mirror of
https://github.com/certd/certd.git
synced 2026-04-23 19:57:27 +08:00
chore: 2FA
This commit is contained in:
xiaojunnuo
@@ -23,13 +23,16 @@ export class LoginController extends BaseController {
|
||||
user: any
|
||||
) {
|
||||
const token = await this.loginService.loginByPassword(user);
|
||||
this.ctx.cookies.set('token', token.token, {
|
||||
maxAge: 1000 * token.expire,
|
||||
});
|
||||
|
||||
this.writeTokenCookie(token);
|
||||
return this.ok(token);
|
||||
}
|
||||
|
||||
private writeTokenCookie(token: { expire: any; token: any }) {
|
||||
this.ctx.cookies.set("token", token.token, {
|
||||
maxAge: 1000 * token.expire
|
||||
});
|
||||
}
|
||||
|
||||
@Post('/loginBySms', { summary: Constants.per.guest })
|
||||
public async loginBySms(
|
||||
@Body(ALL)
|
||||
@@ -48,10 +51,23 @@ export class LoginController extends BaseController {
|
||||
randomStr: body.randomStr,
|
||||
});
|
||||
|
||||
this.ctx.cookies.set('token', token.token, {
|
||||
maxAge: 1000 * token.expire,
|
||||
this.writeTokenCookie(token);
|
||||
|
||||
return this.ok(token);
|
||||
}
|
||||
|
||||
@Post('/loginByTwoFactor', { summary: Constants.per.guest })
|
||||
public async loginByTwoFactor(
|
||||
@Body(ALL)
|
||||
body: any
|
||||
) {
|
||||
|
||||
const token = await this.loginService.loginByTwoFactor({
|
||||
loginCode: body.loginCode,
|
||||
verifyCode: body.verifyCode,
|
||||
});
|
||||
|
||||
this.writeTokenCookie(token);
|
||||
return this.ok(token);
|
||||
}
|
||||
|
||||
|
||||
@@ -58,4 +58,11 @@ export class UserTwoFactorSettingController extends BaseController {
|
||||
return this.ok();
|
||||
}
|
||||
|
||||
@Post("/authenticator/off", { summary: Constants.per.authOnly })
|
||||
async authenticatorOff() {
|
||||
const userId = this.getUserId();
|
||||
await this.twoFactorService.offAuthenticator(userId);
|
||||
return this.ok();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@@ -1,14 +1,16 @@
|
||||
import {Config, Inject, Provide, Scope, ScopeEnum} from '@midwayjs/core';
|
||||
import {UserService} from '../../sys/authority/service/user-service.js';
|
||||
import jwt from 'jsonwebtoken';
|
||||
import {CommonException} from '@certd/lib-server';
|
||||
import { AuthException, CommonException, Need2FAException } from "@certd/lib-server";
|
||||
import {RoleService} from '../../sys/authority/service/role-service.js';
|
||||
import {UserEntity} from '../../sys/authority/entity/user.js';
|
||||
import {SysSettingsService} from '@certd/lib-server';
|
||||
import {SysPrivateSettings} from '@certd/lib-server';
|
||||
import {cache} from '@certd/basic';
|
||||
import {cache, utils} from '@certd/basic';
|
||||
import {LoginErrorException} from '@certd/lib-server/dist/basic/exception/login-error-exception.js';
|
||||
import {CodeService} from '../../basic/service/code-service.js';
|
||||
import { TwoFactorService } from "../../mine/service/two-factor-service.js";
|
||||
import { UserSettingsService } from '../../mine/service/user-settings-service.js';
|
||||
|
||||
/**
|
||||
* 系统用户
|
||||
@@ -28,6 +30,10 @@ export class LoginService {
|
||||
|
||||
@Inject()
|
||||
sysSettingsService: SysSettingsService;
|
||||
@Inject()
|
||||
userSettingsService: UserSettingsService;
|
||||
@Inject()
|
||||
twoFactorService: TwoFactorService;
|
||||
|
||||
checkIsBlocked(username: string) {
