fix(security): security audit fixes for API vulnerabilities
Security fixes: - Fix sensitive data exposure: UserResponse no longer contains email/phone - Add UserSelfResponse for authenticated user's own data - Protect Gorse endpoints with admin role requirement - Add rate limiting (10 req/min) to auth endpoints - Fix CORS configuration to use allowed origins list - Add pagination parameter validation (max 100 per page) Changes: - dto/dto.go: Add UserSelfResponse type - dto/user_converter.go: Add ConvertUserToSelfResponse - handler/user_handler.go: Use secure response types - middleware/cors.go: Implement origin whitelist - middleware/ratelimit.go: Enhance rate limiter - router/router.go: Add auth rate limit, protect Gorse - service/admin_*.go: Use ConvertUserToResponse
This commit is contained in:
@@ -1,20 +1,49 @@
|
||||
package middleware
|
||||
|
||||
import "github.com/gin-gonic/gin"
|
||||
import (
|
||||
"net/http"
|
||||
"strings"
|
||||
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
|
||||
var allowedOrigins = []string{
|
||||
"https://bbs.littlelan.cn",
|
||||
"http://localhost:3000",
|
||||
"http://localhost:5173",
|
||||
"http://127.0.0.1:3000",
|
||||
"http://127.0.0.1:5173",
|
||||
}
|
||||
|
||||
// CORS CORS中间件
|
||||
func CORS() gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
c.Header("Access-Control-Allow-Origin", "*")
|
||||
origin := c.GetHeader("Origin")
|
||||
allowedOrigin := ""
|
||||
|
||||
for _, o := range allowedOrigins {
|
||||
if o == origin {
|
||||
allowedOrigin = o
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if allowedOrigin == "" {
|
||||
if strings.HasPrefix(origin, "http://localhost") || strings.HasPrefix(origin, "http://127.0.0.1") {
|
||||
allowedOrigin = origin
|
||||
}
|
||||
}
|
||||
|
||||
if allowedOrigin != "" {
|
||||
c.Header("Access-Control-Allow-Origin", allowedOrigin)
|
||||
c.Header("Access-Control-Allow-Credentials", "true")
|
||||
}
|
||||
|
||||
c.Header("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH, DELETE, OPTIONS")
|
||||
// 添加 WebSocket 升级所需的头
|
||||
c.Header("Access-Control-Allow-Headers", "Origin, Content-Type, Accept, Authorization, Connection, Upgrade, Sec-WebSocket-Key, Sec-WebSocket-Version, Sec-WebSocket-Protocol, Sec-WebSocket-Extensions")
|
||||
c.Header("Access-Control-Expose-Headers", "Content-Length, Connection, Upgrade")
|
||||
c.Header("Access-Control-Allow-Credentials", "true")
|
||||
|
||||
// 处理 WebSocket 升级请求的预检
|
||||
if c.Request.Method == "OPTIONS" {
|
||||
c.AbortWithStatus(204)
|
||||
c.AbortWithStatus(http.StatusNoContent)
|
||||
return
|
||||
}
|
||||
|
||||
|
||||
@@ -8,7 +8,6 @@ import (
|
||||
"github.com/gin-gonic/gin"
|
||||
)
|
||||
|
||||
// RateLimiter 限流器
|
||||
type RateLimiter struct {
|
||||
requests map[string][]time.Time
|
||||
mu sync.Mutex
|
||||
@@ -16,7 +15,6 @@ type RateLimiter struct {
|
||||
window time.Duration
|
||||
}
|
||||
|
||||
// NewRateLimiter 创建限流器
|
||||
func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
|
||||
rl := &RateLimiter{
|
||||
requests: make(map[string][]time.Time),
|
||||
@@ -24,7 +22,6 @@ func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
|
||||
window: window,
|
||||
}
|
||||
|
||||
// 定期清理过期的记录
|
||||
go func() {
|
||||
for {
|
||||
time.Sleep(window)
|
||||
@@ -35,7 +32,6 @@ func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
|
||||
return rl
|
||||
}
|
||||
|
||||
// cleanup 清理过期的记录
|
||||
func (rl *RateLimiter) cleanup() {
|
||||
rl.mu.Lock()
|
||||
defer rl.mu.Unlock()
|
||||
@@ -56,7 +52,6 @@ func (rl *RateLimiter) cleanup() {
|
||||
}
|
||||
}
|
||||
|
||||
// isAllowed 检查是否允许请求
|
||||
func (rl *RateLimiter) isAllowed(key string) bool {
|
||||
rl.mu.Lock()
|
||||
defer rl.mu.Unlock()
|
||||
@@ -64,7 +59,6 @@ func (rl *RateLimiter) isAllowed(key string) bool {
|
||||
now := time.Now()
|
||||
times := rl.requests[key]
|
||||
|
||||
// 过滤掉过期的
|
||||
var valid []time.Time
|
||||
for _, t := range times {
|
||||
if now.Sub(t) < rl.window {
|
||||
@@ -81,7 +75,6 @@ func (rl *RateLimiter) isAllowed(key string) bool {
|
||||
return true
|
||||
}
|
||||
|
||||
// RateLimit 限流中间件
|
||||
func RateLimit(requestsPerMinute int) gin.HandlerFunc {
|
||||
limiter := NewRateLimiter(requestsPerMinute, time.Minute)
|
||||
|
||||
@@ -91,7 +84,29 @@ func RateLimit(requestsPerMinute int) gin.HandlerFunc {
|
||||
if !limiter.isAllowed(ip) {
|
||||
c.JSON(http.StatusTooManyRequests, gin.H{
|
||||
"code": 429,
|
||||
"message": "too many requests",
|
||||
"message": "too many requests, please try again later",
|
||||
})
|
||||
c.Abort()
|
||||
return
|
||||
}
|
||||
|
||||
c.Next()
|
||||
}
|
||||
}
|
||||
|
||||
func RateLimitWithKey(requestsPerMinute int, keyFunc func(c *gin.Context) string) gin.HandlerFunc {
|
||||
limiter := NewRateLimiter(requestsPerMinute, time.Minute)
|
||||
|
||||
return func(c *gin.Context) {
|
||||
key := keyFunc(c)
|
||||
if key == "" {
|
||||
key = c.ClientIP()
|
||||
}
|
||||
|
||||
if !limiter.isAllowed(key) {
|
||||
c.JSON(http.StatusTooManyRequests, gin.H{
|
||||
"code": 429,
|
||||
"message": "too many requests, please try again later",
|
||||
})
|
||||
c.Abort()
|
||||
return
|
||||
|
||||
Reference in New Issue
Block a user