Cloudreve/middleware/session.go

package middleware

import (
	"net/http"
	"strings"

	"github.com/cloudreve/Cloudreve/v3/pkg/conf"
	"github.com/cloudreve/Cloudreve/v3/pkg/serializer"
	"github.com/cloudreve/Cloudreve/v3/pkg/util"
	"github.com/gin-contrib/sessions"
	"github.com/gin-contrib/sessions/memstore"
	"github.com/gin-contrib/sessions/redis"
	"github.com/gin-gonic/gin"
)

// Store session存储
var Store memstore.Store

// Session 初始化session
func Session(secret string) gin.HandlerFunc {
	// Redis设置不为空，且非测试模式时使用Redis
	if conf.RedisConfig.Server != "" && gin.Mode() != gin.TestMode {
		var err error
		Store, err = redis.NewStoreWithDB(10, conf.RedisConfig.Network, conf.RedisConfig.Server, conf.RedisConfig.Password, conf.RedisConfig.DB, []byte(secret))
		if err != nil {
			util.Log().Panic("Failed to connect to Redis：%s", err)
		}

		util.Log().Info("Connect to Redis server %q.", conf.RedisConfig.Server)
	} else {
		Store = memstore.NewStore([]byte(secret))
	}

	sameSiteMode := http.SameSiteDefaultMode
	switch strings.ToLower(conf.CORSConfig.SameSite) {
	case "default":
		sameSiteMode = http.SameSiteDefaultMode
	case "none":
		sameSiteMode = http.SameSiteNoneMode
	case "strict":
		sameSiteMode = http.SameSiteStrictMode
	case "lax":
		sameSiteMode = http.SameSiteLaxMode
	}

	// Also set Secure: true if using SSL, you should though
	Store.Options(sessions.Options{
		HttpOnly: true,
		MaxAge:   60 * 86400,
		Path:     "/",
		SameSite: sameSiteMode,
		Secure:   conf.CORSConfig.Secure,
	})

	return sessions.Sessions("cloudreve-session", Store)
}

// CSRFInit 初始化CSRF标记
func CSRFInit() gin.HandlerFunc {
	return func(c *gin.Context) {
		util.SetSession(c, map[string]interface{}{"CSRF": true})
		c.Next()
	}
}

// CSRFCheck 检查CSRF标记
func CSRFCheck() gin.HandlerFunc {
	return func(c *gin.Context) {
		if check, ok := util.GetSession(c, "CSRF").(bool); ok && check {
			c.Next()
			return
		}

		c.JSON(200, serializer.Err(serializer.CodeNoPermissionErr, "Invalid origin", nil))
		c.Abort()
	}
}
-												Feat: User login

											
										
										
											2019-11-11 19:13:17 +08:00
+								package middleware
 								import (
-												Added `same-site` policy for session options (#1381)

* Feat: added same-site policy for session options

* Feat: configurations in conf package to control the `SameSite` mode and `Secure` value of the session.

Co-authored-by: AaronLiu <abslant@126.com>
											
										
										
											2022-12-16 13:59:26 +08:00
+									"net/http"
 									"strings"
-												Comply with Golang semantic import versioning (#630)

* Code: compatible with semantic import versioning

* Tools & Docs: compatible with semantic import versioning

* Clean go.mod & go.sum
											
										
										
											2020-11-21 17:34:55 +08:00
+									"github.com/cloudreve/Cloudreve/v3/pkg/conf"
 									"github.com/cloudreve/Cloudreve/v3/pkg/serializer"
 									"github.com/cloudreve/Cloudreve/v3/pkg/util"
-												Feat: User login

											
										
										
											2019-11-11 19:13:17 +08:00
+									"github.com/gin-contrib/sessions"
-												Modify: using memstore to store session

											
										
										
											2019-11-12 13:55:33 +08:00
+									"github.com/gin-contrib/sessions/memstore"
-												Fix: folder with the same name should not be created

											
										
										
											2019-11-27 19:14:13 +08:00
+									"github.com/gin-contrib/sessions/redis"
-												Feat: User login

											
										
										
											2019-11-11 19:13:17 +08:00
+									"github.com/gin-gonic/gin"
 								)
-												Feat: User/Me

											
										
										
											2019-11-12 15:34:54 +08:00
+								// Store session存储
-												Modify: use uri parameter in Get File

											
										
										
											2019-11-29 15:24:23 +08:00
+								var Store memstore.Store
-												Feat: User/Me

											
										
										
											2019-11-12 15:34:54 +08:00
-												Feat: User login

											
										
										
											2019-11-11 19:13:17 +08:00
+								// Session 初始化session
 								func Session(secret string) gin.HandlerFunc {
-												Fix: Redis should not be used in test mode

