tuonian
/
nginx-ui


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123
							package middleware

import (
	"fmt"
	"github.com/astaxie/beego"
	"github.com/astaxie/beego/context"
	"github.com/astaxie/beego/logs"
	"github.com/astaxie/beego/session"
	"github.com/beego/beego/v2/client/httplib"
	"log"
	"nginx-ui/server/base"
	"nginx-ui/server/config"
	"nginx-ui/server/models"
	"nginx-ui/server/modules/auth_token"
	"strings"
)

// 白名单，不需要登录即可访问
var whitelist = map[string]bool{
	"/user/login":            true,
	"/user/register":         true,
	"/oauth2":                true,
	"/oauth2/callback":       true,
	"/ldap/login":            true,
	"/ldap/server/active":    true,
	"/user/resetPassword":    true,
	"/wechat/webhook/gitlab": true,
}

func init() {
	beego.BConfig.WebConfig.Session.SessionAutoSetCookie = true
}

func checkThirdSession(ctx *context.Context, sess session.Store) {
	cfg := config.Config
	if !cfg.ThirdSession {
		return
	}
	cookie, err := ctx.Request.Cookie(cfg.ThirdSessionName)
	if err != nil {
		logs.Warn("no cookie", err)
		return
	}
	req := httplib.Get(cfg.ThirdSessionCheckUrl)
	req.SetEnableCookie(true)
	req.SetCookie(cookie)
	user := models.User{}
	err = req.ToJSON(&user)
	if err != nil {
		logs.Warn("check third session fail ", err)
		return
	}
	err = sess.Set("user", user)
	if err != nil {
		logs.Warn("set session data fail ", err)
		return
	}
	logs.Debug("check third session ok ", user)
}

func checkAuthToken(ctx *context.Context, sess session.Store, path string) (bool, error) {
	c := sess.Get("client")
	if c != nil {
		_, ok := c.(models.AuthToken)
		if ok {
			return true, nil
		}
	}
	token := ctx.Request.Header.Get("Token")
	if token == "" {
		return false, nil
	}
	t, err := auth_token.VerifyToken(token, path, ctx.Input.IP())
	if err != nil {
		return false, err
	}
	log.Printf("auth token: %v", t)
	_ = sess.Set("client", t)
	return true, nil
}

func AuthFilter(ctx *context.Context) {
	path := ctx.Request.URL.Path
	path = strings.TrimSuffix(path, "/")
	path = strings.TrimPrefix(path, config.Config.BaseApi)
	if whitelist[path] {
		logs.Debug("in whitelist ,skip ", ctx.Request.RequestURI, path)
		return
	}
	logs.Info(fmt.Sprintf("auth: %s,%s", ctx.Request.RequestURI, path))

	sess := ctx.Input.CruSession
	if sess == nil {
		logs.Warn("no session found in request")
		return
	}
	defer sess.SessionRelease(ctx.ResponseWriter)
	data := sess.Get("user")
	if data == nil {
		checkThirdSession(ctx, sess)
	}
	data = sess.Get("user")
	if data == nil {
		ok, err := checkAuthToken(ctx, sess, path)
		if err != nil {
			base.WriteError(ctx.ResponseWriter, err)
			return
		}
		if ok {
			return
		}
	}
	if data == nil {
		base.WriteForbidden(ctx.ResponseWriter)
		return
	}
	user := data.(models.User)
	if len(user.Account) == 0 {
		base.WriteForbidden(ctx.ResponseWriter)
		return
	}
	logs.Info(fmt.Sprintf("request uri: %s, uid: %s", ctx.Request.RequestURI, user.Account))
}