fix(auth): 反代后登录白名单读取真实客户端 IP

Docker/1Panel 反代时 request.client.host 为 172.18.0.1;可信内网跳读取 X-Real-IP/X-Forwarded-For。

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Nexus Agent
2026-06-07 21:50:28 +08:00
parent a14fbb3df3
commit 69087988b1
6 changed files with 193 additions and 3 deletions
+4 -3
View File
@@ -16,6 +16,7 @@ from server.api.dependencies import get_auth_service, get_db
from server.api.auth_jwt import get_current_admin
from server.application.services.auth_service import AuthService, JWT_REFRESH_TOKEN_EXPIRE_DAYS
from server.domain.models import Admin, AuditLog
from server.utils.client_ip import get_client_ip
router = APIRouter(prefix="/api/auth", tags=["auth"])
@@ -122,7 +123,7 @@ async def login(
Security: Refresh token is set as HttpOnly cookie (not in JSON body).
Access token is returned in JSON for client-side Bearer auth.
"""
ip_address = request.client.host if request.client else "unknown"
ip_address = get_client_ip(request)
result = await service.login(
username=payload.username,
password=payload.password,
@@ -170,7 +171,7 @@ async def refresh_token(
if not refresh_token:
raise HTTPException(status_code=401, detail="Missing refresh token")
ip_address = request.client.host if request.client else ""
ip_address = get_client_ip(request)
result = await service.refresh_token(refresh_token, ip_address=ip_address)
if not result["success"]:
# Clear the cookie on failure (invalid/expired token)
@@ -313,7 +314,7 @@ async def change_password(
logger.warning(f"Failed to clear refresh tokens from Redis for admin {admin.id}", exc_info=True)
# Audit log with client IP
ip_address = request.client.host if request.client else ""
ip_address = get_client_ip(request)
audit_repo = AuditLogRepositoryImpl(db)
await audit_repo.create(AuditLog(
admin_username=admin.username,