feat(login): Captcha upgrade and add the function to ban IP addresses (#250)

utils/captcha.go

@@ -0,0 +1,48 @@
+package utils
+
+import (
+	"github.com/mojocn/base64Captcha"
+	"time"
+)
+
+var capdString = base64Captcha.NewDriverString(50, 150, 5, 10, 4, "123456789abcdefghijklmnopqrstuvwxyz", nil, nil, nil)
+
+var capdMath = base64Captcha.NewDriverMath(50, 150, 5, 10, nil, nil, nil)
+
+type B64StringCaptchaProvider struct{}
+
+func (p B64StringCaptchaProvider) Generate(ip string) (string, string, error) {
+	_, content, answer := capdString.GenerateIdQuestionAnswer()
+	return content, answer, nil
+}
+
+func (p B64StringCaptchaProvider) Expiration() time.Duration {
+	return 5 * time.Minute
+}
+func (p B64StringCaptchaProvider) Draw(content string) (string, error) {
+	item, err := capdString.DrawCaptcha(content)
+	if err != nil {
+		return "", err
+	}
+	b64str := item.EncodeB64string()
+	return b64str, nil
+}
+
+type B64MathCaptchaProvider struct{}
+
+func (p B64MathCaptchaProvider) Generate(ip string) (string, string, error) {
+	_, content, answer := capdMath.GenerateIdQuestionAnswer()
+	return content, answer, nil
+}
+
+func (p B64MathCaptchaProvider) Expiration() time.Duration {
+	return 5 * time.Minute
+}
+func (p B64MathCaptchaProvider) Draw(content string) (string, error) {
+	item, err := capdMath.DrawCaptcha(content)
+	if err != nil {
+		return "", err
+	}
+	b64str := item.EncodeB64string()
+	return b64str, nil
+}

utils/login_limiter.go

@@ -0,0 +1,305 @@
+package utils
+
+import (
+	"errors"
+	"sync"
+	"time"
+)
+
+// 安全策略配置
+type SecurityPolicy struct {
+	CaptchaThreshold int // 尝试失败次数达到验证码阈值，小于0表示不启用, 0表示强制启用
+	BanThreshold     int // 尝试失败次数达到封禁阈值，为0表示不启用
+	AttemptsWindow   time.Duration
+	BanDuration      time.Duration
+}
+
+// 验证码提供者接口
+type CaptchaProvider interface {
+	Generate(ip string) (string, string, error)
+	//Validate(ip, code string) bool
+	Expiration() time.Duration           // 验证码过期时间, 应该小于 AttemptsWindow
+	Draw(content string) (string, error) // 绘制验证码
+}
+
+// 验证码元数据
+type CaptchaMeta struct {
+	Content   string
+	Answer    string
+	ExpiresAt time.Time
+}
+
+// IP封禁记录
+type BanRecord struct {
+	ExpiresAt time.Time
+	Reason    string
+}
+
+// 登录限制器
+type LoginLimiter struct {
+	mu          sync.Mutex
+	policy      SecurityPolicy
+	attempts    map[string][]time.Time //
+	captchas    map[string]CaptchaMeta
+	bannedIPs   map[string]BanRecord
+	provider    CaptchaProvider
+	cleanupStop chan struct{}
+}
+
+var defaultSecurityPolicy = SecurityPolicy{
+	CaptchaThreshold: 3,
+	BanThreshold:     5,
+	AttemptsWindow:   5 * time.Minute,
+	BanDuration:      30 * time.Minute,
+}
+
+func NewLoginLimiter(policy SecurityPolicy) *LoginLimiter {
+	// 设置默认值
+	if policy.AttemptsWindow == 0 {
+		policy.AttemptsWindow = 5 * time.Minute
+	}
+	if policy.BanDuration == 0 {
+		policy.BanDuration = 30 * time.Minute
