用户 cookie 验证随机失败

huangapple
go评论78阅读模式
英文:

User cookie verification fails randomly

问题

我正在使用两个结构体来保存用户信息:

// SecureDevice保存用户设备的信息
type SecureDevice struct {
Name string // 用户定义的名称
DeviceIP string
Token struct {
Token string
StartingDate time.Time // 令牌只能在一周后失效
}
}

// GlobalUser是一个定义了服务器中所有用户信息的结构体
type GlobalUser struct {
Username string
Password string
Salt string
Mail string
ValidationToken string // 用于验证用户的邮箱地址
Lang string
ConversationsID []int // 用户参与的私人消息
SecureDevicesList []SecureDevice
}

我使用一个函数来检查用户是否已登录:

// IsLoggedIn检查客户端的令牌是否有效
func IsLoggedIn(r *http.Request) string {
ips := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
ip := ips[0]
cookie, err := r.Cookie("auth")
if err != nil {
return "ERR$" + "not_connected"
}
cookieValue := strings.Split(cookie.Value, "$")
println(cookie.Value)
user := GetUser(cookieValue[0])
userToken := cookieValue1
if user.Username == "" {
return "ERR$" + "error"
}
for _, SecureDevice := range user.SecureDevicesList {
if SecureDevice.DeviceIP == ip && SecureDevice.Token.Token == userToken { // 确保提供的令牌是用户的令牌
if time.Since(SecureDevice.Token.StartingDate)*time.Hour >= 168 { // 如果令牌超过1周,丢弃它
return "ERR$" + "error_token_expired"
} else if time.Since(SecureDevice.Token.StartingDate)*time.Second >= 30 { // 如果令牌的年龄在1小时到1周之间,更新令牌
db, err := scribble.New("./brony/db", nil)
if err != nil {
return "ERR$" + "error_internal"
}
tokenBytes, err := GenerateRandomBytes(64) // 生成一个令牌
if err != nil {
return "ERR$" + "error_internal"
}
token := base64.URLEncoding.EncodeToString(tokenBytes)
SecureDevice.Token.Token = token
SecureDevice.Token.StartingDate = time.Now()
errr := db.Write("users", user.Username, user)
if errr != nil {
return "ERR$" + "error_internal"
}
return "TOK$" + user.Username + "$" + SecureDevice.Token.Token
} else if time.Since(SecureDevice.Token.StartingDate)*time.Hour <= 1 {
return "NIL$"
}
} else if SecureDevice.DeviceIP == ip {
return "ERR$" + "error_bad_token"
}
}
return "ERR$" + "error_device_not_registered"
}

但是,当我加载页面时,几乎总是会出现错误:

status := IsLoggedIn(r)
println(status)

由于我正在打印"IsLoggedIn"以了解问题的来源,所以经常会出现错误。

起初我以为是我的令牌更新代码有问题,但是尽管有问题且未完成,但似乎并不是它的问题,因为经过几次刷新后,它说cookie是正常的。我真的不明白问题出在哪里,这真的很烦人,因为我不能就这样放任不管,对用户来说,每次按F5并希望页面刷新时会奇迹般地工作,这将非常令人恼火。代码在Debian服务器上运行。

英文:

I'm using two structs to hold user's info

// SecureDevice holds a user&#39;s device&#39;s infos
type SecureDevice struct {
	Name     string // Defined by the user
	DeviceIP string
	Token    struct {
		Token        string
		StartingDate time.Time // The token is supposed to last only a week before becoming invalid
	}
}

// GlobalUser is a struct defining all user&#39;s infos registered inside the server
type GlobalUser struct {
	Username          string
	Password          string
	Salt              string
	Mail              string
	ValidationToken   string // Used to validate the user&#39;s mail adress
	Lang              string
	ConversationsID   []int // The private messages the user has part in
	SecureDevicesList []SecureDevice
}

And I'm using a function to check if the user is logged in

// IsLoggedIn checks if client&#39;s token is valid
func IsLoggedIn(r *http.Request) string {
	ips := strings.Split(r.Header.Get(&quot;X-Forwarded-For&quot;), &quot;, &quot;)
	ip := ips[0]
	cookie, err := r.Cookie(&quot;auth&quot;)
	if err != nil {
		return &quot;ERR$&quot; + &quot;not_connected&quot;
	}
	cookieValue := strings.Split(cookie.Value, &quot;$&quot;)
	println(cookie.Value)
	user := GetUser(cookieValue[0])
	userToken := cookieValue[1]
	if user.Username == &quot;&quot; {
		return &quot;ERR$&quot; + &quot;error&quot;
	}
	for _, SecureDevice := range user.SecureDevicesList {
		if SecureDevice.DeviceIP == ip &amp;&amp; SecureDevice.Token.Token == userToken { // We make sure that the token provided is actually the user&#39;s token
			if time.Since(SecureDevice.Token.StartingDate)*time.Hour &gt;= 168 { // If token is older than 1 week, we throw it away
				return &quot;ERR$&quot; + &quot;error_token_expired&quot;
			} else if time.Since(SecureDevice.Token.StartingDate)*time.Second &gt;= 30 { // If it&#39;s age is between 1 hour and one week, we renew it
				db, err := scribble.New(&quot;./brony/db&quot;, nil)
				if err != nil {
					return &quot;ERR$&quot; + &quot;error_internal&quot;
				}
				tokenBytes, err := GenerateRandomBytes(64) // Generates a salt
				if err != nil {
					return &quot;ERR$&quot; + &quot;error_internal&quot;
				}
				token := base64.URLEncoding.EncodeToString(tokenBytes)
				SecureDevice.Token.Token = token
				SecureDevice.Token.StartingDate = time.Now()
				errr := db.Write(&quot;users&quot;, user.Username, user)
				if errr != nil {
					return &quot;ERR$&quot; + &quot;error_internal&quot;
				}
				return &quot;TOK$&quot; + user.Username + &quot;$&quot; + SecureDevice.Token.Token
			} else if time.Since(SecureDevice.Token.StartingDate)*time.Hour &lt;= 1 {
				return &quot;NIL$&quot;
			}
		} else if SecureDevice.DeviceIP == ip {
			return &quot;ERR$&quot; + &quot;error_bad_token&quot;
		}
	}
	return &quot;ERR$&quot; + &quot;error_device_not_registered&quot;
}

