失败次数大于系统规定阈值,开启验证码校验

4 years ago · e98b06e7fe
parent 2c774e628a
commit e98b06e7fe
5 changed files with 167 additions and 75 deletions
--- a/opsli-base-support/opsli-core/src/main/java/org/opsli/core/conf/ShiroConfig.java
+++ b/opsli-base-support/opsli-core/src/main/java/org/opsli/core/conf/ShiroConfig.java
@ -70,6 +70,7 @@ public class ShiroConfig {
        filterMap.put("/druid/**", "anon");
        filterMap.put("/app/**", "anon");
        filterMap.put("/sys/login", "anon");
        filterMap.put("/sys/slipCount", "anon");
        filterMap.put("/swagger/**", "anon");
        filterMap.put("/v2/api-docs", "anon");
        filterMap.put("/doc.html", "anon");
--- a/opsli-base-support/opsli-core/src/main/java/org/opsli/core/msg/TokenMsg.java
+++ b/opsli-base-support/opsli-core/src/main/java/org/opsli/core/msg/TokenMsg.java
@ -43,6 +43,7 @@ public enum TokenMsg implements BaseMsg {
    EXCEPTION_LOGOUT_SUCCESS(12104,"登出成功！"),
    EXCEPTION_LOGIN_ACCOUNT_LOCK(12104,"账号已锁定，请{}后，再次尝试"),
    EXCEPTION_LOGIN_TENANT_NOT_USABLE(12105,"租户未启用，请联系管理员"),
    EXCEPTION_LOGIN_NULL(12106,"请输入账号密码"),
    /**
     * 其他
--- a/opsli-base-support/opsli-core/src/main/java/org/opsli/core/utils/UserTokenUtil.java
+++ b/opsli-base-support/opsli-core/src/main/java/org/opsli/core/utils/UserTokenUtil.java
@ -15,8 +15,11 @@
 */
 package org.opsli.core.utils;
 import cn.hutool.core.convert.Convert;
 import cn.hutool.core.date.DateTime;
 import cn.hutool.core.date.DateUnit;
 import cn.hutool.core.date.DateUtil;
 import cn.hutool.core.util.StrUtil;
 import com.google.common.collect.Maps;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
@ -25,15 +28,20 @@ import org.opsli.api.base.result.ResultVo;
 import org.opsli.api.wrapper.system.user.UserModel;
 import org.opsli.common.constants.SignConstants;
 import org.opsli.common.constants.TokenConstants;
 import org.opsli.common.exception.ServiceException;
 import org.opsli.common.exception.TokenException;
 import org.opsli.common.utils.Props;
 import org.opsli.core.msg.TokenMsg;
 import org.opsli.plugins.redis.RedisPlugin;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.AutoConfigureAfter;
 import org.springframework.context.annotation.Lazy;
 import org.springframework.core.annotation.Order;
 import org.springframework.stereotype.Component;
 import javax.servlet.http.HttpServletRequest;
 import java.util.Date;
 import java.util.Map;
 import static org.opsli.common.constants.OrderConstants.UTIL_ORDER;
@ -53,13 +61,31 @@ public class UserTokenUtil {
    /** token 缓存名 */
    public static final String TOKEN_NAME = TokenConstants.ACCESS_TOKEN;
    /** 缓存前缀 */
    private static final String PREFIX = "opsli:ticket:";
    /** 账号失败次数 */
    public static final String ACCOUNT_SLIP_COUNT_PREFIX = "opsli:account:slip:count:";
    /** 账号失败锁定KEY */
    public static final String ACCOUNT_SLIP_LOCK_PREFIX = "opsli:account:slip:lock:";
    /** 账号失败阈值 */
    public static final int ACCOUNT_SLIP_COUNT;
    /** 账号失败N次后弹出验证码 */
    public static final int ACCOUNT_SLIP_VERIFY_COUNT;
    /** 账号锁定时间 */
    public static final int ACCOUNT_SLIP_LOCK_SPEED;
    /** Redis插件 */
    private static RedisPlugin redisPlugin;
    static {
        Props props = new Props("application.yaml");
        ACCOUNT_SLIP_COUNT = props.getInt("opsli.login.slip-count", 5);
        ACCOUNT_SLIP_VERIFY_COUNT = props.getInt("opsli.login.slip-verify-count", 3);
        ACCOUNT_SLIP_LOCK_SPEED = props.getInt("opsli.login.slip-lock-speed", 300);
    }
    /**
     * 根据 user 创建Token
     * @param user
@ -196,6 +222,95 @@ public class UserTokenUtil {
        return true;
    }
    // ============================ 锁账号 操作
    /**
     * 验证锁定账号
     * @param username
     */
    public static void verifyLockAccount(String username){
