Merge branch 'fix-authenticateUserOrAdmin-bypass'

2026-01-22 16:43:35 +00:00 · 2025-12-29 13:45:44 +08:00
parent 3c64038fa7 45b81bd478
commit a0cbafd759
1 changed files with 18 additions and 11 deletions
--- a/src/middleware/auth.js
+++ b/src/middleware/auth.js
@@ -1434,7 +1434,6 @@ const authenticateAdmin = async (req, res, next) => {

    // 设置管理员信息（只包含必要信息）
    req.admin = {
-      id: adminSession.adminId || 'admin',
      username: adminSession.username,
      sessionId: token,
      loginTime: adminSession.loginTime
@@ -1567,8 +1566,15 @@ const authenticateUserOrAdmin = async (req, res, next) => {
      try {
        const adminSession = await redis.getSession(adminToken)
        if (adminSession && Object.keys(adminSession).length > 0) {
+          // 🔒 安全修复：验证会话必须字段（与 authenticateAdmin 保持一致）
+          if (!adminSession.username || !adminSession.loginTime) {
+            logger.security(
+              `🔒 Corrupted admin session in authenticateUserOrAdmin from ${req.ip || 'unknown'} - missing required fields (username: ${!!adminSession.username}, loginTime: ${!!adminSession.loginTime})`
+            )
+            await redis.deleteSession(adminToken) // 清理无效/伪造的会话
+            // 不返回 401，继续尝试用户认证
+          } else {
            req.admin = {
-            id: adminSession.adminId || 'admin',
              username: adminSession.username,
              sessionId: adminToken,
              loginTime: adminSession.loginTime
@@ -1579,6 +1585,7 @@ const authenticateUserOrAdmin = async (req, res, next) => {
            logger.security(`🔐 Admin authenticated: ${adminSession.username} in ${authDuration}ms`)
            return next()
          }
+        }
      } catch (error) {
        logger.debug('Admin authentication failed, trying user authentication:', error.message)
      }