解决SECBUGS-7

294b0420 · 技术部-任文超 · ff253f36 · 294b0420 · 294b0420 · 294b0420
Commit 294b0420 authored Nov 10, 2017 by 技术部-任文超
Showing with 37 additions and 5 deletions

.gitignore .gitignore +2 -1

Constants.java src/main/java/cn/quantgroup/xyqb/Constants.java +1 -0

UserController.java ...ntgroup/xyqb/controller/internal/user/UserController.java +34 -4

No files found.
--- a/.gitignore
+++ b/.gitignore
@@ -109,3 +109,4 @@ Temporary Items
 dump.rdb
 transaction-logs/
+.settings/
--- a/src/main/java/cn/quantgroup/xyqb/Constants.java
+++ b/src/main/java/cn/quantgroup/xyqb/Constants.java
@@ -37,6 +37,7 @@ public interface Constants {
  String REDIS_VERIFICATION_COUNT = "verification_code_count:";
  final Long Image_Need_Count=3L;
+  String REDIS_PASSWORD_ERROR_COUNT = "password_error_count:";
  /**
   * redis中token的key值前缀
   */

--- a/src/main/java/cn/quantgroup/xyqb/controller/internal/user/UserController.java
+++ b/src/main/java/cn/quantgroup/xyqb/controller/internal/user/UserController.java
@@ -204,12 +204,42 @@ public class UserController implements IBaseController {
    if (!ValidationUtil.validatePhoneNo(phoneNo)) {
      result.put("fail", JsonResult.buildErrorStateResult("登录失败", null));
    }
-    if (!smsService.validateFastLoginVerificationCode(phoneNo, verificationCode)) {
+    // 校验短信密码
+    validateFastLoginVerificationCode(result, phoneNo, verificationCode);
+    result.put("success", JsonResult.buildSuccessResult("", phoneNo));
+    return result;
+  }
+  /**
+   * 短信密码校验
+   * @param result - Map
+   * @param phoneNo - 登录手机号
+   * @param verificationCode - 短信密码
+   */
+  private void validateFastLoginVerificationCode(Map<String, JsonResult> result, String phoneNo, String verificationCode) {
+    if (smsService.validateFastLoginVerificationCode(phoneNo, verificationCode)) {
+      return;
+    }
+    // 短信密码错误时，给该账号添加计数器
+    String passwordErrorCountKey = Constants.REDIS_PASSWORD_ERROR_COUNT + phoneNo;
+    if (!stringRedisTemplate.hasKey(passwordErrorCountKey)) {
+      stringRedisTemplate.opsForValue().set(passwordErrorCountKey, String.valueOf(0), Constants.ONE_DAY, TimeUnit.SECONDS);
+    }
    LOGGER.info("用户快速登录，验证码校验失败,phoneNo:{} , verificationCode:{}", phoneNo, verificationCode);
+    // 密码错误计数
+    Long errorCount = stringRedisTemplate.opsForValue().increment(passwordErrorCountKey, 1L);
+    if(errorCount > Constants.Image_Need_Count){
+      // 短信密码错误次数超过上限，执行销毁
+      String verificationCodeKey = Constants.REDIS_PREFIX_VERIFICATION_CODE + phoneNo;
+      stringRedisTemplate.delete(verificationCodeKey);
+      // 短信密码错误计数器归零
+      stringRedisTemplate.opsForValue().set(passwordErrorCountKey, String.valueOf(0));
+      stringRedisTemplate.expire(passwordErrorCountKey, Constants.ONE_DAY, TimeUnit.SECONDS);
+      result.put("fail", JsonResult.buildErrorStateResult("错误次数过多，请重新获取短信验证码", null));
+    }else{
      result.put("fail", JsonResult.buildErrorStateResult("验证码不正确", null));
    }
-    result.put("success", JsonResult.buildSuccessResult("", phoneNo));
-    return result;
  }
  /**