forbit duplicate submit

huanggang
1 parent 8e38b431
Showing 11 changed files with 315 additions and 59 deletions
cashier-boss/src/main/java/com/diligrp/cashier/boss/BossConfiguration.java
cashier-boss/src/main/java/com/diligrp/cashier/boss/controller/WechatPaymentController.java
cashier-boss/src/main/java/com/diligrp/cashier/boss/util/HttpUtils.java
cashier-shared/src/main/java/com/diligrp/cashier/shared/Constants.java
cashier-shared/src/main/java/com/diligrp/cashier/shared/codec/ByteCodec.java
cashier-shared/src/main/java/com/diligrp/cashier/shared/codec/ObjectCodec.java
cashier-shared/src/main/java/com/diligrp/cashier/shared/http/AntPathRequestMatcher.java
cashier-shared/src/main/java/com/diligrp/cashier/shared/http/DuplicateSubmitFilter.java
cashier-shared/src/main/java/com/diligrp/cashier/shared/http/HttpRequestMatcher.java
cashier-shared/src/main/java/com/diligrp/cashier/shared/http/OrRequestMatcher.java
cashier-trade/src/main/java/com/diligrp/cashier/trade/manager/PaymentResultManager.java
 package com.diligrp.cashier.boss;
  
+import com.diligrp.cashier.shared.http.DuplicateSubmitFilter;
 import com.diligrp.cashier.shared.mybatis.MybatisMapperSupport;
 import com.diligrp.cashier.shared.service.LifeCycle;
 import jakarta.annotation.Resource;
@@ -11,8 +12,10 @@ import org.springframework.boot.context.properties.ConfigurationProperties;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.web.filter.GenericFilterBean;
  
 import java.util.List;
+import java.util.concurrent.TimeUnit;
  
 @Configuration
 @ComponentScan("com.diligrp.cashier.boss")
@@ -28,6 +31,17 @@ public class BossConfiguration implements ApplicationRunner {
         return new CashierDeskProperties();
     }
  
+    @Bean
+    public GenericFilterBean duplicateSubmitFilter() {
+        // 配置防重复提交过滤器
+        DuplicateSubmitFilter.Builder builder = new DuplicateSubmitFilter.Builder();
+        builder.requestMatcher("/payment/cashier/submitOrder")
+            .forbidSubmit(1, TimeUnit.SECONDS)
+            .requestMatchers("/payment/cashier/orderPayment", "/payment/cashier/orderRefund")
+            .forbidSubmit(1200, TimeUnit.MILLISECONDS);
+        return builder.build();
+    }
+
     @Override
     public void run(ApplicationArguments args) throws Exception {
         List<LifeCycle> lifeCycles = lifeCycleProvider.stream().toList();
 package com.diligrp.cashier.boss.controller;
  
 import com.diligrp.cashier.boss.exception.BossServiceException;
-import com.diligrp.cashier.boss.util.HttpUtils;
 import com.diligrp.cashier.pipeline.core.WechatPartnerPipeline;
 import com.diligrp.cashier.pipeline.core.WechatPipeline;
 import com.diligrp.cashier.pipeline.domain.OnlinePaymentResponse;
@@ -17,6 +16,7 @@ import com.diligrp.cashier.pipeline.util.WechatStateUtils;
 import com.diligrp.cashier.shared.ErrorCode;
 import com.diligrp.cashier.shared.domain.Message;
 import com.diligrp.cashier.shared.util.DateUtils;
+import com.diligrp.cashier.shared.util.HttpUtils;
 import com.diligrp.cashier.shared.util.JsonUtils;
 import com.diligrp.cashier.trade.model.OnlinePayment;
 import com.diligrp.cashier.trade.service.ICashierPaymentService;
-package com.diligrp.cashier.boss.util;
-
-import com.diligrp.cashier.boss.Constants;
-import jakarta.servlet.http.HttpServletRequest;
-import jakarta.servlet.http.HttpServletResponse;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import java.io.BufferedReader;
-import java.io.IOException;
-import java.nio.charset.StandardCharsets;
-
-/**
- * HTTP工具类
- */
-public final class HttpUtils {
-
-    private static final Logger LOG = LoggerFactory.getLogger(HttpUtils.class);
-
-    public static String httpBody(HttpServletRequest request) {
-        StringBuilder payload = new StringBuilder();
-        try {
-            String line;
-            BufferedReader reader = request.getReader();
-            while ((line = reader.readLine()) != null) {
-                payload.append(line);
-            }
-        } catch (IOException iex) {
-            LOG.error("Failed to extract http body", iex);
-        }
-
-        return payload.toString();
-    }
-
-    public static void sendResponse(HttpServletResponse response, String payload) {
-        try {
-            response.setContentType(Constants.CONTENT_TYPE);
-            byte[] responseBytes = payload.getBytes(StandardCharsets.UTF_8);
-            response.setContentLength(responseBytes.length);
-            response.getOutputStream().write(responseBytes);
-            response.flushBuffer();
-        } catch (IOException iex) {
-            LOG.error("Failed to write data packet back");
-        }
-    }
-}
 package com.diligrp.cashier.shared;
  
