feat: WebClient 1.4.2

README.md

@@ -2,7 +2,8 @@
 
 [English Doc](README_EN.md)
 
-本项目使用 Go 实现了 RustDesk 的 API，并包含了 Web Admin 和 Web 客户端。RustDesk 是一个远程桌面软件，提供了自托管的解决方案。
+本项目使用 Go 实现了 RustDesk 的 API，并包含了 Web Admin 和 Web 客户端。
+
 
 <div align=center>
 <img src="https://img.shields.io/badge/golang-1.22-blue"/>
@@ -13,6 +14,14 @@
 <img src="https://github.com/lejianwen/rustdesk-api/actions/workflows/build.yml/badge.svg"/>
 </div>
 
+## 搭配[lejianwen/rustdesk-server]使用更佳。
+> [lejianwen/rustdesk-server]fork自RustDesk Server官方仓库
+> 1. 解决了使用API链接超时问题
+> 2. 可以强制登录后才能发起链接
+> 3. 支持客户端websocket
+
+
+
 # 特性
 
 - PC端API
@@ -182,6 +191,7 @@
 | RUSTDESK_API_MYSQL_PASSWORD                            | mysql密码                                                                        | 111111                       |
 | RUSTDESK_API_MYSQL_ADDR                                | mysql地址                                                                        | 192.168.1.66:3306            |
 | RUSTDESK_API_MYSQL_DBNAME                              | mysql数据库名                                                                      | rustdesk                     |
+| RUSTDESK_API_MYSQL_TLS                             | 是否启用TLS, 可选值: `true`, `false`, `skip-verify`, `custom` | `false`                      |
 | -----RUSTDESK配置-----                                   | ----------                                                                     | ----------                   |
 | RUSTDESK_API_RUSTDESK_ID_SERVER                        | Rustdesk的id服务器地址                                                               | 192.168.1.66:21116           |
 | RUSTDESK_API_RUSTDESK_RELAY_SERVER                     | Rustdesk的relay服务器地址                                                            | 192.168.1.66:21117           |
@@ -325,3 +335,5 @@
 </a>
 
 ## 感谢你的支持！如果这个项目对你有帮助，请点个⭐️鼓励一下，谢谢！
+
+[lejianwen/rustdesk-server]: https://github.com/lejianwen/rustdesk-server

README_EN.md

@@ -12,6 +12,13 @@ desktop software that provides self-hosted solutions.
 <img src="https://github.com/lejianwen/rustdesk-api/actions/workflows/build.yml/badge.svg"/>
 </div>
 
+## Better used with [lejianwen/rustdesk-server].
+> [lejianwen/rustdesk-server] is a fork of the official RustDesk Server repository.
+> 1. Solves the API connection timeout issue.
+> 2. Can enforce login before initiating a connection.
+> 3. Supports client websocket.
+
+
 # Features
 
 - PC API
@@ -181,6 +188,7 @@ The table below does not list all configurations. Please refer to the configurat
 | RUSTDESK_API_MYSQL_PASSWORD                            | MySQL password                                                                                                                                      | 111111                        |
 | RUSTDESK_API_MYSQL_ADDR                                | MySQL address                                                                                                                                       | 192.168.1.66:3306             |
 | RUSTDESK_API_MYSQL_DBNAME                              | MySQL database name                                                                                                                                 | rustdesk                      |
+| RUSTDESK_API_MYSQL_TLS                             | Whether to enable TLS, optional values: `true`, `false`, `skip-verify`, `custom` | `false`                       |
 | ----- RUSTDESK Configuration -----                     | ---------------------------------------                                                                                                             | ----------------------------- |
 | RUSTDESK_API_RUSTDESK_ID_SERVER                        | Rustdesk ID server address                                                                                                                          | 192.168.1.66:21116            |
 | RUSTDESK_API_RUSTDESK_RELAY_SERVER                     | Rustdesk relay server address                                                                                                                       | 192.168.1.66:21117            |
@@ -325,3 +333,6 @@ Thanks to everyone who contributed!
 </a>
 
