chore: sync VERSION file with release v1.1.249 [skip ci]

chore: trigger release [force release]
docs: 添加安全漏洞警告
2026-01-23 09:38:02 +00:00 · 2025-12-26 11:26:14 +00:00 · 2025-12-26 19:25:53 +08:00 · 2025-12-26 19:22:08 +08:00 · 2025-12-26 19:15:50 +08:00 · 2025-12-25 14:23:35 +08:00
9 changed files with 585 additions and 4 deletions
--- a/README.md
+++ b/README.md
@@ -1,5 +1,10 @@
 # Claude Relay Service
 > [!CAUTION]
 > **安全更新通知**：v1.1.248 及以下版本存在严重的管理员认证绕过漏洞，攻击者可未授权访问管理面板。
 >
 > **请立即更新到 v1.1.249+ 版本**，或迁移到新一代项目 **[CRS 2.0 (sub2api)](https://github.com/Wei-Shaw/sub2api)**
 <div align="center">
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
--- a/README_EN.md
+++ b/README_EN.md
@@ -1,5 +1,10 @@
 # Claude Relay Service
 > [!CAUTION]
 > **Security Update**: v1.1.248 and below contain a critical admin authentication bypass vulnerability allowing unauthorized access to the admin panel.
 >
 > **Please update to v1.1.249+ immediately**, or migrate to the next-generation project **[CRS 2.0 (sub2api)](https://github.com/Wei-Shaw/sub2api)**
 <div align="center">
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
--- a/2
+++ b/2
@@ -1 +1 @@
-1.1.239
+1.1.249
--- a/package-lock.json
+++ b/package-lock.json
@@ -892,6 +892,7 @@
      "integrity": "sha512-2BCOP7TN8M+gVDj7/ht3hsaO/B/n5oDbiAyyvnRlNOs+u1o+JWNYTQrmpuNp1/Wq2gcFrI01JAW+paEKDMx/CA==",
      "dev": true,
      "license": "MIT",
      "peer": true,
      "dependencies": {
        "@babel/code-frame": "^7.27.1",
        "@babel/generator": "^7.28.3",
@@ -3000,6 +3001,7 @@
      "integrity": "sha512-yCAeZl7a0DxgNVteXFHt9+uyFbqXGy/ShC4BlcHkoE0AfGXYv/BUiplV72DjMYXHDBXFjhvr6DD1NiRVfB4j8g==",
      "devOptional": true,
      "license": "MIT",
      "peer": true,
      "dependencies": {
        "undici-types": "~6.21.0"
      }
@@ -3081,6 +3083,7 @@
      "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
      "dev": true,
      "license": "MIT",
      "peer": true,
      "bin": {
        "acorn": "bin/acorn"
      },
@@ -3536,6 +3539,7 @@
        }
      ],
      "license": "MIT",
      "peer": true,
      "dependencies": {
        "caniuse-lite": "^1.0.30001737",
        "electron-to-chromium": "^1.5.211",
@@ -4423,6 +4427,7 @@
      "deprecated": "This version is no longer supported. Please see https://eslint.org/version-support for other options.",
      "dev": true,
      "license": "MIT",
      "peer": true,
      "dependencies": {
        "@eslint-community/eslint-utils": "^4.2.0",
        "@eslint-community/regexpp": "^4.6.1",
@@ -4479,6 +4484,7 @@
      "integrity": "sha512-82GZUjRS0p/jganf6q1rEO25VSoHH0hKPCTrgillPjdI/3bgBhAE1QzHrHTizjpRvy6pGAvKjDJtk2pF9NDq8w==",
      "dev": true,
      "license": "MIT",
      "peer": true,
      "bin": {
        "eslint-config-prettier": "bin/cli.js"
      },
@@ -7586,6 +7592,7 @@
      "integrity": "sha512-I7AIg5boAr5R0FFtJ6rCfD+LFsWHp81dolrFD8S79U9tb8Az2nGrJncnMSnys+bpQJfRUzqs9hnA81OAA3hCuQ==",
      "dev": true,
      "license": "MIT",
      "peer": true,
      "bin": {
        "prettier": "bin/prettier.cjs"
      },
@@ -9104,6 +9111,7 @@
      "resolved": "https://registry.npmmirror.com/winston/-/winston-3.17.0.tgz",
      "integrity": "sha512-DLiFIXYC5fMPxaRg832S6F5mJYvePtmO5G9v9IgUFPhXm9/GkXarH/TUrBAVzhTCzAj9anE/+GjrgXp/54nOgw==",
      "license": "MIT",
      "peer": true,
      "dependencies": {
        "@colors/colors": "^1.6.0",
        "@dabh/diagnostics": "^2.0.2",
--- a/src/app.js
+++ b/src/app.js
@@ -68,6 +68,10 @@ class Application {
      logger.info('🔄 Initializing admin credentials...')
