From c5a76ba43623b260dc675847eaf3f089857ddccf Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Sun, 29 Sep 2024 20:04:20 +0800
Subject: [PATCH 01/48] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E7=94=A8=E6=88=B7?=
 =?UTF-8?q?=E9=AA=8C=E8=AF=81=E9=98=B2=E7=88=86=E5=8A=9F=E8=83=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/base/cfg.go               |   5 ++
 server/base/config.go            |   5 ++
 server/conf/server.toml          |  10 ++-
 server/handler/antiBruteForce.go | 130 +++++++++++++++++++++++++++++++
 server/handler/link_auth.go      |   3 +
 server/handler/server.go         |   2 +-
 6 files changed, 152 insertions(+), 3 deletions(-)
 create mode 100644 server/handler/antiBruteForce.go

diff --git a/server/base/cfg.go b/server/base/cfg.go
index 53d9a85..679d15e 100644
--- a/server/base/cfg.go
+++ b/server/base/cfg.go
@@ -84,6 +84,11 @@ type ServerConfig struct {
 
 	DisplayError    bool `json:"display_error"`
 	ExcludeExportIp bool `json:"exclude_export_ip"`
+
+	MaxBanCount         int `json:"max_ban_score"`
+	BanResetTime        int `json:"ban_reset_time"`
+	LockTime            int `json:"lock_time"`
+	UserStateExpiration int `json:"user_state_expiration"`
 }
 
 func initServerCfg() {
diff --git a/server/base/config.go b/server/base/config.go
index 6642659..93c0cb0 100644
--- a/server/base/config.go
+++ b/server/base/config.go
@@ -71,6 +71,11 @@ var configs = []config{
 
 	{Typ: cfgBool, Name: "display_error", Usage: "客户端显示详细错误信息(线上环境慎开启)", ValBool: false},
 	{Typ: cfgBool, Name: "exclude_export_ip", Usage: "排除出口ip路由(出口ip不加密传输)", ValBool: true},
+
+	{Typ: cfgInt, Name: "max_ban_score", Usage: "单位时间内最大尝试次数", ValInt: 5},
+	{Typ: cfgInt, Name: "ban_reset_time", Usage: "设置单位时间(秒)，超过则重置计数", ValInt: 1},
+	{Typ: cfgInt, Name: "lock_time", Usage: "超过最大尝试次数后的锁定时长(秒)", ValInt: 300},
+	{Typ: cfgInt, Name: "user_state_expiration", Usage: "用户状态的保存周期(秒),超过则清空计数", ValInt: 900},
 }
 
 var envs = map[string]string{}
diff --git a/server/conf/server.toml b/server/conf/server.toml
index 88ff491..d34871f 100644
--- a/server/conf/server.toml
+++ b/server/conf/server.toml
@@ -53,8 +53,14 @@ ipv4_end = "192.168.90.200"
 #是否自动添加nat
 iptables_nat = true
 
+#单位时间内最大尝试次数
+max_ban_score = 5
+#设置单位时间(秒)，超过则重置计数
+ban_reset_time = 10
+#超过最大尝试次数后的锁定时长(秒)
+lock_time = 300
+#用户状态的保存周期(秒),超过则清空计数
+user_state_expiration = 900
 
 #客户端显示详细错误信息(线上环境慎开启)
 display_error = true
-
-
diff --git a/server/handler/antiBruteForce.go b/server/handler/antiBruteForce.go
new file mode 100644
index 0000000..48f1bbc
--- /dev/null
+++ b/server/handler/antiBruteForce.go
@@ -0,0 +1,130 @@
+package handler
+
+import (
+	"encoding/xml"
+	"io"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/bjdgyc/anylink/base"
+)
+
+// UserState 用于存储用户的登录状态
+type UserState struct {
+	FailureCount int
+	LastAttempt  time.Time
+	LockTime     time.Time
+}
+
+// 自定义 contextKey 类型，避免键冲突
+type contextKey string
+
+// 定义常量作为上下文的键
+const loginStatusKey contextKey = "login_status"
+
+// 用户状态映射
+var userStates = make(map[string]*UserState)
+var mu sync.Mutex
+
+func init() {
+	go cleanupUserStates()
+}
+
+// 清理过期的登录状态
+func cleanupUserStates() {
+	ticker := time.NewTicker(1 * time.Minute)
+	defer ticker.Stop()
+
+	for range ticker.C {
+		mu.Lock()
+		now := time.Now()
+		for username, state := range userStates {
+			if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.UserStateExpiration)*time.Second {
+				delete(userStates, username)
+			}
+		}
+		mu.Unlock()
+	}
+}
+
+// 防爆破中间件
+func antiBruteForce(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// 如果最大验证失败次数为0，则不启用防爆破功能
+		if base.Cfg.MaxBanCount == 0 {
+			return
+		}
+		body, err := io.ReadAll(r.Body)
+		if err != nil {
+			http.Error(w, "Failed to read request body", http.StatusBadRequest)
+			return
+		}
+		r.Body.Close()
+
+		cr := ClientRequest{}
+		err = xml.Unmarshal(body, &cr)
+		if err != nil {
+			http.Error(w, "Failed to parse XML", http.StatusBadRequest)
+			return
+		}
+
+		username := cr.Auth.Username
+
+		// 更新用户登录状态
+		mu.Lock()
+		state, exists := userStates[username]
+		if !exists {
+			state = &UserState{}
+			userStates[username] = state
+		}
+		// 检查是否已超过锁定时间
+		if !state.LockTime.IsZero() {
+			if time.Now().After(state.LockTime) {
+				// 如果已经超过了锁定时间，重置失败计数和锁定时间
+				state.FailureCount = 0
+				state.LockTime = time.Time{}
+			} else {
+				// 如果还在锁定时间内，返回错误信息
+				http.Error(w, "Account locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
+				mu.Unlock()
+				return
+			}
+		}
+
+		// 如果超过时间窗口，重置失败计数
+		if time.Since(state.LastAttempt) > time.Duration(base.Cfg.BanResetTime)*time.Second {
+			state.FailureCount = 0
+		}
+
+		state.LastAttempt = time.Now()
+		mu.Unlock()
+
+		// 重新设置请求体以便后续处理器可以访问
+		r.Body = io.NopCloser(strings.NewReader(string(body)))
+
+		// 调用下一个处理器
+		next.ServeHTTP(w, r)
+
+		// 从 context 中获取登录状态
+		loginStatus, ok := r.Context().Value(loginStatusKey).(bool)
+		if !ok {
+			// 如果没有找到登录状态，默认为登录失败
+			loginStatus = false
+		}
+
+		// 更新用户登录状态
+		mu.Lock()
+		defer mu.Unlock()
+
+		if !loginStatus {
+			state.FailureCount++
+			if state.FailureCount >= base.Cfg.MaxBanCount {
+				state.LockTime = time.Now().Add(time.Duration(base.Cfg.LockTime) * time.Second)
+			}
+		} else {
+			state.FailureCount = 0 // 成功登录后重置
+		}
+	})
+}
diff --git a/server/handler/link_auth.go b/server/handler/link_auth.go
index f4c9950..8924290 100644
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -2,6 +2,7 @@ package handler
 
 import (
 	"bytes"
+	"context"
 	"crypto/md5"
 	"encoding/xml"
 	"fmt"
@@ -88,6 +89,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	// TODO 用户密码校验
 	err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect)
 	if err != nil {
+		r = r.WithContext(context.WithValue(r.Context(), loginStatusKey, false)) // 传递登录失败状态
 		base.Warn(err, r.RemoteAddr)
 		ua.Info = err.Error()
 		ua.Status = dbdata.UserAuthFail
@@ -101,6 +103,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		tplRequest(tpl_request, w, data)
 		return
 	}
+	r = r.WithContext(context.WithValue(r.Context(), loginStatusKey, true)) // 传递登录成功状态
 	dbdata.UserActLogIns.Add(ua, userAgent)
 	// if !ok {
 	//	w.WriteHeader(http.StatusOK)
diff --git a/server/handler/server.go b/server/handler/server.go
index eadf549..2fc5baf 100644
--- a/server/handler/server.go
+++ b/server/handler/server.go
@@ -111,7 +111,7 @@ func initRoute() http.Handler {
 	})
 
 	r.HandleFunc("/", LinkHome).Methods(http.MethodGet)
-	r.HandleFunc("/", LinkAuth).Methods(http.MethodPost)
+	r.Handle("/", antiBruteForce(http.HandlerFunc(LinkAuth))).Methods(http.MethodPost)
 	r.HandleFunc("/CSCOSSLC/tunnel", LinkTunnel).Methods(http.MethodConnect)
 	r.HandleFunc("/otp_qr", LinkOtpQr).Methods(http.MethodGet)
 	r.HandleFunc(fmt.Sprintf("/profile_%s.xml", base.Cfg.ProfileName), func(w http.ResponseWriter, r *http.Request) {

From 9e700830beb02cf5c0b5a0b8c05f674ac80e3a9a Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Sun, 29 Sep 2024 21:09:15 +0800
Subject: [PATCH 02/48] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E6=9C=AA=E5=90=AF?=
 =?UTF-8?q?=E5=8A=A8=E9=98=B2=E7=88=86=E5=8A=9F=E8=83=BD=E5=AF=BC=E8=87=B4?=
 =?UTF-8?q?=E6=97=A0=E6=B3=95=E9=AA=8C=E8=AF=81=E7=9A=84Bug?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/base/config.go            | 2 +-
 server/conf/server.toml          | 2 +-
 server/handler/antiBruteForce.go | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/server/base/config.go b/server/base/config.go
index 93c0cb0..f676c19 100644
--- a/server/base/config.go
+++ b/server/base/config.go
@@ -72,7 +72,7 @@ var configs = []config{
 	{Typ: cfgBool, Name: "display_error", Usage: "客户端显示详细错误信息(线上环境慎开启)", ValBool: false},
 	{Typ: cfgBool, Name: "exclude_export_ip", Usage: "排除出口ip路由(出口ip不加密传输)", ValBool: true},
 
-	{Typ: cfgInt, Name: "max_ban_score", Usage: "单位时间内最大尝试次数", ValInt: 5},
+	{Typ: cfgInt, Name: "max_ban_score", Usage: "单位时间内最大尝试次数，0为关闭防爆功能", ValInt: 5},
 	{Typ: cfgInt, Name: "ban_reset_time", Usage: "设置单位时间(秒)，超过则重置计数", ValInt: 1},
 	{Typ: cfgInt, Name: "lock_time", Usage: "超过最大尝试次数后的锁定时长(秒)", ValInt: 300},
 	{Typ: cfgInt, Name: "user_state_expiration", Usage: "用户状态的保存周期(秒),超过则清空计数", ValInt: 900},
diff --git a/server/conf/server.toml b/server/conf/server.toml
index d34871f..2d60201 100644
--- a/server/conf/server.toml
+++ b/server/conf/server.toml
@@ -53,7 +53,7 @@ ipv4_end = "192.168.90.200"
 #是否自动添加nat
 iptables_nat = true
 
-#单位时间内最大尝试次数
+#单位时间内最大尝试次数，0为关闭防爆功能
 max_ban_score = 5
 #设置单位时间(秒)，超过则重置计数
 ban_reset_time = 10
diff --git a/server/handler/antiBruteForce.go b/server/handler/antiBruteForce.go
index 48f1bbc..c84902a 100644
--- a/server/handler/antiBruteForce.go
+++ b/server/handler/antiBruteForce.go
@@ -54,6 +54,7 @@ func antiBruteForce(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		// 如果最大验证失败次数为0，则不启用防爆破功能
 		if base.Cfg.MaxBanCount == 0 {
+			next.ServeHTTP(w, r)
 			return
 		}
 		body, err := io.ReadAll(r.Body)

From 2fedb281e8e189828c98482ab68bc2baf2e4ac7a Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Thu, 3 Oct 2024 23:29:41 +0800
Subject: [PATCH 03/48] =?UTF-8?q?1.=E9=87=8D=E6=9E=84=E9=98=B2=E7=88=86?=
 =?UTF-8?q?=E9=80=BB=E8=BE=91=EF=BC=8C=E5=9F=BA=E4=BA=8EIP+UserName?=
 =?UTF-8?q?=E9=94=81=E5=AE=9A=EF=BC=88=E5=8D=95=E4=BD=8D=E6=97=B6=E9=97=B4?=
 =?UTF-8?q?=E5=86=85=EF=BC=8C=E9=94=81=E5=AE=9A=E7=9B=B8=E5=90=8CIP?=
 =?UTF-8?q?=E4=B8=8B=E7=9A=84=E7=9B=B8=E5=90=8C=E7=94=A8=E6=88=B7=EF=BC=8C?=
 =?UTF-8?q?=E5=85=B6=E5=AE=83IP=E5=92=8C=E7=94=A8=E6=88=B7=E4=B8=8D?=
 =?UTF-8?q?=E5=BD=B1=E5=93=8D=EF=BC=89=202.=E5=A2=9E=E5=8A=A0=E5=9F=BA?=
 =?UTF-8?q?=E4=BA=8E=E7=94=A8=E6=88=B7=E7=9A=84=E5=85=A8=E5=B1=80=E9=94=81?=
 =?UTF-8?q?=E5=AE=9A=203.=E5=A2=9E=E5=8A=A0=E5=9F=BA=E4=BA=8EIP=E7=9A=84?=
 =?UTF-8?q?=E5=85=A8=E5=B1=80=E9=94=81=E5=AE=9A=204.=E7=94=A8=E6=88=B7?=
 =?UTF-8?q?=E5=8D=95=E4=BD=8D=E6=97=B6=E9=97=B4=E5=86=85=E7=9A=84=E8=AF=B7?=
 =?UTF-8?q?=E6=B1=82=E9=A2=91=E7=8E=87=E9=99=90=E5=88=B6=EF=BC=88=E6=9A=82?=
 =?UTF-8?q?=E6=9C=AA=E5=BC=80=E6=94=BE=EF=BC=89?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/base/cfg.go               |  17 +-
 server/base/config.go            |  13 +-
 server/conf/server.toml          |  21 +-
 server/handler/antiBruteForce.go | 368 +++++++++++++++++++++++++------
 4 files changed, 337 insertions(+), 82 deletions(-)

diff --git a/server/base/cfg.go b/server/base/cfg.go
index 679d15e..96dca98 100644
--- a/server/base/cfg.go
+++ b/server/base/cfg.go
@@ -85,10 +85,19 @@ type ServerConfig struct {
 	DisplayError    bool `json:"display_error"`
 	ExcludeExportIp bool `json:"exclude_export_ip"`
 
-	MaxBanCount         int `json:"max_ban_score"`
-	BanResetTime        int `json:"ban_reset_time"`
-	LockTime            int `json:"lock_time"`
-	UserStateExpiration int `json:"user_state_expiration"`
+	AntiBruteForce bool `json:"anti_brute_force"`
+
+	MaxBanCount  int `json:"max_ban_score"`
+	BanResetTime int `json:"ban_reset_time"`
+	LockTime     int `json:"lock_time"`
+
+	MaxGlobalUserBanCount  int `json:"max_global_user_ban_count"`
+	GlobalUserBanResetTime int `json:"global_user_ban_reset_time"`
+	GlobalUserLockTime     int `json:"global_user_lock_time"`
+
+	MaxGlobalIPBanCount  int `json:"max_global_ip_ban_count"`
+	GlobalIPBanResetTime int `json:"global_ip_ban_reset_time"`
+	GlobalIPLockTime     int `json:"global_ip_lock_time"`
 }
 
 func initServerCfg() {
diff --git a/server/base/config.go b/server/base/config.go
index f676c19..3fc434f 100644
--- a/server/base/config.go
+++ b/server/base/config.go
@@ -72,10 +72,19 @@ var configs = []config{
 	{Typ: cfgBool, Name: "display_error", Usage: "客户端显示详细错误信息(线上环境慎开启)", ValBool: false},
 	{Typ: cfgBool, Name: "exclude_export_ip", Usage: "排除出口ip路由(出口ip不加密传输)", ValBool: true},
 
+	{Typ: cfgBool, Name: "anti_brute_force", Usage: "是否开启防爆功能", ValBool: true},
+
 	{Typ: cfgInt, Name: "max_ban_score", Usage: "单位时间内最大尝试次数，0为关闭防爆功能", ValInt: 5},
-	{Typ: cfgInt, Name: "ban_reset_time", Usage: "设置单位时间(秒)，超过则重置计数", ValInt: 1},
+	{Typ: cfgInt, Name: "ban_reset_time", Usage: "设置单位时间(秒)，超过则重置计数", ValInt: 10},
 	{Typ: cfgInt, Name: "lock_time", Usage: "超过最大尝试次数后的锁定时长(秒)", ValInt: 300},
-	{Typ: cfgInt, Name: "user_state_expiration", Usage: "用户状态的保存周期(秒),超过则清空计数", ValInt: 900},
+
+	{Typ: cfgInt, Name: "max_global_user_ban_count", Usage: "全局用户单位时间内最大尝试次数", ValInt: 20},
+	{Typ: cfgInt, Name: "global_user_ban_reset_time", Usage: "全局用户设置单位时间(秒)", ValInt: 600},
+	{Typ: cfgInt, Name: "global_user_lock_time", Usage: "全局用户锁定时间(秒)", ValInt: 300},
+
+	{Typ: cfgInt, Name: "max_global_ip_ban_count", Usage: "全局IP单位时间内最大尝试次数", ValInt: 40},
+	{Typ: cfgInt, Name: "global_ip_ban_reset_time", Usage: "全局IP设置单位时间(秒)", ValInt: 1200},
+	{Typ: cfgInt, Name: "global_ip_lock_time", Usage: "全局IP锁定时间(秒)", ValInt: 300},
 }
 
 var envs = map[string]string{}
diff --git a/server/conf/server.toml b/server/conf/server.toml
index 2d60201..418a799 100644
--- a/server/conf/server.toml
+++ b/server/conf/server.toml
@@ -53,14 +53,29 @@ ipv4_end = "192.168.90.200"
 #是否自动添加nat
 iptables_nat = true
 
-#单位时间内最大尝试次数，0为关闭防爆功能
+#防爆全局开关
+anti_brute_force = true
+
+#单位时间内最大尝试次数，0为全局关闭防爆功能
 max_ban_score = 5
 #设置单位时间(秒)，超过则重置计数
 ban_reset_time = 10
 #超过最大尝试次数后的锁定时长(秒)
 lock_time = 300
-#用户状态的保存周期(秒),超过则清空计数
-user_state_expiration = 900
+
+#全局用户单位时间内最大尝试次数,0为关闭该功能
+max_global_user_ban_count = 20
+#全局用户设置单位时间(秒)
+global_user_ban_reset_time = 600
+#全局用户锁定时间(秒)
+global_user_lock_time = 300
+
+#全局IP单位时间内最大尝试次数，0为关闭该功能
+max_global_ip_ban_count = 40
+#全局IP设置单位时间(秒)
+global_ip_ban_reset_time = 1200
+#全局IP锁定时间(秒)
+global_ip_lock_time = 300
 
 #客户端显示详细错误信息(线上环境慎开启)
 display_error = true
diff --git a/server/handler/antiBruteForce.go b/server/handler/antiBruteForce.go
index c84902a..684a669 100644
--- a/server/handler/antiBruteForce.go
+++ b/server/handler/antiBruteForce.go
@@ -3,6 +3,8 @@ package handler
 import (
 	"encoding/xml"
 	"io"
+	"log"
+	"net"
 	"net/http"
 	"strings"
 	"sync"
@@ -11,58 +13,31 @@ import (
 	"github.com/bjdgyc/anylink/base"
 )
 
-// UserState 用于存储用户的登录状态
-type UserState struct {
-	FailureCount int
-	LastAttempt  time.Time
-	LockTime     time.Time
-}
-
 // 自定义 contextKey 类型，避免键冲突
 type contextKey string
 
 // 定义常量作为上下文的键
 const loginStatusKey contextKey = "login_status"
 
-// 用户状态映射
-var userStates = make(map[string]*UserState)
-var mu sync.Mutex
-
 func init() {
-	go cleanupUserStates()
-}
-
-// 清理过期的登录状态
-func cleanupUserStates() {
-	ticker := time.NewTicker(1 * time.Minute)
-	defer ticker.Stop()
-
-	for range ticker.C {
-		mu.Lock()
-		now := time.Now()
-		for username, state := range userStates {
-			if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.UserStateExpiration)*time.Second {
-				delete(userStates, username)
-			}
-		}
-		mu.Unlock()
-	}
+	lockManager.startCleanupTicker()
 }
 
 // 防爆破中间件
 func antiBruteForce(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// 如果最大验证失败次数为0，则不启用防爆破功能
-		if base.Cfg.MaxBanCount == 0 {
+		// 防爆破功能全局开关
+		if !base.Cfg.AntiBruteForce {
 			next.ServeHTTP(w, r)
 			return
 		}
+
 		body, err := io.ReadAll(r.Body)
 		if err != nil {
 			http.Error(w, "Failed to read request body", http.StatusBadRequest)
 			return
 		}
-		r.Body.Close()
+		defer r.Body.Close()
 
 		cr := ClientRequest{}
 		err = xml.Unmarshal(body, &cr)
@@ -72,35 +47,49 @@ func antiBruteForce(next http.Handler) http.Handler {
 		}
 
 		username := cr.Auth.Username
-
-		// 更新用户登录状态
-		mu.Lock()
-		state, exists := userStates[username]
-		if !exists {
-			state = &UserState{}
-			userStates[username] = state
-		}
-		// 检查是否已超过锁定时间
-		if !state.LockTime.IsZero() {
-			if time.Now().After(state.LockTime) {
-				// 如果已经超过了锁定时间，重置失败计数和锁定时间
-				state.FailureCount = 0
-				state.LockTime = time.Time{}
-			} else {
-				// 如果还在锁定时间内，返回错误信息
-				http.Error(w, "Account locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
-				mu.Unlock()
-				return
-			}
+		ip, _, err := net.SplitHostPort(r.RemoteAddr) // 提取纯 IP 地址，去掉端口号
+		if err != nil {
+			http.Error(w, "Unable to parse IP address", http.StatusInternalServerError)
+			return
 		}
 
-		// 如果超过时间窗口，重置失败计数
-		if time.Since(state.LastAttempt) > time.Duration(base.Cfg.BanResetTime)*time.Second {
-			state.FailureCount = 0
+		now := time.Now()
+
+		// // 速率限制
+		// lockManager.mu.RLock()
+		// limiter, exists := lockManager.rateLimiter[ip]
+		// if !exists {
+		// 	limiter = rate.NewLimiter(rate.Limit(base.Cfg.RateLimit), base.Cfg.Burst)
+		// 	lockManager.rateLimiter[ip] = limiter
+		// }
+		// lockManager.mu.RUnlock()
+
+		// if !limiter.Allow() {
+		// 	log.Printf("Rate limit exceeded for IP %s. Try again later.", ip)
+		// 	http.Error(w, "Rate limit exceeded. Try again later.", http.StatusTooManyRequests)
+		// 	return
+		// }
+
+		// 检查全局 IP 锁定
+		if base.Cfg.MaxGlobalIPBanCount > 0 && lockManager.checkGlobalIPLock(ip, now) {
+			log.Printf("IP %s is globally locked. Try again later.", ip)
+			http.Error(w, "Account globally locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
+			return
 		}
 
-		state.LastAttempt = time.Now()
-		mu.Unlock()
+		// 检查全局用户锁定
+		if base.Cfg.MaxGlobalUserBanCount > 0 && lockManager.checkGlobalUserLock(username, now) {
+			log.Printf("User %s is globally locked. Try again later.", username)
+			http.Error(w, "Account globally locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
+			return
+		}
+
+		// 检查单个用户的 IP 锁定
+		if base.Cfg.MaxBanCount > 0 && lockManager.checkUserIPLock(username, ip, now) {
+			log.Printf("IP %s is locked for user %s. Try again later.", ip, username)
+			http.Error(w, "Account locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
+			return
+		}
 
 		// 重新设置请求体以便后续处理器可以访问
 		r.Body = io.NopCloser(strings.NewReader(string(body)))
@@ -109,23 +98,256 @@ func antiBruteForce(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 
 		// 从 context 中获取登录状态
-		loginStatus, ok := r.Context().Value(loginStatusKey).(bool)
-		if !ok {
-			// 如果没有找到登录状态，默认为登录失败
-			loginStatus = false
-		}
+		loginStatus, _ := r.Context().Value(loginStatusKey).(bool)
 
 		// 更新用户登录状态
-		mu.Lock()
-		defer mu.Unlock()
-
-		if !loginStatus {
-			state.FailureCount++
-			if state.FailureCount >= base.Cfg.MaxBanCount {
-				state.LockTime = time.Now().Add(time.Duration(base.Cfg.LockTime) * time.Second)
-			}
-		} else {
-			state.FailureCount = 0 // 成功登录后重置
-		}
+		lockManager.updateGlobalIPLock(ip, now, loginStatus)
+		lockManager.updateGlobalUserLock(username, now, loginStatus)
+		lockManager.updateUserIPLock(username, ip, now, loginStatus)
 	})
 }
+
+type LockState struct {
+	FailureCount int
+	LockTime     time.Time
+	LastAttempt  time.Time
+}
+
+type LockManager struct {
+	mu          sync.RWMutex
+	ipLocks     map[string]*LockState            // 全局IP锁定状态
+	userLocks   map[string]*LockState            // 全局用户锁定状态
+	ipUserLocks map[string]map[string]*LockState // 单用户IP锁定状态
+	// rateLimiter   map[string]*rate.Limiter         // 速率限制器
+	cleanupTicker *time.Ticker
+}
+
+var lockManager = &LockManager{
+	ipLocks:     make(map[string]*LockState),
+	userLocks:   make(map[string]*LockState),
+	ipUserLocks: make(map[string]map[string]*LockState),
+	// rateLimiter: make(map[string]*rate.Limiter),
+}
+
+func (lm *LockManager) startCleanupTicker() {
+	lm.cleanupTicker = time.NewTicker(1 * time.Minute)
+	go func() {
+		for range lm.cleanupTicker.C {
+			lm.cleanupExpiredLocks()
+		}
+	}()
+}
+
+// 定期清理过期的锁定
+func (lm *LockManager) cleanupExpiredLocks() {
+	go func() {
+		for range time.Tick(5 * time.Minute) {
+			now := time.Now()
+
+			var ipKeys, userKeys []string
+			var IPuserKeys []struct{ user, ip string }
+
+			lm.mu.Lock()
+			for ip, state := range lm.ipLocks {
+				if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalIPBanResetTime)*time.Second {
+					ipKeys = append(ipKeys, ip)
+				}
+			}
+
+			for user, state := range lm.userLocks {
+				if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalUserBanResetTime)*time.Second {
+					userKeys = append(userKeys, user)
+				}
+			}
+
+			for user, ipMap := range lm.ipUserLocks {
+				for ip, state := range ipMap {
+					if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.BanResetTime)*time.Second {
+						IPuserKeys = append(IPuserKeys, struct{ user, ip string }{user, ip})
+					}
+				}
+			}
+			lm.mu.Unlock()
+
+			lm.mu.Lock()
+			for _, ip := range ipKeys {
+				delete(lm.ipLocks, ip)
+			}
+			for _, user := range userKeys {
+				delete(lm.userLocks, user)
+			}
+			for _, key := range IPuserKeys {
+				delete(lm.ipUserLocks[key.user], key.ip)
+				if len(lm.ipUserLocks[key.user]) == 0 {
+					delete(lm.ipUserLocks, key.user)
+				}
+			}
+			lm.mu.Unlock()
+		}
+	}()
+}
+
+// 检查全局 IP 锁定
+func (lm *LockManager) checkGlobalIPLock(ip string, now time.Time) bool {
+	lm.mu.RLock()
+	defer lm.mu.RUnlock()
+
+	state, exists := lm.ipLocks[ip]
+	if !exists {
+		return false
+	}
+
+	if !state.LockTime.IsZero() && now.Before(state.LockTime) {
+		return true
+	}
+
+	// 如果超过时间窗口，重置失败计数
+	if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalIPBanResetTime)*time.Second {
+		state.FailureCount = 0
+		state.LockTime = time.Time{}
+	}
+
+	return false
+}
+
+// 检查全局用户锁定
+func (lm *LockManager) checkGlobalUserLock(username string, now time.Time) bool {
+	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
+	if username == "" {
+		return false
+	}
+	lm.mu.RLock()
+	defer lm.mu.RUnlock()
+
+	state, exists := lm.userLocks[username]
+	if !exists {
+		return false
+	}
+
+	if !state.LockTime.IsZero() && now.Before(state.LockTime) {
+		return true
+	}
+
+	// 如果超过时间窗口，重置失败计数
+	if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalUserBanResetTime)*time.Second {
+		state.FailureCount = 0
+		state.LockTime = time.Time{}
+	}
+
+	return false
+}
+
+// 检查单个用户的 IP 锁定
+func (lm *LockManager) checkUserIPLock(username, ip string, now time.Time) bool {
+	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
+	if username == "" {
+		return false
+	}
+	lm.mu.RLock()
+	defer lm.mu.RUnlock()
+
+	userIPMap, userExists := lm.ipUserLocks[username]
+	if !userExists {
+		return false
+	}
+
+	state, ipExists := userIPMap[ip]
+	if !ipExists {
+		return false
+	}
+
+	if !state.LockTime.IsZero() && now.Before(state.LockTime) {
+		return true
+	}
+
+	// 如果超过时间窗口，重置失败计数
+	if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.BanResetTime)*time.Second {
+		state.FailureCount = 0
+		state.LockTime = time.Time{}
+	}
+
+	return false
+}
+
+// 更新全局 IP 锁定状态
+func (lm *LockManager) updateGlobalIPLock(ip string, now time.Time, success bool) {
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	state, exists := lm.ipLocks[ip]
+	if !exists {
+		state = &LockState{}
+		lm.ipLocks[ip] = state
+	}
+
+	if success {
+		state.FailureCount = 0
+		state.LockTime = time.Time{}
+	} else {
+		state.FailureCount++
+		if state.FailureCount >= base.Cfg.MaxGlobalIPBanCount {
+			state.LockTime = now.Add(time.Duration(base.Cfg.GlobalIPLockTime) * time.Second)
+		}
+	}
+	state.LastAttempt = now
+}
+
+// 更新全局用户锁定状态
+func (lm *LockManager) updateGlobalUserLock(username string, now time.Time, success bool) {
+	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
+	if username == "" {
+		return
+	}
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	state, exists := lm.userLocks[username]
+	if !exists {
+		state = &LockState{}
+		lm.userLocks[username] = state
+	}
+
+	if success {
+		state.FailureCount = 0
+		state.LockTime = time.Time{}
+	} else {
+		state.FailureCount++
+		if state.FailureCount >= base.Cfg.MaxGlobalUserBanCount {
+			state.LockTime = now.Add(time.Duration(base.Cfg.GlobalUserLockTime) * time.Second)
+		}
+	}
+	state.LastAttempt = now
+}
+
+// 更新单个用户的 IP 锁定状态
+func (lm *LockManager) updateUserIPLock(username, ip string, now time.Time, success bool) {
+	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
+	if username == "" {
+		return
+	}
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	userIPMap, userExists := lm.ipUserLocks[username]
+	if !userExists {
+		userIPMap = make(map[string]*LockState)
+		lm.ipUserLocks[username] = userIPMap
+	}
+
+	state, ipExists := userIPMap[ip]
+	if !ipExists {
+		state = &LockState{}
+		userIPMap[ip] = state
+	}
+
+	if success {
+		state.FailureCount = 0
+		state.LockTime = time.Time{}
+	} else {
+		state.FailureCount++
+		if state.FailureCount >= base.Cfg.MaxBanCount {
+			state.LockTime = now.Add(time.Duration(base.Cfg.LockTime) * time.Second)
+		}
+	}
+	state.LastAttempt = now
+}

From f195ae2d3023c696d97230735e83d8992f98b5af Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Fri, 4 Oct 2024 00:17:56 +0800
Subject: [PATCH 04/48] =?UTF-8?q?=E4=BC=98=E5=8C=96=E4=BB=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/antiBruteForce.go | 70 ++++++++++++++------------------
 1 file changed, 30 insertions(+), 40 deletions(-)

diff --git a/server/handler/antiBruteForce.go b/server/handler/antiBruteForce.go
index 684a669..507856c 100644
--- a/server/handler/antiBruteForce.go
+++ b/server/handler/antiBruteForce.go
@@ -197,16 +197,13 @@ func (lm *LockManager) checkGlobalIPLock(ip string, now time.Time) bool {
 		return false
 	}
 
+	// 如果超过时间窗口，重置失败计数
+	lm.resetLockStateIfExpired(state, now, base.Cfg.GlobalIPBanResetTime)
+
 	if !state.LockTime.IsZero() && now.Before(state.LockTime) {
 		return true
 	}
 
-	// 如果超过时间窗口，重置失败计数
-	if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalIPBanResetTime)*time.Second {
-		state.FailureCount = 0
-		state.LockTime = time.Time{}
-	}
-
 	return false
 }
 
@@ -224,16 +221,13 @@ func (lm *LockManager) checkGlobalUserLock(username string, now time.Time) bool
 		return false
 	}
 
+	// 如果超过时间窗口，重置失败计数
+	lm.resetLockStateIfExpired(state, now, base.Cfg.GlobalUserBanResetTime)
+
 	if !state.LockTime.IsZero() && now.Before(state.LockTime) {
 		return true
 	}
 
-	// 如果超过时间窗口，重置失败计数
-	if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalUserBanResetTime)*time.Second {
-		state.FailureCount = 0
-		state.LockTime = time.Time{}
-	}
-
 	return false
 }
 
@@ -256,16 +250,13 @@ func (lm *LockManager) checkUserIPLock(username, ip string, now time.Time) bool
 		return false
 	}
 
+	// 如果超过时间窗口，重置失败计数
+	lm.resetLockStateIfExpired(state, now, base.Cfg.BanResetTime)
+
 	if !state.LockTime.IsZero() && now.Before(state.LockTime) {
 		return true
 	}
 
-	// 如果超过时间窗口，重置失败计数
-	if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.BanResetTime)*time.Second {
-		state.FailureCount = 0
-		state.LockTime = time.Time{}
-	}
-
 	return false
 }
 
@@ -280,16 +271,7 @@ func (lm *LockManager) updateGlobalIPLock(ip string, now time.Time, success bool
 		lm.ipLocks[ip] = state
 	}
 
-	if success {
-		state.FailureCount = 0
-		state.LockTime = time.Time{}
-	} else {
-		state.FailureCount++
-		if state.FailureCount >= base.Cfg.MaxGlobalIPBanCount {
-			state.LockTime = now.Add(time.Duration(base.Cfg.GlobalIPLockTime) * time.Second)
-		}
-	}
-	state.LastAttempt = now
+	lm.updateLockState(state, now, success, base.Cfg.MaxGlobalIPBanCount, base.Cfg.GlobalIPLockTime)
 }
 
 // 更新全局用户锁定状态
@@ -307,16 +289,7 @@ func (lm *LockManager) updateGlobalUserLock(username string, now time.Time, succ
 		lm.userLocks[username] = state
 	}
 
-	if success {
-		state.FailureCount = 0
-		state.LockTime = time.Time{}
-	} else {
-		state.FailureCount++
-		if state.FailureCount >= base.Cfg.MaxGlobalUserBanCount {
-			state.LockTime = now.Add(time.Duration(base.Cfg.GlobalUserLockTime) * time.Second)
-		}
-	}
-	state.LastAttempt = now
+	lm.updateLockState(state, now, success, base.Cfg.MaxGlobalUserBanCount, base.Cfg.GlobalUserLockTime)
 }
 
 // 更新单个用户的 IP 锁定状态
@@ -340,14 +313,31 @@ func (lm *LockManager) updateUserIPLock(username, ip string, now time.Time, succ
 		userIPMap[ip] = state
 	}
 
+	lm.updateLockState(state, now, success, base.Cfg.MaxBanCount, base.Cfg.LockTime)
+}
+
+// 更新锁定状态
+func (lm *LockManager) updateLockState(state *LockState, now time.Time, success bool, maxBanCount, lockTime int) {
 	if success {
 		state.FailureCount = 0
 		state.LockTime = time.Time{}
 	} else {
 		state.FailureCount++
-		if state.FailureCount >= base.Cfg.MaxBanCount {
-			state.LockTime = now.Add(time.Duration(base.Cfg.LockTime) * time.Second)
+		if state.FailureCount >= maxBanCount {
+			state.LockTime = now.Add(time.Duration(lockTime) * time.Second)
 		}
 	}
 	state.LastAttempt = now
 }
+
+// 超过时间窗口时重置锁定状态
+func (lm *LockManager) resetLockStateIfExpired(state *LockState, now time.Time, resetTime int) {
+	if state == nil || state.LastAttempt.IsZero() {
+		return
+	}
+
+	if now.Sub(state.LastAttempt) > time.Duration(resetTime)*time.Second {
+		state.FailureCount = 0
+		state.LockTime = time.Time{}
+	}
+}

