From d6b36e52254adbb526b547a9b0029b3cc68133b0 Mon Sep 17 00:00:00 2001 From: EstrellaXD Date: Wed, 6 Sep 2023 21:19:59 +0800 Subject: [PATCH 1/3] change: - add random pwd_key. - backend auth change from Auth token to cookies --- backend/src/module/api/__init__.py | 2 - backend/src/module/api/auth.py | 87 +++++++++++------------------- backend/src/module/api/bangumi.py | 62 +++++++-------------- backend/src/module/api/config.py | 12 ++--- backend/src/module/api/download.py | 65 ---------------------- backend/src/module/api/log.py | 12 ++--- backend/src/module/api/program.py | 6 +-- backend/src/module/api/rss.py | 80 ++++++++++----------------- backend/src/module/api/search.py | 13 ++--- backend/src/module/security/api.py | 32 ++++++----- backend/src/module/security/jwt.py | 9 +++- 11 files changed, 114 insertions(+), 266 deletions(-) delete mode 100644 backend/src/module/api/download.py diff --git a/backend/src/module/api/__init__.py b/backend/src/module/api/__init__.py index bd5cddd1..38999e4d 100644 --- a/backend/src/module/api/__init__.py +++ b/backend/src/module/api/__init__.py @@ -3,7 +3,6 @@ from fastapi import APIRouter from .auth import router as auth_router from .bangumi import router as bangumi_router from .config import router as config_router -from .download import router as download_router from .log import router as log_router from .program import router as program_router from .rss import router as rss_router @@ -16,7 +15,6 @@ v1 = APIRouter(prefix="/v1") v1.include_router(auth_router) v1.include_router(log_router) v1.include_router(program_router) -v1.include_router(download_router) v1.include_router(bangumi_router) v1.include_router(config_router) v1.include_router(rss_router) diff --git a/backend/src/module/api/auth.py b/backend/src/module/api/auth.py index 18a44023..9c47ed23 100644 --- a/backend/src/module/api/auth.py +++ b/backend/src/module/api/auth.py @@ -2,7 +2,7 @@ from datetime import timedelta from fastapi import APIRouter, Depends, HTTPException, status from fastapi.security import OAuth2PasswordRequestForm -from fastapi.responses import JSONResponse +from fastapi.responses import JSONResponse, Response from module.models.user import User, UserUpdate from module.models import APIResponse @@ -10,6 +10,7 @@ from module.security.api import ( auth_user, get_current_user, update_user_info, + active_user ) from module.security.jwt import create_access_token @@ -17,70 +18,46 @@ router = APIRouter(prefix="/auth", tags=["auth"]) @router.post("/login", response_model=dict) -async def login(form_data: OAuth2PasswordRequestForm = Depends()): +async def login(response: Response, form_data=Depends(OAuth2PasswordRequestForm)): user = User(username=form_data.username, password=form_data.password) auth_user(user) token = create_access_token( data={"sub": user.username}, expires_delta=timedelta(days=1) ) + response.set_cookie(key="token", value=token, httponly=True, max_age=86400) + return {"access_token": token, "token_type": "bearer"} + +@router.get("/refresh_token", response_model=dict, dependencies=[Depends(get_current_user)]) +async def refresh(response: Response): + token = create_access_token( + data={"sub": get_current_user}, expires_delta=timedelta(days=1) + ) + response.set_cookie(key="token", value=token, httponly=True, max_age=86400) + return {"access_token": token, "token_type": "bearer"} + + +@router.get("/logout", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def logout(response: Response): + active_user.clear() + response.delete_cookie(key="token") return JSONResponse( - status_code=status.HTTP_200_OK, - content={ - "access_token": token, - "token_type": "bearer", - "expire": 86400, - }, + status_code=200, + content={"msg_en": "Logout successfully.", "msg_zh": "登出成功。"