nas/Auto_Bangumi
1
0
Fork 0
mirror of https://github.com/EstrellaXD/Auto_Bangumi.git synced 2026-03-20 03:46:40 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
c7c709fa66796536c9899eaa607fd06156e75437
Auto_Bangumi/backend/src/module/security/jwt.py
Estrella Pan c7c709fa66 fix(security): harden auth, JWT, WebAuthn, and API endpoints 
- Persist JWT secret to config/.jwt_secret (survives restarts)
- Change active_user from list to dict with timestamps
- Extract username from cookie token instead of list index
- Add SSRF protection (_validate_url) for setup test endpoints
- Mask sensitive config fields (password, api_key, token, secret)
- Add auth guards to notification test endpoints
- Fix path traversal in /posters endpoint using resolved path check
- Add CORS middleware with empty allow_origins
- WebAuthn: add challenge TTL (300s), max capacity (100), cleanup
- Remove hardcoded default password from User model
- Use timezone-aware datetime in passkey models
- Adapt unit tests for active_user dict and cookie-based auth

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 11:46:12 +01:00

68 lines
1.8 KiB
Python
Raw Blame History

import secrets
from datetime import datetime, timedelta, timezone
from pathlib import Path
from jose import JWTError, jwt
from passlib.context import CryptContext
_SECRET_PATH = Path("config/.jwt_secret")
def _load_or_create_secret() -> str:
if _SECRET_PATH.exists():
return _SECRET_PATH.read_text().strip()
secret = secrets.token_hex(32)
_SECRET_PATH.parent.mkdir(parents=True, exist_ok=True)
_SECRET_PATH.write_text(secret)
return secret
app_pwd_key = _load_or_create_secret()
app_pwd_algorithm = "HS256"
# Hashing 密码
app_pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
# 创建 JWT Token
def create_access_token(data: dict, expires_delta: timedelta | None = None):
to_encode = data.copy()
if expires_delta:
expire = datetime.now(timezone.utc) + expires_delta
else:
expire = datetime.now(timezone.utc) + timedelta(minutes=1440)
to_encode.update({"exp": expire})
encoded_jwt = jwt.encode(to_encode, app_pwd_key, algorithm=app_pwd_algorithm)
return encoded_jwt
# 解码 Token
def decode_token(token: str):
try:
payload = jwt.decode(token, app_pwd_key, algorithms=[app_pwd_algorithm])
username = payload.get("sub")
if username is None:
return None
return payload
except JWTError:
return None
def verify_token(token: str):
token_data = decode_token(token)
if token_data is None:
return None
expires = token_data.get("exp")
if datetime.now(timezone.utc) >= datetime.fromtimestamp(expires, tz=timezone.utc):
raise JWTError("Token expired")
return token_data
# 密码加密&验证
def verify_password(plain_password, hashed_password):
return app_pwd_context.verify(plain_password, hashed_password)
def get_password_hash(password):
return app_pwd_context.hash(password)
Reference in New Issue View Git Blame Copy Permalink