From df553981009a46fa94cdca789764d4ad59eb06db Mon Sep 17 00:00:00 2001 From: yubo Date: Thu, 5 Nov 2020 12:20:02 +0800 Subject: [PATCH] add checkPassword to reset password by sms code (#378) * add logout v2 for sso * support sms-code login * use db instead of memory cache for login code * feature: support reset password by sms code * remove deprecated api/code * feature: support image captcha * use db instead of memory cache for sso.auth.state * add authLogin for login, v1/login; support (*)[.local].tpl for tpl file * add username to sms-code api --- src/modules/rdb/http/router_auth.go | 65 ++++++++++++++++++---------- src/modules/rdb/http/router_funcs.go | 13 +++--- src/modules/rdb/http/router_self.go | 2 +- src/modules/rdb/http/router_user.go | 8 ++-- 4 files changed, 55 insertions(+), 33 deletions(-) diff --git a/src/modules/rdb/http/router_auth.go b/src/modules/rdb/http/router_auth.go index f0a3d0fb..b8186b37 100644 --- a/src/modules/rdb/http/router_auth.go +++ b/src/modules/rdb/http/router_auth.go @@ -29,6 +29,9 @@ var ( errUnsupportCaptcha = errors.New("unsupported captcha") errInvalidAnswer = errors.New("Invalid captcha answer") + // TODO: set false + debug = true + // https://captcha.mojotv.cn captchaDirver = base64Captcha.DriverString{ Height: 30, @@ -128,6 +131,7 @@ type authRedirect struct { func authAuthorizeV2(c *gin.Context) { redirect := queryStr(c, "redirect", "/") + log.Printf("---> redirect %s", redirect) ret := &authRedirect{Redirect: redirect} username := cookieUsername(c) @@ -236,6 +240,8 @@ func v1Login(c *gin.Context) { user, err := authLogin(f) renderData(c, *user, err) + + go models.LoginLogNew(user.Username, f.RemoteAddr, "in") } // authLogin called by /v1/rdb/login, /api/rdb/auth/login @@ -298,10 +304,11 @@ func v1SendLoginCodeBySms(c *gin.Context) { return "", err } - // log.Printf("[sms -> %s] %s", phone, buf.String()) + if debug { + return fmt.Sprintf("[debug]: %s", buf.String()), nil + } - // TODO: remove code from msg - return fmt.Sprintf("[debug] msg: %s", buf.String()), nil + return "successed", nil }() renderData(c, msg, err) @@ -344,22 +351,24 @@ func v1SendLoginCodeByEmail(c *gin.Context) { return "", err } - err := redisc.Write(&dataobj.Message{ + if err := redisc.Write(&dataobj.Message{ Tos: []string{email}, Content: buf.String(), - }, config.SMS_QUEUE_NAME) - - // log.Printf("[email -> %s] %s", email, buf.String()) - - // TODO: remove code from msg - return fmt.Sprintf("[debug] msg: %s", buf.String()), err + }, config.SMS_QUEUE_NAME); err != nil { + return "", err + } + if debug { + return fmt.Sprintf("[debug]: %s", buf.String()), nil + } + return "successed", nil }() renderData(c, msg, err) } type sendRstCodeBySmsInput struct { - Phone string `json:"phone"` + Username string `json:"username"` + Phone string `json:"phone"` } func sendRstCodeBySms(c *gin.Context) { @@ -371,9 +380,9 @@ func sendRstCodeBySms(c *gin.Context) { return "", fmt.Errorf("sms sender is disabled") } phone := f.Phone - user, _ := models.UserGet("phone=?", phone) + user, _ := models.UserGet("username=? and phone=?", f.Username, phone) if user == nil { - return "", fmt.Errorf("phone %s dose not exist", phone) + return "", fmt.Errorf("user %s phone %s dose not exist", f.Username, phone) } // general a random code and add cache @@ -402,51 +411,61 @@ func sendRstCodeBySms(c *gin.Context) { return "", err } - // log.Printf("[sms -> %s] %s", phone, buf.String()) + if debug { + return fmt.Sprintf("[debug] msg: %s", buf.String()), nil + } - // TODO: remove code from msg - return fmt.Sprintf("[debug] msg: %s", buf.String()), nil + return "successed", nil }() renderData(c, msg, err) } type rstPasswordInput struct { + Username string `json:"username"` Phone string `json:"phone"` Code string `json:"code"` Password string `json:"password"` + Type