ivampiresp/Lae
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

快速登录 与 安全性

Browse Source
This commit is contained in:
iVampireSP.com 2022-12-09 17:22:59 +08:00
parent 8b862ca202
commit 09cb6bea2e
No known key found for this signature in database
GPG Key ID: 2F7B001CA27A8132
9 changed files with 131 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
app/Http/Controllers/Admin/ModuleController.php
View File

@ -6,11 +6,8 @@
use App\Models\Host;
use App\Models\Module;
use App\Models\ModuleAllow;
use App\Models\WorkOrder\Reply;
use App\Models\WorkOrder\WorkOrder;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Illuminate\Support\Str;
use Illuminate\View\View;
@ -189,4 +186,18 @@ public function allows_destroy(Module $module, ModuleAllow $allow)
return redirect()->route('admin.modules.allows', $module)->with('success', '取消信任完成。');
}
// fast login
public function fast_login(Module $module): View|RedirectResponse
{
$resp = $module->baseRequest('post', 'fast-login', []);
if ($resp['success']) {
$resp = $resp['json']['data'];
return view('admin.modules.login', compact('module', 'resp'));
} else {
return redirect()->route('admin.modules.show', $module)->with('error', '快速登录失败,可能是模块不支持。');
}
}
}

1
app/Http/Kernel.php
View File

@ -71,5 +71,6 @@ class Kernel extends HttpKernel
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
'banned' => \App\Http\Middleware\ValidateUserIfBanned::class,
'admin.validateReferer' => \App\Http\Middleware\Admin\ValidateReferer::class,
];
}

30
app/Http/Middleware/Admin/ValidateReferer.php Normal file
View File

@ -0,0 +1,30 @@
<?php
namespace App\Http\Middleware\Admin;
use Closure;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Illuminate\Support\Str;
class ValidateReferer
{
/**
* Handle an incoming request.
*
* @param Request $request
* @param Closure(Request): (Response|RedirectResponse) $next
*
* @return Response|RedirectResponse
*/
public function handle(Request $request, Closure $next): Response|RedirectResponse
{
// 如果 referer 不为空,且不是来自本站的请求,则返回 403
if ($request->headers->get('referer') && !Str::contains($request->headers->get('referer'), config('app.url'))) {
abort(403, '来源不属于后台。');
} else {
return $next($request);
}
}
}

10
app/Models/Module.php
View File

@ -145,10 +145,18 @@ private function getResponse(Response $response): array
$json = $response->json();
$status = $response->status();
$success = true;
// if status code is not 20x
if ($status < 200 || $status >= 300) {
$success = false;
}
return [
'body' => $response->body(),
'json' => $json,
'status' => $status
'status' => $status,
'success' => $success,
];
}

2
app/Providers/RouteServiceProvider.php
View File

@ -44,7 +44,7 @@ public function boot()
->as('applications.')
->group(base_path('routes/applications.php'));
Route::middleware(['web'])
Route::middleware(['web', 'admin.validateReferer'])
->prefix('admin')
->as('admin.')
->group(base_path('routes/admin.php'));

2
resources/views/admin/modules/index.blade.php
View File

@ -29,6 +29,8 @@
<a href="{{ route('admin.modules.show', $module) }}" class="btn btn-primary btn-sm">查看</a>
<a href="{{ route('admin.modules.edit', $module) }}" class="btn btn-primary btn-sm">编辑</a>
<a href="{{ route('admin.modules.allows', $module) }}" class="btn btn-primary btn-sm">MQTT 授权</a>
<a href="{{ route('admin.modules.fast-login', $module) }}" target="_blank" class="btn btn-primary btn-sm">快速登录</a>
</td>
</tr>
@endforeach

21
resources/views/admin/modules/login.blade.php Normal file
View File

@ -0,0 +1,21 @@
@extends('layouts.admin')
@section('title', '快速登录')
@section('content')
<h4>正在登录到 {{ $module->name }}...</h4>
<form class="visually-hidden" action="{{ $resp['url'] }}" method="GET" id="fast-login">
<input type="hidden" name="fast_login_token" value="{{ $resp['token'] }}" />
</form>
<script>
setTimeout(() => {
document.getElementById('fast-login').submit();
}, 1000)
</script>
@endsection

