添加 - 安全性增强

app.js

@@ -151,7 +151,7 @@ app.use('/public', express.static('./public'));
 
 // console 中间件挂载
 app.use((req, res, next) => {
-    console.log('[', req.protocol.green, req.httpVersion.green, req.method.cyan, ']', req.originalUrl);
+    console.log('[', req.protocol.green, req.method.cyan, ']', req.originalUrl);
     if (MCSERVER.localProperty.is_allow_csrf) {
         res.header("Access-Control-Allow-Origin", "*");
         res.header('Access-Control-Allow-Methods', 'GET, POST');

core/User/User.js

@@ -1,7 +1,11 @@
 //用户模型
 
 const DataModel = require('../DataModel');
-const { md5, createPassword, randomString } = require('./CryptoMine');
+const {
+    md5,
+    createPassword,
+    randomString
+} = require('./CryptoMine');
 const fs = require('fs');
 
 const USER_SAVE_PATH = 'users/';
@@ -36,14 +40,14 @@ class User {
 
     isPassword(password) {
         let tmp = createPassword(password, this.dataModel.salt);
-        if (tmp.password == this.dataModel.password) {
+        if (tmp.password === this.dataModel.password) {
             this.updateLastDate();
             return true;
         }
         return false;
     }
 
-    getPasswordMD5(){
+    getPasswordMD5() {
         return this.dataModel.password;
     }
 
@@ -69,5 +73,7 @@ class User {
 }
 
 
-module.exports = { User, USER_SAVE_PATH };
-
+module.exports = {
+    User,
+    USER_SAVE_PATH
+};

core/User/UserCenter.js

@@ -92,7 +92,7 @@ class UserCenter {
             if (md5key && !notSafeLogin) {
                 let userMd5 = loginUser.getPasswordMD5();
                 let md5Passworded = md5(userMd5 + md5key);
-                return md5Passworded == password ? truecb && truecb(loginUser) : falsecb && falsecb();
+                return md5Passworded === password ? truecb && truecb(loginUser) : falsecb && falsecb();
             }
 
             // 一般模式 供ftp 等登录

helper/LoginedContainer.js

@@ -0,0 +1,24 @@
+var Logined = {};
+
+module.exports.addLogined = (username, userdata) => {
+    if (username && userdata)
+        Logined[username] = userdata;
+    else
+        throw new Error("Username or Userdata is Null");
+}
+
+module.exports.delLogined = (username) => {
+    if (username) {
+        Logined[username] = undefined;
+        delete Logined[username];
+    } else
+        throw new Error("Username or Userdata is Null");
+}
+
+
+module.exports.isLogined = (username) => {
+    if (Logined.hasOwnProperty(username) && Logined[username]) {
+        return Logined[username];
+    }
+    return null;
+}

helper/Permission.js

@@ -1,3 +1,5 @@
+const loginedContainer = require('./LoginedContainer');
+
 function randomString(len) {
     len = len || 32;
     var $chars = 'ABCDEFGHIJKLNMOPQRSTUVWXYZabcdefghijklnmopqrstuvwxyz1234567890_';
@@ -24,8 +26,9 @@ function defaultFalseCallBack(req, res, ResponseKey, ResponseValue, notAjaxRedir
 module.exports.randomString = randomString;
 
 module.exports.needLogin = (req, res, trueCallBack, falseCallBack) => {
-    if (req.session['login']) {
-        if (req.session['login'] === true && req.session['usernam']) {
+    let username = req.session['usernam'];
+    if (req.session['login'] && loginedContainer.isLogined(username)) {
+        if (req.session['login'] === true && username) {
             trueCallBack && trueCallBack();
             return true;
         }

model/VarCenter.js

@@ -3,10 +3,16 @@ global.__MCSERVER_VAR_LIST__ = {};
 
 
 module.exports.set = (key, value) => {
-    global.__MCSERVER_VAR_LIST__[key] = value;
+    if (key)
+        global.__MCSERVER_VAR_LIST__[key] = value;
+    else
+        throw new Error("key is undefined")
 }
 
 
 module.exports.get = (key, def = undefined) => {
-    return global.__MCSERVER_VAR_LIST__[key] || def;
+    if (key)
+        return global.__MCSERVER_VAR_LIST__[key] || def;
+    else
+        throw new Error("key is undefined")
 }

route/token.js

@@ -24,6 +24,12 @@ router.get('/', function (req, res) {
             });
             return;
         }
+        let maybeUsername = VarCenter.get('user_token')[req.session['token']];
+        if (maybeUsername) {
+            console.log("已经存在！！！！！！！！！！！！！！");
+
+        }
+
         VarCenter.get('user_token')[req.session['token']] = username;
         req.session.save();
         response.returnMsg(res, 'token', {

route/user.js

@@ -8,10 +8,13 @@ const {
 } = require('../model/UserModel');
 const response = require('../helper/Response');
 const permssion = require('../helper/Permission');
+const loginedContainer = require('../helper/LoginedContainer');
 const tools = require('../core/tools');
 
 const userManager = userCenter();
 
+
+
 router.post('/loginout', function (req, res) {
 
     MCSERVER.log('[loginout] 用户:' + req.session['username'] + '退出');
@@ -19,10 +22,6 @@ router.post('/loginout', function (req, res) {
     // 导致我们暂时无法用一种很简单的方式来实现动态的更换 token
     req.session['login'] = false;
     req.session['username'] = undefined;
-    // req.session['login_md5key'] = null;
-    // req.session['token'] = null;
-    // req.session['dataModel'] = {};
-    // req.session.save();
     req.session.destroy();
     response.returnMsg(res, 'user/logout', 'loginOut');
     res.end();
@@ -65,6 +64,8 @@ router.post('/login', function (req, res) {
         req.session['login_md5key'] = undefined;
         req.session.save();
         delete MCSERVER.login[ip];
+        //添加到 login 容器
+        loginedContainer.addLogined(username, loginUser.dataModel);
         response.returnMsg(res, 'login/check', true);
     }, () => {
         //密码错误记录
@@ -78,14 +79,19 @@ router.post('/login', function (req, res) {
         req.session['login_md5key'] = undefined;
         req.session['dataModel'] = undefined;
         req.session.save();
+        //删除到 login 容器
+        loginedContainer.delLogined(username);
         response.returnMsg(res, 'login/check', false);
     }, enkey);
 });
 
 router.get('/login_key', function (req, res) {
-    let username = req.query.username || '';
+    let username = req.query.username || null;
     let md5Key = req.session['login_md5key'] || tools.randomString(32);
 
+    if (!username && !permssion.needLogin()) return;
+
+
     req.session['login_md5key'] = md5Key;
     //取salt
     let loggingUser = userManager.get(username);

route/websocket.js

@@ -9,6 +9,7 @@ const {
 
 const permssion = require('../helper/Permission');
 const response = require('../helper/Response');
+const loginedContainer = require('../helper/LoginedContainer');
 const counter = require('../core/counter');
 
 const expressWs = require('express-ws')(router);
@@ -62,6 +63,12 @@ router.ws('/ws', function (ws, req) {
         return;
     }
 
+    if (!loginedContainer.isLogined(username)) {
+        MCSERVER.warning('这是十分危险的请求 | 已经阻止', '可能的用户值:' + username + ' 令牌值: ' + token);
+        ws.close();
+        return;
+    }
+
     username = username.trim();
 
     let WsSession = new WebsocketSession({