From 3e09794b06756ce9dd627557f931e3520bd68cfc Mon Sep 17 00:00:00 2001
From: vapao
Date: Sat, 10 Oct 2020 09:49:58 +0800
Subject: [PATCH] U improve security

---
 spug_api/apps/account/views.py    |  6 ++++--
 spug_api/libs/middleware.py       |  4 ++--
 spug_api/libs/utils.py            | 10 ++++++++++
 spug_web/src/pages/login/index.js | 18 ++++++++++--------
 4 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/spug_api/apps/account/views.py b/spug_api/apps/account/views.py
index 999b309..8ac495b 100644
--- a/spug_api/apps/account/views.py
+++ b/spug_api/apps/account/views.py
@@ -5,9 +5,11 @@ from django.core.cache import cache
 from django.views.generic import View
 from django.db.models import F
 from libs import JsonParser, Argument, human_datetime, json_response
+from libs.utils import get_request_real_ip
 from apps.account.models import User, Role
 from apps.setting.models import Setting
 from libs.ldap import LDAP
+import ipaddress
 import time
 import uuid
 import json
@@ -155,7 +157,7 @@ def login(request):
         Argument('type', required=False)
     ).parse(request.body)
     if error is None:
-        x_real_ip = request.headers.get('x-real-ip', '')
+        x_real_ip = get_request_real_ip(request.headers)
         user = User.objects.filter(username=form.username, type=form.type).first()
         if user and not user.is_active:
             return json_response(error="账户已被系统禁用")
@@ -198,7 +200,7 @@ def handle_user_info(user, x_real_ip):
         'access_token': user.access_token,
         'nickname': user.nickname,
         'is_supper': user.is_supper,
-        'has_real_ip': True if x_real_ip else False,
+        'has_real_ip': x_real_ip and ipaddress.ip_address(x_real_ip).is_global,
         'host_perms': [] if user.is_supper else user.host_perms,
         'permissions': [] if user.is_supper else user.page_perms
     })
diff --git a/spug_api/libs/middleware.py b/spug_api/libs/middleware.py
index b081285..391a192 100644
--- a/spug_api/libs/middleware.py
+++ b/spug_api/libs/middleware.py
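Review bot: `ipaddress.ip_address(x_real_ip)` in the new `has_real_ip` line raises `ValueError` whenever the value is not an IP literal, and `get_request_real_ip` hands back the raw header string (a hostname, a `host:port` form, or a leading space from an `X-Forwarded-For` list is enough), so a malformed header turns the login response into an unhandled exception instead of `has_real_ip: false`. Wrap the parse and coerce the result so the field stays a boolean rather than becoming `''` when no address was found. Note also that `is_global` is false for private ranges (10/8, 172.16/12, 192.168/16, loopback), so an instance reached directly on an intranet will always report no real IP and trigger the login warning; if that is meant as a "proxy did not forward the client address" signal it deserves a comment, otherwise a narrower test such as `is_loopback`/`is_unspecified` may be what was intended. `handle_user_info` begins outside the hunk.
```python
def handle_user_info(user, x_real_ip):
    # … unchanged: lines before the response dict …
    try:
        # A malformed or non-literal header value must not break login.
        has_real_ip = bool(x_real_ip) and ipaddress.ip_address(x_real_ip).is_global
    except ValueError:
        has_real_ip = False
    # … unchanged: response dict, with 'has_real_ip': has_real_ip, …
```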
@@ -3,7 +3,7 @@
 # Released under the AGPL-3.0 License.
 from django.utils.deprecation import MiddlewareMixin
 from django.conf import settings
-from .utils import json_response
+from .utils import json_response, get_request_real_ip
 from apps.account.models import User
 import traceback
 import time
@@ -31,7 +31,7 @@ class AuthenticationMiddleware(MiddlewareMixin):
             return None
         access_token = request.headers.get('x-token') or request.GET.get('x-token')
         if access_token and len(access_token) == 32:
-            x_real_ip = request.headers.get('x-real-ip', '')
+            x_real_ip = get_request_real_ip(request.headers)
             user = User.objects.filter(access_token=access_token).first()
             if user and x_real_ip == user.last_ip and user.token_expired >= time.time() and user.is_active:
                 request.user = user
diff --git a/spug_api/libs/utils.py b/spug_api/libs/utils.py
index e901ebe..32c9422 100644
--- a/spug_api/libs/utils.py
+++ b/spug_api/libs/utils.py
@@ -102,3 +102,13 @@ class DateTimeEncoder(json.JSONEncoder):
 def generate_random_str(length: int = 4, is_digits: bool = True) -> str:
     words = string.digits if is_digits else string.ascii_letters + string.digits
     return ''.join(random.sample(words, length))
+
+
+def get_request_real_ip(headers: dict):
+    x_real_ip = headers.get('x-real-ip')
+    if not x_real_ip:
+        x_forwarded_for = headers.get('x-forwarded-for')
+        if not x_forwarded_for:
+            return ''
+        x_real_ip = x_forwarded_for.split(',')[0]
+    return x_real_ip
diff --git a/spug_web/src/pages/login/index.js b/spug_web/src/pages/login/index.js
index d51293d..af68e7a 100644
--- a/spug_web/src/pages/login/index.js
+++ b/spug_web/src/pages/login/index.js
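Review bot: `get_request_real_ip` returns whatever arrived in `X-Real-IP` or `X-Forwarded-For` with no notion of a trusted proxy, and the `AuthenticationMiddleware` hunk on this line compares that value with `user.last_ip` as part of token validation, so when Spug is reachable without a reverse proxy that overwrites both headers the compared value is chosen by the sender and the check adds nothing (the `login` hunk in views.py records the same value). The helper should state that precondition in its docstring, strip whitespace around the entry it picks (`'a, b'.split(',')` leaves a leading space on later entries, which `ipaddress.ip_address` rejects), and preferably accept the request so it can fall back to `request.META['REMOTE_ADDR']` instead of `''`, since an empty string presumably compares equal to a `last_ip` recorded under the same conditions. Which `X-Forwarded-For` entry is reliable depends on the chain: the entry appended by your own proxy is the rightmost, while the leftmost is whatever the first hop supplied, so `split(',')[0]` is only correct when the proxy is configured to reset the header. The enclosing middleware method begins outside the hunk.
```python
def get_request_real_ip(headers: dict) -> str:
    """Return the client address reported by the reverse proxy, or ''.

    Only trustworthy when a proxy in front of Spug sets or overwrites
    X-Real-IP / X-Forwarded-For; a directly reachable instance receives
    whatever the sender put there, so callers must not treat it as verified.
    """
    x_real_ip = (headers.get('x-real-ip') or '').strip()
    if x_real_ip:
        return x_real_ip
    x_forwarded_for = headers.get('x-forwarded-for') or ''
    # Leftmost entry, as before; surrounding whitespace would break ip_address().
    return x_forwarded_for.split(',')[0].strip()
```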
@@ -4,10 +4,10 @@ * Released under the AGPL-3.0 License. */ import React from 'react'; -import {Form, Input, Icon, Button, Tabs, Modal} from 'antd'; +import { Form, Input, Icon, Button, Tabs, Modal } from 'antd'; import styles from './login.module.css'; import history from 'libs/history'; -import {http, updatePermissions} from 'libs'; +import { http, updatePermissions } from 'libs'; import logo from 'layout/logo-spug-txt.png'; import envStore from 'pages/config/environment/store'; import appStore from 'pages/config/app/store'; @@ -46,7 +46,9 @@ class LoginIndex extends React.Component { className: styles.tips, content:
未能获取到客户端的真实IP,无法提供基于请求来源IP的合法性验证,详细信息请参考 - 官方文档。 + 官方文档
, onOk: () => this.doLogin(data) }) @@ -119,14 +121,14 @@ class LoginIndex extends React.Component {
- 官网 - - + 文档
-
Copyright 2020 By OpenSpug
+
Copyright 2020 By OpenSpug
)