U improve security

2020-10-10 09:49:58 +08:00 · 2020-10-10 09:49:58 +08:00 · 3e09794b06
parent 4795c9e9ae
commit 3e09794b06
4 changed files with 26 additions and 12 deletions
--- a/spug_api/apps/account/views.py
+++ b/spug_api/apps/account/views.py
@ -5,9 +5,11 @@ from django.core.cache import cache
 from django.views.generic import View
 from django.db.models import F
 from libs import JsonParser, Argument, human_datetime, json_response
+from libs.utils import get_request_real_ip
 from apps.account.models import User, Role
 from apps.setting.models import Setting
 from libs.ldap import LDAP
+import ipaddress
 import time
 import uuid
 import json
@ -155,7 +157,7 @@ def login(request):
        Argument('type', required=False)
    ).parse(request.body)
    if error is None:
-        x_real_ip = request.headers.get('x-real-ip', '')
+        x_real_ip = get_request_real_ip(request.headers)
        user = User.objects.filter(username=form.username, type=form.type).first()
        if user and not user.is_active:
            return json_response(error="账户已被系统禁用")
@ -198,7 +200,7 @@ def handle_user_info(user, x_real_ip):
        'access_token': user.access_token,
        'nickname': user.nickname,
        'is_supper': user.is_supper,
-        'has_real_ip': True if x_real_ip else False,
+        'has_real_ip': x_real_ip and ipaddress.ip_address(x_real_ip).is_global,
        'host_perms': [] if user.is_supper else user.host_perms,
        'permissions': [] if user.is_supper else user.page_perms
    })
--- a/spug_api/libs/middleware.py
+++ b/spug_api/libs/middleware.py
@ -3,7 +3,7 @@
 # Released under the AGPL-3.0 License.
 from django.utils.deprecation import MiddlewareMixin
 from django.conf import settings
-from .utils import json_response
+from .utils import json_response, get_request_real_ip
 from apps.account.models import User
 import traceback
 import time
@ -31,7 +31,7 @@ class AuthenticationMiddleware(MiddlewareMixin):
            return None
        access_token = request.headers.get('x-token') or request.GET.get('x-token')
        if access_token and len(access_token) == 32:
-            x_real_ip = request.headers.get('x-real-ip', '')
+            x_real_ip = get_request_real_ip(request.headers)
            user = User.objects.filter(access_token=access_token).first()
            if user and x_real_ip == user.last_ip and user.token_expired >= time.time() and user.is_active:
                request.user = user
--- a/spug_api/libs/utils.py
+++ b/spug_api/libs/utils.py
@ -102,3 +102,13 @@ class DateTimeEncoder(json.JSONEncoder):
 def generate_random_str(length: int = 4, is_digits: bool = True) -> str:
    words = string.digits if is_digits else string.ascii_letters + string.digits
    return ''.join(random.sample(words, length))
+
+
+def get_request_real_ip(headers: dict):
+    x_real_ip = headers.get('x-real-ip')
+    if not x_real_ip:
+        x_forwarded_for = headers.get('x-forwarded-for')
+        if not x_forwarded_for:
+            return ''
+        x_real_ip = x_forwarded_for.split(',')[0]
+    return x_real_ip
--- a/spug_web/src/pages/login/index.js
+++ b/spug_web/src/pages/login/index.js
@ -46,7 +46,9 @@ class LoginIndex extends React.Component {
                className: styles.tips,
                content: <div>
                  未能获取到客户端的真实IP，无法提供基于请求来源IP的合法性验证，详细信息请参考
-                  <a target="_blank" href="https://spug.dev" rel="noopener noreferrer">官方文档</a>。
+                  <a target="_blank"
+                     href="https://spug.dev/docs/practice/#%E5%AE%89%E5%85%A8%E6%80%A7%E5%AE%9E%E8%B7%B5%E6%8C%87%E5%8D%97"
+                     rel="noopener noreferrer">官方文档</a>。
                </div>,
                onOk: () => this.doLogin(data)
              })