feat(system-security): Optimized unauthenticated settings to enhance …

…system security (#7142)

backend/app/api/v1/auth.go

@@ -2,14 +2,11 @@ package v1
 
 import (
 	"encoding/base64"
-	"net/http"
-
 	"github.com/1Panel-dev/1Panel/backend/app/api/v1/helper"
 	"github.com/1Panel-dev/1Panel/backend/app/dto"
 	"github.com/1Panel-dev/1Panel/backend/app/model"
 	"github.com/1Panel-dev/1Panel/backend/constant"
 	"github.com/1Panel-dev/1Panel/backend/global"
-	"github.com/1Panel-dev/1Panel/backend/middleware"
 	"github.com/1Panel-dev/1Panel/backend/utils/captcha"
 	"github.com/1Panel-dev/1Panel/backend/utils/qqwry"
 	"github.com/gin-gonic/gin"
@@ -37,11 +34,18 @@ func (b *BaseApi) Login(c *gin.Context) {
 			return
 		}
 	}
+
 	entranceItem := c.Request.Header.Get("EntranceCode")
 	var entrance []byte
 	if len(entranceItem) != 0 {
 		entrance, _ = base64.StdEncoding.DecodeString(entranceItem)
 	}
+	if len(entrance) == 0 {
+		cookieValue, err := c.Cookie("SecurityEntrance")
+		if err == nil {
+			entrance, _ = base64.StdEncoding.DecodeString(cookieValue)
+		}
+	}
 
 	user, err := authService.Login(c, req, string(entrance))
 	go saveLoginLogs(c, err)
@@ -108,34 +112,6 @@ func (b *BaseApi) Captcha(c *gin.Context) {
 	helper.SuccessWithData(c, captcha)
 }
 
-// @Tags Auth
-// @Summary Load safety status
-// @Description 获取系统安全登录状态
-// @Success 200
-// @Router /auth/issafety [get]
-func (b *BaseApi) CheckIsSafety(c *gin.Context) {
-	code := c.DefaultQuery("code", "")
-	status, err := authService.CheckIsSafety(code)
-	if err != nil {
-		helper.ErrorWithDetail(c, constant.CodeErrInternalServer, constant.ErrTypeInternalServer, err)
-		return
-	}
-	if status == "disable" && len(code) != 0 {
-		helper.ErrResponse(c, http.StatusNotFound)
-		return
-	}
-	if status == "unpass" {
-		code := middleware.LoadErrCode()
-		if code != 200 {
-			helper.ErrResponse(c, code)
-			return
-		}
-		helper.ErrorWithDetail(c, constant.CodeErrEntrance, constant.ErrTypeInternalServer, nil)
-		return
-	}
-	helper.SuccessWithOutData(c)
-}
-
 func (b *BaseApi) GetResponsePage(c *gin.Context) {
 	pageCode, err := authService.GetResponsePage()
 	if err != nil {

backend/app/service/auth.go

@@ -2,6 +2,7 @@ package service
 
 import (
 	"crypto/hmac"
+	"encoding/base64"
 	"strconv"
 
 	"github.com/1Panel-dev/1Panel/backend/app/dto"
@@ -19,12 +20,13 @@ import (
 type AuthService struct{}
 
 type IAuthService interface {
-	CheckIsSafety(code string) (string, error)
 	GetResponsePage() (string, error)
 	VerifyCode(code string) (bool, error)
 	Login(c *gin.Context, info dto.Login, entrance string) (*dto.UserLoginInfo, error)
 	LogOut(c *gin.Context) error
 	MFALogin(c *gin.Context, info dto.MFALogin, entrance string) (*dto.UserLoginInfo, error)
+	GetSecurityEntrance() string
+	IsLogin(c *gin.Context) bool
 }
 
 func NewIAuthService() IAuthService {
@@ -64,7 +66,16 @@ func (u *AuthService) Login(c *gin.Context, info dto.Login, entrance string) (*d
 	if mfa.Value == "enable" {
 		return &dto.UserLoginInfo{Name: nameSetting.Value, MfaStatus: mfa.Value}, nil
 	}
-	return u.generateSession(c, info.Name, info.AuthMethod)
+
+	loginUser, err := u.generateSession(c, info.Name, info.AuthMethod)
+	if err != nil {
+		return nil, err
+	}
+	if entrance != "" {
+		entranceValue := base64.StdEncoding.EncodeToString([]byte(entrance))
+		c.SetCookie("SecurityEntrance", entranceValue, 0, "", "", false, true)
+	}
+	return loginUser, nil
 }
 
 func (u *AuthService) MFALogin(c *gin.Context, info dto.MFALogin, entrance string) (*dto.UserLoginInfo, error) {
@@ -103,7 +114,15 @@ func (u *AuthService) MFALogin(c *gin.Context, info dto.MFALogin, entrance strin
 		return nil, constant.ErrAuth
 	}
 
