From 913c3da79b338caa63ce9ee2acb7f96ce78bf0d0 Mon Sep 17 00:00:00 2001
From: Akkia <AkkiaS7@Outlook.com>
Date: Wed, 13 Apr 2022 12:27:40 +0800
Subject: [PATCH 1/5] =?UTF-8?q?feat:=20=E9=80=9A=E8=BF=87=E4=BC=A0?=
 =?UTF-8?q?=E9=80=92=E5=AE=A2=E6=88=B7=E7=AB=AFCookie=E7=9A=84=E6=96=B9?=
 =?UTF-8?q?=E5=BC=8F=E4=BD=BFweb=E7=BB=88=E7=AB=AF=E5=85=BC=E5=AE=B9?=
 =?UTF-8?q?=E8=A2=ABCloudflare=20Access=E4=BF=9D=E6=8A=A4=E7=9A=84?=
 =?UTF-8?q?=E9=9D=A2=E6=9D=BF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cmd/agent/main.go                       | 6 ++++++
 cmd/dashboard/controller/common_page.go | 5 +++--
 model/monitor.go                        | 2 ++
 3 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/cmd/agent/main.go b/cmd/agent/main.go
index 59d8721..0476b0b 100644
--- a/cmd/agent/main.go
+++ b/cmd/agent/main.go
@@ -433,6 +433,12 @@ func handleTerminalTask(task *pb.Task) {
 	}
 	header := http.Header{}
 	header.Add("Secret", agentCliParam.ClientSecret)
+	// 目前只兼容Cloudflare验证
+	// 后续可能需要兼容更多的Cookie验证情况
+	if terminal.Cookie != "" {
+		cfCookie := fmt.Sprintf("CF_Authorization=%s", terminal.Cookie)
+		header.Add("Cookie", cfCookie)
+	}
 	conn, _, err := websocket.DefaultDialer.Dial(fmt.Sprintf("%s://%s/terminal/%s", protocol, terminal.Host, terminal.Session), header)
 	if err != nil {
 		println("Terminal 连接失败：", err)
diff --git a/cmd/dashboard/controller/common_page.go b/cmd/dashboard/controller/common_page.go
index 8eb9692..470c720 100644
--- a/cmd/dashboard/controller/common_page.go
+++ b/cmd/dashboard/controller/common_page.go
@@ -275,13 +275,14 @@ func (cp *commonPage) terminal(c *gin.Context) {
 			}, true)
 			return
 		}
-
+		var cloudflareCookies string
+		cloudflareCookies, _ = c.Cookie("CF_Authorization")
 		terminalData, _ := utils.Json.Marshal(&model.TerminalTask{
 			Host:    terminal.host,
 			UseSSL:  terminal.useSSL,
 			Session: terminalID,
+			Cookie:  cloudflareCookies,
 		})
-
 		if err := server.TaskStream.Send(&proto.Task{
 			Type: model.TaskTypeTerminal,
 			Data: string(terminalData),
diff --git a/model/monitor.go b/model/monitor.go
index cdabccd..309de37 100644
--- a/model/monitor.go
+++ b/model/monitor.go
@@ -27,6 +27,8 @@ type TerminalTask struct {
 	UseSSL bool `json:"use_ssl,omitempty"`
 	// 会话标识
 	Session string `json:"session,omitempty"`
+	// Agent在连接Server时需要的额外Cookie信息
+	Cookie string `json:"cookie,omitempty"`
 }
 
 const (

From a22c58305ba6e32a17beaaf53901cef3bbf0be53 Mon Sep 17 00:00:00 2001
From: Akkia <AkkiaS7@outlook.com>
Date: Wed, 13 Apr 2022 15:18:05 +0800
Subject: [PATCH 2/5] Update cmd/dashboard/controller/common_page.go

Co-authored-by: naiba <hi@nai.ba>
---
 cmd/dashboard/controller/common_page.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/cmd/dashboard/controller/common_page.go b/cmd/dashboard/controller/common_page.go
index 470c720..1cd2ffb 100644
--- a/cmd/dashboard/controller/common_page.go
+++ b/cmd/dashboard/controller/common_page.go
@@ -275,7 +275,6 @@ func (cp *commonPage) terminal(c *gin.Context) {
 			}, true)
 			return
 		}
-		var cloudflareCookies string
 		cloudflareCookies, _ = c.Cookie("CF_Authorization")
 		terminalData, _ := utils.Json.Marshal(&model.TerminalTask{
 			Host:    terminal.host,

From 1d6cca7a9e37713997155e3bb7c28440d277a347 Mon Sep 17 00:00:00 2001
From: Akkia <AkkiaS7@outlook.com>
Date: Wed, 13 Apr 2022 15:18:10 +0800
Subject: [PATCH 3/5] Update cmd/dashboard/controller/common_page.go

