admin/nexus-terminal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: 添加 passkey 登录功能

Browse Source
This commit is contained in:
Baobhan Sith
2025-05-08 14:13:32 +08:00
parent 56dcbc33e0
commit bc4ae93d7d
20 changed files with 1347 additions and 159 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/backend/src/auth/auth.controller.ts
+292 -98
View File
@@ -1,4 +1,3 @@
import { Request, Response } from 'express';
import bcrypt from 'bcrypt';
import { getDbInstance, runDb, getDb, allDb } from '../database/connection';
@@ -8,13 +7,15 @@ import { NotificationService } from '../services/notification.service';
import { AuditLogService } from '../services/audit.service';
import { ipBlacklistService } from '../services/ip-blacklist.service';
import { captchaService } from '../services/captcha.service';
import { settingsService } from '../services/settings.service';
import { settingsService } from '../services/settings.service';
import { passkeyService } from '../services/passkey.service'; // +++ Passkey Service
import { passkeyRepository } from '../repositories/passkey.repository'; // +++ Passkey Repository
import { userRepository } from '../repositories/user.repository'; // For passkey auth success
const notificationService = new NotificationService();
const auditLogService = new AuditLogService();
export interface User { // Add export keyword
export interface User {
id: number;
username: string;
hashed_password: string;
@@ -27,11 +28,260 @@ declare module 'express-session' {
username?: string;
tempTwoFactorSecret?: string;
requiresTwoFactor?: boolean;
// currentChallenge?: string; // Removed Passkey challenge storage
currentChallenge?: string; // +++ For Passkey challenge storage
passkeyUserHandle?: string; // +++ For Passkey user handle (user ID as string)
rememberMe?: boolean;
}
}
// --- Passkey Controller Methods ---
/**
* 生成 Passkey 注册选项 (POST /api/v1/auth/passkey/registration-options)
*/
export const generatePasskeyRegistrationOptionsHandler = async (req: Request, res: Response): Promise<void> => {
const userId = req.session.userId;
const username = req.session.username;
if (!userId || !username) {
res.status(401).json({ message: '用户未认证。' });
return;
}
try {
// PasskeyService's generateRegistrationOptions expects userId as number
const options = await passkeyService.generateRegistrationOptions(username, userId);
req.session.currentChallenge = options.challenge;
// The user.id from options is a Uint8Array. We need to store the original string userId for userHandle.
req.session.passkeyUserHandle = userId.toString();
console.log(`[AuthController] Generated Passkey registration options for user ${username}, challenge: ${options.challenge.substring(0,10)}...`);
res.json(options);
} catch (error: any) {
console.error(`[AuthController] 生成 Passkey 注册选项时出错 (用户: ${username}):`, error.message, error.stack);
res.status(500).json({ message: '生成 Passkey 注册选项失败。', error: error.message });
}
};
/**
* 验证并保存新的 Passkey (POST /api/v1/auth/passkey/register)
*/
export const verifyPasskeyRegistrationHandler = async (req: Request, res: Response): Promise<void> => {
const registrationResponse = req.body; // The whole body is the response from @simplewebauthn/browser
const expectedChallenge = req.session.currentChallenge;
const userHandle = req.session.passkeyUserHandle;
if (!registrationResponse) {
res.status(400).json({ message: '注册响应不能为空。' });
return;
}
if (!expectedChallenge) {
res.status(400).json({ message: '会话中未找到质询信息,请重试注册流程。' });
return;
}
if (!userHandle) {
res.status(400).json({ message: '会话中未找到用户句柄,请重试注册流程。' });
return;
