U improve security

2020-10-10 09:49:58 +08:00 · 2020-10-10 09:49:58 +08:00 · 3e09794b06
parent 4795c9e9ae
commit 3e09794b06
4 changed files with 26 additions and 12 deletions
--- a/spug_api/apps/account/views.py
+++ b/spug_api/apps/account/views.py
@ -5,9 +5,11 @@ from django.core.cache import cache
 from django.views.generic import View
 from django.db.models import F
 from libs import JsonParser, Argument, human_datetime, json_response
+from libs.utils import get_request_real_ip
 from apps.account.models import User, Role
 from apps.setting.models import Setting
 from libs.ldap import LDAP
+import ipaddress
 import time
 import uuid
 import json
@ -155,7 +157,7 @@ def login(request):
        Argument('type', required=False)
    ).parse(request.body)
    if error is None:
-        x_real_ip = request.headers.get('x-real-ip', '')
+        x_real_ip = get_request_real_ip(request.headers)
        user = User.objects.filter(username=form.username, type=form.type).first()
        if user and not user.is_active:
            return json_response(error="账户已被系统禁用")
@ -198,7 +200,7 @@ def handle_user_info(user, x_real_ip):
        'access_token': user.access_token,
        'nickname': user.nickname,
        'is_supper': user.is_supper,
-        'has_real_ip': True if x_real_ip else False,
+        'has_real_ip': x_real_ip and ipaddress.ip_address(x_real_ip).is_global,
        'host_perms': [] if user.is_supper else user.host_perms,
        'permissions': [] if user.is_supper else user.page_perms
    })
--- a/spug_api/libs/middleware.py
+++ b/spug_api/libs/middleware.py
@ -3,7 +3,7 @@
 # Released under the AGPL-3.0 License.
 from django.utils.deprecation import MiddlewareMixin
 from django.conf import settings
-from .utils import json_response
+from .utils import json_response, get_request_real_ip
 from apps.account.models import User
 import traceback
 import time
@ -31,7 +31,7 @@ class AuthenticationMiddleware(MiddlewareMixin):
            return None
        access_token = request.headers.get('x-token') or request.GET.get('x-token')
        if access_token and len(access_token) == 32:
-            x_real_ip = request.headers.get('x-real-ip', '')
+            x_real_ip = get_request_real_ip(request.headers)
            user = User.objects.filter(access_token=access_token).first()
            if user and x_real_ip == user.last_ip and user.token_expired >= time.time() and user.is_active:
                request.user = user
--- a/spug_api/libs/utils.py
+++ b/spug_api/libs/utils.py
@ -102,3 +102,13 @@ class DateTimeEncoder(json.JSONEncoder):
 def generate_random_str(length: int = 4, is_digits: bool = True) -> str:
    words = string.digits if is_digits else string.ascii_letters + string.digits
    return ''.join(random.sample(words, length))
+
+
+def get_request_real_ip(headers: dict):
+    x_real_ip = headers.get('x-real-ip')
+    if not x_real_ip:
+        x_forwarded_for = headers.get('x-forwarded-for')
+        if not x_forwarded_for:
+            return ''
+        x_real_ip = x_forwarded_for.split(',')[0]
+    return x_real_ip
--- a/spug_web/src/pages/login/index.js
+++ b/spug_web/src/pages/login/index.js
@ -4,10 +4,10 @@
 * Released under the AGPL-3.0 License.
 */
 import React from 'react';
-import {Form, Input, Icon, Button, Tabs, Modal} from 'antd';
+import { Form, Input, Icon, Button, Tabs, Modal } from 'antd';
 import styles from './login.module.css';
 import history from 'libs/history';
-import {http, updatePermissions} from 'libs';
+import { http, updatePermissions } from 'libs';
 import logo from 'layout/logo-spug-txt.png';
 import envStore from 'pages/config/environment/store';
 import appStore from 'pages/config/app/store';
@ -46,7 +46,9 @@ class LoginIndex extends React.Component {
                className: styles.tips,
                content: <div>
                  未能获取到客户端的真实IP，无法提供基于请求来源IP的合法性验证，详细信息请参考
-                  <a target="_blank" href="https://spug.dev" rel="noopener noreferrer">官方文档</a>。
+                  <a target="_blank"
+                     href="https://spug.dev/docs/practice/#%E5%AE%89%E5%85%A8%E6%80%A7%E5%AE%9E%E8%B7%B5%E6%8C%87%E5%8D%97"
+                     rel="noopener noreferrer">官方文档</a>。
                </div>,
                onOk: () => this.doLogin(data)
              })
@ -119,14 +121,14 @@ class LoginIndex extends React.Component {

        <div className={styles.footerZone}>
          <div className={styles.linksZone}>
-            <a className={styles.links} title="官网" href="https://www.spug.dev"  target="_blank"
+            <a className={styles.links} title="官网" href="https://www.spug.dev" target="_blank"
               rel="noopener noreferrer">官网</a>
-            <a className={styles.links} title="Github" href="https://github.com/openspug/spug"  target="_blank"
-               rel="noopener noreferrer"><Icon type="github" /></a>
-            <a title="文档" href="https://www.spug.dev/docs/about-spug/"  target="_blank"
+            <a className={styles.links} title="Github" href="https://github.com/openspug/spug" target="_blank"
+               rel="noopener noreferrer"><Icon type="github"/></a>
+            <a title="文档" href="https://www.spug.dev/docs/about-spug/" target="_blank"
               rel="noopener noreferrer">文档</a>
          </div>
-          <div style={{color: 'rgba(0, 0, 0, .45)'}}>Copyright <Icon type="copyright" /> 2020 By OpenSpug</div>
+          <div style={{color: 'rgba(0, 0, 0, .45)'}}>Copyright <Icon type="copyright"/> 2020 By OpenSpug</div>
        </div>
      </div>
    )