(Security) Fixed a critical security issue in the authentication service

Author: XIYUEKONGLING

OpenBioCardServer/Models/Entities/Token.cs

@@ -20,6 +20,9 @@ public class Token
     public DateTime CreatedAt { get; set; } = DateTime.UtcNow;
     public DateTime LastUsed { get; set; } = DateTime.UtcNow;
 
+    // Token过期时间（默认7天）
+    public DateTime ExpiresAt { get; set; } = DateTime.UtcNow.AddDays(7);
+    
     /// <summary>
     /// 设备信息（可选），用于标识设备
     /// </summary>
@@ -28,4 +31,7 @@ public class Token
 
     // Navigation property
     public Account Account { get; set; } = null!;
+    
+    // 检查Token是否过期
+    public bool IsExpired() => DateTime.UtcNow > ExpiresAt;
 }

OpenBioCardServer/Program.cs

@@ -97,6 +97,7 @@ await context.HttpContext.Response.WriteAsJsonAsync(new
         // Services
         builder.Services.AddScoped<ClassicAuthService>();
         builder.Services.AddScoped<AuthService>();
+        builder.Services.AddHostedService<TokenCleanupService>();
 
         var app = builder.Build();
 

OpenBioCardServer/Services/AuthService.cs

@@ -27,21 +27,20 @@ public AuthService(
         if (string.IsNullOrWhiteSpace(token))
             return (false, null);
 
-        // Check if it's a root token
-        if (token.StartsWith("root-"))
-        {
-            var rootAccount = await GetRootAccountAsync();
-            return (rootAccount != null, rootAccount);
-        }
-
         var tokenEntity = await _context.Tokens
             .Include(t => t.Account)
             .FirstOrDefaultAsync(t => t.TokenValue == token);
 
         if (tokenEntity == null)
             return (false, null);
+        
+        if (tokenEntity.IsExpired())
+        {
+            _context.Tokens.Remove(tokenEntity);
+            await _context.SaveChangesAsync();
+            return (false, null);
+        }
 
-        // Update last used timestamp
         tokenEntity.LastUsed = DateTime.UtcNow;
         await _context.SaveChangesAsync();
 
@@ -59,25 +58,41 @@ public AuthService(
 
     public async Task<string> CreateTokenAsync(Account account)
     {
-        string tokenValue = account.Type == UserType.Root
-            ? $"root-{Guid.NewGuid()}"
-            : Guid.NewGuid().ToString();
-
-        if (account.Type != UserType.Root)
+        const int maxTokensPerAccount = 10;
+    
+        var existingTokenCount = await _context.Tokens
+            .CountAsync(t => t.AccountId == account.Id && t.ExpiresAt > DateTime.UtcNow);
+    
+        if (existingTokenCount >= maxTokensPerAccount)
         {
-            var token = new Token
+            var oldestToken = await _context.Tokens
+                .Where(t => t.AccountId == account.Id)
+                .OrderBy(t => t.CreatedAt)
+                .FirstOrDefaultAsync();
+        
+            if (oldestToken != null)
             {
-                TokenValue = tokenValue,
-                AccountId = account.Id
-            };
-
-            _context.Tokens.Add(token);
-            await _context.SaveChangesAsync();
+                _context.Tokens.Remove(oldestToken);
+            }
         }
 
+        var tokenValue = Guid.NewGuid().ToString();
+
+        var token = new Token
+        {
+            TokenValue = tokenValue,
+            AccountId = account.Id,
+            DeviceInfo = account.Type == UserType.Root ? "Root Login" : null,
+            ExpiresAt = DateTime.UtcNow.AddDays(7)
+        };
+
+        _context.Tokens.Add(token);
+        await _context.SaveChangesAsync();
+
         return tokenValue;
     }
 
+
     public async Task<bool> HasAdminPermissionAsync(Account account) =>
         account.Type == UserType.Admin || account.Type == UserType.Root;
 