      await this.initializeAdmin()
      // 🔒 安全启动：清理无效/伪造的管理员会话
      logger.info('🔒 Cleaning up invalid admin sessions...')
      await this.cleanupInvalidSessions()
      // 💰 初始化费用数据
      logger.info('💰 Checking cost data initialization...')
      const costInitService = require('./services/costInitService')
@@ -426,6 +430,54 @@ class Application {
    }
  }
  // 🔒 清理无效/伪造的管理员会话（安全启动检查）
  async cleanupInvalidSessions() {
    try {
      const client = redis.getClient()
      // 获取所有 session:* 键
      const sessionKeys = await client.keys('session:*')
      let validCount = 0
      let invalidCount = 0
      for (const key of sessionKeys) {
        // 跳过 admin_credentials（系统凭据）
        if (key === 'session:admin_credentials') {
          continue
        }
        const sessionData = await client.hgetall(key)
        // 检查会话完整性：必须有 username 和 loginTime
        const hasUsername = !!sessionData.username
        const hasLoginTime = !!sessionData.loginTime
        if (!hasUsername || !hasLoginTime) {
          // 无效会话 - 可能是漏洞利用创建的伪造会话
          invalidCount++
          logger.security(
            `🔒 Removing invalid session: ${key} (username: ${hasUsername}, loginTime: ${hasLoginTime})`
          )
          await client.del(key)
        } else {
          validCount++
        }
      }
      if (invalidCount > 0) {
        logger.security(`🔒 Startup security check: Removed ${invalidCount} invalid sessions`)
      }
      logger.success(
        `✅ Session cleanup completed: ${validCount} valid, ${invalidCount} invalid removed`
      )
    } catch (error) {
      // 清理失败不应阻止服务启动
      logger.error('❌ Failed to cleanup invalid sessions:', error.message)
    }
  }
  // 🔍 Redis健康检查
  async checkRedisHealth() {
    try {
--- a/src/middleware/auth.js
+++ b/src/middleware/auth.js
@@ -1389,6 +1389,18 @@ const authenticateAdmin = async (req, res, next) => {
      })
    }
    // 🔒 安全修复：验证会话必须字段（防止伪造会话绕过认证）
    if (!adminSession.username || !adminSession.loginTime) {
      logger.security(
        `🔒 Corrupted admin session from ${req.ip || 'unknown'} - missing required fields (username: ${!!adminSession.username}, loginTime: ${!!adminSession.loginTime})`
      )
      await redis.deleteSession(token) // 清理无效/伪造的会话
      return res.status(401).json({
        error: 'Invalid session',
        message: 'Session data corrupted or incomplete'
      })
    }
    // 检查会话活跃性（可选：检查最后活动时间）
    const now = new Date()
    const lastActivity = new Date(adminSession.lastActivity || adminSession.loginTime)
--- a/src/routes/admin/index.js
+++ b/src/routes/admin/index.js
@@ -24,6 +24,7 @@ const usageStatsRoutes = require('./usageStats')
 const systemRoutes = require('./system')
 const concurrencyRoutes = require('./concurrency')
 const claudeRelayConfigRoutes = require('./claudeRelayConfig')
 const syncRoutes = require('./sync')
 // 挂载所有子路由
 // 使用完整路径的模块（直接挂载到根路径）
@@ -39,6 +40,7 @@ router.use('/', usageStatsRoutes)
 router.use('/', systemRoutes)
 router.use('/', concurrencyRoutes)
 router.use('/', claudeRelayConfigRoutes)
 router.use('/', syncRoutes)
 // 使用相对路径的模块（需要指定基础路径前缀）
 router.use('/account-groups', accountGroupsRoutes)
--- a/src/routes/admin/sync.js
+++ b/src/routes/admin/sync.js
@@ -0,0 +1,460 @@
 /**
 * Admin Routes - Sync / Export (for migration)
 * Exports account data (including secrets) for safe server-to-server syncing.
