使用本地SID二次校验增强管理系统安全性

2025-11-03 20:40:26 +08:00 · 2024-04-08 10:24:10 +08:00
parent af4d19ee5a
commit fcd69a4e65
12 changed files with 195 additions and 24 deletions
--- a/internal/web/actions/default/index/index.go
+++ b/internal/web/actions/default/index/index.go
@@ -21,6 +21,7 @@ import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/systemconfigs"
 	"github.com/iwind/TeaGo/actions"
 	"github.com/iwind/TeaGo/lists"
+	"github.com/iwind/TeaGo/rands"
 	"github.com/iwind/TeaGo/types"
 	stringutil "github.com/iwind/TeaGo/utils/string"
 	"net"
@@ -236,7 +237,10 @@ func (this *IndexAction) RunPost(params struct {
 	}

 	// 写入SESSION
-	params.Auth.StoreAdmin(adminId, params.Remember)
+	var localSid = rands.HexString(32)
+	this.Data["localSid"] = localSid
+	this.Data["ip"] = loginutils.RemoteIP(&this.ActionObject)
+	params.Auth.StoreAdmin(adminId, params.Remember, localSid)

 	// 记录日志
 	err = dao.SharedLogDAO.CreateAdminLog(rpcClient.Context(adminId), oplogs.LevelInfo, this.Request.URL.Path, langs.DefaultMessage(codes.AdminLogin_LogSuccess, params.Username), loginutils.RemoteIP(&this.ActionObject), codes.AdminLogin_LogSuccess, []any{params.Username})
--- a/internal/web/actions/default/index/otp.go
+++ b/internal/web/actions/default/index/otp.go
@@ -19,6 +19,7 @@ import (
 	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
 	"github.com/iwind/TeaGo/actions"
 	"github.com/iwind/TeaGo/maps"
+	"github.com/iwind/TeaGo/rands"
 	stringutil "github.com/iwind/TeaGo/utils/string"
 	"github.com/xlzd/gotp"
 	"time"
@@ -132,7 +133,10 @@ func (this *OtpAction) RunPost(params struct {
 	}

 	// 写入SESSION
-	params.Auth.StoreAdmin(adminId, params.Remember)
+	var localSid = rands.HexString(32)
+	this.Data["localSid"] = localSid
+	this.Data["ip"] = loginutils.RemoteIP(&this.ActionObject)
+	params.Auth.StoreAdmin(adminId, params.Remember, localSid)

 	// 删除OTP SESSION
 	_, err = this.RPC().LoginSessionRPC().DeleteLoginSession(this.AdminContext(), &pb.DeleteLoginSessionRequest{Sid: sid})
--- a/internal/web/actions/default/login/init.go
+++ b/internal/web/actions/default/login/init.go
@@ -0,0 +1,14 @@
+package login
+
+import (
+	"github.com/iwind/TeaGo"
+)
+
+func init() {
+	TeaGo.BeforeStart(func(server *TeaGo.Server) {
+		server.
+			Prefix("/login").
+			GetPost("/validate", new(ValidateAction)).
+			EndAll()
+	})
+}
--- a/internal/web/actions/default/login/validate.go
+++ b/internal/web/actions/default/login/validate.go
@@ -0,0 +1,74 @@
+// Copyright 2024 GoEdge CDN goedge.cdn@gmail.com. All rights reserved. Official site: https://goedge.cn .
+
+package login
+
+import (
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/index/loginutils"
+	"github.com/iwind/TeaGo/actions"
+	"github.com/iwind/TeaGo/rands"
+	"net"
+)
+
+type ValidateAction struct {
+	actionutils.ParentAction
+}
+
+func (this *ValidateAction) Init() {
+	this.Nav("", "", "")
+}
+
+func (this *ValidateAction) RunGet(params struct {
+	From string
+}) {
+	this.Data["from"] = params.From
+
+	this.Show()
+}
+
+func (this *ValidateAction) RunPost(params struct {
+	Must *actions.Must
+
+	LocalSid string
+	Ip       string
+}) {
+	var isOk bool
+
+	defer func() {
+		this.Data["isOk"] = isOk
+
+		if !isOk {
+			loginutils.UnsetCookie(&this.ActionObject)
+			this.Session().Delete()
+		}
+
+		this.Success()
+	}()
+
+	if len(params.LocalSid) == 0 || len(params.LocalSid) != 32 {
+		return
+	}
+	if len(params.Ip) == 0 {
+		return
+	}
+
+	if net.ParseIP(params.Ip) == nil {
+		return
+	}
+
+	if params.LocalSid == this.Session().GetString("@localSid") {
+		isOk = true
+
+		// renew ip and local sid
+		var newIP = loginutils.RemoteIP(&this.ActionObject)
+		var newLocalSid = rands.HexString(32)
+
+		this.Session().Write("@ip", newIP)
+		this.Session().Write("@localSid", newLocalSid)
+
+		this.Data["ip"] = newIP
+		this.Data["localSid"] = newLocalSid
+
+		return
+	}
+}