fe / yohobuy-node · Commits

Go to a project

Authored by yyq
Commit fcfc1adb0dfde91fa24a56dd9ca391e0cb6644aa 2 parents d913acfa dd96150d

Merge branch 'hotfix/security' into release/security

Inline Side-by-side
Showing 5 changed files with 141 additions and 29 deletions
... ... @@ -77,7 +77,7 @@ exports.index = (req, res, next) => {
*/
exports.tags = (req, res, next) => {
let query = req.query.query;
let query = req.query.query = escape(req.query.query);
let page = req.query.page || 1;
let pageSize = req.query.pageSize || 20;
let type = req.query.type || 0;
... ...
... ... @@ -215,6 +215,13 @@ const renren = {
const cancelBind = (req, res) => {
let type = req.params.type;
if (!(req.get('Refer') || '').match(/yohobuy.com/)) {
return res.send({
code: 501,
message: '非法请求'
});
}
if (!type) {
res.status(400).json({
code: 400,
... ...
... ... @@ -7,6 +7,7 @@
const Promise = require('bluebird');
const co = Promise.coroutine;
const helpers = global.yoho.helpers;
const logger = global.yoho.logger;
const _ = require('lodash');
const crypto = global.yoho.crypto;
... ... @@ -270,20 +271,29 @@ const auditCheckStatus = (uid, checkType, step) => {
* 校验进入第二步
* @param type $checkCode
* @param type $uid
* @param type MaxTime
* @return boolean
*/
const checkCode = (ckCode, uid) => {
// checkCode里空格用+替换
let code = decodeURIComponent(ckCode);
let checkStr = crypto.decrypt('yoho9646abcdefgh', code);
const checkCode = (ckCode, uid, time) => {
time = parseInt(`0${time}`, 10) || 86400000;
let checkInfo = checkStr.split('_'),
checkUid = checkInfo[0],
timeDiff = Date.parse(new Date()) - checkInfo[1]; // 时间差,秒 24h 86400
try {
// checkCode里空格用+替换
let code = decodeURIComponent(ckCode);
let checkStr = crypto.decrypt('yoho9646abcdefgh', code);
let checkInfo = checkStr.split('_'),
checkUid = checkInfo[0],
timeDiff = Date.parse(new Date()) - checkInfo[1]; // 时间差,秒 24h 86400000
if (checkStr.indexOf('completeverify') > 0 && String(checkUid) === String(uid) && timeDiff <= time) {
return true;
} else {
return false;
}
} catch (e) { // eslint-disable-line
logger.error(`account checkCode decrypt error [checkCode]:${ckCode}`);
if (checkStr.indexOf('completeverify') > 0 && String(checkUid) === String(uid) && timeDiff <= 86400) {
return true;
} else {
return false;
}
};
... ... @@ -776,8 +786,25 @@ const identityMobile = (req) => {
const sendMobileMsg = (req, uid) => {
return co(function*() {
let mobile = req.body.mobile || '',
_code = req.body.checkCode,
resqData = {code: 400};
// 发送验证码前置数据校验
if (!_code) {
let verifyInfo = yield accountApi.getVerifyInfo(uid);
mobile = _.get(verifyInfo, 'data.mobile', '');
if (!mobile) {
return Object.assign(resqData, {
message: '数据验证错误'
});
}
} else if (!checkCode(_code, uid)) {
return Object.assign(resqData, {
message: '数据验证错误'
});
}
let mobileInfo = handleMobile(mobile);
resqData = yield accountApi.sendMobileMsg(uid, mobileInfo.mobile, mobileInfo.area);
... ... @@ -792,22 +819,37 @@ const checkMobileMsg = (req, uid) => {
return co(function*() {
let mobile = req.body.mobile || '',
code = req.body.code || '',
resqData;
_code = req.body.checkCode,
resqData = {code: 400};
// 校验验证码前置数据校验
if (!_code) {
let verifyInfo = yield accountApi.getVerifyInfo(uid);
mobile = _.get(verifyInfo, 'data.mobile', '');
if (!mobile) {
return Object.assign(resqData, {
message: '数据验证错误'
});
}
} else if (!checkCode(_code, uid)) {
return Object.assign(resqData, {
message: '数据验证错误'
});
}
if (mobile === '') {
resqData = {
code: 400,
Object.assign(resqData, {
message: '手机号为空',
data: ''
};
});
return resqData;
}
if (code === '') {
resqData = {
code: 400,
Object.assign(resqData, {
message: '验证码为空',
data: ''
};
});
return resqData;
}
let mobileInfo = handleMobile(mobile);
... ... @@ -817,7 +859,11 @@ const checkMobileMsg = (req, uid) => {
let ckCode = crypto.encryption('yoho9646abcdefgh', uid + '_' + Date.parse(new Date()) + '_' +
mobileInfo.mobile + mobileInfo.area + 'completeverify');
resqData.data = encodeURIComponent(ckCode);
Object.assign(resqData, {
code: 200,
data: encodeURIComponent(ckCode)
});
}
return resqData;
})();
... ... @@ -833,6 +879,15 @@ const sendEmail = (req) => {
email = req.body.email || '',
resqData = {code: 400};
let verifyInfo = yield accountApi.getVerifyInfo(uid);
