diff --git a/iot-gateway/src/main/java/com/qiuguo/iot/gateway/GatewayApplication.java b/iot-gateway/src/main/java/com/qiuguo/iot/gateway/GatewayApplication.java
index f827f1a..21aed7b 100644
--- a/iot-gateway/src/main/java/com/qiuguo/iot/gateway/GatewayApplication.java
+++ b/iot-gateway/src/main/java/com/qiuguo/iot/gateway/GatewayApplication.java
@@ -2,8 +2,10 @@ package com.qiuguo.iot.gateway;
 
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
 
 @SpringBootApplication
+@EnableDiscoveryClient
 public class GatewayApplication {
 
     public static void main(String[] args) {
diff --git a/iot-gateway/src/main/java/com/qiuguo/iot/gateway/filter/AuthFilter.java b/iot-gateway/src/main/java/com/qiuguo/iot/gateway/filter/AuthFilter.java
index bfcb409..f39604c 100644
--- a/iot-gateway/src/main/java/com/qiuguo/iot/gateway/filter/AuthFilter.java
+++ b/iot-gateway/src/main/java/com/qiuguo/iot/gateway/filter/AuthFilter.java
@@ -37,29 +37,28 @@ public class AuthFilter implements GlobalFilter, Ordered {
     public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
         ServerHttpRequest request = exchange.getRequest();
         String url = request.getPath().toString();
-        return chain.filter(exchange);
-        // if (xssProperties.getExcludeUrls().contains(url)) {
-        //     return chain.filter(exchange);
-        // }
-        //
-        // String api_token = exchange.getRequest().getHeaders().getFirst(UserAuthContains.API_TOKEN);
-        // String api_type = exchange.getRequest().getHeaders().getFirst(UserAuthContains.API_TYPE);
-        // if (ObjectUtils.isEmpty(api_token) || ObjectUtils.isEmpty(api_type)) {
-        //     return Mono.error(new RuntimeException("未登录"));
-        // }
-        // String key = RedisConstans.IOT_TOKEN.concat(api_token);
-        // return reactiveRedisTemplate.getExpire(key).map(Duration::getSeconds).flatMap(ttl -> {
-        //     if (ttl == -1) {
-        //         // 用户没登陆
-        //         return Mono.error(new RuntimeException("未登录"));
-        //     } else if (ttl <= 3600) {
-        //         // token 将要失效
-        //         return reactiveRedisTemplate.expire(key, Duration.ofDays(7)).then(chain.filter(exchange));
-        //     } else {
-        //         // 正常登录
-        //         return chain.filter(exchange);
-        //     }
-        // });
+        if (xssProperties.getExcludeUrls().contains(url)) {
+            return chain.filter(exchange);
+        }
+
+        String api_token = exchange.getRequest().getHeaders().getFirst(UserAuthContains.API_TOKEN);
+        String api_type = exchange.getRequest().getHeaders().getFirst(UserAuthContains.API_TYPE);
+        if (ObjectUtils.isEmpty(api_token) || ObjectUtils.isEmpty(api_type)) {
+            return Mono.error(new RuntimeException("未登录"));
+        }
+        String key = RedisConstans.IOT_TOKEN.concat(api_token);
+        return reactiveRedisTemplate.getExpire(key).map(Duration::getSeconds).flatMap(ttl -> {
+            if (ttl == -1) {
+                // 用户没登陆
+                return Mono.error(new RuntimeException("未登录"));
+            } else if (ttl <= 3600) {
+                // token 将要失效
+                return reactiveRedisTemplate.expire(key, Duration.ofDays(7)).then(chain.filter(exchange));
+            } else {
+                // 正常登录
+                return chain.filter(exchange);
+            }
+        });
     }
     
