humingcheng pushed a commit to branch dev
in repository https://gitbox.apache.org/repos/asf/servicecomb-service-center.git
The following commit(s) were added to refs/heads/dev by this push:
new 9dd12125 When determining whether to lock the login, only the request
from console will be locked. (#1513)
9dd12125 is described below
commit 9dd121251eae32bd95d6343131059a9d0f6952f0
Author: melod_yi <[email protected]>
AuthorDate: Sat Aug 23 18:27:14 2025 +0800
When determining whether to lock the login, only the request from console
will be locked. (#1513)
Apply the login lock check only to requests that come from the console;
other requests are not locked. (#1513)
---
server/service/rbac/authr_plugin.go | 21 ++++++++++++++++-----
1 file changed, 16 insertions(+), 5 deletions(-)
diff --git a/server/service/rbac/authr_plugin.go
b/server/service/rbac/authr_plugin.go
index 18adb12c..f9956140 100644
--- a/server/service/rbac/authr_plugin.go
+++ b/server/service/rbac/authr_plugin.go
@@ -21,10 +21,11 @@ import (
"context"
"crypto/rsa"
"fmt"
+ "net/http"
+ "strings"
"github.com/apache/servicecomb-service-center/pkg/log"
"github.com/apache/servicecomb-service-center/pkg/privacy"
- "github.com/apache/servicecomb-service-center/pkg/util"
"github.com/go-chassis/cari/pkg/errsvc"
"github.com/go-chassis/cari/rbac"
"github.com/go-chassis/go-chassis/v2/security/authr"
@@ -42,8 +43,14 @@ func newEmbeddedAuthenticator(_ *authr.Options)
(authr.Authenticator, error) {
// Login check db user and password,will verify and return token for valid
account
func (a *EmbeddedAuthenticator) Login(ctx context.Context, user string,
password string, opts ...authr.LoginOption) (string, error) {
- ip := util.GetIPFromContext(ctx)
- if IsBanned(MakeBanKey(user, ip)) {
+ // Get x-real-ip directly from context
+ var ip string
+ if req, ok := ctx.Value("http_request").(*http.Request); ok && req !=
nil {
+ ip = strings.TrimSpace(req.Header.Get("x-real-ip"))
+ }
+
+ shouldCheckBan := ip != ""
+ if shouldCheckBan && IsBanned(MakeBanKey(user, ip)) {
log.Warn(fmt.Sprintf("ip [%s] is banned, account: %s", ip,
user))
return "", ErrAccountBlocked
}
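Review bot: The ban key, and the decision to check the ban at all, now depend on the `x-real-ip` request header, which the caller can set or omit unless a trusted proxy in front always overwrites it (not visible in this diff). A request without the header gets `shouldCheckBan == false`, so it skips `IsBanned` here and both `TryLockAccount` calls in the next hunk, which leaves failed logins on that path unthrottled. A request whose header value changes gets a different ban key each time. If the header is meant to mark console traffic, document the trust assumption above the lookup, e.g. `// x-real-ip must be set by the fronting proxy and stripped from client input; requests without it are not subject to the login ban`, and confirm the proxy enforces it. Since the value is also logged, `%q` instead of `%s` in the `log.Warn` call would keep control characters from a crafted header out of the log line; Login's body continues outside this hunk.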
@@ -54,14 +61,18 @@ func (a *EmbeddedAuthenticator) Login(ctx context.Context,
user string, password
account, err := GetAccount(ctx, user)
if err != nil {
if errsvc.IsErrEqualCode(err, rbac.ErrAccountNotExist) {
- TryLockAccount(MakeBanKey(user, ip))
+ if shouldCheckBan {
+ TryLockAccount(MakeBanKey(user, ip))
+ }
return "", UserOrPwdWrongError()
}
return "", err
}
same := privacy.SamePassword(account.Password, password)
if !same {
- TryLockAccount(MakeBanKey(user, ip))
+ if shouldCheckBan {
+ TryLockAccount(MakeBanKey(user, ip))
+ }
return "", UserOrPwdWrongError()
}
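Review bot: The `if shouldCheckBan { TryLockAccount(MakeBanKey(user, ip)) }` guard is repeated on both failure paths, so a failure path added later can easily miss it. A small closure defined next to `shouldCheckBan`, e.g. `lockOnFailure := func() { if shouldCheckBan { TryLockAccount(MakeBanKey(user, ip)) } }`, would reduce each call site to one line and keep the lockout rule in one place. Login starts before this hunk and appears to continue after it.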