new-api

Paused

new-api / controller /secure_verification.go

liuzhao521

Deploy New API v0.9.25+ (commit b47cf4ef) to HuggingFace Spaces

4674012 3 months ago

7.57 kB

	package controller

	import (
	"fmt"
	"net/http"
	"time"

	"github.com/QuantumNous/new-api/common"
	"github.com/QuantumNous/new-api/model"
	passkeysvc "github.com/QuantumNous/new-api/service/passkey"
	"github.com/QuantumNous/new-api/setting/system_setting"

	"github.com/gin-contrib/sessions"
	"github.com/gin-gonic/gin"
	)

	const (
	// SecureVerificationSessionKey 安全验证的 session key
	SecureVerificationSessionKey = "secure_verified_at"
	// SecureVerificationTimeout 验证有效期（秒）
	SecureVerificationTimeout = 300 // 5分钟
	)

	type UniversalVerifyRequest struct {
	Method string `json:"method"` // "2fa" 或 "passkey"
	Code string `json:"code,omitempty"`
	}

	type VerificationStatusResponse struct {
	Verified bool `json:"verified"`
	ExpiresAt int64 `json:"expires_at,omitempty"`
	}

	// UniversalVerify 通用验证接口
	// 支持 2FA 和 Passkey 验证，验证成功后在 session 中记录时间戳
	func UniversalVerify(c *gin.Context) {
	userId := c.GetInt("id")
	if userId == 0 {
	c.JSON(http.StatusUnauthorized, gin.H{
	"success": false,
	"message": "未登录",
	})
	return
	}

	var req UniversalVerifyRequest
	if err := c.ShouldBindJSON(&req); err != nil {
	common.ApiError(c, fmt.Errorf("参数错误: %v", err))
	return
	}

	// 获取用户信息
	user := &model.User{Id: userId}
	if err := user.FillUserById(); err != nil {
	common.ApiError(c, fmt.Errorf("获取用户信息失败: %v", err))
	return
	}

	if user.Status != common.UserStatusEnabled {
	common.ApiError(c, fmt.Errorf("该用户已被禁用"))
	return
	}

	// 检查用户的验证方式
	twoFA, _ := model.GetTwoFAByUserId(userId)
	has2FA := twoFA != nil && twoFA.IsEnabled

	passkey, passkeyErr := model.GetPasskeyByUserID(userId)
	hasPasskey := passkeyErr == nil && passkey != nil

	if !has2FA && !hasPasskey {
	common.ApiError(c, fmt.Errorf("用户未启用2FA或Passkey"))
	return
	}

	// 根据验证方式进行验证
	var verified bool
	var verifyMethod string

	switch req.Method {
	case "2fa":
	if !has2FA {
	common.ApiError(c, fmt.Errorf("用户未启用2FA"))
	return
	}
	if req.Code == "" {
	common.ApiError(c, fmt.Errorf("验证码不能为空"))
	return
	}
	verified = validateTwoFactorAuth(twoFA, req.Code)
	verifyMethod = "2FA"

	case "passkey":
	if !hasPasskey {
	common.ApiError(c, fmt.Errorf("用户未启用Passkey"))
	return
	}
	// Passkey 验证需要先调用 PasskeyVerifyBegin 和 PasskeyVerifyFinish
	// 这里只是验证 Passkey 验证流程是否已经完成
	// 实际上，前端应该先调用这两个接口，然后再调用本接口
	verified = true // Passkey 验证逻辑已在 PasskeyVerifyFinish 中完成
	verifyMethod = "Passkey"

	default:
	common.ApiError(c, fmt.Errorf("不支持的验证方式: %s", req.Method))
	return
	}

	if !verified {
	common.ApiError(c, fmt.Errorf("验证失败，请检查验证码"))
	return
	}

	// 验证成功，在 session 中记录时间戳
	session := sessions.Default(c)
	now := time.Now().Unix()
	session.Set(SecureVerificationSessionKey, now)
	if err := session.Save(); err != nil {
	common.ApiError(c, fmt.Errorf("保存验证状态失败: %v", err))
	return
	}

	// 记录日志
	model.RecordLog(userId, model.LogTypeSystem, fmt.Sprintf("通用安全验证成功 (验证方式: %s)", verifyMethod))

	c.JSON(http.StatusOK, gin.H{
	"success": true,
	"message": "验证成功",
	"data": gin.H{
	"verified": true,
	"expires_at": now + SecureVerificationTimeout,
	},
	})
	}

