TRKJ/EdgeAdmin
2
0
Fork 0
mirror of https://github.com/TeaOSLab/EdgeAdmin.git synced 2025-11-12 03:10:26 +08:00
Code Issues Packages Projects Releases Wiki Activity

在管理员登录后才验证OTP

Browse Source
This commit is contained in:
GoEdgeLab
2023-02-04 16:44:33 +08:00
parent c86fb9a705
commit 0747227fc3
12 changed files with 384 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
internal/nodes/session_manager.go
View File

@@ -8,6 +8,7 @@ import (
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb" "github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
"github.com/iwind/TeaGo/actions" "github.com/iwind/TeaGo/actions"
"github.com/iwind/TeaGo/logs" "github.com/iwind/TeaGo/logs"
"strings"
) )
type SessionManager struct { type SessionManager struct {
@@ -30,6 +31,11 @@ func (this *SessionManager) Init(config *actions.SessionConfig) {
} }
func (this *SessionManager) Read(sid string) map[string]string { func (this *SessionManager) Read(sid string) map[string]string {
// 忽略OTP
if strings.HasSuffix(sid, "_otp") {
return map[string]string{}
}
var result = map[string]string{} var result = map[string]string{}
resp, err := this.rpcClient.LoginSessionRPC().FindLoginSession(this.rpcClient.Context(0), &pb.FindLoginSessionRequest{Sid: sid}) resp, err := this.rpcClient.LoginSessionRPC().FindLoginSession(this.rpcClient.Context(0), &pb.FindLoginSessionRequest{Sid: sid})
@@ -52,6 +58,11 @@ func (this *SessionManager) Read(sid string) map[string]string {
} }
func (this *SessionManager) WriteItem(sid string, key string, value string) bool { func (this *SessionManager) WriteItem(sid string, key string, value string) bool {
// 忽略OTP
if strings.HasSuffix(sid, "_otp") {
return false
}
_, err := this.rpcClient.LoginSessionRPC().WriteLoginSessionValue(this.rpcClient.Context(0), &pb.WriteLoginSessionValueRequest{ _, err := this.rpcClient.LoginSessionRPC().WriteLoginSessionValue(this.rpcClient.Context(0), &pb.WriteLoginSessionValueRequest{
Sid: sid, Sid: sid,
Key: key, Key: key,
@@ -65,6 +76,11 @@ func (this *SessionManager) WriteItem(sid string, key string, value string) bool
} }
func (this *SessionManager) Delete(sid string) bool { func (this *SessionManager) Delete(sid string) bool {
// 忽略OTP
if strings.HasSuffix(sid, "_otp") {
return false
}
_, err := this.rpcClient.LoginSessionRPC().DeleteLoginSession(this.rpcClient.Context(0), &pb.DeleteLoginSessionRequest{Sid: sid}) _, err := this.rpcClient.LoginSessionRPC().DeleteLoginSession(this.rpcClient.Context(0), &pb.DeleteLoginSessionRequest{Sid: sid})
if err != nil { if err != nil {
logs.Println("SESSION", "delete '"+sid+"' failed: "+err.Error()) logs.Println("SESSION", "delete '"+sid+"' failed: "+err.Error())

30
internal/web/actions/default/index/checkOTP.go
View File

@@ -1,30 +0,0 @@
package index
import (
"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
"github.com/iwind/TeaGo/actions"
)
// 检查是否需要OTP
type CheckOTPAction struct {
actionutils.ParentAction
}
func (this *CheckOTPAction) Init() {
this.Nav("", "", "")
}
func (this *CheckOTPAction) RunPost(params struct {
Username string
Must *actions.Must
}) {
checkResp, err := this.RPC().AdminRPC().CheckAdminOTPWithUsername(this.AdminContext(), &pb.CheckAdminOTPWithUsernameRequest{Username: params.Username})
if err != nil {
this.ErrorPage(err)
return
}
this.Data["requireOTP"] = checkResp.RequireOTP
this.Success()
}

