From 722dccdc7805043297c8f410c30929ade748724c Mon Sep 17 00:00:00 2001
From: yuyx <237899745@qq.com>
Date: Wed, 14 Jan 2026 13:29:32 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E7=99=BB=E5=BD=95=E8=B7=AF=E7=94=B1?=
 =?UTF-8?q?=E6=B7=BB=E5=8A=A0CSRF=E8=B1=81=E5=85=8D=EF=BC=8C=E8=A7=A3?=
 =?UTF-8?q?=E5=86=B3=E9=87=8D=E5=90=AF=E5=90=8E=E6=97=A0=E6=B3=95=E7=99=BB?=
 =?UTF-8?q?=E5=BD=95=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 添加 /yuyx/api/login, /api/login, /api/auth/login 路由的CSRF豁免
- 登录本身就是建立session的过程，不需要CSRF保护
- 解决服务重启后旧session导致CSRF验证失败的问题

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 app.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/app.py b/app.py
index 1639782..d80468c 100644
--- a/app.py
+++ b/app.py
@@ -137,6 +137,10 @@ def enforce_csrf_protection():
         return
     if request.path.startswith("/static/"):
         return
+    # 登录相关路由豁免 CSRF 检查（登录本身就是建立 session 的过程）
+    csrf_exempt_paths = {"/yuyx/api/login", "/api/login", "/api/auth/login"}
+    if request.path in csrf_exempt_paths:
+        return
     if not (current_user.is_authenticated or "admin_id" in session):
         return
     token = request.headers.get("X-CSRF-Token") or request.form.get("csrf_token")