NanamiAdmin
8b9a757bea
- Implement new `/sessionMgr/remove` endpoint for superusers to remove sessions - Refactor session and token management to use sessionTokenMap for better tracking - Update session cleanup logic to handle both tokens and sessions - Add documentation for new API endpoint in docs/api.md - Modify logout handler to use new session removal approach
485 lines
18 KiB
Go
485 lines
18 KiB
Go
package main
|
|
|
|
import (
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"super-frpc/postLog"
|
|
)
|
|
|
|
type RegisterRequest struct {
|
|
Username string `json:"username"`
|
|
Passwd string `json:"passwd"`
|
|
}
|
|
|
|
type LoginRequest struct {
|
|
Username string `json:"username"`
|
|
Passwd string `json:"passwd"`
|
|
}
|
|
|
|
type CreateUserRequest struct {
|
|
Username string `json:"username"`
|
|
Passwd string `json:"passwd"`
|
|
Type string `json:"type"`
|
|
}
|
|
|
|
type RemoveUserRequest struct {
|
|
TargetUserID int `json:"targetUserID"`
|
|
}
|
|
|
|
type RemoveSessionRequest struct {
|
|
SessionID string `json:"sessionID"`
|
|
}
|
|
|
|
func RegisterHandler(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodPost {
|
|
SendErrorResponse(w, http.StatusMethodNotAllowed, "Invalid request method")
|
|
postLog.Warning(fmt.Sprintf("[RegisterHandler] Invalid request method: %s", r.Method))
|
|
return
|
|
}
|
|
|
|
if !ValidateTimeStamp(r.Header) {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Invalid or missing X-Timestamp in header")
|
|
postLog.Warning(fmt.Sprintf("[RegisterHandler] Invalid or missing X-Timestamp in header: %s", r.Header.Get("X-Timestamp")))
|
|
return
|
|
}
|
|
|
|
body, err := io.ReadAll(r.Body)
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Failed to read request body")
|
|
postLog.Warning(fmt.Sprintf("[RegisterHandler] Failed to read request body: %v", err))
|
|
return
|
|
}
|
|
defer r.Body.Close()
|
|
|
|
var req RegisterRequest
|
|
if err := json.Unmarshal(body, &req); err != nil {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Invalid request format")
|
|
postLog.Warning(fmt.Sprintf("[RegisterHandler] Invalid request format: %v", err))
|
|
return
|
|
}
|
|
|
|
if req.Username == "" || req.Passwd == "" {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Username and password are required")
|
|
postLog.Warning("[RegisterHandler] New user registration failed: username or password is empty")
|
|
return
|
|
}
|
|
|
|
if !isValidInput(req.Username) || !isValidInput(req.Passwd) {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Invalid input: contains illegal characters")
|
|
postLog.Debug(fmt.Sprintf("[RegisterHandler] New user registration failed: username or password contains illegal characters \"%s\":\"%s\"", req.Username, req.Passwd))
|
|
return
|
|
}
|
|
|
|
if !isValidPassword(req.Passwd) {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Password does not meet complexity requirements (must contain uppercase, lowercase, digit, and special character)")
|
|
postLog.Debug(fmt.Sprintf("[RegisterHandler] New user registration failed: password \"%s\" does not meet complexity requirements", req.Passwd))
|
|
return
|
|
}
|
|
|
|
userID, err := AddUser(req.Username, req.Passwd, "visitor")
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusInternalServerError, err.Error())
|
|
postLog.Error(fmt.Sprintf("[RegisterHandler] Failed to register user \"%s\": %v", req.Username, err))
|
|
return
|
|
}
|
|
|
|
user, err := GetUserByID(userID)
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusInternalServerError, "Failed to retrieve user after registration")
|
|
postLog.Error(fmt.Sprintf("[RegisterHandler] Failed to retrieve user \"%s\" after registration: %v", req.Username, err))
|
|
return
|
|
}
|
|
|
|
SendSuccessResponse(w, "user registered successfully", map[string]interface{}{
|
|
"userID": user.UserID,
|
|
"username": user.Username,
|
|
"type": user.Type,
