音视频链接加密播放

Author: TruthHun88

controllers/DocumentController.go

@@ -292,18 +292,22 @@ func (this *DocumentController) Read() {
 					contentSelection.SetAttr("alt", doc.DocumentName+" - 图"+fmt.Sprint(i+1))
 				}
 			})
+
 			medias := []string{"video", "audio"}
 			for _, item := range medias {
 				query.Find(item).Each(func(idx int, sel *goquery.Selection) {
 					title := strings.TrimSpace(sel.Text())
 					poster, _ := sel.Attr("poster")
 					src, _ := sel.Attr("src")
+					sign, _ := utils.GenerateSign(src, time.Duration(utils.MediaDuration)*time.Second)
+					src = src + "?sign=" + sign
 					if item == "video" {
 						sel.BeforeHtml(fmt.Sprintf(videoBoxFmt, title, poster, src, title))
 						sel.Remove()
 					} else {
 						sel.SetAttr("preload", "true")
 						sel.SetAttr("controlslist", "nodownload")
+						sel.SetAttr("src", src)
 					}
 				})
 			}

controllers/StaticController.go

@@ -38,7 +38,21 @@ func (this *StaticController) APP() {
 func (this *StaticController) Uploads() {
 	file := strings.TrimLeft(this.GetString(":splat"), "./")
 	path := strings.ReplaceAll(filepath.Join("uploads", file), "\\", "/")
-	fmt.Println("===========", path)
+
+	// 签名验证
+	sign := this.GetString("sign")
+	if !this.isValidSign(sign, path) {
+		// 签名验证不通过，需要再次验证书籍是否是用户的（针对编辑状态）
+		if !this.isBookOwner() {
+			this.Abort("404")
+			return
+		}
+	}
+
+	if utils.IsSignUsed(sign) {
+		this.Abort("404")
+	}
+
 	http.ServeFile(this.Ctx.ResponseWriter, this.Ctx.Request, path)
 }
 
@@ -62,26 +76,29 @@ func (this *StaticController) ProjectsFile() {
 
 	object := filepath.Join("projects/", strings.TrimLeft(this.GetString(":splat"), "./"))
 	object = strings.ReplaceAll(object, "\\", "/")
+
 	// 不是音频和视频，直接跳转
 	if !this.isMedia(object) {
 		this.Redirect(this.OssDomain+"/"+object, 302)
 		return
 	}
 
-	// query := this.Ctx.Request.URL.Query()
 	// 签名验证
 	sign := this.GetString("sign")
-	if !this.isValidSign(sign) {
+	if !this.isValidSign(sign, object) {
 		// 签名验证不通过，需要再次验证书籍是否是用户的（针对编辑状态）
 		if !this.isBookOwner() {
 			this.Abort("404")
 			return
 		}
 	}
 
-	var expireInSec int64 = 2
+	if utils.IsSignUsed(sign) {
+		this.Abort("404")
+	}
+
 	if bucket, err := store.ModelStoreOss.GetBucket(); err == nil {
-		object, _ = bucket.SignURL(object, http.MethodGet, expireInSec)
+		object, _ = bucket.SignURL(object, http.MethodGet, utils.MediaDuration)
 		if slice := strings.Split(object, "/"); len(slice) > 2 {
 			object = strings.Join(slice[3:], "/")
 		}
@@ -152,6 +169,10 @@ func (this *StaticController) isBookOwner() (yes bool) {
 }
 
