🐶 重构部分用户数据库操作代码

2021-03-18 00:07:30 +08:00
parent d6ef8aa1db
commit 805fec4a67
50 changed files with 478 additions and 453 deletions
--- a/server/api/account.go
+++ b/server/api/account.go
@ -0,0 +1,310 @@
+package api
+
+import (
+	"strings"
+	"time"
+
+	"next-terminal/server/global"
+	"next-terminal/server/model"
+	"next-terminal/server/totp"
+	"next-terminal/server/utils"
+
+	"github.com/labstack/echo/v4"
+)
+
+const (
+	RememberEffectiveTime    = time.Hour * time.Duration(24*14)
+	NotRememberEffectiveTime = time.Hour * time.Duration(2)
+)
+
+type LoginAccount struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+	Remember bool   `json:"remember"`
+	TOTP     string `json:"totp"`
+}
+
+type ConfirmTOTP struct {
+	Secret string `json:"secret"`
+	TOTP   string `json:"totp"`
+}
+
+type ChangePassword struct {
+	NewPassword string `json:"newPassword"`
+	OldPassword string `json:"oldPassword"`
+}
+
+type Authorization struct {
+	Token    string
+	Remember bool
+	User     model.User
+}
+
+func LoginEndpoint(c echo.Context) error {
+	var loginAccount LoginAccount
+	if err := c.Bind(&loginAccount); err != nil {
+		return err
+	}
+
+	user, err := userRepository.FindByUsername(loginAccount.Username)
+
+	// 存储登录失败次数信息
+	loginFailCountKey := loginAccount.Username
+	v, ok := global.Cache.Get(loginFailCountKey)
+	if !ok {
+		v = 1
+	}
+	count := v.(int)
+	if count >= 5 {
+		return Fail(c, -1, "登录失败次数过多，请稍后再试")
+	}
+
+	if err != nil {
+		count++
+		global.Cache.Set(loginFailCountKey, count, time.Minute*time.Duration(5))
+		return FailWithData(c, -1, "您输入的账号或密码不正确", count)
+	}
+
+	if err := utils.Encoder.Match([]byte(user.Password), []byte(loginAccount.Password)); err != nil {
+		count++
+		global.Cache.Set(loginFailCountKey, count, time.Minute*time.Duration(5))
+		return FailWithData(c, -1, "您输入的账号或密码不正确", count)
+	}
+
+	if user.TOTPSecret != "" && user.TOTPSecret != "-" {
+		return Fail(c, 0, "")
+	}
+
+	token, err := LoginSuccess(c, loginAccount, user)
+	if err != nil {
+		return err
+	}
+
+	return Success(c, token)
+}
+
+func LoginSuccess(c echo.Context, loginAccount LoginAccount, user model.User) (token string, err error) {
+	token = strings.Join([]string{utils.UUID(), utils.UUID(), utils.UUID(), utils.UUID()}, "")
+
+	authorization := Authorization{
+		Token:    token,
+		Remember: loginAccount.Remember,
+		User:     user,
+	}
+
+	cacheKey := BuildCacheKeyByToken(token)
+
+	if authorization.Remember {
+		// 记住登录有效期两周
+		global.Cache.Set(cacheKey, authorization, RememberEffectiveTime)
+	} else {
+		global.Cache.Set(cacheKey, authorization, NotRememberEffectiveTime)
+	}
+
+	// 保存登录日志
+	loginLog := model.LoginLog{
+		ID:              token,
+		UserId:          user.ID,
+		ClientIP:        c.RealIP(),
+		ClientUserAgent: c.Request().UserAgent(),
+		LoginTime:       utils.NowJsonTime(),
+		Remember:        authorization.Remember,
+	}
+
+	if model.CreateNewLoginLog(&loginLog) != nil {
+		return "", err
+	}
+
+	// 修改登录状态
+	err = userRepository.Update(&model.User{Online: true, ID: user.ID})
+
+	return token, err
+}
+
+func BuildCacheKeyByToken(token string) string {
+	cacheKey := strings.Join([]string{Token, token}, ":")
+	return cacheKey
+}
+
+func GetTokenFormCacheKey(cacheKey string) string {
+	token := strings.Split(cacheKey, ":")[1]
+	return token
+}
+
+func loginWithTotpEndpoint(c echo.Context) error {
+	var loginAccount LoginAccount
+	if err := c.Bind(&loginAccount); err != nil {
+		return err
+	}
+
+	// 存储登录失败次数信息
+	loginFailCountKey := loginAccount.Username
+	v, ok := global.Cache.Get(loginFailCountKey)
+	if !ok {
+		v = 1
+	}
+	count := v.(int)
+	if count >= 5 {
+		return Fail(c, -1, "登录失败次数过多，请稍后再试")
+	}
+
+	user, err := userRepository.FindByUsername(loginAccount.Username)
+	if err != nil {
+		count++
+		global.Cache.Set(loginFailCountKey, count, time.Minute*time.Duration(5))
+		return FailWithData(c, -1, "您输入的账号或密码不正确", count)
+	}
+
+	if err := utils.Encoder.Match([]byte(user.Password), []byte(loginAccount.Password)); err != nil {
+		count++
+		global.Cache.Set(loginFailCountKey, count, time.Minute*time.Duration(5))
+		return FailWithData(c, -1, "您输入的账号或密码不正确", count)
+	}
+
+	if !totp.Validate(loginAccount.TOTP, user.TOTPSecret) {
+		count++
+		global.Cache.Set(loginFailCountKey, count, time.Minute*time.Duration(5))
+		return FailWithData(c, -1, "您输入双因素认证授权码不正确", count)
+	}
+
+	token, err := LoginSuccess(c, loginAccount, user)
+	if err != nil {
+		return err
+	}
+
+	return Success(c, token)
+}
+
+func LogoutEndpoint(c echo.Context) error {
+	token := GetToken(c)
+	cacheKey := BuildCacheKeyByToken(token)
+	global.Cache.Delete(cacheKey)
+	err := model.Logout(token)
+	if err != nil {
+		return err
+	}
+	return Success(c, nil)
+}
+
+func ConfirmTOTPEndpoint(c echo.Context) error {
+	if global.Config.Demo {
+		return Fail(c, 0, "演示模式禁止开启两步验证")
+	}
+	account, _ := GetCurrentAccount(c)
+
+	var confirmTOTP ConfirmTOTP
+	if err := c.Bind(&confirmTOTP); err != nil {
+		return err
+	}
+
+	if !totp.Validate(confirmTOTP.TOTP, confirmTOTP.Secret) {
+		return Fail(c, -1, "TOTP 验证失败，请重试")
+	}
+
+	u := &model.User{
+		TOTPSecret: confirmTOTP.Secret,
+		ID:         account.ID,
+	}
+
+	if err := userRepository.Update(u); err != nil {
+		return err
+	}
+
+	return Success(c, nil)
+}
+
+func ReloadTOTPEndpoint(c echo.Context) error {
+	account, _ := GetCurrentAccount(c)
+
+	key, err := totp.NewTOTP(totp.GenerateOpts{
+		Issuer:      c.Request().Host,
+		AccountName: account.Username,
+	})
+	if err != nil {
+		return Fail(c, -1, err.Error())
+	}
+
+	qrcode, err := key.Image(200, 200)
+	if err != nil {
+		return Fail(c, -1, err.Error())
+	}
+
+	qrEncode, err := utils.ImageToBase64Encode(qrcode)
+	if err != nil {
+		return Fail(c, -1, err.Error())
+	}
+
+	return Success(c, map[string]string{
+		"qr":     qrEncode,
+		"secret": key.Secret(),
+	})
+}
+
+func ResetTOTPEndpoint(c echo.Context) error {
+	account, _ := GetCurrentAccount(c)
+	u := &model.User{
+		TOTPSecret: "-",
+		ID:         account.ID,
+	}
+	if err := userRepository.Update(u); err != nil {
+		return err
+	}
+	return Success(c, "")
+}
+
+func ChangePasswordEndpoint(c echo.Context) error {
+	if global.Config.Demo {
+		return Fail(c, 0, "演示模式禁止修改密码")
+	}
+	account, _ := GetCurrentAccount(c)
+
+	var changePassword ChangePassword
+	if err := c.Bind(&changePassword); err != nil {
+		return err
+	}
+
+	if err := utils.Encoder.Match([]byte(account.Password), []byte(changePassword.OldPassword)); err != nil {
+		return Fail(c, -1, "您输入的原密码不正确")
+	}
+
+	passwd, err := utils.Encoder.Encode([]byte(changePassword.NewPassword))
+	if err != nil {
+		return err
+	}
+	u := &model.User{
+		Password: string(passwd),
+		ID:       account.ID,
+	}
+
+	if err := userRepository.Update(u); err != nil {
+		return err
+	}
+
+	return LogoutEndpoint(c)
+}
+
+type AccountInfo struct {
+	Id         string `json:"id"`
+	Username   string `json:"username"`
+	Nickname   string `json:"nickname"`
+	Type       string `json:"type"`
+	EnableTotp bool   `json:"enableTotp"`
+}
+
+func InfoEndpoint(c echo.Context) error {
+	account, _ := GetCurrentAccount(c)
+
+	user, err := userRepository.FindById(account.ID)
+	if err != nil {
+		return err
+	}
+
+	info := AccountInfo{
+		Id:         user.ID,
+		Username:   user.Username,
+		Nickname:   user.Nickname,
+		Type:       user.Type,
+		EnableTotp: user.TOTPSecret != "" && user.TOTPSecret != "-",
+	}
+	return Success(c, info)
+}
--- a/server/api/asset.go
+++ b/server/api/asset.go
@ -0,0 +1,324 @@
+package api
+
+import (
+	"bufio"
+	"encoding/csv"
+	"encoding/json"
+	"errors"
+	"strconv"
+	"strings"
+
+	"next-terminal/server/constant"
+	"next-terminal/server/model"
+	"next-terminal/server/utils"
+
+	"github.com/labstack/echo/v4"
+)
+
+func AssetCreateEndpoint(c echo.Context) error {
+	m := echo.Map{}
+	if err := c.Bind(&m); err != nil {
+		return err
+	}
+
+	data, _ := json.Marshal(m)
+	var item model.Asset
+	if err := json.Unmarshal(data, &item); err != nil {
+		return err
+	}
+
+	account, _ := GetCurrentAccount(c)
+	item.Owner = account.ID
+	item.ID = utils.UUID()
+	item.Created = utils.NowJsonTime()
+
+	if err := model.CreateNewAsset(&item); err != nil {
+		return err
+	}
+
+	if err := model.UpdateAssetAttributes(item.ID, item.Protocol, m); err != nil {
+		return err
+	}
+
+	// 创建后自动检测资产是否存活
+	go func() {
+		active := utils.Tcping(item.IP, item.Port)
+		model.UpdateAssetActiveById(active, item.ID)
+	}()
+
+	return Success(c, item)
+}
+
+func AssetImportEndpoint(c echo.Context) error {
+	account, _ := GetCurrentAccount(c)
+
+	file, err := c.FormFile("file")
+	if err != nil {
+		return err
+	}
+
+	src, err := file.Open()
+	if err != nil {
+		return err
+	}
+
+	defer src.Close()
+	reader := csv.NewReader(bufio.NewReader(src))
+	records, err := reader.ReadAll()
+	if err != nil {
+		return err
+	}
+
+	total := len(records)
+	if total == 0 {
+		return errors.New("csv数据为空")
+	}
+
+	var successCount = 0
+	var errorCount = 0
+	m := echo.Map{}
+
+	for i := 0; i < total; i++ {
+		record := records[i]
+		if len(record) >= 9 {
+			port, _ := strconv.Atoi(record[3])
+			asset := model.Asset{
+				ID:          utils.UUID(),
+				Name:        record[0],
+				Protocol:    record[1],
+				IP:          record[2],
+				Port:        port,
+				AccountType: constant.Custom,
+				Username:    record[4],
+				Password:    record[5],
+				PrivateKey:  record[6],
+				Passphrase:  record[7],
+				Description: record[8],
+				Created:     utils.NowJsonTime(),
+				Owner:       account.ID,
+			}
+
+			err := model.CreateNewAsset(&asset)
+			if err != nil {
+				errorCount++
+				m[strconv.Itoa(i)] = err.Error()
+			} else {
+				successCount++
+				// 创建后自动检测资产是否存活
+				go func() {
+					active := utils.Tcping(asset.IP, asset.Port)
