simon/wecom_it_smart_desk
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

P0安全修复: WS token改subprotocol + nginx日志关闭 + 类型修复 + 降级验证 + 依赖

Browse Source
This commit is contained in:
Simon
2026-06-14 21:21:48 +08:00
parent edbb86835e
commit ddebbe61a5
12 changed files with 628 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/api/agents.py
+10 -4
View File
@@ -21,7 +21,7 @@ from uuid import UUID
import pyotp
import qrcode
import redis.asyncio as aioredis
from passlib.hash import bcrypt
import bcrypt # P1 修复: 直接使用 bcrypt 库替代 passlib
from fastapi import APIRouter, Depends, Header, Query, Request
from pydantic import BaseModel, Field
from slowapi import Limiter
@@ -217,13 +217,19 @@ async def agent_login(
logger.warning(
f"企微API不可达,已注册坐席降级放行: user_id={body.user_id}"
)
# P1 修复: 降级放行时,如果 agent 有 password_hash 则必须验证本地密码
if existing_agent and existing_agent.password_hash:
if not body.password:
raise AppException(1011, "请输入本地密码")
if not bcrypt.checkpw(body.password.encode('utf-8'), existing_agent.password_hash.encode('utf-8')):
raise AppException(1011, "本地密码错误")
# P0-#5: 本地密码认证(企微验证失败时的备用认证)
# 检查是否需要本地密码验证
local_password_verified = False
if body.password and agent and agent.password_hash:
# 验证本地密码
if bcrypt.verify(body.password, agent.password_hash):
if bcrypt.checkpw(body.password.encode('utf-8'), agent.password_hash.encode('utf-8')):
local_password_verified = True
logger.info(f"本地密码验证通过: user_id={body.user_id}")
else:
@@ -566,11 +572,11 @@ async def update_agent_password(
if agent.password_hash:
if not body.old_password:
raise AppException(1012, "请输入旧密码")
if not bcrypt.verify(body.old_password, agent.password_hash):
if not bcrypt.checkpw(body.old_password.encode('utf-8'), agent.password_hash.encode('utf-8')):
raise AppException(1013, "旧密码错误")
# 设置新密码
agent.password_hash = bcrypt.hash(body.new_password)
agent.password_hash = bcrypt.hashpw(body.new_password.encode('utf-8'), bcrypt.gensalt()).decode('utf-8')
agent.updated_at = datetime.now()
db.add(agent)
await db.flush()