	// GetVerificationStatus 获取验证状态
	func GetVerificationStatus(c *gin.Context) {
	userId := c.GetInt("id")
	if userId == 0 {
	c.JSON(http.StatusUnauthorized, gin.H{
	"success": false,
	"message": "未登录",
	})
	return
	}

	session := sessions.Default(c)
	verifiedAtRaw := session.Get(SecureVerificationSessionKey)

	if verifiedAtRaw == nil {
	c.JSON(http.StatusOK, gin.H{
	"success": true,
	"message": "",
	"data": VerificationStatusResponse{
	Verified: false,
	},
	})
	return
	}

	verifiedAt, ok := verifiedAtRaw.(int64)
	if !ok {
	c.JSON(http.StatusOK, gin.H{
	"success": true,
	"message": "",
	"data": VerificationStatusResponse{
	Verified: false,
	},
	})
	return
	}

	elapsed := time.Now().Unix() - verifiedAt
	if elapsed >= SecureVerificationTimeout {
	// 验证已过期
	session.Delete(SecureVerificationSessionKey)
	_ = session.Save()
	c.JSON(http.StatusOK, gin.H{
	"success": true,
	"message": "",
	"data": VerificationStatusResponse{
	Verified: false,
	},
	})
	return
	}

	c.JSON(http.StatusOK, gin.H{
	"success": true,
	"message": "",
	"data": VerificationStatusResponse{
	Verified: true,
	ExpiresAt: verifiedAt + SecureVerificationTimeout,
	},
	})
	}

	// CheckSecureVerification 检查是否已通过安全验证
	// 返回 true 表示验证有效，false 表示需要重新验证
	func CheckSecureVerification(c *gin.Context) bool {
	session := sessions.Default(c)
	verifiedAtRaw := session.Get(SecureVerificationSessionKey)

	if verifiedAtRaw == nil {
	return false
	}

	verifiedAt, ok := verifiedAtRaw.(int64)
	if !ok {
	return false
	}

	elapsed := time.Now().Unix() - verifiedAt
	if elapsed >= SecureVerificationTimeout {
	// 验证已过期，清除 session
	session.Delete(SecureVerificationSessionKey)
	_ = session.Save()
	return false
	}

	return true
	}

	// PasskeyVerifyAndSetSession Passkey 验证完成后设置 session
	// 这是一个辅助函数，供 PasskeyVerifyFinish 调用
	func PasskeyVerifyAndSetSession(c *gin.Context) {
	session := sessions.Default(c)
	now := time.Now().Unix()
	session.Set(SecureVerificationSessionKey, now)
	_ = session.Save()
	}

	// PasskeyVerifyForSecure 用于安全验证的 Passkey 验证流程
	// 整合了 begin 和 finish 流程
	func PasskeyVerifyForSecure(c *gin.Context) {
	if !system_setting.GetPasskeySettings().Enabled {
	c.JSON(http.StatusOK, gin.H{
	"success": false,
	"message": "管理员未启用 Passkey 登录",
	})
	return
	}

	userId := c.GetInt("id")
	if userId == 0 {
	c.JSON(http.StatusUnauthorized, gin.H{
	"success": false,
	"message": "未登录",
	})
	return
	}

	user := &model.User{Id: userId}
	if err := user.FillUserById(); err != nil {
	common.ApiError(c, fmt.Errorf("获取用户信息失败: %v", err))
	return
	}

	if user.Status != common.UserStatusEnabled {
	common.ApiError(c, fmt.Errorf("该用户已被禁用"))
	return
	}

	credential, err := model.GetPasskeyByUserID(userId)
	if err != nil {
	c.JSON(http.StatusOK, gin.H{
	"success": false,
	"message": "该用户尚未绑定 Passkey",
	})
	return
	}

	wa, err := passkeysvc.BuildWebAuthn(c.Request)
	if err != nil {
	common.ApiError(c, err)
	return
	}

	waUser := passkeysvc.NewWebAuthnUser(user, credential)
	sessionData, err := passkeysvc.PopSessionData(c, passkeysvc.VerifySessionKey)
	if err != nil {
	common.ApiError(c, err)
	return
	}

	_, err = wa.FinishLogin(waUser, *sessionData, c.Request)
	if err != nil {
	common.ApiError(c, err)
	return
	}

	// 更新凭证的最后使用时间
	now := time.Now()
	credential.LastUsedAt = &now
	if err := model.UpsertPasskeyCredential(credential); err != nil {
	common.ApiError(c, err)
	return
	}

	// 验证成功，设置 session
	PasskeyVerifyAndSetSession(c)

	// 记录日志
	model.RecordLog(userId, model.LogTypeSystem, "Passkey 安全验证成功")

	c.JSON(http.StatusOK, gin.H{
	"success": true,
	"message": "Passkey 验证成功",
	"data": gin.H{
	"verified": true,
	"expires_at": time.Now().Unix() + SecureVerificationTimeout,
	},
	})
	}