mirror of
https://github.com/dreamhunter2333/cloudflare_temp_email.git
synced 2026-06-26 01:42:42 +08:00
e6cc8e2ffd
* feat: add Turnstile CAPTCHA for login forms (#767) Add optional Turnstile verification for admin login, user login, and address password login via ENABLE_LOGIN_TURNSTILE_CHECK env var. Does not affect existing Turnstile on address creation / registration. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * docs: add ENABLE_LOGIN_TURNSTILE_CHECK to wrangler.toml.template Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: ensure openSettings loaded before admin login modal Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * feat: add Turnstile to site access password and fix settings field name - Add Turnstile to site access password modal in Header.vue - Add /open_api/site_login endpoint for password + Turnstile verification - Fix settings field name from enableTurnstileLogin to enableLoginTurnstileCheck Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: move login endpoints to open_api/auth.ts Move /open_api/site_login and /open_api/admin_login from commom_api.ts to a dedicated open_api/auth.ts file for better code organization. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: change Turnstile check failure status from 500 to 400 Turnstile validation failure is a client error, not a server error. Change all Turnstile check error responses from 500 to 400. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: use unique IDs for multiple Turnstile instances When multiple modals with Turnstile appear simultaneously (e.g., site access + admin login), the hardcoded id="cf-turnstile" causes conflicts. Generate a unique container ID per Turnstile instance to fix this. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: review fixes - cfToken separation, register Turnstile, error codes - Separate cfToken refs in Login.vue to avoid token sharing between login and new address creation Turnstile instances - Add Turnstile check to user registration endpoint (not just verify_code) - Show Turnstile on register tab regardless of enableMailVerify - Pass cf_token in register request body - Fix site_login error message to use CustomAuthPasswordMsg - Fix verifyCode Turnstile error status from 500 to 400 - Restore empty line in commom_api.ts Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: separate register Turnstile logic for with/without mail verify - With mail verify: verify_code already checks Turnstile, register skips Turnstile (token is one-time use) - Without mail verify: register checks Turnstile directly - Separate loginCfToken for login tab to avoid token sharing with register tab Turnstile Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: add enableLoginTurnstileCheck to store defaults, simplify changelog Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: add /open_api/credential_login for credential login verification Add credential_login endpoint that verifies both Turnstile token and JWT credential server-side, replacing the generic verify_turnstile endpoint. Credential login now validates the JWT before accepting it. