b500613d22
背景: 防 token 泄漏被滥用 + 限共享账号人数。
- 新增 app/services/active_ip.py:
Redis ZSET 'active_ips' 存 IP,score=last_seen_unix
登录/refresh 时 check_or_register_login_ip():
IP 已在 set → 刷新 score,放行(老用户重连)
IP 不在 set + ZCARD < 30 → 加入,放行
IP 不在 set + ZCARD >= 30 → raise 429
每个已认证请求 _resolve_user() 调 touch_ip_dependency()
滑动 TTL,30 天没活动自动从 set 剔除
- get_client_ip() 取真实 IP,优先级 X-Forwarded-For > X-Real-IP > client.host
trust_x_forwarded_for 默认 True(生产 Caddy/Nginx 后面)
- config 加 3 个开关:
site_max_active_ips: int = 30
site_active_ip_idle_days: int = 30
trust_x_forwarded_for: bool = True
- admin.py 加 3 个端点:
GET /admin/active-ips — 看当前活跃 IP 列表 + last_seen
POST /admin/active-ips/kick — 强制踢出指定 IP(body={ip})
DELETE /admin/active-ips/{ip}— 简写踢出
- 注: refresh 也算 IP 占用(拿到 access token 就能用)
但已存在的 IP 直接放行,不会踢自己
79 lines
2.8 KiB
Python
79 lines
2.8 KiB
Python
"""登录/刷新/登出。"""
|
|
from __future__ import annotations
|
|
|
|
from datetime import datetime, timezone
|
|
|
|
from fastapi import APIRouter, Depends, HTTPException, Request, status
|
|
from jwt.exceptions import InvalidTokenError
|
|
from sqlalchemy import select
|
|
from sqlalchemy.ext.asyncio import AsyncSession
|
|
|
|
from app.config import settings
|
|
from app.core.security import (
|
|
create_access_token,
|
|
create_refresh_token,
|
|
decode_token,
|
|
verify_password,
|
|
)
|
|
from app.database import get_session
|
|
from app.models.user import User
|
|
from app.schemas.auth import LoginRequest, RefreshRequest, TokenPair
|
|
from app.services.active_ip import check_or_register_login_ip, get_client_ip
|
|
|
|
router = APIRouter(prefix="/auth", tags=["auth"])
|
|
|
|
|
|
def _pair_for(user: User) -> TokenPair:
|
|
access = create_access_token(user.id, extra={"role": user.role.value})
|
|
refresh = create_refresh_token(user.id)
|
|
return TokenPair(
|
|
access_token=access,
|
|
refresh_token=refresh,
|
|
expires_in=settings.access_token_ttl_min * 60,
|
|
)
|
|
|
|
|
|
@router.post("/login", response_model=TokenPair)
|
|
async def login(
|
|
body: LoginRequest,
|
|
request: Request,
|
|
session: AsyncSession = Depends(get_session),
|
|
):
|
|
# === 先校验 IP 上限(在查 DB 前,避免密码错误也消耗 DB)===
|
|
# 注:这一步是公开的(未认证),不暴露"这个 IP 是不是 owner"的信息
|
|
client_ip = get_client_ip(request)
|
|
await check_or_register_login_ip(client_ip)
|
|
|
|
result = await session.execute(select(User).where(User.username == body.username))
|
|
user = result.scalars().first()
|
|
if not user or not user.is_active or not verify_password(body.password, user.password_hash):
|
|
raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Invalid credentials")
|
|
user.last_login_at = datetime.now(timezone.utc)
|
|
await session.commit()
|
|
return _pair_for(user)
|
|
|
|
|
|
@router.post("/refresh", response_model=TokenPair)
|
|
async def refresh(
|
|
body: RefreshRequest,
|
|
request: Request,
|
|
session: AsyncSession = Depends(get_session),
|
|
):
|
|
# refresh 也要算 IP 占用(因为 refresh 拿到 access token 就能用)
|
|
# 但如果 IP 已经在 set 里,等于合法老用户,直接放过
|
|
client_ip = get_client_ip(request)
|
|
await check_or_register_login_ip(client_ip)
|
|
|
|
try:
|
|
payload = decode_token(body.refresh_token)
|
|
if payload.get("type") != "refresh":
|
|
raise InvalidTokenError("wrong type")
|
|
uid = int(payload["sub"])
|
|
except (InvalidTokenError, KeyError, ValueError):
|
|
raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Invalid refresh token")
|
|
result = await session.execute(select(User).where(User.id == uid, User.is_active.is_(True)))
|
|
user = result.scalars().first()
|
|
if not user:
|
|
raise HTTPException(status.HTTP_401_UNAUTHORIZED, "User not found")
|
|
return _pair_for(user)
|