pref: 安全特性支持，站点隐藏功能

2026-04-23 19:57:27 +08:00 · 2025-04-14 17:40:23 +08:00
parent 251b0c58de
commit d76d56fcce
37 changed files with 1028 additions and 349 deletions
@@ -19,6 +19,7 @@ import * as libServer from '@certd/lib-server';
 import * as commercial from '@certd/commercial-core';
 import * as upload from '@midwayjs/upload';
 import { setLogger } from '@certd/acme-client';
+import {HiddenMiddleware} from "./middleware/hidden.js";
 process.on('uncaughtException', error => {
  console.error('未捕获的异常：', error);
  // 在这里可以添加日志记录、发送错误通知等操作
@@ -77,6 +78,8 @@ export class MainConfiguration {
    this.app.useMiddleware([
      //统一异常处理
      GlobalExceptionMiddleware,
+      //站点隐藏
+      HiddenMiddleware,
      //预览模式限制修改id<1000的数据
      PreviewMiddleware,
      //授权处理
@@ -0,0 +1,66 @@
+import {Body, Controller, Get, Inject, Post, Provide} from '@midwayjs/core';
+import {Constants, NotFoundException, ParamException, SysInstallInfo, SysSettingsService} from '@certd/lib-server';
+import {utils} from "@certd/basic";
+import {hiddenStatus, SafeService} from "../../modules/sys/settings/safe-service.js";
+import {IMidwayKoaContext} from "@midwayjs/koa";
+
+const unhiddenHtml = `
+<html lang="en">
+<head>
+<title>certd解除站点隐藏</title>
+</head>
+<body>
+<div style="margin:50px;width:500px">
+<h3>解除站点隐藏</h3>
+<form method="post">
+请输入解除密码： <input type="password" name="password" /> <button type="submit">确定</button>
+</form>
+</div>
+</body>
+</html>
+
+`
+
+@Provide()
+@Controller('/api/unhidden')
+export class HnhiddenController {
+    @Inject()
+    ctx: IMidwayKoaContext;
+    @Inject()
+    safeService: SafeService;
+    @Inject()
+    sysSettingsService: SysSettingsService;
+
+
+    @Post('/:randomPath', {summary: Constants.per.guest})
+    async randomPath(@Body("password") password: any) {
+        await this.checkUnhiddenPath()
+        const hiddenSetting = await this.safeService.getHiddenSetting()
+        if (utils.hash.md5(password) === hiddenSetting.openPassword) {
+            //解锁
+            hiddenStatus.isHidden = false;
+            const setting = await this.sysSettingsService.getSetting<SysInstallInfo>(SysInstallInfo)
+            const bindUrl = setting.bindUrl
+            //解锁成功,跳转回首页,redirect
+            this.ctx.response.redirect(bindUrl || "/");
+            return
+        } else {
+            //密码错误
+            throw new ParamException('解锁密码错误');
+        }
+    }
+
+    @Get('/:randomPath', {summary: Constants.per.guest})
+    async unhiddenGet() {
+        await this.checkUnhiddenPath()
+        this.ctx.response.body = unhiddenHtml
+    }
+
+    async checkUnhiddenPath() {
+        const hiddenSetting = await this.safeService.getHiddenSetting()
+        if (this.ctx.path != `/api/unhidden/${hiddenSetting.openPath}`) {
+            this.ctx.res.statusCode = 404
+            throw new NotFoundException("Page not found")
+        }
+    }
+}
@@ -0,0 +1,39 @@
+import {ALL, Body, Controller, Inject, Post, Provide} from '@midwayjs/core';
+import {BaseController, SysSafeSetting} from '@certd/lib-server';
+import {cloneDeep} from 'lodash-es';
+import {SafeService} from "../../../modules/sys/settings/safe-service.js";
+
+
+/**
+ */
+@Provide()
+@Controller('/api/sys/settings/safe')
+export class SysSettingsController extends BaseController {
+  @Inject()
+  safeService: SafeService;
+
+
+
+  @Post("/get", { summary: "sys:settings:view" })
+  async safeGet() {
+    const res = await this.safeService.getSafeSetting()
+    const clone:SysSafeSetting = cloneDeep(res);
+    delete clone.hidden?.openPassword;
+    return this.ok(clone);
+  }
+
+  @Post("/save", { summary: "sys:settings:edit" })
+  async safeSave(@Body(ALL) body: any) {
+    await this.safeService.saveSafeSetting(body);
+    return this.ok({});
+  }
+
+  /**
+   * 立即隐藏
+   */
+  @Post("/hidden", { summary: "sys:settings:edit" })
+  async hiddenImmediate() {
+    await this.safeService.hiddenImmediately();
+    return this.ok({});
+  }
+}
@@ -1,12 +1,19 @@
-import { ALL, Body, Controller, Inject, Post, Provide, Query } from '@midwayjs/core';
-import { CrudController, SysPrivateSettings, SysPublicSettings, SysSettingsEntity, SysSettingsService } from '@certd/lib-server';
-import { merge } from 'lodash-es';
-import { PipelineService } from '../../../modules/pipeline/service/pipeline-service.js';
-import { UserSettingsService } from '../../../modules/mine/service/user-settings-service.js';
-import { getEmailSettings } from '../../../modules/sys/settings/fix.js';
-import { http, logger, simpleNanoId } from '@certd/basic';
-import { CodeService } from '../../../modules/basic/service/code-service.js';
-import { SmsServiceFactory } from '../../../modules/basic/sms/factory.js';
+import {ALL, Body, Controller, Inject, Post, Provide, Query} from '@midwayjs/core';
+import {
+  CrudController,
+  SysPrivateSettings,
+  SysPublicSettings,
+  SysSafeSetting,
+  SysSettingsEntity,
+  SysSettingsService
+} from '@certd/lib-server';
+import {cloneDeep, merge} from 'lodash-es';
+import {PipelineService} from '../../../modules/pipeline/service/pipeline-service.js';
+import {UserSettingsService} from '../../../modules/mine/service/user-settings-service.js';
+import {getEmailSettings} from '../../../modules/sys/settings/fix.js';
+import {http, logger, simpleNanoId, utils} from '@certd/basic';
+import {CodeService} from '../../../modules/basic/service/code-service.js';
+import {SmsServiceFactory} from '../../../modules/basic/sms/factory.js';


