feat: 防止密码爆破攻击

TheTNB · Jun 23, 2024 · ed22e79 · ed22e79
1 parent 15dd5bb
commit ed22e79
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 4 deletions.
diff --git a/app/providers/route_service_provider.go b/app/providers/route_service_provider.go
@@ -2,7 +2,9 @@ package providers
 
 import (
 	"github.com/goravel/framework/contracts/foundation"
+	contractshttp "github.com/goravel/framework/contracts/http"
 	"github.com/goravel/framework/facades"
+	"github.com/goravel/framework/http/limit"
 
 	"github.com/TheTNB/panel/app/http"
 	"github.com/TheTNB/panel/routes"
@@ -25,5 +27,23 @@ func (receiver *RouteServiceProvider) Boot(app foundation.Application) {
 }
 
 func (receiver *RouteServiceProvider) configureRateLimiting() {
-
+	facades.RateLimiter().ForWithLimits("login", func(ctx contractshttp.Context) []contractshttp.Limit {
+		return []contractshttp.Limit{
+			limit.PerMinute(5).By(ctx.Request().Ip()).Response(func(ctx contractshttp.Context) {
+				ctx.Request().AbortWithStatusJson(contractshttp.StatusTooManyRequests, contractshttp.Json{
+					"message": "请求过于频繁，请等待一分钟后再试",
+				})
+			}),
+			limit.PerHour(100).By(ctx.Request().Ip()).Response(func(ctx contractshttp.Context) {
+				ctx.Request().AbortWithStatusJson(contractshttp.StatusTooManyRequests, contractshttp.Json{
+					"message": "请求过于频繁，请等待一小时后再试",
+				})
+			}),
+			limit.PerDay(1000).Response(func(ctx contractshttp.Context) {
+				ctx.Request().AbortWithStatusJson(contractshttp.StatusTooManyRequests, contractshttp.Json{
+					"message": "面板遭受登录爆破攻击过多，已暂时屏蔽登录，请立刻更换面板端口！",
+				})
+			}),
+		}
+	})
 }
diff --git a/config/cors.go b/config/cors.go
@@ -14,10 +14,10 @@ func init() {
 		// in web browsers. You are free to adjust these settings as needed.
 		//
 		// To learn more: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
-		"paths":                []string{"*"},
+		"paths":                []string{"1145141919810"}, // 避免框架使用CORS中间件
 		"allowed_methods":      []string{"*"},
 		"allowed_origins":      []string{"*"},
-		"allowed_headers":      []string{"*"},
+		"allowed_headers":      []string{"“"},
 		"exposed_headers":      []string{""},
 		"max_age":              0,
 		"supports_credentials": false,

diff --git a/routes/api.go b/routes/api.go
@@ -3,6 +3,7 @@ package routes
 import (
 	"github.com/goravel/framework/contracts/route"
 	"github.com/goravel/framework/facades"
+	frameworkmiddleware "github.com/goravel/framework/http/middleware"
 
 	"github.com/TheTNB/panel/app/http/controllers"
 	"github.com/TheTNB/panel/app/http/middleware"
@@ -25,7 +26,7 @@ func Api() {
 		})
 		r.Prefix("user").Group(func(r route.Router) {
 			userController := controllers.NewUserController()
-			r.Post("login", userController.Login)
+			r.Middleware(frameworkmiddleware.Throttle("login")).Post("login", userController.Login)
 			r.Middleware(middleware.Jwt()).Get("info", userController.Info)
 		})
 		r.Prefix("task").Middleware(middleware.Jwt()).Group(func(r route.Router) {