fix: Normal user can not change the name of their own address book (#341)

* add "disable_pwd" and "auto_oidc" at /admin/login-options

* fix: build RedirectURL by host and scheme, not Origin

Dockerfile.dev

@@ -42,11 +42,11 @@ RUN if [ "$COUNTRY" = "CN" ] ; then \
     fi && \
     apk update && apk add --no-cache git
 
-ARG FREONTEND_GIT_REPO=https://github.com/lejianwen/rustdesk-api-web.git
+ARG FRONTEND_GIT_REPO=https://github.com/lejianwen/rustdesk-api-web.git
 ARG FRONTEND_GIT_BRANCH=master
 # Clone the frontend repository
 
-RUN git clone -b $FRONTEND_GIT_BRANCH $FREONTEND_GIT_REPO .
+RUN git clone -b $FRONTEND_GIT_BRANCH $FRONTEND_GIT_REPO .
 
 # Install required tools without caching index to minimize image size
 RUN if [ "$COUNTRY" = "CN" ] ; then \
@@ -91,4 +91,4 @@ VOLUME /app/data
 EXPOSE 21114
 
 # Define the command to run the application
-CMD ["./apimain"]
+CMD ["./apimain"]

README.md

@@ -94,8 +94,8 @@
     - 对于`OIDC`, `Issuer`是必须的。`Scopes`是可选的，默认为 `openid,profile,email`. 确保可以获取 `sub`,`email` 和`preferred_username`
     - `github oauth app`在`Settings`->`Developer settings`->`OAuth Apps`->`New OAuth App`
       中创建,地址 [https://github.com/settings/developers](https://github.com/settings/developers)
-    - `Authorization callback URL`填写`http://<your server[:port]>/api/oauth/callback`
-      ，比如`http://127.0.0.1:21114/api/oauth/callback`
+    - `Authorization callback URL`填写`http://<your server[:port]>/api/oidc/callback`
+      ，比如`http://127.0.0.1:21114/api/oidc/callback`
 7. 登录日志
 8. 链接日志
 9. 文件传输日志
@@ -255,6 +255,12 @@
     #或者使用generate_api.go生成api并运行
     go generate generate_api.go
     ```
+   > 注意：使用 `go run` 或编译后的二进制时，当前目录下必须存在 `conf` 和 `resources`
+   > 目录。如果在其他目录运行，可通过 `-c` 和环境变量
+   > `RUSTDESK_API_GIN_RESOURCES_PATH` 指定绝对路径，例如：
+   > ```bash
+   > RUSTDESK_API_GIN_RESOURCES_PATH=/opt/rustdesk-api/resources ./apimain -c /opt/rustdesk-api/conf/config.yaml
+   > ```
 5. 编译，如果想自己编译,先cd到项目根目录，然后windows下直接运行`build.bat`,linux下运行`build.sh`,编译后会在`release`
    目录下生成对应的可执行文件。直接运行编译后的可执行文件即可。
 

README_EN.md

@@ -94,8 +94,8 @@ displaying data.Frontend code is available at [rustdesk-api-web](https://github.
     - For `OIDC`, you must set the `Issuer`. And `Scopes` is optional which default is `openid,email,profile`, please make sure this `Oauth App` can access `sub`, `email` and `preferred_username`
     - Create a `GitHub OAuth App`
       at `Settings` -> `Developer settings` -> `OAuth Apps` -> `New OAuth App` [here](https://github.com/settings/developers).
-    - Set the `Authorization callback URL` to `http://<your server[:port]>/api/oauth/callback`,
-      e.g., `http://127.0.0.1:21114/api/oauth/callback`.
+    - Set the `Authorization callback URL` to `http://<your server[:port]>/api/oidc/callback`,
+      e.g., `http://127.0.0.1:21114/api/oidc/callback`.
    
 7. Login logs
 8. Connection logs
@@ -251,10 +251,17 @@ Download the release from [release](https://github.com/lejianwen/rustdesk-api/re
 4. Run:
     ```bash
     # Run directly
-    go run cmd/apimain.go
-    # Or generate and run the API using generate_api.go
-    go generate generate_api.go
-    ```
+   go run cmd/apimain.go
+   # Or generate and run the API using generate_api.go
+   go generate generate_api.go
+   ```
+   > **Note:** When using `go run` or the compiled binary, the `conf` and `resources`
+   > directories must exist relative to the current working directory. If you run
+   > the program from another location, specify absolute paths with `-c` and the
+   > `RUSTDESK_API_GIN_RESOURCES_PATH` environment variable. Example:
+   > ```bash
+   > RUSTDESK_API_GIN_RESOURCES_PATH=/opt/rustdesk-api/resources ./apimain -c /opt/rustdesk-api/conf/config.yaml
+   > ```
 
 5. To compile, change to the project root directory. For Windows, run `build.bat`, and for Linux, run `build.sh`. After
    compiling, the corresponding executables will be generated in the `release` directory. Run the compiled executables
@@ -317,4 +324,4 @@ Thanks to everyone who contributed!
   <img src="https://contrib.rocks/image?repo=lejianwen/rustdesk-api" />
 </a>
 
-## Thanks for your support! If you find this project useful, please give it a ⭐️. Thank you!
+## Thanks for your support! If you find this project useful, please give it a ⭐️. Thank you!

cmd/apimain.go

@@ -2,6 +2,10 @@ package main
 
 import (
 	"fmt"
+	"os"
+	"strconv"
+	"time"
+
 	"github.com/go-redis/redis/v8"
 	"github.com/lejianwen/rustdesk-api/v2/config"
 	"github.com/lejianwen/rustdesk-api/v2/global"
@@ -17,11 +21,10 @@ import (
 	"github.com/lejianwen/rustdesk-api/v2/utils"
 	"github.com/nicksnyder/go-i18n/v2/i18n"
 	"github.com/spf13/cobra"
-	"os"
-	"strconv"
-	"time"
 )
 