From 59748fe39506b16c35ed01f8d1d3564d485c3836 Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Fri, 4 Oct 2024 11:55:46 +0800
Subject: [PATCH 05/48] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E9=94=81=E5=AE=9A?=
 =?UTF-8?q?=E7=8A=B6=E6=80=81=E8=AE=B0=E5=BD=95=E7=94=9F=E5=91=BD=E5=91=A8?=
 =?UTF-8?q?=E6=9C=9F=E9=85=8D=E7=BD=AE=E9=A1=B9=EF=BC=8C=E4=BC=98=E5=8C=96?=
 =?UTF-8?q?=E6=B8=85=E7=90=86=E5=86=85=E5=AD=98=E7=9A=84=E5=AE=9A=E6=97=B6?=
 =?UTF-8?q?=E5=99=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/base/cfg.go               |  2 +
 server/base/config.go            |  8 +--
 server/conf/server.toml          |  7 ++-
 server/handler/antiBruteForce.go | 86 ++++++++++++++++----------------
 4 files changed, 54 insertions(+), 49 deletions(-)

diff --git a/server/base/cfg.go b/server/base/cfg.go
index 96dca98..d0afc8f 100644
--- a/server/base/cfg.go
+++ b/server/base/cfg.go
@@ -98,6 +98,8 @@ type ServerConfig struct {
 	MaxGlobalIPBanCount  int `json:"max_global_ip_ban_count"`
 	GlobalIPBanResetTime int `json:"global_ip_ban_reset_time"`
 	GlobalIPLockTime     int `json:"global_ip_lock_time"`
+
+	GlobalLockStateExpirationTime int `json:"global_lock_state_expiration_time"`
 }
 
 func initServerCfg() {
diff --git a/server/base/config.go b/server/base/config.go
index 3fc434f..cd10674 100644
--- a/server/base/config.go
+++ b/server/base/config.go
@@ -74,17 +74,19 @@ var configs = []config{
 
 	{Typ: cfgBool, Name: "anti_brute_force", Usage: "是否开启防爆功能", ValBool: true},
 
-	{Typ: cfgInt, Name: "max_ban_score", Usage: "单位时间内最大尝试次数，0为关闭防爆功能", ValInt: 5},
+	{Typ: cfgInt, Name: "max_ban_score", Usage: "单位时间内最大尝试次数，0为关闭该功能", ValInt: 5},
 	{Typ: cfgInt, Name: "ban_reset_time", Usage: "设置单位时间(秒)，超过则重置计数", ValInt: 10},
 	{Typ: cfgInt, Name: "lock_time", Usage: "超过最大尝试次数后的锁定时长(秒)", ValInt: 300},
 
-	{Typ: cfgInt, Name: "max_global_user_ban_count", Usage: "全局用户单位时间内最大尝试次数", ValInt: 20},
+	{Typ: cfgInt, Name: "max_global_user_ban_count", Usage: "全局用户单位时间内最大尝试次数，0为关闭该功能", ValInt: 20},
 	{Typ: cfgInt, Name: "global_user_ban_reset_time", Usage: "全局用户设置单位时间(秒)", ValInt: 600},
 	{Typ: cfgInt, Name: "global_user_lock_time", Usage: "全局用户锁定时间(秒)", ValInt: 300},
 
-	{Typ: cfgInt, Name: "max_global_ip_ban_count", Usage: "全局IP单位时间内最大尝试次数", ValInt: 40},
+	{Typ: cfgInt, Name: "max_global_ip_ban_count", Usage: "全局IP单位时间内最大尝试次数，0为关闭该功能", ValInt: 40},
 	{Typ: cfgInt, Name: "global_ip_ban_reset_time", Usage: "全局IP设置单位时间(秒)", ValInt: 1200},
 	{Typ: cfgInt, Name: "global_ip_lock_time", Usage: "全局IP锁定时间(秒)", ValInt: 300},
+
+	{Typ: cfgInt, Name: "global_lock_state_expiration_time", Usage: "全局锁定状态的保存生命周期(秒),超过则删除记录", ValInt: 3600},
 }
 
 var envs = map[string]string{}
diff --git a/server/conf/server.toml b/server/conf/server.toml
index 418a799..eb8706b 100644
--- a/server/conf/server.toml
+++ b/server/conf/server.toml
@@ -53,10 +53,10 @@ ipv4_end = "192.168.90.200"
 #是否自动添加nat
 iptables_nat = true
 
-#防爆全局开关
+#防爆破全局开关
 anti_brute_force = true
 
-#单位时间内最大尝试次数，0为全局关闭防爆功能
+#单位时间内最大尝试次数，0为关闭该功能
 max_ban_score = 5
 #设置单位时间(秒)，超过则重置计数
 ban_reset_time = 10
@@ -77,5 +77,8 @@ global_ip_ban_reset_time = 1200
 #全局IP锁定时间(秒)
 global_ip_lock_time = 300
 
+#全局锁定状态的保存生命周期(秒),超过则删除记录
+global_lock_state_expiration_time = 3600
+
 #客户端显示详细错误信息(线上环境慎开启)
 display_error = true
diff --git a/server/handler/antiBruteForce.go b/server/handler/antiBruteForce.go
index 507856c..8a8a888 100644
--- a/server/handler/antiBruteForce.go
+++ b/server/handler/antiBruteForce.go
@@ -20,7 +20,9 @@ type contextKey string
 const loginStatusKey contextKey = "login_status"
 
 func init() {
-	lockManager.startCleanupTicker()
+	if base.Cfg.AntiBruteForce {
+		lockManager.startCleanupTicker()
+	}
 }
 
 // 防爆破中间件
@@ -130,7 +132,7 @@ var lockManager = &LockManager{
 }
 
 func (lm *LockManager) startCleanupTicker() {
-	lm.cleanupTicker = time.NewTicker(1 * time.Minute)
+	lm.cleanupTicker = time.NewTicker(5 * time.Minute)
 	go func() {
 		for range lm.cleanupTicker.C {
 			lm.cleanupExpiredLocks()
@@ -140,51 +142,47 @@ func (lm *LockManager) startCleanupTicker() {
 
 // 定期清理过期的锁定
 func (lm *LockManager) cleanupExpiredLocks() {
-	go func() {
-		for range time.Tick(5 * time.Minute) {
-			now := time.Now()
+	now := time.Now()
 
-			var ipKeys, userKeys []string
-			var IPuserKeys []struct{ user, ip string }
+	var ipKeys, userKeys []string
+	var IPuserKeys []struct{ user, ip string }
 
-			lm.mu.Lock()
-			for ip, state := range lm.ipLocks {
-				if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalIPBanResetTime)*time.Second {
-					ipKeys = append(ipKeys, ip)
-				}
-			}
-
-			for user, state := range lm.userLocks {
-				if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalUserBanResetTime)*time.Second {
-					userKeys = append(userKeys, user)
-				}
-			}
-
-			for user, ipMap := range lm.ipUserLocks {
-				for ip, state := range ipMap {
-					if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.BanResetTime)*time.Second {
-						IPuserKeys = append(IPuserKeys, struct{ user, ip string }{user, ip})
-					}
-				}
-			}
-			lm.mu.Unlock()
-
-			lm.mu.Lock()
-			for _, ip := range ipKeys {
-				delete(lm.ipLocks, ip)
-			}
-			for _, user := range userKeys {
-				delete(lm.userLocks, user)
-			}
-			for _, key := range IPuserKeys {
-				delete(lm.ipUserLocks[key.user], key.ip)
-				if len(lm.ipUserLocks[key.user]) == 0 {
-					delete(lm.ipUserLocks, key.user)
-				}
-			}
-			lm.mu.Unlock()
+	lm.mu.Lock()
+	for ip, state := range lm.ipLocks {
+		if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
+			ipKeys = append(ipKeys, ip)
 		}
-	}()
+	}
+
+	for user, state := range lm.userLocks {
+		if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
+			userKeys = append(userKeys, user)
+		}
+	}
+
+	for user, ipMap := range lm.ipUserLocks {
+		for ip, state := range ipMap {
+			if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
+				IPuserKeys = append(IPuserKeys, struct{ user, ip string }{user, ip})
+			}
+		}
+	}
+	lm.mu.Unlock()
+
+	lm.mu.Lock()
+	for _, ip := range ipKeys {
+		delete(lm.ipLocks, ip)
+	}
+	for _, user := range userKeys {
+		delete(lm.userLocks, user)
+	}
+	for _, key := range IPuserKeys {
+		delete(lm.ipUserLocks[key.user], key.ip)
+		if len(lm.ipUserLocks[key.user]) == 0 {
+			delete(lm.ipUserLocks, key.user)
+		}
+	}
+	lm.mu.Unlock()
 }
 
 // 检查全局 IP 锁定

From c8cb9c163ab426dbc9f3f90d2f2fdb017069cfab Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Fri, 4 Oct 2024 16:02:24 +0800
Subject: [PATCH 06/48] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E5=85=A8=E5=B1=80IP?=
 =?UTF-8?q?=E7=99=BD=E5=90=8D=E5=8D=95=E5=8A=9F=E8=83=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/base/cfg.go               |  3 +-
 server/base/config.go            |  1 +
 server/conf/server.toml          |  1 +
 server/handler/antiBruteForce.go | 86 ++++++++++++++++++++++++++------
 server/handler/start.go          |  2 +
 5 files changed, 77 insertions(+), 16 deletions(-)

diff --git a/server/base/cfg.go b/server/base/cfg.go
index d0afc8f..6c31310 100644
--- a/server/base/cfg.go
+++ b/server/base/cfg.go
@@ -85,7 +85,8 @@ type ServerConfig struct {
 	DisplayError    bool `json:"display_error"`
 	ExcludeExportIp bool `json:"exclude_export_ip"`
 
-	AntiBruteForce bool `json:"anti_brute_force"`
+	AntiBruteForce bool   `json:"anti_brute_force"`
+	IPWhitelist    string `json:"ip_whitelist"`
 
 	MaxBanCount  int `json:"max_ban_score"`
 	BanResetTime int `json:"ban_reset_time"`
diff --git a/server/base/config.go b/server/base/config.go
index cd10674..65084d4 100644
--- a/server/base/config.go
+++ b/server/base/config.go
@@ -73,6 +73,7 @@ var configs = []config{
 	{Typ: cfgBool, Name: "exclude_export_ip", Usage: "排除出口ip路由(出口ip不加密传输)", ValBool: true},
 
 	{Typ: cfgBool, Name: "anti_brute_force", Usage: "是否开启防爆功能", ValBool: true},
+	{Typ: cfgStr, Name: "ip_whitelist", Usage: "全局IP白名单,多个用逗号分隔，支持单IP和CIDR范围", ValStr: "192.168.90.1,172.16.0.0/24"},
 
 	{Typ: cfgInt, Name: "max_ban_score", Usage: "单位时间内最大尝试次数，0为关闭该功能", ValInt: 5},
 	{Typ: cfgInt, Name: "ban_reset_time", Usage: "设置单位时间(秒)，超过则重置计数", ValInt: 10},
diff --git a/server/conf/server.toml b/server/conf/server.toml
index eb8706b..d54702e 100644
--- a/server/conf/server.toml
+++ b/server/conf/server.toml
@@ -55,6 +55,7 @@ iptables_nat = true
 
 #防爆破全局开关
 anti_brute_force = true
+ip_whitelist = "192.168.90.1,172.16.0.0/24"
 
 #单位时间内最大尝试次数，0为关闭该功能
 max_ban_score = 5
diff --git a/server/handler/antiBruteForce.go b/server/handler/antiBruteForce.go
index 8a8a888..77be83a 100644
--- a/server/handler/antiBruteForce.go
+++ b/server/handler/antiBruteForce.go
@@ -18,10 +18,15 @@ type contextKey string
 
 // 定义常量作为上下文的键
 const loginStatusKey contextKey = "login_status"
+const defaultGlobalLockStateExpirationTime = 3600
 
-func init() {
+func initAntiBruteForce() {
 	if base.Cfg.AntiBruteForce {
+		if base.Cfg.GlobalLockStateExpirationTime <= 0 {
+			base.Cfg.GlobalLockStateExpirationTime = defaultGlobalLockStateExpirationTime
+		}
 		lockManager.startCleanupTicker()
+		lockManager.initIPWhitelist()
 	}
 }
 
@@ -56,6 +61,12 @@ func antiBruteForce(next http.Handler) http.Handler {
 		}
 
 		now := time.Now()
+		// 检查IP是否在白名单中
+		if lockManager.isWhitelisted(ip) {
+			r.Body = io.NopCloser(strings.NewReader(string(body)))
+			next.ServeHTTP(w, r)
+			return
+		}
 
 		// // 速率限制
 		// lockManager.mu.RLock()
@@ -114,23 +125,69 @@ type LockState struct {
 	LockTime     time.Time
 	LastAttempt  time.Time
 }
+type IPWhitelists struct {
+	IP   net.IP
+	CIDR *net.IPNet
+}
 
 type LockManager struct {
-	mu          sync.RWMutex
-	ipLocks     map[string]*LockState            // 全局IP锁定状态
-	userLocks   map[string]*LockState            // 全局用户锁定状态
-	ipUserLocks map[string]map[string]*LockState // 单用户IP锁定状态
+	mu           sync.Mutex
+	ipLocks      map[string]*LockState            // 全局IP锁定状态
+	userLocks    map[string]*LockState            // 全局用户锁定状态
+	ipUserLocks  map[string]map[string]*LockState // 单用户IP锁定状态
+	ipWhitelists []IPWhitelists                   // 全局IP白名单，包含IP地址和CIDR范围
 	// rateLimiter   map[string]*rate.Limiter         // 速率限制器
 	cleanupTicker *time.Ticker
 }
 
 var lockManager = &LockManager{
-	ipLocks:     make(map[string]*LockState),
-	userLocks:   make(map[string]*LockState),
-	ipUserLocks: make(map[string]map[string]*LockState),
+	ipLocks:      make(map[string]*LockState),
+	userLocks:    make(map[string]*LockState),
+	ipUserLocks:  make(map[string]map[string]*LockState),
+	ipWhitelists: make([]IPWhitelists, 0),
 	// rateLimiter: make(map[string]*rate.Limiter),
 }
 
+// 初始化IP白名单
+func (lm *LockManager) initIPWhitelist() {
+	ipWhitelist := strings.Split(base.Cfg.IPWhitelist, ",")
+	for _, ipWhitelist := range ipWhitelist {
+		ipWhitelist = strings.TrimSpace(ipWhitelist)
+		if ipWhitelist == "" {
+			continue
+		}
+
+		_, ipNet, err := net.ParseCIDR(ipWhitelist)
+		if err == nil {
+			lm.ipWhitelists = append(lm.ipWhitelists, IPWhitelists{CIDR: ipNet})
+			continue
+		}
+
+		ip := net.ParseIP(ipWhitelist)
+		if ip != nil {
+			lm.ipWhitelists = append(lm.ipWhitelists, IPWhitelists{IP: ip})
+			continue
+		}
+	}
+}
+
+// 检查 IP 是否在白名单中
+func (lm *LockManager) isWhitelisted(ip string) bool {
+	clientIP := net.ParseIP(ip)
+	if clientIP == nil {
+		return false
+	}
+	for _, ipWhitelist := range lm.ipWhitelists {
+		if ipWhitelist.CIDR != nil && ipWhitelist.CIDR.Contains(clientIP) {
+			return true
+		}
+		if ipWhitelist.IP != nil && ipWhitelist.IP.Equal(clientIP) {
+			return true
+		}
+	}
+	return false
+}
+
 func (lm *LockManager) startCleanupTicker() {
 	lm.cleanupTicker = time.NewTicker(5 * time.Minute)
 	go func() {
@@ -187,8 +244,8 @@ func (lm *LockManager) cleanupExpiredLocks() {
 
 // 检查全局 IP 锁定
 func (lm *LockManager) checkGlobalIPLock(ip string, now time.Time) bool {
-	lm.mu.RLock()
-	defer lm.mu.RUnlock()
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
 
 	state, exists := lm.ipLocks[ip]
 	if !exists {
@@ -211,14 +268,13 @@ func (lm *LockManager) checkGlobalUserLock(username string, now time.Time) bool
 	if username == "" {
 		return false
 	}
-	lm.mu.RLock()
-	defer lm.mu.RUnlock()
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
 
 	state, exists := lm.userLocks[username]
 	if !exists {
 		return false
 	}
-
 	// 如果超过时间窗口，重置失败计数
 	lm.resetLockStateIfExpired(state, now, base.Cfg.GlobalUserBanResetTime)
 
@@ -235,8 +291,8 @@ func (lm *LockManager) checkUserIPLock(username, ip string, now time.Time) bool
 	if username == "" {
 		return false
 	}
-	lm.mu.RLock()
-	defer lm.mu.RUnlock()
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
 
 	userIPMap, userExists := lm.ipUserLocks[username]
 	if !userExists {
diff --git a/server/handler/start.go b/server/handler/start.go
index 5f4637d..e582739 100644
--- a/server/handler/start.go
+++ b/server/handler/start.go
@@ -17,6 +17,8 @@ func Start() {
 	sessdata.Start()
 	cron.Start()
 
+	initAntiBruteForce() //初始化防爆破定时器和IP白名单
+
 	// 开启服务器转发
 	err := execCmd([]string{"sysctl -w net.ipv4.ip_forward=1"})
 	if err != nil {

From 1c6fc446c94f709deb1a1661bfa86caf51abe27d Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Fri, 4 Oct 2024 19:22:23 +0800
Subject: [PATCH 07/48] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E6=97=A0=E6=B3=95?=
 =?UTF-8?q?=E8=87=AA=E5=8A=A8=E8=A7=A3=E9=94=81=E7=9A=84Bug?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/conf/server.toml          |  4 +++-
 server/handler/antiBruteForce.go | 10 +++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/server/conf/server.toml b/server/conf/server.toml
index d54702e..5dbf53d 100644
--- a/server/conf/server.toml
+++ b/server/conf/server.toml
@@ -55,12 +55,14 @@ iptables_nat = true
 
 #防爆破全局开关
 anti_brute_force = true
+#全局IP白名单,多个用逗号分隔，支持单IP和CIDR范围
 ip_whitelist = "192.168.90.1,172.16.0.0/24"
 
+#锁定时间最好不要超过单位时间
 #单位时间内最大尝试次数，0为关闭该功能
 max_ban_score = 5
 #设置单位时间(秒)，超过则重置计数
-ban_reset_time = 10
+ban_reset_time = 600
 #超过最大尝试次数后的锁定时长(秒)
 lock_time = 300
 
diff --git a/server/handler/antiBruteForce.go b/server/handler/antiBruteForce.go
index 77be83a..947a8a9 100644
--- a/server/handler/antiBruteForce.go
+++ b/server/handler/antiBruteForce.go
@@ -384,12 +384,20 @@ func (lm *LockManager) updateLockState(state *LockState, now time.Time, success
 	state.LastAttempt = now
 }
 
-// 超过时间窗口时重置锁定状态
+// 超过窗口时间和锁定时间时重置锁定状态
 func (lm *LockManager) resetLockStateIfExpired(state *LockState, now time.Time, resetTime int) {
 	if state == nil || state.LastAttempt.IsZero() {
 		return
 	}
 
+	// 如果超过锁定时间，重置锁定状态
+	if !state.LockTime.IsZero() && now.After(state.LockTime) {
+		state.FailureCount = 0
+		state.LockTime = time.Time{}
+		return
+	}
+
+	// 如果超过窗口时间，重置失败计数
 	if now.Sub(state.LastAttempt) > time.Duration(resetTime)*time.Second {
 		state.FailureCount = 0
 		state.LockTime = time.Time{}

From 11bd9861e5e9c44007d38eb56fb4c4894313c245 Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Mon, 7 Oct 2024 17:11:56 +0800
Subject: [PATCH 08/48] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E5=BC=B9=E7=AA=97?=
 =?UTF-8?q?=E8=BE=93=E5=85=A5OTP=E5=8A=A8=E6=80=81=E7=A0=81=E7=9A=84?=
 =?UTF-8?q?=E5=8A=9F=E8=83=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/dbdata/user.go            |  16 +--
 server/handler/antiBruteForce.go |   7 +-
 server/handler/link_auth.go      | 106 +++++++--------
 server/handler/link_auth_otp.go  | 222 +++++++++++++++++++++++++++++++
 server/handler/link_base.go      |   3 +
 server/handler/server.go         |   1 +
 6 files changed, 288 insertions(+), 67 deletions(-)
 create mode 100644 server/handler/link_auth_otp.go

diff --git a/server/dbdata/user.go b/server/dbdata/user.go
index a84ddaf..18db099 100644
--- a/server/dbdata/user.go
+++ b/server/dbdata/user.go
@@ -117,13 +117,13 @@ func checkLocalUser(name, pwd, group string) error {
 	}
 	// 判断otp信息
 	pinCode := pwd
-	if !v.DisableOtp {
-		pinCode = pwd[:pl-6]
-		otp := pwd[pl-6:]
-		if !checkOtp(name, otp, v.OtpSecret) {
-			return fmt.Errorf("%s %s", name, "动态码错误")
-		}
-	}
+	// if !v.DisableOtp {
+	// 	pinCode = pwd[:pl-6]
+	// 	otp := pwd[pl-6:]
+	// 	if !CheckOtp(name, otp, v.OtpSecret) {
+	// 		return fmt.Errorf("%s %s", name, "动态码错误")
+	// 	}
+	// }
 
 	// 判断用户密码
 	if pinCode != v.PinCode {
@@ -171,7 +171,7 @@ func init() {
 }
 
 // 判断令牌信息
-func checkOtp(name, otp, secret string) bool {
+func CheckOtp(name, otp, secret string) bool {
 	key := fmt.Sprintf("%s:%s", name, otp)
 
 	userOtpMux.Lock()
diff --git a/server/handler/antiBruteForce.go b/server/handler/antiBruteForce.go
index 947a8a9..248f8d2 100644
--- a/server/handler/antiBruteForce.go
+++ b/server/handler/antiBruteForce.go
@@ -3,7 +3,6 @@ package handler
 import (
 	"encoding/xml"
 	"io"
-	"log"
 	"net"
 	"net/http"
 	"strings"
@@ -85,21 +84,21 @@ func antiBruteForce(next http.Handler) http.Handler {
 
 		// 检查全局 IP 锁定
 		if base.Cfg.MaxGlobalIPBanCount > 0 && lockManager.checkGlobalIPLock(ip, now) {
-			log.Printf("IP %s is globally locked. Try again later.", ip)
+			base.Warn("IP", ip, "is globally locked. Try again later.")
 			http.Error(w, "Account globally locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
 			return
 		}
 
 		// 检查全局用户锁定
 		if base.Cfg.MaxGlobalUserBanCount > 0 && lockManager.checkGlobalUserLock(username, now) {
-			log.Printf("User %s is globally locked. Try again later.", username)
+			base.Warn("User", username, "is globally locked. Try again later.")
 			http.Error(w, "Account globally locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
 			return
 		}
 
 		// 检查单个用户的 IP 锁定
 		if base.Cfg.MaxBanCount > 0 && lockManager.checkUserIPLock(username, ip, now) {
-			log.Printf("IP %s is locked for user %s. Try again later.", ip, username)
+			base.Warn("IP", ip, "is locked for user", username, "Try again later.")
 			http.Error(w, "Account locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
 			return
 		}
diff --git a/server/handler/link_auth.go b/server/handler/link_auth.go
index 8924290..fe0be6d 100644
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -3,11 +3,9 @@ package handler
 import (
 	"bytes"
 	"context"
-	"crypto/md5"
 	"encoding/xml"
 	"fmt"
 	"io"
-	"net"
 	"net/http"
 	"net/http/httputil"
 	"strings"
@@ -47,7 +45,10 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	}
 	defer r.Body.Close()
 
-	cr := ClientRequest{}
+	cr := &ClientRequest{
+		RemoteAddr: r.RemoteAddr,
+		UserAgent:  userAgent,
+	}
 	err = xml.Unmarshal(body, &cr)
 	if err != nil {
 		base.Error(err)
@@ -78,7 +79,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	// 用户活动日志
-	ua := dbdata.UserActLog{
+	ua := &dbdata.UserActLog{
 		Username:        cr.Auth.Username,
 		GroupName:       cr.GroupSelect,
 		RemoteAddr:      r.RemoteAddr,
@@ -86,6 +87,11 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		DeviceType:      cr.DeviceId.DeviceType,
 		PlatformVersion: cr.DeviceId.PlatformVersion,
 	}
+
+	sessionData := &AuthSession{
+		ClientRequest: cr,
+		UserActLog:    ua,
+	}
 	// TODO 用户密码校验
 	err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect)
 	if err != nil {
@@ -93,7 +99,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		base.Warn(err, r.RemoteAddr)
 		ua.Info = err.Error()
 		ua.Status = dbdata.UserAuthFail
-		dbdata.UserActLogIns.Add(ua, userAgent)
+		dbdata.UserActLogIns.Add(*ua, userAgent)
 
 		w.WriteHeader(http.StatusOK)
 		data := RequestData{Group: cr.GroupSelect, Groups: dbdata.GetGroupNamesNormal(), Error: "用户名或密码错误"}
@@ -104,72 +110,62 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	r = r.WithContext(context.WithValue(r.Context(), loginStatusKey, true)) // 传递登录成功状态
-	dbdata.UserActLogIns.Add(ua, userAgent)
-	// if !ok {
-	//	w.WriteHeader(http.StatusOK)
-	//	data := RequestData{Group: cr.GroupSelect, Groups: base.Cfg.UserGroups, Error: "请先激活用户"}
-	//	tplRequest(tpl_request, w, data)
-	//	return
-	// }
+	dbdata.UserActLogIns.Add(*ua, userAgent)
 
-	// 创建新的session信息
-	sess := sessdata.NewSession("")
-	sess.Username = cr.Auth.Username
-	sess.Group = cr.GroupSelect
-	oriMac := cr.MacAddressList.MacAddress
-	sess.UniqueIdGlobal = cr.DeviceId.UniqueIdGlobal
-	sess.UserAgent = userAgent
-	sess.DeviceType = ua.DeviceType
-	sess.PlatformVersion = ua.PlatformVersion
-	sess.RemoteAddr = r.RemoteAddr
-	// 获取客户端mac地址
-	sess.UniqueMac = true
-	macHw, err := net.ParseMAC(oriMac)
+	v := &dbdata.User{}
+	err = dbdata.One("Username", cr.Auth.Username, v)
 	if err != nil {
-		var sum [16]byte
-		if sess.UniqueIdGlobal != "" {
-			sum = md5.Sum([]byte(sess.UniqueIdGlobal))
-		} else {
-			sum = md5.Sum([]byte(sess.Token))
-			sess.UniqueMac = false
-		}
-		macHw = sum[0:5] // 5个byte
-		macHw = append([]byte{0x02}, macHw...)
-		sess.MacAddr = macHw.String()
+		base.Error("Failed to get TOTP secret for user:", cr.Auth.Username, err)
+		http.Error(w, "Failed to get TOTP secret", http.StatusInternalServerError)
+		return
 	}
-	sess.MacHw = macHw
-	// 统一macAddr的格式
-	sess.MacAddr = macHw.String()
+	// 用户otp验证
+	if !v.DisableOtp {
+		sessionID, err := GenerateSessionID()
+		if err != nil {
+			base.Error("Failed to generate session ID: ", err)
+			http.Error(w, "Failed to generate session ID", http.StatusInternalServerError)
+			return
+		}
 
-	other := &dbdata.SettingOther{}
-	_ = dbdata.SettingGet(other)
-	rd := RequestData{SessionId: sess.Sid, SessionToken: sess.Sid + "@" + sess.Token,
-		Banner: other.Banner, ProfileName: base.Cfg.ProfileName, ProfileHash: profileHash, CertHash: certHash}
-	w.WriteHeader(http.StatusOK)
-	tplRequest(tpl_complete, w, rd)
-	base.Info("login", cr.Auth.Username, userAgent)
+		sessionData.ClientRequest.Auth.OtpSecret = v.OtpSecret
+		SessStore.SaveAuthSession(sessionID, sessionData)
+
+		SetCookie(w, "auth-session-id", sessionID, 0)
+
+		data := RequestData{}
+		w.WriteHeader(http.StatusOK)
+		tplRequest(tpl_otp, w, data)
+		return
+	}
+
+	CreateSession(w, r, sessionData)
 }
 
 const (
 	tpl_request = iota
 	tpl_complete
+	tpl_otp
 )
 
 func tplRequest(typ int, w io.Writer, data RequestData) {
-	if typ == tpl_request {
+	switch typ {
+	case tpl_request:
 		t, _ := template.New("auth_request").Parse(auth_request)
 		_ = t.Execute(w, data)
-		return
-	}
+	case tpl_complete:
+		if data.Banner != "" {
+			buf := new(bytes.Buffer)
+			_ = xml.EscapeText(buf, []byte(data.Banner))
+			data.Banner = buf.String()
+		}
 
-	if data.Banner != "" {
-		buf := new(bytes.Buffer)
-		_ = xml.EscapeText(buf, []byte(data.Banner))
-		data.Banner = buf.String()
+		t, _ := template.New("auth_complete").Parse(auth_complete)
+		_ = t.Execute(w, data)
+	case tpl_otp:
+		t, _ := template.New("auth_otp").Parse(auth_otp)
+		_ = t.Execute(w, data)
 	}
-
-	t, _ := template.New("auth_complete").Parse(auth_complete)
-	_ = t.Execute(w, data)
 }
 
 // 设置输出信息
diff --git a/server/handler/link_auth_otp.go b/server/handler/link_auth_otp.go
new file mode 100644
index 0000000..313aa63
--- /dev/null
+++ b/server/handler/link_auth_otp.go
@@ -0,0 +1,222 @@
+package handler
+
+import (
+	"crypto/md5"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/xml"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"sync"
+
+	"github.com/bjdgyc/anylink/base"
+	"github.com/bjdgyc/anylink/dbdata"
+	"github.com/bjdgyc/anylink/sessdata"
+)
+
+var SessStore = NewSessionStore()
+
+type AuthSession struct {
+	ClientRequest *ClientRequest
+	UserActLog    *dbdata.UserActLog
+}
+
+// 存储临时会话信息
+type SessionStore struct {
+	session map[string]*AuthSession
+	mu      sync.Mutex
+}
+
+func NewSessionStore() *SessionStore {
+	return &SessionStore{
+		session: make(map[string]*AuthSession),
+	}
+}
+
+func (s *SessionStore) SaveAuthSession(sessionID string, session *AuthSession) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.session[sessionID] = session
+}
+
+func (s *SessionStore) GetAuthSession(sessionID string) (*AuthSession, error) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+
+	session, exists := s.session[sessionID]
+	if !exists {
+		return nil, fmt.Errorf("auth session not found")
+	}
+
+	return session, nil
+}
+
+func (s *SessionStore) DeleteAuthSession(sessionID string) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	delete(s.session, sessionID)
+}
+
+func GenerateSessionID() (string, error) {
+	b := make([]byte, 32)
+	_, err := rand.Read(b)
+	if err != nil {
+		return "", fmt.Errorf("failed to generate session ID: %w", err)
+	}
+
+	hash := sha256.Sum256(b)
+	sessionID := base64.URLEncoding.EncodeToString(hash[:])
+	return sessionID, nil
+}
+
+func SetCookie(w http.ResponseWriter, name, value string, maxAge int) {
+	cookie := &http.Cookie{
+		Name:     name,
+		Value:    value,
+		MaxAge:   maxAge,
+		Path:     "/",
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteLaxMode,
+	}
+	http.SetCookie(w, cookie)
+}
+
+func GetCookie(r *http.Request, name string) (string, error) {
+	cookie, err := r.Cookie(name)
+	if err != nil {
+		return "", fmt.Errorf("failed to get cookie: %v", err)
+	}
+	return cookie.Value, nil
+}
+
+func DeleteCookie(w http.ResponseWriter, name string) {
+	cookie := &http.Cookie{
+		Name:     name,
+		Value:    "",
+		MaxAge:   -1,
+		Path:     "/",
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteStrictMode,
+	}
+	http.SetCookie(w, cookie)
+}
+func CreateSession(w http.ResponseWriter, r *http.Request, authSession *AuthSession) {
+	cr := authSession.ClientRequest
+	ua := authSession.UserActLog
+
+	sess := sessdata.NewSession("")
+	sess.Username = cr.Auth.Username
+	sess.Group = cr.GroupSelect
+	oriMac := cr.MacAddressList.MacAddress
+	sess.UniqueIdGlobal = cr.DeviceId.UniqueIdGlobal
+	sess.UserAgent = cr.UserAgent
+	sess.DeviceType = ua.DeviceType
+	sess.PlatformVersion = ua.PlatformVersion
+	sess.RemoteAddr = cr.RemoteAddr
+	// 获取客户端mac地址
+	sess.UniqueMac = true
+	macHw, err := net.ParseMAC(oriMac)
+	if err != nil {
+		var sum [16]byte
+		if sess.UniqueIdGlobal != "" {
+			sum = md5.Sum([]byte(sess.UniqueIdGlobal))
+		} else {
+			sum = md5.Sum([]byte(sess.Token))
+			sess.UniqueMac = false
+		}
+		macHw = sum[0:5] // 5个byte
+		macHw = append([]byte{0x02}, macHw...)
+		sess.MacAddr = macHw.String()
+	}
+	sess.MacHw = macHw
+	// 统一macAddr的格式
+	sess.MacAddr = macHw.String()
+
+	other := &dbdata.SettingOther{}
+	dbdata.SettingGet(other)
+	rd := RequestData{
+		SessionId:    sess.Sid,
+		SessionToken: sess.Sid + "@" + sess.Token,
+		Banner:       other.Banner,
+		ProfileName:  base.Cfg.ProfileName,
+		ProfileHash:  profileHash,
+		CertHash:     certHash,
+	}
+
+	w.WriteHeader(http.StatusOK)
+	tplRequest(tpl_complete, w, rd)
+	base.Info("login", cr.Auth.Username, cr.UserAgent)
+}
+
+func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
+	sessionID, err := GetCookie(r, "auth-session-id")
+	if err != nil {
+		http.Error(w, "Invalid session, please login again", http.StatusUnauthorized)
+		return
+	}
+
+	sessionData, err := SessStore.GetAuthSession(sessionID)
+	if err != nil {
+		http.Error(w, "Invalid session, please login again", http.StatusUnauthorized)
+		return
+	}
+
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+	defer r.Body.Close()
+
+	cr := ClientRequest{}
+	err = xml.Unmarshal(body, &cr)
+	if err != nil {
+		base.Error(err)
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
+	ua := sessionData.UserActLog
+	username := sessionData.ClientRequest.Auth.Username
+	otpSecret := sessionData.ClientRequest.Auth.OtpSecret
+	otp := cr.Auth.SecondaryPassword
+
+	if !dbdata.CheckOtp(username, otp, otpSecret) {
+		base.Warn("OTP 动态码错误", r.RemoteAddr)
+		ua.Info = "OTP 动态码错误"
+		ua.Status = dbdata.UserAuthFail
+		dbdata.UserActLogIns.Add(*ua, sessionData.ClientRequest.UserAgent)
+
+		w.WriteHeader(http.StatusOK)
+		data := RequestData{Error: "OTP 动态码错误"}
+		if base.Cfg.DisplayError {
+			data.Error = "OTP 动态码错误"
+		}
+		tplRequest(tpl_otp, w, data)
+		return
+	}
+	CreateSession(w, r, sessionData)
+
+	// 删除临时会话信息
+	SessStore.DeleteAuthSession(sessionID)
+	// DeleteCookie(w, "auth-session-id")
+}
+
+var auth_otp = `<?xml version="1.0" encoding="UTF-8"?>
+<config-auth client="vpn" type="auth-request" aggregate-auth-version="2">
+    <auth id="otp-verification">
+        <title>OTP 动态码验证</title>
+        <message>请输入您的 OTP 动态码</message>
+        {{if .Error}}
+        <error id="otp-verification" param1="{{.Error}}" param2="">验证失败:  %s</error>
+        {{end}}		
+        <form method="post" action="/otp-verification">
+            <input type="password" name="secondary_password" label="OTP"/>
+        </form>
+    </auth>
+</config-auth>`
diff --git a/server/handler/link_base.go b/server/handler/link_base.go
index c46da15..95c3e5d 100644
--- a/server/handler/link_base.go
+++ b/server/handler/link_base.go
@@ -17,6 +17,8 @@ type ClientRequest struct {
 	Version              string         `xml:"version"`                     // 客户端版本号
 	GroupAccess          string         `xml:"group-access"`                // 请求的地址
 	GroupSelect          string         `xml:"group-select"`                // 选择的组名
+	RemoteAddr           string         `xml:"remote_addr"`
+	UserAgent            string         `xml:"user_agent"`
 	SessionId            string         `xml:"session-id"`
 	SessionToken         string         `xml:"session-token"`
 	Auth                 auth           `xml:"auth"`
@@ -27,6 +29,7 @@ type ClientRequest struct {
 type auth struct {
 	Username          string `xml:"username"`
 	Password          string `xml:"password"`
+	OtpSecret         string `xml:"otp_secret"`
 	SecondaryPassword string `xml:"secondary_password"`
 }
 
diff --git a/server/handler/server.go b/server/handler/server.go
index 2fc5baf..bf0a140 100644
--- a/server/handler/server.go
+++ b/server/handler/server.go
@@ -114,6 +114,7 @@ func initRoute() http.Handler {
 	r.Handle("/", antiBruteForce(http.HandlerFunc(LinkAuth))).Methods(http.MethodPost)
 	r.HandleFunc("/CSCOSSLC/tunnel", LinkTunnel).Methods(http.MethodConnect)
 	r.HandleFunc("/otp_qr", LinkOtpQr).Methods(http.MethodGet)
+	r.HandleFunc("/otp-verification", LinkAuth_otp)
 	r.HandleFunc(fmt.Sprintf("/profile_%s.xml", base.Cfg.ProfileName), func(w http.ResponseWriter, r *http.Request) {
 		b, _ := os.ReadFile(base.Cfg.Profile)
 		w.Write(b)