        // 判断账号是否临时锁定
        Long loseTimeMillis = (Long) redisPlugin.get(ACCOUNT_SLIP_LOCK_PREFIX + username);
        if(loseTimeMillis != null){
            Date currDate = new Date();
            DateTime loseDate = DateUtil.date(loseTimeMillis);
            // 偏移5分钟
            DateTime currLoseDate = DateUtil.offsetSecond(loseDate, ACCOUNT_SLIP_LOCK_SPEED);
            // 计算失效剩余时间( 分 )
            long betweenM = DateUtil.between(currLoseDate, currDate, DateUnit.MINUTE);
            if(betweenM > 0){
                String msg = StrUtil.format(TokenMsg.EXCEPTION_LOGIN_ACCOUNT_LOCK.getMessage()
                        ,betweenM + "分钟");
                throw new TokenException(TokenMsg.EXCEPTION_LOGIN_ACCOUNT_LOCK.getCode(), msg);
            }else{
                // 计算失效剩余时间( 秒 )
                long betweenS = DateUtil.between(currLoseDate, currDate, DateUnit.SECOND);
                String msg = StrUtil.format(TokenMsg.EXCEPTION_LOGIN_ACCOUNT_LOCK.getMessage()
                        ,betweenS + "秒");
                throw new TokenException(TokenMsg.EXCEPTION_LOGIN_ACCOUNT_LOCK.getCode(), msg);
            }
        }
    }
    /**
     * 锁定账号
     * @param username
     */
    public static ResultVo<?> lockAccount(String username){
        // 如果失败次数 超过阈值 则锁定账号
        Long slipNum = redisPlugin.increment(ACCOUNT_SLIP_COUNT_PREFIX + username);
        if (slipNum != null){
            // 设置失效时间为 5分钟
            redisPlugin.expire(ACCOUNT_SLIP_COUNT_PREFIX + username, ACCOUNT_SLIP_LOCK_SPEED);
            // 如果确认 都失败 则存入临时缓存
            if(slipNum >= ACCOUNT_SLIP_COUNT){
                long currentTimeMillis = System.currentTimeMillis();
                // 存入Redis
                redisPlugin.put(ACCOUNT_SLIP_LOCK_PREFIX + username,
                        currentTimeMillis, ACCOUNT_SLIP_LOCK_SPEED);
            }
        }
        Map<String,Boolean> flagMap = Maps.newHashMap();
        flagMap.put("izVerify", false);
        if(slipNum != null && slipNum >= ACCOUNT_SLIP_VERIFY_COUNT){
            flagMap.put("izVerify", true);
        }
        return ResultVo.error(TokenMsg.EXCEPTION_LOGIN_ACCOUNT_NO.getCode(),
                TokenMsg.EXCEPTION_LOGIN_ACCOUNT_NO.getMessage(),
                flagMap
                );
    }
    /**
     * 获得当前失败次数
     * @param username
     */
    public static long getSlipCount(String username){
        long count = 0L;
        Object obj = redisPlugin.get(ACCOUNT_SLIP_COUNT_PREFIX + username);
        if(obj != null){
            try {
                count = Convert.convert(Long.class, obj);
            }catch (Exception ignored){}
        }
        return count;
    }
    /**
     * 清除锁定账号
     * @param username
     */
    public static void clearLockAccount(String username){
        // 删除失败次数记录
        redisPlugin.del(ACCOUNT_SLIP_COUNT_PREFIX + username);
        // 删除失败次数记录
        redisPlugin.del(ACCOUNT_SLIP_LOCK_PREFIX + username);
    }
    // ==========================
--- a/opsli-modulars/opsli-modulars-system/src/main/java/org/opsli/modulars/system/login/web/LoginRestController.java
+++ b/opsli-modulars/opsli-modulars-system/src/main/java/org/opsli/modulars/system/login/web/LoginRestController.java
@ -15,11 +15,9 @@
 */
 package org.opsli.modulars.system.login.web;
-import cn.hutool.core.date.DateTime;
+import cn.hutool.core.convert.Convert;
 import cn.hutool.core.date.DateUnit;
 import cn.hutool.core.date.DateUtil;
 import cn.hutool.core.util.StrUtil;
 import com.baomidou.mybatisplus.core.conditions.query.QueryWrapper;
 import com.google.common.collect.Maps;
 import io.swagger.annotations.ApiOperation;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.commons.lang3.StringUtils;
@ -27,6 +25,7 @@ import org.apache.tomcat.util.http.fileupload.IOUtils;