96
resources/views/admin/modules/show.blade.php
View File

@ -3,19 +3,21 @@
@section('title', '模块: ' . $module->name)
@section('content')
<h3>{{ $module->name }}</h3>
<p>状态: {{ $module->status }}</p>
<a class="mt-3" href="{{ route('admin.modules.edit', $module) }}">编辑</a>
<a class="mt-3" href="{{ route('admin.modules.allows', $module) }}">MQTT 授权</a>
<h4 class="mt-2">收益</h4>
<div>
<x-module-earning :module="$module" />
</div>
<h3>{{ $module->name }}</h3>
<p>状态: {{ $module->status }}</p>
<a class="mt-3" href="{{ route('admin.modules.edit', $module) }}">编辑</a>
<a class="mt-3" href="{{ route('admin.modules.allows', $module) }}">MQTT 授权</a>
<a class="mt-3" href="{{ route('admin.modules.fast-login', $module) }}" target="_blank">快速登录</a>
<h4 class="mt-2">主机</h4>
<div class="overflow-auto">
<table class="table table-hover">
<thead>
<h4 class="mt-2">收益</h4>
<div>
<x-module-earning :module="$module"/>
</div>
<h4 class="mt-2">主机</h4>
<div class="overflow-auto">
<table class="table table-hover">
<thead>
<th>ID</th>
<th>名称</th>
<th>用户</th>
@ -24,44 +26,44 @@
<th>更新时间</th>
<th>创建时间</th>
<th>操作</th>
</thead>
</thead>
<tbody>
<tbody>
@foreach ($hosts as $host)
<tr>
<td>
<a href="{{ route('admin.hosts.edit', $host) }}">
{{ $host->id }}
</a>
</td>
<td>
{{ $host->name }}
</td>
<td>
<a href="{{ route('admin.users.edit', $host->user_id) }}"> {{ $host->user->name }}</a>
</td>
<td>
{{ $host->price }}
</td>
<td>
<x-host-status :status="$host->status" />
</td>
<td>
{{ $host->updated_at }}
</td>
<td>
{{ $host->created_at }}
</td>
<td>
<a href="{{ route('admin.hosts.edit', $host) }}" class="btn btn-primary btn-sm">编辑</a>
</td>
</tr>
<tr>
<td>
<a href="{{ route('admin.hosts.edit', $host) }}">
{{ $host->id }}
</a>
</td>
<td>
{{ $host->name }}
</td>
<td>
<a href="{{ route('admin.users.edit', $host->user_id) }}"> {{ $host->user->name }}</a>
</td>
<td>
{{ $host->price }}
</td>
<td>
<x-host-status :status="$host->status"/>
</td>
<td>
{{ $host->updated_at }}
</td>
<td>
{{ $host->created_at }}
</td>
<td>
<a href="{{ route('admin.hosts.edit', $host) }}" class="btn btn-primary btn-sm">编辑</a>
</td>
</tr>
@endforeach
</tbody>
</table>
</div>
</tbody>
</table>
</div>
{{-- 分页 --}}
{{ $hosts->links() }}
{{-- 分页 --}}
{{ $hosts->links() }}
@endsection

6
routes/admin.php
View File

@ -12,13 +12,13 @@
use App\Http\Controllers\Admin\WorkOrderController;
use Illuminate\Support\Facades\Route;
Route::withoutMiddleware(['auth'])->group(function () {
Route::withoutMiddleware(['auth', 'admin.validateReferer'])->group(function () {
Route::get('/login', [AuthController::class, 'index'])->name('login');
Route::post('/login', [AuthController::class, 'login']);
});
Route::post('/logout', [AuthController::class, 'logout'])->name('logout');
Route::get('/', [HomeController::class, 'index'])->name('index')->middleware('auth:admin');
Route::get('/', [HomeController::class, 'index'])->name('index')->middleware('auth:admin')->withoutMiddleware('admin.validateReferer');
Route::group([
'middleware' => 'auth:admin',
@ -33,6 +33,8 @@
Route::post('modules/{module}/allows', [ModuleController::class, 'allows_store'])->name('modules.allows.store');
Route::delete('modules/{module}/allows/{allow}', [ModuleController::class, 'allows_destroy'])->name('modules.allows.destroy');
Route::get('modules/{module}/fast-login', [ModuleController::class, 'fast_login'])->name('modules.fast-login');
Route::resource('applications', ApplicationController::class);
Route::resource('hosts', HostController::class)->only(['index', 'edit', 'update', 'destroy']);