From fd383b92f5701a1a43e141b7e60bb67c92b56368 Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Mon, 7 Oct 2024 17:31:21 +0800
Subject: [PATCH 09/48] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E4=BD=BF=E7=94=A8?=
 =?UTF-8?q?=E7=AC=AC=E4=B8=89=E6=96=B9=E9=AA=8C=E8=AF=81=E6=96=B9=E5=BC=8F?=
 =?UTF-8?q?=E6=97=A0=E6=B3=95=E5=BB=BA=E7=AB=8B=E8=BF=9E=E6=8E=A5=E7=9A=84?=
 =?UTF-8?q?Bug?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/link_auth.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/handler/link_auth.go b/server/handler/link_auth.go
index fe0be6d..cabe728 100644
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -115,8 +115,8 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	v := &dbdata.User{}
 	err = dbdata.One("Username", cr.Auth.Username, v)
 	if err != nil {
-		base.Error("Failed to get TOTP secret for user:", cr.Auth.Username, err)
-		http.Error(w, "Failed to get TOTP secret", http.StatusInternalServerError)
+		base.Info("正在使用第三方认证方式登录")
+		CreateSession(w, r, sessionData)
 		return
 	}
 	// 用户otp验证

From 4c219a3127324a2ade6d42249bd1558288a49534 Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Tue, 8 Oct 2024 00:15:59 +0800
Subject: [PATCH 10/48] =?UTF-8?q?=E5=88=A0=E9=99=A4CheckUser=E6=B5=8B?=
 =?UTF-8?q?=E8=AF=95=E5=8D=95=E5=85=83=E7=9A=84otp=E9=AA=8C=E8=AF=81?=
 =?UTF-8?q?=E6=B5=8B=E8=AF=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/dbdata/user_test.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/server/dbdata/user_test.go b/server/dbdata/user_test.go
index 2238837..ea54918 100644
--- a/server/dbdata/user_test.go
+++ b/server/dbdata/user_test.go
@@ -4,7 +4,6 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
-	"github.com/xlzd/gotp"
 )
 
 func TestCheckUser(t *testing.T) {
@@ -30,10 +29,10 @@ func TestCheckUser(t *testing.T) {
 	ast.Nil(err)
 
 	// 验证 PinCode + OtpSecret
-	totp := gotp.NewDefaultTOTP(u.OtpSecret)
-	secret := totp.Now()
-	err = CheckUser("aaa", u.PinCode+secret, group)
-	ast.Nil(err)
+	// totp := gotp.NewDefaultTOTP(u.OtpSecret)
+	// secret := totp.Now()
+	// err = CheckUser("aaa", u.PinCode+secret, group)
+	// ast.Nil(err)
 
 	// 单独验证密码
 	u.DisableOtp = true

From 1c5b269aa31a916dcfdab8e85093e8d74dcf6ed7 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Tue, 22 Oct 2024 13:22:45 +0800
Subject: [PATCH 11/48] =?UTF-8?q?=E4=BF=AE=E6=94=B9=20postgres=20=E9=93=BE?=
 =?UTF-8?q?=E6=8E=A5=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 0fce86e..cdaa584 100644
--- a/README.md
+++ b/README.md
@@ -59,7 +59,6 @@ AnyLink 服务端仅在 CentOS 7、CentOS 8、Ubuntu 18.04、Ubuntu 20.04 测试
 >
 > <img src="doc/screenshot/qq2.jpg" width="400" />
 
-
 ### 使用问题
 
 > 对于测试环境，可以直接进行测试，需要客户端取消勾选【阻止不受信任的服务器(Block connections to untrusted servers)】
@@ -161,11 +160,11 @@ sudo ./anylink
 >
 > 数据库表结构自动生成，无需手动导入(请赋予 DDL 权限)
 
-| db_type  | db_source                                              |
-|----------|--------------------------------------------------------|
-| sqlite3  | ./conf/anylink.db                                      |
-| mysql    | user:password@tcp(127.0.0.1:3306)/anylink?charset=utf8 |
-| postgres | user:password@localhost/anylink?sslmode=verify-full    |
+| db_type  | db_source                                                      |
+|----------|----------------------------------------------------------------|
+| sqlite3  | ./conf/anylink.db                                              |
+| mysql    | user:password@tcp(127.0.0.1:3306)/anylink?charset=utf8         |
+| postgres | postgres://user:password@localhost/anylink?sslmode=verify-full |
 
 > 示例配置文件
 >

From c0c15815f9e8f24eb35671a2a037edfaf46ee943 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Tue, 22 Oct 2024 14:14:10 +0800
Subject: [PATCH 12/48] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/base/cfg.go            |  7 ++++
 server/sessdata/online.go     | 67 +++++++++++++++++++----------------
 version                       |  2 +-
 web/src/pages/user/Online.vue |  5 ++-
 4 files changed, 49 insertions(+), 32 deletions(-)

diff --git a/server/base/cfg.go b/server/base/cfg.go
index 6c31310..fba15f0 100644
--- a/server/base/cfg.go
+++ b/server/base/cfg.go
@@ -2,9 +2,11 @@ package base
 
 import (
 	"fmt"
+	"github.com/bjdgyc/anylink/pkg/utils"
 	"os"
 	"path/filepath"
 	"reflect"
+	"strings"
 )
 
 const (
@@ -123,6 +125,11 @@ func initServerCfg() {
 
 	if Cfg.JwtSecret == defaultJwt {
 		fmt.Fprintln(os.Stderr, "=== 使用默认的jwt_secret有安全风险，请设置新的jwt_secret ===")
+
+		// 安全问题，自动生成新的密钥
+		jwtSecret, _ := utils.RandSecret(40, 60)
+		jwtSecret = strings.Trim(jwtSecret, "=")
+		Cfg.JwtSecret = jwtSecret
 	}
 
 	fmt.Printf("ServerCfg: %+v \n", Cfg)
diff --git a/server/sessdata/online.go b/server/sessdata/online.go
index 8785c19..89c39d7 100644
--- a/server/sessdata/online.go
+++ b/server/sessdata/online.go
@@ -11,21 +11,22 @@ import (
 )
 
 type Online struct {
-	Token            string    `json:"token"`
-	Username         string    `json:"username"`
-	Group            string    `json:"group"`
-	MacAddr          string    `json:"mac_addr"`
-	UniqueMac        bool      `json:"unique_mac"`
-	Ip               net.IP    `json:"ip"`
-	RemoteAddr       string    `json:"remote_addr"`
-	TunName          string    `json:"tun_name"`
-	Mtu              int       `json:"mtu"`
-	Client           string    `json:"client"`
-	BandwidthUp      string    `json:"bandwidth_up"`
-	BandwidthDown    string    `json:"bandwidth_down"`
-	BandwidthUpAll   string    `json:"bandwidth_up_all"`
-	BandwidthDownAll string    `json:"bandwidth_down_all"`
-	LastLogin        time.Time `json:"last_login"`
+	Token             string    `json:"token"`
+	Username          string    `json:"username"`
+	Group             string    `json:"group"`
+	MacAddr           string    `json:"mac_addr"`
+	UniqueMac         bool      `json:"unique_mac"`
+	Ip                net.IP    `json:"ip"`
+	RemoteAddr        string    `json:"remote_addr"`
+	TransportProtocol string    `json:"transport_protocol"`
+	TunName           string    `json:"tun_name"`
+	Mtu               int       `json:"mtu"`
+	Client            string    `json:"client"`
+	BandwidthUp       string    `json:"bandwidth_up"`
+	BandwidthDown     string    `json:"bandwidth_down"`
+	BandwidthUpAll    string    `json:"bandwidth_up_all"`
+	BandwidthDownAll  string    `json:"bandwidth_down_all"`
+	LastLogin         time.Time `json:"last_login"`
 }
 
 type Onlines []Online
@@ -90,22 +91,28 @@ func GetOnlineSess(search_cate string, search_text string, show_sleeper bool) []
 		}
 
 		if show_sleeper || v.IsActive {
+			transportProtocol := "TCP"
+			dSess := cSess.GetDtlsSession()
+			if dSess != nil {
+				transportProtocol = "UDP"
+			}
 			val := Online{
-				Token:            v.Token,
-				Ip:               cSess.IpAddr,
-				Username:         v.Username,
-				Group:            v.Group,
-				MacAddr:          v.MacAddr,
-				UniqueMac:        v.UniqueMac,
-				RemoteAddr:       cSess.RemoteAddr,
-				TunName:          cSess.IfName,
-				Mtu:              cSess.Mtu,
-				Client:           cSess.Client,
-				BandwidthUp:      utils.HumanByte(cSess.BandwidthUpPeriod.Load()) + "/s",
-				BandwidthDown:    utils.HumanByte(cSess.BandwidthDownPeriod.Load()) + "/s",
-				BandwidthUpAll:   utils.HumanByte(cSess.BandwidthUpAll.Load()),
-				BandwidthDownAll: utils.HumanByte(cSess.BandwidthDownAll.Load()),
-				LastLogin:        v.LastLogin,
+				Token:             v.Token,
+				Ip:                cSess.IpAddr,
+				Username:          v.Username,
+				Group:             v.Group,
+				MacAddr:           v.MacAddr,
+				UniqueMac:         v.UniqueMac,
+				RemoteAddr:        cSess.RemoteAddr,
+				TransportProtocol: transportProtocol,
+				TunName:           cSess.IfName,
+				Mtu:               cSess.Mtu,
+				Client:            cSess.Client,
+				BandwidthUp:       utils.HumanByte(cSess.BandwidthUpPeriod.Load()) + "/s",
+				BandwidthDown:     utils.HumanByte(cSess.BandwidthDownPeriod.Load()) + "/s",
+				BandwidthUpAll:    utils.HumanByte(cSess.BandwidthUpAll.Load()),
+				BandwidthDownAll:  utils.HumanByte(cSess.BandwidthDownAll.Load()),
+				LastLogin:         v.LastLogin,
 			}
 			datas = append(datas, val)
 		}
diff --git a/version b/version
index e96a871..d61567c 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-0.12.2
\ No newline at end of file
+0.12.3
\ No newline at end of file
diff --git a/web/src/pages/user/Online.vue b/web/src/pages/user/Online.vue
index 2ba25ad..d3a2b49 100644
--- a/web/src/pages/user/Online.vue
+++ b/web/src/pages/user/Online.vue
@@ -99,7 +99,10 @@
             prop="remote_addr"
             label="远端地址">
         </el-table-column>
-
+        <el-table-column
+            prop="transport_protocol"
+            label="传输协议">
+        </el-table-column>
         <el-table-column
             prop="tun_name"
             label="虚拟网卡">

From a0569b09f2b88e5cd04876b3d121f342f87ed9d7 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 23 Oct 2024 17:34:03 +0800
Subject: [PATCH 13/48] =?UTF-8?q?=E4=BC=98=E5=8C=96ip=E5=88=86=E9=85=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/sessdata/ip_pool.go   | 145 +++++++++++++++++++++++------------
 web/src/pages/user/IpMap.vue |   1 +
 2 files changed, 96 insertions(+), 50 deletions(-)

diff --git a/server/sessdata/ip_pool.go b/server/sessdata/ip_pool.go
index e1971a5..8d49496 100644
--- a/server/sessdata/ip_pool.go
+++ b/server/sessdata/ip_pool.go
@@ -13,11 +13,9 @@ import (
 var (
 	IpPool   = &ipPoolConfig{}
 	ipActive = map[string]bool{}
-	// ipKeep and ipLease  ipAddr => type
-	// ipLease   = map[string]bool{}
+	// ipKeep and ipLease  ipAddr => macAddr
+	// ipKeep    = map[string]string{}
 	ipPoolMux sync.Mutex
-	// 记录循环点
-	loopCurIp uint32
 )
 
 type ipPoolConfig struct {
@@ -73,17 +71,16 @@ func initIpPool() {
 // func getIpLease() {
 // 	xdb := dbdata.GetXdb()
 // 	keepIpMaps := []dbdata.IpMap{}
-// 	sNow := time.Now().Add(-1 * time.Duration(base.Cfg.IpLease) * time.Second)
-// 	err := xdb.Cols("ip_addr").Where("keep=?", true).
-// 		Or("unique_mac=? and last_login>?", true, sNow).Find(&keepIpMaps)
+// 	// sNow := time.Now().Add(-1 * time.Duration(base.Cfg.IpLease) * time.Second)
+// 	err := xdb.Cols("ip_addr", "mac_addr").Where("keep=?", true).Find(&keepIpMaps)
 // 	if err != nil {
 // 		base.Error(err)
 // 	}
-// 	// fmt.Println(keepIpMaps)
+// 	log.Println(keepIpMaps)
 // 	ipPoolMux.Lock()
-// 	ipLease = map[string]bool{}
+// 	ipKeep = map[string]string{}
 // 	for _, v := range keepIpMaps {
-// 		ipLease[v.IpAddr] = true
+// 		ipKeep[v.IpAddr] = v.MacAddr
 // 	}
 // 	ipPoolMux.Unlock()
 // }
@@ -95,6 +92,7 @@ func AcquireIp(username, macAddr string, uniqueMac bool) (newIp net.IP) {
 	defer func() {
 		ipPoolMux.Unlock()
 		base.Trace("AcquireIp end:", username, macAddr, uniqueMac, newIp)
+		base.Info("AcquireIp ip:", username, macAddr, uniqueMac, newIp)
 	}()
 
 	var (
@@ -102,6 +100,7 @@ func AcquireIp(username, macAddr string, uniqueMac bool) (newIp net.IP) {
 		tNow = time.Now()
 	)
 
+	// 获取到客户端 macAddr 的情况
 	if uniqueMac {
 		// 判断是否已经分配过
 		mi := &dbdata.IpMap{}
@@ -124,8 +123,9 @@ func AcquireIp(username, macAddr string, uniqueMac bool) (newIp net.IP) {
 		_, ok := ipActive[ipStr]
 		// 检测原有ip是否在新的ip池内
 		// IpPool.Ipv4IPNet.Contains(ip) &&
-		if !ok &&
-			utils.Ip2long(ip) >= IpPool.IpLongMin &&
+		// ip符合规范
+		// 检测原有ip是否在新的ip池内
+		if !ok && utils.Ip2long(ip) >= IpPool.IpLongMin &&
 			utils.Ip2long(ip) <= IpPool.IpLongMax {
 			mi.Username = username
 			mi.LastLogin = tNow
@@ -135,61 +135,84 @@ func AcquireIp(username, macAddr string, uniqueMac bool) (newIp net.IP) {
 			ipActive[ipStr] = true
 			return ip
 		}
-		// 删除当前macAddr
-		mi = &dbdata.IpMap{MacAddr: macAddr}
-		_ = dbdata.Del(mi)
 
-	} else {
-		// 没有获取到mac的情况
-		ipMaps := []dbdata.IpMap{}
-		err = dbdata.FindWhere(&ipMaps, 50, 1, "username=? and unique_mac=?", username, false)
-		if err != nil {
-			// 没有查询到数据
-			if dbdata.CheckErrNotFound(err) {
-				return loopIp(username, macAddr, uniqueMac)
-			}
-			// 查询报错
-			base.Error(err)
+		// ip保留
+		if mi.Keep {
+			base.Error(username, macAddr, ipStr, "保留ip不匹配CIDR")
 			return nil
 		}
 
-		// 遍历mac记录
-		for _, mi := range ipMaps {
-			ipStr := mi.IpAddr
-			ip := net.ParseIP(ipStr)
+		// 删除当前macAddr
+		mi = &dbdata.IpMap{MacAddr: macAddr}
+		_ = dbdata.Del(mi)
+		return loopIp(username, macAddr, uniqueMac)
+	}
 
-			// 跳过活跃连接
-			if _, ok := ipActive[ipStr]; ok {
-				continue
-			}
-			// 跳过保留ip
-			if mi.Keep {
-				continue
-			}
-			// 没有mac的 不需要验证租期
-			// mi.LastLogin.Before(leaseTime) &&
-			if utils.Ip2long(ip) >= IpPool.IpLongMin &&
-				utils.Ip2long(ip) <= IpPool.IpLongMax {
-				mi.LastLogin = tNow
-				mi.MacAddr = macAddr
-				mi.UniqueMac = uniqueMac
-				// 回写db数据
-				_ = dbdata.Set(mi)
-				ipActive[ipStr] = true
-				return ip
-			}
+	// 没有获取到mac的情况
+	ipMaps := []dbdata.IpMap{}
+	err = dbdata.FindWhere(&ipMaps, 50, 1, "username=?", username)
+	if err != nil {
+		// 没有查询到数据
+		if dbdata.CheckErrNotFound(err) {
+			return loopIp(username, macAddr, uniqueMac)
+		}
+		// 查询报错
+		base.Error(err)
+		return nil
+	}
+
+	// 遍历mac记录
+	for _, mi := range ipMaps {
+		ipStr := mi.IpAddr
+		ip := net.ParseIP(ipStr)
+
+		// 跳过活跃连接
+		if _, ok := ipActive[ipStr]; ok {
+			continue
+		}
+		// 跳过保留ip
+		if mi.Keep {
+			continue
+		}
+		if mi.UniqueMac {
+			continue
+		}
+
+		// 没有mac的 不需要验证租期
+		// mi.LastLogin.Before(leaseTime) &&
+		if utils.Ip2long(ip) >= IpPool.IpLongMin &&
+			utils.Ip2long(ip) <= IpPool.IpLongMax {
+			mi.Username = username
+			mi.LastLogin = tNow
+			mi.MacAddr = macAddr
+			mi.UniqueMac = uniqueMac
+			// 回写db数据
+			_ = dbdata.Set(mi)
+			ipActive[ipStr] = true
+			return ip
 		}
 	}
 
 	return loopIp(username, macAddr, uniqueMac)
 }
 
+var (
+	// 记录循环点
+	loopCurIp uint32
+	loopFarIp = &dbdata.IpMap{LastLogin: time.Now()}
+	loopFarI  = uint32(0)
+)
+
 func loopIp(username, macAddr string, uniqueMac bool) net.IP {
 	var (
 		i  uint32
 		ip net.IP
 	)
 
+	// 重新赋值
+	loopFarIp = &dbdata.IpMap{LastLogin: time.Now()}
+	loopFarI = uint32(0)
+
 	i, ip = loopLong(loopCurIp, IpPool.IpLongMax, username, macAddr, uniqueMac)
 	if ip != nil {
 		loopCurIp = i
@@ -202,6 +225,22 @@ func loopIp(username, macAddr string, uniqueMac bool) net.IP {
 		return ip
 	}
 
+	// ip分配完,从头开始
+	loopCurIp = IpPool.IpLongMin
+
+	if loopFarIp.Id > 0 {
+		// 使用最早登陆的 ip
+		ipStr := loopFarIp.IpAddr
+		ip = net.ParseIP(ipStr)
+		mi := &dbdata.IpMap{IpAddr: ipStr, MacAddr: macAddr, UniqueMac: uniqueMac, Username: username, LastLogin: time.Now()}
+		// 回写db数据
+		_ = dbdata.Set(mi)
+		ipActive[ipStr] = true
+
+		return ip
+	}
+
+	// 全都在线，没有数据可用
 	base.Warn("no ip available, please see ip_map table row", username, macAddr)
 	return nil
 }
@@ -247,6 +286,7 @@ func loopLong(start, end uint32, username, macAddr string, uniqueMac bool) (uint
 		// 判断租期
 		if mi.LastLogin.Before(leaseTime) {
 			// 存在记录，说明已经超过租期，可以直接使用
+			mi.Username = username
 			mi.LastLogin = tNow
 			mi.MacAddr = macAddr
 			mi.UniqueMac = uniqueMac
@@ -255,6 +295,11 @@ func loopLong(start, end uint32, username, macAddr string, uniqueMac bool) (uint
 			ipActive[ipStr] = true
 			return i, ip
 		}
+		// 其他情况判断最早登陆
+		if mi.LastLogin.Before(loopFarIp.LastLogin) {
+			loopFarIp = mi
+			loopFarI = i
+		}
 	}
 
 	return 0, nil
diff --git a/web/src/pages/user/IpMap.vue b/web/src/pages/user/IpMap.vue
index 5b4755a..78d49e6 100644
--- a/web/src/pages/user/IpMap.vue
+++ b/web/src/pages/user/IpMap.vue
@@ -48,6 +48,7 @@
                         label="唯一MAC">
                     <template slot-scope="scope">
                         <el-tag v-if="scope.row.unique_mac" type="success">是</el-tag>
+                        <el-tag v-else type="info">否</el-tag>
                     </template>
                 </el-table-column>
 

From cb9d023a9621147511c16c2776496e33f86eb700 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 23 Oct 2024 18:13:06 +0800
Subject: [PATCH 14/48] =?UTF-8?q?=E6=81=A2=E5=A4=8D=E4=BB=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/dbdata/user.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/server/dbdata/user.go b/server/dbdata/user.go
index 18db099..b4d7817 100644
--- a/server/dbdata/user.go
+++ b/server/dbdata/user.go
@@ -117,13 +117,13 @@ func checkLocalUser(name, pwd, group string) error {
 	}
 	// 判断otp信息
 	pinCode := pwd
-	// if !v.DisableOtp {
-	// 	pinCode = pwd[:pl-6]
-	// 	otp := pwd[pl-6:]
-	// 	if !CheckOtp(name, otp, v.OtpSecret) {
-	// 		return fmt.Errorf("%s %s", name, "动态码错误")
-	// 	}
-	// }
+	if !v.DisableOtp {
+		pinCode = pwd[:pl-6]
+		otp := pwd[pl-6:]
+		if !CheckOtp(name, otp, v.OtpSecret) {
+			return fmt.Errorf("%s %s", name, "动态码错误")
+		}
+	}
 
 	// 判断用户密码
 	if pinCode != v.PinCode {

From 49b40b5ee4c3b89d35ff39b257948ba1b8c72767 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 23 Oct 2024 18:18:37 +0800
Subject: [PATCH 15/48] =?UTF-8?q?=E6=81=A2=E5=A4=8D=E4=BB=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/dbdata/user.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/server/dbdata/user.go b/server/dbdata/user.go
index b4d7817..18db099 100644
--- a/server/dbdata/user.go
+++ b/server/dbdata/user.go
@@ -117,13 +117,13 @@ func checkLocalUser(name, pwd, group string) error {
 	}
 	// 判断otp信息
 	pinCode := pwd
-	if !v.DisableOtp {
-		pinCode = pwd[:pl-6]
-		otp := pwd[pl-6:]
-		if !CheckOtp(name, otp, v.OtpSecret) {
-			return fmt.Errorf("%s %s", name, "动态码错误")
-		}
-	}
+	// if !v.DisableOtp {
+	// 	pinCode = pwd[:pl-6]
+	// 	otp := pwd[pl-6:]
+	// 	if !CheckOtp(name, otp, v.OtpSecret) {
+	// 		return fmt.Errorf("%s %s", name, "动态码错误")
+	// 	}
+	// }
 
 	// 判断用户密码
 	if pinCode != v.PinCode {

From 772b1118ebde09c4a3b1ab3b617d597f9765e80a Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Thu, 24 Oct 2024 11:20:45 +0800
Subject: [PATCH 16/48] =?UTF-8?q?=E4=BF=AE=E6=94=B9docker=E4=BB=A3?=
 =?UTF-8?q?=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md                     | 17 ++++++++++++++---
 docker/Dockerfile             |  4 +++-
 docker/docker_entrypoint.sh   | 10 ++++++++--
 docker/init_release.sh        |  7 ++++---
 server/base/mod.go            |  2 +-
 web/src/pages/user/Online.vue |  1 +
 6 files changed, 31 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index cdaa584..7c05590 100644
--- a/README.md
+++ b/README.md
@@ -390,7 +390,17 @@ ipv4_end = "10.1.2.200"
    docker run -it --rm bjdgyc/anylink tool -d
    ```
 
-6. 启动容器
+6. iptables兼容设置
+   ```bash
+   # 默认 iptables 使用 nf_tables 设置转发规则,如果内核低于 4.19 版本,需要特殊配置
+   docker run -itd --name anylink --privileged \
+      -e IPTABLES_LEGACY=on \
+      -p 443:443 -p 8800:8800 -p 443:443/udp \
+      --restart=always \
+      bjdgyc/anylink
+   ```
+
+7. 启动容器
    ```bash
    # 默认启动
    docker run -itd --name anylink --privileged \
@@ -410,7 +420,7 @@ ipv4_end = "10.1.2.200"
    docker restart anylink
    ```
 
-6. 使用自定义参数启动容器
+8. 使用自定义参数启动容器
    ```bash
    # 参数可以参考 ./anylink tool -d
    # 可以使用命令行参数 或者 环境变量 配置
@@ -459,7 +469,8 @@ ipv4_end = "10.1.2.200"
 - [AnyConnect Secure Client](https://www.cisco.com/) (可通过群文件下载: Windows/macOS/Linux/Android/iOS)
 - [OpenConnect](https://gitlab.com/openconnect/openconnect) (Windows/macOS/Linux)
 - [三方 AnyLink Secure Client](https://github.com/tlslink/anylink-client) (Windows/macOS/Linux)
-- 【推荐】三方客户端下载地址(Windows/macOS/Linux/Android/iOS) [国内地址](https://ocserv.yydy.link:2023) [国外地址](https://cisco.yydy.link/#/)
+- 【推荐】三方客户端下载地址(
+  Windows/macOS/Linux/Android/iOS) [国内地址](https://ocserv.yydy.link:2023) [国外地址](https://cisco.yydy.link/#/)
 
 ## Contribution
 
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 909e352..a7b5cd3 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -38,7 +38,9 @@ LABEL maintainer="github.com/bjdgyc"
 ARG CN="no"
 
 ENV TZ=Asia/Shanghai
-ENV ANYLINK_IN_CONTAINER=true
+#开关变量  on  off
+ENV ANYLINK_IN_CONTAINER="on"
+ENV IPTABLES_LEGACY="off"
 
 WORKDIR /app
 COPY docker/init_release.sh /tmp/
diff --git a/docker/docker_entrypoint.sh b/docker/docker_entrypoint.sh
index e2e00a1..e48921e 100644
--- a/docker/docker_entrypoint.sh
+++ b/docker/docker_entrypoint.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 var1=$1
 
 #set -x
@@ -19,13 +19,19 @@ case $var1 in
   #iptables -nL -t nat
 
   # 启动服务 先判断配置文件是否存在
-  if [ ! -f /app/conf/profile.xml ]; then
+  if [[ ! -f /app/conf/profile.xml ]]; then
     /bin/cp -r /home/conf-bak/* /app/conf/
     echo "After the configuration file is initialized, the container will be forcibly exited. Restart the container."
     echo "配置文件初始化完成后，容器会强制退出，请重新启动容器。"
     exit 1
   fi
 
+  # 兼容老版本 iptables
+  if [[ $IPTABLES_LEGACY == "on" ]]; then
+    rm /sbin/iptables
+    ln -s /sbin/iptables-legacy /sbin/iptables
+  fi
+
   exec /app/anylink "$@"
   ;;
 esac
diff --git a/docker/init_release.sh b/docker/init_release.sh
index 1d2df88..e83071f 100644
--- a/docker/init_release.sh
+++ b/docker/init_release.sh
@@ -13,10 +13,11 @@ fi
 # docker 启动使用 4.19 以上内核
 apk add --no-cache ca-certificates bash iproute2 tzdata iptables
 
-# alpine:3.19 兼容老版 iptables
+# alpine:3.19 兼容老版本 iptables
 apk add --no-cache iptables-legacy
-rm /sbin/iptables
-ln -s /sbin/iptables-legacy /sbin/iptables
+
+#rm /sbin/iptables
+#ln -s /sbin/iptables-legacy /sbin/iptables
 
 
 chmod +x /app/docker_entrypoint.sh
diff --git a/server/base/mod.go b/server/base/mod.go
index 481e576..28fde7e 100644
--- a/server/base/mod.go
+++ b/server/base/mod.go
@@ -22,7 +22,7 @@ var (
 
 func initMod() {
 	container := os.Getenv(inContainerKey)
-	if container == "true" {
+	if container == "on" {
 		InContainer = true
 	}
 	log.Println("InContainer", InContainer)
diff --git a/web/src/pages/user/Online.vue b/web/src/pages/user/Online.vue
index d3a2b49..1e506a2 100644
--- a/web/src/pages/user/Online.vue
+++ b/web/src/pages/user/Online.vue
@@ -86,6 +86,7 @@
             label="唯一MAC">
             <template slot-scope="scope">
                 <el-tag v-if="scope.row.unique_mac" type="success">是</el-tag>
+                <el-tag v-else type="info">否</el-tag>
             </template>
         </el-table-column>
 

From bd6ee0b1405416e84bc80dd75cb0abe190986d1c Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Thu, 24 Oct 2024 18:10:29 +0800
Subject: [PATCH 17/48] =?UTF-8?q?=E4=BC=98=E5=8C=96=E4=BB=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/link_auth.go     |  1 -
 server/handler/link_auth_otp.go | 34 +++++++++++++++++++++------------
 server/pkg/utils/util.go        | 16 ++++++++++++++--
 server/sessdata/session.go      | 22 +++------------------
 4 files changed, 39 insertions(+), 34 deletions(-)

diff --git a/server/handler/link_auth.go b/server/handler/link_auth.go
index cabe728..fa42c96 100644
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -159,7 +159,6 @@ func tplRequest(typ int, w io.Writer, data RequestData) {
 			_ = xml.EscapeText(buf, []byte(data.Banner))
 			data.Banner = buf.String()
 		}
-
 		t, _ := template.New("auth_complete").Parse(auth_complete)
 		_ = t.Execute(w, data)
 	case tpl_otp:
diff --git a/server/handler/link_auth_otp.go b/server/handler/link_auth_otp.go
index 313aa63..683c577 100644
--- a/server/handler/link_auth_otp.go
+++ b/server/handler/link_auth_otp.go
@@ -2,26 +2,28 @@ package handler
 
 import (
 	"crypto/md5"
-	"crypto/rand"
-	"crypto/sha256"
-	"encoding/base64"
 	"encoding/xml"
 	"fmt"
 	"io"
 	"net"
 	"net/http"
 	"sync"
+	"sync/atomic"
 
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
+	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/bjdgyc/anylink/sessdata"
 )
 
 var SessStore = NewSessionStore()
 
+const maxOtpErrCount = 3
+
 type AuthSession struct {
 	ClientRequest *ClientRequest
 	UserActLog    *dbdata.UserActLog
+	OtpErrCount   atomic.Uint32 // otp错误次数
 }
 
 // 存储临时会话信息
@@ -60,15 +62,17 @@ func (s *SessionStore) DeleteAuthSession(sessionID string) {
 	delete(s.session, sessionID)
 }
 
+func (a *AuthSession) AddOtpErrCount(i int) int {
+	newI := a.OtpErrCount.Add(uint32(i))
+	return int(newI)
+}
+
 func GenerateSessionID() (string, error) {
-	b := make([]byte, 32)
-	_, err := rand.Read(b)
-	if err != nil {
-		return "", fmt.Errorf("failed to generate session ID: %w", err)
+	sessionID := utils.RandomRunes(32)
+	if sessionID == "" {
+		return "", fmt.Errorf("failed to generate session ID")
 	}
 
-	hash := sha256.Sum256(b)
-	sessionID := base64.URLEncoding.EncodeToString(hash[:])
 	return sessionID, nil
 }
 
@@ -186,14 +190,20 @@ func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
 	otpSecret := sessionData.ClientRequest.Auth.OtpSecret
 	otp := cr.Auth.SecondaryPassword
 
+	// 动态码错误
 	if !dbdata.CheckOtp(username, otp, otpSecret) {
-		base.Warn("OTP 动态码错误", r.RemoteAddr)
+		if sessionData.AddOtpErrCount(1) > maxOtpErrCount {
+			http.Error(w, "TooManyError, please login again", http.StatusBadRequest)
+			return
+		}
+
+		base.Warn("OTP 动态码错误", username, r.RemoteAddr)
 		ua.Info = "OTP 动态码错误"
 		ua.Status = dbdata.UserAuthFail
 		dbdata.UserActLogIns.Add(*ua, sessionData.ClientRequest.UserAgent)
 
 		w.WriteHeader(http.StatusOK)
-		data := RequestData{Error: "OTP 动态码错误"}
+		data := RequestData{Error: "请求错误"}
 		if base.Cfg.DisplayError {
 			data.Error = "OTP 动态码错误"
 		}
@@ -216,7 +226,7 @@ var auth_otp = `<?xml version="1.0" encoding="UTF-8"?>
         <error id="otp-verification" param1="{{.Error}}" param2="">验证失败:  %s</error>
         {{end}}		
         <form method="post" action="/otp-verification">
-            <input type="password" name="secondary_password" label="OTP"/>
+            <input type="password" name="secondary_password" label="OTPCode:"/>
         </form>
     </auth>
 </config-auth>`
diff --git a/server/pkg/utils/util.go b/server/pkg/utils/util.go
index 2b17f26..54f7df1 100644
--- a/server/pkg/utils/util.go
+++ b/server/pkg/utils/util.go
@@ -1,7 +1,10 @@
 package utils
 
 import (
+	crand "crypto/rand"
+	"encoding/hex"
 	"fmt"
+	"log"
 	"math/rand"
 	"strings"
 	"sync/atomic"
@@ -83,9 +86,7 @@ func HumanByte(bf interface{}) string {
 
 func RandomRunes(length int) string {
 	letterRunes := []rune("abcdefghijklmnpqrstuvwxy1234567890")
-
 	bytes := make([]rune, length)
-
 	for i := range bytes {
 		bytes[i] = letterRunes[rand.Intn(len(letterRunes))]
 	}
@@ -93,6 +94,17 @@ func RandomRunes(length int) string {
 	return string(bytes)
 }
 
+func RandomHex(length int) string {
+	b := make([]byte, length)
+	_, err := crand.Read(b)
+	if err != nil {
+		log.Println(err)
+		return ""
+	}
+
+	return hex.EncodeToString(b)
+}
+
 func ParseName(name string) string {
 	name = strings.ReplaceAll(name, " ", "-")
 	name = strings.ReplaceAll(name, "'", "-")
diff --git a/server/sessdata/session.go b/server/sessdata/session.go
index 60fae1d..9885419 100644
--- a/server/sessdata/session.go
+++ b/server/sessdata/session.go
@@ -2,7 +2,6 @@ package sessdata
 
 import (
 	"fmt"
-	"math/rand"
 	"net"
 	"strconv"
 	"strings"
@@ -12,6 +11,7 @@ import (
 
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
+	"github.com/bjdgyc/anylink/pkg/utils"
 	mapset "github.com/deckarep/golang-set"
 )
 
@@ -91,10 +91,6 @@ type Session struct {
 	CSess *ConnSession
 }
 
-func init() {
-	rand.Seed(time.Now().UnixNano())
-}
-
 func checkSession() {
 	// 检测过期的session
 	go func() {
@@ -144,28 +140,16 @@ func CloseUserLimittimeSession() {
 	}
 }
 
-func GenToken() string {
-	// 生成32位的 token
-	bToken := make([]byte, 32)
-	rand.Read(bToken)
-	return fmt.Sprintf("%x", bToken)
-}
-
 func NewSession(token string) *Session {
 	if token == "" {
-		btoken := make([]byte, 32)
-		rand.Read(btoken)
-		token = fmt.Sprintf("%x", btoken)
+		token = utils.RandomHex(32)
 	}
 
 	// 生成 dtlsn session_id
-	dtlsid := make([]byte, 32)
-	rand.Read(dtlsid)
-
 	sess := &Session{
 		Sid:       fmt.Sprintf("%d", time.Now().Unix()),
 		Token:     token,
-		DtlsSid:   fmt.Sprintf("%x", dtlsid),
+		DtlsSid:   utils.RandomHex(32),
 		LastLogin: time.Now(),
 	}
 

