mirror of
https://github.com/MHSanaei/3x-ui.git
synced 2026-05-08 14:36:13 +00:00
10ebc6cbdc
* Implement CSRF protection and security hardening across the application - Added CSRF token handling in axios requests and HTML templates. - Introduced CSRF middleware to validate tokens for unsafe HTTP methods. - Implemented login limiter to prevent brute-force attacks. - Enhanced security headers in middleware for improved response security. - Updated login notification to include safe metadata without passwords. - Added tests for CSRF middleware and login limiter functionality. * fix
163 lines
3.8 KiB
Go
163 lines
3.8 KiB
Go
package controller
|
|
|
|
import (
|
|
"fmt"
|
|
"net"
|
|
"net/http"
|
|
"net/netip"
|
|
"strings"
|
|
|
|
"github.com/mhsanaei/3x-ui/v2/config"
|
|
"github.com/mhsanaei/3x-ui/v2/logger"
|
|
"github.com/mhsanaei/3x-ui/v2/web/entity"
|
|
"github.com/mhsanaei/3x-ui/v2/web/session"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
// getRemoteIp extracts the real IP address from the request headers or remote address.
|
|
func getRemoteIp(c *gin.Context) string {
|
|
if ip, ok := extractTrustedIP(c.GetHeader("X-Real-IP")); ok {
|
|
return ip
|
|
}
|
|
|
|
if xff := c.GetHeader("X-Forwarded-For"); xff != "" {
|
|
for _, part := range strings.Split(xff, ",") {
|
|
if ip, ok := extractTrustedIP(part); ok {
|
|
return ip
|
|
}
|
|
}
|
|
}
|
|
|
|
if ip, ok := extractTrustedIP(c.Request.RemoteAddr); ok {
|
|
return ip
|
|
}
|
|
|
|
return "unknown"
|
|
}
|
|
|
|
func extractTrustedIP(value string) (string, bool) {
|
|
candidate := strings.TrimSpace(value)
|
|
if candidate == "" {
|
|
return "", false
|
|
}
|
|
|
|
if ip, ok := parseIPCandidate(candidate); ok {
|
|
return ip.String(), true
|
|
}
|
|
|
|
if host, _, err := net.SplitHostPort(candidate); err == nil {
|
|
if ip, ok := parseIPCandidate(host); ok {
|
|
return ip.String(), true
|
|
}
|
|
}
|
|
|
|
if strings.Count(candidate, ":") == 1 {
|
|
if host, _, err := net.SplitHostPort(fmt.Sprintf("[%s]", candidate)); err == nil {
|
|
if ip, ok := parseIPCandidate(host); ok {
|
|
return ip.String(), true
|
|
}
|
|
}
|
|
}
|
|
|
|
return "", false
|
|
}
|
|
|
|
func parseIPCandidate(value string) (netip.Addr, bool) {
|
|
ip, err := netip.ParseAddr(strings.TrimSpace(value))
|
|
if err != nil {
|
|
return netip.Addr{}, false
|
|
}
|
|
return ip.Unmap(), true
|
|
}
|
|
|
|
// jsonMsg sends a JSON response with a message and error status.
|
|
func jsonMsg(c *gin.Context, msg string, err error) {
|
|
jsonMsgObj(c, msg, nil, err)
|
|
}
|
|
|
|
// jsonObj sends a JSON response with an object and error status.
|
|
func jsonObj(c *gin.Context, obj any, err error) {
|
|
jsonMsgObj(c, "", obj, err)
|
|
}
|
|
|
|
// jsonMsgObj sends a JSON response with a message, object, and error status.
|
|
func jsonMsgObj(c *gin.Context, msg string, obj any, err error) {
|
|
m := entity.Msg{
|
|
Obj: obj,
|
|
}
|
|
if err == nil {
|
|
m.Success = true
|
|
if msg != "" {
|
|
m.Msg = msg
|
|
}
|
|
} else {
|
|
m.Success = false
|
|
errStr := err.Error()
|
|
if errStr != "" {
|
|
m.Msg = msg + " (" + errStr + ")"
|
|
logger.Warning(msg+" "+I18nWeb(c, "fail")+": ", err)
|
|
} else if msg != "" {
|
|
m.Msg = msg
|
|
logger.Warning(msg + " " + I18nWeb(c, "fail"))
|
|
} else {
|
|
m.Msg = I18nWeb(c, "somethingWentWrong")
|
|
logger.Warning(I18nWeb(c, "somethingWentWrong") + " " + I18nWeb(c, "fail"))
|
|
}
|
|
}
|
|
c.JSON(http.StatusOK, m)
|
|
}
|
|
|
|
// pureJsonMsg sends a pure JSON message response with custom status code.
|
|
func pureJsonMsg(c *gin.Context, statusCode int, success bool, msg string) {
|
|
c.JSON(statusCode, entity.Msg{
|
|
Success: success,
|
|
Msg: msg,
|
|
})
|
|
}
|
|
|
|
// html renders an HTML template with the provided data and title.
|
|
func html(c *gin.Context, name string, title string, data gin.H) {
|
|
if data == nil {
|
|
data = gin.H{}
|
|
}
|
|
data["title"] = title
|
|
csrfToken, err := session.EnsureCSRFToken(c)
|
|
if err != nil {
|
|
logger.Warning("Unable to create CSRF token:", err)
|
|
} else {
|
|
data["csrf_token"] = csrfToken
|
|
}
|
|
host := c.GetHeader("X-Forwarded-Host")
|
|
if host == "" {
|
|
host = c.GetHeader("X-Real-IP")
|
|
}
|
|
if host == "" {
|
|
var err error
|
|
host, _, err = net.SplitHostPort(c.Request.Host)
|
|
if err != nil {
|
|
host = c.Request.Host
|
|
}
|
|
}
|
|
data["host"] = host
|
|
data["request_uri"] = c.Request.RequestURI
|
|
data["base_path"] = c.GetString("base_path")
|
|
c.HTML(http.StatusOK, name, getContext(data))
|
|
}
|
|
|
|
// getContext adds version and other context data to the provided gin.H.
|
|
func getContext(h gin.H) gin.H {
|
|
a := gin.H{
|
|
"cur_ver": config.GetVersion(),
|
|
}
|
|
for key, value := range h {
|
|
a[key] = value
|
|
}
|
|
return a
|
|
}
|
|
|
|
// isAjax checks if the request is an AJAX request.
|
|
func isAjax(c *gin.Context) bool {
|
|
return c.GetHeader("X-Requested-With") == "XMLHttpRequest"
|
|
}
|