중복 로그인 방지

2024-04-22 17:58:53 +09:00
parent f8557078cc
commit ba19cc0006
4 changed files with 26 additions and 3 deletions
--- a/core/service.go
+++ b/core/service.go
@ -2,6 +2,8 @@ package core

 import (
 	"context"
+	"crypto/md5"
+	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
@ -113,6 +115,7 @@ type serviceDescription struct {
 	divisionsSerialized []byte
 	serviceSerialized   []byte
 	divisionsSplits     map[string][]byte
+	mustUseChecksum     bool
 }

 func (sh *serviceDescription) isValidToken(apiToken primitive.ObjectID) bool {
@ -613,7 +616,23 @@ func (sh *serviceDescription) authorize(w http.ResponseWriter, r *http.Request)
 	queryvals := r.URL.Query()
 	authtype := queryvals.Get("type")
 	uid := queryvals.Get("id")
-	if sk := queryvals.Get("sk"); len(sk) > 0 {
+	sk := queryvals.Get("sk")
+
+	checksum := r.Header.Get("AS-X-CHECKSUM")
+	if len(checksum) > 0 || sh.mustUseChecksum {
+		nonce := queryvals.Get("nonce")
+		cookie := r.Header.Get("Cookie")
+
+		h := md5.New()
+		h.Write([]byte(cookie + nonce + sk))
+
+		if checksum != hex.EncodeToString(h.Sum(nil)) {
+			w.WriteHeader(http.StatusBadRequest)
+			return
+		}
+	}
+
+	if len(sk) > 0 {
 		success, err := sh.sessionProvider.Touch(sk)
 		if err != nil {
 			logger.Error("authorize failed. sessionProvider.Touch err:", err)
@ -723,7 +742,7 @@ func (sh *serviceDescription) authorize(w http.ResponseWriter, r *http.Request)
 		return
 	}

-	sk, err := sh.sessionProvider.New(&session.Authorization{
+	sk, err = sh.sessionProvider.New(&session.Authorization{
 		Account:  accid,
 		Platform: authtype,
 		Uid:      uid,