7x31
/
anylink
mirror of https://github.com/bjdgyc/anylink.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

1.修复防爆策略用户登录成功后没有重置计数的Bug 

2.增加otp防爆
3.添加otp使用说明
4.优化代码
This commit is contained in:
wsczx 2024-10-26 09:13:02 +08:00
parent fdc755bd98
commit f8685490dc
6 changed files with 86 additions and 165 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
server/dbdata/db.go
View File

@ -203,7 +203,8 @@ const accountMail = `<p>您好:</p>
<ul>
<li>请使用OTP软件扫描动态码二维码</li>
<li>然后使用anyconnect客户端进行登陆</li>
<li>登陆密码为 PIN码+动态码(中间没有+)</li>
<li>登陆密码为 PIN </li>
<li>OTP密码为扫码后生成的动态码</li>
</ul>
</div>
<p>

72
server/handler/antiBruteForce.go
View File

@ -12,11 +12,7 @@ import (
"github.com/bjdgyc/anylink/base"
)
// 自定义 contextKey 类型,避免键冲突
type contextKey string
// 定义常量作为上下文的键
const loginStatusKey contextKey = "login_status"
const loginStatusKey = "login_status"
const defaultGlobalLockStateExpirationTime = 3600
func initAntiBruteForce() {
@ -53,6 +49,20 @@ func antiBruteForce(next http.Handler) http.Handler {
}
username := cr.Auth.Username
if r.URL.Path == "/otp-verification" {
sessionID, err := GetCookie(r, "auth-session-id")
if err != nil {
http.Error(w, "Invalid session, please login again", http.StatusUnauthorized)
return
}
sessionData, err := SessStore.GetAuthSession(sessionID)
if err != nil {
http.Error(w, "Invalid session, please login again", http.StatusUnauthorized)
return
}
username = sessionData.ClientRequest.Auth.Username
}
ip, _, err := net.SplitHostPort(r.RemoteAddr) // 提取纯 IP 地址,去掉端口号
if err != nil {
http.Error(w, "Unable to parse IP address", http.StatusInternalServerError)
@ -109,13 +119,17 @@ func antiBruteForce(next http.Handler) http.Handler {
// 调用下一个处理器
next.ServeHTTP(w, r)
// 从 context 中获取登录状态
loginStatus, _ := r.Context().Value(loginStatusKey).(bool)
// 检查登录状态
Status, _ := lockManager.loginStatus.Load(loginStatusKey)
loginStatus, _ := Status.(bool)
// 更新用户登录状态
lockManager.updateGlobalIPLock(ip, now, loginStatus)
lockManager.updateGlobalUserLock(username, now, loginStatus)
lockManager.updateUserIPLock(username, ip, now, loginStatus)
// 清除登录状态
lockManager.loginStatus.Delete(loginStatusKey)
})
}
@ -131,6 +145,7 @@ type IPWhitelists struct {
type LockManager struct {
mu sync.Mutex
loginStatus sync.Map // 登录状态
ipLocks map[string]*LockState // 全局IP锁定状态
userLocks map[string]*LockState // 全局用户锁定状态
ipUserLocks map[string]map[string]*LockState // 单用户IP锁定状态
@ -140,6 +155,7 @@ type LockManager struct {
}
var lockManager = &LockManager{
loginStatus: sync.Map{},
ipLocks: make(map[string]*LockState),
userLocks: make(map[string]*LockState),
ipUserLocks: make(map[string]map[string]*LockState),
@ -251,14 +267,7 @@ func (lm *LockManager) checkGlobalIPLock(ip string, now time.Time) bool {
return false
}
// 如果超过时间窗口,重置失败计数
lm.resetLockStateIfExpired(state, now, base.Cfg.GlobalIPBanResetTime)
if !state.LockTime.IsZero() && now.Before(state.LockTime) {
return true
}
return false
return lm.checkLockState(state, now, base.Cfg.GlobalIPBanResetTime)
}
// 检查全局用户锁定
@ -274,14 +283,7 @@ func (lm *LockManager) checkGlobalUserLock(username string, now time.Time) bool
if !exists {
return false
}
// 如果超过时间窗口,重置失败计数
lm.resetLockStateIfExpired(state, now, base.Cfg.GlobalUserBanResetTime)
if !state.LockTime.IsZero() && now.Before(state.LockTime) {
return true
}
return false
return lm.checkLockState(state, now, base.Cfg.GlobalUserBanResetTime)
}
// 检查单个用户的 IP 锁定
@ -303,14 +305,7 @@ func (lm *LockManager) checkUserIPLock(username, ip string, now time.Time) bool
return false
}
// 如果超过时间窗口,重置失败计数
lm.resetLockStateIfExpired(state, now, base.Cfg.BanResetTime)
if !state.LockTime.IsZero() && now.Before(state.LockTime) {
return true
}
return false
return lm.checkLockState(state, now, base.Cfg.BanResetTime)
}
// 更新全局 IP 锁定状态
@ -383,22 +378,27 @@ func (lm *LockManager) updateLockState(state *LockState, now time.Time, success
state.LastAttempt = now
}
// 超过窗口时间和锁定时间时重置锁定状态
func (lm *LockManager) resetLockStateIfExpired(state *LockState, now time.Time, resetTime int) {
// 检查锁定状态
func (lm *LockManager) checkLockState(state *LockState, now time.Time, resetTime int) bool {
if state == nil || state.LastAttempt.IsZero() {
return
return false
}
// 如果超过锁定时间,重置锁定状态
if !state.LockTime.IsZero() && now.After(state.LockTime) {
state.FailureCount = 0
state.LockTime = time.Time{}
return
return false
}
// 如果超过窗口时间,重置失败计数
if now.Sub(state.LastAttempt) > time.Duration(resetTime)*time.Second {
state.FailureCount = 0
state.LockTime = time.Time{}
return false
}
// 如果锁定时间还在有效期内,继续锁定
if !state.LockTime.IsZero() && now.Before(state.LockTime) {
return true
}
return false
}