But almost always when I load the page with

status := IsLoggedIn(r)
println(status)

It often gives me an error, since I'm printing "IsLoggedIn" to understand where the problem comes from

test$ppDXRggtztyA9OBbdZh1t1ESqRo2XvuOBt4xlDai9kVxwq-_3zlWyvgNgA7AZcSpasJ_YnXZvoG                                                                                                                                                             qlz1syF9X8g==
NIL$

test$ppDXRggtztyA9OBbdZh1t1ESqRo2XvuOBt4xlDai9kVxwq-_3zlWyvgNgA7AZcSpasJ_YnXZvoG                                                                                                                                                             qlz1syF9X8g==
ERR$error_token_expired

test$ppDXRggtztyA9OBbdZh1t1ESqRo2XvuOBt4xlDai9kVxwq-_3zlWyvgNgA7AZcSpasJ_YnXZvoG                                                                                                                                                             qlz1syF9X8g==
NIL$

test$ppDXRggtztyA9OBbdZh1t1ESqRo2XvuOBt4xlDai9kVxwq-_3zlWyvgNgA7AZcSpasJ_YnXZvoG                                                                                                                                                             qlz1syF9X8g==
ERR$error_token_expired
test$ppDXRggtztyA9OBbdZh1t1ESqRo2XvuOBt4xlDai9kVxwq-_3zlWyvgNgA7AZcSpasJ_YnXZvoG                                                                                                                                                             qlz1syF9X8g==
ERR$error_token_expired

test$ppDXRggtztyA9OBbdZh1t1ESqRo2XvuOBt4xlDai9kVxwq-_3zlWyvgNgA7AZcSpasJ_YnXZvoG                                                                                                                                                             qlz1syF9X8g==
ERR$error_token_expired

test$ppDXRggtztyA9OBbdZh1t1ESqRo2XvuOBt4xlDai9kVxwq-_3zlWyvgNgA7AZcSpasJ_YnXZvoG                                                                                                                                                             qlz1syF9X8g==
ERR$error_token_expired

test$ppDXRggtztyA9OBbdZh1t1ESqRo2XvuOBt4xlDai9kVxwq-_3zlWyvgNgA7AZcSpasJ_YnXZvoG                                                                                                                                                             qlz1syF9X8g==
ERR$error_token_expired

test$ppDXRggtztyA9OBbdZh1t1ESqRo2XvuOBt4xlDai9kVxwq-_3zlWyvgNgA7AZcSpasJ_YnXZvoG                                                                                                                                                             qlz1syF9X8g==
NIL$

At first I thought it was my token's renewal code which was faulty, but while beeing faulty and unfinished, it doesn't seem to be it's fault since after a few f5, it said that the cookie was ok. I really don't understand where the fault is, and it's starting to get really annoying, as I can't just let it be, it would be very annoying to say the least for a user to do f5 everytime and hope that when the page will refresh, it will miraculously work. The code runs on a debian server

答案1

得分: 0

你的问题可能是你处理 time.Since 返回值进行比较的方式不正确。

time.Since 方法返回 Duration 类型,并且内部表示为 int64 类型。值以纳秒为单位。

尝试这样做:

elapsedHours := int64(time.Since(SecureDevice.Token.StartingDate).Hours())
if elapsedHours >= 168 {
    //...
} else if elapsedHours >= 30 {
   //...
} else if elapsedHours <= 1 {
   //...
}
英文:

Your issue might be, the way you handle time.Since return value for comparison.

time.Since method returns type Duration and internally represented as type int64. Value is in Nanoseconds.

Try this-

elapsedHours := int64(time.Since(SecureDevice.Token.StartingDate).Hours())
if elapsedHours &gt;= 168 {
    //...
} else if elapsedHours &gt;= 30 {
   //...
} else if elapsedHours &lt;= 1 {
   //...
}

huangapple
  • 本文由 发表于 2017年7月2日 00:55:41
  • 转载请务必保留本文链接:https://go.coder-hub.com/44863386.html
  • backend
  • cookies
  • go
  • web
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定