duanyangfeng
/
sina-video


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122
							<?php

declare(strict_types=1);

namespace app\middleware;

use Closure;
use think\Request;
use think\Response;
use think\facade\Log;
use think\facade\Cache;

class Safe
{
    /**
     * @var array
     */
    public static $body = [];

    /**
     * @var array
     */
    public static $user = [];

    /**
     * 处理请求
     *
     * @param  Request    $request
     * @param  Closure    $next
     * @return Response
     */
    public function handle(Request $request, Closure $next)
    {
        $referer = $_SERVER['HTTP_REFERER'] ?? '';
        // 非调试模式 开启referer检测
        if (empty(env('app_debug'))) {
            if (strpos($referer, env('weibo.referer')) === false) {
                abort(
                    json(
                        [
                            'code' => 403,
                            'message' => 'not login.',
                        ]
                    )
                );
                return null;
            }
        }
        if (strpos(\think\facade\Request::url(), '/checkLogin') !== false || strpos(\think\facade\Request::url(), '/groupPageConfig') || strpos(\think\facade\Request::url(), '/notices') || strpos(\think\facade\Request::url(), '/getRule')) {
            return $next($request);
        }
        $token = $request->post('token', '');
        if (empty($token)) {
            abort(
                json(
                    [
                        'code' => 403,
                        'message' => 'not login.',
                    ]
                )
            );
            return null;
        }
        $user = json_decode(Cache::get('u:' . $token), true);
        if (empty($user)) {
            abort(
                json(
                    [
                        'code' => 403,
                        'message' => 'not login.',
                    ]
                )
            );
            return null;
        }
        // 简单检查token合法性，防止抓包拿到token放到代码里面跑
        $loginToken = md5($_SERVER['HTTP_USER_AGENT'] . $_SERVER['HTTP_ACCEPT_ENCODING'] . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . $_SERVER['HTTP_REFERER'] . get_client_ip(0) . $user['uid']);
        if ($loginToken != $token) {
            abort(
                json(
                    [
                        'code' => 403,
                        'message' => 'bad user.',
                    ]
                )
            );
            return null;
        }
        static::$user = $user;
        $body = $request->post('body');
        if (!empty($body)) {
            $tag = $request->post('tag');
            if (empty($tag)) {
                abort(
                    json(
                        [
                            'code' => 500,
                            'message' => '参数错误.',
                        ]
                    )
                );
                return null;
            }
            $jsonText = openssl_decrypt(hex2bin($body), 'aes-256-gcm', hex2bin($user['aes_key']), 1, hex2bin($user['aes_iv']), hex2bin($tag));
            if (empty($jsonText)) {
                abort(
                    json(
                        [
                            'code' => 500,
                            'message' => '参数错误.',
                        ]
                    )
                );
                return null;
            }
            Log::info("requestBody:" . $jsonText);
            static::$body = json_decode($jsonText, true);
            return $next($request);
        }
        return $next($request);
    }
}