fix: 修复安全问题 - 登录失败返回401 + XSS过滤
- 登录失败返回 HTTP 401 而非 200 - 添加 XSS 输入过滤工具函数 - 课程名称和描述字段添加 XSS 过滤验证器
@@ -67,7 +67,7 @@ async def login(
|
||||
SystemLogCreate(
|
||||
level="WARNING",
|
||||
type="security",
|
||||
message=f"用户 {login_data.username} 登录失败:密码错误",
|
||||
message=f"用户 {login_data.username} 登录失败:用户名或密码错误",
|
||||
user=login_data.username,
|
||||
ip=request.client.host if request.client else None,
|
||||
path="/api/v1/auth/login",
|
||||
@@ -75,19 +75,27 @@ async def login(
|
||||
user_agent=request.headers.get("user-agent")
|
||||
)
|
||||
)
|
||||
# 不返回 401,统一返回 HTTP 200 + 业务失败码,便于前端友好提示
|
||||
logger.warning("login_failed_wrong_credentials", username=login_data.username)
|
||||
return ResponseModel(
|
||||
code=400,
|
||||
message=str(e) or "用户名或密码错误",
|
||||
data=None,
|
||||
# 返回 HTTP 401 + 统一错误消息(避免用户枚举)
|
||||
from fastapi.responses import JSONResponse
|
||||
return JSONResponse(
|
||||
status_code=401,
|
||||
content={
|
||||
"code": 401,
|
||||
"message": "用户名或密码错误",
|
||||
"data": None,
|
||||
}
|
||||
)
|
||||
except Exception as e:
|
||||
logger.error("login_failed_unexpected", error=str(e))
|
||||
return ResponseModel(
|
||||
code=500,
|
||||
message="登录失败,请稍后重试",
|
||||
data=None,
|
||||
from fastapi.responses import JSONResponse
|
||||
return JSONResponse(
|
||||
status_code=500,
|
||||
content={
|
||||
"code": 500,
|
||||
"message": "登录失败,请稍后重试",
|
||||
"data": None,
|
||||
}
|
||||
)
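Review bot: `from fastapi.responses import JSONResponse` is imported inside the handler in both new error branches; move it to the module's import block (not visible in this hunk) so the handler does not repeat a function-scope import on every failed login. RFC 9110 §15.5.2 requires a 401 response to carry a `WWW-Authenticate` header; for a token-based API the minimal form is `headers={"WWW-Authenticate": "Bearer"}` on the `JSONResponse(status_code=401, ...)` call, which keeps the generic body unchanged. The unexpected-failure branch logs only `str(e)`, which loses the traceback; if the logger supports it, `logger.exception("login_failed_unexpected")` preserves the stack for incident triage while the client still sees the generic 500 body. The unified "用户名或密码错误" message removes the text-based enumeration signal, but if a nonexistent username and a wrong password still take different code paths before this branch (the old log message said "密码错误", which suggests this branch covers the wrong-password case), response timing may still differ — worth confirming the credential check performs the same hash comparison for unknown users. The enclosing `login` function starts before this hunk, and the lines after the final `)` are outside this view.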
|
||||