 public final class Constants {
-    public static final String SIGN_ALGORITHM = "SHA1WithRSA";
+    public static final String DUPLICATE_SUBMIT_KEY = "cashier:security:resubmit:%s";
  
     public static final String DATE_TIME_FORMAT = "yyyy-MM-dd HH:mm:ss";
  
@@ -9,10 +9,6 @@ public final class Constants {
  
     public static final String TIME_FORMAT = "HH:mm:ss";
  
-    public static final int CORE_POOL_SIZE = Runtime.getRuntime().availableProcessors() + 1;
-
-    public static final int MAX_POOL_SIZE = 200;
-
     public final static String CONTENT_TYPE = "application/json;charset=UTF-8";
  
     public final static String PRODUCT_NAME = "cashier:";
 package com.diligrp.cashier.shared.codec;
  
+import java.io.IOException;
+
 public interface ByteCodec<T> {
  
-    T decode(byte[] payload);
+    T decode(byte[] payload) throws IOException;
  
-    byte[] encode(T payload);
+    byte[] encode(T payload) throws IOException;
 }
+package com.diligrp.cashier.shared.codec;
+
+import java.io.*;
+
+public final class ObjectCodec implements ByteCodec<Object> {
+
+    public static ByteCodec<Object> INSTANCE = new ObjectCodec();
+
+    @Override
+    public Object decode(byte[] payload)  throws IOException {
+        try (ObjectInputStream is = new ObjectInputStream(new ByteArrayInputStream(payload))) {
+            return is.readObject();
+        } catch (Exception ex) {
+            throw new IOException(ex);
+        }
+    }
+
+    @Override
+    public byte[] encode(Object payload) throws IOException {
+        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
+        ObjectOutputStream os = new ObjectOutputStream(buffer);
+        os.writeObject(payload);
+        os.close();
+        return buffer.toByteArray();
+    }
+}
+package com.diligrp.cashier.shared.http;
+
+import jakarta.servlet.http.HttpServletRequest;
+import org.springframework.http.HttpMethod;
+import org.springframework.util.AntPathMatcher;
+import org.springframework.util.Assert;
+import org.springframework.util.PathMatcher;
+import org.springframework.util.StringUtils;
+import org.springframework.web.util.UrlPathHelper;
+
+public class AntPathRequestMatcher implements HttpRequestMatcher {
+
+    private final String pattern;
+
+    private final HttpMethod httpMethod;
+
+    private final PathMatcher matcher;
+
+    private final UrlPathHelper urlPathHelper;
+
+    public AntPathRequestMatcher(String pattern, HttpMethod httpMethod, boolean caseSensitive) {
+        Assert.hasText(pattern, "Pattern cannot be null or empty");
+        this.pattern = pattern;
+        this.httpMethod = httpMethod;
+        this.matcher = createPathMatcher(caseSensitive);
+        this.urlPathHelper = new UrlPathHelper();
+    }
+
+    @Override
+    public boolean matches(HttpServletRequest request) {
+        if (this.httpMethod != null && StringUtils.hasText(request.getMethod()) &&
+            this.httpMethod != HttpMethod.valueOf(request.getMethod())) {
+            return false;
+        }
+        if (this.pattern.equals("/**")) {
+            return true;
+        }
+
+        String url = this.urlPathHelper.getPathWithinApplication(request);
+        return this.matcher.match(this.pattern, url);
+    }
+
+    private PathMatcher createPathMatcher(boolean caseSensitive) {
+        AntPathMatcher pathMatcher = new AntPathMatcher();
+        pathMatcher.setTrimTokens(false);
+        pathMatcher.setCaseSensitive(caseSensitive);
+        return pathMatcher;
+    }
+}
+package com.diligrp.cashier.shared.http;
+
+import com.diligrp.cashier.shared.Constants;
+import com.diligrp.cashier.shared.ErrorCode;
+import com.diligrp.cashier.shared.codec.StringCodec;
+import com.diligrp.cashier.shared.domain.Message;
+import com.diligrp.cashier.shared.exception.PlatformServiceException;
+import com.diligrp.cashier.shared.security.Md5Cipher;
+import com.diligrp.cashier.shared.util.HttpUtils;
+import com.diligrp.cashier.shared.util.JsonUtils;
+import jakarta.annotation.Resource;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.data.redis.core.StringRedisTemplate;
+import org.springframework.http.HttpMethod;
+import org.springframework.util.Assert;
+import org.springframework.util.ObjectUtils;
+import org.springframework.web.filter.GenericFilterBean;
+import org.springframework.web.util.ContentCachingRequestWrapper;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.Collections;
+import java.util.List;
