✨ Support read-only publish service

* 🎨 kernel supports read-only publishing services

* 🐛 Fix authentication vulnerabilities

* 🎨 Protect secret information

* 🎨 Adjust the permission control

* 🎨 Adjust the permission control

* 🎨 Fixed the vulnerability that `getFile` gets file `conf.json`

* 🎨 Add API `/api/setting/setPublish`

* 🎨 Add API `/api/setting/getPublish`

* 🐛 Fixed the issue that PWA-related files could not pass BasicAuth

* 🎨 Add a settings panel for publishing features

* 📝 Add guide for `Publish Service`

* 📝 Update Japanese user guide

* 🎨 Merge fixed static file services

kernel/model/auth.go

@@ -0,0 +1,133 @@
+// SiYuan - Refactor your thinking
+// Copyright (c) 2020-present, b3log.org
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package model
+
+import (
+	"crypto/rand"
+	"net/http"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/siyuan-note/logging"
+)
+
+type Account struct {
+	Username string
+	Password string
+	Token    string
+}
+type AccountsMap map[string]*Account
+type ClaimsKeyType string
+
+const (
+	XAuthTokenKey = "X-Auth-Token"
+
+	ClaimsContextKey = "claims"
+
+	iss = "siyuan-publish-reverse-proxy-server"
+	sub = "publish"
+	aud = "siyuan-kernel"
+
+	ClaimsKeyRole string = "role"
+)
+
+var (
+	accountsMap = AccountsMap{}
+
+	key = make([]byte, 32)
+)
+
+func GetBasicAuthAccount(username string) *Account {
+	return accountsMap[username]
+}
+
+func InitAccounts() {
+	accountsMap = AccountsMap{
+		"": &Account{}, // 匿名用户
+	}
+	for _, account := range Conf.Publish.Auth.Accounts {
+		accountsMap[account.Username] = &Account{
+			Username: account.Username,
+			Password: account.Password,
+		}
+	}
+
+	InitJWT()
+}
+
+func InitJWT() {
+	if _, err := rand.Read(key); err != nil {
+		logging.LogErrorf("generate JWT signing key failed: %s", err)
+		return
+	}
+
+	for username, account := range accountsMap {
+		// REF: https://golang-jwt.github.io/jwt/usage/create/
+		t := jwt.NewWithClaims(
+			jwt.SigningMethodHS256,
+			jwt.MapClaims{
+				"iss": iss,
+				"sub": sub,
+				"aud": aud,
+				"jti": username,
+
+				ClaimsKeyRole: RoleReader,
+			},
+		)
+		if token, err := t.SignedString(key); err != nil {
+			logging.LogErrorf("JWT signature failed: %s", err)
+			return
+		} else {
+			account.Token = token
+		}
+	}
+}
+
+func ParseJWT(tokenString string) (*jwt.Token, error) {
+	// REF: https://golang-jwt.github.io/jwt/usage/parse/
+	return jwt.Parse(
+		tokenString,
+		func(token *jwt.Token) (interface{}, error) {
+			return key, nil
+		},
+		jwt.WithIssuer(iss),
+		jwt.WithSubject(sub),
+		jwt.WithAudience(aud),
+	)
+}
+
+func ParseXAuthToken(r *http.Request) *jwt.Token {
+	tokenString := r.Header.Get(XAuthTokenKey)
+	if tokenString != "" {
+		if token, err := ParseJWT(tokenString); err != nil {
+			logging.LogErrorf("JWT parse failed: %s", err)
+		} else {
+			return token
+		}
+	}
+	return nil
+}
+
+func GetTokenClaims(token *jwt.Token) jwt.MapClaims {
+	return token.Claims.(jwt.MapClaims)
+}
+
+func GetClaimRole(claims jwt.MapClaims) Role {
+	if role := claims[ClaimsKeyRole]; role != nil {
+		return Role(role.(float64))
+	}
+	return RoleVisitor
+}

kernel/model/conf.go

@@ -76,6 +76,7 @@ type AppConf struct {
 	Stat           *conf.Stat       `json:"stat"`           // 统计
 	Api            *conf.API        `json:"api"`            // API
 	Repo           *conf.Repo       `json:"repo"`           // 数据仓库
+	Publish        *conf.Publish    `json:"publish"`        // 发布服务
 	OpenHelp       bool             `json:"openHelp"`       // 启动后是否需要打开用户指南
 	ShowChangelog  bool             `json:"showChangelog"`  // 是否显示版本更新日志
 	CloudRegion    int              `json:"cloudRegion"`    // 云端区域，0：中国大陆，1：北美
@@ -357,6 +358,10 @@ func InitConf() {
 		Conf.Bazaar = conf.NewBazaar()
 	}
 
+	if nil == Conf.Publish {
+		Conf.Publish = conf.NewPublish()
+	}
+
 	if nil == Conf.Repo {
 		Conf.Repo = conf.NewRepo()
 	}
@@ -894,6 +899,24 @@ func GetMaskedConf() (ret *AppConf, err error) {
 	return
 }
 