|
|
})
|
|
}
|
|
|
|
func LoginHandler(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodPost {
|
|
SendErrorResponse(w, http.StatusMethodNotAllowed, "Invalid request method")
|
|
postLog.Warning(fmt.Sprintf("[LoginHandler] Invalid request method: %s", r.Method))
|
|
return
|
|
}
|
|
|
|
if !ValidateTimeStamp(r.Header) {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Invalid or missing X-Timestamp in header")
|
|
return
|
|
}
|
|
|
|
body, err := io.ReadAll(r.Body)
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Failed to read request body")
|
|
postLog.Warning(fmt.Sprintf("[LoginHandler] Failed to read request body: %v", err))
|
|
return
|
|
}
|
|
defer r.Body.Close()
|
|
|
|
var req LoginRequest
|
|
if err := json.Unmarshal(body, &req); err != nil {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Invalid request format")
|
|
postLog.Warning(fmt.Sprintf("[LoginHandler] Invalid request format: %v", err))
|
|
return
|
|
}
|
|
|
|
if req.Username == "" || req.Passwd == "" {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Username and password are required")
|
|
postLog.Warning("[LoginHandler] Login failed: username or password is empty")
|
|
return
|
|
}
|
|
|
|
if !isValidInput(req.Username) || !isValidInput(req.Passwd) {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Invalid input: contains illegal characters")
|
|
postLog.Debug(fmt.Sprintf("[LoginHandler] Login failed: username or password contains illegal characters \"%s\":\"%s\"", req.Username, req.Passwd))
|
|
return
|
|
}
|
|
|
|
user, err := GetUserByUsername(req.Username)
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusUnauthorized, "User not exist")
|
|
postLog.Warning(fmt.Sprintf("[LoginHandler] Login failed: User not exist \"%s\"", req.Username))
|
|
return
|
|
}
|
|
|
|
if !verifyPassword(req.Passwd, user.Passwd) {
|
|
SendErrorResponse(w, http.StatusUnauthorized, "Invalid password")
|
|
postLog.Warning(fmt.Sprintf("[LoginHandler] Login failed: invalid password for user \"%s\"", req.Username))
|
|
return
|
|
}
|
|
|
|
existingTokenInfo, err := GetTokenInfo(user.UserID)
|
|
if err == nil && existingTokenInfo != nil {
|
|
SendErrorResponse(w, http.StatusConflict, "User is already logged in")
|
|
postLog.Warning(fmt.Sprintf("[LoginHandler] Login failed: user \"%s\" is already logged in", req.Username))
|
|
return
|
|
}
|
|
|
|
token, err := GenerateToken(user.UserID)
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusInternalServerError, "Failed to generate token")
|
|
postLog.Error(fmt.Sprintf("[LoginHandler] Failed to generate token for user \"%s\": %v", req.Username, err))
|
|
return
|
|
}
|
|
|
|
if err := JoinSession(user.UserID, user.Username, token); err != nil {
|
|
SendErrorResponse(w, http.StatusInternalServerError, "Failed to create session")
|
|
postLog.Error(fmt.Sprintf("[LoginHandler] Failed to create session for user \"%s\": %v", req.Username, err))
|
|
return
|
|
}
|
|
|
|
SendSuccessResponse(w, "Login successful", map[string]interface{}{
|
|
"token": token,
|
|
"userID": user.UserID,
|
|
"username": user.Username,
|
|
"type": user.Type,
|
|
})
|
|
postLog.Info(fmt.Sprintf("[LoginHandler] User \"%s\" Login successful", req.Username))
|
|
}
|
|
|
|
func LogoutHandler(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodGet {
|
|
SendErrorResponse(w, http.StatusMethodNotAllowed, "Invalid request method")
|
|
postLog.Warning(fmt.Sprintf("[LogoutHandler] Invalid request method: %s", r.Method))
|
|
return
|
|
}
|
|
|
|
if !ValidateTimeStamp(r.Header) {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Invalid or missing X-Timestamp in header")
|
|
return
|
|
}
|
|
|
|
userID, err := GetUserIDFromToken(r.Header.Get("X-Token"))
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusUnauthorized, "Invalid or missing token")
|
|
postLog.Warning(fmt.Sprintf("[LogoutHandler] Invalid or missing token: %v", err))
