github
/
alist
mirror of https://github.com/Xhofe/alist
1
0
Fork 0
Code Issues Releases Wiki Activity
alist/server/handles/auth.go

287 lines
6.7 KiB
Go
Raw Permalink Blame History

package handles
import (
"bytes"
"encoding/base64"
"errors"
"fmt"
"image/png"
"path"
"strings"
"time"
"github.com/Xhofe/go-cache"
"github.com/alist-org/alist/v3/internal/conf"
"github.com/alist-org/alist/v3/internal/device"
"github.com/alist-org/alist/v3/internal/errs"
"github.com/alist-org/alist/v3/internal/model"
"github.com/alist-org/alist/v3/internal/op"
"github.com/alist-org/alist/v3/internal/session"
"github.com/alist-org/alist/v3/internal/setting"
"github.com/alist-org/alist/v3/pkg/utils"
"github.com/alist-org/alist/v3/server/common"
"github.com/gin-gonic/gin"
"github.com/pquerna/otp/totp"
)
var loginCache = cache.NewMemCache[int]()
var (
defaultDuration = time.Minute * 5
defaultTimes = 5
)
type LoginReq struct {
Username string `json:"username" binding:"required"`
Password string `json:"password"`
OtpCode string `json:"otp_code"`
}
// Login Deprecated
func Login(c *gin.Context) {
var req LoginReq
if err := c.ShouldBind(&req); err != nil {
common.ErrorResp(c, err, 400)
return
}
req.Password = model.StaticHash(req.Password)
loginHash(c, &req)
}
// LoginHash login with password hashed by sha256
func LoginHash(c *gin.Context) {
var req LoginReq
if err := c.ShouldBind(&req); err != nil {
common.ErrorResp(c, err, 400)
return
}
loginHash(c, &req)
}
func loginHash(c *gin.Context, req *LoginReq) {
// check count of login
ip := c.ClientIP()
count, ok := loginCache.Get(ip)
if ok && count >= defaultTimes {
common.ErrorStrResp(c, "Too many unsuccessful sign-in attempts have been made using an incorrect username or password, Try again later.", 429)
loginCache.Expire(ip, defaultDuration)
return
}
// check username
user, err := op.GetUserByName(req.Username)
if err != nil {
common.ErrorResp(c, err, 400)
loginCache.Set(ip, count+1)
return
}
// validate password hash
if err := user.ValidatePwdStaticHash(req.Password); err != nil {
common.ErrorResp(c, err, 400)
loginCache.Set(ip, count+1)
return
}
// check 2FA
if user.OtpSecret != "" {
if !totp.Validate(req.OtpCode, user.OtpSecret) {
common.ErrorStrResp(c, "Invalid 2FA code", 402)
loginCache.Set(ip, count+1)
return
}
}
clientID := c.GetHeader("Client-Id")
if clientID == "" {
clientID = c.Query("client_id")
}
key := utils.GetMD5EncodeStr(fmt.Sprintf("%d-%s",
user.ID, clientID))
if err := device.EnsureActiveOnLogin(user, key, c.Request.UserAgent(), c.ClientIP()); err != nil {
if errors.Is(err, errs.TooManyDevices) {
common.ErrorResp(c, err, 403)
} else {
common.ErrorResp(c, err, 400, true)
}
return
}
// generate token
token, err := common.GenerateToken(user)
if err != nil {
common.ErrorResp(c, err, 400, true)
return
}
common.SuccessResp(c, gin.H{"token": token, "device_key": key})
loginCache.Del(ip)
}
type RegisterReq struct {
Username string `json:"username" binding:"required"`
Password string `json:"password" binding:"required"`
}
// Register a new user
func Register(c *gin.Context) {
if !setting.GetBool(conf.AllowRegister) {
common.ErrorStrResp(c, "registration is disabled", 403)
return
}
var req RegisterReq
if err := c.ShouldBind(&req); err != nil {
common.ErrorResp(c, err, 400)
return
}
user := &model.User{
Username: req.Username,
Role: model.Roles{op.GetDefaultRoleID()},
