7x31
/
anylink
mirror of https://github.com/bjdgyc/anylink.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #357 from wsczx/dev 

修复邮件发送密码为密文密码的Bug
This commit is contained in:
bjdgyc 2025-03-09 15:34:02 +08:00 committed by GitHub
parent 5e60feeb9b 315e1deadc
commit e864585588
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 30 additions and 156 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
server/admin/api_uploaduser.go
View File

@ -110,6 +110,7 @@ func UploadUser(file string) error {
if err := dbdata.AddBatch(user); err != nil { if err := dbdata.AddBatch(user); err != nil {
return fmt.Errorf("请检查第%d行数据是否导入有重复用户", index) return fmt.Errorf("请检查第%d行数据是否导入有重复用户", index)
} }
user.PinCode = row[4]
if user.SendEmail { if user.SendEmail {
if err := userAccountMail(user); err != nil { if err := userAccountMail(user); err != nil {
return err return err

7
server/admin/api_user.go
View File

@ -15,6 +15,7 @@ import (
"github.com/bjdgyc/anylink/base" "github.com/bjdgyc/anylink/base"
"github.com/bjdgyc/anylink/dbdata" "github.com/bjdgyc/anylink/dbdata"
"github.com/bjdgyc/anylink/pkg/utils"
"github.com/bjdgyc/anylink/sessdata" "github.com/bjdgyc/anylink/sessdata"
"github.com/skip2/go-qrcode" "github.com/skip2/go-qrcode"
mail "github.com/xhit/go-simple-mail/v2" mail "github.com/xhit/go-simple-mail/v2"
@ -98,11 +99,17 @@ func UserSet(w http.ResponseWriter, r *http.Request) {
return return
} }
if len(data.PinCode) < 6 {
data.PinCode = utils.RandomRunes(8)
base.Info("用户", data.Username, "随机密码为:", data.PinCode)
}
plainpwd := data.PinCode
err = dbdata.SetUser(data) err = dbdata.SetUser(data)
if err != nil { if err != nil {
RespError(w, RespInternalErr, err) RespError(w, RespInternalErr, err)
return return
} }
data.PinCode = plainpwd
// 发送邮件 // 发送邮件
if data.SendEmail { if data.SendEmail {

10
server/base/cfg.go
View File

@ -2,11 +2,12 @@ package base
import ( import (
"fmt" "fmt"
"github.com/bjdgyc/anylink/pkg/utils"
"os" "os"
"path/filepath" "path/filepath"
"reflect" "reflect"
"strings" "strings"
"github.com/bjdgyc/anylink/pkg/utils"
) )
const ( const (
@ -85,9 +86,10 @@ type ServerConfig struct {
Compression bool `json:"compression"` // bool Compression bool `json:"compression"` // bool
NoCompressLimit int `json:"no_compress_limit"` // int NoCompressLimit int `json:"no_compress_limit"` // int
DisplayError bool `json:"display_error"` DisplayError bool `json:"display_error"`
ExcludeExportIp bool `json:"exclude_export_ip"` ExcludeExportIp bool `json:"exclude_export_ip"`
AuthAloneOtp bool `json:"auth_alone_otp"` AuthAloneOtp bool `json:"auth_alone_otp"`
EncryptionPassword bool `json:"encryption_password"`
AntiBruteForce bool `json:"anti_brute_force"` AntiBruteForce bool `json:"anti_brute_force"`
IPWhitelist string `json:"ip_whitelist"` IPWhitelist string `json:"ip_whitelist"`

1
server/base/config.go
View File

@ -73,6 +73,7 @@ var configs = []config{
{Typ: cfgBool, Name: "display_error", Usage: "客户端显示详细错误信息(线上环境慎开启)", ValBool: false}, {Typ: cfgBool, Name: "display_error", Usage: "客户端显示详细错误信息(线上环境慎开启)", ValBool: false},
{Typ: cfgBool, Name: "exclude_export_ip", Usage: "排除出口ip路由(出口ip不加密传输)", ValBool: true}, {Typ: cfgBool, Name: "exclude_export_ip", Usage: "排除出口ip路由(出口ip不加密传输)", ValBool: true},
{Typ: cfgBool, Name: "auth_alone_otp", Usage: "登录单独验证OTP窗口", ValBool: false}, {Typ: cfgBool, Name: "auth_alone_otp", Usage: "登录单独验证OTP窗口", ValBool: false},
{Typ: cfgBool, Name: "encryption_password", Usage: "用户密码是否加密保存", ValBool: false},
{Typ: cfgBool, Name: "anti_brute_force", Usage: "是否开启防爆功能", ValBool: true}, {Typ: cfgBool, Name: "anti_brute_force", Usage: "是否开启防爆功能", ValBool: true},
{Typ: cfgStr, Name: "ip_whitelist", Usage: "全局IP白名单,多个用逗号分隔支持单IP和CIDR范围", ValStr: "192.168.90.1,172.16.0.0/24"}, {Typ: cfgStr, Name: "ip_whitelist", Usage: "全局IP白名单,多个用逗号分隔支持单IP和CIDR范围", ValStr: "192.168.90.1,172.16.0.0/24"},