+// REF: https://github.com/siyuan-note/siyuan/issues/11364
+// HideConfSecret 隐藏设置中的秘密信息
+func HideConfSecret(c *AppConf) {
+	c.AI = &conf.AI{}
+	c.Api = &conf.API{}
+	c.Flashcard = &conf.Flashcard{}
+	c.LocalIPs = []string{}
+	c.Publish = &conf.Publish{}
+	c.Repo = &conf.Repo{}
+	c.Sync = &conf.Sync{}
+	c.System.AppDir = ""
+	c.System.ConfDir = ""
+	c.System.DataDir = ""
+	c.System.HomeDir = ""
+	c.System.Name = ""
+	c.System.NetworkProxy = &conf.NetworkProxy{}
+}
+
 func clearPortJSON() {
 	pid := fmt.Sprintf("%d", os.Getpid())
 	portJSON := filepath.Join(util.HomeDir, ".config", "siyuan", "port.json")

kernel/model/role.go

@@ -0,0 +1,56 @@
+// SiYuan - Refactor your thinking
+// Copyright (c) 2020-present, b3log.org
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package model
+
+import "github.com/gin-gonic/gin"
+
+type Role uint
+
+const (
+	RoleContextKey = "role"
+)
+
+const (
+	RoleAdministrator Role = iota // 管理员
+	RoleEditor                    // 编辑者
+	RoleReader                    // 读者
+	RoleVisitor                   // 匿名访问者
+)
+
+func IsValidRole(role Role, roles []Role) bool {
+	for _, role_ := range roles {
+		if role == role_ {
+			return true
+		}
+	}
+	return false
+}
+
+func IsReadOnlyRole(role Role) bool {
+	return IsValidRole(role, []Role{
+		RoleReader,
+		RoleVisitor,
+	})
+}
+
+func GetGinContextRole(c *gin.Context) Role {
+	if role, exists := c.Get(RoleContextKey); exists {
+		return role.(Role)
+	} else {
+		return RoleVisitor
+	}
+}

kernel/model/session.go

@@ -164,6 +164,16 @@ func CheckReadonly(c *gin.Context) {
 }
 
 func CheckAuth(c *gin.Context) {
+	// 已通过 JWT 认证
+	if role := GetGinContextRole(c); IsValidRole(role, []Role{
+		RoleAdministrator,
+		RoleEditor,
+		RoleReader,
+	}) {
+		c.Next()
+		return
+	}
+
 	//logging.LogInfof("check auth for [%s]", c.Request.RequestURI)
 	localhost := util.IsLocalHost(c.Request.RemoteAddr)
 
@@ -171,6 +181,7 @@ func CheckAuth(c *gin.Context) {
 	if "" == Conf.AccessAuthCode {
 		// Skip the empty access authorization code check https://github.com/siyuan-note/siyuan/issues/9709
 		if util.SiyuanAccessAuthCodeBypass {
+			c.Set(RoleContextKey, RoleAdministrator)
 			c.Next()
 			return
 		}
@@ -190,6 +201,7 @@ func CheckAuth(c *gin.Context) {
 			return
 		}
 
+		c.Set(RoleContextKey, RoleAdministrator)
 		c.Next()
 		return
 	}
@@ -206,19 +218,23 @@ func CheckAuth(c *gin.Context) {
 	// 放过来自本机的某些请求
 	if localhost {
 		if strings.HasPrefix(c.Request.RequestURI, "/assets/") {
+			c.Set(RoleContextKey, RoleAdministrator)
 			c.Next()
 			return
 		}
 		if strings.HasPrefix(c.Request.RequestURI, "/api/system/exit") {
+			c.Set(RoleContextKey, RoleAdministrator)
 			c.Next()
 			return
 		}
 		if strings.HasPrefix(c.Request.RequestURI, "/api/system/getNetwork") {
+			c.Set(RoleContextKey, RoleAdministrator)
 			c.Next()
 			return
 		}
 		if strings.HasPrefix(c.Request.RequestURI, "/api/sync/performSync") {
 			if util.ContainerIOS == util.Container || util.ContainerAndroid == util.Container {
+				c.Set(RoleContextKey, RoleAdministrator)
 				c.Next()
 				return
 			}
@@ -229,6 +245,7 @@ func CheckAuth(c *gin.Context) {
 	session := util.GetSession(c)
 	workspaceSession := util.GetWorkspaceSession(session)
 	if workspaceSession.AccessAuthCode == Conf.AccessAuthCode {
+		c.Set(RoleContextKey, RoleAdministrator)
 		c.Next()
 		return
 	}
@@ -248,6 +265,7 @@ func CheckAuth(c *gin.Context) {
 
 		if "" != token {
 			if Conf.Api.Token == token {
+				c.Set(RoleContextKey, RoleAdministrator)
 				c.Next()
 				return
 			}
@@ -261,6 +279,7 @@ func CheckAuth(c *gin.Context) {
 	// 通过 API token (query-params: token)
 	if token := c.Query("token"); "" != token {
 		if Conf.Api.Token == token {
+			c.Set(RoleContextKey, RoleAdministrator)
 			c.Next()
 			return
 		}
@@ -300,9 +319,43 @@ func CheckAuth(c *gin.Context) {
 		return
 	}
 
+	c.Set(RoleContextKey, RoleAdministrator)
 	c.Next()
 }
 
+func CheckAdminRole(c *gin.Context) {
+	if IsValidRole(GetGinContextRole(c), []Role{
+		RoleAdministrator,
+	}) {
+		c.Next()
+	} else {
+		c.AbortWithStatus(http.StatusForbidden)
+	}
+}
+
+func CheckEditRole(c *gin.Context) {
+	if IsValidRole(GetGinContextRole(c), []Role{
+		RoleAdministrator,
+		RoleEditor,
+	}) {
+		c.Next()
+	} else {
+		c.AbortWithStatus(http.StatusForbidden)
+	}
+}
+
+func CheckReadRole(c *gin.Context) {
+	if IsValidRole(GetGinContextRole(c), []Role{
+		RoleAdministrator,
+		RoleEditor,
+		RoleReader,
+	}) {
+		c.Next()
+	} else {
+		c.AbortWithStatus(http.StatusForbidden)
+	}
+}
+
 var timingAPIs = map[string]int{
 	"/api/search/fullTextSearchBlock": 200, // Monitor the search performance and suggest solutions https://github.com/siyuan-note/siyuan/issues/7873
 }