
refactor(webapi): remove ability to update without node_id & patch potential security risk

Cat 3 years ago
parent
commit
ec025068b0

+ 3 - 5
app/routes.php

@@ -290,17 +290,15 @@ return function (SlimApp $app): void {
     $app->group('/mod_mu', function (): void {
         // 流媒体检测
         $this->post('/media/saveReport', App\Controllers\Node\NodeController::class . ':saveReport');
-        // 其他
+        // 节点
         $this->get('/nodes/{id}/info', App\Controllers\Node\NodeController::class . ':getInfo');
         $this->post('/nodes/{id}/info', App\Controllers\Node\NodeController::class . ':info');
-        $this->get('/nodes', App\Controllers\Node\NodeController::class . ':getAllInfo');
-        $this->post('/nodes/config', App\Controllers\Node\NodeController::class . ':getConfig');
-
+        // 用户
         $this->get('/users', App\Controllers\Node\UserController::class . ':index');
         $this->post('/users/traffic', App\Controllers\Node\UserController::class . ':addTraffic');
         $this->post('/users/aliveip', App\Controllers\Node\UserController::class . ':addAliveIp');
         $this->post('/users/detectlog', App\Controllers\Node\UserController::class . ':addDetectLog');
-
+        // 审计 & 杂七杂八的功能
         $this->get('/func/detect_rules', App\Controllers\Node\FuncController::class . ':getDetectLogs');
         $this->post('/func/block_ip', App\Controllers\Node\FuncController::class . ':addBlockIp');
         $this->get('/func/block_ip', App\Controllers\Node\FuncController::class . ':getBlockip');

+ 2 - 7
src/Controllers/Node/FuncController.php

@@ -76,16 +76,11 @@ final class FuncController extends BaseController
 
         $data = $request->getParam('data');
         $node_id = $params['node_id'];
-        if ($node_id === '0') {
-            $node = Node::where('node_ip', $_SERVER['REMOTE_ADDR'])->first();
-            $node_id = $node->id;
-        }
         $node = Node::find($node_id);
         if ($node === null) {
-            $res = [
+            return $response->withJson([
                 'ret' => 0,
-            ];
-            return $response->withJson($res);
+            ]);
         }
 
         if (count($data) > 0) {
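Review bot: `$node_id = $params['node_id']` is still handed straight to `Node::find()` with no check that it is a scalar integer; if `Node` is an Eloquent model, `find()` given an array returns a Collection rather than `null`, so the `=== null` guard that the commit keeps would not reject a malformed `node_id` (the same shape appears in `NodeController::info`/`getInfo` and in `UserController::index`/`addTraffic` in this commit). With the `REMOTE_ADDR` fallback removed, the node identity here is entirely client-asserted, so whatever middleware guards the `/mod_mu` group (not visible in this diff) is the only thing binding the caller to the node it names. Assuming node ids are integers, validating up front also avoids the undefined-array-key warning when the field is absent: `$node_id = filter_var($params['node_id'] ?? null, FILTER_VALIDATE_INT);` followed by `if ($node_id === false) { return $response->withJson(['ret' => 0]); }`. The enclosing method starts before the hunk, so where `$params` comes from is not visible here.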

+ 0 - 75
src/Controllers/Node/NodeController.php

@@ -7,7 +7,6 @@ namespace App\Controllers\Node;
 use App\Controllers\BaseController;
 use App\Models\Node;
 use App\Models\StreamMedia;
-use App\Services\Config;
 use App\Utils\ResponseHelper;
 use Psr\Http\Message\ResponseInterface;
 use Slim\Http\Request;
@@ -20,21 +19,9 @@ final class NodeController extends BaseController
      */
     public function saveReport(Request $request, Response $response, array $args): void
     {
-        // $request_ip = $_SERVER["REMOTE_ADDR"];
         $node_id = $request->getParam('node_id');
         $content = $request->getParam('content');
         $result = \json_decode(base64_decode($content), true);
-
-        /* $node = Node::where('node_ip', $request_ip)->first();
-        if ($node != null) {
-            $report = new StreamMedia;
-            $report->node_id = $node->id;
-            $report->result = \json_encode($result);
-            $report->created_at = \time();
-            $report->save();
-            die('ok');
-        } */
-
         $report = new StreamMedia();
         $report->node_id = $node_id;
         $report->result = \json_encode($result);
@@ -49,10 +36,6 @@ final class NodeController extends BaseController
     public function info(Request $request, Response $response, array $args)
     {
         $node_id = $args['id'];
-        if ($node_id === '0') {
-            $node = Node::where('node_ip', $_SERVER['REMOTE_ADDR'])->first();
-            $node_id = $node->id;
-        }
         $load = $request->getParam('load');
         $uptime = $request->getParam('uptime');
         $node = Node::find($node_id);
@@ -78,10 +61,6 @@ final class NodeController extends BaseController
     public function getInfo(Request $request, Response $response, array $args): ResponseInterface
     {
         $node_id = $args['id'];
-        if ($node_id === '0') {
-            $node = Node::where('node_ip', $_SERVER['REMOTE_ADDR'])->first();
-            $node_id = $node->id;
-        }
         $node = Node::find($node_id);
         if ($node === null) {
             $res = [
@@ -113,58 +92,4 @@ final class NodeController extends BaseController
             'data' => $data,
         ]);
     }
-
-    /**
-     * @param array     $args
-     */
-    public function getAllInfo(Request $request, Response $response, array $args): ResponseInterface
-    {
-        $nodes = Node::where('node_ip', '<>', null)->where(
-            static function ($query): void {
-                $query->where('sort', '=', 0)
-                    ->orWhere('sort', '=', 10)
-                    ->orWhere('sort', '=', 12)
-                    ->orWhere('sort', '=', 13)
-                    ->orWhere('sort', '=', 14);
-            }
-        )->get();
-
-        return ResponseHelper::etagJson($request, $response, [
-            'ret' => 1,
-            'data' => $nodes,
-        ]);
-    }
-
-    /**
-     * @param array     $args
-     */
-    public function getConfig(Request $request, Response $response, array $args)
-    {
-        $data = $request->getParsedBody();
-        switch ($data['type']) {
-            case 'database':
-                $db_config = Config::getDbConfig();
-                $db_config['host'] = $this->getServerIP();
-                $res = [
-                    'ret' => 1,
-                    'data' => $db_config,
-                ];
-                break;
-        }
-        return $response->withJson($res);
-    }
-
-    private function getServerIP()
-    {
-        if (isset($_SERVER)) {
-            if ($_SERVER['SERVER_ADDR']) {
-                $serverIP = $_SERVER['SERVER_ADDR'];
-            } else {
-                $serverIP = $_SERVER['LOCAL_ADDR'];
-            }
-        } else {
-            $serverIP = getenv('SERVER_ADDR');
-        }
-        return $serverIP;
-    }
 }

+ 12 - 32
src/Controllers/Node/UserController.php

@@ -32,17 +32,13 @@ final class UserController extends BaseController
     public function index($request, $response, $args): ResponseInterface
     {
         $node_id = $request->getQueryParam('node_id');
-
-        if (!$node_id) {
-            $node = Node::where('node_ip', $request->getServerParam('REMOTE_ADDR'))->first();
-        } else {
-            $node = Node::where('id', '=', $node_id)->first();
-            if ($node === null) {
-                return $response->withJson([
-                    'ret' => 0,
-                ]);
-            }
+        $node = Node::find($node_id);
+        if ($node === null) {
+            return $response->withJson([
+                'ret' => 0,
+            ]);
         }
+
         $node->update(['node_heartbeat' => \time()]);
 
         if (($node->node_bandwidth_limit !== 0) && $node->node_bandwidth_limit < $node->node_bandwidth) {
@@ -132,10 +128,6 @@ final class UserController extends BaseController
         $data = $data->data;
 
         $node_id = $request->getQueryParam('node_id');
-        if (!$node_id) {
-            $node = Node::where('node_ip', $_SERVER['REMOTE_ADDR'])->first();
-            $node_id = $node->id;
-        }
         $node = Node::find($node_id);
 
         if ($node === null) {
@@ -145,7 +137,7 @@ final class UserController extends BaseController
         }
 
         $pdo = DB::getPdo();
-        $stat = $pdo->prepare('UPDATE user SET t = UNIX_TIMESTAMP(), u = u + ?, d = d + ? WHERE id = ?');
+        $stat = $pdo->prepare('UPDATE user SET t = UNIX_TIMESTAMP(), u = u + ?, d = d + ?, transfer_total = transfer_total + ? WHERE id = ?');
 
         $rate = (float) $node->traffic_rate;
         $sum = 0;
@@ -154,7 +146,7 @@ final class UserController extends BaseController
             $d = $log?->d;
             $user_id = $log?->user_id;
             if ($user_id) {
-                $stat->execute([(int) ($u * $rate), (int) ($d * $rate), $user_id]);
+                $stat->execute([(int) ($u * $rate), (int) ($d * $rate), (int) ($u + $d), $user_id]);
             }
             $sum += $u + $d;
         }
@@ -186,20 +178,14 @@ final class UserController extends BaseController
         $data = \json_decode($request->getBody()->__toString());
         if (!$data || !\is_array($data?->data)) {
             return $response->withJson([
-                'ret' => 1,
-                'data' => 'ok',
+                'ret' => 0,
             ]);
         }
         $data = $data->data;
 
         $node_id = $request->getQueryParam('node_id');
-        if (!$node_id) {
-            $node_id = Node::where('node_ip', $request->getServerParam('REMOTE_ADDR'))->value('id');
-        } elseif (!Node::where('id', $node_id)->exists()) {
-            $node_id = null;
-        }
 
-        if ($node_id === null) {
+        if ($node_id === null || !Node::where('id', $node_id)->exists()) {
             return $response->withJson([
                 'ret' => 0,
             ]);
@@ -237,20 +223,14 @@ final class UserController extends BaseController
         $data = \json_decode($request->getBody()->__toString());
         if (!$data || !\is_array($data?->data)) {
             return $response->withJson([
-                'ret' => 1,
-                'data' => 'ok',
+                'ret' => 0,
             ]);
         }
         $data = $data->data;
 
         $node_id = $request->getQueryParam('node_id');
-        if (!$node_id) {
-            $node_id = Node::where('node_ip', $request->getServerParam('REMOTE_ADDR'))->value('id');
-        } elseif (!Node::where('id', $node_id)->exists()) {
-            $node_id = null;
-        }
 
-        if ($node_id === null) {
+        if ($node_id === null || !Node::where('id', $node_id)->exists()) {
             return $response->withJson([
                 'ret' => 0,
             ]);