🔒 改进访问授权验证码安全性 Fix https://github.com/siyuan-note/siyuan/issues/5452

kernel/model/session.go

@@ -63,7 +63,7 @@ func LoginAuth(c *gin.Context) {
 
 	var inputCaptcha string
 	session := util.GetSession(c)
-	if session.NeedCaptcha() {
+	if util.NeedCaptcha() {
 		captchaArg := arg["captcha"]
 		if nil == captchaArg {
 			ret.Code = 1
@@ -71,6 +71,11 @@ func LoginAuth(c *gin.Context) {
 			return
 		}
 		inputCaptcha = captchaArg.(string)
+		if "" == inputCaptcha {
+			ret.Code = 1
+			ret.Msg = Conf.Language(21)
+			return
+		}
 
 		if strings.ToLower(session.Captcha) != strings.ToLower(inputCaptcha) {
 			ret.Code = 1
@@ -84,9 +89,9 @@ func LoginAuth(c *gin.Context) {
 		ret.Code = -1
 		ret.Msg = Conf.Language(83)
 
-		session.WrongAuthCount++
+		util.WrongAuthCount++
 		session.Captcha = gulu.Rand.String(7)
-		if session.NeedCaptcha() {
+		if util.NeedCaptcha() {
 			ret.Code = 1 // 需要渲染验证码
 		}
 
@@ -99,7 +104,7 @@ func LoginAuth(c *gin.Context) {
 	}
 
 	session.AccessAuthCode = authCode
-	session.WrongAuthCount = 0
+	util.WrongAuthCount = 0
 	session.Captcha = gulu.Rand.String(7)
 	if err := session.Save(c); nil != err {
 		logging.LogErrorf("save session failed: " + err.Error())

kernel/util/session.go

@@ -22,16 +22,16 @@ import (
 	"github.com/gin-gonic/gin"
 )
 
-// SessionData represents the session.
-type SessionData struct {
-	ID             int
-	AccessAuthCode string
-	WrongAuthCount int
-	Captcha        string
+var WrongAuthCount int
+
+func NeedCaptcha() bool {
+	return 3 < WrongAuthCount
 }
 
-func (sd *SessionData) NeedCaptcha() bool {
-	return 3 < sd.WrongAuthCount
+// SessionData represents the session.
+type SessionData struct {
+	AccessAuthCode string
+	Captcha        string
 }
 
 // Save saves the current session of the specified context.