 */
 const express = require('express')
 const router = express.Router()
 const { authenticateAdmin } = require('../../middleware/auth')
 const redis = require('../../models/redis')
 const claudeAccountService = require('../../services/claudeAccountService')
 const claudeConsoleAccountService = require('../../services/claudeConsoleAccountService')
 const openaiAccountService = require('../../services/openaiAccountService')
 const openaiResponsesAccountService = require('../../services/openaiResponsesAccountService')
 const logger = require('../../utils/logger')
 function toBool(value, defaultValue = false) {
  if (value === undefined || value === null || value === '') {
    return defaultValue
  }
  if (value === true || value === 'true') {
    return true
  }
  if (value === false || value === 'false') {
    return false
  }
  return defaultValue
 }
 function normalizeProxy(proxy) {
  if (!proxy || typeof proxy !== 'object') {
    return null
  }
  const protocol = proxy.protocol || proxy.type || proxy.scheme || ''
  const host = proxy.host || ''
  const port = Number(proxy.port || 0)
  if (!protocol || !host || !Number.isFinite(port) || port <= 0) {
    return null
  }
  return {
    protocol: String(protocol),
    host: String(host),
    port,
    username: proxy.username ? String(proxy.username) : '',
    password: proxy.password ? String(proxy.password) : ''
  }
 }
 function buildModelMappingFromSupportedModels(supportedModels) {
  if (!supportedModels) {
    return null
  }
  if (Array.isArray(supportedModels)) {
    const mapping = {}
    for (const model of supportedModels) {
      if (typeof model === 'string' && model.trim()) {
        mapping[model.trim()] = model.trim()
      }
    }
    return Object.keys(mapping).length ? mapping : null
  }
  if (typeof supportedModels === 'object') {
    const mapping = {}
    for (const [from, to] of Object.entries(supportedModels)) {
      if (typeof from === 'string' && typeof to === 'string' && from.trim() && to.trim()) {
        mapping[from.trim()] = to.trim()
      }
    }
    return Object.keys(mapping).length ? mapping : null
  }
  return null
 }
 function safeParseJson(raw, fallback = null) {
  if (!raw || typeof raw !== 'string') {
    return fallback
  }
  try {
    return JSON.parse(raw)
  } catch (_) {
    return fallback
  }
 }
 // Export accounts for migration (includes secrets).
 // GET /admin/sync/export-accounts?include_secrets=true
 router.get('/sync/export-accounts', authenticateAdmin, async (req, res) => {
  try {
    const includeSecrets = toBool(req.query.include_secrets, false)
    if (!includeSecrets) {
      return res.status(400).json({
        success: false,
        error: 'include_secrets_required',
        message: 'Set include_secrets=true to export secrets'
      })
    }
    // ===== Claude official OAuth / Setup Token accounts =====
    const rawClaudeAccounts = await redis.getAllClaudeAccounts()
    const claudeAccounts = rawClaudeAccounts.map((account) => {
      // Backward compatible extraction: prefer individual fields, fallback to claudeAiOauth JSON blob.