+					model.UpdateAssetActiveById(active, asset.ID)
+				}()
+			}
+		}
+	}
+
+	return Success(c, echo.Map{
+		"successCount": successCount,
+		"errorCount":   errorCount,
+		"data":         m,
+	})
+}
+
+func AssetPagingEndpoint(c echo.Context) error {
+	pageIndex, _ := strconv.Atoi(c.QueryParam("pageIndex"))
+	pageSize, _ := strconv.Atoi(c.QueryParam("pageSize"))
+	name := c.QueryParam("name")
+	protocol := c.QueryParam("protocol")
+	tags := c.QueryParam("tags")
+	owner := c.QueryParam("owner")
+	sharer := c.QueryParam("sharer")
+	userGroupId := c.QueryParam("userGroupId")
+	ip := c.QueryParam("ip")
+
+	order := c.QueryParam("order")
+	field := c.QueryParam("field")
+
+	account, _ := GetCurrentAccount(c)
+	items, total, err := model.FindPageAsset(pageIndex, pageSize, name, protocol, tags, account, owner, sharer, userGroupId, ip, order, field)
+	if err != nil {
+		return err
+	}
+
+	return Success(c, H{
+		"total": total,
+		"items": items,
+	})
+}
+
+func AssetAllEndpoint(c echo.Context) error {
+	protocol := c.QueryParam("protocol")
+	account, _ := GetCurrentAccount(c)
+	items, _ := model.FindAssetByConditions(protocol, account)
+	return Success(c, items)
+}
+
+func AssetUpdateEndpoint(c echo.Context) error {
+	id := c.Param("id")
+	if err := PreCheckAssetPermission(c, id); err != nil {
+		return err
+	}
+
+	m := echo.Map{}
+	if err := c.Bind(&m); err != nil {
+		return err
+	}
+
+	data, _ := json.Marshal(m)
+	var item model.Asset
+	if err := json.Unmarshal(data, &item); err != nil {
+		return err
+	}
+
+	switch item.AccountType {
+	case "credential":
+		item.Username = "-"
+		item.Password = "-"
+		item.PrivateKey = "-"
+		item.Passphrase = "-"
+	case "private-key":
+		item.Password = "-"
+		item.CredentialId = "-"
+		if len(item.Username) == 0 {
+			item.Username = "-"
+		}
+		if len(item.Passphrase) == 0 {
+			item.Passphrase = "-"
+		}
+	case "custom":
+		item.PrivateKey = "-"
+		item.Passphrase = "-"
+		item.CredentialId = "-"
+	}
+
+	if len(item.Tags) == 0 {
+		item.Tags = "-"
+	}
+
+	if item.Description == "" {
+		item.Description = "-"
+	}
+
+	model.UpdateAssetById(&item, id)
+	if err := model.UpdateAssetAttributes(id, item.Protocol, m); err != nil {
+		return err
+	}
+
+	return Success(c, nil)
+}
+
+func AssetGetAttributeEndpoint(c echo.Context) error {
+
+	assetId := c.Param("id")
+	if err := PreCheckAssetPermission(c, assetId); err != nil {
+		return err
+	}
+
+	attributeMap, err := model.FindAssetAttrMapByAssetId(assetId)
+	if err != nil {
+		return err
+	}
+	return Success(c, attributeMap)
+}
+
+func AssetUpdateAttributeEndpoint(c echo.Context) error {
+	m := echo.Map{}
+	if err := c.Bind(&m); err != nil {
+		return err
+	}
+
+	assetId := c.Param("id")
+	protocol := c.QueryParam("protocol")
+	err := model.UpdateAssetAttributes(assetId, protocol, m)
+	if err != nil {
+		return err
+	}
+	return Success(c, "")
+}
+
+func AssetDeleteEndpoint(c echo.Context) error {
+	id := c.Param("id")
+	split := strings.Split(id, ",")
+	for i := range split {
+		if err := PreCheckAssetPermission(c, split[i]); err != nil {
+			return err
+		}
+		if err := model.DeleteAssetById(split[i]); err != nil {
+			return err
+		}
+		// 删除资产与用户的关系
+		if err := model.DeleteResourceSharerByResourceId(split[i]); err != nil {
+			return err
+		}
+	}
+
+	return Success(c, nil)
+}
+
+func AssetGetEndpoint(c echo.Context) (err error) {
+	id := c.Param("id")
+	if err := PreCheckAssetPermission(c, id); err != nil {
+		return err
+	}
+
+	var item model.Asset
+	if item, err = model.FindAssetById(id); err != nil {
+		return err
+	}
+	attributeMap, err := model.FindAssetAttrMapByAssetId(id)
+	if err != nil {
+		return err
+	}
+	itemMap := utils.StructToMap(item)
+	for key := range attributeMap {
+		itemMap[key] = attributeMap[key]
+	}
+
+	return Success(c, itemMap)
+}
+
+func AssetTcpingEndpoint(c echo.Context) (err error) {
+	id := c.Param("id")
+
+	var item model.Asset
+	if item, err = model.FindAssetById(id); err != nil {
+		return err
+	}
+
+	active := utils.Tcping(item.IP, item.Port)
+
+	model.UpdateAssetActiveById(active, item.ID)
+	return Success(c, active)
+}
+
+func AssetTagsEndpoint(c echo.Context) (err error) {
+	var items []string
+	if items, err = model.FindAssetTags(); err != nil {
+		return err
+	}
+	return Success(c, items)
+}
+
+func AssetChangeOwnerEndpoint(c echo.Context) (err error) {
+	id := c.Param("id")
+
+	if err := PreCheckAssetPermission(c, id); err != nil {
+		return err
+	}
+
+	owner := c.QueryParam("owner")
+	model.UpdateAssetById(&model.Asset{Owner: owner}, id)
+	return Success(c, "")
+}
+
+func PreCheckAssetPermission(c echo.Context, id string) error {
+	item, err := model.FindAssetById(id)
+	if err != nil {
+		return err
+	}
+
+	if !HasPermission(c, item.Owner) {
+		return errors.New("permission denied")
+	}
+	return nil
+}
--- a/server/api/command.go
+++ b/server/api/command.go
@ -0,0 +1,123 @@
+package api
+
+import (
+	"errors"
+	"strconv"
+	"strings"
+
+	"next-terminal/server/model"
+	"next-terminal/server/utils"
+
+	"github.com/labstack/echo/v4"
+)
+
+func CommandCreateEndpoint(c echo.Context) error {
+	var item model.Command
+	if err := c.Bind(&item); err != nil {
+		return err
+	}
+
+	account, _ := GetCurrentAccount(c)
+	item.Owner = account.ID
+	item.ID = utils.UUID()
+	item.Created = utils.NowJsonTime()
+
+	if err := model.CreateNewCommand(&item); err != nil {
+		return err
+	}
+
+	return Success(c, item)
+}
+
+func CommandPagingEndpoint(c echo.Context) error {
+	pageIndex, _ := strconv.Atoi(c.QueryParam("pageIndex"))
+	pageSize, _ := strconv.Atoi(c.QueryParam("pageSize"))
+	name := c.QueryParam("name")
+	content := c.QueryParam("content")
+	account, _ := GetCurrentAccount(c)
+
+	order := c.QueryParam("order")
+	field := c.QueryParam("field")
+
+	items, total, err := model.FindPageCommand(pageIndex, pageSize, name, content, order, field, account)
+	if err != nil {
+		return err
+	}
+
+	return Success(c, H{
+		"total": total,
+		"items": items,
+	})
+}
+
+func CommandUpdateEndpoint(c echo.Context) error {
+	id := c.Param("id")
+	if err := PreCheckCommandPermission(c, id); err != nil {
+		return err
+	}
+
+	var item model.Command
+	if err := c.Bind(&item); err != nil {
+		return err
+	}
+
+	model.UpdateCommandById(&item, id)
+
+	return Success(c, nil)
+}
+
+func CommandDeleteEndpoint(c echo.Context) error {
+	id := c.Param("id")
+	split := strings.Split(id, ",")
+	for i := range split {
+		if err := PreCheckCommandPermission(c, split[i]); err != nil {
+			return err
+		}
+		if err := model.DeleteCommandById(split[i]); err != nil {
+			return err
+		}
+		// 删除资产与用户的关系
+		if err := model.DeleteResourceSharerByResourceId(split[i]); err != nil {
+			return err
+		}
+	}
+	return Success(c, nil)
+}
+
+func CommandGetEndpoint(c echo.Context) (err error) {
+	id := c.Param("id")
+
+	if err := PreCheckCommandPermission(c, id); err != nil {
+		return err
+	}
+
+	var item model.Command
+	if item, err = model.FindCommandById(id); err != nil {
+		return err
+	}
+	return Success(c, item)
+}
+
+func CommandChangeOwnerEndpoint(c echo.Context) (err error) {
+	id := c.Param("id")
+
+	if err := PreCheckCommandPermission(c, id); err != nil {
+		return err
+	}
+
+	owner := c.QueryParam("owner")
+	model.UpdateCommandById(&model.Command{Owner: owner}, id)
+	return Success(c, "")
+}
+
+func PreCheckCommandPermission(c echo.Context, id string) error {
+	item, err := model.FindCommandById(id)
+	if err != nil {
+		return err
+	}
+
+	if !HasPermission(c, item.Owner) {
+		return errors.New("permission denied")
+	}
+	return nil
+}
--- a/server/api/credential.go
+++ b/server/api/credential.go
@ -0,0 +1,184 @@
+package api
+
+import (
+	"errors"
+	"strconv"
+	"strings"
+
+	"next-terminal/server/constant"
+	"next-terminal/server/model"
+	"next-terminal/server/utils"
+
+	"github.com/labstack/echo/v4"
+)
+
+func CredentialAllEndpoint(c echo.Context) error {
+	account, _ := GetCurrentAccount(c)
+	items, _ := model.FindAllCredential(account)
+	return Success(c, items)
+}
+func CredentialCreateEndpoint(c echo.Context) error {
+	var item model.Credential
+	if err := c.Bind(&item); err != nil {
+		return err
+	}
+
+	account, _ := GetCurrentAccount(c)
+	item.Owner = account.ID
+	item.ID = utils.UUID()
+	item.Created = utils.NowJsonTime()
+
+	switch item.Type {
+	case constant.Custom:
+		item.PrivateKey = "-"
+		item.Passphrase = "-"
+		if len(item.Username) == 0 {
+			item.Username = "-"
+		}
+		if len(item.Password) == 0 {
+			item.Password = "-"
+		}
+	case constant.PrivateKey:
+		item.Password = "-"
+		if len(item.Username) == 0 {
+			item.Username = "-"
+		}
+		if len(item.PrivateKey) == 0 {
+			item.PrivateKey = "-"
+		}
+		if len(item.Passphrase) == 0 {
+			item.Passphrase = "-"
+		}
+	default:
+		return Fail(c, -1, "类型错误")
+	}
+
+	if err := model.CreateNewCredential(&item); err != nil {
+		return err
+	}
+
+	return Success(c, item)
+}
+
+func CredentialPagingEndpoint(c echo.Context) error {
+	pageIndex, _ := strconv.Atoi(c.QueryParam("pageIndex"))
+	pageSize, _ := strconv.Atoi(c.QueryParam("pageSize"))
+	name := c.QueryParam("name")
+
+	order := c.QueryParam("order")
+	field := c.QueryParam("field")
+
+	account, _ := GetCurrentAccount(c)
+	items, total, err := model.FindPageCredential(pageIndex, pageSize, name, order, field, account)
+	if err != nil {
+		return err
+	}
+
+	return Success(c, H{
+		"total": total,
+		"items": items,
+	})
+}
+
+func CredentialUpdateEndpoint(c echo.Context) error {
+	id := c.Param("id")
+
+	if err := PreCheckCredentialPermission(c, id); err != nil {
+		return err
+	}
+
+	var item model.Credential
+	if err := c.Bind(&item); err != nil {
+		return err
+	}
+
+	switch item.Type {
+	case constant.Custom:
+		item.PrivateKey = "-"
+		item.Passphrase = "-"
+		if len(item.Username) == 0 {