+const DatabaseVersion = 264
+
 // @title 管理系统API
 // @version 1.0
 // @description 接口
@@ -210,7 +213,7 @@ func InitGlobal() {
 }
 
 func DatabaseAutoUpdate() {
-	version := 262
+	version := DatabaseVersion
 
 	db := global.DB
 
@@ -342,7 +345,11 @@ func Migrate(version uint) {
 		// 生成随机密码
 		pwd := utils.RandomString(8)
 		global.Logger.Info("Admin Password Is: ", pwd)
-		admin.Password = service.AllService.UserService.EncryptPassword(pwd)
+		var err error
+		admin.Password, err = utils.EncryptPassword(pwd)
+		if err != nil {
+			global.Logger.Fatalf("failed to generate admin password: %v", err)
+		}
 		global.DB.Create(admin)
 	}
 

config/oauth.go

@@ -3,24 +3,20 @@ package config
 type GithubOauth struct {
 	ClientId     string `mapstructure:"client-id"`
 	ClientSecret string `mapstructure:"client-secret"`
-	RedirectUrl  string `mapstructure:"redirect-url"`
 }
 
 type GoogleOauth struct {
 	ClientId     string `mapstructure:"client-id"`
 	ClientSecret string `mapstructure:"client-secret"`
-	RedirectUrl  string `mapstructure:"redirect-url"`
 }
 
 type OidcOauth struct {
 	Issuer       string `mapstructure:"issuer"`
 	ClientId     string `mapstructure:"client-id"`
 	ClientSecret string `mapstructure:"client-secret"`
-	RedirectUrl  string `mapstructure:"redirect-url"`
 }
 
 type LinuxdoOauth struct {
 	ClientId     string `mapstructure:"client-id"`
 	ClientSecret string `mapstructure:"client-secret"`
-	RedirectUrl  string `mapstructure:"redirect-url"`
 }

docker-compose-dev.yaml

@@ -5,7 +5,7 @@ services:
       dockerfile: Dockerfile.dev
       args:
         COUNTRY: CN
-        FREONTEND_GIT_REPO: https://github.com/lejianwen/rustdesk-api-web.git
+        FRONTEND_GIT_REPO: https://github.com/lejianwen/rustdesk-api-web.git
         FRONTEND_GIT_BRANCH: master
     # image: lejianwen/rustdesk-api
     container_name: rustdesk-api
@@ -21,4 +21,4 @@ services:
       - ./data/rustdesk/api:/app/data #将数据库挂载出来方便备份
       - ./conf:/app/conf # config
       # - ./resources:/app/resources # 静态资源
-    restart: unless-stopped
+    restart: unless-stopped

docs/admin/admin_docs.go

@@ -5569,8 +5569,7 @@ const docTemplateadmin = `{
             "required": [
                 "client_id",
                 "client_secret",
-                "oauth_type",
-                "redirect_url"
+                "oauth_type"
             ],
             "properties": {
                 "auto_register": {
@@ -5600,9 +5599,6 @@ const docTemplateadmin = `{
                 "pkce_method": {
                     "type": "string"
                 },
-                "redirect_url": {
-                    "type": "string"
-                },
                 "scopes": {
                     "type": "string"
                 }
@@ -6296,9 +6292,6 @@ const docTemplateadmin = `{
                 "pkce_method": {
                     "type": "string"
                 },
-                "redirect_url": {
-                    "type": "string"
-                },
                 "scopes": {
                     "type": "string"
                 },

docs/admin/admin_swagger.json

@@ -5562,8 +5562,7 @@
             "required": [
                 "client_id",
                 "client_secret",
-                "oauth_type",
-                "redirect_url"
+                "oauth_type"
             ],
             "properties": {
                 "auto_register": {
@@ -5593,9 +5592,6 @@
                 "pkce_method": {
                     "type": "string"
                 },
-                "redirect_url": {
-                    "type": "string"
-                },
                 "scopes": {
                     "type": "string"
                 }
@@ -6289,9 +6285,6 @@
                 "pkce_method": {
                     "type": "string"
                 },
-                "redirect_url": {
-                    "type": "string"
-                },
                 "scopes": {
                     "type": "string"
                 },
@@ -6595,4 +6588,4 @@
             "in": "header"
         }
     }
-}
+}

docs/admin/admin_swagger.yaml

@@ -143,15 +143,12 @@ definitions:
         type: boolean
       pkce_method:
         type: string
-      redirect_url:
-        type: string
       scopes:
         type: string
     required:
     - client_id
     - client_secret
     - oauth_type
-    - redirect_url
     type: object
   admin.PeerBatchDeleteForm:
     properties:
@@ -611,8 +608,6 @@ definitions:
         type: boolean
       pkce_method:
         type: string
-      redirect_url:
-        type: string
       scopes:
         type: string
       updated_at:

docs/api/api_docs.go

@@ -954,35 +954,6 @@ const docTemplateapi = `{
                 }
             }
         },
-        "/oauth/callback": {
-            "get": {
-                "description": "OauthCallback",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "Oauth"
-                ],
-                "summary": "OauthCallback",
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/api.LoginRes"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/response.ErrorResponse"
-                        }
-                    }
-                }
-            }
-        },
         "/oidc/auth": {
             "post": {
                 "description": "OidcAuth",
@@ -1041,6 +1012,35 @@ const docTemplateapi = `{
                 }
             }
         },
+        "/oidc/callback": {
+            "get": {
+                "description": "OauthCallback",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Oauth"
+                ],
+                "summary": "OauthCallback",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/api.LoginRes"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/response.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
         "/peers": {
             "get": {
                 "security": [

docs/api/api_swagger.json

@@ -947,35 +947,6 @@
                 }
             }
         },
-        "/oauth/callback": {
-            "get": {
-                "description": "OauthCallback",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "Oauth"
-                ],
-                "summary": "OauthCallback",
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/api.LoginRes"
-                        }
-                    },
-                    "500": {
-                        "description": "Internal Server Error",
-                        "schema": {
-                            "$ref": "#/definitions/response.ErrorResponse"
-                        }
-                    }
-                }
-            }
-        },
         "/oidc/auth": {
             "post": {
                 "description": "OidcAuth",
@@ -1034,6 +1005,35 @@
                 }
             }
         },
+        "/oidc/callback": {
+            "get": {
+                "description": "OauthCallback",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Oauth"
+                ],
+                "summary": "OauthCallback",
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/api.LoginRes"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/response.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
         "/peers": {
             "get": {
                 "security": [

