2025-10-24 00:09:45 +08:00
|
|
|
|
package admin
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
2026-03-18 21:51:17 +08:00
|
|
|
|
"NetworkAuth/controllers"
|
|
|
|
|
|
"NetworkAuth/database"
|
|
|
|
|
|
"NetworkAuth/models"
|
|
|
|
|
|
"NetworkAuth/services"
|
|
|
|
|
|
"NetworkAuth/utils"
|
2025-10-24 00:09:45 +08:00
|
|
|
|
"fmt"
|
|
|
|
|
|
"net/http"
|
|
|
|
|
|
"strings"
|
|
|
|
|
|
"time"
|
|
|
|
|
|
|
2025-10-26 14:48:02 +08:00
|
|
|
|
"github.com/gin-gonic/gin"
|
2025-10-24 00:09:45 +08:00
|
|
|
|
"github.com/golang-jwt/jwt/v5"
|
|
|
|
|
|
"github.com/spf13/viper"
|
|
|
|
|
|
)
|
|
|
|
|
|
|
2025-10-27 23:12:15 +08:00
|
|
|
|
// ============================================================================
|
|
|
|
|
|
// 全局变量
|
|
|
|
|
|
// ============================================================================
|
|
|
|
|
|
|
2025-10-26 14:48:02 +08:00
|
|
|
|
// 创建BaseController实例
|
|
|
|
|
|
var authBaseController = controllers.NewBaseController()
|
|
|
|
|
|
|
2025-10-27 23:12:15 +08:00
|
|
|
|
// ============================================================================
|
2026-03-28 23:30:02 +08:00
|
|
|
|
// API处理器
|
2025-10-27 23:12:15 +08:00
|
|
|
|
// ============================================================================
|
|
|
|
|
|
|
2026-03-28 23:30:02 +08:00
|
|
|
|
// CSRFTokenHandler 获取CSRF令牌接口
|
|
|
|
|
|
func CSRFTokenHandler(c *gin.Context) {
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// 尝试从Cookie获取
|
2026-03-28 23:30:02 +08:00
|
|
|
|
var token string
|
2026-03-18 21:51:17 +08:00
|
|
|
|
if cookie, err := c.Cookie(CSRFCookieName); err == nil && cookie != "" {
|
|
|
|
|
|
token = cookie
|
2025-10-26 03:05:27 +08:00
|
|
|
|
} else {
|
|
|
|
|
|
newToken, err := utils.GenerateCSRFToken()
|
|
|
|
|
|
if err != nil {
|
2026-03-28 23:30:02 +08:00
|
|
|
|
authBaseController.HandleInternalError(c, "生成CSRF令牌失败", err)
|
2025-10-26 03:05:27 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
token = newToken
|
2026-03-18 21:51:17 +08:00
|
|
|
|
setCSRFToken(c, token)
|
2025-10-26 03:05:27 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-28 23:30:02 +08:00
|
|
|
|
authBaseController.HandleSuccess(c, "success", gin.H{
|
|
|
|
|
|
"csrf_token": token,
|
|
|
|
|
|
})
|
2025-10-24 00:09:45 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// LoginHandler 管理员登录接口
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// - 接收JSON: {username, password, captcha, csrf_token}
|
|
|
|
|
|
// - 验证CSRF令牌
|
|
|
|
|
|
// - 验证验证码
|
2025-10-24 00:09:45 +08:00
|
|
|
|
// - 验证用户存在与密码正确性
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// - 仅允许管理员登录
|
|
|
|
|
|
// - 成功后设置JWT Cookie
|
2025-10-26 14:48:02 +08:00
|
|
|
|
func LoginHandler(c *gin.Context) {
|
2025-10-24 00:09:45 +08:00
|
|
|
|
var body struct {
|
2026-03-18 21:51:17 +08:00
|
|
|
|
Username string `json:"username"`
|
|
|
|
|
|
Password string `json:"password"`
|
|
|
|
|
|
Captcha string `json:"captcha"`
|
|
|
|
|
|
CSRFToken string `json:"csrf_token"`
|
2025-10-24 00:09:45 +08:00
|
|
|
|
}
|
2025-10-27 23:12:15 +08:00
|
|
|
|
|
2025-10-26 14:48:02 +08:00
|
|
|
|
if !authBaseController.BindJSON(c, &body) {
|
2025-10-24 00:09:45 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
2025-10-27 23:12:15 +08:00
|
|
|
|
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// 1. 验证CSRF令牌 (Gin 方式)
|
|
|
|
|
|
if !validateCSRFToken(c, body.CSRFToken) {