+			item.Username = "-"
+		}
+		if len(item.Password) == 0 {
+			item.Password = "-"
+		}
+	case constant.PrivateKey:
+		item.Password = "-"
+		if len(item.Username) == 0 {
+			item.Username = "-"
+		}
+		if len(item.PrivateKey) == 0 {
+			item.PrivateKey = "-"
+		}
+		if len(item.Passphrase) == 0 {
+			item.Passphrase = "-"
+		}
+	default:
+		return Fail(c, -1, "类型错误")
+	}
+
+	model.UpdateCredentialById(&item, id)
+
+	return Success(c, nil)
+}
+
+func CredentialDeleteEndpoint(c echo.Context) error {
+	id := c.Param("id")
+	split := strings.Split(id, ",")
+	for i := range split {
+		if err := PreCheckCredentialPermission(c, split[i]); err != nil {
+			return err
+		}
+		if err := model.DeleteCredentialById(split[i]); err != nil {
+			return err
+		}
+		// 删除资产与用户的关系
+		if err := model.DeleteResourceSharerByResourceId(split[i]); err != nil {
+			return err
+		}
+	}
+
+	return Success(c, nil)
+}
+
+func CredentialGetEndpoint(c echo.Context) error {
+	id := c.Param("id")
+	if err := PreCheckCredentialPermission(c, id); err != nil {
+		return err
+	}
+
+	item, err := model.FindCredentialById(id)
+	if err != nil {
+		return err
+	}
+
+	if !HasPermission(c, item.Owner) {
+		return errors.New("permission denied")
+	}
+
+	return Success(c, item)
+}
+
+func CredentialChangeOwnerEndpoint(c echo.Context) error {
+	id := c.Param("id")
+
+	if err := PreCheckCredentialPermission(c, id); err != nil {
+		return err
+	}
+
+	owner := c.QueryParam("owner")
+	model.UpdateCredentialById(&model.Credential{Owner: owner}, id)
+	return Success(c, "")
+}
+
+func PreCheckCredentialPermission(c echo.Context, id string) error {
+	item, err := model.FindCredentialById(id)
+	if err != nil {
+		return err
+	}
+
+	if !HasPermission(c, item.Owner) {
+		return errors.New("permission denied")
+	}
+	return nil
+}
--- a/server/api/job.go
+++ b/server/api/job.go
@ -0,0 +1,122 @@
+package api
+
+import (
+	"strconv"
+	"strings"
+
+	"next-terminal/server/model"
+	"next-terminal/server/utils"
+
+	"github.com/labstack/echo/v4"
+)
+
+func JobCreateEndpoint(c echo.Context) error {
+	var item model.Job
+	if err := c.Bind(&item); err != nil {
+		return err
+	}
+
+	item.ID = utils.UUID()
+	item.Created = utils.NowJsonTime()
+
+	if err := model.CreateNewJob(&item); err != nil {
+		return err
+	}
+	return Success(c, "")
+}
+
+func JobPagingEndpoint(c echo.Context) error {
+	pageIndex, _ := strconv.Atoi(c.QueryParam("pageIndex"))
+	pageSize, _ := strconv.Atoi(c.QueryParam("pageSize"))
+	name := c.QueryParam("name")
+	status := c.QueryParam("status")
+
+	order := c.QueryParam("order")
+	field := c.QueryParam("field")
+
+	items, total, err := model.FindPageJob(pageIndex, pageSize, name, status, order, field)
+	if err != nil {
+		return err
+	}
+
+	return Success(c, H{
+		"total": total,
+		"items": items,
+	})
+}
+
+func JobUpdateEndpoint(c echo.Context) error {
+	id := c.Param("id")
+
+	var item model.Job
+	if err := c.Bind(&item); err != nil {
+		return err
+	}
+
+	if err := model.UpdateJobById(&item, id); err != nil {
+		return err
+	}
+
+	return Success(c, nil)
+}
+
+func JobChangeStatusEndpoint(c echo.Context) error {
+	id := c.Param("id")
+	status := c.QueryParam("status")
+	if err := model.ChangeJobStatusById(id, status); err != nil {
+		return err
+	}
+	return Success(c, "")
+}
+
+func JobExecEndpoint(c echo.Context) error {
+	id := c.Param("id")
+	if err := model.ExecJobById(id); err != nil {
+		return err
+	}
+	return Success(c, "")
+}
+
+func JobDeleteEndpoint(c echo.Context) error {
+	ids := c.Param("id")
+
+	split := strings.Split(ids, ",")
+	for i := range split {
+		jobId := split[i]
+		if err := model.DeleteJobById(jobId); err != nil {
+			return err
+		}
+	}
+
+	return Success(c, nil)
+}
+
+func JobGetEndpoint(c echo.Context) error {
+	id := c.Param("id")
+
+	item, err := model.FindJobById(id)
+	if err != nil {
+		return err
+	}
+
+	return Success(c, item)
+}
+
+func JobGetLogsEndpoint(c echo.Context) error {
+	id := c.Param("id")
+
+	items, err := model.FindJobLogs(id)
+	if err != nil {
+		return err
+	}
+
+	return Success(c, items)
+}
+
+func JobDeleteLogsEndpoint(c echo.Context) error {
+	id := c.Param("id")
+	if err := model.DeleteJobLogByJobId(id); err != nil {
+		return err
+	}
+	return Success(c, "")
+}
--- a/server/api/login-log.go
+++ b/server/api/login-log.go
@ -0,0 +1,47 @@
+package api
+
+import (
+	"strconv"
+	"strings"
+
+	"next-terminal/server/global"
+	"next-terminal/server/model"
+
+	"github.com/labstack/echo/v4"
+	"github.com/sirupsen/logrus"
+)
+
+func LoginLogPagingEndpoint(c echo.Context) error {
+	pageIndex, _ := strconv.Atoi(c.QueryParam("pageIndex"))
+	pageSize, _ := strconv.Atoi(c.QueryParam("pageSize"))
+	userId := c.QueryParam("userId")
+	clientIp := c.QueryParam("clientIp")
+
+	items, total, err := model.FindPageLoginLog(pageIndex, pageSize, userId, clientIp)
+
+	if err != nil {
+		return err
+	}
+
+	return Success(c, H{
+		"total": total,
+		"items": items,
+	})
+}
+
+func LoginLogDeleteEndpoint(c echo.Context) error {
+	ids := c.Param("id")
+	split := strings.Split(ids, ",")
+	for i := range split {
+		token := split[i]
+		global.Cache.Delete(token)
+		if err := model.Logout(token); err != nil {
+			logrus.WithError(err).Error("Cache Delete Failed")
+		}
+	}
+	if err := model.DeleteLoginLogByIdIn(split); err != nil {
+		return err
+	}
+
+	return Success(c, nil)
+}
--- a/server/api/middleware.go
+++ b/server/api/middleware.go
@ -0,0 +1,149 @@
+package api
+
+import (
+	"fmt"
+	"net"
+	"regexp"
+	"strings"
+	"time"
+
+	"next-terminal/server/constant"
+	"next-terminal/server/global"
+	"next-terminal/server/utils"
+
+	"github.com/labstack/echo/v4"
+)
+
+func ErrorHandler(next echo.HandlerFunc) echo.HandlerFunc {
+	return func(c echo.Context) error {
+
+		if err := next(c); err != nil {
+
+			if he, ok := err.(*echo.HTTPError); ok {
+				message := fmt.Sprintf("%v", he.Message)
+				return Fail(c, he.Code, message)
+			}
+
+			return Fail(c, 0, err.Error())
+		}
+		return nil
+	}
+}
+
+func TcpWall(next echo.HandlerFunc) echo.HandlerFunc {
+
+	return func(c echo.Context) error {
+
+		if global.Securities == nil {
+			return next(c)
+		}
+
+		ip := c.RealIP()
+		for i := 0; i < len(global.Securities); i++ {
+			security := global.Securities[i]
+
+			if strings.Contains(security.IP, "/") {
+				// CIDR
+				_, ipNet, err := net.ParseCIDR(security.IP)
+				if err != nil {
+					continue
+				}
+				if !ipNet.Contains(net.ParseIP(ip)) {
+					continue
+				}
+			} else if strings.Contains(security.IP, "-") {
+				// 范围段
+				split := strings.Split(security.IP, "-")
+				if len(split) < 2 {
+					continue
+				}
+				start := split[0]
+				end := split[1]
+				intReqIP := utils.IpToInt(ip)
+				if intReqIP < utils.IpToInt(start) || intReqIP > utils.IpToInt(end) {
+					continue
+				}
+			} else {
+				// IP
+				if security.IP != ip {
+					continue
+				}
+			}
+
+			if security.Rule == constant.AccessRuleAllow {
+				return next(c)
+			}
+			if security.Rule == constant.AccessRuleReject {
+				if c.Request().Header.Get("X-Requested-With") != "" || c.Request().Header.Get(Token) != "" {
+					return Fail(c, 0, "您的访问请求被拒绝 :(")
+				} else {
+					return c.HTML(666, "您的访问请求被拒绝 :(")
+				}
+			}
+		}
+
+		return next(c)
+	}
+}
+
+func Auth(next echo.HandlerFunc) echo.HandlerFunc {
+
+	startWithUrls := []string{"/login", "/static", "/favicon.ico", "/logo.svg", "/asciinema"}
+
+	download := regexp.MustCompile(`^/sessions/\w{8}(-\w{4}){3}-\w{12}/download`)
+	recording := regexp.MustCompile(`^/sessions/\w{8}(-\w{4}){3}-\w{12}/recording`)
+
+	return func(c echo.Context) error {
+
+		uri := c.Request().RequestURI
+		if uri == "/" || strings.HasPrefix(uri, "/#") {
+			return next(c)
+		}
+		// 路由拦截 - 登录身份、资源权限判断等
+		for i := range startWithUrls {
+			if strings.HasPrefix(uri, startWithUrls[i]) {
+				return next(c)
+			}
+		}
+
+		if download.FindString(uri) != "" {
+			return next(c)
+		}
+
+		if recording.FindString(uri) != "" {
+			return next(c)
+		}
+
+		token := GetToken(c)
+		cacheKey := BuildCacheKeyByToken(token)
+		authorization, found := global.Cache.Get(cacheKey)
+		if !found {
+			return Fail(c, 401, "您的登录信息已失效，请重新登录后再试。")
+		}
+
+		if authorization.(Authorization).Remember {
+			// 记住登录有效期两周
+			global.Cache.Set(cacheKey, authorization, time.Hour*time.Duration(24*14))
+		} else {
+			global.Cache.Set(cacheKey, authorization, time.Hour*time.Duration(2))
+		}
+
+		return next(c)
+	}
+}
+
+func Admin(next echo.HandlerFunc) echo.HandlerFunc {
+	return func(c echo.Context) error {
+
+		account, found := GetCurrentAccount(c)
+		if !found {
+			return Fail(c, 401, "您的登录信息已失效，请重新登录后再试。")
+		}
+
+		if account.Type != constant.TypeAdmin {
+			return Fail(c, 403, "permission denied")
+		}
+
+		return next(c)
+	}
+}
--- a/server/api/overview.go
+++ b/server/api/overview.go
@ -0,0 +1,59 @@
+package api
+
+import (
+	"next-terminal/server/constant"
+	"next-terminal/server/model"
+
+	"github.com/labstack/echo/v4"
+)
+
+type Counter struct {
+	User          int64 `json:"user"`
+	Asset         int64 `json:"asset"`
+	Credential    int64 `json:"credential"`
+	OnlineSession int64 `json:"onlineSession"`
+}
+
+func OverviewCounterEndPoint(c echo.Context) error {
+	account, _ := GetCurrentAccount(c)
+
+	var (
+		countUser          int64
+		countOnlineSession int64
+		credential         int64
+		asset              int64
+	)
+	if constant.TypeUser == account.Type {
+		countUser, _ = userRepository.CountOnlineUser()
+		countOnlineSession, _ = model.CountOnlineSession()
+		credential, _ = model.CountCredentialByUserId(account.ID)
+		asset, _ = model.CountAssetByUserId(account.ID)
+	} else {
+		countUser, _ = userRepository.CountOnlineUser()
+		countOnlineSession, _ = model.CountOnlineSession()
+		credential, _ = model.CountCredential()