|
||||
const blockDurationKey = `login_block_duration:${username}`;
|
||||
@@ -138,21 +144,50 @@ export class LoginService {
|
||||
return this.onLoginSuccess(info);
|
||||
}
|
||||
|
||||
private async onLoginSuccess(info: UserEntity) {
|
||||
async checkTwoFactorEnabled(userId:number) {
|
||||
//检查是否开启多重认证
|
||||
|
||||
const twoFactorSetting = await this.twoFactorService.getSetting(userId)
|
||||
|
||||
const authenticatorSetting = twoFactorSetting.authenticator
|
||||
if (authenticatorSetting.enabled){
|
||||
//要检查
|
||||
const randomKey = utils.id.simpleNanoId(12)
|
||||
cache.set(`login_2fa_code:${randomKey}`, userId, {
|
||||
ttl: 60 * 1000,
|
||||
})
|
||||
throw new Need2FAException('已开启多重认证,请在60秒内输入验证码')
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
async loginByTwoFactor(req: { loginCode: string; verifyCode: string }){
|
||||
const userId = cache.get(`login_2fa_code:${req.loginCode}`)
|
||||
if (!userId){
|
||||
throw new AuthException('登录状态已失效,请重新登录')
|
||||
}
|
||||
await this.twoFactorService.verifyAuthenticatorCode(userId, req.verifyCode)
|
||||
|
||||
return this.generateToken(await this.userService.findOne(userId))
|
||||
}
|
||||
|
||||
private async onLoginSuccess(info: UserEntity) {
|
||||
if (info.status === 0) {
|
||||
throw new CommonException('用户已被禁用');
|
||||
}
|
||||
const roleIds = await this.roleService.getRoleIdsByUserId(info.id);
|
||||
return this.generateToken(info, roleIds);
|
||||
await this.checkTwoFactorEnabled(info.id)
|
||||
return this.generateToken(info);
|
||||
}
|
||||
|
||||
|
||||
|
||||
/**
|
||||
* 生成token
|
||||
* @param user 用户对象
|
||||
* @param roleIds
|
||||
*/
|
||||
async generateToken(user: UserEntity, roleIds: number[]) {
|
||||
async generateToken(user: UserEntity) {
|
||||
const roleIds = await this.roleService.getRoleIdsByUserId(user.id);
|
||||
const tokenInfo = {
|
||||
username: user.username,
|
||||
id: user.id,
|
||||
|
||||
@@ -14,7 +14,6 @@ export class UserTwoFactorSetting extends BaseSettings {
|
||||
authenticator: TwoFactorAuthenticator = {
|
||||
enabled:false,
|
||||
verified:false,
|
||||
type: "totp"
|
||||
};
|
||||
|
||||
}
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
import { Inject, Provide, Scope, ScopeEnum } from "@midwayjs/core";
|
||||
import { UserSettingsService } from "./user-settings-service.js";
|
||||
import { UserTwoFactorSetting } from "./models.js";
|
||||
import { utils } from "@certd/basic";
|
||||
import { UserService } from "../../sys/authority/service/user-service.js";
|
||||
|
||||
/**
|
||||
@@ -17,17 +16,19 @@ export class TwoFactorService {
|
||||
|
||||
|
||||
async getAuthenticatorQrCode(userId: any) {
|
||||
const setting = await this.userSettingsService.getSetting<UserTwoFactorSetting>(userId, UserTwoFactorSetting);
|
||||
const setting = await this.getSetting(userId)
|
||||
|
||||
const authenticator = setting.authenticator;
|
||||
if (!authenticator.secret) {
|
||||
authenticator.secret = utils.id.simpleNanoId(16);
|
||||
const authenticatorSetting = setting.authenticator;
|
||||
if (!authenticatorSetting.secret) {
|
||||
const { authenticator } = await import("otplib");
|
||||
|
||||
authenticatorSetting.secret = authenticator.generateSecret()
|
||||
await this.userSettingsService.saveSetting(userId, setting);
|
||||
}
|
||||
|
||||