|
|
|
|
|
|
authBaseController.HandleValidationError(c, "CSRF令牌验证失败")
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-26 14:48:02 +08:00
|
|
|
|
if !authBaseController.ValidateRequired(c, map[string]interface{}{
|
|
|
|
|
|
"用户名": body.Username,
|
|
|
|
|
|
"密码": body.Password,
|
|
|
|
|
|
"验证码": body.Captcha,
|
|
|
|
|
|
}) {
|
2025-10-24 03:08:43 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 验证验证码
|
2025-10-26 14:48:02 +08:00
|
|
|
|
if !VerifyCaptcha(c, body.Captcha) {
|
2026-03-18 21:51:17 +08:00
|
|
|
|
recordLoginLog(c, body.Username, 0, "验证码错误")
|
2025-10-26 14:48:02 +08:00
|
|
|
|
authBaseController.HandleValidationError(c, "验证码错误")
|
2025-10-24 03:08:43 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
2025-10-24 00:09:45 +08:00
|
|
|
|
|
2026-03-28 23:30:02 +08:00
|
|
|
|
// 从数据库中查找对应的用户
|
|
|
|
|
|
db, err := database.GetDB()
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
recordLoginLog(c, body.Username, 0, "数据库连接失败")
|
|
|
|
|
|
authBaseController.HandleInternalError(c, "数据库连接失败", err)
|
2025-10-26 09:35:07 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-28 23:30:02 +08:00
|
|
|
|
var user models.User
|
|
|
|
|
|
if err := db.Where("username = ? AND role = ?", body.Username, 0).First(&user).Error; err != nil {
|
|
|
|
|
|
recordLoginLog(c, body.Username, 0, "用户不存在或非管理员")
|
2025-10-26 14:48:02 +08:00
|
|
|
|
authBaseController.HandleValidationError(c, "用户不存在或密码错误")
|
2025-10-26 09:35:07 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// 验证密码(使用盐值校验)
|
2026-03-28 23:30:02 +08:00
|
|
|
|
if !utils.VerifyPasswordWithSalt(body.Password, user.PasswordSalt, user.Password) {
|
2026-03-18 21:51:17 +08:00
|
|
|
|
recordLoginLog(c, body.Username, 0, "密码错误")
|
2025-10-26 14:48:02 +08:00
|
|
|
|
authBaseController.HandleValidationError(c, "用户不存在或密码错误")
|
2025-10-24 00:09:45 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 生成JWT令牌
|
2026-03-28 23:30:02 +08:00
|
|
|
|
token, err := generateJWTTokenForAdmin(user.Username, user.Password, user.UUID)
|
2025-10-24 00:09:45 +08:00
|
|
|
|
if err != nil {
|
2026-03-18 21:51:17 +08:00
|
|
|
|
recordLoginLog(c, body.Username, 0, "生成令牌失败")
|
2025-10-26 14:48:02 +08:00
|
|
|
|
authBaseController.HandleInternalError(c, "生成令牌失败", err)
|
2025-10-24 00:09:45 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// 设置JWT Cookie(HttpOnly,安全)
|
|
|
|
|
|
// 使用系统配置的Cookie参数
|
2026-03-28 23:30:02 +08:00
|
|
|
|
settingsService := services.GetSettingsService()
|
2026-03-18 21:51:17 +08:00
|
|
|
|
secure, sameSite, domain, maxAge := settingsService.GetCookieConfig()
|
|
|
|
|
|
cookie := utils.CreateSecureCookie("admin_session", token, maxAge, domain, secure, sameSite)
|
2025-10-26 14:48:02 +08:00
|
|
|
|
c.SetCookie(cookie.Name, cookie.Value, cookie.MaxAge, cookie.Path, cookie.Domain, cookie.Secure, cookie.HttpOnly)
|
2025-10-24 00:09:45 +08:00
|
|
|
|
|
2026-03-18 21:51:17 +08:00
|
|
|
|
recordLoginLog(c, body.Username, 1, "登录成功")
|
2025-10-26 14:48:02 +08:00
|
|
|
|
authBaseController.HandleSuccess(c, "登录成功", gin.H{
|
2025-10-24 00:09:45 +08:00
|
|
|
|
"redirect": "/admin",
|
2026-03-28 23:30:02 +08:00
|
|
|
|
"avatar": user.Avatar,
|
|
|
|
|
|
"nickname": user.Nickname,
|
|
|
|
|
|
"username": user.Username,
|
2026-03-31 02:14:08 +08:00
|
|
|
|
"token": token,
|
2025-10-24 00:09:45 +08:00
|
|
|
|
})
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// recordLoginLog 记录登录日志
