github
/
certd
mirror of https://github.com/certd/certd
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

chore: 2FA

pull/409/head
xiaojunnuo 2025-04-17 01:15:55 +08:00
parent 412e8a32dd
commit d5d54d4d3b
12 changed files with 211 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
packages/libs/lib-server/src/basic/constants.ts
View File

@ -75,6 +75,10 @@ export const Constants = {
code: 10010,
message: '站点已关闭',
},
need2fa:{
code: 10020,
message: '需要2FA认证',
},
openKeyError: {
code: 20000,
message: 'ApiToken错误',

10
packages/libs/lib-server/src/basic/exception/auth-exception.ts
View File

@ -4,7 +4,15 @@ import { BaseException } from './base-exception.js';
*
*/
export class AuthException extends BaseException {
constructor(message) {
constructor(message?:string) {
super('AuthException', Constants.res.auth.code, message ? message : Constants.res.auth.message);
}
}
export class Need2FAException extends BaseException {
constructor(message?:string) {
super('Need2FAException', Constants.res.need2fa.code, message ? message : Constants.res.need2fa.message);
}
}

11
packages/ui/certd-client/src/router/source/modules/certd.ts
View File

@ -143,6 +143,17 @@ export const certdResources = [
keepAlive: true,
},
},
{
title: "认证安全设置",
name: "UserSecurity",
path: "/certd/mine/security",
component: "/certd/mine/security/index.vue",
meta: {
icon: "ion:locked-outline",
auth: true,
isMenu: true,
},
},
{
title: "账号信息",
name: "UserProfile",

7
packages/ui/certd-client/src/views/certd/settings/two-factor/api.ts → packages/ui/certd-client/src/views/certd/mine/security/api.ts
View File

@ -38,3 +38,10 @@ export async function TwoFactorAuthenticatorSave(req: AuthenticatorSaveReq) {
data: req,
});
}
export async function TwoFactorAuthenticatorOff() {
return await request({
url: apiPrefix + "/twoFactor/authenticator/off",
method: "post",
});
}

66
packages/ui/certd-client/src/views/certd/settings/two-factor/index.vue → packages/ui/certd-client/src/views/certd/mine/security/index.vue
View File

@ -1,35 +1,39 @@
<template>
<fs-page class="page-user-settings page-two-factor">
<template #header>
<div class="title">多重认证设置</div>
<div class="title">认证安全设置</div>
</template>
<div class="user-settings-form settings-form">
<a-form :model="formState" name="basic" :label-col="{ span: 8 }" :wrapper-col="{ span: 16 }" autocomplete="off">
<a-form-item label="Authenticator APP认证" :name="['authenticator', 'enabled']">
<div class="flex">
<a-switch v-model:checked="formState.authenticator.enabled" />
<a-form-item label="OTP多重验证登录" :name="['authenticator', 'enabled']">
<div class="flex mt-5">
<a-switch v-model:checked="formState.authenticator.enabled" @change="onAuthenticatorEnabledChanged" />
<a-button v-if="formState.authenticator.enabled && formState.authenticator.verified" class="ml-1" type="primary" @click="authenticatorForm.open = true"></a-button>
<a-button v-if="formState.authenticator.enabled && formState.authenticator.verified" :disabled="authenticatorOpenRef" size="small" class="ml-2" type="primary" @click="authenticatorForm.open = true">
重新绑定
</a-button>
</div>
<div class="helper">创建流水线时默认使用此定时时间</div>
<div class="helper">是否开启多重验证登录</div>
</a-form-item>
<div v-if="authenticatorOpenRef" class="authenticator-config">
<h3>1. 安装任意一款 Authenticator APP</h3>
<div>比如Microsoft Authenticator / Google Authenticator / Authy / Synology Secure SignIn </div>
<h3>2. 扫描二维码添加账号</h3>
<a-form-item v-if="authenticatorOpenRef" label="绑定设备" class="authenticator-config">
<h3 class="font-bold m-5">1. 安装任意一款 Authenticator APP</h3>
<div class="ml-20">比如Microsoft Authenticator / Google Authenticator / Authy / Synology Secure SignIn </div>
<h3 class="font-bold m-10">2. 扫描二维码添加账号</h3>
<div v-if="authenticatorForm.qrcodeSrc" class="qrcode">
<img style="width: 400px; height: 400px" :src="authenticatorForm.qrcodeSrc" />
<div class="ml-20">
<img class="full-w" :src="authenticatorForm.qrcodeSrc" />
</div>
</div>
<h3>3. 输入验证码</h3>
<div>
<h3 class="font-bold m-10">3. 输入验证码</h3>
<div class="ml-20">
<a-input v-model:value="authenticatorForm.verifyCode" placeholder="请输入验证码" />
</div>
<div>
<div class="ml-20 flex mt-10">
<loading-button type="primary" html-type="button" :click="doAuthenticatorSave">确认</loading-button>
<a-button class="ml-1" @click="authenticatorForm.open = false">取消</a-button>
</div>
</div>
</a-form-item>
</a-form>
</div>
</fs-page>
@ -39,11 +43,11 @@
import { computed, reactive, watch } from "vue";
import * as api from "./api";
import { UserTwoFactorSetting } from "./api";
import { notification } from "ant-design-vue";
import { Modal, notification } from "ant-design-vue";
import { merge } from "lodash-es";
defineOptions({
name: "UserSettingsTwoFactor",
name: "UserSecurity",
});
const formState = reactive<Partial<UserTwoFactorSetting>>({});
@ -63,9 +67,8 @@ watch(
},
async open => {
if (open) {
const data = await api.TwoFactorAuthenticatorGet();
//base64
authenticatorForm.qrcodeSrc = `data:image/png;base64,${data}`;
authenticatorForm.qrcodeSrc = await api.TwoFactorAuthenticatorGet();
} else {
authenticatorForm.qrcodeSrc = "";
authenticatorForm.verifyCode = "";
@ -86,13 +89,36 @@ const doAuthenticatorSave = async (form: any) => {
notification.success({
message: "保存成功",
});
authenticatorForm.open = false;
};
function onAuthenticatorEnabledChanged(value) {
if (!value) {
//
if (formState.authenticator.verified) {
Modal.confirm({
title: "确认",
content: `确定要关闭多重验证登录吗?`,
async onOk() {
await api.TwoFactorAuthenticatorOff();
notification.success({
message: "关闭成功",
});
loadUserSettings();
},
onCancel() {
formState.authenticator.enabled = true;
},
});
}
}
}
</script>
<style lang="less">
.page-user-settings {
.user-settings-form {
width: 500px;
width: 600px;
margin: 20px;
}
}

