.java

@@ -1,5 +1,6 @@
 package cn.reghao.tnb.user.app.config.web;
 
+import cn.reghao.jutil.jdk.string.IDObfuscation;
 import cn.reghao.jutil.web.ServletUtil;
 import cn.reghao.tnb.common.auth.LoginUser;
 import cn.reghao.tnb.common.auth.UserContext;
@@ -14,6 +15,12 @@ import java.io.IOException;
  */
 @Component
 public class TokenFilter implements Filter {
+    private final IDObfuscation userIdObfuscation;
+
+    public TokenFilter(IDObfuscation userIdObfuscation) {
+        this.userIdObfuscation = userIdObfuscation;
+    }
+
     @Override
     public void init(FilterConfig filterConfig) throws ServletException {
     }
@@ -22,8 +29,12 @@ public class TokenFilter implements Filter {
     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
             throws IOException, ServletException {
         String userId = ServletUtil.getHeader("x-user-id");
+        if (userId == null) {
+            userId = "-1";
+        }
+
         String loginId = ServletUtil.getHeader("x-login-id");
-        LoginUser loginUser = new LoginUser(Long.parseLong(userId));
+        LoginUser loginUser = new LoginUser(userIdObfuscation.restore(userId));
         try (UserContext context = new UserContext(loginUser)) {
             chain.doFilter(request, response);
         }