											
										
										
											2019-11-27 21:53:07 +08:00
+									// Redis设置不为空，且非测试模式时使用Redis
-												Modify: use uri parameter in Get File

											
										
										
											2019-11-29 15:24:23 +08:00
+									if conf.RedisConfig.Server != "" && gin.Mode() != gin.TestMode {
-												Feat: redis for session storing

											
										
										
											2019-11-27 19:53:39 +08:00
+										var err error
-												Add: Unix Socket support (#466)

* Update conf.go

* Update driver.go

* Update session.go

* Update defaults.go

* Update main.go

* Update conf.go

* Update defaults.go
											
										
										
											2020-08-12 20:31:28 +08:00
+										Store, err = redis.NewStoreWithDB(10, conf.RedisConfig.Network, conf.RedisConfig.Server, conf.RedisConfig.Password, conf.RedisConfig.DB, []byte(secret))
-												Feat: redis for session storing

											
										
										
											2019-11-27 19:53:39 +08:00
+										if err != nil {
-												i18n: logs in bootstrapper and response code in middleware

											
										
										
											2022-09-29 17:39:48 +08:00
+											util.Log().Panic("Failed to connect to Redis：%s", err)
-												Feat: redis for session storing

											
										
										
											2019-11-27 19:53:39 +08:00
+										}
-												Modify: use uri parameter in Get File

											
										
										
											2019-11-29 15:24:23 +08:00
-												i18n: logs in bootstrapper and response code in middleware

											
										
										
											2022-09-29 17:39:48 +08:00
+										util.Log().Info("Connect to Redis server %q.", conf.RedisConfig.Server)
-												Feat: redis for session storing

											
										
										
											2019-11-27 19:53:39 +08:00
+									} else {
 										Store = memstore.NewStore([]byte(secret))
-												Fix: folder with the same name should not be created

											
										
										
											2019-11-27 19:14:13 +08:00
+									}
-												Modify: code style

											
										
										
											2019-11-28 21:21:46 +08:00
-												Added `same-site` policy for session options (#1381)

* Feat: added same-site policy for session options

* Feat: configurations in conf package to control the `SameSite` mode and `Secure` value of the session.

Co-authored-by: AaronLiu <abslant@126.com>
											
										
										
											2022-12-16 13:59:26 +08:00
+									sameSiteMode := http.SameSiteDefaultMode
 									switch strings.ToLower(conf.CORSConfig.SameSite) {
 									case "default":
 										sameSiteMode = http.SameSiteDefaultMode
 									case "none":
 										sameSiteMode = http.SameSiteNoneMode
 									case "strict":
 										sameSiteMode = http.SameSiteStrictMode
 									case "lax":
 										sameSiteMode = http.SameSiteLaxMode
 									}
-												Feat: User/Me

											
										
										
											2019-11-12 15:34:54 +08:00
+									// Also set Secure: true if using SSL, you should though
-												Added `same-site` policy for session options (#1381)

* Feat: added same-site policy for session options

* Feat: configurations in conf package to control the `SameSite` mode and `Secure` value of the session.

Co-authored-by: AaronLiu <abslant@126.com>
											
										
										
											2022-12-16 13:59:26 +08:00
+									Store.Options(sessions.Options{
 										HttpOnly: true,
 										MaxAge:   60 * 86400,
 										Path:     "/",
 										SameSite: sameSiteMode,
 										Secure:   conf.CORSConfig.Secure,
 									})
-												Feat: User/Me

											
										
										
											2019-11-12 15:34:54 +08:00
+									return sessions.Sessions("cloudreve-session", Store)
-												Feat: User login

											
										
										
											2019-11-11 19:13:17 +08:00
+								}
-												Fix: file preview URL in share page should not be accessed directly

											
										
										
											2020-03-17 15:57:38 +08:00
 								// CSRFInit 初始化CSRF标记
 								func CSRFInit() gin.HandlerFunc {
 									return func(c *gin.Context) {
 										util.SetSession(c, map[string]interface{}{"CSRF": true})
 										c.Next()
 									}
 								}
 								// CSRFCheck 检查CSRF标记
 								func CSRFCheck() gin.HandlerFunc {
 									return func(c *gin.Context) {
 										if check, ok := util.GetSession(c, "CSRF").(bool); ok && check {
 											c.Next()
 											return
 										}
-												i18n: logs in bootstrapper and response code in middleware

											
										
										
											2022-09-29 17:39:48 +08:00
+										c.JSON(200, serializer.Err(serializer.CodeNoPermissionErr, "Invalid origin", nil))
-												Fix: file preview URL in share page should not be accessed directly

											
										
										
											2020-03-17 15:57:38 +08:00
+										c.Abort()
 									}
 								}