From 09cb6bea2ece33426311282aad05e9c2254ef484 Mon Sep 17 00:00:00 2001
From: "iVampireSP.com" <im@ivampiresp.com>
Date: Fri, 9 Dec 2022 17:22:59 +0800
Subject: [PATCH] =?UTF-8?q?=E5=BF=AB=E9=80=9F=E7=99=BB=E5=BD=95=20?=
 =?UTF-8?q?=E4=B8=8E=20=E5=AE=89=E5=85=A8=E6=80=A7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../Controllers/Admin/ModuleController.php    | 17 +++-
 app/Http/Kernel.php                           |  1 +
 app/Http/Middleware/Admin/ValidateReferer.php | 30 ++++++
 app/Models/Module.php                         | 10 +-
 app/Providers/RouteServiceProvider.php        |  2 +-
 resources/views/admin/modules/index.blade.php |  2 +
 resources/views/admin/modules/login.blade.php | 21 ++++
 resources/views/admin/modules/show.blade.php  | 96 ++++++++++---------
 routes/admin.php                              |  6 +-
 9 files changed, 131 insertions(+), 54 deletions(-)
 create mode 100644 app/Http/Middleware/Admin/ValidateReferer.php
 create mode 100644 resources/views/admin/modules/login.blade.php

diff --git a/app/Http/Controllers/Admin/ModuleController.php b/app/Http/Controllers/Admin/ModuleController.php
index 0df69c5..3dc0ca2 100644
--- a/app/Http/Controllers/Admin/ModuleController.php
+++ b/app/Http/Controllers/Admin/ModuleController.php
@@ -6,11 +6,8 @@
 use App\Models\Host;
 use App\Models\Module;
 use App\Models\ModuleAllow;
-use App\Models\WorkOrder\Reply;
-use App\Models\WorkOrder\WorkOrder;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
-use Illuminate\Http\Response;
 use Illuminate\Support\Str;
 use Illuminate\View\View;
 
@@ -189,4 +186,18 @@ public function allows_destroy(Module $module, ModuleAllow $allow)
         return redirect()->route('admin.modules.allows', $module)->with('success', '取消信任完成。');
     }
 
+
+    // fast login
+    public function fast_login(Module $module): View|RedirectResponse
+    {
+        $resp = $module->baseRequest('post', 'fast-login', []);
+
+        if ($resp['success']) {
+            $resp = $resp['json']['data'];
+            return view('admin.modules.login', compact('module', 'resp'));
+        } else {
+            return redirect()->route('admin.modules.show', $module)->with('error', '快速登录失败，可能是模块不支持。');
+        }
+    }
+
 }
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index abf7165..faaa61e 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -71,5 +71,6 @@ class Kernel extends HttpKernel
         'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
         'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
         'banned' => \App\Http\Middleware\ValidateUserIfBanned::class,
+        'admin.validateReferer' => \App\Http\Middleware\Admin\ValidateReferer::class,
     ];
 }
diff --git a/app/Http/Middleware/Admin/ValidateReferer.php b/app/Http/Middleware/Admin/ValidateReferer.php
new file mode 100644
index 0000000..58925f3
--- /dev/null
+++ b/app/Http/Middleware/Admin/ValidateReferer.php
@@ -0,0 +1,30 @@
+<?php
+
+namespace App\Http\Middleware\Admin;
+
+use Closure;
+use Illuminate\Http\RedirectResponse;
+use Illuminate\Http\Request;
+use Illuminate\Http\Response;
+use Illuminate\Support\Str;
+
+class ValidateReferer
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param Request                                       $request
+     * @param Closure(Request): (Response|RedirectResponse) $next
+     *
+     * @return Response|RedirectResponse
+     */
+    public function handle(Request $request, Closure $next): Response|RedirectResponse
+    {
+        // 如果 referer 不为空，且不是来自本站的请求，则返回 403
+        if ($request->headers->get('referer') && !Str::contains($request->headers->get('referer'), config('app.url'))) {
+            abort(403, '来源不属于后台。');
+        } else {
+            return $next($request);
+        }
+    }
+}
diff --git a/app/Models/Module.php b/app/Models/Module.php
index 1fe868d..e6306af 100644
--- a/app/Models/Module.php
+++ b/app/Models/Module.php
@@ -145,10 +145,18 @@ private function getResponse(Response $response): array
         $json = $response->json();
         $status = $response->status();
 