5
server/handler/link_auth.go
View File

@ -2,7 +2,6 @@ package handler
import (
"bytes"
"context"
"encoding/xml"
"fmt"
"io"
@ -95,7 +94,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
// TODO 用户密码校验
err = dbdata.CheckUser(cr.Auth.Username, cr.Auth.Password, cr.GroupSelect)
if err != nil {
r = r.WithContext(context.WithValue(r.Context(), loginStatusKey, false)) // 传递登录失败状态
lockManager.loginStatus.Store(loginStatusKey, false) // 记录登录失败状态
base.Warn(err, r.RemoteAddr)
ua.Info = err.Error()
ua.Status = dbdata.UserAuthFail
@ -109,7 +108,6 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
tplRequest(tpl_request, w, data)
return
}
r = r.WithContext(context.WithValue(r.Context(), loginStatusKey, true)) // 传递登录成功状态
dbdata.UserActLogIns.Add(*ua, userAgent)
v := &dbdata.User{}
@ -121,6 +119,7 @@ func LinkAuth(w http.ResponseWriter, r *http.Request) {
}
// 用户otp验证
if !v.DisableOtp {
lockManager.loginStatus.Store(loginStatusKey, true) // 重置OTP验证计数
sessionID, err := GenerateSessionID()
if err != nil {
base.Error("Failed to generate session ID: ", err)

3
server/handler/link_auth_otp.go
View File

@ -110,6 +110,8 @@ func DeleteCookie(w http.ResponseWriter, name string) {
http.SetCookie(w, cookie)
}
func CreateSession(w http.ResponseWriter, r *http.Request, authSession *AuthSession) {
lockManager.loginStatus.Store(loginStatusKey, true) // 更新登录成功状态
cr := authSession.ClientRequest
ua := authSession.UserActLog
@ -200,6 +202,7 @@ func LinkAuth_otp(w http.ResponseWriter, r *http.Request) {
http.Error(w, "TooManyError, please login again", http.StatusBadRequest)
return
}
lockManager.loginStatus.Store(loginStatusKey, false) // 记录登录失败状态
base.Warn("OTP 动态码错误", username, r.RemoteAddr)
ua.Info = "OTP 动态码错误"

2
server/handler/server.go
View File

@ -114,7 +114,7 @@ func initRoute() http.Handler {
r.Handle("/", antiBruteForce(http.HandlerFunc(LinkAuth))).Methods(http.MethodPost)
r.HandleFunc("/CSCOSSLC/tunnel", LinkTunnel).Methods(http.MethodConnect)
r.HandleFunc("/otp_qr", LinkOtpQr).Methods(http.MethodGet)
r.HandleFunc("/otp-verification", LinkAuth_otp)
r.Handle("/otp-verification", antiBruteForce(http.HandlerFunc(LinkAuth_otp))).Methods(http.MethodPost)
r.HandleFunc(fmt.Sprintf("/profile_%s.xml", base.Cfg.ProfileName), func(w http.ResponseWriter, r *http.Request) {
b, _ := os.ReadFile(base.Cfg.Profile)
w.Write(b)