From 96fd114c25ff8a762690173d671f70048b46d7db Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Fri, 25 Oct 2024 10:41:48 +0800
Subject: [PATCH 18/48] =?UTF-8?q?=E4=BC=98=E5=8C=96=E4=BB=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/link_auth_otp.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/server/handler/link_auth_otp.go b/server/handler/link_auth_otp.go
index 683c577..91ef5b3 100644
--- a/server/handler/link_auth_otp.go
+++ b/server/handler/link_auth_otp.go
@@ -172,6 +172,8 @@ func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
 
 	body, err := io.ReadAll(r.Body)
 	if err != nil {
+		base.Error(err)
+		SessStore.DeleteAuthSession(sessionID)
 		w.WriteHeader(http.StatusBadRequest)
 		return
 	}
@@ -181,6 +183,7 @@ func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
 	err = xml.Unmarshal(body, &cr)
 	if err != nil {
 		base.Error(err)
+		SessStore.DeleteAuthSession(sessionID)
 		w.WriteHeader(http.StatusBadRequest)
 		return
 	}
@@ -193,6 +196,7 @@ func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
 	// 动态码错误
 	if !dbdata.CheckOtp(username, otp, otpSecret) {
 		if sessionData.AddOtpErrCount(1) > maxOtpErrCount {
+			SessStore.DeleteAuthSession(sessionID)
 			http.Error(w, "TooManyError, please login again", http.StatusBadRequest)
 			return
 		}

From fdc755bd98440c5e07c0d974777d61ccecd18a2d Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Fri, 25 Oct 2024 12:00:45 +0800
Subject: [PATCH 19/48] =?UTF-8?q?=E4=BC=98=E5=8C=96=E4=BB=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 deploy/docker-compose.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/deploy/docker-compose.yaml b/deploy/docker-compose.yaml
index be08dcc..fe1f28c 100644
--- a/deploy/docker-compose.yaml
+++ b/deploy/docker-compose.yaml
@@ -12,6 +12,7 @@ services:
       - 443:443/udp
     environment:
       LINK_LOG_LEVEL: info
+      #IPTABLES_LEGACY: "on"
     command:
       - --conf=/app/conf/server.toml
     #volumes:

From f8685490dc7b1f7870f99c03d7d83a288580641c Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Sat, 26 Oct 2024 09:13:02 +0800
Subject: [PATCH 20/48] =?UTF-8?q?1.=E4=BF=AE=E5=A4=8D=E9=98=B2=E7=88=86?=
 =?UTF-8?q?=E7=AD=96=E7=95=A5=E7=94=A8=E6=88=B7=E7=99=BB=E5=BD=95=E6=88=90?=
 =?UTF-8?q?=E5=8A=9F=E5=90=8E=E6=B2=A1=E6=9C=89=E9=87=8D=E7=BD=AE=E8=AE=A1?=
 =?UTF-8?q?=E6=95=B0=E7=9A=84Bug=202.=E5=A2=9E=E5=8A=A0otp=E9=98=B2?=
 =?UTF-8?q?=E7=88=86=203.=E6=B7=BB=E5=8A=A0otp=E4=BD=BF=E7=94=A8=E8=AF=B4?=
 =?UTF-8?q?=E6=98=8E=204.=E4=BC=98=E5=8C=96=E4=BB=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/dbdata/db.go              |   3 +-
 server/handler/antiBruteForce.go |  72 +++++++-------
 server/handler/link_auth.go      |   5 +-
 server/handler/link_auth_otp.go  |   3 +
 server/handler/server.go         |   2 +-
 web/src/pages/user/List.vue      | 166 ++++++++-----------------------
 6 files changed, 86 insertions(+), 165 deletions(-)

diff --git a/server/dbdata/db.go b/server/dbdata/db.go
index f33ed37..388476b 100644
--- a/server/dbdata/db.go
+++ b/server/dbdata/db.go
@@ -203,7 +203,8 @@ const accountMail = `<p>您好:</p>
     <ul>
         <li>请使用OTP软件扫描动态码二维码</li>
         <li>然后使用anyconnect客户端进行登陆</li>
-        <li>登陆密码为 【PIN码+动态码】(中间没有+号)</li>
+        <li>登陆密码为 PIN 码</li>
+		<li>OTP密码为扫码后生成的动态码</li>
     </ul>
 </div>
 <p>
diff --git a/server/handler/antiBruteForce.go b/server/handler/antiBruteForce.go
index 248f8d2..da799f5 100644
--- a/server/handler/antiBruteForce.go
+++ b/server/handler/antiBruteForce.go
@@ -12,11 +12,7 @@ import (
 	"github.com/bjdgyc/anylink/base"
 )
 
-// 自定义 contextKey 类型，避免键冲突
-type contextKey string
-
-// 定义常量作为上下文的键
-const loginStatusKey contextKey = "login_status"
+const loginStatusKey = "login_status"
 const defaultGlobalLockStateExpirationTime = 3600
 
 func initAntiBruteForce() {
@@ -53,6 +49,20 @@ func antiBruteForce(next http.Handler) http.Handler {
 		}
 
 		username := cr.Auth.Username
+		if r.URL.Path == "/otp-verification" {
+			sessionID, err := GetCookie(r, "auth-session-id")
+			if err != nil {
+				http.Error(w, "Invalid session, please login again", http.StatusUnauthorized)
+				return
+			}
+
+			sessionData, err := SessStore.GetAuthSession(sessionID)
+			if err != nil {
+				http.Error(w, "Invalid session, please login again", http.StatusUnauthorized)
+				return
+			}
+			username = sessionData.ClientRequest.Auth.Username
+		}
 		ip, _, err := net.SplitHostPort(r.RemoteAddr) // 提取纯 IP 地址，去掉端口号
 		if err != nil {
 			http.Error(w, "Unable to parse IP address", http.StatusInternalServerError)
@@ -109,13 +119,17 @@ func antiBruteForce(next http.Handler) http.Handler {
 		// 调用下一个处理器
 		next.ServeHTTP(w, r)
 
-		// 从 context 中获取登录状态
-		loginStatus, _ := r.Context().Value(loginStatusKey).(bool)
+		// 检查登录状态
+		Status, _ := lockManager.loginStatus.Load(loginStatusKey)
+		loginStatus, _ := Status.(bool)
 
 		// 更新用户登录状态
 		lockManager.updateGlobalIPLock(ip, now, loginStatus)
 		lockManager.updateGlobalUserLock(username, now, loginStatus)
 		lockManager.updateUserIPLock(username, ip, now, loginStatus)
+
+		// 清除登录状态
+		lockManager.loginStatus.Delete(loginStatusKey)
 	})
 }
 
@@ -131,6 +145,7 @@ type IPWhitelists struct {
 
 type LockManager struct {
 	mu           sync.Mutex
+	loginStatus  sync.Map                         // 登录状态
 	ipLocks      map[string]*LockState            // 全局IP锁定状态
 	userLocks    map[string]*LockState            // 全局用户锁定状态
 	ipUserLocks  map[string]map[string]*LockState // 单用户IP锁定状态
@@ -140,6 +155,7 @@ type LockManager struct {
 }
 
 var lockManager = &LockManager{
+	loginStatus:  sync.Map{},
 	ipLocks:      make(map[string]*LockState),
 	userLocks:    make(map[string]*LockState),
 	ipUserLocks:  make(map[string]map[string]*LockState),
@@ -251,14 +267,7 @@ func (lm *LockManager) checkGlobalIPLock(ip string, now time.Time) bool {
 		return false
 	}
 
-	// 如果超过时间窗口，重置失败计数
-	lm.resetLockStateIfExpired(state, now, base.Cfg.GlobalIPBanResetTime)
-
-	if !state.LockTime.IsZero() && now.Before(state.LockTime) {
-		return true
-	}
-
-	return false
+	return lm.checkLockState(state, now, base.Cfg.GlobalIPBanResetTime)
 }
 
 // 检查全局用户锁定
@@ -274,14 +283,7 @@ func (lm *LockManager) checkGlobalUserLock(username string, now time.Time) bool
 	if !exists {
 		return false
 	}
-	// 如果超过时间窗口，重置失败计数
-	lm.resetLockStateIfExpired(state, now, base.Cfg.GlobalUserBanResetTime)
-
-	if !state.LockTime.IsZero() && now.Before(state.LockTime) {
-		return true
-	}
-
-	return false
+	return lm.checkLockState(state, now, base.Cfg.GlobalUserBanResetTime)
 }
 
 // 检查单个用户的 IP 锁定
@@ -303,14 +305,7 @@ func (lm *LockManager) checkUserIPLock(username, ip string, now time.Time) bool
 		return false
 	}
 
-	// 如果超过时间窗口，重置失败计数
-	lm.resetLockStateIfExpired(state, now, base.Cfg.BanResetTime)
-
-	if !state.LockTime.IsZero() && now.Before(state.LockTime) {
-		return true
-	}
-
-	return false
+	return lm.checkLockState(state, now, base.Cfg.BanResetTime)
 }
 
 // 更新全局 IP 锁定状态
@@ -383,22 +378,27 @@ func (lm *LockManager) updateLockState(state *LockState, now time.Time, success
 	state.LastAttempt = now
 }
 
-// 超过窗口时间和锁定时间时重置锁定状态
-func (lm *LockManager) resetLockStateIfExpired(state *LockState, now time.Time, resetTime int) {
+// 检查锁定状态
+func (lm *LockManager) checkLockState(state *LockState, now time.Time, resetTime int) bool {
 	if state == nil || state.LastAttempt.IsZero() {
-		return
+		return false
 	}
 
 	// 如果超过锁定时间，重置锁定状态
 	if !state.LockTime.IsZero() && now.After(state.LockTime) {
 		state.FailureCount = 0
 		state.LockTime = time.Time{}
-		return
+		return false
 	}
-
 	// 如果超过窗口时间，重置失败计数
 	if now.Sub(state.LastAttempt) > time.Duration(resetTime)*time.Second {
 		state.FailureCount = 0
 		state.LockTime = time.Time{}
+		return false
 	}
+	// 如果锁定时间还在有效期内，继续锁定
+	if !state.LockTime.IsZero() && now.Before(state.LockTime) {
+		return true
+	}
+	return false
 }
diff --git a/server/handler/link_auth.go b/server/handler/link_auth.go
index fa42c96..a5a9f3d 100644
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -2,7 +2,6 @@ package handler
 
 import (
 	"bytes"
-	"context"
 	"encoding/xml"
 	"fmt"
 	"io"
@@ -95,7 +94,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	// TODO 用户密码校验
 	err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect)
 	if err != nil {
-		r = r.WithContext(context.WithValue(r.Context(), loginStatusKey, false)) // 传递登录失败状态
+		lockManager.loginStatus.Store(loginStatusKey, false) // 记录登录失败状态
 		base.Warn(err, r.RemoteAddr)
 		ua.Info = err.Error()
 		ua.Status = dbdata.UserAuthFail
@@ -109,7 +108,6 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		tplRequest(tpl_request, w, data)
 		return
 	}
-	r = r.WithContext(context.WithValue(r.Context(), loginStatusKey, true)) // 传递登录成功状态
 	dbdata.UserActLogIns.Add(*ua, userAgent)
 
 	v := &dbdata.User{}
@@ -121,6 +119,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	}
 	// 用户otp验证
 	if !v.DisableOtp {
+		lockManager.loginStatus.Store(loginStatusKey, true) // 重置OTP验证计数
 		sessionID, err := GenerateSessionID()
 		if err != nil {
 			base.Error("Failed to generate session ID: ", err)
diff --git a/server/handler/link_auth_otp.go b/server/handler/link_auth_otp.go
index 91ef5b3..64b6362 100644
--- a/server/handler/link_auth_otp.go
+++ b/server/handler/link_auth_otp.go
@@ -110,6 +110,8 @@ func DeleteCookie(w http.ResponseWriter, name string) {
 	http.SetCookie(w, cookie)
 }
 func CreateSession(w http.ResponseWriter, r *http.Request, authSession *AuthSession) {
+	lockManager.loginStatus.Store(loginStatusKey, true) // 更新登录成功状态
+
 	cr := authSession.ClientRequest
 	ua := authSession.UserActLog
 
@@ -200,6 +202,7 @@ func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, "TooManyError, please login again", http.StatusBadRequest)
 			return
 		}
+		lockManager.loginStatus.Store(loginStatusKey, false) // 记录登录失败状态
 
 		base.Warn("OTP 动态码错误", username, r.RemoteAddr)
 		ua.Info = "OTP 动态码错误"
diff --git a/server/handler/server.go b/server/handler/server.go
index bf0a140..c257aad 100644
--- a/server/handler/server.go
+++ b/server/handler/server.go
@@ -114,7 +114,7 @@ func initRoute() http.Handler {
 	r.Handle("/", antiBruteForce(http.HandlerFunc(LinkAuth))).Methods(http.MethodPost)
 	r.HandleFunc("/CSCOSSLC/tunnel", LinkTunnel).Methods(http.MethodConnect)
 	r.HandleFunc("/otp_qr", LinkOtpQr).Methods(http.MethodGet)
-	r.HandleFunc("/otp-verification", LinkAuth_otp)
+	r.Handle("/otp-verification", antiBruteForce(http.HandlerFunc(LinkAuth_otp))).Methods(http.MethodPost)
 	r.HandleFunc(fmt.Sprintf("/profile_%s.xml", base.Cfg.ProfileName), func(w http.ResponseWriter, r *http.Request) {
 		b, _ := os.ReadFile(base.Cfg.Profile)
 		w.Write(b)
diff --git a/web/src/pages/user/List.vue b/web/src/pages/user/List.vue
index 4e4476d..cf898ba 100644
--- a/web/src/pages/user/List.vue
+++ b/web/src/pages/user/List.vue
@@ -3,22 +3,13 @@
     <el-card>
       <el-form :inline="true">
         <el-form-item>
-          <el-button
-              size="small"
-              type="primary"
-              icon="el-icon-plus"
-              @click="handleEdit('')">添加
+          <el-button size="small" type="primary" icon="el-icon-plus" @click="handleEdit('')">添加
           </el-button>
         </el-form-item>
         <el-form-item>
           <el-dropdown size="small" placement="bottom">
-            <el-upload
-                class="uploaduser"
-                action="uploaduser"
-                accept=".xlsx, .xls"
-                :http-request="upLoadUser"
-                :limit="1"
-                :show-file-list="false">
+            <el-upload class="uploaduser" action="uploaduser" accept=".xlsx, .xls" :http-request="upLoadUser" :limit="1"
+              :show-file-list="false">
               <el-button size="small" icon="el-icon-upload2" type="primary">批量添加</el-button>
             </el-upload>
             <el-dropdown-menu slot="dropdown">
@@ -32,79 +23,45 @@
         </el-form-item>
         <el-form-item label="用户名或姓名或邮箱:">
           <el-input size="small" v-model="searchData" placeholder="请输入内容"
-                    @keydown.enter.native="searchEnterFun"></el-input>
+            @keydown.enter.native="searchEnterFun"></el-input>
         </el-form-item>
 
         <el-form-item>
-          <el-button
-              size="small"
-              type="primary"
-              icon="el-icon-search"
-              @click="handleSearch()">搜索
+          <el-button size="small" type="primary" icon="el-icon-search" @click="handleSearch()">搜索
           </el-button>
-          <el-button
-              size="small"
-              icon="el-icon-refresh"
-              @click="reset">重置搜索
+          <el-button size="small" icon="el-icon-refresh" @click="reset">重置搜索
           </el-button>
         </el-form-item>
       </el-form>
 
-      <el-table
-          ref="multipleTable"
-          :data="tableData"
-          border>
+      <el-table ref="multipleTable" :data="tableData" border>
 
-        <el-table-column
-            sortable="true"
-            prop="id"
-            label="ID"
-            width="60">
+        <el-table-column sortable="true" prop="id" label="ID" width="60">
         </el-table-column>
 
-        <el-table-column
-            prop="username"
-            label="用户名"
-            width="150">
+        <el-table-column prop="username" label="用户名" width="150">
         </el-table-column>
 
-        <el-table-column
-            prop="nickname"
-            label="姓名"
-            width="100">
+        <el-table-column prop="nickname" label="姓名" width="100">
         </el-table-column>
 
-        <el-table-column
-            prop="email"
-            label="邮箱">
+        <el-table-column prop="email" label="邮箱">
         </el-table-column>
-        <el-table-column
-            prop="otp_secret"
-            label="OTP密钥"
-            width="110">
+        <el-table-column prop="otp_secret" label="OTP密钥" width="110">
           <template slot-scope="scope">
-            <el-button
-                v-if="!scope.row.disable_otp"
-                type="text"
-                icon="el-icon-view"
-                @click="getOtpImg(scope.row)">
+            <el-button v-if="!scope.row.disable_otp" type="text" icon="el-icon-view" @click="getOtpImg(scope.row)">
               {{ scope.row.otp_secret.substring(0, 6) }}
             </el-button>
           </template>
         </el-table-column>
 
-        <el-table-column
-            prop="groups"
-            label="用户组">
+        <el-table-column prop="groups" label="用户组">
           <template slot-scope="scope">
             <el-row v-for="item in scope.row.groups" :key="item">{{ item }}</el-row>
           </template>
         </el-table-column>
 
-        <el-table-column
-            prop="status"
-            label="状态"
-            width="70">
+        <el-table-column prop="status" label="状态" width="70">
           <template slot-scope="scope">
             <el-tag v-if="scope.row.status === 1" type="success">可用</el-tag>
             <el-tag v-if="scope.row.status === 0" type="danger">停用</el-tag>
@@ -112,20 +69,12 @@
           </template>
         </el-table-column>
 
-        <el-table-column
-            prop="updated_at"
-            label="更新时间"
-            :formatter="tableDateFormat">
+        <el-table-column prop="updated_at" label="更新时间" :formatter="tableDateFormat">
         </el-table-column>
 
-        <el-table-column
-            label="操作"
-            width="210">
+        <el-table-column label="操作" width="210">
           <template slot-scope="scope">
-            <el-button
-                size="mini"
-                type="primary"
-                @click="handleEdit(scope.row)">编辑
+            <el-button size="mini" type="primary" @click="handleEdit(scope.row)">编辑
             </el-button>
 
             <!--            <el-popconfirm
@@ -139,14 +88,8 @@
                           </el-button>
                         </el-popconfirm>-->
 
-            <el-popconfirm
-                class="m-left-10"
-                @confirm="handleDel(scope.row)"
-                title="确定要删除用户吗？">
-              <el-button
-                  slot="reference"
-                  size="mini"
-                  type="danger">删除
+            <el-popconfirm class="m-left-10" @confirm="handleDel(scope.row)" title="确定要删除用户吗？">
+              <el-button slot="reference" size="mini" type="danger">删除
               </el-button>
             </el-popconfirm>
 
@@ -156,34 +99,20 @@
 
       <div class="sh-20"></div>
 
-      <el-pagination
-          background
-          layout="prev, pager, next"
-          :pager-count="11"
-          @current-change="pageChange"
-          :current-page="page"
-          :total="count">
+      <el-pagination background layout="prev, pager, next" :pager-count="11" @current-change="pageChange"
+        :current-page="page" :total="count">
       </el-pagination>
 
     </el-card>
 
-    <el-dialog
-        title="OTP密钥"
-        :visible.sync="otpImgData.visible"
-        width="350px"
-        center>
+    <el-dialog title="OTP密钥" :visible.sync="otpImgData.visible" width="350px" center>
       <div style="text-align: center">{{ otpImgData.username }} : {{ otpImgData.nickname }}</div>
-      <img :src="otpImgData.base64Img" alt="otp-img"/>
+      <img :src="otpImgData.base64Img" alt="otp-img" />
     </el-dialog>
 
     <!--新增、修改弹出框-->
-    <el-dialog
-        :close-on-click-modal="false"
-        title="用户"
-        :visible="user_edit_dialog"
-        @close="disVisible"
-        width="650px"
-        center>
+    <el-dialog :close-on-click-modal="false" title="用户" :visible="user_edit_dialog" @close="disVisible" width="650px"
+      center>
 
       <el-form :model="ruleForm" :rules="rules" ref="ruleForm" label-width="100px" class="ruleForm">
         <el-form-item label="用户ID" prop="id">
@@ -204,21 +133,13 @@
         </el-form-item>
 
         <el-form-item label="过期时间" prop="limittime">
-          <el-date-picker
-              v-model="ruleForm.limittime"
-              type="date"
-              size="small"
-              align="center"
-              style="width:130px"
-              :picker-options="pickerOptions"
-              placeholder="选择日期">
+          <el-date-picker v-model="ruleForm.limittime" type="date" size="small" align="center" style="width:130px"
+            :picker-options="pickerOptions" placeholder="选择日期">
           </el-date-picker>
         </el-form-item>
 
         <el-form-item label="禁用OTP" prop="disable_otp">
-          <el-switch
-              v-model="ruleForm.disable_otp"
-              active-text="开启OTP后，用户密码为【PIN码+OTP动态码】(中间没有+号)">
+          <el-switch v-model="ruleForm.disable_otp" active-text="开启OTP后，用户密码为PIN码,OTP密码为扫码后生成的动态码">
           </el-switch>
         </el-form-item>
 
@@ -233,8 +154,7 @@
         </el-form-item>
 
         <el-form-item label="发送邮件" prop="send_email">
-          <el-switch
-              v-model="ruleForm.send_email">
+          <el-switch v-model="ruleForm.send_email">
           </el-switch>
         </el-form-item>
 
@@ -286,7 +206,7 @@ export default {
         }
       },
       searchData: '',
-      otpImgData: {visible: false, username: '', nickname: '', base64Img: ''},
+      otpImgData: { visible: false, username: '', nickname: '', base64Img: '' },
       ruleForm: {
         send_email: true,
         status: 1,
@@ -294,30 +214,30 @@ export default {
       },
       rules: {
         username: [
-          {required: true, message: '请输入用户名', trigger: 'blur'},
-          {max: 50, message: '长度小于 50 个字符', trigger: 'blur'}
+          { required: true, message: '请输入用户名', trigger: 'blur' },
+          { max: 50, message: '长度小于 50 个字符', trigger: 'blur' }
         ],
         nickname: [
-          {required: true, message: '请输入用户姓名', trigger: 'blur'}
+          { required: true, message: '请输入用户姓名', trigger: 'blur' }
         ],
         email: [
-          {required: true, message: '请输入用户邮箱', trigger: 'blur'},
-          {type: 'email', message: '请输入正确的邮箱地址', trigger: ['blur', 'change']}
+          { required: true, message: '请输入用户邮箱', trigger: 'blur' },
+          { type: 'email', message: '请输入正确的邮箱地址', trigger: ['blur', 'change'] }
         ],
         password: [
-          {min: 6, message: '长度大于 6 个字符', trigger: 'blur'}
+          { min: 6, message: '长度大于 6 个字符', trigger: 'blur' }
         ],
         pin_code: [
-          {min: 6, message: 'PIN码大于 6 个字符', trigger: 'blur'}
+          { min: 6, message: 'PIN码大于 6 个字符', trigger: 'blur' }
         ],
         date1: [
-          {type: 'date', required: true, message: '请选择日期', trigger: 'change'}
+          { type: 'date', required: true, message: '请选择日期', trigger: 'change' }
         ],
         groups: [
-          {type: 'array', required: true, message: '请至少选择一个组', trigger: 'change'}
+          { type: 'array', required: true, message: '请至少选择一个组', trigger: 'change' }
         ],
         status: [
-          {required: true}
+          { required: true }
         ],
       },
     }
@@ -473,6 +393,4 @@ export default {
 }
 </script>
 
-<style scoped>
-
-</style>
+<style scoped></style>

From 34e555c70c422f1a7d08fa95f4e33609c534b25b Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Sat, 26 Oct 2024 18:32:47 +0800
Subject: [PATCH 21/48] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E5=AF=86=E7=A0=81?=
 =?UTF-8?q?=E5=8A=A0=E5=AF=86=E5=AD=98=E5=82=A8=E7=9A=84=E5=8A=9F=E8=83=BD?=
 =?UTF-8?q?=EF=BC=8C=E8=80=81=E7=94=A8=E6=88=B7=E4=B8=8D=E5=BD=B1=E5=93=8D?=
 =?UTF-8?q?=EF=BC=8C=E4=BD=86=E6=9B=B4=E6=96=B0=E5=90=8E=E8=87=AA=E5=8A=A8?=
 =?UTF-8?q?=E5=8A=A0=E5=AF=86=E5=AD=98=E5=82=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/dbdata/cert.go |  9 ---------
 server/dbdata/user.go | 33 +++++++++++++++++++++++++++++++--
 2 files changed, 31 insertions(+), 11 deletions(-)

diff --git a/server/dbdata/cert.go b/server/dbdata/cert.go
index 53d8727..c80f7cb 100644
--- a/server/dbdata/cert.go
+++ b/server/dbdata/cert.go
@@ -400,12 +400,3 @@ func buildNameToCertificate(cert *tls.Certificate) {
 		nameToCertificate[san] = cert
 	}
 }
-
-// func Scrypt(passwd string) string {
-// 	salt := []byte{0xc8, 0x28, 0xf2, 0x58, 0xa7, 0x6a, 0xad, 0x7b}
-// 	hashPasswd, err := scrypt.Key([]byte(passwd), salt, 1<<15, 8, 1, 32)
-// 	if err != nil {
-// 		return err.Error()
-// 	}
-// 	return base64.StdEncoding.EncodeToString(hashPasswd)
-// }
diff --git a/server/dbdata/user.go b/server/dbdata/user.go
index 18db099..fac0169 100644
--- a/server/dbdata/user.go
+++ b/server/dbdata/user.go
@@ -1,6 +1,7 @@
 package dbdata
 
 import (
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"sync"
@@ -8,6 +9,7 @@ import (
 
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/xlzd/gotp"
+	"golang.org/x/crypto/scrypt"
 )
 
 // type User struct {
@@ -116,7 +118,7 @@ func checkLocalUser(name, pwd, group string) error {
 		return fmt.Errorf("%s %s", name, "用户组错误")
 	}
 	// 判断otp信息
-	pinCode := pwd
+	// pinCode := pwd
 	// if !v.DisableOtp {
 	// 	pinCode = pwd[:pl-6]
 	// 	otp := pwd[pl-6:]
@@ -126,7 +128,7 @@ func checkLocalUser(name, pwd, group string) error {
 	// }
 
 	// 判断用户密码
-	if pinCode != v.PinCode {
+	if !VerifyPassword(pwd, v.PinCode) {
 		return fmt.Errorf("%s %s", name, "密码错误")
 	}
 
@@ -190,3 +192,30 @@ func CheckOtp(name, otp, secret string) bool {
 
 	return verify
 }
+
+// 插入数据库前加密 Password
+func (u *User) BeforeInsert() {
+	u.PinCode = ScryptPassword(u.PinCode)
+}
+
+// 更新数据库前加密 Password
+func (u *User) BeforeUpdate() {
+	if len(u.PinCode) != 44 {
+		u.PinCode = ScryptPassword(u.PinCode)
+	}
+}
+
+// 加密
+func ScryptPassword(passwd string) string {
+	salt := []byte{0xc8, 0x28, 0xf2, 0x58, 0xa7, 0x6a, 0xad, 0x7b}
+	hashPasswd, _ := scrypt.Key([]byte(passwd), salt, 1<<16, 8, 1, 32)
+	return base64.StdEncoding.EncodeToString(hashPasswd)
+}
+
+// 验证
+func VerifyPassword(password, hashPassword string) bool {
+	if len(hashPassword) != 44 {
+		return password == hashPassword
+	}
+	return ScryptPassword(password) == hashPassword
+}

From ff9d92a693d1c7dd14881de931697fe8f9c07323 Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Sat, 26 Oct 2024 21:22:04 +0800
Subject: [PATCH 22/48] =?UTF-8?q?=E4=BD=BF=E7=94=A8=E5=8A=A8=E6=80=81?=
 =?UTF-8?q?=E7=9B=90=E5=80=BC=E5=8A=A0=E5=AF=86=E5=AF=86=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/dbdata/user.go | 81 +++++++++++++++++++++++++++++++++----------
 1 file changed, 63 insertions(+), 18 deletions(-)

diff --git a/server/dbdata/user.go b/server/dbdata/user.go
index fac0169..071e0b5 100644
--- a/server/dbdata/user.go
+++ b/server/dbdata/user.go
@@ -1,12 +1,15 @@
 package dbdata
 
 import (
+	"crypto/rand"
 	"encoding/base64"
 	"errors"
 	"fmt"
+	"strings"
 	"sync"
 	"time"
 
+	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/xlzd/gotp"
 	"golang.org/x/crypto/scrypt"
@@ -126,7 +129,6 @@ func checkLocalUser(name, pwd, group string) error {
 	// 		return fmt.Errorf("%s %s", name, "动态码错误")
 	// 	}
 	// }
-
 	// 判断用户密码
 	if !VerifyPassword(pwd, v.PinCode) {
 		return fmt.Errorf("%s %s", name, "密码错误")
@@ -193,29 +195,72 @@ func CheckOtp(name, otp, secret string) bool {
 	return verify
 }
 
-// 插入数据库前加密 Password
-func (u *User) BeforeInsert() {
-	u.PinCode = ScryptPassword(u.PinCode)
-}
-
-// 更新数据库前加密 Password
-func (u *User) BeforeUpdate() {
-	if len(u.PinCode) != 44 {
-		u.PinCode = ScryptPassword(u.PinCode)
+// 插入数据库前加密密码
+func (u *User) BeforeInsert() error {
+	hashedPassword, err := ScryptPassword(u.PinCode)
+	if err != nil {
+		base.Error(err)
+		return err
 	}
+	u.PinCode = hashedPassword
+	return nil
 }
 
-// 加密
-func ScryptPassword(passwd string) string {
-	salt := []byte{0xc8, 0x28, 0xf2, 0x58, 0xa7, 0x6a, 0xad, 0x7b}
-	hashPasswd, _ := scrypt.Key([]byte(passwd), salt, 1<<16, 8, 1, 32)
-	return base64.StdEncoding.EncodeToString(hashPasswd)
+// 更新数据库前加密密码
+func (u *User) BeforeUpdate() error {
+	if len(u.PinCode) != 57 {
+		hashedPassword, err := ScryptPassword(u.PinCode)
+		if err != nil {
+			base.Error(err)
+			return err
+		}
+		u.PinCode = hashedPassword
+	}
+	return nil
 }
 
-// 验证
+// 加密密码
+func ScryptPassword(passwd string) (string, error) {
+	salt := make([]byte, 8)
+	if _, err := rand.Read(salt); err != nil {
+		return "", err
+	}
+
+	hashPasswd, err := scrypt.Key([]byte(passwd), salt, 1<<16, 8, 1, 32)
+	if err != nil {
+		return "", err
+	}
+
+	encodedSalt := base64.StdEncoding.EncodeToString(salt)
+	encodedHash := base64.StdEncoding.EncodeToString(hashPasswd)
+
+	return encodedSalt + "&" + encodedHash, nil
+}
+
+// 验证密码
 func VerifyPassword(password, hashPassword string) bool {
-	if len(hashPassword) != 44 {
+	// 老用户使用明文验证
+	if len(hashPassword) != 57 {
 		return password == hashPassword
 	}
-	return ScryptPassword(password) == hashPassword
+
+	// 分割盐值和哈希值
+	encodepwds := strings.SplitN(hashPassword, "&", 2)
+	if len(encodepwds) != 2 {
+		return false
+	}
+
+	// 解码盐值
+	salt, err := base64.StdEncoding.DecodeString(encodepwds[0])
+	if err != nil {
+		return false
+	}
+
+	// 计算新的哈希值
+	newHash, err := scrypt.Key([]byte(password), salt, 1<<16, 8, 1, 32)
+	if err != nil {
+		return false
+	}
+
+	return base64.StdEncoding.EncodeToString(newHash) == encodepwds[1]
 }

From 5f7b11954ad292899be74bb36639f5d1621e0f06 Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Sun, 27 Oct 2024 23:14:51 +0800
Subject: [PATCH 23/48] =?UTF-8?q?=E4=BC=98=E5=8C=96=E4=BB=A3=E7=A0=81?=
 =?UTF-8?q?=EF=BC=8C=E4=B8=BA=E5=90=8E=E7=BB=AD=E6=89=8B=E5=8A=A8=E7=AE=A1?=
 =?UTF-8?q?=E7=90=86=E9=94=81=E5=AE=9A=E7=8A=B6=E6=80=81=E5=81=9A=E5=87=86?=
 =?UTF-8?q?=E5=A4=87?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/admin/lockmanager.go      | 391 +++++++++++++++++++++++++++++++
 server/admin/server.go           |   1 +
 server/handler/antiBruteForce.go | 318 +------------------------
 server/handler/link_auth.go      |   4 +-
 server/handler/link_auth_otp.go  |   4 +-
 server/handler/start.go          |   2 +-
 6 files changed, 409 insertions(+), 311 deletions(-)
 create mode 100644 server/admin/lockmanager.go