const user = await this.userService.info(userId);
|
||||
const username = user.username;
|
||||
const secret = authenticator.secret;
|
||||
const secret = authenticatorSetting.secret;
|
||||
const qrcodeContent = `otpauth://totp/Certd:${username}?secret=${secret}&issuer=Certd`;
|
||||
|
||||
//生成qrcode base64
|
||||
@@ -39,13 +40,13 @@ export class TwoFactorService {
|
||||
async saveAuthenticator(req: { userId: any; verifyCode: any }) {
|
||||
const userId = req.userId;
|
||||
const { authenticator } = await import("otplib");
|
||||
const tfSetting = await this.userSettingsService.getSetting<UserTwoFactorSetting>(userId, UserTwoFactorSetting);
|
||||
const setting = await this.getSetting(userId)
|
||||
|
||||
const setting = tfSetting.authenticator;
|
||||
if (!setting.secret) {
|
||||
const authenticatorSetting = setting.authenticator;
|
||||
if (!authenticatorSetting.secret) {
|
||||
throw new Error("secret is required");
|
||||
}
|
||||
const secret = setting.secret;
|
||||
const secret = authenticatorSetting.secret;
|
||||
const token = req.verifyCode;
|
||||
|
||||
const isValid = authenticator.verify({ token, secret });
|
||||
@@ -54,9 +55,38 @@ export class TwoFactorService {
|
||||
}
|
||||
|
||||
//校验成功,保存开启状态
|
||||
setting.enabled = true;
|
||||
setting.verified = true;
|
||||
authenticatorSetting.enabled = true;
|
||||
authenticatorSetting.verified = true;
|
||||
|
||||
await this.userSettingsService.saveSetting(userId, setting);
|
||||
}
|
||||
|
||||
async offAuthenticator(userId:number) {
|
||||
if (!userId) {
|
||||
throw new Error("userId is required");
|
||||
}
|
||||
|
||||
const setting = await this.getSetting(userId)
|
||||
setting.authenticator.enabled = false;
|
||||
setting.authenticator.verified = false;
|
||||
setting.authenticator.secret = '';
|
||||
await this.userSettingsService.saveSetting(userId, setting);
|
||||
}
|
||||
|
||||
async getSetting(userId:number) {
|
||||
return await this.userSettingsService.getSetting<UserTwoFactorSetting>(userId, UserTwoFactorSetting);
|
||||
|
||||
}
|
||||
|
||||
async verifyAuthenticatorCode(userId: any, verifyCode: string) {
|
||||
const { authenticator } = await import("otplib");
|
||||
const setting = await this.getSetting(userId)
|
||||
if (!setting.authenticator.enabled) {
|
||||
throw new Error("authenticator 未开启");
|
||||
}
|
||||
if (!authenticator.verify({ token: verifyCode, secret: setting.authenticator.secret })) {
|
||||
throw new Error("验证码错误");
|
||||
}
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -95,6 +95,9 @@ export class UserSettingsService extends BaseService<UserSettingsEntity> {
|
||||
|
||||
const type: any = bean.constructor;
|
||||
const key = type.__key__;
|
||||
if(!key){
|
||||
throw new Error(`${type.name} must have __key__`);
|
||||
}
|
||||
const entity = await this.getByKey(key,userId);
|
||||
const newEntity = new UserSettingsEntity();
|
||||
if (entity) {
|
||||
@@ -104,8 +107,8 @@ export class UserSettingsService extends BaseService<UserSettingsEntity> {
|
||||
newEntity.title = type.__title__;
|
||||
newEntity.userId = userId;
|
||||
}
|
||||
entity.setting = JSON.stringify(bean);
|
||||
await this.repository.save(entity);
|
||||
newEntity.setting = JSON.stringify(bean);
|
||||
await this.repository.save(newEntity);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user