diff --git a/src/middleware/auth.js b/src/middleware/auth.js index 44e3cb37..f051a266 100644 --- a/src/middleware/auth.js +++ b/src/middleware/auth.js @@ -1434,7 +1434,6 @@ const authenticateAdmin = async (req, res, next) => { // 设置管理员信息(只包含必要信息) req.admin = { - id: adminSession.adminId || 'admin', username: adminSession.username, sessionId: token, loginTime: adminSession.loginTime @@ -1567,17 +1566,25 @@ const authenticateUserOrAdmin = async (req, res, next) => { try { const adminSession = await redis.getSession(adminToken) if (adminSession && Object.keys(adminSession).length > 0) { - req.admin = { - id: adminSession.adminId || 'admin', - username: adminSession.username, - sessionId: adminToken, - loginTime: adminSession.loginTime - } - req.userType = 'admin' + // 🔒 安全修复:验证会话必须字段(与 authenticateAdmin 保持一致) + if (!adminSession.username || !adminSession.loginTime) { + logger.security( + `🔒 Corrupted admin session in authenticateUserOrAdmin from ${req.ip || 'unknown'} - missing required fields (username: ${!!adminSession.username}, loginTime: ${!!adminSession.loginTime})` + ) + await redis.deleteSession(adminToken) // 清理无效/伪造的会话 + // 不返回 401,继续尝试用户认证 + } else { + req.admin = { + username: adminSession.username, + sessionId: adminToken, + loginTime: adminSession.loginTime + } + req.userType = 'admin' - const authDuration = Date.now() - startTime - logger.security(`🔐 Admin authenticated: ${adminSession.username} in ${authDuration}ms`) - return next() + const authDuration = Date.now() - startTime + logger.security(`🔐 Admin authenticated: ${adminSession.username} in ${authDuration}ms`) + return next() + } } } catch (error) { logger.debug('Admin authentication failed, trying user authentication:', error.message)