|
|
return
|
|
}
|
|
|
|
sessionTokenMux.RLock()
|
|
sessionID := ""
|
|
for sid, token := range sessionTokenMap {
|
|
if token == r.Header.Get("X-Token") {
|
|
sessionID = sid
|
|
break
|
|
}
|
|
}
|
|
sessionTokenMux.RUnlock()
|
|
|
|
if sessionID == "" {
|
|
SendErrorResponse(w, http.StatusNotFound, "Session not found for token")
|
|
postLog.Warning(fmt.Sprintf("[LogoutHandler] Session not found for token from user [%d]%s", userID, GetUsernameByID(userID)))
|
|
return
|
|
}
|
|
|
|
if err := RemoveSession(sessionID); err != nil {
|
|
SendErrorResponse(w, http.StatusInternalServerError, "Failed to logout")
|
|
postLog.Error(fmt.Sprintf("[LogoutHandler] Failed to logout user [%d]%s: %v", userID, GetUsernameByID(userID), err))
|
|
return
|
|
}
|
|
|
|
SendSuccessResponse(w, "Logout successful", nil)
|
|
postLog.Info(fmt.Sprintf("[LogoutHandler] User [%d]%s Logout successful", userID, GetUsernameByID(userID)))
|
|
}
|
|
|
|
func RemoveSessionHandler(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodPost {
|
|
SendErrorResponse(w, http.StatusMethodNotAllowed, "Invalid request method")
|
|
postLog.Warning(fmt.Sprintf("[RemoveSessionHandler] Invalid request method: %s", r.Method))
|
|
return
|
|
}
|
|
|
|
if !ValidateTimeStamp(r.Header) {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Invalid or missing X-Timestamp in header")
|
|
postLog.Warning("[RemoveSessionHandler] Invalid or missing X-Timestamp in header")
|
|
return
|
|
}
|
|
|
|
body, err := io.ReadAll(r.Body)
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Failed to read request body")
|
|
postLog.Warning(fmt.Sprintf("[RemoveSessionHandler] Failed to read request body: %v", err))
|
|
return
|
|
}
|
|
defer r.Body.Close()
|
|
|
|
var req RemoveSessionRequest
|
|
if err := json.Unmarshal(body, &req); err != nil {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Invalid request format")
|
|
postLog.Warning(fmt.Sprintf("[RemoveSessionHandler] Invalid request format: %v", err))
|
|
return
|
|
}
|
|
|
|
if req.SessionID == "" {
|
|
SendErrorResponse(w, http.StatusBadRequest, "SessionID is required")
|
|
postLog.Warning("[RemoveSessionHandler] SessionID is empty")
|
|
return
|
|
}
|
|
|
|
userID, err := extractUserIDFromToken(r.Header.Get("X-Token"))
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusUnauthorized, "Invalid or missing token")
|
|
postLog.Warning(fmt.Sprintf("[RemoveSessionHandler] Invalid or missing token: %v", err))
|
|
return
|
|
}
|
|
|
|
if err := CheckPermission(userID, "superuser"); err != nil {
|
|
SendErrorResponse(w, http.StatusForbidden, "Permission denied")
|
|
postLog.Warning(fmt.Sprintf("[RemoveSessionHandler] Permission denied for user [%d]%s: %v", userID, GetUsernameByID(userID), err))
|
|
return
|
|
}
|
|
|
|
if err := RemoveSession(req.SessionID); err != nil {
|
|
SendErrorResponse(w, http.StatusInternalServerError, fmt.Sprintf("Failed to remove session: %v", err))
|
|
postLog.Error(fmt.Sprintf("[RemoveSessionHandler] Failed to remove session %s: %v", req.SessionID, err))
|
|
return
|
|
}
|
|
|
|
postLog.Info(fmt.Sprintf("[RemoveSessionHandler] User [%d]%s removed session %s", userID, GetUsernameByID(userID), req.SessionID))
|
|
SendSuccessResponse(w, "Session removed successfully", nil)
|
|
}
|
|
|
|
func CreateUserHandler(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodPost {
|
|
SendErrorResponse(w, http.StatusMethodNotAllowed, "Invalid request method")
|
|
postLog.Warning(fmt.Sprintf("[CreateUserHandler] Invalid request method: %s", r.Method))
|
|
return
|
|
}
|
|
|
|
if !ValidateTimeStamp(r.Header) {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Invalid or missing X-Timestamp in header")
|
|
return
|
|
}
|
|
userID, err := extractUserIDFromToken(r.Header.Get("X-Token"))
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusUnauthorized, "Invalid or missing token")
|
|