+	}
+
+	ll := &LoginLimiter{
+		policy:      policy,
+		attempts:    make(map[string][]time.Time),
+		captchas:    make(map[string]CaptchaMeta),
+		bannedIPs:   make(map[string]BanRecord),
+		cleanupStop: make(chan struct{}),
+	}
+	go ll.cleanupRoutine()
+	return ll
+}
+
+// 注册验证码提供者
+func (ll *LoginLimiter) RegisterProvider(p CaptchaProvider) {
+	ll.mu.Lock()
+	defer ll.mu.Unlock()
+	ll.provider = p
+}
+
+// isDisabled 检查是否禁用登录限制
+func (ll *LoginLimiter) isDisabled() bool {
+	return ll.policy.CaptchaThreshold < 0 && ll.policy.BanThreshold == 0
+}
+
+// 记录登录失败尝试
+func (ll *LoginLimiter) RecordFailedAttempt(ip string) {
+	if ll.isDisabled() {
+		return
+	}
+	ll.mu.Lock()
+	defer ll.mu.Unlock()
+
+	if banned, _ := ll.isBanned(ip); banned {
+		return
+	}
+
+	now := time.Now()
+	windowStart := now.Add(-ll.policy.AttemptsWindow)
+
+	// 清理过期尝试
+	validAttempts := ll.pruneAttempts(ip, windowStart)
+
+	// 记录新尝试
+	validAttempts = append(validAttempts, now)
+	ll.attempts[ip] = validAttempts
+
+	// 检查封禁条件
+	if ll.policy.BanThreshold > 0 && len(validAttempts) >= ll.policy.BanThreshold {
+		ll.banIP(ip, "excessive failed attempts")
+		return
+	}
+
+	return
+}
+
+// 生成验证码
+func (ll *LoginLimiter) RequireCaptcha(ip string) (error, CaptchaMeta) {
+	ll.mu.Lock()
+	defer ll.mu.Unlock()
+
+	if ll.provider == nil {
+		return errors.New("no captcha provider available"), CaptchaMeta{}
+	}
+
+	content, answer, err := ll.provider.Generate(ip)
+	if err != nil {
+		return err, CaptchaMeta{}
+	}
+
+	// 存储验证码
+	ll.captchas[ip] = CaptchaMeta{
+		Content:   content,
+		Answer:    answer,
+		ExpiresAt: time.Now().Add(ll.provider.Expiration()),
+	}
+
+	return nil, ll.captchas[ip]
+}
+
+// 验证验证码
+func (ll *LoginLimiter) VerifyCaptcha(ip, answer string) bool {
+	ll.mu.Lock()
+	defer ll.mu.Unlock()
+
+	// 查找匹配验证码
+	if ll.provider == nil {
+		return false
+	}
+
+	// 获取并验证验证码
+	captcha, exists := ll.captchas[ip]
+	if !exists {
+		return false
+	}
+
+	// 清理过期验证码
+	if time.Now().After(captcha.ExpiresAt) {
+		delete(ll.captchas, ip)
+		return false
+	}
+
+	// 验证并清理状态
+	if answer == captcha.Answer {
+		delete(ll.captchas, ip)
+		return true
+	}
+
+	return false
+}
+
+func (ll *LoginLimiter) DrawCaptcha(content string) (err error, str string) {
+	str, err = ll.provider.Draw(content)
+	return
+}
+
+func (ll *LoginLimiter) RemoveCaptcha(ip string) {
+	ll.mu.Lock()
+	defer ll.mu.Unlock()
+
+	_, exists := ll.captchas[ip]
+	if exists {
+		delete(ll.captchas, ip)
+	}
+}
+
+// 清除记录窗口
+func (ll *LoginLimiter) RemoveAttempts(ip string) {
+	ll.mu.Lock()
+	defer ll.mu.Unlock()
+
+	_, exists := ll.attempts[ip]
+	if exists {
+		delete(ll.attempts, ip)
+	}
+}
+
+// CheckSecurityStatus 检查安全状态
+func (ll *LoginLimiter) CheckSecurityStatus(ip string) (banned bool, captchaRequired bool) {
+	if ll.isDisabled() {
+		return
+	}
+	ll.mu.Lock()
+	defer ll.mu.Unlock()
+
+	// 检查封禁状态
