feat: 优化注销时session处理

2026-02-03 23:27:22 +08:00 · 2025-07-07 16:49:53 +08:00
parent 11e206b41a
commit 05721dbb47
6 changed files with 31 additions and 28 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -22,4 +22,4 @@ If you find any security issues while using the panel, please do not submit an I

 Thank you in advance for your support and help!

-To some security beginners: Any operation performed through the logged panel's `session` / `access_token` (including but not limited to: obtaining root permissions, reading/writing sensitive system files, executing arbitrary shell commands, etc.) is not considered a security issue. Please do not waste each other's time by submitting such reports.
+To some security beginners: Any operation performed through an already logged-in panel's `session` / `access_token` (including but not limited to: obtaining root permissions, reading/writing sensitive system files, executing arbitrary shell commands, etc.) is not considered a security issue. Please do not waste each other's time by submitting such reports.
--- a/cmd/README.md
+++ b/cmd/README.md
@@ -1,3 +0,0 @@
-# cmd
-
-cmd 目录存放应用的入口文件。
--- a/internal/data/setting.go
+++ b/internal/data/setting.go
@@ -19,6 +19,7 @@ import (
 	"github.com/tnb-labs/panel/pkg/firewall"
 	"github.com/tnb-labs/panel/pkg/io"
 	"github.com/tnb-labs/panel/pkg/os"
+	"github.com/tnb-labs/panel/pkg/systemctl"
 	"github.com/tnb-labs/panel/pkg/types"
 )

@@ -310,6 +311,20 @@ func (r *settingRepo) UpdatePanel(req *request.SettingPanel) (bool, error) {
 		if os.TCPPortInUse(req.Port) {
 			return false, errors.New(r.t.Get("port is already in use"))
 		}
+		// 放行端口
+		if ok, _ := systemctl.IsEnabled("firewalld"); ok {
+			fw := firewall.NewFirewall()
+			err = fw.Port(firewall.FireInfo{
+				Type:      firewall.TypeNormal,
+				PortStart: config.HTTP.Port,
+				PortEnd:   config.HTTP.Port,
+				Direction: firewall.DirectionIn,
+				Strategy:  firewall.StrategyAccept,
+			}, firewall.OperationAdd)
+			if err != nil {
+				return false, err
+			}
+		}
 	}

 	config.App.Locale = req.Locale
@@ -321,19 +336,6 @@ func (r *settingRepo) UpdatePanel(req *request.SettingPanel) (bool, error) {
 	config.HTTP.BindUA = req.BindUA
 	config.Session.Lifetime = req.Lifetime

-	// 放行端口
-	fw := firewall.NewFirewall()
-	err = fw.Port(firewall.FireInfo{
-		Type:      firewall.TypeNormal,
-		PortStart: config.HTTP.Port,
-		PortEnd:   config.HTTP.Port,
-		Direction: firewall.DirectionIn,
-		Strategy:  firewall.StrategyAccept,
-	}, firewall.OperationAdd)
-	if err != nil {
-		return false, err
-	}
-
 	encoded, err := yaml.Marshal(config)
 	if err != nil {
 		return false, err
--- a/internal/http/middleware/entrance.go
+++ b/internal/http/middleware/entrance.go
@@ -77,14 +77,17 @@ func Entrance(t *gotext.Locale, conf *koanf.Koanf, session *sessions.Manager) fu
 				return
 			}

-			// 情况二：请求路径与入口路径相同或者未设置访问入口，标记通过验证并重定向到登录页面
+			// 情况二：请求路径与入口路径相同或未设置访问入口，标记通过验证并重定向
 			if (strings.TrimSuffix(r.URL.Path, "/") == entrance || entrance == "/") &&
 				r.Header.Get("Authorization") == "" {
 				sess.Put("verify_entrance", true)
-				render := chix.NewRender(w, r)
-				defer render.Release()
-				render.Redirect("/login")
-				return
+				// 设置入口的情况下进行重定向
+				if entrance != "/" {
+					render := chix.NewRender(w, r)
+					defer render.Release()
+					render.Redirect("/login")
+					return
+				}
 			}

 			// 情况三：通过APIKey+入口路径访问，重写请求路径并跳过验证
--- a/internal/http/middleware/middleware.go
+++ b/internal/http/middleware/middleware.go
@@ -41,7 +41,6 @@ func (r *Middlewares) Globals(t *gotext.Locale, mux *chi.Mux) []func(http.Handle
 	return []func(http.Handler) http.Handler{
 		middleware.Recoverer,
 		//middleware.SupressNotFound(mux),// bug https://github.com/go-chi/chi/pull/940
-		middleware.StripSlashes,
 		httplog.RequestLogger(r.log, &httplog.Options{
 			Level:             slog.LevelInfo,
 			LogRequestHeaders: []string{"User-Agent"},
--- a/internal/service/user.go
+++ b/internal/service/user.go
@@ -120,13 +120,15 @@ func (s *UserService) Login(w http.ResponseWriter, r *http.Request) {

 func (s *UserService) Logout(w http.ResponseWriter, r *http.Request) {
 	sess, err := s.session.GetSession(r)
-	if err == nil {
-		if err = sess.Invalidate(); err != nil {
-			Error(w, http.StatusInternalServerError, "%v", err)
-			return
-		}
+	if err != nil {
+		Error(w, http.StatusInternalServerError, "%v", err)
 	}

+	sess.Forget("user_id")
+	sess.Forget("key")
+	sess.Forget("safe_login")
+	sess.Forget("safe_client")
+
 	Success(w, nil)
 }