|
|
|
|
|
|
// status: 1-成功, 0-失败
|
|
|
|
|
|
func recordLoginLog(c *gin.Context, username string, status int, message string) {
|
|
|
|
|
|
db, err := database.GetDB()
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
// 记录日志失败不应影响主流程,但可以记录到系统日志
|
|
|
|
|
|
fmt.Printf("Failed to connect to database for login log: %v\n", err)
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
log := models.LoginLog{
|
|
|
|
|
|
Type: "admin",
|
|
|
|
|
|
Username: username,
|
|
|
|
|
|
IP: c.ClientIP(),
|
|
|
|
|
|
Status: status,
|
|
|
|
|
|
Message: message,
|
|
|
|
|
|
UserAgent: c.Request.UserAgent(),
|
|
|
|
|
|
CreatedAt: time.Now(),
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if err := db.Create(&log).Error; err != nil {
|
|
|
|
|
|
fmt.Printf("Failed to create login log: %v\n", err)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-24 00:09:45 +08:00
|
|
|
|
// LogoutHandler 管理员登出
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// - 清理JWT Cookie会话
|
2025-10-24 00:09:45 +08:00
|
|
|
|
// - 确保令牌完全失效
|
2025-10-26 14:48:02 +08:00
|
|
|
|
func LogoutHandler(c *gin.Context) {
|
2025-10-24 00:09:45 +08:00
|
|
|
|
// 清理JWT Cookie
|
2025-10-26 14:48:02 +08:00
|
|
|
|
clearInvalidJWTCookie(c)
|
2025-10-26 01:51:25 +08:00
|
|
|
|
|
2025-10-26 14:48:02 +08:00
|
|
|
|
authBaseController.HandleSuccess(c, "已退出登录", gin.H{
|
2025-10-26 01:51:25 +08:00
|
|
|
|
"redirect": "/admin/login",
|
|
|
|
|
|
})
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// ============================================================================
|
|
|
|
|
|
// CSRF 相关辅助函数
|
|
|
|
|
|
// ============================================================================
|
|
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
|
CSRFCookieName = "csrf_token"
|
|
|
|
|
|
CSRFHeaderName = "X-CSRF-Token"
|
|
|
|
|
|
CSRFFormField = "csrf_token"
|
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
// setCSRFToken 设置CSRF令牌到Cookie (Gin适配)
|
|
|
|
|
|
func setCSRFToken(c *gin.Context, token string) {
|
|
|
|
|
|
c.SetCookie(CSRFCookieName, token, 3600*24, "/", "", false, false)
|
|
|
|
|
|
c.Header(CSRFHeaderName, token)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// validateCSRFToken 验证CSRF令牌 (Gin适配)
|
|
|
|
|
|
func validateCSRFToken(c *gin.Context, requestToken string) bool {
|
|
|
|
|
|
// 获取Cookie中的令牌
|
|
|
|
|
|
cookie, err := c.Cookie(CSRFCookieName)
|
|
|
|
|
|
if err != nil || cookie == "" {
|
|
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
cookieToken := cookie
|
|
|
|
|
|
|
|
|
|
|
|
// 如果请求体中没有提供token,尝试从Header获取
|
|
|
|
|
|
if requestToken == "" {
|
|
|
|
|
|
requestToken = c.GetHeader(CSRFHeaderName)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if requestToken == "" {
|
|
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 使用常量时间比较
|
|
|
|
|
|
return strings.Compare(cookieToken, requestToken) == 0
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-27 23:12:15 +08:00
|
|
|
|
// ============================================================================
|
|
|
|
|
|
// 辅助函数
|
|
|
|
|
|
// ============================================================================
|
|
|
|
|
|
|
|
|
|
|
|
// clearInvalidJWTCookie 清理无效的JWT Cookie
|
2025-10-26 01:51:25 +08:00
|
|
|
|
// - 统一的Cookie清理函数,确保一致性
|
|
|
|
|
|
// - 在JWT校验失败时自动调用,提升安全性和用户体验
|
2025-10-26 14:48:02 +08:00
|
|
|
|
