fix: AppAuthMiddleware 验证 refresh token 格式而非 JWT 解码

refresh token 是 opaque 格式 (token:admin_id:token_version),不是 JWT。
之前用 pyjwt.decode() 验证必然失败,导致所有登录用户访问 /app/ 都返回 404。
改为验证格式合法性(3段、admin_id>0、token_version>=0)。

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Your Name
2026-05-30 05:10:39 +08:00
parent 64a8a18287
commit deffa8a8f4
+13 -10
View File
@@ -477,25 +477,28 @@ class AppAuthMiddleware:
await response(scope, receive, send)
return
# Verify JWT — use the same verification as JwtAuthMiddleware
# Refresh token format: "token:admin_id:token_version" (opaque, not JWT)
# Validate format only — full auth happens on /api/ via JwtAuthMiddleware
parts = token.rsplit(":", 2)
if len(parts) != 3:
response = HTMLResponse(status_code=404)
await response(scope, receive, send)
return
try:
import jwt as pyjwt
payload = pyjwt.decode(
token, settings.SECRET_KEY, algorithms=["HS256"],
options={"require": ["exp", "sub"]},
)
except Exception:
admin_id = int(parts[1])
token_version = int(parts[2])
except (ValueError, TypeError):
response = HTMLResponse(status_code=404)
await response(scope, receive, send)
return
admin_id = payload.get("sub")
if not admin_id:
if admin_id <= 0 or token_version < 0:
response = HTMLResponse(status_code=404)
await response(scope, receive, send)
return
# Token is valid — user is authenticated; let them through
# Token format is valid — user has a session; let them through
await self.app(scope, receive, send)