Authored by yyq

Merge branch 'hotfix/security' into release/security

@@ -77,7 +77,7 @@ exports.index = (req, res, next) => { @@ -77,7 +77,7 @@ exports.index = (req, res, next) => {
77 */ 77 */
78 exports.tags = (req, res, next) => { 78 exports.tags = (req, res, next) => {
79 79
80 - let query = req.query.query = escape(req.query.query); 80 + let query = req.query.query = (req.query.query || '').replace(/<|>/ig, '');
81 let page = req.query.page || 1; 81 let page = req.query.page || 1;
82 let pageSize = req.query.pageSize || 20; 82 let pageSize = req.query.pageSize || 20;
83 let type = req.query.type || 0; 83 let type = req.query.type || 0;
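Review bot: The new line 80 calls `.replace` on `req.query.query`, which Express can hand over as an array or object (`?query[]=a`, `?query[a]=b`), so the handler now throws a TypeError (HTTP 500) where the old `escape()` coerced the value to a string; guard the type first, e.g. `let raw = typeof req.query.query === 'string' ? req.query.query : '';` and then strip from `raw`. Deleting `<` and `>` is a filter, not an encoding: quotes and other characters survive, so if `query` is reflected into an attribute or a non-HTML context elsewhere (not visible here) it remains injectable, and legitimate searches containing angle brackets are silently altered. Output encoding where the value is rendered is the robust fix; if the filter is kept, say why in a comment such as `// strip angle brackets because the query is echoed into the page; prefer encoding at render time`. The rest of `exports.tags` is outside the hunk.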
@@ -215,7 +215,8 @@ const renren = { @@ -215,7 +215,8 @@ const renren = {
215 const cancelBind = (req, res) => { 215 const cancelBind = (req, res) => {
216 let type = req.params.type; 216 let type = req.params.type;
217 217
218 - if (!(req.get('Refer') || '').match(/yohobuy.com/)) { 218 +
  219 + if (!(req.get('Referer') || '').match(/yohobuy.com/)) {
219 return res.send({ 220 return res.send({
220 code: 501, 221 code: 501,
221 message: '非法请求' 222 message: '非法请求'
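Review bot: The Referer check on the new line 219 is an unanchored substring match, so `https://evil.example/?yohobuy.com` or a host such as `yohobuy.com.evil.example` passes it, and the unescaped `.` also matches `yohobuyXcom`. Parse the header and compare the hostname instead, e.g. `let host = require('url').parse(req.get('Referer') || '').hostname || '';` followed by `if (!(host === 'yohobuy.com' || host.endsWith('.yohobuy.com'))) {`. Referer is also stripped under strict referrer policies and trivially set by non-browser clients, so it is a defence-in-depth check at best; a CSRF token (or a SameSite session cookie, if the platform supports it) should be the primary guard. `cancelBind` continues outside the hunk.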
@@ -44,6 +44,10 @@ const bind = { @@ -44,6 +44,10 @@ const bind = {
44 title: '联合登录补全信息' 44 title: '联合登录补全信息'
45 }); 45 });
46 }, 46 },
  47 + captchaSuccess: (req, res) => {
  48 + req.session.type = 'relateStep1';
  49 + return res.json({code: 200, message: '验证成功'});
  50 + },
47 noregist: (req, res) => { 51 noregist: (req, res) => {
48 let mobile = req.body.mobile; 52 let mobile = req.body.mobile;
49 let sourceType = req.body.sourceType; 53 let sourceType = req.body.sourceType;
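Review bot: `captchaSuccess` (lines 47–50) records the solved captcha as a bare session flag `type = 'relateStep1'` with no expiry and no binding to the `openId`/`sourceType` the user is completing, so the flag outlives the flow it was solved for and nothing here limits how often later handlers may rely on it. Recording when it was set, e.g. `req.session.type = 'relateStep1'; req.session.captchaAt = Date.now();`, lets the consumers enforce a short validity window. The key name `type` is also generic enough to collide with other users of `req.session.type` outside this diff; a flow-specific key such as `bindCaptchaStep` would avoid accidental clobbering. A one-line comment on the handler, e.g. `// marks the session as having passed the image captcha; consumed by bindCheck/sendBindMsg`, would document the contract.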
@@ -69,6 +73,10 @@ const bind = { @@ -69,6 +73,10 @@ const bind = {
69 let openId = req.body.openId; 73 let openId = req.body.openId;
70 let area = req.body.area; 74 let area = req.body.area;
71 75
  76 + if (req.session.verifyCode !== 'relateStep1') {
  77 + return next();
  78 + }
  79 +
72 // UserService.findByMobileAsync(area, mobile).then(user => { 80 // UserService.findByMobileAsync(area, mobile).then(user => {
73 // if (user) { 81 // if (user) {
74 // return { 82 // return {
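Review bot: The guard added at line 76 reads `req.session.verifyCode`, but the captcha handler introduced in this commit and the two other guards write and check `req.session.type`, so unless something outside this diff sets `verifyCode` the comparison is always true and every request `return next()`s past this handler. The intended line is almost certainly `if (req.session.type !== 'relateStep1') {`, and the failure branch should reject like the sibling guards (`return res.json({code: 400, message: '非法请求'});`) rather than silently fall through to whatever route follows. The enclosing handler (`relate`, by the route table) starts before the hunk.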
@@ -113,6 +121,8 @@ const bind = { @@ -113,6 +121,8 @@ const bind = {
113 title: '绑定手机号' 121 title: '绑定手机号'
114 }; 122 };
115 123
  124 + req.session.type = '';
  125 +
116 res.render('bind/success', data); 126 res.render('bind/success', data);
117 }, 127 },
118 bindCheck: (req, res, next) => { 128 bindCheck: (req, res, next) => {
@@ -121,6 +131,10 @@ const bind = { @@ -121,6 +131,10 @@ const bind = {
121 let area = req.body.area || '86'; 131 let area = req.body.area || '86';
122 let sourceType = req.body.sourceType; 132 let sourceType = req.body.sourceType;
123 133
  134 + if (req.session.type !== 'relateStep1') {
  135 + return res.json({code: 400, message: '非法请求'});
  136 + }
  137 +
124 if (mobile && openId && area && sourceType) { 138 if (mobile && openId && area && sourceType) {
125 139
126 /** 140 /**
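Review bot: The guard at lines 134–136 only checks that the session flag exists; it is not consumed here and is cleared only in `bindSuccess`, so one solved captcha lets a client call `bindCheck` any number of times, and the front-end in this same commit shows its responses distinguish registered from unregistered numbers (codes 203/205) — exactly the enumeration a captcha is meant to throttle. Consider a per-session attempt counter, e.g. `req.session.bindCheckCount = (req.session.bindCheckCount || 0) + 1;` and rejecting past a small limit, or re-requiring the captcha after N checks. The rejection code here is 400 while `cancelBind` answers 501 for the same `非法请求` message; pick one convention. `bindCheck` continues outside the hunk.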
@@ -170,6 +184,10 @@ const bind = { @@ -170,6 +184,10 @@ const bind = {
170 let mobile = req.body.mobile; 184 let mobile = req.body.mobile;
171 let area = req.body.area; 185 let area = req.body.area;
172 186
  187 + if (req.session.type !== 'relateStep1') {
  188 + return res.json({code: 400, message: '非法请求'});
  189 + }
  190 +
173 bindService.sendBindMsg(area, mobile).then(result => { 191 bindService.sendBindMsg(area, mobile).then(result => {
174 if (result && result.code) { 192 if (result && result.code) {
175 return res.json(result); 193 return res.json(result);
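Review bot: The guard at lines 187–189 gates SMS sending on a session flag this handler never consumes, so after a single captcha solve a client can call `sendBindMsg` repeatedly with arbitrary `mobile`/`area` values taken straight from the request body — an SMS flood against third-party numbers. A server-side rate limit keyed on `mobile` and on the session (for example a per-session send counter reset only by a fresh captcha) is needed here, and `mobile`/`area` should be validated on the server rather than trusting the client-side `phoneRegx` check; presumably `bindService.sendBindMsg` does not validate them, but its body is not visible. The enclosing handler continues past the hunk.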
@@ -65,9 +65,10 @@ router.get('/passport/login/renren/callback', login.renren.callback); @@ -65,9 +65,10 @@ router.get('/passport/login/renren/callback', login.renren.callback);
65 router.get('/passport/login/account', login.common.needCaptcha); 65 router.get('/passport/login/account', login.common.needCaptcha);
66 66
67 // 第三方登录后绑定 67 // 第三方登录后绑定
68 -router.get('/passport/thirdlogin/index', bind.indexPage); 68 +router.get('/passport/thirdlogin/index', captcha.tryGeetest, bind.indexPage);
69 router.get('/passport/thirdlogin/bindsuccess', bind.bindSuccess); 69 router.get('/passport/thirdlogin/bindsuccess', bind.bindSuccess);
70 router.post('/passport/thirdlogin/noregist', bind.noregist); 70 router.post('/passport/thirdlogin/noregist', bind.noregist);
  71 +router.post('/passport/thirdlogin/checkCaptcha', captcha.requiredAPI, bind.captchaSuccess); // 图形验证码成功
71 router.post('/passport/thirdlogin/relate', bind.relate); 72 router.post('/passport/thirdlogin/relate', bind.relate);
72 73
73 router.post('/passport/autouserinfo/bindCheck', bind.bindCheck); 74 router.post('/passport/autouserinfo/bindCheck', bind.bindCheck);
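Review bot: `/passport/thirdlogin/noregist` at line 70 stays a POST with neither `captcha.requiredAPI` nor a session check, yet the hunks above show it reading the same `mobile`/`sourceType` body fields as the newly guarded handlers, so if it performs a lookup or registration (its body is outside this diff) the captcha can be sidestepped through it. Either gate it consistently, `router.post('/passport/thirdlogin/noregist', captcha.requiredAPI, bind.noregist);`, or add a comment stating why it needs no protection. The new `checkCaptcha` route is otherwise fine; its trailing comment would be clearer as `// image captcha passed -> mark session for the bind flow`.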
@@ -4,7 +4,7 @@ @@ -4,7 +4,7 @@
4 <span class="yoho">YOHO!FAMILY</span> 4 <span class="yoho">YOHO!FAMILY</span>
5 </h3> 5 </h3>
6 6
7 - <p class="safeword">为了您的账户安全,请您完善账户信息,以便为您提供更优质的服务</p> 7 + <p class="safeword">**为了您的账户安全,请您完善账户信息,以便为您提供更优质的服务</p>
8 <form action="" id="bindmobileform" method="post"> 8 <form action="" id="bindmobileform" method="post">
9 <input type="hidden" value="{{openId}}" id="openId" name="openId"/> 9 <input type="hidden" value="{{openId}}" id="openId" name="openId"/>
10 <input type="hidden" value="{{sourceType}}" id="sourceType" name="sourceType"/> 10 <input type="hidden" value="{{sourceType}}" id="sourceType" name="sourceType"/>
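Review bot: Line 7 now begins the user-visible text with a literal `**`, which Handlebars renders as two asterisks on the page — this reads as an accidental keystroke rather than markup. Restore `<p class="safeword">为了您的账户安全,请您完善账户信息,以便为您提供更优质的服务</p>`.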
@@ -41,6 +41,12 @@ @@ -41,6 +41,12 @@
41 </div> 41 </div>
42 </div> 42 </div>
43 </div> 43 </div>
  44 +
  45 + <div class="yohobindrow" style="height: 100px;">
  46 + <div class="name phonetag"></div>
  47 + <div id="captcha" style="display: inline-block; position: relative;">
  48 + </div>
  49 + </div>
44 </form> 50 </form>
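Review bot: Lines 45–47 place layout rules in inline `style` attributes while the same commit extends `.bindwrapper` in the stylesheet; moving `height: 100px` and the `#captcha` positioning into that stylesheet keeps the template free of presentation and avoids the `!important` override the CSS hunk needs. The empty `<div class="name phonetag"></div>` at line 46 appears to be a spacer that aligns the captcha with the labelled rows above; a comment such as `{{!-- spacer: aligns the captcha widget with the labelled rows --}}` would say so.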
45 51
46 <div class="protoctolwrapper"> 52 <div class="protoctolwrapper">
@@ -121,3 +127,5 @@ @@ -121,3 +127,5 @@
121 </div> 127 </div>
122 <div class="backdrop" style="display:none"></div> 128 <div class="backdrop" style="display:none"></div>
123 </div> 129 </div>
  130 +
  131 +{{> gee-captcha}}
@@ -5,6 +5,7 @@ @@ -5,6 +5,7 @@
5 */ 5 */
6 var $ = require('yoho-jquery'); 6 var $ = require('yoho-jquery');
7 var phoneRegx = require('../common/mail-phone-regx').phoneRegx; 7 var phoneRegx = require('../common/mail-phone-regx').phoneRegx;
  8 +var Captcha = require('../../plugins/captcha');
8 9
9 var nopermissionoption = $('#nopermissionmessage').html(); // 倒计时dom 10 var nopermissionoption = $('#nopermissionmessage').html(); // 倒计时dom
10 var sendmessagehtml = $('.validatewrapper').html(); // 发送短信dom 11 var sendmessagehtml = $('.validatewrapper').html(); // 发送短信dom
@@ -17,6 +18,8 @@ var $wrapper = $('.bindwrapper'), @@ -17,6 +18,8 @@ var $wrapper = $('.bindwrapper'),
17 $phoneTip = $wrapper.find('.phone-err-tip'), 18 $phoneTip = $wrapper.find('.phone-err-tip'),
18 $nextBtn = $wrapper.find('.yohobindbtn'); 19 $nextBtn = $wrapper.find('.yohobindbtn');
19 20
  21 +var captcha = new Captcha('#captcha', {checkURI: '/passport/thirdlogin/checkCaptcha'}).init();
  22 +
20 require('../../simple-header'); 23 require('../../simple-header');
21 24
22 /** 25 /**
@@ -229,6 +232,7 @@ function sendMessageValidate() { @@ -229,6 +232,7 @@ function sendMessageValidate() {
229 return; 232 return;
230 } 233 }
231 circleTime($('#mobile').val()); 234 circleTime($('#mobile').val());
  235 +
232 $.ajax({ 236 $.ajax({
233 type: 'POST', 237 type: 'POST',
234 url: '/passport/autouserinfo/sendBindMsg', 238 url: '/passport/autouserinfo/sendBindMsg',
@@ -323,6 +327,8 @@ function nextStep() { @@ -323,6 +327,8 @@ function nextStep() {
323 } 327 }
324 openId = $('#openId').val() || '29803EC6D4AAC3AAB8ABDB6AE829D579'; 328 openId = $('#openId').val() || '29803EC6D4AAC3AAB8ABDB6AE829D579';
325 sourceType = $('#sourceType').val() || 'qq'; 329 sourceType = $('#sourceType').val() || 'qq';
  330 +
  331 + captcha.check().then(function() {
326 $.ajax({ 332 $.ajax({
327 type: 'post', 333 type: 'post',
328 url: '/passport/autouserinfo/bindCheck', 334 url: '/passport/autouserinfo/bindCheck',
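Review bot: `captcha.check().then(function() { … })` at line 331 has no rejection handler, so when the captcha check fails or the request errors the promise rejects silently and nothing visible happens when the user presses next. Chain a `.catch` that surfaces the failure in the existing tip element, e.g. `}).catch(function() { $phoneTip.show(); });`, with whatever message the page already uses for validation errors. The context lines 328–329 also show that an empty hidden field falls back to a fixed `openId` and `sourceType: 'qq'`, which sends a hard-coded identifier to `bindCheck` in production; that fallback belongs in a test fixture, not here. `nextStep` starts before the hunk and its closing `});` lands in a later hunk.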
@@ -347,7 +353,7 @@ function nextStep() { @@ -347,7 +353,7 @@ function nextStep() {
347 $('#registphone').text(mobile); 353 $('#registphone').text(mobile);
348 $('#username').text(username); 354 $('#username').text(username);
349 if (headImg === '') { 355 if (headImg === '') {
350 - $('#userphoto').attr('src', 'https://img10.static.yhbimg.com/headimg/2013/11/28/09/' + 356 + $('#userphoto').attr('src', 'http://img10.static.yhbimg.com/headimg/2013/11/28/09/' +
351 '01cae078abe5fe320c88cdf4c220212688.gif?imageView/2/w/100/h/100'); 357 '01cae078abe5fe320c88cdf4c220212688.gif?imageView/2/w/100/h/100');
352 } else { 358 } else {
353 $('#userphoto').attr('src', headImg); 359 $('#userphoto').attr('src', headImg);
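Review bot: Line 356 downgrades the default avatar URL from `https://` to `http://`; on an HTTPS page that is mixed content, which browsers flag or block, and it is a surprising change in a branch named `hotfix/security`. Keep the `https://` form, or use a protocol-relative `//img10.static.yhbimg.com/headimg/...` if the CDN must be reachable both ways; if the CDN genuinely cannot serve TLS, a comment saying so is warranted. The surrounding `nextStep` success handler continues outside the hunk.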
@@ -360,19 +366,17 @@ function nextStep() { @@ -360,19 +366,17 @@ function nextStep() {
360 }); 366 });
361 $('#alreayregist').show(); 367 $('#alreayregist').show();
362 } else if (data.code === 203) { 368 } else if (data.code === 203) {
363 -  
364 // 已注册 可关联 369 // 已注册 可关联
365 $('#bindmobileform').attr('action', data.data.next); 370 $('#bindmobileform').attr('action', data.data.next);
366 $('#bindmobileform').submit(); 371 $('#bindmobileform').submit();
367 } else if (data.code === 205) { 372 } else if (data.code === 205) {
368 -  
369 // 未注册 不可关联 373 // 未注册 不可关联
370 username = data.data.user.username; 374 username = data.data.user.username;
371 headImg = data.data.user.headImg; 375 headImg = data.data.user.headImg;
372 $('#registphonetwo').text(mobile); 376 $('#registphonetwo').text(mobile);
373 $('#username1').text(username); 377 $('#username1').text(username);
374 if (headImg === '') { 378 if (headImg === '') {
375 - $('#userphoto1').attr('src', 'https://img10.static.yhbimg.com/headimg/2013/11/28/09/' + 379 + $('#userphoto1').attr('src', 'http://img10.static.yhbimg.com/headimg/2013/11/28/09/' +
376 '01cae078abe5fe320c88cdf4c220212688.gif?imageView/2/w/100/h/100'); 380 '01cae078abe5fe320c88cdf4c220212688.gif?imageView/2/w/100/h/100');
377 } else { 381 } else {
378 $('#userphoto1').attr('src', headImg); 382 $('#userphoto1').attr('src', headImg);
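Review bot: Line 379 makes the same `https://` to `http://` downgrade for the second avatar fallback, with the same mixed-content consequence on a secure page; keep `https://` (or a protocol-relative URL) in both places so the two branches stay consistent. The `data.data.next` value assigned to the form `action` earlier in the hunk (line 370) is server-supplied, so presumably trusted, but a comment noting that assumption would help the next reader. `nextStep` continues past the hunk.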
@@ -394,6 +398,7 @@ function nextStep() { @@ -394,6 +398,7 @@ function nextStep() {
394 } 398 }
395 }); 399 });
396 }); 400 });
  401 + });
397 } 402 }
398 403
399 $wrapper.on('keydown', '.phonenum', function(e) { 404 $wrapper.on('keydown', '.phonenum', function(e) {
@@ -37,8 +37,12 @@ @@ -37,8 +37,12 @@
37 .bindwrapper { 37 .bindwrapper {
38 margin: 0 auto; 38 margin: 0 auto;
39 padding-top: 122px; 39 padding-top: 122px;
40 - min-height: 450px; 40 + min-height: 550px;
41 width: 980px; 41 width: 980px;
  42 +
  43 + .img-check-tip {
  44 + top: 110px !important;
  45 + }
42 } 46 }
43 47
44 .welcomeword { 48 .welcomeword {
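Review bot: `.img-check-tip { top: 110px !important; }` at lines 43–45 uses `!important` to beat a rule presumably set by the captcha plugin's own stylesheet; a more specific selector such as `.bindwrapper #captcha .img-check-tip { top: 110px; }` gives the same override without making the value impossible to adjust later. A comment naming what is being overridden, e.g. `/* override the captcha plugin's tip offset for the 100px bind row */`, would explain the magic number.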