451 lines
12 KiB
Go
451 lines
12 KiB
Go
// SiYuan - Refactor your thinking
|
||
// Copyright (c) 2020-present, b3log.org
|
||
//
|
||
// This program is free software: you can redistribute it and/or modify
|
||
// it under the terms of the GNU Affero General Public License as published by
|
||
// the Free Software Foundation, either version 3 of the License, or
|
||
// (at your option) any later version.
|
||
//
|
||
// This program is distributed in the hope that it will be useful,
|
||
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||
// GNU Affero General Public License for more details.
|
||
//
|
||
// You should have received a copy of the GNU Affero General Public License
|
||
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
||
|
||
package model
|
||
|
||
import (
|
||
"image/color"
|
||
"net/http"
|
||
"net/url"
|
||
"os"
|
||
"strconv"
|
||
"strings"
|
||
"sync"
|
||
"time"
|
||
|
||
"github.com/88250/gulu"
|
||
"github.com/gin-gonic/gin"
|
||
"github.com/gorilla/websocket"
|
||
"github.com/siyuan-note/logging"
|
||
"github.com/siyuan-note/siyuan/kernel/util"
|
||
"github.com/steambap/captcha"
|
||
)
|
||
|
||
func LogoutAuth(c *gin.Context) {
|
||
ret := gulu.Ret.NewResult()
|
||
defer c.JSON(http.StatusOK, ret)
|
||
|
||
if "" == Conf.AccessAuthCode {
|
||
ret.Code = -1
|
||
ret.Msg = Conf.Language(86)
|
||
ret.Data = map[string]interface{}{"closeTimeout": 5000}
|
||
return
|
||
}
|
||
|
||
session := util.GetSession(c)
|
||
util.RemoveWorkspaceSession(session)
|
||
if err := session.Save(c); err != nil {
|
||
logging.LogErrorf("saves session failed: " + err.Error())
|
||
ret.Code = -1
|
||
ret.Msg = "save session failed"
|
||
}
|
||
}
|
||
|
||
func LoginAuth(c *gin.Context) {
|
||
ret := gulu.Ret.NewResult()
|
||
defer c.JSON(http.StatusOK, ret)
|
||
|
||
arg, ok := util.JsonArg(c, ret)
|
||
if !ok {
|
||
return
|
||
}
|
||
|
||
var inputCaptcha string
|
||
session := util.GetSession(c)
|
||
workspaceSession := util.GetWorkspaceSession(session)
|
||
if util.NeedCaptcha() {
|
||
captchaArg := arg["captcha"]
|
||
if nil == captchaArg {
|
||
ret.Code = 1
|
||
ret.Msg = Conf.Language(21)
|
||
logging.LogWarnf("invalid captcha")
|
||
return
|
||
}
|
||
inputCaptcha = captchaArg.(string)
|
||
if "" == inputCaptcha {
|
||
ret.Code = 1
|
||
ret.Msg = Conf.Language(21)
|
||
logging.LogWarnf("invalid captcha")
|
||
return
|
||
}
|
||
|
||
if strings.ToLower(workspaceSession.Captcha) != strings.ToLower(inputCaptcha) {
|
||
ret.Code = 1
|
||
ret.Msg = Conf.Language(22)
|
||
logging.LogWarnf("invalid captcha")
|
||
return
|
||
}
|
||
}
|
||
|
||
authCode := arg["authCode"].(string)
|
||
if Conf.AccessAuthCode != authCode {
|
||
ret.Code = -1
|
||
ret.Msg = Conf.Language(83)
|
||
logging.LogWarnf("invalid auth code [ip=%s]", util.GetRemoteAddr(c.Request))
|
||
|
||
util.WrongAuthCount++
|
||
workspaceSession.Captcha = gulu.Rand.String(7)
|
||
if util.NeedCaptcha() {
|
||
ret.Code = 1 // 需要渲染验证码
|
||
}
|
||
|
||
if err := session.Save(c); err != nil {
|
||
logging.LogErrorf("save session failed: " + err.Error())
|
||
c.Status(http.StatusInternalServerError)
|
||
return
|
||
}
|
||
return
|
||
}
|
||
|
||
workspaceSession.AccessAuthCode = authCode
|
||
util.WrongAuthCount = 0
|
||
workspaceSession.Captcha = gulu.Rand.String(7)
|
||
logging.LogInfof("auth success [ip=%s]", util.GetRemoteAddr(c.Request))
