feat: 优化安全登录

TheTNB · Dec 2, 2024 · fc97709 · fc97709
1 parent 7bc716c
commit fc97709
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 8 deletions.
diff --git a/internal/http/middleware/must_login.go b/internal/http/middleware/must_login.go
@@ -65,8 +65,7 @@ func MustLogin(next http.Handler) http.Handler {
 		if safeLogin {
 			safeClientHash := cast.ToString(sess.Get("safe_client"))
 			ip, _, _ := net.SplitHostPort(strings.TrimSpace(r.RemoteAddr))
-			ua := r.Header.Get("User-Agent")
-			clientHash := fmt.Sprintf("%x", sha3.Sum256([]byte(ip+"|"+ua)))
+			clientHash := fmt.Sprintf("%x", sha3.Sum256([]byte(ip)))
 			if safeClientHash != clientHash || safeClientHash == "" {
 				render := chix.NewRender(w)
 				render.Status(http.StatusUnauthorized)

diff --git a/internal/service/user.go b/internal/service/user.go
@@ -93,9 +93,8 @@ func (s *UserService) Login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if req.SafeLogin && !app.Conf.Bool("http.tls") {
-		ua := r.Header.Get("User-Agent")
 		sess.Put("safe_login", true)
-		sess.Put("safe_client", fmt.Sprintf("%x", sha3.Sum256([]byte(ip+"|"+ua))))
+		sess.Put("safe_client", fmt.Sprintf("%x", sha3.Sum256([]byte(ip))))
 	}
 
 	sess.Put("user_id", user.ID)

diff --git a/web/src/api/panel/user/index.ts b/web/src/api/panel/user/index.ts
@@ -4,10 +4,11 @@ export default {
   // 公钥
   key: () => http.Get('/user/key'),
   // 登录
-  login: (username: string, password: string) =>
+  login: (username: string, password: string, safe_login: boolean) =>
     http.Post('/user/login', {
       username,
-      password
+      password,
+      safe_login
     }),
   // 登出
   logout: () => http.Post('/user/logout'),

diff --git a/web/src/views/login/IndexView.vue b/web/src/views/login/IndexView.vue
@@ -36,7 +36,7 @@ const loging = ref<boolean>(false)
 const isRemember = useStorage('isRemember', false)
 
 async function handleLogin() {
-  const { username, password } = loginInfo.value
+  const { username, password, safe_login } = loginInfo.value
   if (!username || !password) {
     window.$message.warning('请输入用户名和密码')
     return
@@ -47,7 +47,11 @@ async function handleLogin() {
   }
   try {
     user
-      .login(rsaEncrypt(username, String(unref(key))), rsaEncrypt(password, String(unref(key))))
+      .login(
+        rsaEncrypt(username, String(unref(key))),
+        rsaEncrypt(password, String(unref(key))),
+        safe_login
+      )
       .then(async () => {
         loging.value = true
         window.$notification?.success({ title: '登录成功！', duration: 2500 })