Feat: auth for remote callback / Modify: use map to store hooks in filesystem

middleware/auth.go

@@ -3,6 +3,7 @@ package middleware
 import (
 	"github.com/HFO4/cloudreve/models"
 	"github.com/HFO4/cloudreve/pkg/auth"
+	"github.com/HFO4/cloudreve/pkg/cache"
 	"github.com/HFO4/cloudreve/pkg/serializer"
 	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
@@ -25,6 +26,7 @@ func SignRequired() gin.HandlerFunc {
 		if err != nil {
 			c.JSON(200, serializer.Err(serializer.CodeCheckLogin, err.Error(), err))
 			c.Abort()
+			return
 		}
 		c.Next()
 	}
@@ -103,3 +105,55 @@ func WebDAVAuth() gin.HandlerFunc {
 		c.Next()
 	}
 }
+
+// RemoteCallbackAuth 远程回调签名验证
+// TODO 测试
+func RemoteCallbackAuth() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		// 验证 Callback Key
+		callbackKey := c.Param("key")
+		if callbackKey == "" {
+			c.JSON(200, serializer.ParamErr("Callback Key 不能为空", nil))
+			c.Abort()
+			return
+		}
+		callbackSessionRaw, exist := cache.Get("callback_" + callbackKey)
+		if !exist {
+			c.JSON(200, serializer.ParamErr("回调会话不存在或已过期", nil))
+			c.Abort()
+			return
+		}
+		callbackSession := callbackSessionRaw.(serializer.UploadSession)
+		c.Set("callbackSession", &callbackSession)
+
+		// 清理回调会话
+		_ = cache.Deletes([]string{callbackKey}, "callback_")
+
+		// 查找用户
+		user, err := model.GetUserByID(callbackSession.UID)
+		if err != nil {
+			c.JSON(200, serializer.Err(serializer.CodeCheckLogin, "找不到用户", err))
+			c.Abort()
+			return
+		}
+		c.Set("user", &user)
+
+		// 检查存储策略是否一致
+		if user.GetPolicyID() != callbackSession.PolicyID {
+			c.JSON(200, serializer.Err(serializer.CodePolicyNotAllowed, "存储策略已变更，请重新上传", nil))
+			c.Abort()
+			return
+		}
+
+		// 验证签名
+		authInstance := auth.HMACAuth{SecretKey: []byte(user.Policy.SecretKey)}
+		if err := auth.CheckRequest(authInstance, c.Request); err != nil {
+			c.JSON(200, serializer.Err(serializer.CodeCheckLogin, err.Error(), err))
+			c.Abort()
+			return
+		}
+
+		c.Next()
+
+	}
+}