}
try {
const verification = await passkeyService.verifyRegistration(
registrationResponse,
expectedChallenge,
userHandle // userHandle is userId as string
);
if (verification.verified && verification.newPasskeyToSave) {
await passkeyRepository.createPasskey(verification.newPasskeyToSave);
const userIdNum = parseInt(userHandle, 10);
console.log(`[AuthController] 用户 ${userHandle} 的 Passkey 注册成功并已保存。 CredentialID: ${verification.newPasskeyToSave.credential_id}`);
auditLogService.logAction('PASSKEY_REGISTERED', { userId: userIdNum, credentialId: verification.newPasskeyToSave.credential_id });
notificationService.sendNotification('PASSKEY_REGISTERED', { userId: userIdNum, username: req.session.username, credentialId: verification.newPasskeyToSave.credential_id });
delete req.session.currentChallenge;
delete req.session.passkeyUserHandle;
res.status(201).json({ verified: true, message: 'Passkey 注册成功。' });
} else {
console.warn(`[AuthController] Passkey 注册验证失败 (用户: ${userHandle}):`, verification);
res.status(400).json({ verified: false, message: 'Passkey 注册验证失败。', error: (verification as any).error?.message || 'Unknown verification error' });
}
} catch (error: any) {
console.error(`[AuthController] 验证 Passkey 注册时出错 (用户: ${userHandle}):`, error.message, error.stack);
res.status(500).json({ verified: false, message: '验证 Passkey 注册失败。', error: error.message });
}
};
/**
* 生成 Passkey 认证选项 (POST /api/v1/auth/passkey/authentication-options)
*/
export const generatePasskeyAuthenticationOptionsHandler = async (req: Request, res: Response): Promise<void> => {
const { username } = req.body; // Can be initiated by username (if not logged in) or for currently logged-in user
try {
// PasskeyService's generateAuthenticationOptions can optionally take a username
const options = await passkeyService.generateAuthenticationOptions(username);
req.session.currentChallenge = options.challenge;
// For authentication, userHandle is not strictly needed in session beforehand if RP ID is specific enough
// or if allowCredentials is used. We'll clear any old one just in case.
delete req.session.passkeyUserHandle;
console.log(`[AuthController] Generated Passkey authentication options (username: ${username || 'any'}), challenge: ${options.challenge.substring(0,10)}...`);
res.json(options);
} catch (error: any) {
console.error(`[AuthController] 生成 Passkey 认证选项时出错 (username: ${username || 'any'}):`, error.message, error.stack);
res.status(500).json({ message: '生成 Passkey 认证选项失败。', error: error.message });
}
};
/**
* 验证 Passkey 凭据并登录用户 (POST /api/v1/auth/passkey/authenticate)
*/
export const verifyPasskeyAuthenticationHandler = async (req: Request, res: Response): Promise<void> => {
const authenticationResponse = req.body; // The whole body is the response from @simplewebauthn/browser
const expectedChallenge = req.session.currentChallenge;
const { rememberMe } = req.body; // Optional rememberMe flag
if (!authenticationResponse) {
res.status(400).json({ message: '认证响应不能为空。' });
return;
}
if (!expectedChallenge) {
res.status(400).json({ message: '会话中未找到质询信息,请重试认证流程。' });
return;
}
try {
const verification = await passkeyService.verifyAuthentication(
authenticationResponse,
expectedChallenge
);
if (verification.verified && verification.userId && verification.passkey) {
const user = await userRepository.findUserById(verification.userId);
if (!user) {
// This should ideally not happen if passkey verification was successful
console.error(`[AuthController] Passkey 认证成功但未找到用户 ID: ${verification.userId}`);
