|
|
|
|
package middleware
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"github.com/cloudreve/Cloudreve/v3/pkg/cache"
|
|
|
|
|
"github.com/cloudreve/Cloudreve/v3/pkg/sessionstore"
|
|
|
|
|
"net/http"
|
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
|
|
"github.com/cloudreve/Cloudreve/v3/pkg/conf"
|
|
|
|
|
"github.com/cloudreve/Cloudreve/v3/pkg/serializer"
|
|
|
|
|
"github.com/cloudreve/Cloudreve/v3/pkg/util"
|
|
|
|
|
"github.com/gin-contrib/sessions"
|
|
|
|
|
"github.com/gin-gonic/gin"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Store session存储
|
|
|
|
|
var Store sessions.Store
|
|
|
|
|
|
|
|
|
|
// Session 初始化session
|
|
|
|
|
func Session(secret string) gin.HandlerFunc {
|
|
|
|
|
// Redis设置不为空,且非测试模式时使用Redis
|
|
|
|
|
Store = sessionstore.NewStore(cache.Store, []byte(secret))
|
|
|
|
|
|
|
|
|
|
sameSiteMode := http.SameSiteDefaultMode
|
|
|
|
|
switch strings.ToLower(conf.CORSConfig.SameSite) {
|
|
|
|
|
case "default":
|
|
|
|
|
sameSiteMode = http.SameSiteDefaultMode
|
|
|
|
|
case "none":
|
|
|
|
|
sameSiteMode = http.SameSiteNoneMode
|
|
|
|
|
case "strict":
|
|
|
|
|
sameSiteMode = http.SameSiteStrictMode
|
|
|
|
|
case "lax":
|
|
|
|
|
sameSiteMode = http.SameSiteLaxMode
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Also set Secure: true if using SSL, you should though
|
|
|
|
|
Store.Options(sessions.Options{
|
|
|
|
|
HttpOnly: true,
|
|
|
|
|
MaxAge: 60 * 86400,
|
|
|
|
|
Path: "/",
|
|
|
|
|
SameSite: sameSiteMode,
|
|
|
|
|
Secure: conf.CORSConfig.Secure,
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
return sessions.Sessions("cloudreve-session", Store)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// CSRFInit 初始化CSRF标记
|
|
|
|
|
func CSRFInit() gin.HandlerFunc {
|
|
|
|
|
return func(c *gin.Context) {
|
|
|
|
|
util.SetSession(c, map[string]interface{}{"CSRF": true})
|
|
|
|
|
c.Next()
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// CSRFCheck 检查CSRF标记
|
|
|
|
|
func CSRFCheck() gin.HandlerFunc {
|
|
|
|
|
return func(c *gin.Context) {
|
|
|
|
|
if check, ok := util.GetSession(c, "CSRF").(bool); ok && check {
|
|
|
|
|
c.Next()
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.JSON(200, serializer.Err(serializer.CodeNoPermissionErr, "Invalid origin", nil))
|
|
|
|
|
c.Abort()
|
|
|
|
|
}
|
|
|
|
|
}
|