diff --git a/server/admin/lockmanager.go b/server/admin/lockmanager.go
new file mode 100644
index 0000000..c7c99a3
--- /dev/null
+++ b/server/admin/lockmanager.go
@@ -0,0 +1,391 @@
+package admin
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"net"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/bjdgyc/anylink/base"
+)
+
+type LockInfo struct {
+	Description string     `json:"description"` // 锁定原因
+	Username    string     `json:"username"`    // 用户名
+	IP          string     `json:"ip"`          // IP 地址
+	State       *LockState `json:"state"`       // 锁定状态信息
+}
+type LockState struct {
+	Locked       bool      `json:"locked"`      // 是否锁定
+	FailureCount int       `json:"attempts"`    // 失败次数
+	LockTime     time.Time `json:"lock_time"`   // 锁定截止时间
+	LastAttempt  time.Time `json:"lastAttempt"` // 最后一次尝试的时间
+}
+type IPWhitelists struct {
+	IP   net.IP
+	CIDR *net.IPNet
+}
+
+type LockManager struct {
+	mu            sync.Mutex
+	LoginStatus   sync.Map                         // 登录状态
+	ipLocks       map[string]*LockState            // 全局IP锁定状态
+	userLocks     map[string]*LockState            // 全局用户锁定状态
+	ipUserLocks   map[string]map[string]*LockState // 单用户IP锁定状态
+	ipWhitelists  []IPWhitelists                   // 全局IP白名单，包含IP地址和CIDR范围
+	cleanupTicker *time.Ticker
+}
+
+var lockmanager *LockManager
+var once sync.Once
+
+func GetLockManager() *LockManager {
+	once.Do(func() {
+		lockmanager = &LockManager{
+			LoginStatus:  sync.Map{},
+			ipLocks:      make(map[string]*LockState),
+			userLocks:    make(map[string]*LockState),
+			ipUserLocks:  make(map[string]map[string]*LockState),
+			ipWhitelists: make([]IPWhitelists, 0),
+		}
+	})
+	return lockmanager
+}
+
+const defaultGlobalLockStateExpirationTime = 3600
+
+func InitLockManager() {
+	lm := GetLockManager()
+	if base.Cfg.AntiBruteForce {
+		if base.Cfg.GlobalLockStateExpirationTime <= 0 {
+			base.Cfg.GlobalLockStateExpirationTime = defaultGlobalLockStateExpirationTime
+		}
+		lm.StartCleanupTicker()
+		lm.InitIPWhitelist()
+	}
+}
+
+func GetLocksInfo(w http.ResponseWriter, r *http.Request) {
+	lm := GetLockManager()
+	locksInfo := lm.GetLocksInfo()
+
+	RespSucess(w, locksInfo)
+}
+
+func UnlockUser(w http.ResponseWriter, r *http.Request) {
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+	lockinfo := LockInfo{}
+	if err := json.Unmarshal(body, &lockinfo); err != nil {
+		RespError(w, RespInternalErr, err)
+		return
+	}
+
+	if lockinfo.State == nil {
+		RespError(w, RespInternalErr, fmt.Errorf("未找到锁定用户！"))
+		return
+	}
+	lm := GetLockManager()
+
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	lm.Unlock(lockinfo.State)
+	base.Info("解锁成功:", lockinfo.Description, lockinfo.Username, lockinfo.IP)
+
+	RespSucess(w, "解锁成功！")
+}
+
+func (lm *LockManager) GetLocksInfo() []LockInfo {
+	var locksInfo []LockInfo
+
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	for ip, state := range lm.ipLocks {
+		if state.Locked {
+			info := LockInfo{
+				Description: "全局 IP 锁定",
+				Username:    "",
+				IP:          ip,
+				State: &LockState{
+					Locked:       state.Locked,
+					FailureCount: state.FailureCount,
+					LockTime:     state.LockTime,
+					LastAttempt:  state.LastAttempt,
+				},
+			}
+			locksInfo = append(locksInfo, info)
+		}
+	}
+
+	for username, state := range lm.userLocks {
+		if state.Locked {
+			info := LockInfo{
+				Description: "全局用户锁定",
+				Username:    username,
+				IP:          "",
+				State: &LockState{
+					Locked:       state.Locked,
+					FailureCount: state.FailureCount,
+					LockTime:     state.LockTime,
+					LastAttempt:  state.LastAttempt,
+				},
+			}
+			locksInfo = append(locksInfo, info)
+		}
+	}
+
+	for username, ipStates := range lm.ipUserLocks {
+		for ip, state := range ipStates {
+			if state.Locked {
+				info := LockInfo{
+					Description: "单用户 IP 锁定",
+					Username:    username,
+					IP:          ip,
+					State: &LockState{
+						Locked:       state.Locked,
+						FailureCount: state.FailureCount,
+						LockTime:     state.LockTime,
+						LastAttempt:  state.LastAttempt,
+					},
+				}
+				locksInfo = append(locksInfo, info)
+			}
+		}
+	}
+	return locksInfo
+}
+
+// 初始化IP白名单
+func (lm *LockManager) InitIPWhitelist() {
+	ipWhitelist := strings.Split(base.Cfg.IPWhitelist, ",")
+	for _, ipWhitelist := range ipWhitelist {
+		ipWhitelist = strings.TrimSpace(ipWhitelist)
+		if ipWhitelist == "" {
+			continue
+		}
+
+		_, ipNet, err := net.ParseCIDR(ipWhitelist)
+		if err == nil {
+			lm.ipWhitelists = append(lm.ipWhitelists, IPWhitelists{CIDR: ipNet})
+			continue
+		}
+
+		ip := net.ParseIP(ipWhitelist)
+		if ip != nil {
+			lm.ipWhitelists = append(lm.ipWhitelists, IPWhitelists{IP: ip})
+			continue
+		}
+	}
+}
+
+// 检查 IP 是否在白名单中
+func (lm *LockManager) IsWhitelisted(ip string) bool {
+	clientIP := net.ParseIP(ip)
+	if clientIP == nil {
+		return false
+	}
+	for _, ipWhitelist := range lm.ipWhitelists {
+		if ipWhitelist.CIDR != nil && ipWhitelist.CIDR.Contains(clientIP) {
+			return true
+		}
+		if ipWhitelist.IP != nil && ipWhitelist.IP.Equal(clientIP) {
+			return true
+		}
+	}
+	return false
+}
+
+func (lm *LockManager) StartCleanupTicker() {
+	lm.cleanupTicker = time.NewTicker(5 * time.Minute)
+	go func() {
+		for range lm.cleanupTicker.C {
+			lm.CleanupExpiredLocks()
+		}
+	}()
+}
+
+// 定期清理过期的锁定
+func (lm *LockManager) CleanupExpiredLocks() {
+	now := time.Now()
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	for ip, state := range lm.ipLocks {
+		if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
+			delete(lm.ipLocks, ip)
+		}
+	}
+
+	for user, state := range lm.userLocks {
+		if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
+			delete(lm.userLocks, user)
+		}
+	}
+
+	for user, ipMap := range lm.ipUserLocks {
+		for ip, state := range ipMap {
+			if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
+				delete(ipMap, ip)
+				if len(ipMap) == 0 {
+					delete(lm.ipUserLocks, user)
+				}
+			}
+		}
+	}
+}
+
+// 检查全局 IP 锁定
+func (lm *LockManager) CheckGlobalIPLock(ip string, now time.Time) bool {
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	state, exists := lm.ipLocks[ip]
+	if !exists {
+		return false
+	}
+
+	return lm.CheckLockState(state, now, base.Cfg.GlobalIPBanResetTime)
+}
+
+// 检查全局用户锁定
+func (lm *LockManager) CheckGlobalUserLock(username string, now time.Time) bool {
+	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
+	if username == "" {
+		return false
+	}
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	state, exists := lm.userLocks[username]
+	if !exists {
+		return false
+	}
+	return lm.CheckLockState(state, now, base.Cfg.GlobalUserBanResetTime)
+}
+
+// 检查单个用户的 IP 锁定
+func (lm *LockManager) CheckUserIPLock(username, ip string, now time.Time) bool {
+	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
+	if username == "" {
+		return false
+	}
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	userIPMap, userExists := lm.ipUserLocks[username]
+	if !userExists {
+		return false
+	}
+
+	state, ipExists := userIPMap[ip]
+	if !ipExists {
+		return false
+	}
+
+	return lm.CheckLockState(state, now, base.Cfg.BanResetTime)
+}
+
+// 更新全局 IP 锁定状态
+func (lm *LockManager) UpdateGlobalIPLock(ip string, now time.Time, success bool) {
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	state, exists := lm.ipLocks[ip]
+	if !exists {
+		state = &LockState{}
+		lm.ipLocks[ip] = state
+	}
+
+	lm.UpdateLockState(state, now, success, base.Cfg.MaxGlobalIPBanCount, base.Cfg.GlobalIPLockTime)
+}
+
+// 更新全局用户锁定状态
+func (lm *LockManager) UpdateGlobalUserLock(username string, now time.Time, success bool) {
+	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
+	if username == "" {
+		return
+	}
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	state, exists := lm.userLocks[username]
+	if !exists {
+		state = &LockState{}
+		lm.userLocks[username] = state
+	}
+
+	lm.UpdateLockState(state, now, success, base.Cfg.MaxGlobalUserBanCount, base.Cfg.GlobalUserLockTime)
+}
+
+// 更新单个用户的 IP 锁定状态
+func (lm *LockManager) UpdateUserIPLock(username, ip string, now time.Time, success bool) {
+	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
+	if username == "" {
+		return
+	}
+	lm.mu.Lock()
+	defer lm.mu.Unlock()
+
+	userIPMap, userExists := lm.ipUserLocks[username]
+	if !userExists {
+		userIPMap = make(map[string]*LockState)
+		lm.ipUserLocks[username] = userIPMap
+	}
+
+	state, ipExists := userIPMap[ip]
+	if !ipExists {
+		state = &LockState{}
+		userIPMap[ip] = state
+	}
+
+	lm.UpdateLockState(state, now, success, base.Cfg.MaxBanCount, base.Cfg.LockTime)
+}
+
+// 更新锁定状态
+func (lm *LockManager) UpdateLockState(state *LockState, now time.Time, success bool, maxBanCount, lockTime int) {
+	if success {
+		lm.Unlock(state) // 成功登录后解锁
+	} else {
+		state.FailureCount++
+		if state.FailureCount >= maxBanCount {
+			state.LockTime = now.Add(time.Duration(lockTime) * time.Second)
+			state.Locked = true // 超过阈值时锁定
+		}
+	}
+	state.LastAttempt = now
+}
+
+// 检查锁定状态
+func (lm *LockManager) CheckLockState(state *LockState, now time.Time, resetTime int) bool {
+	if state == nil || state.LastAttempt.IsZero() {
+		return false
+	}
+
+	// 如果超过锁定时间，重置锁定状态
+	if !state.LockTime.IsZero() && now.After(state.LockTime) {
+		lm.Unlock(state) // 锁定期过后解锁
+		return false
+	}
+	// 如果超过窗口时间，重置失败计数
+	if now.Sub(state.LastAttempt) > time.Duration(resetTime)*time.Second {
+		state.FailureCount = 0
+		return false
+	}
+	return state.Locked
+}
+
+// 解锁
+func (lm *LockManager) Unlock(state *LockState) {
+	state.FailureCount = 0
+	state.LockTime = time.Time{}
+	state.Locked = false
+}
diff --git a/server/admin/server.go b/server/admin/server.go
index f38d0c0..7329f87 100644
--- a/server/admin/server.go
+++ b/server/admin/server.go
@@ -87,6 +87,7 @@ func StartAdmin() {
 	r.HandleFunc("/group/auth_login", GroupAuthLogin)
 
 	r.HandleFunc("/statsinfo/list", StatsInfoList)
+	r.HandleFunc("/locksinfo/list", GetLocksInfo)
 
 	// pprof
 	if base.Cfg.Pprof {
diff --git a/server/handler/antiBruteForce.go b/server/handler/antiBruteForce.go
index da799f5..7a5e82c 100644
--- a/server/handler/antiBruteForce.go
+++ b/server/handler/antiBruteForce.go
@@ -6,24 +6,15 @@ import (
 	"net"
 	"net/http"
 	"strings"
-	"sync"
 	"time"
 
+	"github.com/bjdgyc/anylink/admin"
 	"github.com/bjdgyc/anylink/base"
 )
 
-const loginStatusKey = "login_status"
-const defaultGlobalLockStateExpirationTime = 3600
+var lockManager = admin.GetLockManager()
 
-func initAntiBruteForce() {
-	if base.Cfg.AntiBruteForce {
-		if base.Cfg.GlobalLockStateExpirationTime <= 0 {
-			base.Cfg.GlobalLockStateExpirationTime = defaultGlobalLockStateExpirationTime
-		}
-		lockManager.startCleanupTicker()
-		lockManager.initIPWhitelist()
-	}
-}
+const loginStatusKey = "login_status"
 
 // 防爆破中间件
 func antiBruteForce(next http.Handler) http.Handler {
@@ -71,43 +62,28 @@ func antiBruteForce(next http.Handler) http.Handler {
 
 		now := time.Now()
 		// 检查IP是否在白名单中
-		if lockManager.isWhitelisted(ip) {
+		if lockManager.IsWhitelisted(ip) {
 			r.Body = io.NopCloser(strings.NewReader(string(body)))
 			next.ServeHTTP(w, r)
 			return
 		}
 
-		// // 速率限制
-		// lockManager.mu.RLock()
-		// limiter, exists := lockManager.rateLimiter[ip]
-		// if !exists {
-		// 	limiter = rate.NewLimiter(rate.Limit(base.Cfg.RateLimit), base.Cfg.Burst)
-		// 	lockManager.rateLimiter[ip] = limiter
-		// }
-		// lockManager.mu.RUnlock()
-
-		// if !limiter.Allow() {
-		// 	log.Printf("Rate limit exceeded for IP %s. Try again later.", ip)
-		// 	http.Error(w, "Rate limit exceeded. Try again later.", http.StatusTooManyRequests)
-		// 	return
-		// }
-
 		// 检查全局 IP 锁定
-		if base.Cfg.MaxGlobalIPBanCount > 0 && lockManager.checkGlobalIPLock(ip, now) {
+		if base.Cfg.MaxGlobalIPBanCount > 0 && lockManager.CheckGlobalIPLock(ip, now) {
 			base.Warn("IP", ip, "is globally locked. Try again later.")
 			http.Error(w, "Account globally locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
 			return
 		}
 
 		// 检查全局用户锁定
-		if base.Cfg.MaxGlobalUserBanCount > 0 && lockManager.checkGlobalUserLock(username, now) {
+		if base.Cfg.MaxGlobalUserBanCount > 0 && lockManager.CheckGlobalUserLock(username, now) {
 			base.Warn("User", username, "is globally locked. Try again later.")
 			http.Error(w, "Account globally locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
 			return
 		}
 
 		// 检查单个用户的 IP 锁定
-		if base.Cfg.MaxBanCount > 0 && lockManager.checkUserIPLock(username, ip, now) {
+		if base.Cfg.MaxBanCount > 0 && lockManager.CheckUserIPLock(username, ip, now) {
 			base.Warn("IP", ip, "is locked for user", username, "Try again later.")
 			http.Error(w, "Account locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
 			return
@@ -120,285 +96,15 @@ func antiBruteForce(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 
 		// 检查登录状态
-		Status, _ := lockManager.loginStatus.Load(loginStatusKey)
+		Status, _ := lockManager.LoginStatus.Load(loginStatusKey)
 		loginStatus, _ := Status.(bool)
 
 		// 更新用户登录状态
-		lockManager.updateGlobalIPLock(ip, now, loginStatus)
-		lockManager.updateGlobalUserLock(username, now, loginStatus)
-		lockManager.updateUserIPLock(username, ip, now, loginStatus)
+		lockManager.UpdateGlobalIPLock(ip, now, loginStatus)
+		lockManager.UpdateGlobalUserLock(username, now, loginStatus)
+		lockManager.UpdateUserIPLock(username, ip, now, loginStatus)
 
 		// 清除登录状态
-		lockManager.loginStatus.Delete(loginStatusKey)
+		lockManager.LoginStatus.Delete(loginStatusKey)
 	})
 }
-
-type LockState struct {
-	FailureCount int
-	LockTime     time.Time
-	LastAttempt  time.Time
-}
-type IPWhitelists struct {
-	IP   net.IP
-	CIDR *net.IPNet
-}
-
-type LockManager struct {
-	mu           sync.Mutex
-	loginStatus  sync.Map                         // 登录状态
-	ipLocks      map[string]*LockState            // 全局IP锁定状态
-	userLocks    map[string]*LockState            // 全局用户锁定状态
-	ipUserLocks  map[string]map[string]*LockState // 单用户IP锁定状态
-	ipWhitelists []IPWhitelists                   // 全局IP白名单，包含IP地址和CIDR范围
-	// rateLimiter   map[string]*rate.Limiter         // 速率限制器
-	cleanupTicker *time.Ticker
-}
-
-var lockManager = &LockManager{
-	loginStatus:  sync.Map{},
-	ipLocks:      make(map[string]*LockState),
-	userLocks:    make(map[string]*LockState),
-	ipUserLocks:  make(map[string]map[string]*LockState),
-	ipWhitelists: make([]IPWhitelists, 0),
-	// rateLimiter: make(map[string]*rate.Limiter),
-}
-
-// 初始化IP白名单
-func (lm *LockManager) initIPWhitelist() {
-	ipWhitelist := strings.Split(base.Cfg.IPWhitelist, ",")
-	for _, ipWhitelist := range ipWhitelist {
-		ipWhitelist = strings.TrimSpace(ipWhitelist)
-		if ipWhitelist == "" {
-			continue
-		}
-
-		_, ipNet, err := net.ParseCIDR(ipWhitelist)
-		if err == nil {
-			lm.ipWhitelists = append(lm.ipWhitelists, IPWhitelists{CIDR: ipNet})
-			continue
-		}
-
-		ip := net.ParseIP(ipWhitelist)
-		if ip != nil {
-			lm.ipWhitelists = append(lm.ipWhitelists, IPWhitelists{IP: ip})
-			continue
-		}
-	}
-}
-
-// 检查 IP 是否在白名单中
-func (lm *LockManager) isWhitelisted(ip string) bool {
-	clientIP := net.ParseIP(ip)
-	if clientIP == nil {
-		return false
-	}
-	for _, ipWhitelist := range lm.ipWhitelists {
-		if ipWhitelist.CIDR != nil && ipWhitelist.CIDR.Contains(clientIP) {
-			return true
-		}
-		if ipWhitelist.IP != nil && ipWhitelist.IP.Equal(clientIP) {
-			return true
-		}
-	}
-	return false
-}
-
-func (lm *LockManager) startCleanupTicker() {
-	lm.cleanupTicker = time.NewTicker(5 * time.Minute)
-	go func() {
-		for range lm.cleanupTicker.C {
-			lm.cleanupExpiredLocks()
-		}
-	}()
-}
-
-// 定期清理过期的锁定
-func (lm *LockManager) cleanupExpiredLocks() {
-	now := time.Now()
-
-	var ipKeys, userKeys []string
-	var IPuserKeys []struct{ user, ip string }
-
-	lm.mu.Lock()
-	for ip, state := range lm.ipLocks {
-		if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
-			ipKeys = append(ipKeys, ip)
-		}
-	}
-
-	for user, state := range lm.userLocks {
-		if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
-			userKeys = append(userKeys, user)
-		}
-	}
-
-	for user, ipMap := range lm.ipUserLocks {
-		for ip, state := range ipMap {
-			if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
-				IPuserKeys = append(IPuserKeys, struct{ user, ip string }{user, ip})
-			}
-		}
-	}
-	lm.mu.Unlock()
-
-	lm.mu.Lock()
-	for _, ip := range ipKeys {
-		delete(lm.ipLocks, ip)
-	}
-	for _, user := range userKeys {
-		delete(lm.userLocks, user)
-	}
-	for _, key := range IPuserKeys {
-		delete(lm.ipUserLocks[key.user], key.ip)
-		if len(lm.ipUserLocks[key.user]) == 0 {
-			delete(lm.ipUserLocks, key.user)
-		}
-	}
-	lm.mu.Unlock()
-}
-
-// 检查全局 IP 锁定
-func (lm *LockManager) checkGlobalIPLock(ip string, now time.Time) bool {
-	lm.mu.Lock()
-	defer lm.mu.Unlock()
-
-	state, exists := lm.ipLocks[ip]
-	if !exists {
-		return false
-	}
-
-	return lm.checkLockState(state, now, base.Cfg.GlobalIPBanResetTime)
-}
-
-// 检查全局用户锁定
-func (lm *LockManager) checkGlobalUserLock(username string, now time.Time) bool {
-	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
-	if username == "" {
-		return false
-	}
-	lm.mu.Lock()
-	defer lm.mu.Unlock()
-
-	state, exists := lm.userLocks[username]
-	if !exists {
-		return false
-	}
-	return lm.checkLockState(state, now, base.Cfg.GlobalUserBanResetTime)
-}
-
-// 检查单个用户的 IP 锁定
-func (lm *LockManager) checkUserIPLock(username, ip string, now time.Time) bool {
-	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
-	if username == "" {
-		return false
-	}
-	lm.mu.Lock()
-	defer lm.mu.Unlock()
-
-	userIPMap, userExists := lm.ipUserLocks[username]
-	if !userExists {
-		return false
-	}
-
-	state, ipExists := userIPMap[ip]
-	if !ipExists {
-		return false
-	}
-
-	return lm.checkLockState(state, now, base.Cfg.BanResetTime)
-}
-
-// 更新全局 IP 锁定状态
-func (lm *LockManager) updateGlobalIPLock(ip string, now time.Time, success bool) {
-	lm.mu.Lock()
-	defer lm.mu.Unlock()
-
-	state, exists := lm.ipLocks[ip]
-	if !exists {
-		state = &LockState{}
-		lm.ipLocks[ip] = state
-	}
-
-	lm.updateLockState(state, now, success, base.Cfg.MaxGlobalIPBanCount, base.Cfg.GlobalIPLockTime)
-}
-
-// 更新全局用户锁定状态
-func (lm *LockManager) updateGlobalUserLock(username string, now time.Time, success bool) {
-	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
-	if username == "" {
-		return
-	}
-	lm.mu.Lock()
-	defer lm.mu.Unlock()
-
-	state, exists := lm.userLocks[username]
-	if !exists {
-		state = &LockState{}
-		lm.userLocks[username] = state
-	}
-
-	lm.updateLockState(state, now, success, base.Cfg.MaxGlobalUserBanCount, base.Cfg.GlobalUserLockTime)
-}
-
-// 更新单个用户的 IP 锁定状态
-func (lm *LockManager) updateUserIPLock(username, ip string, now time.Time, success bool) {
-	// 我也不知道为什么cisco anyconnect每次连接会先传一个空用户请求····
-	if username == "" {
-		return
-	}
-	lm.mu.Lock()
-	defer lm.mu.Unlock()
-
-	userIPMap, userExists := lm.ipUserLocks[username]
-	if !userExists {
-		userIPMap = make(map[string]*LockState)
-		lm.ipUserLocks[username] = userIPMap
-	}
-
-	state, ipExists := userIPMap[ip]
-	if !ipExists {
-		state = &LockState{}
-		userIPMap[ip] = state
-	}
-
-	lm.updateLockState(state, now, success, base.Cfg.MaxBanCount, base.Cfg.LockTime)
-}
-
-// 更新锁定状态
-func (lm *LockManager) updateLockState(state *LockState, now time.Time, success bool, maxBanCount, lockTime int) {
-	if success {
-		state.FailureCount = 0
-		state.LockTime = time.Time{}
-	} else {
-		state.FailureCount++
-		if state.FailureCount >= maxBanCount {
-			state.LockTime = now.Add(time.Duration(lockTime) * time.Second)
-		}
-	}
-	state.LastAttempt = now
-}
-
-// 检查锁定状态
-func (lm *LockManager) checkLockState(state *LockState, now time.Time, resetTime int) bool {
-	if state == nil || state.LastAttempt.IsZero() {
-		return false
-	}
-
-	// 如果超过锁定时间，重置锁定状态
-	if !state.LockTime.IsZero() && now.After(state.LockTime) {
-		state.FailureCount = 0
-		state.LockTime = time.Time{}
-		return false
-	}
-	// 如果超过窗口时间，重置失败计数
-	if now.Sub(state.LastAttempt) > time.Duration(resetTime)*time.Second {
-		state.FailureCount = 0
-		state.LockTime = time.Time{}
-		return false
-	}
-	// 如果锁定时间还在有效期内，继续锁定
-	if !state.LockTime.IsZero() && now.Before(state.LockTime) {
-		return true
-	}
-	return false
-}
diff --git a/server/handler/link_auth.go b/server/handler/link_auth.go
index a5a9f3d..666330d 100644
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -94,7 +94,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	// TODO 用户密码校验
 	err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect)
 	if err != nil {
-		lockManager.loginStatus.Store(loginStatusKey, false) // 记录登录失败状态
+		lockManager.LoginStatus.Store(loginStatusKey, false) // 记录登录失败状态
 		base.Warn(err, r.RemoteAddr)
 		ua.Info = err.Error()
 		ua.Status = dbdata.UserAuthFail
@@ -119,7 +119,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	}
 	// 用户otp验证
 	if !v.DisableOtp {
-		lockManager.loginStatus.Store(loginStatusKey, true) // 重置OTP验证计数
+		lockManager.LoginStatus.Store(loginStatusKey, true) // 重置OTP验证计数
 		sessionID, err := GenerateSessionID()
 		if err != nil {
 			base.Error("Failed to generate session ID: ", err)
diff --git a/server/handler/link_auth_otp.go b/server/handler/link_auth_otp.go
index 64b6362..579fcfd 100644
--- a/server/handler/link_auth_otp.go
+++ b/server/handler/link_auth_otp.go
@@ -110,7 +110,7 @@ func DeleteCookie(w http.ResponseWriter, name string) {
 	http.SetCookie(w, cookie)
 }
 func CreateSession(w http.ResponseWriter, r *http.Request, authSession *AuthSession) {
-	lockManager.loginStatus.Store(loginStatusKey, true) // 更新登录成功状态
+	lockManager.LoginStatus.Store(loginStatusKey, true) // 更新登录成功状态
 
 	cr := authSession.ClientRequest
 	ua := authSession.UserActLog
@@ -202,7 +202,7 @@ func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
 			http.Error(w, "TooManyError, please login again", http.StatusBadRequest)
 			return
 		}
-		lockManager.loginStatus.Store(loginStatusKey, false) // 记录登录失败状态
+		lockManager.LoginStatus.Store(loginStatusKey, false) // 记录登录失败状态
 
 		base.Warn("OTP 动态码错误", username, r.RemoteAddr)
 		ua.Info = "OTP 动态码错误"
diff --git a/server/handler/start.go b/server/handler/start.go
index e582739..51dc952 100644
--- a/server/handler/start.go
+++ b/server/handler/start.go
@@ -17,7 +17,7 @@ func Start() {
 	sessdata.Start()
 	cron.Start()
 
-	initAntiBruteForce() //初始化防爆破定时器和IP白名单
+	admin.InitLockManager() //初始化防爆破定时器和IP白名单
 
 	// 开启服务器转发
 	err := execCmd([]string{"sysctl -w net.ipv4.ip_forward=1"})

From dd7d1b0e2522d1dfd82155d0d8a1b873368c3d6d Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Mon, 28 Oct 2024 11:53:34 +0800
Subject: [PATCH 24/48] =?UTF-8?q?=E4=BD=BF=E7=94=A8=E5=B7=B2=E6=9C=89?=
 =?UTF-8?q?=E7=9A=84=E5=8A=A0=E5=AF=86=E6=96=B9=E6=A1=88=E5=8A=A0=E5=AF=86?=
 =?UTF-8?q?=E5=AF=86=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/dbdata/user.go             | 66 +++----------------------------
 server/pkg/utils/password_hash.go |  4 ++
 2 files changed, 10 insertions(+), 60 deletions(-)

diff --git a/server/dbdata/user.go b/server/dbdata/user.go
index 071e0b5..5d22bb9 100644
--- a/server/dbdata/user.go
+++ b/server/dbdata/user.go
@@ -1,18 +1,14 @@
 package dbdata
 
 import (
-	"crypto/rand"
-	"encoding/base64"
 	"errors"
 	"fmt"
-	"strings"
 	"sync"
 	"time"
 
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/pkg/utils"
 	"github.com/xlzd/gotp"
-	"golang.org/x/crypto/scrypt"
 )
 
 // type User struct {
@@ -130,7 +126,7 @@ func checkLocalUser(name, pwd, group string) error {
 	// 	}
 	// }
 	// 判断用户密码
-	if !VerifyPassword(pwd, v.PinCode) {
+	if !utils.PasswordVerify(pwd, v.PinCode) {
 		return fmt.Errorf("%s %s", name, "密码错误")
 	}
 
@@ -196,71 +192,21 @@ func CheckOtp(name, otp, secret string) bool {
 }
 
 // 插入数据库前加密密码
-func (u *User) BeforeInsert() error {
-	hashedPassword, err := ScryptPassword(u.PinCode)
+func (u *User) BeforeInsert() {
+	hashedPassword, err := utils.PasswordHash(u.PinCode)
 	if err != nil {
 		base.Error(err)
-		return err
 	}
 	u.PinCode = hashedPassword
-	return nil
 }
 
 // 更新数据库前加密密码
-func (u *User) BeforeUpdate() error {
-	if len(u.PinCode) != 57 {
-		hashedPassword, err := ScryptPassword(u.PinCode)
+func (u *User) BeforeUpdate() {
+	if len(u.PinCode) != 60 {
+		hashedPassword, err := utils.PasswordHash(u.PinCode)
 		if err != nil {
 			base.Error(err)
-			return err
 		}
 		u.PinCode = hashedPassword
 	}
-	return nil
-}
-
-// 加密密码
-func ScryptPassword(passwd string) (string, error) {
-	salt := make([]byte, 8)
-	if _, err := rand.Read(salt); err != nil {
-		return "", err
-	}
-
-	hashPasswd, err := scrypt.Key([]byte(passwd), salt, 1<<16, 8, 1, 32)
-	if err != nil {
-		return "", err
-	}
-
-	encodedSalt := base64.StdEncoding.EncodeToString(salt)
-	encodedHash := base64.StdEncoding.EncodeToString(hashPasswd)
-
-	return encodedSalt + "&" + encodedHash, nil
-}
-
-// 验证密码
-func VerifyPassword(password, hashPassword string) bool {
-	// 老用户使用明文验证
-	if len(hashPassword) != 57 {
-		return password == hashPassword
-	}
-
-	// 分割盐值和哈希值
-	encodepwds := strings.SplitN(hashPassword, "&", 2)
-	if len(encodepwds) != 2 {
-		return false
-	}
-
-	// 解码盐值
-	salt, err := base64.StdEncoding.DecodeString(encodepwds[0])
-	if err != nil {
-		return false
-	}
-
-	// 计算新的哈希值
-	newHash, err := scrypt.Key([]byte(password), salt, 1<<16, 8, 1, 32)
-	if err != nil {
-		return false
-	}
-
-	return base64.StdEncoding.EncodeToString(newHash) == encodepwds[1]
 }
diff --git a/server/pkg/utils/password_hash.go b/server/pkg/utils/password_hash.go
index 9254b7c..be899f6 100644
--- a/server/pkg/utils/password_hash.go
+++ b/server/pkg/utils/password_hash.go
@@ -14,6 +14,10 @@ func PasswordHash(password string) (string, error) {
 }
 
 func PasswordVerify(password, hash string) bool {
+	// 保留老用户明文验证
+	if len(hash) != 60 {
+		return password == hash
+	}
 	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
 	return err == nil
 }

From 55d73000330be6d8e0eccd5c0b922b92595f38f6 Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Mon, 28 Oct 2024 17:34:01 +0800
Subject: [PATCH 25/48] =?UTF-8?q?=E4=BC=98=E5=8C=96=E4=BB=A3=E7=A0=81?=
 =?UTF-8?q?=EF=BC=8C=E5=BC=80=E5=90=AFOTP=E9=98=B2=E7=88=86?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/link_auth_otp.go | 23 +++++++++++------------
 1 file changed, 11 insertions(+), 12 deletions(-)

diff --git a/server/handler/link_auth_otp.go b/server/handler/link_auth_otp.go
index 579fcfd..4db0f59 100644
--- a/server/handler/link_auth_otp.go
+++ b/server/handler/link_auth_otp.go
@@ -8,7 +8,6 @@ import (
 	"net"
 	"net/http"
 	"sync"
-	"sync/atomic"
 
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
@@ -18,12 +17,12 @@ import (
 
 var SessStore = NewSessionStore()
 
-const maxOtpErrCount = 3
+// const maxOtpErrCount = 3
 
 type AuthSession struct {
 	ClientRequest *ClientRequest
 	UserActLog    *dbdata.UserActLog
-	OtpErrCount   atomic.Uint32 // otp错误次数
+	// OtpErrCount   atomic.Uint32 // otp错误次数
 }
 
 // 存储临时会话信息
@@ -62,10 +61,10 @@ func (s *SessionStore) DeleteAuthSession(sessionID string) {
 	delete(s.session, sessionID)
 }
 
-func (a *AuthSession) AddOtpErrCount(i int) int {
-	newI := a.OtpErrCount.Add(uint32(i))
-	return int(newI)
-}
+// func (a *AuthSession) AddOtpErrCount(i int) int {
+// 	newI := a.OtpErrCount.Add(uint32(i))
+// 	return int(newI)
+// }
 
 func GenerateSessionID() (string, error) {
 	sessionID := utils.RandomRunes(32)
@@ -197,11 +196,11 @@ func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
 
 	// 动态码错误
 	if !dbdata.CheckOtp(username, otp, otpSecret) {
-		if sessionData.AddOtpErrCount(1) > maxOtpErrCount {
-			SessStore.DeleteAuthSession(sessionID)
-			http.Error(w, "TooManyError, please login again", http.StatusBadRequest)
-			return
-		}
+		// if sessionData.AddOtpErrCount(1) > maxOtpErrCount {
+		// 	SessStore.DeleteAuthSession(sessionID)
+		// 	http.Error(w, "TooManyError, please login again", http.StatusBadRequest)
+		// 	return
+		// }
 		lockManager.LoginStatus.Store(loginStatusKey, false) // 记录登录失败状态
 
 		base.Warn("OTP 动态码错误", username, r.RemoteAddr)

From 5826ebe6eb6f9a7963be84b4b9e28c4c86ddf54b Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Mon, 28 Oct 2024 18:14:21 +0800
Subject: [PATCH 26/48] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=20advertise=5Fdtls=5Fa?=
 =?UTF-8?q?ddr?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 doc/README.md                  | 83 ++++++++++++++++++----------------
 server/base/cfg.go             | 49 +++++++++++---------
 server/base/config.go          |  1 +
 server/conf/server-sample.toml |  2 +
 server/handler/link_tunnel.go  |  4 +-
 5 files changed, 76 insertions(+), 63 deletions(-)

diff --git a/doc/README.md b/doc/README.md
index 0af86ee..9d61a17 100644
--- a/doc/README.md
+++ b/doc/README.md
@@ -12,45 +12,50 @@
 >
 > 需要展示主页的同学，可以在QQ群 直接联系我添加。
 
-| 昵称          | 主页 / 联系方式                    |
-|-------------|------------------------------|
-| 代码 oo8      |                              |
-| 甘磊          | https://github.com/ganlei333 |
-| Oo@         | https://github.com/chooop    |
-| 虚极静笃        |                              |
-| 请喝可乐        |                              |
-| 加油加油        |                              |
-| 李建          |                              |
-| lanbin      |                              |
-| 乐在东途        |                              |
-| 孤鸿          |                              |
-| 刘国华         |                              |
-| 改名好无聊       |                              |
-| 全能互联网专家     |                              |
-| JCM         |                              |
-| Eh...       |                              |
-| 沉           |                              |
-| 刘国华         |                              |
-| 忧郁的豚骨拉面     |                              |
-| 张小旋当爹地      |                              |
-| 对方正在输入      |                              |
-| Ronny       |                              |
-| 奔跑的少年       |                              |
-| ZBW         |                              |
-| 悲鸣          |                              |
-| 谢谢          |                              |
-| 云思科技        |                              |
-| 哆啦A伟(张佳伟)   |                              |
-| 人类的悲欢并不相通   |                              |
-| 做人要低调       |                              |
-| 洛洛          |                              |
-| Dragon Liao |                              |
-| 诸葛御风        |                              |
-| 杨杨得亿        |                              |
-| Thanataos   |                              |
-| 憨大叔         |                              |
-| 明月          |                              |
-| Amis        |                              |
+| 昵称                 | 主页 / 联系方式                    |
+|--------------------|------------------------------|
+| 代码 oo8             |                              |
+| 甘磊                 | https://github.com/ganlei333 |
+| Oo@                | https://github.com/chooop    |
+| 虚极静笃               |                              |
+| 请喝可乐               |                              |
+| 加油加油               |                              |
+| 李建                 |                              |
+| lanbin             |                              |
+| 乐在东途               |                              |
+| 孤鸿                 |                              |
+| 刘国华                |                              |
+| 改名好无聊              |                              |
+| 全能互联网专家            |                              |
+| JCM                |                              |
+| Eh...              |                              |
+| 沉                  |                              |
+| 刘国华                |                              |
+| 忧郁的豚骨拉面            |                              |
+| 张小旋当爹地             |                              |
+| 对方正在输入             |                              |
+| Ronny              |                              |
+| 奔跑的少年              |                              |
+| ZBW                |                              |
+| 悲鸣                 |                              |
+| 谢谢                 |                              |
+| 云思科技               |                              |
+| 哆啦A伟(张佳伟)          |                              |
+| 人类的悲欢并不相通          |                              |
+| 做人要低调              |                              |
+| 洛洛                 |                              |
+| Dragon Liao        |                              |
+| 诸葛御风               |                              |
+| 杨杨得亿               |                              |
+| Thanataos          |                              |
+| 憨大叔                |                              |
+| 明月                 |                              |
+| Amis               |                              |
+| Blake              |                              |
+| 刘国华                |                              |
+| ZBW                |                              |
+| 全能互联网专家            |                              |
+| 广播.会议.音响.无纸化.物联网中控 |                              |
 
 
 
diff --git a/server/base/cfg.go b/server/base/cfg.go
index fba15f0..69b7dbf 100644
--- a/server/base/cfg.go
+++ b/server/base/cfg.go
@@ -33,28 +33,29 @@ var (
 
 type ServerConfig struct {
 	// LinkAddr      string `json:"link_addr"`
-	Conf           string `json:"conf"`
-	Profile        string `json:"profile"`
-	ProfileName    string `json:"profile_name"`
-	ServerAddr     string `json:"server_addr"`
-	ServerDTLSAddr string `json:"server_dtls_addr"`
-	ServerDTLS     bool   `json:"server_dtls"`
-	AdminAddr      string `json:"admin_addr"`
-	ProxyProtocol  bool   `json:"proxy_protocol"`
-	DbType         string `json:"db_type"`
-	DbSource       string `json:"db_source"`
-	CertFile       string `json:"cert_file"`
-	CertKey        string `json:"cert_key"`
-	FilesPath      string `json:"files_path"`
-	LogPath        string `json:"log_path"`
-	LogLevel       string `json:"log_level"`
-	HttpServerLog  bool   `json:"http_server_log"`
-	Pprof          bool   `json:"pprof"`
-	Issuer         string `json:"issuer"`
-	AdminUser      string `json:"admin_user"`
-	AdminPass      string `json:"admin_pass"`
-	AdminOtp       string `json:"admin_otp"`
-	JwtSecret      string `json:"jwt_secret"`
+	Conf              string `json:"conf"`
+	Profile           string `json:"profile"`
+	ProfileName       string `json:"profile_name"`
+	ServerAddr        string `json:"server_addr"`
+	ServerDTLS        bool   `json:"server_dtls"`
+	ServerDTLSAddr    string `json:"server_dtls_addr"`
+	AdvertiseDTLSAddr string `json:"advertise_dtls_addr"`
+	AdminAddr         string `json:"admin_addr"`
+	ProxyProtocol     bool   `json:"proxy_protocol"`
+	DbType            string `json:"db_type"`
+	DbSource          string `json:"db_source"`
+	CertFile          string `json:"cert_file"`
+	CertKey           string `json:"cert_key"`
+	FilesPath         string `json:"files_path"`
+	LogPath           string `json:"log_path"`
+	LogLevel          string `json:"log_level"`
+	HttpServerLog     bool   `json:"http_server_log"`
+	Pprof             bool   `json:"pprof"`
+	Issuer            string `json:"issuer"`
+	AdminUser         string `json:"admin_user"`
+	AdminPass         string `json:"admin_pass"`
+	AdminOtp          string `json:"admin_otp"`
+	JwtSecret         string `json:"jwt_secret"`
 
 	LinkMode    string `json:"link_mode"`    // tun tap macvtap ipvtap
 	Ipv4Master  string `json:"ipv4_master"`  // eth0
@@ -132,6 +133,10 @@ func initServerCfg() {
 		Cfg.JwtSecret = jwtSecret
 	}
 
