alist/server/handles/auth.go

package handles

import (
	"bytes"
	"encoding/base64"
	"image/png"
	"time"

	"github.com/Xhofe/go-cache"
	"github.com/alist-org/alist/v3/internal/model"
	"github.com/alist-org/alist/v3/internal/op"
	"github.com/alist-org/alist/v3/server/common"
	"github.com/gin-gonic/gin"
	"github.com/pquerna/otp/totp"
)

var loginCache = cache.NewMemCache[int]()
var (
	defaultDuration = time.Minute * 5
	defaultTimes    = 5
)

type LoginReq struct {
	Username string `json:"username" binding:"required"`
	Password string `json:"password"`
	OtpCode  string `json:"otp_code"`
}

func Login(c *gin.Context) {
	// check count of login
	ip := c.ClientIP()
	count, ok := loginCache.Get(ip)
	if ok && count >= defaultTimes {
		common.ErrorStrResp(c, "Too many unsuccessful sign-in attempts have been made using an incorrect username or password, Try again later.", 429)
		loginCache.Expire(ip, defaultDuration)
		return
	}
	// check username
	var req LoginReq
	if err := c.ShouldBind(&req); err != nil {
		common.ErrorResp(c, err, 400)
		return
	}
	user, err := op.GetUserByName(req.Username)
	if err != nil {
		common.ErrorResp(c, err, 400)
		loginCache.Set(ip, count+1)
		return
	}
	// validate password
	if err := user.ValidatePassword(req.Password); err != nil {
		common.ErrorResp(c, err, 400)
		loginCache.Set(ip, count+1)
		return
	}
	// check 2FA
	if user.OtpSecret != "" {
		if !totp.Validate(req.OtpCode, user.OtpSecret) {
			common.ErrorStrResp(c, "Invalid 2FA code", 402)
			loginCache.Set(ip, count+1)
			return
		}
	}
	// generate token
	token, err := common.GenerateToken(user.Username)
	if err != nil {
		common.ErrorResp(c, err, 400, true)
		return
	}
	common.SuccessResp(c, gin.H{"token": token})
	loginCache.Del(ip)
}

type UserResp struct {
	model.User
	Otp bool `json:"otp"`
}

// CurrentUser get current user by token
// if token is empty, return guest user
func CurrentUser(c *gin.Context) {
	user := c.MustGet("user").(*model.User)
	userResp := UserResp{
		User: *user,
	}
	userResp.Password = ""
	if userResp.OtpSecret != "" {
		userResp.Otp = true
	}
	common.SuccessResp(c, userResp)
}

func UpdateCurrent(c *gin.Context) {
	var req LoginReq
	if err := c.ShouldBind(&req); err != nil {
		common.ErrorResp(c, err, 400)
		return
	}
	user := c.MustGet("user").(*model.User)
	user.Username = req.Username
	if req.Password != "" {
		user.Password = req.Password
	}
	if err := op.UpdateUser(user); err != nil {
		common.ErrorResp(c, err, 500)
	} else {
		common.SuccessResp(c)
	}
}

func Generate2FA(c *gin.Context) {
	user := c.MustGet("user").(*model.User)
	if user.IsGuest() {
		common.ErrorStrResp(c, "Guest user can not generate 2FA code", 403)
		return
	}
	key, err := totp.Generate(totp.GenerateOpts{
		Issuer:      "Alist",
		AccountName: user.Username,
	})
	if err != nil {
		common.ErrorResp(c, err, 500)
		return
	}
	img, err := key.Image(400, 400)
	if err != nil {
		common.ErrorResp(c, err, 500)
		return
	}
	// to base64
	var buf bytes.Buffer
	png.Encode(&buf, img)
	b64 := base64.StdEncoding.EncodeToString(buf.Bytes())
	common.SuccessResp(c, gin.H{
		"qr":     "data:image/png;base64," + b64,
		"secret": key.Secret(),
	})
}

type Verify2FAReq struct {
	Code   string `json:"code" binding:"required"`
	Secret string `json:"secret" binding:"required"`
}