 ## Thanks for your support! If you find this project useful, please give it a ⭐️. Thank you!
+
+
+[lejianwen/rustdesk-server]: https://github.com/lejianwen/rustdesk-server

cmd/apimain.go

@@ -23,7 +23,7 @@ import (
 	"github.com/spf13/cobra"
 )
 
-const DatabaseVersion = 264
+const DatabaseVersion = 265
 
 // @title 管理系统API
 // @version 1.0
@@ -145,11 +145,12 @@ func InitGlobal() {
 	//gorm
 	if global.Config.Gorm.Type == config.TypeMysql {
 
-		dsn := fmt.Sprintf("%s:%s@(%s)/%s?charset=utf8mb4&parseTime=True&loc=Local",
+		dsn := fmt.Sprintf("%s:%s@(%s)/%s?charset=utf8mb4&parseTime=True&loc=Local&tls=%s",
 			global.Config.Mysql.Username,
 			global.Config.Mysql.Password,
 			global.Config.Mysql.Addr,
 			global.Config.Mysql.Dbname,
+			global.Config.Mysql.Tls,
 		)
 
 		global.DB = orm.NewMysql(&orm.MysqlConfig{

conf/config.yaml

@@ -31,6 +31,7 @@ mysql:
   password: ""
   addr: ""
   dbname: ""
+  tls: "false" # true / false / skip-verify / custom
 
 postgresql:
   host: "127.0.0.1"
@@ -80,4 +81,4 @@ ldap:
     last-name: "sn"
     sync: false         # If true, the user will be synchronized to the database when the user logs in. If false, the user will be synchronized to the database when the user be created.
     admin-group: "cn=admin,dc=example,dc=com" # The group name of the admin group, if the user is in this group, the user will be an admin.
-
+    allow-group: "cn=users,dc=example,dc=com" # The group name of the users group, if the user is in this group, the user will be an login. 

config/gorm.go

@@ -17,6 +17,7 @@ type Mysql struct {
 	Username string `mapstructure:"username"`
 	Password string `mapstructure:"password"`
 	Dbname   string `mapstructure:"dbname"`
+	Tls      string `mapstructure:"tls"` // true / false / skip-verify / custom
 }
 
 type Postgresql struct {

config/ldap.go

@@ -11,6 +11,7 @@ type LdapUser struct {
 	LastName        string `mapstructure:"last-name"`
 	Sync            bool   `mapstructure:"sync"`        // Will sync the user's information to the internal database
 	AdminGroup      string `mapstructure:"admin-group"` // Which group is the admin group
+	AllowGroup      string `mapstructure:"allow-group"` // Which group is allowed to login
 }
 
 // type LdapGroup struct {

go.mod

@@ -25,6 +25,7 @@ require (
 	github.com/swaggo/files v1.0.1
 	github.com/swaggo/gin-swagger v1.6.0
 	github.com/swaggo/swag v1.16.3
+	golang.org/x/crypto v0.33.0
 	golang.org/x/oauth2 v0.23.0
 	golang.org/x/text v0.22.0
 	gorm.io/driver/mysql v1.5.7
@@ -84,7 +85,6 @@ require (
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.9 // indirect
 	golang.org/x/arch v0.0.0-20210923205945-b76863e36670 // indirect
-	golang.org/x/crypto v0.33.0 // indirect
 	golang.org/x/image v0.13.0 // indirect
 	golang.org/x/net v0.34.0 // indirect
 	golang.org/x/sync v0.11.0 // indirect

http/controller/admin/login.go

@@ -169,8 +169,8 @@ func (ct *Login) LoginOptions(c *gin.Context) {
 		"ops":          ops,
 		"register":     global.Config.App.Register,
 		"need_captcha": needCaptcha,
-		"disable_pwd": 	global.Config.App.DisablePwdLogin,
-		"auto_oidc":  	global.Config.App.DisablePwdLogin && len(ops) == 1,
+		"disable_pwd":  global.Config.App.DisablePwdLogin,
+		"auto_oidc":    global.Config.App.DisablePwdLogin && len(ops) == 1,
 	})
 }
 
