🔀 sync: sync upstream

model/log.go

@@ -9,9 +9,9 @@ import (
 )
 
 type Log struct {
-	Id               int    `json:"id;index:idx_created_at_id,priority:1"`
+	Id               int    `json:"id"`
 	UserId           int    `json:"user_id" gorm:"index"`
-	CreatedAt        int64  `json:"created_at" gorm:"bigint;index:idx_created_at_id,priority:2;index:idx_created_at_type"`
+	CreatedAt        int64  `json:"created_at" gorm:"bigint;index:idx_created_at_type"`
 	Type             int    `json:"type" gorm:"index:idx_created_at_type"`
 	Content          string `json:"content"`
 	Username         string `json:"username" gorm:"index:index_username_model_name,priority:2;default:''"`

model/token.go

@@ -3,8 +3,9 @@ package model
 import (
 	"errors"
 	"fmt"
-	"gorm.io/gorm"
 	"one-api/common"
+
+	"gorm.io/gorm"
 )
 
 type Token struct {
@@ -38,39 +39,43 @@ func ValidateUserToken(key string) (token *Token, err error) {
 		return nil, errors.New("未提供令牌")
 	}
 	token, err = CacheGetTokenByKey(key)
-	if err == nil {
-		if token.Status == common.TokenStatusExhausted {
-			return nil, errors.New("该令牌额度已用尽")
-		} else if token.Status == common.TokenStatusExpired {
-			return nil, errors.New("该令牌已过期")
+	if err != nil {
+		common.SysError("CacheGetTokenByKey failed: " + err.Error())
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, errors.New("无效的令牌")
 		}
-		if token.Status != common.TokenStatusEnabled {
-			return nil, errors.New("该令牌状态不可用")
-		}
-		if token.ExpiredTime != -1 && token.ExpiredTime < common.GetTimestamp() {
-			if !common.RedisEnabled {
-				token.Status = common.TokenStatusExpired
-				err := token.SelectUpdate()
-				if err != nil {
-					common.SysError("failed to update token status" + err.Error())
-				}
-			}
-			return nil, errors.New("该令牌已过期")
-		}
-		if !token.UnlimitedQuota && token.RemainQuota <= 0 {
-			if !common.RedisEnabled {
-				// in this case, we can make sure the token is exhausted
-				token.Status = common.TokenStatusExhausted
-				err := token.SelectUpdate()
-				if err != nil {
-					common.SysError("failed to update token status" + err.Error())
-				}
-			}
-			return nil, errors.New("该令牌额度已用尽")
-		}
-		return token, nil
+		return nil, errors.New("令牌验证失败")
 	}
-	return nil, errors.New("无效的令牌")
+	if token.Status == common.TokenStatusExhausted {
+		return nil, errors.New("该令牌额度已用尽")
+	} else if token.Status == common.TokenStatusExpired {
+		return nil, errors.New("该令牌已过期")
+	}
+	if token.Status != common.TokenStatusEnabled {
+		return nil, errors.New("该令牌状态不可用")
+	}
+	if token.ExpiredTime != -1 && token.ExpiredTime < common.GetTimestamp() {
+		if !common.RedisEnabled {
+			token.Status = common.TokenStatusExpired
+			err := token.SelectUpdate()
+			if err != nil {
+				common.SysError("failed to update token status" + err.Error())
+			}
+		}
+		return nil, errors.New("该令牌已过期")
+	}
+	if !token.UnlimitedQuota && token.RemainQuota <= 0 {
+		if !common.RedisEnabled {
+			// in this case, we can make sure the token is exhausted
+			token.Status = common.TokenStatusExhausted
+			err := token.SelectUpdate()
+			if err != nil {
+				common.SysError("failed to update token status" + err.Error())
+			}
+		}
+		return nil, errors.New("该令牌额度已用尽")
+	}
+	return token, nil
 }
 
 func GetTokenByIds(id int, userId int) (*Token, error) {

model/user.go

@@ -139,7 +139,15 @@ func (user *User) ValidateAndFill() (err error) {
 	if user.Username == "" || password == "" {
 		return errors.New("用户名或密码为空")
 	}
-	DB.Where(User{Username: user.Username}).First(user)
+	err = DB.Where("username = ?", user.Username).First(user).Error
+	if err != nil {
+		// we must make sure check username firstly
+		// consider this case: a malicious user set his username as other's email
+		err := DB.Where("email = ?", user.Username).First(user).Error
+		if err != nil {
+			return errors.New("用户名或密码错误，或用户已被封禁")
+		}
+	}
 	okay := common.ValidatePasswordAndHash(password, user.Password)
 	if !okay || user.Status != common.UserStatusEnabled {
 		return errors.New("用户名或密码错误，或用户已被封禁")