ivampiresp/Lae
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

快速登录 与 安全性

Browse Source
This commit is contained in:
iVampireSP.com 2022-12-09 17:22:59 +08:00
parent 8b862ca202
commit 09cb6bea2e
No known key found for this signature in database
GPG Key ID: 2F7B001CA27A8132
9 changed files with 131 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
app/Http/Controllers/Admin/ModuleController.php
View File

@ -6,11 +6,8 @@
use App\Models\Host; use App\Models\Host;
use App\Models\Module; use App\Models\Module;
use App\Models\ModuleAllow; use App\Models\ModuleAllow;
use App\Models\WorkOrder\Reply;
use App\Models\WorkOrder\WorkOrder;
use Illuminate\Http\RedirectResponse; use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Illuminate\Support\Str; use Illuminate\Support\Str;
use Illuminate\View\View; use Illuminate\View\View;
@ -189,4 +186,18 @@ public function allows_destroy(Module $module, ModuleAllow $allow)
return redirect()->route('admin.modules.allows', $module)->with('success', '取消信任完成。'); return redirect()->route('admin.modules.allows', $module)->with('success', '取消信任完成。');
} }
// fast login
public function fast_login(Module $module): View|RedirectResponse
{
$resp = $module->baseRequest('post', 'fast-login', []);
if ($resp['success']) {
$resp = $resp['json']['data'];
return view('admin.modules.login', compact('module', 'resp'));
} else {
return redirect()->route('admin.modules.show', $module)->with('error', '快速登录失败,可能是模块不支持。');
}
}
} }

1
app/Http/Kernel.php
View File

@ -71,5 +71,6 @@ class Kernel extends HttpKernel
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class, 'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class, 'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
'banned' => \App\Http\Middleware\ValidateUserIfBanned::class, 'banned' => \App\Http\Middleware\ValidateUserIfBanned::class,
'admin.validateReferer' => \App\Http\Middleware\Admin\ValidateReferer::class,
]; ];
} }

30
app/Http/Middleware/Admin/ValidateReferer.php Normal file
View File

@ -0,0 +1,30 @@
<?php
namespace App\Http\Middleware\Admin;
use Closure;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Illuminate\Support\Str;
class ValidateReferer
{
/**
* Handle an incoming request.
*
* @param Request $request
* @param Closure(Request): (Response|RedirectResponse) $next
*
* @return Response|RedirectResponse
*/
public function handle(Request $request, Closure $next): Response|RedirectResponse
{
// 如果 referer 不为空,且不是来自本站的请求,则返回 403
if ($request->headers->get('referer') && !Str::contains($request->headers->get('referer'), config('app.url'))) {
abort(403, '来源不属于后台。');
} else {
return $next($request);
}
}
}

10
app/Models/Module.php
View File

@ -145,10 +145,18 @@ private function getResponse(Response $response): array
$json = $response->json(); $json = $response->json();
$status = $response->status(); $status = $response->status();
$success = true;
// if status code is not 20x
if ($status < 200 || $status >= 300) {
$success = false;
}
return [ return [
'body' => $response->body(), 'body' => $response->body(),
'json' => $json, 'json' => $json,
'status' => $status 'status' => $status,
'success' => $success,
]; ];
} }

2
app/Providers/RouteServiceProvider.php
View File

@ -44,7 +44,7 @@ public function boot()
->as('applications.') ->as('applications.')
->group(base_path('routes/applications.php')); ->group(base_path('routes/applications.php'));
Route::middleware(['web']) Route::middleware(['web', 'admin.validateReferer'])
->prefix('admin') ->prefix('admin')
->as('admin.') ->as('admin.')
->group(base_path('routes/admin.php')); ->group(base_path('routes/admin.php'));

