Add user password encryption salt (#191)

wu-clan · web-flow · commit eb662e452535 · 2023-07-31T10:53:46.000+08:00
* Add user password encryption salt

* update the salt logic

* Update the SQL files

* Add an update admin login permission interface

* update the is_staff field comment

* update the staff error msg

* Update user backend management operation permissions
diff --git a/backend/app/api/v1/user.py b/backend/app/api/v1/user.py
@@ -94,6 +94,14 @@ async def super_set(request: Request, pk: int):
     return await response_base.fail()
 
 
+@router.put('/{pk}/staff', summary='修改用户后台登录权限', dependencies=[DependsRBAC])
+async def staff_set(request: Request, pk: int):
+    count = await UserService.update_staff(request=request, pk=pk)
+    if count > 0:
+        return await response_base.success()
+    return await response_base.fail()
+
+
 @router.put('/{pk}/status', summary='修改用户状态', dependencies=[DependsRBAC])
 async def status_set(request: Request, pk: int):
     count = await UserService.update_status(request=request, pk=pk)
diff --git a/backend/app/common/casbin_rbac.py b/backend/app/common/casbin_rbac.py
@@ -46,6 +46,8 @@ async def rbac_verify(self, request: Request, _: dict = DependsJwtAuth) -> None:
         user_roles = request.user.roles
         if not user_roles:
             raise AuthorizationError(msg='用户未分配角色，授权失败')
+        if not request.user.is_staff:
+            raise AuthorizationError(msg='此用户已被禁止后台管理操作')
         data_scope = any(role.data_scope == 1 for role in user_roles)
         if data_scope:
             return
diff --git a/backend/app/common/jwt.py b/backend/app/common/jwt.py
@@ -195,6 +195,8 @@ def superuser_verify(request: Request) -> bool:
     is_superuser = request.user.is_superuser
     if not is_superuser:
         raise AuthorizationError(msg='仅管理员有权操作')
+    if not request.user.is_staff:
+        raise AuthorizationError(msg='此管理员已被禁止后台管理操作')
     return is_superuser
 
 
diff --git a/backend/app/crud/crud_user.py b/backend/app/crud/crud_user.py
@@ -3,6 +3,7 @@
 from datetime import datetime
 from typing import NoReturn
 
+from fast_captcha import text_captcha
 from sqlalchemy import select, update, desc, and_
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import selectinload
@@ -29,11 +30,14 @@ async def update_login_time(self, db: AsyncSession, username: str, login_time: d
         await db.commit()
         return user.rowcount
 
-    async def create(self, db: AsyncSession, create: CreateUser) -> NoReturn:
-        create.password = await jwt.get_hash_password(create.password)
-        new_user = self.model(**create.dict(exclude={'roles'}))
+    async def create(self, db: AsyncSession, obj: CreateUser) -> NoReturn:
+        salt = text_captcha(5)
+        obj.password = await jwt.get_hash_password(obj.password + salt)
+        dict_obj = obj.dict(exclude={'roles'})
+        dict_obj.update({'salt': salt})
+        new_user = self.model(**dict_obj)
         role_list = []
-        for role_id in create.roles:
+        for role_id in obj.roles:
             role_list.append(await db.get(Role, role_id))
         new_user.roles.extend(role_list)
         db.add(new_user)
@@ -64,9 +68,9 @@ async def check_email(self, db: AsyncSession, email: str) -> User | None:
         mail = await db.execute(select(self.model).where(self.model.email == email))
         return mail.scalars().first()
 
-    async def reset_password(self, db: AsyncSession, pk: int, password: str) -> int:
+    async def reset_password(self, db: AsyncSession, pk: int, password: str, salt: str) -> int:
         user = await db.execute(
-            update(self.model).where(self.model.id == pk).values(password=await jwt.get_hash_password(password))
+            update(self.model).where(self.model.id == pk).values(password=await jwt.get_hash_password(password + salt))
         )
         return user.rowcount
 
@@ -94,6 +98,10 @@ async def get_super(self, db: AsyncSession, user_id: int) -> bool:
         user = await self.get(db, user_id)
         return user.is_superuser
 
