feat: check for server-only operations

Subilan · Subilan · commit 3575573dd6c4 · 2024-07-21T02:36:59.000+08:00
diff --git a/common/router.go b/common/router.go
@@ -65,11 +65,12 @@ func (r *Router) Init() {
 
 	r.Router.Use(cors.New(cors.Config{
 		AllowOrigins:     utils.GlobalConfig.AllowedOrigins,
-		AllowMethods:     []string{"POST", "GET"},
+		AllowMethods:     []string{"POST", "GET", "PATCH", "DELETE"},
 		AllowCredentials: true,
 		MaxAge:           time.Duration(utils.GlobalConfig.Token.Expiration) * time.Minute,
 	}))
 	r.Router.Use(middleware.TokenCheck)
+	r.Router.Use(middleware.ServerCheck)
 }
 
 func (r *Router) Run() {
diff --git a/errors/model.go b/errors/model.go
@@ -30,7 +30,7 @@ const (
 	RespErrMsgUnauth  = "Authentication Failed"
 
 	RespErrCodeForbidden = 1202
-	RespErrMsgForbidden  = "No permission"
+	RespErrMsgForbidden  = "Forbidden"
 
 	RespErrCodeInvalidToken = 1203
 	RespErrMsgInvalidToken  = "Invalid token"
diff --git a/handlers/response.go b/handlers/response.go
@@ -3,6 +3,7 @@ package handlers
 import (
 	"github.com/gin-gonic/gin"
 	"net/http"
+	"seatimc/backend/errors"
 )
 
 type Response struct {
@@ -38,3 +39,13 @@ func RespTokenError(ctx *gin.Context, errCode int, errMsg string) {
 	}
 	ctx.JSON(resp.HttpCode, resp)
 }
+
+func RespForbidden(ctx *gin.Context) {
+	resp := Response{
+		HttpCode: http.StatusForbidden,
+		Code:     errors.RespErrCodeForbidden,
+		Msg:      errors.RespErrMsgForbidden,
+		Data:     false,
+	}
+	ctx.JSON(resp.HttpCode, resp)
+}
diff --git a/handlers/user/verify-mcid.go b/handlers/user/verify-mcid.go
@@ -7,7 +7,7 @@ import (
 	"seatimc/backend/utils"
 )
 
-func HandleVerifyMCID(ctx *gin.Context) *errors.CustomErr {
+func HandleMCIDVerify(ctx *gin.Context) *errors.CustomErr {
 	playername := ctx.DefaultQuery("playername", "")
 
 	if playername == "" {
diff --git a/middleware/servercheck.go b/middleware/servercheck.go
@@ -0,0 +1,20 @@
+package middleware
+
+import (
+	"github.com/gin-gonic/gin"
+	"seatimc/backend/handlers"
+	"seatimc/backend/utils"
+)
+
+func ServerCheck(ctx *gin.Context) {
+	if !utils.IsServerOnly(ctx.Request.RequestURI) {
+		return
+	}
+
+	// Header naming conventions considered from https://stackoverflow.com/questions/3561381/custom-http-headers-naming-conventions
+	if ctx.Request.Header.Get("Seati-Server-Secret") != utils.GlobalConfig.ServerSecret {
+		handlers.RespForbidden(ctx)
+		ctx.Abort()
+		return
+	}
+}
diff --git a/utils/booleans.go b/utils/booleans.go
@@ -15,6 +15,19 @@ func NeedAuthorize(uri string) bool {
 	return false
 }
 
+// 根据 URI 前缀判断该 URI 请求是否必须来自服务器
+func IsServerOnly(uri string) bool {
+	needs := GlobalConfig.ServerOnlyEndpoints
+
+	for i := 0; i < len(needs); i++ {
+		if strings.HasPrefix(uri, needs[i]) {
+			return true
+		}
+	}
+
+	return false
+}
+
 func IsTrue(boolean string) bool {
 	return strings.EqualFold(boolean, "true")
 }
diff --git a/utils/config.go b/utils/config.go
@@ -28,6 +28,8 @@ type Config struct {
 	Version                string         `yaml:"version"`
 	EnableConfigWhitelist  bool           `yaml:"enable-config-whitelist"`
 	NeedAuthorizeEndpoints []string       `yaml:"need-authorize-endpoints"`
+	ServerOnlyEndpoints    []string       `yaml:"server-only-endpoints"`
+	ServerSecret           string         `yaml:"server-secret"`
 }
 
 var GlobalConfig *Config
diff --git a/utils/database-user.go b/utils/database-user.go
@@ -1,6 +1,10 @@
 package utils
 
-import "seatimc/backend/errors"
+import (
+	errs "errors"
+	"gorm.io/gorm"
+	"seatimc/backend/errors"
+)
 
 func IsUsernameUsed(username string) (bool, *errors.CustomErr) {
 	conn := GetDBConn()
@@ -28,6 +32,30 @@ func IsMCIDUsed(mcid string) (bool, *errors.CustomErr) {
 	return count > 0, nil
 }
 
+func GetMCIDUsage(mcid string) (*MCIDUsage, *errors.CustomErr) {
+	conn := GetDBConn()
+	var user Users
+
+	result := conn.Model(&Users{}).Where(&Users{MCID: mcid}).First(&user)
+
+	if result.Error != nil {
+		if errs.Is(result.Error, gorm.ErrRecordNotFound) {
+			return &MCIDUsage{
+				Used:     false,
+				Verified: false,
+				With:     "",
+			}, nil
+		}
+		return nil, errors.DbError(result.Error)
+	}
+
+	return &MCIDUsage{
+		Used:     true,
+		Verified: user.MCIDVerified,
+		With:     user.Username,
+	}, nil
+}
+
 func GetUserByUsername(username string) (*Users, *errors.CustomErr) {
 	conn := GetDBConn()
 	var user Users
diff --git a/utils/structs.go b/utils/structs.go
@@ -15,6 +15,12 @@ type JWTClaims struct {
 	Payload JWTPayload `json:"payload"`
 }
 
+type MCIDUsage struct {
+	Used     bool   `json:"used"`
+	Verified bool   `json:"verified"`
+	With     string `json:"with"`
+}
+
 /**
  * Status:
  * 1 - Pending - 创建中

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ import (`
`7`	`7`	`"seatimc/backend/utils"`
`8`	`8`	`)`
`9`	`9`
`10`		`-func HandleVerifyMCID(ctx gin.Context) errors.CustomErr {`
	`10`	`+func HandleMCIDVerify(ctx gin.Context) errors.CustomErr {`
`11`	`11`	`playername := ctx.DefaultQuery("playername", "")`
`12`	`12`
`13`	`13`	`if playername == "" {`
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,8 @@ type Config struct {`
`28`	`28`	Version string `yaml:"version"`
`29`	`29`	EnableConfigWhitelist bool `yaml:"enable-config-whitelist"`
`30`	`30`	NeedAuthorizeEndpoints []string `yaml:"need-authorize-endpoints"`
	`31`	+ ServerOnlyEndpoints []string `yaml:"server-only-endpoints"`
	`32`	+ ServerSecret string `yaml:"server-secret"`
`31`	`33`	`}`
`32`	`34`
`33`	`35`	`var GlobalConfig *Config`