增强JWT令牌安全性

2025-07-15 11:23:03 +08:00
parent 03198de9c5
commit 1a3a03dd6f
5 changed files with 23 additions and 19 deletions
--- a/routes/admin.py
+++ b/routes/admin.py
@@ -3,6 +3,8 @@ from typing import Annotated, Literal, Optional
 from fastapi import Depends, Query
 from fastapi import HTTPException
 import JWT
+import jwt
+from jwt import InvalidTokenError
 from model import database
 from model.response import DefaultResponse
 from model.items import Item
@@ -15,7 +17,22 @@ async def is_admin(token: Annotated[str, Depends(JWT.oauth2_scheme)]) -> Literal
    使用方法：
    >>> APIRouter(dependencies=[Depends(is_admin)])
    '''
-    return True
+    credentials_exception = HTTPException(
+        status_code=401,
+        detail="Could not validate credentials",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+    
+    try:
+        payload = jwt.decode(token, JWT.SECRET_KEY, algorithms=[JWT.ALGORITHM])
+        username = payload.get("sub")
+        if username is None or not await database.Database().get_setting('account') == username:
+            raise credentials_exception
+        else:
+            return True
+    except InvalidTokenError:
+        raise credentials_exception
+        

 Router = APIRouter(
    prefix='/api/admin', 
--- a/routes/session.py
+++ b/routes/session.py
@@ -48,7 +48,7 @@ async def login_for_access_token(
    user = await authenticate_user(form_data.username, form_data.password)
    if not user:
        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
+            status_code=401,
            detail="Incorrect username or password",
            headers={"WWW-Authenticate": "Bearer"},
        )