fix: AppAuthMiddleware 类定义移到 add_middleware 调用之前
Python 模块级代码顺序执行,类必须先定义再引用。 之前 add_middleware(AppAuthMiddleware) 在第404行但类定义在第495行, 导致 NameError 服务启动失败。同时修复 _is_install_mode → is_install_mode。 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
+56
-55
@@ -398,60 +398,6 @@ class SecurityHeadersMiddleware:
|
||||
|
||||
await self.app(scope, receive, send_with_headers)
|
||||
|
||||
app.add_middleware(SecurityHeadersMiddleware)
|
||||
|
||||
# AppAuth: protect /app/ HTML pages behind refresh-cookie (standalone, before JWT/DB/CORS)
|
||||
app.add_middleware(AppAuthMiddleware)
|
||||
|
||||
# F2a-10 / F2d-02: global JWT gate for all /api/* (inside DbSession — uses request.state.db)
|
||||
app.add_middleware(JwtAuthMiddleware)
|
||||
|
||||
# D7: DB session leak fix middleware (must be added BEFORE CORS so it wraps all requests)
|
||||
app.add_middleware(DbSessionMiddleware)
|
||||
|
||||
# CORS — restrict to actual frontend origin (ECC security fix: was allow_origins=["*"])
|
||||
app.add_middleware(
|
||||
CORSMiddleware,
|
||||
allow_origins=[o.strip() for o in settings.CORS_ORIGINS.split(",") if o.strip()] if settings.CORS_ORIGINS else ["http://localhost:8600"],
|
||||
allow_credentials=True,
|
||||
allow_methods=["*"],
|
||||
allow_headers=["*"],
|
||||
)
|
||||
|
||||
# Register all API routers
|
||||
|
||||
# D2: Install wizard (always registered — works in both modes)
|
||||
app.include_router(install_router)
|
||||
|
||||
# Normal API routers (require full app init)
|
||||
app.include_router(servers_router)
|
||||
app.include_router(auth_router)
|
||||
app.include_router(agent_router)
|
||||
app.include_router(scripts_router)
|
||||
app.include_router(settings_router)
|
||||
app.include_router(schedule_router)
|
||||
app.include_router(preset_router)
|
||||
app.include_router(ssh_key_preset_router)
|
||||
app.include_router(audit_router)
|
||||
app.include_router(alert_history_router)
|
||||
app.include_router(retry_router)
|
||||
|
||||
# WebSocket + Health check routers (new in v6.0)
|
||||
app.include_router(websocket_router)
|
||||
app.include_router(health_router)
|
||||
|
||||
# Asset management (Platform, Node, SSH Sessions, Command Logs)
|
||||
app.include_router(assets_router)
|
||||
|
||||
# Web SSH Terminal
|
||||
app.include_router(webssh_router)
|
||||
|
||||
# Sync Engine v2 (Step 4)
|
||||
app.include_router(sync_v2_router)
|
||||
|
||||
# Global Search
|
||||
app.include_router(search_router)
|
||||
|
||||
# ── AppAuth: protect /app/ pages behind refresh-cookie auth ──
|
||||
|
||||
# Public /app/ paths that anyone can access without login
|
||||
@@ -516,7 +462,7 @@ class AppAuthMiddleware:
|
||||
await self.app(scope, receive, send)
|
||||
return
|
||||
|
||||
if _is_install_mode():
|
||||
if is_install_mode():
|
||||
await self.app(scope, receive, send)
|
||||
return
|
||||
|
||||
@@ -553,6 +499,61 @@ class AppAuthMiddleware:
|
||||
await self.app(scope, receive, send)
|
||||
|
||||
|
||||
app.add_middleware(SecurityHeadersMiddleware)
|
||||
|
||||
# AppAuth: protect /app/ HTML pages behind refresh-cookie (standalone, before JWT/DB/CORS)
|
||||
app.add_middleware(AppAuthMiddleware)
|
||||
|
||||
# F2a-10 / F2d-02: global JWT gate for all /api/* (inside DbSession — uses request.state.db)
|
||||
app.add_middleware(JwtAuthMiddleware)
|
||||
|
||||
# D7: DB session leak fix middleware (must be added BEFORE CORS so it wraps all requests)
|
||||
app.add_middleware(DbSessionMiddleware)
|
||||
|
||||
# CORS — restrict to actual frontend origin (ECC security fix: was allow_origins=["*"])
|
||||
app.add_middleware(
|
||||
CORSMiddleware,
|
||||
allow_origins=[o.strip() for o in settings.CORS_ORIGINS.split(",") if o.strip()] if settings.CORS_ORIGINS else ["http://localhost:8600"],
|
||||
allow_credentials=True,
|
||||
allow_methods=["*"],
|
||||
allow_headers=["*"],
|
||||
)
|
||||
|
||||
# Register all API routers
|
||||
|
||||
# D2: Install wizard (always registered — works in both modes)
|
||||
app.include_router(install_router)
|
||||
|
||||
# Normal API routers (require full app init)
|
||||
app.include_router(servers_router)
|
||||
app.include_router(auth_router)
|
||||
app.include_router(agent_router)
|
||||
app.include_router(scripts_router)
|
||||
app.include_router(settings_router)
|
||||
app.include_router(schedule_router)
|
||||
app.include_router(preset_router)
|
||||
app.include_router(ssh_key_preset_router)
|
||||
app.include_router(audit_router)
|
||||
app.include_router(alert_history_router)
|
||||
app.include_router(retry_router)
|
||||
|
||||
# WebSocket + Health check routers (new in v6.0)
|
||||
app.include_router(websocket_router)
|
||||
app.include_router(health_router)
|
||||
|
||||
# Asset management (Platform, Node, SSH Sessions, Command Logs)
|
||||
app.include_router(assets_router)
|
||||
|
||||
# Web SSH Terminal
|
||||
app.include_router(webssh_router)
|
||||
|
||||
# Sync Engine v2 (Step 4)
|
||||
app.include_router(sync_v2_router)
|
||||
|
||||
# Global Search
|
||||
app.include_router(search_router)
|
||||
|
||||
|
||||
# ── Custom 404: return blank HTML to hide backend identity ──
|
||||
@app.exception_handler(StarletteHTTPException)
|
||||
async def custom_http_exception_handler(request: Request, exc: StarletteHTTPException):
|
||||
|
||||
Reference in New Issue
Block a user