安全性增强 - 更加严格的判断

app.js

@@ -126,12 +126,12 @@ app.use(bodyParser.json());
 var UUID = require('uuid');
 app.use(session({
     secret: UUID.v4(),
-    name: 'Mcserver_session',
+    name: 'Mcserver_session-' + UUID.v1(),
     cookie: {
         maxAge: 1000 * 60 * 60 * 4
     },
     resave: true,
-    saveUninitialized: true,
+    saveUninitialized: true
 }));
 
 //使用 gzip 静态文本压缩，但是如果你使用反向代理或某 HTTP 服务自带的gzip，请关闭它

route/token.js

@@ -8,15 +8,15 @@ const UUID = require('uuid');
 //Token 
 
 router.get('/', function (req, res) {
+    let username = req.session['username'] || undefined;
     //ajax 会受到浏览器跨域限制，姑不能对其进行csrf攻击获取token，尽管它可伪造。
     if (req.xhr) {
         if (!req.session['token']) {
-            MCSERVER.log('[ Token ]', '用户 ', req.session['username'], ' 请求更新令牌');
+            MCSERVER.log('[ Token ]', '用户 ', username, ' 请求更新令牌');
             //强化 token
             req.session['token'] = permssion.randomString(6) + UUID.v4().replace(/-/igm, "");
         }
-        let username = req.session['username'] || undefined;
-        if (username == undefined || username.trim() == '') {
+        if (username == undefined || username.trim() == '' || !req.session['login']) {
             //用户未登录，返回一个随机的 token 给它，并且这个 token 与正常的 token 几乎一模一样
             response.returnMsg(res, 'token', {
                 token: permssion.randomString(6) + UUID.v4().replace(/-/igm, ""),
@@ -25,6 +25,7 @@ router.get('/', function (req, res) {
             return;
         }
         VarCenter.get('user_token')[req.session['token']] = username;
+        req.session.save();
         response.returnMsg(res, 'token', {
             token: req.session['token'],
             username: username,
@@ -34,6 +35,7 @@ router.get('/', function (req, res) {
         res.send('<h1>CSRF 防御策略</h1><hr><p>您不能直接访问本页面,这是为了防御 CSRF 攻击,务必直接访问首页!</p>' +
             '<p>具体信息我们将统计到非法 API 请求,这可能需要值得您注意.</p>');
     }
+    res.end();
 });
 
 

route/user.js

@@ -13,14 +13,19 @@ const tools = require('../core/tools');
 const userManager = userCenter();
 
 router.post('/loginout', function (req, res) {
-    permssion.needLogin(req, res, () => {
-        MCSERVER.log('[loginout] 用户:' + req.session['username'] + '退出');
-        req.session.destroy();
-        response.returnMsg(res, 'user/logout', 'loginOut');
-    }, () => {
-        response.returnMsg(res, 'MASTER!', 'Please Login!!! | 请登陆好么?');
-    });
 
+    MCSERVER.log('[loginout] 用户:' + req.session['username'] + '退出');
+    // BUG Note: Ws—close 与 Loginout 时 Session 可能不一定及时同步
+    // 导致我们暂时无法用一种很简单的方式来实现动态的更换 token
+    // req.session['login'] = false;
+    // req.session['username'] = null;
+    // req.session['login_md5key'] = null;
+    // req.session['token'] = null;
+    // req.session['dataModel'] = {};
+    // req.session.save();
+    req.session.destroy();
+    response.returnMsg(res, 'user/logout', 'loginOut');
+    res.end();
 });
 
 MCSERVER.login._banip = 0;
@@ -58,6 +63,7 @@ router.post('/login', function (req, res) {
         req.session['dataModel'] = loginUser.dataModel; //Only read
         delete MCSERVER.login[ip];
         req.session['login_md5key'] = null;
+        req.session.save();
         response.returnMsg(res, 'login/check', true);
     }, () => {
         //密码错误记录
@@ -68,6 +74,7 @@ router.post('/login', function (req, res) {
         counter.plus('passwordError');
         req.session['login'] = undefined;
         req.session['login_md5key'] = null;
+        req.session.save();
         response.returnMsg(res, 'login/check', false);
     }, enkey);
 });

route/websocket.js

@@ -89,15 +89,10 @@ router.ws('/ws', function (ws, req) {
             let obj;
             let reqs = req;
 
-            // console.log('TOKEN' + req.session['token']++)
             //Websocket 自定义协议解析
-
             reqHeaderObj = JSON.parse(reqHeader);
             if (!reqHeaderObj) return;
 
-            //console
-            // console.log(' [ WebSocket MSG ] ', reqHeaderObj['RequestValue']);
-
             WebSocketObserver().emit('ws/req', {
                 ws: ws,
                 req: req,
@@ -120,9 +115,8 @@ router.ws('/ws', function (ws, req) {
 
         //释放一些数据
         delete varCenter.get('user_token')[token];
-        // varCenter.get('user_token')[token] = undefined;
-        req.session['token'] = undefined;
-        req.session.save();
+        // req.session['token'] = undefined;
+        // req.session.save();
         delete WsSession;
 
         //释放全局变量