 /**
@@ -159,4 +166,29 @@ export class SysSettingsController extends CrudController<SysSettingsService> {
  async getSmsTypeDefine(@Body('type') type: string) {
    return this.ok(SmsServiceFactory.getDefine(type));
  }
+
+
+
+  @Post("/safe/get", { summary: "sys:settings:view" })
+  async safeGet() {
+    const res = await this.service.getSetting<SysSafeSetting>(SysSafeSetting);
+    const clone:SysSafeSetting = cloneDeep(res);
+    delete clone.hidden?.openPassword;
+    return this.ok(clone);
+  }
+
+  @Post("/safe/save", { summary: "sys:settings:edit" })
+  async safeSave(@Body(ALL) body: any) {
+    if(body.hidden.openPassword){
+      body.hidden.openPassword = utils.hash.md5(body.hidden.openPassword);
+    }
+    const blankSetting = new SysSafeSetting()
+    const setting = await this.service.getSetting<SysSafeSetting>(SysSafeSetting);
+    const newSetting = merge(blankSetting,cloneDeep(setting), body);
+    if(newSetting.hidden?.enabled && !newSetting.hidden?.openPassword){
+      throw new Error("首次设置需要填写解锁密码")
+    }
+    await this.service.saveSetting(blankSetting);
+    return this.ok({});
+  }
 }
@@ -0,0 +1,54 @@
+import {Inject, Provide} from '@midwayjs/core';
+import {IMidwayKoaContext, IWebMiddleware, NextFunction} from '@midwayjs/koa';
+import {hiddenStatus, SafeService} from "../modules/sys/settings/safe-service.js";
+import {SiteOffException} from "@certd/lib-server";
+
+
+/**
+ * 隐藏环境
+ */
+@Provide()
+export class HiddenMiddleware implements IWebMiddleware {
+  @Inject()
+  hiddenService: SafeService;
+
+  resolve() {
+    return async (ctx: IMidwayKoaContext, next: NextFunction) => {
+
+      async function pass() {
+        hiddenStatus.updateRequestTime()
+        await next();
+      }
+
+      const hiddenSetting = await this.hiddenService.getHiddenSetting();
+      if (!hiddenSetting || !hiddenSetting?.enabled) {
+        //未开启站点隐藏，直接通过
+        return await pass()
+      }
+
+      const req = ctx.request;
+      if (hiddenSetting.hiddenOpenApi === false && req.url.startsWith(`/api/v1/`) ) {
+        //不隐藏开放接口
+        await next();
+        return
+      }
+
+      //判断当前是否是隐藏状态
+      if (!hiddenStatus.isHidden) {
+        return await pass()
+      }
+
+      //判断是否有解锁文件,如果有就返回true并删除文件
+      if (hiddenStatus.hasUnHiddenFile()) {
+        //临时修改为未隐藏
+        hiddenStatus.isHidden = false;
+        return await pass()
+      }
+
+      if (req.url === `/api/unhidden/${hiddenSetting.openPath}`) {
+        return await pass();
+      }
+      throw new SiteOffException('此站点已关闭');
+    }
+  }
+}
@@ -4,6 +4,7 @@ import { UserService } from '../sys/authority/service/user-service.js';
 import { PlusService, SysInstallInfo, SysPrivateSettings, SysSettingsService } from '@certd/lib-server';
 import { nanoid } from 'nanoid';
 import crypto from 'crypto';
+import {SafeService} from "../sys/settings/safe-service.js";

