登录页尝试使用csrf校验
This commit is contained in:
22
internal/web/actions/actionutils/csrf.go
Normal file
22
internal/web/actions/actionutils/csrf.go
Normal file
@@ -0,0 +1,22 @@
|
||||
package actionutils
|
||||
|
||||
import (
|
||||
"github.com/TeaOSLab/EdgeAdmin/internal/csrf"
|
||||
"github.com/iwind/TeaGo/actions"
|
||||
"net/http"
|
||||
)
|
||||
|
||||
type CSRF struct {
|
||||
}
|
||||
|
||||
func (this *CSRF) BeforeAction(actionPtr actions.ActionWrapper, paramName string) (goNext bool) {
|
||||
action := actionPtr.Object()
|
||||
token := action.ParamString("csrfToken")
|
||||
if !csrf.Validate(token) {
|
||||
action.ResponseWriter.WriteHeader(http.StatusForbidden)
|
||||
action.WriteString("表单已失效,请刷新页面后重试(001)")
|
||||
return
|
||||
}
|
||||
|
||||
return true
|
||||
}
|
||||
12
internal/web/actions/default/csrf/init.go
Normal file
12
internal/web/actions/default/csrf/init.go
Normal file
@@ -0,0 +1,12 @@
|
||||
package csrf
|
||||
|
||||
import "github.com/iwind/TeaGo"
|
||||
|
||||
func init() {
|
||||
TeaGo.BeforeStart(func(server *TeaGo.Server) {
|
||||
server.
|
||||
Prefix("/csrf").
|
||||
Get("/token", new(TokenAction)).
|
||||
EndAll()
|
||||
})
|
||||
}
|
||||
39
internal/web/actions/default/csrf/token.go
Normal file
39
internal/web/actions/default/csrf/token.go
Normal file
@@ -0,0 +1,39 @@
|
||||
package csrf
|
||||
|
||||
import (
|
||||
"github.com/TeaOSLab/EdgeAdmin/internal/csrf"
|
||||
"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
|
||||
"github.com/TeaOSLab/EdgeAdmin/internal/web/helpers"
|
||||
"sync"
|
||||
"time"
|
||||
)
|
||||
|
||||
var lastTimestamp = int64(0)
|
||||
var locker sync.Mutex
|
||||
|
||||
type TokenAction struct {
|
||||
actionutils.ParentAction
|
||||
}
|
||||
|
||||
func (this *TokenAction) Init() {
|
||||
this.Nav("", "", "")
|
||||
}
|
||||
|
||||
func (this *TokenAction) RunGet(params struct {
|
||||
Auth *helpers.UserShouldAuth
|
||||
}) {
|
||||
locker.Lock()
|
||||
defer locker.Unlock()
|
||||
|
||||
defer func() {
|
||||
lastTimestamp = time.Now().Unix()
|
||||
}()
|
||||
|
||||
// 没有登录,则限制请求速度
|
||||
if params.Auth.AdminId() <= 0 && lastTimestamp > 0 && time.Now().Unix()-lastTimestamp <= 1 {
|
||||
this.Fail("请求速度过快,请稍后刷新后重试")
|
||||
}
|
||||
|
||||
this.Data["token"] = csrf.Generate()
|
||||
this.Success()
|
||||
}
|
||||
@@ -15,7 +15,9 @@ import (
|
||||
"time"
|
||||
)
|
||||
|
||||
type IndexAction actions.Action
|
||||
type IndexAction struct {
|
||||
actionutils.ParentAction
|
||||
}
|
||||
|
||||
// 首页(登录页)
|
||||
|
||||
@@ -56,6 +58,7 @@ func (this *IndexAction) RunPost(params struct {
|
||||
Remember bool
|
||||
Must *actions.Must
|
||||
Auth *helpers.UserShouldAuth
|
||||
CSRF *actionutils.CSRF
|
||||
}) {
|
||||
params.Must.
|
||||
Field("username", params.Username).
|
||||
|
||||
@@ -7,6 +7,7 @@ import (
|
||||
_ "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/clusters"
|
||||
_ "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/clusters/cluster"
|
||||
_ "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/clusters/cluster/settings"
|
||||
_ "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/csrf"
|
||||
_ "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/dashboard"
|
||||
_ "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/db"
|
||||
_ "github.com/TeaOSLab/EdgeAdmin/internal/web/actions/default/dns"
|
||||
|
||||
Reference in New Issue
Block a user