From 44722a11d3474d3b375d16def6d893508de7fd36 Mon Sep 17 00:00:00 2001
From: yanyongyu
Date: Tue, 15 Sep 2020 14:48:15 +0800
Subject: [PATCH] :lock: fix wrong auth check

---
 nonebot/__init__.py        |  4 ++--
 nonebot/config.py          | 34 ++++++++++++++++++++--------------
 nonebot/drivers/fastapi.py | 22 +++++++++++++++++-----
 3 files changed, 39 insertions(+), 21 deletions(-)

diff --git a/nonebot/__init__.py b/nonebot/__init__.py
index 68c2a8d2..bd0ee80b 100644
--- a/nonebot/__init__.py
+++ b/nonebot/__init__.py
@@ -147,10 +147,10 @@ def init(*, _env_file: Optional[str] = None, **kwargs):
     """
     global _driver
     if not _driver:
-        logger.debug("NoneBot is initializing...")
+        logger.info("NoneBot is initializing...")
         env = Env()
         logger.opt(
-            colors=True).debug(f"Current Env: {env.environment}")
+            colors=True).info(f"Current Env: {env.environment}")
         config = Config(**kwargs,
                         _env_file=_env_file or f".env.{env.environment}")
diff --git a/nonebot/config.py b/nonebot/config.py
index 7b9281fb..9a9c4ffa 100644
--- a/nonebot/config.py
+++ b/nonebot/config.py
@@ -143,19 +143,6 @@ class Config(BaseConfig):
     - 说明:
       NoneBot 的 HTTP 和 WebSocket 服务端监听的端口。
     """
-    secret: Optional[str] = None
-    """
-    - 类型: ``Optional[str]``
-    - 默认值: ``None``
-    - 说明:
-      上报连接 NoneBot 所需的密钥。
-    - 示例:
-
-    .. code-block:: http
-
-        POST /cqhttp/ HTTP/1.1
-        Authorization: Bearer kSLuTF2GC2Q4q4ugm3
-    """
     debug: bool = False
     """
     - 类型: ``bool``
@@ -189,7 +176,26 @@ class Config(BaseConfig):
     - 类型: ``Optional[str]``
     - 默认值: ``None``
     - 说明:
-      API 请求所需密钥,会在调用 API 时在请求头中携带。
+      API 请求以及上报所需密钥,在请求头中携带。
+    - 示例:
+
+    .. code-block:: http
+
+        POST /cqhttp/ HTTP/1.1
+        Authorization: Bearer kSLuTF2GC2Q4q4ugm3
+    """
+    secret: Optional[str] = None
+    """
+    - 类型: ``Optional[str]``
+    - 默认值: ``None``
+    - 说明:
+      HTTP POST 形式上报所需签名,在请求头中携带。
+    - 示例:
+
+    .. code-block:: http
+
+        POST /cqhttp/ HTTP/1.1
+        X-Signature: sha1=f9ddd4863ace61e64f462d41ca311e3d2c1176e2
     """
 
     # bot runtime configs
diff --git a/nonebot/drivers/fastapi.py b/nonebot/drivers/fastapi.py
index 663998d1..9b95a462 100644
--- a/nonebot/drivers/fastapi.py
+++ b/nonebot/drivers/fastapi.py
@@ -114,7 +114,8 @@ class Driver(BaseDriver):
                            adapter: str,
                            data: dict = Body(...),
                            x_self_id: Optional[str] = Header(None),
-                           x_signature: Optional[str] = Header(None)):
+                           x_signature: Optional[str] = Header(None),
+                           auth: Optional[str] = Depends(get_auth_bearer)):
         # 检查self_id
         if not x_self_id:
             logger.warning("Missing X-Self-ID Header")
@@ -135,6 +136,14 @@ class Driver(BaseDriver):
             raise HTTPException(status_code=status.HTTP_403_FORBIDDEN,
                                 detail="Signature is invalid")
 
+        access_token = self.config.access_token
+        if access_token and access_token != auth:
+            logger.warning("Authorization Header is invalid"
+                           if auth else "Missing Authorization Header")
+            raise HTTPException(status_code=status.HTTP_403_FORBIDDEN,
+                                detail="Authorization Header is invalid"
+                                if auth else "Missing Authorization Header")
+
         if not isinstance(data, dict):
             logger.warning("Data received is invalid")
             raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST)
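Review bot: The new token check in the second hunk compares `access_token != auth` with ordinary string inequality, which stops at the first differing character and so leaks timing information about the configured token; the WebSocket hunk that follows repeats the same comparison (`if access_token and access_token != auth:`). A constant-time comparison is the usual fix, e.g. `if access_token and (not auth or not hmac.compare_digest(access_token.encode(), auth.encode())):` with `import hmac` added to the module's imports (outside this hunk). Note also that `if access_token and ...` treats an `access_token` set to the empty string the same as one left unset, so a blank value silently disables the check — worth stating in the `access_token` docstring or rejecting when the config is loaded. The enclosing handler starts before this hunk and continues past it.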
@@ -161,22 +170,25 @@ class Driver(BaseDriver):
                                adapter: str,
                                websocket: FastAPIWebSocket,
                                x_self_id: str = Header(None),
-                               access_token: Optional[str] = Depends(get_auth_bearer)):
+                               auth: Optional[str] = Depends(get_auth_bearer)):
         ws = WebSocket(websocket)
 
-        secret = self.config.secret
-        if secret is not None and secret != access_token:
+        access_token = self.config.access_token
+        if access_token and access_token != auth:
             logger.warning("Authorization Header is invalid"
-                           if access_token else "Missing Authorization Header")
+                           if auth else "Missing Authorization Header")
             await ws.close(code=status.WS_1008_POLICY_VIOLATION)
+            return
 
         if not x_self_id:
             logger.warning(f"Missing X-Self-ID Header")
             await ws.close(code=status.WS_1008_POLICY_VIOLATION)
+            return
 
         if x_self_id in self._clients:
             logger.warning(f"Connection Conflict: self_id {x_self_id}")
             await ws.close(code=status.WS_1008_POLICY_VIOLATION)
+            return
 
         # Create Bot Object
         if adapter in self._adapters: