Merge branch 'hotfix/security' of http://git.yoho.cn/fe/yohobuy-node into hotfix/security

@@ -7,6 +7,7 @@
 const Promise = require('bluebird');
 const Promise = require('bluebird');
 const co = Promise.coroutine;
 const co = Promise.coroutine;
 const helpers = global.yoho.helpers;
 const helpers = global.yoho.helpers;
+const logger = global.yoho.logger;
 const _ = require('lodash');
 const _ = require('lodash');
 
 
 const crypto = global.yoho.crypto;
 const crypto = global.yoho.crypto;
@@ -270,20 +271,29 @@ const auditCheckStatus = (uid, checkType, step) => {
  * 校验进入第二步
  * 校验进入第二步
  * @param type $checkCode
  * @param type $checkCode
  * @param type $uid
  * @param type $uid
+ * @param type MaxTime
  * @return boolean
  * @return boolean
  */
  */
-const checkCode = (ckCode, uid) => {
-    // checkCode里空格用+替换
-    let code = decodeURIComponent(ckCode);
-    let checkStr = crypto.decrypt('yoho9646abcdefgh', code);
+const checkCode = (ckCode, uid, time) => {
+    time = parseInt(`0${time}`, 10) || 86400000;
 
 
-    let checkInfo = checkStr.split('_'),
-        checkUid = checkInfo[0],
-        timeDiff = Date.parse(new Date()) - checkInfo[1]; // 时间差，秒 24h 86400
+    try {
+        // checkCode里空格用+替换
+        let code = decodeURIComponent(ckCode);
+        let checkStr = crypto.decrypt('yoho9646abcdefgh', code);
+
+        let checkInfo = checkStr.split('_'),
+            checkUid = checkInfo[0],
+            timeDiff = Date.parse(new Date()) - checkInfo[1]; // 时间差，秒 24h 86400000
+
+        if (checkStr.indexOf('completeverify') > 0 && String(checkUid) === String(uid) && timeDiff <= time) {
+            return true;
+        } else {
+            return false;
+        }
+    } catch (e) { // eslint-disable-line
+        logger.error(`account checkCode decrypt error [checkCode]:${ckCode}`);
 
 
-    if (checkStr.indexOf('completeverify') > 0 && String(checkUid) === String(uid) && timeDiff <= 86400) {
-        return true;
-    } else {
         return false;
         return false;
     }
     }
 };
 };
@@ -776,8 +786,25 @@ const identityMobile = (req) => {
 const sendMobileMsg = (req, uid) => {
 const sendMobileMsg = (req, uid) => {
     return co(function*() {
     return co(function*() {
         let mobile = req.body.mobile || '',
         let mobile = req.body.mobile || '',
+            _code = req.body.checkCode,
             resqData = {code: 400};
             resqData = {code: 400};
 
 
+        // 发送验证码前置数据校验
+        if (!_code) {
+            let verifyInfo = yield accountApi.getVerifyInfo(uid);
+
+            mobile = _.get(verifyInfo, 'data.mobile', '');
+            if (!mobile) {
+                return Object.assign(resqData, {
+                    message: '数据验证错误'
+                });
+            }
+        } else if (!checkCode(_code, uid)) {
+            return Object.assign(resqData, {
+                message: '数据验证错误'
+            });
+        }
+
         let mobileInfo = handleMobile(mobile);
         let mobileInfo = handleMobile(mobile);
 
 
         resqData = yield accountApi.sendMobileMsg(uid, mobileInfo.mobile, mobileInfo.area);
         resqData = yield accountApi.sendMobileMsg(uid, mobileInfo.mobile, mobileInfo.area);
@@ -792,22 +819,37 @@ const checkMobileMsg = (req, uid) => {
     return co(function*() {
     return co(function*() {
         let mobile = req.body.mobile || '',
         let mobile = req.body.mobile || '',
             code = req.body.code || '',
             code = req.body.code || '',
-            resqData;
+            _code = req.body.checkCode,
+            resqData = {code: 400};
+
+        // 校验验证码前置数据校验
+        if (!_code) {
+            let verifyInfo = yield accountApi.getVerifyInfo(uid);
+
+            mobile = _.get(verifyInfo, 'data.mobile', '');
+            if (!mobile) {
+                return Object.assign(resqData, {
+                    message: '数据验证错误'
+                });
+            }
+        } else if (!checkCode(_code, uid)) {
+            return Object.assign(resqData, {
+                message: '数据验证错误'
+            });
+        }
 
