lushuncheng 4 yıl önce
ebeveyn
işleme
5d2f52503a

+ 4 - 1
.example.env

@@ -25,4 +25,7 @@ default_lang = zh-cn
 API_HOST=
 API_KEY=
 API_SECRET=
-MOCK=
+# if mock weibo's api
+MOCK=
+# the h5 referer to check for safe
+REFERER=

+ 2 - 2
app/admin/controller/Notice.php

@@ -2,7 +2,7 @@
 
 namespace app\admin\controller;
 
-use app\admin\model\SinaNotice;
+use app\admin\model\SystemNotice;
 use think\admin\Controller;
 use think\admin\service\AdminService;
 use think\admin\helper\QueryHelper;
@@ -30,7 +30,7 @@ class Notice extends Controller
      */
     public function index()
     {
-        $this->_query(SinaNotice::class)->layTable(function () {
+        $this->_query(SystemNotice::class)->layTable(function () {
             $this->title = '通知管理';
         }, function (QueryHelper $query) {
         });

+ 1 - 1
app/admin/model/SinaNotice.php → app/admin/model/SystemNotice.php

@@ -4,6 +4,6 @@ namespace app\admin\model;
 
 use think\Model;
 
-class SinaNotice extends Model
+class SystemNotice extends Model
 {
 }

+ 18 - 8
app/index/controller/Index.php

@@ -2,7 +2,7 @@
 
 namespace app\index\controller;
 
-use app\admin\model\SinaNotice;
+use app\admin\model\SystemNotice;
 use app\middleware\Log;
 use app\middleware\Safe;
 use app\service\WeiboService;
@@ -45,8 +45,13 @@ class Index extends Controller
         if (!empty($_COOKIE['SUB'])) {
             $sub = $_COOKIE['SUB'];
         } else {
-            $sub = Request::post('cookie');
-            $uid = $sub;
+            // 只在调试模式下开启从POST参数中获取UID,方便测试联调
+            if (env('app_debug') === true || env('app_debug') === 'true') {
+                $sub = Request::post('cookie');
+                $uid = $sub;
+            } else {
+                return $this->response(403, 'not login.');
+            }
         }
         FacadeLog::info($sub);
         $userInfoRes = (new WeiboService($uid))->userinfo($sub);
@@ -54,7 +59,7 @@ class Index extends Controller
             return $this->response(403, $userInfoRes['msg'] ?? '没有登录');
         }
         // 使用客户端信息生成token 
-        $token =  md5($_SERVER['HTTP_USER_AGENT'] . $_SERVER['HTTP_ACCEPT_ENCODING'] . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . get_client_ip(0)) . $userInfoRes['data']['uid'];
+        $token =  md5($_SERVER['HTTP_USER_AGENT'] . $_SERVER['HTTP_ACCEPT_ENCODING'] . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . $_SERVER['HTTP_REFERER'] . get_client_ip(0)) . $userInfoRes['data']['uid'];
         $user = $userInfoRes['data'];
         // 生成加密用的密钥和向量
         $cipher = "aes-256-gcm";
@@ -65,8 +70,13 @@ class Index extends Controller
             'aes_key' => $aesKey,
             'ase_iv' => $iv,
         ]);
+        $cacheUser = [
+            'aes_key' => $aesKey,
+            'ase_iv' => $iv,
+            'uid' => $user['uid'],
+        ];
         // 缓存用户信息1天
-        Cache::set('u:' . $token, json_encode($user), 86400);
+        Cache::set('u:' . $token, json_encode($cacheUser), 86400);
         return $this->successResponse([
             'user' => $user,
             'token' => $token,
@@ -95,7 +105,7 @@ class Index extends Controller
      */
     public function notices()
     {
-        $rows = SinaNotice::limit(20)->order('id', 'desc')->select();
+        $rows = SystemNotice::limit(20)->order('id', 'desc')->select();
         return $this->successResponse([
             "lists" => $rows,
         ]);
@@ -112,7 +122,7 @@ class Index extends Controller
         if (empty($sendRes) || $sendRes['code'] != 10000) {
             return $this->response(403, $sendRes['msg'] ?? '发布失败');
         }
-        Cache::set('u:f:' . Safe::$user['uid'], 1, 0);
+        Cache::set('u:f:' . Safe::$user['uid'], 1, 180 * 86400);
         return $this->successResponse(null, '发布成功!');
     }
     /**
@@ -122,7 +132,7 @@ class Index extends Controller
      */
     public function setFirst()
     {
-        Cache::set('u:f:' . Safe::$user['uid'], 1, 0);
+        Cache::set('u:f:' . Safe::$user['uid'], 1, 180 * 86400);
         return $this->successResponse(null, '操作成功!');
     }
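Review bot: The token built on L86 is an md5 of request headers the client supplies plus the uid that the same response returns under `user`, so appending `HTTP_REFERER` adds no server-held secret and the value stays reproducible by anyone holding the same headers and uid. It also indexes `$_SERVER['HTTP_REFERER']` directly, which is absent when the browser sends no Referer (and it changes as the user navigates, so the token would stop matching across pages), so at minimum read it as `$_SERVER['HTTP_REFERER'] ?? ''`. A sturdier option is an unguessable token, `$token = bin2hex(random_bytes(32));`, with Safe.php validating by looking up the `'u:' . $token` cache entry written on L101 instead of recomputing the hash — the two files must change together. The `180 * 86400` TTL introduced on L119 and repeated on L128 is a candidate for one named class constant. The enclosing method, including where `$uid` is set on the cookie path, starts before this hunk.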
 

+ 16 - 2
app/middleware/Safe.php

@@ -23,10 +23,24 @@ class Safe
      */
     public function handle(Request $request, Closure $next)
     {
+        $referer = $_SERVER['HTTP_REFERER'] ?? '';
+        if (env('app_debug') === false || env('app_debug') === 'false') {
+            if (strpos($referer, env('weibo.referer')) === false) {
+                abort(
+                    json(
+                        [
+                            'code' => 403,
+                            'message' => 'not login.',
+                        ]
+                    )
+                );
+                return null;
+            }
+        }
         if (strpos(\think\facade\Request::url(), '/checkLogin') !== false) {
             return $next($request);
         }
-        $token = $request->get('token', $request->post('token', ''));
+        $token = $request->post('token', '');
         if (empty($token)) {
             abort(
                 json(
@@ -51,7 +65,7 @@ class Safe
             return null;
         }
         // 简单检查token合法性,防止抓包拿到token放到代码里面跑
-        $loginToken = md5($_SERVER['HTTP_USER_AGENT'] . $_SERVER['HTTP_ACCEPT_ENCODING'] . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . get_client_ip(0)) . $user['uid'];
+        $loginToken = md5($_SERVER['HTTP_USER_AGENT'] . $_SERVER['HTTP_ACCEPT_ENCODING'] . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . $_SERVER['HTTP_REFERER'] . get_client_ip(0)) . $user['uid'];
         if ($loginToken != $token) {
             abort(
                 json(
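Review bot: The referer gate added on L141-L142 accepts any Referer that merely contains the configured value somewhere in the string, and when `weibo.referer` is unset or empty, `strpos` with an empty needle returns 0 on PHP 8, so every request passes. The gate itself only runs when `app_debug` is explicitly `false`/`'false'`; an unset value skips the check entirely, which is the opposite default from the `=== true` test in Index.php. The shape below treats anything other than an explicit true as production, rejects an empty configuration, and compares the Referer host with the configured one (`parse_url` is applied to both so `weibo.referer` may hold a host or a URL — confirm which form `.example.env`'s `REFERER` is meant to take). L167 also reads `$_SERVER['HTTP_REFERER']` without the `?? ''` that L140 uses, and the `!=` on L168 should be `hash_equals($loginToken, $token)`. handle() continues past the end of this hunk.
```php
    public function handle(Request $request, Closure $next)
    {
        $referer = $_SERVER['HTTP_REFERER'] ?? '';
        // Anything other than an explicit true counts as production, so the check is on by default.
        $debug = in_array(env('app_debug'), [true, 'true'], true);
        if (!$debug) {
            $configured = (string) env('weibo.referer', '');
            $allowedHost = parse_url($configured, PHP_URL_HOST) ?: $configured;
            $refererHost = parse_url($referer, PHP_URL_HOST) ?: '';
            if ($allowedHost === '' || $refererHost === '' || strcasecmp($refererHost, $allowedHost) !== 0) {
                abort(json(['code' => 403, 'message' => 'not login.']));
                return null;
            }
        }
        // … unchanged: /checkLogin bypass, token retrieval and lookup …
```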

+ 1 - 1
config/database.php

@@ -33,7 +33,7 @@ return [
             // 数据库编码默认采用 utf8
             'charset'         => 'utf8mb4',
             // 数据库表前缀
-            'prefix'          => '',
+            'prefix'          => 'awards_',
             // 数据库部署方式:0 集中式(单一服务器),1 分布式(主从服务器)
             'deploy'          => 0,
             // 数据库读写是否分离 主从式有效

+ 3 - 3
config/session.php

@@ -6,11 +6,11 @@ return [
     // 字段名称
     'name'   => 'PHPSESSID',
     // 驱动方式
-    'type'   => 'file',
+    'type'   => 'cache',
     // 存储连接
-    'store'  => null,
+    'store'  => 'redis',
     // 过期时间
     'expire' => 7200,
     // 文件前缀
-    'prefix' => '',
+    'prefix' => 'wbms:',
 ];

+ 3752 - 3752
sql.sql