docs/api/api_swagger.yaml

@@ -792,25 +792,6 @@ paths:
       summary: 登出
       tags:
       - 登录
-  /oauth/callback:
-    get:
-      consumes:
-      - application/json
-      description: OauthCallback
-      produces:
-      - application/json
-      responses:
-        "200":
-          description: OK
-          schema:
-            $ref: '#/definitions/api.LoginRes'
-        "500":
-          description: Internal Server Error
-          schema:
-            $ref: '#/definitions/response.ErrorResponse'
-      summary: OauthCallback
-      tags:
-      - Oauth
   /oidc/auth:
     post:
       consumes:
@@ -849,6 +830,25 @@ paths:
       summary: OidcAuthQuery
       tags:
       - Oauth
+  /oidc/callback:
+    get:
+      consumes:
+      - application/json
+      description: OauthCallback
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/api.LoginRes'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/response.ErrorResponse'
+      summary: OauthCallback
+      tags:
+      - Oauth
   /peers:
     get:
       consumes:

http/controller/admin/file.go

@@ -38,7 +38,7 @@ func (f *File) Notify(c *gin.Context) {
 
 	res := global.Oss.Verify(c.Request)
 	if !res {
-		response.Fail(c, 101, "权限错误")
+		response.Fail(c, 101, response.TranslateMsg(c, "NoAccess"))
 		return
 	}
 	fm := &FileBack{}

http/controller/admin/login.go

@@ -2,6 +2,7 @@ package admin
 
 import (
 	"fmt"
+
 	"github.com/gin-gonic/gin"
 	"github.com/lejianwen/rustdesk-api/v2/global"
 	"github.com/lejianwen/rustdesk-api/v2/http/controller/api"
@@ -168,6 +169,8 @@ func (ct *Login) LoginOptions(c *gin.Context) {
 		"ops":          ops,
 		"register":     global.Config.App.Register,
 		"need_captcha": needCaptcha,
+		"disable_pwd": 	global.Config.App.DisablePwdLogin,
+		"auto_oidc":  	global.Config.App.DisablePwdLogin && len(ops) == 1,
 	})
 }
 
@@ -188,7 +191,7 @@ func (ct *Login) OidcAuth(c *gin.Context) {
 		return
 	}
 
-	err, state, verifier, nonce, url := service.AllService.OauthService.BeginAuth(f.Op)
+	err, state, verifier, nonce, url := service.AllService.OauthService.BeginAuth(c, f.Op)
 	if err != nil {
 		response.Error(c, response.TranslateMsg(c, err.Error()))
 		return

http/controller/admin/my/addressBookCollection.go

@@ -98,10 +98,10 @@ func (abc *AddressBookCollection) Update(c *gin.Context) {
 		return
 	}
 	u := service.AllService.UserService.CurUser(c)
-	if f.UserId != u.Id {
-		response.Fail(c, 101, response.TranslateMsg(c, "NoAccess"))
-		return
-	}
+	//if f.UserId != u.Id {
+	//	response.Fail(c, 101, response.TranslateMsg(c, "NoAccess"))
+	//	return
+	//}
 	ex := service.AllService.AddressBookService.CollectionInfoById(f.Id)
 	if ex.Id == 0 {
 		response.Fail(c, 101, response.TranslateMsg(c, "ItemNotFound"))

http/controller/admin/oauth.go

@@ -1,13 +1,14 @@
 package admin
 
 import (
+	"strconv"
+
 	"github.com/gin-gonic/gin"
 	"github.com/lejianwen/rustdesk-api/v2/global"
 	"github.com/lejianwen/rustdesk-api/v2/http/request/admin"
 	adminReq "github.com/lejianwen/rustdesk-api/v2/http/request/admin"
 	"github.com/lejianwen/rustdesk-api/v2/http/response"
 	"github.com/lejianwen/rustdesk-api/v2/service"
-	"strconv"
 )
 
 type Oauth struct {
@@ -43,7 +44,7 @@ func (o *Oauth) ToBind(c *gin.Context) {
 		return
 	}
 
-	err, state, verifier, nonce, url := service.AllService.OauthService.BeginAuth(f.Op)
+	err, state, verifier, nonce, url := service.AllService.OauthService.BeginAuth(c, f.Op)
 	if err != nil {
 		response.Error(c, response.TranslateMsg(c, err.Error()))
 		return
@@ -68,16 +69,16 @@ func (o *Oauth) Confirm(c *gin.Context) {
 	j := &adminReq.OauthConfirmForm{}
 	err := c.ShouldBindJSON(j)
 	if err != nil {
-		response.Fail(c, 101, "参数错误"+err.Error())
+		response.Fail(c, 101, response.TranslateMsg(c, "ParamsError")+err.Error())
 		return
 	}
 	if j.Code == "" {
-		response.Fail(c, 101, "参数错误: code 不存在")
+		response.Fail(c, 101, response.TranslateMsg(c, "ParamsError"))
 		return
 	}
 	v := service.AllService.OauthService.GetOauthCache(j.Code)
 	if v == nil {
-		response.Fail(c, 101, "授权已过期")
+		response.Fail(c, 101, response.TranslateMsg(c, "OauthExpired"))
 		return
 	}
 	u := service.AllService.UserService.CurUser(c)

http/controller/admin/user.go

@@ -8,6 +8,7 @@ import (
 	adResp "github.com/lejianwen/rustdesk-api/v2/http/response/admin"
 	"github.com/lejianwen/rustdesk-api/v2/model"
 	"github.com/lejianwen/rustdesk-api/v2/service"
+	"github.com/lejianwen/rustdesk-api/v2/utils"
 	"gorm.io/gorm"
 	"strconv"
 )
@@ -243,11 +244,10 @@ func (ct *User) ChangeCurPwd(c *gin.Context) {
 		return
 	}
 	u := service.AllService.UserService.CurUser(c)
-	// If the password is not empty, the old password is verified
-	// otherwise, the old password is not verified
+	// Verify the old password only when the account already has one set
 	if !service.AllService.UserService.IsPasswordEmptyByUser(u) {
-		oldPwd := service.AllService.UserService.EncryptPassword(f.OldPassword)
-		if u.Password != oldPwd {
+		ok, _, err := utils.VerifyPassword(u.Password, f.OldPassword)
+		if err != nil || !ok {
 			response.Fail(c, 101, response.TranslateMsg(c, "OldPasswordError"))
 			return
 		}

http/controller/api/ouath.go

@@ -1,6 +1,8 @@
 package api
 
 import (
+	"net/http"
+
 	"github.com/gin-gonic/gin"
 	"github.com/lejianwen/rustdesk-api/v2/global"
 	"github.com/lejianwen/rustdesk-api/v2/http/request/api"
@@ -10,7 +12,6 @@ import (
 	"github.com/lejianwen/rustdesk-api/v2/service"
 	"github.com/lejianwen/rustdesk-api/v2/utils"
 	"github.com/nicksnyder/go-i18n/v2/i18n"
-	"net/http"
 )
 
