From e71407ee624f49797d71113839d1bcb3ee49c105 Mon Sep 17 00:00:00 2001 From: Seefs Date: Tue, 30 Sep 2025 13:18:18 +0800 Subject: [PATCH] fix: passkey security --- controller/passkey.go | 21 +++----- router/api-router.go | 2 +- .../table/users/UsersColumnDefs.jsx | 54 ++++++++++++------- web/src/hooks/users/useUsersData.jsx | 2 +- 4 files changed, 44 insertions(+), 35 deletions(-) diff --git a/controller/passkey.go b/controller/passkey.go index 3bdec8f0f..7ffacf5d6 100644 --- a/controller/passkey.go +++ b/controller/passkey.go @@ -189,13 +189,8 @@ func PasskeyStatus(c *gin.Context) { } data := gin.H{ - "enabled": true, - "last_used_at": credential.LastUsedAt, - "backup_eligible": credential.BackupEligible, - "backup_state": credential.BackupState, - } - if credential != nil { - data["credential_aaguid"] = fmt.Sprintf("%x", credential.AAGUID) + "enabled": true, + "last_used_at": credential.LastUsedAt, } c.JSON(http.StatusOK, gin.H{ @@ -278,14 +273,14 @@ func PasskeyLoginFinish(c *gin.Context) { return nil, errors.New("该用户已被禁用") } - // 验证用户句柄(如果提供的话) if len(userHandle) > 0 { - if userID, parseErr := strconv.Atoi(string(userHandle)); parseErr == nil { - if userID != user.Id { - return nil, errors.New("用户句柄与凭证不匹配") - } + userID, parseErr := strconv.Atoi(string(userHandle)) + if parseErr != nil { + // 记录异常但继续验证,因为某些客户端可能使用非数字格式 + common.SysLog(fmt.Sprintf("PasskeyLogin: userHandle parse error for credential, length: %d", len(userHandle))) + } else if userID != user.Id { + return nil, errors.New("用户句柄与凭证不匹配") } - // 如果解析失败,不做严格验证,因为某些情况下userHandle可能为空或格式不同 } return passkeysvc.NewWebAuthnUser(user, credential), nil diff --git a/router/api-router.go b/router/api-router.go index 4afc0a0fa..d29615914 100644 --- a/router/api-router.go +++ b/router/api-router.go @@ -99,7 +99,7 @@ func SetApiRouter(router *gin.Engine) { adminRoute.POST("/manage", controller.ManageUser) adminRoute.PUT("/", controller.UpdateUser) adminRoute.DELETE("/:id", controller.DeleteUser) - adminRoute.DELETE("/:id/passkey", controller.AdminResetPasskey) + adminRoute.DELETE("/:id/reset_passkey", controller.AdminResetPasskey) // Admin 2FA routes adminRoute.GET("/2fa/stats", controller.Admin2FAStats) diff --git a/web/src/components/table/users/UsersColumnDefs.jsx b/web/src/components/table/users/UsersColumnDefs.jsx index 6cd9e9785..37b4c7f25 100644 --- a/web/src/components/table/users/UsersColumnDefs.jsx +++ b/web/src/components/table/users/UsersColumnDefs.jsx @@ -26,7 +26,9 @@ import { Progress, Popover, Typography, + Dropdown, } from '@douyinfe/semi-ui'; +import { IconMore } from '@douyinfe/semi-icons'; import { renderGroup, renderNumber, renderQuota } from '../../../helpers'; /** @@ -213,6 +215,28 @@ const renderOperations = ( return <>; } + const moreMenu = [ + { + node: 'item', + name: t('重置 Passkey'), + onClick: () => showResetPasskeyModal(record), + }, + { + node: 'item', + name: t('重置 2FA'), + onClick: () => showResetTwoFAModal(record), + }, + { + node: 'divider', + }, + { + node: 'item', + name: t('注销'), + type: 'danger', + onClick: () => showDeleteModal(record), + }, + ]; + return ( {record.status === 1 ? ( @@ -255,27 +279,17 @@ const renderOperations = ( > {t('降级')} - - - +