✨ Support read-only publish service

* 🎨 kernel supports read-only publishing services * 🐛 Fix authentication vulnerabilities * 🎨 Protect secret information * 🎨 Adjust the permission control * 🎨 Adjust the permission control * 🎨 Fixed the vulnerability that `getFile` gets file `conf.json` * 🎨 Add API `/api/setting/setPublish` * 🎨 Add API `/api/setting/getPublish` * 🐛 Fixed the issue that PWA-related files could not pass BasicAuth * 🎨 Add a settings panel for publishing features * 📝 Add guide for `Publish Service` * 📝 Update Japanese user guide * 🎨 Merge fixed static file services
2025-12-16 22:50:13 +01:00 · 2024-06-12 21:03:51 +08:00 · 2024-06-12 21:03:51 +08:00 · ba2193403d
commit ba2193403d
parent 536879cb84
47 changed files with 3690 additions and 375 deletions
--- a/kernel/model/auth.go
+++ b/kernel/model/auth.go
@ -0,0 +1,133 @@
+// SiYuan - Refactor your thinking
+// Copyright (c) 2020-present, b3log.org
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package model
+
+import (
+	"crypto/rand"
+	"net/http"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/siyuan-note/logging"
+)
+
+type Account struct {
+	Username string
+	Password string
+	Token    string
+}
+type AccountsMap map[string]*Account
+type ClaimsKeyType string
+
+const (
+	XAuthTokenKey = "X-Auth-Token"
+
+	ClaimsContextKey = "claims"
+
+	iss = "siyuan-publish-reverse-proxy-server"
+	sub = "publish"
+	aud = "siyuan-kernel"
+
+	ClaimsKeyRole string = "role"
+)
+
+var (
+	accountsMap = AccountsMap{}
+
+	key = make([]byte, 32)
+)
+
+func GetBasicAuthAccount(username string) *Account {
+	return accountsMap[username]
+}
+
+func InitAccounts() {
+	accountsMap = AccountsMap{
+		"": &Account{}, // 匿名用户
+	}
+	for _, account := range Conf.Publish.Auth.Accounts {
+		accountsMap[account.Username] = &Account{
+			Username: account.Username,
+			Password: account.Password,
+		}
+	}
+
+	InitJWT()
+}
+
+func InitJWT() {
+	if _, err := rand.Read(key); err != nil {
+		logging.LogErrorf("generate JWT signing key failed: %s", err)
+		return
+	}
+
+	for username, account := range accountsMap {
+		// REF: https://golang-jwt.github.io/jwt/usage/create/
+		t := jwt.NewWithClaims(
+			jwt.SigningMethodHS256,
+			jwt.MapClaims{
+				"iss": iss,
+				"sub": sub,
+				"aud": aud,
+				"jti": username,
+
+				ClaimsKeyRole: RoleReader,
+			},
+		)
+		if token, err := t.SignedString(key); err != nil {
+			logging.LogErrorf("JWT signature failed: %s", err)
+			return
+		} else {
+			account.Token = token
+		}
+	}
+}
+
+func ParseJWT(tokenString string) (*jwt.Token, error) {
+	// REF: https://golang-jwt.github.io/jwt/usage/parse/
+	return jwt.Parse(
+		tokenString,
+		func(token *jwt.Token) (interface{}, error) {
+			return key, nil
+		},
+		jwt.WithIssuer(iss),
+		jwt.WithSubject(sub),
+		jwt.WithAudience(aud),
+	)
+}
+
+func ParseXAuthToken(r *http.Request) *jwt.Token {
+	tokenString := r.Header.Get(XAuthTokenKey)
+	if tokenString != "" {
+		if token, err := ParseJWT(tokenString); err != nil {
+			logging.LogErrorf("JWT parse failed: %s", err)
+		} else {
+			return token
+		}
+	}
+	return nil
+}
+
+func GetTokenClaims(token *jwt.Token) jwt.MapClaims {
+	return token.Claims.(jwt.MapClaims)
+}
+
+func GetClaimRole(claims jwt.MapClaims) Role {
+	if role := claims[ClaimsKeyRole]; role != nil {
+		return Role(role.(float64))
+	}
+	return RoleVisitor
+}