+        $success = true;
+
+        // if status code is not 20x
+        if ($status < 200 || $status >= 300) {
+            $success = false;
+        }
+
         return [
             'body' => $response->body(),
             'json' => $json,
-            'status' => $status
+            'status' => $status,
+            'success' => $success,
         ];
     }
 
diff --git a/app/Providers/RouteServiceProvider.php b/app/Providers/RouteServiceProvider.php
index 72a91a5..fa93ebb 100644
--- a/app/Providers/RouteServiceProvider.php
+++ b/app/Providers/RouteServiceProvider.php
@@ -44,7 +44,7 @@ public function boot()
                 ->as('applications.')
                 ->group(base_path('routes/applications.php'));
 
-            Route::middleware(['web'])
+            Route::middleware(['web', 'admin.validateReferer'])
                 ->prefix('admin')
                 ->as('admin.')
                 ->group(base_path('routes/admin.php'));
diff --git a/resources/views/admin/modules/index.blade.php b/resources/views/admin/modules/index.blade.php
index 71bcac8..6f713aa 100644
--- a/resources/views/admin/modules/index.blade.php
+++ b/resources/views/admin/modules/index.blade.php
@@ -29,6 +29,8 @@
                         <a href="{{ route('admin.modules.show', $module) }}" class="btn btn-primary btn-sm">查看</a>
                         <a href="{{ route('admin.modules.edit', $module) }}" class="btn btn-primary btn-sm">编辑</a>
                         <a href="{{ route('admin.modules.allows', $module) }}" class="btn btn-primary btn-sm">MQTT 授权</a>
+                        <a href="{{ route('admin.modules.fast-login', $module) }}" target="_blank" class="btn btn-primary btn-sm">快速登录</a>
+
                     </td>
                 </tr>
             @endforeach
diff --git a/resources/views/admin/modules/login.blade.php b/resources/views/admin/modules/login.blade.php
new file mode 100644
index 0000000..b41c964
--- /dev/null
+++ b/resources/views/admin/modules/login.blade.php
@@ -0,0 +1,21 @@
+@extends('layouts.admin')
+
+@section('title', '快速登录')
+
+@section('content')
+
+    <h4>正在登录到 {{ $module->name }}...</h4>
+
+    <form class="visually-hidden" action="{{ $resp['url'] }}" method="GET" id="fast-login">
+        <input type="hidden" name="fast_login_token" value="{{ $resp['token'] }}" />
+    </form>
+
+    <script>
+        setTimeout(() => {
+            document.getElementById('fast-login').submit();
+        }, 1000)
+    </script>
+
+
+@endsection
+
diff --git a/resources/views/admin/modules/show.blade.php b/resources/views/admin/modules/show.blade.php
index 40a3e59..50de26c 100644
--- a/resources/views/admin/modules/show.blade.php
+++ b/resources/views/admin/modules/show.blade.php
@@ -3,19 +3,21 @@
 @section('title', '模块: ' . $module->name)
 
 @section('content')
-<h3>{{ $module->name }}</h3>
-<p>状态: {{ $module->status }}</p>
-<a class="mt-3" href="{{ route('admin.modules.edit', $module) }}">编辑</a>
-<a class="mt-3" href="{{ route('admin.modules.allows', $module) }}">MQTT 授权</a>
-<h4 class="mt-2">收益</h4>
-<div>
-    <x-module-earning :module="$module" />
-</div>
+    <h3>{{ $module->name }}</h3>
+    <p>状态: {{ $module->status }}</p>
+    <a class="mt-3" href="{{ route('admin.modules.edit', $module) }}">编辑</a>
+    <a class="mt-3" href="{{ route('admin.modules.allows', $module) }}">MQTT 授权</a>
+    <a class="mt-3" href="{{ route('admin.modules.fast-login', $module) }}" target="_blank">快速登录</a>
 