+	if Cfg.AdvertiseDTLSAddr == "" {
+		Cfg.AdvertiseDTLSAddr = Cfg.ServerDTLSAddr
+	}
+
 	fmt.Printf("ServerCfg: %+v \n", Cfg)
 }
 
diff --git a/server/base/config.go b/server/base/config.go
index 65084d4..5604fdb 100644
--- a/server/base/config.go
+++ b/server/base/config.go
@@ -26,6 +26,7 @@ var configs = []config{
 	{Typ: cfgStr, Name: "server_addr", Usage: "TCP服务监听地址(任意端口)", ValStr: ":443"},
 	{Typ: cfgBool, Name: "server_dtls", Usage: "开启DTLS", ValBool: false},
 	{Typ: cfgStr, Name: "server_dtls_addr", Usage: "DTLS监听地址(任意端口)", ValStr: ":443"},
+	{Typ: cfgStr, Name: "advertise_dtls_addr", Usage: "DTLS对外映射端口(为空则与server_dtls_addr相同)", ValStr: ""},
 	{Typ: cfgStr, Name: "admin_addr", Usage: "后台服务监听地址", ValStr: ":8800"},
 	{Typ: cfgBool, Name: "proxy_protocol", Usage: "TCP代理协议", ValBool: false},
 	{Typ: cfgStr, Name: "db_type", Usage: "数据库类型 [sqlite3 mysql postgres]", ValStr: "sqlite3"},
diff --git a/server/conf/server-sample.toml b/server/conf/server-sample.toml
index 7315771..239d454 100644
--- a/server/conf/server-sample.toml
+++ b/server/conf/server-sample.toml
@@ -44,6 +44,8 @@ server_addr = ":443"
 server_dtls = false
 #UDP监听地址(任意端口)
 server_dtls_addr = ":443"
+#DTLS对外映射端口(为空则与server_dtls_addr相同)
+advertise_dtls_addr = ""
 #后台服务监听地址
 admin_addr = ":8800"
 #开启tcp proxy protocol协议
diff --git a/server/handler/link_tunnel.go b/server/handler/link_tunnel.go
index a4f1b21..0a3bdab 100644
--- a/server/handler/link_tunnel.go
+++ b/server/handler/link_tunnel.go
@@ -87,8 +87,8 @@ func LinkTunnel(w http.ResponseWriter, r *http.Request) {
 	cSess.CstpDpd = cstpDpd
 
 	dtlsPort := "443"
-	if strings.Contains(base.Cfg.ServerDTLSAddr, ":") {
-		ss := strings.Split(base.Cfg.ServerDTLSAddr, ":")
+	if strings.Contains(base.Cfg.AdvertiseDTLSAddr, ":") {
+		ss := strings.Split(base.Cfg.AdvertiseDTLSAddr, ":")
 		dtlsPort = ss[1]
 	}
 

From 152b62ac90615ebf364cba9d130a9b97df5d3a21 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 30 Oct 2024 16:02:54 +0800
Subject: [PATCH 27/48] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=20mssql=20=E6=94=AF?=
 =?UTF-8?q?=E6=8C=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md           | 11 ++++++-----
 server/dbdata/db.go |  8 +++++---
 server/go.mod       |  3 +++
 server/go.sum       | 20 ++++++++++++++++++++
 4 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 7c05590..43a741b 100644
--- a/README.md
+++ b/README.md
@@ -160,11 +160,12 @@ sudo ./anylink
 >
 > 数据库表结构自动生成，无需手动导入(请赋予 DDL 权限)
 
-| db_type  | db_source                                                      |
-|----------|----------------------------------------------------------------|
-| sqlite3  | ./conf/anylink.db                                              |
-| mysql    | user:password@tcp(127.0.0.1:3306)/anylink?charset=utf8         |
-| postgres | postgres://user:password@localhost/anylink?sslmode=verify-full |
+| db_type  | db_source                                                                  |
+|----------|----------------------------------------------------------------------------|
+| sqlite3  | ./conf/anylink.db                                                          |
+| mysql    | user:password@tcp(127.0.0.1:3306)/anylink?charset=utf8                     |
+| postgres | postgres://user:password@localhost/anylink?sslmode=verify-full             |
+| mssql    | sqlserver://user:password@localhost?database=anylink&connection+timeout=30 |
 
 > 示例配置文件
 >
diff --git a/server/dbdata/db.go b/server/dbdata/db.go
index 388476b..764638d 100644
--- a/server/dbdata/db.go
+++ b/server/dbdata/db.go
@@ -5,6 +5,7 @@ import (
 	"time"
 
 	"github.com/bjdgyc/anylink/base"
+	_ "github.com/denisenkom/go-mssqldb"
 	_ "github.com/go-sql-driver/mysql"
 	_ "github.com/lib/pq"
 	_ "github.com/mattn/go-sqlite3"
@@ -22,13 +23,14 @@ func GetXdb() *xorm.Engine {
 func initDb() {
 	var err error
 	xdb, err = xorm.NewEngine(base.Cfg.DbType, base.Cfg.DbSource)
-	// 初始化xorm时区
-	xdb.DatabaseTZ = time.Local
-	xdb.TZLocation = time.Local
 	if err != nil {
 		base.Fatal(err)
 	}
 
+	// 初始化xorm时区
+	xdb.DatabaseTZ = time.Local
+	xdb.TZLocation = time.Local
+
 	if base.Cfg.ShowSQL {
 		xdb.ShowSQL(true)
 	}
diff --git a/server/go.mod b/server/go.mod
index 67cbe08..abd7ac0 100644
--- a/server/go.mod
+++ b/server/go.mod
@@ -5,6 +5,7 @@ go 1.22
 require (
 	github.com/arl/statsviz v0.6.0
 	github.com/deckarep/golang-set v1.8.0
+	github.com/denisenkom/go-mssqldb v0.12.3
 	github.com/go-acme/lego/v4 v4.15.0
 	github.com/go-co-op/gocron v1.37.0
 	github.com/go-ldap/ldap v3.0.3+incompatible
@@ -49,6 +50,8 @@ require (
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
 	github.com/go-test/deep v1.1.0 // indirect
+	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
+	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
diff --git a/server/go.sum b/server/go.sum
index 4573152..3c0553e 100644
--- a/server/go.sum
+++ b/server/go.sum
@@ -3,6 +3,9 @@ filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 gitea.com/xorm/sqlfiddle v0.0.0-20180821085327-62ce714f951a h1:lSA0F4e9A2NcQSqGqTOXqu2aRi/XEQxDCBwM8yJtE6s=
 gitea.com/xorm/sqlfiddle v0.0.0-20180821085327-62ce714f951a/go.mod h1:EXuID2Zs0pAQhH8yz+DNjUbjppKQzKFAn28TMYPB6IU=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.11.0/go.mod h1:HcM1YX14R7CJcghJGOYCgdezslRSVzqwLf/q+4Y2r/0=
+github.com/Azure/azure-sdk-for-go/sdk/internal v0.7.0/go.mod h1:yqy467j36fJxcRV2TzfVZ1pCb5vxm4BtZPUdYWe/Xo8=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo=
 github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw=
@@ -24,6 +27,9 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/deckarep/golang-set v1.8.0 h1:sk9/l/KqpunDwP7pSjUg0keiOOLEnOBHzykLrsPppp4=
 github.com/deckarep/golang-set v1.8.0/go.mod h1:5nI87KwE7wgsBU1F4GKAw2Qod7p5kyS383rP6+o6qqo=
+github.com/denisenkom/go-mssqldb v0.12.3 h1:pBSGx9Tq67pBOTLmxNuirNTeB8Vjmf886Kx+8Y+8shw=
+github.com/denisenkom/go-mssqldb v0.12.3/go.mod h1:k0mtMFOnU+AihqFxPMiF05rtiDrorD1Vrm1KEz5hxDo=
+github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w=
@@ -59,6 +65,11 @@ github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MG
 github.com/goji/httpauth v0.0.0-20160601135302-2da839ab0f4d/go.mod h1:nnjvkQ9ptGaCkuDUx6wNykzzlUixGxvkme+H/lnzb+A=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
+github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
+github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
+github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A=
+github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EOqtpKwwwHI=
 github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
@@ -140,6 +151,7 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJ
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3PzxT8aQXRPkAt8xlV/e7d7w8GM5g0fa5F0D8=
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 h1:RWengNIwukTxcDr9M+97sNutRR1RKhG96O6jWumTTnw=
 github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826/go.mod h1:TaXosZuwdSHYgviHp1DAtfrULt5eUgsSMsZf+YrPgl8=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
@@ -162,6 +174,7 @@ github.com/pion/transport/v2 v2.2.4 h1:41JJK6DZQYSeVLxILA2+F4ZkKb4Xd/tFJZRFZQ9QA
 github.com/pion/transport/v2 v2.2.4/go.mod h1:q2U/tf9FEfnSBGSW6w5Qp5PFWRLRj3NjLhCCgpRK4p0=
 github.com/pires/go-proxyproto v0.7.0 h1:IukmRewDQFWC7kfnb66CSomk2q/seBuilHBYFwyq0Hs=
 github.com/pires/go-proxyproto v0.7.0/go.mod h1:Vz/1JPY/OACxWGQNIRY2BeyDmpoaWmEP40O9LbuiFR4=
+github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -257,7 +270,9 @@ go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN8
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20201016220609-9e8e0b390897/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
@@ -288,6 +303,8 @@ golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20210610132358-84b48f89b13b/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
@@ -307,6 +324,7 @@ golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -329,6 +347,7 @@ golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
@@ -377,6 +396,7 @@ gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

From cad74d7fdb2fdff1e8d23e81baf7c4bccb143126 Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Thu, 31 Oct 2024 10:04:35 +0800
Subject: [PATCH 28/48] =?UTF-8?q?=E9=98=B2=E7=88=86=E5=A2=9E=E5=8A=A0?=
 =?UTF-8?q?=E5=89=8D=E7=AB=AF=E6=89=8B=E5=8A=A8=E8=A7=A3=E9=94=81=E7=9A=84?=
 =?UTF-8?q?=E5=8A=9F=E8=83=BD?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/admin/lockmanager.go        |  35 +++++++--
 server/admin/server.go             |   1 +
 web/src/layout/LayoutAside.vue     |  15 ++--
 web/src/pages/user/LockManager.vue | 109 +++++++++++++++++++++++++++++
 web/src/plugins/router.js          |  29 ++++----
 5 files changed, 157 insertions(+), 32 deletions(-)
 create mode 100644 web/src/pages/user/LockManager.vue

diff --git a/server/admin/lockmanager.go b/server/admin/lockmanager.go
index c7c99a3..cf6e523 100644
--- a/server/admin/lockmanager.go
+++ b/server/admin/lockmanager.go
@@ -97,7 +97,25 @@ func UnlockUser(w http.ResponseWriter, r *http.Request) {
 	lm.mu.Lock()
 	defer lm.mu.Unlock()
 
-	lm.Unlock(lockinfo.State)
+	// 根据用户名和IP查找锁定状态
+	var state *LockState
+	switch {
+	case lockinfo.IP == "" && lockinfo.Username != "":
+		state = lm.userLocks[lockinfo.Username] // 全局用户锁定
+	case lockinfo.Username != "" && lockinfo.IP != "":
+		if userIPMap, exists := lm.ipUserLocks[lockinfo.Username]; exists {
+			state = userIPMap[lockinfo.IP] // 单用户 IP 锁定
+		}
+	default:
+		state = lm.ipLocks[lockinfo.IP] // 全局 IP 锁定
+	}
+
+	if state == nil || !state.Locked {
+		RespError(w, RespInternalErr, fmt.Errorf("锁定状态未找到或已解锁"))
+		return
+	}
+
+	lm.Unlock(state)
 	base.Info("解锁成功:", lockinfo.Description, lockinfo.Username, lockinfo.IP)
 
 	RespSucess(w, "解锁成功！")
@@ -112,7 +130,7 @@ func (lm *LockManager) GetLocksInfo() []LockInfo {
 	for ip, state := range lm.ipLocks {
 		if state.Locked {
 			info := LockInfo{
-				Description: "全局 IP 锁定",
+				Description: "全局IP锁定",
 				Username:    "",
 				IP:          ip,
 				State: &LockState{
@@ -147,7 +165,7 @@ func (lm *LockManager) GetLocksInfo() []LockInfo {
 		for ip, state := range ipStates {
 			if state.Locked {
 				info := LockInfo{
-					Description: "单用户 IP 锁定",
+					Description: "单用户IP锁定",
 					Username:    username,
 					IP:          ip,
 					State: &LockState{
@@ -205,7 +223,7 @@ func (lm *LockManager) IsWhitelisted(ip string) bool {
 }
 
 func (lm *LockManager) StartCleanupTicker() {
-	lm.cleanupTicker = time.NewTicker(5 * time.Minute)
+	lm.cleanupTicker = time.NewTicker(1 * time.Minute)
 	go func() {
 		for range lm.cleanupTicker.C {
 			lm.CleanupExpiredLocks()
@@ -220,20 +238,23 @@ func (lm *LockManager) CleanupExpiredLocks() {
 	defer lm.mu.Unlock()
 
 	for ip, state := range lm.ipLocks {
-		if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
+		if !lm.CheckLockState(state, now, base.Cfg.GlobalIPLockTime) ||
+			now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
 			delete(lm.ipLocks, ip)
 		}
 	}
 
 	for user, state := range lm.userLocks {
-		if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
+		if !lm.CheckLockState(state, now, base.Cfg.GlobalUserLockTime) ||
+			now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
 			delete(lm.userLocks, user)
 		}
 	}
 
 	for user, ipMap := range lm.ipUserLocks {
 		for ip, state := range ipMap {
-			if now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
+			if !lm.CheckLockState(state, now, base.Cfg.LockTime) ||
+				now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
 				delete(ipMap, ip)
 				if len(ipMap) == 0 {
 					delete(lm.ipUserLocks, user)
diff --git a/server/admin/server.go b/server/admin/server.go
index 7329f87..dae1a66 100644
--- a/server/admin/server.go
+++ b/server/admin/server.go
@@ -88,6 +88,7 @@ func StartAdmin() {
 
 	r.HandleFunc("/statsinfo/list", StatsInfoList)
 	r.HandleFunc("/locksinfo/list", GetLocksInfo)
+	r.HandleFunc("/locksinfo/unlok", UnlockUser)
 
 	// pprof
 	if base.Cfg.Pprof {
diff --git a/web/src/layout/LayoutAside.vue b/web/src/layout/LayoutAside.vue
index cfbbc59..6bb927e 100644
--- a/web/src/layout/LayoutAside.vue
+++ b/web/src/layout/LayoutAside.vue
@@ -7,17 +7,9 @@
 
   <!--<div class="layout-aside" :style="aside_style">-->
 
-  <el-menu :collapse="!is_active"
-           :default-active="route_path"
-           :style="is_active?'width:200px':''"
-           router
-           class="layout-menu"
-           :collapse-transition="false"
-
-           background-color="#545c64"
-           text-color="#fff"
-           active-text-color="#ffd04b"
-  >
+  <el-menu :collapse="!is_active" :default-active="route_path" :style="is_active ? 'width:200px' : ''" router
+    class="layout-menu" :collapse-transition="false" background-color="#545c64" text-color="#fff"
+    active-text-color="#ffd04b">
     <el-menu-item index="/admin/home">
       <i class="el-icon-s-home"></i>
       <span slot="title">首页</span>
@@ -44,6 +36,7 @@
       <el-menu-item index="/admin/user/list">用户列表</el-menu-item>
       <el-menu-item index="/admin/user/policy">用户策略</el-menu-item>
       <el-menu-item index="/admin/user/online">在线用户</el-menu-item>
+      <el-menu-item index="/admin/user/lockmanager">锁定管理</el-menu-item>
       <el-menu-item index="/admin/user/ip_map">IP映射</el-menu-item>
     </el-submenu>
 
diff --git a/web/src/pages/user/LockManager.vue b/web/src/pages/user/LockManager.vue
new file mode 100644
index 0000000..c4986a8
--- /dev/null
+++ b/web/src/pages/user/LockManager.vue
@@ -0,0 +1,109 @@
+<template>
+    <div id="lock-manager">
+        <el-card>
+            <div slot="header">
+                <el-button type="primary" @click="getLocks">刷新信息</el-button>
+            </div>
+            <el-table :data="locksInfo" style="width: 100%" border>
+                <el-table-column type="index" label="序号" width="60"></el-table-column>
+                <el-table-column prop="description" label="描述"></el-table-column>
+                <el-table-column prop="username" label="用户名"></el-table-column>
+                <el-table-column prop="ip" label="IP地址"></el-table-column>
+                <el-table-column prop="state.locked" label="状态" width="100">
+                    <template slot-scope="scope">
+                        <el-tag :type="scope.row.state.locked ? 'danger' : 'success'">
+                            {{ scope.row.state.locked ? '已锁定' : '未锁定' }}
+                        </el-tag>
+                    </template>
+                </el-table-column>
+                <el-table-column prop="state.attempts" label="失败次数"></el-table-column>
+                <el-table-column prop="state.lock_time" label="锁定截止时间">
+                    <template slot-scope="scope">
+                        {{ formatDate(scope.row.state.lock_time) }}
+                    </template>
+                </el-table-column>
+                <el-table-column prop="state.lastAttempt" label="最后尝试时间">
+                    <template slot-scope="scope">
+                        {{ formatDate(scope.row.state.lastAttempt) }}
+                    </template>
+                </el-table-column>
+                <el-table-column label="操作">
+                    <template slot-scope="scope">
+                        <div class="button">
+                            <el-button size="small" type="danger" @click="unlock(scope.row)">
+                                解锁
+                            </el-button>
+                        </div>
+                    </template>
+                </el-table-column>
+            </el-table>
+        </el-card>
+    </div>
+</template>
+
+<script>
+import axios from 'axios';
+
+export default {
+    name: 'LockManager',
+    data() {
+        return {
+            locksInfo: []
+        };
+    },
+    methods: {
+        getLocks() {
+            axios.get('/locksinfo/list')
+                .then(response => {
+                    this.locksInfo = response.data.data;
+                })
+                .catch(error => {
+                    console.error('Failed to get locks info:', error);
+                    this.$message.error('无法获取锁信息，请稍后再试。');
+                });
+        },
+        unlock(lock) {
+            const lockInfo = {
+                state: { locked: false },
+                username: lock.username,
+                ip: lock.ip,
+                description: lock.description
+            };
+
+            axios.post('/locksinfo/unlok', lockInfo)
+                .then(() => {
+                    this.$message.success('解锁成功！');
+                    this.getLocks();
+                })
+                .catch(error => {
+                    console.error('Failed to unlock:', error);
+                    this.$message.error('解锁失败，请稍后再试。');
+                });
+        },
+        formatDate(dateString) {
+            if (!dateString) return '';
+            const date = new Date(dateString);
+            return new Intl.DateTimeFormat('zh-CN', {
+                year: 'numeric',
+                month: '2-digit',
+                day: '2-digit',
+                hour: '2-digit',
+                minute: '2-digit',
+                second: '2-digit',
+                hour12: false
+            }).format(date);
+        }
+    },
+    created() {
+        this.getLocks();
+    }
+};
+</script>
+
+<style scoped>
+.button {
+    display: flex;
+    justify-content: center;
+    align-items: center;
+}
+</style>
\ No newline at end of file
diff --git a/web/src/plugins/router.js b/web/src/plugins/router.js
index 07b42e5..1daff4d 100644
--- a/web/src/plugins/router.js
+++ b/web/src/plugins/router.js
@@ -1,35 +1,36 @@
 import Vue from "vue";
 import VueRouter from "vue-router";
-import {getToken} from "./token";
+import { getToken } from "./token";
 
 Vue.use(VueRouter)
 
 
 const routes = [
-    {path: '/login', component: () => import('@/pages/Login')},
+    { path: '/login', component: () => import('@/pages/Login') },
     {
         path: '/admin',
         component: () => import('@/layout/Layout'),
         redirect: '/admin/home',
         children: [
-            {path: 'home', component: () => import('@/pages/Home')},
+            { path: 'home', component: () => import('@/pages/Home') },
 
-            {path: 'set/system', component: () => import('@/pages/set/System')},
-            {path: 'set/soft', component: () => import('@/pages/set/Soft')},
-            {path: 'set/other', component: () => import('@/pages/set/Other')},
-            {path: 'set/audit', component: () => import('@/pages/set/Audit')},
+            { path: 'set/system', component: () => import('@/pages/set/System') },
+            { path: 'set/soft', component: () => import('@/pages/set/Soft') },
+            { path: 'set/other', component: () => import('@/pages/set/Other') },
+            { path: 'set/audit', component: () => import('@/pages/set/Audit') },
 
-            {path: 'user/list', component: () => import('@/pages/user/List')},
-            {path: 'user/policy', component: () => import('@/pages/user/Policy')},
-            {path: 'user/online', component: () => import('@/pages/user/Online')},
-            {path: 'user/ip_map', component: () => import('@/pages/user/IpMap')},
+            { path: 'user/list', component: () => import('@/pages/user/List') },
+            { path: 'user/policy', component: () => import('@/pages/user/Policy') },
+            { path: 'user/online', component: () => import('@/pages/user/Online') },
+            { path: 'user/ip_map', component: () => import('@/pages/user/IpMap') },
+            { path: 'user/lockmanager', component: () => import('@/pages/user/LockManager') },
 
-            {path: 'group/list', component: () => import('@/pages/group/List')},
+            { path: 'group/list', component: () => import('@/pages/group/List') },
 
         ],
     },
 
-    {path: '*', redirect: '/admin/home'},
+    { path: '*', redirect: '/admin/home' },
 ]
 
 // 3. 创建 router 实例，然后传 `routes` 配置
@@ -64,7 +65,7 @@ router.beforeEach((to, from, next) => {
     }
 
     if (to.path === "/login") {
-        next({path: '/admin/home'});
+        next({ path: '/admin/home' });
         return;
     }
 

From 9d5b7070d9ce4d94eca53a236260532eb3f8c8eb Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Thu, 31 Oct 2024 11:51:49 +0800
Subject: [PATCH 29/48] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E5=89=8D=E7=AB=AF?=
 =?UTF-8?q?=E4=BC=9A=E6=98=BE=E7=A4=BA=E5=B7=B2=E7=A6=81=E7=94=A8=E7=AE=A1?=
 =?UTF-8?q?=E7=90=86=E5=99=A8=E4=BF=A1=E6=81=AF=E7=9A=84bug?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/admin/lockmanager.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/server/admin/lockmanager.go b/server/admin/lockmanager.go
index cf6e523..968ae64 100644
--- a/server/admin/lockmanager.go
+++ b/server/admin/lockmanager.go
@@ -128,7 +128,7 @@ func (lm *LockManager) GetLocksInfo() []LockInfo {
 	defer lm.mu.Unlock()
 
 	for ip, state := range lm.ipLocks {
-		if state.Locked {
+		if base.Cfg.MaxGlobalIPBanCount > 0 && state.Locked {
 			info := LockInfo{
 				Description: "全局IP锁定",
 				Username:    "",
@@ -145,7 +145,7 @@ func (lm *LockManager) GetLocksInfo() []LockInfo {
 	}
 
 	for username, state := range lm.userLocks {
-		if state.Locked {
+		if base.Cfg.MaxGlobalUserBanCount > 0 && state.Locked {
 			info := LockInfo{
 				Description: "全局用户锁定",
 				Username:    username,
@@ -163,7 +163,7 @@ func (lm *LockManager) GetLocksInfo() []LockInfo {
 
 	for username, ipStates := range lm.ipUserLocks {
 		for ip, state := range ipStates {
-			if state.Locked {
+			if base.Cfg.MaxBanCount > 0 && state.Locked {
 				info := LockInfo{
 					Description: "单用户IP锁定",
 					Username:    username,

From 7116aaa5a868b9faf6802e46c8c26dedf4454c1a Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Tue, 5 Nov 2024 18:20:23 +0800
Subject: [PATCH 30/48] =?UTF-8?q?=E4=BC=98=E5=8C=96=E4=BB=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 build_docker.sh            | 10 +++++++---
 server/sessdata/ip_pool.go | 20 +++++++++++---------
 2 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/build_docker.sh b/build_docker.sh
index 8a9701e..4bf4356 100644
--- a/build_docker.sh
+++ b/build_docker.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+action=$1
+
 ver=$(cat version)
 echo $ver
 
@@ -18,6 +20,8 @@ docker build -t bjdgyc/anylink:latest --no-cache --progress=plain \
 echo "docker tag latest $ver"
 docker tag bjdgyc/anylink:latest bjdgyc/anylink:$ver
 
-
-# docker tag bjdgyc/anylink:$ver registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:test-$ver
-# docker push registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:test-$ver
+if [[ $action == "cntest" ]]; then
+  docker tag bjdgyc/anylink:$ver registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:test-$ver
+  docker push registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:test-$ver
+  echo registry.cn-hangzhou.aliyuncs.com/bjdgyc/anylink:test-$ver
+fi
diff --git a/server/sessdata/ip_pool.go b/server/sessdata/ip_pool.go
index 8d49496..4127080 100644
--- a/server/sessdata/ip_pool.go
+++ b/server/sessdata/ip_pool.go
@@ -85,6 +85,13 @@ func initIpPool() {
 // 	ipPoolMux.Unlock()
 // }
 
+func ipInPool(ip net.IP) bool {
+	if utils.Ip2long(ip) >= IpPool.IpLongMin && utils.Ip2long(ip) <= IpPool.IpLongMax {
+		return true
+	}
+	return false
+}
+
 // AcquireIp 获取动态ip
 func AcquireIp(username, macAddr string, uniqueMac bool) (newIp net.IP) {
 	base.Trace("AcquireIp start:", username, macAddr, uniqueMac)
@@ -125,8 +132,7 @@ func AcquireIp(username, macAddr string, uniqueMac bool) (newIp net.IP) {
 		// IpPool.Ipv4IPNet.Contains(ip) &&
 		// ip符合规范
 		// 检测原有ip是否在新的ip池内
-		if !ok && utils.Ip2long(ip) >= IpPool.IpLongMin &&
-			utils.Ip2long(ip) <= IpPool.IpLongMax {
+		if !ok && ipInPool(ip) {
 			mi.Username = username
 			mi.LastLogin = tNow
 			mi.UniqueMac = uniqueMac
@@ -150,7 +156,7 @@ func AcquireIp(username, macAddr string, uniqueMac bool) (newIp net.IP) {
 
 	// 没有获取到mac的情况
 	ipMaps := []dbdata.IpMap{}
-	err = dbdata.FindWhere(&ipMaps, 50, 1, "username=?", username)
+	err = dbdata.FindWhere(&ipMaps, 30, 1, "username=?", username)
 	if err != nil {
 		// 没有查询到数据
 		if dbdata.CheckErrNotFound(err) {
@@ -180,8 +186,7 @@ func AcquireIp(username, macAddr string, uniqueMac bool) (newIp net.IP) {
 
 		// 没有mac的 不需要验证租期
 		// mi.LastLogin.Before(leaseTime) &&
-		if utils.Ip2long(ip) >= IpPool.IpLongMin &&
-			utils.Ip2long(ip) <= IpPool.IpLongMax {
+		if ipInPool(ip) {
 			mi.Username = username
 			mi.LastLogin = tNow
 			mi.MacAddr = macAddr
@@ -199,8 +204,7 @@ func AcquireIp(username, macAddr string, uniqueMac bool) (newIp net.IP) {
 var (
 	// 记录循环点
 	loopCurIp uint32
-	loopFarIp = &dbdata.IpMap{LastLogin: time.Now()}
-	loopFarI  = uint32(0)
+	loopFarIp *dbdata.IpMap
 )
 
 func loopIp(username, macAddr string, uniqueMac bool) net.IP {
@@ -211,7 +215,6 @@ func loopIp(username, macAddr string, uniqueMac bool) net.IP {
 
 	// 重新赋值
 	loopFarIp = &dbdata.IpMap{LastLogin: time.Now()}
-	loopFarI = uint32(0)
 
 	i, ip = loopLong(loopCurIp, IpPool.IpLongMax, username, macAddr, uniqueMac)
 	if ip != nil {
@@ -298,7 +301,6 @@ func loopLong(start, end uint32, username, macAddr string, uniqueMac bool) (uint
 		// 其他情况判断最早登陆
 		if mi.LastLogin.Before(loopFarIp.LastLogin) {
 			loopFarIp = mi
-			loopFarI = i
 		}
 	}
 

From 7d1b4b5e22050f216139ab2ffea6a68e273d1817 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 6 Nov 2024 16:26:21 +0800
Subject: [PATCH 31/48] =?UTF-8?q?=E4=BC=98=E5=8C=96=E4=BB=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md                  | 6 +++++-
 server/dbdata/user.go      | 8 ++++++++
 server/dbdata/user_test.go | 7 ++++---
 3 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 43a741b..dbab5fd 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,10 @@
 
 AnyLink 是一个企业级远程办公 sslvpn 的软件，可以支持多人同时在线使用。
 
+使用 AnyLink，你可以随时随地安全的访问你的内部网络。
+
+With AnyLink, you can securely access your internal network anytime and anywhere.
+
 ## Repo
 
 > github: https://github.com/bjdgyc/anylink
@@ -26,7 +30,7 @@ AnyLink 基于 [ietf-openconnect](https://tools.ietf.org/html/draft-mavrogiannop
 AnyLink 使用 TLS/DTLS 进行数据加密，因此需要 RSA 或 ECC 证书，可以使用私有自签证书，可以通过 Let's Encrypt 和 TrustAsia
 申请免费的 SSL 证书。
 
-AnyLink 服务端仅在 CentOS 7、CentOS 8、Ubuntu 18.04、Ubuntu 20.04 测试通过，如需要安装在其他系统，需要服务端支持 tun/tap
+AnyLink 服务端仅在 CentOS 7、CentOS 8、Ubuntu 18、Ubuntu 20、Ubuntu 20、AnolisOS 8 测试通过，如需要安装在其他系统，需要服务端支持 tun/tap
 功能、ip 设置命令、iptables命令。
 
 ## Screenshot
diff --git a/server/dbdata/user.go b/server/dbdata/user.go
index 5d22bb9..8dbcd15 100644
--- a/server/dbdata/user.go
+++ b/server/dbdata/user.go
@@ -126,6 +126,14 @@ func checkLocalUser(name, pwd, group string) error {
 	// 	}
 	// }
 	// 判断用户密码
+	// 兼容明文密码
+	if len(v.PinCode) != 60 {
+		if pwd != v.PinCode {
+			return fmt.Errorf("%s %s", name, "密码错误")
+		}
+		return nil
+	}
+	// 密文密码
 	if !utils.PasswordVerify(pwd, v.PinCode) {
 		return fmt.Errorf("%s %s", name, "密码错误")
 	}
diff --git a/server/dbdata/user_test.go b/server/dbdata/user_test.go
index ea54918..c7aa92f 100644
--- a/server/dbdata/user_test.go
+++ b/server/dbdata/user_test.go
@@ -24,7 +24,8 @@ func TestCheckUser(t *testing.T) {
 	ast.Equal(g.RouteInclude[0].IpMask, "192.168.1.0/255.255.255.0")
 
 	// 添加一个用户
-	u := User{Username: "aaa", Groups: []string{group}, Status: 1}
+	pincode := "a123456"
+	u := User{Username: "aaa", PinCode: pincode, Groups: []string{group}, Status: 1}
 	err = SetUser(&u)
 	ast.Nil(err)
 
@@ -37,7 +38,7 @@ func TestCheckUser(t *testing.T) {
 	// 单独验证密码
 	u.DisableOtp = true
 	_ = SetUser(&u)
-	err = CheckUser("aaa", u.PinCode, group)
+	err = CheckUser("aaa", pincode, group)
 	ast.Nil(err)
 
 	// 添加一个radius组
@@ -62,7 +63,7 @@ func TestCheckUser(t *testing.T) {
 	p1 := Policy{Username: "aaa", Status: 1, ClientDns: dns2, RouteInclude: route2}
 	err = SetPolicy(&p1)
 	ast.Nil(err)
-	err = CheckUser("aaa", u.PinCode, group)
+	err = CheckUser("aaa", pincode, group)
 	ast.Nil(err)
 	// 添加一个ldap组
 	group3 := "group3"

From 0405ed75ab96fc0b6f5463b0e2b84a5958ece41f Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 6 Nov 2024 16:30:05 +0800
Subject: [PATCH 32/48] =?UTF-8?q?=E4=BC=98=E5=8C=96=E4=BB=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 doc/question.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/doc/question.md b/doc/question.md
index 112b70c..19da2e3 100644
--- a/doc/question.md
+++ b/doc/question.md
@@ -117,3 +117,20 @@ anylink:    tun模式 tcp传输
 > 客户端tls加密协议、隧道header头都会占用一定带宽
 
 
+### 登录防爆说明
+
+```
+
+1.用户 A 在 IP 1.2.3.4 上尝试登录:
+  用户 A 在 IP 1.2.3.4 上尝试登录失败 5 次，触发了该 IP 上的用户 A 锁定 5 分钟。
+  在这 5 分钟内，用户 A 从 IP 1.2.3.4 无法进行新的登录尝试。
+2.用户 A 更换 IP 到 1.2.3.5 继续尝试登录:
+  用户 A 在 IP 1.2.3.5 上继续尝试登录，并且累计失败 20 次，触发了全局用户 A 锁定 5 分钟。
+  在这 5 分钟内，用户 A 从任何 IP 地址都无法进行新的登录尝试。
+3.IP 1.2.3.4 上多个用户尝试登录:
+  如果从 IP 1.2.3.4 上累计有 40 次失败登录尝试（无论来自多少不同的用户），触发了该 IP 的全局锁定 5 分钟。
+  在这 5 分钟内，从 IP 1.2.3.4 的所有登录尝试都将被拒绝。
+
+如果在 N 分钟内没有新的失败尝试，失败计数会在 N 分钟后（*_reset_time）重置。
+
+```
\ No newline at end of file

From 60898ea2f6d0796226b5099a7763dc3a7862699c Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 6 Nov 2024 16:30:58 +0800
Subject: [PATCH 33/48] =?UTF-8?q?=E4=BC=98=E5=8C=96=E4=BB=A3=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 doc/question.md | 2 --
 1 file changed, 2 deletions(-)

diff --git a/doc/question.md b/doc/question.md
index 19da2e3..a8f2433 100644
--- a/doc/question.md
+++ b/doc/question.md
@@ -120,7 +120,6 @@ anylink:    tun模式 tcp传输
 ### 登录防爆说明
 
 ```
-
 1.用户 A 在 IP 1.2.3.4 上尝试登录:
   用户 A 在 IP 1.2.3.4 上尝试登录失败 5 次，触发了该 IP 上的用户 A 锁定 5 分钟。
   在这 5 分钟内，用户 A 从 IP 1.2.3.4 无法进行新的登录尝试。
@@ -132,5 +131,4 @@ anylink:    tun模式 tcp传输
   在这 5 分钟内，从 IP 1.2.3.4 的所有登录尝试都将被拒绝。
 
 如果在 N 分钟内没有新的失败尝试，失败计数会在 N 分钟后（*_reset_time）重置。
-
 ```
\ No newline at end of file

From 6deb007d92516f97eea4c1befbd4531026906d61 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 6 Nov 2024 17:00:22 +0800
Subject: [PATCH 34/48] =?UTF-8?q?=E5=8D=87=E7=BA=A7=E4=BE=9D=E8=B5=96?=
 =?UTF-8?q?=E7=89=88=E6=9C=AC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/go.mod | 87 ++++++++++++++++++++++++++-------------------------
 1 file changed, 44 insertions(+), 43 deletions(-)

diff --git a/server/go.mod b/server/go.mod
index abd7ac0..0769ed2 100644
--- a/server/go.mod
+++ b/server/go.mod
@@ -1,89 +1,90 @@
 module github.com/bjdgyc/anylink
 
