ResourceOwnerPasswordValidator 必并必验证图形验证码

Author: zlzforever

.github/workflows/docker-image.yml

@@ -17,6 +17,6 @@ jobs:
       - name: Login docker regsitry
         run: docker login -u zlzforever -p  ${{ secrets.DOCKER_USER_PASSWORD }}
       - name: Build the Docker image
-        run: docker build . --file Dockerfile --tag zlzforever/security-token-service:20251224.7
+        run: docker build . --file Dockerfile --tag zlzforever/security-token-service:20251224.8
       - name: Publish the Docker image
-        run: docker push zlzforever/security-token-service:20251224.7
+        run: docker push zlzforever/security-token-service:20251224.8

src/Client/Client.csproj

@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
     <PropertyGroup>
-        <TargetFramework>net6.0</TargetFramework>
+        <TargetFramework>net9.0</TargetFramework>
         <OutputType>Exe</OutputType>
     </PropertyGroup>
 

src/SecurityTokenService/Controllers/AccountController.cs

@@ -60,7 +60,7 @@ public async Task<IActionResult> ResetPasswordByOriginPassword(
             return new ObjectResult(modelErrorResult);
         }
 
-        var checkCaptchaResult = CheckCaptcha(input.CaptchaCode);
+        var checkCaptchaResult = Util.CheckCaptcha(memoryCache, logger, Request, input.CaptchaCode);
         if (checkCaptchaResult != null)
         {
             return new ObjectResult(checkCaptchaResult);
@@ -190,7 +190,7 @@ public async Task<IActionResult> Login([FromBody] Inputs.V1.LoginInput model)
             return new ObjectResult(new RedirectResult("/"));
         }
 
-        var checkCaptchaResult = CheckCaptcha(model.CaptchaCode);
+        var checkCaptchaResult = Util.CheckCaptcha(memoryCache, logger, Request, model.CaptchaCode);
         if (checkCaptchaResult != null)
         {
             return new ObjectResult(checkCaptchaResult);
@@ -385,7 +385,7 @@ public async Task<ApiResult> SendCode([FromBody] Inputs.V1.SendCode input)
             return new ApiResult { Code = 429, Message = "验证码发送过于频繁，请稍后再试", Success = false };
         }
 
-        var checkCaptchaResult = CheckCaptcha(input.CaptchaCode);
+        var checkCaptchaResult = Util.CheckCaptcha(memoryCache, logger, Request, input.CaptchaCode);
         if (checkCaptchaResult != null)
         {
             return checkCaptchaResult;
@@ -607,38 +607,6 @@ private async Task<ApiResult> SendCodeAsync(string key, Inputs.V1.SendCode input
         }
     }
 
-    private ApiResult CheckCaptcha(string captchaCode)
-    {
-        var captchaId = Request.Cookies["CaptchaId"];
-        if (string.IsNullOrEmpty(captchaId))
-        {
-            captchaId = Request.Headers["Z-CaptchaId"];
-        }
-
-        if (string.IsNullOrEmpty(captchaId))
-        {
-            return new ApiResult { Code = Errors.VerifyCodeIsExpired, Success = false, Message = "验证码已过期， 请刷新" };
-        }
-
-        var cacheKey = string.Format(Util.CaptchaTtlKey, captchaId);
-        var realCaptchaCode = memoryCache.Get<string>(cacheKey);
-        // 步骤3：校验验证码
-        if (string.IsNullOrEmpty(realCaptchaCode))
-        {
-            return new ApiResult { Code = Errors.VerifyCodeIsExpired, Success = false, Message = "验证码已过期， 请刷新" };
-        }
-
-        if (!string.Equals(realCaptchaCode, captchaCode, StringComparison.OrdinalIgnoreCase))
-        {
-            logger.LogError("图形验证码校验失败, {CaptchaId} {RealCaptchaCode} {Actual}", captchaId, realCaptchaCode,
-                captchaCode);
-            return new ApiResult { Code = Errors.VerifyCodeIsInCorrect, Success = false, Message = "验证码错误" };
-        }
-
-        // 步骤4：验证码验证通过后，删除缓存（防止重复使用）
-        memoryCache.Remove(cacheKey);
-        return null;
-    }
 