 type Oauth struct {
@@ -35,7 +36,7 @@ func (o *Oauth) OidcAuth(c *gin.Context) {
 
 	oauthService := service.AllService.OauthService
 
-	err, state, verifier, nonce, url := oauthService.BeginAuth(f.Op)
+	err, state, verifier, nonce, url := oauthService.BeginAuth(c, f.Op)
 	if err != nil {
 		response.Error(c, response.TranslateMsg(c, err.Error()))
 		return
@@ -142,7 +143,7 @@ func (o *Oauth) OidcAuthQuery(c *gin.Context) {
 // @Produce  json
 // @Success 200 {object} apiResp.LoginRes
 // @Failure 500 {object} response.ErrorResponse
-// @Router /oauth/callback [get]
+// @Router /oidc/callback [get]
 func (o *Oauth) OauthCallback(c *gin.Context) {
 	state := c.Query("state")
 	if state == "" {
@@ -169,7 +170,7 @@ func (o *Oauth) OauthCallback(c *gin.Context) {
 	var user *model.User
 	// 获取用户信息
 	code := c.Query("code")
-	err, oauthUser := oauthService.Callback(code, verifier, op, nonce)
+	err, oauthUser := oauthService.Callback(c, code, verifier, op, nonce)
 	if err != nil {
 		c.HTML(http.StatusOK, "oauth_fail.html", gin.H{
 			"message":     "OauthFailed",
@@ -225,8 +226,7 @@ func (o *Oauth) OauthCallback(c *gin.Context) {
 			if !*oauthConfig.AutoRegister {
 				//c.String(http.StatusInternalServerError, "还未绑定用户，请先绑定")
 				oauthCache.UpdateFromOauthUser(oauthUser)
-				url := global.Config.Rustdesk.ApiServer + "/_admin/#/oauth/bind/" + cacheKey
-				c.Redirect(http.StatusFound, url)
+				c.Redirect(http.StatusFound, "/_admin/#/oauth/bind/"+cacheKey)
 				return
 			}
 
@@ -251,8 +251,7 @@ func (o *Oauth) OauthCallback(c *gin.Context) {
 				Type:     model.LoginLogTypeOauth,
 				Platform: oauthService.DeviceOs,
 			})*/
-			url := global.Config.Rustdesk.ApiServer + "/_admin/#/"
-			c.Redirect(http.StatusFound, url)
+			c.Redirect(http.StatusFound, "/_admin/#/")
 			return
 		}
 		c.HTML(http.StatusOK, "oauth_success.html", gin.H{

http/middleware/admin.go

@@ -13,13 +13,13 @@ func BackendUserAuth() gin.HandlerFunc {
 		//测试先关闭
 		token := c.GetHeader("api-token")
 		if token == "" {
-			response.Fail(c, 403, "请先登录")
+			response.Fail(c, 403, response.TranslateMsg(c, "NeedLogin"))
 			c.Abort()
 			return
 		}
 		user, ut := service.AllService.UserService.InfoByAccessToken(token)
 		if user.Id == 0 {
-			response.Fail(c, 403, "请先登录")
+			response.Fail(c, 403, response.TranslateMsg(c, "NeedLogin"))
 			c.Abort()
 			return
 		}

http/middleware/admin_privilege.go

@@ -12,7 +12,7 @@ func AdminPrivilege() gin.HandlerFunc {
 		u := service.AllService.UserService.CurUser(c)
 
 		if !service.AllService.UserService.IsAdmin(u) {
-			response.Fail(c, 403, "无权限")
+			response.Fail(c, 403, response.TranslateMsg(c, "NoAccess"))
 			c.Abort()
 			return
 		}

http/middleware/jwt.go

@@ -12,18 +12,18 @@ func JwtAuth() gin.HandlerFunc {
 		//测试先关闭
 		token := c.GetHeader("api-token")
 		if token == "" {
-			response.Fail(c, 403, "请先登录")
+			response.Fail(c, 403, response.TranslateMsg(c, "NeedLogin"))
 			c.Abort()
 			return
 		}
 		uid, err := global.Jwt.ParseToken(token)
 		if err != nil {
-			response.Fail(c, 403, "请先登录")
+			response.Fail(c, 403, response.TranslateMsg(c, "NeedLogin"))
 			c.Abort()
 			return
 		}
 		if uid == 0 {
-			response.Fail(c, 403, "请先登录")
+			response.Fail(c, 403, response.TranslateMsg(c, "NeedLogin"))
 			c.Abort()
 			return
 		}
@@ -34,12 +34,12 @@ func JwtAuth() gin.HandlerFunc {
 		//	Username: "测试用户",
 		//}
 		if user.Id == 0 {
-			response.Fail(c, 403, "请先登录")
+			response.Fail(c, 403, response.TranslateMsg(c, "NeedLogin"))
 			c.Abort()
 			return
 		}
 		if !service.AllService.UserService.CheckUserEnable(user) {
-			response.Fail(c, 101, "你已被禁用")
+			response.Fail(c, 101, response.TranslateMsg(c, "Banned"))
 			c.Abort()
 			return
 		}

http/request/admin/oauth.go

@@ -22,7 +22,6 @@ type OauthForm struct {
 	Scopes       string `json:"scopes" validate:"omitempty"`
 	ClientId     string `json:"client_id" validate:"required"`
 	ClientSecret string `json:"client_secret" validate:"required"`
-	RedirectUrl  string `json:"redirect_url" validate:"required"`
 	AutoRegister *bool  `json:"auto_register"`
 	PkceEnable   *bool  `json:"pkce_enable"`
 	PkceMethod   string `json:"pkce_method"`
@@ -34,7 +33,6 @@ func (of *OauthForm) ToOauth() *model.Oauth {
 		OauthType:    of.OauthType,
 		ClientId:     of.ClientId,
 		ClientSecret: of.ClientSecret,
-		RedirectUrl:  of.RedirectUrl,
 		AutoRegister: of.AutoRegister,
 		Issuer:       of.Issuer,
 		Scopes:       of.Scopes,

http/request/admin/user.go

@@ -14,6 +14,7 @@ type UserForm struct {
 	GroupId  uint             `json:"group_id" validate:"required"`
 	IsAdmin  *bool            `json:"is_admin" `
 	Status   model.StatusCode `json:"status" validate:"required,gte=0"`
+	Remark   string           `json:"remark"`
 }
 