 
         if (mobile === '') {
         if (mobile === '') {
-            resqData = {
-                code: 400,
+            Object.assign(resqData, {
                 message: '手机号为空',
                 message: '手机号为空',
                 data: ''
                 data: ''
-            };
+            });
             return resqData;
             return resqData;
         }
         }
         if (code === '') {
         if (code === '') {
-            resqData = {
-                code: 400,
+            Object.assign(resqData, {
                 message: '验证码为空',
                 message: '验证码为空',
                 data: ''
                 data: ''
-            };
+            });
             return resqData;
             return resqData;
         }
         }
         let mobileInfo = handleMobile(mobile);
         let mobileInfo = handleMobile(mobile);
@@ -817,7 +859,11 @@ const checkMobileMsg = (req, uid) => {
             let ckCode = crypto.encryption('yoho9646abcdefgh', uid + '_' + Date.parse(new Date()) + '_' +
             let ckCode = crypto.encryption('yoho9646abcdefgh', uid + '_' + Date.parse(new Date()) + '_' +
                 mobileInfo.mobile + mobileInfo.area + 'completeverify');
                 mobileInfo.mobile + mobileInfo.area + 'completeverify');
 
 
-            resqData.data = encodeURIComponent(ckCode);
+
+            Object.assign(resqData, {
+                code: 200,
+                data: encodeURIComponent(ckCode)
+            });
         }
         }
         return resqData;
         return resqData;
     })();
     })();
@@ -833,6 +879,15 @@ const sendEmail = (req) => {
             email = req.body.email || '',
             email = req.body.email || '',
             resqData = {code: 400};
             resqData = {code: 400};
 
 
+        let verifyInfo = yield accountApi.getVerifyInfo(uid);
+
+        email = _.get(verifyInfo, 'data.email', '');
+        if (!email) {
+            return Object.assign(resqData, {
+                message: '数据验证错误'
+            });
+        }
+
         let ckCode = crypto.encryption('yoho9646abcdefgh', uid + '_' + Date.parse(new Date()) +
         let ckCode = crypto.encryption('yoho9646abcdefgh', uid + '_' + Date.parse(new Date()) +
             '_' + email + checkType + 'completeverify');
             '_' + email + checkType + 'completeverify');
 
 
@@ -864,7 +919,16 @@ const checkEmail = (req) => {
 const modifyPwd = (req, params) => {
 const modifyPwd = (req, params) => {
     return co(function*() {
     return co(function*() {
         let uid = params.uid,
         let uid = params.uid,
-            newPwd = params.newPwd || '';
+            newPwd = params.newPwd || '',
+            _code = params.checkCode;
+
+        // 前置数据校验
+        if (!_code || !checkCode(_code, uid, 600000)) {
+            return {
+                code: 400,
+                message: '数据验证错误'
+            };
+        }
 
 
         let resqData = yield accountApi.modifyPwd(uid, newPwd);
         let resqData = yield accountApi.modifyPwd(uid, newPwd);
 
 
@@ -879,8 +943,17 @@ const modifyMobile = (req, uid) => {
     return co(function*() {
     return co(function*() {
         let mobile = req.body.mobile || '',
         let mobile = req.body.mobile || '',
             code = req.body.code || '',
             code = req.body.code || '',
+            _code = req.body.checkCode,
             resqData = {code: 400};
             resqData = {code: 400};
 
 
+        // 校验验证码前置数据校验
+        // 校验checkCode，有效时间10分钟（checkCode在调改接口前获取，考虑网络延时，服务器间的时间差，设置10分钟）
+        if (!_code || !checkCode(_code, uid, 600000)) {
+            return Object.assign(resqData, {
+                message: '数据验证错误'
+            });
+        }
+
         if (mobile === '') {
         if (mobile === '') {
             resqData = {
             resqData = {
                 code: 400,
                 code: 400,
@@ -937,8 +1010,16 @@ const modifyEmail = (req) => {
     return co(function*() {
     return co(function*() {
         let uid = req.user.uid,
         let uid = req.user.uid,
             email = req.body.email || '',
             email = req.body.email || '',
+            _code = req.body.checkCode,
             resqData = {code: 400};
             resqData = {code: 400};
 
 
+        // 前置数据校验
+        if (!_code || !checkCode(_code, uid, 600000)) {
+            return Object.assign(resqData, {
+                message: '数据验证错误'
+            });
+        }
+
         let check = yield accountApi.checkVerifyEmail(uid, email);
         let check = yield accountApi.checkVerifyEmail(uid, email);
 
 
         if (check.code === 200) {
         if (check.code === 200) {

@@ -21,9 +21,14 @@ var $checkUser = $('.check-user'),
 var sInt,
 var sInt,
     active;
     active;
 
 
+var baseQs;
+
 var captcha = new Captcha('.captcha-safe-form-r').init();
 var captcha = new Captcha('.captcha-safe-form-r').init();
 
 
 require('../common');
 require('../common');
+
+baseQs = window.queryString();
+
 $.ajaxSetup({
 $.ajaxSetup({
     async: false
     async: false
 });
 });
@@ -66,6 +71,9 @@ function checkFormAjax(ajaxData) {
 