     private async Task<ApiResult> CheckUserAvailableAsync(User user)
     {

src/SecurityTokenService/IdentityServer/ResourceOwnerPasswordValidator.cs

@@ -2,23 +2,49 @@
 using IdentityModel;
 using IdentityServer4.Models;
 using IdentityServer4.Validation;
+using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Caching.Memory;
+using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using SecurityTokenService.Identity;
+using SecurityTokenService.Utils;
 
 namespace SecurityTokenService.IdentityServer;
 
 public class ResourceOwnerPasswordValidator(
     IOptionsMonitor<IdentityExtensionOptions> identityExtensionOptions,
     UserManager<User> userManager,
+    IMemoryCache memoryCache,
+    ILogger<ResourceOwnerPasswordValidator> logger,
+    IHttpContextAccessor contextAccessor,
     SignInManager<User> signInManager)
     : IResourceOwnerPasswordValidator
 {
     private readonly IdentityExtensionOptions _identityExtensionOptions = identityExtensionOptions.CurrentValue;
 
     public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
     {
+        if (contextAccessor.HttpContext == null)
+        {
+            context.Result = new GrantValidationResult(
+                TokenRequestErrors.InvalidRequest,
+                "invalid_request");
+            return;
+        }
+
+        var request = contextAccessor.HttpContext.Request;
+        var captchaCode = context.Request.Raw["CaptchaCode"];
+        var checkCaptchaResult = Util.CheckCaptcha(memoryCache, logger, request, captchaCode);
+        if (checkCaptchaResult != null)
+        {
+            context.Result = new GrantValidationResult(
+                TokenRequestErrors.InvalidRequest,
+                "invalid_captcha_code");
+            return;
+        }
+
         User user;
         if (string.IsNullOrWhiteSpace(_identityExtensionOptions.SoftDeleteColumn))
         {
@@ -34,15 +60,15 @@ public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
                     (x.UserName == context.UserName || x.Email == context.UserName ||
                      x.PhoneNumber == context.UserName));
         }
-        
+
         if (user == null)
         {
             context.Result = new GrantValidationResult(
                 TokenRequestErrors.InvalidGrant,
                 "invalid_username");
             return;
         }
-        
+
         var result = await signInManager.PasswordSignInAsync(user, context.Password,
             false, false);
         if (result.Succeeded)
@@ -52,6 +78,7 @@ public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
                 OidcConstants.AuthenticationMethods.Password);
             return;
         }
+
         context.Result = new GrantValidationResult(
             TokenRequestErrors.InvalidGrant,
             "invalid_password");

src/SecurityTokenService/Middlewares/DecryptRequestMiddleware.cs

@@ -70,7 +70,7 @@ public async Task InvokeAsync(HttpContext context, ILogger<DecryptRequestMiddlew
                     return;
                 }
 
-                using var ase = Util.CreateAesEcb(encryptKey);
+                using var ase = Util.CreateAes(encryptKey);
                 // 前端固定对称加密的 KEY，仅应用对 WF 对一些敏感数据的拦截。
                 await DecryptV1Body(context, ase, logger);
             }
@@ -110,7 +110,7 @@ private static async Task DecryptV1Body(HttpContext context, Aes aes, ILogger<De
             // 处理兼容问题,替换掉双引号的字符串
             var replaceBodyContent = bodyContent.Replace("\"", "");
             // 解密请求body
-            var decryptedBody = Util.AesEcbDecrypt(aes, replaceBodyContent);
+            var decryptedBody = Util.AesDecrypt(aes, replaceBodyContent);
             logger.LogDebug($"DecryptRequestMiddleware_V1_解密:{System.Text.Encoding.UTF8.GetString(decryptedBody)}");
             context.Request.Body = new MemoryStream(decryptedBody);
         }

src/SecurityTokenService/Utils/Util.cs

@@ -2,6 +2,11 @@
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
 using System.Text;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Caching.Memory;
+using Microsoft.Extensions.Logging;
+using SecurityTokenService.Controllers;
+
 
 namespace SecurityTokenService.Utils;
 
