si-meng-spec/ToDoList
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: harden authentication system (JWT, cookies, rate limiting, password policy)

Browse Source 
- Replace hardcoded JWT secret with randomly generated key persisted to file
- Replace hardcoded default password with random password shown in logs
- Migrate token storage from localStorage to HttpOnly SameSite=strict cookie
- Add IP-based login rate limiter (5 attempts / 15 min, 429 on lockout)
- Add token_version for JWT revocation on password change
- Add password strength validation (min 6 chars, 3+ unique characters)
- Inject decoded user payload into request.state.user in auth middleware
- Add /api/auth/me and /api/auth/logout endpoints
- Narrow auth middleware exception handling (JWTError only, not all Exception)
- Update updated_at timestamp on password change
- Remove localStorage token management from frontend (axios, router, store)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
祀梦
2026-05-17 15:54:45 +08:00
parent 1047bcece9
commit 9d4d869d57
13 changed files with 249 additions and 75 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
api/app/utils/auth.py
View File

@@ -1,13 +1,15 @@
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets
from jose import JWTError, jwt
from passlib.context import CryptContext
from fastapi import Request, HTTPException
from sqlalchemy.orm import Session
from app.config import JWT_SECRET, ACCESS_TOKEN_EXPIRE_MINUTES
from app.database import get_db
from app.models.user_settings import UserSettings
from app.utils.logger import logger
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
@@ -34,8 +36,7 @@ def decode_access_token(token: str) -> dict:
def get_current_user(request: Request) -> dict:
auth_header = request.headers.get("Authorization", "")
token = auth_header.replace("Bearer ", "")
token = request.cookies.get("access_token", "")
if not token:
raise HTTPException(status_code=401, detail="未登录")
try:
@@ -47,5 +48,10 @@ def get_current_user(request: Request) -> dict:
def set_default_password(db: Session, settings: UserSettings):
if not settings.password_hash:
settings.password_hash = hash_password("elysia")
password = secrets.token_urlsafe(8)[:8]
settings.password_hash = hash_password(password)
db.commit()
logger.warning("=" * 50)
logger.warning(f" 初始密码: {password}")
logger.warning(" 请登录后立即修改!")
logger.warning("=" * 50)