5
server/conf/server-sample.toml
View File

@ -117,6 +117,8 @@ exclude_export_ip = true
#登录单独验证OTP窗口 #登录单独验证OTP窗口
auth_alone_otp = false auth_alone_otp = false
#加密保存用户密码
encryption_password = false
#防爆破全局开关 #防爆破全局开关
anti_brute_force = true anti_brute_force = true
@ -147,6 +149,3 @@ global_ip_lock_time = 300
#全局锁定状态的保存生命周期(秒),超过则删除记录 #全局锁定状态的保存生命周期(秒),超过则删除记录
global_lock_state_expiration_time = 3600 global_lock_state_expiration_time = 3600

24
server/dbdata/user.go
View File

@ -120,7 +120,7 @@ func checkLocalUser(name, pwd, group string, ext map[string]interface{}) error {
} }
pinCode := pwd pinCode := pwd
if base.Cfg.AuthAloneOtp == false { if !base.Cfg.AuthAloneOtp {
// 判断otp信息 // 判断otp信息
if !v.DisableOtp { if !v.DisableOtp {
pinCode = pwd[:pl-6] pinCode = pwd[:pl-6]
@ -207,16 +207,18 @@ func CheckOtp(name, otp, secret string) bool {
// 插入数据库前加密密码 // 插入数据库前加密密码
func (u *User) BeforeInsert() { func (u *User) BeforeInsert() {
hashedPassword, err := utils.PasswordHash(u.PinCode) if base.Cfg.EncryptionPassword {
if err != nil { hashedPassword, err := utils.PasswordHash(u.PinCode)
base.Error(err) if err != nil {
} base.Error(err)
u.PinCode = hashedPassword }
} u.PinCode = hashedPassword
}
// 更新数据库前加密密码 }
func (u *User) BeforeUpdate() {
if len(u.PinCode) != 60 { // 更新数据库前加密密码
func (u *User) BeforeUpdate() {
if len(u.PinCode) != 60 && base.Cfg.EncryptionPassword {
hashedPassword, err := utils.PasswordHash(u.PinCode) hashedPassword, err := utils.PasswordHash(u.PinCode)
if err != nil { if err != nil {
base.Error(err) base.Error(err)

121
server/handler/antiBruteForce.go
View File

@ -1,121 +0,0 @@
package handler
import (
"context"
"encoding/xml"
"io"
"net"
"net/http"
"strings"
"time"
"github.com/bjdgyc/anylink/base"
)
// var lockManager = admin.GetLockManager()
const loginStatusKey = "login_status"
type HttpContext struct {
LoginStatus bool // 登录状态
}
// 防爆破中间件
func antiBruteForce(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, old_r *http.Request) {
// 防爆破功能全局开关
if !base.Cfg.AntiBruteForce {
next.ServeHTTP(w, old_r)
return
}
// 非并发安全
hc := &HttpContext{}
ctx := context.WithValue(context.Background(), loginStatusKey, hc)
r := old_r.WithContext(ctx)
body, err := io.ReadAll(r.Body)
if err != nil {
http.Error(w, "Failed to read request body", http.StatusBadRequest)
return
}
defer r.Body.Close()
cr := ClientRequest{}
err = xml.Unmarshal(body, &cr)
if err != nil {
http.Error(w, "Failed to parse XML", http.StatusBadRequest)
return
}
username := cr.Auth.Username
if r.URL.Path == "/otp-verification" {
sessionID, err := GetCookie(r, "auth-session-id")
if err != nil {
http.Error(w, "Invalid session, please login again", http.StatusUnauthorized)
return
}
sessionData, err := SessStore.GetAuthSession(sessionID)
if err != nil {
http.Error(w, "Invalid session, please login again", http.StatusUnauthorized)
return
}
username = sessionData.ClientRequest.Auth.Username
}
ip, _, err := net.SplitHostPort(r.RemoteAddr) // 提取纯 IP 地址,去掉端口号
if err != nil {
http.Error(w, "Unable to parse IP address", http.StatusInternalServerError)
return
}
now := time.Now()
// 检查IP是否在白名单中
if lockManager.IsWhitelisted(ip) {
r.Body = io.NopCloser(strings.NewReader(string(body)))
next.ServeHTTP(w, r)
return
}
// 检查全局 IP 锁定
if base.Cfg.MaxGlobalIPBanCount > 0 && lockManager.CheckGlobalIPLock(ip, now) {
base.Warn("IP", ip, "is globally locked. Try again later.")
http.Error(w, "Account globally locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
return
}
// 检查全局用户锁定
if base.Cfg.MaxGlobalUserBanCount > 0 && lockManager.CheckGlobalUserLock(username, now) {
base.Warn("User", username, "is globally locked. Try again later.")
http.Error(w, "Account globally locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
return
}
// 检查单个用户的 IP 锁定
if base.Cfg.MaxBanCount > 0 && lockManager.CheckUserIPLock(username, ip, now) {
base.Warn("IP", ip, "is locked for user", username, "Try again later.")
http.Error(w, "Account locked due to too many failed attempts. Try again later.", http.StatusTooManyRequests)
return
}
// 重新设置请求体以便后续处理器可以访问
r.Body = io.NopCloser(strings.NewReader(string(body)))
// 调用下一个处理器
next.ServeHTTP(w, r)
// 检查登录状态
// Status, _ := lockManager.LoginStatus.Load(loginStatusKey)
// loginStatus, _ := Status.(bool)
loginStatus := hc.LoginStatus
// 更新用户登录状态
lockManager.UpdateGlobalIPLock(ip, now, loginStatus)
lockManager.UpdateGlobalUserLock(username, now, loginStatus)
lockManager.UpdateUserIPLock(username, ip, now, loginStatus)
// 清除登录状态
// lockManager.LoginStatus.Delete(loginStatusKey)
})
}