string `json:"type"` } func rstPassword(c *gin.Context) { - var in loginInput + var in rstPasswordInput bind(c, &in) err := func() error { - user, _ := models.UserGet("phone=?", in.Phone) + user, _ := models.UserGet("username=? and phone=?", in.Username, in.Phone) if user == nil { - return fmt.Errorf("phone %s dose not exist", in.Phone) + return fmt.Errorf("user's phone not exist") } lc, err := models.LoginCodeGet("username=? and code=? and login_type=?", user.Username, in.Code, models.LOGIN_T_RST) if err != nil { - return fmt.Errorf("invalid code", in.Phone) + return fmt.Errorf("invalid code") } if time.Now().Unix()-lc.CreatedAt > models.LOGIN_EXPIRES_IN { - return fmt.Errorf("the code has expired", in.Phone) + return fmt.Errorf("the code has expired") } + if in.Type == "verify-code" { + return nil + } + defer lc.Del() + // update password if user.Password, err = models.CryptoPass(in.Password); err != nil { return err } - if err = user.Update("password"); err != nil { + if err = checkPassword(in.Password); err != nil { return err } - lc.Del() + if err = user.Update("password"); err != nil { + return err + } return nil }() diff --git a/src/modules/rdb/http/router_funcs.go b/src/modules/rdb/http/router_funcs.go index 820e3ba7..99c906ec 100644 --- a/src/modules/rdb/http/router_funcs.go +++ b/src/modules/rdb/http/router_funcs.go @@ -1,6 +1,7 @@ package http import ( + "fmt" "strconv" "github.com/gin-gonic/gin" @@ -137,12 +138,12 @@ type idsForm struct { Ids []int64 `json:"ids"` } -func checkPassword(passwd string) { +func checkPassword(passwd string) error { indNum := [4]int{0, 0, 0, 0} spCode := []byte{'!', '@', '#', '$', '%', '^', '&', '*', '_', '-', '~', '.', ',', '<', '>', '/', ';', ':', '|', '?', '+', '='} if len(passwd) < 6 { - bomb("password too short") + return fmt.Errorf("password too short") } passwdByte := []byte(passwd) @@ -174,7 +175,7 @@ func checkPassword(passwd string) { } if !has { - bomb("character: %s not supported", string(i)) + return fmt.Errorf("character: %s not supported", string(i)) } } @@ -185,9 +186,11 @@ func checkPassword(passwd string) { codeCount += i } - if codeCount < 3 { - bomb("password too simple") + if codeCount < 4 { + return fmt.Errorf("password too simple") } + + return nil } // ------------ diff --git a/src/modules/rdb/http/router_self.go b/src/modules/rdb/http/router_self.go index d9a104a0..a948ee10 100644 --- a/src/modules/rdb/http/router_self.go +++ b/src/modules/rdb/http/router_self.go @@ -42,7 +42,7 @@ type selfPasswordForm struct { func selfPasswordPut(c *gin.Context) { var f selfPasswordForm bind(c, &f) - checkPassword(f.NewPass) + dangerous(checkPassword(f.NewPass)) oldpass, err := models.CryptoPass(f.OldPass) dangerous(err) diff --git a/src/modules/rdb/http/router_user.go b/src/modules/rdb/http/router_user.go index 08fe70e7..c2cb5da0 100644 --- a/src/modules/rdb/http/router_user.go +++ b/src/modules/rdb/http/router_user.go @@ -49,7 +49,7 @@ func userAddPost(c *gin.Context) { var f userProfileForm bind(c, &f) - checkPassword(f.Password) + dangerous(checkPassword(f.Password)) pass, err := models.CryptoPass(f.Password) dangerous(err) @@ -81,7 +81,7 @@ func userAddPost(c *gin.Context) { func userProfileGet(c *gin.Context) { user := User(urlParamInt64(c, "id")) user.UUID = "" - renderData(c, user,nil) + renderData(c, user, nil) } func userProfilePut(c *gin.Context) { @@ -147,7 +147,7 @@ func userPasswordPut(c *gin.Context) { var f userPasswordForm bind(c, &f) - checkPassword(f.Password) + dangerous(checkPassword(f.Password)) target := User(urlParamInt64(c, "id")) @@ -267,7 +267,7 @@ type userInviteForm struct { func userInvitePost(c *gin.Context) { var f userInviteForm bind(c, &f) - checkPassword(f.Password) + dangerous(checkPassword(f.Password)) inv, err := models.InviteGet("token=?", f.Token) dangerous(err)