From ec30b57b23400a1b389b5626c3d39796b3a3e47c Mon Sep 17 00:00:00 2001
From: yumoqing
Date: Sat, 9 May 2026 16:42:25 +0800
Subject: [PATCH] bugfix

---
 ahserver/auth_api.py | 48 +++++++++++++++++++---------------
 ahserver/websocketProcessor.py | 3 ++-
 2 files changed, 29 insertions(+), 22 deletions(-)

diff --git a/ahserver/auth_api.py b/ahserver/auth_api.py
index 5d69e16..cf0d737 100644
--- a/ahserver/auth_api.py
+++ b/ahserver/auth_api.py
@@ -20,8 +20,26 @@
 from appPublic.dictObject import DictObject
 from appPublic.rsawrap import RSA
 from appPublic.log import info, debug, warning, error, critical, exception
-def get_client_ip(obj, request):
- return request['client_ip']
+class CustomTktAuth(auth.SessionTktAuthentication):
+ async def get_ticket(self, request):
+ # 1. 优先尝试从你手动设置的缓存中取
+ manual_ticket = request.get('WssCookies')
+ if manual_ticket:
+ return manual_ticket
+
+ # 2. 如果没有,再走原有的 Headers/Cookies 逻辑
+ return await super().get_ticket(request)
+ def _get_ip(self, request):
+ return request['client_ip']
+
+ def _new_ticket(self, request, user_id):
+ client_uuid = request.headers.get('client_uuid')
+ ip = self._get_ip(request)
+ valid_until = int(time.time()) + self._max_age
+ return self._ticket.new(user_id,
+ valid_until=valid_until,
+ client_ip=ip,
+ user_data=client_uuid)
 
 async def get_session_userinfo(request):
 d = await auth.get_auth(request)
@@ -103,9 +121,9 @@ class AuthAPI:
 cnt = 32 - len(b)
 secret = b + b'iqwertyuiopasdfghjklzxcvbnm12345'[:cnt]
 storage = EncryptedCookieStorage(secret,
- secure=True, # <--- 核心:生产环境 HTTPS 必须为 True
- samesite='None', # <--- 核心:跨域必须为 None
- httponly=True, # 安全建议:防止 XSS 攻击
+ secure=True, # <--- 核心:生产环境 HTTPS 必须为 True
+ samesite='None', # <--- 核心:跨域必须为 None
+ httponly=True, # 安全建议:防止 XSS 攻击
 max_age=24*60*60
 )
 if self.conf.website.session_redis:
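Review bot: `CustomTktAuth.get_ticket` returns whatever `request['WssCookies']` holds — a raw, client-supplied `Sec-WebSocket-Protocol` header value — so authentication of a websocket request rests entirely on the base class's ticket validation that runs after `get_ticket`, which is not visible in this hunk and should be confirmed to still signature-check the ticket and, with `include_ip=True`, compare it against `_get_ip`. That contract deserves a docstring on the override, e.g. `"""Prefer the ticket the websocket handler stashed in request['WssCookies']; the value is untrusted until the base class validates its signature and IP binding."""`. `_get_ip` indexes `request['client_ip']` unconditionally, so a request that reaches auth without that key (presumably set by an upstream middleware) raises KeyError instead of failing authentication cleanly; reading it with `.get` and handling the missing case deliberately would be more robust. As a point of style, `get_ticket` and `_get_ip` are not separated by a blank line as the other methods are.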
@@ -113,9 +131,9 @@ class AuthAPI:
 # redis = await aioredis.from_url("redis://127.0.0.1:6379")
 redisdb = await redis.Redis.from_url(url)
 storage = MyRedisStorage(redisdb,
- secure=True, # <--- 核心:生产环境 HTTPS 必须为 True
- samesite='None', # <--- 核心:跨域必须为 None
- httponly=True, # 安全建议:防止 XSS 攻击
+ secure=True, # <--- 核心:生产环境 HTTPS 必须为 True
+ samesite='None', # <--- 核心:跨域必须为 None
+ httponly=True, # 安全建议:防止 XSS 攻击
 max_age=24*60*60
 )
 aiohttp_session.setup(app, storage)
@@ -130,19 +148,7 @@ class AuthAPI:
 if self.conf.website.session_reissue_time:
 session_reissue_time = self.conf.website.session_reissue_time
 
- def _new_ticket(self, request, user_id):
- client_uuid = request.headers.get('client_uuid')
- ip = self._get_ip(request)
- valid_until = int(time.time()) + self._max_age
- # print(f'hack: my _new_ticket() called ... remote {ip=}, {client_uuid=}')
- return self._ticket.new(user_id,
- valid_until=valid_until,
- client_ip=ip,
- user_data=client_uuid)
-
- TktAuthentication._get_ip = get_client_ip
- TktAuthentication._new_ticket = _new_ticket
- policy = auth.SessionTktAuthentication(secret,
+ policy = CustomTktAuth(secret,
 session_max_time,
 reissue_time=session_reissue_time,
 include_ip=True)
diff --git a/ahserver/websocketProcessor.py b/ahserver/websocketProcessor.py
index d64d8e7..1fb7767 100644
--- a/ahserver/websocketProcessor.py
+++ b/ahserver/websocketProcessor.py
@@ -143,7 +143,8 @@ class WebsocketProcessor(PythonScriptProcessor):
 async def path_call(self, request,params={}):
 cookie = request.headers.get('Sec-WebSocket-Protocol', None)
 if cookie:
- request.headers['Cookies'] = cookie
+ # request.headers['Cookies'] = cookie
+ request['WssCookies'] = cookie
 userid = await get_user()
 debug(f'{cookie=}, {userid=}')
 await self.set_run_env(request)
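Review bot: `policy = CustomTktAuth(secret, ...)` is built with `include_ip=True`, which now binds every ticket to `request['client_ip']` through `CustomTktAuth._get_ip`, and nothing in this hunk shows which middleware populates that key or whether it is derived from a client-controllable forwarded header; a comment at the call site would make the dependency explicit: `# include_ip=True: tickets are bound to request['client_ip'] (CustomTktAuth._get_ip); that key must be set by trusted middleware before auth runs`. With the `TktAuthentication._get_ip` / `_new_ticket` monkey-patches gone, check whether `TktAuthentication` is still referenced elsewhere in the module, otherwise its import is now dead. The enclosing method begins outside the hunk.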
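Review bot: `request['WssCookies'] = cookie` makes the `Sec-WebSocket-Protocol` header the session ticket consumed by `CustomTktAuth.get_ticket`, but the unchanged `debug(f'{cookie=}, {userid=}')` two lines below then writes that bearer credential into the log; log presence rather than the value, e.g. `debug(f'ws ticket present={bool(cookie)}, {userid=}')`. The commented-out `# request.headers['Cookies'] = cookie` should be deleted rather than kept alongside the replacement. `Sec-WebSocket-Protocol` is specified as a comma-separated list of subprotocols, so a client that offers more than one hands the whole list over as the ticket and validation will presumably fail; a comment stating that the header must carry exactly the ticket (and that the handshake is expected to echo the selected subprotocol back) would save the next reader a debugging session. `path_call` continues past the hunk, and its `params={}` mutable default in the context line is a pre-existing hazard worth cleaning up separately.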