 import org.opsli.api.base.result.ResultVo;
 import org.opsli.api.wrapper.system.user.UserModel;
 import org.opsli.common.api.TokenThreadLocal;
 import org.opsli.common.exception.TokenException;
 import org.opsli.common.utils.IPUtil;
 import org.opsli.core.msg.TokenMsg;
 import org.opsli.core.persistence.querybuilder.GenQueryBuilder;
@ -38,9 +37,7 @@ import org.opsli.modulars.system.login.entity.LoginForm;
 import org.opsli.modulars.system.tenant.entity.SysTenant;
 import org.opsli.modulars.system.tenant.service.ITenantService;
 import org.opsli.modulars.system.user.service.IUserService;
 import org.opsli.plugins.redis.RedisPlugin;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@ -52,7 +49,6 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import java.awt.image.BufferedImage;
 import java.io.IOException;
 import java.util.Date;
 import java.util.List;
 import java.util.Map;
@ -69,93 +65,52 @@ import java.util.Map;
@RestController
 public class LoginRestController {
    /** 账号失败次数 */
    private static final String ACCOUNT_SLIP_COUNT_PREFIX = "opsli:account:slip:count:";
    /** 账号失败锁定KEY */
    private static final String ACCOUNT_SLIP_LOCK_PREFIX = "opsli:account:slip:lock:";
    /** 失败阈值 */
    @Value("${opsli.login.slip-count}")
    private int slipCount;
    /** 锁定时间 */
    @Value("${opsli.login.slip-lock-speed}")
    private int slipLockSpeed;
    @Autowired
    private RedisPlugin redisPlugin;
    @Autowired
    private ITenantService iTenantService;
    @Autowired
    private IUserService iUserService;
    /**
     * 登录
     */
    @ApiOperation(value = "登录", notes = "登录")
    @PostMapping("/sys/login")
    public ResultVo<?> login(@RequestBody LoginForm form, HttpServletRequest request){
-        boolean captcha = CaptchaUtil.validate(form.getUuid(), form.getCaptcha());
+        if(form == null){
-        // 验证码不正确
+            throw new TokenException(TokenMsg.EXCEPTION_LOGIN_NULL);
        if(!captcha){
            return ResultVo.error(TokenMsg.EXCEPTION_LOGIN_CAPTCHA.getCode(),
                    TokenMsg.EXCEPTION_LOGIN_CAPTCHA.getMessage());
        }
        // 判断账号是否临时锁定
-        Long loseTimeMillis = (Long) redisPlugin.get(ACCOUNT_SLIP_LOCK_PREFIX + form.getUsername());
+        UserTokenUtil.verifyLockAccount(form.getUsername());
-        if(loseTimeMillis != null){
+
-            Date currDate = new Date();
+        // 获得当前失败次数
-            DateTime loseDate = DateUtil.date(loseTimeMillis);
+        long slipCount = UserTokenUtil.getSlipCount(form.getUsername());
-            // 偏移5分钟
+
-            DateTime currLoseDate = DateUtil.offsetSecond(loseDate, slipLockSpeed);
+        // 失败次数超过 验证次数阈值 开启验证码验证
-
+        if(slipCount >= UserTokenUtil.ACCOUNT_SLIP_VERIFY_COUNT){
-            // 计算失效剩余时间( 分 )
+            boolean captcha = CaptchaUtil.validate(form.getUuid(), form.getCaptcha());
-            long betweenM = DateUtil.between(currLoseDate, currDate, DateUnit.MINUTE);
+            // 验证码不正确
-            if(betweenM > 0){
+            if(!captcha){
-                String msg = StrUtil.format(TokenMsg.EXCEPTION_LOGIN_ACCOUNT_LOCK.getMessage()
+                throw new TokenException(TokenMsg.EXCEPTION_LOGIN_CAPTCHA);
                        ,betweenM + "分钟");
                return ResultVo.error(TokenMsg.EXCEPTION_LOGIN_ACCOUNT_LOCK.getCode(),
                        msg);
            }else{
                // 计算失效剩余时间( 秒 )
                long betweenS = DateUtil.between(currLoseDate, currDate, DateUnit.SECOND);
                String msg = StrUtil.format(TokenMsg.EXCEPTION_LOGIN_ACCOUNT_LOCK.getMessage()
                        ,betweenS + "秒");
                return ResultVo.error(TokenMsg.EXCEPTION_LOGIN_ACCOUNT_LOCK.getCode(),