49
internal/web/actions/default/index/index.go
View File

@@ -1,7 +1,6 @@
package index package index
import ( import (
"encoding/json"
"fmt" "fmt"
"github.com/TeaOSLab/EdgeAdmin/internal/configloaders" "github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const" teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
@@ -14,10 +13,8 @@ import (
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao" "github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb" "github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
"github.com/iwind/TeaGo/actions" "github.com/iwind/TeaGo/actions"
"github.com/iwind/TeaGo/maps"
"github.com/iwind/TeaGo/types" "github.com/iwind/TeaGo/types"
stringutil "github.com/iwind/TeaGo/utils/string" stringutil "github.com/iwind/TeaGo/utils/string"
"github.com/xlzd/gotp"
"time" "time"
) )
@@ -27,7 +24,8 @@ type IndexAction struct {
// 首页(登录页) // 首页(登录页)
var TokenSalt = stringutil.Rand(32) // TokenKey 加密用的密钥
var TokenKey = stringutil.Rand(32)
func (this *IndexAction) RunGet(params struct { func (this *IndexAction) RunGet(params struct {
From string From string
@@ -59,7 +57,7 @@ func (this *IndexAction) RunGet(params struct {
this.Data["menu"] = "signIn" this.Data["menu"] = "signIn"
var timestamp = fmt.Sprintf("%d", time.Now().Unix()) var timestamp = fmt.Sprintf("%d", time.Now().Unix())
this.Data["token"] = stringutil.Md5(TokenSalt+timestamp) + timestamp this.Data["token"] = stringutil.Md5(TokenKey+timestamp) + timestamp
this.Data["from"] = params.From this.Data["from"] = params.From
uiConfig, err := configloaders.LoadAdminUIConfig() uiConfig, err := configloaders.LoadAdminUIConfig()
@@ -93,6 +91,7 @@ func (this *IndexAction) RunPost(params struct {
Password string Password string
OtpCode string OtpCode string
Remember bool Remember bool
Must *actions.Must Must *actions.Must
Auth *helpers.UserShouldAuth Auth *helpers.UserShouldAuth
CSRF *actionutils.CSRF CSRF *actionutils.CSRF
@@ -112,7 +111,7 @@ func (this *IndexAction) RunPost(params struct {
this.Fail("请通过登录页面登录") this.Fail("请通过登录页面登录")
} }
var timestampString = params.Token[32:] var timestampString = params.Token[32:]
if stringutil.Md5(TokenSalt+timestampString) != params.Token[:32] { if stringutil.Md5(TokenKey+timestampString) != params.Token[:32] {
this.FailField("refresh", "登录页面已过期,请刷新后重试") this.FailField("refresh", "登录页面已过期,请刷新后重试")
} }
var timestamp = types.Int64(timestampString) var timestamp = types.Int64(timestampString)
@@ -123,6 +122,7 @@ func (this *IndexAction) RunPost(params struct {
rpcClient, err := rpc.SharedRPC() rpcClient, err := rpc.SharedRPC()
if err != nil { if err != nil {
this.Fail("服务器出了点小问题:" + err.Error()) this.Fail("服务器出了点小问题:" + err.Error())
return
} }
resp, err := rpcClient.AdminRPC().LoginAdmin(rpcClient.Context(0), &pb.LoginAdminRequest{ resp, err := rpcClient.AdminRPC().LoginAdmin(rpcClient.Context(0), &pb.LoginAdminRequest{
Username: params.Username, Username: params.Username,
@@ -136,6 +136,7 @@ func (this *IndexAction) RunPost(params struct {
} }
actionutils.Fail(this, err) actionutils.Fail(this, err)
return
} }
if !resp.IsOk { if !resp.IsOk {
@@ -145,31 +146,37 @@ func (this *IndexAction) RunPost(params struct {
} }
this.Fail("请输入正确的用户名密码") this.Fail("请输入正确的用户名密码")
return
} }
var adminId = resp.AdminId
// 检查OTP // 检查是否支持OTP
otpLoginResp, err := this.RPC().LoginRPC().FindEnabledLogin(this.AdminContext(), &pb.FindEnabledLoginRequest{ checkOTPResp, err := this.RPC().AdminRPC().CheckAdminOTPWithUsername(this.AdminContext(), &pb.CheckAdminOTPWithUsernameRequest{Username: params.Username})
AdminId: resp.AdminId, if err != nil {
Type: "otp", this.ErrorPage(err)
return
}
var requireOTP = checkOTPResp.RequireOTP
this.Data["requireOTP"] = requireOTP
if requireOTP {
this.Data["remember"] = params.Remember
var sid = this.Session().Sid
this.Data["sid"] = sid
_, err = this.RPC().LoginSessionRPC().WriteLoginSessionValue(this.AdminContext(), &pb.WriteLoginSessionValueRequest{
Sid: sid + "_otp",
Key: "adminId",
Value: types.String(adminId),
}) })
if err != nil { if err != nil {
this.ErrorPage(err) this.ErrorPage(err)
return return
} }
if otpLoginResp.Login != nil && otpLoginResp.Login.IsOn { this.Success()
var loginParams = maps.Map{}
err = json.Unmarshal(otpLoginResp.Login.ParamsJSON, &loginParams)
if err != nil {
this.ErrorPage(err)
return return
} }
secret := loginParams.GetString("secret")
if gotp.NewDefaultTOTP(secret).Now() != params.OtpCode {
this.Fail("请输入正确的OTP动态密码")
}
}
var adminId = resp.AdminId // 写入SESSION
params.Auth.StoreAdmin(adminId, params.Remember) params.Auth.StoreAdmin(adminId, params.Remember)
// 记录日志 // 记录日志

