fix: admin auth UX, password policy, deps, db pool

2025-12-17 23:53:11 +08:00
parent 9028f7e272
commit 5851120f87
6 changed files with 46 additions and 18 deletions
--- a/routes/api_auth.py
+++ b/routes/api_auth.py
@@ -43,6 +43,10 @@ def register():
    if not username or not password:
        return jsonify({"error": "用户名和密码不能为空"}), 400

+    is_valid, error_msg = validate_password(password)
+    if not is_valid:
+        return jsonify({"error": error_msg}), 400
+
    client_ip = get_client_ip()

    allowed, error_msg = check_ip_rate_limit(client_ip)
--- a/routes/api_user.py
+++ b/routes/api_user.py
@@ -5,7 +5,7 @@ from __future__ import annotations
 import database
 import email_service
 from app_logger import get_logger
-from app_security import require_ip_not_locked, validate_email
+from app_security import require_ip_not_locked, validate_email, validate_password
 from flask import Blueprint, jsonify, request
 from flask_login import current_user, login_required
 from routes.pages import render_app_spa_or_legacy
@@ -119,8 +119,9 @@ def change_user_password():
    if not current_password or not new_password:
        return jsonify({"error": "请填写完整信息"}), 400

-    if len(new_password) < 6:
-        return jsonify({"error": "新密码至少6位"}), 400
+    is_valid, error_msg = validate_password(new_password)
+    if not is_valid:
+        return jsonify({"error": error_msg}), 400

    user = database.get_user_by_id(current_user.id)
    if not user:
@@ -290,4 +291,3 @@ def get_run_stats():
            "today_attachments": stats.get("total_attachments", 0),
        }
    )
-
--- a/routes/decorators.py
+++ b/routes/decorators.py
@@ -4,7 +4,7 @@ from __future__ import annotations

 from functools import wraps

-from flask import jsonify, request, session
+from flask import jsonify, redirect, request, session, url_for

 from services.runtime import get_logger

@@ -18,9 +18,11 @@ def admin_required(f):
        logger.debug(f"[admin_required] 检查会话，admin_id存在: {'admin_id' in session}")
        if "admin_id" not in session:
            logger.warning(f"[admin_required] 拒绝访问 {request.path} - session中无admin_id")
-            return jsonify({"error": "需要管理员权限"}), 403
+            is_api = request.blueprint == "admin_api" or request.path.startswith("/yuyx/api")
+            if is_api:
+                return jsonify({"error": "需要管理员权限"}), 403
+            return redirect(url_for("pages.admin_login_page"))
        logger.info(f"[admin_required] 管理员 {session.get('admin_username')} 访问 {request.path}")
        return f(*args, **kwargs)

    return decorated_function
-