auditLogService.logAction('PASSKEY_AUTH_FAILURE', { credentialId: verification.passkey.credential_id, reason: 'User not found after verification' });
res.status(401).json({ verified: false, message: 'Passkey 认证失败:用户数据错误。' });
return;
}
console.log(`[AuthController] 用户 ${user.username} (ID: ${user.id}) 通过 Passkey (ID: ${verification.passkey.id}) 认证成功。`);
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown';
auditLogService.logAction('PASSKEY_AUTH_SUCCESS', { userId: user.id, username: user.username, credentialId: verification.passkey.credential_id, ip: clientIp });
notificationService.sendNotification('LOGIN_SUCCESS', { userId: user.id, username: user.username, ip: clientIp, method: 'Passkey' });
// Setup session similar to password login
req.session.userId = user.id;
req.session.username = user.username;
req.session.requiresTwoFactor = false; // Passkey implies 2FA characteristics
if (rememberMe) {
req.session.cookie.maxAge = 315360000000; // 10 years
} else {
req.session.cookie.maxAge = undefined; // Session cookie
}
delete req.session.currentChallenge;
delete req.session.passkeyUserHandle;
res.status(200).json({
verified: true,
message: 'Passkey 认证成功。',
user: { id: user.id, username: user.username }
});
} else {
console.warn(`[AuthController] Passkey 认证验证失败:`, verification);
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown';
auditLogService.logAction('PASSKEY_AUTH_FAILURE', {
credentialId: authenticationResponse.id,
reason: 'Verification failed',
ip: clientIp
});
res.status(401).json({ verified: false, message: 'Passkey 认证失败。' });
}
} catch (error: any) {
console.error(`[AuthController] 验证 Passkey 认证时出错:`, error.message, error.stack);
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown';
auditLogService.logAction('PASSKEY_AUTH_FAILURE', {
credentialId: authenticationResponse?.id || 'unknown',
reason: error.message,
ip: clientIp
});
res.status(500).json({ verified: false, message: '验证 Passkey 认证失败。', error: error.message });
}
};
/**
* 获取当前认证用户的所有 Passkey (GET /api/v1/user/passkeys)
*/
export const listUserPasskeysHandler = async (req: Request, res: Response): Promise<void> => {
const userId = req.session.userId;
const username = req.session.username;
if (!userId || !username) {
res.status(401).json({ message: '用户未认证。' });
return;
}
try {
const passkeys = await passkeyService.listPasskeysByUserId(userId);
console.log(`[AuthController] 用户 ${username} (ID: ${userId}) 获取了 Passkey 列表,数量: ${passkeys.length}`);
res.status(200).json(passkeys);
} catch (error: any) {
console.error(`[AuthController] 用户 ${username} (ID: ${userId}) 获取 Passkey 列表时出错:`, error.message, error.stack);
res.status(500).json({ message: '获取 Passkey 列表失败。', error: error.message });
}
};
/**
* 删除当前认证用户指定的 Passkey (DELETE /api/v1/user/passkeys/:credentialID)
*/
export const deleteUserPasskeyHandler = async (req: Request, res: Response): Promise<void> => {
const userId = req.session.userId;
const username = req.session.username;
const { credentialID } = req.params;
if (!userId || !username) {
res.status(401).json({ message: '用户未认证。' });
return;
}
if (!credentialID) {
res.status(400).json({ message: '必须提供 Passkey 的 CredentialID。' });
return;
}
try {
const wasDeleted = await passkeyService.deletePasskey(userId, credentialID);
if (wasDeleted) {
console.log(`[AuthController] 用户 ${username} (ID: ${userId}) 成功删除了 Passkey (CredentialID: ${credentialID})。`);
auditLogService.logAction('PASSKEY_DELETED', { userId, username, credentialId: credentialID });
notificationService.sendNotification('PASSKEY_DELETED', { userId, username, credentialId: credentialID });
res.status(200).json({ message: 'Passkey 删除成功。' });