@Autoload()
@Scope(ScopeEnum.Request, { allowDowngrade: true })
@@ -18,6 +19,8 @@ export class AutoAInitSite {
  sysSettingsService: SysSettingsService;
  @Inject()
  plusService: PlusService;
+  @Inject()
+  safeService: SafeService;

  @Init()
  async init() {
@@ -57,6 +60,8 @@ export class AutoAInitSite {
      logger.error('授权许可验证失败', e);
    }

+    //加载站点隐藏配置
+    await this.safeService.reloadHiddenStatus(true)
    logger.info('初始化站点完成');
  }

@@ -0,0 +1,110 @@
+import {Inject, Provide, Scope, ScopeEnum} from '@midwayjs/core';
+import {SiteHidden, SysSafeSetting, SysSettingsService} from "@certd/lib-server";
+import fs from "fs";
+import {logger, utils} from "@certd/basic";
+import {cloneDeep, merge} from "lodash-es";
+
+
+export class HiddenStatus {
+
+
+  isHidden = false;
+  lastRequestTime = 0;
+  intervalId: any = null;
+
+  hasUnHiddenFile() {
+    if (fs.existsSync(`./data/.unhidden`)) {
+      fs.unlinkSync(`./data/.unhidden`)
+      return true
+    }
+    return false
+  }
+
+  updateRequestTime() {
+    this.lastRequestTime = Date.now();
+  }
+
+  startCheck(autoHiddenTimes = 5) {
+    this.stopCheck()
+    this.intervalId = setInterval(() => {
+      //默认5分钟后自动隐藏
+      if (!this.isHidden && Date.now() - this.lastRequestTime > 1000 * 60 * autoHiddenTimes) {
+        this.isHidden = true;
+      }
+    }, 1000 * 60)
+  }
+
+  stopCheck() {
+    if (this.intervalId) {
+      clearInterval(this.intervalId)
+      this.intervalId = null
+    }
+  }
+
+}
+
+export const hiddenStatus = new HiddenStatus();
+
+
+@Provide('safeService')
+@Scope(ScopeEnum.Request, {allowDowngrade: true})
+export class SafeService {
+
+  @Inject()
+  sysSettingsService: SysSettingsService;
+
+
+  async reloadHiddenStatus(immediate = false) {
+    const hidden = await this.getHiddenSetting()
+    if (hidden.enabled) {
+      logger.error("启动站点隐藏");
+      hiddenStatus.isHidden = false
+      if (immediate) {
+        hiddenStatus.isHidden = true;
+      }
+      const autoHiddenTimes = hidden.autoHiddenTimes || 5;
+      hiddenStatus.startCheck(autoHiddenTimes);
+    } else {
+      logger.error("关闭站点隐藏");
+      hiddenStatus.isHidden = false;
+      hiddenStatus.stopCheck()
+    }
+  }
+
+
+  async getHiddenSetting(): Promise<SiteHidden> {
+    const safeSetting = await this.getSafeSetting()
+    return safeSetting.hidden || {enabled: false}
+  }
+
+  async getSafeSetting() {
+    return await this.sysSettingsService.getSetting<SysSafeSetting>(SysSafeSetting)
+  }
+
+  async hiddenImmediately() {
+    return hiddenStatus.isHidden = true
+  }
+
+  async saveSafeSetting(body: SysSafeSetting) {
+
+    // 更新hidden配置
+    if (body.hidden.openPassword) {
+      body.hidden.openPassword = utils.hash.md5(body.hidden.openPassword);
+    }
+    const blankSetting = new SysSafeSetting()
+    const setting = await this.getSafeSetting()
+    const newSetting = merge(blankSetting, cloneDeep(setting), body);
+    if (newSetting.hidden?.enabled && !newSetting.hidden?.openPassword) {
+      throw new Error("首次设置需要填写解锁密码")
+    }
+
+    if(isNaN(newSetting.hidden.autoHiddenTimes) || newSetting.hidden.autoHiddenTimes < 1){
+      newSetting.hidden.autoHiddenTimes = 1
+    }
+
+    await this.sysSettingsService.saveSetting(newSetting);
+
+    await this.reloadHiddenStatus(false)
+
+  }
+}
@@ -128,11 +128,11 @@ export class DeployCertToTencentAll extends AbstractTaskPlugin {
    });

    let certId:string = null
-    if (typeof certId === 'string') {
-      certId = this.tencentCertId  as string;
-    } else {
+    if (typeof certId === 'object') {
      //上传
      certId = await this.uploadToTencent(access,this.tencentCertId as CertInfo);
+    } else {
+      certId = this.tencentCertId  as string;
    }

    const params = {