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: improve login endpoints - hash passwords, expose Turnstile refresh, fix status codes - site_login/admin_login: always called, verify hashed password + optional Turnstile - credential_login: always called, verify JWT + optional Turnstile - Frontend sends hashed passwords instead of plaintext - Turnstile component exposes refresh method via defineExpose - Fix Turnstile error status 500→400 in mails_api and telegram_api Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: rename to ENABLE_GLOBAL_TURNSTILE_CHECK and add isGlobalTurnstileEnabled helper - Rename ENABLE_LOGIN_TURNSTILE_CHECK -> ENABLE_GLOBAL_TURNSTILE_CHECK - Add isGlobalTurnstileEnabled() in utils.ts: checks env var + Turnstile keys all present - Backend settings returns enableGlobalTurnstileCheck computed from the helper - All backend endpoints use isGlobalTurnstileEnabled(c) instead of raw env check - Update all frontend refs, docs, changelog, and wrangler template Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: use utils.isGlobalTurnstileEnabled instead of named import Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * test: add E2E tests for turnstile login endpoints - Test all 3 new /open_api/* endpoints when ENABLE_GLOBAL_TURNSTILE_CHECK is disabled - Verify settings returns enableGlobalTurnstileCheck: false - Test admin_login with correct/wrong/empty hashed password - Test site_login returns 401 when no PASSWORDS configured - Test credential_login with valid JWT, invalid JWT, empty credential - Test address_login with empty cf_token works when turnstile disabled - Add ADMIN_PASSWORDS to E2E wrangler config for admin_login tests Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * test: rename test file to login-endpoints.spec.ts Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: validate JWT payload has address field in credential_login Prevents user tokens or challenge tokens from being accepted as address credentials since they share the same JWT_SECRET. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: refresh Turnstile token on login failure to allow retry After a failed login attempt, the consumed Turnstile token is now refreshed so users can retry without manually refreshing. Also adds ref to signup Turnstile in UserLogin.vue to refresh after verification code is sent (single-use token consumed). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: separate Turnstile tokens for signup and reset password flows Split shared cfToken into signupCfToken and resetCfToken to prevent single-use Turnstile token conflicts between signup tab and reset password modal. Each flow now has its own token ref and refreshes the correct Turnstile widget after use. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: update comments from "login turnstile" to "global turnstile" Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
385 lines
11 KiB
TypeScript
385 lines
11 KiB
TypeScript
import { Context } from "hono";
|
||
import { createMimeMessage } from "mimetext";
|
||
import { UserSettings, RoleAddressConfig } from "./models";
|
||
import { CONSTANTS } from "./constants";
|
||
|
||
export const getJsonObjectValue = <T = any>(
|
||
value: string | any
|
||
): T | null => {
|
||
if (value == undefined || value == null) {
|
||
return null;
|
||
}
|
||
if (typeof value === "object") {
|
||
return value as T;
|
||
}
|
||
if (typeof value !== "string") {
|
||
return null;
|
||
}
|
||
try {
|
||
return JSON.parse(value) as T;
|
||
} catch (e) {
|
||
console.error(`GetJsonValue: Failed to parse ${value}`, e);
|
||
}
|
||
return null;
|
||
}
|
||
|
||
export const getJsonSetting = async <T = any>(
|
||
c: Context<HonoCustomType>, key: string
|
||
): Promise<T | null> => {
|
||
const value = await getSetting(c, key);
|
||
if (!value) {
|
||
return null;
|
||
}
|
||
try {
|
||
return JSON.parse(value) as T;
|
||
} catch (e) {
|
||
console.error(`GetJsonSetting: Failed to parse ${key}`, e);
