fix: 令牌驗證額外添加是否為有效令牌

* 如果解密無效, 直接返回一個無效的令牌, 並加以判斷
2025-09-25 12:12:12 +08:00
parent 9cc3a2149e
commit 4fa3e16ab7
4 changed files with 16 additions and 8 deletions
--- a/server/api/BaseApi.ts
+++ b/server/api/BaseApi.ts
@@ -25,7 +25,7 @@ export default abstract class BaseApi {
    }
    checkToken(token: Token, deviceId: string) {
        if (token.expired_time < Date.now()) return false
-        if (!User.findById(token.author)) return false
+        if (!token.author || !User.findById(token.author)) return false
        if (deviceId != null)
            if (token.device_id != deviceId)
                return false
--- a/server/api/FileTokenManager.ts
+++ b/server/api/FileTokenManager.ts
@@ -22,9 +22,13 @@ export default class FileTokenManager {
    }
    static decode(token: string) {
        if (token == null) throw new Error('令牌為空!')
-        return JSON.parse(crypto.createDecipheriv("aes-256-gcm", normalizeKey(config.aes_key + '_file'), '01234567890123456').update(
-            Buffer.from(token, 'hex')
-        ).toString()) as Token
+        try {
+            return JSON.parse(crypto.createDecipheriv("aes-256-gcm", normalizeKey(config.aes_key + '_file'), '01234567890123456').update(
+                Buffer.from(token, 'hex')
+            ).toString()) as Token
+        } catch(e) {
+            throw new Error('令牌無效!')
+        }
    }

    /**
--- a/server/api/TokenManager.ts
+++ b/server/api/TokenManager.ts
@@ -23,9 +23,13 @@ export default class TokenManager {
    }
    static decode(token: string) {
        if (token == null) throw new Error('令牌為空!')
-        return JSON.parse(crypto.createDecipheriv("aes-256-gcm", normalizeKey(config.aes_key), '01234567890123456').update(
-            Buffer.from(token, 'hex')
-        ).toString()) as Token
+        try {
+            return JSON.parse(crypto.createDecipheriv("aes-256-gcm", normalizeKey(config.aes_key), '01234567890123456').update(
+                Buffer.from(token, 'hex')
+            ).toString()) as Token
+        } catch(e) {
+            return {} as Token
+        }
    }

    static make(user: User, time_: number | null | undefined, device_id: string) {
--- a/server/api/UserApi.ts
+++ b/server/api/UserApi.ts
@@ -26,7 +26,7 @@ export default class UserApi extends BaseApi {
                    msg: "登錄令牌失效",
                    code: 401,
                }
-                if (!User.findById(access_token.author)) return {
+                if (!access_token.author || !User.findById(access_token.author)) return {
                    msg: "賬號不存在",
                    code: 401,
                }