} else {
// 这通常不应该发生,因为 service 层会在找不到或权限不足时抛出错误
console.warn(`[AuthController] 用户 ${username} (ID: ${userId}) 删除 Passkey (CredentialID: ${credentialID}) 失败,但未抛出错误。`);
res.status(404).json({ message: 'Passkey 未找到或无法删除。' });
}
} catch (error: any) {
console.error(`[AuthController] 用户 ${username} (ID: ${userId}) 删除 Passkey (CredentialID: ${credentialID}) 时出错:`, error.message, error.stack);
if (error.message === 'Passkey not found.') {
res.status(404).json({ message: '指定的 Passkey 未找到。' });
} else if (error.message === 'Unauthorized to delete this passkey.') {
auditLogService.logAction('PASSKEY_DELETE_UNAUTHORIZED', { userId, username, credentialIdAttempted: credentialID });
res.status(403).json({ message: '无权删除此 Passkey。' });
} else {
res.status(500).json({ message: '删除 Passkey 失败。', error: error.message });
}
}
};
/**
* 处理用户登录请求 (POST /api/v1/auth/login)
@@ -61,7 +311,7 @@ export const login = async (req: Request, res: Response): Promise<void> => {
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown';
ipBlacklistService.recordFailedAttempt(clientIp);
auditLogService.logAction('LOGIN_FAILURE', { username, reason: 'Invalid CAPTCHA token', ip: clientIp });
notificationService.sendNotification('LOGIN_FAILURE', { username, reason: 'Invalid CAPTCHA token', ip: clientIp }); // 取消注释
notificationService.sendNotification('LOGIN_FAILURE', { username, reason: 'Invalid CAPTCHA token', ip: clientIp });
res.status(401).json({ message: 'CAPTCHA 验证失败。' });
return;
}
@@ -84,12 +334,9 @@ export const login = async (req: Request, res: Response): Promise<void> => {
if (!user) {
console.log(`登录尝试失败: 用户未找到 - ${username}`);
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown';
// 记录失败尝试
ipBlacklistService.recordFailedAttempt(clientIp);
// 记录审计日志 (添加 IP)
auditLogService.logAction('LOGIN_FAILURE', { username, reason: 'User not found', ip: clientIp });
// 发送登录失败通知
notificationService.sendNotification('LOGIN_FAILURE', { username, reason: 'User not found', ip: clientIp }); // 取消注释
notificationService.sendNotification('LOGIN_FAILURE', { username, reason: 'User not found', ip: clientIp });
res.status(401).json({ message: '无效的凭据。' });
return;
}
@@ -98,13 +345,10 @@ export const login = async (req: Request, res: Response): Promise<void> => {
if (!isMatch) {
console.log(`登录尝试失败: 密码错误 - ${username}`);
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown'; // 获取客户端 IP
// 记录失败尝试
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown';
ipBlacklistService.recordFailedAttempt(clientIp);
// 记录审计日志 (添加 IP)
auditLogService.logAction('LOGIN_FAILURE', { username, reason: 'Invalid password', ip: clientIp });
// 发送登录失败通知
notificationService.sendNotification('LOGIN_FAILURE', { username, reason: 'Invalid password', ip: clientIp }); // 取消注释
notificationService.sendNotification('LOGIN_FAILURE', { username, reason: 'Invalid password', ip: clientIp });
res.status(401).json({ message: '无效的凭据。' });
return;
}
@@ -112,30 +356,23 @@ export const login = async (req: Request, res: Response): Promise<void> => {
// 检查是否启用了 2FA
if (user.two_factor_secret) {
console.log(`用户 ${username} 已启用 2FA,需要进行二次验证。`);
// 不设置完整 session,只标记需要 2FA
req.session.userId = user.id; // 临时存储 userId 以便 2FA 验证
req.session.userId = user.id;
req.session.requiresTwoFactor = true;
req.session.rememberMe = rememberMe; // 临时存储 rememberMe 状态
req.session.rememberMe = rememberMe;
res.status(200).json({ message: '需要进行两步验证。', requiresTwoFactor: true });
} else {
// --- 认证成功 (未启用 2FA) ---
console.log(`登录成功 (无 2FA): ${username}`);
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown'; // 获取客户端 IP
