Login page (#1094)

* feat: Add a login page

* feat: Modify save rules, more secure

* remove remoteAddr == "localhost"

* "登录失败次数过多，请等待 %d 分钟后再试

* cookie remove secure

* set cookie expires time by `NotAllowWanAccess`

* prettier

* fix: rename

* feat: auto login if unfilled

* feat: auto login if there is no username/password

* auto login if no username/password

main.go

@@ -156,14 +156,16 @@ func faviconFsFunc(writer http.ResponseWriter, request *http.Request) {
 
 func runWebServer() error {
 	// 启动静态文件服务
-	http.HandleFunc("/static/", web.BasicAuth(staticFsFunc))
-	http.HandleFunc("/favicon.ico", web.BasicAuth(faviconFsFunc))
-
-	http.HandleFunc("/", web.BasicAuth(web.Writing))
-	http.HandleFunc("/save", web.BasicAuth(web.Save))
-	http.HandleFunc("/logs", web.BasicAuth(web.Logs))
-	http.HandleFunc("/clearLog", web.BasicAuth(web.ClearLog))
-	http.HandleFunc("/webhookTest", web.BasicAuth(web.WebhookTest))
+	http.HandleFunc("/static/", web.AuthAssert(staticFsFunc))
+	http.HandleFunc("/favicon.ico", web.AuthAssert(faviconFsFunc))
+	http.HandleFunc("/login", web.AuthAssert(web.Login))
+	http.HandleFunc("/loginFunc", web.AuthAssert(web.LoginFunc))
+
+	http.HandleFunc("/", web.Auth(web.Writing))
+	http.HandleFunc("/save", web.Auth(web.Save))
+	http.HandleFunc("/logs", web.Auth(web.Logs))
+	http.HandleFunc("/clearLog", web.Auth(web.ClearLog))
+	http.HandleFunc("/webhookTest", web.Auth(web.WebhookTest))
 
 	util.Log("监听 %s", *listen)
 

static/constant.js

@@ -226,6 +226,7 @@ const I18N_MAP = {
     "Ipv4CmdHelp": "Get IPv4 through command, only use the first matching IPv4 address of standard output(stdout). Such as: ip -4 addr show eth1",
     "Ipv6CmdHelp": "Get IPv6 through command, only use the first matching IPv6 address of standard output(stdout). Such as: ip -6 addr show eth1",
     "NetInterfaceEmptyHelp": '<span style="color: red">No available network card found</span>',
+    "Login": 'Login',
   },
   'zh-cn': {
     'Logs': '日志',
@@ -287,5 +288,6 @@ const I18N_MAP = {
       <a target="blank" href="https://github.com/jeessy2/ddns-go/wiki/通过命令获取IP参考">点击参考更多</a>
     `,
     "NetInterfaceEmptyHelp": '<span style="color: red">没有找到可用的网卡</span>',
+    "Login": '登录',
   }
 };

static/theme.js

@@ -0,0 +1,22 @@
+function toggleTheme(write = false) {
+  const docEle = document.documentElement;
+  if (docEle.getAttribute("data-theme") === "dark") {
+    docEle.removeAttribute("data-theme");
+    write && localStorage.setItem("theme", "light");
+  } else {
+    docEle.setAttribute("data-theme", "dark");
+    write && localStorage.setItem("theme", "dark");
+  }
+}
+
+const theme = localStorage.getItem("theme") ??
+  (window.matchMedia("(prefers-color-scheme: dark)").matches
+    ? "dark"
+    : "light");
+
+if (theme === "dark") {
+  toggleTheme();
+}
+
+// 主题切换
+document.getElementById("themeButton").addEventListener('click', () => toggleTheme(true));

static/utils.js

@@ -95,6 +95,9 @@ const request = {
   },
   get: async function(path, data, parseFunc) {
     const response = await fetch(`${this.baseURL}${path}?${this.stringify(data)}`)
+    if (response.redirected) {
+      window.location.href = response.url
+    }
     return await (parseFunc||this.parse)(response)
   },
   post: async function(path, data, parseFunc) {
@@ -105,6 +108,9 @@ const request = {
       method: 'POST',
       body: data
     })
+    if (response.redirected) {
+      window.location.href = response.url
+    }
     return await (parseFunc||this.parse)(response)
   }
 }

util/messages.go

@@ -53,11 +53,10 @@ func init() {
 	message.SetString(language.English, "Callback调用失败, 异常信息: %s", "Webhook called failed! Exception: %s")
 