+    async def get_staff(self, db: AsyncSession, user_id: int) -> bool:
+        user = await self.get(db, user_id)
+        return user.is_staff
+
     async def get_status(self, db: AsyncSession, user_id: int) -> bool:
         user = await self.get(db, user_id)
         return user.status
@@ -109,6 +117,13 @@ async def set_super(self, db: AsyncSession, user_id: int) -> int:
         )
         return user.rowcount
 
+    async def set_staff(self, db: AsyncSession, user_id: int) -> int:
+        staff_status = await self.get_staff(db, user_id)
+        user = await db.execute(
+            update(self.model).where(self.model.id == user_id).values(is_staff=False if staff_status else True)
+        )
+        return user.rowcount
+
     async def set_status(self, db: AsyncSession, user_id: int) -> int:
         status = await self.get_status(db, user_id)
         user = await db.execute(
diff --git a/backend/app/models/sys_user.py b/backend/app/models/sys_user.py
@@ -22,8 +22,10 @@ class User(Base):
     username: Mapped[str] = mapped_column(String(20), unique=True, index=True, comment='用户名')
     nickname: Mapped[str] = mapped_column(String(20), unique=True, comment='昵称')
     password: Mapped[str] = mapped_column(String(255), comment='密码')
+    salt: Mapped[str] = mapped_column(String(5), comment='加密盐')
     email: Mapped[str] = mapped_column(String(50), unique=True, index=True, comment='邮箱')
     is_superuser: Mapped[bool] = mapped_column(default=False, comment='超级权限(0否 1是)')
+    is_staff: Mapped[bool] = mapped_column(default=False, comment='后台管理登陆(0否 1是)')
     status: Mapped[int] = mapped_column(default=1, comment='用户账号状态(0停用 1正常)')
     is_multi_login: Mapped[bool] = mapped_column(default=False, comment='是否重复登陆(0否 1是)')
     avatar: Mapped[str | None] = mapped_column(String(255), default=None, comment='头像')
diff --git a/backend/app/schemas/role.py b/backend/app/schemas/role.py
@@ -11,7 +11,9 @@
 
 class RoleBase(SchemaBase):
     name: str
-    data_scope: RoleDataScopeType = Field(default=RoleDataScopeType.custom, description='权限范围（1：全部数据权限 2：自定义数据权限）')
+    data_scope: RoleDataScopeType = Field(
+        default=RoleDataScopeType.custom, description='权限范围（1：全部数据权限 2：自定义数据权限）'
+    )  # E501
     status: StatusType = Field(default=StatusType.enable)
     remark: str | None = None
 
diff --git a/backend/app/services/auth_service.py b/backend/app/services/auth_service.py
@@ -29,7 +29,7 @@ async def swagger_login(self, *, form_data: OAuth2PasswordRequestForm):
             current_user = await UserDao.get_by_username(db, form_data.username)
             if not current_user:
                 raise errors.NotFoundError(msg='用户不存在')
-            elif not await jwt.password_verify(form_data.password, current_user.password):
+            elif not await jwt.password_verify(form_data.password + current_user.salt, current_user.password):
                 raise errors.AuthorizationError(msg='密码错误')
             elif not current_user.status:
                 raise errors.AuthorizationError(msg='用户已锁定, 登陆失败')
@@ -47,7 +47,7 @@ async def login(self, *, request: Request, obj: AuthLogin, background_tasks: Bac
                 current_user = await UserDao.get_by_username(db, obj.username)
                 if not current_user:
                     raise errors.NotFoundError(msg='用户不存在')
-                elif not await jwt.password_verify(obj.password, current_user.password):
+                elif not await jwt.password_verify(obj.password + current_user.salt, current_user.password):
                     raise errors.AuthorizationError(msg='密码错误')
                 elif not current_user.status:
                     raise errors.AuthorizationError(msg='用户已锁定, 登陆失败')
diff --git a/backend/app/services/user_service.py b/backend/app/services/user_service.py
@@ -40,14 +40,14 @@ async def register(*, obj: CreateUser) -> NoReturn:
     @staticmethod
     async def pwd_reset(*, request: Request, obj: ResetPassword) -> int:
         async with async_db_session.begin() as db:
-            iop = obj.old_password
-            if not await password_verify(iop, request.user.password):
+            op = obj.old_password
+            if not await password_verify(op + request.user.salt, request.user.password):
                 raise errors.ForbiddenError(msg='旧密码错误')
             np1 = obj.new_password
             np2 = obj.confirm_password
             if np1 != np2:
                 raise errors.ForbiddenError(msg='两次密码输入不一致')
-            count = await UserDao.reset_password(db, request.user.id, obj.new_password)
+            count = await UserDao.reset_password(db, request.user.id, obj.new_password, request.user.salt)
             prefix = [
                 f'{settings.TOKEN_REDIS_PREFIX}:{request.user.id}:',
                 f'{settings.TOKEN_REFRESH_REDIS_PREFIX}:{request.user.id}:',
@@ -128,6 +128,18 @@ async def update_permission(*, request: Request, pk: int) -> int:
                 count = await UserDao.set_super(db, pk)
                 return count
 
