|
|
|
|
|
package middleware
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
|
"github.com/HFO4/cloudreve/models"
|
|
|
|
|
|
"github.com/HFO4/cloudreve/pkg/auth"
|
|
|
|
|
|
"github.com/HFO4/cloudreve/pkg/cache"
|
|
|
|
|
|
"github.com/HFO4/cloudreve/pkg/serializer"
|
|
|
|
|
|
"github.com/gin-contrib/sessions"
|
|
|
|
|
|
"github.com/gin-gonic/gin"
|
|
|
|
|
|
"net/http"
|
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
// SignRequired 验证请求签名
|
|
|
|
|
|
func SignRequired() gin.HandlerFunc {
|
|
|
|
|
|
return func(c *gin.Context) {
|
|
|
|
|
|
var err error
|
|
|
|
|
|
switch c.Request.Method {
|
|
|
|
|
|
case "PUT", "POST":
|
|
|
|
|
|
err = auth.CheckRequest(auth.General, c.Request)
|
|
|
|
|
|
// TODO 生产环境去掉下一行
|
|
|
|
|
|
//err = nil
|
|
|
|
|
|
default:
|
|
|
|
|
|
err = auth.CheckURI(auth.General, c.Request.URL)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
c.JSON(200, serializer.Err(serializer.CodeCheckLogin, err.Error(), err))
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
c.Next()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// CurrentUser 获取登录用户
|
|
|
|
|
|
func CurrentUser() gin.HandlerFunc {
|
|
|
|
|
|
return func(c *gin.Context) {
|
|
|
|
|
|
session := sessions.Default(c)
|
|
|
|
|
|
uid := session.Get("user_id")
|
|
|
|
|
|
if uid != nil {
|
|
|
|
|
|
user, err := model.GetUserByID(uid)
|
|
|
|
|
|
if err == nil {
|
|
|
|
|
|
c.Set("user", &user)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
c.Next()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// AuthRequired 需要登录
|
|
|
|
|
|
func AuthRequired() gin.HandlerFunc {
|
|
|
|
|
|
return func(c *gin.Context) {
|
|
|
|
|
|
if user, _ := c.Get("user"); user != nil {
|
|
|
|
|
|
if _, ok := user.(*model.User); ok {
|
|
|
|
|
|
c.Next()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
c.JSON(200, serializer.CheckLogin())
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// WebDAVAuth 验证WebDAV登录及权限
|
|
|
|
|
|
func WebDAVAuth() gin.HandlerFunc {
|
|
|
|
|
|
return func(c *gin.Context) {
|
|
|
|
|
|
// OPTIONS 请求不需要鉴权,否则Windows10下无法保存文档
|
|
|
|
|
|
if c.Request.Method == "OPTIONS" {
|
|
|
|
|
|
c.Next()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
username, password, ok := c.Request.BasicAuth()
|
|
|
|
|
|
if !ok {
|
|
|
|
|
|
c.Writer.Header()["WWW-Authenticate"] = []string{`Basic realm="cloudreve"`}
|
|
|
|
|
|
c.Status(http.StatusUnauthorized)
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
expectedUser, err := model.GetUserByEmail(username)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
c.Status(http.StatusUnauthorized)
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 密码正确?
|
|
|
|
|
|
ok, _ = expectedUser.CheckPassword(password)
|
|
|
|
|
|
if !ok {
|
|
|
|
|
|
c.Status(http.StatusUnauthorized)
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 用户组已启用WebDAV?
|
|
|
|
|
|
if !expectedUser.Group.WebDAVEnabled {
|
|
|
|
|
|
c.Status(http.StatusForbidden)
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
c.Set("user", &expectedUser)
|
|
|
|
|
|
c.Next()
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// RemoteCallbackAuth 远程回调签名验证
|
|
|
|
|
|
// TODO 测试
|
|
|
|
|
|
func RemoteCallbackAuth() gin.HandlerFunc {
|
|
|
|
|
|
return func(c *gin.Context) {
|
|
|
|
|
|
// 验证 Callback Key
|
|
|
|
|
|
callbackKey := c.Param("key")
|
|
|
|
|
|
if callbackKey == "" {
|
|
|
|
|
|
c.JSON(200, serializer.ParamErr("Callback Key 不能为空", nil))
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
callbackSessionRaw, exist := cache.Get("callback_" + callbackKey)
|
|
|
|
|
|
if !exist {
|
|
|
|
|
|
c.JSON(200, serializer.ParamErr("回调会话不存在或已过期", nil))
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
callbackSession := callbackSessionRaw.(serializer.UploadSession)
|
|
|
|
|
|
c.Set("callbackSession", &callbackSession)
|
|
|
|
|
|
|
|
|
|
|
|
// 清理回调会话
|
|
|
|
|
|
_ = cache.Deletes([]string{callbackKey}, "callback_")
|
|
|
|
|
|
|
|
|
|
|
|
// 查找用户
|
|
|
|
|
|
user, err := model.GetUserByID(callbackSession.UID)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
c.JSON(200, serializer.Err(serializer.CodeCheckLogin, "找不到用户", err))
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
c.Set("user", &user)
|
|
|
|
|
|
|
|
|
|
|
|
// 检查存储策略是否一致
|
|
|
|
|
|
if user.GetPolicyID() != callbackSession.PolicyID {
|
|
|
|
|
|
c.JSON(200, serializer.Err(serializer.CodePolicyNotAllowed, "存储策略已变更,请重新上传", nil))
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// 验证签名
|
|
|
|
|
|
authInstance := auth.HMACAuth{SecretKey: []byte(user.Policy.SecretKey)}
|
|
|
|
|
|
if err := auth.CheckRequest(authInstance, c.Request); err != nil {
|
|
|
|
|
|
c.JSON(200, serializer.Err(serializer.CodeCheckLogin, err.Error(), err))
|
|
|
|
|
|
c.Abort()
|
|
|
|
|
|
return
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
c.Next()
|
|
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
