bugfix

2026-05-09 16:42:25 +08:00 · 2026-05-09 16:42:25 +08:00 · ec30b57b23
commit ec30b57b23
parent dd3fc6e37a
2 changed files with 29 additions and 22 deletions
--- a/ahserver/auth_api.py
+++ b/ahserver/auth_api.py
@ -20,8 +20,26 @@ from appPublic.dictObject import DictObject
 from appPublic.rsawrap import RSA
 from appPublic.log import info, debug, warning, error, critical, exception
-def get_client_ip(obj, request):
+class CustomTktAuth(auth.SessionTktAuthentication):
-	return request['client_ip']
+	async def get_ticket(self, request):
 		# 1. 优先尝试从你手动设置的缓存中取
 		manual_ticket = request.get('WssCookies')
 		if manual_ticket:
 			return manual_ticket
 		# 2. 如果没有，再走原有的 Headers/Cookies 逻辑
 		return await super().get_ticket(request)
 	def _get_ip(self, request):
 		return request['client_ip']
 	def _new_ticket(self, request, user_id):
 		client_uuid = request.headers.get('client_uuid')
 		ip = self._get_ip(request)
 		valid_until = int(time.time()) + self._max_age
 		return self._ticket.new(user_id, 
 						valid_until=valid_until, 
 						client_ip=ip, 
 						user_data=client_uuid)
 async def get_session_userinfo(request):
 	d = await auth.get_auth(request)
@ -103,9 +121,9 @@ class AuthAPI:
 		cnt = 32 - len(b)
 		secret = b + b'iqwertyuiopasdfghjklzxcvbnm12345'[:cnt]
 		storage = EncryptedCookieStorage(secret,
-			secure=True,          # <--- 核心：生产环境 HTTPS 必须为 True
+			secure=True,		  # <--- 核心：生产环境 HTTPS 必须为 True
-			samesite='None',      # <--- 核心：跨域必须为 None
+			samesite='None',	  # <--- 核心：跨域必须为 None
-			httponly=True,        # 安全建议：防止 XSS 攻击
+			httponly=True,		# 安全建议：防止 XSS 攻击
 			max_age=24*60*60  
 		)
 		if self.conf.website.session_redis:
@ -113,9 +131,9 @@ class AuthAPI:
 			# redis = await aioredis.from_url("redis://127.0.0.1:6379")
 			redisdb = await redis.Redis.from_url(url)
 			storage = MyRedisStorage(redisdb,
-				secure=True,          # <--- 核心：生产环境 HTTPS 必须为 True
+				secure=True,		  # <--- 核心：生产环境 HTTPS 必须为 True
-				samesite='None',      # <--- 核心：跨域必须为 None
+				samesite='None',	  # <--- 核心：跨域必须为 None
-				httponly=True,        # 安全建议：防止 XSS 攻击
+				httponly=True,		# 安全建议：防止 XSS 攻击
 				max_age=24*60*60  
 			)
 		aiohttp_session.setup(app, storage)
@ -130,19 +148,7 @@ class AuthAPI:
 		if self.conf.website.session_reissue_time:
 			session_reissue_time = self.conf.website.session_reissue_time
-		def _new_ticket(self, request, user_id):
+		policy = CustomTktAuth(secret, 
 			client_uuid = request.headers.get('client_uuid')
 			ip = self._get_ip(request)
 			valid_until = int(time.time()) + self._max_age
 			# print(f'hack: my _new_ticket() called ... remote {ip=}, {client_uuid=}')
 			return self._ticket.new(user_id, 
 							valid_until=valid_until, 
 							client_ip=ip, 
 							user_data=client_uuid)
 		TktAuthentication._get_ip = get_client_ip
 		TktAuthentication._new_ticket = _new_ticket
 		policy = auth.SessionTktAuthentication(secret, 
 										session_max_time,
 										reissue_time=session_reissue_time,
 									   include_ip=True)
--- a/ahserver/websocketProcessor.py
+++ b/ahserver/websocketProcessor.py
@ -143,7 +143,8 @@ class WebsocketProcessor(PythonScriptProcessor):
 	async def path_call(self, request,params={}):
 		cookie = request.headers.get('Sec-WebSocket-Protocol', None)
 		if cookie:
-			request.headers['Cookies'] = cookie
+			# request.headers['Cookies'] = cookie
 			request['WssCookies'] = cookie
 			userid = await get_user()
 			debug(f'{cookie=}, {userid=}')
 		await self.set_run_env(request)