|
||
if err := session.Save(c); err != nil {
|
||
logging.LogErrorf("save session failed: " + err.Error())
|
||
c.Status(http.StatusInternalServerError)
|
||
return
|
||
}
|
||
}
|
||
|
||
func GetCaptcha(c *gin.Context) {
|
||
img, err := captcha.New(100, 26, func(options *captcha.Options) {
|
||
options.CharPreset = "ABCDEFGHKLMNPQRSTUVWXYZ23456789"
|
||
options.Noise = 0.5
|
||
options.CurveNumber = 0
|
||
options.BackgroundColor = color.White
|
||
})
|
||
if err != nil {
|
||
logging.LogErrorf("generates captcha failed: " + err.Error())
|
||
c.Status(http.StatusInternalServerError)
|
||
return
|
||
}
|
||
|
||
session := util.GetSession(c)
|
||
workspaceSession := util.GetWorkspaceSession(session)
|
||
workspaceSession.Captcha = img.Text
|
||
if err = session.Save(c); err != nil {
|
||
logging.LogErrorf("save session failed: " + err.Error())
|
||
c.Status(http.StatusInternalServerError)
|
||
return
|
||
}
|
||
|
||
if err = img.WriteImage(c.Writer); err != nil {
|
||
logging.LogErrorf("writes captcha image failed: " + err.Error())
|
||
c.Status(http.StatusInternalServerError)
|
||
return
|
||
}
|
||
c.Status(http.StatusOK)
|
||
}
|
||
|
||
func CheckReadonly(c *gin.Context) {
|
||
if util.ReadOnly {
|
||
result := util.NewResult()
|
||
result.Code = -1
|
||
result.Msg = Conf.Language(34)
|
||
result.Data = map[string]interface{}{"closeTimeout": 5000}
|
||
c.JSON(http.StatusOK, result)
|
||
c.Abort()
|
||
return
|
||
}
|
||
}
|
||
|
||
func CheckAuth(c *gin.Context) {
|
||
// 已通过 JWT 认证
|
||
if role := GetGinContextRole(c); IsValidRole(role, []Role{
|
||
RoleAdministrator,
|
||
RoleEditor,
|
||
RoleReader,
|
||
}) {
|
||
c.Next()
|
||
return
|
||
}
|
||
|
||
//logging.LogInfof("check auth for [%s]", c.Request.RequestURI)
|
||
localhost := util.IsLocalHost(c.Request.RemoteAddr)
|
||
|
||
// 未设置访问授权码
|
||
if "" == Conf.AccessAuthCode {
|
||
// Skip the empty access authorization code check https://github.com/siyuan-note/siyuan/issues/9709
|
||
if util.SiyuanAccessAuthCodeBypass {
|
||
c.Set(RoleContextKey, RoleAdministrator)
|
||
c.Next()
|
||
return
|
||
}
|
||
|
||
// Authenticate requests with the Origin header other than 127.0.0.1 https://github.com/siyuan-note/siyuan/issues/9180
|
||
clientIP := c.ClientIP()
|
||
host := c.GetHeader("Host")
|
||
origin := c.GetHeader("Origin")
|
||
forwardedHost := c.GetHeader("X-Forwarded-Host")
|
||
if !localhost ||
|
||
("" != clientIP && !util.IsLocalHostname(clientIP)) ||
|
||
("" != host && !util.IsLocalHost(host)) ||
|
||
("" != origin && !util.IsLocalOrigin(origin) && !strings.HasPrefix(origin, "chrome-extension://")) ||
|
||
("" != forwardedHost && !util.IsLocalHost(forwardedHost)) {
|
||
c.JSON(http.StatusUnauthorized, map[string]interface{}{"code": -1, "msg": "Auth failed: for security reasons, please set [Access authorization code] when using non-127.0.0.1 access\n\n为安全起见,使用非 127.0.0.1 访问时请设置 [访问授权码]"})
|
||
c.Abort()
|
||
return
|
||
}
|
||
|
||
c.Set(RoleContextKey, RoleAdministrator)
|
||
c.Next()
|
||
return
|
||
}
|
||
|
||
// 放过 /appearance/
|
||
if strings.HasPrefix(c.Request.RequestURI, "/appearance/") ||
|
||
strings.HasPrefix(c.Request.RequestURI, "/stage/build/export/") ||
|
||
strings.HasPrefix(c.Request.RequestURI, "/stage/build/fonts/") ||
|
||
strings.HasPrefix(c.Request.RequestURI, "/stage/protyle/") {
|
||
c.Next()
|
||
return
