🔒 fix wrong auth check
@ -147,10 +147,10 @@ def init(*, _env_file: Optional[str] = None, **kwargs):
|
|||||||
"""
|
"""
|
||||||
global _driver
|
global _driver
|
||||||
if not _driver:
|
if not _driver:
|
||||||
logger.debug("NoneBot is initializing...")
|
logger.info("NoneBot is initializing...")
|
||||||
env = Env()
|
env = Env()
|
||||||
logger.opt(
|
logger.opt(
|
||||||
colors=True).debug(f"Current <y><b>Env: {env.environment}</b></y>")
|
colors=True).info(f"Current <y><b>Env: {env.environment}</b></y>")
|
||||||
config = Config(**kwargs,
|
config = Config(**kwargs,
|
||||||
_env_file=_env_file or f".env.{env.environment}")
|
_env_file=_env_file or f".env.{env.environment}")
|
||||||
|
|
||||||
|
@ -143,19 +143,6 @@ class Config(BaseConfig):
|
|||||||
- 说明:
|
- 说明:
|
||||||
NoneBot 的 HTTP 和 WebSocket 服务端监听的端口。
|
NoneBot 的 HTTP 和 WebSocket 服务端监听的端口。
|
||||||
"""
|
"""
|
||||||
secret: Optional[str] = None
|
|
||||||
"""
|
|
||||||
- 类型: ``Optional[str]``
|
|
||||||
- 默认值: ``None``
|
|
||||||
- 说明:
|
|
||||||
上报连接 NoneBot 所需的密钥。
|
|
||||||
- 示例:
|
|
||||||
|
|
||||||
.. code-block:: http
|
|
||||||
|
|
||||||
POST /cqhttp/ HTTP/1.1
|
|
||||||
Authorization: Bearer kSLuTF2GC2Q4q4ugm3
|
|
||||||
"""
|
|
||||||
debug: bool = False
|
debug: bool = False
|
||||||
"""
|
"""
|
||||||
- 类型: ``bool``
|
- 类型: ``bool``
|
||||||
@ -189,7 +176,26 @@ class Config(BaseConfig):
|
|||||||
- 类型: ``Optional[str]``
|
- 类型: ``Optional[str]``
|
||||||
- 默认值: ``None``
|
- 默认值: ``None``
|
||||||
- 说明:
|
- 说明:
|
||||||
API 请求所需密钥,会在调用 API 时在请求头中携带。
|
API 请求以及上报所需密钥,在请求头中携带。
|
||||||
|
- 示例:
|
||||||
|
|
||||||
|
.. code-block:: http
|
||||||
|
|
||||||
|
POST /cqhttp/ HTTP/1.1
|
||||||
|
Authorization: Bearer kSLuTF2GC2Q4q4ugm3
|
||||||
|
"""
|
||||||
|
secret: Optional[str] = None
|
||||||
|
"""
|
||||||
|
- 类型: ``Optional[str]``
|
||||||
|
- 默认值: ``None``
|
||||||
|
- 说明:
|
||||||
|
HTTP POST 形式上报所需签名,在请求头中携带。
|
||||||
|
- 示例:
|
||||||
|
|
||||||
|
.. code-block:: http
|
||||||
|
|
||||||
|
POST /cqhttp/ HTTP/1.1
|
||||||
|
X-Signature: sha1=f9ddd4863ace61e64f462d41ca311e3d2c1176e2
|
||||||
"""
|
"""
|
||||||
|
|
||||||
# bot runtime configs
|
# bot runtime configs
|
||||||
|
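Review bot: The new docstring for `secret` reads as if the field holds the signature ("HTTP POST 形式上报所需签名"), while the `X-Signature: sha1=...` example right below it is the value the peer sends, so a reader can conclude the secret is transmitted in a header. Reword the 说明 line to say that `secret` is the shared key the driver uses to verify the `X-Signature` header on HTTP POST reports and is never sent itself; the same section's `access_token` entry already makes that distinction correctly for `Authorization: Bearer`. Mentioning in both entries that an unset value (`None`) disables the corresponding check would also spare readers a trip to the driver code, if that is indeed the driver's behavior.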
@ -114,7 +114,8 @@ class Driver(BaseDriver):
|
|||||||
adapter: str,
|
adapter: str,
|
||||||
data: dict = Body(...),
|
data: dict = Body(...),
|
||||||
x_self_id: Optional[str] = Header(None),
|
x_self_id: Optional[str] = Header(None),
|
||||||
x_signature: Optional[str] = Header(None)):
|
x_signature: Optional[str] = Header(None),
|
||||||
|
auth: Optional[str] = Depends(get_auth_bearer)):
|
||||||
# 检查self_id
|
# 检查self_id
|
||||||
if not x_self_id:
|
if not x_self_id:
|
||||||
logger.warning("Missing X-Self-ID Header")
|
logger.warning("Missing X-Self-ID Header")
|
||||||
@ -135,6 +136,14 @@ class Driver(BaseDriver):
|
|||||||
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN,
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN,
|
||||||
detail="Signature is invalid")
|
detail="Signature is invalid")
|
||||||
|
|
||||||
|
access_token = self.config.access_token
|
||||||
|
if access_token and access_token != auth:
|
||||||
|
logger.warning("Authorization Header is invalid"
|
||||||
|
if auth else "Missing Authorization Header")
|
||||||
|
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN,
|
||||||
|
detail="Authorization Header is invalid"
|
||||||
|
if auth else "Missing Authorization Header")
|
||||||
|
|
||||||
if not isinstance(data, dict):
|
if not isinstance(data, dict):
|
||||||
logger.warning("Data received is invalid")
|
logger.warning("Data received is invalid")
|
||||||
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST)
|
raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST)
|
||||||
@ -161,22 +170,25 @@ class Driver(BaseDriver):
|
|||||||
adapter: str,
|
adapter: str,
|
||||||
websocket: FastAPIWebSocket,
|
websocket: FastAPIWebSocket,
|
||||||
x_self_id: str = Header(None),
|
x_self_id: str = Header(None),
|
||||||
access_token: Optional[str] = Depends(get_auth_bearer)):
|
auth: Optional[str] = Depends(get_auth_bearer)):
|
||||||
ws = WebSocket(websocket)
|
ws = WebSocket(websocket)
|
||||||
|
|
||||||
secret = self.config.secret
|
access_token = self.config.access_token
|
||||||
if secret is not None and secret != access_token:
|
if access_token and access_token != auth:
|
||||||
logger.warning("Authorization Header is invalid"
|
logger.warning("Authorization Header is invalid"
|
||||||
if access_token else "Missing Authorization Header")
|
if auth else "Missing Authorization Header")
|
||||||
await ws.close(code=status.WS_1008_POLICY_VIOLATION)
|
await ws.close(code=status.WS_1008_POLICY_VIOLATION)
|
||||||
|
return
|
||||||
|
|
||||||
if not x_self_id:
|
if not x_self_id:
|
||||||
logger.warning(f"Missing X-Self-ID Header")
|
logger.warning(f"Missing X-Self-ID Header")
|
||||||
await ws.close(code=status.WS_1008_POLICY_VIOLATION)
|
await ws.close(code=status.WS_1008_POLICY_VIOLATION)
|
||||||
|
return
|
||||||
|
|
||||||
if x_self_id in self._clients:
|
if x_self_id in self._clients:
|
||||||
logger.warning(f"Connection Conflict: self_id {x_self_id}")
|
logger.warning(f"Connection Conflict: self_id {x_self_id}")
|
||||||
await ws.close(code=status.WS_1008_POLICY_VIOLATION)
|
await ws.close(code=status.WS_1008_POLICY_VIOLATION)
|
||||||
|
return
|
||||||
|
|
||||||
# Create Bot Object
|
# Create Bot Object
|
||||||
if adapter in self._adapters:
|
if adapter in self._adapters:
|
||||||
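Review bot: The token check `if access_token and access_token != auth:` at L313 compares a bearer credential with a plain `!=`, which short-circuits on the first differing character; the same line is repeated in the WebSocket handler at L392. Since this is the only gate that keeps unauthenticated peers off the endpoint once `access_token` is configured, it should use a constant-time comparison from the standard library, e.g. `if access_token and (auth is None or not hmac.compare_digest(access_token, auth)):`, with `import hmac` added to the module imports, which are outside these hunks. The `auth is None` guard keeps the existing "Missing Authorization Header" branch working, because `compare_digest` rejects `None`. Both enclosing handler bodies start before and continue after their hunks, so the surrounding error handling is not visible here.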
|