
Commit cb016aa

Improve kernel API authentication (#9702)
* 🎨 Add API `/api/network/echo` * 🎨 Improve localhost checking * 🎨 Add `model.CheckReadonly` for some APIs /api/storage/setLocalStorage /api/storage/setLocalStorageVal /api/notebook/openNotebook /api/notebook/removeNotebook /api/search/removeTemplate /api/attr/setBlockAttrs /api/sync/importSyncProviderS3 /api/sync/importSyncProviderWebDAV /api/riff/resetRiffCards /api/snippet/setSnippet /api/av/setAttributeViewBlockAttr /api/archive/zip /api/archive/unzip * 🎨 Remove `model.CheckReadonly` for some APIs /api/history/searchHistory /api/history/getHistoryItems /api/search/findReplace /api/block/getParentNextChildID /api/file/readDir /api/sync/listCloudSyncDir /api/asset/getDocImageAssets /api/template/renderSprig /api/ai/chatGPT /api/ai/chatGPTWithAction * 🎨 improve API `/api/network/echo`
1 parent 70b3406 commit cb016aa


5 files changed

+110
-51
lines changed


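--- a/app/src/protyle/util/compatibility.ts
+++ b/app/src/protyle/util/compatibility.ts
@@ -263,11 +263,13 @@ export const getLocalStorage = (cb: () => void) => {
 });
 cb();
 
-// 数据兼容,移除历史数据,3.8.4 移除
-fetchPost("/api/storage/removeLocalStorageVals", {
-app: Constants.SIYUAN_APPID,
-keys: ["leftColumn", "local-searchkey", "local-searchedata", "local-searchekeys", "local-searchetabdata", "rightColumn", "topBar"]
-});
+if (!window.siyuan.config.readonly) {
+// 数据兼容,移除历史数据,3.8.4 移除
+fetchPost("/api/storage/removeLocalStorageVals", {
+app: Constants.SIYUAN_APPID,
+keys: ["leftColumn", "local-searchkey", "local-searchedata", "local-searchekeys", "local-searchetabdata", "rightColumn", "topBar"]
+});
+}
 });
 };
 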

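--- a/kernel/api/network.go
+++ b/kernel/api/network.go
@@ -33,6 +33,71 @@ import (
 "github.com/siyuan-note/siyuan/kernel/util"
 )
 
+func echo(c *gin.Context) {
+ret := gulu.Ret.NewResult()
+defer c.JSON(http.StatusOK, ret)
+
+password, passwordSet := c.Request.URL.User.Password()
+
+var rawData any
+if data, err := c.GetRawData(); nil == err {
+rawData = base64.StdEncoding.EncodeToString(data)
+} else {
+rawData = nil
+}
+
+ret.Data = map[string]interface{}{
+"Context": map[string]interface{}{
+"Params": c.Params,
+"HandlerNames": c.HandlerNames(),
+"FullPath": c.FullPath(),
+"ClientIP": c.ClientIP(),
+"RemoteIP": c.RemoteIP(),
+"ContentType": c.ContentType(),
+"IsWebsocket": c.IsWebsocket(),
+"RawData": rawData,
+},
+"Request": map[string]interface{}{
+"Method": c.Request.Method,
+"URL": c.Request.URL,
+"Proto": c.Request.Proto,
+"ProtoMajor": c.Request.ProtoMajor,
+"ProtoMinor": c.Request.ProtoMinor,
+"Header": c.Request.Header,
+"ContentLength": c.Request.ContentLength,
+"TransferEncoding": c.Request.TransferEncoding,
+"Close": c.Request.Close,
+"Host": c.Request.Host,
+"Form": c.Request.Form,
+"PostForm": c.Request.PostForm,
+"MultipartForm": c.Request.MultipartForm,
+"Trailer": c.Request.Trailer,
+"RemoteAddr": c.Request.RemoteAddr,
+"TLS": c.Request.TLS,
+"UserAgent": c.Request.UserAgent(),
+"Cookies": c.Request.Cookies(),
+"Referer": c.Request.Referer(),
+},
+"URL": map[string]interface{}{
+"EscapedPath": c.Request.URL.EscapedPath(),
+"EscapedFragment": c.Request.URL.EscapedFragment(),
+"String": c.Request.URL.String(),
+"Redacted": c.Request.URL.Redacted(),
+"IsAbs": c.Request.URL.IsAbs(),
+"Query": c.Request.URL.Query(),
+"RequestURI": c.Request.URL.RequestURI(),
+"Hostname": c.Request.URL.Hostname(),
+"Port": c.Request.URL.Port(),
+},
+"User": map[string]interface{}{
+"Username": c.Request.URL.User.Username(),
+"Password": password,
+"PasswordSet": passwordSet,
+"String": c.Request.URL.User.String(),
+},
+}
+}
+
 func forwardProxy(c *gin.Context) {
 ret := gulu.Ret.NewResult()
 defer c.JSON(http.StatusOK, ret)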
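Review bot: echo reflects the caller's own credentials back in the response body — `"Header": c.Request.Header` carries any Cookie or Authorization header, `"Cookies": c.Request.Cookies()` the session cookie, and `"Password": password` the URL userinfo — so the handler is only safe while it stays behind model.CheckAuth and its output is treated as sensitive; a doc comment should state that, e.g. `// echo returns the authenticated caller's own request (headers, cookies, URL userinfo, body) for diagnostics; the response contains credentials and must stay behind CheckAuth.` The `else { rawData = nil }` branch is redundant because `var rawData any` already starts as nil, and the discarded `err` from `c.GetRawData()` could be surfaced (for example as a `"RawDataError"` entry) so a failed body read is distinguishable from an empty body. Since the file already uses `any`, the `map[string]interface{}` literals can be written `map[string]any` for consistency.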

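--- a/kernel/api/router.go
+++ b/kernel/api/router.go
@@ -33,6 +33,9 @@ func ServeAPI(ginServer *gin.Engine) {
 ginServer.Handle("POST", "/api/system/loginAuth", model.LoginAuth)
 ginServer.Handle("POST", "/api/system/logoutAuth", model.LogoutAuth)
 ginServer.Handle("GET", "/api/system/getCaptcha", model.GetCaptcha)
+ginServer.Handle("POST", "/api/system/setUILayout", setUILayout) // 这里不加鉴权 After modifying the access authentication code on the browser side, the other side does not refresh https://github.com/siyuan-note/siyuan/issues/8028
+
+ginServer.Handle("GET", "/snippets/*filepath", serveSnippets)
 
 // 需要鉴权
 
@@ -56,15 +59,14 @@ func ServeAPI(ginServer *gin.Engine) {
 ginServer.Handle("POST", "/api/system/setAppearanceMode", model.CheckAuth, setAppearanceMode)
 ginServer.Handle("POST", "/api/system/getSysFonts", model.CheckAuth, getSysFonts)
 ginServer.Handle("POST", "/api/system/exit", model.CheckAuth, exit)
-ginServer.Handle("POST", "/api/system/setUILayout", setUILayout) // 这里不加鉴权 After modifying the access authentication code on the browser side, the other side does not refresh https://github.com/siyuan-note/siyuan/issues/8028
 ginServer.Handle("POST", "/api/system/getConf", model.CheckAuth, getConf)
 ginServer.Handle("POST", "/api/system/checkUpdate", model.CheckAuth, checkUpdate)
 ginServer.Handle("POST", "/api/system/exportLog", model.CheckAuth, exportLog)
 ginServer.Handle("POST", "/api/system/getChangelog", model.CheckAuth, getChangelog)
 
-ginServer.Handle("POST", "/api/storage/setLocalStorage", model.CheckAuth, setLocalStorage)
+ginServer.Handle("POST", "/api/storage/setLocalStorage", model.CheckAuth, model.CheckReadonly, setLocalStorage)
 ginServer.Handle("POST", "/api/storage/getLocalStorage", model.CheckAuth, getLocalStorage)
-ginServer.Handle("POST", "/api/storage/setLocalStorageVal", model.CheckAuth, setLocalStorageVal)
+ginServer.Handle("POST", "/api/storage/setLocalStorageVal", model.CheckAuth, model.CheckReadonly, setLocalStorageVal)
 ginServer.Handle("POST", "/api/storage/removeLocalStorageVals", model.CheckAuth, model.CheckReadonly, removeLocalStorageVals)
 ginServer.Handle("POST", "/api/storage/setCriterion", model.CheckAuth, model.CheckReadonly, setCriterion)
 ginServer.Handle("POST", "/api/storage/getCriteria", model.CheckAuth, getCriteria)
@@ -78,12 +80,12 @@ func ServeAPI(ginServer *gin.Engine) {
 ginServer.Handle("POST", "/api/account/startFreeTrial", model.CheckAuth, model.CheckReadonly, startFreeTrial)
 
 ginServer.Handle("POST", "/api/notebook/lsNotebooks", model.CheckAuth, lsNotebooks)
-ginServer.Handle("POST", "/api/notebook/openNotebook", model.CheckAuth, openNotebook)
+ginServer.Handle("POST", "/api/notebook/openNotebook", model.CheckAuth, model.CheckReadonly, openNotebook)
 ginServer.Handle("POST", "/api/notebook/closeNotebook", model.CheckAuth, model.CheckReadonly, closeNotebook)
 ginServer.Handle("POST", "/api/notebook/getNotebookConf", model.CheckAuth, getNotebookConf)
 ginServer.Handle("POST", "/api/notebook/setNotebookConf", model.CheckAuth, model.CheckReadonly, setNotebookConf)
 ginServer.Handle("POST", "/api/notebook/createNotebook", model.CheckAuth, model.CheckReadonly, createNotebook)
-ginServer.Handle("POST", "/api/notebook/removeNotebook", model.CheckAuth, removeNotebook)
+ginServer.Handle("POST", "/api/notebook/removeNotebook", model.CheckAuth, model.CheckReadonly, removeNotebook)
 ginServer.Handle("POST", "/api/notebook/renameNotebook", model.CheckAuth, model.CheckReadonly, renameNotebook)
 ginServer.Handle("POST", "/api/notebook/changeSortNotebook", model.CheckAuth, model.CheckReadonly, changeSortNotebook)
 ginServer.Handle("POST", "/api/notebook/setNotebookIcon", model.CheckAuth, model.CheckReadonly, setNotebookIcon)
@@ -122,8 +124,8 @@ func ServeAPI(ginServer *gin.Engine) {
 ginServer.Handle("POST", "/api/history/rollbackDocHistory", model.CheckAuth, model.CheckReadonly, rollbackDocHistory)
 ginServer.Handle("POST", "/api/history/clearWorkspaceHistory", model.CheckAuth, model.CheckReadonly, clearWorkspaceHistory)
 ginServer.Handle("POST", "/api/history/reindexHistory", model.CheckAuth, model.CheckReadonly, reindexHistory)
-ginServer.Handle("POST", "/api/history/searchHistory", model.CheckAuth, model.CheckReadonly, searchHistory)
-ginServer.Handle("POST", "/api/history/getHistoryItems", model.CheckAuth, model.CheckReadonly, getHistoryItems)
+ginServer.Handle("POST", "/api/history/searchHistory", model.CheckAuth, searchHistory)
+ginServer.Handle("POST", "/api/history/getHistoryItems", model.CheckAuth, getHistoryItems)
 
 ginServer.Handle("POST", "/api/outline/getDocOutline", model.CheckAuth, getDocOutline)
 ginServer.Handle("POST", "/api/bookmark/getBookmark", model.CheckAuth, getBookmark)
@@ -141,14 +143,14 @@ func ServeAPI(ginServer *gin.Engine) {
 
 ginServer.Handle("POST", "/api/search/searchTag", model.CheckAuth, searchTag)
 ginServer.Handle("POST", "/api/search/searchTemplate", model.CheckAuth, searchTemplate)
-ginServer.Handle("POST", "/api/search/removeTemplate", model.CheckAuth, removeTemplate)
+ginServer.Handle("POST", "/api/search/removeTemplate", model.CheckAuth, model.CheckReadonly, removeTemplate)
 ginServer.Handle("POST", "/api/search/searchWidget", model.CheckAuth, searchWidget)
 ginServer.Handle("POST", "/api/search/searchRefBlock", model.CheckAuth, searchRefBlock)
 ginServer.Handle("POST", "/api/search/searchEmbedBlock", model.CheckAuth, searchEmbedBlock)
 ginServer.Handle("POST", "/api/search/getEmbedBlock", model.CheckAuth, getEmbedBlock)
 ginServer.Handle("POST", "/api/search/fullTextSearchBlock", model.CheckAuth, fullTextSearchBlock)
 ginServer.Handle("POST", "/api/search/searchAsset", model.CheckAuth, searchAsset)
-ginServer.Handle("POST", "/api/search/findReplace", model.CheckAuth, model.CheckReadonly, findReplace)
+ginServer.Handle("POST", "/api/search/findReplace", model.CheckAuth, findReplace)
 ginServer.Handle("POST", "/api/search/fullTextSearchAssetContent", model.CheckAuth, fullTextSearchAssetContent)
 ginServer.Handle("POST", "/api/search/getAssetContent", model.CheckAuth, getAssetContent)
 
@@ -183,14 +185,14 @@ func ServeAPI(ginServer *gin.Engine) {
 ginServer.Handle("POST", "/api/block/getHeadingChildrenDOM", model.CheckAuth, getHeadingChildrenDOM)
 ginServer.Handle("POST", "/api/block/swapBlockRef", model.CheckAuth, model.CheckReadonly, swapBlockRef)
 ginServer.Handle("POST", "/api/block/transferBlockRef", model.CheckAuth, model.CheckReadonly, transferBlockRef)
-ginServer.Handle("POST", "/api/block/getParentNextChildID", model.CheckAuth, model.CheckReadonly, getParentNextChildID)
+ginServer.Handle("POST", "/api/block/getParentNextChildID", model.CheckAuth, getParentNextChildID)
 
 ginServer.Handle("POST", "/api/file/getFile", model.CheckAuth, getFile)
 ginServer.Handle("POST", "/api/file/putFile", model.CheckAuth, model.CheckReadonly, putFile)
 ginServer.Handle("POST", "/api/file/copyFile", model.CheckAuth, model.CheckReadonly, copyFile)
 ginServer.Handle("POST", "/api/file/removeFile", model.CheckAuth, model.CheckReadonly, removeFile)
 ginServer.Handle("POST", "/api/file/renameFile", model.CheckAuth, model.CheckReadonly, renameFile)
-ginServer.Handle("POST", "/api/file/readDir", model.CheckAuth, model.CheckReadonly, readDir)
+ginServer.Handle("POST", "/api/file/readDir", model.CheckAuth, readDir)
 
 ginServer.Handle("POST", "/api/ref/refreshBacklink", model.CheckAuth, refreshBacklink)
 ginServer.Handle("POST", "/api/ref/getBacklink", model.CheckAuth, getBacklink)
@@ -200,7 +202,7 @@ func ServeAPI(ginServer *gin.Engine) {
 
 ginServer.Handle("POST", "/api/attr/getBookmarkLabels", model.CheckAuth, getBookmarkLabels)
 ginServer.Handle("POST", "/api/attr/resetBlockAttrs", model.CheckAuth, model.CheckReadonly, resetBlockAttrs)
-ginServer.Handle("POST", "/api/attr/setBlockAttrs", model.CheckAuth, setBlockAttrs)
+ginServer.Handle("POST", "/api/attr/setBlockAttrs", model.CheckAuth, model.CheckReadonly, setBlockAttrs)
 ginServer.Handle("POST", "/api/attr/getBlockAttrs", model.CheckAuth, getBlockAttrs)
 
 ginServer.Handle("POST", "/api/cloud/getCloudSpace", model.CheckAuth, getCloudSpace)
@@ -215,15 +217,15 @@ func ServeAPI(ginServer *gin.Engine) {
 ginServer.Handle("POST", "/api/sync/setCloudSyncDir", model.CheckAuth, model.CheckReadonly, setCloudSyncDir)
 ginServer.Handle("POST", "/api/sync/createCloudSyncDir", model.CheckAuth, model.CheckReadonly, createCloudSyncDir)
 ginServer.Handle("POST", "/api/sync/removeCloudSyncDir", model.CheckAuth, model.CheckReadonly, removeCloudSyncDir)
-ginServer.Handle("POST", "/api/sync/listCloudSyncDir", model.CheckAuth, model.CheckReadonly, listCloudSyncDir)
+ginServer.Handle("POST", "/api/sync/listCloudSyncDir", model.CheckAuth, listCloudSyncDir)
 ginServer.Handle("POST", "/api/sync/performSync", model.CheckAuth, model.CheckReadonly, performSync)
 ginServer.Handle("POST", "/api/sync/performBootSync", model.CheckAuth, model.CheckReadonly, performBootSync)
 ginServer.Handle("POST", "/api/sync/getBootSync", model.CheckAuth, getBootSync)
 ginServer.Handle("POST", "/api/sync/getSyncInfo", model.CheckAuth, getSyncInfo)
 ginServer.Handle("POST", "/api/sync/exportSyncProviderS3", model.CheckAuth, exportSyncProviderS3)
-ginServer.Handle("POST", "/api/sync/importSyncProviderS3", model.CheckAuth, importSyncProviderS3)
+ginServer.Handle("POST", "/api/sync/importSyncProviderS3", model.CheckAuth, model.CheckReadonly, importSyncProviderS3)
 ginServer.Handle("POST", "/api/sync/exportSyncProviderWebDAV", model.CheckAuth, exportSyncProviderWebDAV)
-ginServer.Handle("POST", "/api/sync/importSyncProviderWebDAV", model.CheckAuth, importSyncProviderWebDAV)
+ginServer.Handle("POST", "/api/sync/importSyncProviderWebDAV", model.CheckAuth, model.CheckReadonly, importSyncProviderWebDAV)
 
 ginServer.Handle("POST", "/api/inbox/getShorthands", model.CheckAuth, getShorthands)
 ginServer.Handle("POST", "/api/inbox/getShorthand", model.CheckAuth, getShorthand)
@@ -243,7 +245,7 @@ func ServeAPI(ginServer *gin.Engine) {
 ginServer.Handle("POST", "/api/asset/getMissingAssets", model.CheckAuth, getMissingAssets)
 ginServer.Handle("POST", "/api/asset/removeUnusedAsset", model.CheckAuth, model.CheckReadonly, removeUnusedAsset)
 ginServer.Handle("POST", "/api/asset/removeUnusedAssets", model.CheckAuth, model.CheckReadonly, removeUnusedAssets)
-ginServer.Handle("POST", "/api/asset/getDocImageAssets", model.CheckAuth, model.CheckReadonly, getDocImageAssets)
+ginServer.Handle("POST", "/api/asset/getDocImageAssets", model.CheckAuth, getDocImageAssets)
 ginServer.Handle("POST", "/api/asset/renameAsset", model.CheckAuth, model.CheckReadonly, renameAsset)
 ginServer.Handle("POST", "/api/asset/getImageOCRText", model.CheckAuth, model.CheckReadonly, getImageOCRText)
 ginServer.Handle("POST", "/api/asset/setImageOCRText", model.CheckAuth, model.CheckReadonly, setImageOCRText)
@@ -284,7 +286,7 @@ func ServeAPI(ginServer *gin.Engine) {
 
 ginServer.Handle("POST", "/api/template/render", model.CheckAuth, renderTemplate)
 ginServer.Handle("POST", "/api/template/docSaveAsTemplate", model.CheckAuth, model.CheckReadonly, docSaveAsTemplate)
-ginServer.Handle("POST", "/api/template/renderSprig", model.CheckAuth, model.CheckReadonly, renderSprig)
+ginServer.Handle("POST", "/api/template/renderSprig", model.CheckAuth, renderSprig)
 
 ginServer.Handle("POST", "/api/transactions", model.CheckAuth, model.CheckReadonly, performTransactions)
 
@@ -363,33 +365,33 @@ func ServeAPI(ginServer *gin.Engine) {
 ginServer.Handle("POST", "/api/riff/getRiffCards", model.CheckAuth, getRiffCards)
 ginServer.Handle("POST", "/api/riff/getTreeRiffCards", model.CheckAuth, getTreeRiffCards)
 ginServer.Handle("POST", "/api/riff/getNotebookRiffCards", model.CheckAuth, getNotebookRiffCards)
-ginServer.Handle("POST", "/api/riff/resetRiffCards", model.CheckAuth, resetRiffCards)
+ginServer.Handle("POST", "/api/riff/resetRiffCards", model.CheckAuth, model.CheckReadonly, resetRiffCards)
 
 ginServer.Handle("POST", "/api/notification/pushMsg", model.CheckAuth, pushMsg)
 ginServer.Handle("POST", "/api/notification/pushErrMsg", model.CheckAuth, pushErrMsg)
 
 ginServer.Handle("POST", "/api/snippet/getSnippet", model.CheckAuth, getSnippet)
-ginServer.Handle("POST", "/api/snippet/setSnippet", model.CheckAuth, setSnippet)
+ginServer.Handle("POST", "/api/snippet/setSnippet", model.CheckAuth, model.CheckReadonly, setSnippet)
 ginServer.Handle("POST", "/api/snippet/removeSnippet", model.CheckAuth, model.CheckReadonly, removeSnippet)
-ginServer.Handle("GET", "/snippets/*filepath", serveSnippets)
 
 ginServer.Handle("POST", "/api/av/renderAttributeView", model.CheckAuth, renderAttributeView)
 ginServer.Handle("POST", "/api/av/getAttributeViewKeys", model.CheckAuth, getAttributeViewKeys)
-ginServer.Handle("POST", "/api/av/setAttributeViewBlockAttr", model.CheckAuth, setAttributeViewBlockAttr)
+ginServer.Handle("POST", "/api/av/setAttributeViewBlockAttr", model.CheckAuth, model.CheckReadonly, setAttributeViewBlockAttr)
 
-ginServer.Handle("POST", "/api/ai/chatGPT", model.CheckAuth, model.CheckReadonly, chatGPT)
-ginServer.Handle("POST", "/api/ai/chatGPTWithAction", model.CheckAuth, model.CheckReadonly, chatGPTWithAction)
+ginServer.Handle("POST", "/api/ai/chatGPT", model.CheckAuth, chatGPT)
+ginServer.Handle("POST", "/api/ai/chatGPTWithAction", model.CheckAuth, chatGPTWithAction)
 
 ginServer.Handle("POST", "/api/petal/loadPetals", model.CheckAuth, loadPetals)
 ginServer.Handle("POST", "/api/petal/setPetalEnabled", model.CheckAuth, model.CheckReadonly, setPetalEnabled)
 
-ginServer.Handle("POST", "/api/network/forwardProxy", model.CheckAuth, model.CheckReadonly, forwardProxy)
+ginServer.Any("/api/network/echo", model.CheckAuth, echo)
+ginServer.Handle("POST", "/api/network/forwardProxy", model.CheckAuth, forwardProxy)
 
 ginServer.Handle("GET", "/ws/broadcast", model.CheckAuth, broadcast)
-ginServer.Handle("GET", "/api/broadcast/channels", model.CheckAuth, getChannels)
 ginServer.Handle("POST", "/api/broadcast/postMessage", model.CheckAuth, postMessage)
+ginServer.Handle("POST", "/api/broadcast/getChannels", model.CheckAuth, getChannels)
 ginServer.Handle("POST", "/api/broadcast/getChannelInfo", model.CheckAuth, getChannelInfo)
 
-ginServer.Handle("POST", "/api/archive/zip", model.CheckAuth, zip)
-ginServer.Handle("POST", "/api/archive/unzip", model.CheckAuth, unzip)
+ginServer.Handle("POST", "/api/archive/zip", model.CheckAuth, model.CheckReadonly, zip)
+ginServer.Handle("POST", "/api/archive/unzip", model.CheckAuth, model.CheckReadonly, unzip)
 }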
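Review bot: `ginServer.Any("/api/network/echo", model.CheckAuth, echo)` in the last hunk registers the handler for every HTTP method, including GET, HEAD and OPTIONS, while model.CheckAuth treats GET differently from the other methods (its browser user-agent branch only rejects when `"GET" != c.Request.Method || c.IsWebsocket()`, as the session.go hunk shows); what CheckAuth does with a browser GET carrying a wrong auth code lies outside this diff, so whether such a GET can reach echo cannot be confirmed from here. Unless other methods are actually needed, registering it as `ginServer.Handle("POST", "/api/network/echo", model.CheckAuth, echo)` keeps it on the same footing as the rest of the API; if `Any` is deliberate, a short comment stating why would help the next reader. Changing `/api/broadcast/getChannels` from GET to POST also breaks existing GET callers and is worth a changelog mention. ServeAPI begins before the first hunk.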

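--- a/kernel/model/session.go
+++ b/kernel/model/session.go
@@ -163,10 +163,12 @@ func CheckAuth(c *gin.Context) {
 // 未设置访问授权码
 if "" == Conf.AccessAuthCode {
 // Authenticate requests with the Origin header other than 127.0.0.1 https://github.com/siyuan-note/siyuan/issues/9180
+clientIP := c.ClientIP()
 host := c.GetHeader("Host")
 origin := c.GetHeader("Origin")
 forwardedHost := c.GetHeader("X-Forwarded-Host")
 if !localhost ||
+("" != clientIP && !util.IsLocalHostname(clientIP)) ||
 ("" != host && !util.IsLocalHost(host)) ||
 ("" != origin && !util.IsLocalOrigin(origin) && !strings.HasPrefix(origin, "chrome-extension://")) ||
 ("" != forwardedHost && !util.IsLocalHost(forwardedHost)) {
@@ -243,7 +245,7 @@ func CheckAuth(c *gin.Context) {
 if workspaceSession.AccessAuthCode != Conf.AccessAuthCode {
 userAgentHeader := c.GetHeader("User-Agent")
 if strings.HasPrefix(userAgentHeader, "SiYuan/") || strings.HasPrefix(userAgentHeader, "Mozilla/") {
-if "GET" != c.Request.Method {
+if "GET" != c.Request.Method || c.IsWebsocket() {
 c.JSON(http.StatusUnauthorized, map[string]interface{}{"code": -1, "msg": Conf.Language(156)})
 c.Abort()
 return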
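Review bot: the new `clientIP := c.ClientIP()` conjunct in the first hunk depends on gin's client-IP derivation, which may take the address from `X-Forwarded-For` or `X-Real-IP` depending on the engine's trusted-proxy configuration (not part of this diff), so the compared value can be supplied by the caller; because this condition only ever rejects, a forged header cannot by itself admit a remote caller, but it also means the check is defence in depth rather than a reliable remote-origin gate, and it applies only inside the `"" == Conf.AccessAuthCode` branch. A comment on the added line would make that explicit: `// defence in depth: ClientIP() may come from forwarded headers, so this only adds a rejection path and never replaces the localhost check above`. The rest of CheckAuth, including how `localhost` is computed and what the rejection branch does, is outside the hunk.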

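--- a/kernel/util/net.go
+++ b/kernel/util/net.go
@@ -47,23 +47,8 @@ func ValidOptionalPort(port string) bool {
 return true
 }
 
-func SplitHost(host string) (hostname, port string) {
-hostname = host
-
-colon := strings.LastIndexByte(hostname, ':')
-if colon != -1 && ValidOptionalPort(hostname[colon:]) {
-hostname, port = hostname[:colon], hostname[colon+1:]
-}
-
-if strings.HasPrefix(hostname, "[") && strings.HasSuffix(hostname, "]") {
-hostname = hostname[1 : len(hostname)-1]
-}
-
-return
-}
-
 func IsLocalHostname(hostname string) bool {
-if "localhost" == hostname {
+if "localhost" == hostname || strings.HasSuffix(hostname, ".localhost") {
 return true
 }
 if ip := net.ParseIP(hostname); nil != ip {
@@ -73,8 +58,11 @@ func IsLocalHostname(hostname string) bool {
 }
 
 func IsLocalHost(host string) bool {
-hostname, _ := SplitHost(host)
-return IsLocalHostname(hostname)
+if hostname, _, err := net.SplitHostPort(strings.TrimSpace(host)); nil != err {
+return false
+} else {
+return IsLocalHostname(hostname)
+}
 }
 
 func IsLocalOrigin(origin string) bool {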
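Review bot: IsLocalHost in the second hunk now returns false whenever `net.SplitHostPort` fails, and it fails for any value without a port (`localhost`, `127.0.0.1`, `[::1]`), which is what a browser sends in `Host` when the server is reached on a default port, for example behind a reverse proxy; the removed SplitHost handled the missing-port case, so portless loopback hosts are now classified as non-local and, in CheckAuth's no-auth-code branch, presumably rejected (the body of that `if` is outside the session.go hunk). This is fail-closed rather than a bypass, but it looks like an unintended regression; on error the trimmed value can be used as the hostname with IPv6 brackets stripped, as below, which also removes the else-after-return shape. IsLocalOrigin starts on the hunk's last line and is not visible.
```go
func IsLocalHost(host string) bool {
	host = strings.TrimSpace(host)
	hostname, _, err := net.SplitHostPort(host)
	if nil != err {
		// no port present (e.g. "localhost", "[::1]"): the whole value is the hostname
		hostname = strings.TrimSuffix(strings.TrimPrefix(host, "["), "]")
	}
	return IsLocalHostname(hostname)
}
```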
