增强JWT令牌安全性

JWT.py

@@ -9,3 +9,4 @@ oauth2_scheme = OAuth2PasswordBearer(
     )
 
 SECRET_KEY = asyncio.run(database.Database().get_setting('SECRET_KEY'))
+ALGORITHM = "HS256"

frontend/index.html

@@ -1,10 +1,10 @@
 <!DOCTYPE html>
-<html lang="en">
+<html lang="zh-CN">
   <head>
     <meta charset="UTF-8">
     <link rel="icon" href="/favicon.ico">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <title>Welcome to Vuetify 3</title>
+    <title>Findreve</title>
   </head>
   <body>
     <div id="app"></div>

frontend/src/views/Admin.vue

@@ -43,17 +43,9 @@
       <v-list nav>
         <v-list-item prepend-icon="mdi-view-dashboard" title="仪表盘" value="dashboard" @click="currentTab = 'dashboard'"></v-list-item>
         <v-list-item prepend-icon="mdi-tag-multiple" title="物品管理" value="items" @click="currentTab = 'items'"></v-list-item>
-        <v-list-item prepend-icon="mdi-qrcode-scan" title="生成码" value="qrcodes" @click="currentTab = 'qrcodes'"></v-list-item>
         <v-list-item prepend-icon="mdi-account-cog" title="用户设置" value="settings" @click="currentTab = 'settings'"></v-list-item>
         <v-list-item prepend-icon="mdi-information" title="关于系统" value="about" @click="currentTab = 'about'"></v-list-item>
       </v-list>
-      <template v-slot:append>
-        <div class="pa-2">
-          <v-btn block color="primary" @click="drawer = false">
-            关闭菜单
-          </v-btn>
-        </div>
-      </template>
     </v-navigation-drawer>
 
     <!-- 主内容区 -->
@@ -216,12 +208,6 @@
           </v-data-table>
         </div>
         
-        <!-- 其他标签页内容 -->
-        <div v-if="currentTab === 'qrcodes'">
-          <h2 class="text-h4 mb-4">生成二维码</h2>
-          <p>此功能正在开发中...</p>
-        </div>
-        
         <div v-if="currentTab === 'settings'">
           <h2 class="text-h4 mb-4">用户设置</h2>
           

routes/admin.py

@@ -3,6 +3,8 @@ from typing import Annotated, Literal, Optional
 from fastapi import Depends, Query
 from fastapi import HTTPException
 import JWT
+import jwt
+from jwt import InvalidTokenError
 from model import database
 from model.response import DefaultResponse
 from model.items import Item
@@ -15,7 +17,22 @@ async def is_admin(token: Annotated[str, Depends(JWT.oauth2_scheme)]) -> Literal
     使用方法：
     >>> APIRouter(dependencies=[Depends(is_admin)])
     '''
+    credentials_exception = HTTPException(
+        status_code=401,
+        detail="Could not validate credentials",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+    
+    try:
+        payload = jwt.decode(token, JWT.SECRET_KEY, algorithms=[JWT.ALGORITHM])
+        username = payload.get("sub")
+        if username is None or not await database.Database().get_setting('account') == username:
+            raise credentials_exception
+        else:
             return True
+    except InvalidTokenError:
+        raise credentials_exception
+        
 
 Router = APIRouter(
     prefix='/api/admin', 

routes/session.py

@@ -48,7 +48,7 @@ async def login_for_access_token(
     user = await authenticate_user(form_data.username, form_data.password)
     if not user:
         raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
+            status_code=401,
             detail="Incorrect username or password",
             headers={"WWW-Authenticate": "Bearer"},
         )