Co-authored-by: naiba <hi@nai.ba>
---
 cmd/dashboard/controller/common_page.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/dashboard/controller/common_page.go b/cmd/dashboard/controller/common_page.go
index 1cd2ffb..09a0424 100644
--- a/cmd/dashboard/controller/common_page.go
+++ b/cmd/dashboard/controller/common_page.go
@@ -275,7 +275,7 @@ func (cp *commonPage) terminal(c *gin.Context) {
 			}, true)
 			return
 		}
-		cloudflareCookies, _ = c.Cookie("CF_Authorization")
+cloudflareCookies,  _ := c.Cookie("CF_Authorization")
 		terminalData, _ := utils.Json.Marshal(&model.TerminalTask{
 			Host:    terminal.host,
 			UseSSL:  terminal.useSSL,

From f305d8f55caf4e6d137e4c529924ca0ea43e1f14 Mon Sep 17 00:00:00 2001
From: Akkia <AkkiaS7@Outlook.com>
Date: Wed, 13 Apr 2022 16:45:39 +0800
Subject: [PATCH 4/5] =?UTF-8?q?=E4=B8=BAcloudflareCookies=E5=A2=9E?=
 =?UTF-8?q?=E5=8A=A0=E5=9F=BA=E6=9C=AC=E7=9A=84=E5=90=88=E6=B3=95=E6=80=A7?=
 =?UTF-8?q?=E9=AA=8C=E8=AF=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cmd/dashboard/controller/common_page.go | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/cmd/dashboard/controller/common_page.go b/cmd/dashboard/controller/common_page.go
index 09a0424..42010a5 100644
--- a/cmd/dashboard/controller/common_page.go
+++ b/cmd/dashboard/controller/common_page.go
@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"log"
 	"net/http"
+	"regexp"
+	"strings"
 	"sync"
 	"time"
 
@@ -275,7 +277,22 @@ func (cp *commonPage) terminal(c *gin.Context) {
 			}, true)
 			return
 		}
-cloudflareCookies,  _ := c.Cookie("CF_Authorization")
+		cloudflareCookies, _ := c.Cookie("CF_Authorization")
+		// CloudflareCookies合法性验证
+		// 其应该包含.分隔的三组BASE64-URL编码
+		if cloudflareCookies != "" {
+			encodedCookies := strings.Split(cloudflareCookies, ".")
+			if len(encodedCookies) == 3 {
+				for i := 0; i < 3; i++ {
+					if valid, _ := regexp.MatchString("^[A-Za-z0-9-_]+$", encodedCookies[i]); !valid {
+						cloudflareCookies = ""
+						break
+					}
+				}
+			} else {
+				cloudflareCookies = ""
+			}
+		}
 		terminalData, _ := utils.Json.Marshal(&model.TerminalTask{
 			Host:    terminal.host,
 			UseSSL:  terminal.useSSL,

From 48b755a046998a5bf178b3856dde873e0ef3d798 Mon Sep 17 00:00:00 2001
From: naiba <hi@nai.ba>
Date: Wed, 13 Apr 2022 16:51:57 +0800
Subject: [PATCH 5/5] bump dashboard version

---
 README.md                      | 2 +-
 service/singleton/singleton.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index baca76a..c2defc1 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,7 @@
   <br>
   <small><i>LOGO designed by <a href="https://xio.ng" target="_blank">熊大</a> .</i></small>
   <br><br>
-<img src="https://img.shields.io/github/workflow/status/naiba/nezha/Dashboard%20image?label=Dash%20v0.12.18&logo=github&style=for-the-badge">&nbsp;<img src="https://img.shields.io/github/v/release/naiba/nezha?color=brightgreen&label=Agent&style=for-the-badge&logo=github">&nbsp;<img src="https://img.shields.io/github/workflow/status/naiba/nezha/Agent%20release?label=Agent%20CI&logo=github&style=for-the-badge">&nbsp;<img src="https://img.shields.io/badge/Installer-v0.8.2-brightgreen?style=for-the-badge&logo=linux">
+<img src="https://img.shields.io/github/workflow/status/naiba/nezha/Dashboard%20image?label=Dash%20v0.12.19&logo=github&style=for-the-badge">&nbsp;<img src="https://img.shields.io/github/v/release/naiba/nezha?color=brightgreen&label=Agent&style=for-the-badge&logo=github">&nbsp;<img src="https://img.shields.io/github/workflow/status/naiba/nezha/Agent%20release?label=Agent%20CI&logo=github&style=for-the-badge">&nbsp;<img src="https://img.shields.io/badge/Installer-v0.8.2-brightgreen?style=for-the-badge&logo=linux">
   <br>
   <br>
   <p>:trollface: <b>哪吒监控</b> 一站式轻监控轻运维系统。支持系统状态、HTTP(SSL 证书变更、即将到期、到期)、TCP、Ping 监控报警，计划任务和在线终端。</p>
diff --git a/service/singleton/singleton.go b/service/singleton/singleton.go
index 2de0947..e784739 100644
--- a/service/singleton/singleton.go
+++ b/service/singleton/singleton.go
@@ -10,7 +10,7 @@ import (
 	"github.com/naiba/nezha/model"
 )
 
-var Version = "v0.12.18" // ！！记得修改 README 中的 badge 版本！！
+var Version = "v0.12.19" // ！！记得修改 README 中的 badge 版本！！
 
 var (
 	Conf  *model.Config