fix: AppAuthMiddleware 验证 refresh token 格式而非 JWT 解码
refresh token 是 opaque 格式 (token:admin_id:token_version),不是 JWT。 之前用 pyjwt.decode() 验证必然失败,导致所有登录用户访问 /app/ 都返回 404。 改为验证格式合法性(3段、admin_id>0、token_version>=0)。 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
+13
-10
@@ -477,25 +477,28 @@ class AppAuthMiddleware:
|
||||
await response(scope, receive, send)
|
||||
return
|
||||
|
||||
# Verify JWT — use the same verification as JwtAuthMiddleware
|
||||
# Refresh token format: "token:admin_id:token_version" (opaque, not JWT)
|
||||
# Validate format only — full auth happens on /api/ via JwtAuthMiddleware
|
||||
parts = token.rsplit(":", 2)
|
||||
if len(parts) != 3:
|
||||
response = HTMLResponse(status_code=404)
|
||||
await response(scope, receive, send)
|
||||
return
|
||||
|
||||
try:
|
||||
import jwt as pyjwt
|
||||
payload = pyjwt.decode(
|
||||
token, settings.SECRET_KEY, algorithms=["HS256"],
|
||||
options={"require": ["exp", "sub"]},
|
||||
)
|
||||
except Exception:
|
||||
admin_id = int(parts[1])
|
||||
token_version = int(parts[2])
|
||||
except (ValueError, TypeError):
|
||||
response = HTMLResponse(status_code=404)
|
||||
await response(scope, receive, send)
|
||||
return
|
||||
|
||||
admin_id = payload.get("sub")
|
||||
if not admin_id:
|
||||
if admin_id <= 0 or token_version < 0:
|
||||
response = HTMLResponse(status_code=404)
|
||||
await response(scope, receive, send)
|
||||
return
|
||||
|
||||
# Token is valid — user is authenticated; let them through
|
||||
# Token format is valid — user has a session; let them through
|
||||
await self.app(scope, receive, send)
|
||||
|
||||
|
||||
|
||||
Reference in New Issue
Block a user