// 重置失败尝试次数
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown';
ipBlacklistService.resetAttempts(clientIp);
// 记录审计日志 (添加 IP)
auditLogService.logAction('LOGIN_SUCCESS', { userId: user.id, username, ip: clientIp });
notificationService.sendNotification('LOGIN_SUCCESS', { userId: user.id, username, ip: clientIp }); // 添加通知调用
notificationService.sendNotification('LOGIN_SUCCESS', { userId: user.id, username, ip: clientIp });
req.session.userId = user.id;
req.session.username = user.username;
req.session.requiresTwoFactor = false; // 明确标记不需要 2FA
req.session.requiresTwoFactor = false;
// 根据 rememberMe 设置 cookie maxAge
if (rememberMe) {
// 如果勾选了“记住我”,设置 cookie 有效期为 10 年 (毫秒)
req.session.cookie.maxAge = 315360000000;
} else {
// 如果未勾选,则不设置 maxAge,使其成为会话 cookie
req.session.cookie.maxAge = undefined;
}
@@ -159,17 +396,14 @@ export const getAuthStatus = async (req: Request, res: Response): Promise<void>
const username = req.session.username;
if (!userId || !username || req.session.requiresTwoFactor) {
// 如果 session 无效或 2FA 未完成,视为未认证
res.status(401).json({ isAuthenticated: false });
return;
}
try {
const db = await getDbInstance(); // Get DB instance
// 查询用户的 2FA 状态 using promisified getDb
const db = await getDbInstance();
const user = await getDb<{ two_factor_secret: string | null }>(db, 'SELECT two_factor_secret FROM users WHERE id = ?', [userId]);
// 如果找不到用户,也视为未认证
if (!user) {
res.status(401).json({ isAuthenticated: false });
return;
@@ -180,7 +414,7 @@ export const getAuthStatus = async (req: Request, res: Response): Promise<void>
user: {
id: userId,
username: username,
isTwoFactorEnabled: !!user.two_factor_secret // 返回 2FA 是否启用
isTwoFactorEnabled: !!user.two_factor_secret
}
});
@@ -194,9 +428,8 @@ export const getAuthStatus = async (req: Request, res: Response): Promise<void>
*/
export const verifyLogin2FA = async (req: Request, res: Response): Promise<void> => {
const { token } = req.body;
const userId = req.session.userId; // 获取之前临时存储的 userId
const userId = req.session.userId;
// 检查 session 状态
if (!userId || !req.session.requiresTwoFactor) {
res.status(400).json({ message: '无效的请求或会话状态。' });
return;
@@ -209,7 +442,6 @@ export const verifyLogin2FA = async (req: Request, res: Response): Promise<void>
try {
const db = await getDbInstance();
// 获取用户的 2FA 密钥 using promisified getDb
const user = await getDb<User>(db, 'SELECT id, username, two_factor_secret FROM users WHERE id = ?', [userId]);
@@ -220,35 +452,27 @@ export const verifyLogin2FA = async (req: Request, res: Response): Promise<void>
return;
}
// 验证 TOTP 令牌
const verified = speakeasy.totp.verify({
secret: user.two_factor_secret,
encoding: 'base32',
token: token,
window: 1 // 允许前后一个时间窗口 (30秒) 的容错
window: 1
});
if (verified) {
console.log(`用户 ${user.username} 2FA 验证成功。`);
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown'; // 获取客户端 IP
// 重置失败尝试次数
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown';
ipBlacklistService.resetAttempts(clientIp);
// 记录审计日志 (2FA 成功也算登录成功) (添加 IP)
auditLogService.logAction('LOGIN_SUCCESS', { userId: user.id, username: user.username, ip: clientIp, twoFactor: true });
notificationService.sendNotification('LOGIN_SUCCESS', { userId: user.id, username: user.username, ip: clientIp, twoFactor: true }); // 添加通知调用
// 验证成功,建立完整会话
notificationService.sendNotification('LOGIN_SUCCESS', { userId: user.id, username: user.username, ip: clientIp, twoFactor: true });
req.session.username = user.username;
req.session.requiresTwoFactor = false; // 标记 2FA 已完成
req.session.requiresTwoFactor = false;
// 根据之前存储在 session 中的 rememberMe 设置 cookie maxAge
