fix: security and cross-platform improvements for player APIs

zaigie · claude · zaigie · commit 20cbfd38a26f · 2026-02-10T13:53:51.000+08:00
- Fix OptionalJWTMiddleware panic on non-standard Authorization headers
- Hide sensitive fields (ip, steamId, userId) in /api/online_player for unauthenticated users
- Unify userId hiding logic between listPlayers and getPlayer (keep platform prefix)
- Support cross-platform userId for kick/ban/unban operations
- Use safe delimiter "|" in frontend RCON player value to prevent split issues

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/api/player.go b/api/player.go
@@ -19,6 +19,18 @@ const (
 	OrderByLevel      PlayerOrderBy = "level"
 )
 
+// getPlayerActionUserId 获取用于 kick/ban/unban 操作的 userId
+// 优先使用完整的 UserId（支持跨平台），兜底使用 steam_ + SteamId
+func getPlayerActionUserId(player database.Player) string {
+	if player.UserId != "" {
+		return player.UserId
+	}
+	if player.SteamId != "" {
+		return fmt.Sprintf("steam_%s", player.SteamId)
+	}
+	return ""
+}
+
 // listOnlinePlayers godoc
 //
 //	@Summary		List Online Players
@@ -37,6 +49,16 @@ func listOnlinePlayers(c *gin.Context) {
 		return
 	}
 	service.PutPlayersOnline(database.GetDB(), onlinePLayers)
+	// 未登录隐藏敏感字段
+	if !c.GetBool("loggedIn") {
+		for i := range onlinePLayers {
+			onlinePLayers[i].Ip = ""
+			if onlinePLayers[i].UserId != "" {
+				onlinePLayers[i].UserId = strings.Split(onlinePLayers[i].UserId, "_")[0] + "_"
+			}
+			onlinePLayers[i].SteamId = ""
+		}
+	}
 	c.JSON(http.StatusOK, onlinePLayers)
 }
 
