From 5d6bdcb1e37ca6ca42129b6ffc4a128a38b360cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E4=BC=97=E4=BA=A7-=E7=8E=8B=E5=9D=A4?= Date: Sat, 8 Nov 2025 21:44:59 +0800 Subject: [PATCH] dao251108 --- fapp/贡献代码.bat | 2 ++ web/ambap/common.php | 47 ++++++++++++++++--------- web/ambap/login.php | 83 +++++++++++++++++++++++++++----------------- web/ambap/me.php | 39 ++++++++++++++++++--- 4 files changed, 118 insertions(+), 53 deletions(-) diff --git a/fapp/贡献代码.bat b/fapp/贡献代码.bat index 9f90fa3..854e64e 100644 --- a/fapp/贡献代码.bat +++ b/fapp/贡献代码.bat @@ -3,6 +3,8 @@ xcopy ciydao\pages\demo ciyon_ap\pages\demo /s /y /v xcopy ciydao\pages\main ciyon_ap\pages\main /s /y /v xcopy ciydao\pages\pub ciyon_ap\pages\pub /s /y /v xcopy ciydao\util ciyon_ap\util /s /y /v +xcopy ciydao\index.html ciyon_ap\index.html /s /y /v xcopy ciydao\main.js ciyon_ap\main.js /s /y /v xcopy ciydao\vite.config.js ciyon_ap\vite.config.js /s /y /v +xcopy ..\web\ambdao ..\web\ambap /s /y /v pause \ No newline at end of file diff --git a/web/ambap/common.php b/web/ambap/common.php index acdfe89..b55e2f5 100644 --- a/web/ambap/common.php +++ b/web/ambap/common.php @@ -16,9 +16,12 @@ * get/set config 从SaaS配置表中读写配置项 * get/set/del memvar 从SaaS内存表中读写变量 */ -$tokenfield = "ciyap"; -$tokensalt = "ast34h$3"; //做数据加解密时的加密因子,每个项目都不要相同。 -$logpath = PATH_ROOT . 'log/'; +$_token = array(); +$_token['type'] = 'localstorage'; //cookie(更安全) 、 localstorage(兼容性好) 微信小程序不支持cookie +$_token['swapsec'] = 3600; //更换JWT时间 +$_token['expsec'] = 86400; //过期退出时间 +$_token['field'] = 'ciyap'; +$_token['salt'] = 'ast34h$3'; //做数据加解密时的加密因子,每个项目都不要相同。 function verifyfast() { $rsuser = verifyuser(); 
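Review bot: The new line `$_token['salt'] = 'ast34h$3';` commits the token-encryption secret to the repository while its own comment says every project must use a different value, so anyone with read access to the source can decrypt or mint tokens for any deployment that keeps the default. Load the value from deployment-specific configuration outside version control (the file already reads such config through `webini(...)` in `ciy_api`) and keep the shipped literal as an obvious placeholder such as `'CHANGE-ME'`. The removed `$logpath` assignment is not replaced by anything in this hunk; if code elsewhere still reads that global it now sees an undefined variable. The trailing context line of this hunk appears to be lost in the collapsed layout, so the rest of verifyfast is outside what I can see.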
@@ -28,13 +31,14 @@ function verifyfast() { } function verifyuser() { global $db; - global $tokensalt; - global $tokenfield; - if (isset($_SERVER['HTTP_' . strtoupper($tokenfield)])) - $ciyauth = $_SERVER['HTTP_' . strtoupper($tokenfield)]; + global $_token; + if (isset($_COOKIE[$_token['field']])) + $ciyauth = $_COOKIE[$_token['field']]; + else if (isset($_SERVER['HTTP_CIYAUTH'])) + $ciyauth = $_SERVER['HTTP_CIYAUTH']; else - $ciyauth = get('_' . $tokenfield); - $auth = json_decode(encrypt($ciyauth, 'D', $tokensalt), true); + $ciyauth = get('_ciyauth'); + $auth = json_decode(encrypt($ciyauth, 'D', $_token['salt']), true); if ($auth == null) return null; $csql = new \ciy\sql('ap_user'); //弃用redis集群 @@ -46,16 +50,25 @@ function verifyuser() { return null; if ($userrow['stpstatus'] != 10) return null; + if ($userrow['exptimes'] < time() - $_token['expsec']) + return null; if ($userrow['exptimes'] > time()) return $userrow; - $exp = time() + 86400; + $exp = time() + $_token['swapsec']; $sid = randstr(10); $auth['_s'] = $sid; if ($db->execute('update ap_user set exptimes=?,sid=? where id=?', array($exp, $sid, $auth['id'])) === false) return null; $authstr = json_encode($auth, JSON_PARTIAL_OUTPUT_ON_ERROR); - $enauth = encrypt($authstr, 'E', $tokensalt); - header($tokenfield . ': ' . $enauth); + $enauth = encrypt($authstr, 'E', $_token['salt']); + if ($_token['type'] == 'cookie') { + $headercookie = 'Set-Cookie: ' . $_token['field'] . '=' . $enauth . '; expires=' . gmdate('D, d-M-Y H:i:s T', $exp + $_token['swapsec'] + $_token['expsec']) . '; path=/; SameSite=None; Secure; httponly'; + header($headercookie); + } else { + //header($_token['field'] . ': ' . $enauth); + $_token['__ciyauth'] = $enauth; + } + //header($_token['field'] . ': ' . $enauth); return $userrow; } //true无权限,false有权限 
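Review bot: The fallback `$ciyauth = get('_ciyauth');` accepts the session token from the query string, which lands it in web-server access logs, browser history and Referer headers; the cookie and `HTTP_CIYAUTH` paths already cover browsers and mini-programs, so the query-string path should be removed or limited to a documented case. `if ($auth == null)` is a loose check that a token decrypting to valid JSON without an `id` key still passes, after which `$auth['id']` is read as null in the update below; use `if (!is_array($auth) || !isset($auth['id'])) return null;`. Whether `encrypt()` authenticates the ciphertext cannot be seen here; if it does not, that JSON check is the only integrity control on the token. verifyuser continues into the next hunk.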
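Review bot: In the localstorage branch the rotated token is only stored in `$_token['__ciyauth']` and the `header()` delivery is commented out, so unless code outside this hunk copies that value into the response the client never receives the new token and is logged out once `expsec` elapses despite being active; the removed header line was the delivery path. The Set-Cookie line uses `SameSite=None`, which makes browsers attach the session cookie to cross-site requests, and the same attribute is set in getsync in login.php; together with state-changing JSON endpoints (bank details, user info) that is a CSRF exposure unless the API also demands a non-cookie proof such as the `CIYAUTH` header. `SameSite=Lax` is sufficient unless the app is embedded cross-origin. The expiry arithmetic uses `time()` here while every `$exp` written in login.php comes from `tostamp()`; if those are not both epoch seconds the two checks disagree.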
@@ -101,7 +114,7 @@ function savelog($db, $userid, $types, $msg, $isrequest = false, $time = 0) { $updata['readuser'] = 0; $updata['addtimes'] = $time == 0 ? tostamp() : $time; $updata['ip'] = getip(); - $csql = new \ciy\sql('zc_log'); + $csql = new \ciy\sql('ap_log'); $db->insert($csql, $updata); return false; } @@ -112,10 +125,10 @@ function gettoken($db, $id) { $csql = new \ciy\sql('zc_token'); $csql->where('id', $id); $tokenrow = $db->getone($csql); - if(!is_array($tokenrow)) + if (!is_array($tokenrow)) return array(); $cfgtoken = str_replace('{PATH_ROOT}', PATH_ROOT, $tokenrow['cfgtoken']); - $cfg = getstrparam($cfgtoken , "\n"); + $cfg = getstrparam($cfgtoken, "\n"); $cfg['accesstoken'] = $tokenrow['accesstoken']; $cfg['exptimes'] = $tokenrow['exptimes']; return $cfg; @@ -191,7 +204,7 @@ function setmemvar($db, $types, $value) { if ($ind === false) { $updata['params'] = 1; } else { - $updata['params'] = toint(substr($value[0], $ind + 1)); + $updata['params'] = (int)substr($value[0], $ind + 1); } } if ($db->insert($csql, $updata) === false) @@ -206,7 +219,7 @@ function delmemvar($db, $types) { } function ciy_api($enter, $param) { $cfg = webini('ciyapi'); - if(is_string($cfg)) + if (is_string($cfg)) return errjson($cfg); $time = time(); $payload = json_encode($param); diff --git a/web/ambap/login.php b/web/ambap/login.php index 7575d7b..6493c4f 100644 --- a/web/ambap/login.php +++ b/web/ambap/login.php @@ -17,8 +17,9 @@ class login { } public static function json_login_mobile() { global $db; - global $tokensalt; + global $_token; $post = new \ciy\post(); + $model = $post->get('model'); $user = $post->get('user'); if (empty($user)) return errjson('请填写用户名'); @@ -45,7 +46,7 @@ class login { if (abs($authtime / 1000 - tostamp()) > 300) return errjson('您的本地时间与服务器时间相差超过5分钟,请调整本机时间。
服务器时间: ' . date('Y-m-d H:i:s') . '
您本机时间: ' . date('Y-m-d H:i:s', $authtime / 1000)); // if($user == '1') - // clog(md5('1' . $tokensalt)); //开发生成默认密码 + // clog(md5('1' . $_token['salt'])); //开发生成默认密码 if ($post->get('pass') != md5($rsuser['password'] . $authtime)) { $updata = array(); $updata['trytime'] = array('trytime+1'); @@ -53,11 +54,11 @@ class login { $csql = new \ciy\sql('ap_user'); $csql->where('id', $rsuser['id']); $db->update($csql, $updata); - savelog($db, $rsuser['id'], 'LOGINERR', '用户[' . $user . ']登录密码错误' . md5('1' . $tokensalt)); + savelog($db, $rsuser['id'], 'LOGINERR', '用户[' . $user . ']登录密码错误' . md5('1' . $_token['salt'])); return errjson('用户名或密码错误.'); } $sid = randstr(10); - $exp = tostamp() + 86400; //默认三天过期,每天换秘钥 + $exp = tostamp() + $_token['swapsec']; $id = $rsuser['id']; $updata = array(); $updata['logintimes'] = tostamp(); @@ -69,14 +70,14 @@ class login { $csql->where('id', $id); if ($db->update($csql, $updata) === false) return errjson('user数据库更新失败:' . $db->error); - savelog($db, $rsuser['id'], 'LOGIN', '登录成功'); - - self::setonline($rsuser, $sid); - return self::getsync($rsuser); + self::saveluser($db, 1, $rsuser['id'], $model); + return self::getsync($rsuser, $sid); } public static function json_reg_mobile() { global $db; + global $_token; $post = new \ciy\post(); + $model = $post->get('model'); $upid = $post->getint('upid'); $user = $post->get('user'); $pass = $post->get('pass'); @@ -93,7 +94,7 @@ class login { return errjson('该手机号已被注册'); $sid = randstr(10); - $exp = tostamp() + 86400; //默认三天过期,每天换秘钥 + $exp = tostamp() + $_token['swapsec']; //默认三天过期,每天换秘钥 $rsuser = array(); $rsuser['upid'] = $upid; $rsuser['stpstatus'] = 10; 
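Review bot: `if ($post->get('pass') != md5($rsuser['password'] . $authtime))` compares two hex digests with the loose `!=`, so PHP compares digests that parse as numeric strings by value rather than byte-for-byte; use `if (!hash_equals(md5($rsuser['password'] . $authtime), (string)$post->get('pass')))`, which is also constant-time. The line is unchanged context but the hunk reworks the surrounding block. json_login_mobile starts in the previous hunk and continues in the next.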
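Review bot: The LOGINERR record now appends `md5('1' . $_token['salt'])` to every failed-login log message, and the comment a few lines above identifies that value as the generated default-password hash, so the log table exposes a credential-derived value to anyone who can read logs. Drop the suffix: `savelog($db, $rsuser['id'], 'LOGINERR', '用户[' . $user . ']登录密码错误');`. `$user` comes straight from the request, so if `savelog` does not truncate, bound it with `dbstr` the way saveluser bounds `$model`.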
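Review bot: The comment `//默认三天过期,每天换秘钥` kept on the new `$exp = tostamp() + $_token['swapsec'];` line no longer describes the value, since `swapsec` is 3600 in common.php and the hard logout happens after `expsec`. The same stale comment is retained on the `$exp` lines in json_wx_autouser and json_forgetpass. Replace it with `// token is rotated by verifyuser after swapsec; the session ends after expsec`.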
@@ -123,12 +124,12 @@ class login { if ($upid > 0) { //上级用户统计 } - savelog($db, $rsuser['id'], 'LOGIN', '手机注册成功'); - self::setonline($rsuser, $sid); - return self::getsync($rsuser); + self::saveluser($db, 1, $rsuser['id'], '手机注册:' . $model); + return self::getsync($rsuser, $sid); } public static function json_wx_autouser() { global $db; + global $_token; $post = new \ciy\post(); $code = $post->get('code'); $upid = $post->getint('upid'); @@ -145,7 +146,7 @@ class login { $rsuser = $db->getone($csql); $userid = 0; $sid = randstr(10); - $exp = tostamp() + 86400; //默认三天过期,每天换秘钥 + $exp = tostamp() + $_token['swapsec']; //默认三天过期,每天换秘钥 if (is_array($rsuser)) { $userid = $rsuser['id']; if ($rsuser['upid'] == 0 && $upid > 0 && $upid != $userid) @@ -210,12 +211,13 @@ class login { // return errjson('上线统计失败:' . $db->error); } } - self::setonline($rsuser, $sid); - return self::getsync($rsuser); + return self::getsync($rsuser, $sid); } public static function json_forgetpass() { global $db; + global $_token; $post = new \ciy\post(); + $model = $post->get('model'); $mobile = $post->get('user'); $pass = $post->get('pass'); $code = $post->get('capsms'); @@ -254,7 +256,7 @@ class login { return errjson($errmsg); } $sid = randstr(10); - $exp = tostamp() + 86400; //默认三天过期,每天换秘钥 + $exp = tostamp() + $_token['swapsec']; //默认三天过期,每天换秘钥 $updata = array(); $updata['trytime'] = 0; $updata['password'] = $pass; @@ -267,10 +269,8 @@ class login { $csql->where('id', $caprow['vuser']); if ($db->update($csql, $updata) === false) return errjson('密码更新失败:' . $db->error); - savelog($db, $rsuser['id'], 'LOGIN', '密码找回成功'); - - self::setonline($rsuser, $sid); - return self::getsync($rsuser); + self::saveluser($db, 1, $rsuser['id'], '密码找回成功:' . $model); + return self::getsync($rsuser, $sid); return succjson(); } public static function json_sendsms() { 
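Review bot: json_wx_autouser is the only login path in this commit that returns `self::getsync($rsuser, $sid)` without a preceding `self::saveluser($db, 1, ...)`, so WeChat logins leave no ap_luser row while mobile login, registration and password reset do. Add `self::saveluser($db, 1, $rsuser['id'], '微信登录');` before the return, passing a `model` field if the request carries one as the other methods do. The function body starts outside this hunk, so I cannot see whether an earlier branch already records the login.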
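Review bot: `return succjson();` immediately after `return self::getsync($rsuser, $sid);` in json_forgetpass is unreachable and should be deleted so a reader does not mistake it for the real response. The line is unchanged context, but the hunk rewrites the statements right above it.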
@@ -323,19 +323,24 @@ class login { $rsuser = verifyfast(); return self::getsync($rsuser); } - static function setonline($userrow, $sid) { - global $tokensalt; - global $tokenfield; - $auth = array(); - $auth['id'] = $userrow['id']; - $auth["_s"] = $sid; - $authstr = json_encode($auth, JSON_PARTIAL_OUTPUT_ON_ERROR); - $enauth = encrypt($authstr, 'E', $tokensalt); - header($tokenfield . ': ' . $enauth); - } - static function getsync($userrow) { + static function getsync($userrow, $sid = '') { global $db; + global $_token; $ret = array(); + if (!empty($sid)) { + $auth = array(); + $auth['id'] = $userrow['id']; + $auth["_s"] = $sid; + $authstr = json_encode($auth, JSON_PARTIAL_OUTPUT_ON_ERROR); + $enauth = encrypt($authstr, 'E', $_token['salt']); + if ($_token['type'] == 'cookie') { + $headercookie = 'Set-Cookie: ' . $_token['field'] . '=' . $enauth . '; expires=' . gmdate('D, d-M-Y H:i:s T', time() + $_token['swapsec'] + $_token['expsec']) . '; path=/; SameSite=None; Secure; httponly'; + header($headercookie); //Cookie方式,安全性好 + } else { + $ret['_ciyauth'] = $enauth; //Localstorage方式,兼容性更好 + //header($_token['field'] . ': ' . $enauth); //有坑 + } + } $ret['storage'] = array(); $csql = new \ciy\sql('zc_admin'); $csql->column('id,name'); @@ -370,6 +375,7 @@ class login { $ret['me']['email'] = $extrow['email']; $ret['me']['wxno'] = $extrow['wxno']; $ret['me']['idid'] = $extrow['idid']; + $ret['me']['cciy'] = $extrow['cciy']; $ret['me']['cashtype'] = $extrow['cashtype']; $ret['me']['bankno'] = $extrow['bankno']; $ret['me']['bankname'] = $extrow['bankname']; @@ -382,7 +388,9 @@ class login { public static function json_logout() { global $db; $rsuser = verifyuser(); - savelog($db, $rsuser['id'], 'LOGIN', '退出登录'); + if (is_array($rsuser)) { + self::saveluser($db, 2, $rsuser['id']); + } return succjson(); } public static function json_debug() { 
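Review bot: Both branches of the new cookie/localstorage block in getsync keep a commented-out `//header($_token['field'] . ': ' . $enauth);` line (one annotated only `//有坑`), and verifyuser in common.php carries two more; commented-out code should go, and the pitfall should be named, e.g. `// the custom response header was dropped by some clients, so the token travels in the JSON body` — if that is the pitfall, which the hunk does not say. The cookie `expires` value is computed from `time()` while every `$exp` stored in ap_user uses `tostamp()`; if those differ, the cookie and the row expire at different moments. getsync continues past this hunk.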
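Review bot: json_logout only records the event; it neither invalidates the session on the server nor clears the cookie, so the presented token keeps working until `expsec` elapses and a copied token survives logout. Setting `exptimes` to 0 on the user row is enough to make verifyuser return null at its `exptimes < time() - $_token['expsec']` check, and clearing `sid` also retires the token's `_s` value if verifyuser compares it, which the hunks do not show. In cookie mode an expired Set-Cookie should be sent as well.
```php
public static function json_logout() {
    global $db;
    global $_token;
    $rsuser = verifyuser();
    if (is_array($rsuser)) {
        self::saveluser($db, 2, $rsuser['id']);
        // server-side revocation: exptimes=0 fails verifyuser's expsec check immediately
        $updata = array();
        $updata['sid'] = '';
        $updata['exptimes'] = 0;
        $csql = new \ciy\sql('ap_user');
        $csql->where('id', $rsuser['id']);
        $db->update($csql, $updata);
    }
    if ($_token['type'] == 'cookie') {
        header('Set-Cookie: ' . $_token['field'] . '=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; SameSite=None; Secure; httponly');
    }
    return succjson();
}
```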
@@ -393,4 +401,15 @@ class login { $ret['list'] = $db->get($csql); return succjson($ret); } + private static function saveluser($db, $isinout, $userid, $model = '') { + $updata = array(); + $updata['isinout'] = $isinout; + $updata['loguser'] = $userid; + $updata['addtimes'] = tostamp(); + $updata['ip'] = getip(); + $updata['model'] = dbstr($model, 250); + $csql = new \ciy\sql('ap_luser'); + $db->insert($csql, $updata); + return false; + } } diff --git a/web/ambap/me.php b/web/ambap/me.php index c7aeb10..2693345 100644 --- a/web/ambap/me.php +++ b/web/ambap/me.php @@ -3,6 +3,15 @@ namespace web\ambap; class me { + + public static function json_signpath() { + $rsuser = verifyfast(); + $post = new \ciy\post(); + $path = $post->get('path');//'/pages/main/index'; + $ret['sign'] = hash_hmac('sha256', $path, $rsuser['wxminakey'], false); + $ret['path'] = $path; + return succjson($ret); + } public static function json_invoicetitle_get() { global $db; $rsuser = verifyfast(); @@ -58,7 +67,6 @@ class me { $db->commit(); } catch (\Exception $ex) { $db->rollback(); - savelogfile('err_db', $ex->getMessage()); return errjson($ex->getMessage()); } $ret['data'] = $updata; @@ -129,7 +137,6 @@ class me { $db->commit(); } catch (\Exception $ex) { $db->rollback(); - savelogfile('err_db', $ex->getMessage()); return errjson($ex->getMessage()); } $ret['data'] = $updata; @@ -511,7 +518,6 @@ class me { $db->commit(); } catch (\Exception $ex) { $db->rollback(); - savelogfile('err_db', $ex->getMessage()); return errjson($ex->getMessage()); } return succjson(); @@ -557,7 +563,6 @@ class me { $db->commit(); } catch (\Exception $ex) { $db->rollback(); - savelogfile('err_db', $ex->getMessage()); return errjson($ex->getMessage()); } return succjson(); 
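Review bot: saveluser discards the result of `$db->insert` and returns `false` unconditionally, and the meaning of `$isinout` is only discoverable from the call sites (`1` at login, `2` at logout); document it on the method, `// isinout: 1 = login, 2 = logout; model is truncated to 250 chars via dbstr`, and either return the insert result or drop the return value. Every caller in this commit ignores the return, so as far as the diff shows that change is safe.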
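Review bot: json_signpath computes `hash_hmac('sha256', $path, $rsuser['wxminakey'], false)` over whatever string the client sent in `path`, which makes the endpoint a general signing oracle for that key: whatever later verifies `sign` will accept any value the caller chose to have signed, including an empty one. Restrict the input before signing, e.g. `if (!is_string($path) || strpos($path, '/pages/') !== 0) return errjson('path无效');`, and return an error when `$rsuser['wxminakey']` is empty rather than producing a MAC under an empty key. `$ret` is also written before being initialised; add `$ret = array();` to match the other methods in this class. What consumes the signature is not visible in the diff.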
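Review bot: Removing `savelogfile('err_db', $ex->getMessage());` from the catch block leaves no server-side record of the failed transaction, while `errjson($ex->getMessage())` still returns the raw exception text — typically the driver's SQL error — to the client; the same deletion is made in the three later me.php hunks at +137, +518 and +563. If the removal is a consequence of `$logpath` disappearing from common.php, replace the call rather than drop it, e.g. `savelog($db, $rsuser['id'], 'DBERR', $ex->getMessage());` after the rollback, and return a generic message such as `return errjson('操作失败,请稍后重试');`. The enclosing methods start outside these hunks.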
@@ -733,6 +738,32 @@ class me { $ret['recommend'] = 2; return succjson($ret); } + public static function json_me_bank_info_change() { + global $db; + $rsuser = verifyfast(); + $post = new \ciy\post(); + $bankno = $post->get('bankno'); + $bankname = $post->get('bankname'); + $bankaccount = $post->get('bankaccount'); + $bankcode = $post->get('bankcode'); + $updata = array(); + $updata['bankno'] = $bankno; + $updata['bankname'] = $bankname; + $updata['bankaccount'] = $bankaccount; + $updata['bankcode'] = $bankcode; + $csql = new \ciy\sql('ap_usr_ext'); + $csql->where('id', $rsuser['id']); + $extrow = $db->getone($csql); + if (is_array($extrow)) { + if ($db->update($csql, $updata) === false) + return errjson('ext更新失败:' . $db->error); + } else { + $updata['id'] = $rsuser['id']; + if ($db->insert($csql, $updata) === false) + return errjson('ext新增失败:' . $db->error); + } + return succjson(); + } public static function json_userinfo_change() { global $db; $rsuser = verifyfast();
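Review bot: json_me_bank_info_change writes four request fields into ap_usr_ext with no validation or length bound, unlike saveluser, which passes `$model` through `dbstr(…, 250)`; a bank-account change is a high-value action, so at minimum reject empty `bankno`/`bankname`/`bankaccount`, bound their lengths with `dbstr`, and record the change with `savelog($db, $rsuser['id'], 'BANKCHANGE', '修改银行信息');` so it appears in the audit trail. Because the session cookie is issued with `SameSite=None`, this endpoint is reachable from cross-site requests in cookie mode, so it is where a CSRF defence (custom-header requirement or a Lax cookie) matters most. Whether `$db->update`/`$db->insert` parameterise values cannot be seen from the hunk; if they interpolate, the unvalidated fields are also an injection path.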