ProjectHentai/nonebot2
6
0
Fork 0
mirror of https://github.com/nonebot/nonebot2.git synced 2025-10-31 15:06:42 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

🔒 fix wrong auth check

Browse Source
This commit is contained in:
yanyongyu
2020-09-15 14:48:15 +08:00
parent 50601934b9
commit 44722a11d3
3 changed files with 39 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
nonebot/__init__.py
View File

@@ -147,10 +147,10 @@ def init(*, _env_file: Optional[str] = None, **kwargs):
"""
global _driver
if not _driver:
logger.debug("NoneBot is initializing...")
logger.info("NoneBot is initializing...")
env = Env()
logger.opt(
colors=True).debug(f"Current <y><b>Env: {env.environment}</b></y>")
colors=True).info(f"Current <y><b>Env: {env.environment}</b></y>")
config = Config(**kwargs,
_env_file=_env_file or f".env.{env.environment}")

34
nonebot/config.py
View File

@@ -143,19 +143,6 @@ class Config(BaseConfig):
- 说明:
NoneBot 的 HTTP 和 WebSocket 服务端监听的端口。
"""
secret: Optional[str] = None
"""
- 类型: ``Optional[str]``
- 默认值: ``None``
- 说明:
上报连接 NoneBot 所需的密钥。
- 示例:
.. code-block:: http
POST /cqhttp/ HTTP/1.1
Authorization: Bearer kSLuTF2GC2Q4q4ugm3
"""
debug: bool = False
"""
- 类型: ``bool``
@@ -189,7 +176,26 @@ class Config(BaseConfig):
- 类型: ``Optional[str]``
- 默认值: ``None``
- 说明:
API 请求所需密钥,会在调用 API 时在请求头中携带。
API 请求以及上报所需密钥,在请求头中携带。
- 示例:
.. code-block:: http
POST /cqhttp/ HTTP/1.1
Authorization: Bearer kSLuTF2GC2Q4q4ugm3
"""
secret: Optional[str] = None
"""
- 类型: ``Optional[str]``
- 默认值: ``None``
- 说明:
HTTP POST 形式上报所需签名,在请求头中携带。
- 示例:
.. code-block:: http
POST /cqhttp/ HTTP/1.1
X-Signature: sha1=f9ddd4863ace61e64f462d41ca311e3d2c1176e2
"""
# bot runtime configs

22
nonebot/drivers/fastapi.py
View File

@@ -114,7 +114,8 @@ class Driver(BaseDriver):
adapter: str,
data: dict = Body(...),
x_self_id: Optional[str] = Header(None),
x_signature: Optional[str] = Header(None)):
x_signature: Optional[str] = Header(None),
auth: Optional[str] = Depends(get_auth_bearer)):
# 检查self_id
if not x_self_id:
logger.warning("Missing X-Self-ID Header")
@@ -135,6 +136,14 @@ class Driver(BaseDriver):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN,
detail="Signature is invalid")
access_token = self.config.access_token
if access_token and access_token != auth:
logger.warning("Authorization Header is invalid"
if auth else "Missing Authorization Header")
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN,
detail="Authorization Header is invalid"
if auth else "Missing Authorization Header")
if not isinstance(data, dict):
logger.warning("Data received is invalid")
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST)
@@ -161,22 +170,25 @@ class Driver(BaseDriver):
adapter: str,
websocket: FastAPIWebSocket,
x_self_id: str = Header(None),
access_token: Optional[str] = Depends(get_auth_bearer)):
auth: Optional[str] = Depends(get_auth_bearer)):
ws = WebSocket(websocket)
secret = self.config.secret
if secret is not None and secret != access_token:
access_token = self.config.access_token
if access_token and access_token != auth:
logger.warning("Authorization Header is invalid"
if access_token else "Missing Authorization Header")
if auth else "Missing Authorization Header")
await ws.close(code=status.WS_1008_POLICY_VIOLATION)
return
if not x_self_id:
logger.warning(f"Missing X-Self-ID Header")
await ws.close(code=status.WS_1008_POLICY_VIOLATION)
return
if x_self_id in self._clients:
logger.warning(f"Connection Conflict: self_id {x_self_id}")
await ws.close(code=status.WS_1008_POLICY_VIOLATION)
return
# Create Bot Object
if adapter in self._adapters: