update

app/controller/util.js

@@ -1,7 +1,9 @@
 'use strict';
 const Controller = require('egg').Controller;
 const { CrudController } = require('naf-framework-mongoose-free/lib/controller');
+const { BusinessError, ErrorCode } = require('naf-core').Error;
 const _ = require('lodash');
+const moment = require('moment');
 // 业务工具
 class UtilController extends Controller {
   constructor(ctx) {
@@ -10,19 +12,18 @@ class UtilController extends Controller {
     this.bodyObject = this.ctx.request.body;
     this.service = this.ctx.service.util;
     this.tradeService = this.ctx.service.util.trade;
+
   }
   async util() {
-    const request = this.ctx.request;
-    console.log(request);
-    const ip = _.get(request, 'header.x-real-ip');
-    const forward = _.get(request, 'header.x-forwarded-for');
-    const host = _.get(request, 'header.host');
-    const referer = _.get(request, 'header.referer');
-    const query = this.ctx.query;
-    const body = _.get(request, 'body');
-    this.ctx.ok({ ip, forward, host, referer, query, body });
+    this.ctx.ok();
+  }
+
+  async crk() {
+    const key = await this.ctx.service.util.rk.crk();
+    this.ctx.ok({ data: key });
   }
 
+
   /**
    * 查询是否可以购买
    */

app/middleware/checkUserRK.js

@@ -0,0 +1,24 @@
+'use strict';
+const _ = require('lodash');
+const whiteList = [ '/util/crk', '/admin/login', '/user/wxLogin', '/user/login', '/user' ];
+module.exports = options => {
+  return async function checkuserrk(ctx, next) {
+    const request = _.get(ctx, 'request');
+    const method = _.get(request, 'method');
+    const uri = _.get(request, 'url');
+    if (process.env.NODE_ENV === 'development') await next();
+    // get方法放过
+    else if (method === 'GET') await next();
+    else {
+      // 白名单中的路由放过: 查看是否以白名单中每一项为结尾,如果是的话,那就说明这个路由不需要检查requestKey
+      const inWhiteList = whiteList.find(f => _.endsWith(uri, f));
+      if (inWhiteList) await next();
+      // 管理员的post放过
+      else if (ctx.admin) await next();
+      // 检查rk
+      else {
+        await ctx.service.util.rk.urk();
+      }
+    }
+  };
+};

app/service/user/admin.js

@@ -93,7 +93,6 @@ class AdminService extends CrudService {
     const key = this.ctx.service.util.user.getDeleteUserKey(_id, target);
     return key;
   }
-
 }
 
 module.exports = AdminService;

app/service/util/rk.js

@@ -0,0 +1,68 @@
+'use strict';
+const { CrudService } = require('naf-framework-mongoose-free/lib/service');
+const { BusinessError, ErrorCode } = require('naf-core').Error;
+const _ = require('lodash');
+const assert = require('assert');
+
+//
+class RkService extends CrudService {
+  constructor(ctx) {
+    super(ctx, 'rk');
+    this.redis = this.app.redis;
+    this.keyPrefix = 'requestKey:';
+  }
+  // 检测,使用key
+  async urk() {
+    const key = _.get(this.ctx, 'request.header.rk');
+    const keyName = this.getKeyName(key);
+    const value = await this.redis.get(keyName);
+    if (!value) throw new BusinessError(ErrorCode.SERVICE_FAULT, '未找到请求key');
+    await this.redis.del(keyName);
+    const keyInfo = JSON.parse(value);
+    const obj = this.getKeyInfo();
+    console.log(keyInfo);
+    console.log(obj);
+    if (!_.isEqual(keyInfo, obj)) throw new BusinessError(ErrorCode.DATA_INVALID, 'key校验错误,拒绝请求');
+  }
+  // 生成key
+  async crk() {
+    const obj = this.getKeyInfo();
+    const str = JSON.stringify(obj);
+    const key = Math.random().toString(36).substr(2, 15);
+    await this.redis.set(this.getKeyName(key), str, 'EX', 180);
+    return key;
+  }
+
+  getKeyInfo() {
+    const request = this.ctx.request;
+    const ip = _.get(request, 'header.x-real-ip');
+    const forward = _.get(request, 'header.x-forwarded-for');
+    const host = _.get(request, 'header.host');
+    const referer = _.get(request, 'header.referer');
+    const query = this.ctx.query;
+    const body = _.get(request, 'body');
+    const userAgent = _.get(request, 'header.user-agent');
+    const obj = {};
+    const ut = _.get(request, 'header.token');
+    const at = _.get(request, 'header.admin-token');
+    console.log(request);
+    if (!ip) throw new BusinessError(ErrorCode.DATA_INVALID, '1-缺少生成key的参数');
+    if (!referer) throw new BusinessError(ErrorCode.DATA_INVALID, '2-缺少生成key的参数');
+    if (forward) obj.forward = forward;
+    if (host) obj.host = host;
+    if (query) obj.query = query;
+    if (body) obj.body = body;
+    if (userAgent) obj.userAgent = userAgent;
+    if (ut) obj.ut = ut;
+    if (at) obj.at = at;
+    obj.ip = ip;
+    obj.referer = referer;
+    return obj;
+  }
+
+  getKeyName(key) {
+    return `${this.keyPrefix}${key}`;
+  }
+}
+
+module.exports = RkService;

app/z_router/util.js

@@ -7,6 +7,7 @@ const rkey = 'util';
 const ckey = 'util';
 const keyZh = '工具接口';
 const routes = [
+  { method: 'post', path: `${rkey}/crk`, controller: `${ckey}.crk`, zh: `${keyZh}-创建请求key` },
   { method: 'get', path: `${rkey}/util`, controller: `${ckey}.util`, zh: `${keyZh}-工具` },
   { method: 'post', path: `${rkey}/checkCanBuy`, controller: `${ckey}.checkCanBuy`, zh: `${keyZh}-检查是否可以购买商品` },
   { method: 'post', path: `${rkey}/checkCartBuy`, controller: `${ckey}.checkCartBuy`, zh: `${keyZh}-检查选中的购物车商品是否可以购买` },

config/config.default.js

@@ -17,7 +17,7 @@ module.exports = appInfo => {
   config.keys = appInfo.name + '_1664237342649_2194';
   config.appName = '天恩活泉商城-服务';
   // add your middleware config here
-  config.middleware = [ 'errorEmail', 'setUserFromToken', 'checkLogin' ]; // , 'checkLogin'
+  config.middleware = [ 'errorEmail', 'setUserFromToken', 'checkLogin', 'checkUserRK' ]; // , 'checkLogin'
 
   // add your user config here
   const userConfig = {