增加证书认证开关，优化前端下载证书的错误处理

server/handler/link_auth.go

@@ -78,32 +78,43 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	// 检查客户端证书认证
-	if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
-		clientCert := r.TLS.PeerCertificates[0]
-		username := clientCert.Subject.CommonName
-		groupname := clientCert.Subject.OrganizationalUnit[0]
-		if username == "" || groupname == "" {
-			base.Warn("客户端证书缺少用户名或组名")
-			w.WriteHeader(http.StatusBadRequest)
-			return
-		}
-
-		// 验证证书有效性和用户状态
-		if dbdata.ValidateClientCert(clientCert, userAgent) {
-			// 证书认证成功，创建会话
-			base.Info("用户通过证书认证:", username)
-
-			sessionData.ClientRequest.GroupSelect = groupname
-			sessionData.ClientRequest.Auth.Username = username
+	if base.Cfg.AuthAloneCert {
+		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
+			clientCert := r.TLS.PeerCertificates[0]
+			username := clientCert.Subject.CommonName
+			groupname := clientCert.Subject.OrganizationalUnit[0]
+			if username == "" || groupname == "" {
+				base.Warn("客户端证书缺少用户名或组名")
+				w.WriteHeader(http.StatusBadRequest)
+				return
+			}
 			ua.Username = username
 			ua.GroupName = groupname
-			ua.Info = "用户通过证书认证登录"
-			ua.Status = dbdata.UserConnected
-			dbdata.UserActLogIns.Add(*ua, userAgent)
+			// 验证证书有效性和用户状态
+			if dbdata.ValidateClientCert(clientCert, userAgent) {
+				// 证书认证成功，创建会话
+				base.Info("用户通过证书认证:", username)
 
-			CreateSession(w, r, sessionData)
-			return
+				sessionData.ClientRequest.GroupSelect = groupname
+				sessionData.ClientRequest.Auth.Username = username
+				ua.Info = "用户通过证书认证登录"
+				ua.Status = dbdata.UserConnected
+				dbdata.UserActLogIns.Add(*ua, userAgent)
+
+				CreateSession(w, r, sessionData)
+				return
+			} else {
+				ua.Info = "客户端证书验证失败"
+				ua.Status = dbdata.UserAuthFail
+				dbdata.UserActLogIns.Add(*ua, userAgent)
+
+				w.WriteHeader(http.StatusForbidden)
+				return
+			}
 		}
+		base.Warn("启用了独立证书验证，但用户未提供有效证书")
+		w.WriteHeader(http.StatusForbidden)
+		return
 	}
 
 	if cr.Type == "init" {