|
||
}
|
||
|
||
// 放过来自本机的某些请求
|
||
if localhost {
|
||
if strings.HasPrefix(c.Request.RequestURI, "/assets/") || strings.HasPrefix(c.Request.RequestURI, "/export/") {
|
||
c.Set(RoleContextKey, RoleAdministrator)
|
||
c.Next()
|
||
return
|
||
}
|
||
if strings.HasPrefix(c.Request.RequestURI, "/api/system/exit") {
|
||
c.Set(RoleContextKey, RoleAdministrator)
|
||
c.Next()
|
||
return
|
||
}
|
||
if strings.HasPrefix(c.Request.RequestURI, "/api/system/getNetwork") {
|
||
c.Set(RoleContextKey, RoleAdministrator)
|
||
c.Next()
|
||
return
|
||
}
|
||
if strings.HasPrefix(c.Request.RequestURI, "/api/sync/performSync") {
|
||
if util.ContainerIOS == util.Container || util.ContainerAndroid == util.Container {
|
||
c.Set(RoleContextKey, RoleAdministrator)
|
||
c.Next()
|
||
return
|
||
}
|
||
}
|
||
}
|
||
|
||
// 通过 Cookie
|
||
session := util.GetSession(c)
|
||
workspaceSession := util.GetWorkspaceSession(session)
|
||
if workspaceSession.AccessAuthCode == Conf.AccessAuthCode {
|
||
c.Set(RoleContextKey, RoleAdministrator)
|
||
c.Next()
|
||
return
|
||
}
|
||
|
||
// 通过 BasicAuth (header: Authorization)
|
||
if username, password, ok := c.Request.BasicAuth(); ok {
|
||
// 使用访问授权码作为密码
|
||
if util.WorkspaceName == username && Conf.AccessAuthCode == password {
|
||
c.Set(RoleContextKey, RoleAdministrator)
|
||
c.Next()
|
||
return
|
||
}
|
||
}
|
||
|
||
// 通过 API token (header: Authorization)
|
||
if authHeader := c.GetHeader("Authorization"); "" != authHeader {
|
||
var token string
|
||
if strings.HasPrefix(authHeader, "Token ") {
|
||
token = strings.TrimPrefix(authHeader, "Token ")
|
||
} else if strings.HasPrefix(authHeader, "token ") {
|
||
token = strings.TrimPrefix(authHeader, "token ")
|
||
} else if strings.HasPrefix(authHeader, "Bearer ") {
|
||
token = strings.TrimPrefix(authHeader, "Bearer ")
|
||
} else if strings.HasPrefix(authHeader, "bearer ") {
|
||
token = strings.TrimPrefix(authHeader, "bearer ")
|
||
}
|
||
|
||
if "" != token {
|
||
if Conf.Api.Token == token {
|
||
c.Set(RoleContextKey, RoleAdministrator)
|
||
c.Next()
|
||
return
|
||
}
|
||
|
||
c.JSON(http.StatusUnauthorized, map[string]interface{}{"code": -1, "msg": "Auth failed [header: Authorization]"})
|
||
c.Abort()
|
||
return
|
||
}
|
||
}
|
||
|
||
// 通过 API token (query-params: token)
|
||
if token := c.Query("token"); "" != token {
|
||
if Conf.Api.Token == token {
|
||
c.Set(RoleContextKey, RoleAdministrator)
|
||
c.Next()
|
||
return
|
||
}
|
||
|
||
c.JSON(http.StatusUnauthorized, map[string]interface{}{"code": -1, "msg": "Auth failed [query: token]"})
|
||
c.Abort()
|
||
return
|
||
}
|
||
|
||
// WebDAV BasicAuth Authenticate
|
||
if strings.HasPrefix(c.Request.RequestURI, "/webdav") {
|
||
c.Header("WWW-Authenticate", "Basic realm=Authorization Required")
|
||
c.AbortWithStatus(http.StatusUnauthorized)
|
||
return
|
||
}
|
||
|
||
// 跳过访问授权页
|
||
if "/check-auth" == c.Request.URL.Path {
|
||
c.Next()
|
||
return
|
||
}
|
||
|
||
if workspaceSession.AccessAuthCode != Conf.AccessAuthCode {
|
||
userAgentHeader := c.GetHeader("User-Agent")
|
||
if strings.HasPrefix(userAgentHeader, "SiYuan/") || strings.HasPrefix(userAgentHeader, "Mozilla/") {
|
||
if "GET" != c.Request.Method || c.IsWebsocket() {
|
||
c.JSON(http.StatusUnauthorized, map[string]interface{}{"code": -1, "msg": Conf.Language(156)})
|
||
c.Abort()
|
||
