优化 - 安全性统一格式检查

2018-04-15 20:57:01 +08:00 · 2018-04-15 20:57:01 +08:00 · 0310a46352
commit 0310a46352
parent b929a03dbe
3 changed files with 14 additions and 8 deletions
--- a/helper/Permission.js
+++ b/helper/Permission.js
@ -25,7 +25,7 @@ module.exports.randomString = randomString;

 module.exports.needLogin = (req, res, trueCallBack, falseCallBack) => {
    if (req.session['login']) {
-        if (req.session['login'] === true) {
+        if (req.session['login'] === true && req.session['usernam']) {
            trueCallBack && trueCallBack();
            return true;
        }
--- a/route/user.js
+++ b/route/user.js
@ -17,8 +17,8 @@ router.post('/loginout', function (req, res) {
    MCSERVER.log('[loginout] 用户:' + req.session['username'] + '退出');
    // BUG Note: Ws—close 与 Loginout 时 Session 可能不一定及时同步
    // 导致我们暂时无法用一种很简单的方式来实现动态的更换 token
-    // req.session['login'] = false;
-    // req.session['username'] = null;
+    req.session['login'] = false;
+    req.session['username'] = undefined;
    // req.session['login_md5key'] = null;
    // req.session['token'] = null;
    // req.session['dataModel'] = {};
@ -58,12 +58,13 @@ router.post('/login', function (req, res) {
    //登陆次数加一
    counter.plus('login');
    loginUser(username, password, (loginUser) => {
+        //只有这里 唯一的地方设置 login = true
        req.session['login'] = true;
        req.session['username'] = username;
        req.session['dataModel'] = loginUser.dataModel; //Only read
-        delete MCSERVER.login[ip];
-        req.session['login_md5key'] = null;
+        req.session['login_md5key'] = undefined;
        req.session.save();
+        delete MCSERVER.login[ip];
        response.returnMsg(res, 'login/check', true);
    }, () => {
        //密码错误记录
@ -72,8 +73,10 @@ router.post('/login', function (req, res) {
        MCSERVER.login[ip] > 1000 ? MCSERVER.login[ip] = 1000 : MCSERVER.login[ip] = MCSERVER.login[ip];
        //passwordError
        counter.plus('passwordError');
-        req.session['login'] = undefined;
-        req.session['login_md5key'] = null;
+        req.session['login'] = false;
+        req.session['username'] = undefined;
+        req.session['login_md5key'] = undefined;
+        req.session['dataModel'] = undefined;
        req.session.save();
        response.returnMsg(res, 'login/check', false);
    }, enkey);
--- a/route/websocket.js
+++ b/route/websocket.js
@ -36,14 +36,17 @@ router.ws('/ws', function (ws, req) {
    //从令牌管理器中 获取对应的用户
    var tokens = varCenter.get('user_token');
    username = tokens[token];
+
    //权限判定
-    if (!username || username == "") {
+    if (!username || typeof username != "string" || username.trim() == "") {
        MCSERVER.log('[ WebSocket INIT ]', '错误的令牌 [' + token + '] 尝试发起 Websocket 被拒绝');
        counter.plus('notPermssionCounter');
        ws.close();
        return;
    }

+    username = username.trim();
+
    //创建新的 Ws Session 类
    // var WsSession = _newWsSsession();
    var WsSession = new Object();