@@ -191,7 +191,7 @@ func (ct *Login) OidcAuth(c *gin.Context) {
 		return
 	}
 
-	err, state, verifier, nonce, url := service.AllService.OauthService.BeginAuth(c, f.Op)
+	err, state, verifier, nonce, url := service.AllService.OauthService.BeginAuth(f.Op)
 	if err != nil {
 		response.Error(c, response.TranslateMsg(c, err.Error()))
 		return

http/controller/admin/oauth.go

@@ -44,7 +44,7 @@ func (o *Oauth) ToBind(c *gin.Context) {
 		return
 	}
 
-	err, state, verifier, nonce, url := service.AllService.OauthService.BeginAuth(c, f.Op)
+	err, state, verifier, nonce, url := service.AllService.OauthService.BeginAuth(f.Op)
 	if err != nil {
 		response.Error(c, response.TranslateMsg(c, err.Error()))
 		return

http/controller/admin/peer.go

@@ -114,6 +114,9 @@ func (ct *Peer) List(c *gin.Context) {
 		if query.Ip != "" {
 			tx.Where("last_online_ip like ?", "%"+query.Ip+"%")
 		}
+		if query.Alias != "" {
+			tx.Where("alias like ?", "%"+query.Alias+"%")
+		}
 	})
 	response.Success(c, res)
 }

http/controller/api/index.go

@@ -49,7 +49,7 @@ func (i *Index) Heartbeat(c *gin.Context) {
 		c.JSON(http.StatusOK, gin.H{})
 		return
 	}
-	peer := service.AllService.PeerService.FindByUuid(info.Uuid)
+	peer := service.AllService.PeerService.FindById(info.Id)
 	if peer == nil || peer.RowId == 0 {
 		c.JSON(http.StatusOK, gin.H{})
 		return

http/controller/api/ouath.go

@@ -36,7 +36,7 @@ func (o *Oauth) OidcAuth(c *gin.Context) {
 
 	oauthService := service.AllService.OauthService
 
-	err, state, verifier, nonce, url := oauthService.BeginAuth(c, f.Op)
+	err, state, verifier, nonce, url := oauthService.BeginAuth(f.Op)
 	if err != nil {
 		response.Error(c, response.TranslateMsg(c, err.Error()))
 		return
@@ -80,7 +80,8 @@ func (o *Oauth) OidcAuthQueryPre(c *gin.Context) (*model.User, *model.UserToken)
 
 	// 如果 UserId 为 0，说明还在授权中
 	if v.UserId == 0 {
-		c.JSON(http.StatusOK, gin.H{"message": "Authorization in progress, please login and bind"})
+		//fix: 1.4.2 webclient oidc
+		c.JSON(http.StatusOK, gin.H{"message": "Authorization in progress, please login and bind", "error": "No authed oidc is found"})
 		return nil, nil
 	}
 
@@ -170,7 +171,7 @@ func (o *Oauth) OauthCallback(c *gin.Context) {
 	var user *model.User
 	// 获取用户信息
 	code := c.Query("code")
-	err, oauthUser := oauthService.Callback(c, code, verifier, op, nonce)
+	err, oauthUser := oauthService.Callback(code, verifier, op, nonce)
 	if err != nil {
 		c.HTML(http.StatusOK, "oauth_fail.html", gin.H{
 			"message":     "OauthFailed",

