sina-video/app/middleware/Safe.php

<?php

declare(strict_types=1);

namespace app\middleware;

use Closure;
use think\Request;
use think\Response;
use think\facade\Log;
use think\facade\Cache;

class Safe
{
    /**
     * @var array
     */
    public static $body = [];

    /**
     * @var array
     */
    public static $user = [];

    /**
     * 处理请求
     *
     * @param  Request    $request
     * @param  Closure    $next
     * @return Response
     */
    public function handle(Request $request, Closure $next)
    {
        $referer = $_SERVER['HTTP_REFERER'] ?? '';
        // 非调试模式 开启referer检测
        if (empty(env('app_debug'))) {
            if (strpos($referer, env('weibo.referer')) === false) {
                abort(
                    json(
                        [
                            'code' => 403,
                            'message' => 'not login.',
                        ]
                    )
                );
                return null;
            }
        }
        if (strpos(\think\facade\Request::url(), '/checkLogin') !== false || strpos(\think\facade\Request::url(), '/groupPageConfig') || strpos(\think\facade\Request::url(), '/notices') || strpos(\think\facade\Request::url(), '/getRule')) {
            return $next($request);
        }
        $token = $request->post('token', '');
        if (empty($token)) {
            abort(
                json(
                    [
                        'code' => 403,
                        'message' => 'not login.',
                    ]
                )
            );
            return null;
        }

        if (empty(Cache::get('u:' . $token))) {
            abort(
                json(
                    [
                        'code' => 403,
                        'message' => 'token invalid.',
                    ]
                )
            );
            return null;
        }

        $user = json_decode(Cache::get('u:' . $token), true);
        if (empty($user)) {
            abort(
                json(
                    [
                        'code' => 403,
                        'message' => 'not login.',
                    ]
                )
            );
            return null;
        }
        // 简单检查token合法性，防止抓包拿到token放到代码里面跑
        $loginToken = md5($_SERVER['HTTP_USER_AGENT'] . $_SERVER['HTTP_ACCEPT_ENCODING'] . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . $_SERVER['HTTP_REFERER'] . get_client_ip(0) . $user['uid']);
        if ($loginToken != $token) {
            abort(
                json(
                    [
                        'code' => 403,
                        'message' => 'bad user.',
                    ]
                )
            );
            return null;
        }
        static::$user = $user;
        $body = $request->post('body');
        if (!empty($body)) {
            $tag = $request->post('tag');
            if (empty($tag)) {
                abort(
                    json(
                        [
                            'code' => 500,
                            'message' => '参数错误.',
                        ]
                    )
                );
                return null;
            }
            $jsonText = openssl_decrypt(hex2bin($body), 'aes-256-gcm', hex2bin($user['aes_key']), 1, hex2bin($user['aes_iv']), hex2bin($tag));
            if (empty($jsonText)) {
                abort(
                    json(
                        [
                            'code' => 500,
                            'message' => '参数错误.',
                        ]
                    )
                );
                return null;
            }
            Log::info("requestBody:" . $jsonText);
            static::$body = json_decode($jsonText, true);
            return $next($request);
        }
        return $next($request);
    }
}