func clearInvalidJWTCookie(c *gin.Context) {
|
2026-03-18 21:51:17 +08:00
|
|
|
|
_, _, domain, _ := services.GetSettingsService().GetCookieConfig()
|
|
|
|
|
|
cookie := utils.CreateExpiredCookie("admin_session", domain)
|
2025-10-26 14:48:02 +08:00
|
|
|
|
c.SetCookie(cookie.Name, cookie.Value, cookie.MaxAge, cookie.Path, cookie.Domain, cookie.Secure, cookie.HttpOnly)
|
2025-10-24 00:09:45 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-26 11:57:31 +08:00
|
|
|
|
// getJWTSecret 动态获取当前的JWT密钥
|
|
|
|
|
|
// 修复安全漏洞:确保每次都从最新配置中获取密钥,而不是使用启动时的全局变量
|
|
|
|
|
|
func getJWTSecret() []byte {
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// 1. 尝试从数据库设置获取
|
|
|
|
|
|
settingsService := services.GetSettingsService()
|
|
|
|
|
|
if secret := settingsService.GetJWTSecret(); secret != "" {
|
|
|
|
|
|
return []byte(secret)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 2. 尝试从配置文件获取(兼容旧配置)
|
|
|
|
|
|
if secret := viper.GetString("security.jwt_secret"); secret != "" {
|
|
|
|
|
|
return []byte(secret)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 3. 使用默认不安全密钥(仅开发环境)
|
|
|
|
|
|
return []byte("default-insecure-jwt-secret")
|
2025-10-26 11:57:31 +08:00
|
|
|
|
}
|
2025-10-24 00:09:45 +08:00
|
|
|
|
|
2025-10-27 23:12:15 +08:00
|
|
|
|
// ============================================================================
|
|
|
|
|
|
// 结构体定义
|
|
|
|
|
|
// ============================================================================
|
|
|
|
|
|
|
|
|
|
|
|
// JWTClaims JWT载荷结构体
|
2025-10-24 00:09:45 +08:00
|
|
|
|
type JWTClaims struct {
|
2025-10-26 01:51:25 +08:00
|
|
|
|
Username string `json:"username"`
|
2026-03-18 21:51:17 +08:00
|
|
|
|
UUID string `json:"uuid"` // 添加虚拟角色UUID
|
|
|
|
|
|
Role int `json:"role"` // 添加虚拟角色
|
2025-10-26 01:51:25 +08:00
|
|
|
|
PasswordHash string `json:"password_hash"` // 密码哈希摘要,用于验证密码是否被修改
|
2025-10-24 00:09:45 +08:00
|
|
|
|
jwt.RegisteredClaims
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-26 09:35:07 +08:00
|
|
|
|
// generateJWTTokenForAdmin 生成管理员JWT令牌
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// - 包含管理员用户名信息和密码哈希
|
|
|
|
|
|
// - 设置过期时间
|
2025-10-24 00:09:45 +08:00
|
|
|
|
// - 使用HMAC-SHA256签名
|
2026-03-28 23:30:02 +08:00
|
|
|
|
func generateJWTTokenForAdmin(username, passwordHash string, adminUUID string) (string, error) {
|
2025-10-26 01:51:25 +08:00
|
|
|
|
// 生成密码哈希摘要(使用SHA256)
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// 注意:传入的 passwordHash 已经是数据库存的 Hash,这里我们再次 Hash 还是直接用?
|
|
|
|
|
|
// atomicLibrary 的实现是: utils.GenerateSHA256Hash(adminUser.Password)
|
|
|
|
|
|
// 这里我们直接用数据库里的 Hash 值作为 Token 的一部分即可,或者对它再 Hash 一次。
|
|
|
|
|
|
// 为了与 validateAdminPasswordHash 对应,我们需要知道验证时怎么比对。
|
|
|
|
|
|
// validateAdminPasswordHash: currentPasswordHash := utils.GenerateSHA256Hash(adminPassword.Value)
|
|
|
|
|
|
// 所以这里也应该对数据库里的值进行 Hash。
|
|
|
|
|
|
passwordHashDigest := utils.GenerateSHA256Hash(passwordHash)
|
|
|
|
|
|
|
2025-10-24 00:09:45 +08:00
|
|
|
|
claims := JWTClaims{
|
2026-03-18 21:51:17 +08:00
|
|
|
|
Username: username,
|
|
|
|
|
|
UUID: adminUUID,
|
|
|
|
|
|
Role: 0, // 0表示超级管理员
|
2025-10-26 01:51:25 +08:00
|
|
|
|
PasswordHash: passwordHashDigest, // 包含密码哈希摘要
|
2025-10-24 00:09:45 +08:00
|
|
|
|
RegisteredClaims: jwt.RegisteredClaims{
|
2026-03-18 21:51:17 +08:00
|
|
|
|
ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Duration(services.GetSettingsService().GetJWTExpire()) * time.Hour)),
