Files
Nexus/docs/reports/2026-06-06-api-audit-b3-auth.md
T

19 lines
859 B
Markdown
Raw Normal View History

# API 巡检 B3 — auth.py + auth_jwt.py + dependencies.py
**日期**: 2026-06-06
## 结论: **PASS**0 P0/P1/P2,无代码修改)
| 模块 | 端点/职责 | 结果 |
|------|-----------|------|
| `auth.py` | login/refresh/logout/TOTP/password/webssh-token/me | ✓ refresh HttpOnly cookie;改密/TOTP 需 JWT |
| `auth_jwt.py` | JwtAuthMiddleware + `get_current_admin` | ✓ PUBLIC_PREFIXES 白名单;`tv` 版本校验 |
| `dependencies.py` | DI + `check_dangerous_command` | ✓ 无 session 泄漏;危险命令 warning 日志 |
## 要点
- 登录失败 → 429 锁定(`auth_service`
- Refresh 重用检测 + `token_version` 递增(`test_auth_refresh_reuse.py` 覆盖)
- WebSSH token 独立 `purpose=webssh` + `server_id` 绑定
- `check_dangerous_command` 为**警告不阻断**(单人运维接受,与 Scripts/WebSSH 一致)