 func (uf *UserForm) FromUser(user *model.User) *UserForm {
@@ -25,6 +26,7 @@ func (uf *UserForm) FromUser(user *model.User) *UserForm {
 	uf.GroupId = user.GroupId
 	uf.IsAdmin = user.IsAdmin
 	uf.Status = user.Status
+	uf.Remark = user.Remark
 	return uf
 }
 func (uf *UserForm) ToUser() *model.User {
@@ -37,6 +39,7 @@ func (uf *UserForm) ToUser() *model.User {
 	user.GroupId = uf.GroupId
 	user.IsAdmin = uf.IsAdmin
 	user.Status = uf.Status
+	user.Remark = uf.Remark
 	return user
 }
 

http/router/api.go

@@ -49,6 +49,10 @@ func ApiInit(g *gin.Engine) {
 		frg.GET("/oauth/callback", o.OauthCallback)
 		frg.GET("/oauth/login", o.OauthCallback)
 		frg.GET("/oauth/msg", o.Message)
+
+		frg.GET("/oidc/callback", o.OauthCallback)
+		frg.GET("/oidc/login", o.OauthCallback)
+		frg.GET("/oidc/msg", o.Message)
 	}
 	{
 		pe := &api.Peer{}

model/oauth.go

@@ -30,9 +30,9 @@ func ValidateOauthType(oauthType string) error {
 }
 
 const (
-	UserEndpointGithub string = "https://api.github.com/user"
+	UserEndpointGithub  string = "https://api.github.com/user"
 	UserEndpointLinuxdo string = "https://connect.linux.do/api/user"
-	IssuerGoogle       string = "https://accounts.google.com"
+	IssuerGoogle        string = "https://accounts.google.com"
 )
 
 type Oauth struct {
@@ -41,12 +41,11 @@ type Oauth struct {
 	OauthType    string `json:"oauth_type"`
 	ClientId     string `json:"client_id"`
 	ClientSecret string `json:"client_secret"`
-	RedirectUrl  string `json:"redirect_url"`
 	AutoRegister *bool  `json:"auto_register"`
 	Scopes       string `json:"scopes"`
 	Issuer       string `json:"issuer"`
-	PkceEnable	 *bool  `json:"pkce_enable"`
-	PkceMethod	 string `json:"pkce_method"`
+	PkceEnable   *bool  `json:"pkce_enable"`
+	PkceMethod   string `json:"pkce_method"`
 	TimeModel
 }
 

model/user.go

@@ -11,6 +11,7 @@ type User struct {
 	GroupId  uint       `json:"group_id" gorm:"default:0;not null;index"`
 	IsAdmin  *bool      `json:"is_admin" gorm:"default:0;not null;"`
 	Status   StatusCode `json:"status" gorm:"default:1;not null;"`
+	Remark   string     `json:"remark" gorm:"default:'';not null;"`
 	TimeModel
 }
 

resources/i18n/en.toml

@@ -33,6 +33,11 @@ description = "No access."
 one = "No access."
 other = "No access."
 
+[NeedLogin]
+description = "Need login."
+one = "Please log in first."
+other = "Please log in first."
+
 [UsernameOrPasswordError]
 description = "Username or password error."
 one = "Username or password error."

resources/i18n/es.toml

@@ -33,6 +33,11 @@ description = "No access."
 one = "Sin acceso."
 other = "Sin acceso."
 
+[NeedLogin]
+description = "Need login."
+one = "Por favor inicie sesión primero."
+other = "Por favor inicie sesión primero."
+
 [UsernameOrPasswordError]
 description = "Username or password error."
 one = "Error de usuario o contraseña."

resources/i18n/fr.toml

@@ -33,6 +33,11 @@ description = "No access."
 one = "Aucun d'access."
 other = "Aucun d'access."
 
+[NeedLogin]
+description = "Need login."
+one = "Veuillez d'abord vous connecter."
+other = "Veuillez d'abord vous connecter."
+
 [UsernameOrPasswordError]
 description = "Username or password error."
 one = "Nom d'utilisateur ou de mot de passe incorrect."
@@ -161,4 +166,4 @@ other = "Banni."
 [RegisterSuccessWaitAdminConfirm]
 description = "Register success wait admin confirm."
 one = "Inscription réussie, veuillez attendre la confirmation de l'administrateur."
-other = "Inscription réussie, veuillez attendre la confirmation de l'administrateur."
+other = "Inscription réussie, veuillez attendre la confirmation de l'administrateur."

resources/i18n/ko.toml

@@ -33,6 +33,11 @@ description = "No access."
 one = "접근할 수 없습니다."
 other = "접근할 수 없습니다."
 
+[NeedLogin]
+description = "Need login."
+one = "먼저 로그인해주세요."
+other = "먼저 로그인해주세요."
+
 [UsernameOrPasswordError]
 description = "Username or password error."
 one = "사용자 이름이나 비밀번호가 올바르지 않습니다."

resources/i18n/ru.toml

@@ -33,6 +33,11 @@ description = "No access."
 one = "Нет доступа."
 other = "Нет доступа."
 
+[NeedLogin]
+description = "Need login."
+one = "Пожалуйста, войдите в систему."
+other = "Пожалуйста, войдите в систему."
+
 [UsernameOrPasswordError]
 description = "Username or password error."
 one = "Неправильное имя пользователя или пароль."
@@ -161,4 +166,4 @@ other = "Заблокировано."
 [RegisterSuccessWaitAdminConfirm]
 description = "Register success wait admin confirm."
 one = "Регистрация прошла успешно, ожидайте подтверждения администратора."
-other = "Регистрация прошла успешно, ожидайте подтверждения администратора."
+other = "Регистрация прошла успешно, ожидайте подтверждения администратора."

resources/i18n/zh_CN.toml

@@ -33,6 +33,11 @@ description = "No access."
 one = "无权限。"
 other = "无权限。"
 
+[NeedLogin]
+description = "Need login."
+one = "请先登录。"
+other = "请先登录。"
+
 [UsernameOrPasswordError]
 description = "Username or password error."
 one = "用户名或密码错误。"

resources/i18n/zh_TW.toml

@@ -5,8 +5,8 @@ other = "測試2 {{.P0}}"
 