@@ -148,7 +170,9 @@ func getPlayer(c *gin.Context) {
 	//未登录隐藏字段
 	if !c.GetBool("loggedIn") {
 		player.Ip = ""
-		player.UserId = ""
+		if player.UserId != "" {
+			player.UserId = strings.Split(player.UserId, "_")[0] + "_"
+		}
 		player.SteamId = ""
 	}
 	c.JSON(http.StatusOK, player)
@@ -180,7 +204,7 @@ func kickPlayer(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
 	}
-	err = tool.KickPlayer(fmt.Sprintf("steam_%s", player.SteamId))
+	err = tool.KickPlayer(getPlayerActionUserId(player))
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
@@ -214,7 +238,7 @@ func banPlayer(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
 	}
-	err = tool.BanPlayer(fmt.Sprintf("steam_%s", player.SteamId))
+	err = tool.BanPlayer(getPlayerActionUserId(player))
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
@@ -248,7 +272,7 @@ func unbanPlayer(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
 	}
-	err = tool.UnBanPlayer(fmt.Sprintf("steam_%s", player.SteamId))
+	err = tool.UnBanPlayer(getPlayerActionUserId(player))
 	if err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
 		return
diff --git a/api/router.go b/api/router.go
@@ -67,14 +67,14 @@ func RegisterRouter(r *gin.Engine) {
 		anonymousGroup.GET("/server", getServer)
 		anonymousGroup.GET("/server/tool", getServerTool)
 		anonymousGroup.GET("/server/metrics", getServerMetrics)
-		anonymousGroup.GET("/online_player", listOnlinePlayers)
 		anonymousGroup.GET("/guild", listGuilds)
 		anonymousGroup.GET("/guild/:admin_player_uid", getGuild)
 	}
 	// 根据登录状态返回不同结果
 	OptionalGroup := apiGroup.Group("")
 	OptionalGroup.Use(auth.OptionalJWTMiddleware())
 	{
+		OptionalGroup.GET("/online_player", listOnlinePlayers)
 		OptionalGroup.GET("/player", listPlayers)
 		OptionalGroup.GET("/player/:player_uid", getPlayer)
 	}
diff --git a/internal/auth/jwt.go b/internal/auth/jwt.go
@@ -56,13 +56,6 @@ func OptionalJWTMiddleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		// 默认未登录
 		c.Set("loggedIn", false)
-		// 捕获可能的 panic，防止中间件崩掉
-		defer func() {
-			if r := recover(); r != nil {
-				// panic 也当未登录
-				c.Set("loggedIn", false)
-			}
-		}()
 		authHeader := c.GetHeader("Authorization")
 		if authHeader != "" {
 			var tokenString string
@@ -71,12 +64,16 @@ func OptionalJWTMiddleware() gin.HandlerFunc {
 			} else if strings.HasPrefix(authHeader, prefixJWT) {
 				tokenString = strings.TrimPrefix(authHeader, prefixJWT)
 			}
-			token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
-				return SecretKey, nil
-			})
-			if claims, ok := token.Claims.(jwt.MapClaims); ok && err == nil && token.Valid {
-				c.Set("claims", claims)
-				c.Set("loggedIn", true)
+			if tokenString != "" {
+				token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+					return SecretKey, nil
+				})
+				if err == nil && token != nil {
+					if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
+						c.Set("claims", claims)
+						c.Set("loggedIn", true)
+					}
+				}
 			}
 		}
 		c.Next()
diff --git a/web/src/views/PcHome/PcHome.vue b/web/src/views/PcHome/PcHome.vue
@@ -162,7 +162,7 @@ const getPlayerList = async () => {
   rconPlayerOptions.value = data.value.map((item) => {
     return {
       label: `${item.nickname}(${item.player_uid})`,
-      value: `${item.player_uid}-${item.user_id}-${item.steam_id}`,
+      value: `${item.player_uid}|${item.user_id}|${item.steam_id}`,
     };
   });
 };
@@ -316,21 +316,22 @@ const removeRconCommand = async (uuid) => {
 };
 const fillRconCommand = (rconCommand) => {
   let cmd = rconCommand.placeholder;
+  const playerParts = rconSelectedPlayer.value ? rconSelectedPlayer.value.split("|") : [];
   // {steamUserID}，大小写不敏感
   if (/{steamUserID}/i.test(cmd)) {
     if (!rconSelectedPlayer.value) {
       message.warning(t("message.selectPlayerFirst"));
       return;
     }
-    cmd = cmd.replace(/{steamUserID}/gi, "steam_" + rconSelectedPlayer.value.split("-")[2]);
+    cmd = cmd.replace(/{steamUserID}/gi, "steam_" + playerParts[2]);
   }
   // {userID}，大小写不敏感
   if (/{userID}/i.test(cmd)) {
     if (!rconSelectedPlayer.value) {
       message.warning(t("message.selectPlayerFirst"));
       return;
     }
-    cmd = cmd.replace(/{userID}/gi, rconSelectedPlayer.value.split("-")[1]);
+    cmd = cmd.replace(/{userID}/gi, playerParts[1]);
   }
   // {itemID}，大小写不敏感
   if (/{itemID}/i.test(cmd)) {
@@ -1298,9 +1299,9 @@ onMounted(async () => {
       </div>
       <div class="flex w-full items-center mt-3 justify-between">
         <n-text>
-          PlayerID: {{ rconSelectedPlayer?.split("-")[0] || "-" }}
+          PlayerID: {{ rconSelectedPlayer?.split("|")[0] || "-" }}
         </n-text>
-        <n-text>UserID: {{ rconSelectedPlayer?.split("-")[1] || "-" }}</n-text>
+        <n-text>UserID: {{ rconSelectedPlayer?.split("|")[1] || "-" }}</n-text>
       </div>
 
       <div class="flex w-full items-center mt-3">

Original file line number	Diff line number	Diff line change
`@@ -67,14 +67,14 @@ func RegisterRouter(r *gin.Engine) {`
`67`	`67`	`anonymousGroup.GET("/server", getServer)`
`68`	`68`	`anonymousGroup.GET("/server/tool", getServerTool)`
`69`	`69`	`anonymousGroup.GET("/server/metrics", getServerMetrics)`
`70`		`- anonymousGroup.GET("/online_player", listOnlinePlayers)`
`71`	`70`	`anonymousGroup.GET("/guild", listGuilds)`
`72`	`71`	`anonymousGroup.GET("/guild/:admin_player_uid", getGuild)`
`73`	`72`	`}`
`74`	`73`	`// 根据登录状态返回不同结果`
`75`	`74`	`OptionalGroup := apiGroup.Group("")`
`76`	`75`	`OptionalGroup.Use(auth.OptionalJWTMiddleware())`
`77`	`76`	`{`
	`77`	`+ OptionalGroup.GET("/online_player", listOnlinePlayers)`
`78`	`78`	`OptionalGroup.GET("/player", listPlayers)`
`79`	`79`	`OptionalGroup.GET("/player/:player_uid", getPlayer)`
`80`	`80`	`}`