+import java.util.concurrent.TimeUnit;
+
+/**
+ * 防重复提交过滤器
+ */
+public class DuplicateSubmitFilter extends GenericFilterBean {
+
+    private static final Logger LOG = LoggerFactory.getLogger(DuplicateSubmitFilter.class);
+
+    private final List<RequestMapping> mappings;
+
+    @Resource
+    private StringRedisTemplate stringRedisTemplate;
+
+    public DuplicateSubmitFilter(List<RequestMapping> mappings) {
+        this.mappings = mappings;
+    }
+
+    @Override
+    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
+        HttpServletRequest httpRequest = (HttpServletRequest) request;
+        for (RequestMapping mapping : this.mappings) {
+            try {
+                if (mapping.match((HttpServletRequest) request)) {
+                    LOG.debug("{} filtered", this.getClass().getSimpleName());
+                    // 缓存当前请求以便可以重复读取请求数据
+                    request = new ContentCachingRequestWrapper(httpRequest);
+                    String requestId = requestId((ContentCachingRequestWrapper) request);
+                    String requestKey = String.format(Constants.DUPLICATE_SUBMIT_KEY, requestId);
+                    Boolean success = stringRedisTemplate.opsForValue().setIfAbsent(requestKey,
+                        requestId, mapping.getDuration(), mapping.getTimeUnit());
+                    if (success == null || !success) {
+                        Message<?> message = Message.failure(ErrorCode.OPERATION_NOT_ALLOWED, "请求重复提交，访问被拒绝");
+                        HttpUtils.sendResponse((HttpServletResponse) response, JsonUtils.toJsonString(message));
+                        return;
+                    }
+                }
+            } catch (PlatformServiceException ex) {
+                throw ex;
+            } catch (Exception ex) {
+                LOG.error("防重复提交过滤器处理失败", ex);
+                Message<?> message = Message.failure(ErrorCode.SYSTEM_UNKNOWN_ERROR, "防重复提交过滤器处理失败");
+                HttpUtils.sendResponse((HttpServletResponse) response, JsonUtils.toJsonString(message));
+                return;
+            }
+        }
+
+        chain.doFilter(request, response);
+    }
+
+    @Override
+    public void afterPropertiesSet() throws ServletException {
+        super.afterPropertiesSet();
+        Assert.notEmpty(mappings, "duplicate submit request setting must be specified");
+    }
+
+    public static class RequestMapping {
+        private final HttpRequestMatcher requestMatcher;
+
+        private final long duration;
+
+        private final TimeUnit timeUnit;
+
+        public RequestMapping(HttpRequestMatcher requestMatcher, long duration, TimeUnit timeUnit) {
+            this.requestMatcher = requestMatcher;
+            this.duration = duration;
+            this.timeUnit = timeUnit;
+        }
+
+        public boolean match(HttpServletRequest request) {
+            return this.requestMatcher.matches(request);
+        }
+
+        public long getDuration() {
+            return duration;
+        }
+
+        public TimeUnit getTimeUnit() {
+            return timeUnit;
+        }
+    }
+
+    private String requestId(ContentCachingRequestWrapper request) throws Exception {
+        String requestURI = request.getRequestURI();
+        String queryString = request.getQueryString();
+        if (!ObjectUtils.isEmpty(queryString)) {
+            requestURI = requestURI.concat("?").concat(queryString);
+        }
+
+        byte[] uri = StringCodec.INSTANCE.encode(requestURI);
+        byte[] body = request.getContentAsByteArray();
+        byte[] data = new byte[uri.length + body.length];
+        System.arraycopy(uri, 0, data, 0, uri.length);
+        System.arraycopy(body, 0, data, uri.length, body.length);
+
+        return Base64.getEncoder().encodeToString(Md5Cipher.encrypt(data));
+    }
+
+    public static class Builder {
+
+        private final List<RequestMapping> mappings = new ArrayList<>();
+
+        public RequestMappingBuilder requestMatcher(String pattern) {
+            return requestMatcher(null, pattern);
+        }
+
+        public RequestMappingBuilder requestMatcher(HttpMethod method, String pattern) {
+            Assert.hasText(pattern, "patterns must not be empty");
+            return new RequestMappingBuilder(new AntPathRequestMatcher(pattern, method, true));
+        }
+
+        public RequestMappingBuilder requestMatchers(String... patterns) {