 [ParamsError]
 description = "Params validation failed."
-one = "引數錯誤。"
-other = "引數錯誤。"
+one = "參數驗證失敗。"
+other = "參數驗證失敗。"
 
 [OperationFailed]
 description = "OperationFailed."
@@ -20,18 +20,23 @@ other = "操作成功。"
 
 [ItemExists]
 description = "Item already exists."
-one = "資料已存在。"
-other = "資料已存在。"
+one = "項目已存在。"
+other = "項目已存在。"
 
 [ItemNotFound]
 description = "Item not found."
-one = "資料不存在。"
-other = "資料不存在。"
+one = "找不到項目。"
+other = "找不到項目。"
 
 [NoAccess]
 description = "No access."
-one = "無許可權。"
-other = "無許可權。"
+one = "無權限存取。"
+other = "無權限存取。"
+
+[NeedLogin]
+description = "Need login."
+one = "請先登入。"
+other = "請先登入。"
 
 [UsernameOrPasswordError]
 description = "Username or password error."
@@ -45,24 +50,23 @@ other = "系統錯誤。"
 
 [ConfigNotFound]
 description = "Config not found."
-one = "配置不存在。"
-other = "配置不存在。"
+one = "找不到設定。"
+other = "找不到設定。"
 
-#授權過期
 [OauthExpired]
 description = "Oauth expired."
-one = "授權過期，請重新授權。"
-other = "授權過期，請重新授權。"
+one = "OAuth 已過期，請重試。"
+other = "OAuth 已過期，請重試。"
 
 [OauthFailed]
 description = "Oauth failed."
-one = "授權失敗。"
-other = "授權失敗。"
+one = "OAuth 失敗。"
+other = "OAuth 失敗。"
 
 [OauthHasBindOtherUser]
 description = "Oauth has bind other user."
-one = "授權已繫結其他使用者。"
-other = "授權已繫結其他使用者。"
+one = "OAuth 已綁定其他使用者。"
+other = "OAuth 已綁定其他使用者。"
 
 [ParamIsEmpty]
 description = "Param is empty."
@@ -71,56 +75,64 @@ other = "{{.P0}} 為空。"
 
 [BindFail]
 description = "Bind fail."
-one = "繫結失敗。"
-other = "繫結失敗。"
+one = "綁定失敗。"
+other = "綁定失敗。"
+
 [BindSuccess]
 description = "Bind success."
-one = "繫結成功。"
-other = "繫結成功。"
+one = "綁定成功。"
+other = "綁定成功。"
+
 [OauthHasBeenSuccess]
 description = "Oauth has been success."
-one = "授權已成功。"
-other = "授權已成功。"
+one = "OAuth 已成功。"
+other = "OAuth 已成功。"
+
 [OauthSuccess]
 description = "Oauth success."
-one = "授權成功。"
-other = "授權成功。"
+one = "OAuth 成功。"
+other = "OAuth 成功。"
+
 [OauthRegisterSuccess]
 description = "Oauth register success."
-one = "授權註冊成功。"
-other = "授權註冊成功。"
+one = "OAuth 註冊成功。"
+other = "OAuth 註冊成功。"
+
 [OauthRegisterFailed]
 description = "Oauth register failed."
-one = "授權註冊失敗。"
-other = "授權註冊失敗。"
+one = "OAuth 註冊失敗。"
+other = "OAuth 註冊失敗。"
+
 [GetOauthTokenError]
 description = "Get oauth token error."
-one = "獲取授權token失敗。"
-other = "獲取授權token失敗。"
+one = "取得 OAuth 權杖錯誤。"
+other = "取得 OAuth 權杖錯誤。"
+
 [GetOauthUserInfoError]
 description = "Get oauth user info error."
-one = "獲取授權使用者資訊失敗。"
-other = "獲取授權使用者資訊失敗。"
+one = "取得 OAuth 使用者資訊錯誤。"
+other = "取得 OAuth 使用者資訊錯誤。"
+
 [DecodeOauthUserInfoError]
 description = "Decode oauth user info error."
-one = "解析授權使用者資訊失敗。"
-other = "解析授權使用者資訊失敗。"
+one = "解析 OAuth 使用者資訊錯誤。"
+other = "解析 OAuth 使用者資訊錯誤。"
 
 [OldPasswordError]
 description = "Old password error."
 one = "舊密碼錯誤。"
 other = "舊密碼錯誤。"
 
-
 [DefaultGroup]
 description = "Default group."
-one = "預設組"
-other = "預設組"
+one = "預設群組"
+other = "預設群組"
 
 [ShareGroup]
 description = "Share group."
-one = "共享組"
-other = "共享組"
+one = "共享群組"
+other = "共享群組"
+
 [RegisterClosed]
 description = "Register closed."
 one = "註冊已關閉。"
@@ -138,20 +150,20 @@ other = "驗證碼錯誤。"
 
 [PwdLoginDisabled]
 description = "Password login disabled."
-one = "密碼登錄已禁用。"
-other = "密碼登錄已禁用。"
+one = "密碼登入已停用。"
+other = "密碼登入已停用。"
 
 [CannotShareToSelf]
 description = "Cannot share to self."
-one = "無法共享給自己。"
-other = "無法共享給自己。"
+one = "無法分享給自己。"
+other = "無法分享給自己。"
 
 [Banned]
 description = "Banned."
-one = "禁止使用。"
-other = "禁止使用。"
+one = "已被禁用。"
+other = "已被禁用。"
 
 [RegisterSuccessWaitAdminConfirm]
-description = "Register success wait admin confirm."
-one = "註冊成功，請等待管理員確認。"
-other = "註冊成功，請等待管理員確認。"
+description = "Register success, wait admin confirm."
+one = "註冊成功，等待管理員確認。"
+other = "註冊成功，等待管理員確認。"

resources/templates/oauth_fail.html

@@ -62,7 +62,7 @@
         var title = 'OauthFailed'
         var msg = '{{.message}}'
         var btn = 'Close'
-        document.writeln('<script src="/api/oauth/msg?lang=' + lang + '&msg=' + msg + '&title=OauthFailed"><\/script>');
+        document.writeln('<script src="/api/oidc/msg?lang=' + lang + '&msg=' + msg + '&title=OauthFailed"><\/script>');
     </script>
 </head>
 <body>

resources/templates/oauth_success.html

@@ -61,7 +61,7 @@
         var title = 'OauthSuccess'
         var msg = '{{.message}}'
         var btn = 'Close'
-        document.writeln('<script src="/api/oauth/msg?lang=' + lang + '&msg=' + msg + '&title=OauthSuccess"><\/script>');
+        document.writeln('<script src="/api/oidc/msg?lang=' + lang + '&msg=' + msg + '&title=OauthSuccess"><\/script>');
     </script>
 </head>
 <body>

service/oauth.go

@@ -4,11 +4,14 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+
 	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/gin-gonic/gin"
 	"github.com/lejianwen/rustdesk-api/v2/model"
 	"github.com/lejianwen/rustdesk-api/v2/utils"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/github"
+
 	// "golang.org/x/oauth2/google"
 	"gorm.io/gorm"
 	// "io"
@@ -93,16 +96,20 @@ func (os *OauthService) DeleteOauthCache(key string) {
 	OauthCache.Delete(key)
 }
 