-go 1.22
+go 1.22.0
+
+toolchain go1.22.7
 
 require (
 	github.com/arl/statsviz v0.6.0
 	github.com/deckarep/golang-set v1.8.0
 	github.com/denisenkom/go-mssqldb v0.12.3
-	github.com/go-acme/lego/v4 v4.15.0
+	github.com/go-acme/lego/v4 v4.19.2
 	github.com/go-co-op/gocron v1.37.0
 	github.com/go-ldap/ldap v3.0.3+incompatible
-	github.com/go-sql-driver/mysql v1.8.0
-	github.com/gocarina/gocsv v0.0.0-20231116093920-b87c2d0e983a
-	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/go-sql-driver/mysql v1.8.1
+	github.com/gocarina/gocsv v0.0.0-20240520201108-78e41c74b4b1
+	github.com/golang-jwt/jwt/v4 v4.5.1
 	github.com/google/gopacket v1.1.19
 	github.com/gorilla/handlers v1.5.2
 	github.com/gorilla/mux v1.8.1
 	github.com/ivpusic/grpool v1.0.0
 	github.com/lanrenwo/lzsgo v0.0.2
 	github.com/lib/pq v1.10.9
-	github.com/mattn/go-sqlite3 v1.14.22
+	github.com/mattn/go-sqlite3 v1.14.24
 	github.com/orcaman/concurrent-map v1.0.0
-	github.com/pion/dtls/v2 v2.2.10
+	github.com/pion/dtls/v2 v2.2.12
 	github.com/pion/logging v0.2.2
-	github.com/pires/go-proxyproto v0.7.0
+	github.com/pires/go-proxyproto v0.8.0
 	github.com/shirou/gopsutil v3.21.11+incompatible
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/songgao/packets v0.0.0-20160404182456-549a10cd4091
 	github.com/songgao/water v0.0.0-20200317203138-2b4b6d7c09d8
-	github.com/spf13/cast v1.6.0
-	github.com/spf13/cobra v1.8.0
-	github.com/spf13/viper v1.18.2
-	github.com/stretchr/testify v1.8.4
+	github.com/spf13/cast v1.7.0
+	github.com/spf13/cobra v1.8.1
+	github.com/spf13/viper v1.19.0
+	github.com/stretchr/testify v1.9.0
 	github.com/xhit/go-simple-mail/v2 v2.16.0
 	github.com/xlzd/gotp v0.1.0
-	github.com/xuri/excelize/v2 v2.8.1
-	golang.org/x/crypto v0.26.0
-	golang.org/x/net v0.25.0
-	golang.org/x/text v0.17.0
-	golang.org/x/time v0.5.0
+	github.com/xuri/excelize/v2 v2.9.0
+	golang.org/x/crypto v0.28.0
+	golang.org/x/net v0.30.0
+	golang.org/x/text v0.19.0
+	golang.org/x/time v0.7.0
 	layeh.com/radius v0.0.0-20231213012653-1006025d24f8
-	xorm.io/xorm v1.3.8
+	xorm.io/xorm v1.3.9
 )
 
 require (
 	filippo.io/edwards25519 v1.1.0 // indirect
-	github.com/aliyun/alibaba-cloud-sdk-go v1.62.690 // indirect
-	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
-	github.com/cloudflare/cloudflare-go v0.89.0 // indirect
+	github.com/aliyun/alibaba-cloud-sdk-go v1.63.48 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cloudflare/cloudflare-go v0.109.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.3 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
 	github.com/go-test/deep v1.1.0 // indirect
 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-retryablehttp v0.7.5 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/miekg/dns v1.1.58 // indirect
+	github.com/miekg/dns v1.1.62 // indirect
 	github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b // indirect
-	github.com/pelletier/go-toml/v2 v2.1.1 // indirect
-	github.com/pion/transport/v2 v2.2.4 // indirect
-	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pion/transport/v2 v2.2.10 // indirect
+	github.com/pion/transport/v3 v3.0.7 // indirect
+	github.com/sagikazarmark/locafero v0.6.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.873 // indirect
-	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.873 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1036 // indirect
+	github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1036 // indirect
 	github.com/toorop/go-dkim v0.0.0-20240103092955-90b7d1423f92 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 // indirect
-	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c // indirect
+	golang.org/x/mod v0.21.0 // indirect
 	golang.org/x/sync v0.8.0 // indirect
-	golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d // indirect
+	golang.org/x/tools v0.26.0 // indirect
 )
 
 require (
-	github.com/coreos/go-iptables v0.7.0
+	github.com/coreos/go-iptables v0.8.0
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
-	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/goccy/go-json v0.10.3 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/gorilla/websocket v1.5.1 // indirect
+	github.com/gorilla/websocket v1.5.3 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -94,17 +95,17 @@ require (
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/richardlehane/mscfb v1.0.4 // indirect
-	github.com/richardlehane/msoleps v1.0.3 // indirect
+	github.com/richardlehane/msoleps v1.0.4 // indirect
 	github.com/robfig/cron/v3 v3.0.1 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/syndtr/goleveldb v1.0.0 // indirect
-	github.com/tklauser/go-sysconf v0.3.13 // indirect
-	github.com/tklauser/numcpus v0.7.0 // indirect
-	github.com/xuri/efp v0.0.0-20231025114914-d1ff6096ae53 // indirect
-	github.com/xuri/nfp v0.0.0-20230919160717-d98342af3f05 // indirect
-	golang.org/x/sys v0.23.0 // indirect
+	github.com/tklauser/go-sysconf v0.3.14 // indirect
+	github.com/tklauser/numcpus v0.9.0 // indirect
+	github.com/xuri/efp v0.0.0-20240408161823-9ad904a10d6d // indirect
+	github.com/xuri/nfp v0.0.0-20240318013403-ab9948c2c4a7 // indirect
+	golang.org/x/sys v0.26.0 // indirect
 	gopkg.in/asn1-ber.v1 v1.0.0-20181015200546-f715ec2f112d // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

From c7d6a76759d3596b9b357aeda075f35093ecb354 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 6 Nov 2024 17:02:37 +0800
Subject: [PATCH 35/48] =?UTF-8?q?=E5=8D=87=E7=BA=A7=E4=BE=9D=E8=B5=96?=
 =?UTF-8?q?=E7=89=88=E6=9C=AC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/go.yml | 2 +-
 server/go.mod            | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index a503c70..581354f 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -20,7 +20,7 @@ jobs:
       - name: Set up Go 1.x
         uses: actions/setup-go@v4
         with:
-          go-version: '1.20'
+          go-version: '1.22'
           go-version-file: 'server/go.mod'
           cache-dependency-path: 'server/go.sum'
 
diff --git a/server/go.mod b/server/go.mod
index 0769ed2..0f6cad8 100644
--- a/server/go.mod
+++ b/server/go.mod
@@ -1,8 +1,6 @@
 module github.com/bjdgyc/anylink
 
-go 1.22.0
-
-toolchain go1.22.7
+go 1.22
 
 require (
 	github.com/arl/statsviz v0.6.0

From 9ef29545bce06ece89155dcc0808a3cf31ebabe2 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Thu, 7 Nov 2024 16:32:48 +0800
Subject: [PATCH 36/48] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=20auth=5Falone=5Fotp?=
 =?UTF-8?q?=20=E5=BC=80=E5=85=B3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/base/cfg.go             |   1 +
 server/base/config.go          |   1 +
 server/conf/server-sample.toml |  37 +++++++
 server/conf/server.toml        |  30 ------
 server/dbdata/user.go          |  26 +++--
 server/go.sum                  | 187 +++++++++++++++------------------
 server/handler/link_auth.go    |   2 +-
 7 files changed, 141 insertions(+), 143 deletions(-)

diff --git a/server/base/cfg.go b/server/base/cfg.go
index 69b7dbf..fd75af0 100644
--- a/server/base/cfg.go
+++ b/server/base/cfg.go
@@ -87,6 +87,7 @@ type ServerConfig struct {
 
 	DisplayError    bool `json:"display_error"`
 	ExcludeExportIp bool `json:"exclude_export_ip"`
+	AuthAloneOtp    bool `json:"auth_alone_otp"`
 
 	AntiBruteForce bool   `json:"anti_brute_force"`
 	IPWhitelist    string `json:"ip_whitelist"`
diff --git a/server/base/config.go b/server/base/config.go
index 5604fdb..e6f75db 100644
--- a/server/base/config.go
+++ b/server/base/config.go
@@ -72,6 +72,7 @@ var configs = []config{
 
 	{Typ: cfgBool, Name: "display_error", Usage: "客户端显示详细错误信息(线上环境慎开启)", ValBool: false},
 	{Typ: cfgBool, Name: "exclude_export_ip", Usage: "排除出口ip路由(出口ip不加密传输)", ValBool: true},
+	{Typ: cfgBool, Name: "auth_alone_otp", Usage: "登录单独验证OTP窗口", ValBool: false},
 
 	{Typ: cfgBool, Name: "anti_brute_force", Usage: "是否开启防爆功能", ValBool: true},
 	{Typ: cfgStr, Name: "ip_whitelist", Usage: "全局IP白名单,多个用逗号分隔，支持单IP和CIDR范围", ValStr: "192.168.90.1,172.16.0.0/24"},
diff --git a/server/conf/server-sample.toml b/server/conf/server-sample.toml
index 239d454..b66477e 100644
--- a/server/conf/server-sample.toml
+++ b/server/conf/server-sample.toml
@@ -113,3 +113,40 @@ display_error = false
 
 #排除出口ip路由(出口ip不加密传输)
 exclude_export_ip = true
+
+#登录单独验证OTP窗口
+auth_alone_otp = false
+
+
+#防爆破全局开关
+anti_brute_force = true
+#全局IP白名单,多个用逗号分隔，支持单IP和CIDR范围
+ip_whitelist = "192.168.90.1,172.16.0.0/24"
+
+#锁定时间最好不要超过单位时间
+#单位时间内最大尝试次数，0为关闭该功能
+max_ban_score = 5
+#设置单位时间(秒)，超过则重置计数
+ban_reset_time = 600
+#超过最大尝试次数后的锁定时长(秒)
+lock_time = 300
+
+#全局用户单位时间内最大尝试次数,0为关闭该功能
+max_global_user_ban_count = 20
+#全局用户设置单位时间(秒)
+global_user_ban_reset_time = 600
+#全局用户锁定时间(秒)
+global_user_lock_time = 300
+
+#全局IP单位时间内最大尝试次数，0为关闭该功能
+max_global_ip_ban_count = 40
+#全局IP设置单位时间(秒)
+global_ip_ban_reset_time = 1200
+#全局IP锁定时间(秒)
+global_ip_lock_time = 300
+
+#全局锁定状态的保存生命周期(秒),超过则删除记录
+global_lock_state_expiration_time = 3600
+
+
+
diff --git a/server/conf/server.toml b/server/conf/server.toml
index 5dbf53d..d937bf3 100644
--- a/server/conf/server.toml
+++ b/server/conf/server.toml
@@ -53,35 +53,5 @@ ipv4_end = "192.168.90.200"
 #是否自动添加nat
 iptables_nat = true
 
-#防爆破全局开关
-anti_brute_force = true
-#全局IP白名单,多个用逗号分隔，支持单IP和CIDR范围
-ip_whitelist = "192.168.90.1,172.16.0.0/24"
-
-#锁定时间最好不要超过单位时间
-#单位时间内最大尝试次数，0为关闭该功能
-max_ban_score = 5
-#设置单位时间(秒)，超过则重置计数
-ban_reset_time = 600
-#超过最大尝试次数后的锁定时长(秒)
-lock_time = 300
-
-#全局用户单位时间内最大尝试次数,0为关闭该功能
-max_global_user_ban_count = 20
-#全局用户设置单位时间(秒)
-global_user_ban_reset_time = 600
-#全局用户锁定时间(秒)
-global_user_lock_time = 300
-
-#全局IP单位时间内最大尝试次数，0为关闭该功能
-max_global_ip_ban_count = 40
-#全局IP设置单位时间(秒)
-global_ip_ban_reset_time = 1200
-#全局IP锁定时间(秒)
-global_ip_lock_time = 300
-
-#全局锁定状态的保存生命周期(秒),超过则删除记录
-global_lock_state_expiration_time = 3600
-
 #客户端显示详细错误信息(线上环境慎开启)
 display_error = true
diff --git a/server/dbdata/user.go b/server/dbdata/user.go
index 8dbcd15..da93a8c 100644
--- a/server/dbdata/user.go
+++ b/server/dbdata/user.go
@@ -116,25 +116,29 @@ func checkLocalUser(name, pwd, group string) error {
 	if !utils.InArrStr(v.Groups, group) {
 		return fmt.Errorf("%s %s", name, "用户组错误")
 	}
-	// 判断otp信息
-	// pinCode := pwd
-	// if !v.DisableOtp {
-	// 	pinCode = pwd[:pl-6]
-	// 	otp := pwd[pl-6:]
-	// 	if !CheckOtp(name, otp, v.OtpSecret) {
-	// 		return fmt.Errorf("%s %s", name, "动态码错误")
-	// 	}
-	// }
+
+	pinCode := pwd
+	if base.Cfg.AuthAloneOtp == false {
+		// 判断otp信息
+		if !v.DisableOtp {
+			pinCode = pwd[:pl-6]
+			otp := pwd[pl-6:]
+			if !CheckOtp(name, otp, v.OtpSecret) {
+				return fmt.Errorf("%s %s", name, "动态码错误")
+			}
+		}
+	}
+
 	// 判断用户密码
 	// 兼容明文密码
 	if len(v.PinCode) != 60 {
-		if pwd != v.PinCode {
+		if pinCode != v.PinCode {
 			return fmt.Errorf("%s %s", name, "密码错误")
 		}
 		return nil
 	}
 	// 密文密码
-	if !utils.PasswordVerify(pwd, v.PinCode) {
+	if !utils.PasswordVerify(pinCode, v.PinCode) {
 		return fmt.Errorf("%s %s", name, "密码错误")
 	}
 
diff --git a/server/go.sum b/server/go.sum
index 3c0553e..5db49e8 100644
--- a/server/go.sum
+++ b/server/go.sum
@@ -9,17 +9,17 @@ github.com/Azure/azure-sdk-for-go/sdk/internal v0.7.0/go.mod h1:yqy467j36fJxcRV2
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo=
 github.com/ajstarks/svgo v0.0.0-20180226025133-644b8db467af/go.mod h1:K08gAheRH3/J6wwsYMMT4xOr94bZjxIelGM0+d/wbFw=
-github.com/aliyun/alibaba-cloud-sdk-go v1.62.690 h1:9ChlXyXZxVeHXPlsUqquutxxmrEGhNmfQiOW/YKIbq8=
-github.com/aliyun/alibaba-cloud-sdk-go v1.62.690/go.mod h1:CJJYa1ZMxjlN/NbXEwmejEnBkhi0DV+Yb3B2lxf+74o=
+github.com/aliyun/alibaba-cloud-sdk-go v1.63.48 h1:f57dtSI1BJfF5FO7JJ7ljMh79Ae64nbbDfUOey5PBa0=
+github.com/aliyun/alibaba-cloud-sdk-go v1.63.48/go.mod h1:SOSDHfe1kX91v3W5QiBsWSLqeLxImobbMX1mxrFHsVQ=
 github.com/arl/statsviz v0.6.0 h1:jbW1QJkEYQkufd//4NDYRSNBpwJNrdzPahF7ZmoGdyE=
 github.com/arl/statsviz v0.6.0/go.mod h1:0toboo+YGSUXDaS4g1D5TVS4dXs7S7YYT5J/qnW2h8s=
-github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
-github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cloudflare/cloudflare-go v0.89.0 h1:3zoVntC8xmUR/weFEcNE1RizdW4LRZdQnJ/AN8DDa1U=
-github.com/cloudflare/cloudflare-go v0.89.0/go.mod h1:eyuehb1i6BNRc+ZwaTZAiRHeE+4jbKvHAns19oGeakg=
-github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8=
-github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
-github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cloudflare/cloudflare-go v0.109.0 h1:Wjp+RfJD1lidIFUlrTBqUQnCBrUnmVsLxgzWYiURueg=
+github.com/cloudflare/cloudflare-go v0.109.0/go.mod h1:m492eNahT/9MsN7Ppnoge8AaI7QhVFtEgVm3I9HJFeU=
+github.com/coreos/go-iptables v0.8.0 h1:MPc2P89IhuVpLI7ETL/2tx3XZ61VeICZjYqDEgNsPRc=
+github.com/coreos/go-iptables v0.8.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -32,39 +32,37 @@ github.com/denisenkom/go-mssqldb v0.12.3/go.mod h1:k0mtMFOnU+AihqFxPMiF05rtiDror
 github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/dustin/go-humanize v1.0.0 h1:VSnTsYCnlFHaM2/igO1h6X3HA71jcobQuxemgkq4zYo=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
-github.com/fatih/color v1.14.1 h1:qfhVLaG5s+nCROl1zJsZRxFeYrHLqWroPOQ8BWiNb4w=
-github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8WlgGZGg=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/fogleman/gg v1.2.1-0.20190220221249-0403632d5b90/go.mod h1:R/bRT+9gY/C5z7JzPU0zXsXHKM4/ayA+zqcVNZzPa1k=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
-github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/go-acme/lego/v4 v4.15.0 h1:A7MHEU3b+TDFqhC/HmzMJnzPbyeaYvMZQBbqgvbThhU=
-github.com/go-acme/lego/v4 v4.15.0/go.mod h1:eeGhjW4zWT7Ccqa3sY7ayEqFLCAICx+mXgkMHKIkLxg=
+github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
+github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/go-acme/lego/v4 v4.19.2 h1:Y8hrmMvWETdqzzkRly7m98xtPJJivWFsgWi8fcvZo+Y=
+github.com/go-acme/lego/v4 v4.19.2/go.mod h1:wtDe3dDkmV4/oI2nydpNXSJpvV10J9RCyZ6MbYxNtlQ=
 github.com/go-co-op/gocron v1.37.0 h1:ZYDJGtQ4OMhTLKOKMIch+/CY70Brbb1dGdooLEhh7b0=
 github.com/go-co-op/gocron v1.37.0/go.mod h1:3L/n6BkO7ABj+TrfSVXLRzsP26zmikL4ISkLQ0O8iNY=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
-github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
-github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
+github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
+github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-ldap/ldap v3.0.3+incompatible h1:HTeSZO8hWMS1Rgb2Ziku6b8a7qRIZZMHjsvuZyatzwk=
 github.com/go-ldap/ldap v3.0.3+incompatible/go.mod h1:qfd9rJvER9Q0/D/Sqn1DfHRoBp40uXYvFoEVrNEPqRc=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
-github.com/go-sql-driver/mysql v1.8.0 h1:UtktXaU2Nb64z/pLiGIxY4431SJ4/dR5cjMmlVHgnT4=
-github.com/go-sql-driver/mysql v1.8.0/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
+github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
+github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
 github.com/go-test/deep v1.1.0 h1:WOcxcdHcvdgThNXjw0t76K42FXTU7HpNQWHpA2HHNlg=
 github.com/go-test/deep v1.1.0/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
-github.com/gocarina/gocsv v0.0.0-20231116093920-b87c2d0e983a h1:RYfmiM0zluBJOiPDJseKLEN4BapJ42uSi9SZBQ2YyiA=
-github.com/gocarina/gocsv v0.0.0-20231116093920-b87c2d0e983a/go.mod h1:5YoVOkjYAQumqlV356Hj3xeYh4BdZuLE0/nRkf2NKkI=
-github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
-github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/gocarina/gocsv v0.0.0-20240520201108-78e41c74b4b1 h1:FWNFq4fM1wPfcK40yHE5UO3RUdSNPaBC+j3PokzA6OQ=
+github.com/gocarina/gocsv v0.0.0-20240520201108-78e41c74b4b1/go.mod h1:5YoVOkjYAQumqlV356Hj3xeYh4BdZuLE0/nRkf2NKkI=
+github.com/goccy/go-json v0.10.3 h1:KZ5WoDbxAIgm2HNbYckL0se1fHD6rz5j4ywS6ebzDqA=
+github.com/goccy/go-json v0.10.3/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/goji/httpauth v0.0.0-20160601135302-2da839ab0f4d/go.mod h1:nnjvkQ9ptGaCkuDUx6wNykzzlUixGxvkme+H/lnzb+A=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.1 h1:JdqV9zKUdtaa9gdPlywC3aeoEsR681PlKC+4F5gQgeo=
+github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
@@ -77,7 +75,6 @@ github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
@@ -92,15 +89,8 @@ github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyE
 github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
-github.com/gorilla/websocket v1.5.1 h1:gmztn0JnHVt9JZquRuzLw3g4wouNVzKL15iLr/zn/QY=
-github.com/gorilla/websocket v1.5.1/go.mod h1:x3kM2JMyaluk02fnUJpQuwD2dCS5NDG2ZHL0uE0tcaY=
-github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
-github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
-github.com/hashicorp/go-hclog v0.9.2/go.mod h1:5CU+agLiy3J7N7QjHK5d05KxGsuXiQLrjA0H7acj2lQ=
-github.com/hashicorp/go-hclog v1.5.0 h1:bI2ocEMgcVlz55Oj1xZNBsVi900c7II+fWDyV9o+13c=
-github.com/hashicorp/go-hclog v1.5.0/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
-github.com/hashicorp/go-retryablehttp v0.7.5 h1:bJj+Pj19UZMIweq/iie+1u5YCdGrnxCT9yvm0e+Nd5M=
-github.com/hashicorp/go-retryablehttp v0.7.5/go.mod h1:Jy/gPYAdjqffZ/yFGCFV2doI5wjtH1ewM9u8iYVjtX8=
+github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
+github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
@@ -109,12 +99,10 @@ github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/ivpusic/grpool v1.0.0 h1:+FCiCo3GhfsvzfXuJWnpJUNb/VaqyYVgG8C+qvh07Rc=
 github.com/ivpusic/grpool v1.0.0/go.mod h1:WPmiAI5ExAn06vg+0JzyPzXMQutJmpb7TrBtyLJkOHQ=
-github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
-github.com/json-iterator/go v1.1.5/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jung-kurt/gofpdf v1.0.3-0.20190309125859-24315acbbda5/go.mod h1:7Id9E/uU8ce6rXgefFLlgrJj/GYY22cpxn+r32jIOes=
@@ -135,20 +123,17 @@ github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
 github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
-github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
-github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
-github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
-github.com/miekg/dns v1.1.58 h1:ca2Hdkz+cDg/7eNF6V56jjzuZ4aCAE+DbVkILdQWG/4=
-github.com/miekg/dns v1.1.58/go.mod h1:Ypv+3b/KadlvW9vJfXOTf300O4UqaHFzFCuHz+rPkBY=
+github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
+github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
+github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3PzxT8aQXRPkAt8xlV/e7d7w8GM5g0fa5F0D8=
@@ -164,16 +149,19 @@ github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b h1:Ff
 github.com/opentracing/opentracing-go v1.2.1-0.20220228012449-10b1cf09e00b/go.mod h1:AC62GU6hc0BrNm+9RK9VSiwa/EUe1bkIeFORAMcHvJU=
 github.com/orcaman/concurrent-map v1.0.0 h1:I/2A2XPCb4IuQWcQhBhSwGfiuybl/J0ev9HDbW65HOY=
 github.com/orcaman/concurrent-map v1.0.0/go.mod h1:Lu3tH6HLW3feq74c2GC+jIMS/K2CFcDWnWD9XkenwhI=
-github.com/pelletier/go-toml/v2 v2.1.1 h1:LWAJwfNvjQZCFIDKWYQaM62NcYeYViCmWIwmOStowAI=
-github.com/pelletier/go-toml/v2 v2.1.1/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
-github.com/pion/dtls/v2 v2.2.10 h1:u2Axk+FyIR1VFTPurktB+1zoEPGIW3bmyj3LEFrXjAA=
-github.com/pion/dtls/v2 v2.2.10/go.mod h1:d9SYc9fch0CqK90mRk1dC7AkzzpwJj6u2GU3u+9pqFE=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
+github.com/pion/dtls/v2 v2.2.12 h1:KP7H5/c1EiVAAKUmXyCzPiQe5+bCJrpOeKg/L05dunk=
+github.com/pion/dtls/v2 v2.2.12/go.mod h1:d9SYc9fch0CqK90mRk1dC7AkzzpwJj6u2GU3u+9pqFE=
 github.com/pion/logging v0.2.2 h1:M9+AIj/+pxNsDfAT64+MAVgJO0rsyLnoJKCqf//DoeY=
 github.com/pion/logging v0.2.2/go.mod h1:k0/tDVsRCX2Mb2ZEmTqNa7CWsQPc+YYCB7Q+5pahoms=
-github.com/pion/transport/v2 v2.2.4 h1:41JJK6DZQYSeVLxILA2+F4ZkKb4Xd/tFJZRFZQ9QAlo=
 github.com/pion/transport/v2 v2.2.4/go.mod h1:q2U/tf9FEfnSBGSW6w5Qp5PFWRLRj3NjLhCCgpRK4p0=
-github.com/pires/go-proxyproto v0.7.0 h1:IukmRewDQFWC7kfnb66CSomk2q/seBuilHBYFwyq0Hs=
-github.com/pires/go-proxyproto v0.7.0/go.mod h1:Vz/1JPY/OACxWGQNIRY2BeyDmpoaWmEP40O9LbuiFR4=
+github.com/pion/transport/v2 v2.2.10 h1:ucLBLE8nuxiHfvkFKnkDQRYWYfp8ejf4YBOPfaQpw6Q=
+github.com/pion/transport/v2 v2.2.10/go.mod h1:sq1kSLWs+cHW9E+2fJP95QudkzbK7wscs8yYgQToO5E=
+github.com/pion/transport/v3 v3.0.7 h1:iRbMH05BzSNwhILHoBoAPxoB9xQgOaJk+591KC9P1o0=
+github.com/pion/transport/v3 v3.0.7/go.mod h1:YleKiTZ4vqNxVwh77Z0zytYi7rXHl7j6uPLGhhz9rwo=
+github.com/pires/go-proxyproto v0.8.0 h1:5unRmEAPbHXHuLjDg01CxJWf91cw3lKHc/0xzKpXEe0=
+github.com/pires/go-proxyproto v0.8.0/go.mod h1:iknsfgnH8EkjrMeMyvfKByp9TiBZCKZM0jx2xmKqnVY=
 github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -186,8 +174,8 @@ github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qq
 github.com/richardlehane/mscfb v1.0.4 h1:WULscsljNPConisD5hR0+OyZjwK46Pfyr6mPu5ZawpM=
 github.com/richardlehane/mscfb v1.0.4/go.mod h1:YzVpcZg9czvAuhk9T+a3avCpcFPMUWm7gK3DypaEsUk=
 github.com/richardlehane/msoleps v1.0.1/go.mod h1:BWev5JBpU9Ko2WAgmZEuiz4/u3ZYTKbjLycmwiWUfWg=
-github.com/richardlehane/msoleps v1.0.3 h1:aznSZzrwYRl3rLKRT3gUk9am7T/mLNSnJINvN0AQoVM=
-github.com/richardlehane/msoleps v1.0.3/go.mod h1:BWev5JBpU9Ko2WAgmZEuiz4/u3ZYTKbjLycmwiWUfWg=
+github.com/richardlehane/msoleps v1.0.4 h1:WuESlvhX3gH2IHcd8UqyCuFY5yiq/GR/yqaSM/9/g00=
+github.com/richardlehane/msoleps v1.0.4/go.mod h1:BWev5JBpU9Ko2WAgmZEuiz4/u3ZYTKbjLycmwiWUfWg=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
 github.com/rogpeppe/go-internal v1.6.1/go.mod h1:xXDCJY+GAPziupqXw64V24skbSoqbTEfhy4qGm1nDQc=
@@ -195,8 +183,8 @@ github.com/rogpeppe/go-internal v1.8.1/go.mod h1:JeRgkft04UBgHMgCIwADu4Pn6Mtm5d4
 github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
 github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ=
-github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4=
+github.com/sagikazarmark/locafero v0.6.0 h1:ON7AQg37yzcRPU69mt7gwhFEBwxI6P9T4Qu3N51bwOk=
+github.com/sagikazarmark/locafero v0.6.0/go.mod h1:77OmuIc6VTraTXKXIs/uvUxKGUXjE1GbemJYHqdNjX0=
 github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=
 github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
 github.com/shirou/gopsutil v3.21.11+incompatible h1:+1+c1VGhc88SSonWP6foOcLhvnKlUeu/erjjvaPEYiI=
@@ -211,37 +199,37 @@ github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9yS
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
 github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
-github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
-github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
-github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
-github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
+github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
+github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ=
-github.com/spf13/viper v1.18.2/go.mod h1:EKmWIqdnk5lOcmR72yw6hS+8OPYcwD0jteitLMVB+yk=
+github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI=
+github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
+github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/syndtr/goleveldb v1.0.0 h1:fBdIW9lB4Iz0n9khmH8w27SJ3QEJ7+IgjPEwGSZiFdE=
 github.com/syndtr/goleveldb v1.0.0/go.mod h1:ZVVdQEZoIme9iO1Ch2Jdy24qqXrMMOU6lpPAyBWyWuQ=
-github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.873 h1:VdQ+lQ98CFwbmfQj02iMVWWzdwnKubuICIa2QhzQBJI=
-github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.873/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
-github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.873 h1:qawAviStyrk6b2bHvRvKxmiiL8Cu6KujtzAHktLqdFI=
-github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.873/go.mod h1:wqyJy+a/L53zH8pRDNOF+7t9iZhSPANmYSuUfvVp9NE=
-github.com/tklauser/go-sysconf v0.3.13 h1:GBUpcahXSpR2xN01jhkNAbTLRk2Yzgggk8IM08lq3r4=
-github.com/tklauser/go-sysconf v0.3.13/go.mod h1:zwleP4Q4OehZHGn4CYZDipCgg9usW5IJePewFCGVEa0=
-github.com/tklauser/numcpus v0.7.0 h1:yjuerZP127QG9m5Zh/mSO4wqurYil27tHrqwRoRjpr4=
-github.com/tklauser/numcpus v0.7.0/go.mod h1:bb6dMVcj8A42tSE7i32fsIUCbQNllK5iDguyOZRUzAY=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1036 h1:B3GO+IBOrjrq8sN5bT9e8GMHWguHkyyGdNEos6cp5cE=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/common v1.0.1036/go.mod h1:r5r4xbfxSaeR04b166HGsBa/R4U3SueirEUpXGuw+Q0=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1036 h1:lpDbM5GqLY67hGkndcRfledZf14sJaY+LOcHp5I4BkQ=
+github.com/tencentcloud/tencentcloud-sdk-go/tencentcloud/dnspod v1.0.1036/go.mod h1:WuuxNlel804BVTQYrE9qauuiu2462Va04PlIr8/FVJY=
+github.com/tklauser/go-sysconf v0.3.14 h1:g5vzr9iPFFz24v2KZXs/pvpvh8/V9Fw6vQK5ZZb78yU=
+github.com/tklauser/go-sysconf v0.3.14/go.mod h1:1ym4lWMLUOhuBOPGtRcJm7tEGX4SCYNEEEtghGG/8uY=
+github.com/tklauser/numcpus v0.9.0 h1:lmyCHtANi8aRUgkckBgoDk1nHCux3n2cgkJLXdQGPDo=
+github.com/tklauser/numcpus v0.9.0/go.mod h1:SN6Nq1O3VychhC1npsWostA+oW+VOQTxZrS604NSRyI=
 github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208/go.mod h1:BzWtXXrXzZUvMacR0oF/fbDDgUPO8L36tDMmRAf14ns=
 github.com/toorop/go-dkim v0.0.0-20240103092955-90b7d1423f92 h1:flbMkdl6HxQkLs6DDhH1UkcnFpNBOu70391STjMS0O4=
 github.com/toorop/go-dkim v0.0.0-20240103092955-90b7d1423f92/go.mod h1:BzWtXXrXzZUvMacR0oF/fbDDgUPO8L36tDMmRAf14ns=
@@ -249,16 +237,17 @@ github.com/uber/jaeger-client-go v2.30.0+incompatible h1:D6wyKGCecFaSRUpo8lCVbaO
 github.com/uber/jaeger-client-go v2.30.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
 github.com/uber/jaeger-lib v2.4.1+incompatible h1:td4jdvLcExb4cBISKIpHuGoVXh+dVKhn2Um6rjCsSsg=
 github.com/uber/jaeger-lib v2.4.1+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U=
+github.com/wlynxg/anet v0.0.3/go.mod h1:eay5PRQr7fIVAMbTbchTnO9gG65Hg/uYGdc7mguHxoA=
 github.com/xhit/go-simple-mail/v2 v2.16.0 h1:ouGy/Ww4kuaqu2E2UrDw7SvLaziWTB60ICLkIkNVccA=
 github.com/xhit/go-simple-mail/v2 v2.16.0/go.mod h1:b7P5ygho6SYE+VIqpxA6QkYfv4teeyG4MKqB3utRu98=
 github.com/xlzd/gotp v0.1.0 h1:37blvlKCh38s+fkem+fFh7sMnceltoIEBYTVXyoa5Po=
 github.com/xlzd/gotp v0.1.0/go.mod h1:ndLJ3JKzi3xLmUProq4LLxCuECL93dG9WASNLpHz8qg=
-github.com/xuri/efp v0.0.0-20231025114914-d1ff6096ae53 h1:Chd9DkqERQQuHpXjR/HSV1jLZA6uaoiwwH3vSuF3IW0=
-github.com/xuri/efp v0.0.0-20231025114914-d1ff6096ae53/go.mod h1:ybY/Jr0T0GTCnYjKqmdwxyxn2BQf2RcQIIvex5QldPI=
-github.com/xuri/excelize/v2 v2.8.1 h1:pZLMEwK8ep+CLIUWpWmvW8IWE/yxqG0I1xcN6cVMGuQ=
-github.com/xuri/excelize/v2 v2.8.1/go.mod h1:oli1E4C3Pa5RXg1TBXn4ENCXDV5JUMlBluUhG7c+CEE=
-github.com/xuri/nfp v0.0.0-20230919160717-d98342af3f05 h1:qhbILQo1K3mphbwKh1vNm4oGezE1eF9fQWmNiIpSfI4=
-github.com/xuri/nfp v0.0.0-20230919160717-d98342af3f05/go.mod h1:WwHg+CVyzlv/TX9xqBFXEZAuxOPxn2k1GNHwG41IIUQ=
+github.com/xuri/efp v0.0.0-20240408161823-9ad904a10d6d h1:llb0neMWDQe87IzJLS4Ci7psK/lVsjIS2otl+1WyRyY=
+github.com/xuri/efp v0.0.0-20240408161823-9ad904a10d6d/go.mod h1:ybY/Jr0T0GTCnYjKqmdwxyxn2BQf2RcQIIvex5QldPI=
+github.com/xuri/excelize/v2 v2.9.0 h1:1tgOaEq92IOEumR1/JfYS/eR0KHOCsRv/rYXXh6YJQE=
+github.com/xuri/excelize/v2 v2.9.0/go.mod h1:uqey4QBZ9gdMeWApPLdhm9x+9o2lq4iVmjiLfBS5hdE=
+github.com/xuri/nfp v0.0.0-20240318013403-ab9948c2c4a7 h1:hPVCafDV85blFTabnqKgNhDCkJX25eik94Si9cTER4A=
+github.com/xuri/nfp v0.0.0-20240318013403-ab9948c2c4a7/go.mod h1:WwHg+CVyzlv/TX9xqBFXEZAuxOPxn2k1GNHwG41IIUQ=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
@@ -276,29 +265,28 @@ golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0
 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
-golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
-golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
+golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
+golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
 golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136/go.mod h1:JXzH8nQsPlswgeRAPE3MuO9GYsAcnJvJ4vnMwN/5qkY=
-golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 h1:LfspQV/FYTatPTr/3HzIcmiUFH7PGP+OQ6mgDYo3yuQ=
-golang.org/x/exp v0.0.0-20240222234643-814bf88cf225/go.mod h1:CxmFvTBINI24O/j8iY7H1xHzx2i4OsyguNBmN/uPtqc=
+golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c h1:7dEasQXItcW1xKJ2+gg5VOiBnqWrJc+rq0DPKyvvdbY=
+golang.org/x/exp v0.0.0-20241009180824-f66d83c29e7c/go.mod h1:NQtJDoLvd6faHhE7m4T/1IY708gDefGGjR/iUW8yQQ8=
 golang.org/x/image v0.0.0-20180708004352-c73c2afc3b81/go.mod h1:ux5Hcp/YLpHSI86hEcLt0YII63i6oz57MZXIpbrjZUs=
 golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js=
 golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0=
-golang.org/x/image v0.14.0 h1:tNgSxAFe3jC4uYqvZdTr84SZoM1KfwdC9SKIFrLjFn4=
-golang.org/x/image v0.14.0/go.mod h1:HUYqC05R2ZcZ3ejNQsIHQDQiwWM4JBqmm6MKANTp4LE=
+golang.org/x/image v0.18.0 h1:jGzIakQa/ZXI1I0Fxvaa9W7yP25TqT6cHIHn+6CqvSQ=
+golang.org/x/image v0.18.0/go.mod h1:4yyo5vMFQjVjUcVk4jEQcU9MGy/rulF5WvUILseCM2E=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.1.0/go.mod h1:0QHyrYULN0/3qlju5TqG8bIK38QM8yzMo5ekMj3DlcY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
-golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
+golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -310,8 +298,8 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
 golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
-golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
-golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
+golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -334,9 +322,8 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.23.0 h1:YfKFowiIMvtgl1UERQoTPPToxltDeZfbj4H7dVUCwmM=
-golang.org/x/sys v0.23.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
+golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -344,7 +331,6 @@ golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
-golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -354,10 +340,10 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
-golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
+golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -366,8 +352,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
-golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
+golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -386,7 +372,6 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV
 gopkg.in/errgo.v2 v2.1.0/go.mod h1:hNsd1EY+bozCKY1Ytp96fpM3vjJbqLJn88ws8XvfDNI=
 gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
-gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
 gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
@@ -425,5 +410,5 @@ modernc.org/token v1.0.1/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
 rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
 xorm.io/builder v0.3.13 h1:a3jmiVVL19psGeXx8GIurTp7p0IIgqeDmwhcR6BAOAo=
 xorm.io/builder v0.3.13/go.mod h1:aUW0S9eb9VCaPohFCH3j7czOx1PMW3i1HrSzbLYGBSE=
-xorm.io/xorm v1.3.8 h1:CJmplmWqfSRpLWSPMmqz+so8toBp3m7ehuRehIWedZo=
-xorm.io/xorm v1.3.8/go.mod h1:LsCCffeeYp63ssk0pKumP6l96WZcHix7ChpurcLNuMw=
+xorm.io/xorm v1.3.9 h1:TUovzS0ko+IQ1XnNLfs5dqK1cJl1H5uHpWbWqAQ04nU=
+xorm.io/xorm v1.3.9/go.mod h1:LsCCffeeYp63ssk0pKumP6l96WZcHix7ChpurcLNuMw=
diff --git a/server/handler/link_auth.go b/server/handler/link_auth.go
index 666330d..b8804d6 100644
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -118,7 +118,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	// 用户otp验证
-	if !v.DisableOtp {
+	if base.Cfg.AuthAloneOtp && !v.DisableOtp {
 		lockManager.LoginStatus.Store(loginStatusKey, true) // 重置OTP验证计数
 		sessionID, err := GenerateSessionID()
 		if err != nil {