func Verify2FA(c *gin.Context) {
	var req Verify2FAReq
	if err := c.ShouldBind(&req); err != nil {
		common.ErrorResp(c, err, 400)
		return
	}
	user := c.MustGet("user").(*model.User)
	if user.IsGuest() {
		common.ErrorStrResp(c, "Guest user can not generate 2FA code", 403)
		return
	}
	if !totp.Validate(req.Code, req.Secret) {
		common.ErrorStrResp(c, "Invalid 2FA code", 400)
		return
	}
	user.OtpSecret = req.Secret
	if err := op.UpdateUser(user); err != nil {
		common.ErrorResp(c, err, 500)
	} else {
		common.SuccessResp(c)
	}
}
chore: rename controllers to handles 2022-07-11 09:12:50 +00:00			`package handles`
feat: user jwt login 2022-06-25 13:34:44 +00:00
			`import (`
feat: 2fa/otp support 2022-08-05 17:22:13 +00:00			`"bytes"`
			`"encoding/base64"`
			`"image/png"`
chore: common err resp log 2022-06-28 10:12:53 +00:00			`"time"`

feat: user jwt login 2022-06-25 13:34:44 +00:00			`"github.com/Xhofe/go-cache"`
chore: set guest while token is empty 2022-06-26 08:39:02 +00:00			`"github.com/alist-org/alist/v3/internal/model"`
refactor: split the db package hook and cache to the op package (#2747) * refactor:separate the setting method from the db package to the op package and add the cache * refactor:separate the meta method from the db package to the op package * fix:setting not load database data * refactor:separate the user method from the db package to the op package * refactor:remove user JoinPath error * fix:op package user cache * refactor:fs package list method * fix:tile virtual paths (close #2743) * Revert "refactor:remove user JoinPath error" This reverts commit 4e20daaf9e700da047000d4fd4900abbe05c3848. * clean path directly may lead to unknown behavior * fix: The path of the meta passed in must be prefix of reqPath * chore: rename all virtualPath to mountPath * fix: `getStoragesByPath` and `GetStorageVirtualFilesByPath` is_sub_path: /a/b isn't subpath of /a/bc * fix: don't save setting if hook error Co-authored-by: Noah Hsu <i@nn.ci> 2022-12-18 11:51:20 +00:00			`"github.com/alist-org/alist/v3/internal/op"`
chore: change whether print log 2022-06-26 11:20:19 +00:00			`"github.com/alist-org/alist/v3/server/common"`
feat: user jwt login 2022-06-25 13:34:44 +00:00			`"github.com/gin-gonic/gin"`
feat: 2fa/otp support 2022-08-05 17:22:13 +00:00			`"github.com/pquerna/otp/totp"`
feat: user jwt login 2022-06-25 13:34:44 +00:00			`)`

			`var loginCache = cache.NewMemCache[int]()`
			`var (`
			`defaultDuration = time.Minute * 5`
			`defaultTimes = 5`
			`)`

			`type LoginReq struct {`
feat: change current user's profile 2022-07-23 12:42:12 +00:00			Username string `json:"username" binding:"required"`
chore: password can be empty when update me 2022-07-23 12:49:16 +00:00			Password string `json:"password"`
chore: and otp to current user resp 2022-08-06 09:21:32 +00:00			OtpCode string `json:"otp_code"`
feat: user jwt login 2022-06-25 13:34:44 +00:00			`}`