return
|
||
}
|
||
|
||
location := url.URL{}
|
||
queryParams := url.Values{}
|
||
queryParams.Set("to", c.Request.URL.String())
|
||
location.RawQuery = queryParams.Encode()
|
||
location.Path = "/check-auth"
|
||
|
||
c.Redirect(http.StatusFound, location.String())
|
||
c.Abort()
|
||
return
|
||
}
|
||
|
||
c.JSON(http.StatusUnauthorized, map[string]interface{}{"code": -1, "msg": "Auth failed [session]"})
|
||
c.Abort()
|
||
return
|
||
}
|
||
|
||
c.Set(RoleContextKey, RoleAdministrator)
|
||
c.Next()
|
||
}
|
||
|
||
func CheckAdminRole(c *gin.Context) {
|
||
if IsAdminRoleContext(c) {
|
||
c.Next()
|
||
} else {
|
||
c.AbortWithStatus(http.StatusForbidden)
|
||
}
|
||
}
|
||
|
||
func CheckEditRole(c *gin.Context) {
|
||
if IsValidRole(GetGinContextRole(c), []Role{
|
||
RoleAdministrator,
|
||
RoleEditor,
|
||
}) {
|
||
c.Next()
|
||
} else {
|
||
c.AbortWithStatus(http.StatusForbidden)
|
||
}
|
||
}
|
||
|
||
func CheckReadRole(c *gin.Context) {
|
||
if IsValidRole(GetGinContextRole(c), []Role{
|
||
RoleAdministrator,
|
||
RoleEditor,
|
||
RoleReader,
|
||
}) {
|
||
c.Next()
|
||
} else {
|
||
c.AbortWithStatus(http.StatusForbidden)
|
||
}
|
||
}
|
||
|
||
var timingAPIs = map[string]int{
|
||
"/api/search/fullTextSearchBlock": 200, // Monitor the search performance and suggest solutions https://github.com/siyuan-note/siyuan/issues/7873
|
||
}
|
||
|
||
func Timing(c *gin.Context) {
|
||
p := c.Request.URL.Path
|
||
tip, ok := timingAPIs[p]
|
||
if !ok {
|
||
c.Next()
|
||
return
|
||
}
|
||
|
||
timing := 15 * 1000
|
||
if timingEnv := os.Getenv("SIYUAN_PERFORMANCE_TIMING"); "" != timingEnv {
|
||
val, err := strconv.Atoi(timingEnv)
|
||
if err == nil {
|
||
timing = val
|
||
}
|
||
}
|
||
|
||
now := time.Now().UnixMilli()
|
||
c.Next()
|
||
elapsed := int(time.Now().UnixMilli() - now)
|
||
if timing < elapsed {
|
||
logging.LogWarnf("[%s] elapsed [%dms]", c.Request.RequestURI, elapsed)
|
||
util.PushMsg(Conf.Language(tip), 7000)
|
||
}
|
||
}
|
||
|
||
func Recover(c *gin.Context) {
|
||
defer logging.Recover()
|
||
c.Next()
|
||
}
|
||
|
||
var (
|
||
requestingLock = sync.Mutex{}
|
||
requesting = map[string]*sync.Mutex{}
|
||
)
|
||
|
||
func ControlConcurrency(c *gin.Context) {
|
||
if websocket.IsWebSocketUpgrade(c.Request) {
|
||
c.Next()
|
||
return
|
||
}
|
||
|
||
reqPath := c.Request.URL.Path
|
||
|
||
// Improve the concurrency of the kernel data reading interfaces https://github.com/siyuan-note/siyuan/issues/10149
|
||
if strings.HasPrefix(reqPath, "/stage/") || strings.HasPrefix(reqPath, "/assets/") || strings.HasPrefix(reqPath, "/appearance/") {
|
||
c.Next()
|
||
return
|
||
}
|
||
|
||
parts := strings.Split(reqPath, "/")
|
||
function := parts[len(parts)-1]
|
||
if strings.HasPrefix(function, "get") || strings.HasPrefix(function, "list") ||
|
||
strings.HasPrefix(function, "search") || strings.HasPrefix(function, "render") || strings.HasPrefix(function, "ls") {
|
||
c.Next()
|
||
return
|
||
}
|
||
if strings.HasPrefix(function, "/api/query/") || strings.HasPrefix(function, "/api/search/") {
|
||
c.Next()
|
||
return
|
||
}
|
||
|
||
requestingLock.Lock()
|
||
mutex := requesting[reqPath]
|
||
if nil == mutex {
|
||
mutex = &sync.Mutex{}
|
||
requesting[reqPath] = mutex
|
||
}
|
||
requestingLock.Unlock()
|
||
|
||
mutex.Lock()
|
||
defer mutex.Unlock()
|
||
c.Next()
|
||
}
|