}, ) -@router.get("/refresh_token", response_model=dict) -async def refresh(current_user: User = Depends(get_current_user)): - if not current_user: - raise HTTPException( - status_code=status.HTTP_401_UNAUTHORIZED, detail="invalid token" - ) - token = create_access_token(data={"sub": current_user.username}) - return JSONResponse( - status_code=status.HTTP_200_OK, - content={ - "access_token": token, - "token_type": "bearer", - "expire": 86400, - }, - ) - - -@router.get("/logout", response_model=APIResponse) -async def logout(current_user: User = Depends(get_current_user)): - if not current_user: - raise HTTPException( - status_code=status.HTTP_401_UNAUTHORIZED, detail="invalid token" - ) - return JSONResponse( - status_code=status.HTTP_200_OK, - content={ - "msg_en": "Logout success", - "msg_zh": "登出成功", - }, - ) - - -@router.post("/update", response_model=dict) +@router.post("/update", response_model=dict, dependencies=[Depends(get_current_user)]) async def update_user( - user_data: UserUpdate, current_user: User = Depends(get_current_user) + user_data: UserUpdate, response: Response ): - if not current_user: - raise HTTPException( - status_code=status.HTTP_401_UNAUTHORIZED, detail="invalid token" - ) - if update_user_info(user_data, current_user): - return JSONResponse( - status_code=status.HTTP_200_OK, - content={ - "message": "update success", - "access_token": create_access_token({"sub": user_data.username}), - "token_type": "bearer", - "expire": 86400, - }, + old_user = active_user[0] + if update_user_info(user_data, old_user): + token = create_access_token(data={"sub": old_user}, expires_delta=timedelta(days=1)) + response.set_cookie( + key="token", + value=token, + httponly=True, + max_age=86400, ) + return {"access_token": token, "token_type": "bearer"} diff --git a/backend/src/module/api/bangumi.py b/backend/src/module/api/bangumi.py index df18c687..a96c22c2 100644 --- a/backend/src/module/api/bangumi.py +++ b/backend/src/module/api/bangumi.py @@ -16,93 +16,67 @@ def str_to_list(data: Bangumi): return data -@router.get("/get/all", response_model=list[Bangumi]) -async def get_all_data(current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.get("/get/all", response_model=list[Bangumi], dependencies=[Depends(get_current_user)]) +async def get_all_data(): with TorrentManager() as manager: return manager.bangumi.search_all() -@router.get("/get/{bangumi_id}", response_model=Bangumi) -async def get_data(bangumi_id: str, current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.get("/get/{bangumi_id}", response_model=Bangumi, dependencies=[Depends(get_current_user)]) +async def get_data(bangumi_id: str): with TorrentManager() as manager: resp = manager.search_one(bangumi_id) return resp -@router.patch("/update/{bangumi_id}", response_model=APIResponse) +@router.patch("/update/{bangumi_id}", response_model=APIResponse, dependencies=[Depends(get_current_user)]) async def update_rule( - bangumi_id: int, data: BangumiUpdate, current_user=Depends(get_current_user) + bangumi_id: int, data: BangumiUpdate, ): - if not current_user: - raise UNAUTHORIZED with TorrentManager() as manager: resp = manager.update_rule(bangumi_id, data) return u_response(resp) -@router.delete(path="/delete/{bangumi_id}", response_model=APIResponse) -async def delete_rule( - bangumi_id: str, file: bool = False, current_user=Depends(get_current_user) -): - if not current_user: - raise UNAUTHORIZED +@router.delete(path="/delete/{bangumi_id}", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def delete_rule(bangumi_id: str, file: bool = False): with TorrentManager() as manager: resp = manager.delete_rule(bangumi_id, file) return u_response(resp) -@router.delete(path="/delete/many/", response_model=APIResponse) -async def delete_many_rule( - bangumi_id: list, file: bool = False, current_user=Depends(get_current_user) -): - if not current_user: - raise UNAUTHORIZED +@router.delete(path="/delete/many/", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def delete_many_rule(bangumi_id: list, file: bool = False): with TorrentManager() as manager: for i in bangumi_id: resp = manager.delete_rule(i, file) return u_response(resp) -@router.delete(path="/disable/{bangumi_id}", response_model=APIResponse) -async def disable_rule( - bangumi_id: str, file: bool = False, current_user=Depends(get_current_user) -): - if not current_user: - raise UNAUTHORIZED +@router.delete(path="/disable/{bangumi_id}", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def disable_rule(bangumi_id: str, file: bool = False): with TorrentManager() as manager: resp = manager.disable_rule(bangumi_id, file) return u_response(resp) -@router.delete(path="/disable/many/", response_model=APIResponse) -async def disable_many_rule( - bangumi_id: