A 安全设置增加登录IP绑定设置

2021-12-23 21:50:06 +08:00 · 2021-12-23 21:50:06 +08:00 · eb0ab71017
parent 3b5ec14185
commit eb0ab71017
5 changed files with 37 additions and 14 deletions
--- a/spug_api/apps/setting/models.py
+++ b/spug_api/apps/setting/models.py
@ -8,6 +8,7 @@ import json
 KEYS_DEFAULT = {
    'MFA': {'enable': False},
    'verify_ip': True,
+    'bind_ip': True,
    'ldap_service': {},
    'spug_key': None,
    'api_key': None,
--- a/spug_api/apps/setting/views.py
+++ b/spug_api/apps/setting/views.py
@ -10,15 +10,18 @@ from libs.mail import Mail
 from libs.spug import send_login_wx_code
 from libs.mixins import AdminView
 from apps.setting.utils import AppSetting
-from apps.setting.models import Setting
+from apps.setting.models import Setting, KEYS_DEFAULT
+from copy import deepcopy
 import platform
 import ldap


 class SettingView(AdminView):
    def get(self, request):
-        data = Setting.objects.all()
-        return json_response([x.to_view() for x in data])
+        response = deepcopy(KEYS_DEFAULT)
+        for item in Setting.objects.all():
+            response[item.key] = item.real_val
+        return json_response(response)

    def post(self, request):
        form, error = JsonParser(
--- a/spug_api/libs/middleware.py
+++ b/spug_api/libs/middleware.py
@ -5,6 +5,7 @@ from django.utils.deprecation import MiddlewareMixin
 from django.conf import settings
 from .utils import json_response, get_request_real_ip
 from apps.account.models import User
+from apps.setting.utils import AppSetting
 import traceback
 import time

@ -33,11 +34,12 @@ class AuthenticationMiddleware(MiddlewareMixin):
        if access_token and len(access_token) == 32:
            x_real_ip = get_request_real_ip(request.headers)
            user = User.objects.filter(access_token=access_token).first()
-            if user and x_real_ip == user.last_ip and user.token_expired >= time.time() and user.is_active:
-                request.user = user
-                user.token_expired = time.time() + 8 * 60 * 60
-                user.save()
-                return None
+            if user and user.token_expired >= time.time() and user.is_active:
+                if x_real_ip == user.last_ip or AppSetting.get_default('bind_ip') is False:
+                    request.user = user
+                    user.token_expired = time.time() + 8 * 60 * 60
+                    user.save()
+                    return None
        response = json_response(error="验证失败，请重新登录")
        response.status_code = 401
        return response
--- a/spug_web/src/pages/system/setting/SecuritySetting.js
+++ b/spug_web/src/pages/system/setting/SecuritySetting.js
@ -12,6 +12,7 @@ import store from './store';

 export default observer(function () {
  const [verify_ip, setVerifyIP] = useState(store.settings.verify_ip);
+  const [bind_ip, setBindIP] = useState(store.settings.bind_ip);
  const [mfa, setMFA] = useState(store.settings.MFA || {});
  const [code, setCode] = useState();
  const [visible, setVisible] = useState(false);
@ -36,6 +37,15 @@ export default observer(function () {
      })
  }

+  function handleChangeBindIP(v) {
+    setBindIP(v);
+    http.post('/api/setting/', {data: [{key: 'bind_ip', value: v}]})
+      .then(() => {
+        message.success('设置成功');
+        store.fetchSettings()
+      })
+  }
+
  function handleChangeMFA(v) {
    if (v && !store.settings.spug_key) return message.error('开启MFA认证需要先在基本设置中配置调用凭据');
    v ? setVisible(true) : handleMFAModify(false)
@ -66,13 +76,24 @@ export default observer(function () {
      <Form layout="vertical" style={{maxWidth: 500}}>
        <Form.Item
          label="访问IP校验"
-          extra="建议开启，校验是否获取了真实的访问者IP，防止因为增加的反向代理层导致基于IP的安全策略失效，当校验失败时会在登录时弹窗提醒。如果你在内网部署且仅在内网使用可以关闭该特性。">
+          extra={<span>建议开启，校验是否获取了真实的访问者IP，防止因为增加的反向代理层导致基于IP的安全策略失效，当校验失败时会在登录时弹窗提醒。如果你在内网部署且仅在内网使用可以关闭该特性。<a
+            href="https://spug.cc/docs/practice/#%E5%AE%89%E5%85%A8%E6%80%A7%E5%AE%9E%E8%B7%B5%E6%8C%87%E5%8D%97"
+            target="_blank" rel="noopener noreferrer">为什么没有获取到真实IP？</a></span>}>
          <Switch
            checkedChildren="开启"
            unCheckedChildren="关闭"
            onChange={handleChangeVerifyIP}
            checked={verify_ip}/>
        </Form.Item>
+        <Form.Item
+          label="登录IP绑定"
+          extra="强烈建议开启，当开启后会把登录凭证与IP进行绑定，当该登录凭证通过其他IP访问时将自动失效。如非必要，切勿关闭该特性！">
+          <Switch
+            checkedChildren="开启"
+            unCheckedChildren="关闭"
+            onChange={handleChangeBindIP}
+            checked={bind_ip}/>
+        </Form.Item>
        <Form.Item
          label="登录MFA（两步）认证"
          style={{marginTop: 24}}
--- a/spug_web/src/pages/system/setting/store.js
+++ b/spug_web/src/pages/system/setting/store.js
@ -14,11 +14,7 @@ class Store {
  fetchSettings = () => {
    this.isFetching = true;
    http.get('/api/setting/')
-      .then(res => {
-        for (let item of res) {
-          this.settings[item.key] = item.value;
-        }
-      })
+      .then(res => this.settings = res)
      .finally(() => this.isFetching = false)
  };