			`func Login(c *gin.Context) {`
			`// check count of login`
			`ip := c.ClientIP()`
			`count, ok := loginCache.Get(ip)`
chore: set guest while token is empty 2022-06-26 08:39:02 +00:00			`if ok && count >= defaultTimes {`
feat: 2fa/otp support 2022-08-05 17:22:13 +00:00			`common.ErrorStrResp(c, "Too many unsuccessful sign-in attempts have been made using an incorrect username or password, Try again later.", 429)`
feat: user jwt login 2022-06-25 13:34:44 +00:00			`loginCache.Expire(ip, defaultDuration)`
			`return`
			`}`
			`// check username`
			`var req LoginReq`
			`if err := c.ShouldBind(&req); err != nil {`
chore: common err resp log 2022-06-28 10:12:53 +00:00			`common.ErrorResp(c, err, 400)`
feat: user jwt login 2022-06-25 13:34:44 +00:00			`return`
			`}`
refactor: split the db package hook and cache to the op package (#2747) * refactor:separate the setting method from the db package to the op package and add the cache * refactor:separate the meta method from the db package to the op package * fix:setting not load database data * refactor:separate the user method from the db package to the op package * refactor:remove user JoinPath error * fix:op package user cache * refactor:fs package list method * fix:tile virtual paths (close #2743) * Revert "refactor:remove user JoinPath error" This reverts commit 4e20daaf9e700da047000d4fd4900abbe05c3848. * clean path directly may lead to unknown behavior * fix: The path of the meta passed in must be prefix of reqPath * chore: rename all virtualPath to mountPath * fix: `getStoragesByPath` and `GetStorageVirtualFilesByPath` is_sub_path: /a/b isn't subpath of /a/bc * fix: don't save setting if hook error Co-authored-by: Noah Hsu <i@nn.ci> 2022-12-18 11:51:20 +00:00			`user, err := op.GetUserByName(req.Username)`
feat: user jwt login 2022-06-25 13:34:44 +00:00			`if err != nil {`
chore: common err resp log 2022-06-28 10:12:53 +00:00			`common.ErrorResp(c, err, 400)`
chore: incorrect username retry count 2022-07-07 13:31:43 +00:00			`loginCache.Set(ip, count+1)`
feat: user jwt login 2022-06-25 13:34:44 +00:00			`return`
			`}`
			`// validate password`
			`if err := user.ValidatePassword(req.Password); err != nil {`
chore: common err resp log 2022-06-28 10:12:53 +00:00			`common.ErrorResp(c, err, 400)`
feat: user jwt login 2022-06-25 13:34:44 +00:00			`loginCache.Set(ip, count+1)`
			`return`
			`}`
feat: 2fa/otp support 2022-08-05 17:22:13 +00:00			`// check 2FA`
			`if user.OtpSecret != "" {`
chore: and otp to current user resp 2022-08-06 09:21:32 +00:00			`if !totp.Validate(req.OtpCode, user.OtpSecret) {`
feat: 2fa/otp support 2022-08-05 17:22:13 +00:00			`common.ErrorStrResp(c, "Invalid 2FA code", 402)`
			`loginCache.Set(ip, count+1)`
			`return`
			`}`
			`}`
feat: user jwt login 2022-06-25 13:34:44 +00:00			`// generate token`
chore: change whether print log 2022-06-26 11:20:19 +00:00			`token, err := common.GenerateToken(user.Username)`
feat: user jwt login 2022-06-25 13:34:44 +00:00			`if err != nil {`
chore: common err resp log 2022-06-28 10:12:53 +00:00			`common.ErrorResp(c, err, 400, true)`
feat: user jwt login 2022-06-25 13:34:44 +00:00			`return`
			`}`
chore: change whether print log 2022-06-26 11:20:19 +00:00			`common.SuccessResp(c, gin.H{"token": token})`
feat: user jwt login 2022-06-25 13:34:44 +00:00			`loginCache.Del(ip)`
			`}`
chore: set guest while token is empty 2022-06-26 08:39:02 +00:00
chore: and otp to current user resp 2022-08-06 09:21:32 +00:00			`type UserResp struct {`
			`model.User`
			Otp bool `json:"otp"`
			`}`