166
web/src/pages/user/List.vue
View File

@ -3,22 +3,13 @@
<el-card>
<el-form :inline="true">
<el-form-item>
<el-button
size="small"
type="primary"
icon="el-icon-plus"
@click="handleEdit('')">添加
<el-button size="small" type="primary" icon="el-icon-plus" @click="handleEdit('')">添加
</el-button>
</el-form-item>
<el-form-item>
<el-dropdown size="small" placement="bottom">
<el-upload
class="uploaduser"
action="uploaduser"
accept=".xlsx, .xls"
:http-request="upLoadUser"
:limit="1"
:show-file-list="false">
<el-upload class="uploaduser" action="uploaduser" accept=".xlsx, .xls" :http-request="upLoadUser" :limit="1"
:show-file-list="false">
<el-button size="small" icon="el-icon-upload2" type="primary">批量添加</el-button>
</el-upload>
<el-dropdown-menu slot="dropdown">
@ -32,79 +23,45 @@
</el-form-item>
<el-form-item label="用户名或姓名或邮箱:">
<el-input size="small" v-model="searchData" placeholder="请输入内容"
@keydown.enter.native="searchEnterFun"></el-input>
@keydown.enter.native="searchEnterFun"></el-input>
</el-form-item>
<el-form-item>
<el-button
size="small"
type="primary"
icon="el-icon-search"
@click="handleSearch()">搜索
<el-button size="small" type="primary" icon="el-icon-search" @click="handleSearch()">搜索
</el-button>
<el-button
size="small"
icon="el-icon-refresh"
@click="reset">重置搜索
<el-button size="small" icon="el-icon-refresh" @click="reset">重置搜索
</el-button>
</el-form-item>
</el-form>
<el-table
ref="multipleTable"
:data="tableData"
border>
<el-table ref="multipleTable" :data="tableData" border>
<el-table-column
sortable="true"
prop="id"
label="ID"
width="60">
<el-table-column sortable="true" prop="id" label="ID" width="60">
</el-table-column>
<el-table-column
prop="username"
label="用户名"
width="150">
<el-table-column prop="username" label="用户名" width="150">
</el-table-column>
<el-table-column
prop="nickname"
label="姓名"
width="100">
<el-table-column prop="nickname" label="姓名" width="100">
</el-table-column>
<el-table-column
prop="email"
label="邮箱">
<el-table-column prop="email" label="邮箱">
</el-table-column>
<el-table-column
prop="otp_secret"
label="OTP密钥"
width="110">
<el-table-column prop="otp_secret" label="OTP密钥" width="110">
<template slot-scope="scope">
<el-button
v-if="!scope.row.disable_otp"
type="text"
icon="el-icon-view"
@click="getOtpImg(scope.row)">
<el-button v-if="!scope.row.disable_otp" type="text" icon="el-icon-view" @click="getOtpImg(scope.row)">
{{ scope.row.otp_secret.substring(0, 6) }}
</el-button>
</template>
</el-table-column>
<el-table-column
prop="groups"
label="用户组">
<el-table-column prop="groups" label="用户组">
<template slot-scope="scope">
<el-row v-for="item in scope.row.groups" :key="item">{{ item }}</el-row>
</template>
</el-table-column>
<el-table-column
prop="status"
label="状态"
width="70">
<el-table-column prop="status" label="状态" width="70">
<template slot-scope="scope">
<el-tag v-if="scope.row.status === 1" type="success">可用</el-tag>
<el-tag v-if="scope.row.status === 0" type="danger">停用</el-tag>
@ -112,20 +69,12 @@
</template>
</el-table-column>
<el-table-column
prop="updated_at"
label="更新时间"
:formatter="tableDateFormat">
<el-table-column prop="updated_at" label="更新时间" :formatter="tableDateFormat">
</el-table-column>
<el-table-column
label="操作"
width="210">
<el-table-column label="操作" width="210">
<template slot-scope="scope">
<el-button
size="mini"
type="primary"
@click="handleEdit(scope.row)">编辑
<el-button size="mini" type="primary" @click="handleEdit(scope.row)">编辑
</el-button>
<!-- <el-popconfirm
@ -139,14 +88,8 @@
</el-button>
</el-popconfirm>-->
<el-popconfirm
class="m-left-10"
@confirm="handleDel(scope.row)"
title="确定要删除用户吗?">
<el-button
slot="reference"
size="mini"
type="danger">删除
<el-popconfirm class="m-left-10" @confirm="handleDel(scope.row)" title="确定要删除用户吗?">