6
server/handler/link_auth.go
View File

@ -102,9 +102,6 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
ext := map[string]interface{}{"mac_addr": cr.MacAddressList.MacAddress} ext := map[string]interface{}{"mac_addr": cr.MacAddressList.MacAddress}
err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect, ext) err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect, ext)
if err != nil { if err != nil {
// lockManager.LoginStatus.Store(loginStatusKey, false) // 记录登录失败状态
// hc := r.Context().Value(loginStatusKey).(*HttpContext)
// hc.LoginStatus = false
lockManager.UpdateLoginStatus(cr.Auth.Username, r.RemoteAddr, false) // 记录登录失败状态 lockManager.UpdateLoginStatus(cr.Auth.Username, r.RemoteAddr, false) // 记录登录失败状态
base.Warn(err, r.RemoteAddr) base.Warn(err, r.RemoteAddr)
@ -131,9 +128,6 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
} }
// 用户otp验证 // 用户otp验证
if base.Cfg.AuthAloneOtp && !v.DisableOtp { if base.Cfg.AuthAloneOtp && !v.DisableOtp {
// lockManager.LoginStatus.Store(loginStatusKey, true) // 重置OTP验证计数
// hc := r.Context().Value(loginStatusKey).(*HttpContext)
// hc.LoginStatus = true
lockManager.UpdateLoginStatus(cr.Auth.Username, r.RemoteAddr, true) // 重置OTP验证计数 lockManager.UpdateLoginStatus(cr.Auth.Username, r.RemoteAddr, true) // 重置OTP验证计数
sessionID, err := GenerateSessionID() sessionID, err := GenerateSessionID()

11
server/handler/link_auth_otp.go
View File

@ -111,9 +111,6 @@ func DeleteCookie(w http.ResponseWriter, name string) {
http.SetCookie(w, cookie) http.SetCookie(w, cookie)
} }
func CreateSession(w http.ResponseWriter, r *http.Request, authSession *AuthSession) { func CreateSession(w http.ResponseWriter, r *http.Request, authSession *AuthSession) {
// lockManager.LoginStatus.Store(loginStatusKey, true) // 更新登录成功状态
// hc := r.Context().Value(loginStatusKey).(*HttpContext)
// hc.LoginStatus = true
cr := authSession.ClientRequest cr := authSession.ClientRequest
ua := authSession.UserActLog ua := authSession.UserActLog
@ -208,14 +205,6 @@ func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
// 动态码错误 // 动态码错误
if !dbdata.CheckOtp(username, otp, otpSecret) { if !dbdata.CheckOtp(username, otp, otpSecret) {
// if sessionData.AddOtpErrCount(1) > maxOtpErrCount {
// SessStore.DeleteAuthSession(sessionID)
// http.Error(w, "TooManyError, please login again", http.StatusBadRequest)
// return
// }
// lockManager.LoginStatus.Store(loginStatusKey, false) // 记录登录失败状态
// hc := r.Context().Value(loginStatusKey).(*HttpContext)
// hc.LoginStatus = false
lockManager.UpdateLoginStatus(username, r.RemoteAddr, false) // 记录登录失败状态 lockManager.UpdateLoginStatus(username, r.RemoteAddr, false) // 记录登录失败状态
base.Warn("OTP 动态码错误", username, r.RemoteAddr) base.Warn("OTP 动态码错误", username, r.RemoteAddr)