feat: magic-dash-pro模板登录功能安全化升级，使用rsa加密传输代替原有的明文密码传输

Author: CNFeffery

.gitignore

@@ -1,4 +1,5 @@
 __pycache__/
 dist/
 **/*.db
-.vscode/
+.vscode/
+*.pem

magic_dash/templates/magic-dash-pro/assets/js/basic_callbacks.js

@@ -139,6 +139,60 @@ window.dash_clientside = Object.assign({}, window.dash_clientside, {
                     [true, 'antd-full-screen-exit'] :
                     [false, 'antd-full-screen']
             )
+        },
+        // 使用Web Crypto API加密密码
+        encryptPassword: async (password, publicKeyPem) => {
+            if (!password || !publicKeyPem) {
+                return null;
+            }
+
+            // 将PEM格式的公钥转换为ArrayBuffer
+            const pemHeader = '-----BEGIN PUBLIC KEY-----';
+            const pemFooter = '-----END PUBLIC KEY-----';
+            const pemContents = publicKeyPem
+                .replace(pemHeader, '')
+                .replace(pemFooter, '')
+                .replace(/\s/g, '');
+
+            const binaryString = window.atob(pemContents);
+            const bytes = new Uint8Array(binaryString.length);
+            for (let i = 0; i < binaryString.length; i++) {
+                bytes[i] = binaryString.charCodeAt(i);
+            }
+
+            // 导入公钥
+            const publicKey = await window.crypto.subtle.importKey(
+                'spki',
+                bytes.buffer,
+                {
+                    name: 'RSA-OAEP',
+                    hash: 'SHA-256'
+                },
+                false,
+                ['encrypt']
+            );
+
+            // 加密密码
+            const encoder = new TextEncoder();
+            const passwordData = encoder.encode(password);
+
+            const encryptedData = await window.crypto.subtle.encrypt(
+                {
+                    name: 'RSA-OAEP'
+                },
+                publicKey,
+                passwordData
+            );
+
+            // 将加密后的数据转换为Base64字符串
+            const encryptedBytes = new Uint8Array(encryptedData);
+            let binary = '';
+            for (let i = 0; i < encryptedBytes.byteLength; i++) {
+                binary += String.fromCharCode(encryptedBytes[i]);
+            }
+            const encryptedBase64 = window.btoa(binary);
+
+            return encryptedBase64;
         }
     }
 });

magic_dash/templates/magic-dash-pro/callbacks/login_c.py

@@ -7,30 +7,56 @@
 from dash import set_props, dcc
 from flask_login import login_user
 import feffery_antd_components as fac
-from dash.dependencies import Input, Output, State
 from flask_principal import identity_changed, Identity
+from dash.dependencies import Input, Output, State, ClientsideFunction
 
 from server import app, User
 from models.users import Users
 from configs import BaseConfig
 from models.logs import LoginLogs
+from utils.crypto_utils import decrypt_password
+
+
+app.clientside_callback(
+    # 基于浏览器内置Web Crypto API加密密码
+    ClientsideFunction(namespace="clientside_basic", function_name="encryptPassword"),
+    Output("login-password-crypto", "data"),
+    Input("login-password", "value"),
+    State("login-rsa-pubkey", "data"),
+)
 
 
 @app.callback(
-    [Output("login-form", "helps"), Output("login-form", "validateStatuses")],
+    [
+        Output("login-user-name-form-item", "help"),
+        Output("login-password-form-item", "help"),
+        Output("login-user-name-form-item", "validateStatus"),
+        Output("login-password-form-item", "validateStatus"),
+    ],
     [Input("login-button", "nClicks"), Input("login-password", "nSubmit")],
-    [State("login-form", "values"), State("login-remember-me", "checked")],
+    [
+        State("login-user-name", "value"),
+        State("login-password-crypto", "data"),
+        State("login-remember-me", "checked"),
+    ],
     running=[
         [Output("login-button", "loading"), True, False],
     ],
     prevent_initial_call=True,
 )
-def handle_login(nClicks, nSubmit, values, remember_me):
+def handle_login(nClicks, nSubmit, user_name, password_crypto, remember_me):
     """处理用户登录逻辑"""
 
     time.sleep(0.25)
 