|
2025-10-24 00:09:45 +08:00
|
|
|
|
IssuedAt: jwt.NewNumericDate(time.Now()),
|
|
|
|
|
|
NotBefore: jwt.NewNumericDate(time.Now()),
|
2026-03-18 21:51:17 +08:00
|
|
|
|
Issuer: "NetworkAuth",
|
|
|
|
|
|
Subject: username,
|
2025-10-24 00:09:45 +08:00
|
|
|
|
},
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
2025-10-26 11:57:31 +08:00
|
|
|
|
return token.SignedString(getJWTSecret())
|
2025-10-24 00:09:45 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// parseJWTToken 解析并验证JWT令牌
|
|
|
|
|
|
// - 验证签名有效性
|
|
|
|
|
|
// - 检查过期时间
|
|
|
|
|
|
// - 返回用户信息
|
|
|
|
|
|
func parseJWTToken(tokenString string) (*JWTClaims, error) {
|
|
|
|
|
|
token, err := jwt.ParseWithClaims(tokenString, &JWTClaims{}, func(token *jwt.Token) (interface{}, error) {
|
|
|
|
|
|
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
|
|
|
|
|
|
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
|
|
|
|
|
|
}
|
2025-10-26 11:57:31 +08:00
|
|
|
|
return getJWTSecret(), nil
|
2025-10-24 00:09:45 +08:00
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if claims, ok := token.Claims.(*JWTClaims); ok && token.Valid {
|
|
|
|
|
|
return claims, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return nil, fmt.Errorf("invalid token")
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-31 02:14:08 +08:00
|
|
|
|
// getJWTCookie 获取JWT cookie的通用函数,支持从Cookie或Authorization Header中获取
|
2025-10-26 14:48:02 +08:00
|
|
|
|
func getJWTCookie(c *gin.Context) (string, error) {
|
2026-03-31 02:14:08 +08:00
|
|
|
|
cookie, err := c.Cookie("admin_session")
|
|
|
|
|
|
if err == nil && cookie != "" {
|
|
|
|
|
|
return cookie, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 如果Cookie中没有,尝试从Authorization Header中获取 (兼容前端在非HTTPS环境下无法设置Secure Cookie的情况)
|
|
|
|
|
|
authHeader := c.GetHeader("Authorization")
|
|
|
|
|
|
if authHeader != "" && strings.HasPrefix(authHeader, "Bearer ") {
|
|
|
|
|
|
token := strings.TrimPrefix(authHeader, "Bearer ")
|
|
|
|
|
|
return token, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return "", fmt.Errorf("未找到会话信息")
|
2025-10-26 11:57:31 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// validateAdminPasswordHash 验证管理员密码哈希的通用函数
|
2025-10-26 14:48:02 +08:00
|
|
|
|
func validateAdminPasswordHash(claims *JWTClaims, c *gin.Context) bool {
|
2025-10-26 11:57:31 +08:00
|
|
|
|
// 【安全修复】验证数据库中的当前密码哈希
|
|
|
|
|
|
// 这确保了密码修改后,旧的JWT令牌会失效
|
|
|
|
|
|
db, err := database.GetDB()
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
fmt.Printf("[SECURITY WARNING] Database connection failed during auth - Username=%s, IP=%s\n",
|
2025-10-26 14:48:02 +08:00
|
|
|
|
claims.Username, c.ClientIP())
|
2025-10-26 11:57:31 +08:00
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-28 23:30:02 +08:00
|
|
|
|
// 获取当前数据库中的管理员用户
|
|
|
|
|
|
var adminUser models.User
|
|
|
|
|
|
if err := db.Where("username = ? AND role = ?", claims.Username, 0).First(&adminUser).Error; err != nil {
|
|
|
|
|
|
fmt.Printf("[SECURITY WARNING] Admin user not found in database - Username=%s, IP=%s\n",
|
2025-10-26 14:48:02 +08:00
|
|
|
|
claims.Username, c.ClientIP())
|
2025-10-26 11:57:31 +08:00
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 生成当前数据库密码的哈希摘要
|
2026-03-28 23:30:02 +08:00
|
|
|
|
currentPasswordHash := utils.GenerateSHA256Hash(adminUser.Password)
|
2025-10-26 11:57:31 +08:00
|
|
|
|
|
|
|
|
|
|
// 验证JWT中的密码哈希是否与当前数据库中的密码哈希一致