      let decryptedClaudeAiOauth = null
      if (account.claudeAiOauth) {
        try {
          const raw = claudeAccountService._decryptSensitiveData(account.claudeAiOauth)
          decryptedClaudeAiOauth = raw ? JSON.parse(raw) : null
        } catch (_) {
          decryptedClaudeAiOauth = null
        }
      }
      const rawScopes =
        account.scopes && account.scopes.trim()
          ? account.scopes
          : decryptedClaudeAiOauth?.scopes
            ? decryptedClaudeAiOauth.scopes.join(' ')
            : ''
      const scopes = rawScopes && rawScopes.trim() ? rawScopes.trim().split(' ') : []
      const isOAuth = scopes.includes('user:profile') && scopes.includes('user:inference')
      const authType = isOAuth ? 'oauth' : 'setup-token'
      const accessToken =
        account.accessToken && String(account.accessToken).trim()
          ? claudeAccountService._decryptSensitiveData(account.accessToken)
          : decryptedClaudeAiOauth?.accessToken || ''
      const refreshToken =
        account.refreshToken && String(account.refreshToken).trim()
          ? claudeAccountService._decryptSensitiveData(account.refreshToken)
          : decryptedClaudeAiOauth?.refreshToken || ''
      let expiresAt = null
      const expiresAtMs = Number.parseInt(account.expiresAt, 10)
      if (Number.isFinite(expiresAtMs) && expiresAtMs > 0) {
        expiresAt = new Date(expiresAtMs).toISOString()
      } else if (decryptedClaudeAiOauth?.expiresAt) {
        try {
          expiresAt = new Date(Number(decryptedClaudeAiOauth.expiresAt)).toISOString()
        } catch (_) {
          expiresAt = null
        }
      }
      const proxy = account.proxy ? normalizeProxy(safeParseJson(account.proxy)) : null
      // 🔧 Parse subscriptionInfo to extract org_uuid and account_uuid
      let orgUuid = null
      let accountUuid = null
      if (account.subscriptionInfo) {
        try {
          const subscriptionInfo = JSON.parse(account.subscriptionInfo)
          orgUuid = subscriptionInfo.organizationUuid || null
          accountUuid = subscriptionInfo.accountUuid || null
        } catch (_) {
          // Ignore parse errors
        }
      }
      // 🔧 Calculate expires_in from expires_at
      let expiresIn = null
      if (expiresAt) {
        try {
          const expiresAtTime = new Date(expiresAt).getTime()
          const nowTime = Date.now()
          const diffSeconds = Math.floor((expiresAtTime - nowTime) / 1000)
          if (diffSeconds > 0) {
            expiresIn = diffSeconds
          }
        } catch (_) {
          // Ignore calculation errors
        }
      }
      // 🔧 Use default expires_in if calculation failed (Anthropic OAuth: 8 hours)
      if (!expiresIn && isOAuth) {
        expiresIn = 28800 // 8 hours
      }
      const credentials = {
        access_token: accessToken,
        refresh_token: refreshToken || undefined,
        expires_at: expiresAt || undefined,
        expires_in: expiresIn || undefined,
        scope: scopes.join(' ') || undefined,
        token_type: 'Bearer'
      }
      // 🔧 Add auth info as top-level credentials fields
      if (orgUuid) {
        credentials.org_uuid = orgUuid
      }
      if (accountUuid) {
        credentials.account_uuid = accountUuid
      }
      // 🔧 Store complete original CRS data in extra
      const extra = {
        crs_account_id: account.id,
        crs_kind: 'claude-account',
        crs_id: account.id,
        crs_name: account.name,
        crs_description: account.description || '',
        crs_platform: account.platform || 'claude',
        crs_auth_type: authType,
        crs_is_active: account.isActive === 'true',
        crs_schedulable: account.schedulable !== 'false',
        crs_priority: Number.parseInt(account.priority, 10) || 50,
        crs_status: account.status || 'active',
        crs_scopes: scopes,
        crs_subscription_info: account.subscriptionInfo || undefined
      }
      return {
