diff --git a/fapp/贡献代码.bat b/fapp/贡献代码.bat
index 9f90fa3..854e64e 100644
--- a/fapp/贡献代码.bat
+++ b/fapp/贡献代码.bat
@@ -3,6 +3,8 @@ xcopy ciydao\pages\demo ciyon_ap\pages\demo /s /y /v
xcopy ciydao\pages\main ciyon_ap\pages\main /s /y /v
xcopy ciydao\pages\pub ciyon_ap\pages\pub /s /y /v
xcopy ciydao\util ciyon_ap\util /s /y /v
+xcopy ciydao\index.html ciyon_ap\index.html /s /y /v
xcopy ciydao\main.js ciyon_ap\main.js /s /y /v
xcopy ciydao\vite.config.js ciyon_ap\vite.config.js /s /y /v
+xcopy ..\web\ambdao ..\web\ambap /s /y /v
pause
\ No newline at end of file
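Review bot: The new `xcopy ciydao\index.html ciyon_ap\index.html /s /y /v` copies a single file, and when the destination does not exist yet xcopy stops to ask whether the target is a file or a directory, which `/y` does not suppress; the existing main.js and vite.config.js lines have the same shape, so the pattern is inherited, but `copy /y ciydao\index.html ciyon_ap\index.html` runs unattended. The added `xcopy ..\web\ambdao ..\web\ambap /s /y /v` overwrites the whole ambap tree; if common.php is among the copied files, both directories end up with the same `$_token['salt']`, which the comment in common.php says must differ per project (whether it is copied is not visible in this diff).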
diff --git a/web/ambap/common.php b/web/ambap/common.php
index acdfe89..b55e2f5 100644
--- a/web/ambap/common.php
+++ b/web/ambap/common.php
@@ -16,9 +16,12 @@
* get/set config 从SaaS配置表中读写配置项
* get/set/del memvar 从SaaS内存表中读写变量
*/
-$tokenfield = "ciyap";
-$tokensalt = "ast34h$3"; //做数据加解密时的加密因子,每个项目都不要相同。
-$logpath = PATH_ROOT . 'log/';
+$_token = array();
+$_token['type'] = 'localstorage'; //cookie(更安全) 、 localstorage(兼容性好) 微信小程序不支持cookie
+$_token['swapsec'] = 3600; //更换JWT时间
+$_token['expsec'] = 86400; //过期退出时间
+$_token['field'] = 'ciyap';
+$_token['salt'] = 'ast34h$3'; //做数据加解密时的加密因子,每个项目都不要相同。
function verifyfast() {
$rsuser = verifyuser();
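Review bot: `$_token['salt']` on L31 is still a literal in a tracked source file while the comment on the same line says every project must use a different one, and the batch file in this commit now copies `..\web\ambdao` over `..\web\ambap`, so the two projects plausibly share it. Read it from deployment configuration outside version control and fail closed when missing, e.g. `$_token['salt'] = getenv('CIY_TOKEN_SALT') ?: exit('token salt not configured');` (environment name is a placeholder). Separately, the name `$_token` looks like a superglobal and the array mixes static configuration with per-request state (`$_token['__ciyauth']` is assigned at runtime later in this file); a plain name such as `$tokencfg` and a separate variable for the refreshed token would keep the two apart. The quoting change from `"ast34h$3"` to `'ast34h$3'` does not alter the value, since `$3` is not a valid variable name.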
@@ -28,13 +31,14 @@ function verifyfast() {
}
function verifyuser() {
global $db;
- global $tokensalt;
- global $tokenfield;
- if (isset($_SERVER['HTTP_' . strtoupper($tokenfield)]))
- $ciyauth = $_SERVER['HTTP_' . strtoupper($tokenfield)];
+ global $_token;
+ if (isset($_COOKIE[$_token['field']]))
+ $ciyauth = $_COOKIE[$_token['field']];
+ else if (isset($_SERVER['HTTP_CIYAUTH']))
+ $ciyauth = $_SERVER['HTTP_CIYAUTH'];
else
- $ciyauth = get('_' . $tokenfield);
- $auth = json_decode(encrypt($ciyauth, 'D', $tokensalt), true);
+ $ciyauth = get('_ciyauth');
+ $auth = json_decode(encrypt($ciyauth, 'D', $_token['salt']), true);
if ($auth == null)
return null;
$csql = new \ciy\sql('ap_user'); //弃用redis集群
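Review bot: The header and query fallbacks on L45-L50 are hard-coded to `HTTP_CIYAUTH` and `'_ciyauth'` while the cookie branch on L43 uses `$_token['field']` ('ciyap'), so the configurable field name now governs only the cookie; the previous code derived all three lookups from `$tokenfield`, and if the client really sends a different header name that should be recorded in a comment next to `$_token['field']`. The `get('_ciyauth')` fallback (presumably the query string, as the old `get('_' . $tokenfield)` was) puts the session token in the URL, where it is written to access logs and leaks through Referer; if the mini-program case that cannot use cookies (L27) can send the header, the query fallback can be dropped. Note also that the cookie wins over the header when both are present, so a stale cookie in a browser masks a fresh localstorage token. The enclosing `verifyuser` continues past the end of this hunk.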
@@ -46,16 +50,25 @@ function verifyuser() {
return null;
if ($userrow['stpstatus'] != 10)
return null;
+ if ($userrow['exptimes'] < time() - $_token['expsec'])
+ return null;
if ($userrow['exptimes'] > time())
return $userrow;
- $exp = time() + 86400;
+ $exp = time() + $_token['swapsec'];
$sid = randstr(10);
$auth['_s'] = $sid;
if ($db->execute('update ap_user set exptimes=?,sid=? where id=?', array($exp, $sid, $auth['id'])) === false)
return null;
$authstr = json_encode($auth, JSON_PARTIAL_OUTPUT_ON_ERROR);
- $enauth = encrypt($authstr, 'E', $tokensalt);
- header($tokenfield . ': ' . $enauth);
+ $enauth = encrypt($authstr, 'E', $_token['salt']);
+ if ($_token['type'] == 'cookie') {
+ $headercookie = 'Set-Cookie: ' . $_token['field'] . '=' . $enauth . '; expires=' . gmdate('D, d-M-Y H:i:s T', $exp + $_token['swapsec'] + $_token['expsec']) . '; path=/; SameSite=None; Secure; httponly';
+ header($headercookie);
+ } else {
+ //header($_token['field'] . ': ' . $enauth);
+ $_token['__ciyauth'] = $enauth;
+ }
+ //header($_token['field'] . ': ' . $enauth);
return $userrow;
}
//true无权限,false有权限
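Review bot: In the `else` branch on L76-L79 the rotated token is only stashed in `$_token['__ciyauth']` after `ap_user.sid` has already been replaced on L67, and the header that used to deliver it is commented out (L77, L80); unless a response wrapper outside this file reads `$_token['__ciyauth']` (not visible here), localstorage clients never receive the new token and drop out of session once `swapsec` elapses. The cookie branch builds `Set-Cookie` by string concatenation with `expires` at `$exp + swapsec + expsec`, which outlives the server-side cutoff on L59 (`exptimes < time() - expsec`, i.e. `$exp + expsec`) by one `swapsec`; `setcookie()` with its options array sets the same attributes without hand-formatting the date. `verifyuser` starts in the previous hunk.
```php
if ($_token['type'] == 'cookie') {
    // expires matches the server-side cutoff on L59: the token is rejected once exptimes < time() - expsec
    setcookie($_token['field'], $enauth, [
        'expires' => $exp + $_token['expsec'],
        'path' => '/',
        'secure' => true,
        'httponly' => true,
        'samesite' => 'None',
    ]);
} else {
    // … unchanged: localstorage branch, which still needs a delivery path for $enauth …
}
```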
@@ -101,7 +114,7 @@ function savelog($db, $userid, $types, $msg, $isrequest = false, $time = 0) {
$updata['readuser'] = 0;
$updata['addtimes'] = $time == 0 ? tostamp() : $time;
$updata['ip'] = getip();
- $csql = new \ciy\sql('zc_log');
+ $csql = new \ciy\sql('ap_log');
$db->insert($csql, $updata);
return false;
}
@@ -112,10 +125,10 @@ function gettoken($db, $id) {
$csql = new \ciy\sql('zc_token');
$csql->where('id', $id);
$tokenrow = $db->getone($csql);
- if(!is_array($tokenrow))
+ if (!is_array($tokenrow))
return array();
$cfgtoken = str_replace('{PATH_ROOT}', PATH_ROOT, $tokenrow['cfgtoken']);
- $cfg = getstrparam($cfgtoken , "\n");
+ $cfg = getstrparam($cfgtoken, "\n");
$cfg['accesstoken'] = $tokenrow['accesstoken'];
$cfg['exptimes'] = $tokenrow['exptimes'];
return $cfg;
@@ -191,7 +204,7 @@ function setmemvar($db, $types, $value) {
if ($ind === false) {
$updata['params'] = 1;
} else {
- $updata['params'] = toint(substr($value[0], $ind + 1));
+ $updata['params'] = (int)substr($value[0], $ind + 1);
}
}
if ($db->insert($csql, $updata) === false)
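Review bot: Replacing `toint(substr($value[0], $ind + 1))` with a bare `(int)` cast silently maps a non-numeric suffix to `0` and a leading-numeric one such as `12abc` to `12`; whether the project helper `toint` validated or rejected such input is not visible here, so if it did, this hunk loosens the check. If the cast is intended, a short comment saying that malformed values default to 0 would document it. `setmemvar` starts and ends outside this hunk.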
@@ -206,7 +219,7 @@ function delmemvar($db, $types) {
}
function ciy_api($enter, $param) {
$cfg = webini('ciyapi');
- if(is_string($cfg))
+ if (is_string($cfg))
return errjson($cfg);
$time = time();
$payload = json_encode($param);
diff --git a/web/ambap/login.php b/web/ambap/login.php
index 7575d7b..6493c4f 100644
--- a/web/ambap/login.php
+++ b/web/ambap/login.php
@@ -17,8 +17,9 @@ class login {
}
public static function json_login_mobile() {
global $db;
- global $tokensalt;
+ global $_token;
$post = new \ciy\post();
+ $model = $post->get('model');
$user = $post->get('user');
if (empty($user))
return errjson('请填写用户名');
@@ -45,7 +46,7 @@ class login {
if (abs($authtime / 1000 - tostamp()) > 300)
return errjson('您的本地时间与服务器时间相差超过5分钟,请调整本机时间。
服务器时间: ' . date('Y-m-d H:i:s') . '
您本机时间: ' . date('Y-m-d H:i:s', $authtime / 1000));
// if($user == '1')
- // clog(md5('1' . $tokensalt)); //开发生成默认密码
+ // clog(md5('1' . $_token['salt'])); //开发生成默认密码
if ($post->get('pass') != md5($rsuser['password'] . $authtime)) {
$updata = array();
$updata['trytime'] = array('trytime+1');
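Review bot: The password check on L147, `$post->get('pass') != md5($rsuser['password'] . $authtime)`, compares two strings with loose inequality, which treats numeric-looking strings such as `0e…` hex digests as numbers and can report equality for distinct values; this line is unchanged by the commit but sits directly under the edited comment. A constant-time strict comparison closes both issues: `if (!hash_equals(md5($rsuser['password'] . $authtime), (string)$post->get('pass'))) {`. `json_login_mobile` starts and ends outside this hunk.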
@@ -53,11 +54,11 @@ class login {
$csql = new \ciy\sql('ap_user');
$csql->where('id', $rsuser['id']);
$db->update($csql, $updata);
- savelog($db, $rsuser['id'], 'LOGINERR', '用户[' . $user . ']登录密码错误' . md5('1' . $tokensalt));
+ savelog($db, $rsuser['id'], 'LOGINERR', '用户[' . $user . ']登录密码错误' . md5('1' . $_token['salt']));
return errjson('用户名或密码错误.');
}
$sid = randstr(10);
- $exp = tostamp() + 86400; //默认三天过期,每天换秘钥
+ $exp = tostamp() + $_token['swapsec'];
$id = $rsuser['id'];
$updata = array();
$updata['logintimes'] = tostamp();
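Review bot: The changed `savelog` call on L155 appends `md5('1' . $_token['salt'])` to every LOGINERR message, and the comment on L145-L146 describes that exact expression as the development default password; writing it into the log table hands the default-credential hash to anyone with read access to ap_log. It reads as a leftover debug fragment: `savelog($db, $rsuser['id'], 'LOGINERR', '用户[' . $user . ']登录密码错误');`. The enclosing `json_login_mobile` starts and ends outside this hunk.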
@@ -69,14 +70,14 @@ class login {
$csql->where('id', $id);
if ($db->update($csql, $updata) === false)
return errjson('user数据库更新失败:' . $db->error);
- savelog($db, $rsuser['id'], 'LOGIN', '登录成功');
-
- self::setonline($rsuser, $sid);
- return self::getsync($rsuser);
+ self::saveluser($db, 1, $rsuser['id'], $model);
+ return self::getsync($rsuser, $sid);
}
public static function json_reg_mobile() {
global $db;
+ global $_token;
$post = new \ciy\post();
+ $model = $post->get('model');
$upid = $post->getint('upid');
$user = $post->get('user');
$pass = $post->get('pass');
@@ -93,7 +94,7 @@ class login {
return errjson('该手机号已被注册');
$sid = randstr(10);
- $exp = tostamp() + 86400; //默认三天过期,每天换秘钥
+ $exp = tostamp() + $_token['swapsec']; //默认三天过期,每天换秘钥
$rsuser = array();
$rsuser['upid'] = $upid;
$rsuser['stpstatus'] = 10;
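Review bot: The comment kept on L187, `//默认三天过期,每天换秘钥`, no longer matches the code: `$exp` is now `tostamp() + $_token['swapsec']` (3600 s per L28) and the hard expiry is `$_token['expsec']` (86400 s per L29), while the same line in `json_login_mobile` (L160) had the comment removed. The stale comment is also retained at L212 and L237; either delete it in all three places or replace it with `// JWT swap interval; hard expiry is $_token['expsec']`. `json_reg_mobile` starts in the previous hunk and continues past this one.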
@@ -123,12 +124,12 @@ class login {
if ($upid > 0) {
//上级用户统计
}
- savelog($db, $rsuser['id'], 'LOGIN', '手机注册成功');
- self::setonline($rsuser, $sid);
- return self::getsync($rsuser);
+ self::saveluser($db, 1, $rsuser['id'], '手机注册:' . $model);
+ return self::getsync($rsuser, $sid);
}
public static function json_wx_autouser() {
global $db;
+ global $_token;
$post = new \ciy\post();
$code = $post->get('code');
$upid = $post->getint('upid');
@@ -145,7 +146,7 @@ class login {
$rsuser = $db->getone($csql);
$userid = 0;
$sid = randstr(10);
- $exp = tostamp() + 86400; //默认三天过期,每天换秘钥
+ $exp = tostamp() + $_token['swapsec']; //默认三天过期,每天换秘钥
if (is_array($rsuser)) {
$userid = $rsuser['id'];
if ($rsuser['upid'] == 0 && $upid > 0 && $upid != $userid)
@@ -210,12 +211,13 @@ class login {
// return errjson('上线统计失败:' . $db->error);
}
}
- self::setonline($rsuser, $sid);
- return self::getsync($rsuser);
+ return self::getsync($rsuser, $sid);
}
public static function json_forgetpass() {
global $db;
+ global $_token;
$post = new \ciy\post();
+ $model = $post->get('model');
$mobile = $post->get('user');
$pass = $post->get('pass');
$code = $post->get('capsms');
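Review bot: `json_wx_autouser` drops the `setonline` call on L220 but, unlike `json_login_mobile` (L172), `json_reg_mobile` (L198) and `json_forgetpass` (L249), does not record the sign-in through `self::saveluser`, so WeChat auto-logins leave no ap_luser row while every other path does. If that is unintended, add `self::saveluser($db, 1, $rsuser['id'], '微信登录');` before `return self::getsync($rsuser, $sid);` (the message is a suggestion; this method does not read a `model` field). `json_wx_autouser` starts outside this hunk.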
@@ -254,7 +256,7 @@ class login {
return errjson($errmsg);
}
$sid = randstr(10);
- $exp = tostamp() + 86400; //默认三天过期,每天换秘钥
+ $exp = tostamp() + $_token['swapsec']; //默认三天过期,每天换秘钥
$updata = array();
$updata['trytime'] = 0;
$updata['password'] = $pass;
@@ -267,10 +269,8 @@ class login {
$csql->where('id', $caprow['vuser']);
if ($db->update($csql, $updata) === false)
return errjson('密码更新失败:' . $db->error);
- savelog($db, $rsuser['id'], 'LOGIN', '密码找回成功');
-
- self::setonline($rsuser, $sid);
- return self::getsync($rsuser);
+ self::saveluser($db, 1, $rsuser['id'], '密码找回成功:' . $model);
+ return self::getsync($rsuser, $sid);
return succjson();
}
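Review bot: `return succjson();` on L251 follows the new `return self::getsync($rsuser, $sid);` and is unreachable; delete it rather than leave two return statements for the reader to reconcile. Also, the update on L242-L243 is keyed on `$caprow['vuser']` while the new `saveluser` call and `getsync` use `$rsuser['id']` — whether those always denote the same user is decided above this hunk, so a one-line comment where `$rsuser` is loaded would help. `json_forgetpass` starts outside this hunk.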
public static function json_sendsms() {
@@ -323,19 +323,24 @@ class login {
$rsuser = verifyfast();
return self::getsync($rsuser);
}
- static function setonline($userrow, $sid) {
- global $tokensalt;
- global $tokenfield;
- $auth = array();
- $auth['id'] = $userrow['id'];
- $auth["_s"] = $sid;
- $authstr = json_encode($auth, JSON_PARTIAL_OUTPUT_ON_ERROR);
- $enauth = encrypt($authstr, 'E', $tokensalt);
- header($tokenfield . ': ' . $enauth);
- }
- static function getsync($userrow) {
+ static function getsync($userrow, $sid = '') {
global $db;
+ global $_token;
$ret = array();
+ if (!empty($sid)) {
+ $auth = array();
+ $auth['id'] = $userrow['id'];
+ $auth["_s"] = $sid;
+ $authstr = json_encode($auth, JSON_PARTIAL_OUTPUT_ON_ERROR);
+ $enauth = encrypt($authstr, 'E', $_token['salt']);
+ if ($_token['type'] == 'cookie') {
+ $headercookie = 'Set-Cookie: ' . $_token['field'] . '=' . $enauth . '; expires=' . gmdate('D, d-M-Y H:i:s T', time() + $_token['swapsec'] + $_token['expsec']) . '; path=/; SameSite=None; Secure; httponly';
+ header($headercookie); //Cookie方式,安全性好
+ } else {
+ $ret['_ciyauth'] = $enauth; //Localstorage方式,兼容性更好
+ //header($_token['field'] . ': ' . $enauth); //有坑
+ }
+ }
$ret['storage'] = array();
$csql = new \ciy\sql('zc_admin');
$csql->column('id,name');
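Review bot: The token-issuing code added to `getsync` (L274-L285) duplicates the block in `verifyuser` in common.php, and the two already disagree: the cookie here expires at `time() + swapsec + expsec` while `verifyuser` uses `$exp + swapsec + expsec` where `$exp` is itself `time() + swapsec`. A single helper in common.php — say `issuetoken($auth, $exp)` returning the encrypted string and emitting the cookie via `setcookie()` with an options array — would keep the cookie attributes, expiry arithmetic and the localstorage fallback in one place; `getsync` would then just do `$ret['_ciyauth'] = issuetoken($auth, time() + $_token['swapsec']);` when not in cookie mode. Note that `getsync` remains callable without `$sid` (L256), so the helper must stay optional. `getsync` continues past the end of this hunk.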
@@ -370,6 +375,7 @@ class login {
$ret['me']['email'] = $extrow['email'];
$ret['me']['wxno'] = $extrow['wxno'];
$ret['me']['idid'] = $extrow['idid'];
+ $ret['me']['cciy'] = $extrow['cciy'];
$ret['me']['cashtype'] = $extrow['cashtype'];
$ret['me']['bankno'] = $extrow['bankno'];
$ret['me']['bankname'] = $extrow['bankname'];
@@ -382,7 +388,9 @@ class login {
public static function json_logout() {
global $db;
$rsuser = verifyuser();
- savelog($db, $rsuser['id'], 'LOGIN', '退出登录');
+ if (is_array($rsuser)) {
+ self::saveluser($db, 2, $rsuser['id']);
+ }
return succjson();
}
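Review bot: `json_logout` still only records the event; it neither rotates or clears `ap_user.sid` nor, in cookie mode, sends an expired `Set-Cookie`, so a token presented before logout keeps working until the server-side cutoff in `verifyuser`. Whether token acceptance is tied to `sid` is decided outside this diff (the comparison is not shown), so treat the DB part as conditional on that check existing; the cookie removal must repeat the `path`, `secure` and `samesite` attributes used when it was set, or browsers will not match it. Guarding on `is_array($rsuser)` is the right fix for the old unconditional `$rsuser['id']` access.
```php
public static function json_logout() {
    global $db;
    global $_token;
    $rsuser = verifyuser();
    if (is_array($rsuser)) {
        self::saveluser($db, 2, $rsuser['id']);
        // drop the session id so the presented token cannot be replayed (assumes verifyuser compares sid)
        $db->execute('update ap_user set sid=? where id=?', array('', $rsuser['id']));
    }
    if ($_token['type'] == 'cookie') {
        setcookie($_token['field'], '', ['expires' => 1, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'None']);
    }
    return succjson();
}
```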
public static function json_debug() {
@@ -393,4 +401,15 @@ class login {
$ret['list'] = $db->get($csql);
return succjson($ret);
}
+ private static function saveluser($db, $isinout, $userid, $model = '') {
+ $updata = array();
+ $updata['isinout'] = $isinout;
+ $updata['loguser'] = $userid;
+ $updata['addtimes'] = tostamp();
+ $updata['ip'] = getip();
+ $updata['model'] = dbstr($model, 250);
+ $csql = new \ciy\sql('ap_luser');
+ $db->insert($csql, $updata);
+ return false;
+ }
}
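Review bot: `saveluser` always returns `false` and discards the result of `$db->insert`, so callers cannot tell a recorded login from a failed insert; since no caller uses the return value (L172, L198, L249, L304), returning the insert outcome is compatible: `return $db->insert($csql, $updata) !== false;`. `$isinout` is a bare magic number — from the call sites it is 1 for sign-in and 2 for sign-out — so either declare `private const LOG_IN = 1; private const LOG_OUT = 2;` on the class or add a docblock stating the two values, what `$model` holds (client device string, capped at 250 by `dbstr`) and that the row goes to ap_luser.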
diff --git a/web/ambap/me.php b/web/ambap/me.php
index c7aeb10..2693345 100644
--- a/web/ambap/me.php
+++ b/web/ambap/me.php
@@ -3,6 +3,15 @@
namespace web\ambap;
class me {
+
+ public static function json_signpath() {
+ $rsuser = verifyfast();
+ $post = new \ciy\post();
+ $path = $post->get('path');//'/pages/main/index';
+ $ret['sign'] = hash_hmac('sha256', $path, $rsuser['wxminakey'], false);
+ $ret['path'] = $path;
+ return succjson($ret);
+ }
public static function json_invoicetitle_get() {
global $db;
$rsuser = verifyfast();
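Review bot: `json_signpath` signs whatever string the caller puts in `path` with the user's `wxminakey`, so the endpoint will produce a valid MAC for any input; if the signature is later trusted by something that checks it, restrict `$path` to the expected shape (the commented-out `'/pages/main/index'` suggests page routes), e.g. `if (!is_string($path) || !str_starts_with($path, '/pages/')) return errjson('path invalid');`. Also guard the key, since a row without `wxminakey` would silently produce an HMAC over an empty key: `if (empty($rsuser['wxminakey'])) return errjson('wxminakey not configured');` (message wording is a suggestion). `$ret` is written without being initialised; the other methods in this class start with `$ret = array();`.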
@@ -58,7 +67,6 @@ class me {
$db->commit();
} catch (\Exception $ex) {
$db->rollback();
- savelogfile('err_db', $ex->getMessage());
return errjson($ex->getMessage());
}
$ret['data'] = $updata;
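Review bot: Removing `savelogfile('err_db', $ex->getMessage())` from the catch block leaves a failed transaction with no server-side record; the only remaining copy of the database error goes to the client through `errjson($ex->getMessage())`, which is the opposite of what an operator wants (driver messages can carry table and column names). The same removal is made in the hunks at L352, L360 and L368. Unless a central handler now logs these exceptions (not visible here), keep the file log and return a generic message: `savelogfile('err_db', $ex->getMessage()); return errjson('操作失败,请稍后重试');` (message text is a suggestion). The enclosing functions start outside these hunks.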
@@ -129,7 +137,6 @@ class me {
$db->commit();
} catch (\Exception $ex) {
$db->rollback();
- savelogfile('err_db', $ex->getMessage());
return errjson($ex->getMessage());
}
$ret['data'] = $updata;
@@ -511,7 +518,6 @@ class me {
$db->commit();
} catch (\Exception $ex) {
$db->rollback();
- savelogfile('err_db', $ex->getMessage());
return errjson($ex->getMessage());
}
return succjson();
@@ -557,7 +563,6 @@ class me {
$db->commit();
} catch (\Exception $ex) {
$db->rollback();
- savelogfile('err_db', $ex->getMessage());
return errjson($ex->getMessage());
}
return succjson();
@@ -733,6 +738,32 @@ class me {
$ret['recommend'] = 2;
return succjson($ret);
}
+ public static function json_me_bank_info_change() {
+ global $db;
+ $rsuser = verifyfast();
+ $post = new \ciy\post();
+ $bankno = $post->get('bankno');
+ $bankname = $post->get('bankname');
+ $bankaccount = $post->get('bankaccount');
+ $bankcode = $post->get('bankcode');
+ $updata = array();
+ $updata['bankno'] = $bankno;
+ $updata['bankname'] = $bankname;
+ $updata['bankaccount'] = $bankaccount;
+ $updata['bankcode'] = $bankcode;
+ $csql = new \ciy\sql('ap_usr_ext');
+ $csql->where('id', $rsuser['id']);
+ $extrow = $db->getone($csql);
+ if (is_array($extrow)) {
+ if ($db->update($csql, $updata) === false)
+ return errjson('ext更新失败:' . $db->error);
+ } else {
+ $updata['id'] = $rsuser['id'];
+ if ($db->insert($csql, $updata) === false)
+ return errjson('ext新增失败:' . $db->error);
+ }
+ return succjson();
+ }
public static function json_userinfo_change() {
global $db;
$rsuser = verifyfast();
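Review bot: `json_me_bank_info_change` writes four raw POST strings into ap_usr_ext with no length cap or format check, unlike the `dbstr($model, 250)` used for the new ap_luser rows in login.php; at minimum wrap each with `dbstr(...)` at the column width, and reject an empty `bankno`. Changing a payout destination is a sensitive action and the method leaves no trace: a `savelog($db, $rsuser['id'], 'BANKCHANGE', '收款信息变更');` call (type and message are suggestions) would match how logins are recorded, and if `json_forgetpass`'s SMS-code flow is available, requiring it here is the usual control. The `$csql` object carrying `where('id', …)` from the `getone` call is reused for the insert branch; whether the builder ignores the where clause on insert is not visible here, so a fresh `new \ciy\sql('ap_usr_ext')` for the insert would remove the doubt.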