|
|
|
|
|
|
if claims.PasswordHash != currentPasswordHash {
|
|
|
|
|
|
fmt.Printf("[SECURITY WARNING] Password hash mismatch - JWT token invalidated - Username=%s, IP=%s\n",
|
2025-10-26 14:48:02 +08:00
|
|
|
|
claims.Username, c.ClientIP())
|
2025-10-26 11:57:31 +08:00
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return true
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// IsAdminAuthenticated 判断管理员是否已认证(Gin版本)
|
2025-10-24 00:09:45 +08:00
|
|
|
|
// - 检查admin_session Cookie中的JWT令牌
|
|
|
|
|
|
// - 验证令牌签名、过期时间和用户角色
|
2025-10-26 14:48:02 +08:00
|
|
|
|
func IsAdminAuthenticated(c *gin.Context) bool {
|
|
|
|
|
|
cookie, err := getJWTCookie(c)
|
|
|
|
|
|
if err != nil || cookie == "" {
|
2025-10-24 00:09:45 +08:00
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 解析并验证JWT令牌
|
2025-10-26 14:48:02 +08:00
|
|
|
|
claims, err := parseJWTToken(cookie)
|
2025-10-24 00:09:45 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-26 11:57:31 +08:00
|
|
|
|
// 验证密码哈希
|
2025-10-26 14:48:02 +08:00
|
|
|
|
return validateAdminPasswordHash(claims, c)
|
2025-10-26 01:51:25 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// IsAdminAuthenticatedHttp 判断管理员是否已认证(HTTP兼容版本)
|
|
|
|
|
|
// 保留此方法以兼容未迁移的 Handler
|
|
|
|
|
|
func IsAdminAuthenticatedHttp(r *http.Request) bool {
|
2026-03-31 02:14:08 +08:00
|
|
|
|
token := ""
|
2026-03-18 21:51:17 +08:00
|
|
|
|
cookie, err := r.Cookie("admin_session")
|
2026-03-31 02:14:08 +08:00
|
|
|
|
if err == nil && cookie.Value != "" {
|
|
|
|
|
|
token = cookie.Value
|
|
|
|
|
|
} else {
|
|
|
|
|
|
authHeader := r.Header.Get("Authorization")
|
|
|
|
|
|
if authHeader != "" && strings.HasPrefix(authHeader, "Bearer ") {
|
|
|
|
|
|
token = strings.TrimPrefix(authHeader, "Bearer ")
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if token == "" {
|
2026-03-18 21:51:17 +08:00
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 解析并验证JWT令牌
|
2026-03-31 02:14:08 +08:00
|
|
|
|
claims, err := parseJWTToken(token)
|
2026-03-18 21:51:17 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 注意:HTTP 版本无法方便地获取 ClientIP 用于日志,且无法使用 Gin Context 的功能
|
|
|
|
|
|
// 这里仅做基本的 Token 验证。如果 Token 包含了 PasswordHash,这里也会解析出来。
|
|
|
|
|
|
// 但验证 PasswordHash 需要 DB 访问。
|
|
|
|
|
|
// 为了完整性,我们应该也验证 PasswordHash。
|
|
|
|
|
|
// 这里的 ClientIP 只能从 r.RemoteAddr 获取。
|
|
|
|
|
|
|
|
|
|
|
|
db, err := database.GetDB()
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-28 23:30:02 +08:00
|
|
|
|
var adminUser models.User
|
|
|
|
|
|
if err := db.Where("username = ? AND role = ?", claims.Username, 0).First(&adminUser).Error; err != nil {
|
2026-03-18 21:51:17 +08:00
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-28 23:30:02 +08:00
|
|
|
|
// 验证密码哈希
|
|
|
|
|
|
currentPasswordHash := utils.GenerateSHA256Hash(adminUser.Password)
|
2026-03-18 21:51:17 +08:00
|
|
|
|
if claims.PasswordHash != currentPasswordHash {
|
|
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return true
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-26 01:51:25 +08:00
|
|
|
|
// IsAdminAuthenticatedWithCleanup 带自动清理功能的JWT校验函数
|
|
|
|
|
|
// - 当JWT校验失败时,自动清理失效的Cookie
|
|
|
|
|
|
// - 适用于API接口等需要清理失效令牌的场景
|
2025-10-26 14:48:02 +08:00
|
|
|
|
func IsAdminAuthenticatedWithCleanup(c *gin.Context) bool {
|
|
|
|
|
|
cookie, err := getJWTCookie(c)
|
|
|
|
|
|
if err != nil || cookie == "" {
|
2025-10-26 01:51:25 +08:00