list, file: bool = False, current_user=Depends(get_current_user) -): - if not current_user: - raise UNAUTHORIZED +@router.delete(path="/disable/many/", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def disable_many_rule(bangumi_id: list, file: bool = False): with TorrentManager() as manager: for i in bangumi_id: resp = manager.disable_rule(i, file) return u_response(resp) -@router.get(path="/enable/{bangumi_id}", response_model=APIResponse) -async def enable_rule(bangumi_id: str, current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.get(path="/enable/{bangumi_id}", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def enable_rule(bangumi_id: str): with TorrentManager() as manager: resp = manager.enable_rule(bangumi_id) return u_response(resp) -@router.get("/reset/all", response_model=APIResponse) -async def reset_all(current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.get("/reset/all", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def reset_all(): with TorrentManager() as manager: manager.bangumi.delete_all() return JSONResponse( diff --git a/backend/src/module/api/config.py b/backend/src/module/api/config.py index 5f9138b6..3b307599 100644 --- a/backend/src/module/api/config.py +++ b/backend/src/module/api/config.py @@ -11,17 +11,13 @@ router = APIRouter(prefix="/config", tags=["config"]) logger = logging.getLogger(__name__) -@router.get("/get", response_model=Config) -async def get_config(current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.get("/get", response_model=Config, dependencies=[Depends(get_current_user)]) +async def get_config(): return settings -@router.patch("/update", response_model=APIResponse) -async def update_config(config: Config, current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.patch("/update", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def update_config(config: Config): try: settings.save(config_dict=config.dict()) settings.load() diff --git a/backend/src/module/api/download.py b/backend/src/module/api/download.py deleted file mode 100644 index 1ebf3581..00000000 --- a/backend/src/module/api/download.py +++ /dev/null @@ -1,65 +0,0 @@ -from fastapi import APIRouter, Depends -from fastapi.responses import JSONResponse - -from module.manager import SeasonCollector -from module.models import Bangumi, RSSItem, APIResponse -from module.rss import RSSAnalyser -from module.security.api import get_current_user, UNAUTHORIZED - -router = APIRouter(prefix="/download", tags=["download"]) -analyser = RSSAnalyser() - - -@router.post("/analysis", response_model=Bangumi) -async def analysis(rss: RSSItem, current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED - data = analyser.link_to_data(rss) - if data: - return data - else: - return JSONResponse( - status_code=406, - content={"msg_en": "Analysis failed.", "msg_zh": "解析失败。"}, - ) - - -@router.post("/collection", response_model=APIResponse) -async def download_collection(data: Bangumi, current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED - if data: - with SeasonCollector() as collector: - if collector.collect_season(data, data.rss_link[0]): - return JSONResponse( - status_code=200, - content={"msg_en": "Add torrent successfully.", "msg_zh": "添加种子成功。"}, - ) - else: - return JSONResponse( - status_code=406, - content={"msg_en": "Add torrent failed.", "msg_zh": "添加种子失败。"}, - ) - else: - return JSONResponse( - status_code=406, - content={"msg_en": "Add torrent failed.", "msg_zh": "添加种子失败。"}, - ) - - -@router.post("/subscribe", response_model=APIResponse) -async def subscribe(data: Bangumi, current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED - if data: - with SeasonCollector() as collector: - collector.subscribe_season(data) - return JSONResponse( - status_code=200, - content={"msg_en": "Subscribe successfully.", "msg_zh": "订阅成功。"}, - ) - else: - return JSONResponse( - status_code=406, - content={"msg_en": "Subscribe failed.", "msg_zh": "订阅失败。"