walinejs / waline

💬 A Simple, Safe Comment System
https://waline.js.org/en/
GNU General Public License v2.0

Admin panel cannot log in #56

Closed leirock closed 3 years ago

leirock commented 3 years ago

After deploying the latest waline + MiniValine I ran into a new problem: the admin panel cannot log in, and I also cannot re-register an account (this is the case with both LeanCloud and CloudBase). The browser console log in private mode is as follows:

admin:54 GET https://waline.dlzhang.com/token 403
admin:54 Error: 获取用户信息失败
    at admin:54
admin:54 POST https://waline.dlzhang.com/token 403

lizheming commented 3 years ago

At a glance it looks like a problem in the secure-domain handling. If you have configured secure domains, try removing them for now and it should work normally. I'll look into this part and fix it later.

leirock commented 3 years ago

Removing the secure domains still doesn't work.

MHuiG commented 3 years ago

Try deleting the admin account.

lizheming commented 3 years ago

@lei2rock Did you redeploy? From what I can see it doesn't seem to have taken effect?

leirock commented 3 years ago

> Try deleting the admin account.

After removing the secure domains, deleting Users and recreating the admin, then clearing the browser cache, I could register and log in.

lizheming commented 3 years ago

OK, this issue leaves two problems I need to follow up on later:

lizheming commented 3 years ago

Tested:

  1. After configuring secure domains, admin operations are not affected. The main thing is that this code checks that the referrer and the API request domain are the same origin: https://github.com/lizheming/waline/blob/master/packages/server/src/logic/base.js#L12
  2. Logging in on the same domain and then changing the secret, without the client being updated, makes login impossible. The main cause is that with "remember login" the token is saved in LocalStorage after login; afterwards the frontend treats the presence of a token as a logged-in state, but the API returns an error, which breaks this flow. The current handling is: when the get-login-info API returns a failure, perform a logout to clear the local token.

leirock commented 3 years ago
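An added example, not waline's own code, of the kind of secure-domain check the maintainer describes in point 1: the request's Origin or Referer host is compared against the SECURE_DOMAINS allowlist, ignoring the port (the direct-port Docker access case raised later in the thread) and never trusting the client-supplied Host header. The `isAllowedRequest` function and the header shape are assumptions.

```javascript
// Hostname of a Referer/Origin header value (lowercased, port dropped by the
// URL parser), or null if the header is missing or not a valid URL.
function refererHost(value) {
  if (!value) return null;
  try {
    return new URL(value).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Normalise an allowlist entry: lowercase, and strip any explicit port so a
// panel reached as waline.example:8360 still matches "waline.example".
function normalizeDomain(domain) {
  return String(domain).trim().toLowerCase().split(':')[0];
}

// headers: plain object of lowercased request headers (assumed shape).
// secureDomains: array of allowed hostnames, e.g. the SECURE_DOMAINS setting.
// Returns true when the request may proceed, false when it must be rejected.
function isAllowedRequest(headers, secureDomains) {
  const allow = new Set(secureDomains.map(normalizeDomain).filter(Boolean));
  // No allowlist configured: nothing to enforce.
  if (allow.size === 0) return true;

  // Origin is preferred (browsers send it on cross-site and POST requests);
  // fall back to Referer. The Host header is deliberately NOT consulted: it is
  // chosen by the client, so using it as the allowlist would let any caller
  // satisfy the check by sending a matching Host value.
  const origin = refererHost(headers.origin || headers.referer);
  // With an allowlist in force, a request whose origin cannot be established
  // is rejected; the panel's own domain must therefore be listed explicitly,
  // as the maintainer advises above.
  if (origin === null) return false;
  return allow.has(origin);
}

module.exports = { refererHost, normalizeDomain, isAllowedRequest };
```

A browser hitting the API from a page on an allowed domain passes; a request carrying only a matching Host header, or no Origin/Referer at all, does not.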

I just redeployed with docker and it still seems to fail. Should I delete the admin and try again? (The console errors are the same.)

lizheming commented 3 years ago

@lei2rock The admin panel's frontend code is served from a CDN address that caches, so it may take a while to take effect. You can also clear LocalStorage manually to handle it.

leirock commented 3 years ago

> @lei2rock The admin panel's frontend code is served from a CDN address that caches, so it may take a while to take effect. You can also clear LocalStorage manually to handle it.

After manually clearing LocalStorage it still doesn't work; docker re-pulled the image and redeployed.

lizheming commented 3 years ago

@lei2rock I took a look at https://waline.dlzhang.com and it still seems to be a SECURE_DOMAINS problem. Could you add waline.dlzhang.com to it and see?

leirock commented 3 years ago

> @lei2rock I took a look at https://waline.dlzhang.com and it still seems to be a SECURE_DOMAINS problem. Could you add waline.dlzhang.com to it and see?

That needs to be added too? Then I'll give it a try.

MHuiG commented 3 years ago

With the current logic, couldn't the secure-domain restriction be bypassed just by editing the hosts file to map the domain to localhost?

lizheming commented 3 years ago

@MHuiG If deployed with Vercel or Cloudbase, the remote machine has no mapping for the localhost domain, so the correct service can't be reached. For Docker deployment, the case of direct access via the port needs to be considered; that case needs to be handled specifically, and I'll add that later.

leirock commented 3 years ago

Still getting a wrong username or password error. [image]

leirock commented 3 years ago

[image]

leirock commented 3 years ago

I can register an account, but cannot log in.

lizheming commented 3 years ago

@lei2rock I just introduced a bug with that change 😓 It's fixed now; the admin-panel code will probably have to wait for the CDN cache to update.

leirock commented 3 years ago

I can log in now.

lizheming commented 3 years ago

@lei2rock Yes, and then I found another bug: the admin panel doesn't check admin permissions, so I could log in too 😓 Continuing to fix…