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 解析并验证JWT令牌
|
2025-10-26 14:48:02 +08:00
|
|
|
|
claims, err := parseJWTToken(cookie)
|
2025-10-26 01:51:25 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
// JWT解析失败,清理失效Cookie
|
2025-10-26 14:48:02 +08:00
|
|
|
|
clearInvalidJWTCookie(c)
|
2025-10-26 01:51:25 +08:00
|
|
|
|
return false
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-26 11:57:31 +08:00
|
|
|
|
// 验证密码哈希
|
2025-10-26 14:48:02 +08:00
|
|
|
|
if !validateAdminPasswordHash(claims, c) {
|
|
|
|
|
|
clearInvalidJWTCookie(c)
|
2025-10-26 01:51:25 +08:00
|
|
|
|
return false
|
|
|
|
|
|
}
|
2025-10-24 00:09:45 +08:00
|
|
|
|
|
|
|
|
|
|
return true
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// GetCurrentAdminUser 获取当前登录的管理员用户信息 (HTTP 兼容版)
|
|
|
|
|
|
func GetCurrentAdminUser(r *http.Request) (*JWTClaims, error) {
|
2026-03-31 02:14:08 +08:00
|
|
|
|
token := ""
|
2026-03-18 21:51:17 +08:00
|
|
|
|
cookie, err := r.Cookie("admin_session")
|
2026-03-31 02:14:08 +08:00
|
|
|
|
if err == nil && cookie.Value != "" {
|
|
|
|
|
|
token = cookie.Value
|
|
|
|
|
|
} else {
|
|
|
|
|
|
authHeader := r.Header.Get("Authorization")
|
|
|
|
|
|
if authHeader != "" && strings.HasPrefix(authHeader, "Bearer ") {
|
|
|
|
|
|
token = strings.TrimPrefix(authHeader, "Bearer ")
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if token == "" {
|
2025-10-24 00:09:45 +08:00
|
|
|
|
return nil, fmt.Errorf("未找到会话信息")
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-31 02:14:08 +08:00
|
|
|
|
claims, err := parseJWTToken(token)
|
2025-10-24 00:09:45 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, fmt.Errorf("无效的会话信息")
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return claims, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// GetCurrentAdminUserWithRefresh 获取当前登录的管理员用户信息并自动刷新令牌
|
|
|
|
|
|
// - 从JWT令牌中提取用户信息
|
|
|
|
|
|
// - 自动刷新接近过期的令牌(剩余时间少于6小时时刷新)
|
|
|
|
|
|
// - 返回用户ID、用户名、角色和是否刷新了令牌
|
2025-10-26 14:48:02 +08:00
|
|
|
|
func GetCurrentAdminUserWithRefresh(c *gin.Context) (*JWTClaims, bool, error) {
|
|
|
|
|
|
cookie, err := getJWTCookie(c)
|
2025-10-24 00:09:45 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, false, fmt.Errorf("未找到会话信息")
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-26 14:48:02 +08:00
|
|
|
|
claims, err := parseJWTToken(cookie)
|
2025-10-24 00:09:45 +08:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, false, fmt.Errorf("无效的会话信息")
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-26 11:57:31 +08:00
|
|
|
|
// 验证密码哈希
|
2025-10-26 14:48:02 +08:00
|
|
|
|
if !validateAdminPasswordHash(claims, c) {
|
2025-10-26 11:57:31 +08:00
|
|
|
|
return nil, false, fmt.Errorf("会话已失效,请重新登录")
|
2025-10-26 01:51:25 +08:00
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-26 14:48:02 +08:00
|
|
|
|
// 检查是否需要刷新令牌
|
2025-10-24 00:09:45 +08:00
|
|
|
|
refreshed := false
|
2026-03-18 21:51:17 +08:00
|
|
|
|
|
|
|
|
|
|
// 动态获取刷新阈值:默认剩余时间少于6小时刷新
|
|
|
|
|
|
refreshThresholdHours := services.GetSettingsService().GetJWTRefresh()
|
|
|
|
|
|
if refreshThresholdHours <= 0 {
|
|
|
|
|
|
refreshThresholdHours = 6 // 默认值
|
|
|
|
|
|
}
|
|
|
|
|
|
refreshThreshold := time.Duration(refreshThresholdHours) * time.Hour
|
|
|
|
|
|
|
|
|
|
|
|
// 动态获取JWT总有效期
|
|
|
|
|
|
expireHours := services.GetSettingsService().GetJWTExpire()
|
|
|
|
|
|
if expireHours <= 0 {
|
|
|
|
|
|