+		asset, _ = model.CountAsset()
+	}
+	counter := Counter{
+		User:          countUser,
+		OnlineSession: countOnlineSession,
+		Credential:    credential,
+		Asset:         asset,
+	}
+
+	return Success(c, counter)
+}
+
+func OverviewSessionPoint(c echo.Context) (err error) {
+	d := c.QueryParam("d")
+	var results []model.D
+	if d == "m" {
+		results, err = model.CountSessionByDay(30)
+	} else {
+		results, err = model.CountSessionByDay(7)
+	}
+	if err != nil {
+		return err
+	}
+	return Success(c, results)
+}
--- a/server/api/property.go
+++ b/server/api/property.go
@ -0,0 +1,45 @@
+package api
+
+import (
+	"errors"
+	"fmt"
+
+	"next-terminal/server/model"
+
+	"github.com/labstack/echo/v4"
+	"gorm.io/gorm"
+)
+
+func PropertyGetEndpoint(c echo.Context) error {
+	properties := model.FindAllPropertiesMap()
+	return Success(c, properties)
+}
+
+func PropertyUpdateEndpoint(c echo.Context) error {
+	var item map[string]interface{}
+	if err := c.Bind(&item); err != nil {
+		return err
+	}
+
+	for key := range item {
+		value := fmt.Sprintf("%v", item[key])
+		if value == "" {
+			value = "-"
+		}
+
+		property := model.Property{
+			Name:  key,
+			Value: value,
+		}
+
+		_, err := model.FindPropertyByName(key)
+		if err != nil && errors.Is(err, gorm.ErrRecordNotFound) {
+			if err := model.CreateNewProperty(&property); err != nil {
+				return err
+			}
+		} else {
+			model.UpdatePropertyByName(&property, key)
+		}
+	}
+	return Success(c, nil)
+}
--- a/server/api/resource-sharer.go
+++ b/server/api/resource-sharer.go
@ -0,0 +1,68 @@
+package api
+
+import (
+	"next-terminal/server/model"
+
+	"github.com/labstack/echo/v4"
+)
+
+type RU struct {
+	UserGroupId  string   `json:"userGroupId"`
+	UserId       string   `json:"userId"`
+	ResourceType string   `json:"resourceType"`
+	ResourceIds  []string `json:"resourceIds"`
+}
+
+type UR struct {
+	ResourceId   string   `json:"resourceId"`
+	ResourceType string   `json:"resourceType"`
+	UserIds      []string `json:"userIds"`
+}
+
+func RSGetSharersEndPoint(c echo.Context) error {
+	resourceId := c.QueryParam("resourceId")
+	userIds, err := model.FindUserIdsByResourceId(resourceId)
+	if err != nil {
+		return err
+	}
+	return Success(c, userIds)
+}
+
+func RSOverwriteSharersEndPoint(c echo.Context) error {
+	var ur UR
+	if err := c.Bind(&ur); err != nil {
+		return err
+	}
+
+	if err := model.OverwriteUserIdsByResourceId(ur.ResourceId, ur.ResourceType, ur.UserIds); err != nil {
+		return err
+	}
+
+	return Success(c, "")
+}
+
+func ResourceRemoveByUserIdAssignEndPoint(c echo.Context) error {
+	var ru RU
+	if err := c.Bind(&ru); err != nil {
+		return err
+	}
+
+	if err := model.DeleteByUserIdAndResourceTypeAndResourceIdIn(ru.UserGroupId, ru.UserId, ru.ResourceType, ru.ResourceIds); err != nil {
+		return err
+	}
+
+	return Success(c, "")
+}
+
+func ResourceAddByUserIdAssignEndPoint(c echo.Context) error {
+	var ru RU
+	if err := c.Bind(&ru); err != nil {
+		return err
+	}
+
+	if err := model.AddSharerResources(ru.UserGroupId, ru.UserId, ru.ResourceType, ru.ResourceIds); err != nil {
+		return err
+	}
+
+	return Success(c, "")
+}
--- a/server/api/routes.go
+++ b/server/api/routes.go
@ -0,0 +1,246 @@
+package api
+
+import (
+	"net/http"
+	"next-terminal/server/constant"
+	"next-terminal/server/global"
+	"next-terminal/server/log"
+	"next-terminal/server/model"
+	"next-terminal/server/repository"
+
+	"github.com/labstack/echo/v4"
+	"github.com/labstack/echo/v4/middleware"
+)
+
+const Token = "X-Auth-Token"
+
+var (
+	userRepository repository.UserRepository
+)
+
+func SetupRoutes(ur repository.UserRepository) *echo.Echo {
+	userRepository = ur
+
+	e := echo.New()
+	e.HideBanner = true
+	e.Logger = log.GetEchoLogger()
+
+	e.File("/", "web/build/index.html")
+	e.File("/asciinema.html", "web/build/asciinema.html")
+	e.File("/asciinema-player.js", "web/build/asciinema-player.js")
+	e.File("/asciinema-player.css", "web/build/asciinema-player.css")
+	e.File("/", "web/build/index.html")
+	e.File("/logo.svg", "web/build/logo.svg")
+	e.File("/favicon.ico", "web/build/favicon.ico")
+	e.Static("/static", "web/build/static")
+
+	e.Use(middleware.Recover())
+	e.Use(middleware.CORSWithConfig(middleware.CORSConfig{
+		Skipper:      middleware.DefaultSkipper,
+		AllowOrigins: []string{"*"},
+		AllowMethods: []string{http.MethodGet, http.MethodHead, http.MethodPut, http.MethodPatch, http.MethodPost, http.MethodDelete},
+	}))
+	e.Use(ErrorHandler)
+	e.Use(TcpWall)
+	e.Use(Auth)
+
+	e.POST("/login", LoginEndpoint)
+	e.POST("/loginWithTotp", loginWithTotpEndpoint)
+
+	e.GET("/tunnel", TunEndpoint)
+	e.GET("/ssh", SSHEndpoint)
+
+	e.POST("/logout", LogoutEndpoint)
+	e.POST("/change-password", ChangePasswordEndpoint)
+	e.GET("/reload-totp", ReloadTOTPEndpoint)
+	e.POST("/reset-totp", ResetTOTPEndpoint)
+	e.POST("/confirm-totp", ConfirmTOTPEndpoint)
+	e.GET("/info", InfoEndpoint)
+
+	users := e.Group("/users")
+	{
+		users.POST("", Admin(UserCreateEndpoint))
+		users.GET("/paging", UserPagingEndpoint)
+		users.PUT("/:id", Admin(UserUpdateEndpoint))
+		users.DELETE("/:id", Admin(UserDeleteEndpoint))
+		users.GET("/:id", Admin(UserGetEndpoint))
+		users.POST("/:id/change-password", Admin(UserChangePasswordEndpoint))
+		users.POST("/:id/reset-totp", Admin(UserResetTotpEndpoint))
+	}
+
+	userGroups := e.Group("/user-groups", Admin)
+	{
+		userGroups.POST("", UserGroupCreateEndpoint)
+		userGroups.GET("/paging", UserGroupPagingEndpoint)
+		userGroups.PUT("/:id", UserGroupUpdateEndpoint)
+		userGroups.DELETE("/:id", UserGroupDeleteEndpoint)
+		userGroups.GET("/:id", UserGroupGetEndpoint)
+		//userGroups.POST("/:id/members", UserGroupAddMembersEndpoint)
+		//userGroups.DELETE("/:id/members/:memberId", UserGroupDelMembersEndpoint)
+	}
+
+	assets := e.Group("/assets")
+	{
+		assets.GET("", AssetAllEndpoint)
+		assets.POST("", AssetCreateEndpoint)
+		assets.POST("/import", Admin(AssetImportEndpoint))
+		assets.GET("/paging", AssetPagingEndpoint)
+		assets.POST("/:id/tcping", AssetTcpingEndpoint)
+		assets.PUT("/:id", AssetUpdateEndpoint)
+		assets.DELETE("/:id", AssetDeleteEndpoint)
+		assets.GET("/:id", AssetGetEndpoint)
+		assets.GET("/:id/attributes", AssetGetAttributeEndpoint)
+		assets.POST("/:id/change-owner", Admin(AssetChangeOwnerEndpoint))
+	}
+
+	e.GET("/tags", AssetTagsEndpoint)
+
+	commands := e.Group("/commands")
+	{
+		commands.GET("/paging", CommandPagingEndpoint)
+		commands.POST("", CommandCreateEndpoint)
+		commands.PUT("/:id", CommandUpdateEndpoint)
+		commands.DELETE("/:id", CommandDeleteEndpoint)
+		commands.GET("/:id", CommandGetEndpoint)
+		commands.POST("/:id/change-owner", Admin(CommandChangeOwnerEndpoint))
+	}
+
+	credentials := e.Group("/credentials")
+	{
+		credentials.GET("", CredentialAllEndpoint)
+		credentials.GET("/paging", CredentialPagingEndpoint)
+		credentials.POST("", CredentialCreateEndpoint)
+		credentials.PUT("/:id", CredentialUpdateEndpoint)
+		credentials.DELETE("/:id", CredentialDeleteEndpoint)
+		credentials.GET("/:id", CredentialGetEndpoint)
+		credentials.POST("/:id/change-owner", Admin(CredentialChangeOwnerEndpoint))
+	}
+
+	sessions := e.Group("/sessions")
+	{
+		sessions.POST("", SessionCreateEndpoint)
+		sessions.GET("/paging", Admin(SessionPagingEndpoint))
+		sessions.POST("/:id/connect", SessionConnectEndpoint)
+		sessions.POST("/:id/disconnect", Admin(SessionDisconnectEndpoint))
+		sessions.POST("/:id/resize", SessionResizeEndpoint)
+		sessions.GET("/:id/ls", SessionLsEndpoint)
+		sessions.GET("/:id/download", SessionDownloadEndpoint)
+		sessions.POST("/:id/upload", SessionUploadEndpoint)
+		sessions.POST("/:id/mkdir", SessionMkDirEndpoint)
+		sessions.POST("/:id/rm", SessionRmEndpoint)
+		sessions.POST("/:id/rename", SessionRenameEndpoint)
+		sessions.DELETE("/:id", Admin(SessionDeleteEndpoint))
+		sessions.GET("/:id/recording", SessionRecordingEndpoint)
+	}
+
+	resourceSharers := e.Group("/resource-sharers")
+	{
+		resourceSharers.GET("/sharers", RSGetSharersEndPoint)
+		resourceSharers.POST("/overwrite-sharers", RSOverwriteSharersEndPoint)
+		resourceSharers.POST("/remove-resources", Admin(ResourceRemoveByUserIdAssignEndPoint))
+		resourceSharers.POST("/add-resources", Admin(ResourceAddByUserIdAssignEndPoint))
+	}
+
+	loginLogs := e.Group("login-logs", Admin)
+	{
+		loginLogs.GET("/paging", LoginLogPagingEndpoint)
+		loginLogs.DELETE("/:id", LoginLogDeleteEndpoint)
+	}
+
+	e.GET("/properties", Admin(PropertyGetEndpoint))
+	e.PUT("/properties", Admin(PropertyUpdateEndpoint))
+
+	e.GET("/overview/counter", OverviewCounterEndPoint)
+	e.GET("/overview/sessions", OverviewSessionPoint)
+
+	jobs := e.Group("/jobs", Admin)
+	{
+		jobs.POST("", JobCreateEndpoint)
+		jobs.GET("/paging", JobPagingEndpoint)
+		jobs.PUT("/:id", JobUpdateEndpoint)
+		jobs.POST("/:id/change-status", JobChangeStatusEndpoint)
+		jobs.POST("/:id/exec", JobExecEndpoint)
+		jobs.DELETE("/:id", JobDeleteEndpoint)
+		jobs.GET("/:id", JobGetEndpoint)
+		jobs.GET("/:id/logs", JobGetLogsEndpoint)
+		jobs.DELETE("/:id/logs", JobDeleteLogsEndpoint)
+	}
+
+	securities := e.Group("/securities", Admin)
+	{
+		securities.POST("", SecurityCreateEndpoint)
+		securities.GET("/paging", SecurityPagingEndpoint)
+		securities.PUT("/:id", SecurityUpdateEndpoint)
+		securities.DELETE("/:id", SecurityDeleteEndpoint)
+		securities.GET("/:id", SecurityGetEndpoint)
+	}
+
+	return e
+}
+
+type H map[string]interface{}
+
+func Fail(c echo.Context, code int, message string) error {
+	return c.JSON(200, H{
+		"code":    code,
+		"message": message,
+	})
+}
+
+func FailWithData(c echo.Context, code int, message string, data interface{}) error {
+	return c.JSON(200, H{
+		"code":    code,
+		"message": message,
+		"data":    data,
+	})
+}
+