+	if banned, _ = ll.isBanned(ip); banned {
+		return
+	}
+
+	// 清理过期数据
+	ll.pruneAttempts(ip, time.Now().Add(-ll.policy.AttemptsWindow))
+	ll.pruneCaptchas(ip)
+
+	// 检查验证码要求
+	captchaRequired = len(ll.attempts[ip]) >= ll.policy.CaptchaThreshold
+
+	return
+}
+
+// 后台清理任务
+func (ll *LoginLimiter) cleanupRoutine() {
+	ticker := time.NewTicker(1 * time.Minute)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ticker.C:
+			ll.cleanupExpired()
+		case <-ll.cleanupStop:
+			return
+		}
+	}
+}
+
+// 内部工具方法
+func (ll *LoginLimiter) isBanned(ip string) (bool, BanRecord) {
+	record, exists := ll.bannedIPs[ip]
+	if !exists {
+		return false, BanRecord{}
+	}
+	if time.Now().After(record.ExpiresAt) {
+		delete(ll.bannedIPs, ip)
+		return false, BanRecord{}
+	}
+	return true, record
+}
+
+func (ll *LoginLimiter) banIP(ip, reason string) {
+	ll.bannedIPs[ip] = BanRecord{
+		ExpiresAt: time.Now().Add(ll.policy.BanDuration),
+		Reason:    reason,
+	}
+	delete(ll.attempts, ip)
+	delete(ll.captchas, ip)
+}
+
+func (ll *LoginLimiter) pruneAttempts(ip string, cutoff time.Time) []time.Time {
+	var valid []time.Time
+	for _, t := range ll.attempts[ip] {
+		if t.After(cutoff) {
+			valid = append(valid, t)
+		}
+	}
+	if len(valid) == 0 {
+		delete(ll.attempts, ip)
+	} else {
+		ll.attempts[ip] = valid
+	}
+	return valid
+}
+
+func (ll *LoginLimiter) pruneCaptchas(ip string) {
+	if captcha, exists := ll.captchas[ip]; exists {
+		if time.Now().After(captcha.ExpiresAt) {
+			delete(ll.captchas, ip)
+		}
+	}
+}
+
+func (ll *LoginLimiter) cleanupExpired() {
+	ll.mu.Lock()
+	defer ll.mu.Unlock()
+
+	now := time.Now()
+
+	// 清理封禁记录
+	for ip, record := range ll.bannedIPs {
+		if now.After(record.ExpiresAt) {
+			delete(ll.bannedIPs, ip)
+		}
+	}
+
+	// 清理尝试记录
+	for ip := range ll.attempts {
+		ll.pruneAttempts(ip, now.Add(-ll.policy.AttemptsWindow))
+	}
+
+	// 清理验证码
+	for ip := range ll.captchas {
+		ll.pruneCaptchas(ip)
+	}
+}

utils/login_limiter_test.go

@@ -0,0 +1,286 @@
+package utils
+
+import (
+	"fmt"
+	"testing"
+	"time"
+)
+
+type MockCaptchaProvider struct{}
+
+func (p *MockCaptchaProvider) Generate(ip string) (string, string, error) {
+	return "CONTENT", "MOCK", nil
+}
+
+func (p *MockCaptchaProvider) Validate(ip, code string) bool {
+	return code == "MOCK"
+}
+
+func (p *MockCaptchaProvider) Expiration() time.Duration {
+	return 2 * time.Second
+}
+func (p *MockCaptchaProvider) Draw(content string) (string, error) {
+	return "MOCK", nil
+}
+
+func TestSecurityWorkflow(t *testing.T) {
+	policy := SecurityPolicy{
+		CaptchaThreshold: 3,
+		BanThreshold:     5,
+		AttemptsWindow:   5 * time.Minute,
+		BanDuration:      5 * time.Minute,
+	}
+	limiter := NewLoginLimiter(policy)
+	ip := "192.168.1.100"
+
+	// 测试正常失败记录
+	for i := 0; i < 3; i++ {
+		limiter.RecordFailedAttempt(ip)
+	}
+	isBanned, capRequired := limiter.CheckSecurityStatus(ip)