if (req.session.rememberMe) {
// 如果勾选了“记住我”,设置 cookie 有效期为 1 年 (毫秒)
req.session.cookie.maxAge = 315360000000; // 10 years (Effectively permanent)
req.session.cookie.maxAge = 315360000000;
} else {
// 如果未勾选,则不设置 maxAge,使其成为会话 cookie
req.session.cookie.maxAge = undefined; // 或者 null
req.session.cookie.maxAge = undefined;
}
// 清除临时的 rememberMe 状态
delete req.session.rememberMe;
res.status(200).json({
@@ -257,12 +481,10 @@ export const verifyLogin2FA = async (req: Request, res: Response): Promise<void>
});
} else {
console.log(`用户 ${user.username} 2FA 验证失败: 验证码错误。`);
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown'; // 获取客户端 IP
// 记录失败尝试
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown';
ipBlacklistService.recordFailedAttempt(clientIp);
// 记录审计日志 (添加 IP)
auditLogService.logAction('LOGIN_FAILURE', { userId: user.id, username: user.username, reason: 'Invalid 2FA token', ip: clientIp });
notificationService.sendNotification('LOGIN_FAILURE', { userId: user.id, username: user.username, reason: 'Invalid 2FA token', ip: clientIp }); // 添加通知调用
notificationService.sendNotification('LOGIN_FAILURE', { userId: user.id, username: user.username, reason: 'Invalid 2FA token', ip: clientIp });
res.status(401).json({ message: '验证码无效。' });
}
@@ -278,15 +500,13 @@ export const verifyLogin2FA = async (req: Request, res: Response): Promise<void>
*/
export const changePassword = async (req: Request, res: Response): Promise<void> => {
const { currentPassword, newPassword } = req.body;
const userId = req.session.userId; // 从会话中获取用户 ID
const userId = req.session.userId;
// 检查用户是否登录且 2FA 已完成 (如果需要)
if (!userId || req.session.requiresTwoFactor) {
res.status(401).json({ message: '用户未认证或认证未完成,请先登录。' });
return;
}
// 基础输入验证
if (!currentPassword || !newPassword) {
res.status(400).json({ message: '当前密码和新密码不能为空。' });
return;
@@ -335,10 +555,9 @@ export const changePassword = async (req: Request, res: Response): Promise<void>
}
console.log(`用户 ${userId} 密码已成功修改。`);
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown'; // 获取客户端 IP
// 记录审计日志 (添加 IP)
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown';
auditLogService.logAction('PASSWORD_CHANGED', { userId, ip: clientIp });
notificationService.sendNotification('PASSWORD_CHANGED', { userId, ip: clientIp }); // 添加通知调用
notificationService.sendNotification('PASSWORD_CHANGED', { userId, ip: clientIp });
res.status(200).json({ message: '密码已成功修改。' });
@@ -354,7 +573,7 @@ export const changePassword = async (req: Request, res: Response): Promise<void>
*/
export const setup2FA = async (req: Request, res: Response): Promise<void> => {
const userId = req.session.userId;
const username = req.session.username; // 获取用户名用于 OTP URL
const username = req.session.username;
if (!userId || !username || req.session.requiresTwoFactor) {
res.status(401).json({ message: '用户未认证或认证未完成。' });
@@ -363,7 +582,6 @@ export const setup2FA = async (req: Request, res: Response): Promise<void> => {
try {
const db = await getDbInstance();
// 检查用户是否已启用 2FA using promisified getDb
const user = await getDb<{ two_factor_secret: string | null }>(db, 'SELECT two_factor_secret FROM users WHERE id = ?', [userId]);
const existingSecret = user ? user.two_factor_secret : null;
@@ -373,30 +591,25 @@ export const setup2FA = async (req: Request, res: Response): Promise<void> => {
return;
}
// 生成新的 2FA 密钥
const secret = speakeasy.generateSecret({
length: 20,
name: `NexusTerminal (${username})` // 应用名称和用户名,显示在 Authenticator 应用中
name: `NexusTerminal (${username})`
});
// 将临时密钥存储在 session 中,等待验证