+func Success(c echo.Context, data interface{}) error {
+	return c.JSON(200, H{
+		"code":    1,
+		"message": "success",
+		"data":    data,
+	})
+}
+
+func NotFound(c echo.Context, message string) error {
+	return c.JSON(200, H{
+		"code":    -1,
+		"message": message,
+	})
+}
+
+func GetToken(c echo.Context) string {
+	token := c.Request().Header.Get(Token)
+	if len(token) > 0 {
+		return token
+	}
+	return c.QueryParam(Token)
+}
+
+func GetCurrentAccount(c echo.Context) (model.User, bool) {
+	token := GetToken(c)
+	cacheKey := BuildCacheKeyByToken(token)
+	get, b := global.Cache.Get(cacheKey)
+	if b {
+		return get.(Authorization).User, true
+	}
+	return model.User{}, false
+}
+
+func HasPermission(c echo.Context, owner string) bool {
+	// 检测是否登录
+	account, found := GetCurrentAccount(c)
+	if !found {
+		return false
+	}
+	// 检测是否为管理人员
+	if constant.TypeAdmin == account.Type {
+		return true
+	}
+	// 检测是否为所有者
+	if owner == account.ID {
+		return true
+	}
+	return false
+}
--- a/server/api/security.go
+++ b/server/api/security.go
@ -0,0 +1,116 @@
+package api
+
+import (
+	"strconv"
+	"strings"
+
+	"next-terminal/server/global"
+	"next-terminal/server/model"
+	"next-terminal/server/utils"
+
+	"github.com/labstack/echo/v4"
+)
+
+func SecurityCreateEndpoint(c echo.Context) error {
+	var item model.AccessSecurity
+	if err := c.Bind(&item); err != nil {
+		return err
+	}
+
+	item.ID = utils.UUID()
+	item.Source = "管理员添加"
+
+	if err := model.CreateNewSecurity(&item); err != nil {
+		return err
+	}
+	// 更新内存中的安全规则
+	if err := ReloadAccessSecurity(); err != nil {
+		return err
+	}
+	return Success(c, "")
+}
+
+func ReloadAccessSecurity() error {
+	rules, err := model.FindAllAccessSecurities()
+	if err != nil {
+		return err
+	}
+	if len(rules) > 0 {
+		var securities []*global.Security
+		for i := 0; i < len(rules); i++ {
+			rule := global.Security{
+				IP:   rules[i].IP,
+				Rule: rules[i].Rule,
+			}
+			securities = append(securities, &rule)
+		}
+		global.Securities = securities
+	}
+	return nil
+}
+
+func SecurityPagingEndpoint(c echo.Context) error {
+	pageIndex, _ := strconv.Atoi(c.QueryParam("pageIndex"))
+	pageSize, _ := strconv.Atoi(c.QueryParam("pageSize"))
+	ip := c.QueryParam("ip")
+	rule := c.QueryParam("rule")
+
+	order := c.QueryParam("order")
+	field := c.QueryParam("field")
+
+	items, total, err := model.FindPageSecurity(pageIndex, pageSize, ip, rule, order, field)
+	if err != nil {
+		return err
+	}
+
+	return Success(c, H{
+		"total": total,
+		"items": items,
+	})
+}
+
+func SecurityUpdateEndpoint(c echo.Context) error {
+	id := c.Param("id")
+
+	var item model.AccessSecurity
+	if err := c.Bind(&item); err != nil {
+		return err
+	}
+
+	if err := model.UpdateSecurityById(&item, id); err != nil {
+		return err
+	}
+	// 更新内存中的安全规则
+	if err := ReloadAccessSecurity(); err != nil {
+		return err
+	}
+	return Success(c, nil)
+}
+
+func SecurityDeleteEndpoint(c echo.Context) error {
+	ids := c.Param("id")
+
+	split := strings.Split(ids, ",")
+	for i := range split {
+		jobId := split[i]
+		if err := model.DeleteSecurityById(jobId); err != nil {
+			return err
+		}
+	}
+	// 更新内存中的安全规则
+	if err := ReloadAccessSecurity(); err != nil {
+		return err
+	}
+	return Success(c, nil)
+}
+
+func SecurityGetEndpoint(c echo.Context) error {
+	id := c.Param("id")
+
+	item, err := model.FindSecurityById(id)
+	if err != nil {
+		return err
+	}
+
+	return Success(c, item)
+}
--- a/server/api/session.go
+++ b/server/api/session.go
@ -0,0 +1,617 @@
+package api
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net/http"
+	"os"
+	"path"
+	"strconv"
+	"strings"
+	"sync"
+
+	"next-terminal/server/constant"
+	"next-terminal/server/global"
+	"next-terminal/server/model"
+	"next-terminal/server/utils"
+
+	"github.com/labstack/echo/v4"
+	"github.com/pkg/sftp"
+	"github.com/sirupsen/logrus"
+)
+
+func SessionPagingEndpoint(c echo.Context) error {
+	pageIndex, _ := strconv.Atoi(c.QueryParam("pageIndex"))
+	pageSize, _ := strconv.Atoi(c.QueryParam("pageSize"))
+	status := c.QueryParam("status")
+	userId := c.QueryParam("userId")
+	clientIp := c.QueryParam("clientIp")
+	assetId := c.QueryParam("assetId")
+	protocol := c.QueryParam("protocol")
+
+	items, total, err := model.FindPageSession(pageIndex, pageSize, status, userId, clientIp, assetId, protocol)
+
+	if err != nil {
+		return err
+	}
+
+	for i := 0; i < len(items); i++ {
+		if status == constant.Disconnected && len(items[i].Recording) > 0 {
+
+			var recording string
+			if items[i].Mode == constant.Naive {
+				recording = items[i].Recording
+			} else {
+				recording = items[i].Recording + "/recording"
+			}
+
+			if utils.FileExists(recording) {
+				items[i].Recording = "1"
+			} else {
+				items[i].Recording = "0"
+			}
+		} else {
+			items[i].Recording = "0"
+		}
+	}
+
+	return Success(c, H{
+		"total": total,
+		"items": items,
+	})
+}
+
+func SessionDeleteEndpoint(c echo.Context) error {
+	sessionIds := c.Param("id")
+	split := strings.Split(sessionIds, ",")
+	err := model.DeleteSessionByIds(split)
+	if err != nil {
+		return err
+	}
+
+	return Success(c, nil)
+}
+
+func SessionConnectEndpoint(c echo.Context) error {
+	sessionId := c.Param("id")
+
+	session := model.Session{}
+	session.ID = sessionId
+	session.Status = constant.Connected
+	session.ConnectedTime = utils.NowJsonTime()
+
+	if err := model.UpdateSessionById(&session, sessionId); err != nil {
+		return err
+	}
+	return Success(c, nil)
+}
+
+func SessionDisconnectEndpoint(c echo.Context) error {
+	sessionIds := c.Param("id")
+
+	split := strings.Split(sessionIds, ",")
+	for i := range split {
+		CloseSessionById(split[i], ForcedDisconnect, "管理员强制关闭了此会话")
+	}
+	return Success(c, nil)
+}
+
+var mutex sync.Mutex
+
+func CloseSessionById(sessionId string, code int, reason string) {
+	mutex.Lock()
+	defer mutex.Unlock()
+	observable, _ := global.Store.Get(sessionId)
+	if observable != nil {
+		logrus.Debugf("会话%v创建者退出，原因：%v", sessionId, reason)
+		observable.Subject.Close(code, reason)
+
+		for i := 0; i < len(observable.Observers); i++ {
+			observable.Observers[i].Close(code, reason)
+			logrus.Debugf("强制踢出会话%v的观察者", sessionId)
+		}
+	}
+	global.Store.Del(sessionId)
+
+	s, err := model.FindSessionById(sessionId)
+	if err != nil {
+		return
+	}
+
+	if s.Status == constant.Disconnected {
+		return
+	}
+
+	if s.Status == constant.Connecting {
+		// 会话还未建立成功，无需保留数据
+		_ = model.DeleteSessionById(sessionId)
+		return
+	}
+
+	session := model.Session{}
+	session.ID = sessionId
+	session.Status = constant.Disconnected
+	session.DisconnectedTime = utils.NowJsonTime()
+	session.Code = code
+	session.Message = reason
+
+	_ = model.UpdateSessionById(&session, sessionId)
+}
+
+func SessionResizeEndpoint(c echo.Context) error {
+	width := c.QueryParam("width")
+	height := c.QueryParam("height")
+	sessionId := c.Param("id")
+
+	if len(width) == 0 || len(height) == 0 {
+		panic("参数异常")
+	}
+
+	intWidth, _ := strconv.Atoi(width)
+
+	intHeight, _ := strconv.Atoi(height)
+
+	if err := model.UpdateSessionWindowSizeById(intWidth, intHeight, sessionId); err != nil {
+		return err
+	}
+	return Success(c, "")
+}
+
+func SessionCreateEndpoint(c echo.Context) error {
+	assetId := c.QueryParam("assetId")
+	mode := c.QueryParam("mode")
+
+	if mode == constant.Naive {
+		mode = constant.Naive
+	} else {
+		mode = constant.Guacd
+	}
+
+	user, _ := GetCurrentAccount(c)
+
+	if constant.TypeUser == user.Type {
+		// 检测是否有访问权限
+		assetIds, err := model.FindAssetIdsByUserId(user.ID)
+		if err != nil {
+			return err
+		}
+
+		if !utils.Contains(assetIds, assetId) {
+			return errors.New("您没有权限访问此资产")
+		}
+	}
+
+	asset, err := model.FindAssetById(assetId)
+	if err != nil {
+		return err
+	}
+
+	session := &model.Session{
+		ID:         utils.UUID(),
+		AssetId:    asset.ID,
+		Username:   asset.Username,
+		Password:   asset.Password,
+		PrivateKey: asset.PrivateKey,
+		Passphrase: asset.Passphrase,
+		Protocol:   asset.Protocol,
+		IP:         asset.IP,
+		Port:       asset.Port,
+		Status:     constant.NoConnect,
+		Creator:    user.ID,
+		ClientIP:   c.RealIP(),
+		Mode:       mode,
+	}
+
+	if asset.AccountType == "credential" {
+		credential, err := model.FindCredentialById(asset.CredentialId)
+		if err != nil {
+			return err
+		}
+
+		if credential.Type == constant.Custom {
+			session.Username = credential.Username
+			session.Password = credential.Password
+		} else {
+			session.Username = credential.Username
+			session.PrivateKey = credential.PrivateKey
+			session.Passphrase = credential.Passphrase
+		}
+	}
+
+	if err := model.CreateNewSession(session); err != nil {
+		return err
+	}
+
+	return Success(c, echo.Map{"id": session.ID})
+}
+
+func SessionUploadEndpoint(c echo.Context) error {
+	sessionId := c.Param("id")
+	session, err := model.FindSessionById(sessionId)
+	if err != nil {
+		return err
+	}
+	file, err := c.FormFile("file")
+	if err != nil {
+		return err
+	}
+
+	filename := file.Filename
+	src, err := file.Open()
+	if err != nil {
+		return err
+	}
+
+	remoteDir := c.QueryParam("dir")
+	remoteFile := path.Join(remoteDir, filename)
+
+	if "ssh" == session.Protocol {
+		tun, ok := global.Store.Get(sessionId)
+		if !ok {
+			return errors.New("获取sftp客户端失败")
+		}
+
+		dstFile, err := tun.Subject.NextTerminal.SftpClient.Create(remoteFile)
+		if err != nil {
+			return err
+		}
+		defer dstFile.Close()
+
+		buf := make([]byte, 1024)
+		for {
+			n, err := src.Read(buf)
+			if err != nil {
+				if err != io.EOF {
+					logrus.Warnf("文件上传错误 %v", err)
+				} else {
+					break
+				}
+			}
+			_, _ = dstFile.Write(buf[:n])
+		}
+		return Success(c, nil)
+	} else if "rdp" == session.Protocol {
+
+		if strings.Contains(remoteFile, "../") {
+			SafetyRuleTrigger(c)
+			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
