diff --git a/backend/controller/accapi.go b/backend/controller/accapi.go
index c8bf86c..77d685b 100644
--- a/backend/controller/accapi.go
+++ b/backend/controller/accapi.go
@@ -31,6 +31,14 @@ func NewAccountRouter(rg *gin.RouterGroup, as service.AccountService) *AccountRo
 // 创建账户
 func (ar *AccountRouter) CreateAccount(c *gin.Context) {
+
+ _, err := ar.Auth(c, ServiceOnly)
+
+ if err != nil {
+ ar.StatusCode(c, 401, err.Error())
+ return
+ }
+
 // 取body的json里的uin
 var body AccountCreateBody
@@ -105,6 +113,14 @@ func (ar *AccountRouter) LoginAccount(c *gin.Context) {
 // 重置密码
 func (ar *AccountRouter) ResetPassword(c *gin.Context) {
+
+ _, err := ar.Auth(c, ServiceOnly)
+
+ if err != nil {
+ ar.StatusCode(c, 401, err.Error())
+ return
+ }
+
 // 取body的json里的uin
 var body AccountCreateBody
diff --git a/backend/controller/api.go b/backend/controller/api.go
index 7197bdb..5c9adf5 100644
--- a/backend/controller/api.go
+++ b/backend/controller/api.go
@@ -1,6 +1,7 @@ package controller
 import (
+ "errors"
 "net/http"
 "strings"
 "time"
@@ -9,6 +10,7 @@ import (
 "github.com/RockChinQ/Campux/backend/util"
 "github.com/gin-contrib/cors"
 "github.com/gin-gonic/gin"
+ "github.com/spf13/viper"
 )
 type APIController struct {
@@ -40,6 +42,8 @@ func NewApiController(
 )
 }
+ // 鉴权中间件
+
 r.Use(func(c *gin.Context) {
 if strings.HasPrefix(c.Request.URL.Path, "/v1") {
 c.Next()
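Review bot: CreateAccount and ResetPassword (hunk @@ -105) now refuse anything but the service token via `ar.Auth(c, ServiceOnly)`, yet the doc comments `// 创建账户` and `// 重置密码` still say nothing about it, so a reader of the handler alone cannot tell that a user JWT is rejected here. Suggest `// CreateAccount creates an account; only the configured service token is accepted (ServiceOnly).` and the equivalent sentence on ResetPassword. The two guards are byte-identical copies, so a small helper or a gin middleware on the account router group would keep the policy in one place if more service-only handlers are added. The blank line directly after the opening brace is not the usual gofmt shape for Go bodies. Both handlers' bodies continue past their hunks, so the later use of `err` could not be checked for shadowing.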
@@ -68,6 +72,45 @@ func NewApiController(
 type APIRouter struct {
 }
+type AuthenticationType int
+
+const (
+ UserOnly AuthenticationType = 1
+ ServiceOnly AuthenticationType = 2
+ Both AuthenticationType = 3
+)
+
+// 鉴权
+// 如果是服务鉴权,则拿Authorization头对比service.token
+// 其他的都是用户鉴权,直接尝试从GetUin取uin
+func (ar *APIRouter) Auth(c *gin.Context, authType AuthenticationType) (int64, error) {
+ serviceToken := viper.GetString("service.token")
+
+ uin, err := int64(-1), errors.New("authentication failed")
+
+ if authType&ServiceOnly == ServiceOnly {
+ bearer := c.GetHeader("Authorization")
+ if bearer != "" {
+ bearer = bearer[7:]
+
+ if bearer == serviceToken {
+ uin = 0
+ err = nil
+ }
+ }
+ }
+
+ if err == nil {
+ return uin, err
+ }
+
+ if authType&UserOnly == UserOnly {
+ uin, err = ar.GetUin(c)
+ }
+
+ return uin, err
+}
+
 // 从jwt取uin
 func (ar *APIRouter) GetUin(c *gin.Context) (int64, error) {
diff --git a/backend/controller/postapi.go b/backend/controller/postapi.go
index 6c14fb9..47d381f 100644
--- a/backend/controller/postapi.go
+++ b/backend/controller/postapi.go
@@ -98,7 +98,8 @@ func (pr *PostRouter) PostNew(c *gin.Context) {
 // 下载图片
 func (pr *PostRouter) DownloadImage(c *gin.Context) {
- _, err := pr.GetUin(c)
+
+ _, err := pr.Auth(c, Both)
 if err != nil {
 pr.StatusCode(c, 401, err.Error())
@@ -162,6 +163,16 @@ func (pr *PostRouter) GetSelfPosts(c *gin.Context) {
 // 获取稿件列表
 func (pr *PostRouter) GetPosts(c *gin.Context) {
+
+ _, err := pr.Auth(c, Both)
+
+ if err != nil {
+ pr.StatusCode(c, 401, err.Error())
+ return
+ }
+
+ // TODO 检查用户权限
+
 var body GetPostsBody
 if err := c.ShouldBindJSON(&body); err != nil {
@@ -189,13 +200,15 @@ func (pr *PostRouter) GetPosts(c *gin.Context) {
 }
 func (pr *PostRouter) GetPostInfo(c *gin.Context) {
- _, err := pr.GetUin(c)
+ _, err := pr.Auth(c, Both)
 if err != nil {
 pr.StatusCode(c, 401, err.Error())
 return
 }
+ // TODO 检查用户权限
+
 id := c.Param("id")
 idInt, err := strconv.Atoi(id)
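Review bot: `bearer = bearer[7:]` in Auth panics with a slice-bounds error whenever a non-empty Authorization header is shorter than seven bytes, and nothing verifies that the stripped prefix is actually `Bearer `, so any seven leading characters are accepted. Separately, when `service.token` is not configured viper returns "", so a header of exactly `Bearer ` compares equal to the empty token and is granted the service identity (uin 0); the comparison also uses `==`, which is not constant-time for a secret. The rewrite below requires a non-empty configured token, strips the prefix with `strings.HasPrefix`/`strings.TrimPrefix` (`strings` is already imported in this file; `crypto/subtle` would have to be added to the import block in the @@ -1 hunk) and compares with `subtle.ConstantTimeCompare`; if clients send a lowercase `bearer ` prefix today, match it with `strings.EqualFold` on the first seven bytes instead. The doc comment above Auth should also state the return contract, e.g. `// Auth returns uin 0 for a valid service token, the JWT uin for a user, and -1 with an error otherwise.`
```go
func (ar *APIRouter) Auth(c *gin.Context, authType AuthenticationType) (int64, error) {
	// … unchanged: serviceToken lookup and uin/err initialisation …

	if authType&ServiceOnly == ServiceOnly && serviceToken != "" {
		// An unset token must never match: otherwise "Authorization: Bearer "
		// (an empty credential) would be granted the service identity.
		bearer := c.GetHeader("Authorization")
		if strings.HasPrefix(bearer, "Bearer ") &&
			subtle.ConstantTimeCompare([]byte(strings.TrimPrefix(bearer, "Bearer ")), []byte(serviceToken)) == 1 {
			uin = 0
			err = nil
		}
	}

	// … unchanged: early return on success and user JWT fallback via ar.GetUin …
```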
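Review bot: The added guard in GetPosts discards the uin from `pr.Auth(c, Both)`, yet the `// TODO 检查用户权限` right below it is exactly the place that needs it: until that check exists, every authenticated user and the service caller can list all posts, and the same TODO is left open in GetPostInfo (hunk @@ -189) and ReviewPost (hunk @@ -256 in postapi.go). Keeping the identity, `uin, err := pr.Auth(c, Both)`, and rejecting callers who are neither the owner nor the service before the body is bound would close the gap; if the permission check is deliberately deferred, the TODO should say which callers the endpoint is meant to admit so the widening from GetUin to Both is not silent. A later check will also have to treat uin 0, which Auth assigns to the service token, as a distinct case from a real user id. GetPosts's body continues past the hunk.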
@@ -256,6 +269,8 @@ func (pr *PostRouter) ReviewPost(c *gin.Context) {
 return
 }
+ // TODO 检查用户权限
+
 // 取body的json里的id, status, comment
 var body PostReviewBody