fix: harden login for MLPS requirements

This commit is contained in:
2026-05-14 11:05:20 +08:00
parent ecf3ee1ef0
commit 879677516f
39 changed files with 1230 additions and 71 deletions
+22 -7
View File
@@ -9,8 +9,10 @@ import (
)
type loginRequest struct {
Username string `json:"username" binding:"required"`
Password string `json:"password" binding:"required"`
Username string `json:"username" binding:"required"`
Password string `json:"password"`
EncryptedPassword string `json:"encrypted_password"`
PasswordKeyID string `json:"password_key_id"`
}
type loginResponse struct {
@@ -28,11 +30,13 @@ func loginHandler(svc *app.AuthService) gin.HandlerFunc {
}
result, err := svc.Login(c.Request.Context(), app.LoginInput{
Username: body.Username,
Password: body.Password,
IP: c.ClientIP(),
UserAgent: c.Request.UserAgent(),
RequestID: middleware.RequestIDFromGin(c),
Username: body.Username,
Password: body.Password,
EncryptedPassword: body.EncryptedPassword,
PasswordKeyID: body.PasswordKeyID,
IP: c.ClientIP(),
UserAgent: c.Request.UserAgent(),
RequestID: middleware.RequestIDFromGin(c),
})
if err != nil {
response.Error(c, err)
@@ -47,6 +51,17 @@ func loginHandler(svc *app.AuthService) gin.HandlerFunc {
}
}
func passwordPublicKeyHandler(svc *app.AuthService) gin.HandlerFunc {
return func(c *gin.Context) {
key := svc.PasswordPublicKey()
if key == nil {
response.Error(c, response.ErrNotFound(40420, "password_cipher_disabled", "password cipher is disabled"))
return
}
response.Success(c, key)
}
}
func meHandler(accounts *app.AccountService) gin.HandlerFunc {
return func(c *gin.Context) {
actor := actorFromGin(c)
+18 -1
View File
@@ -6,12 +6,14 @@ import (
"go.uber.org/zap"
"github.com/geo-platform/tenant-api/internal/ops/app"
sharedconfig "github.com/geo-platform/tenant-api/internal/shared/config"
"github.com/geo-platform/tenant-api/internal/shared/middleware"
"github.com/geo-platform/tenant-api/internal/shared/response"
)
type Deps struct {
Engine *gin.Engine
Server sharedconfig.ServerConfig
Logger *zap.Logger
DB *pgxpool.Pool
MonitoringDB *pgxpool.Pool
@@ -26,13 +28,27 @@ type Deps struct {
Compliance *app.ComplianceService
}
func (d Deps) ServerAllowedOrigins() []string {
return d.Server.AllowedOrigins
}
func (d Deps) ServerSecurityHeadersEnabled() bool {
return d.Server.SecurityHeaders.Enabled
}
func RegisterRoutes(d Deps) {
d.Engine.Use(
middleware.Recovery(d.Logger),
middleware.RequestID(),
middleware.Logger(d.Logger),
middleware.CORS(),
)
if d.ServerSecurityHeadersEnabled() {
d.Engine.Use(middleware.SecurityHeaders())
}
d.Engine.Use(middleware.CORSWithConfig(middleware.CORSConfig{
AllowedOrigins: d.ServerAllowedOrigins(),
AllowAll: len(d.ServerAllowedOrigins()) == 0,
}))
d.Engine.GET("/api/health/live", func(c *gin.Context) {
response.Success(c, gin.H{"status": "alive"})
@@ -53,6 +69,7 @@ func RegisterRoutes(d Deps) {
api := d.Engine.Group("/api/ops")
{
api.GET("/auth/password-key", passwordPublicKeyHandler(d.Auth))
api.POST("/auth/login", loginHandler(d.Auth))
}