-	return u.generateSession(c, info.Name, info.AuthMethod)
+	loginUser, err := u.generateSession(c, info.Name, info.AuthMethod)
+	if err != nil {
+		return nil, err
+	}
+	if entrance != "" {
+		entranceValue := base64.StdEncoding.EncodeToString([]byte(entrance))
+		c.SetCookie("SecurityEntrance", entranceValue, 0, "", "", false, true)
+	}
+	return loginUser, nil
 }
 
 func (u *AuthService) generateSession(c *gin.Context, name, authMethod string) (*dto.UserLoginInfo, error) {
@@ -173,24 +192,30 @@ func (u *AuthService) VerifyCode(code string) (bool, error) {
 	return hmac.Equal([]byte(setting.Value), []byte(code)), nil
 }
 
-func (u *AuthService) CheckIsSafety(code string) (string, error) {
-	status, err := settingRepo.Get(settingRepo.WithByKey("SecurityEntrance"))
+func (u *AuthService) GetResponsePage() (string, error) {
+	pageCode, err := settingRepo.Get(settingRepo.WithByKey("NoAuthSetting"))
 	if err != nil {
 		return "", err
 	}
-	if len(status.Value) == 0 {
-		return "disable", nil
+	return pageCode.Value, nil
+}
+
+func (u *AuthService) GetSecurityEntrance() string {
+	status, err := settingRepo.Get(settingRepo.WithByKey("SecurityEntrance"))
+	if err != nil {
+		return ""
 	}
-	if status.Value == code {
-		return "pass", nil
+	if len(status.Value) == 0 {
+		return ""
 	}
-	return "unpass", nil
+	return status.Value
 }
 
-func (u *AuthService) GetResponsePage() (string, error) {
-	pageCode, err := settingRepo.Get(settingRepo.WithByKey("NoAuthSetting"))
+func (u *AuthService) IsLogin(c *gin.Context) bool {
+	sID, _ := c.Cookie(constant.SessionName)
+	_, err := global.SESSION.Get(sID)
 	if err != nil {
-		return "", err
+		return false
 	}
-	return pageCode.Value, nil
+	return true
 }

backend/constant/common.go

@@ -23,3 +23,87 @@ const (
 	DateTimeLayout     = "2006-01-02 15:04:05" // or use time.DateTime while go version >= 1.20
 	DateTimeSlimLayout = "20060102150405"
 )
+
+var WebUrlMap = map[string]struct{}{
+	"/apps":           {},
+	"/apps/all":       {},
+	"/apps/installed": {},
+	"/apps/upgrade":   {},
+
+	"/containers":           {},
+	"/containers/container": {},
+	"/containers/image":     {},
+	"/containers/network":   {},
+	"/containers/volume":    {},
+	"/containers/repo":      {},
+	"/containers/compose":   {},
+	"/containers/template":  {},
+	"/containers/setting":   {},
+
+	"/cronjobs": {},
+
+	"/databases":                   {},
+	"/databases/mysql":             {},
+	"/databases/mysql/remote":      {},
+	"/databases/postgresql":        {},
+	"/databases/postgresql/remote": {},
+	"/databases/redis":             {},
+	"/databases/redis/remote":      {},
+
+	"/hosts":                  {},
+	"/hosts/files":            {},
+	"/hosts/monitor/monitor":  {},
+	"/hosts/monitor/setting":  {},
+	"/hosts/terminal":         {},
+	"/hosts/firewall/port":    {},
+	"/hosts/firewall/forward": {},
+	"/hosts/firewall/ip":      {},
+	"/hosts/process/process":  {},
+	"/hosts/process/network":  {},
+	"/hosts/ssh/ssh":          {},
+	"/hosts/ssh/log":          {},
+	"/hosts/ssh/session":      {},
+
+	"/logs":           {},
+	"/logs/operation": {},
+	"/logs/login":     {},
+	"/logs/website":   {},
+	"/logs/system":    {},
+	"/logs/ssh":       {},
+
+	"/settings":               {},
+	"/settings/panel":         {},
+	"/settings/backupaccount": {},
+	"/settings/license":       {},
+	"/settings/about":         {},
+	"/settings/safe":          {},
+	"/settings/snapshot":      {},
+	"/settings/expired":       {},
+
+	"/toolbox":              {},
+	"/toolbox/device":       {},
+	"/toolbox/supervisor":   {},
+	"/toolbox/clam":         {},
+	"/toolbox/clam/setting": {},
+	"/toolbox/ftp":          {},
+	"/toolbox/fail2ban":     {},
+	"/toolbox/clean":        {},
+
+	"/websites":                 {},
+	"/websites/ssl":             {},
+	"/websites/runtimes/php":    {},
+	"/websites/runtimes/node":   {},
+	"/websites/runtimes/java":   {},
+	"/websites/runtimes/net":    {},
+	"/websites/runtimes/go":     {},
+	"/websites/runtimes/python": {},
+
+	"/login": {},
+}
+
+var DynamicRoutes = []string{
+	`^/containers/composeDetail/[^/]+$`,
+	`^/databases/mysql/setting/[^/]+/[^/]+$`,
+	`^/databases/postgresql/setting/[^/]+/[^/]+$`,
+	`^/websites/[^/]+/config/[^/]+$`,
+}