        kind: 'claude-account',
        id: account.id,
        name: account.name,
        description: account.description || '',
        platform: account.platform || 'claude',
        authType,
        isActive: account.isActive === 'true',
        schedulable: account.schedulable !== 'false',
        priority: Number.parseInt(account.priority, 10) || 50,
        status: account.status || 'active',
        proxy,
        credentials,
        extra
      }
    })
    // ===== Claude Console API Key accounts =====
    const claudeConsoleSummaries = await claudeConsoleAccountService.getAllAccounts()
    const claudeConsoleAccounts = []
    for (const summary of claudeConsoleSummaries) {
      const full = await claudeConsoleAccountService.getAccount(summary.id)
      if (!full) {
        continue
      }
      const proxy = normalizeProxy(full.proxy)
      const modelMapping = buildModelMappingFromSupportedModels(full.supportedModels)
      const credentials = {
        api_key: full.apiKey,
        base_url: full.apiUrl
      }
      if (modelMapping) {
        credentials.model_mapping = modelMapping
      }
      if (full.userAgent) {
        credentials.user_agent = full.userAgent
      }
      claudeConsoleAccounts.push({
        kind: 'claude-console-account',
        id: full.id,
        name: full.name,
        description: full.description || '',
        platform: full.platform || 'claude-console',
        isActive: full.isActive === true,
        schedulable: full.schedulable !== false,
        priority: Number.parseInt(full.priority, 10) || 50,
        status: full.status || 'active',
        proxy,
        maxConcurrentTasks: Number.parseInt(full.maxConcurrentTasks, 10) || 0,
        credentials,
        extra: {
          crs_account_id: full.id,
          crs_kind: 'claude-console-account',
          crs_id: full.id,
          crs_name: full.name,
          crs_description: full.description || '',
          crs_platform: full.platform || 'claude-console',
          crs_is_active: full.isActive === true,
          crs_schedulable: full.schedulable !== false,
          crs_priority: Number.parseInt(full.priority, 10) || 50,
          crs_status: full.status || 'active'
        }
      })
    }
    // ===== OpenAI OAuth accounts =====
    const openaiOAuthAccounts = []
    {
      const client = redis.getClientSafe()
      const openaiKeys = await client.keys('openai:account:*')
      for (const key of openaiKeys) {
        const id = key.split(':').slice(2).join(':')
        const account = await openaiAccountService.getAccount(id)
        if (!account) {
          continue
        }
        const accessToken = account.accessToken
          ? openaiAccountService.decrypt(account.accessToken)
          : ''
        if (!accessToken) {
          // Skip broken/legacy records without decryptable token
          continue
        }
        const scopes =
          account.scopes && typeof account.scopes === 'string' && account.scopes.trim()
            ? account.scopes.trim().split(' ')
            : []
        const proxy = normalizeProxy(account.proxy)
        // 🔧 Calculate expires_in from expires_at
        let expiresIn = null
        if (account.expiresAt) {
          try {
            const expiresAtTime = new Date(account.expiresAt).getTime()
            const nowTime = Date.now()
            const diffSeconds = Math.floor((expiresAtTime - nowTime) / 1000)
            if (diffSeconds > 0) {
              expiresIn = diffSeconds
            }
          } catch (_) {
            // Ignore calculation errors
          }
        }
        // 🔧 Use default expires_in if calculation failed (OpenAI OAuth: 10 days)
        if (!expiresIn) {
          expiresIn = 864000 // 10 days
        }
        const credentials = {
          access_token: accessToken,
          refresh_token: account.refreshToken || undefined,
          id_token: account.idToken || undefined,