+	fmt.Printf("IP: %s, Banned: %v, Captcha Required: %v\n", ip, isBanned, capRequired)
+	if isBanned {
+		t.Error("IP should not be banned yet")
+	}
+	if !capRequired {
+		t.Error("Captcha should be required")
+	}
+	// 测试触发封禁
+	for i := 0; i < 3; i++ {
+		limiter.RecordFailedAttempt(ip)
+		isBanned, capRequired = limiter.CheckSecurityStatus(ip)
+		fmt.Printf("IP: %s, Banned: %v, Captcha Required: %v\n", ip, isBanned, capRequired)
+	}
+
+	// 测试封禁状态
+	if isBanned, _ = limiter.CheckSecurityStatus(ip); !isBanned {
+		t.Error("IP should be banned")
+	}
+}
+
+func TestCaptchaFlow(t *testing.T) {
+	policy := SecurityPolicy{CaptchaThreshold: 2}
+	limiter := NewLoginLimiter(policy)
+	limiter.RegisterProvider(&MockCaptchaProvider{})
+	ip := "10.0.0.1"
+
+	// 触发验证码要求
+	limiter.RecordFailedAttempt(ip)
+	limiter.RecordFailedAttempt(ip)
+
+	// 检查状态
+	if _, need := limiter.CheckSecurityStatus(ip); !need {
+		t.Error("应该需要验证码")
+	}
+
+	// 生成验证码
+	err, capc := limiter.RequireCaptcha(ip)
+	if err != nil {
+		t.Fatalf("生成验证码失败: %v", err)
+	}
+	fmt.Printf("验证码内容: %#v\n", capc)
+
+	// 验证成功
+	if !limiter.VerifyCaptcha(ip, capc.Answer) {
+		t.Error("验证码应该验证成功")
+	}
+
+	limiter.RemoveAttempts(ip)
+	// 验证后状态
+	if banned, need := limiter.CheckSecurityStatus(ip); banned || need {
+		t.Error("验证成功后应该重置状态")
+	}
+}
+
+func TestCaptchaMustFlow(t *testing.T) {
+	policy := SecurityPolicy{CaptchaThreshold: 0}
+	limiter := NewLoginLimiter(policy)
+	limiter.RegisterProvider(&MockCaptchaProvider{})
+	ip := "10.0.0.1"
+
+	// 检查状态
+	if _, need := limiter.CheckSecurityStatus(ip); !need {
+		t.Error("应该需要验证码")
+	}
+
+	// 生成验证码
+	err, capc := limiter.RequireCaptcha(ip)
+	if err != nil {
+		t.Fatalf("生成验证码失败: %v", err)
+	}
+	fmt.Printf("验证码内容: %#v\n", capc)
+
+	// 验证成功
+	if !limiter.VerifyCaptcha(ip, capc.Answer) {
+		t.Error("验证码应该验证成功")
+	}
+
+	// 验证后状态
+	if _, need := limiter.CheckSecurityStatus(ip); !need {
+		t.Error("应该需要验证码")
+	}
+}
+func TestAttemptTimeout(t *testing.T) {
+	policy := SecurityPolicy{CaptchaThreshold: 2, AttemptsWindow: 1 * time.Second}
+	limiter := NewLoginLimiter(policy)
+	limiter.RegisterProvider(&MockCaptchaProvider{})
+	ip := "10.0.0.1"
+
+	// 触发验证码要求
+	limiter.RecordFailedAttempt(ip)
+	limiter.RecordFailedAttempt(ip)
+
+	// 检查状态
+	if _, need := limiter.CheckSecurityStatus(ip); !need {
+		t.Error("应该需要验证码")
+	}
+
+	// 生成验证码
+	err, _ := limiter.RequireCaptcha(ip)
+	if err != nil {
+		t.Fatalf("生成验证码失败: %v", err)
+	}
+	// 等待超过 AttemptsWindow
+	time.Sleep(2 * time.Second)
+	// 触发验证码要求
+	limiter.RecordFailedAttempt(ip)
+
+	// 检查状态
+	if _, need := limiter.CheckSecurityStatus(ip); need {
+		t.Error("不应该需要验证码")
+	}
+}
+
+func TestCaptchaTimeout(t *testing.T) {
+	policy := SecurityPolicy{CaptchaThreshold: 2}
+	limiter := NewLoginLimiter(policy)
+	limiter.RegisterProvider(&MockCaptchaProvider{})
+	ip := "10.0.0.1"
+
+	// 触发验证码要求