email = _.get(verifyInfo, 'data.email', '');
if (!email) {
return Object.assign(resqData, {
message: '数据验证错误'
});
}
let ckCode = crypto.encryption('yoho9646abcdefgh', uid + '_' + Date.parse(new Date()) +
'_' + email + checkType + 'completeverify');
... ... @@ -864,7 +919,16 @@ const checkEmail = (req) => {
const modifyPwd = (req, params) => {
return co(function*() {
let uid = params.uid,
newPwd = params.newPwd || '';
newPwd = params.newPwd || '',
_code = params.checkCode;
// 前置数据校验
if (!_code || !checkCode(_code, uid, 600000)) {
return {
code: 400,
message: '数据验证错误'
};
}
let resqData = yield accountApi.modifyPwd(uid, newPwd);
... ... @@ -879,8 +943,17 @@ const modifyMobile = (req, uid) => {
return co(function*() {
let mobile = req.body.mobile || '',
code = req.body.code || '',
_code = req.body.checkCode,
resqData = {code: 400};
// 校验验证码前置数据校验
// 校验checkCode,有效时间10分钟(checkCode在调改接口前获取,考虑网络延时,服务器间的时间差,设置10分钟)
if (!_code || !checkCode(_code, uid, 600000)) {
return Object.assign(resqData, {
message: '数据验证错误'
});
}
if (mobile === '') {
resqData = {
code: 400,
... ... @@ -937,8 +1010,16 @@ const modifyEmail = (req) => {
return co(function*() {
let uid = req.user.uid,
email = req.body.email || '',
_code = req.body.checkCode,
resqData = {code: 400};
// 前置数据校验
if (!_code || !checkCode(_code, uid, 600000)) {
return Object.assign(resqData, {
message: '数据验证错误'
});
}
let check = yield accountApi.checkVerifyEmail(uid, email);
if (check.code === 200) {
... ...
... ... @@ -73,7 +73,7 @@ Dialog.prototype.packageInfo = function() {
key = $this.attr('name');
if (key) {
data[key] = $.trim($this.val());
data[key] = $.trim($('<div/>').text($this.val()).html());
}
});
... ...
... ... @@ -21,9 +21,14 @@ var $checkUser = $('.check-user'),
var sInt,
active;
var baseQs;
var captcha = new Captcha('.captcha-safe-form-r').init();
require('../common');
baseQs = window.queryString();
$.ajaxSetup({
async: false
});
... ... @@ -66,6 +71,9 @@ function checkFormAjax(ajaxData) {
$.post(ajaxData.url, ajaxData.data, function(data) {
if (typeof data.code !== 'undefined' && data.code === 200) {
if (ajaxData.cb && typeof ajaxData.cb === 'function') {
ajaxData.cb(data); // eslint-disable-line
}
res = successInfoAction(ajaxData.opt);
} else {
ajaxData.txt = ajaxData.txt !== '' && ajaxData.txt !== null ? ajaxData.txt : data.message;
... ... @@ -174,9 +182,15 @@ function checkForm(dom) {
url: '/home/account/checkmobilemsg',
data: {
mobile: mobileValue,
code: $('#inputcode').val()
code: $('#inputcode').val(),
checkCode: baseQs.checkCode || ''
},
txt: '验证码错误!'
txt: '验证码错误!',
cb: function(data) {
if (data.code === 200) {
baseQs.checkCode = data.data;
}
}
});
return checkFormAjax(ajaxData);
}
... ... @@ -227,10 +241,15 @@ function code() {
function sendMobileMsg(mobileV) {
var $code = $('#inputcode'),
$ccheckInfo = $code.parent().find('check-info');
$.post('/home/account/sendmobilemsg', {
var reqData = {
mobile: mobileV
}, function(data) {
};
if (baseQs.checkCode) {
reqData.checkCode = baseQs.checkCode;
}
$.post('/home/account/sendmobilemsg', reqData, function(data) {
if (typeof data.code !== 'undefined' && data.code === 200) {
canSend = false;
sInt = setInterval(function() {
... ... @@ -360,7 +379,8 @@ function submitForm() {
url: '/home/account/checkmobilemsg',
data: {
mobile: $('#realAccount').val(),
code: $('#inputcode').val()
code: $('#inputcode').val(),
checkCode: baseQs.checkCode || ''
},
hrefUrl: '/home/account/' + curType + '?step=2'
};
... ... @@ -373,12 +393,15 @@ function submitForm() {
data: $('#pwdform').serialize(),
hrefUrl: '/home/account/userpwd?step=3&success=true'
};
opt.data.checkCode = baseQs.checkCode || '';
ajaxAction(opt);
} else if (curType === 'email') {
opt = {
url: '/home/account/modifyemail',
data: {
email: $('#email').val()
email: $('#email').val(),
checkCode: baseQs.checkCode || ''
},
hrefUrl: '/home/account/sendemailsuccess?email=' + $('#email').val() +
'&type=2&checkType=email'
... ... @@ -389,7 +412,8 @@ function submitForm() {
url: '/home/account/modifymobile',
data: {
mobile: $('#mobilevalue').val(),
code: $('#inputcode').val()
code: $('#inputcode').val(),
checkCode: baseQs.checkCode || ''
},
hrefUrl: '/home/account/mobile?step=3&success=true'
};
... ...