@@ -25,6 +30,40 @@ public static class Util
     public const string PurposeLogin = "Login";
     public const string PurposeRegister = "Register";
 
+    public static ApiResult CheckCaptcha(IMemoryCache memoryCache, ILogger logger, HttpRequest request,
+        string captchaCode)
+    {
+        var captchaId = request.Cookies["CaptchaId"];
+        if (string.IsNullOrEmpty(captchaId))
+        {
+            captchaId = request.Headers["Z-CaptchaId"];
+        }
+
+        if (string.IsNullOrEmpty(captchaId))
+        {
+            return new ApiResult { Code = Errors.VerifyCodeIsExpired, Success = false, Message = "验证码已过期， 请刷新" };
+        }
+
+        var cacheKey = string.Format(CaptchaTtlKey, captchaId);
+        var realCaptchaCode = memoryCache.Get<string>(cacheKey);
+        // 步骤3：校验验证码
+        if (string.IsNullOrEmpty(realCaptchaCode))
+        {
+            return new ApiResult { Code = Errors.VerifyCodeIsExpired, Success = false, Message = "验证码已过期， 请刷新" };
+        }
+
+        if (!string.Equals(realCaptchaCode, captchaCode, StringComparison.OrdinalIgnoreCase))
+        {
+            logger.LogError("图形验证码校验失败, {CaptchaId} {RealCaptchaCode} {Actual}", captchaId, realCaptchaCode,
+                captchaCode);
+            return new ApiResult { Code = Errors.VerifyCodeIsInCorrect, Success = false, Message = "验证码错误" };
+        }
+
+        // 步骤4：验证码验证通过后，删除缓存（防止重复使用）
+        memoryCache.Remove(cacheKey);
+        return null;
+    }
+
     public static void GenerateCertificate(string path)
     {
         // 设置证书的有效期
@@ -50,27 +89,29 @@ public static void GenerateCertificate(string path)
         System.IO.File.WriteAllBytes(path, certBytes);
     }
 
-    public static Aes CreateAesEcb(string key)
+    public static Aes CreateAes(string key, CipherMode cipherMode = CipherMode.ECB,
+        PaddingMode paddingMode = PaddingMode.PKCS7)
     {
         var keyArray = Encoding.UTF8.GetBytes(key);
         var aes = Aes.Create();
         aes.Key = keyArray;
-        aes.Mode = CipherMode.ECB;
-        aes.Padding = PaddingMode.PKCS7;
+        aes.Mode = cipherMode;
+        aes.Padding = paddingMode;
         return aes;
     }
 
-    public static string CreateAesKey()
+    public static string CreateAesKey(CipherMode cipherMode = CipherMode.ECB,
+        PaddingMode paddingMode = PaddingMode.PKCS7, int size = 128)
     {
         var aes = Aes.Create();
-        aes.Mode = CipherMode.ECB;
-        aes.Padding = PaddingMode.PKCS7;
-        aes.KeySize = 128; // 可以设置为 128、192 或 256 位
+        aes.Mode = cipherMode;
+        aes.Padding = paddingMode;
+        aes.KeySize = size; // 可以设置为 128、192 或 256 位
         aes.GenerateKey();
         return Convert.ToBase64String(aes.Key);
     }
 
-    public static byte[] AesEcbDecrypt(Aes aes, string text)
+    public static byte[] AesDecrypt(Aes aes, string text)
     {
         var toEncryptArray = Convert.FromBase64String(text);
         using var decrypt = aes.CreateDecryptor();

src/SecurityTokenService/sts.json

@@ -102,7 +102,8 @@
       "AllowAccessTokensViaBrowser": true,
       "RequireConsent": false,
       "AllowedGrantTypes": [
-        "authorization_code"
+        "authorization_code",
+        "password"
       ],
       "AllowOfflineAccess": true,
       "IdentityTokenLifetime": 108000,