feat(security): unify token validation for message endpoints

2026-04-05 11:47:50 +08:00 · 2024-10-08 14:32:29 +08:00
parent 284082741e
commit 4f01b82b81
4 changed files with 8 additions and 21 deletions
--- a/app/api/endpoints/message.py
+++ b/app/api/endpoints/message.py
@@ -9,7 +9,7 @@ from starlette.responses import PlainTextResponse
 from app import schemas
 from app.chain.message import MessageChain
 from app.core.config import settings, global_vars
-from app.core.security import verify_token
+from app.core.security import verify_token, verify_apitoken
 from app.db import get_db
 from app.db.models import User
 from app.db.models.message import Message
@@ -30,7 +30,8 @@ def start_message_chain(body: Any, form: Any, args: Any):


@router.post("/", summary="接收用户消息", response_model=schemas.Response)
-async def user_message(background_tasks: BackgroundTasks, request: Request):
+async def user_message(background_tasks: BackgroundTasks, request: Request,
+                       _: schemas.TokenPayload = Depends(verify_apitoken)):
    """
    用户消息响应，配置请求中需要添加参数：token=API_TOKEN&source=消息配置名
    """
@@ -102,18 +103,17 @@ def wechat_verify(echostr: str, msg_signature: str, timestamp: Union[str, int],
    return "未找到对应的消息配置"


-def vocechat_verify(token: str) -> Any:
+def vocechat_verify() -> Any:
    """
    VoceChat验证响应
    """
-    if token == settings.API_TOKEN:
-        return {"status": "OK"}
-    return {"status": "API_TOKEN ERROR"}
+    return {"status": "OK"}


@router.get("/", summary="回调请求验证")
 def incoming_verify(token: str = None, echostr: str = None, msg_signature: str = None,
-                    timestamp: Union[str, int] = None, nonce: str = None, source: str = None) -> Any:
+                    timestamp: Union[str, int] = None, nonce: str = None, source: str = None,
+                    _: schemas.TokenPayload = Depends(verify_apitoken)) -> Any:
    """
    微信/VoceChat等验证响应
    """
@@ -121,7 +121,7 @@ def incoming_verify(token: str = None, echostr: str = None, msg_signature: str =
                f"msg_signature={msg_signature}, timestamp={timestamp}, nonce={nonce}")
    if echostr and msg_signature and timestamp and nonce:
        return wechat_verify(echostr, msg_signature, timestamp, nonce, source)
-    return vocechat_verify(token)
+    return vocechat_verify()


@router.post("/webpush/subscribe", summary="客户端webpush通知订阅", response_model=schemas.Response)
--- a/app/modules/slack/init.py
+++ b/app/modules/slack/init.py
@@ -171,10 +171,6 @@ class SlackModule(_ModuleBase, _MessageBase[Slack]):
        client_config = self.get_config(source)
        if not client_config:
            return None
-        # 校验token
-        token = args.get("token")
-        if not token or token != settings.API_TOKEN:
-            return None
        try:
            msg_json: dict = json.loads(body)
        except Exception as err:
--- a/app/modules/telegram/init.py
+++ b/app/modules/telegram/init.py
@@ -85,10 +85,6 @@ class TelegramModule(_ModuleBase, _MessageBase[Telegram]):
        if not client_config:
            return None
        client: Telegram = self.get_instance(source)
-        # 校验token
-        token = args.get("token")
-        if not token or token != settings.API_TOKEN:
-            return None
        try:
            message: dict = json.loads(body)
        except Exception as err:
--- a/app/modules/vocechat/init.py
+++ b/app/modules/vocechat/init.py
@@ -81,11 +81,6 @@ class VoceChatModule(_ModuleBase, _MessageBase[VoceChat]):
                # 非新消息
                return None
            logger.debug(f"收到VoceChat请求：{msg_body}")
-            # token校验
-            token = args.get("token")
-            if not token or token != settings.API_TOKEN:
-                logger.warn(f"VoceChat请求token校验失败：{token}")
-                return None
            # 文本内容
            content = msg_body.get("detail", {}).get("content")
            # 用户ID