fix: 令牌驗證額外添加是否為有效令牌

* 如果解密無效, 直接返回一個無效的令牌, 並加以判斷
CrescentLeaf
2025-09-25 12:12:12 +08:00
parent 9cc3a2149e
commit 4fa3e16ab7
4 changed files with 16 additions and 8 deletions


@@ -25,7 +25,7 @@ export default abstract class BaseApi {
} }
checkToken(token: Token, deviceId: string) { checkToken(token: Token, deviceId: string) {
if (token.expired_time < Date.now()) return false if (token.expired_time < Date.now()) return false
if (!User.findById(token.author)) return false if (!token.author || !User.findById(token.author)) return false
if (deviceId != null) if (deviceId != null)
if (token.device_id != deviceId) if (token.device_id != deviceId)
return false return false
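Review bot: `!User.findById(token.author)` on the changed line only acts as a guard if findById returns synchronously; if it returns a Promise or query object, as most ORM finders do, the value is always truthy, the negation is always false and an unknown author passes — please confirm, and `await` it (making checkToken async) if so. The same call shape is used in the UserApi hunk at the end of this commit. The empty sentinel that TokenManager.decode now returns on a failed decrypt also passes the expiry check on the line above only because `undefined < Date.now()` evaluates to false, so the intent is clearer with an explicit validity guard as the first line: `if (!token?.author) return false`. checkToken continues past the end of the hunk.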


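--- a/<path not shown: FileTokenManager>
+++ b/<path not shown: FileTokenManager>
@@ -22,9 +22,13 @@ export default class FileTokenManager {
 }
 static decode(token: string) {
 if (token == null) throw new Error('令牌為空!')
+try {
 return JSON.parse(crypto.createDecipheriv("aes-256-gcm", normalizeKey(config.aes_key + '_file'), '01234567890123456').update(
 Buffer.from(token, 'hex')
 ).toString()) as Token
+} catch(e) {
+throw new Error('令牌無效!')
+}
 }
 /**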
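Review bot: The new try/catch assumes the decipher throws on a bad token, but the call it wraps only runs `update()` and never `setAuthTag()`/`final()`, so the GCM authentication tag is never verified and a modified or malformed ciphertext decrypts to garbage without throwing; the catch is reached only when that garbage happens not to be valid JSON (`Buffer.from(token, 'hex')` does not throw on non-hex input either). TokenManager.decode in the next hunk has the same call shape and the same gap. The token needs to carry the tag (and, since the IV `'01234567890123456'` is a constant shared by every token, ideally a per-token IV), and decode should set the tag and call `final()` inside the try so that any tampering lands in the catch; the matching encode path outside this hunk has to emit the same layout. The layout below is a constructed example and must match whatever the encoder actually produces.
```typescript
static decode(token: string) {
  // … unchanged: null check …
  try {
    // Assumed layout (must match the encoder): 12-byte IV || 16-byte tag || ciphertext, hex-encoded.
    const raw = Buffer.from(token, 'hex')
    const iv = raw.subarray(0, 12)
    const tag = raw.subarray(12, 28)
    const decipher = crypto.createDecipheriv("aes-256-gcm", normalizeKey(config.aes_key + '_file'), iv)
    decipher.setAuthTag(tag)
    // final() is what performs the tag check; without it a forged or edited token is accepted silently
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString()
    return JSON.parse(plain) as Token
  } catch(e) {
    // … unchanged: rethrow as '令牌無效!' …
  }
}
```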


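--- a/<path not shown: TokenManager>
+++ b/<path not shown: TokenManager>
@@ -23,9 +23,13 @@ export default class TokenManager {
 }
 static decode(token: string) {
 if (token == null) throw new Error('令牌為空!')
+try {
 return JSON.parse(crypto.createDecipheriv("aes-256-gcm", normalizeKey(config.aes_key), '01234567890123456').update(
 Buffer.from(token, 'hex')
 ).toString()) as Token
+} catch(e) {
+return {} as Token
+}
 }
 static make(user: User, time_: number | null | undefined, device_id: string) {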
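Review bot: `return {} as Token` in the new catch turns a failed decrypt into a value that type-checks as a fully valid Token, so every caller has to remember the `!author` test this commit adds in BaseApi.checkToken and UserApi, and nothing in the type system reminds the next caller; `catch(e)` also discards the underlying reason entirely. It is inconsistent with FileTokenManager.decode in the previous hunk, which throws '令牌無效!' for the same condition. Prefer making the failure visible in the signature, `static decode(token: string): Token | null {` with `} catch(e) { return null }`, so callers are forced to handle it, or throw like the file variant and translate to the 401 at the API layer; the `as Token` assertion on the parsed JSON is also an unchecked cast, so a validity guard on the decoded fields (at least `author` and `expired_time`) belongs here rather than in each caller.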


@@ -26,7 +26,7 @@ export default class UserApi extends BaseApi {
msg: "登錄令牌失效", msg: "登錄令牌失效",
code: 401, code: 401,
} }
if (!User.findById(access_token.author)) return { if (!access_token.author || !User.findById(access_token.author)) return {
msg: "賬號不存在", msg: "賬號不存在",
code: 401, code: 401,
} }
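Review bot: With the empty sentinel that TokenManager.decode now returns, an undecryptable access token reaches the changed line and is reported as `"賬號不存在"` (account does not exist), which misleads the client and the logs about what actually went wrong, while the check just above already carries the right message for a bad token. A dedicated guard before this one, `if (!access_token.author) return { msg: "登錄令牌失效", code: 401 }`, keeps "account missing" for the case it names. Whether `!User.findById(...)` can ever be true depends on findById being synchronous; if it returns a Promise the guard never fires, so please confirm and `await` it if needed. The enclosing handler starts and ends outside the hunk.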