fix: 生产安全修复 + Go SDK + CAS SSO框架

安全修复: - CRITICAL: SSO重定向URL注入漏洞 - 修复redirect_uri白名单验证 - HIGH: SSO ClientSecret未验证 - 使用crypto/subtle.ConstantTimeCompare验证 - HIGH: 邮件验证码熵值过低(3字节) - 提升到6字节(48位熵) - HIGH: 短信验证码熵值过低(4字节) - 提升到6字节 - HIGH: Goroutine使用已取消上下文 - auth_email.go使用独立context+超时 - HIGH: SQL LIKE查询注入风险 - permission/role仓库使用escapeLikePattern 新功能: - Go SDK: sdk/go/user-management/ 完整SDK实现 - CAS SSO框架: internal/auth/cas.go CAS协议支持其他: - L1Cache实例问题修复 - AuthMiddleware共享l1Cache - 设备指纹XSS防护 - 内存存储替代localStorage - 响应格式协议中间件 - 导出无界查询修复
2026-04-03 17:38:31 +08:00
parent 44e60be918
commit 765a50b7d4
22 changed files with 2318 additions and 71 deletions
--- a/frontend/admin/src/lib/device-fingerprint.ts
+++ b/frontend/admin/src/lib/device-fingerprint.ts
@@ -0,0 +1,78 @@
+/**
+ * 设备指纹模块
+ *
+ * 安全说明：设备指纹存储在内存中，不写入 localStorage/sessionStorage
+ * 以防止 XSS 攻击者读取或注入恶意设备指纹
+ */
+
+export interface DeviceFingerprint {
+  device_id: string
+  device_name: string
+  device_browser: string
+  device_os: string
+}
+
+// 内存中的设备指纹缓存
+let cachedFingerprint: DeviceFingerprint | null = null
+
+// 从 User-Agent 解析浏览器信息
+function parseBrowser(ua: string): string {
+  if (ua.includes('Chrome')) return 'Chrome'
+  if (ua.includes('Firefox')) return 'Firefox'
+  if (ua.includes('Safari')) return 'Safari'
+  if (ua.includes('Edge')) return 'Edge'
+  if (ua.includes('Opera')) return 'Opera'
+  if (ua.includes('IE')) return 'IE'
+  return 'Unknown'
+}
+
+// 从 User-Agent 解析操作系统信息
+function parseOS(ua: string): string {
+  if (ua.includes('Windows')) return 'Windows'
+  if (ua.includes('Mac OS') || ua.includes('macOS')) return 'macOS'
+  if (ua.includes('Linux')) return 'Linux'
+  if (ua.includes('Android')) return 'Android'
+  if (ua.includes('iOS') || ua.includes('iPhone') || ua.includes('iPad')) return 'iOS'
+  return 'Unknown'
+}
+
+// 生成设备 ID
+function generateDeviceId(): string {
+  if (typeof crypto !== 'undefined' && typeof crypto.randomUUID === 'function') {
+    return crypto.randomUUID()
+  }
+  // Fallback: 使用随机字符串（不如 UUID 安全但可用）
+  const browser = parseBrowser(navigator.userAgent)
+  const os = parseOS(navigator.userAgent)
+  return `${browser}-${os}-${Date.now()}-${Math.random().toString(36).slice(2, 10)}`
+}
+
+/**
+ * 获取设备指纹
+ * 每次调用返回相同的内存缓存实例（单例模式）
+ */
+export function getDeviceFingerprint(): DeviceFingerprint {
+  if (cachedFingerprint) {
+    return cachedFingerprint
+  }
+
+  const ua = navigator.userAgent
+  const browser = parseBrowser(ua)
+  const os = parseOS(ua)
+
+  cachedFingerprint = {
+    device_id: generateDeviceId(),
+    device_name: `${browser} on ${os}`,
+    device_browser: browser,
+    device_os: os,
+  }
+
+  return cachedFingerprint
+}
+
+/**
+ * 清除缓存的设备指纹（用于测试或登出）
+ */
+export function clearDeviceFingerprint(): void {
+  cachedFingerprint = null
+}