 
     $.post(ajaxData.url, ajaxData.data, function(data) {
     $.post(ajaxData.url, ajaxData.data, function(data) {
         if (typeof data.code !== 'undefined' && data.code === 200) {
         if (typeof data.code !== 'undefined' && data.code === 200) {
+            if (ajaxData.cb && typeof ajaxData.cb === 'function') {
+                ajaxData.cb(data); // eslint-disable-line
+            }
             res = successInfoAction(ajaxData.opt);
             res = successInfoAction(ajaxData.opt);
         } else {
         } else {
             ajaxData.txt = ajaxData.txt !== '' && ajaxData.txt !== null ? ajaxData.txt : data.message;
             ajaxData.txt = ajaxData.txt !== '' && ajaxData.txt !== null ? ajaxData.txt : data.message;
@@ -174,9 +182,15 @@ function checkForm(dom) {
                 url: '/home/account/checkmobilemsg',
                 url: '/home/account/checkmobilemsg',
                 data: {
                 data: {
                     mobile: mobileValue,
                     mobile: mobileValue,
-                    code: $('#inputcode').val()
+                    code: $('#inputcode').val(),
+                    checkCode: baseQs.checkCode || ''
                 },
                 },
-                txt: '验证码错误！'
+                txt: '验证码错误！',
+                cb: function(data) {
+                    if (data.code === 200) {
+                        baseQs.checkCode = data.data;
+                    }
+                }
             });
             });
             return checkFormAjax(ajaxData);
             return checkFormAjax(ajaxData);
         }
         }
@@ -227,10 +241,15 @@ function code() {
 function sendMobileMsg(mobileV) {
 function sendMobileMsg(mobileV) {
     var $code = $('#inputcode'),
     var $code = $('#inputcode'),
         $ccheckInfo = $code.parent().find('check-info');
         $ccheckInfo = $code.parent().find('check-info');
-
-    $.post('/home/account/sendmobilemsg', {
+    var reqData = {
         mobile: mobileV
         mobile: mobileV
-    }, function(data) {
+    };
+
+    if (baseQs.checkCode) {
+        reqData.checkCode = baseQs.checkCode;
+    }
+
+    $.post('/home/account/sendmobilemsg', reqData, function(data) {
         if (typeof data.code !== 'undefined' && data.code === 200) {
         if (typeof data.code !== 'undefined' && data.code === 200) {
             canSend = false;
             canSend = false;
             sInt = setInterval(function() {
             sInt = setInterval(function() {
@@ -360,7 +379,8 @@ function submitForm() {
                 url: '/home/account/checkmobilemsg',
                 url: '/home/account/checkmobilemsg',
                 data: {
                 data: {
                     mobile: $('#realAccount').val(),
                     mobile: $('#realAccount').val(),
-                    code: $('#inputcode').val()
+                    code: $('#inputcode').val(),
+                    checkCode: baseQs.checkCode || ''
                 },
                 },
                 hrefUrl: '/home/account/' + curType + '?step=2'
                 hrefUrl: '/home/account/' + curType + '?step=2'
             };
             };
@@ -373,12 +393,15 @@ function submitForm() {
                 data: $('#pwdform').serialize(),
                 data: $('#pwdform').serialize(),
                 hrefUrl: '/home/account/userpwd?step=3&success=true'
                 hrefUrl: '/home/account/userpwd?step=3&success=true'
             };
             };
+
+            opt.data.checkCode = baseQs.checkCode || '';
             ajaxAction(opt);
             ajaxAction(opt);
         } else if (curType === 'email') {
         } else if (curType === 'email') {
             opt = {
             opt = {
                 url: '/home/account/modifyemail',
                 url: '/home/account/modifyemail',
                 data: {
                 data: {
-                    email: $('#email').val()
+                    email: $('#email').val(),
+                    checkCode: baseQs.checkCode || ''
                 },
                 },
                 hrefUrl: '/home/account/sendemailsuccess?email=' + $('#email').val() +
                 hrefUrl: '/home/account/sendemailsuccess?email=' + $('#email').val() +
                         '&type=2&checkType=email'
                         '&type=2&checkType=email'
@@ -389,7 +412,8 @@ function submitForm() {
                 url: '/home/account/modifymobile',
                 url: '/home/account/modifymobile',
                 data: {
                 data: {
                     mobile: $('#mobilevalue').val(),
                     mobile: $('#mobilevalue').val(),
-                    code: $('#inputcode').val()
+                    code: $('#inputcode').val(),
+                    checkCode: baseQs.checkCode || ''
                 },
                 },
                 hrefUrl: '/home/account/mobile?step=3&success=true'
                 hrefUrl: '/home/account/mobile?step=3&success=true'
             };
             };