|
||
}
|
||
return null;
|
||
}
|
||
|
||
export const getSetting = async (
|
||
c: Context<HonoCustomType>, key: string
|
||
): Promise<string | null> => {
|
||
try {
|
||
const value = await c.env.DB.prepare(
|
||
`SELECT value FROM settings where key = ?`
|
||
).bind(key).first<string>("value");
|
||
return value;
|
||
} catch (error) {
|
||
console.error(`GetSetting: Failed to get ${key}`, error);
|
||
}
|
||
return null;
|
||
}
|
||
|
||
export const saveSetting = async (
|
||
c: Context<HonoCustomType>,
|
||
key: string, value: string
|
||
) => {
|
||
await c.env.DB.prepare(
|
||
`INSERT or REPLACE INTO settings (key, value) VALUES (?, ?)`
|
||
+ ` ON CONFLICT(key) DO UPDATE SET value = ?, updated_at = datetime('now')`
|
||
).bind(key, value, value).run();
|
||
return true;
|
||
}
|
||
|
||
export const getStringValue = (value: any): string => {
|
||
if (typeof value === "string") {
|
||
return value;
|
||
}
|
||
return "";
|
||
}
|
||
|
||
export const getSplitStringListValue = (
|
||
value: any, demiliter: string = ","
|
||
): string[] => {
|
||
const valueToSplit = getStringValue(value);
|
||
return valueToSplit.split(demiliter)
|
||
.map((item: string) => item.trim())
|
||
.filter((item: string) => item.length > 0);
|
||
}
|
||
|
||
export const getBooleanValue = (
|
||
value: boolean | string | any
|
||
): boolean => {
|
||
if (typeof value === "boolean") {
|
||
return value;
|
||
}
|
||
if (typeof value === "string") {
|
||
return value === "true";
|
||
}
|
||
return false;
|
||
}
|
||
|
||
export const getIntValue = (
|
||
value: number | string | any,
|
||
defaultValue: number = 0
|
||
): number => {
|
||
if (typeof value === "number") {
|
||
return value;
|
||
}
|
||
if (typeof value === "string") {
|
||
try {
|
||
return parseInt(value);
|
||
} catch (e) {
|
||
console.error(`Failed to parse int value: ${value}`);
|
||
}
|
||
}
|
||
return defaultValue;
|
||
}
|
||
|
||
export const getStringArray = (
|
||
value: string | string[] | undefined | null
|
||
): string[] => {
|
||
if (!value) {
|
||
return [];
|
||
}
|
||
// check if value is an array, if not use json.parse
|
||
if (!Array.isArray(value)) {
|
||
try {
|
||
return JSON.parse(value);
|
||
} catch (e) {
|
||
console.error("Failed to parse value", e);
|
||
return [];
|
||
}
|
||
}
|
||
return value;
|
||
}
|
||
|
||
export const getDefaultDomains = (c: Context<HonoCustomType>): string[] => {
|
||
if (c.env.DEFAULT_DOMAINS == undefined || c.env.DEFAULT_DOMAINS == null) {
|
||
return getDomains(c);
|
||
}
|
||
const domains = getStringArray(c.env.DEFAULT_DOMAINS);
|
||
return domains || getDomains(c);
|
||
}
|
||
|
||
export const getDomains = (c: Context<HonoCustomType>): string[] => {
|
||
if (!c.env.DOMAINS) {
|
||
return [];
|
||
}
|
||
// check if DOMAINS is an array, if not use json.parse
|
||
if (!Array.isArray(c.env.DOMAINS)) {
|
||
try {
|
||
return JSON.parse(c.env.DOMAINS);
|
||
} catch (e) {
|
||
console.error("Failed to parse DOMAINS", e);
|
||
return [];
|
||
}
|
||
}
|
||
return c.env.DOMAINS;
|
||
}
|
||
|
||
export const getUserRoles = (c: Context<HonoCustomType>): UserRole[] => {
|
||
if (!c.env.USER_ROLES) {
|
||
return [];
|
||
}
|
||
// check if USER_ROLES is an array, if not use json.parse
|
||
if (!Array.isArray(c.env.USER_ROLES)) {
|
||
try {
|
||
return JSON.parse(c.env.USER_ROLES);
|
||
} catch (e) {
|
||
console.error("Failed to parse USER_ROLES", e);
|
||
return [];
|
||
}
|
||
}
|
||
return c.env.USER_ROLES;
|
||
}
|
||
|
||
export const getAnotherWorkerList = (c: Context<HonoCustomType>): AnotherWorker[] => {