}, - ) diff --git a/backend/src/module/api/log.py b/backend/src/module/api/log.py index 520e316d..04d1434d 100644 --- a/backend/src/module/api/log.py +++ b/backend/src/module/api/log.py @@ -8,10 +8,8 @@ from module.models import APIResponse router = APIRouter(prefix="/log", tags=["log"]) -@router.get("") -async def get_log(current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.get("", response_model=str, dependencies=[Depends(get_current_user)]) +async def get_log(): if LOG_PATH.exists(): with open(LOG_PATH, "rb") as f: return Response(f.read(), media_type="text/plain") @@ -19,10 +17,8 @@ async def get_log(current_user=Depends(get_current_user)): return Response("Log file not found", status_code=404) -@router.get("/clear", response_model=APIResponse) -async def clear_log(current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.get("/clear", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def clear_log(): if LOG_PATH.exists(): LOG_PATH.write_text("") return JSONResponse( diff --git a/backend/src/module/api/program.py b/backend/src/module/api/program.py index 8f679ad2..a118408b 100644 --- a/backend/src/module/api/program.py +++ b/backend/src/module/api/program.py @@ -25,10 +25,8 @@ async def shutdown(): program.stop() -@router.get("/restart", response_model=APIResponse) -async def restart(current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.get("/restart", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def restart(): try: program.restart() return JSONResponse( diff --git a/backend/src/module/api/rss.py b/backend/src/module/api/rss.py index d2d98331..8c4926cb 100644 --- a/backend/src/module/api/rss.py +++ b/backend/src/module/api/rss.py @@ -13,36 +13,28 @@ from module.manager import SeasonCollector router = APIRouter(prefix="/rss", tags=["rss"]) -@router.get(path="", response_model=list[RSSItem]) -async def get_rss(current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.get(path="", response_model=list[RSSItem], dependencies=[Depends(get_current_user)]) +async def get_rss(): with RSSEngine() as engine: return engine.rss.search_all() -@router.post(path="/add", response_model=APIResponse) -async def add_rss(rss: RSSItem, current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.post(path="/add", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def add_rss(rss: RSSItem, ): with RSSEngine() as engine: result = engine.add_rss(rss.url, rss.name, rss.aggregate) return u_response(result) -@router.post(path="/enable/many", response_model=APIResponse) -async def enable_many_rss(rss_ids: list[int], current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.post(path="/enable/many", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def enable_many_rss(rss_ids: list[int], ): with RSSEngine() as engine: result = engine.enable_list(rss_ids) return u_response(result) -@router.delete(path="/delete/{rss_id}", response_model=APIResponse) -async def delete_rss(rss_id: int, current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.delete(path="/delete/{rss_id}", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def delete_rss(rss_id: int, ): with RSSEngine() as engine: if engine.rss.delete(rss_id): return JSONResponse( @@ -56,19 +48,15 @@ async def delete_rss(rss_id: int, current_user=Depends(get_current_user)): ) -@router.post(path="/delete/many", response_model=APIResponse) -async def delete_many_rss(rss_ids: list[int], current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.post(path="/delete/many", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def delete_many_rss(rss_ids: list[int], ): with RSSEngine() as engine: result = engine.delete_list(rss_ids) return u_response(result) -@router.patch(path="/disable/{rss_id}", response_model=APIResponse) -async def disable_rss(rss_id: int, current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.patch(path="/disable/{rss_id}", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def disable_rss(rss_id: int, ): with RSSEngine() as engine: if engine.rss.disable(rss_id): return JSONResponse( @@ -82,16 +70,14 @@ async def disable_rss(rss_id: int, current_user=Depends(get_current_user)): ) -@router.post(path="/disable/many", response_model=APIResponse) -async def disable_many_rss(rss_ids: list[int], current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.post(path="/disable/many", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def disable_many_rss(rss_ids: list[int], ): with RSSEngine() as engine: result = engine.disable_list(rss_ids) return