fix: checkorigin when debug enabled & update fronted dist

2025-01-22 12:48:14 -05:00 · 2024-12-01 00:00:01 +08:00 · 2024-12-01 00:00:01 +08:00 · cb06a303b7
commit cb06a303b7
parent 166f25508c
3 changed files with 45 additions and 4 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -32,7 +32,7 @@ jobs:
      - uses: robinraju/release-downloader@v1
        with:
          repository: nezhahq/admin-frontend
-          tag: v1.0.11
+          tag: v1.0.12
          fileName: dist.zip
          latest: true
          extract: true
@ -45,7 +45,7 @@ jobs:
      - uses: robinraju/release-downloader@v1
        with:
          repository: nezhahq/user-frontend
-          tag: v1.0.4
+          tag: v1.0.5
          fileName: dist.zip
          latest: true
          extract: true
--- a/cmd/dashboard/controller/jwt.go
+++ b/cmd/dashboard/controller/jwt.go
@ -8,6 +8,7 @@ import (
 	jwt "github.com/appleboy/gin-jwt/v2"
 	"github.com/gin-gonic/gin"
 	"golang.org/x/crypto/bcrypt"
+	"gorm.io/gorm"

 	"github.com/nezhahq/nezha/cmd/dashboard/controller/waf"
 	"github.com/nezhahq/nezha/model"
@ -88,7 +89,9 @@ func authenticator() func(c *gin.Context) (interface{}, error) {

 		var user model.User
 		if err := singleton.DB.Select("id", "password").Where("username = ?", loginVals.Username).First(&user).Error; err != nil {
-			model.BlockIP(singleton.DB, c.GetString(model.CtxKeyRealIPStr), model.WAFBlockReasonTypeLoginFail)
+			if err == gorm.ErrRecordNotFound {
+				model.BlockIP(singleton.DB, c.GetString(model.CtxKeyRealIPStr), model.WAFBlockReasonTypeLoginFail)
+			}
 			return nil, jwt.ErrFailedAuthentication
 		}

--- a/cmd/dashboard/controller/ws.go
+++ b/cmd/dashboard/controller/ws.go
@ -4,7 +4,9 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"net/url"
 	"time"
+	"unicode/utf8"

 	"github.com/gin-gonic/gin"
 	"github.com/gorilla/websocket"
@ -23,6 +25,9 @@ func InitUpgrader() {
 	// Allow CORS from loopback addresses in debug mode
 	if singleton.Conf.Debug {
 		checkOrigin = func(r *http.Request) bool {
+			if checkSameOrigin(r) {
+				return true
+			}
 			hostAddr := r.Host
 			host, _, err := net.SplitHostPort(hostAddr)
 			if err != nil {
@ -42,7 +47,6 @@ func InitUpgrader() {
 					return true
 				}
 			}
-
 			return false
 		}
 	}
@ -54,6 +58,40 @@ func InitUpgrader() {
 	}
 }

+func equalASCIIFold(s, t string) bool {
+	for s != "" && t != "" {
+		sr, size := utf8.DecodeRuneInString(s)
+		s = s[size:]
+		tr, size := utf8.DecodeRuneInString(t)
+		t = t[size:]
+		if sr == tr {
+			continue
+		}
+		if 'A' <= sr && sr <= 'Z' {
+			sr = sr + 'a' - 'A'
+		}
+		if 'A' <= tr && tr <= 'Z' {
+			tr = tr + 'a' - 'A'
+		}
+		if sr != tr {
+			return false
+		}
+	}
+	return s == t
+}
+
+func checkSameOrigin(r *http.Request) bool {
+	origin := r.Header["Origin"]
+	if len(origin) == 0 {
+		return true
+	}
+	u, err := url.Parse(origin[0])
+	if err != nil {
+		return false
+	}
+	return equalASCIIFold(u.Host, r.Host)
+}
+
 // Websocket server stream
 // @Summary Websocket server stream
 // @tags common