U improve security

spug_api/apps/account/views.py

@@ -5,9 +5,11 @@ from django.core.cache import cache
 from django.views.generic import View
 from django.db.models import F
 from libs import JsonParser, Argument, human_datetime, json_response
+from libs.utils import get_request_real_ip
 from apps.account.models import User, Role
 from apps.setting.models import Setting
 from libs.ldap import LDAP
+import ipaddress
 import time
 import uuid
 import json
@@ -155,7 +157,7 @@ def login(request):
         Argument('type', required=False)
     ).parse(request.body)
     if error is None:
-        x_real_ip = request.headers.get('x-real-ip', '')
+        x_real_ip = get_request_real_ip(request.headers)
         user = User.objects.filter(username=form.username, type=form.type).first()
         if user and not user.is_active:
             return json_response(error="账户已被系统禁用")
@@ -198,7 +200,7 @@ def handle_user_info(user, x_real_ip):
         'access_token': user.access_token,
         'nickname': user.nickname,
         'is_supper': user.is_supper,
-        'has_real_ip': True if x_real_ip else False,
+        'has_real_ip': x_real_ip and ipaddress.ip_address(x_real_ip).is_global,
         'host_perms': [] if user.is_supper else user.host_perms,
         'permissions': [] if user.is_supper else user.page_perms
     })

spug_api/libs/middleware.py

@@ -3,7 +3,7 @@
 # Released under the AGPL-3.0 License.
 from django.utils.deprecation import MiddlewareMixin
 from django.conf import settings
-from .utils import json_response
+from .utils import json_response, get_request_real_ip
 from apps.account.models import User
 import traceback
 import time
@@ -31,7 +31,7 @@ class AuthenticationMiddleware(MiddlewareMixin):
             return None
         access_token = request.headers.get('x-token') or request.GET.get('x-token')
         if access_token and len(access_token) == 32:
-            x_real_ip = request.headers.get('x-real-ip', '')
+            x_real_ip = get_request_real_ip(request.headers)
             user = User.objects.filter(access_token=access_token).first()
             if user and x_real_ip == user.last_ip and user.token_expired >= time.time() and user.is_active:
                 request.user = user

spug_api/libs/utils.py

@@ -102,3 +102,13 @@ class DateTimeEncoder(json.JSONEncoder):
 def generate_random_str(length: int = 4, is_digits: bool = True) -> str:
     words = string.digits if is_digits else string.ascii_letters + string.digits
     return ''.join(random.sample(words, length))
+
+
+def get_request_real_ip(headers: dict):
+    x_real_ip = headers.get('x-real-ip')
+    if not x_real_ip:
+        x_forwarded_for = headers.get('x-forwarded-for')
+        if not x_forwarded_for:
+            return ''
+        x_real_ip = x_forwarded_for.split(',')[0]
+    return x_real_ip

spug_web/src/pages/login/index.js

@@ -46,7 +46,9 @@ class LoginIndex extends React.Component {
                 className: styles.tips,
                 content: <div>
                   未能获取到客户端的真实IP，无法提供基于请求来源IP的合法性验证，详细信息请参考
-                  <a target="_blank" href="https://spug.dev" rel="noopener noreferrer">官方文档</a>。
+                  <a target="_blank"
+                     href="https://spug.dev/docs/practice/#%E5%AE%89%E5%85%A8%E6%80%A7%E5%AE%9E%E8%B7%B5%E6%8C%87%E5%8D%97"
+                     rel="noopener noreferrer">官方文档</a>。
                 </div>,
                 onOk: () => this.doLogin(data)
               })