tcjlj/nezha
1
0
Fork 0
mirror of https://github.com/nezhahq/nezha.git synced 2025-01-22 12:48:14 -05:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: checkorigin when debug enabled & update fronted dist

Browse Source
This commit is contained in:
naiba 2024-12-01 00:00:01 +08:00
parent 166f25508c
commit cb06a303b7
3 changed files with 45 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.github/workflows/release.yml vendored
View File

@ -32,7 +32,7 @@ jobs:
- uses: robinraju/release-downloader@v1 - uses: robinraju/release-downloader@v1
with: with:
repository: nezhahq/admin-frontend repository: nezhahq/admin-frontend
tag: v1.0.11 tag: v1.0.12
fileName: dist.zip fileName: dist.zip
latest: true latest: true
extract: true extract: true
@ -45,7 +45,7 @@ jobs:
- uses: robinraju/release-downloader@v1 - uses: robinraju/release-downloader@v1
with: with:
repository: nezhahq/user-frontend repository: nezhahq/user-frontend
tag: v1.0.4 tag: v1.0.5
fileName: dist.zip fileName: dist.zip
latest: true latest: true
extract: true extract: true

5
cmd/dashboard/controller/jwt.go
View File

@ -8,6 +8,7 @@ import (
jwt "github.com/appleboy/gin-jwt/v2" jwt "github.com/appleboy/gin-jwt/v2"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"golang.org/x/crypto/bcrypt" "golang.org/x/crypto/bcrypt"
"gorm.io/gorm"
"github.com/nezhahq/nezha/cmd/dashboard/controller/waf" "github.com/nezhahq/nezha/cmd/dashboard/controller/waf"
"github.com/nezhahq/nezha/model" "github.com/nezhahq/nezha/model"
@ -88,7 +89,9 @@ func authenticator() func(c *gin.Context) (interface{}, error) {
var user model.User var user model.User
if err := singleton.DB.Select("id", "password").Where("username = ?", loginVals.Username).First(&user).Error; err != nil { if err := singleton.DB.Select("id", "password").Where("username = ?", loginVals.Username).First(&user).Error; err != nil {
model.BlockIP(singleton.DB, c.GetString(model.CtxKeyRealIPStr), model.WAFBlockReasonTypeLoginFail) if err == gorm.ErrRecordNotFound {
model.BlockIP(singleton.DB, c.GetString(model.CtxKeyRealIPStr), model.WAFBlockReasonTypeLoginFail)
}
return nil, jwt.ErrFailedAuthentication return nil, jwt.ErrFailedAuthentication
} }

40
cmd/dashboard/controller/ws.go
View File

@ -4,7 +4,9 @@ import (
"fmt" "fmt"
"net" "net"
"net/http" "net/http"
"net/url"
"time" "time"
"unicode/utf8"
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/gorilla/websocket" "github.com/gorilla/websocket"
@ -23,6 +25,9 @@ func InitUpgrader() {
// Allow CORS from loopback addresses in debug mode // Allow CORS from loopback addresses in debug mode
if singleton.Conf.Debug { if singleton.Conf.Debug {
checkOrigin = func(r *http.Request) bool { checkOrigin = func(r *http.Request) bool {
if checkSameOrigin(r) {
return true
}
hostAddr := r.Host hostAddr := r.Host
host, _, err := net.SplitHostPort(hostAddr) host, _, err := net.SplitHostPort(hostAddr)
if err != nil { if err != nil {
@ -42,7 +47,6 @@ func InitUpgrader() {
return true return true
} }
} }
return false return false
} }
} }
@ -54,6 +58,40 @@ func InitUpgrader() {
} }
} }
func equalASCIIFold(s, t string) bool {
for s != "" && t != "" {
sr, size := utf8.DecodeRuneInString(s)
s = s[size:]
tr, size := utf8.DecodeRuneInString(t)
t = t[size:]
if sr == tr {
continue
}
if 'A' <= sr && sr <= 'Z' {
sr = sr + 'a' - 'A'
}
if 'A' <= tr && tr <= 'Z' {
tr = tr + 'a' - 'A'
}
if sr != tr {
return false
}
}
return s == t
}
func checkSameOrigin(r *http.Request) bool {
origin := r.Header["Origin"]
if len(origin) == 0 {
return true
}
u, err := url.Parse(origin[0])
if err != nil {
return false
}
return equalASCIIFold(u.Host, r.Host)
}
// Websocket server stream // Websocket server stream
// @Summary Websocket server stream // @Summary Websocket server stream
// @tags common // @tags common