
fix: JwtAuthFilter白名单URL跳过token校验,避免带过期token访问sms-code返回401

alphah před 1 dnem
rodič
revize
d30cdb9800

+ 24 - 0
java/src/main/java/com/payment/platform/core/security/JwtAuthFilter.java

@@ -27,6 +27,7 @@ import org.springframework.web.filter.OncePerRequestFilter;
 import java.io.IOException;
 import java.nio.charset.StandardCharsets;
 import java.time.Duration;
+import java.util.Set;
 
 /**
  * JWT 认证过滤器 — 对应 Python security.py + dependencies.py 中的 JWT 校验逻辑
@@ -47,9 +48,24 @@ public class JwtAuthFilter extends OncePerRequestFilter {
     @Value("${jwt.sliding-expire:true}")
     private boolean slidingExpire;
 
+    /** SecurityConfig 中与 whitelist 保持同步 — 带过期 token 访问这些 URL 不拦截 */
+    private static final Set<String> WHITE_LIST_PATHS = Set.of(
+        "/system/auth/login", "/system/auth/login/mini", "/system/auth/login/sms",
+        "/system/auth/sms-code", "/system/auth/captcha/get", "/system/auth/logout",
+        "/system/auth/token/refresh", "/system/auth/auto-login",
+        "/system/user/register", "/system/user/forget/password",
+        "/payment/notify/health", "/payment/notify/alipay"
+    );
+
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                     FilterChain filterChain) throws ServletException, IOException {
+        // 白名单 URL → 直接放行,不管 token 状态
+        if (isWhitelisted(request)) {
+            filterChain.doFilter(request, response);
+            return;
+        }
+
         String token = extractToken(request);
 
         // 无 token → 放行(permitAll 策略,由后续 @PreAuthorize 或 endpoint 自行检查)
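Review bot: Returning before `extractToken` for every whitelisted URI also covers `/system/auth/logout` and `/system/auth/token/refresh`, so for those requests the filter never populates the SecurityContext; any handler that identified the caller via `SecurityContextHolder` (or a `@PreAuthorize` on it) now sees an anonymous request, which I cannot verify from this hunk — please confirm those two endpoints read the token from the header themselves. The list is also a hand-maintained copy of the SecurityConfig whitelist, so the two will drift; exposing that list as one shared constant and referencing it here removes the "keep in sync" comment entirely. At minimum the early-return deserves a comment stating the consequence, e.g. `// Whitelisted → JWT is neither parsed nor validated and no Authentication is set; logout/refresh must read the token themselves`. The body of doFilterInternal continues past the end of this hunk.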
@@ -165,6 +181,14 @@ public class JwtAuthFilter extends OncePerRequestFilter {
         filterChain.doFilter(request, response);
     }
 
+    private boolean isWhitelisted(HttpServletRequest request) {
+        String uri = request.getRequestURI();
+        for (String path : WHITE_LIST_PATHS) {
+            if (uri.contains(path)) return true;
+        }
+        return false;
+    }
+
     /** 写入 401 + code 10401 错误响应(对应 Python security.py L48) */
     private void writeAuthError(HttpServletResponse response, ErrorCode errorCode) throws IOException {
         response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
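Review bot: `uri.contains(path)` in `isWhitelisted` is a substring match on the raw request URI, so any request whose path merely contains a whitelisted segment anywhere — `/system/user/profile/system/auth/login`, or a dot-segment path such as `/system/auth/login/../../other` that the container may map to a different handler — is also exempted from token validation. Since a missing token is already treated as permitAll further down, the practical effect is that an expired or tampered token on such a URI is ignored rather than rejected with 401, which widens the bypass well beyond the twelve intended endpoints. Match the servlet path exactly after stripping the context path, e.g. `String path = uri.substring(request.getContextPath().length());` followed by `return WHITE_LIST_PATHS.contains(path);`, or use Spring Security's `AntPathRequestMatcher` so the rule is the same one SecurityConfig applies. Separately, `/payment/notify/alipay` being exempt from JWT means that handler must verify the provider's callback signature itself; I can't see it from here, so treat that as something to confirm.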