http/controller/api/peer.go

@@ -31,10 +31,10 @@ func (p *Peer) SysInfo(c *gin.Context) {
 		return
 	}
 	fpe := f.ToPeer()
-	pe := service.AllService.PeerService.FindByUuid(f.Uuid)
+	pe := service.AllService.PeerService.FindById(f.Id)
 	if pe.RowId == 0 {
 		pe = f.ToPeer()
-		pe.UserId = service.AllService.UserService.FindLatestUserIdFromLoginLogByUuid(pe.Uuid)
+		pe.UserId = service.AllService.UserService.FindLatestUserIdFromLoginLogByUuid(pe.Uuid, pe.Id)
 		err = service.AllService.PeerService.Create(pe)
 		if err != nil {
 			response.Error(c, response.TranslateMsg(c, "OperationFailed")+err.Error())
@@ -42,7 +42,7 @@ func (p *Peer) SysInfo(c *gin.Context) {
 		}
 	} else {
 		if pe.UserId == 0 {
-			pe.UserId = service.AllService.UserService.FindLatestUserIdFromLoginLogByUuid(pe.Uuid)
+			pe.UserId = service.AllService.UserService.FindLatestUserIdFromLoginLogByUuid(pe.Uuid, pe.Id)
 		}
 		fpe.RowId = pe.RowId
 		fpe.UserId = pe.UserId

http/request/admin/peer.go

@@ -13,6 +13,7 @@ type PeerForm struct {
 	Uuid     string `json:"uuid"`
 	Version  string `json:"version"`
 	GroupId  uint   `json:"group_id"`
+	Alias    string `json:"alias"`
 }
 
 type PeerBatchDeleteForm struct {
@@ -32,6 +33,7 @@ func (f *PeerForm) ToPeer() *model.Peer {
 		Uuid:     f.Uuid,
 		Version:  f.Version,
 		GroupId:  f.GroupId,
+		Alias:    f.Alias,
 	}
 }
 
@@ -43,6 +45,7 @@ type PeerQuery struct {
 	Uuids    string `json:"uuids" form:"uuids"`
 	Ip       string `json:"ip" form:"ip"`
 	Username string `json:"username" form:"username"`
+	Alias    string `json:"alias" form:"alias"`
 }
 
 type SimpleDataQuery struct {

model/oauth.go

@@ -41,6 +41,7 @@ type Oauth struct {
 	OauthType    string `json:"oauth_type"`
 	ClientId     string `json:"client_id"`
 	ClientSecret string `json:"client_secret"`
+	//RedirectUrl  string `json:"redirect_url"`
 	AutoRegister *bool  `json:"auto_register"`
 	Scopes       string `json:"scopes"`
 	Issuer       string `json:"issuer"`

model/peer.go

@@ -15,6 +15,7 @@ type Peer struct {
 	LastOnlineTime int64  `json:"last_online_time"  gorm:"default:0;not null;"`
 	LastOnlineIp   string `json:"last_online_ip"  gorm:"default:'';not null;"`
 	GroupId        uint   `json:"group_id"  gorm:"default:0;not null;index"`
+	Alias          string `json:"alias" gorm:"default:'';not null;index"`
 	TimeModel
 }
 

resources/web2/index.html

@@ -32,7 +32,7 @@
     <title>RustDesk</title>
     <script src="/webclient-config/index.js"></script>
     <link rel="manifest" href="manifest.json"/>
-    <script type="module" crossorigin src="js/dist/index.js?v=ddbe54f1"></script>
+    <script type="module" crossorigin src="js/dist/index.js?v=bd4ac5e9"></script>
     <link rel="modulepreload" href="js/dist/vendor.js?v=0b990c6e"/>
     <style>
         html,
@@ -319,26 +319,5 @@
 </script>
 <script src="libs/stream/ponyfill.min.js"></script>
 <script src="libs/stream/StreamSaver.min.js"></script>
-<script src="libs/firebase-app.js?8.10.1"></script>
-<script src="libs/firebase-analytics.js?8.10.1"></script>
-
-<script>
-    // Your web app's Firebase configuration
-    // For Firebase JS SDK v7.20.0 and later, measurementId is optional
-    const firebaseConfig = {
-        apiKey: "AIzaSyCgehIZk1aFP0E7wZtYRRqrfvNiNAF39-A",
-        authDomain: "rustdesk.firebaseapp.com",
-        databaseURL: "https://rustdesk.firebaseio.com",
-        projectId: "rustdesk",
-        storageBucket: "rustdesk.appspot.com",
-        messagingSenderId: "768133699366",
-        appId: "1:768133699366:web:d50faf0792cb208d7993e7",
-        measurementId: "G-9PEH85N6ZQ",
-    };
-
-    // Initialize Firebase
-    firebase.initializeApp(firebaseConfig);
-    firebase.analytics();
-</script>
 </body>
 </html>