-func (os *OauthService) BeginAuth(op string) (error error, state, verifier, nonce, url string) {
+func (os *OauthService) BeginAuth(c *gin.Context, op string) (error error, state, verifier, nonce, url string) {
 	state = utils.RandomString(10) + strconv.FormatInt(time.Now().Unix(), 10)
 	verifier = ""
 	nonce = ""
 	if op == model.OauthTypeWebauth {
-		url = Config.Rustdesk.ApiServer + "/_admin/#/oauth/" + state
+		host := c.GetHeader("Origin")
+		if host == "" {
+			host = Config.Rustdesk.ApiServer
+		}
+		url = host + "/_admin/#/oauth/" + state
 		//url = "http://localhost:8888/_admin/#/oauth/" + code
 		return nil, state, verifier, nonce, url
 	}
-	err, oauthInfo, oauthConfig, _ := os.GetOauthConfig(op)
+	err, oauthInfo, oauthConfig, _ := os.GetOauthConfig(c, op)
 	if err == nil {
 		extras := make([]oauth2.AuthCodeOption, 0, 3)
 
@@ -167,20 +174,18 @@ func (os *OauthService) LinuxdoProvider() *oidc.Provider {
 }
 
 // GetOauthConfig retrieves the OAuth2 configuration based on the provider name
-func (os *OauthService) GetOauthConfig(op string) (err error, oauthInfo *model.Oauth, oauthConfig *oauth2.Config, provider *oidc.Provider) {
+func (os *OauthService) GetOauthConfig(c *gin.Context, op string) (err error, oauthInfo *model.Oauth, oauthConfig *oauth2.Config, provider *oidc.Provider) {
 	//err, oauthInfo, oauthConfig = os.getOauthConfigGeneral(op)
 	oauthInfo = os.InfoByOp(op)
 	if oauthInfo.Id == 0 || oauthInfo.ClientId == "" || oauthInfo.ClientSecret == "" {
 		return errors.New("ConfigNotFound"), nil, nil, nil
 	}
-	// If the redirect URL is empty, use the default redirect URL
-	if oauthInfo.RedirectUrl == "" {
-		oauthInfo.RedirectUrl = Config.Rustdesk.ApiServer + "/api/oidc/callback"
-	}
+	redirectUrl := os.buildRedirectURL(c)
+	Logger.Debug("Redirect URL: ", redirectUrl)
 	oauthConfig = &oauth2.Config{
 		ClientID:     oauthInfo.ClientId,
 		ClientSecret: oauthInfo.ClientSecret,
-		RedirectURL:  oauthInfo.RedirectUrl,
+		RedirectURL:  redirectUrl,
 	}
 
 	// Maybe should validate the oauthConfig here
@@ -335,8 +340,8 @@ func (os *OauthService) oidcCallback(oauthConfig *oauth2.Config, provider *oidc.
 }
 
 // Callback: Get user information by code and op(Oauth provider)
-func (os *OauthService) Callback(code, verifier, op, nonce string) (err error, oauthUser *model.OauthUser) {
-	err, oauthInfo, oauthConfig, provider := os.GetOauthConfig(op)
+func (os *OauthService) Callback(c *gin.Context, code, verifier, op, nonce string) (err error, oauthUser *model.OauthUser) {
+	err, oauthInfo, oauthConfig, provider := os.GetOauthConfig(c, op)
 	// oauthType is already validated in GetOauthConfig
 	if err != nil {
 		return err, nil
@@ -522,3 +527,22 @@ func (os *OauthService) getGithubPrimaryEmail(client *http.Client, githubUser *m
 
 	return fmt.Errorf("no primary verified email found")
 }
+
+func (os *OauthService) buildRedirectURL(c *gin.Context) string {
+	baseUrl := Config.Rustdesk.ApiServer
+	host := c.Request.Host
+
+	if host != "" {
+		scheme := c.GetHeader("X-Forwarded-Proto")
+		if scheme == "" {
+			if c.Request.TLS != nil {
+				scheme = "https"
+			} else {
+				scheme = "http"
+			}
+		}
+		baseUrl = fmt.Sprintf("%s://%s", scheme, host)
+	}
+
+	return fmt.Sprintf("%s/api/oidc/callback", baseUrl)
+}

service/user.go

@@ -2,14 +2,14 @@ package service
 
 import (
 	"errors"
-	"github.com/lejianwen/rustdesk-api/v2/model"
-	"github.com/lejianwen/rustdesk-api/v2/utils"
 	"math/rand"
 	"strconv"
 	"strings"
 	"time"
 
 	"github.com/gin-gonic/gin"
+	"github.com/lejianwen/rustdesk-api/v2/model"
+	"github.com/lejianwen/rustdesk-api/v2/utils"
 	"gorm.io/gorm"
 )
 
@@ -55,7 +55,18 @@ func (us *UserService) InfoByUsernamePassword(username, password string) *model.
 		Logger.Warn("Fallback to local database")
 	}
 	u := &model.User{}
-	DB.Where("username = ? and password = ?", username, us.EncryptPassword(password)).First(u)
+	DB.Where("username = ?", username).First(u)
+	if u.Id == 0 {
+		return u
+	}
+	ok, newHash, err := utils.VerifyPassword(u.Password, password)
+	if err != nil || !ok {
+		return &model.User{}
+	}
+	if newHash != "" {
+		DB.Model(u).Update("password", newHash)
+		u.Password = newHash
+	}
 	return u
 }
 
@@ -151,11 +162,6 @@ func (us *UserService) ListIdAndNameByGroupId(groupId uint) (res []*model.User)
 	return res
 }
 
