0xJacky / nginx-ui

Yet another WebUI for Nginx
https://nginxui.com
GNU Affero General Public License v3.0
5.07k stars 367 forks

Password too long prevents login #703

Open simonaries opened 6 hours ago

simonaries commented 6 hours ago

After completing registration, logging in with the username and password gives "incorrect username or password". I can confirm the password is the same. Looking at the log, I found a ban ip entry. I deployed on 192.168.1.8 and accessed it from a browser on 192.168.1.9.

2024/11/06 22:00:29 /home/runner/work/nginx-ui/nginx-ui/api/user/auth.go:53 [2.359ms] [rows:1] SELECT count(*) FROM ban_ips WHERE ban_ips.ip = "192.168.1.9" AND ban_ips.expired_at >= 1730901629 AND ban_ips.attempts >= 10

2024/11/06 22:00:29 /home/runner/work/nginx-ui/nginx-ui/model/user.go:40 [0.743ms] [rows:0] SELECT * FROM passkeys WHERE user_id = 1 AND passkeys.deleted_at IS NULL LIMIT 1

2024/11/06 22:00:29 /home/runner/work/nginx-ui/nginx-ui/internal/user/login.go:20 [2.952ms] [rows:1] SELECT * FROM auths WHERE auths.name = "simonaries" AND auths.deleted_at IS NULL ORDER BY auths.id LIMIT 1

2024/11/06 22:00:31 /home/runner/work/nginx-ui/nginx-ui/internal/user/login.go:38 [3.134ms] [rows:1] SELECT * FROM ban_ips WHERE ban_ips.ip = "192.168.1.9" ORDER BY ban_ips.ip LIMIT 1

2024/11/06 22:00:31 /home/runner/work/nginx-ui/nginx-ui/internal/user/login.go:40 [29.487ms] [rows:1] INSERT INTO ban_ips (ip,attempts,expired_at) VALUES ("192.168.1.9",1,1730902231)

2024/11/06 22:00:31 /home/runner/work/nginx-ui/nginx-ui/internal/user/login.go:46 [12.166ms] [rows:2] UPDATE ban_ips SET attempts=ban_ips.attempts+1 WHERE ban_ips.ip = "192.168.1.9"

[GIN] 2024/11/06 - 22:00:31 | 403 | 2.056718541s | 192.168.1.9 | POST "/api/login"

2024-11-06 22:04:18 DEBUG /home/runner/work/nginx-ui/nginx-ui/internal/cron/cron.go:68 clean expired auth tokens

2024/11/06 22:04:18 /home/runner/work/nginx-ui/nginx-ui/internal/cron/cron.go:70 [5.603ms] [rows:0] DELETE FROM auth_tokens WHERE auth_tokens.expired_at < 1730901858

0xJacky commented 6 hours ago

But that error just means the password is wrong.

simonaries commented 6 hours ago

I copy-pasted it. Is the password processed internally in some way, for example are some special characters stripped out?

0xJacky commented 6 hours ago

Give me the format of the password, for example which characters it contains, and I'll try it.

0xJacky commented 6 hours ago

Passwords are all hashed with bcrypt; of course the database doesn't store them in plaintext.

simonaries commented 6 hours ago

screen-capture.webm

kqsaNUG%GKV0s$Wk20#9VM!

simonaries commented 6 hours ago

bcrypt hashing is fine; what I mean is whether some special characters are being stripped out.

0xJacky commented 5 hours ago

Weird, I can log in normally.

0xJacky commented 5 hours ago

https://github.com/user-attachments/assets/11e88955-6857-4571-900c-73b1a392a51b

simonaries commented 5 hours ago

That's a bit weird.

0xJacky commented 5 hours ago

Did you deploy with the script?

simonaries commented 5 hours ago

Yes, deployed with the script. Could it be related to the platform? I deployed in a Debian VM on deploylinux, but that shouldn't matter either; I see everything runs fine.

0xJacky commented 5 hours ago

I'm also using Debian. Or could you try a different username and password?

simonaries commented 5 hours ago

giao, with a different username it works. I get it now. Probably the first time, when I registered, I used the username simonaries, and the password was this: kqsaNUG%GKV0s$Wk20#9VM!xwY_8%b1JEauTTuC6LgLHuT$omYQXauQ%v2MGTPv%VJWpQP$P%OrmfWUSINJ@udLHml7HdW. Logging in back then also said the password was wrong. Try this password. Later I deleted the ini file, restarted and registered again with the same username, but maybe the password couldn't be changed, so that username couldn't log in at all. I just switched to a different username and password and it's ok.

0xJacky commented 5 hours ago

I suspect it's over the length limit.

simonaries commented 5 hours ago

That's what I thought at first too, haha. I didn't pay attention at the time; it was an auto-generated password. But afterwards, when re-registering, I couldn't change the password, and there was no way to reset the database either; the only method I found was deleting the ini file and registering again.

0xJacky commented 5 hours ago

Bcrypt is the default password hashing algorithm on operating systems such as OpenBSD and SUSE Linux. But when using an implementation of the Bcrypt algorithm, note that it has a maximum password length limit, usually 50 to 72 characters; the exact limit depends on the specific Bcrypt implementation. Passwords exceeding the maximum length are truncated.

https://blog.csdn.net/chszs/article/details/60970765
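To make the length limit concrete, here is an added example; it is not nginx-ui's code and not from the thread. The limit is 72 bytes (not characters) for every bcrypt variant, because the Eksblowfish key setup XORs the password, read cyclically four bytes at a time, into the 18 words of the Blowfish P-array and never reads beyond byte index 71. `KeyScheduleWords` models just that step (it does not compute a hash), `SameBcryptKey` shows which passwords bcrypt cannot tell apart, and `ValidatePasswordLength` is the byte-count guard the maintainer says will be added. `ReporterPassword` is the password quoted in the thread; the function names are chosen here. The example goes one step past the thread by showing that a 25-character CJK password is already 75 bytes of UTF-8.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"unicode/utf8"
)

// BcryptMaxBytes is the number of password bytes the bcrypt key schedule
// actually consumes: the 18 words of the Blowfish P-array, 4 bytes each.
const BcryptMaxBytes = 72

// ReporterPassword is the long password quoted in the issue thread.
const ReporterPassword = `kqsaNUG%GKV0s$Wk20#9VM!xwY_8%b1JEauTTuC6LgLHuT$omYQXauQ%v2MGTPv%VJWpQP$P%OrmfWUSINJ@udLHml7HdW`

// KeyScheduleWords models how the bcrypt (Eksblowfish) key setup reads the
// password: a trailing NUL is appended for C-string compatibility and the
// bytes are consumed cyclically, four at a time, into the 18 P-array words.
// Only 18*4 = 72 bytes are ever read, so bytes at index 72 and beyond cannot
// influence the hash. This is a model of the key-reading step only; it does
// not compute a bcrypt hash.
func KeyScheduleWords(password []byte) [18]uint32 {
	key := append(append([]byte{}, password...), 0)
	var words [18]uint32
	j := 0
	for i := range words {
		var w uint32
		for k := 0; k < 4; k++ {
			w = w<<8 | uint32(key[j])
			j++
			if j >= len(key) {
				j = 0
			}
		}
		words[i] = w
	}
	return words
}

// SameBcryptKey reports whether two passwords feed identical key material into
// bcrypt, i.e. whether a bcrypt hash of one would verify against the other.
func SameBcryptKey(a, b []byte) bool {
	return KeyScheduleWords(a) == KeyScheduleWords(b)
}

// ErrPasswordTooLong is returned by the guard below (name chosen here).
var ErrPasswordTooLong = errors.New("password exceeds 72 bytes and would be silently truncated by bcrypt")

// ValidatePasswordLength is the guard to apply at registration and at login.
// It counts bytes, not characters: multi-byte UTF-8 passwords hit the limit
// far sooner than a "72 characters" rule would suggest.
func ValidatePasswordLength(password string) error {
	if len(password) > BcryptMaxBytes {
		return ErrPasswordTooLong
	}
	return nil
}

func main() {
	full := []byte(ReporterPassword)
	prefix := full[:BcryptMaxBytes]
	fmt.Printf("reporter's password: %d bytes; bcrypt reads the first %d\n", len(full), BcryptMaxBytes)
	fmt.Println("full vs 72-byte prefix, same key:", SameBcryptKey(full, prefix))

	// A change past byte 72 is invisible to bcrypt; a change inside it is not.
	tail := append([]byte{}, full...)
	tail[len(tail)-1] ^= 0x01
	head := append([]byte{}, full...)
	head[10] ^= 0x01
	fmt.Println("last byte flipped, same key:", SameBcryptKey(full, tail))
	fmt.Println("byte 10 flipped, same key:", SameBcryptKey(full, head))

	// Short passwords are not prefix-confusable: the appended NUL lands in a
	// different position, so "abc" and "abcabc" yield different key words.
	fmt.Println(`"abc" vs "abcabc", same key:`, SameBcryptKey([]byte("abc"), []byte("abcabc")))

	// Constructed CJK password: 25 runes but 75 bytes, so it is rejected.
	cjk := strings.Repeat("密", 25)
	fmt.Printf("%d runes, %d bytes: %v\n", utf8.RuneCountInString(cjk), len(cjk), ValidatePasswordLength(cjk))
	fmt.Println("reporter's password:", ValidatePasswordLength(ReporterPassword))
}
```

Two practical notes. Enforce the byte limit on both the registration and the login path, and report it to the user rather than silently truncating, otherwise a password manager's 94-character secret is accepted with only its first 72 bytes protecting the account. Recent versions of golang.org/x/crypto/bcrypt already return bcrypt.ErrPasswordTooLong from GenerateFromPassword for inputs over 72 bytes, so a registration handler that ignores that error, or a frontend that never surfaces it, produces exactly the "registered but cannot log in" symptom described in this thread.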

0xJacky commented 5 hours ago

Then I'll keep this issue open for now; later I'll limit the maximum password length.

simonaries commented 5 hours ago

ok