service/ldap.go

@@ -137,6 +137,17 @@ func (ls *LdapService) Authenticate(username, password string) (*model.User, err
 		return nil, ErrLdapUserDisabled
 	}
 	cfg := &Config.Ldap
+
+	// Skip allow-group check for admins
+    isAdmin := ls.isUserAdmin(cfg, ldapUser)
+    
+    // non-admins only check if allow-group is configured
+    if !isAdmin && cfg.User.AllowGroup != "" {
+        if !ls.isUserInGroup(cfg, ldapUser, cfg.User.AllowGroup) {
+            return nil, errors.New("user not in allowed group")
+        }
+    }
+
 	err = ls.verifyCredentials(cfg, ldapUser.Dn, password)
 	if err != nil {
 		return nil, err
@@ -148,6 +159,46 @@ func (ls *LdapService) Authenticate(username, password string) (*model.User, err
 	return user, nil
 }
 
+// isUserInGroup checks if the user is a member of the specified group. by_sw
+func (ls *LdapService) isUserInGroup(cfg *config.Ldap, ldapUser *LdapUser, groupDN string) bool {
+    // Check "memberOf" directly
+    if len(ldapUser.MemberOf) > 0 {
+        for _, group := range ldapUser.MemberOf {
+            if strings.EqualFold(group, groupDN) {
+                return true
+            }
+        }
+    }
+
+    // For "member" attribute, perform a reverse search on the group
+    member := "member"
+    userDN := ldap.EscapeFilter(ldapUser.Dn)
+    groupDN = ldap.EscapeFilter(groupDN)
+    groupFilter := fmt.Sprintf("(%s=%s)", member, userDN)
+
+    // Create the LDAP search request
+    groupSearchRequest := ldap.NewSearchRequest(
+        groupDN,
+        ldap.ScopeWholeSubtree,
+        ldap.NeverDerefAliases,
+        0,     // Unlimited search results
+        0,     // No time limit
+        false, // Return both attributes and DN
+        groupFilter,
+        []string{"dn"},
+        nil,
+    )
+
+    // Perform the group search
+    groupResult, err := ls.searchResult(cfg, groupSearchRequest)
+    if err != nil {
+        return false
+    }
+
+    // If any results are returned, the user is part of the group
+    return len(groupResult.Entries) > 0
+}
+
 // mapToLocalUser checks whether the user exists locally; if not, creates one.
 // If the user exists and Ldap.Sync is enabled, it updates local info.
 func (ls *LdapService) mapToLocalUser(cfg *config.Ldap, lu *LdapUser) (*model.User, error) {

service/oauth.go

@@ -6,7 +6,6 @@ import (
 	"errors"
 
 	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/gin-gonic/gin"
 	"github.com/lejianwen/rustdesk-api/v2/model"
 	"github.com/lejianwen/rustdesk-api/v2/utils"
 	"golang.org/x/oauth2"
@@ -96,20 +95,16 @@ func (os *OauthService) DeleteOauthCache(key string) {
 	OauthCache.Delete(key)
 }
 
-func (os *OauthService) BeginAuth(c *gin.Context, op string) (error error, state, verifier, nonce, url string) {
+func (os *OauthService) BeginAuth(op string) (error error, state, verifier, nonce, url string) {
 	state = utils.RandomString(10) + strconv.FormatInt(time.Now().Unix(), 10)
 	verifier = ""
 	nonce = ""
 	if op == model.OauthTypeWebauth {
-		host := c.GetHeader("Origin")
-		if host == "" {
-			host = Config.Rustdesk.ApiServer
-		}
-		url = host + "/_admin/#/oauth/" + state
+		url = Config.Rustdesk.ApiServer + "/_admin/#/oauth/" + state
 		//url = "http://localhost:8888/_admin/#/oauth/" + code
 		return nil, state, verifier, nonce, url
 	}
-	err, oauthInfo, oauthConfig, _ := os.GetOauthConfig(c, op)
+	err, oauthInfo, oauthConfig, _ := os.GetOauthConfig(op)
 	if err == nil {
 		extras := make([]oauth2.AuthCodeOption, 0, 3)
 