Authn: "[]",
}
user.SetPassword(req.Password)
if err := op.CreateUser(user); err != nil {
common.ErrorResp(c, err, 500, true)
return
}
common.SuccessResp(c)
}
type UserResp struct {
model.User
Otp bool `json:"otp"`
RoleNames []string `json:"role_names"`
Permissions []model.PermissionEntry `json:"permissions"`
}
// CurrentUser get current user by token
// if token is empty, return guest user
func CurrentUser(c *gin.Context) {
user := c.MustGet("user").(*model.User)
userResp := UserResp{
User: *user,
}
userResp.Password = ""
if userResp.OtpSecret != "" {
userResp.Otp = true
}
var roleNames []string
permMap := map[string]int32{}
addedPaths := map[string]bool{}
for _, role := range user.RolesDetail {
roleNames = append(roleNames, role.Name)
for _, entry := range role.PermissionScopes {
cleanPath := path.Clean("/" + strings.TrimPrefix(entry.Path, "/"))
permMap[cleanPath] |= entry.Permission
}
}
userResp.RoleNames = roleNames
for fullPath, perm := range permMap {
if !addedPaths[fullPath] {
userResp.Permissions = append(userResp.Permissions, model.PermissionEntry{
Path: fullPath,
Permission: perm,
})
addedPaths[fullPath] = true
}
}
common.SuccessResp(c, userResp)
}
func UpdateCurrent(c *gin.Context) {
var req model.User
if err := c.ShouldBind(&req); err != nil {
common.ErrorResp(c, err, 400)
return
}
user := c.MustGet("user").(*model.User)
if user.IsGuest() {
common.ErrorStrResp(c, "Guest user can not update profile", 403)
return
}
user.Username = req.Username
if req.Password != "" {
user.SetPassword(req.Password)
}
user.SsoID = req.SsoID
if err := op.UpdateUser(user); err != nil {
common.ErrorResp(c, err, 500)
} else {
common.SuccessResp(c)
}
}
func Generate2FA(c *gin.Context) {
user := c.MustGet("user").(*model.User)
if user.IsGuest() {
common.ErrorStrResp(c, "Guest user can not generate 2FA code", 403)
return
}
key, err := totp.Generate(totp.GenerateOpts{
Issuer: "Alist",
AccountName: user.Username,
})
if err != nil {
common.ErrorResp(c, err, 500)
return
}
img, err := key.Image(400, 400)
if err != nil {
common.ErrorResp(c, err, 500)
return
}
// to base64
var buf bytes.Buffer
png.Encode(&buf, img)
b64 := base64.StdEncoding.EncodeToString(buf.Bytes())
common.SuccessResp(c, gin.H{
"qr": "data:image/png;base64," + b64,
"secret": key.Secret(),
})
}
type Verify2FAReq struct {
Code string `json:"code" binding:"required"`
Secret string `json:"secret" binding:"required"`
}
func Verify2FA(c *gin.Context) {
var req Verify2FAReq
if err := c.ShouldBind(&req); err != nil {
common.ErrorResp(c, err, 400)
return
}
user := c.MustGet("user").(*model.User)
if user.IsGuest() {
common.ErrorStrResp(c, "Guest user can not generate 2FA code", 403)
return
}
if !totp.Validate(req.Code, req.Secret) {
common.ErrorStrResp(c, "Invalid 2FA code", 400)
return
}
user.OtpSecret = req.Secret
if err := op.UpdateUser(user); err != nil {
common.ErrorResp(c, err, 500)
} else {
common.SuccessResp(c)
}
}
func LogOut(c *gin.Context) {
if keyVal, ok := c.Get("device_key"); ok {
if err := session.MarkInactive(keyVal.(string)); err != nil {
common.ErrorResp(c, err, 500)
return
}
c.Set("session_inactive", true)
}
err := common.InvalidateToken(c.GetHeader("Authorization"))
if err != nil {
common.ErrorResp(c, err, 500)
} else {
common.SuccessResp(c)
}
}
Reference in New Issue View Git Blame Copy Permalink