postLog.Warning(fmt.Sprintf("[CreateUserHandler] Invalid or missing token: %v", err))
|
|
return
|
|
}
|
|
user, err := GetUserByID(userID)
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusInternalServerError, "Failed to get user info")
|
|
postLog.Error(fmt.Sprintf("[CreateUserHandler] Failed to get user info for user [%d]%s: %v", userID, GetUsernameByID(userID), err))
|
|
return
|
|
}
|
|
if user.Type != "superuser" {
|
|
SendErrorResponse(w, http.StatusForbidden, "Permission denied")
|
|
postLog.Warning(fmt.Sprintf("[CreateUserHandler] Permission denied: non-superuser token for user [%d]%s", userID, GetUsernameByID(userID)))
|
|
return
|
|
}
|
|
|
|
body, err := io.ReadAll(r.Body)
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Failed to read request body")
|
|
postLog.Warning(fmt.Sprintf("[CreateUserHandler] Failed to read request body: %v", err))
|
|
return
|
|
}
|
|
defer r.Body.Close()
|
|
|
|
var req CreateUserRequest
|
|
if err := json.Unmarshal(body, &req); err != nil {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Invalid request format")
|
|
postLog.Warning(fmt.Sprintf("[CreateUserHandler] Invalid request format: %v", err))
|
|
return
|
|
}
|
|
|
|
if req.Username == "" || req.Passwd == "" || req.Type == "" {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Username, password, and type are required")
|
|
postLog.Warning("[CreateUserHandler] CreateUser failed: username, password, or type is empty")
|
|
return
|
|
}
|
|
|
|
if req.Type != "admin" && req.Type != "user" && req.Type != "superuser" {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Invalid type: must be 'admin' or 'user' or 'superuser'")
|
|
postLog.Warning(fmt.Sprintf("[CreateUserHandler] CreateUser failed: invalid type: %s", req.Type))
|
|
return
|
|
}
|
|
|
|
userID, err = AddUser(req.Username, req.Passwd, req.Type)
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusInternalServerError, err.Error())
|
|
postLog.Error(fmt.Sprintf("[RegisterHandler] Failed to register user \"%s\": %v", req.Username, err))
|
|
return
|
|
}
|
|
|
|
user, err = GetUserByID(userID)
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusInternalServerError, "Failed to retrieve user after creation")
|
|
postLog.Error(fmt.Sprintf("[CreateUserHandler] Failed to retrieve user \"%s\" after creation: %v", req.Username, err))
|
|
return
|
|
}
|
|
|
|
SendSuccessResponse(w, "User created successfully", map[string]interface{}{
|
|
"userID": user.UserID,
|
|
"username": user.Username,
|
|
"type": user.Type,
|
|
})
|
|
}
|
|
|
|
func RemoveUserHandler(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodPost {
|
|
SendErrorResponse(w, http.StatusMethodNotAllowed, "Invalid request method")
|
|
postLog.Warning(fmt.Sprintf("[RemoveUserHandler] Invalid request method: %s", r.Method))
|
|
return
|
|
}
|
|
|
|
if !ValidateTimeStamp(r.Header) {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Invalid or missing X-Timestamp in header")
|
|
return
|
|
}
|
|
userID, err := extractUserIDFromToken(r.Header.Get("X-Token"))
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusUnauthorized, "Invalid or missing token")
|
|
postLog.Warning(fmt.Sprintf("[RemoveUserHandler] Invalid or missing token: %v", err))
|
|
return
|
|
}
|
|
user, err := GetUserByID(userID)
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusInternalServerError, "Failed to get user info")
|
|
postLog.Error(fmt.Sprintf("[RemoveUserHandler] Failed to get user info for user [%d]%s: %v", userID, GetUsernameByID(userID), err))
|
|
return
|
|
}
|
|
if user.Type != "superuser" {
|
|
SendErrorResponse(w, http.StatusForbidden, "Permission denied")
|
|
postLog.Warning(fmt.Sprintf("[RemoveUserHandler] Permission denied: non-superuser token for user [%d]%s", userID, GetUsernameByID(userID)))
|
|
return
|
|
}
|
|
|
|
body, err := io.ReadAll(r.Body)
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Failed to read request body")