@@ -174,18 +169,16 @@ func (os *OauthService) LinuxdoProvider() *oidc.Provider {
 }
 
 // GetOauthConfig retrieves the OAuth2 configuration based on the provider name
-func (os *OauthService) GetOauthConfig(c *gin.Context, op string) (err error, oauthInfo *model.Oauth, oauthConfig *oauth2.Config, provider *oidc.Provider) {
+func (os *OauthService) GetOauthConfig(op string) (err error, oauthInfo *model.Oauth, oauthConfig *oauth2.Config, provider *oidc.Provider) {
 	//err, oauthInfo, oauthConfig = os.getOauthConfigGeneral(op)
 	oauthInfo = os.InfoByOp(op)
 	if oauthInfo.Id == 0 || oauthInfo.ClientId == "" || oauthInfo.ClientSecret == "" {
 		return errors.New("ConfigNotFound"), nil, nil, nil
 	}
-	redirectUrl := os.buildRedirectURL(c)
-	Logger.Debug("Redirect URL: ", redirectUrl)
 	oauthConfig = &oauth2.Config{
 		ClientID:     oauthInfo.ClientId,
 		ClientSecret: oauthInfo.ClientSecret,
-		RedirectURL:  redirectUrl,
+		RedirectURL:  Config.Rustdesk.ApiServer + "/api/oidc/callback",
 	}
 
 	// Maybe should validate the oauthConfig here
@@ -340,8 +333,8 @@ func (os *OauthService) oidcCallback(oauthConfig *oauth2.Config, provider *oidc.
 }
 
 // Callback: Get user information by code and op(Oauth provider)
-func (os *OauthService) Callback(c *gin.Context, code, verifier, op, nonce string) (err error, oauthUser *model.OauthUser) {
-	err, oauthInfo, oauthConfig, provider := os.GetOauthConfig(c, op)
+func (os *OauthService) Callback(code, verifier, op, nonce string) (err error, oauthUser *model.OauthUser) {
+	err, oauthInfo, oauthConfig, provider := os.GetOauthConfig(op)
 	// oauthType is already validated in GetOauthConfig
 	if err != nil {
 		return err, nil
@@ -527,22 +520,3 @@ func (os *OauthService) getGithubPrimaryEmail(client *http.Client, githubUser *m
 
 	return fmt.Errorf("no primary verified email found")
 }
-
-func (os *OauthService) buildRedirectURL(c *gin.Context) string {
-	baseUrl := Config.Rustdesk.ApiServer
-	host := c.Request.Host
-
-	if host != "" {
-		scheme := c.GetHeader("X-Forwarded-Proto")
-		if scheme == "" {
-			if c.Request.TLS != nil {
-				scheme = "https"
-			} else {
-				scheme = "http"
-			}
-		}
-		baseUrl = fmt.Sprintf("%s://%s", scheme, host)
-	}
-
-	return fmt.Sprintf("%s/api/oidc/callback", baseUrl)
-}

service/user.go

@@ -395,10 +395,10 @@ func (us *UserService) UserThirdInfo(userId uint, op string) *model.UserThird {
 	return ut
 }
 
-// FindLatestUserIdFromLoginLogByUuid 根据uuid查找最后登录的用户id
-func (us *UserService) FindLatestUserIdFromLoginLogByUuid(uuid string) uint {
+// FindLatestUserIdFromLoginLogByUuid 根据uuid和设备id查找最后登录的用户id
+func (us *UserService) FindLatestUserIdFromLoginLogByUuid(uuid string, deviceId string) uint {
 	llog := &model.LoginLog{}
-	DB.Where("uuid = ?", uuid).Order("id desc").First(llog)
+	DB.Where("uuid = ? and device_id = ?", uuid, deviceId).Order("id desc").First(llog)
 	return llog.UserId
 }