feat: prevent public_key endpoint from being cached #1234

Author: 0xJacky

api/crypto/crypto.go

@@ -2,14 +2,30 @@ package crypto
 
 import (
 	"net/http"
+	"time"
 
 	"github.com/0xJacky/Nginx-UI/internal/crypto"
 	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
 	"github.com/uozi-tech/cosy"
 )
 
 // GetPublicKey generates a new ED25519 key pair and registers it in the cache
 func GetPublicKey(c *gin.Context) {
+	var data struct {
+		Timestamp   int64  `json:"timestamp" binding:"required"`
+		Fingerprint string `json:"fingerprint" binding:"required"`
+	}
+
+	if !cosy.BindAndValid(c, &data) {
+		return
+	}
+
+	if time.Now().Unix()-data.Timestamp > 10 {
+		cosy.ErrHandler(c, crypto.ErrTimeout)
+		return
+	}
+
 	params, err := crypto.GetCryptoParams()
 	if err != nil {
 		cosy.ErrHandler(c, err)
@@ -18,5 +34,6 @@ func GetPublicKey(c *gin.Context) {
 
 	c.JSON(http.StatusOK, gin.H{
 		"public_key": params.PublicKey,
+		"request_id": uuid.NewString(),
 	})
 }

api/crypto/router.go

@@ -5,6 +5,6 @@ import "github.com/gin-gonic/gin"
 func InitPublicRouter(r *gin.RouterGroup) {
 	g := r.Group("/crypto")
 	{
-		g.GET("public_key", GetPublicKey)
+		g.POST("public_key", GetPublicKey)
 	}
 }

app/package.json

@@ -15,6 +15,7 @@
   "dependencies": {
     "@0xjacky/vue-github-button": "^3.1.1",
     "@ant-design/icons-vue": "^7.0.1",
+    "@fingerprintjs/fingerprintjs": "^4.6.2",
     "@formkit/auto-animate": "^0.8.2",
     "@simplewebauthn/browser": "^13.1.2",
     "@uozi-admin/curd": "^4.5.3",

app/pnpm-lock.yaml

@@ -0,0 +1,43 @@
+import FingerprintJS from '@fingerprintjs/fingerprintjs'
+
+let fpPromise: Promise<string> | null = null
+
+/**
+ * Get browser fingerprint
+ * Use caching mechanism to avoid duplicate calculations
+ */
+export async function getBrowserFingerprint(): Promise<string> {
+  if (!fpPromise) {
+    fpPromise = generateFingerprint()
+  }
+  return fpPromise
+}
+
+/**
+ * Generate browser fingerprint
+ */
+async function generateFingerprint(): Promise<string> {
+  try {
+    // Initialize FingerprintJS
+    const fp = await FingerprintJS.load()
+
+    // Get fingerprint result
+    const result = await fp.get()
+
+    // Return fingerprint ID
+    return result.visitorId
+  }
+  catch (error) {
+    console.warn('Failed to generate browser fingerprint, fallback to User Agent:', error)
+    // If fingerprint generation fails, fallback to User Agent
+    return navigator.userAgent
+  }
+}
+
+/**
+ * Clear fingerprint cache
+ * Force regenerate fingerprint
+ */
+export function clearFingerprintCache(): void {
+  fpPromise = null
+}

app/src/lib/helper/fingerprint.ts

@@ -73,3 +73,5 @@ export {
   fromNow,
   urlJoin,
 }
+
+export { clearFingerprintCache, getBrowserFingerprint } from './fingerprint'

app/src/lib/helper/index.ts

@@ -1,8 +1,10 @@
 import type { CosyError } from './types'
 import { http, useAxios } from '@uozi-admin/request'
+import dayjs from 'dayjs'
 import JSEncrypt from 'jsencrypt'
 import { storeToRefs } from 'pinia'
 import use2FAModal from '@/components/TwoFA/use2FAModal'
+import { getBrowserFingerprint } from '@/lib/helper'
 import { useNProgress } from '@/lib/nprogress/nprogress'
 import { useSettingsStore, useUserStore } from '@/pinia'
 import router from '@/routes'
@@ -16,7 +18,11 @@ const dedupe = useMessageDedupe()
 // Helper function for encrypting JSON data
 // eslint-disable-next-line ts/no-explicit-any
 async function encryptJsonData(data: any): Promise<string> {
-  const cryptoParams = await http.get('/crypto/public_key')
+  const fingerprint = await getBrowserFingerprint()
+  const cryptoParams = await http.post('/crypto/public_key', {
+    timestamp: dayjs().unix(),
+    fingerprint,
+  })
   const { public_key } = await cryptoParams
 
   // Encrypt data with RSA public key