Merge branch 'fix-authenticateUserOrAdmin-bypass'

shaw
2025-12-29 13:45:44 +08:00


@@ -1434,7 +1434,6 @@ const authenticateAdmin = async (req, res, next) => {
// 设置管理员信息(只包含必要信息) // 设置管理员信息(只包含必要信息)
req.admin = { req.admin = {
id: adminSession.adminId || 'admin',
username: adminSession.username, username: adminSession.username,
sessionId: token, sessionId: token,
loginTime: adminSession.loginTime loginTime: adminSession.loginTime
@@ -1567,17 +1566,25 @@ const authenticateUserOrAdmin = async (req, res, next) => {
try { try {
const adminSession = await redis.getSession(adminToken) const adminSession = await redis.getSession(adminToken)
if (adminSession && Object.keys(adminSession).length > 0) { if (adminSession && Object.keys(adminSession).length > 0) {
req.admin = { // 🔒 安全修复:验证会话必须字段(与 authenticateAdmin 保持一致)
id: adminSession.adminId || 'admin', if (!adminSession.username || !adminSession.loginTime) {
username: adminSession.username, logger.security(
sessionId: adminToken, `🔒 Corrupted admin session in authenticateUserOrAdmin from ${req.ip || 'unknown'} - missing required fields (username: ${!!adminSession.username}, loginTime: ${!!adminSession.loginTime})`
loginTime: adminSession.loginTime )
} await redis.deleteSession(adminToken) // 清理无效/伪造的会话
req.userType = 'admin' // 不返回 401继续尝试用户认证
} else {
req.admin = {
username: adminSession.username,
sessionId: adminToken,
loginTime: adminSession.loginTime
}
req.userType = 'admin'
const authDuration = Date.now() - startTime const authDuration = Date.now() - startTime
logger.security(`🔐 Admin authenticated: ${adminSession.username} in ${authDuration}ms`) logger.security(`🔐 Admin authenticated: ${adminSession.username} in ${authDuration}ms`)
return next() return next()
}
} }
} catch (error) { } catch (error) {
logger.debug('Admin authentication failed, trying user authentication:', error.message) logger.debug('Admin authentication failed, trying user authentication:', error.message)