-// EncryptPassword 加密密码
-func (us *UserService) EncryptPassword(password string) string {
-	return utils.Md5(password + "rustdesk-api")
-}
-
 // CheckUserEnable 判断用户是否禁用
 func (us *UserService) CheckUserEnable(u *model.User) bool {
 	return u.Status == model.COMMON_STATUS_ENABLE
@@ -168,7 +174,11 @@ func (us *UserService) Create(u *model.User) error {
 		return errors.New("UsernameExists")
 	}
 	u.Username = us.formatUsername(u.Username)
-	u.Password = us.EncryptPassword(u.Password)
+	var err error
+	u.Password, err = utils.EncryptPassword(u.Password)
+	if err != nil {
+		return err
+	}
 	res := DB.Create(u).Error
 	return res
 }
@@ -268,8 +278,12 @@ func (us *UserService) FlushTokenByUuids(uuids []string) error {
 
 // UpdatePassword 更新密码
 func (us *UserService) UpdatePassword(u *model.User, password string) error {
-	u.Password = us.EncryptPassword(password)
-	err := DB.Model(u).Update("password", u.Password).Error
+	var err error
+	u.Password, err = utils.EncryptPassword(password)
+	if err != nil {
+		return err
+	}
+	err = DB.Model(u).Update("password", u.Password).Error
 	if err != nil {
 		return err
 	}
@@ -486,8 +500,9 @@ func (us *UserService) RefreshAccessToken(ut *model.UserToken) {
 	ut.ExpiredAt = us.UserTokenExpireTimestamp()
 	DB.Model(ut).Update("expired_at", ut.ExpiredAt)
 }
+
 func (us *UserService) AutoRefreshAccessToken(ut *model.UserToken) {
-	if ut.ExpiredAt-time.Now().Unix() < 86400 {
+	if ut.ExpiredAt-time.Now().Unix() < Config.App.TokenExpire.Milliseconds()/3000 {
 		us.RefreshAccessToken(ut)
 	}
 }

utils/captcha.go

@@ -5,7 +5,8 @@ import (
 	"time"
 )
 
-var capdString = base64Captcha.NewDriverString(50, 150, 0, 5, 4, "123456789abcdefghijklmnopqrstuvwxyz", nil, nil, nil)
+var capdString = base64Captcha.NewDriverString(50, 150, 0, 5, 4, "123456789abcdefghijklmnopqrstuvwxyz", nil, nil,
+	[]string{"3Dumb.ttf", "ApothecaryFont.ttf", "Comismsh.ttf", "Flim-Flam.ttf", "RitaSmith.ttf", "wqy-microhei.ttc"})
 
 var capdMath = base64Captcha.NewDriverMath(50, 150, 3, 10, nil, nil, nil)
 

utils/password.go

@@ -0,0 +1,42 @@
+package utils
+
+import (
+	"errors"
+	"golang.org/x/crypto/bcrypt"
+)
+
+// EncryptPassword hashes the input password using bcrypt.
+// An error is returned if hashing fails.
+func EncryptPassword(password string) (string, error) {
+	bs, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return "", err
+	}
+	return string(bs), nil
+}
+
+// VerifyPassword checks the input password against the stored hash.
+// When a legacy MD5 hash is provided, the password is rehashed with bcrypt
+// and the new hash is returned. Any internal bcrypt error is returned.
+func VerifyPassword(hash, input string) (bool, string, error) {
+	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(input))
+	if err == nil {
+		return true, "", nil
+	}
+
+	var invalidPrefixErr bcrypt.InvalidHashPrefixError
+	if errors.As(err, &invalidPrefixErr) || errors.Is(err, bcrypt.ErrHashTooShort) {
+		// Try fallback to legacy MD5 hash verification
+		if hash == Md5(input+"rustdesk-api") {
+			newHash, err2 := bcrypt.GenerateFromPassword([]byte(input), bcrypt.DefaultCost)
+			if err2 != nil {
+				return true, "", err2
+			}
+			return true, string(newHash), nil
+		}
+	}
+	if errors.Is(err, bcrypt.ErrMismatchedHashAndPassword) {
+		return false, "", nil
+	}
+	return false, "", err
+}

utils/password_test.go

@@ -0,0 +1,40 @@
+package utils
+
+import (
+	"testing"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+func TestVerifyPasswordMD5(t *testing.T) {
+	hash := Md5("secret" + "rustdesk-api")
+	ok, newHash, err := VerifyPassword(hash, "secret")
+	if err != nil {
+		t.Fatalf("md5 verify failed: %v", err)
+	}
+	if !ok || newHash == "" {
+		t.Fatalf("md5 migration failed")
+	}
+	if bcrypt.CompareHashAndPassword([]byte(newHash), []byte("secret")) != nil {
+		t.Fatalf("invalid rehash")
+	}
+}
+
+func TestVerifyPasswordBcrypt(t *testing.T) {
+	b, _ := bcrypt.GenerateFromPassword([]byte("pass"), bcrypt.DefaultCost)
+	ok, newHash, err := VerifyPassword(string(b), "pass")
+	if err != nil || !ok || newHash != "" {
+		t.Fatalf("bcrypt verify failed")
+	}
+}
+
+func TestVerifyPasswordMigrate(t *testing.T) {
+	md5hash := Md5("mypass" + "rustdesk-api")
+	ok, newHash, err := VerifyPassword(md5hash, "mypass")
+	if err != nil || !ok || newHash == "" {
+		t.Fatalf("expected bcrypt rehash")
+	}
+	if bcrypt.CompareHashAndPassword([]byte(newHash), []byte("mypass")) != nil {
+		t.Fatalf("rehash not valid bcrypt")
+	}
+}

utils/tools.go

@@ -2,9 +2,9 @@ package utils
 
 import (
 	"crypto/md5"
+	crand "crypto/rand"
 	"encoding/json"
 	"fmt"
-	"math/rand"
 	"reflect"
 	"runtime/debug"
 	"strings"
@@ -69,8 +69,12 @@ func RandomString(n int) string {
 	const letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
 	length := len(letterBytes)
 	b := make([]byte, n)
-	for i := range b {
-		b[i] = letterBytes[rand.Intn(length)]
+	randomBytes := make([]byte, n)
+	if _, err := crand.Read(randomBytes); err != nil {
+		return ""
+	}
+	for i, rb := range randomBytes {
+		b[i] = letterBytes[int(rb)%length]
 	}
 	return string(b)
 }