+		}
+
+		drivePath, err := model.GetDrivePath()
+		if err != nil {
+			return err
+		}
+
+		// Destination
+		dst, err := os.Create(path.Join(drivePath, remoteFile))
+		if err != nil {
+			return err
+		}
+		defer dst.Close()
+
+		// Copy
+		if _, err = io.Copy(dst, src); err != nil {
+			return err
+		}
+		return Success(c, nil)
+	}
+
+	return err
+}
+
+func SessionDownloadEndpoint(c echo.Context) error {
+	sessionId := c.Param("id")
+	session, err := model.FindSessionById(sessionId)
+	if err != nil {
+		return err
+	}
+	//remoteDir := c.Query("dir")
+	remoteFile := c.QueryParam("file")
+	// 获取带后缀的文件名称
+	filenameWithSuffix := path.Base(remoteFile)
+	if "ssh" == session.Protocol {
+		tun, ok := global.Store.Get(sessionId)
+		if !ok {
+			return errors.New("获取sftp客户端失败")
+		}
+
+		dstFile, err := tun.Subject.NextTerminal.SftpClient.Open(remoteFile)
+		if err != nil {
+			return err
+		}
+
+		defer dstFile.Close()
+		c.Response().Header().Set("Content-Disposition", fmt.Sprintf("attachment; filename=%s", filenameWithSuffix))
+
+		var buff bytes.Buffer
+		if _, err := dstFile.WriteTo(&buff); err != nil {
+			return err
+		}
+
+		return c.Stream(http.StatusOK, echo.MIMEOctetStream, bytes.NewReader(buff.Bytes()))
+	} else if "rdp" == session.Protocol {
+		if strings.Contains(remoteFile, "../") {
+			SafetyRuleTrigger(c)
+			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
+		}
+		drivePath, err := model.GetDrivePath()
+		if err != nil {
+			return err
+		}
+		return c.Attachment(path.Join(drivePath, remoteFile), filenameWithSuffix)
+	}
+
+	return err
+}
+
+type File struct {
+	Name    string         `json:"name"`
+	Path    string         `json:"path"`
+	IsDir   bool           `json:"isDir"`
+	Mode    string         `json:"mode"`
+	IsLink  bool           `json:"isLink"`
+	ModTime utils.JsonTime `json:"modTime"`
+	Size    int64          `json:"size"`
+}
+
+func SessionLsEndpoint(c echo.Context) error {
+	sessionId := c.Param("id")
+	session, err := model.FindSessionById(sessionId)
+	if err != nil {
+		return err
+	}
+	remoteDir := c.QueryParam("dir")
+	if "ssh" == session.Protocol {
+		tun, ok := global.Store.Get(sessionId)
+		if !ok {
+			return errors.New("获取sftp客户端失败")
+		}
+
+		if tun.Subject.NextTerminal == nil {
+			nextTerminal, err := CreateNextTerminalBySession(session)
+			if err != nil {
+				return err
+			}
+			tun.Subject.NextTerminal = nextTerminal
+		}
+
+		if tun.Subject.NextTerminal.SftpClient == nil {
+			sftpClient, err := sftp.NewClient(tun.Subject.NextTerminal.SshClient)
+			if err != nil {
+				logrus.Errorf("创建sftp客户端失败：%v", err.Error())
+				return err
+			}
+			tun.Subject.NextTerminal.SftpClient = sftpClient
+		}
+
+		fileInfos, err := tun.Subject.NextTerminal.SftpClient.ReadDir(remoteDir)
+		if err != nil {
+			return err
+		}
+
+		var files = make([]File, 0)
+		for i := range fileInfos {
+
+			// 忽略因此文件
+			if strings.HasPrefix(fileInfos[i].Name(), ".") {
+				continue
+			}
+
+			file := File{
+				Name:    fileInfos[i].Name(),
+				Path:    path.Join(remoteDir, fileInfos[i].Name()),
+				IsDir:   fileInfos[i].IsDir(),
+				Mode:    fileInfos[i].Mode().String(),
+				IsLink:  fileInfos[i].Mode()&os.ModeSymlink == os.ModeSymlink,
+				ModTime: utils.NewJsonTime(fileInfos[i].ModTime()),
+				Size:    fileInfos[i].Size(),
+			}
+
+			files = append(files, file)
+		}
+
+		return Success(c, files)
+	} else if "rdp" == session.Protocol {
+		if strings.Contains(remoteDir, "../") {
+			SafetyRuleTrigger(c)
+			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
+		}
+		drivePath, err := model.GetDrivePath()
+		if err != nil {
+			return err
+		}
+		fileInfos, err := ioutil.ReadDir(path.Join(drivePath, remoteDir))
+		if err != nil {
+			return err
+		}
+
+		var files = make([]File, 0)
+		for i := range fileInfos {
+			file := File{
+				Name:    fileInfos[i].Name(),
+				Path:    path.Join(remoteDir, fileInfos[i].Name()),
+				IsDir:   fileInfos[i].IsDir(),
+				Mode:    fileInfos[i].Mode().String(),
+				IsLink:  fileInfos[i].Mode()&os.ModeSymlink == os.ModeSymlink,
+				ModTime: utils.NewJsonTime(fileInfos[i].ModTime()),
+				Size:    fileInfos[i].Size(),
+			}
+
+			files = append(files, file)
+		}
+
+		return Success(c, files)
+	}
+
+	return errors.New("当前协议不支持此操作")
+}
+
+func SafetyRuleTrigger(c echo.Context) {
+	logrus.Warnf("IP %v 尝试进行攻击，请ban掉此IP", c.RealIP())
+	security := model.AccessSecurity{
+		ID:     utils.UUID(),
+		Source: "安全规则触发",
+		IP:     c.RealIP(),
+		Rule:   constant.AccessRuleReject,
+	}
+
+	_ = model.CreateNewSecurity(&security)
+}
+
+func SessionMkDirEndpoint(c echo.Context) error {
+	sessionId := c.Param("id")
+	session, err := model.FindSessionById(sessionId)
+	if err != nil {
+		return err
+	}
+	remoteDir := c.QueryParam("dir")
+	if "ssh" == session.Protocol {
+		tun, ok := global.Store.Get(sessionId)
+		if !ok {
+			return errors.New("获取sftp客户端失败")
+		}
+		if err := tun.Subject.NextTerminal.SftpClient.Mkdir(remoteDir); err != nil {
+			return err
+		}
+		return Success(c, nil)
+	} else if "rdp" == session.Protocol {
+		if strings.Contains(remoteDir, "../") {
+			SafetyRuleTrigger(c)
+			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
+		}
+		drivePath, err := model.GetDrivePath()
+		if err != nil {
+			return err
+		}
+
+		if err := os.MkdirAll(path.Join(drivePath, remoteDir), os.ModePerm); err != nil {
+			return err
+		}
+		return Success(c, nil)
+	}
+
+	return errors.New("当前协议不支持此操作")
+}
+
+func SessionRmEndpoint(c echo.Context) error {
+	sessionId := c.Param("id")
+	session, err := model.FindSessionById(sessionId)
+	if err != nil {
+		return err
+	}
+	key := c.QueryParam("key")
+	if "ssh" == session.Protocol {
+		tun, ok := global.Store.Get(sessionId)
+		if !ok {
+			return errors.New("获取sftp客户端失败")
+		}
+
+		sftpClient := tun.Subject.NextTerminal.SftpClient
+
+		stat, err := sftpClient.Stat(key)
+		if err != nil {
+			return err
+		}
+
+		if stat.IsDir() {
+			fileInfos, err := sftpClient.ReadDir(key)
+			if err != nil {
+				return err
+			}
+
+			for i := range fileInfos {
+				if err := sftpClient.Remove(path.Join(key, fileInfos[i].Name())); err != nil {
+					return err
+				}
+			}
+
+			if err := sftpClient.RemoveDirectory(key); err != nil {
+				return err
+			}
+		} else {
+			if err := sftpClient.Remove(key); err != nil {
+				return err
+			}
+		}
+
+		return Success(c, nil)
+	} else if "rdp" == session.Protocol {
+		if strings.Contains(key, "../") {
+			SafetyRuleTrigger(c)
+			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
+		}
+		drivePath, err := model.GetDrivePath()
+		if err != nil {
+			return err
+		}
+
+		if err := os.RemoveAll(path.Join(drivePath, key)); err != nil {
+			return err
+		}
+
+		return Success(c, nil)
+	}
+
+	return errors.New("当前协议不支持此操作")
+}
+
+func SessionRenameEndpoint(c echo.Context) error {
+	sessionId := c.Param("id")
+	session, err := model.FindSessionById(sessionId)
+	if err != nil {
+		return err
+	}
+	oldName := c.QueryParam("oldName")
+	newName := c.QueryParam("newName")
+	if "ssh" == session.Protocol {
+		tun, ok := global.Store.Get(sessionId)
+		if !ok {
+			return errors.New("获取sftp客户端失败")
+		}
+
+		sftpClient := tun.Subject.NextTerminal.SftpClient
+
+		if err := sftpClient.Rename(oldName, newName); err != nil {
+			return err
+		}
+
+		return Success(c, nil)
+	} else if "rdp" == session.Protocol {
+		if strings.Contains(oldName, "../") {
+			SafetyRuleTrigger(c)
+			return Fail(c, -1, ":) 您的IP已被记录，请去向管理员自首。")
+		}
+		drivePath, err := model.GetDrivePath()
+		if err != nil {
+			return err
+		}
+
+		if err := os.Rename(path.Join(drivePath, oldName), path.Join(drivePath, newName)); err != nil {
+			return err
+		}
+
+		return Success(c, nil)
+	}
+	return errors.New("当前协议不支持此操作")
+}
+
+func SessionRecordingEndpoint(c echo.Context) error {
+	sessionId := c.Param("id")
+	session, err := model.FindSessionById(sessionId)
+	if err != nil {
+		return err
+	}
+
+	var recording string
+	if session.Mode == constant.Naive {
+		recording = session.Recording
+	} else {
+		recording = session.Recording + "/recording"
+	}
+
+	logrus.Debugf("读取录屏文件：%v,是否存在: %v, 是否为文件: %v", recording, utils.FileExists(recording), utils.IsFile(recording))
+	return c.File(recording)
+}
--- a/server/api/ssh.go
+++ b/server/api/ssh.go
@ -0,0 +1,264 @@
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+	"path"
+	"strconv"
+	"time"
+
+	"next-terminal/server/constant"
+	"next-terminal/server/global"
+	"next-terminal/server/guacd"
+	"next-terminal/server/model"
+	"next-terminal/server/term"
+	"next-terminal/server/utils"
+
+	"github.com/gorilla/websocket"
+	"github.com/labstack/echo/v4"
+	"github.com/sirupsen/logrus"
+)
+
+var UpGrader = websocket.Upgrader{
+	CheckOrigin: func(r *http.Request) bool {
+		return true
+	},
+	Subprotocols: []string{"guacamole"},
+}
+
+const (
+	Connected = "connected"
+	Data      = "data"
+	Resize    = "resize"
+	Closed    = "closed"
+)
+
+type Message struct {
+	Type    string `json:"type"`
+	Content string `json:"content"`
+}
+
+type WindowSize struct {
+	Cols int `json:"cols"`
+	Rows int `json:"rows"`
+}
+
+func SSHEndpoint(c echo.Context) (err error) {
+	ws, err := UpGrader.Upgrade(c.Response().Writer, c.Request(), nil)
+	if err != nil {
+		logrus.Errorf("升级为WebSocket协议失败：%v", err.Error())
+		return err
+	}
+
+	sessionId := c.QueryParam("sessionId")
+	cols, _ := strconv.Atoi(c.QueryParam("cols"))
+	rows, _ := strconv.Atoi(c.QueryParam("rows"))
+
+	session, err := model.FindSessionById(sessionId)
+	if err != nil {
+		msg := Message{
+			Type:    Closed,
+			Content: "get sshSession error." + err.Error(),
+		}
+		_ = WriteMessage(ws, msg)
+		return err
+	}
+
+	user, _ := GetCurrentAccount(c)
+	if constant.TypeUser == user.Type {
+		// 检测是否有访问权限