req.session.tempTwoFactorSecret = secret.base32;
// 生成 OTP Auth URL (用于生成二维码)
if (!secret.otpauth_url) {
throw new Error('无法生成 OTP Auth URL');
}
// 生成二维码 Data URL
qrcode.toDataURL(secret.otpauth_url, (err, data_url) => {
if (err) {
console.error('生成二维码时出错:', err);
throw new Error('生成二维码失败');
}
// 返回密钥 (base32) 和二维码数据 URL 给前端
res.json({
secret: secret.base32, // 供用户手动输入
qrCodeUrl: data_url // 用于显示二维码图片
secret: secret.base32,
qrCodeUrl: data_url
});
});
@@ -415,7 +628,7 @@ export const setup2FA = async (req: Request, res: Response): Promise<void> => {
export const verifyAndActivate2FA = async (req: Request, res: Response): Promise<void> => {
const { token } = req.body;
const userId = req.session.userId;
const tempSecret = req.session.tempTwoFactorSecret; // 获取存储在 session 中的临时密钥
const tempSecret = req.session.tempTwoFactorSecret;
if (!userId || req.session.requiresTwoFactor) {
res.status(401).json({ message: '用户未认证或认证未完成。' });
@@ -434,16 +647,14 @@ export const verifyAndActivate2FA = async (req: Request, res: Response): Promise
try {
const db = await getDbInstance();
// 使用临时密钥验证用户提交的令牌
const verified = speakeasy.totp.verify({
secret: tempSecret,
encoding: 'base32',
token: token,
window: 1 // 允许一定的时钟漂移
window: 1
});
if (verified) {
// 验证成功,将密钥永久存储到数据库 using promisified runDb
const now = Math.floor(Date.now() / 1000);
const result = await runDb(db,
'UPDATE users SET two_factor_secret = ?, updated_at = ? WHERE id = ?',
@@ -457,16 +668,13 @@ export const verifyAndActivate2FA = async (req: Request, res: Response): Promise
console.log(`用户 ${userId} 已成功激活两步验证。`);
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown';
// 记录审计日志 (添加 IP)
auditLogService.logAction('2FA_ENABLED', { userId, ip: clientIp });
notificationService.sendNotification('2FA_ENABLED', { userId, ip: clientIp }); // 添加通知调用
notificationService.sendNotification('2FA_ENABLED', { userId, ip: clientIp });
// 清除 session 中的临时密钥
delete req.session.tempTwoFactorSecret;
res.status(200).json({ message: '两步验证已成功激活!' });
} else {
// 验证失败
console.log(`用户 ${userId} 2FA 激活失败: 验证码错误。`);
res.status(400).json({ message: '验证码无效。' });
}
@@ -482,7 +690,7 @@ export const verifyAndActivate2FA = async (req: Request, res: Response): Promise
*/
export const disable2FA = async (req: Request, res: Response): Promise<void> => {
const userId = req.session.userId;
const { password } = req.body; // 需要验证当前密码以禁用
const { password } = req.body;
if (!userId || req.session.requiresTwoFactor) {
res.status(401).json({ message: '用户未认证或认证未完成。' });
@@ -496,7 +704,6 @@ export const disable2FA = async (req: Request, res: Response): Promise<void> =>
try {
const db = await getDbInstance();
// 验证当前密码
const user = await getDb<User>(db, 'SELECT id, hashed_password FROM users WHERE id = ?', [userId]);
if (!user) {
@@ -507,7 +714,6 @@ export const disable2FA = async (req: Request, res: Response): Promise<void> =>
res.status(400).json({ message: '当前密码不正确。' }); return;
}
// 清除数据库中的 2FA 密钥
const now = Math.floor(Date.now() / 1000);
const result = await runDb(db,
'UPDATE users SET two_factor_secret = NULL, updated_at = ? WHERE id = ?',
@@ -521,9 +727,8 @@ export const disable2FA = async (req: Request, res: Response): Promise<void> =>
console.log(`用户 ${userId} 已成功禁用两步验证。`);
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown';
// 记录审计日志 (添加 IP)
auditLogService.logAction('2FA_DISABLED', { userId, ip: clientIp });
notificationService.sendNotification('2FA_DISABLED', { userId, ip: clientIp }); // 添加通知调用
notificationService.sendNotification('2FA_DISABLED', { userId, ip: clientIp });
res.status(200).json({ message: '两步验证已成功禁用。' });