 	// save
-	message.SetString(language.English, "若通过公网访问, 仅允许在ddns-go启动后 5 分钟内完成首次配置", "If accessed via the public network, only allow the first configuration to be completed within 5 minutes after ddns-go starts")
-	message.SetString(language.English, "若从未设置过帐号密码, 仅允许在ddns-go启动后 5 分钟内设置, 请重启ddns-go", "If you have never set an account password, you can only set it within 5 minutes after ddns-go starts, please restart ddns-go")
-	message.SetString(language.English, "启用外网访问, 必须输入登录用户名/密码", "Enable external network access, you must enter the login username/password")
-	message.SetString(language.English, "修改 '通过命令获取' 必须设置帐号密码，请先设置帐号密码", "Modify 'Get by command' must set username/password, please set username/password first")
-	message.SetString(language.English, "密码不安全！尝试使用更长的密码", "insecure password, try using a longer password")
+	message.SetString(language.English, "请在ddns-go启动后 5 分钟内完成首次配置", "Please complete the first configuration within 5 minutes after ddns-go starts")
+	message.SetString(language.English, "之前未设置帐号密码, 仅允许在ddns-go启动后 5 分钟内设置, 请重启ddns-go", "The username/password has not been set before, only allowed to set within 5 minutes after ddns-go starts, please restart ddns-go")
+	message.SetString(language.English, "必须输入登录用户名/密码", "Must enter login username/password")
+	message.SetString(language.English, "密码不安全！尝试使用更复杂的密码", "Password is not secure! Try using a more complex password")
 	message.SetString(language.English, "数据解析失败, 请刷新页面重试", "Data parsing failed, please refresh the page and try again")
 	message.SetString(language.English, "第 %s 个配置未填写域名", "The %s config does not fill in the domain")
 
@@ -113,6 +112,11 @@ func init() {
 	message.SetString(language.English, "失败", "failed")
 	message.SetString(language.English, "成功", "success")
 
+	// Login
+	message.SetString(language.English, "%q 登陆成功", "%q login successfully")
+	message.SetString(language.English, "用户名或密码错误", "Username or password is incorrect")
+	message.SetString(language.English, "登录失败次数过多，请等待 %d 分钟后再试", "Too many login failures, please try again after %d minutes")
+
 }
 
 func Log(key string, args ...interface{}) {

util/net.go

@@ -28,14 +28,6 @@ func IsPrivateNetwork(remoteAddr string) bool {
 			ip.IsLinkLocalUnicast() // 169.254/16, fe80::/10
 	}
 
-	// localhost
-	if remoteAddr == "localhost" {
-		return true
-	}
-	// private domain eg. .cluster.local
-	if strings.HasSuffix(remoteAddr, ".local") {
-		return true
-	}
 	return false
 }
 

util/token.go

@@ -0,0 +1,31 @@
+package util
+
+import (
+	"crypto/hmac"
+	"crypto/sha256"
+	"encoding/base64"
+	"fmt"
+	"math/rand"
+	"time"
+)
+
+// GenerateToken 生成Token
+func GenerateToken(username string) string {
+	key := []byte(generateRandomKey())
+	h := hmac.New(sha256.New, key)
+	msg := fmt.Sprintf("%s%d", username, time.Now().Unix())
+	h.Write([]byte(msg))
+	return base64.StdEncoding.EncodeToString(h.Sum(nil))
+}
+
+// generateRandomKey 生成随机密钥
+func generateRandomKey() string {
+	// 设置随机种子
+	source := rand.NewSource(time.Now().UnixNano())
+	random := rand.New(source)
+
+	// 生成随机的64位整数
+	randomNumber := random.Uint64()
+
+	return fmt.Sprint(randomNumber)
+}

web/auth.go

@@ -0,0 +1,70 @@
+package web
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/jeessy2/ddns-go/v6/config"
+	"github.com/jeessy2/ddns-go/v6/util"
+)
+
+// ViewFunc func
+type ViewFunc func(http.ResponseWriter, *http.Request)
+
+// Auth 验证Token是否已经通过
+func Auth(f ViewFunc) ViewFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		tokenInCookie, err := r.Cookie("token")
+		if err != nil {
+			http.Redirect(w, r, "./login", http.StatusTemporaryRedirect)
+			return
+		}
+
+		conf, _ := config.GetConfigCached()
+
+		// 禁止公网访问
+		if conf.NotAllowWanAccess {
+			if !util.IsPrivateNetwork(r.RemoteAddr) {
+				w.WriteHeader(http.StatusForbidden)
+				util.Log("%q 被禁止从公网访问", util.GetRequestIPStr(r))
+				return
+			}
+		}
+
+		// 验证token
+		if tokenInSystem != "" && tokenInSystem == tokenInCookie.Value {
+			f(w, r) // 执行被装饰的函数
+			return
+		}
+
+		http.Redirect(w, r, "./login", http.StatusTemporaryRedirect)
+	}
+}
+
+// AuthAssert 保护静态等文件不被公网访问
+func AuthAssert(f ViewFunc) ViewFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+
+		conf, err := config.GetConfigCached()
+
+		// 配置文件为空, 启动时间超过3小时禁止从公网访问
+		if err != nil &&
+			time.Now().Unix()-startTime > 3*60*60 && !util.IsPrivateNetwork(r.RemoteAddr) {
+			w.WriteHeader(http.StatusForbidden)
+			util.Log("%q 配置文件为空, 超过3小时禁止从公网访问", util.GetRequestIPStr(r))
+			return
+		}
+
+		// 禁止公网访问
+		if conf.NotAllowWanAccess {
+			if !util.IsPrivateNetwork(r.RemoteAddr) {
+				w.WriteHeader(http.StatusForbidden)
+				util.Log("%q 被禁止从公网访问", util.GetRequestIPStr(r))
+				return
+			}
+		}
+
+		f(w, r) // 执行被装饰的函数
+
+	}
+}