48
packages/ui/certd-client/src/views/framework/login/index.vue
View File

@ -1,14 +1,6 @@
<template>
<div class="main login-page">
<a-form
ref="formRef"
class="user-layout-login"
name="custom-validation"
:model="formState"
v-bind="layout"
@finish="handleFinish"
@finish-failed="handleFinishFailed"
>
<a-form ref="formRef" class="user-layout-login" name="custom-validation" :model="formState" v-bind="layout" @finish="handleFinish" @finish-failed="handleFinishFailed">
<!-- <div class="login-title">登录</div>-->
<a-tabs v-model:active-key="formState.loginType" :tab-bar-style="{ textAlign: 'center', borderBottom: 'unset' }">
<a-tab-pane key="password" tab="密码登录" :disabled="sysPublicSettings.passwordLoginEnabled !== true">
@ -44,13 +36,7 @@
</a-form-item>
<a-form-item name="smsCode" :rules="rules.smsCode">
<sms-code
v-model:value="formState.smsCode"
:img-code="formState.imgCode"
:mobile="formState.mobile"
:phone-code="formState.phoneCode"
:random-str="formState.randomStr"
/>
<sms-code v-model:value="formState.smsCode" :img-code="formState.imgCode" :mobile="formState.mobile" :phone-code="formState.phoneCode" :random-str="formState.randomStr" />
</a-form-item>
</template>
</a-tab-pane>
@ -89,42 +75,42 @@ export default defineComponent({
loginType: "password", //password
imgCode: "",
smsCode: "",
randomStr: ""
randomStr: "",
});
const rules = {
mobile: [
{
required: true,
message: "请输入手机号"
}
message: "请输入手机号",
},
],
username: [
{
required: true,
message: "请输入用户名"
}
message: "请输入用户名",
},
],
password: [
{
required: true,
message: "请输入登录密码"
}
message: "请输入登录密码",
},
],
smsCode: [
{
required: true,
message: "请输入短信验证码"
}
]
message: "请输入短信验证码",
},
],
};
const layout = {
labelCol: {
span: 0
span: 0,
},
wrapperCol: {
span: 24
}
span: 24,
},
};
const handleFinish = async (values: any) => {
@ -163,9 +149,9 @@ export default defineComponent({
resetForm,
isLoginError,
sysPublicSettings,
hasRegisterTypeEnabled
hasRegisterTypeEnabled,
};
}
},
});
</script>

