feat: 优化安全登录

2026-02-04 06:47:20 +08:00 · 2024-12-03 04:03:21 +08:00
parent 7bc716cff6
commit fc97709ebf
4 changed files with 11 additions and 8 deletions
--- a/internal/http/middleware/must_login.go
+++ b/internal/http/middleware/must_login.go
@@ -65,8 +65,7 @@ func MustLogin(next http.Handler) http.Handler {
 		if safeLogin {
 			safeClientHash := cast.ToString(sess.Get("safe_client"))
 			ip, _, _ := net.SplitHostPort(strings.TrimSpace(r.RemoteAddr))
-			ua := r.Header.Get("User-Agent")
-			clientHash := fmt.Sprintf("%x", sha3.Sum256([]byte(ip+"|"+ua)))
+			clientHash := fmt.Sprintf("%x", sha3.Sum256([]byte(ip)))
 			if safeClientHash != clientHash || safeClientHash == "" {
 				render := chix.NewRender(w)
 				render.Status(http.StatusUnauthorized)
--- a/internal/service/user.go
+++ b/internal/service/user.go
@@ -93,9 +93,8 @@ func (s *UserService) Login(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	if req.SafeLogin && !app.Conf.Bool("http.tls") {
-		ua := r.Header.Get("User-Agent")
 		sess.Put("safe_login", true)
-		sess.Put("safe_client", fmt.Sprintf("%x", sha3.Sum256([]byte(ip+"|"+ua))))
+		sess.Put("safe_client", fmt.Sprintf("%x", sha3.Sum256([]byte(ip))))
 	}

 	sess.Put("user_id", user.ID)
--- a/web/src/api/panel/user/index.ts
+++ b/web/src/api/panel/user/index.ts
@@ -4,10 +4,11 @@ export default {
  // 公钥
  key: () => http.Get('/user/key'),
  // 登录
-  login: (username: string, password: string) =>
+  login: (username: string, password: string, safe_login: boolean) =>
    http.Post('/user/login', {
      username,
-      password
+      password,
+      safe_login
    }),
  // 登出
  logout: () => http.Post('/user/logout'),
--- a/web/src/views/login/IndexView.vue
+++ b/web/src/views/login/IndexView.vue
@@ -36,7 +36,7 @@ const loging = ref<boolean>(false)
 const isRemember = useStorage('isRemember', false)

 async function handleLogin() {
-  const { username, password } = loginInfo.value
+  const { username, password, safe_login } = loginInfo.value
  if (!username || !password) {
    window.$message.warning('请输入用户名和密码')
    return
@@ -47,7 +47,11 @@ async function handleLogin() {
  }
  try {
    user
-      .login(rsaEncrypt(username, String(unref(key))), rsaEncrypt(password, String(unref(key))))
+      .login(
+        rsaEncrypt(username, String(unref(key))),
+        rsaEncrypt(password, String(unref(key))),
+        safe_login
+      )
      .then(async () => {
        loging.value = true
        window.$notification?.success({ title: '登录成功！', duration: 2500 })