+            return requestMatchers(null, patterns);
+        }
+
+        public RequestMappingBuilder requestMatchers(HttpMethod method, String... patterns) {
+            Assert.notEmpty(patterns, "patterns must not be empty");
+            List<HttpRequestMatcher> requestMatchers = new ArrayList<>(patterns.length);
+            for (String pattern : patterns) {
+                requestMatchers.add(new AntPathRequestMatcher(pattern, method, true));
+            }
+            return new RequestMappingBuilder(new OrRequestMatcher(requestMatchers));
+        }
+
+        public DuplicateSubmitFilter build() {
+            return new DuplicateSubmitFilter(Collections.unmodifiableList(this.mappings));
+        }
+
+        public class RequestMappingBuilder {
+            private final HttpRequestMatcher requestMatcher;
+
+            public RequestMappingBuilder(HttpRequestMatcher requestMatcher) {
+                this.requestMatcher = requestMatcher;
+            }
+
+            public Builder forbidSubmit(long duration, TimeUnit timeUnit) {
+                Assert.isTrue(duration > 0, "Invalid duration");
+                Assert.notNull(timeUnit, "timeUnit must not be null");
+                Builder.this.mappings.add(new RequestMapping(requestMatcher, duration, timeUnit));
+                return Builder.this;
+            }
+        }
+    }
+}
+package com.diligrp.cashier.shared.http;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+public interface HttpRequestMatcher {
+    boolean matches(HttpServletRequest request);
+}
+package com.diligrp.cashier.shared.http;
+
+import jakarta.servlet.http.HttpServletRequest;
+
+import java.util.Arrays;
+import java.util.List;
+
+public class OrRequestMatcher implements HttpRequestMatcher {
+    private final List<HttpRequestMatcher> requestMatchers;
+
+    public OrRequestMatcher(List<HttpRequestMatcher> requestMatchers) {
+        this.requestMatchers = requestMatchers;
+    }
+
+    public OrRequestMatcher(HttpRequestMatcher... requestMatchers) {
+        this(Arrays.asList(requestMatchers));
+    }
+
+    @Override
+    public boolean matches(HttpServletRequest request) {
+        for (HttpRequestMatcher matcher : this.requestMatchers) {
+            if (matcher.matches(request)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    @Override
+    public String toString() {
+        return "Or " + this.requestMatchers;
+    }
+}
@@ -76,7 +76,7 @@ public class PaymentResultManager {
      * 通知业务系统退款处理结果
      */
     public void notifyRefundResult(String uri, OnlineRefundResult refundResult) {
-        LOG.info("Notifying online payment result: {}, {}", refundResult.getTradeId(), refundResult.getRefundId());
+        LOG.info("Notifying online refund result: {}, {}", refundResult.getTradeId(), refundResult.getRefundId());
         ThreadPoolService.getIoThreadPoll().submit(() -> {
             List<IPaymentEventListener> lifeCycles = eventListeners.stream().toList();
             if (!lifeCycles.isEmpty()) {
@@ -86,7 +86,7 @@ public class PaymentResultManager {
                     try {
                         listener.onEvent(refundEvent);
                     } catch (Exception ex) {
-                        LOG.error("Failed to notify payment refund result", ex);
+                        LOG.error("Failed to notify online refund result", ex);
                     }
                 }
             }
@@ -95,13 +95,13 @@ public class PaymentResultManager {
                 ThreadPoolService.getIoThreadPoll().submit(() -> {
                     try {
                         String payload = JsonUtils.toJsonString(refundResult);
-                        LOG.info("Notifying online payment refund result: {}", payload);
+                        LOG.info("Notifying online refund result: {}", payload);
                         ServiceEndpointSupport.HttpResult httpResult = new NotifyHttpClient(uri).send(payload);
                         if (httpResult.statusCode != 200) {
-                            LOG.error("Failed to notify payment refund result");
+                            LOG.error("Failed to notify online refund result");
                         }
                     } catch (Exception ex) {
-                        LOG.error("Failed to notify payment refund result", ex);
+                        LOG.error("Failed to notify online refund result", ex);
                     }
                 });
             }