28
packages/ui/certd-server/src/controller/user/login/login-controller.ts
View File

@ -23,13 +23,16 @@ export class LoginController extends BaseController {
user: any
) {
const token = await this.loginService.loginByPassword(user);
this.ctx.cookies.set('token', token.token, {
maxAge: 1000 * token.expire,
});
this.writeTokenCookie(token);
return this.ok(token);
}
private writeTokenCookie(token: { expire: any; token: any }) {
this.ctx.cookies.set("token", token.token, {
maxAge: 1000 * token.expire
});
}
@Post('/loginBySms', { summary: Constants.per.guest })
public async loginBySms(
@Body(ALL)
@ -48,10 +51,23 @@ export class LoginController extends BaseController {
randomStr: body.randomStr,
});
this.ctx.cookies.set('token', token.token, {
maxAge: 1000 * token.expire,
this.writeTokenCookie(token);
return this.ok(token);
}
@Post('/loginByTwoFactor', { summary: Constants.per.guest })
public async loginByTwoFactor(
@Body(ALL)
body: any
) {
const token = await this.loginService.loginByTwoFactor({
loginCode: body.loginCode,
verifyCode: body.verifyCode,
});
this.writeTokenCookie(token);
return this.ok(token);
}

7
packages/ui/certd-server/src/controller/user/mine/setting-two-factor-controller.ts
View File

@ -58,4 +58,11 @@ export class UserTwoFactorSettingController extends BaseController {
return this.ok();
}
@Post("/authenticator/off", { summary: Constants.per.authOnly })
async authenticatorOff() {
const userId = this.getUserId();
await this.twoFactorService.offAuthenticator(userId);
return this.ok();
}
}

47
packages/ui/certd-server/src/modules/login/service/login-service.ts
View File

@ -1,14 +1,16 @@
import {Config, Inject, Provide, Scope, ScopeEnum} from '@midwayjs/core';
import {UserService} from '../../sys/authority/service/user-service.js';
import jwt from 'jsonwebtoken';
import {CommonException} from '@certd/lib-server';
import { AuthException, CommonException, Need2FAException } from "@certd/lib-server";
import {RoleService} from '../../sys/authority/service/role-service.js';
import {UserEntity} from '../../sys/authority/entity/user.js';
import {SysSettingsService} from '@certd/lib-server';
import {SysPrivateSettings} from '@certd/lib-server';
import {cache} from '@certd/basic';
import {cache, utils} from '@certd/basic';
import {LoginErrorException} from '@certd/lib-server/dist/basic/exception/login-error-exception.js';
import {CodeService} from '../../basic/service/code-service.js';
import { TwoFactorService } from "../../mine/service/two-factor-service.js";
import { UserSettingsService } from '../../mine/service/user-settings-service.js';
/**
*
@ -28,6 +30,10 @@ export class LoginService {
@Inject()
sysSettingsService: SysSettingsService;
@Inject()
userSettingsService: UserSettingsService;
@Inject()
twoFactorService: TwoFactorService;
checkIsBlocked(username: string) {
const blockDurationKey = `login_block_duration:${username}`;
@ -138,21 +144,50 @@ export class LoginService {
return this.onLoginSuccess(info);
}
private async onLoginSuccess(info: UserEntity) {
async checkTwoFactorEnabled(userId:number) {
//检查是否开启多重认证
const twoFactorSetting = await this.twoFactorService.getSetting(userId)
const authenticatorSetting = twoFactorSetting.authenticator
if (authenticatorSetting.enabled){
//要检查
const randomKey = utils.id.simpleNanoId(12)
cache.set(`login_2fa_code:${randomKey}`, userId, {
ttl: 60 * 1000,
})
throw new Need2FAException('已开启多重认证请在60秒内输入验证码')
}
}
async loginByTwoFactor(req: { loginCode: string; verifyCode: string }){
const userId = cache.get(`login_2fa_code:${req.loginCode}`)
if (!userId){
throw new AuthException('登录状态已失效,请重新登录')
}
await this.twoFactorService.verifyAuthenticatorCode(userId, req.verifyCode)
return this.generateToken(await this.userService.findOne(userId))
}
private async onLoginSuccess(info: UserEntity) {
if (info.status === 0) {
throw new CommonException('用户已被禁用');
}
const roleIds = await this.roleService.getRoleIdsByUserId(info.id);
return this.generateToken(info, roleIds);
await this.checkTwoFactorEnabled(info.id)
return this.generateToken(info);
}
/**
* token
* @param user
* @param roleIds
*/
async generateToken(user: UserEntity, roleIds: number[]) {
async generateToken(user: UserEntity) {
const roleIds = await this.roleService.getRoleIdsByUserId(user.id);
const tokenInfo = {
username: user.username,
id: user.id,