expireHours = 24 // 默认值
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 动态获取Cookie配置(用于更新Cookie过期时间)
|
|
|
|
|
|
secure, sameSite, domain, maxAge := services.GetSettingsService().GetCookieConfig()
|
|
|
|
|
|
|
|
|
|
|
|
// 1. 默认情况下,每次请求都更新Cookie的过期时间(滑动过期)
|
|
|
|
|
|
tokenToSet := cookie
|
|
|
|
|
|
shouldUpdateCookie := true
|
|
|
|
|
|
|
|
|
|
|
|
// 2. 检查是否需要刷新JWT令牌(生成新的Token)
|
2025-10-24 00:09:45 +08:00
|
|
|
|
if time.Until(claims.ExpiresAt.Time) < refreshThreshold {
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// 获取当前的 PasswordHash
|
|
|
|
|
|
db, _ := database.GetDB()
|
2026-03-28 23:30:02 +08:00
|
|
|
|
var adminUser models.User
|
|
|
|
|
|
db.Where("username = ? AND role = ?", claims.Username, 0).First(&adminUser)
|
2026-03-18 21:51:17 +08:00
|
|
|
|
|
|
|
|
|
|
// 使用新的有效期生成令牌
|
2026-03-28 23:30:02 +08:00
|
|
|
|
newToken, err := generateJWTTokenForAdmin(claims.Username, adminUser.Password, claims.UUID)
|
2025-10-24 00:09:45 +08:00
|
|
|
|
if err == nil {
|
2026-03-18 21:51:17 +08:00
|
|
|
|
tokenToSet = newToken
|
2025-10-24 00:09:45 +08:00
|
|
|
|
refreshed = true
|
|
|
|
|
|
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// 更新当前claims的过期时间
|
|
|
|
|
|
claims.ExpiresAt = jwt.NewNumericDate(time.Now().Add(time.Duration(expireHours) * time.Hour))
|
2025-10-24 00:09:45 +08:00
|
|
|
|
claims.IssuedAt = jwt.NewNumericDate(time.Now())
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// 3. 执行Cookie更新
|
|
|
|
|
|
if shouldUpdateCookie {
|
|
|
|
|
|
cookieObj := utils.CreateSecureCookie("admin_session", tokenToSet, maxAge, domain, secure, sameSite)
|
|
|
|
|
|
c.SetCookie(cookieObj.Name, cookieObj.Value, cookieObj.MaxAge, cookieObj.Path, cookieObj.Domain, cookieObj.Secure, cookieObj.HttpOnly)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2025-10-24 00:09:45 +08:00
|
|
|
|
return claims, refreshed, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// AdminAuthRequired 管理员认证拦截中间件 (Gin Middleware)
|
2025-10-24 00:09:45 +08:00
|
|
|
|
// - 未登录:重定向到 /admin/login
|
|
|
|
|
|
// - 已登录:自动刷新接近过期的令牌,然后放行到后续处理器
|
2025-10-26 14:48:02 +08:00
|
|
|
|
func AdminAuthRequired() gin.HandlerFunc {
|
|
|
|
|
|
return func(c *gin.Context) {
|
2025-10-24 00:09:45 +08:00
|
|
|
|
// 尝试获取用户信息并自动刷新令牌
|
2025-10-26 14:48:02 +08:00
|
|
|
|
claims, refreshed, err := GetCurrentAdminUserWithRefresh(c)
|
2025-10-24 00:09:45 +08:00
|
|
|
|
if err != nil {
|
2025-10-26 01:51:25 +08:00
|
|
|
|
// 自动清理失效的JWT Cookie,提升安全性和用户体验
|
2025-10-26 14:48:02 +08:00
|
|
|
|
clearInvalidJWTCookie(c)
|
2025-10-26 09:35:07 +08:00
|
|
|
|
|
2026-03-28 23:30:02 +08:00
|
|
|
|
// API 请求直接返回 401 JSON
|
|
|
|
|
|
c.JSON(http.StatusUnauthorized, gin.H{
|
|
|
|
|
|
"success": false,
|
|
|
|
|
|
"message": "未登录或会话已过期",
|
|
|
|
|
|
"data": nil,
|
|
|
|
|
|
})
|
2025-10-26 14:48:02 +08:00
|
|
|
|
c.Abort()
|
2025-10-24 00:09:45 +08:00
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 如果令牌被刷新,可以在这里记录日志(可选)
|
|
|
|
|
|
if refreshed {
|
|
|
|
|
|
// 可以添加日志记录令牌刷新事件
|
|
|
|
|
|
_ = claims // 避免未使用变量警告
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-18 21:51:17 +08:00
|
|
|
|
// 将解析出的用户信息存入上下文,供后续处理使用
|
|
|
|
|
|
c.Set("admin_uuid", claims.UUID)
|
|
|
|
|
|
c.Set("admin_username", claims.Username)
|
|
|
|
|
|
c.Set("admin_role", claims.Role)
|
|
|
|
|
|
|
2025-10-26 14:48:02 +08:00
|
|
|
|
c.Next()
|
2025-10-24 00:09:45 +08:00
|
|
|
|
}
|
|
|
|
|
|
}
|