2
resources/views/admin/modules/index.blade.php
View File

@ -29,6 +29,8 @@
<a href="{{ route('admin.modules.show', $module) }}" class="btn btn-primary btn-sm">查看</a> <a href="{{ route('admin.modules.show', $module) }}" class="btn btn-primary btn-sm">查看</a>
<a href="{{ route('admin.modules.edit', $module) }}" class="btn btn-primary btn-sm">编辑</a> <a href="{{ route('admin.modules.edit', $module) }}" class="btn btn-primary btn-sm">编辑</a>
<a href="{{ route('admin.modules.allows', $module) }}" class="btn btn-primary btn-sm">MQTT 授权</a> <a href="{{ route('admin.modules.allows', $module) }}" class="btn btn-primary btn-sm">MQTT 授权</a>
<a href="{{ route('admin.modules.fast-login', $module) }}" target="_blank" class="btn btn-primary btn-sm">快速登录</a>
</td> </td>
</tr> </tr>
@endforeach @endforeach

21
resources/views/admin/modules/login.blade.php Normal file
View File

@ -0,0 +1,21 @@
@extends('layouts.admin')
@section('title', '快速登录')
@section('content')
<h4>正在登录到 {{ $module->name }}...</h4>
<form class="visually-hidden" action="{{ $resp['url'] }}" method="GET" id="fast-login">
<input type="hidden" name="fast_login_token" value="{{ $resp['token'] }}" />
</form>
<script>
setTimeout(() => {
document.getElementById('fast-login').submit();
}, 1000)
</script>
@endsection

2
resources/views/admin/modules/show.blade.php
View File

@ -7,6 +7,8 @@
<p>状态: {{ $module->status }}</p> <p>状态: {{ $module->status }}</p>
<a class="mt-3" href="{{ route('admin.modules.edit', $module) }}">编辑</a> <a class="mt-3" href="{{ route('admin.modules.edit', $module) }}">编辑</a>
<a class="mt-3" href="{{ route('admin.modules.allows', $module) }}">MQTT 授权</a> <a class="mt-3" href="{{ route('admin.modules.allows', $module) }}">MQTT 授权</a>
<a class="mt-3" href="{{ route('admin.modules.fast-login', $module) }}" target="_blank">快速登录</a>
<h4 class="mt-2">收益</h4> <h4 class="mt-2">收益</h4>
<div> <div>
<x-module-earning :module="$module"/> <x-module-earning :module="$module"/>

6
routes/admin.php
View File

@ -12,13 +12,13 @@
use App\Http\Controllers\Admin\WorkOrderController; use App\Http\Controllers\Admin\WorkOrderController;
use Illuminate\Support\Facades\Route; use Illuminate\Support\Facades\Route;
Route::withoutMiddleware(['auth'])->group(function () { Route::withoutMiddleware(['auth', 'admin.validateReferer'])->group(function () {
Route::get('/login', [AuthController::class, 'index'])->name('login'); Route::get('/login', [AuthController::class, 'index'])->name('login');
Route::post('/login', [AuthController::class, 'login']); Route::post('/login', [AuthController::class, 'login']);
}); });
Route::post('/logout', [AuthController::class, 'logout'])->name('logout'); Route::post('/logout', [AuthController::class, 'logout'])->name('logout');
Route::get('/', [HomeController::class, 'index'])->name('index')->middleware('auth:admin'); Route::get('/', [HomeController::class, 'index'])->name('index')->middleware('auth:admin')->withoutMiddleware('admin.validateReferer');
Route::group([ Route::group([
'middleware' => 'auth:admin', 'middleware' => 'auth:admin',
@ -33,6 +33,8 @@
Route::post('modules/{module}/allows', [ModuleController::class, 'allows_store'])->name('modules.allows.store'); Route::post('modules/{module}/allows', [ModuleController::class, 'allows_store'])->name('modules.allows.store');
Route::delete('modules/{module}/allows/{allow}', [ModuleController::class, 'allows_destroy'])->name('modules.allows.destroy'); Route::delete('modules/{module}/allows/{allow}', [ModuleController::class, 'allows_destroy'])->name('modules.allows.destroy');
Route::get('modules/{module}/fast-login', [ModuleController::class, 'fast_login'])->name('modules.fast-login');
Route::resource('applications', ApplicationController::class); Route::resource('applications', ApplicationController::class);
Route::resource('hosts', HostController::class)->only(['index', 'edit', 'update', 'destroy']); Route::resource('hosts', HostController::class)->only(['index', 'edit', 'update', 'destroy']);