-    values = values or {}
+    # 解密前端传输的加密密码
+    password = decrypt_password(password_crypto)
+
+    # 构造兼容原有判断逻辑的表单values
+    values = {
+        "login-user-name": user_name,
+        "login-password": password,
+    }
 
     # 提取当前登录行为对应的系统、浏览器信息
     user_agent = parse(str(request.user_agent))
@@ -55,15 +81,11 @@ def handle_login(nClicks, nSubmit, values, remember_me):
 
         return [
             # 表单帮助信息
-            {
-                "用户名": "请输入用户名" if not values.get("login-user-name") else None,
-                "密码": "请输入密码" if not values.get("login-password") else None,
-            },
+            "请输入用户名" if not values.get("login-user-name") else None,
+            "请输入密码" if not values.get("login-password") else None,
             # 表单帮助状态
-            {
-                "用户名": "error" if not values.get("login-user-name") else None,
-                "密码": "error" if not values.get("login-password") else None,
-            },
+            "error" if not values.get("login-user-name") else None,
+            "error" if not values.get("login-password") else None,
         ]
 
     # 校验用户登录信息
@@ -96,9 +118,11 @@ def handle_login(nClicks, nSubmit, values, remember_me):
 
         return [
             # 表单帮助信息
-            {"用户名": "用户不存在"},
+            "用户不存在",
+            None,
             # 表单帮助状态
-            {"用户名": "error"},
+            "error",
+            None,
         ]
 
     else:
@@ -129,9 +153,11 @@ def handle_login(nClicks, nSubmit, values, remember_me):
 
             return [
                 # 表单帮助信息
-                {"密码": "密码错误"},
+                None,
+                "密码错误",
                 # 表单帮助状态
-                {"密码": "error"},
+                None,
+                "error",
             ]
 
         # 更新用户信息表session_token字段
@@ -174,4 +200,4 @@ def handle_login(nClicks, nSubmit, values, remember_me):
             login_datetime=datetime.now().strftime("%Y-%m-%d %H:%M:%S"),
         )
 
-    return [{}, {}]
+    return [None] * 4

magic_dash/templates/magic-dash-pro/configs/__init__.py

@@ -2,3 +2,4 @@
 from .router_config import RouterConfig  # noqa: F401
 from .layout_config import LayoutConfig  # noqa: F401
 from .auth_config import AuthConfig  # noqa: F401
+from .database_config import DatabaseConfig  # noqa: F401

magic_dash/templates/magic-dash-pro/configs/base_config.py

@@ -50,3 +50,9 @@ class BaseConfig:
     fullscreen_watermark_generator: Callable = (
         lambda current_user: current_user.user_name
     )
+
+    # 用于登录密码加密传输的RSA公钥文件路径
+    rsa_public_key_path: str = "magic_dash_pro_public_key.pem"
+
+    # 用于登录密码加密传输的RSA私钥文件路径
+    rsa_private_key_path: str = "magic_dash_pro_private_key.pem"

magic_dash/templates/magic-dash-pro/models/init_db.py

@@ -1,22 +1,68 @@
+import os
 import questionary
 from rich.console import Console
 from rich.panel import Panel
 from rich.text import Text
 from werkzeug.security import generate_password_hash
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.backends import default_backend
 
 from models import db
 
 # 导入相关数据表模型
 from .users import Users
 from .departments import Departments
-from configs import AuthConfig
+from configs import AuthConfig, BaseConfig
 
