237899745/zsglpt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: 登录路由添加CSRF豁免,解决重启后无法登录的问题

Browse Source 
- 添加 /yuyx/api/login, /api/login, /api/auth/login 路由的CSRF豁免
- 登录本身就是建立session的过程,不需要CSRF保护
- 解决服务重启后旧session导致CSRF验证失败的问题

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
yuyx
2026-01-14 13:29:32 +08:00
parent 606cad43dc
commit 722dccdc78
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app.py
View File

@@ -137,6 +137,10 @@ def enforce_csrf_protection():
return return
if request.path.startswith("/static/"): if request.path.startswith("/static/"):
return return
# 登录相关路由豁免 CSRF 检查(登录本身就是建立 session 的过程)
csrf_exempt_paths = {"/yuyx/api/login", "/api/login", "/api/auth/login"}
if request.path in csrf_exempt_paths:
return
if not (current_user.is_authenticated or "admin_id" in session): if not (current_user.is_authenticated or "admin_id" in session):
return return
token = request.headers.get("X-CSRF-Token") or request.form.get("csrf_token") token = request.headers.get("X-CSRF-Token") or request.form.get("csrf_token")