From 86a3c1f97b3fa1522f3c829b928fe9b88b260221 Mon Sep 17 00:00:00 2001
From: lzh
Date: Thu, 23 Apr 2026 20:24:52 +0800
Subject: [PATCH] =?UTF-8?q?fix(@vben/web-antd):=20SSO=20callback=20?=
 =?UTF-8?q?=E6=94=B9=E8=B5=B0=20body=20=E4=BC=A0=E9=80=92=20code/state?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

授权 code 原先以 query 形式发给 /system/sso/callback,会被 nginx access log、浏览器历史和 Referer 捕获。改走 POST body,与后端 @RequestBody SsoCallbackReqVO 对齐,避免一次性码泄露给中间层。

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 apps/web-antd/src/api/core/sso.ts | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/apps/web-antd/src/api/core/sso.ts b/apps/web-antd/src/api/core/sso.ts
index 162dbcb49..1665627b1 100644
--- a/apps/web-antd/src/api/core/sso.ts
+++ b/apps/web-antd/src/api/core/sso.ts
@@ -36,12 +36,11 @@ export async function ssoCallback(
   redirectUri: string,
   state?: string,
 ): Promise {
+  // 走 body 而非 query:避免 code 落入浏览器历史 / nginx access log。
+  // 后端对应 @RequestBody SsoCallbackReqVO。
   const raw = await requestClient.post(
     '/system/sso/callback',
-    null,
-    {
-      params: { clientId, code, redirectUri, state },
-    },
+    { clientId, code, redirectUri, state },
   );
   return {
     accessToken: raw.access_token,
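Review bot: Moving `{ clientId, code, redirectUri, state }` into the POST body keeps the authorization code out of the backend's access log and Referer, but the added comment claims the code no longer reaches browser history, and this function alone cannot guarantee that: the code still arrives in the SPA's own callback URL from the identity provider, so the history claim holds only if the caller scrubs the query (e.g. `history.replaceState`) after reading `code`/`state`, which is outside this hunk and should be stated rather than implied. I would narrow the first comment to `// 走 body 而非 query:避免 code 落入 nginx access log / Referer。` and move the browser-history note to the caller that parses the redirect. Since `state` is optional and an undefined field is dropped from the JSON body, it is worth a one-line TSDoc on the function (its signature starts above this hunk) saying that the server is expected to reject a missing or mismatched `state`, as that check cannot be seen here. The mapping from `raw.access_token` continues unchanged below the visible lines.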