<el-button slot="reference" size="mini" type="danger">删除
</el-button>
</el-popconfirm>
@ -156,34 +99,20 @@
<div class="sh-20"></div>
<el-pagination
background
layout="prev, pager, next"
:pager-count="11"
@current-change="pageChange"
:current-page="page"
:total="count">
<el-pagination background layout="prev, pager, next" :pager-count="11" @current-change="pageChange"
:current-page="page" :total="count">
</el-pagination>
</el-card>
<el-dialog
title="OTP密钥"
:visible.sync="otpImgData.visible"
width="350px"
center>
<el-dialog title="OTP密钥" :visible.sync="otpImgData.visible" width="350px" center>
<div style="text-align: center">{{ otpImgData.username }} : {{ otpImgData.nickname }}</div>
<img :src="otpImgData.base64Img" alt="otp-img"/>
<img :src="otpImgData.base64Img" alt="otp-img" />
</el-dialog>
<!--新增修改弹出框-->
<el-dialog
:close-on-click-modal="false"
title="用户"
:visible="user_edit_dialog"
@close="disVisible"
width="650px"
center>
<el-dialog :close-on-click-modal="false" title="用户" :visible="user_edit_dialog" @close="disVisible" width="650px"
center>
<el-form :model="ruleForm" :rules="rules" ref="ruleForm" label-width="100px" class="ruleForm">
<el-form-item label="用户ID" prop="id">
@ -204,21 +133,13 @@
</el-form-item>
<el-form-item label="过期时间" prop="limittime">
<el-date-picker
v-model="ruleForm.limittime"
type="date"
size="small"
align="center"
style="width:130px"
:picker-options="pickerOptions"
placeholder="选择日期">
<el-date-picker v-model="ruleForm.limittime" type="date" size="small" align="center" style="width:130px"
:picker-options="pickerOptions" placeholder="选择日期">
</el-date-picker>
</el-form-item>
<el-form-item label="禁用OTP" prop="disable_otp">
<el-switch
v-model="ruleForm.disable_otp"
active-text="开启OTP后用户密码为【PIN码+OTP动态码】(中间没有+号)">
<el-switch v-model="ruleForm.disable_otp" active-text="开启OTP后用户密码为PIN码,OTP密码为扫码后生成的动态码">
</el-switch>
</el-form-item>
@ -233,8 +154,7 @@
</el-form-item>
<el-form-item label="发送邮件" prop="send_email">
<el-switch
v-model="ruleForm.send_email">
<el-switch v-model="ruleForm.send_email">
</el-switch>
</el-form-item>
@ -286,7 +206,7 @@ export default {
}
},
searchData: '',
otpImgData: {visible: false, username: '', nickname: '', base64Img: ''},
otpImgData: { visible: false, username: '', nickname: '', base64Img: '' },
ruleForm: {
send_email: true,
status: 1,
@ -294,30 +214,30 @@ export default {
},
rules: {
username: [
{required: true, message: '请输入用户名', trigger: 'blur'},
{max: 50, message: '长度小于 50 个字符', trigger: 'blur'}
{ required: true, message: '请输入用户名', trigger: 'blur' },
{ max: 50, message: '长度小于 50 个字符', trigger: 'blur' }
],
nickname: [
{required: true, message: '请输入用户姓名', trigger: 'blur'}
{ required: true, message: '请输入用户姓名', trigger: 'blur' }
],
email: [
{required: true, message: '请输入用户邮箱', trigger: 'blur'},
{type: 'email', message: '请输入正确的邮箱地址', trigger: ['blur', 'change']}
{ required: true, message: '请输入用户邮箱', trigger: 'blur' },
{ type: 'email', message: '请输入正确的邮箱地址', trigger: ['blur', 'change'] }
],
password: [
{min: 6, message: '长度大于 6 个字符', trigger: 'blur'}
{ min: 6, message: '长度大于 6 个字符', trigger: 'blur' }
],
pin_code: [
{min: 6, message: 'PIN码大于 6 个字符', trigger: 'blur'}
{ min: 6, message: 'PIN码大于 6 个字符', trigger: 'blur' }
],
date1: [
{type: 'date', required: true, message: '请选择日期', trigger: 'change'}
{ type: 'date', required: true, message: '请选择日期', trigger: 'change' }
],
groups: [
{type: 'array', required: true, message: '请至少选择一个组', trigger: 'change'}
{ type: 'array', required: true, message: '请至少选择一个组', trigger: 'change' }
],
status: [
{required: true}
{ required: true }
],
},
}
@ -473,6 +393,4 @@ export default {
}
</script>
<style scoped>
</style>
<style scoped></style>