|
||
if (!c.env.ANOTHER_WORKER_LIST) {
|
||
return [];
|
||
}
|
||
// check if ANOTHER_WORKER_LIST is an array, if not use json.parse
|
||
if (!Array.isArray(c.env.ANOTHER_WORKER_LIST)) {
|
||
try {
|
||
return JSON.parse(c.env.ANOTHER_WORKER_LIST);
|
||
} catch (e) {
|
||
console.error("Failed to parse ANOTHER_WORKER_LIST", e);
|
||
return [];
|
||
}
|
||
}
|
||
return c.env.ANOTHER_WORKER_LIST;
|
||
}
|
||
|
||
export const getPasswords = (c: Context<HonoCustomType>): string[] => {
|
||
if (!c.env.PASSWORDS) {
|
||
return [];
|
||
}
|
||
// check if PASSWORDS is an array, if not use json.parse
|
||
if (!Array.isArray(c.env.PASSWORDS)) {
|
||
try {
|
||
const res = JSON.parse(c.env.PASSWORDS) as string[];
|
||
return res.filter((item) => item.length > 0);
|
||
} catch (e) {
|
||
console.error("Failed to parse PASSWORDS", e);
|
||
return [];
|
||
}
|
||
}
|
||
return c.env.PASSWORDS.filter((item) => item.length > 0);
|
||
}
|
||
|
||
export const getAdminPasswords = (c: Context<HonoCustomType>): string[] => {
|
||
if (!c.env.ADMIN_PASSWORDS) {
|
||
return [];
|
||
}
|
||
// check if ADMIN_PASSWORDS is an array, if not use json.parse
|
||
if (!Array.isArray(c.env.ADMIN_PASSWORDS)) {
|
||
try {
|
||
const res = JSON.parse(c.env.ADMIN_PASSWORDS) as string[];
|
||
return res.filter((item) => item.length > 0);
|
||
} catch (e) {
|
||
console.error("Failed to parse ADMIN_PASSWORDS", e);
|
||
return [];
|
||
}
|
||
}
|
||
return c.env.ADMIN_PASSWORDS.filter((item) => item.length > 0);
|
||
}
|
||
|
||
export const checkIsAdmin = (c: Context<HonoCustomType>): boolean => {
|
||
const adminPasswords = getAdminPasswords(c);
|
||
if (!adminPasswords.length) return false;
|
||
const adminAuth = c.req.raw.headers.get("x-admin-auth");
|
||
return !!adminAuth && adminPasswords.includes(adminAuth);
|
||
}
|
||
|
||
export const getEnvStringList = (value: string | string[] | undefined): string[] => {
|
||
if (!value) {
|
||
return [];
|
||
}
|
||
// check if is an array, if not use json.parse
|
||
if (!Array.isArray(value)) {
|
||
try {
|
||
const res = JSON.parse(value) as string[];
|
||
return res.filter((item) => item.length > 0);
|
||
} catch (e) {
|
||
console.error("Failed to parse ADMIN_PASSWORDS", e);
|
||
return [];
|
||
}
|
||
}
|
||
return value.filter((item) => item.length > 0);
|
||
}
|
||
|
||
export const sendAdminInternalMail = async (
|
||
c: Context<HonoCustomType>, toMail: string, subject: string, text: string
|
||
): Promise<boolean> => {
|
||
try {
|
||
|
||
const msg = createMimeMessage();
|
||
msg.setSender({
|
||
name: "Admin",
|
||
addr: "admin@internal"
|
||
});
|
||
msg.setRecipient(toMail);
|
||
msg.setSubject(subject);
|
||
msg.addMessage({
|
||
contentType: 'text/plain',
|
||
data: text
|
||
});
|
||
const message_id = Math.random().toString(36).substring(2, 15);
|
||
const { success } = await c.env.DB.prepare(
|
||
`INSERT INTO raw_mails (source, address, raw, message_id) VALUES (?, ?, ?, ?)`
|
||
).bind(
|
||
"admin@internal", toMail, msg.asRaw(), message_id
|
||
).run();
|
||
if (!success) {
|
||
console.log(`Failed save message from admin@internal to ${toMail}`);
|
||
}
|
||
return success;
|
||
} catch (error) {
|
||
console.log("sendAdminInternalMail error", error);
|
||
return false;
|
||
}
|
||
};
|
||
|
||
export const isGlobalTurnstileEnabled = (c: Context<HonoCustomType>): boolean => {
|
||
return getBooleanValue(c.env.ENABLE_GLOBAL_TURNSTILE_CHECK)
|
||
&& !!c.env.CF_TURNSTILE_SITE_KEY
|
||
&& !!c.env.CF_TURNSTILE_SECRET_KEY;
|
