fix(auth): T1-01 reject admin JWT query tokens
Some checks failed
CI / pytest (Python 3.10) (push) Has been cancelled
CI / pytest (Python 3.11) (push) Has been cancelled
CI / pytest (Python 3.12) (push) Has been cancelled

This commit is contained in:
Hermes Agent
2026-07-05 21:50:24 +08:00
parent 6a436a7941
commit 4189e60d8d
2 changed files with 9 additions and 7 deletions

View File

@@ -117,17 +117,12 @@ def get_current_user(
) -> AdminUser:
"""FastAPI 依赖:从 Authorization: Bearer *** JWT,返回 AdminUser。
缺失/无效/过期一律 401 (走业务错误码 E012xx 系列).
支持从 URL query 参数 ``t`` 获取 token仅用于管理后台 Web 页面场景)
缺失/无效/过期一律 401 (走业务错误码 E012xx 系列)
管理后台 JWT 不允许通过 URL query 参数传递,避免进入浏览器历史、日志或 Referer
"""
raw_token: str | None = None
if credentials is not None and credentials.scheme.lower() == "bearer":
raw_token = credentials.credentials
# fallback: URL query 参数 t管理后台 Web 登录页跳转场景)
if raw_token is None:
query_token = request.query_params.get("t")
if query_token:
raw_token = query_token
if raw_token is None:
raise BusinessError(
AUTH_TOKEN_INVALID, detail={"reason": "missing bearer token"}

View File

@@ -106,6 +106,13 @@ def test_get_current_user_accepts_valid_token(client, auth_token):
assert body["is_active"] is True
def test_get_current_user_rejects_query_token(client, auth_token):
"""Admin JWT 不允许通过 URL query 参数传递,避免进入日志/Referer/历史记录。"""
resp = client.get(f"/api/auth/me?t={auth_token}")
assert resp.status_code == 401
assert resp.headers.get("WWW-Authenticate", "").lower() == "bearer"
def test_get_current_user_rejects_inactive(settings):
"""直接构造 inactive 用户 token → 403。"""
from admin.db import AdminUser, AdminUserRepo, ensure_schema