     
diff --git a/iot-gateway/src/main/java/com/qiuguo/iot/gateway/handler/GatewayExceptionHandler.java b/iot-gateway/src/main/java/com/qiuguo/iot/gateway/handler/GatewayExceptionHandler.java
index 9b3840c..68d8c5e 100644
--- a/iot-gateway/src/main/java/com/qiuguo/iot/gateway/handler/GatewayExceptionHandler.java
+++ b/iot-gateway/src/main/java/com/qiuguo/iot/gateway/handler/GatewayExceptionHandler.java
@@ -35,6 +35,8 @@ public class GatewayExceptionHandler implements ErrorWebExceptionHandler {
         } else if (ex instanceof ResponseStatusException) {
             ResponseStatusException responseStatusException = (ResponseStatusException) ex;
             msg = responseStatusException.getMessage();
+        } else if (ex instanceof RuntimeException) {
+            msg = ex.getMessage();
         } else {
             msg = "内部服务器错误";
         }
diff --git a/iot-gateway/src/main/resources/bootstrap-dev.yml b/iot-gateway/src/main/resources/bootstrap-dev.yml
index 32efc31..bf1ee97 100644
--- a/iot-gateway/src/main/resources/bootstrap-dev.yml
+++ b/iot-gateway/src/main/resources/bootstrap-dev.yml
@@ -1,12 +1,12 @@
 spring:
   cloud:
-#    config:
-#      # 如果本地配置优先级高，那么 override-none 设置为 true，包括系统环境变量、本地配置文件等配置
-#      override-none: true
-#      # 如果想要远程配置优先级高，那么 allow-override 设置为 false，如果想要本地配置优先级高那么 allow-override 设置为 true
-#      allow-override: true
-#      # 只有系统环境变量或者系统属性才能覆盖远程配置文件的配置，本地配置文件中配置优先级低于远程配置；注意本地配置文件不是系统属性
-#      override-system-properties: false
+    config:
+      # 如果本地配置优先级高，那么 override-none 设置为 true，包括系统环境变量、本地配置文件等配置
+      override-none: true
+      # 如果想要远程配置优先级高，那么 allow-override 设置为 false，如果想要本地配置优先级高那么 allow-override 设置为 true
+      allow-override: true
+      # 只有系统环境变量或者系统属性才能覆盖远程配置文件的配置，本地配置文件中配置优先级低于远程配置；注意本地配置文件不是系统属性
+      override-system-properties: false
     nacos:
       discovery:
         # 服务注册地址
@@ -27,4 +27,36 @@ spring:
     host: 192.168.8.146
     port: 32030
     password: 123456
-    timeout: 5000
\ No newline at end of file
+    timeout: 5000
+  gateway:
+    routes:
+      - id: qiuguo-iot-box-user-api
+        uri: lb://qiuguo-iot-box-user-api
+        predicates:
+          - Path=/iot-user/**
+        filters:
+          # 转发时去掉一层路径
+          - StripPrefix=1
+    globalcors:
+      corsConfigurations:
+        '[/**]':
+          # 允许携带认证信息
+          allow-credentials: true
+          # 允许跨域的源(网站域名/ip)，设置*为全部
+          allowedOriginPatterns: "*"
+          # 允许跨域的method， 默认为GET和OPTIONS，设置*为全部
+          allowedMethods: "*"
+          # 允许跨域请求里的head字段，设置*为全部
+          allowedHeaders: "*"
+# 安全配置
+security:
+  # 防止XSS攻击
+  xss:
+    enabled: true
+    # 排除的路径
+    exclude-urls:
+      - /iot-user/user/login/pwd
+#application:
+#  cors:
+#    allowed-crigin-patterns:
+#      - /iot-user/user/user/login/pwd
diff --git a/iot-modules/iot-box-user-api/src/main/java/com/qiuguo/iot/user/api/IotBoxUserApiApplication.java b/iot-modules/iot-box-user-api/src/main/java/com/qiuguo/iot/user/api/IotBoxUserApiApplication.java
index 17269cf..02e52b7 100644
--- a/iot-modules/iot-box-user-api/src/main/java/com/qiuguo/iot/user/api/IotBoxUserApiApplication.java
+++ b/iot-modules/iot-box-user-api/src/main/java/com/qiuguo/iot/user/api/IotBoxUserApiApplication.java
@@ -4,12 +4,14 @@ import com.tuya.connector.spring.annotations.ConnectorScan;
 import org.hswebframework.web.crud.annotation.EnableEasyormRepository;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.cloud.client.discovery.EnableDiscoveryClient;
 import org.springframework.context.annotation.EnableAspectJAutoProxy;
 
 @SpringBootApplication(scanBasePackages = {"com.qiuguo.iot.user.api", "com.qiuguo.iot.data.service"})
 @EnableEasyormRepository(value = "com.qiuguo.iot.data.entity.*")
 @ConnectorScan(basePackages = "com.qiuguo.iot.user.api.service")
 @EnableAspectJAutoProxy
+@EnableDiscoveryClient
 public class IotBoxUserApiApplication {
 
     public static void main(String[] args) {
diff --git a/pom.xml b/pom.xml
index e6afd1b..0c069c1 100644
--- a/pom.xml
+++ b/pom.xml
@@ -28,7 +28,7 @@
         <spring.cloud.version>3.1.7</spring.cloud.version>
         <spring.boot.version>2.7.15</spring.boot.version>
         <spring.boot.maven.plugin.version>2.7.14</spring.boot.maven.plugin.version>
-        <lombok.version>1.18.12</lombok.version>
+        <lombok.version>1.18.14</lombok.version>
         <redis.boot.reactor.version>2.7.14</redis.boot.reactor.version>
     </properties>
     <dependencyManagement>