next-terminal/server/api/middleware.go

package api

import (
	"fmt"
	"net"
	"strings"
	"time"

	"next-terminal/server/constant"
	"next-terminal/server/global/cache"
	"next-terminal/server/global/security"
	"next-terminal/server/utils"

	"github.com/labstack/echo/v4"
)

func ErrorHandler(next echo.HandlerFunc) echo.HandlerFunc {
	return func(c echo.Context) error {

		if err := next(c); err != nil {

			if he, ok := err.(*echo.HTTPError); ok {
				message := fmt.Sprintf("%v", he.Message)
				return Fail(c, he.Code, message)
			}

			return Fail(c, 0, err.Error())
		}
		return nil
	}
}

func TcpWall(next echo.HandlerFunc) echo.HandlerFunc {

	return func(c echo.Context) error {
		securities := security.GlobalSecurityManager.Values()
		if len(securities) == 0 {
			return next(c)
		}

		ip := c.RealIP()

		for _, s := range securities {
			if strings.Contains(s.IP, "/") {
				// CIDR
				_, ipNet, err := net.ParseCIDR(s.IP)
				if err != nil {
					continue
				}
				if !ipNet.Contains(net.ParseIP(ip)) {
					continue
				}
			} else if strings.Contains(s.IP, "-") {
				// 范围段
				split := strings.Split(s.IP, "-")
				if len(split) < 2 {
					continue
				}
				start := split[0]
				end := split[1]
				intReqIP := utils.IpToInt(ip)
				if intReqIP < utils.IpToInt(start) || intReqIP > utils.IpToInt(end) {
					continue
				}
			} else {
				// IP
				if s.IP != ip {
					continue
				}
			}

			if s.Rule == constant.AccessRuleAllow {
				return next(c)
			}
			if s.Rule == constant.AccessRuleReject {
				if c.Request().Header.Get("X-Requested-With") != "" || c.Request().Header.Get(constant.Token) != "" {
					return Fail(c, 0, "您的访问请求被拒绝 :(")
				} else {
					return c.HTML(666, "您的访问请求被拒绝 :(")
				}
			}
		}

		return next(c)
	}
}

func Auth(next echo.HandlerFunc) echo.HandlerFunc {

	anonymousUrls := []string{"/login", "/static", "/favicon.ico", "/logo.svg", "/asciinema"}

	return func(c echo.Context) error {

		uri := c.Request().RequestURI
		if uri == "/" || strings.HasPrefix(uri, "/#") {
			return next(c)
		}
		// 路由拦截 - 登录身份、资源权限判断等
		for i := range anonymousUrls {
			if strings.HasPrefix(uri, anonymousUrls[i]) {
				return next(c)
			}
		}

		token := GetToken(c)
		if token == "" {
			return Fail(c, 401, "您的登录信息已失效，请重新登录后再试。")
		}
		cacheKey := userService.BuildCacheKeyByToken(token)
		authorization, found := cache.GlobalCache.Get(cacheKey)
		if !found {
			return Fail(c, 401, "您的登录信息已失效，请重新登录后再试。")
		}

		if authorization.(Authorization).Remember {
			// 记住登录有效期两周
			cache.GlobalCache.Set(cacheKey, authorization, time.Hour*time.Duration(24*14))
		} else {
			cache.GlobalCache.Set(cacheKey, authorization, time.Hour*time.Duration(2))
		}

		return next(c)
	}
}

func Admin(next echo.HandlerFunc) echo.HandlerFunc {
	return func(c echo.Context) error {

		account, found := GetCurrentAccount(c)
		if !found {
			return Fail(c, 401, "您的登录信息已失效，请重新登录后再试。")
		}

		if account.Type != constant.TypeAdmin {
			return Fail(c, 403, "permission denied")
		}

		return next(c)
	}
}