          expires_at: account.expiresAt || undefined,
          expires_in: expiresIn || undefined,
          scope: scopes.join(' ') || undefined,
          token_type: 'Bearer'
        }
        // 🔧 Add auth info as top-level credentials fields
        if (account.accountId) {
          credentials.chatgpt_account_id = account.accountId
        }
        if (account.chatgptUserId) {
          credentials.chatgpt_user_id = account.chatgptUserId
        }
        if (account.organizationId) {
          credentials.organization_id = account.organizationId
        }
        // 🔧 Store complete original CRS data in extra
        const extra = {
          crs_account_id: account.id,
          crs_kind: 'openai-oauth-account',
          crs_id: account.id,
          crs_name: account.name,
          crs_description: account.description || '',
          crs_platform: account.platform || 'openai',
          crs_is_active: account.isActive === 'true',
          crs_schedulable: account.schedulable !== 'false',
          crs_priority: Number.parseInt(account.priority, 10) || 50,
          crs_status: account.status || 'active',
          crs_scopes: scopes,
          crs_email: account.email || undefined,
          crs_chatgpt_account_id: account.accountId || undefined,
          crs_chatgpt_user_id: account.chatgptUserId || undefined,
          crs_organization_id: account.organizationId || undefined
        }
        openaiOAuthAccounts.push({
          kind: 'openai-oauth-account',
          id: account.id,
          name: account.name,
          description: account.description || '',
          platform: account.platform || 'openai',
          authType: 'oauth',
          isActive: account.isActive === 'true',
          schedulable: account.schedulable !== 'false',
          priority: Number.parseInt(account.priority, 10) || 50,
          status: account.status || 'active',
          proxy,
          credentials,
          extra
        })
      }
    }
    // ===== OpenAI Responses API Key accounts =====
    const openaiResponsesAccounts = []
    const client = redis.getClientSafe()
    const openaiResponseKeys = await client.keys('openai_responses_account:*')
    for (const key of openaiResponseKeys) {
      const id = key.split(':').slice(1).join(':')
      const full = await openaiResponsesAccountService.getAccount(id)
      if (!full) {
        continue
      }
      const proxy = normalizeProxy(full.proxy)
      const credentials = {
        api_key: full.apiKey,
        base_url: full.baseApi
      }
      if (full.userAgent) {
        credentials.user_agent = full.userAgent
      }
      openaiResponsesAccounts.push({
        kind: 'openai-responses-account',
        id: full.id,
        name: full.name,
        description: full.description || '',
        platform: full.platform || 'openai-responses',
        isActive: full.isActive === 'true',
        schedulable: full.schedulable !== 'false',
        priority: Number.parseInt(full.priority, 10) || 50,
        status: full.status || 'active',
        proxy,
        credentials,
        extra: {
          crs_account_id: full.id,
          crs_kind: 'openai-responses-account',
          crs_id: full.id,
          crs_name: full.name,
          crs_description: full.description || '',
          crs_platform: full.platform || 'openai-responses',
          crs_is_active: full.isActive === 'true',
          crs_schedulable: full.schedulable !== 'false',
          crs_priority: Number.parseInt(full.priority, 10) || 50,
          crs_status: full.status || 'active'
        }
      })
    }
    return res.json({
      success: true,
      data: {
        exportedAt: new Date().toISOString(),
        claudeAccounts,
        claudeConsoleAccounts,
        openaiOAuthAccounts,
        openaiResponsesAccounts
      }
    })
  } catch (error) {
    logger.error('❌ Failed to export accounts for sync:', error)
    return res.status(500).json({
      success: false,