 # 创建rich console实例
 console = Console()
 
 # 创建表（如果表不存在）
 db.create_tables([Users, Departments])
 
+
+def generate_rsa_key_pair():
+    """生成RSA密钥对并保存到项目根目录"""
+
+    private_key_path = BaseConfig.rsa_private_key_path
+    public_key_path = BaseConfig.rsa_public_key_path
+
+    # 生成RSA密钥对
+    private_key = rsa.generate_private_key(
+        public_exponent=65537, key_size=2048, backend=default_backend()
+    )
+
+    # 序列化私钥
+    private_pem = private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.PKCS8,
+        encryption_algorithm=serialization.NoEncryption(),
+    )
+
+    # 序列化公钥
+    public_key = private_key.public_key()
+    public_pem = public_key.public_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PublicFormat.SubjectPublicKeyInfo,
+    )
+
+    # 保存到文件
+    with open(private_key_path, "wb") as f:
+        f.write(private_pem)
+
+    with open(public_key_path, "wb") as f:
+        f.write(public_pem)
+
+
+def check_rsa_keys_exist():
+    """检查RSA密钥对文件是否已存在"""
+
+    return os.path.exists(BaseConfig.rsa_private_key_path) and os.path.exists(
+        BaseConfig.rsa_public_key_path
+    )
+
+
 # 统一的questionary样式
 custom_style = questionary.Style(
     [
@@ -43,6 +89,68 @@
     executed_operations = []
     admin_created = False
 
+    # 0. RSA密钥对生成
+    console.print("\n[dim]请确认以下安全密钥操作：[/dim]\n")
+
+    # 检查是否已存在RSA密钥对
+    if check_rsa_keys_exist():
+        # 已存在密钥，询问是否覆盖
+        confirm_override = questionary.confirm(
+            f"检测到已存在RSA密钥对文件（{BaseConfig.rsa_private_key_path} 和 {BaseConfig.rsa_public_key_path}），是否重新生成并覆盖？",
+            default=False,
+            style=custom_style,
+        ).ask()
+
+        if confirm_override:
+            try:
+                generate_rsa_key_pair()
+                executed_operations.append(
+                    (
+                        "RSA密钥对",
+                        f"已重新生成并覆盖\n    私钥: {BaseConfig.rsa_private_key_path}\n    公钥: {BaseConfig.rsa_public_key_path}",
+                        "yellow",
+                        "green",
+                    )
+                )
+            except Exception as e:
+                executed_operations.append(
+                    ("RSA密钥对", f"重新生成失败: {str(e)}", "yellow", "red")
+                )
+        else:
+            executed_operations.append(
+                (
+                    "RSA密钥对",
+                    f"保留现有密钥文件\n    私钥: {BaseConfig.rsa_private_key_path}\n    公钥: {BaseConfig.rsa_public_key_path}",
+                    "dim",
+                    "dim",
+                )
+            )
+    else:
+        # 不存在密钥，询问是否生成
+        confirm_generate = questionary.confirm(
+            "当前项目根目录中不存在RSA密钥对文件，是否生成新的RSA密钥对？",
+            default=True,
+            style=custom_style,
+        ).ask()
+
+        if confirm_generate:
+            try:
+                generate_rsa_key_pair()
+                executed_operations.append(
+                    (
+                        "RSA密钥对",
+                        f"已生成\n    私钥: {BaseConfig.rsa_private_key_path}\n    公钥: {BaseConfig.rsa_public_key_path}",
+                        "yellow",
+                        "green",
+                    )
+                )
+            except Exception as e:
+                executed_operations.append(
+                    ("RSA密钥对", f"生成失败: {str(e)}", "yellow", "red")
+                )
+        else:
+            executed_operations.append(("RSA密钥对", "已跳过生成", "dim", "dim"))
+
     # 1. 询问是否重置部门表
     console.print("\n[dim]请确认以下数据库操作：[/dim]\n")
     confirm_departments = questionary.confirm(

magic_dash/templates/magic-dash-pro/requirements.txt

@@ -9,3 +9,4 @@ flask-compress
 flask-principal
 yarl
 pandas
+cryptography