u_response(result) -@router.patch(path="/update/{rss_id}", response_model=APIResponse) +@router.patch(path="/update/{rss_id}", response_model=APIResponse, dependencies=[Depends(get_current_user)]) async def update_rss( rss_id: int, data: RSSUpdate, current_user=Depends(get_current_user) ): @@ -110,10 +96,8 @@ async def update_rss( ) -@router.get(path="/refresh/all", response_model=APIResponse) -async def refresh_all(current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.get(path="/refresh/all", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def refresh_all(): with RSSEngine() as engine, DownloadClient() as client: engine.refresh_rss(client) return JSONResponse( @@ -122,10 +106,8 @@ async def refresh_all(current_user=Depends(get_current_user)): ) -@router.get(path="/refresh/{rss_id}", response_model=APIResponse) -async def refresh_rss(rss_id: int, current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.get(path="/refresh/{rss_id}", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def refresh_rss(rss_id: int, ): with RSSEngine() as engine, DownloadClient() as client: engine.refresh_rss(client, rss_id) return JSONResponse( @@ -134,10 +116,8 @@ async def refresh_rss(rss_id: int, current_user=Depends(get_current_user)): ) -@router.get(path="/torrent/{rss_id}", response_model=list[Torrent]) -async def get_torrent(rss_id: int, current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.get(path="/torrent/{rss_id}", response_model=list[Torrent], dependencies=[Depends(get_current_user)]) +async def get_torrent(rss_id: int, ): with RSSEngine() as engine: return engine.get_rss_torrents(rss_id) @@ -146,10 +126,8 @@ async def get_torrent(rss_id: int, current_user=Depends(get_current_user)): analyser = RSSAnalyser() -@router.post("/analysis", response_model=Bangumi) -async def analysis(rss: RSSItem, current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.post("/analysis", response_model=Bangumi, dependencies=[Depends(get_current_user)]) +async def analysis(rss: RSSItem, ): data = analyser.link_to_data(rss) if isinstance(data, Bangumi): return data @@ -157,19 +135,15 @@ async def analysis(rss: RSSItem, current_user=Depends(get_current_user)): return u_response(data) -@router.post("/collect", response_model=APIResponse) -async def download_collection(data: Bangumi, current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.post("/collect", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def download_collection(data: Bangumi, ): with SeasonCollector() as collector: resp = collector.collect_season(data, data.rss_link) return u_response(resp) -@router.post("/subscribe", response_model=APIResponse) -async def subscribe(data: Bangumi, current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.post("/subscribe", response_model=APIResponse, dependencies=[Depends(get_current_user)]) +async def subscribe(data: Bangumi, ): with SeasonCollector() as collector: resp = collector.subscribe_season(data) return u_response(resp) diff --git a/backend/src/module/api/search.py b/backend/src/module/api/search.py index ae9453b8..3ad90984 100644 --- a/backend/src/module/api/search.py +++ b/backend/src/module/api/search.py @@ -9,17 +9,14 @@ from module.models import Bangumi router = APIRouter(prefix="/search", tags=["search"]) -@router.get("/bangumi", response_model=list[Bangumi]) +@router.get("/bangumi", response_model=list[Bangumi], dependencies=[Depends(get_current_user)]) async def search_torrents( site: str = "mikan", - keywords: str = Query(None), - current_user=Depends(get_current_user), + keywords: str = Query(None) ): """ Server Send Event for per Bangumi item """ - if not current_user: - raise UNAUTHORIZED if not keywords: return [] keywords = keywords.split(" ") @@ -29,8 +26,6 @@ async def search_torrents( ) -@router.get("/provider", response_model=list[str]) -async def search_provider(current_user=Depends(get_current_user)): - if not current_user: - raise UNAUTHORIZED +@router.get("/provider", response_model=list[str], dependencies=[Depends(get_current_user)]) +async def search_provider(): return list(SEARCH_CONFIG.keys()) diff --git a/backend/src/module/security/api.py b/backend/src/module/security/api.py index 65f27787..b5647b14 100644 --- a/backend/src/module/security/api.py +++ b/backend/src/module/security/api.py @@ -1,4 +1,4 @@ -from