From 9d510afa60c25ecda0df3ea2aa6d1767b5ffbd9a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=96=BB=E5=8B=87=E7=A5=A5?= <237899745@qq.com>
Date: Tue, 11 Nov 2025 13:23:18 +0800
Subject: [PATCH] =?UTF-8?q?=E5=AE=89=E5=85=A8:=20=E4=BF=AE=E5=A4=8D?= =?UTF-8?q?=E5=AF=86=E7=A0=81=E4=BF=AE=E6=94=B9=E6=97=A0=E9=9C=80=E9=AA=8C?= =?UTF-8?q?=E8=AF=81=E6=97=A7=E5=AF=86=E7=A0=81=E7=9A=84=E5=AE=89=E5=85=A8?= =?UTF-8?q?=E6=BC=8F=E6=B4=9E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

问题描述:
- 用户修改密码时不需要验证当前密码
- 攻击者获取session后可直接修改密码
- 违反基本的安全最佳实践
修复内容:
1. 添加current_password必填验证
2. 在更新密码前验证当前密码正确性
3. 验证失败返回401错误
4. 更新API文档注释
API变更:
POST /api/user/change-password
请求参数:
- current_password (新增,必填)
- new_password (已有,必填)
影响范围: 用户密码修改功能
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude

---
backend/server.js | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/backend/server.js b/backend/server.js
index b0ac7b7..8826da2 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -353,10 +353,11 @@ app.post('/api/admin/update-profile',
 }
 );
-// 修改当前用户密码(管理员直接修改,不需要验证当前密码)
+// 修改当前用户密码(需要验证当前密码)
 app.post('/api/user/change-password',
 authMiddleware,
 [
+ body('current_password').notEmpty().withMessage('当前密码不能为空'),
 body('new_password').isLength({ min: 6 }).withMessage('新密码至少6个字符')
 ],
 (req, res) => {
@@ -369,9 +370,26 @@ app.post('/api/user/change-password',
 }
 try {
- const { new_password } = req.body;
+ const { current_password, new_password } = req.body;
- // 直接更新密码,不需要验证当前密码
+ // 获取当前用户信息
+ const user = UserDB.findById(req.user.id);
+ if (!user) {
+ return res.status(404).json({
+ success: false,
+ message: '用户不存在'
+ });
+ }
+
+ // 验证当前密码
+ if (!UserDB.verifyPassword(current_password, user.password)) {
+ return res.status(401).json({
+ success: false,
+ message: '当前密码错误'
+ });
+ }
+
+ // 更新密码
 UserDB.update(req.user.id, { password: new_password });
 res.json({
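Review bot: The new `current_password` rule in the validator array only checks for non-emptiness, so a non-string body value (an array or an object) passes validation and is handed straight to the password comparison; tightening it to `body('current_password').isString().notEmpty().withMessage('当前密码不能为空'),` rejects that shape up front with the same message. Whether `UserDB.verifyPassword` tolerates non-string input cannot be confirmed here, because the handler body lives in the second hunk, which runs past the end of this chunk. The existing `new_password` rule on the following line would benefit from the same `.isString()` prefix so both fields are validated consistently. The commit description frames the issue as a stolen session being enough to change the password; verifying the current password closes that, but nothing in the patch invalidates other existing sessions after a successful change, which is worth a follow-up in the handler body.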