+		assetIds, err := model.FindAssetIdsByUserId(user.ID)
+		if err != nil {
+			return err
+		}
+
+		if !utils.Contains(assetIds, session.AssetId) {
+			msg := Message{
+				Type:    Closed,
+				Content: "您没有权限访问此资产",
+			}
+			return WriteMessage(ws, msg)
+		}
+	}
+
+	var (
+		username   = session.Username
+		password   = session.Password
+		privateKey = session.PrivateKey
+		passphrase = session.Passphrase
+		ip         = session.IP
+		port       = session.Port
+	)
+
+	recording := ""
+	propertyMap := model.FindAllPropertiesMap()
+	if propertyMap[guacd.EnableRecording] == "true" {
+		recording = path.Join(propertyMap[guacd.RecordingPath], sessionId, "recording.cast")
+	}
+
+	tun := global.Tun{
+		Protocol:  session.Protocol,
+		Mode:      session.Mode,
+		WebSocket: ws,
+	}
+
+	if session.ConnectionId != "" {
+		// 监控会话
+		observable, ok := global.Store.Get(sessionId)
+		if ok {
+			observers := append(observable.Observers, tun)
+			observable.Observers = observers
+			global.Store.Set(sessionId, observable)
+			logrus.Debugf("加入会话%v,当前观察者数量为：%v", session.ConnectionId, len(observers))
+		}
+
+		return err
+	}
+
+	nextTerminal, err := term.NewNextTerminal(ip, port, username, password, privateKey, passphrase, rows, cols, recording)
+
+	if err != nil {
+		logrus.Errorf("创建SSH客户端失败：%v", err.Error())
+		msg := Message{
+			Type:    Closed,
+			Content: err.Error(),
+		}
+		err := WriteMessage(ws, msg)
+		return err
+	}
+	tun.NextTerminal = nextTerminal
+
+	var observers []global.Tun
+	observable := global.Observable{
+		Subject:   &tun,
+		Observers: observers,
+	}
+
+	global.Store.Set(sessionId, &observable)
+
+	sess := model.Session{
+		ConnectionId: sessionId,
+		Width:        cols,
+		Height:       rows,
+		Status:       constant.Connecting,
+		Recording:    recording,
+	}
+	// 创建新会话
+	logrus.Debugf("创建新会话 %v", sess.ConnectionId)
+	if err := model.UpdateSessionById(&sess, sessionId); err != nil {
+		return err
+	}
+
+	msg := Message{
+		Type:    Connected,
+		Content: "",
+	}
+	_ = WriteMessage(ws, msg)
+
+	quitChan := make(chan bool)
+
+	go ReadMessage(nextTerminal, quitChan, ws)
+
+	for {
+		_, message, err := ws.ReadMessage()
+		if err != nil {
+			// web socket会话关闭后主动关闭ssh会话
+			CloseSessionById(sessionId, Normal, "正常退出")
+			quitChan <- true
+			quitChan <- true
+			break
+		}
+
+		var msg Message
+		err = json.Unmarshal(message, &msg)
+		if err != nil {
+			logrus.Warnf("解析Json失败: %v, 原始字符串：%v", err, string(message))
+			continue
+		}
+
+		switch msg.Type {
+		case Resize:
+			var winSize WindowSize
+			err = json.Unmarshal([]byte(msg.Content), &winSize)
+			if err != nil {
+				logrus.Warnf("解析SSH会话窗口大小失败: %v", err)
+				continue
+			}
+			if err := nextTerminal.WindowChange(winSize.Rows, winSize.Cols); err != nil {
+				logrus.Warnf("更改SSH会话窗口大小失败: %v", err)
+				continue
+			}
+		case Data:
+			_, err = nextTerminal.Write([]byte(msg.Content))
+			if err != nil {
+				logrus.Debugf("SSH会话写入失败: %v", err)
+				msg := Message{
+					Type:    Closed,
+					Content: "the remote connection is closed.",
+				}
+				_ = WriteMessage(ws, msg)
+			}
+		}
+
+	}
+	return err
+}
+
+func ReadMessage(nextTerminal *term.NextTerminal, quitChan chan bool, ws *websocket.Conn) {
+
+	var quit bool
+	for {
+		select {
+		case quit = <-quitChan:
+			if quit {
+				return
+			}
+		default:
+			p, n, err := nextTerminal.Read()
+			if err != nil {
+				msg := Message{
+					Type:    Closed,
+					Content: err.Error(),
+				}
+				_ = WriteMessage(ws, msg)
+			}
+			if n > 0 {
+				s := string(p)
+				msg := Message{
+					Type:    Data,
+					Content: s,
+				}
+				_ = WriteMessage(ws, msg)
+			}
+			time.Sleep(time.Duration(10) * time.Millisecond)
+		}
+	}
+}
+
+func WriteMessage(ws *websocket.Conn, msg Message) error {
+	message, err := json.Marshal(msg)
+	if err != nil {
+		return err
+	}
+	WriteByteMessage(ws, message)
+	return err
+}
+
+func WriteByteMessage(ws *websocket.Conn, p []byte) {
+	err := ws.WriteMessage(websocket.TextMessage, p)
+	if err != nil {
+		logrus.Debugf("write: %v", err)
+	}
+}
+
+func CreateNextTerminalBySession(session model.Session) (*term.NextTerminal, error) {
+	var (
+		username   = session.Username
+		password   = session.Password
+		privateKey = session.PrivateKey
+		passphrase = session.Passphrase
+		ip         = session.IP
+		port       = session.Port
+	)
+	return term.NewNextTerminal(ip, port, username, password, privateKey, passphrase, 10, 10, "")
+}
--- a/server/api/tunnel.go
+++ b/server/api/tunnel.go
@ -0,0 +1,251 @@
+package api
+
+import (
+	"errors"
+	"path"
+	"strconv"
+
+	"next-terminal/server/constant"
+	"next-terminal/server/global"
+	"next-terminal/server/guacd"
+	"next-terminal/server/model"
+
+	"github.com/gorilla/websocket"
+	"github.com/labstack/echo/v4"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	TunnelClosed     int = -1
+	Normal           int = 0
+	NotFoundSession  int = 800
+	NewTunnelError   int = 801
+	ForcedDisconnect int = 802
+)
+
+func TunEndpoint(c echo.Context) error {
+
+	ws, err := UpGrader.Upgrade(c.Response().Writer, c.Request(), nil)
+	if err != nil {
+		logrus.Errorf("升级为WebSocket协议失败：%v", err.Error())
+		return err
+	}
+
+	width := c.QueryParam("width")
+	height := c.QueryParam("height")
+	dpi := c.QueryParam("dpi")
+	sessionId := c.QueryParam("sessionId")
+	connectionId := c.QueryParam("connectionId")
+
+	intWidth, _ := strconv.Atoi(width)
+	intHeight, _ := strconv.Atoi(height)
+
+	configuration := guacd.NewConfiguration()
+
+	propertyMap := model.FindAllPropertiesMap()
+
+	var session model.Session
+
+	if len(connectionId) > 0 {
+		session, err = model.FindSessionByConnectionId(connectionId)
+		if err != nil {
+			logrus.Warnf("会话不存在")
+			return err
+		}
+		if session.Status != constant.Connected {
+			logrus.Warnf("会话未在线")
+			return errors.New("会话未在线")
+		}
+		configuration.ConnectionID = connectionId
+		sessionId = session.ID
+		configuration.SetParameter("width", strconv.Itoa(session.Width))
+		configuration.SetParameter("height", strconv.Itoa(session.Height))
+		configuration.SetParameter("dpi", "96")
+	} else {
+		configuration.SetParameter("width", width)
+		configuration.SetParameter("height", height)
+		configuration.SetParameter("dpi", dpi)
+		session, err = model.FindSessionById(sessionId)
+		if err != nil {
+			CloseSessionById(sessionId, NotFoundSession, "会话不存在")
+			return err
+		}
+
+		if propertyMap[guacd.EnableRecording] == "true" {
+			configuration.SetParameter(guacd.RecordingPath, path.Join(propertyMap[guacd.RecordingPath], sessionId))
+			configuration.SetParameter(guacd.CreateRecordingPath, propertyMap[guacd.CreateRecordingPath])
+		} else {
+			configuration.SetParameter(guacd.RecordingPath, "")
+		}
+
+		configuration.Protocol = session.Protocol
+		switch configuration.Protocol {
+		case "rdp":
+			configuration.SetParameter("username", session.Username)
+			configuration.SetParameter("password", session.Password)
+
+			configuration.SetParameter("security", "any")
+			configuration.SetParameter("ignore-cert", "true")
+			configuration.SetParameter("create-drive-path", "true")
+			configuration.SetParameter("resize-method", "reconnect")
+			configuration.SetParameter(guacd.EnableDrive, propertyMap[guacd.EnableDrive])
+			configuration.SetParameter(guacd.DriveName, propertyMap[guacd.DriveName])
+			configuration.SetParameter(guacd.DrivePath, propertyMap[guacd.DrivePath])
+			configuration.SetParameter(guacd.EnableWallpaper, propertyMap[guacd.EnableWallpaper])
+			configuration.SetParameter(guacd.EnableTheming, propertyMap[guacd.EnableTheming])
+			configuration.SetParameter(guacd.EnableFontSmoothing, propertyMap[guacd.EnableFontSmoothing])
+			configuration.SetParameter(guacd.EnableFullWindowDrag, propertyMap[guacd.EnableFullWindowDrag])
+			configuration.SetParameter(guacd.EnableDesktopComposition, propertyMap[guacd.EnableDesktopComposition])
+			configuration.SetParameter(guacd.EnableMenuAnimations, propertyMap[guacd.EnableMenuAnimations])
+			configuration.SetParameter(guacd.DisableBitmapCaching, propertyMap[guacd.DisableBitmapCaching])
+			configuration.SetParameter(guacd.DisableOffscreenCaching, propertyMap[guacd.DisableOffscreenCaching])
+			configuration.SetParameter(guacd.DisableGlyphCaching, propertyMap[guacd.DisableGlyphCaching])
+		case "ssh":
+			if len(session.PrivateKey) > 0 && session.PrivateKey != "-" {
+				configuration.SetParameter("username", session.Username)
+				configuration.SetParameter("private-key", session.PrivateKey)
+				configuration.SetParameter("passphrase", session.Passphrase)
+			} else {
+				configuration.SetParameter("username", session.Username)
+				configuration.SetParameter("password", session.Password)
+			}
+
+			configuration.SetParameter(guacd.FontSize, propertyMap[guacd.FontSize])
+			configuration.SetParameter(guacd.FontName, propertyMap[guacd.FontName])
+			configuration.SetParameter(guacd.ColorScheme, propertyMap[guacd.ColorScheme])
+			configuration.SetParameter(guacd.Backspace, propertyMap[guacd.Backspace])
+			configuration.SetParameter(guacd.TerminalType, propertyMap[guacd.TerminalType])
+		case "vnc":
+			configuration.SetParameter("username", session.Username)
+			configuration.SetParameter("password", session.Password)
+		case "telnet":
+			configuration.SetParameter("username", session.Username)
+			configuration.SetParameter("password", session.Password)
+
+			configuration.SetParameter(guacd.FontSize, propertyMap[guacd.FontSize])
+			configuration.SetParameter(guacd.FontName, propertyMap[guacd.FontName])
+			configuration.SetParameter(guacd.ColorScheme, propertyMap[guacd.ColorScheme])
+			configuration.SetParameter(guacd.Backspace, propertyMap[guacd.Backspace])
+			configuration.SetParameter(guacd.TerminalType, propertyMap[guacd.TerminalType])
