From 46fb4d0fd099fb2e2f8b42d784548ced2649414a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=96=BB=E5=8B=87=E7=A5=A5?= <237899745@qq.com> Date: Mon, 24 Nov 2025 10:03:57 +0800 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=A7=20=E6=94=B9=E8=BF=9B=E5=8F=8D?= =?UTF-8?q?=E5=90=91=E4=BB=A3=E7=90=86=E5=92=8CSession=E5=AE=89=E5=85=A8?= =?UTF-8?q?=E9=85=8D=E7=BD=AE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 添加trust proxy配置,支持在Nginx/Cloudflare后正确识别客户端IP和协议 - 优化Session cookie配置,HTTPS环境下使用sameSite=none以支持跨域 - 移除测试脚本test_captcha.sh 这些改进确保系统在反向代理环境下正常工作,并提升了安全性。 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- backend/server.js | 8 +++-- test_captcha.sh | 90 ----------------------------------------------- 2 files changed, 6 insertions(+), 92 deletions(-) delete mode 100755 test_captcha.sh diff --git a/backend/server.js b/backend/server.js index d384d61..3d20dee 100644 --- a/backend/server.js +++ b/backend/server.js @@ -22,6 +22,8 @@ const { generateToken, authMiddleware, adminMiddleware } = require('./auth'); const app = express(); const PORT = process.env.PORT || 40001; +// 在反向代理(如 Nginx/Cloudflare)后部署时,信任代理以正确识别协议/IP/HTTPS +app.set('trust proxy', process.env.TRUST_PROXY || true); // 配置CORS - 严格白名单模式 const allowedOrigins = process.env.ALLOWED_ORIGINS @@ -72,15 +74,17 @@ app.use(express.json()); app.use(cookieParser()); // Session配置(用于验证码) +const isSecureCookie = process.env.COOKIE_SECURE === 'true'; +const sameSiteMode = isSecureCookie ? 'none' : 'lax'; // HTTPS下允许跨域获取验证码 app.use(session({ secret: process.env.SESSION_SECRET || 'your-session-secret-change-in-production', resave: false, saveUninitialized: true, // 改为true,确保验证码请求时创建session name: 'captcha.sid', // 自定义session cookie名称 cookie: { - secure: process.env.COOKIE_SECURE === 'true', + secure: isSecureCookie, httpOnly: true, - sameSite: 'lax', // 添加sameSite属性 + sameSite: sameSiteMode, maxAge: 10 * 60 * 1000 // 10分钟 } })); diff --git a/test_captcha.sh b/test_captcha.sh deleted file mode 100755 index ea07ce1..0000000 --- a/test_captcha.sh +++ /dev/null @@ -1,90 +0,0 @@ -#!/bin/bash - -# 登录验证码功能测试脚本 - -echo "================================" -echo "登录验证码功能测试" -echo "================================" -echo "" - -BASE_URL="http://localhost:40001" - -echo "1. 测试验证码API..." -response=$(curl -s -w "\n%{http_code}" "$BASE_URL/api/captcha") -http_code=$(echo "$response" | tail -n1) -if [ "$http_code" = "200" ]; then - echo "✓ 验证码API正常 (HTTP $http_code)" -else - echo "✗ 验证码API异常 (HTTP $http_code)" -fi -echo "" - -echo "2. 测试第一次登录失败(不需要验证码)..." -response=$(curl -s -X POST "$BASE_URL/api/login" \ - -H "Content-Type: application/json" \ - -d '{"username":"test","password":"wrong"}' \ - -c cookies.txt) -echo "$response" | jq -r '.message' -needCaptcha=$(echo "$response" | jq -r '.needCaptcha // false') -if [ "$needCaptcha" = "false" ]; then - echo "✓ 第一次失败不需要验证码" -else - echo "⚠ 第一次失败就需要验证码(可能之前已有失败记录)" -fi -echo "" - -echo "3. 测试第二次登录失败(不需要验证码)..." -response=$(curl -s -X POST "$BASE_URL/api/login" \ - -H "Content-Type: application/json" \ - -d '{"username":"test","password":"wrong"}' \ - -b cookies.txt -c cookies.txt) -echo "$response" | jq -r '.message' -needCaptcha=$(echo "$response" | jq -r '.needCaptcha // false') -if [ "$needCaptcha" = "false" ]; then - echo "✓ 第二次失败不需要验证码" -else - echo "⚠ 第二次失败就需要验证码(可能之前已有失败记录)" -fi -echo "" - -echo "4. 测试第三次登录失败(应该需要验证码)..." -response=$(curl -s -X POST "$BASE_URL/api/login" \ - -H "Content-Type: application/json" \ - -d '{"username":"test","password":"wrong"}' \ - -b cookies.txt -c cookies.txt) -echo "$response" | jq -r '.message' -needCaptcha=$(echo "$response" | jq -r '.needCaptcha // false') -if [ "$needCaptcha" = "true" ]; then - echo "✓ 第三次失败需要验证码" -else - echo "✗ 第三次失败应该需要验证码" -fi -echo "" - -echo "5. 测试不提供验证码时登录..." -response=$(curl -s -X POST "$BASE_URL/api/login" \ - -H "Content-Type: application/json" \ - -d '{"username":"admin","password":"admin123"}' \ - -b cookies.txt -c cookies.txt) -message=$(echo "$response" | jq -r '.message') -echo "$message" -if [[ "$message" == *"验证码"* ]]; then - echo "✓ 正确要求输入验证码" -else - echo "⚠ 未要求验证码(用户可能不存在或之前没有失败记录)" -fi -echo "" - -# 清理 -rm -f cookies.txt - -echo "================================" -echo "测试完成" -echo "================================" -echo "" -echo "注意事项:" -echo "1. 确保后端服务已启动 (node backend/server.js)" -echo "2. 测试用户'test'可能不存在,这是正常的" -echo "3. 如果要完整测试,请使用浏览器手动测试" -echo "4. 防爆破机制会在失败5次后封锁30分钟" -echo ""