@@ -539,8 +744,7 @@ export const disable2FA = async (req: Request, res: Response): Promise<void> =>
*/
export const needsSetup = async (req: Request, res: Response): Promise<void> => {
try {
const db = await getDbInstance(); // Get DB instance
// Use promisified getDb
const db = await getDbInstance();
const row = await getDb<{ count: number }>(db, 'SELECT COUNT(*) as count FROM users');
const userCount = row ? row.count : 0;
@@ -548,7 +752,6 @@ export const needsSetup = async (req: Request, res: Response): Promise<void> =>
} catch (error) {
console.error('检查设置状态时发生内部错误:', error);
// 如果检查失败,保守起见返回 false,避免用户卡在设置页面
res.status(500).json({ message: '检查设置状态时发生错误。', needsSetup: false });
}
};
@@ -559,7 +762,6 @@ export const needsSetup = async (req: Request, res: Response): Promise<void> =>
export const setupAdmin = async (req: Request, res: Response): Promise<void> => {
const { username, password, confirmPassword } = req.body;
// 基本输入验证
if (!username || !password || !confirmPassword) {
res.status(400).json({ message: '用户名、密码和确认密码不能为空。' });
return;
@@ -576,7 +778,6 @@ export const setupAdmin = async (req: Request, res: Response): Promise<void> =>
try {
const db = await getDbInstance();
// 检查数据库中是否已存在用户
const row = await getDb<{ count: number }>(db, 'SELECT COUNT(*) as count FROM users');
const userCount = row ? row.count : 0;
@@ -586,12 +787,10 @@ export const setupAdmin = async (req: Request, res: Response): Promise<void> =>
return;
}
// 哈希密码
const saltRounds = 10;
const hashedPassword = await bcrypt.hash(password, saltRounds);
const now = Math.floor(Date.now() / 1000);
// 插入新用户
const result = await runDb(db,
`INSERT INTO users (username, hashed_password, created_at, updated_at)
VALUES (?, ?, ?, ?)`,
@@ -607,9 +806,8 @@ export const setupAdmin = async (req: Request, res: Response): Promise<void> =>
console.log(`初始管理员账号 '${username}' (ID: ${newUser.id}) 已成功创建。`);
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown';
// 记录审计日志 (添加 IP)
auditLogService.logAction('ADMIN_SETUP_COMPLETE', { userId: newUser.id, username, ip: clientIp });
notificationService.sendNotification('ADMIN_SETUP_COMPLETE', { userId: newUser.id, username, ip: clientIp }); // 添加通知调用
notificationService.sendNotification('ADMIN_SETUP_COMPLETE', { userId: newUser.id, username, ip: clientIp });
res.status(201).json({ message: '初始管理员账号创建成功!' });
@@ -629,17 +827,14 @@ export const logout = (req: Request, res: Response): void => {
req.session.destroy((err) => {
if (err) {
console.error(`销毁用户 ${userId} (${username}) 的会话时出错:`, err);
// 即使销毁失败,也尝试让前端认为已登出
res.status(500).json({ message: '登出时发生服务器内部错误。' });
} else {
console.log(`用户 ${userId} (${username}) 已成功登出。`);
// 清除客户端的 session cookie (通常 connect-sqlite3 会处理,但显式设置更保险)
res.clearCookie('connect.sid'); // 'connect.sid' 是 express-session 的默认 cookie 名称
// 记录审计日志
if (userId) { // 仅在能获取到 userId 时记录
res.clearCookie('connect.sid');
if (userId) {
const clientIp = req.ip || req.socket?.remoteAddress || 'unknown';
auditLogService.logAction('LOGOUT', { userId, username, ip: clientIp });
notificationService.sendNotification('LOGOUT', { userId, username, ip: clientIp }); // 添加通知调用
notificationService.sendNotification('LOGOUT', { userId, username, ip: clientIp });
}
res.status(200).json({ message: '已成功登出。' });
}
@@ -666,7 +861,6 @@ export const getPublicCaptchaConfig = async (req: Request, res: Response): Promi
res.status(200).json(publicConfig);
} catch (error: any) {
console.error('[AuthController] 获取公共 CAPTCHA 配置时出错:', error);
// 即使出错,也返回一个“禁用”状态,避免前端出错
res.status(500).json({
enabled: false,
provider: 'none',