feat: file security key

Author: modstart

module/Member/Util/MemberUtil.php

@@ -347,6 +347,23 @@ private static function suggestUsernameNickname($memberUserId, $prefix = '用户
         ]);
     }
 
+    public static function registerId($id, $data = [])
+    {
+        $memberUser = ModelUtil::insert('member_user', array_merge([
+            'id' => $id,
+            'status' => MemberStatus::NORMAL,
+            'vipId' => MemberVipUtil::defaultVipId(),
+            'groupId' => MemberGroupUtil::defaultGroupId(),
+            'isDeleted' => false,
+        ], $data));
+        return Response::generate(0, 'ok', $memberUser);
+    }
+
+    public static function registerUsername($username)
+    {
+        return self::register($username, '', '', '', true);
+    }
+
     public static function registerUsernameQuick($username)
     {
         $suggestionUsername = $username;
@@ -558,6 +575,9 @@ public static function changePassword($memberUserId, $new, $old = null, $ignoreO
      */
     public static function setAvatar($userId, $avatarData, $avatarExt = 'jpg')
     {
+        if (!in_array($avatarExt, ['jpg', 'jpeg', 'png', 'gif'])) {
+            return Response::generate(-1, '图片格式不正确');
+        }
         $memberUser = self::get($userId);
         if (empty($memberUser)) {
             return Response::generate(-1, '用户不存在');

module/Vendor/Middleware/NoneLoginOperateAuthMiddleware.php

@@ -21,8 +21,6 @@ class NoneLoginOperateAuthMiddleware
      */
     public function handle($request, \Closure $next)
     {
-        $appKey = config('env.APP_KEY');
-        BizException::throwsIfEmpty('APP_KEY为空', $appKey);
         $input = InputPackage::buildFromInput();
         $timestamp = $input->getInteger('timestamp');
         BizException::throwsIf('已超时效（操作时间显示为24小时内，timestamp=' . time() . '）', !($timestamp <= time() && $timestamp > time() - TimeUtil::PERIOD_DAY));
@@ -34,4 +32,4 @@ public function handle($request, \Closure $next)
         BizException::throwsIf('sign错误', $sign != $signCalc);
         return $next($request);
     }
-}
+}

module/Vendor/Util/NoneLoginOperateUtil.php

@@ -6,6 +6,7 @@
 
 use ModStart\Core\Exception\BizException;
 use ModStart\Core\Input\Request;
+use ModStart\Core\Util\EnvUtil;
 use ModStart\Core\Util\RandomUtil;
 
 class NoneLoginOperateUtil
@@ -25,8 +26,7 @@ public static function generateUrl($url, $param = [], $domainUrl = null)
 
     public static function sign($url, $nonce, $timestamp, $param)
     {
-        $appKey = config('env.APP_KEY');
-        BizException::throwsIfEmpty('APP_KEY为空', $appKey);
-        return md5($url . ':' . $appKey . ':' . $nonce . ':' . $timestamp . ':' . $param);
+        $securityKey = EnvUtil::securityKey();
+        return md5($url . ':' . $securityKey . ':' . $nonce . ':' . $timestamp . ':' . $param);
     }
 }

vendor/modstart/modstart/src/Command/ModuleInstallAllCommand.php

@@ -50,6 +50,7 @@ public function handle()
                 if (ModelUtil::count('admin_user') <= 0) {
                     foreach ($initUsers as $initUser) {
                         Admin::add($initUser['user'], $initUser['password']);
+                        $this->warn(">>> Init User: {$initUser['user']}");
                     }
                 }
             }

vendor/modstart/modstart/src/Core/Util/EnvUtil.php

@@ -37,4 +37,13 @@ public static function iniFileConfig($key)
     {
         return @ini_get($key);
     }
+
+    public static function securityKey()
+    {
+        static $key = null;
+        if (null === $key) {
+            $key = md5(json_encode(config('env')));
+        }
+        return $key;
+    }
 }

vendor/modstart/modstart/src/Core/Util/FileUtil.php

@@ -599,9 +599,9 @@ public static function fopenGetContext()
     /**
      * 将远程文件保存为本地可用
      * @param $path string 可以为 http://example.com/xxxxx.xxx /data/xxxxx.xxx
-     * @param string $ext 文件后缀
-     * @param string $downloadStream 是否使用流下载
-     * @return string|null 返回本地临时路径或本地文件绝对路径，注意使用safeCleanLocalTemp来清理文件，如果是本地其他路径可能会误删
+     * @param $ext string 文件后缀
+     * @param $downloadStream boolean 是否使用流下载，默认为false
+     * @return string|null 返回本地临时路径或本地文件绝对路径，注意使用 safeCleanLocalTemp 来清理文件，如果是本地其他路径可能会误删
      */
     public static function savePathToLocalTemp($path, $ext = null, $downloadStream = false)
     {
@@ -611,8 +611,12 @@ public static function savePathToLocalTemp($path, $ext = null, $downloadStream =
         if (empty($ext)) {
             $ext = self::extension($path);
         }
-        $appKey = config('env.APP_KEY');
-        $tempPath = public_path('temp/' . md5($appKey . ':' . $path) . (starts_with($ext, '.') ? $ext : '.' . $ext));
+        $ext = ltrim(strtolower($ext), '.');
+        BizException::throwsIf('Unsupported Path Extension', in_array($ext, [
+            'php', 'php3', 'php4', 'php5', 'phps', 'phtml',
+        ]));
+        $securityKey = md5(json_encode(config('env')));
+        $tempPath = public_path('temp/' . md5($securityKey . ':' . $path) . '.' . $ext);
         if (file_exists($tempPath)) {
             return $tempPath;
         }
@@ -674,8 +678,8 @@ public static function generateLocalTempPath($ext = 'tmp', $hash = null, $realpa
             }
             BizException::throws('FileUtil generateLocalTempPath error');
         }
-        $appKey = config('env.APP_KEY');
-        $p = 'temp/' . md5($appKey . ':' . $hash) . '.' . $ext;
+        $securityKey = md5(json_encode(config('env')));
+        $p = 'temp/' . md5($securityKey . ':' . $hash) . '.' . $ext;
         return $realpath ? public_path($p) : $p;
     }