6
internal/web/actions/default/index/init.go
View File

@@ -7,9 +7,9 @@ import (
func init() { func init() {
TeaGo.BeforeStart(func(server *TeaGo.Server) { TeaGo.BeforeStart(func(server *TeaGo.Server) {
server. server.
Post("/checkOTP", new(CheckOTPAction)). Prefix("").
Prefix("/"). GetPost("/", new(IndexAction)).
GetPost("", new(IndexAction)). GetPost("/index/otp", new(OtpAction)).
EndAll() EndAll()
}) })
} }

154
internal/web/actions/default/index/otp.go Normal file
View File

@@ -0,0 +1,154 @@
// Copyright 2023 Liuxiangchao iwind.liu@gmail.com. All rights reserved. Official site: https://goedge.cn .
package index
import (
"encoding/json"
"fmt"
"github.com/TeaOSLab/EdgeAdmin/internal/configloaders"
teaconst "github.com/TeaOSLab/EdgeAdmin/internal/const"
"github.com/TeaOSLab/EdgeAdmin/internal/oplogs"
"github.com/TeaOSLab/EdgeAdmin/internal/rpc"
"github.com/TeaOSLab/EdgeAdmin/internal/setup"
"github.com/TeaOSLab/EdgeAdmin/internal/utils"
"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
"github.com/TeaOSLab/EdgeAdmin/internal/web/helpers"
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/dao"
"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
"github.com/iwind/TeaGo/actions"
"github.com/iwind/TeaGo/maps"
stringutil "github.com/iwind/TeaGo/utils/string"
"github.com/xlzd/gotp"
"time"
)
type OtpAction struct {
actionutils.ParentAction
}
func (this *OtpAction) Init() {
this.Nav("", "", "")
}
func (this *OtpAction) RunGet(params struct {
From string
Sid string
Remember bool
}) {
// 检查系统是否已经配置过
if !setup.IsConfigured() {
this.RedirectURL("/setup")
return
}
//// 是否新安装
if setup.IsNewInstalled() {
this.RedirectURL("/setup/confirm")
return
}
this.Data["isUser"] = false
this.Data["menu"] = "signIn"
var timestamp = fmt.Sprintf("%d", time.Now().Unix())
this.Data["token"] = stringutil.Md5(TokenKey+timestamp) + timestamp
this.Data["from"] = params.From
this.Data["sid"] = params.Sid
uiConfig, err := configloaders.LoadAdminUIConfig()
if err != nil {
this.ErrorPage(err)
return
}
this.Data["systemName"] = uiConfig.AdminSystemName
this.Data["showVersion"] = uiConfig.ShowVersion
if len(uiConfig.Version) > 0 {
this.Data["version"] = uiConfig.Version
} else {
this.Data["version"] = teaconst.Version
}
this.Data["faviconFileId"] = uiConfig.FaviconFileId
this.Data["remember"] = params.Remember
this.Show()
}
func (this *OtpAction) RunPost(params struct {
Sid string
OtpCode string
Remember bool
Must *actions.Must
Auth *helpers.UserShouldAuth
}) {
if len(params.OtpCode) == 0 {
this.FailField("otpCode", "请输入正确的OTP动态密码")
return
}
var sid = params.Sid
if len(sid) == 0 || len(sid) > 64 {
this.Fail("参数错误请重新登录001")
return
}
sid += "_otp"
// 获取SESSION
sessionResp, err := this.RPC().LoginSessionRPC().FindLoginSession(this.AdminContext(), &pb.FindLoginSessionRequest{Sid: sid})
if err != nil {
this.ErrorPage(err)
return
}
var session = sessionResp.LoginSession
if session == nil || session.AdminId <= 0 {
this.Fail("参数错误请重新登录002")
return
}
var adminId = session.AdminId
// 检查OTP
otpLoginResp, err := this.RPC().LoginRPC().FindEnabledLogin(this.AdminContext(), &pb.FindEnabledLoginRequest{
AdminId: adminId,
Type: "otp",
})
if err != nil {
this.ErrorPage(err)
return
}
if otpLoginResp.Login != nil && otpLoginResp.Login.IsOn {
var loginParams = maps.Map{}
err = json.Unmarshal(otpLoginResp.Login.ParamsJSON, &loginParams)
if err != nil {
this.ErrorPage(err)
return
}
var secret = loginParams.GetString("secret")
if gotp.NewDefaultTOTP(secret).Now() != params.OtpCode {
this.FailField("otpCode", "请输入正确的OTP动态密码")
return
}
}
// 写入SESSION
params.Auth.StoreAdmin(adminId, params.Remember)
// 删除OTP SESSION
_, err = this.RPC().LoginSessionRPC().DeleteLoginSession(this.AdminContext(), &pb.DeleteLoginSessionRequest{Sid: sid})
if err != nil {
this.ErrorPage(err)
return
}
// 记录日志
rpcClient, err := rpc.SharedRPC()
if err != nil {
this.ErrorPage(err)
return
}
err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(adminId), oplogs.LevelInfo, this.Request.URL.Path, "成功通过OTP验证登录系统", this.RequestRemoteIP())
if err != nil {
utils.PrintError(err)
}
this.Success()
}