+    @staticmethod
+    async def update_staff(*, request: Request, pk: int) -> int:
+        async with async_db_session.begin() as db:
+            await jwt.superuser_verify(request)
+            if not await UserDao.get(db, pk):
+                raise errors.NotFoundError(msg='用户不存在')
+            else:
+                if pk == request.user.id:
+                    raise errors.ForbiddenError(msg='禁止修改自身后台管理登陆权限')
+                count = await UserDao.set_staff(db, pk)
+                return count
+
     @staticmethod
     async def update_status(*, request: Request, pk: int) -> int:
         async with async_db_session.begin() as db:
diff --git a/backend/sql/create_tables.sql b/backend/sql/create_tables.sql
@@ -202,8 +202,10 @@ CREATE TABLE sys_user
     username        VARCHAR(20)  NOT NULL COMMENT '用户名',
     nickname        VARCHAR(20)  NOT NULL COMMENT '昵称',
     password        VARCHAR(255) NOT NULL COMMENT '密码',
+    salt            VARCHAR(5)   NOT NULL COMMENT '加密盐',
     email           VARCHAR(50)  NOT NULL COMMENT '邮箱',
     is_superuser    BOOL         NOT NULL COMMENT '超级权限(0否 1是)',
+    is_staff        BOOL         NOT NULL COMMENT '后台管理登陆(0否 1是)',
     status          INTEGER      NOT NULL COMMENT '用户账号状态(0停用 1正常)',
     is_multi_login  BOOL         NOT NULL COMMENT '是否重复登陆(0否 1是)',
     avatar          VARCHAR(255) COMMENT '头像',
diff --git a/backend/sql/init_test_data.sql b/backend/sql/init_test_data.sql
@@ -26,8 +26,8 @@ VALUES (1, 'test', 2, 1, null, '2023-06-26 17:13:45', null);
 INSERT INTO fba.sys_role_menu (id, role_id, menu_id)
 VALUES (1, 1, 1);
 
-INSERT INTO fba.sys_user (id, uuid, username, nickname, password, email, is_superuser, status, is_multi_login, avatar, phone, join_time, last_login_time, dept_id, created_time, updated_time)
-VALUES (1, 'af4c804f-3966-4949-ace2-3bb7416ea926', 'test', 'test', '$2b$12$TpdL7kKriqhpJHSBMT.Fr.hJNBx5SdUybi.NT1DV5MojYpV9PpRre', 'test@gmail.com', 1, 1, 0, null, null, '2023-06-26 17:13:45', null, 1, '2023-06-26 17:13:45', null);
+INSERT INTO fba.sys_user (id, uuid, username, nickname, password, salt, email, is_superuser, is_staff, status, is_multi_login, avatar, phone, join_time, last_login_time, dept_id, created_time, updated_time)
+VALUES (1, 'af4c804f-3966-4949-ace2-3bb7416ea926', 'test', 'test', '$2b$12$eYLKJttq2/e66er1VK7NFezNIYkAu.XTGrJppJpqOW1DHmbcBf5ou', 'NvxNx', 'test@example.com', 1, 1, 1, 0, null, null, '2023-06-26 17:13:45', null, 1, '2023-06-26 17:13:45', null);
 
 INSERT INTO fba.sys_user_role (id, user_id, role_id)
 VALUES (1, 1, 1);
