fix(rdp): WS JWT 改路径避免 Guacamole 查询串冲突
Guacamole connect() 追加 ?hostname= 会破坏 ?token= 导致 403。 Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
+11
-4
@@ -5,7 +5,7 @@ from __future__ import annotations
|
||||
import logging
|
||||
from typing import Optional
|
||||
|
||||
from fastapi import APIRouter, Path, Query, WebSocket, WebSocketDisconnect
|
||||
from fastapi import APIRouter, Path, WebSocket, WebSocketDisconnect
|
||||
|
||||
from server.config import settings
|
||||
from server.domain.models import Admin
|
||||
@@ -55,13 +55,20 @@ async def _verify_rdp_access_token(token: str) -> Optional[Admin]:
|
||||
return admin
|
||||
|
||||
|
||||
@router.websocket("/ws/rdp/hosts/{host_id}")
|
||||
@router.websocket("/ws/rdp/hosts/{host_id}/tunnel/{access_token}")
|
||||
async def rdp_guacamole_ws(
|
||||
websocket: WebSocket,
|
||||
host_id: int = Path(...),
|
||||
token: Optional[str] = Query(None),
|
||||
access_token: str = Path(..., description="URL-encoded JWT (not query — Guacamole appends ?connect)"),
|
||||
):
|
||||
"""Transparent Guacamole tunnel to guacd after JWT + RDP host lookup."""
|
||||
"""Transparent Guacamole tunnel to guacd after JWT + RDP host lookup.
|
||||
|
||||
Token is in the path because guacamole-common-js ``Client.connect()`` always
|
||||
appends ``?hostname=...`` to the tunnel URL; a ``?token=`` query would break JWT parsing.
|
||||
"""
|
||||
from urllib.parse import unquote
|
||||
|
||||
token = unquote(access_token).strip()
|
||||
if not token:
|
||||
await websocket.close(code=4001, reason="Missing JWT token")
|
||||
return
|
||||
|
||||
Reference in New Issue
Block a user