 // 是否是合法的签名（针对音频和视频，签名不可用的时候再验证用户有没有登录，用户登录了再验证用户是不是书籍所有人）
-func (this *StaticController) isValidSign(sign string) bool {
-	return false
+func (this *StaticController) isValidSign(sign, path string) bool {
+	signPath, err := utils.ParseSign(sign)
+	if err != nil {
+		return false
+	}
+	return signPath == path
 }

go.mod

@@ -17,6 +17,7 @@ require (
 	github.com/astaxie/beego v1.12.3
 	github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f // indirect
 	github.com/boombuler/barcode v1.0.0
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
 	github.com/disintegration/imaging v1.6.1
 	github.com/go-sql-driver/mysql v1.5.0
 	github.com/golang/protobuf v1.4.3 // indirect

go.sum

@@ -68,6 +68,8 @@ github.com/cupcake/rdb v0.0.0-20161107195141-43ba34106c76/go.mod h1:vYwsqCOLxGii
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
 github.com/disintegration/imaging v1.6.1 h1:JnBbK6ECIZb1NsWIikP9pd8gIlTIRx7fuDNpU9fsxOE=
 github.com/disintegration/imaging v1.6.1/go.mod h1:xuIt+sRxDFrHS0drzXUlCJthkJ8k7lkkUojDSR247MQ=
 github.com/edsrzf/mmap-go v0.0.0-20170320065105-0bce6a688712/go.mod h1:YO35OhQPt3KJa3ryjFM5Bs14WD66h8eGKpfaBNrHW5M=

utils/jwt.go

@@ -0,0 +1,95 @@
+package utils
+
+import (
+	"fmt"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/astaxie/beego"
+	"github.com/dgrijalva/jwt-go"
+)
+
+// CustomClaims CustomClaims
+type CustomClaims struct {
+	Path string
+	jwt.StandardClaims
+}
+
+var (
+	jwtSecret     = beego.AppConfig.DefaultString("jwt_secret", "bookstack.cn")
+	usedSign      sync.Map
+	MediaDuration int64 = beego.AppConfig.DefaultInt64("media_duration", 3600*5)
+)
+
+func init() {
+	go func() {
+		for {
+			time.Sleep(600 * time.Second)
+			clearExpireSign()
+		}
+	}()
+}
+
+func clearExpireSign() {
+	// 清除超过24小时
+	usedSign.Range(func(signMD5, timestamp interface{}) bool {
+		if time.Now().Unix()-timestamp.(int64) > MediaDuration {
+			usedSign.Delete(signMD5)
+		}
+		return true
+	})
+}
+
+// IsSignUsed 签名是否已被使用
+func IsSignUsed(sign string) bool {
+	signMD5 := MD5Sub16(sign)
+	if _, ok := usedSign.Load(signMD5); ok {
+		return true
+	}
+	usedSign.Store(signMD5, time.Now().Unix())
+	return false
+}
+
+// GenerateSign 生成token
+func GenerateSign(path string, expire ...time.Duration) (sign string, err error) {
+	path = strings.TrimLeft(path, "/")
+	// 默认过期时间为一个月
+	expireDuration := time.Now().Add(30 * 24 * time.Hour)
+	if len(expire) > 0 {
+		expireDuration = time.Now().Add(expire[0])
+	}
+
+	customClaims := &CustomClaims{
+		path,
+		jwt.StandardClaims{
+			ExpiresAt: expireDuration.Unix(),
+		},
+	}
+
+	// 将 uid，过期时间作为数据写入 token 中
+	jwtToken := jwt.NewWithClaims(jwt.SigningMethodHS256, customClaims)
+
+	// secret 用于对用户数据进行签名，不能暴露
+	return jwtToken.SignedString([]byte(jwtSecret))
+}
+
+// ParseSign 解析jwt token
+func ParseSign(sign string) (path string, err error) {
+	var token = &jwt.Token{}
+	token, err = jwt.ParseWithClaims(sign, &CustomClaims{}, func(token *jwt.Token) (interface{}, error) {
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
+		}
+		return []byte(jwtSecret), nil
+	})
+
+	if err != nil {
+		return
+	}
+
+	if claims, ok := token.Claims.(*CustomClaims); ok && token.Valid {
+		return strings.TrimLeft(claims.Path, "/"), nil
+	}
+	return "", err
+}