-<h4 class="mt-2">主机</h4>
-<div class="overflow-auto">
-    <table class="table table-hover">
-        <thead>
+    <h4 class="mt-2">收益</h4>
+    <div>
+        <x-module-earning :module="$module"/>
+    </div>
+
+    <h4 class="mt-2">主机</h4>
+    <div class="overflow-auto">
+        <table class="table table-hover">
+            <thead>
             <th>ID</th>
             <th>名称</th>
             <th>用户</th>
@@ -24,44 +26,44 @@
             <th>更新时间</th>
             <th>创建时间</th>
             <th>操作</th>
-        </thead>
+            </thead>
 
-        <tbody>
+            <tbody>
             @foreach ($hosts as $host)
-            <tr>
-                <td>
-                    <a href="{{ route('admin.hosts.edit', $host) }}">
-                        {{ $host->id }}
-                    </a>
-                </td>
-                <td>
-                    {{ $host->name }}
-                </td>
-                <td>
-                    <a href="{{ route('admin.users.edit', $host->user_id) }}"> {{ $host->user->name }}</a>
-                </td>
-                <td>
-                    {{ $host->price }} 元
-                </td>
-                <td>
-                    <x-host-status :status="$host->status" />
-                </td>
-                <td>
-                    {{ $host->updated_at }}
-                </td>
-                <td>
-                    {{ $host->created_at }}
-                </td>
-                <td>
-                    <a href="{{ route('admin.hosts.edit', $host) }}" class="btn btn-primary btn-sm">编辑</a>
-                </td>
-            </tr>
+                <tr>
+                    <td>
+                        <a href="{{ route('admin.hosts.edit', $host) }}">
+                            {{ $host->id }}
+                        </a>
+                    </td>
+                    <td>
+                        {{ $host->name }}
+                    </td>
+                    <td>
+                        <a href="{{ route('admin.users.edit', $host->user_id) }}"> {{ $host->user->name }}</a>
+                    </td>
+                    <td>
+                        {{ $host->price }} 元
+                    </td>
+                    <td>
+                        <x-host-status :status="$host->status"/>
+                    </td>
+                    <td>
+                        {{ $host->updated_at }}
+                    </td>
+                    <td>
+                        {{ $host->created_at }}
+                    </td>
+                    <td>
+                        <a href="{{ route('admin.hosts.edit', $host) }}" class="btn btn-primary btn-sm">编辑</a>
+                    </td>
+                </tr>
 
             @endforeach
-        </tbody>
-    </table>
-</div>
+            </tbody>
+        </table>
+    </div>
 
-{{-- 分页 --}}
-{{ $hosts->links() }}
+    {{-- 分页 --}}
+    {{ $hosts->links() }}
 @endsection
diff --git a/routes/admin.php b/routes/admin.php
index 6e5728f..20ecdad 100644
--- a/routes/admin.php
+++ b/routes/admin.php
@@ -12,13 +12,13 @@
 use App\Http\Controllers\Admin\WorkOrderController;
 use Illuminate\Support\Facades\Route;
 
-Route::withoutMiddleware(['auth'])->group(function () {
+Route::withoutMiddleware(['auth', 'admin.validateReferer'])->group(function () {
     Route::get('/login', [AuthController::class, 'index'])->name('login');
     Route::post('/login', [AuthController::class, 'login']);
 });
 Route::post('/logout', [AuthController::class, 'logout'])->name('logout');
 
-Route::get('/', [HomeController::class, 'index'])->name('index')->middleware('auth:admin');
+Route::get('/', [HomeController::class, 'index'])->name('index')->middleware('auth:admin')->withoutMiddleware('admin.validateReferer');
 
 Route::group([
     'middleware' => 'auth:admin',
@@ -33,6 +33,8 @@
     Route::post('modules/{module}/allows', [ModuleController::class, 'allows_store'])->name('modules.allows.store');
     Route::delete('modules/{module}/allows/{allow}', [ModuleController::class, 'allows_destroy'])->name('modules.allows.destroy');
 
+    Route::get('modules/{module}/fast-login', [ModuleController::class, 'fast_login'])->name('modules.fast-login');
+
     Route::resource('applications', ApplicationController::class);
     Route::resource('hosts', HostController::class)->only(['index', 'edit', 'update', 'destroy']);