+		case "kubernetes":
+
+			configuration.SetParameter(guacd.FontSize, propertyMap[guacd.FontSize])
+			configuration.SetParameter(guacd.FontName, propertyMap[guacd.FontName])
+			configuration.SetParameter(guacd.ColorScheme, propertyMap[guacd.ColorScheme])
+			configuration.SetParameter(guacd.Backspace, propertyMap[guacd.Backspace])
+			configuration.SetParameter(guacd.TerminalType, propertyMap[guacd.TerminalType])
+		default:
+			logrus.WithField("configuration.Protocol", configuration.Protocol).Error("UnSupport Protocol")
+			return Fail(c, 400, "不支持的协议")
+		}
+
+		configuration.SetParameter("hostname", session.IP)
+		configuration.SetParameter("port", strconv.Itoa(session.Port))
+
+		// 加载资产配置的属性，优先级比全局配置的高，因此最后加载，覆盖掉全局配置
+		attributes, _ := model.FindAssetAttributeByAssetId(session.AssetId)
+		if len(attributes) > 0 {
+			for i := range attributes {
+				attribute := attributes[i]
+				configuration.SetParameter(attribute.Name, attribute.Value)
+			}
+		}
+	}
+	for name := range configuration.Parameters {
+		// 替换数据库空格字符串占位符为真正的空格
+		if configuration.Parameters[name] == "-" {
+			configuration.Parameters[name] = ""
+		}
+	}
+
+	addr := propertyMap[guacd.Host] + ":" + propertyMap[guacd.Port]
+
+	tunnel, err := guacd.NewTunnel(addr, configuration)
+	if err != nil {
+		if connectionId == "" {
+			CloseSessionById(sessionId, NewTunnelError, err.Error())
+		}
+		logrus.Printf("建立连接失败: %v", err.Error())
+		return err
+	}
+
+	tun := global.Tun{
+		Protocol:  session.Protocol,
+		Mode:      session.Mode,
+		WebSocket: ws,
+		Tunnel:    tunnel,
+	}
+
+	if len(session.ConnectionId) == 0 {
+
+		var observers []global.Tun
+		observable := global.Observable{
+			Subject:   &tun,
+			Observers: observers,
+		}
+
+		global.Store.Set(sessionId, &observable)
+
+		sess := model.Session{
+			ConnectionId: tunnel.UUID,
+			Width:        intWidth,
+			Height:       intHeight,
+			Status:       constant.Connecting,
+			Recording:    configuration.GetParameter(guacd.RecordingPath),
+		}
+		// 创建新会话
+		logrus.Debugf("创建新会话 %v", sess.ConnectionId)
+		if err := model.UpdateSessionById(&sess, sessionId); err != nil {
+			return err
+		}
+	} else {
+		// 监控会话
+		observable, ok := global.Store.Get(sessionId)
+		if ok {
+			observers := append(observable.Observers, tun)
+			observable.Observers = observers
+			global.Store.Set(sessionId, observable)
+			logrus.Debugf("加入会话%v,当前观察者数量为：%v", session.ConnectionId, len(observers))
+		}
+	}
+
+	go func() {
+		for {
+			instruction, err := tunnel.Read()
+			if err != nil {
+				if connectionId == "" {
+					CloseSessionById(sessionId, TunnelClosed, "远程连接关闭")
+				}
+				break
+			}
+			if len(instruction) == 0 {
+				continue
+			}
+			err = ws.WriteMessage(websocket.TextMessage, instruction)
+			if err != nil {
+				if connectionId == "" {
+					CloseSessionById(sessionId, Normal, "正常退出")
+				}
+				break
+			}
+		}
+	}()
+
+	for {
+		_, message, err := ws.ReadMessage()
+		if err != nil {
+			if connectionId == "" {
+				CloseSessionById(sessionId, Normal, "正常退出")
+			}
+			break
+		}
+		_, err = tunnel.WriteAndFlush(message)
+		if err != nil {
+			if connectionId == "" {
+				CloseSessionById(sessionId, TunnelClosed, "远程连接关闭")
+			}
+			break
+		}
+	}
+	return err
+}
--- a/server/api/user-group.go
+++ b/server/api/user-group.go
@ -0,0 +1,136 @@
+package api
+
+import (
+	"strconv"
+	"strings"
+
+	"next-terminal/server/global"
+	"next-terminal/server/model"
+	"next-terminal/server/utils"
+
+	"github.com/labstack/echo/v4"
+)
+
+type UserGroup struct {
+	Id      string   `json:"id"`
+	Name    string   `json:"name"`
+	Members []string `json:"members"`
+}
+
+func UserGroupCreateEndpoint(c echo.Context) error {
+	var item UserGroup
+	if err := c.Bind(&item); err != nil {
+		return err
+	}
+
+	userGroup := model.UserGroup{
+		ID:      utils.UUID(),
+		Created: utils.NowJsonTime(),
+		Name:    item.Name,
+	}
+
+	if err := model.CreateNewUserGroup(&userGroup, item.Members); err != nil {
+		return err
+	}
+
+	return Success(c, item)
+}
+
+func UserGroupPagingEndpoint(c echo.Context) error {
+	pageIndex, _ := strconv.Atoi(c.QueryParam("pageIndex"))
+	pageSize, _ := strconv.Atoi(c.QueryParam("pageSize"))
+	name := c.QueryParam("name")
+
+	order := c.QueryParam("order")
+	field := c.QueryParam("field")
+
+	items, total, err := model.FindPageUserGroup(pageIndex, pageSize, name, order, field)
+	if err != nil {
+		return err
+	}
+
+	return Success(c, H{
+		"total": total,
+		"items": items,
+	})
+}
+
+func UserGroupUpdateEndpoint(c echo.Context) error {
+	id := c.Param("id")
+
+	var item UserGroup
+	if err := c.Bind(&item); err != nil {
+		return err
+	}
+	userGroup := model.UserGroup{
+		Name: item.Name,
+	}
+
+	if err := model.UpdateUserGroupById(&userGroup, item.Members, id); err != nil {
+		return err
+	}
+
+	return Success(c, nil)
+}
+
+func UserGroupDeleteEndpoint(c echo.Context) error {
+	ids := c.Param("id")
+	split := strings.Split(ids, ",")
+	for i := range split {
+		userId := split[i]
+		model.DeleteUserGroupById(userId)
+	}
+
+	return Success(c, nil)
+}
+
+func UserGroupGetEndpoint(c echo.Context) error {
+	id := c.Param("id")
+
+	item, err := model.FindUserGroupById(id)
+	if err != nil {
+		return err
+	}
+
+	members, err := model.FindUserGroupMembersByUserGroupId(id)
+	if err != nil {
+		return err
+	}
+
+	userGroup := UserGroup{
+		Id:      item.ID,
+		Name:    item.Name,
+		Members: members,
+	}
+
+	return Success(c, userGroup)
+}
+
+func UserGroupAddMembersEndpoint(c echo.Context) error {
+	id := c.Param("id")
+
+	var items []string
+	if err := c.Bind(&items); err != nil {
+		return err
+	}
+
+	if err := model.AddUserGroupMembers(global.DB, items, id); err != nil {
+		return err
+	}
+	return Success(c, "")
+}
+
+func UserGroupDelMembersEndpoint(c echo.Context) (err error) {
+	id := c.Param("id")
+	memberIdsStr := c.Param("memberId")
+	memberIds := strings.Split(memberIdsStr, ",")
+	for i := range memberIds {
+		memberId := memberIds[i]
+		err = global.DB.Where("user_group_id = ? and user_id = ?", id, memberId).Delete(&model.UserGroupMember{}).Error
+		if err != nil {
+			return err
+		}
+	}
+
+	return Success(c, "")
+}
--- a/server/api/user.go
+++ b/server/api/user.go
@ -0,0 +1,163 @@
+package api
+
+import (
+	"strconv"
+	"strings"
+
+	"next-terminal/server/global"
+	"next-terminal/server/model"
+	"next-terminal/server/utils"
+
+	"github.com/labstack/echo/v4"
+	"github.com/sirupsen/logrus"
+)
+
+func UserCreateEndpoint(c echo.Context) error {
+	var item model.User
+	if err := c.Bind(&item); err != nil {
+		return err
+	}
+	password := item.Password
+
+	var pass []byte
+	var err error
+	if pass, err = utils.Encoder.Encode([]byte(password)); err != nil {
+		return err
+	}
+	item.Password = string(pass)
+
+	item.ID = utils.UUID()
+	item.Created = utils.NowJsonTime()
+
+	if err := userRepository.Create(&item); err != nil {
+		return err
+	}
+
+	if item.Mail != "" {
+		go model.SendMail(item.Mail, "[Next Terminal] 注册通知", "你好，"+item.Nickname+"。管理员为你注册了账号："+item.Username+" 密码："+password)
+	}
+	return Success(c, item)
+}
+
+func UserPagingEndpoint(c echo.Context) error {
+	pageIndex, _ := strconv.Atoi(c.QueryParam("pageIndex"))
+	pageSize, _ := strconv.Atoi(c.QueryParam("pageSize"))
+	username := c.QueryParam("username")
+	nickname := c.QueryParam("nickname")
+	mail := c.QueryParam("mail")
+
+	order := c.QueryParam("order")
+	field := c.QueryParam("field")
+
+	items, total, err := userRepository.Find(pageIndex, pageSize, username, nickname, mail, order, field)
+	if err != nil {
+		return err
+	}
+
+	return Success(c, H{
+		"total": total,
+		"items": items,
+	})
+}
+
+func UserUpdateEndpoint(c echo.Context) error {
+	id := c.Param("id")
+
+	var item model.User
+	if err := c.Bind(&item); err != nil {
+		return err
+	}
+	item.ID = id
+
+	if err := userRepository.Update(&item); err != nil {
+		return err
+	}
+
+	return Success(c, nil)
+}
+
+func UserDeleteEndpoint(c echo.Context) error {
+	ids := c.Param("id")
+	account, found := GetCurrentAccount(c)
+	if !found {
+		return Fail(c, -1, "获取当前登录账户失败")
+	}
+	split := strings.Split(ids, ",")
+	for i := range split {
+		userId := split[i]
+		if account.ID == userId {
+			return Fail(c, -1, "不允许删除自身账户")
+		}
+		// 将用户强制下线
+		loginLogs, err := model.FindAliveLoginLogsByUserId(userId)
+		if err != nil {
+			return err
+		}
+
+		for j := range loginLogs {
+			global.Cache.Delete(loginLogs[j].ID)
+			if err := model.Logout(loginLogs[j].ID); err != nil {
+				logrus.WithError(err).WithField("id:", loginLogs[j].ID).Error("Cache Deleted Error")
+				return Fail(c, 500, "强制下线错误")
+			}
+		}
+
+		// 删除用户
+		if err := userRepository.DeleteById(userId); err != nil {
+			return err
+		}
+	}
+
+	return Success(c, nil)
+}
+
+func UserGetEndpoint(c echo.Context) error {
+	id := c.Param("id")
+
+	item, err := userRepository.FindById(id)
+	if err != nil {
+		return err
+	}
+
+	return Success(c, item)
+}
+
+func UserChangePasswordEndpoint(c echo.Context) error {
+	id := c.Param("id")
+	password := c.QueryParam("password")
+
+	user, err := userRepository.FindById(id)
+	if err != nil {
+		return err
+	}
+
+	passwd, err := utils.Encoder.Encode([]byte(password))
+	if err != nil {
+		return err
+	}
+	u := &model.User{
+		Password: string(passwd),
+		ID:       id,
+	}
+	if err := userRepository.Update(u); err != nil {
+		return err
+	}
+
+	if user.Mail != "" {
+		go model.SendMail(user.Mail, "[Next Terminal] 密码修改通知", "你好，"+user.Nickname+"。管理员已将你的密码修改为："+password)
+	}
+
+	return Success(c, "")
+}
+
+func UserResetTotpEndpoint(c echo.Context) error {
+	id := c.Param("id")
+	u := &model.User{
+		TOTPSecret: "-",
+		ID:         id,
+	}
+	if err := userRepository.Update(u); err != nil {
+		return err
+	}
+	return Success(c, "")
+}