19 lines
859 B
Markdown
19 lines
859 B
Markdown
|
|
# API 巡检 B3 — auth.py + auth_jwt.py + dependencies.py
|
|||
|
|
|
|||
|
|
**日期**: 2026-06-06
|
|||
|
|
|
|||
|
|
## 结论: **PASS**(0 P0/P1/P2,无代码修改)
|
|||
|
|
|
|||
|
|
| 模块 | 端点/职责 | 结果 |
|
|||
|
|
|------|-----------|------|
|
|||
|
|
| `auth.py` | login/refresh/logout/TOTP/password/webssh-token/me | ✓ refresh HttpOnly cookie;改密/TOTP 需 JWT |
|
|||
|
|
| `auth_jwt.py` | JwtAuthMiddleware + `get_current_admin` | ✓ PUBLIC_PREFIXES 白名单;`tv` 版本校验 |
|
|||
|
|
| `dependencies.py` | DI + `check_dangerous_command` | ✓ 无 session 泄漏;危险命令 warning 日志 |
|
|||
|
|
|
|||
|
|
## 要点
|
|||
|
|
|
|||
|
|
- 登录失败 → 429 锁定(`auth_service`)
|
|||
|
|
- Refresh 重用检测 + `token_version` 递增(`test_auth_refresh_reuse.py` 覆盖)
|
|||
|
|
- WebSSH token 独立 `purpose=webssh` + `server_id` 绑定
|
|||
|
|
- `check_dangerous_command` 为**警告不阻断**(单人运维接受,与 Scripts/WebSSH 一致)
|