安全与质量修复: P0-4/P0-5 + P1-6~P1-13 (8项)

P0-4: install.py _write_env() 值加引号转义,防止含#$\等字符的密码破坏.env格式
P0-5: install.py _build_redis_url() URL编码redis密码,防止@:等字符破坏URL解析
P1-6: auth_service.py _decode_access_token() 验证exp/sub声明存在,拒绝畸形JWT
P1-7: websocket.py + webssh.py WebSocket JWT验证增加updated_at检查,密码修改后令牌失效
P1-8: auth.py 无refresh_token的logout返回更明确的提示信息
P1-9: install.py create_admin增加_is_installed()检查,防止.env存在后重复创建
P1-10: servers.py server_stats() 改用SQL聚合查询,避免加载全部服务器对象
P1-11: heartbeat_flush.py 移除get_redis()永不返回None的死代码
P1-13: sync_engine_v2.py completed/failed计数器加asyncio.Lock防止并发竞态

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Your Name
2026-05-22 23:04:40 +08:00
parent 4af9acf564
commit d744d7df8e
8 changed files with 128 additions and 62 deletions
-3
View File
@@ -35,9 +35,6 @@ async def heartbeat_flush_loop():
await asyncio.sleep(FLUSH_INTERVAL)
redis = get_redis()
if redis is None:
logger.warning("Redis unavailable — skip heartbeat flush")
continue
# Scan all heartbeat:* keys
try: