179 lines
6.4 KiB
Python
179 lines
6.4 KiB
Python
# app/utils/decorators.py
|
||
from functools import wraps
|
||
from flask_jwt_extended import get_jwt, verify_jwt_in_request, get_jwt_identity
|
||
from flask import jsonify, g, request, current_app, has_request_context
|
||
import logging
|
||
import json
|
||
|
||
def _verify_user_active():
|
||
"""
|
||
JWT「幽灵令牌」安全漏洞修复:
|
||
在 Token 签名验证通过之后,进一步检查用户在数据库中是否仍然存在且未被禁用。
|
||
|
||
调用时机:login_required / permission_required 装饰器中,
|
||
在 verify_jwt_in_request() 成功之后立即调用。
|
||
|
||
返回 True → 用户正常,放行
|
||
返回 False → 用户已从数据库删除或被禁用,阻断请求
|
||
"""
|
||
try:
|
||
claims = get_jwt()
|
||
user_id = claims.get('sub')
|
||
if user_id is None:
|
||
return True
|
||
|
||
from app.models.system import SysUser
|
||
user = SysUser.query.get(user_id)
|
||
if user is None:
|
||
current_app.logger.warning(
|
||
f"🚫 [Ghost Token Blocked] user_id={user_id} not found in database (deleted account)"
|
||
)
|
||
return False
|
||
|
||
if user.status != 'active':
|
||
current_app.logger.warning(
|
||
f"🚫 [Token Blocked] user_id={user_id} status={user.status} (disabled account)"
|
||
)
|
||
return False
|
||
|
||
return True
|
||
except Exception as e:
|
||
current_app.logger.error(f"User active check error: {e}")
|
||
return True # 出错时 fail-open,避免数据库故障导致全站不可用
|
||
|
||
|
||
def _verify_token_in_redis():
|
||
"""
|
||
验证当前 Token 是否与 Redis 中存储的 Token 一致(单设备登录互踢)
|
||
"""
|
||
from app.extensions import redis_client
|
||
from flask import current_app
|
||
|
||
if redis_client is None:
|
||
return True
|
||
|
||
try:
|
||
auth_header = request.headers.get('Authorization', '')
|
||
if not auth_header.startswith('Bearer '):
|
||
return True
|
||
|
||
request_token = auth_header[7:]
|
||
claims = get_jwt()
|
||
user_id = claims.get('sub')
|
||
if user_id is None:
|
||
return True
|
||
|
||
stored_token = redis_client.get(f"user_token_{user_id}")
|
||
if stored_token is None:
|
||
return True
|
||
|
||
if request_token != stored_token:
|
||
current_app.logger.warning(f"Token mismatch for user {user_id}: request token != stored token")
|
||
return False
|
||
|
||
return True
|
||
except Exception as e:
|
||
current_app.logger.error(f"Redis token verification error: {e}")
|
||
return True
|
||
|
||
def _raise_token_mismatch_error():
|
||
"""抛出 Token 不一致的错误"""
|
||
return jsonify({
|
||
'msg': '您的账号已在其他设备登录,请重新登录',
|
||
'code': 401,
|
||
'reason': 'token_mismatch'
|
||
}), 401
|
||
|
||
def role_required(*roles):
|
||
"""自定义装饰器:检查用户角色"""
|
||
def wrapper(fn):
|
||
@wraps(fn)
|
||
def decorator(*args, **kwargs):
|
||
claims = get_jwt()
|
||
user_role = claims.get('role')
|
||
user_role_upper = user_role.upper() if user_role else None
|
||
|
||
if user_role_upper == 'SUPER_ADMIN':
|
||
return fn(*args, **kwargs)
|
||
|
||
if user_role_upper not in [r.upper() for r in roles]:
|
||
return jsonify(msg='权限不足:您没有访问此资源的权限'), 403
|
||
|
||
return fn(*args, **kwargs)
|
||
return decorator
|
||
return wrapper
|
||
|
||
def login_required(fn):
|
||
"""
|
||
验证 JWT 令牌是否存在且有效,并检查用户是否仍在数据库中且未被禁用。
|
||
双重防护:1) Token 签名验证 2) 数据库用户存在性 3) Redis 单设备互踢
|
||
"""
|
||
@wraps(fn)
|
||
def decorator(*args, **kwargs):
|
||
try:
|
||
verify_jwt_in_request()
|
||
except Exception as e:
|
||
logging.warning(f"JWT verification failed: {e}")
|
||
return jsonify(msg='登录已过期,请重新登录'), 401
|
||
|
||
# ★ 幽灵令牌漏洞修复:检查用户是否已从数据库删除或被禁用
|
||
if not _verify_user_active():
|
||
return jsonify(msg='账号已失效(已删除或已禁用),请重新登录'), 401
|
||
|
||
if not _verify_token_in_redis():
|
||
return _raise_token_mismatch_error()
|
||
|
||
return fn(*args, **kwargs)
|
||
return decorator
|
||
|
||
def permission_required(permission_code):
|
||
"""检查当前用户是否拥有指定权限码,同时检查用户是否仍然有效"""
|
||
def wrapper(fn):
|
||
@wraps(fn)
|
||
def decorator(*args, **kwargs):
|
||
try:
|
||
verify_jwt_in_request()
|
||
except Exception as e:
|
||
logging.warning(f"JWT verification failed: {e}")
|
||
return jsonify(msg='登录已过期,请重新登录'), 401
|
||
|
||
# ★ 幽灵令牌漏洞修复:检查用户是否已从数据库删除或被禁用
|
||
if not _verify_user_active():
|
||
return jsonify(msg='账号已失效(已删除或已禁用),请重新登录'), 401
|
||
|
||
if not _verify_token_in_redis():
|
||
return _raise_token_mismatch_error()
|
||
|
||
claims = get_jwt()
|
||
user_role = claims.get('role')
|
||
if user_role and user_role.upper() == 'SUPER_ADMIN':
|
||
return fn(*args, **kwargs)
|
||
|
||
try:
|
||
from app.services.auth_service import AuthService
|
||
perm_dict = AuthService.get_user_permissions(user_role)
|
||
except Exception as e:
|
||
logging.warning(f"Failed to fetch permissions for role {user_role}: {e}")
|
||
return jsonify(msg='权限查询失败'), 403
|
||
|
||
all_perms = perm_dict.get('menus', []) + perm_dict.get('elements', [])
|
||
if permission_code not in all_perms:
|
||
logging.warning(f"权限检查失败: 角色={user_role}, 所需权限={permission_code}")
|
||
return jsonify(msg='权限不足:您没有访问此资源的权限'), 403
|
||
return fn(*args, **kwargs)
|
||
return decorator
|
||
return wrapper
|
||
|
||
def audit_log(module: str = None, action: str = None, get_target_id_fn=None, get_target_name_fn=None, get_details_fn=None):
|
||
"""
|
||
已废弃!
|
||
由 SQLAlchemy 底层监听器(app/core/audit_listener.py)全面接管审计日志入库。
|
||
此装饰器保留空壳以防项目中其他文件 import 引用时报错。
|
||
"""
|
||
def wrapper(fn):
|
||
from functools import wraps
|
||
@wraps(fn)
|
||
def decorator(*inner_args, **inner_kwargs):
|
||
return fn(*inner_args, **inner_kwargs)
|
||
return decorator
|
||
return wrapper |