+	limiter.RecordFailedAttempt(ip)
+	limiter.RecordFailedAttempt(ip)
+
+	// 检查状态
+	if _, need := limiter.CheckSecurityStatus(ip); !need {
+		t.Error("应该需要验证码")
+	}
+
+	// 生成验证码
+	err, _ := limiter.RequireCaptcha(ip)
+	if err != nil {
+		t.Fatalf("生成验证码失败: %v", err)
+	}
+
+	// 等待超过 CaptchaValidPeriod
+	time.Sleep(3 * time.Second)
+
+	code := "MOCK"
+	// 验证成功
+	if limiter.VerifyCaptcha(ip, code) {
+		t.Error("验证码应该已过期")
+	}
+
+}
+
+func TestBanFlow(t *testing.T) {
+	policy := SecurityPolicy{BanThreshold: 5}
+	limiter := NewLoginLimiter(policy)
+	ip := "10.0.0.1"
+	// 触发ban
+	for i := 0; i < 5; i++ {
+		limiter.RecordFailedAttempt(ip)
+	}
+
+	// 检查状态
+	if banned, _ := limiter.CheckSecurityStatus(ip); !banned {
+		t.Error("should be banned")
+	}
+}
+func TestBanDisableFlow(t *testing.T) {
+	policy := SecurityPolicy{BanThreshold: 0}
+	limiter := NewLoginLimiter(policy)
+	ip := "10.0.0.1"
+	// 触发ban
+	for i := 0; i < 5; i++ {
+		limiter.RecordFailedAttempt(ip)
+	}
+
+	// 检查状态
+	if banned, _ := limiter.CheckSecurityStatus(ip); banned {
+		t.Error("should not be banned")
+	}
+}
+func TestBanTimeout(t *testing.T) {
+	policy := SecurityPolicy{BanThreshold: 5, BanDuration: 1 * time.Second}
+	limiter := NewLoginLimiter(policy)
+	ip := "10.0.0.1"
+	// 触发ban
+	// 触发ban
+	for i := 0; i < 5; i++ {
+		limiter.RecordFailedAttempt(ip)
+	}
+
+	time.Sleep(2 * time.Second)
+
+	// 检查状态
+	if banned, _ := limiter.CheckSecurityStatus(ip); banned {
+		t.Error("should not be banned")
+	}
+}
+
+func TestLimiterDisabled(t *testing.T) {
+	policy := SecurityPolicy{BanThreshold: 0, CaptchaThreshold: -1}
+	limiter := NewLoginLimiter(policy)
+	ip := "10.0.0.1"
+	// 触发ban
+	for i := 0; i < 5; i++ {
+		limiter.RecordFailedAttempt(ip)
+	}
+
+	// 检查状态
+	if banned, capNeed := limiter.CheckSecurityStatus(ip); banned || capNeed {
+		fmt.Printf("IP: %s, Banned: %v, Captcha Required: %v\n", ip, banned, capNeed)
+		t.Error("should not be banned or need captcha")
+	}
+}
+
+func TestB64CaptchaFlow(t *testing.T) {
+	limiter := NewLoginLimiter(defaultSecurityPolicy)
+	limiter.RegisterProvider(B64StringCaptchaProvider{})
+	ip := "10.0.0.1"
+
+	// 触发验证码要求
+	limiter.RecordFailedAttempt(ip)
+	limiter.RecordFailedAttempt(ip)
+	limiter.RecordFailedAttempt(ip)
+
+	// 检查状态
+	if _, need := limiter.CheckSecurityStatus(ip); !need {
+		t.Error("应该需要验证码")
+	}
+
+	// 生成验证码
+	err, capc := limiter.RequireCaptcha(ip)
+	if err != nil {
+		t.Fatalf("生成验证码失败: %v", err)
+	}
+	fmt.Printf("验证码内容: %#v\n", capc)
+
+	//draw
+	err, b64 := limiter.DrawCaptcha(capc.Content)
+	if err != nil {
+		t.Fatalf("绘制验证码失败: %v", err)
+	}
+	fmt.Printf("验证码内容: %#v\n", b64)
+
+	// 验证成功
+	if !limiter.VerifyCaptcha(ip, capc.Answer) {
+		t.Error("验证码应该验证成功")
+	}
+	limiter.RemoveAttempts(ip)
+	// 验证后状态
+	if banned, need := limiter.CheckSecurityStatus(ip); banned || need {
+		t.Error("验证成功后应该重置状态")
+	}
+}