From 2b757b65b6c350bb5181b7a6b1ad8b0994affb88 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Tue, 12 Nov 2024 15:11:28 +0800
Subject: [PATCH 37/48] =?UTF-8?q?=E4=BF=AE=E6=94=B9=20LoginStatus=20?=
 =?UTF-8?q?=E7=94=A8=20context=20=E4=BC=A0=E9=80=92?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/antiBruteForce.go | 22 +++++++++++++++++-----
 server/handler/link_auth.go      | 10 ++++++++--
 server/handler/link_auth_otp.go  |  8 ++++++--
 3 files changed, 31 insertions(+), 9 deletions(-)

diff --git a/server/handler/antiBruteForce.go b/server/handler/antiBruteForce.go
index 7a5e82c..5dc42f1 100644
--- a/server/handler/antiBruteForce.go
+++ b/server/handler/antiBruteForce.go
@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"context"
 	"encoding/xml"
 	"io"
 	"net"
@@ -16,15 +17,24 @@ var lockManager = admin.GetLockManager()
 
 const loginStatusKey = "login_status"
 
+type HttpContext struct {
+	LoginStatus bool // 登录状态
+}
+
 // 防爆破中间件
 func antiBruteForce(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	return http.HandlerFunc(func(w http.ResponseWriter, old_r *http.Request) {
 		// 防爆破功能全局开关
 		if !base.Cfg.AntiBruteForce {
-			next.ServeHTTP(w, r)
+			next.ServeHTTP(w, old_r)
 			return
 		}
 
+		// 非并发安全
+		hc := &HttpContext{}
+		ctx := context.WithValue(context.Background(), loginStatusKey, hc)
+		r := old_r.WithContext(ctx)
+
 		body, err := io.ReadAll(r.Body)
 		if err != nil {
 			http.Error(w, "Failed to read request body", http.StatusBadRequest)
@@ -96,8 +106,10 @@ func antiBruteForce(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 
 		// 检查登录状态
-		Status, _ := lockManager.LoginStatus.Load(loginStatusKey)
-		loginStatus, _ := Status.(bool)
+		// Status, _ := lockManager.LoginStatus.Load(loginStatusKey)
+		// loginStatus, _ := Status.(bool)
+
+		loginStatus := hc.LoginStatus
 
 		// 更新用户登录状态
 		lockManager.UpdateGlobalIPLock(ip, now, loginStatus)
@@ -105,6 +117,6 @@ func antiBruteForce(next http.Handler) http.Handler {
 		lockManager.UpdateUserIPLock(username, ip, now, loginStatus)
 
 		// 清除登录状态
-		lockManager.LoginStatus.Delete(loginStatusKey)
+		// lockManager.LoginStatus.Delete(loginStatusKey)
 	})
 }
diff --git a/server/handler/link_auth.go b/server/handler/link_auth.go
index b8804d6..221b3e2 100644
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -94,7 +94,10 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	// TODO 用户密码校验
 	err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect)
 	if err != nil {
-		lockManager.LoginStatus.Store(loginStatusKey, false) // 记录登录失败状态
+		// lockManager.LoginStatus.Store(loginStatusKey, false) // 记录登录失败状态
+		hc := r.Context().Value(loginStatusKey).(*HttpContext)
+		hc.LoginStatus = false
+
 		base.Warn(err, r.RemoteAddr)
 		ua.Info = err.Error()
 		ua.Status = dbdata.UserAuthFail
@@ -119,7 +122,10 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	}
 	// 用户otp验证
 	if base.Cfg.AuthAloneOtp && !v.DisableOtp {
-		lockManager.LoginStatus.Store(loginStatusKey, true) // 重置OTP验证计数
+		// lockManager.LoginStatus.Store(loginStatusKey, true) // 重置OTP验证计数
+		hc := r.Context().Value(loginStatusKey).(*HttpContext)
+		hc.LoginStatus = true
+
 		sessionID, err := GenerateSessionID()
 		if err != nil {
 			base.Error("Failed to generate session ID: ", err)
diff --git a/server/handler/link_auth_otp.go b/server/handler/link_auth_otp.go
index 4db0f59..007e471 100644
--- a/server/handler/link_auth_otp.go
+++ b/server/handler/link_auth_otp.go
@@ -109,7 +109,9 @@ func DeleteCookie(w http.ResponseWriter, name string) {
 	http.SetCookie(w, cookie)
 }
 func CreateSession(w http.ResponseWriter, r *http.Request, authSession *AuthSession) {
-	lockManager.LoginStatus.Store(loginStatusKey, true) // 更新登录成功状态
+	// lockManager.LoginStatus.Store(loginStatusKey, true) // 更新登录成功状态
+	hc := r.Context().Value(loginStatusKey).(*HttpContext)
+	hc.LoginStatus = true
 
 	cr := authSession.ClientRequest
 	ua := authSession.UserActLog
@@ -201,7 +203,9 @@ func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
 		// 	http.Error(w, "TooManyError, please login again", http.StatusBadRequest)
 		// 	return
 		// }
-		lockManager.LoginStatus.Store(loginStatusKey, false) // 记录登录失败状态
+		// lockManager.LoginStatus.Store(loginStatusKey, false) // 记录登录失败状态
+		hc := r.Context().Value(loginStatusKey).(*HttpContext)
+		hc.LoginStatus = false
 
 		base.Warn("OTP 动态码错误", username, r.RemoteAddr)
 		ua.Info = "OTP 动态码错误"

From fe47b22cf16ff0959bbce204e1862cb7839495d1 Mon Sep 17 00:00:00 2001
From: wsczx <wsc@wsczx.com>
Date: Wed, 13 Nov 2024 09:35:07 +0800
Subject: [PATCH 38/48] =?UTF-8?q?=E8=A7=A3=E5=86=B3=E9=98=B2=E7=88=86?=
 =?UTF-8?q?=E5=B9=B6=E8=A1=8C=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/admin/lockmanager.go      | 71 ++++++++++++++++++++++++++++----
 server/handler/antiBruteForce.go |  3 +-
 server/handler/link_auth.go      | 17 ++++++--
 server/handler/link_auth_otp.go  | 21 +++++++---
 server/handler/server.go         |  6 ++-
 5 files changed, 96 insertions(+), 22 deletions(-)

diff --git a/server/admin/lockmanager.go b/server/admin/lockmanager.go
index 968ae64..af67621 100644
--- a/server/admin/lockmanager.go
+++ b/server/admin/lockmanager.go
@@ -2,7 +2,6 @@ package admin
 
 import (
 	"encoding/json"
-	"fmt"
 	"io"
 	"net"
 	"net/http"
@@ -31,8 +30,8 @@ type IPWhitelists struct {
 }
 
 type LockManager struct {
-	mu            sync.Mutex
-	LoginStatus   sync.Map                         // 登录状态
+	mu sync.Mutex
+	// LoginStatus   sync.Map                         // 登录状态
 	ipLocks       map[string]*LockState            // 全局IP锁定状态
 	userLocks     map[string]*LockState            // 全局用户锁定状态
 	ipUserLocks   map[string]map[string]*LockState // 单用户IP锁定状态
@@ -46,7 +45,7 @@ var once sync.Once
 func GetLockManager() *LockManager {
 	once.Do(func() {
 		lockmanager = &LockManager{
-			LoginStatus:  sync.Map{},
+			// LoginStatus:  sync.Map{},
 			ipLocks:      make(map[string]*LockState),
 			userLocks:    make(map[string]*LockState),
 			ipUserLocks:  make(map[string]map[string]*LockState),
@@ -89,7 +88,7 @@ func UnlockUser(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if lockinfo.State == nil {
-		RespError(w, RespInternalErr, fmt.Errorf("未找到锁定用户！"))
+		RespError(w, RespInternalErr, "未找到锁定用户！")
 		return
 	}
 	lm := GetLockManager()
@@ -111,7 +110,7 @@ func UnlockUser(w http.ResponseWriter, r *http.Request) {
 	}
 
 	if state == nil || !state.Locked {
-		RespError(w, RespInternalErr, fmt.Errorf("锁定状态未找到或已解锁"))
+		RespError(w, RespInternalErr, "锁定状态未找到或已解锁")
 		return
 	}
 
@@ -238,14 +237,14 @@ func (lm *LockManager) CleanupExpiredLocks() {
 	defer lm.mu.Unlock()
 
 	for ip, state := range lm.ipLocks {
-		if !lm.CheckLockState(state, now, base.Cfg.GlobalIPLockTime) ||
+		if !lm.CheckLockState(state, now, base.Cfg.GlobalIPBanResetTime) ||
 			now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
 			delete(lm.ipLocks, ip)
 		}
 	}
 
 	for user, state := range lm.userLocks {
-		if !lm.CheckLockState(state, now, base.Cfg.GlobalUserLockTime) ||
+		if !lm.CheckLockState(state, now, base.Cfg.GlobalUserBanResetTime) ||
 			now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
 			delete(lm.userLocks, user)
 		}
@@ -253,7 +252,7 @@ func (lm *LockManager) CleanupExpiredLocks() {
 
 	for user, ipMap := range lm.ipUserLocks {
 		for ip, state := range ipMap {
-			if !lm.CheckLockState(state, now, base.Cfg.LockTime) ||
+			if !lm.CheckLockState(state, now, base.Cfg.BanResetTime) ||
 				now.Sub(state.LastAttempt) > time.Duration(base.Cfg.GlobalLockStateExpirationTime)*time.Second {
 				delete(ipMap, ip)
 				if len(ipMap) == 0 {
@@ -410,3 +409,57 @@ func (lm *LockManager) Unlock(state *LockState) {
 	state.LockTime = time.Time{}
 	state.Locked = false
 }
+
+// 检查锁定状态
+func (lm *LockManager) CheckLocked(username, ipaddr string) bool {
+	if !base.Cfg.AntiBruteForce {
+		return true
+	}
+
+	ip, _, err := net.SplitHostPort(ipaddr) // 提取纯 IP 地址，去掉端口号
+	if err != nil {
+		base.Error("检查锁定状态失败,提取IP地址错误:", ipaddr)
+		return true
+	}
+	now := time.Now()
+
+	// 检查IP是否在白名单中
+	if lm.IsWhitelisted(ip) {
+		return true
+	}
+
+	// 检查全局 IP 锁定
+	if base.Cfg.MaxGlobalIPBanCount > 0 && lm.CheckGlobalIPLock(ip, now) {
+		base.Warn("IP", ip, "is globally locked. Try again later.")
+		return false
+	}
+
+	// 检查全局用户锁定
+	if base.Cfg.MaxGlobalUserBanCount > 0 && lm.CheckGlobalUserLock(username, now) {
+		base.Warn("User", username, "is globally locked. Try again later.")
+		return false
+	}
+
+	// 检查单个用户的 IP 锁定
+	if base.Cfg.MaxBanCount > 0 && lm.CheckUserIPLock(username, ip, now) {
+		base.Warn("IP", ip, "is locked for user", username, "Try again later.")
+		return false
+	}
+
+	return true
+}
+
+// 更新用户登录状态
+func (lm *LockManager) UpdateLoginStatus(username, ipaddr string, loginStatus bool) {
+	ip, _, err := net.SplitHostPort(ipaddr) // 提取纯 IP 地址，去掉端口号
+	if err != nil {
+		base.Error("更新登录状态失败,提取IP地址错误:", ipaddr)
+		return
+	}
+	now := time.Now()
+
+	// 更新用户登录状态
+	lm.UpdateGlobalIPLock(ip, now, loginStatus)
+	lm.UpdateGlobalUserLock(username, now, loginStatus)
+	lm.UpdateUserIPLock(username, ip, now, loginStatus)
+}
diff --git a/server/handler/antiBruteForce.go b/server/handler/antiBruteForce.go
index 5dc42f1..cb6a990 100644
--- a/server/handler/antiBruteForce.go
+++ b/server/handler/antiBruteForce.go
@@ -9,11 +9,10 @@ import (
 	"strings"
 	"time"
 
-	"github.com/bjdgyc/anylink/admin"
 	"github.com/bjdgyc/anylink/base"
 )
 
-var lockManager = admin.GetLockManager()
+// var lockManager = admin.GetLockManager()
 
 const loginStatusKey = "login_status"
 
diff --git a/server/handler/link_auth.go b/server/handler/link_auth.go
index 221b3e2..b1e95a1 100644
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -77,6 +77,13 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusBadRequest)
 		return
 	}
+
+	// 锁定状态判断
+	if !lockManager.CheckLocked(cr.Auth.Username, r.RemoteAddr) {
+		w.WriteHeader(http.StatusTooManyRequests)
+		return
+	}
+
 	// 用户活动日志
 	ua := &dbdata.UserActLog{
 		Username:        cr.Auth.Username,
@@ -95,8 +102,9 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect)
 	if err != nil {
 		// lockManager.LoginStatus.Store(loginStatusKey, false) // 记录登录失败状态
-		hc := r.Context().Value(loginStatusKey).(*HttpContext)
-		hc.LoginStatus = false
+		// hc := r.Context().Value(loginStatusKey).(*HttpContext)
+		// hc.LoginStatus = false
+		lockManager.UpdateLoginStatus(cr.Auth.Username, r.RemoteAddr, false) // 记录登录失败状态
 
 		base.Warn(err, r.RemoteAddr)
 		ua.Info = err.Error()
@@ -123,8 +131,9 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 	// 用户otp验证
 	if base.Cfg.AuthAloneOtp && !v.DisableOtp {
 		// lockManager.LoginStatus.Store(loginStatusKey, true) // 重置OTP验证计数
-		hc := r.Context().Value(loginStatusKey).(*HttpContext)
-		hc.LoginStatus = true
+		// hc := r.Context().Value(loginStatusKey).(*HttpContext)
+		// hc.LoginStatus = true
+		lockManager.UpdateLoginStatus(cr.Auth.Username, r.RemoteAddr, true) // 重置OTP验证计数
 
 		sessionID, err := GenerateSessionID()
 		if err != nil {
diff --git a/server/handler/link_auth_otp.go b/server/handler/link_auth_otp.go
index 007e471..23558c0 100644
--- a/server/handler/link_auth_otp.go
+++ b/server/handler/link_auth_otp.go
@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"sync"
 
+	"github.com/bjdgyc/anylink/admin"
 	"github.com/bjdgyc/anylink/base"
 	"github.com/bjdgyc/anylink/dbdata"
 	"github.com/bjdgyc/anylink/pkg/utils"
@@ -16,6 +17,7 @@ import (
 )
 
 var SessStore = NewSessionStore()
+var lockManager = admin.GetLockManager()
 
 // const maxOtpErrCount = 3
 
@@ -110,12 +112,13 @@ func DeleteCookie(w http.ResponseWriter, name string) {
 }
 func CreateSession(w http.ResponseWriter, r *http.Request, authSession *AuthSession) {
 	// lockManager.LoginStatus.Store(loginStatusKey, true) // 更新登录成功状态
-	hc := r.Context().Value(loginStatusKey).(*HttpContext)
-	hc.LoginStatus = true
-
+	// hc := r.Context().Value(loginStatusKey).(*HttpContext)
+	// hc.LoginStatus = true
 	cr := authSession.ClientRequest
 	ua := authSession.UserActLog
 
+	lockManager.UpdateLoginStatus(cr.Auth.Username, r.RemoteAddr, true) // 更新登录成功状态
+
 	sess := sessdata.NewSession("")
 	sess.Username = cr.Auth.Username
 	sess.Group = cr.GroupSelect
@@ -196,6 +199,13 @@ func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
 	otpSecret := sessionData.ClientRequest.Auth.OtpSecret
 	otp := cr.Auth.SecondaryPassword
 
+	// 锁定状态判断
+	if !lockManager.CheckLocked(username, r.RemoteAddr) {
+		w.WriteHeader(http.StatusTooManyRequests)
+		SessStore.DeleteAuthSession(sessionID)
+		return
+	}
+
 	// 动态码错误
 	if !dbdata.CheckOtp(username, otp, otpSecret) {
 		// if sessionData.AddOtpErrCount(1) > maxOtpErrCount {
@@ -204,8 +214,9 @@ func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
 		// 	return
 		// }
 		// lockManager.LoginStatus.Store(loginStatusKey, false) // 记录登录失败状态
-		hc := r.Context().Value(loginStatusKey).(*HttpContext)
-		hc.LoginStatus = false
+		// hc := r.Context().Value(loginStatusKey).(*HttpContext)
+		// hc.LoginStatus = false
+		lockManager.UpdateLoginStatus(username, r.RemoteAddr, false) // 记录登录失败状态
 
 		base.Warn("OTP 动态码错误", username, r.RemoteAddr)
 		ua.Info = "OTP 动态码错误"
diff --git a/server/handler/server.go b/server/handler/server.go
index c257aad..4d9a409 100644
--- a/server/handler/server.go
+++ b/server/handler/server.go
@@ -111,10 +111,12 @@ func initRoute() http.Handler {
 	})
 
 	r.HandleFunc("/", LinkHome).Methods(http.MethodGet)
-	r.Handle("/", antiBruteForce(http.HandlerFunc(LinkAuth))).Methods(http.MethodPost)
+	r.HandleFunc("/", LinkAuth).Methods(http.MethodPost)
+	// r.Handle("/", antiBruteForce(http.HandlerFunc(LinkAuth))).Methods(http.MethodPost)
 	r.HandleFunc("/CSCOSSLC/tunnel", LinkTunnel).Methods(http.MethodConnect)
 	r.HandleFunc("/otp_qr", LinkOtpQr).Methods(http.MethodGet)
-	r.Handle("/otp-verification", antiBruteForce(http.HandlerFunc(LinkAuth_otp))).Methods(http.MethodPost)
+	r.HandleFunc("/otp-verification", LinkAuth_otp).Methods(http.MethodPost)
+	// r.Handle("/otp-verification", antiBruteForce(http.HandlerFunc(LinkAuth_otp))).Methods(http.MethodPost)
 	r.HandleFunc(fmt.Sprintf("/profile_%s.xml", base.Cfg.ProfileName), func(w http.ResponseWriter, r *http.Request) {
 		b, _ := os.ReadFile(base.Cfg.Profile)
 		w.Write(b)

From bda23283ecd0b64b397050554722301334c439a8 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Fri, 15 Nov 2024 15:13:24 +0800
Subject: [PATCH 39/48] =?UTF-8?q?radius=20=E6=B7=BB=E5=8A=A0=20=20CallingS?=
 =?UTF-8?q?tationID?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/dbdata/group.go           |  3 ++-
 server/dbdata/user.go            |  8 ++++----
 server/dbdata/userauth.go        |  2 +-
 server/dbdata/userauth_ldap.go   |  2 +-
 server/dbdata/userauth_radius.go | 12 ++++++++++--
 server/handler/link_auth.go      |  3 ++-
 6 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/server/dbdata/group.go b/server/dbdata/group.go
index a25240f..f3bb253 100644
--- a/server/dbdata/group.go
+++ b/server/dbdata/group.go
@@ -340,7 +340,8 @@ func GroupAuthLogin(name, pwd string, authData map[string]interface{}) error {
 	if err != nil {
 		return err
 	}
-	err = auth.checkUser(name, pwd, g)
+	ext := map[string]interface{}{}
+	err = auth.checkUser(name, pwd, g, ext)
 	return err
 }
 
diff --git a/server/dbdata/user.go b/server/dbdata/user.go
index da93a8c..1e344c6 100644
--- a/server/dbdata/user.go
+++ b/server/dbdata/user.go
@@ -68,7 +68,7 @@ func SetUser(v *User) error {
 }
 
 // 验证用户登录信息
-func CheckUser(name, pwd, group string) error {
+func CheckUser(name, pwd, group string, ext map[string]interface{}) error {
 	// 获取登入的group数据
 	groupData := &Group{}
 	err := One("Name", group, groupData)
@@ -82,7 +82,7 @@ func CheckUser(name, pwd, group string) error {
 	authType := groupData.Auth["type"].(string)
 	// 本地认证方式
 	if authType == "local" {
-		return checkLocalUser(name, pwd, group)
+		return checkLocalUser(name, pwd, group, ext)
 	}
 	// 其它认证方式, 支持自定义
 	_, ok := authRegistry[authType]
@@ -90,11 +90,11 @@ func CheckUser(name, pwd, group string) error {
 		return fmt.Errorf("%s %s", "未知的认证方式: ", authType)
 	}
 	auth := makeInstance(authType).(IUserAuth)
-	return auth.checkUser(name, pwd, groupData)
+	return auth.checkUser(name, pwd, groupData, ext)
 }
 
 // 验证本地用户登录信息
-func checkLocalUser(name, pwd, group string) error {
+func checkLocalUser(name, pwd, group string, ext map[string]interface{}) error {
 	// TODO 严重问题
 	// return nil
 
diff --git a/server/dbdata/userauth.go b/server/dbdata/userauth.go
index fbc3eb5..3a9b48f 100644
--- a/server/dbdata/userauth.go
+++ b/server/dbdata/userauth.go
@@ -9,7 +9,7 @@ var authRegistry = make(map[string]reflect.Type)
 
 type IUserAuth interface {
 	checkData(authData map[string]interface{}) error
-	checkUser(name, pwd string, g *Group) error
+	checkUser(name, pwd string, g *Group, ext map[string]interface{}) error
 }
 
 func makeInstance(name string) interface{} {
diff --git a/server/dbdata/userauth_ldap.go b/server/dbdata/userauth_ldap.go
index e7a5f1a..4121d9d 100644
--- a/server/dbdata/userauth_ldap.go
+++ b/server/dbdata/userauth_ldap.go
@@ -61,7 +61,7 @@ func (auth AuthLdap) checkData(authData map[string]interface{}) error {
 	return nil
 }
 
-func (auth AuthLdap) checkUser(name, pwd string, g *Group) error {
+func (auth AuthLdap) checkUser(name, pwd string, g *Group, ext map[string]interface{}) error {
 	pl := len(pwd)
 	if name == "" || pl < 1 {
 		return fmt.Errorf("%s %s", name, "密码错误")
diff --git a/server/dbdata/userauth_radius.go b/server/dbdata/userauth_radius.go
index 95d2853..6e1a27d 100644
--- a/server/dbdata/userauth_radius.go
+++ b/server/dbdata/userauth_radius.go
@@ -40,7 +40,7 @@ func (auth AuthRadius) checkData(authData map[string]interface{}) error {
 	return nil
 }
 
-func (auth AuthRadius) checkUser(name, pwd string, g *Group) error {
+func (auth AuthRadius) checkUser(name, pwd string, g *Group, ext map[string]interface{}) error {
 	pl := len(pwd)
 	if name == "" || pl < 1 {
 		return fmt.Errorf("%s %s", name, "密码错误")
@@ -74,15 +74,23 @@ func (auth AuthRadius) checkUser(name, pwd string, g *Group) error {
 			return fmt.Errorf("%s %s", name, "Radius set nasip 出现错误")
 		}
 	}
+	macAddr := ext["mac_addr"].(string)
+	if macAddr != "" {
+		err = rfc2865.CallingStationID_SetString(packet, macAddr)
+		if err != nil {
+			return fmt.Errorf("%s %s", name, "Radius set CallingStationID 出现错误")
+		}
+	}
 
 	ctx, done := context.WithTimeout(context.Background(), 3*time.Second)
 	defer done()
 	response, err := radius.Exchange(ctx, packet, auth.Addr)
 	if err != nil {
-		return fmt.Errorf("%s %s", name, "Radius服务器连接异常, 请检测服务器和端口")
+		return fmt.Errorf("%s %s %s", name, "Radius服务器连接异常, 请检测服务器和端口", err)
 	}
 	if response.Code != radius.CodeAccessAccept {
 		return fmt.Errorf("%s %s", name, "Radius：用户名或密码错误")
 	}
 	return nil
+
 }
diff --git a/server/handler/link_auth.go b/server/handler/link_auth.go
index b1e95a1..8403ca3 100644
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -99,7 +99,8 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		UserActLog:    ua,
 	}
 	// TODO 用户密码校验
-	err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect)
+	err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect,
+		map[string]interface{}{"mac_addr": cr.MacAddressList.MacAddress})
 	if err != nil {
 		// lockManager.LoginStatus.Store(loginStatusKey, false) // 记录登录失败状态
 		// hc := r.Context().Value(loginStatusKey).(*HttpContext)

From 4846c80b048d21d1f538b4b300b06c235b9b45d2 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Fri, 15 Nov 2024 16:41:28 +0800
Subject: [PATCH 40/48] =?UTF-8?q?radius=20=E6=B7=BB=E5=8A=A0=20=20CallingS?=
 =?UTF-8?q?tationID?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/dbdata/user.go            | 2 ++
 server/dbdata/userauth_radius.go | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/server/dbdata/user.go b/server/dbdata/user.go
index 1e344c6..02967b9 100644
--- a/server/dbdata/user.go
+++ b/server/dbdata/user.go
@@ -69,6 +69,8 @@ func SetUser(v *User) error {
 
 // 验证用户登录信息
 func CheckUser(name, pwd, group string, ext map[string]interface{}) error {
+	base.Trace("CheckUser", name, pwd, group, ext)
+
 	// 获取登入的group数据
 	groupData := &Group{}
 	err := One("Name", group, groupData)
diff --git a/server/dbdata/userauth_radius.go b/server/dbdata/userauth_radius.go
index 6e1a27d..d52e434 100644
--- a/server/dbdata/userauth_radius.go
+++ b/server/dbdata/userauth_radius.go
@@ -9,6 +9,7 @@ import (
 	"reflect"
 	"time"
 
+	"github.com/bjdgyc/anylink/base"
 	"layeh.com/radius"
 	"layeh.com/radius/rfc2865"
 )
@@ -75,8 +76,9 @@ func (auth AuthRadius) checkUser(name, pwd string, g *Group, ext map[string]inte
 		}
 	}
 	macAddr := ext["mac_addr"].(string)
+	base.Trace("AuthRadius", ext, macAddr)
 	if macAddr != "" {
-		err = rfc2865.CallingStationID_SetString(packet, macAddr)
+		err = rfc2865.CallingStationID_AddString(packet, macAddr)
 		if err != nil {
 			return fmt.Errorf("%s %s", name, "Radius set CallingStationID 出现错误")
 		}

From 740fcf64e99709940e02a18f9d3df7167cd9d3ee Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Fri, 15 Nov 2024 16:42:50 +0800
Subject: [PATCH 41/48] =?UTF-8?q?radius=20=E6=B7=BB=E5=8A=A0=20=20CallingS?=
 =?UTF-8?q?tationID?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/link_auth.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/handler/link_auth.go b/server/handler/link_auth.go
index 8403ca3..2450e64 100644
--- a/server/handler/link_auth.go
+++ b/server/handler/link_auth.go
@@ -99,8 +99,8 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		UserActLog:    ua,
 	}
 	// TODO 用户密码校验
-	err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect,
-		map[string]interface{}{"mac_addr": cr.MacAddressList.MacAddress})
+	ext := map[string]interface{}{"mac_addr": cr.MacAddressList.MacAddress}
+	err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect, ext)
 	if err != nil {
 		// lockManager.LoginStatus.Store(loginStatusKey, false) // 记录登录失败状态
 		// hc := r.Context().Value(loginStatusKey).(*HttpContext)

From 39fa986d55745107eec47feb0ce72a8be6747d4c Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Tue, 3 Dec 2024 15:47:29 +0800
Subject: [PATCH 42/48] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=20recover=20=E9=97=AE?=
 =?UTF-8?q?=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/handler/payload_access_audit.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server/handler/payload_access_audit.go b/server/handler/payload_access_audit.go
index d3d91b7..5e58cac 100644
--- a/server/handler/payload_access_audit.go
+++ b/server/handler/payload_access_audit.go
@@ -106,6 +106,9 @@ func logAudit(userName string, pl *sessdata.Payload) {
 		if err := recover(); err != nil {
 			base.Error("logAudit is panic: ", err, "\n", string(debug.Stack()), "\n", pl.Data)
 		}
+	}()
+
+	defer func() {
 		putPayload(pl)
 	}()
 

From 825a4bc6caaa9f87954ea18c526f0b58d29ede7b Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Fri, 6 Dec 2024 11:38:48 +0800
Subject: [PATCH 43/48] =?UTF-8?q?=E4=BF=AE=E6=94=B9=20readme?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index dbab5fd..9746cc8 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,8 @@ AnyLink 基于 [ietf-openconnect](https://tools.ietf.org/html/draft-mavrogiannop
 AnyLink 使用 TLS/DTLS 进行数据加密，因此需要 RSA 或 ECC 证书，可以使用私有自签证书，可以通过 Let's Encrypt 和 TrustAsia
 申请免费的 SSL 证书。
 
-AnyLink 服务端仅在 CentOS 7、CentOS 8、Ubuntu 18、Ubuntu 20、Ubuntu 20、AnolisOS 8 测试通过，如需要安装在其他系统，需要服务端支持 tun/tap
+AnyLink 服务端仅在 CentOS 7、CentOS 8、Ubuntu 18、Ubuntu 20、Ubuntu 20、AnolisOS 8 测试通过，如需要安装在其他系统，需要服务端支持
+tun/tap
 功能、ip 设置命令、iptables命令。
 
 ## Screenshot
@@ -164,12 +165,12 @@ sudo ./anylink
 >
 > 数据库表结构自动生成，无需手动导入(请赋予 DDL 权限)
 
-| db_type  | db_source                                                                  |
-|----------|----------------------------------------------------------------------------|
-| sqlite3  | ./conf/anylink.db                                                          |
-| mysql    | user:password@tcp(127.0.0.1:3306)/anylink?charset=utf8                     |
-| postgres | postgres://user:password@localhost/anylink?sslmode=verify-full             |
-| mssql    | sqlserver://user:password@localhost?database=anylink&connection+timeout=30 |
+| db_type  | db_source                                                                                                            |
+|----------|----------------------------------------------------------------------------------------------------------------------|
+| sqlite3  | ./conf/anylink.db                                                                                                    |
+| mysql    | user:password@tcp(127.0.0.1:3306)/anylink?charset=utf8<br/>user:password@tcp(127.0.0.1:3306)/anylink?charset=utf8mb4 |
+| postgres | postgres://user:password@localhost/anylink?sslmode=verify-full                                                       |
+| mssql    | sqlserver://user:password@localhost?database=anylink&connection+timeout=30                                           |
 
 > 示例配置文件
 >

From ee27290b82322730a17d71a9395afc38ad8fcd6b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=AD=A4=E9=B8=BF?=
 <31199914+wsczx@users.noreply.github.com>
Date: Fri, 14 Feb 2025 19:09:18 +0800
Subject: [PATCH 44/48] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E5=8D=87=E7=BA=A7?=
 =?UTF-8?q?=E5=90=8E=E6=95=B0=E6=8D=AE=E5=BA=93=E5=AF=86=E7=A0=81=E5=AD=97?=
 =?UTF-8?q?=E6=AE=B5=E5=AD=97=E7=AC=A6=E9=99=90=E5=88=B6=E7=9A=84Bug?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

修复升级后数据库密码字段字符限制的Bug
---
 server/dbdata/tables.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/dbdata/tables.go b/server/dbdata/tables.go
index 7c2e8cf..6fb4364 100644
--- a/server/dbdata/tables.go
+++ b/server/dbdata/tables.go
@@ -30,7 +30,7 @@ type User struct {
 	Nickname string `json:"nickname" xorm:"varchar(255)"`
 	Email    string `json:"email" xorm:"varchar(255)"`
 	// Password  string    `json:"password"`
-	PinCode    string     `json:"pin_code" xorm:"varchar(32)"`
+	PinCode    string     `json:"pin_code" xorm:"varchar(64)"`
 	LimitTime  *time.Time `json:"limittime,omitempty" xorm:"Datetime limittime"` // 值为null时，前端不显示
 	OtpSecret  string     `json:"otp_secret" xorm:"varchar(255)"`
 	DisableOtp bool       `json:"disable_otp" xorm:"Bool"` // 禁用otp

From d5e3e99b480af70a61c6e47633d7e5b9536b4ee3 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 26 Feb 2025 17:50:38 +0800
Subject: [PATCH 45/48] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E6=B5=8B=E8=AF=95?=
 =?UTF-8?q?=E6=96=87=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/dbdata/user_test.go | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/server/dbdata/user_test.go b/server/dbdata/user_test.go
index c7aa92f..de8c0e2 100644
--- a/server/dbdata/user_test.go
+++ b/server/dbdata/user_test.go
@@ -3,10 +3,12 @@ package dbdata
 import (
 	"testing"
 
+	"github.com/bjdgyc/anylink/base"
 	"github.com/stretchr/testify/assert"
 )
 
 func TestCheckUser(t *testing.T) {
+	base.Test()
 	ast := assert.New(t)
 
 	preIpData()
@@ -38,7 +40,10 @@ func TestCheckUser(t *testing.T) {
 	// 单独验证密码
 	u.DisableOtp = true
 	_ = SetUser(&u)
-	err = CheckUser("aaa", pincode, group)
+	ext := map[string]any{
+		"mac_addr": "",
+	}
+	err = CheckUser("aaa", pincode, group, ext)
 	ast.Nil(err)
 
 	// 添加一个radius组
@@ -53,9 +58,9 @@ func TestCheckUser(t *testing.T) {
 	g2 := Group{Name: group2, Status: 1, ClientDns: dns, RouteInclude: route, Auth: authData}
 	err = SetGroup(&g2)
 	ast.Nil(err)
-	err = CheckUser("aaa", "bbbbbbb", group2)
+	err = CheckUser("aaa", "bbbbbbb", group2, ext)
 	if ast.NotNil(err) {
-		ast.Equal("aaa Radius服务器连接异常, 请检测服务器和端口", err.Error())
+		ast.Contains(err.Error(), "aaa Radius服务器连接异常")
 	}
 	// 添加用户策略
 	dns2 := []ValData{{Val: "8.8.8.8"}}
@@ -63,7 +68,7 @@ func TestCheckUser(t *testing.T) {
 	p1 := Policy{Username: "aaa", Status: 1, ClientDns: dns2, RouteInclude: route2}
 	err = SetPolicy(&p1)
 	ast.Nil(err)
-	err = CheckUser("aaa", pincode, group)
+	err = CheckUser("aaa", pincode, group, ext)
 	ast.Nil(err)
 	// 添加一个ldap组
 	group3 := "group3"
@@ -83,7 +88,7 @@ func TestCheckUser(t *testing.T) {
 	g3 := Group{Name: group3, Status: 1, ClientDns: dns, RouteInclude: route, Auth: authData}
 	err = SetGroup(&g3)
 	ast.Nil(err)
-	err = CheckUser("aaa", "bbbbbbb", group3)
+	err = CheckUser("aaa", "bbbbbbb", group3, ext)
 	if ast.NotNil(err) {
 		ast.Equal("aaa LDAP服务器连接异常, 请检测服务器和端口", err.Error())
 	}

From 2a1686073e1962ad7a9f63a6f2a8c54f9db46ccc Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 26 Feb 2025 17:58:22 +0800
Subject: [PATCH 46/48] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E7=89=88=E6=9C=AC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 server/go.mod | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/server/go.mod b/server/go.mod
index 0f6cad8..2156637 100644
--- a/server/go.mod
+++ b/server/go.mod
@@ -1,6 +1,8 @@
 module github.com/bjdgyc/anylink
 
-go 1.22
+go 1.22.0
+
+toolchain go1.23.3
 
 require (
 	github.com/arl/statsviz v0.6.0

From a0af89d77d2d1a480e3c961ef5d3aa62a4551ece Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Wed, 26 Feb 2025 17:58:59 +0800
Subject: [PATCH 47/48] =?UTF-8?q?=E4=BF=AE=E6=94=B9=E7=89=88=E6=9C=AC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 version | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/version b/version
index d61567c..ed0d9e9 100644
--- a/version
+++ b/version
@@ -1 +1 @@
-0.12.3
\ No newline at end of file
+0.13.1
\ No newline at end of file

From a77f4cae84b122165f6546dd4520eece0da5cfe9 Mon Sep 17 00:00:00 2001
From: bjdgyc <bjdgyc@163.com>
Date: Thu, 27 Feb 2025 15:18:34 +0800
Subject: [PATCH 48/48] fix

---
 server/go.mod | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/server/go.mod b/server/go.mod
index 2156637..0f6cad8 100644
--- a/server/go.mod
+++ b/server/go.mod
@@ -1,8 +1,6 @@
 module github.com/bjdgyc/anylink
 
-go 1.22.0
-
-toolchain go1.23.3
+go 1.22
 
 require (
 	github.com/arl/statsviz v0.6.0