6
web/views/@default/index/index.html
View File

@@ -41,12 +41,6 @@
<input type="password" v-model="password" placeholder="请输入密码" maxlength="200" @input="changePassword()" ref="passwordRef"/> <input type="password" v-model="password" placeholder="请输入密码" maxlength="200" @input="changePassword()" ref="passwordRef"/>
</div> </div>
</div> </div>
<div class="ui field" v-show="showOTP">
<div class="ui left icon input">
<i class="ui barcode icon"></i>
<input type="text" name="otpCode" placeholder="请输入OTP动态密码" maxlength="6"/>
</div>
</div>
<div class="ui field" v-if="rememberLogin"> <div class="ui field" v-if="rememberLogin">
<a href="" @click.prevent="showMoreOptions()">更多选项 <i class="icon angle" :class="{down:!moreOptionsVisible, up:moreOptionsVisible}"></i> </a> <a href="" @click.prevent="showMoreOptions()">更多选项 <i class="icon angle" :class="{down:!moreOptionsVisible, up:moreOptionsVisible}"></i> </a>
</div> </div>

16
web/views/@default/index/index.js
View File

@@ -9,8 +9,6 @@ Tea.context(function () {
this.password = "123456" this.password = "123456"
} }
this.showOTP = false
this.isSubmitting = false this.isSubmitting = false
this.$delay(function () { this.$delay(function () {
@@ -19,13 +17,7 @@ Tea.context(function () {
}); });
this.changeUsername = function () { this.changeUsername = function () {
this.$post("/checkOTP")
.params({
username: this.username
})
.success(function (resp) {
this.showOTP = resp.data.requireOTP
})
} }
this.changePassword = function () { this.changePassword = function () {
@@ -46,7 +38,11 @@ Tea.context(function () {
this.isSubmitting = false; this.isSubmitting = false;
}; };
this.submitSuccess = function () { this.submitSuccess = function (resp) {
if (resp.data.requireOTP) {
window.location = "/index/otp?sid=" + resp.data.sid + "&remember=" + (resp.data.remember ? 1 : 0) + "&from=" + window.encodeURIComponent(this.from)
return
}
if (this.from.length == 0) { if (this.from.length == 0) {
window.location = "/dashboard"; window.location = "/dashboard";
} else { } else {

42
web/views/@default/index/otp.css Normal file
View File

@@ -0,0 +1,42 @@
.form-box {
position: fixed;
top: 2em;
bottom: 0;
left: 0;
right: 0;
}
form {
position: fixed;
width: 21em;
top: 50%;
left: 50%;
margin-left: -10em;
margin-top: -16em;
}
form .header {
text-align: center;
font-size: 1em !important;
}
form p {
font-size: 0.8em;
margin-top: 0.3em;
margin-bottom: 0;
font-weight: normal;
padding: 0;
}
form .comment {
margin-top: 0.5em;
padding: 0.5em;
color: gray;
}
form .cancel-login {
text-align: center;
padding-top: 1em;
}
@media screen and (max-width: 512px) {
form {
width: 80%;
margin-left: -40%;
}
}
/*# sourceMappingURL=otp.css.map */

