fix: response code error when unauthorized

api/src/main/java/com/databasir/api/config/security/DatabasirAuthenticationEntryPoint.java

@@ -1,26 +1,39 @@
 package com.databasir.api.config.security;
 
+import com.databasir.common.JsonData;
+import com.databasir.core.domain.DomainErrors;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
+import org.springframework.http.HttpStatus;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.stereotype.Service;
 
 import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
 
 @Service
 @RequiredArgsConstructor
 @Slf4j
 public class DatabasirAuthenticationEntryPoint implements AuthenticationEntryPoint {
 
+    private final ObjectMapper objectMapper;
+
     @Override
     public void commence(javax.servlet.http.HttpServletRequest request,
                          javax.servlet.http.HttpServletResponse response,
                          AuthenticationException authException) throws IOException, ServletException {
-        log.warn("验证未通过. 提示信息 - {} - {}", request.getRequestURI(), authException.getMessage());
-        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, authException.getMessage());
+        log.warn("验证未通过. 提示信息 - {} - {} {}", request.getRequestURI(),
+                authException.getClass().getName(),
+                authException.getMessage());
+
+        DomainErrors err = DomainErrors.INVALID_REFRESH_TOKEN_OPERATION;
+        JsonData<Void> data = JsonData.error(err.getErrCode(), err.getErrMessage());
+        String jsonString = objectMapper.writeValueAsString(data);
+        response.setStatus(HttpStatus.UNAUTHORIZED.value());
+        response.getOutputStream().write(jsonString.getBytes(StandardCharsets.UTF_8));
     }
 
 }

core/src/main/java/com/databasir/core/domain/login/service/LoginService.java

@@ -45,8 +45,8 @@ public class LoginService {
         if (login.getRefreshTokenExpireAt().isBefore(LocalDateTime.now())) {
             throw DomainErrors.REFRESH_TOKEN_EXPIRED.exception();
         }
-        // access-token 未过期就开始刷新有可能是 refresh-token  泄露了，删除 refresh-token
-        if (login.getAccessTokenExpireAt().isAfter(LocalDateTime.now())) {
+        // access-token 未过期（允许一分钟的误差）就开始刷新有可能是 refresh-token  泄露了，删除 refresh-token
+        if (login.getAccessTokenExpireAt().isAfter(LocalDateTime.now().plusMinutes(1))) {
             log.warn("invalid access token refresh operation: request = {}, login = {}", request, login);
             loginDao.deleteByUserId(login.getUserId());
             throw DomainErrors.INVALID_REFRESH_TOKEN_OPERATION.exception();
@@ -58,6 +58,10 @@ public class LoginService {
                     log.warn("user not exists but refresh token exists for " + login.getRefreshToken());
                     return DomainErrors.INVALID_REFRESH_TOKEN_OPERATION.exception();
                 });
+        if (!user.getEnabled()) {
+            log.warn("user disabled but refresh token exists for " + login.getRefreshToken());
+            throw DomainErrors.INVALID_REFRESH_TOKEN_OPERATION.exception();
+        }
         String accessToken = jwtTokens.accessToken(user.getEmail());
         LocalDateTime accessTokenExpireAt = jwtTokens.expireAt(accessToken);
         loginDao.updateAccessToken(accessToken, accessTokenExpireAt, user.getId());