      error: 'export_failed',
      message: error.message
    })
  }
 })
 module.exports = router
--- a/src/routes/web.js
+++ b/src/routes/web.js
@@ -164,13 +164,27 @@ router.post('/auth/change-password', async (req, res) => {
    // 获取当前会话
    const sessionData = await redis.getSession(token)
-    if (!sessionData) {
+
    // 🔒 安全修复：检查空对象
    if (!sessionData || Object.keys(sessionData).length === 0) {
      return res.status(401).json({
        error: 'Invalid token',
        message: 'Session expired or invalid'
      })
    }
    // 🔒 安全修复：验证会话完整性
    if (!sessionData.username || !sessionData.loginTime) {
      logger.security(
        `🔒 Invalid session structure in /auth/change-password from ${req.ip || 'unknown'}`
      )
      await redis.deleteSession(token)
      return res.status(401).json({
        error: 'Invalid session',
        message: 'Session data corrupted or incomplete'
      })
    }
    // 获取当前管理员信息
    const adminData = await redis.getSession('admin_credentials')
    if (!adminData) {
@@ -269,13 +283,25 @@ router.get('/auth/user', async (req, res) => {
    // 获取当前会话
    const sessionData = await redis.getSession(token)
-    if (!sessionData) {
+
    // 🔒 安全修复：检查空对象
    if (!sessionData || Object.keys(sessionData).length === 0) {
      return res.status(401).json({
        error: 'Invalid token',
        message: 'Session expired or invalid'
      })
    }
    // 🔒 安全修复：验证会话完整性
    if (!sessionData.username || !sessionData.loginTime) {
      logger.security(`🔒 Invalid session structure in /auth/user from ${req.ip || 'unknown'}`)
      await redis.deleteSession(token)
      return res.status(401).json({
        error: 'Invalid session',
        message: 'Session data corrupted or incomplete'
      })
    }
    // 获取管理员信息
    const adminData = await redis.getSession('admin_credentials')
    if (!adminData) {
@@ -316,13 +342,24 @@ router.post('/auth/refresh', async (req, res) => {
    const sessionData = await redis.getSession(token)
-    if (!sessionData) {
+    // 🔒 安全修复：检查空对象（hgetall 对不存在的 key 返回 {}）
    if (!sessionData || Object.keys(sessionData).length === 0) {
      return res.status(401).json({
        error: 'Invalid token',
        message: 'Session expired or invalid'
      })
    }
    // 🔒 安全修复：验证会话完整性（必须有 username 和 loginTime）
    if (!sessionData.username || !sessionData.loginTime) {
      logger.security(`🔒 Invalid session structure detected from ${req.ip || 'unknown'}`)
      await redis.deleteSession(token) // 清理无效/伪造的会话
      return res.status(401).json({
        error: 'Invalid session',
        message: 'Session data corrupted or incomplete'
      })
    }
    // 更新最后活动时间
    sessionData.lastActivity = new Date().toISOString()
    await redis.setSession(token, sessionData, config.security.adminSessionTimeout)
Author	SHA1	Message	Date
github-actions[bot]	fc57133230	chore: sync VERSION file with release v1.1.249 [skip ci]	2025-12-26 11:26:14 +00:00
shaw	1f06af4a56	chore: trigger release [force release]	2025-12-26 19:25:53 +08:00
shaw	6165fad090	docs: 添加安全漏洞警告	2025-12-26 19:22:08 +08:00
shaw	d53a399d41	revert: 回退到安全漏洞修复版本	2025-12-26 19:15:50 +08:00
shaw	982cca1020	fix: 修复鉴权检测的重大安全漏洞	2025-12-25 14:23:35 +08:00
github-actions[bot]	792ba51290	chore: sync VERSION file with release v1.1.240 [skip ci]	2025-12-25 02:46:09 +00:00
Wesley Liddick	74d138a2fb	Merge pull request #842 from IanShaw027/feat/account-export-api feat(admin): 添加账户导出同步 API	2025-12-24 21:45:55 -05:00
IanShaw027	b88698191e	style(admin): fix ESLint curly rule violations in sync.js 为单行 if 语句添加花括号以符合 ESLint curly 规则要求	2025-12-24 17:57:30 -08:00
IanShaw027	11c38b23d1	style(admin): format sync.js with prettier 修复 CI 格式化检查失败问题	2025-12-24 17:52:51 -08:00
IanShaw027	b2dfc2eb25	feat(admin): 添加账户导出同步 API - 新增 /api/accounts 端点，支持导出所有账户数据 - 新增 /api/proxies 端点，支持导出所有代理配置 - 支持 Sub2API 从 CRS 批量同步账户 - 包含完整的 credentials 和 extra 字段 - 提供账户类型标识 (oauth/setup_token/api_key) 相关 PR: Sub2API 端实现账户同步功能	2025-12-24 17:35:11 -08:00