                        msg);
            }
        }
-        //用户信息
+        // 用户信息
        UserModel user = UserUtil.getUserByUserName(form.getUsername());
-        //账号不存在、密码错误
+        // 账号不存在、密码错误
        if(user == null ||
                !user.getPassword().equals(UserUtil.handlePassword(form.getPassword(), user.getSecretkey()))) {
-
+            // 判断是否需要锁定账号 这里没有直接抛异常 而是返回错误信息， 其中包含 是否开启验证码状态
-            // 如果失败次数 超过阈值 则锁定账号
+            return UserTokenUtil.lockAccount(form.getUsername());
            Long slipNum = redisPlugin.increment(ACCOUNT_SLIP_COUNT_PREFIX + form.getUsername());
            // 设置失效时间为 5分钟
            redisPlugin.expire(ACCOUNT_SLIP_COUNT_PREFIX + form.getUsername(),slipLockSpeed);
            // 如果确认 都失败 则存入临时缓存
            if(slipNum >= slipCount){
                long currentTimeMillis = System.currentTimeMillis();
                // 存入Redis
                redisPlugin.put(ACCOUNT_SLIP_LOCK_PREFIX + form.getUsername(),
                        currentTimeMillis, slipLockSpeed);
            }
            return ResultVo.error(TokenMsg.EXCEPTION_LOGIN_ACCOUNT_NO.getMessage());
        }
-        // 删除失败次数记录
+        // 如果验证成功， 则清除锁定信息
-        redisPlugin.del(ACCOUNT_SLIP_COUNT_PREFIX + form.getUsername());
+        UserTokenUtil.clearLockAccount(form.getUsername());
-        //账号锁定
+        // 账号锁定
        if(user.getLocked() == 1){
-            return ResultVo.error(TokenMsg.EXCEPTION_LOGIN_ACCOUNT_LOCKED.getMessage());
+            throw new TokenException(TokenMsg.EXCEPTION_LOGIN_ACCOUNT_LOCKED);
        }
        // 如果不是超级管理员 需要验证租户是否生效
@ -166,12 +121,15 @@ public class LoginRestController {
                    .eq("iz_usable", "1");
            List<SysTenant> tenants = iTenantService.findList(queryWrapper);
            if(tenants == null || tenants.isEmpty()){
-                return ResultVo.error(TokenMsg.EXCEPTION_LOGIN_TENANT_NOT_USABLE.getMessage());
+                throw new TokenException(TokenMsg.EXCEPTION_LOGIN_TENANT_NOT_USABLE);
            }
        }
-        // 删除验证过后验证码
+        // 失败次数超过 验证次数阈值 开启验证码验证
-        CaptchaUtil.delCaptcha(form.getUuid());
+        if(slipCount >= UserTokenUtil.ACCOUNT_SLIP_VERIFY_COUNT){
            // 删除验证过后验证码
            CaptchaUtil.delCaptcha(form.getUuid());
        }
        //生成token，并保存到Redis
        ResultVo<Map<String, Object>> resultVo = UserTokenUtil.createToken(user);
@ -183,8 +141,8 @@ public class LoginRestController {
                String clientIpAddress = IPUtil.getClientIpAddress(request);
                user.setLoginIp(clientIpAddress);
                iUserService.updateLoginIp(user);
-            }catch (Exception ignored){}
+            }catch (Exception ignored){
-            finally {
+            }finally {
                // 清空 token缓存
                TokenThreadLocal.remove();
            }
@ -209,6 +167,21 @@ public class LoginRestController {
        return ResultVo.success(TokenMsg.EXCEPTION_LOGOUT_SUCCESS.getMessage());
    }
    /**
     * 获得当前登录失败次数
     */
    @ApiOperation(value = "获得当前登录失败次数", notes = "获得当前登录失败次数")
    @GetMapping("/sys/slipCount")
    public ResultVo<?> slipCount(String username){
        // 获得当前失败次数
        long slipCount = UserTokenUtil.getSlipCount(username);
        Map<String, Object> ret = Maps.newHashMap();
        ret.put("base", UserTokenUtil.ACCOUNT_SLIP_VERIFY_COUNT);
        ret.put("curr", slipCount);
        return ResultVo.success(ret);
    }
    /**
     * 验证码
     */
--- a/opsli-starter/src/main/resources/application.yaml
+++ b/opsli-starter/src/main/resources/application.yaml
@ -180,6 +180,8 @@ opsli:
  login:
    # 失败次数
    slip-count: 5
    # 失败N次后弹出验证码 （超过验证码阈值 弹出验证码）
    slip-verify-count: 3
    # 失败锁定时间(秒)
    slip-lock-speed: 300