chore: set guest while token is empty 2022-06-26 08:39:02 +00:00			`// CurrentUser get current user by token`
			`// if token is empty, return guest user`
			`func CurrentUser(c *gin.Context) {`
			`user := c.MustGet("user").(*model.User)`
chore: and otp to current user resp 2022-08-06 09:21:32 +00:00			`userResp := UserResp{`
			`User: *user,`
			`}`
fix: clear password while get current user 2022-07-10 09:09:03 +00:00			`userResp.Password = ""`
chore: and otp to current user resp 2022-08-06 09:21:32 +00:00			`if userResp.OtpSecret != "" {`
			`userResp.Otp = true`
			`}`
fix: clear password while get current user 2022-07-10 09:09:03 +00:00			`common.SuccessResp(c, userResp)`
chore: set guest while token is empty 2022-06-26 08:39:02 +00:00			`}`
feat: change current user's profile 2022-07-23 12:42:12 +00:00
			`func UpdateCurrent(c *gin.Context) {`
			`var req LoginReq`
			`if err := c.ShouldBind(&req); err != nil {`
			`common.ErrorResp(c, err, 400)`
			`return`
			`}`
			`user := c.MustGet("user").(*model.User)`
			`user.Username = req.Username`
chore: password can be empty when update me 2022-07-23 12:49:16 +00:00			`if req.Password != "" {`
			`user.Password = req.Password`
			`}`
refactor: split the db package hook and cache to the op package (#2747) * refactor:separate the setting method from the db package to the op package and add the cache * refactor:separate the meta method from the db package to the op package * fix:setting not load database data * refactor:separate the user method from the db package to the op package * refactor:remove user JoinPath error * fix:op package user cache * refactor:fs package list method * fix:tile virtual paths (close #2743) * Revert "refactor:remove user JoinPath error" This reverts commit 4e20daaf9e700da047000d4fd4900abbe05c3848. * clean path directly may lead to unknown behavior * fix: The path of the meta passed in must be prefix of reqPath * chore: rename all virtualPath to mountPath * fix: `getStoragesByPath` and `GetStorageVirtualFilesByPath` is_sub_path: /a/b isn't subpath of /a/bc * fix: don't save setting if hook error Co-authored-by: Noah Hsu <i@nn.ci> 2022-12-18 11:51:20 +00:00			`if err := op.UpdateUser(user); err != nil {`
feat: change current user's profile 2022-07-23 12:42:12 +00:00			`common.ErrorResp(c, err, 500)`
			`} else {`
			`common.SuccessResp(c)`
			`}`
			`}`
feat: 2fa/otp support 2022-08-05 17:22:13 +00:00
			`func Generate2FA(c *gin.Context) {`
			`user := c.MustGet("user").(*model.User)`
			`if user.IsGuest() {`
			`common.ErrorStrResp(c, "Guest user can not generate 2FA code", 403)`
			`return`
			`}`
			`key, err := totp.Generate(totp.GenerateOpts{`
			`Issuer: "Alist",`
			`AccountName: user.Username,`
			`})`
			`if err != nil {`
			`common.ErrorResp(c, err, 500)`
			`return`
			`}`
			`img, err := key.Image(400, 400)`
			`if err != nil {`
			`common.ErrorResp(c, err, 500)`
			`return`
			`}`
			`// to base64`
			`var buf bytes.Buffer`
			`png.Encode(&buf, img)`
feat: add 189cloud driver 2022-09-06 06:39:21 +00:00			`b64 := base64.StdEncoding.EncodeToString(buf.Bytes())`
feat: 2fa/otp support 2022-08-05 17:22:13 +00:00			`common.SuccessResp(c, gin.H{`
feat: add 189cloud driver 2022-09-06 06:39:21 +00:00			`"qr": "data:image/png;base64," + b64,`
feat: 2fa/otp support 2022-08-05 17:22:13 +00:00			`"secret": key.Secret(),`
			`})`
			`}`

			`type Verify2FAReq struct {`
			Code string `json:"code" binding:"required"`
			Secret string `json:"secret" binding:"required"`
			`}`

			`func Verify2FA(c *gin.Context) {`
			`var req Verify2FAReq`
			`if err := c.ShouldBind(&req); err != nil {`
			`common.ErrorResp(c, err, 400)`
			`return`
			`}`
			`user := c.MustGet("user").(*model.User)`
			`if user.IsGuest() {`
			`common.ErrorStrResp(c, "Guest user can not generate 2FA code", 403)`
			`return`
			`}`
			`if !totp.Validate(req.Code, req.Secret) {`
			`common.ErrorStrResp(c, "Invalid 2FA code", 400)`
			`return`
			`}`
			`user.OtpSecret = req.Secret`
refactor: split the db package hook and cache to the op package (#2747) * refactor:separate the setting method from the db package to the op package and add the cache * refactor:separate the meta method from the db package to the op package * fix:setting not load database data * refactor:separate the user method from the db package to the op package * refactor:remove user JoinPath error * fix:op package user cache * refactor:fs package list method * fix:tile virtual paths (close #2743) * Revert "refactor:remove user JoinPath error" This reverts commit 4e20daaf9e700da047000d4fd4900abbe05c3848. * clean path directly may lead to unknown behavior * fix: The path of the meta passed in must be prefix of reqPath * chore: rename all virtualPath to mountPath * fix: `getStoragesByPath` and `GetStorageVirtualFilesByPath` is_sub_path: /a/b isn't subpath of /a/bc * fix: don't save setting if hook error Co-authored-by: Noah Hsu <i@nn.ci> 2022-12-18 11:51:20 +00:00			`if err := op.UpdateUser(user); err != nil {`
feat: 2fa/otp support 2022-08-05 17:22:13 +00:00			`common.ErrorResp(c, err, 500)`
			`} else {`
			`common.SuccessResp(c)`
			`}`
			`}`