finish SecureSetting

2026-06-12 12:10:25 +08:00 · 2023-03-18 17:14:13 +08:00
parent a409325770
commit 78418429c1
8 changed files with 186 additions and 29 deletions
--- a/backend/api/main.go
+++ b/backend/api/main.go
@@ -84,6 +84,66 @@ func init() {
 		}
 		writeresult(w, codeSuccess, n, messageOk, typeSuccess)
 	}}
+
+	apimap["/api/setPassword"] = &apihandler{"POST", func(w http.ResponseWriter, r *http.Request) {
+		type setpasswordbody struct {
+			Token    string `json:"token"`
+			Password string `json:"password"`
+		}
+		token := r.Header.Get("Authorization")
+		user := usertokens.Get(token)
+		if user == nil {
+			writeresult(w, codeError, nil, errInvalidToken.Error(), typeError)
+			return
+		}
+		var body setpasswordbody
+		defer r.Body.Close()
+		err := json.NewDecoder(r.Body).Decode(&body)
+		if err != nil {
+			writeresult(w, codeError, nil, err.Error(), typeError)
+			return
+		}
+		err = setUserPassword(*user.ID, body.Token, body.Password)
+		if err != nil {
+			writeresult(w, codeError, nil, err.Error(), typeError)
+			return
+		}
+		type message struct {
+			M string `json:"msg"`
+		}
+		writeresult(w, codeSuccess, &message{M: "成功, 请重新登录"}, messageOk, typeSuccess)
+		_ = logout(token)
+	}}
+
+	apimap["/api/setContact"] = &apihandler{"POST", func(w http.ResponseWriter, r *http.Request) {
+		type setcontactbody struct {
+			Token   string `json:"token"`
+			Contact string `json:"contact"`
+		}
+		token := r.Header.Get("Authorization")
+		user := usertokens.Get(token)
+		if user == nil {
+			writeresult(w, codeError, nil, errInvalidToken.Error(), typeError)
+			return
+		}
+		var body setcontactbody
+		defer r.Body.Close()
+		err := json.NewDecoder(r.Body).Decode(&body)
+		if err != nil {
+			writeresult(w, codeError, nil, err.Error(), typeError)
+			return
+		}
+		err = setUserContact(*user.ID, body.Token, body.Contact)
+		if err != nil {
+			writeresult(w, codeError, nil, err.Error(), typeError)
+			return
+		}
+		user.Cont = hideContact(body.Contact)
+		type message struct {
+			M string `json:"msg"`
+		}
+		writeresult(w, codeSuccess, &message{M: "成功, 已将消息报告给课程组长"}, messageOk, typeSuccess)
+	}}
 }

 // Handler serves all backend /api call
--- a/backend/api/upload.go
+++ b/backend/api/upload.go
@@ -7,6 +7,7 @@ import (
 	"os"
 	"strconv"
 	"strings"
+	"time"

 	"github.com/fumiama/imgsz"
 	"github.com/sirupsen/logrus"
@@ -69,24 +70,24 @@ func UploadHandler(w http.ResponseWriter, r *http.Request) {
 			writeresult(w, codeError, nil, err.Error(), typeError)
 			return
 		}
-		avf := userf + "avatar." + format
+		avf := userf + "avatar" + time.Now().Format("_20060102_15_04_05") + "." + format
 		err = os.WriteFile(avf, data, 0644)
 		if err != nil {
 			writeresult(w, codeError, nil, err.Error(), typeError)
 			return
 		}
-		err = global.UserDB.UpdateUserInfo(*user.ID, "", avf[6:], "")
+		/*err = global.UserDB.UpdateUserInfo(*user.ID, "", avf[6:], "")
 		if err != nil {
 			writeresult(w, codeError, nil, err.Error(), typeError)
 			return
 		}
+		user.Avtr = avf[6:]
+		usertokens.Set(token, user)*/
 		writeresult(w, codeSuccess, &upload{
 			Message: messageOk,
 			Code:    codeSuccess,
 			URL:     avf[6:],
 		}, messageOk, typeSuccess)
-		user.Avtr = avf[6:]
-		usertokens.Set(token, user)
 		logrus.Infoln("[file.UploadHandler] save avatar to", avf[6:])
 		return
 	}
--- a/backend/api/user.go
+++ b/backend/api/user.go
@@ -1,10 +1,13 @@
 package api

 import (
+	"crypto/md5"
+	"encoding/hex"
 	"errors"
 	"strings"
 	"time"

+	base14 "github.com/fumiama/go-base16384"
 	"github.com/fumiama/paper-manager/backend/global"
 )

@@ -29,12 +32,7 @@ type getUserInfoResult struct {
 	Contact  string `json:"contact"`
 }

-func getUserInfo(token string) (*getUserInfoResult, error) {
-	user := usertokens.Get(token)
-	if user == nil {
-		return nil, errInvalidToken
-	}
-	cont := user.Cont
+func hideContact(cont string) string {
 	if len(cont) > 7 {
 		sb := strings.Builder{}
 		sb.WriteString(cont[:3])
@@ -42,7 +40,15 @@ func getUserInfo(token string) (*getUserInfoResult, error) {
 			sb.WriteByte('*')
 		}
 		sb.WriteString(cont[len(cont)-4:])
-		cont = sb.String()
+		return sb.String()
+	}
+	return cont
+}
+
+func getUserInfo(token string) (*getUserInfoResult, error) {
+	user := usertokens.Get(token)
+	if user == nil {
+		return nil, errInvalidToken
 	}
 	return &getUserInfoResult{
 		UserID:   *user.ID,
@@ -59,7 +65,7 @@ func getUserInfo(token string) (*getUserInfoResult, error) {
 		Roles:   []role{{RoleName: user.Role.Nick(), Value: user.Role.String()}},
 		Date:    time.Unix(user.Date, 0).Format(chineseDateLayout),
 		Last:    time.Unix(user.Last, 0).Format(chineseDateLayout),
-		Contact: cont,
+		Contact: hideContact(user.Cont),
 	}, nil
 }

@@ -80,3 +86,31 @@ func getUsersCount(token string) (int, error) {
 	}
 	return global.UserDB.GetUsersCount()
 }
+
+func setUserPassword(id int, token, npwd string) error {
+	user, err := global.UserDB.GetUserByID(id)
+	if err != nil {
+		return err
+	}
+	h := md5.New()
+	h.Write(base14.StringToBytes(user.Pswd))
+	h.Write(base14.StringToBytes(npwd))
+	if token != hex.EncodeToString(h.Sum(make([]byte, 0, 16))) {
+		return errInvalidToken
+	}
+	return global.UserDB.UpdateUserPassword(id, npwd)
+}
+
+func setUserContact(id int, token, ncont string) error {
+	user, err := global.UserDB.GetUserByID(id)
+	if err != nil {
+		return err
+	}
+	h := md5.New()
+	h.Write(base14.StringToBytes(user.Cont))
+	h.Write(base14.StringToBytes(ncont))
+	if token != hex.EncodeToString(h.Sum(make([]byte, 0, 16))) {
+		return errInvalidToken
+	}
+	return global.UserDB.UpdateUserContact(id, ncont)
+}