|
|
postLog.Warning(fmt.Sprintf("[RemoveUserHandler] Failed to read request body: %v", err))
|
|
return
|
|
}
|
|
defer r.Body.Close()
|
|
|
|
var req RemoveUserRequest
|
|
if err := json.Unmarshal(body, &req); err != nil {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Invalid request format")
|
|
postLog.Warning(fmt.Sprintf("[RemoveUserHandler] Invalid request format: %v", err))
|
|
return
|
|
}
|
|
if req.TargetUserID == 0 {
|
|
SendErrorResponse(w, http.StatusBadRequest, "TargetUserID is required")
|
|
postLog.Warning("[RemoveUserHandler] RemoveUser failed: TargetUserID is empty")
|
|
return
|
|
}
|
|
if err := RemoveUser(req.TargetUserID); err != nil {
|
|
SendErrorResponse(w, http.StatusInternalServerError, err.Error())
|
|
postLog.Error(fmt.Sprintf("[RemoveUserHandler] Failed to remove user [%d]: %v", req.TargetUserID, err))
|
|
return
|
|
}
|
|
SendSuccessResponse(w, "User removed successfully", nil)
|
|
}
|
|
|
|
func ListUserHandler(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodGet {
|
|
SendErrorResponse(w, http.StatusMethodNotAllowed, "Invalid request method")
|
|
postLog.Warning(fmt.Sprintf("[ListUserHandler] Invalid request method: %s", r.Method))
|
|
return
|
|
}
|
|
|
|
if !ValidateTimeStamp(r.Header) {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Invalid or missing X-Timestamp in header")
|
|
return
|
|
}
|
|
userID, err := extractUserIDFromToken(r.Header.Get("X-Token"))
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusUnauthorized, "Invalid or missing token")
|
|
postLog.Warning(fmt.Sprintf("[ListUserHandler] Invalid or missing token: %v", err))
|
|
return
|
|
}
|
|
user, err := GetUserByID(userID)
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusInternalServerError, "Failed to get user info")
|
|
postLog.Error(fmt.Sprintf("[ListUserHandler] Failed to get user info for user [%d]%s: %v", userID, GetUsernameByID(userID), err))
|
|
return
|
|
}
|
|
if user.Type != "superuser" {
|
|
SendErrorResponse(w, http.StatusForbidden, "Permission denied")
|
|
postLog.Warning(fmt.Sprintf("[ListUserHandler] Permission denied: non-superuser token for user [%d]%s", userID, GetUsernameByID(userID)))
|
|
return
|
|
}
|
|
userList, err := DBQueryUsers()
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusInternalServerError, "Failed to list users")
|
|
postLog.Error(fmt.Sprintf("[ListUserHandler] Failed to list users: %v", err))
|
|
return
|
|
}
|
|
SendSuccessResponse(w, "User list retrieved successfully", userList)
|
|
}
|
|
|
|
func ListActiveSessionsHandler(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodGet {
|
|
SendErrorResponse(w, http.StatusMethodNotAllowed, "Invalid request method")
|
|
postLog.Warning(fmt.Sprintf("[ListActiveSessionsHandler] Invalid request method: %s", r.Method))
|
|
return
|
|
}
|
|
|
|
if !ValidateTimeStamp(r.Header) {
|
|
SendErrorResponse(w, http.StatusBadRequest, "Invalid or missing X-Timestamp in header")
|
|
postLog.Warning("[ListActiveSessionsHandler] Invalid or missing X-Timestamp in header")
|
|
return
|
|
}
|
|
|
|
userID, err := extractUserIDFromToken(r.Header.Get("X-Token"))
|
|
if err != nil {
|
|
SendErrorResponse(w, http.StatusUnauthorized, "Invalid or missing token")
|
|
postLog.Warning(fmt.Sprintf("[ListActiveSessionsHandler] Invalid or missing token: %v", err))
|
|
return
|
|
}
|
|
|
|
if err := CheckPermission(userID, "superuser"); err != nil {
|
|
SendErrorResponse(w, http.StatusForbidden, "Permission denied")
|
|
postLog.Warning(fmt.Sprintf("[ListActiveSessionsHandler] Permission denied for user [%d]%s: %v", userID, GetUsernameByID(userID), err))
|
|
return
|
|
}
|
|
|
|
sessions := ListActiveSessions()
|
|
postLog.Debug(fmt.Sprintf("[ListActiveSessionsHandler] User [%d]%s listed %d active sessions", userID, GetUsernameByID(userID), len(sessions)))
|
|
SendSuccessResponse(w, "Active sessions listed", sessions)
|
|
}
|