OpenBioCardServer/Services/ClassicAuthService.cs

@@ -23,22 +23,20 @@ public ClassicAuthService(
 
     public async Task<(bool isValid, Account? account)> ValidateTokenAsync(string token)
     {
-        // Check if it's a root token
-        if (token.StartsWith("root-"))
-        {
-            // For root, we don't store tokens in DB, just verify format and return root account
-            var rootAccount = await GetRootAccountAsync();
-            return (rootAccount != null, rootAccount);
-        }
-
         var tokenEntity = await _context.Tokens
             .Include(t => t.Account)
             .FirstOrDefaultAsync(t => t.TokenValue == token);
 
         if (tokenEntity == null)
             return (false, null);
+        
+        if (tokenEntity.IsExpired())
+        {
+            _context.Tokens.Remove(tokenEntity);
+            await _context.SaveChangesAsync();
+            return (false, null);
+        }
 
-        // Update last used timestamp
         tokenEntity.LastUsed = DateTime.UtcNow;
         await _context.SaveChangesAsync();
 
@@ -57,26 +55,36 @@ public ClassicAuthService(
 
     public async Task<string> CreateTokenAsync(Account account)
     {
-        string tokenValue;
-        
-        if (account.Type == UserType.Root)
+        const int maxTokensPerAccount = 10;
+    
+        var existingTokenCount = await _context.Tokens
+            .CountAsync(t => t.AccountId == account.Id && t.ExpiresAt > DateTime.UtcNow);
+    
+        if (existingTokenCount >= maxTokensPerAccount)
         {
-            // Root tokens have special format and are not stored in DB
-            tokenValue = $"root-{Guid.NewGuid()}";
+            var oldestToken = await _context.Tokens
+                .Where(t => t.AccountId == account.Id)
+                .OrderBy(t => t.CreatedAt)
+                .FirstOrDefaultAsync();
+        
+            if (oldestToken != null)
+            {
+                _context.Tokens.Remove(oldestToken);
+            }
         }
-        else
+
+        var tokenValue = Guid.NewGuid().ToString();
+
+        var token = new Token
         {
-            tokenValue = Guid.NewGuid().ToString();
-            
-            var token = new Token
-            {
-                TokenValue = tokenValue,
-                AccountId = account.Id
-            };
+            TokenValue = tokenValue,
+            AccountId = account.Id,
+            DeviceInfo = account.Type == UserType.Root ? "Root Login" : null,
+            ExpiresAt = DateTime.UtcNow.AddDays(7)
+        };
 
-            _context.Tokens.Add(token);
-            await _context.SaveChangesAsync();
-        }
+        _context.Tokens.Add(token);
+        await _context.SaveChangesAsync();
 
         return tokenValue;
     }

OpenBioCardServer/Services/TokenCleanupService.cs

@@ -0,0 +1,56 @@
+using Microsoft.EntityFrameworkCore;
+using OpenBioCardServer.Data;
+
+namespace OpenBioCardServer.Services;
+
+public class TokenCleanupService : BackgroundService
+{
+    private readonly IServiceProvider _services;
+    private readonly ILogger<TokenCleanupService> _logger;
+    private readonly TimeSpan _cleanupInterval = TimeSpan.FromHours(1);
+
+    public TokenCleanupService(
+        IServiceProvider services,
+        ILogger<TokenCleanupService> logger)
+    {
+        _services = services;
+        _logger = logger;
+    }
+
+    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+    {
+        _logger.LogInformation("Token cleanup service started");
+
+        while (!stoppingToken.IsCancellationRequested)
+        {
+            try
+            {
+                await CleanupExpiredTokensAsync();
+            }
+            catch (Exception ex)
+            {
+                _logger.LogError(ex, "Error cleaning expired tokens");
+            }
+
+            await Task.Delay(_cleanupInterval, stoppingToken);
+        }
+    }
+
+    private async Task CleanupExpiredTokensAsync()
+    {
+        using var scope = _services.CreateScope();
+        var context = scope.ServiceProvider.GetRequiredService<AppDbContext>();
+
+        var expiredTokens = await context.Tokens
+            .Where(t => t.ExpiresAt < DateTime.UtcNow)
+            .ToListAsync();
+
+        if (expiredTokens.Any())
+        {
+            context.Tokens.RemoveRange(expiredTokens);
+            await context.SaveChangesAsync();
+            
+            _logger.LogInformation("Cleared {{Count}} expired tokens", expiredTokens.Count);
+        }
+    }
+}