Skip to content

Commit

Permalink
FIX : 用户信息password字段隐藏.避免安全隐患. (#297)
Browse files Browse the repository at this point in the history 
* LoginListener.php: 修复因为多点登录复用同一个token导致该账号最近一次登录的设备登出就无法获得正确的用户在线情况
SystemUserService.php: 1. 重写 token-key 正则匹配 2. kickUser 保证获取到所有token,一次性全部下线。 3. hasTokenBlack 只判断传入token所在scene的情况,否则会导致判断多重scene而导致在线用户监控列表出错。

* fix 用户返回信息会出现password字段,虽然是加密过的字段,但依旧存在安全隐患。故隐藏。

* UserAuthService.php 修复因为隐藏password导致user模型 toarray之后无法获取password导致登录流程出错的问题

* UserAuthService.php fix:获取主键value 而不是主键 key (Tab 按快了)
  • Loading branch information
@ShaBaoFa
ShaBaoFa committed Jul 5, 2024
1 parent cf6eddd commit 84e8bb6
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 7 deletions.
6 changes: 6 additions & 0 deletions app/System/Model/SystemUser.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,12 @@ class SystemUser extends MineModel
*/
protected ?string $table = 'system_user';

/**
* 隐藏的字段列表.
* @var string[]
*/
protected array $hidden = ['password', 'deleted_at'];

/**
* The attributes that are mass assignable.
*/
Expand Down
15 changes: 8 additions & 7 deletions app/System/Service/Dependencies/UserAuthService.php
View file
Original file line number Diff line number Diff line change
Expand Up @@ -45,14 +45,15 @@ public function login(UserServiceVo $userServiceVo): string
$mapper = container()->get(SystemUserMapper::class);
try {
event(new UserLoginBefore(['username' => $userServiceVo->getUsername(), 'password' => $userServiceVo->getPassword()]));
$userinfo = $mapper->checkUserByUsername($userServiceVo->getUsername())->toArray();
$password = $userinfo['password'];
unset($userinfo['password']);
$userLoginAfter = new UserLoginAfter($userinfo);
if ($mapper->checkPass($userServiceVo->getPassword(), $password)) {
/**
* @var SystemUser $userinfo
*/
$userinfo = $mapper->checkUserByUsername($userServiceVo->getUsername());
$userLoginAfter = new UserLoginAfter($userinfo->toArray());
if ($mapper->checkPass($userServiceVo->getPassword(), $userinfo->password)) {
if (
($userinfo['status'] == SystemUser::USER_NORMAL)
|| ($userinfo['status'] == SystemUser::USER_BAN && $userinfo['id'] == env('SUPER_ADMIN'))
($userinfo->status == SystemUser::USER_NORMAL)
|| ($userinfo->status == SystemUser::USER_BAN && $userinfo->getKey() == env('SUPER_ADMIN'))
) {
$userLoginAfter->message = t('jwt.login_success');
$token = user()->getToken($userLoginAfter->userinfo);
Expand Down

0 comments on commit 84e8bb6

Please sign in to comment.