fastapi import Depends, HTTPException, status +from fastapi import Depends, HTTPException, status, Cookie from fastapi.security import OAuth2PasswordBearer from module.database import Database @@ -8,25 +8,21 @@ from .jwt import verify_token oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/api/v1/auth/login") +active_user = [] -async def get_current_user(token: str = Depends(oauth2_scheme)): + +async def get_current_user(token: str = Cookie(None)): if not token: - raise HTTPException( - status_code=status.HTTP_401_UNAUTHORIZED, detail="invalid token" - ) + raise UNAUTHORIZED payload = verify_token(token) if not payload: - raise HTTPException( - status_code=status.HTTP_401_UNAUTHORIZED, detail="invalid token" - ) + raise UNAUTHORIZED username = payload.get("sub") - with Database() as db: - user = db.user.get_user(username) - if not user: - raise HTTPException( - status_code=status.HTTP_401_UNAUTHORIZED, detail="invalid username" - ) - return user + if not username: + raise UNAUTHORIZED + if username not in active_user: + raise UNAUTHORIZED + return username async def get_token_data(token: str = Depends(oauth2_scheme)): @@ -41,7 +37,7 @@ async def get_token_data(token: str = Depends(oauth2_scheme)): def update_user_info(user_data: UserUpdate, current_user): try: with Database() as db: - db.user.update_user(current_user.username, user_data) + db.user.update_user(current_user, user_data) return True except Exception as e: raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(e)) @@ -49,7 +45,9 @@ def update_user_info(user_data: UserUpdate, current_user): def auth_user(user: User): with Database() as db: - db.user.auth_user(user) + if db.user.auth_user(user): + active_user.append(user.username) + return True UNAUTHORIZED = HTTPException( diff --git a/backend/src/module/security/jwt.py b/backend/src/module/security/jwt.py index 78ca595d..35c832a9 100644 --- a/backend/src/module/security/jwt.py +++ b/backend/src/module/security/jwt.py @@ -3,7 +3,14 @@ from datetime import datetime, timedelta from jose import JWTError, jwt from passlib.context import CryptContext -app_pwd_key = "auto_bangumi" + +def generate_key(): + import secrets + + return secrets.token_urlsafe(32) + + +app_pwd_key = generate_key() app_pwd_algorithm = "HS256" # Hashing 密码 From a430258a2b2a2cf32a618feb828749b81dd2443e Mon Sep 17 00:00:00 2001 From: EstrellaXD Date: Wed, 6 Sep 2023 21:35:59 +0800 Subject: [PATCH 2/3] change: axios default setting. --- webui/src/utils/axios.ts | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/webui/src/utils/axios.ts b/webui/src/utils/axios.ts index 02a08602..432f973b 100644 --- a/webui/src/utils/axios.ts +++ b/webui/src/utils/axios.ts @@ -3,15 +3,18 @@ import type { ApiError } from "#/api"; export const axios = Axios.create(); -axios.interceptors.request.use((config) => { - const { auth } = useAuth(); +// axios.interceptors.request.use((config) => { +// const { auth } = useAuth(); +// +// // if (auth.value !== '' && config.headers) { +// // config.headers.Authorization = auth.value; +// // } +// +// return config; +// }); - if (auth.value !== '' && config.headers) { - config.headers.Authorization = auth.value; - } - - return config; -}); +// axios.defaults.baseURL = '/api/v1'; +axios.defaults.withCredentials = true; axios.interceptors.response.use( (res) => { From 52b9dac72be32811591e5c43e7563aca01fd570c Mon Sep 17 00:00:00 2001 From: EstrellaXD Date: Wed, 6 Sep 2023 21:42:32 +0800 Subject: [PATCH 3/3] fix: refresh-token bug. --- backend/src/module/api/auth.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/src/module/api/auth.py b/backend/src/module/api/auth.py index 9c47ed23..80b81bfc 100644 --- a/backend/src/module/api/auth.py +++ b/backend/src/module/api/auth.py @@ -31,7 +31,7 @@ async def login(response: Response, form_data=Depends(OAuth2PasswordRequestForm) @router.get("/refresh_token", response_model=dict, dependencies=[Depends(get_current_user)]) async def refresh(response: Response): token = create_access_token( - data={"sub": get_current_user}, expires_delta=timedelta(days=1) + data={"sub": get_current_user()}, expires_delta=timedelta(days=1) ) response.set_cookie(key="token", value=token, httponly=True, max_age=86400) return {"access_token": token, "token_type": "bearer"}