From 78fa4faab52f87ac782f162ba5f7744e0a4a9a7b Mon Sep 17 00:00:00 2001
From: r350178982 <32759763+r350178982@users.noreply.github.com>
Date: Tue, 24 Sep 2024 16:13:54 +0800
Subject: [PATCH] update login simple-check by jwt

---
 seahub/auth/views.py | 70 +++++++++++++++++++++++---------------------
 seahub/settings.py | 3 ++
 2 files changed, 39 insertions(+), 34 deletions(-)

diff --git a/seahub/auth/views.py b/seahub/auth/views.py
index 415249579cf..dd27af90a42 100644
--- a/seahub/auth/views.py
+++ b/seahub/auth/views.py
@@ -1,6 +1,7 @@
 # Copyright (c) 2012-2016 Seafile Ltd.
 import hashlib
 import logging
+import jwt
 from datetime import datetime
 from django.conf import settings
 # Avoid shadowing the login() view below.
@@ -17,7 +18,7 @@
 from django.views.decorators.cache import never_cache
 from saml2.ident import decode
 from seaserv import seafile_api, ccnet_api
-
+from seahub.settings import SSO_SECRET_KEY
 from seahub.auth import REDIRECT_FIELD_NAME, get_backends
 from seahub.auth import login as auth_login
 from seahub.auth.models import SocialAuthUser
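Review bot: `import jwt` is a third-party import dropped between the stdlib `logging` and `datetime` lines, while the file's other third-party imports (`django`, `saml2`, `seaserv`) sit in their own group below; move it next to them so the grouping stays readable. If `login_simple_check` was the only caller of `hashlib.md5` and `datetime.now` (I can only see these hunks), those two imports are now dead and could be removed in the same commit.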
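Review bot: `from seahub.settings import SSO_SECRET_KEY` binds the value once at import time, whereas the rest of this file reads configuration through the already-imported `django.conf.settings` (`settings.LOGIN_REDIRECT_URL`, `settings.SITE_ROOT` in the same function); reading `settings.SSO_SECRET_KEY` keeps a single access path and lets tests use `override_settings` to exercise both the disabled and enabled branches. If the module-level import is deliberate because seahub.settings applies the local override file into its own namespace, a one-line comment saying so would stop the next reader from "fixing" it.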
@@ -215,42 +216,43 @@ def login(request, template_name='registration/login.html',
     })
 
 def login_simple_check(request):
-    """A simple check for login called by thirdpart systems(OA, etc).
-
-    Token generation: MD5(secret_key + foo@foo.com + 2014-1-1).hexdigest()
-    Token length: 32 hexadecimal digits.
-    """
-    username = request.GET.get('user', '')
-    random_key = request.GET.get('token', '')
-
-    if not username or not random_key:
-        raise Http404
-
-    today = datetime.now().strftime('%Y-%m-%d')
-    expect = hashlib.md5((settings.SECRET_KEY+username+today).encode('utf-8')).hexdigest()
-    if expect == random_key:
-        try:
-            user = User.objects.get(email=username)
-        except User.DoesNotExist:
-            raise Http404
-
-        for backend in get_backends():
-            user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
-        auth_login(request, user)
+    if not SSO_SECRET_KEY:
+        return render_error(request, 'Permission denied.')
+
+    login_token = request.GET.get('token', '')
+    if not login_token:
+        return render_error(request, 'token invalid.')
 
-        # Ensure the user-originating redirection url is safe.
-        if REDIRECT_FIELD_NAME in request.GET:
-            next_page = request.GET[REDIRECT_FIELD_NAME]
-            if not url_has_allowed_host_and_scheme(url=next_page, allowed_hosts=request.get_host()):
-                next_page = settings.LOGIN_REDIRECT_URL
-        else:
-            next_page = settings.SITE_ROOT
-
-        return HttpResponseRedirect(next_page)
+    try:
+        payload = jwt.decode(login_token, SSO_SECRET_KEY, algorithms=['HS256'])
+    except jwt.ExpiredSignatureError:
+        return render_error(request, 'token expired.')
+    except jwt.PyJWTError:
+        return render_error(request, 'token invalid.')
+
+    if 'exp' not in payload:
+        return render_error(request, 'token invalid.')
+
+    user_id = payload.get('user_id')
+    if not user_id:
+        return render_error(request, 'token invalid.')
+
+    try:
+        user = User.objects.get(email=user_id)
+    except User.DoesNotExist:
+        return render_error(request, 'token invalid.')
+
+    for backend in get_backends():
+        user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
+    auth_login(request, user)
+    if REDIRECT_FIELD_NAME in request.GET:
+        next_page = request.GET[REDIRECT_FIELD_NAME]
+        if not url_has_allowed_host_and_scheme(url=next_page, allowed_hosts=request.get_host()):
+            next_page = settings.LOGIN_REDIRECT_URL
     else:
-        raise Http404
-
+        next_page = settings.SITE_ROOT
+    return HttpResponseRedirect(next_page)
 
 
 def logout(request, next_page=None, template_name='registration/logged_out.html',
diff --git a/seahub/settings.py b/seahub/settings.py
index 65b20a6a9de..f02a0f5d24a 100644
--- a/seahub/settings.py
+++ b/seahub/settings.py
@@ -764,6 +764,9 @@ def genpassword():
 THIRDPART_WEBSITE_SECRET_KEY = ''
 THIRDPART_WEBSITE_URL = ''
 
+
+SSO_SECRET_KEY = ''
+
 # client sso
 CLIENT_SSO_VIA_LOCAL_BROWSER = False
 CLIENT_SSO_TOKEN_EXPIRATION = 5 * 60
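Review bot: Nothing in the new body checks that the account may still sign in: `user = User.objects.get(email=user_id)` goes straight to `auth_login(request, user)`, so a deactivated user with a valid token is logged in anyway; add `if not user.is_active: return render_error(request, 'Permission denied.')` before the backend loop (assuming seahub's User exposes `is_active` the way the password login path relies on it). The old docstring was deleted without replacement, and the function should state the contract it now enforces: an HS256 JWT signed with `SSO_SECRET_KEY`, carrying `exp` and `user_id` (the account's email), passed as the `token` query parameter. The separate `if 'exp' not in payload` check can be folded into the decode call with `jwt.decode(login_token, SSO_SECRET_KEY, algorithms=['HS256'], options={'require': ['exp']})`, which also turns a missing claim into a `PyJWTError` handled by the existing branch. A token stays replayable until `exp` and arrives in the query string where web-server and proxy logs record it, so the docstring should tell issuers to keep lifetimes short; recording a `jti` for one-time use would close the replay window entirely.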
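Review bot: `SSO_SECRET_KEY = ''` is introduced with no comment, although it is an HMAC key that both enables and authenticates the `login_simple_check` endpoint in seahub/auth/views.py; add `# Secret shared with the SSO issuer for the HS256-signed login token accepted by login_simple_check; empty (the default) disables that endpoint.` above it. The deployment documentation should also say that the value must be a long random string generated for this purpose, since anyone holding it can mint a login for any email address.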