fix: prevent login/register redirect loops on stale sessions

This commit is contained in:
JOJO 2026-04-07 20:15:23 +08:00
parent d798d39da3
commit 2fd4782f5c

View File

@ -17,7 +17,7 @@ from config import (
LOGS_DIR,
)
from .auth_helpers import login_required, api_login_required, get_current_user_record, get_current_username
from .auth_helpers import login_required, api_login_required, get_current_user_record, get_current_username, is_logged_in
from .security import (
get_csrf_token,
check_rate_limit,
@ -123,8 +123,16 @@ def host_mode_enabled():
def login():
if request.method == 'GET':
auth_debug_log(f"[auth_debug] GET /login session={_session_debug_snapshot()} cookie={_cookie_debug_snapshot()}")
if session.get('username'):
if is_logged_in():
return redirect('/new')
# 避免“session 内残留 username 但已失效”导致 /login <-> /new 重定向循环
if session.get('username'):
stale_username = session.get('username')
stale_nonce = session.get('login_nonce')
_revoke_login_nonce(stale_username, stale_nonce)
session.clear()
resp = make_response(current_app.send_static_file('login.html'))
return _expire_session_cookie(resp)
if not state.container_manager.has_capacity():
return current_app.send_static_file('resource_busy.html'), 503
return current_app.send_static_file('login.html')
@ -242,9 +250,16 @@ def host_login():
def register():
if request.method == 'GET':
auth_debug_log(f"[auth_debug] GET /register session={_session_debug_snapshot()} cookie={_cookie_debug_snapshot()}")
if session.get('username'):
if is_logged_in():
auth_debug_log("[auth_debug] GET /register redirected to /new because session.username exists")
return redirect('/new')
if session.get('username'):
stale_username = session.get('username')
stale_nonce = session.get('login_nonce')
_revoke_login_nonce(stale_username, stale_nonce)
session.clear()
resp = make_response(current_app.send_static_file('register.html'))
return _expire_session_cookie(resp)
return current_app.send_static_file('register.html')
data = request.get_json() or {}