强化安全性

helper/Permission.js

@@ -40,8 +40,9 @@ module.exports.needLogin = (req, res, trueCallBack, falseCallBack) => {
 const counter = require('../core/counter');
 
 module.exports.isMaster = (wsSession, notPermssionCounter) => {
-    if (wsSession.username) {
-        if (wsSession.username.trim().substr(0, 1) == '#') {
+    let username = wsSession.username.trim() || '';
+    if (username) {
+        if (username.substr(0, 1) == '#') {
             return true;
         }
     }

route/token.js

@@ -9,13 +9,16 @@ const counter = require('../core/counter');
 router.get('/', function (req, res) {
     //ajax 会受到浏览器跨域限制，姑不能对其进行csrf攻击获取token，尽管它可伪造。
     if (req.xhr) {
+        var UUID = require('uuid');
         if (!req.session['token']) {
-            req.session['token'] = permssion.randomString(32);
+            //强化 token
+            req.session['token'] = permssion.randomString(6) + UUID.v4();
         }
-        VarCenter.get('user_token')[req.session['token']] = req.session['username'];
+        let username = req.session['username'].trim();
+        VarCenter.get('user_token')[req.session['token']] = username;
         response.returnMsg(res, 'token', {
             token: req.session['token'],
-            username: req.session['username'],
+            username: username,
         });
     } else {
         counter.plus('csrfCounter');
@@ -28,12 +31,5 @@ router.get('/', function (req, res) {
 //模块导出
 module.exports = router;
 
-    // res.header('X-Powered-By','Mcserver Manager HTT_P_SERVER');
-    //res.cookie('token_to',permssion.randomString(32));
-
-
-
-
-
-
-
+// res.header('X-Powered-By','Mcserver Manager HTT_P_SERVER');
+//res.cookie('token_to',permssion.randomString(32));

route/user.js

@@ -53,7 +53,6 @@ router.post('/login', function (req, res) {
     };
     //登陆次数加一
     counter.plus('login');
-    // password = tools.md5(password + enkey);
     loginUser(username, password, (loginUser) => {
         req.session['login'] = true;
         req.session['username'] = username;