1
packages/ui/certd-server/src/modules/mine/service/models.ts
View File

@ -14,7 +14,6 @@ export class UserTwoFactorSetting extends BaseSettings {
authenticator: TwoFactorAuthenticator = {
enabled:false,
verified:false,
type: "totp"
};
}

54
packages/ui/certd-server/src/modules/mine/service/two-factor-service.ts
View File

@ -1,7 +1,6 @@
import { Inject, Provide, Scope, ScopeEnum } from "@midwayjs/core";
import { UserSettingsService } from "./user-settings-service.js";
import { UserTwoFactorSetting } from "./models.js";
import { utils } from "@certd/basic";
import { UserService } from "../../sys/authority/service/user-service.js";
/**
@ -17,17 +16,19 @@ export class TwoFactorService {
async getAuthenticatorQrCode(userId: any) {
const setting = await this.userSettingsService.getSetting<UserTwoFactorSetting>(userId, UserTwoFactorSetting);
const setting = await this.getSetting(userId)
const authenticator = setting.authenticator;
if (!authenticator.secret) {
authenticator.secret = utils.id.simpleNanoId(16);
const authenticatorSetting = setting.authenticator;
if (!authenticatorSetting.secret) {
const { authenticator } = await import("otplib");
authenticatorSetting.secret = authenticator.generateSecret()
await this.userSettingsService.saveSetting(userId, setting);
}
const user = await this.userService.info(userId);
const username = user.username;
const secret = authenticator.secret;
const secret = authenticatorSetting.secret;
const qrcodeContent = `otpauth://totp/Certd:${username}?secret=${secret}&issuer=Certd`;
//生成qrcode base64
@ -39,13 +40,13 @@ export class TwoFactorService {
async saveAuthenticator(req: { userId: any; verifyCode: any }) {
const userId = req.userId;
const { authenticator } = await import("otplib");
const tfSetting = await this.userSettingsService.getSetting<UserTwoFactorSetting>(userId, UserTwoFactorSetting);
const setting = await this.getSetting(userId)
const setting = tfSetting.authenticator;
if (!setting.secret) {
const authenticatorSetting = setting.authenticator;
if (!authenticatorSetting.secret) {
throw new Error("secret is required");
}
const secret = setting.secret;
const secret = authenticatorSetting.secret;
const token = req.verifyCode;
const isValid = authenticator.verify({ token, secret });
@ -54,9 +55,38 @@ export class TwoFactorService {
}
//校验成功,保存开启状态
setting.enabled = true;
setting.verified = true;
authenticatorSetting.enabled = true;
authenticatorSetting.verified = true;
await this.userSettingsService.saveSetting(userId, setting);
}
async offAuthenticator(userId:number) {
if (!userId) {
throw new Error("userId is required");
}
const setting = await this.getSetting(userId)
setting.authenticator.enabled = false;
setting.authenticator.verified = false;
setting.authenticator.secret = '';
await this.userSettingsService.saveSetting(userId, setting);
}
async getSetting(userId:number) {
return await this.userSettingsService.getSetting<UserTwoFactorSetting>(userId, UserTwoFactorSetting);
}
async verifyAuthenticatorCode(userId: any, verifyCode: string) {
const { authenticator } = await import("otplib");
const setting = await this.getSetting(userId)
if (!setting.authenticator.enabled) {
throw new Error("authenticator 未开启");
}
if (!authenticator.verify({ token: verifyCode, secret: setting.authenticator.secret })) {
throw new Error("验证码错误");
}
return true;
}
}

7
packages/ui/certd-server/src/modules/mine/service/user-settings-service.ts
View File

@ -95,6 +95,9 @@ export class UserSettingsService extends BaseService<UserSettingsEntity> {
const type: any = bean.constructor;
const key = type.__key__;
if(!key){
throw new Error(`${type.name} must have __key__`);
}
const entity = await this.getByKey(key,userId);
const newEntity = new UserSettingsEntity();
if (entity) {
@ -104,8 +107,8 @@ export class UserSettingsService extends BaseService<UserSettingsEntity> {
newEntity.title = type.__title__;
newEntity.userId = userId;
}
entity.setting = JSON.stringify(bean);
await this.repository.save(entity);
newEntity.setting = JSON.stringify(bean);
await this.repository.save(newEntity);
}
}