按协议判断连接权限，优化权限检查效率

server/fwd/auth/auth.go

@@ -0,0 +1,131 @@
+package auth
+
+import (
+	"log/slog"
+	"net"
+	"proxy-server/server/fwd/core"
+	"proxy-server/server/pkg/models"
+	"proxy-server/server/pkg/orm"
+	"strconv"
+	"time"
+
+	"github.com/pkg/errors"
+)
+
+type Protocol string
+
+const (
+	Socks5 = Protocol("socks5")
+	Http   = Protocol("http")
+)
+
+func CheckIp(conn net.Conn, proto Protocol) (*core.AuthContext, error) {
+
+	// 获取用户地址
+	remoteAddr := conn.RemoteAddr().String()
+	remoteHost, _, err := net.SplitHostPort(remoteAddr)
+	if err != nil {
+		return nil, errors.Wrap(err, "noAuth 认证失败")
+	}
+
+	// 获取服务端口
+	localAddr := conn.LocalAddr().String()
+	_, _localPort, err := net.SplitHostPort(localAddr)
+	localPort, err := strconv.Atoi(_localPort)
+	if err != nil {
+		return nil, errors.Wrap(err, "noAuth 认证失败")
+	}
+
+	// 查询权限记录
+	slog.Debug("用户 " + remoteHost + " 请求连接到 " + _localPort)
+	var channels []models.Channel
+	err = orm.DB.Find(&channels, &models.Channel{
+		AuthIp:   true,
+		UserAddr: remoteHost,
+		NodePort: localPort,
+		Protocol: string(proto),
+	}).Error
+	if err != nil {
+		return nil, errors.New("查询用户权限失败")
+	}
+	// 记录应该只有一条
+	channel, err := orm.MaySingle(channels)
+	if err != nil {
+		return nil, errors.Wrap(err, "不在白名单内")
+	}
+
+	// 检查是否需要密码认证
+	if channel.AuthPass {
+		return nil, errors.New("需要密码认证")
+	}
+
+	// 检查权限是否过期
+	timeout := channel.Expiration.Sub(time.Now()).Seconds()
+	if timeout <= 0 {
+		return nil, errors.New("权限已过期")
+	}
+
+	return &core.AuthContext{
+		Timeout: timeout,
+		Payload: core.Payload{
+			ID: channel.UserId,
+		},
+	}, nil
+}
+
+func CheckPass(conn net.Conn, proto Protocol, username, password string) (*core.AuthContext, error) {
+
+	// 获取服务端口
+	localAddr := conn.LocalAddr().String()
+	_, _localPort, err := net.SplitHostPort(localAddr)
+	localPort, err := strconv.Atoi(_localPort)
+	if err != nil {
+		return nil, errors.Wrap(err, "noAuth 认证失败")
+	}
+
+	// 查询权限记录
+	var channel models.Channel
+	err = orm.DB.Take(&channel, &models.Channel{
+		AuthPass: true,
+		Username: username,
+		NodePort: localPort,
+		Protocol: string(proto),
+	}).Error
+	if err != nil {
+		return nil, errors.Wrap(err, "用户不存在")
+	}
+
+	// 检查密码 todo 哈希
+	if channel.Password != password {
+		return nil, errors.New("密码错误")
+	}
+
+	// 如果用户设置了双验证则检查 ip 是否在白名单中
+	if channel.AuthIp {
+
+		// 获取用户地址
+		remoteAddr := conn.RemoteAddr().String()
+		remoteHost, _, err := net.SplitHostPort(remoteAddr)
+		if err != nil {
+			return nil, errors.Wrap(err, "无法获取连接信息")
+		}
+
+		// 查询权限记录
+		if channel.UserAddr != remoteHost {
+			return nil, errors.New("不在白名单内")
+		}
+	}
+
+	// 检查权限是否过期
+	timeout := channel.Expiration.Sub(time.Now()).Seconds()
+	if timeout <= 0 {
+		return nil, errors.New("权限已过期")
+	}
+
+	return &core.AuthContext{
+		Timeout: timeout,
+		Payload: core.Payload{
+			ID: channel.UserId,
+		},
+	}, nil
+}