||
}
|
||
|
||
export const checkCfTurnstile = async (
|
||
c: Context<HonoCustomType>, token: string | undefined | null
|
||
): Promise<void> => {
|
||
if (!c.env.CF_TURNSTILE_SITE_KEY || !c.env.CF_TURNSTILE_SECRET_KEY) {
|
||
return;
|
||
}
|
||
if (!token) {
|
||
throw new Error("Captcha token is required");
|
||
}
|
||
const reqIp = c.req.raw.headers.get("cf-connecting-ip");
|
||
const formData = new FormData();
|
||
formData.append('secret', c.env.CF_TURNSTILE_SECRET_KEY);
|
||
formData.append('response', token);
|
||
if (reqIp) formData.append('remoteip', reqIp);
|
||
const url = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';
|
||
const result = await fetch(url, {
|
||
body: formData,
|
||
method: 'POST',
|
||
});
|
||
const captchaRes: any = await result.json();
|
||
if (!captchaRes.success) {
|
||
console.log("Captcha failed", captchaRes);
|
||
throw new Error("Captcha failed");
|
||
}
|
||
}
|
||
|
||
export const checkUserPassword = (password: string) => {
|
||
if (!password || password.length < 1 || password.length > 100) {
|
||
throw new Error("Invalid password")
|
||
}
|
||
return true;
|
||
}
|
||
|
||
export const hashPassword = async (password: string): Promise<string> => {
|
||
// use crypto to hash password
|
||
const digest = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(password));
|
||
const hashArray = Array.from(new Uint8Array(digest));
|
||
return hashArray.map(byte => byte.toString(16).padStart(2, '0')).join('');
|
||
}
|
||
|
||
export const getMaxAddressCount = async (
|
||
c: Context<HonoCustomType>,
|
||
userRole: string | null | undefined,
|
||
settings: UserSettings
|
||
): Promise<number> => {
|
||
if (!userRole) return settings.maxAddressCount;
|
||
const roleConfigs = await getJsonSetting<RoleAddressConfig>(c, CONSTANTS.ROLE_ADDRESS_CONFIG_KEY);
|
||
if (!roleConfigs) return settings.maxAddressCount;
|
||
const roleMaxCount = roleConfigs[userRole]?.maxAddressCount;
|
||
if (typeof roleMaxCount !== 'number') return settings.maxAddressCount;
|
||
if (roleMaxCount <= 0) return settings.maxAddressCount;
|
||
return roleMaxCount;
|
||
};
|
||
|
||
/**
|
||
* 检查用户是否已达到地址数量限制
|
||
* @param c - Hono Context
|
||
* @param user_id - 用户 ID
|
||
* @param userRole - 用户角色
|
||
* @returns true 表示已超限,false 表示未超限
|
||
*/
|
||
export const isAddressCountLimitReached = async (
|
||
c: Context<HonoCustomType>,
|
||
user_id: number | string,
|
||
userRole: string | null | undefined
|
||
): Promise<boolean> => {
|
||
const value = await getJsonSetting(c, CONSTANTS.USER_SETTINGS_KEY);
|
||
const settings = new UserSettings(value);
|
||
const maxAddressCount = await getMaxAddressCount(c, userRole, settings);
|
||
|
||
if (maxAddressCount <= 0) return false;
|
||
|
||
const { count } = await c.env.DB.prepare(
|
||
`SELECT COUNT(*) as count FROM users_address where user_id = ?`
|
||
).bind(user_id).first<{ count: number }>() || { count: 0 };
|
||
|
||
return count >= maxAddressCount;
|
||
};
|
||
|
||
export default {
|
||
getJsonObjectValue,
|
||
getSetting,
|
||
saveSetting,
|
||
getStringValue,
|
||
getSplitStringListValue,
|
||
getBooleanValue,
|
||
getIntValue,
|
||
getStringArray,
|
||
getDefaultDomains,
|
||
getDomains,
|
||
getUserRoles,
|
||
getAnotherWorkerList,
|
||
getPasswords,
|
||
getAdminPasswords,
|
||
checkIsAdmin,
|
||
getEnvStringList,
|
||
sendAdminInternalMail,
|
||
isGlobalTurnstileEnabled,
|
||
checkCfTurnstile,
|
||
checkUserPassword,
|
||
getJsonSetting,
|
||
getJsonValue: getJsonObjectValue,
|
||
getStringList: getStringArray
|
||
}
|