1
web/views/@default/index/otp.css.map Normal file
View File

@@ -0,0 +1 @@
{"version":3,"sources":["otp.less"],"names":[],"mappings":"AAAA;EACI,eAAA;EACA,QAAA;EACA,SAAA;EACA,OAAA;EACA,QAAA;;AAGJ;EACI,eAAA;EACA,WAAA;EACA,QAAA;EACA,SAAA;EACA,kBAAA;EACA,iBAAA;;AANJ,IAQC;EACC,kBAAA;EACA,yBAAA;;AAVF,IAaC;EACC,gBAAA;EACA,iBAAA;EACA,gBAAA;EACA,mBAAA;EACA,UAAA;;AAlBF,IAqBC;EACC,iBAAA;EACA,cAAA;EACA,WAAA;;AAxBF,IA2BC;EACC,kBAAA;EACA,gBAAA;;AAIF,mBAAqC;EACjC;IACI,UAAA;IACA,iBAAA","file":"otp.css"}

55
web/views/@default/index/otp.html Normal file
View File

@@ -0,0 +1,55 @@
<!doctype html>
<html lang="zh">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
{$if eq .faviconFileId 0}
<link rel="shortcut icon" href="/images/favicon.png"/>
{$else}
<link rel="shortcut icon" href="/ui/image/{$ .faviconFileId}"/>
{$end}
<title>登录{$.systemName} - 二次验证</title>
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=0">
{$TEA.VUE}
{$TEA.SEMANTIC}
<script type="text/javascript" src="/js/md5.min.js"></script>
<script type="text/javascript" src="/js/utils.js"></script>
<script type="text/javascript" src="/js/sweetalert2/dist/sweetalert2.all.min.js"></script>
<script type="text/javascript" src="/js/components.js"></script>
</head>
<body>
<div>
{$template "/menu"}
<div class="form-box">
<form method="post" class="ui form" data-tea-action="$" data-tea-before="submitBefore"
data-tea-done="submitDone" data-tea-success="submitSuccess" autocomplete="off">
<input type="hidden" name="sid" :value="sid"/>
<input type="hidden" name="remember" :value="remember ? 1 : 0"/>
<div class="ui segment stacked">
<div class="ui header">
登录{$.systemName}
</div>
<div class="ui field">
为了保护你的账户安全需要进行OTP二次身份验证。
</div>
<div class="ui field">
<div class="ui left icon input">
<i class="ui barcode icon"></i>
<input type="text" name="otpCode" placeholder="请输入OTP动态密码" maxlength="6"/>
</div>
</div>
<button class="ui button primary fluid" type="submit" v-if="!isSubmitting">验证</button>
<button class="ui button primary fluid disabled" type="submit" v-if="isSubmitting">验证中...</button>
<div class="ui field cancel-login">
<a :href="'/?from=' + encodedFrom">&laquo; 取消登录</a>
</div>
</div>
</form>
</div>
</div>
</body>
</html>

31
web/views/@default/index/otp.js Normal file
View File

@@ -0,0 +1,31 @@
Tea.context(function () {
this.isSubmitting = false
this.encodedFrom = window.encodeURIComponent(this.from)
this.$delay(function () {
this.$find("form input[name='otpCode']").focus()
});
// 更多选项
this.moreOptionsVisible = false;
this.showMoreOptions = function () {
this.moreOptionsVisible = !this.moreOptionsVisible;
};
this.submitBefore = function () {
this.isSubmitting = true;
};
this.submitDone = function () {
this.isSubmitting = false;
};
this.submitSuccess = function (resp) {
if (this.from.length == 0) {
window.location = "/dashboard";
} else {
window.location = this.from;
}
};
});

47
web/views/@default/index/otp.less Normal file
View File

@@ -0,0 +1,47 @@
.form-box {
position: fixed;
top: 2em;
bottom: 0;
left: 0;
right: 0;
}
form {
position: fixed;
width: 21em;
top: 50%;
left: 50%;
margin-left: -10em;
margin-top: -16em;
.header {
text-align: center;
font-size: 1em !important;
}
p {
font-size: 0.8em;
margin-top: 0.3em;
margin-bottom: 0;
font-weight: normal;
padding: 0;
}
.comment {
margin-top: 0.5em;
padding: 0.5em;
color: gray;
}
.cancel-login {
text-align: center;
padding-top: 1em;
}
}
@media screen and (max-width: 512px) {
form {
width: 80%;
margin-left: -40%;
}
}