New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pig和pigx都存在问题，使用手机验证码方式登录，只需要手机号不需要验证码就可以登录 #428

Closed

lltx opened this issue Sep 13, 2021 · 6 comments

Collaborator

lltx commented Sep 13, 2021

版本信息

pig版本:所有版本
操作系统:windows
是否修改包名: 否

###问题描述（包括回显步骤、截图）

使用密码模式的code和randomStr，可以绕开手机验证码登录的code进行登录

步骤如下：

打开普通的登录页面获取randomStr和code
code：8fba
randomStr：22711557219999347

根据上一步获取的code和randomStr构造手机登录的url进行登录

https://pigx.pig4cloud.com/auth/mobile/token/sms?mobile=SMS@17034642889&grant_type=mobile&code=8fba&randomStr=22711557219999347

###解决方案
请求中的mobile参数不为空，就只能通过mobile来获取redis中的code，不要再通过randomStr来获取code

Collaborator Author

lltx commented Sep 13, 2021

https://gitee.com/log4j/pig/issues/ILN1L

Collaborator Author

lltx commented Sep 13, 2021

1.我不是会员
2.普通版本也存在这个问题，不止pigx

Collaborator Author

lltx commented Sep 13, 2021

@xiaofeifei112 开源版没有手机和社交登陆

Collaborator Author

lltx commented Sep 13, 2021

@xiaofeifei112 非常感谢

Collaborator Author

lltx commented Sep 13, 2021

我不是会员，咋个去会员群提bug？

Collaborator Author

lltx commented Sep 13, 2021

我专门去办个会员，提交一个bug？

lltx closed this as completed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment