fix: prevent login/register redirect loops on stale sessions
This commit is contained in:
parent
d798d39da3
commit
2fd4782f5c
@ -17,7 +17,7 @@ from config import (
|
||||
LOGS_DIR,
|
||||
)
|
||||
|
||||
from .auth_helpers import login_required, api_login_required, get_current_user_record, get_current_username
|
||||
from .auth_helpers import login_required, api_login_required, get_current_user_record, get_current_username, is_logged_in
|
||||
from .security import (
|
||||
get_csrf_token,
|
||||
check_rate_limit,
|
||||
@ -123,8 +123,16 @@ def host_mode_enabled():
|
||||
def login():
|
||||
if request.method == 'GET':
|
||||
auth_debug_log(f"[auth_debug] GET /login session={_session_debug_snapshot()} cookie={_cookie_debug_snapshot()}")
|
||||
if session.get('username'):
|
||||
if is_logged_in():
|
||||
return redirect('/new')
|
||||
# 避免“session 内残留 username 但已失效”导致 /login <-> /new 重定向循环
|
||||
if session.get('username'):
|
||||
stale_username = session.get('username')
|
||||
stale_nonce = session.get('login_nonce')
|
||||
_revoke_login_nonce(stale_username, stale_nonce)
|
||||
session.clear()
|
||||
resp = make_response(current_app.send_static_file('login.html'))
|
||||
return _expire_session_cookie(resp)
|
||||
if not state.container_manager.has_capacity():
|
||||
return current_app.send_static_file('resource_busy.html'), 503
|
||||
return current_app.send_static_file('login.html')
|
||||
@ -242,9 +250,16 @@ def host_login():
|
||||
def register():
|
||||
if request.method == 'GET':
|
||||
auth_debug_log(f"[auth_debug] GET /register session={_session_debug_snapshot()} cookie={_cookie_debug_snapshot()}")
|
||||
if session.get('username'):
|
||||
if is_logged_in():
|
||||
auth_debug_log("[auth_debug] GET /register redirected to /new because session.username exists")
|
||||
return redirect('/new')
|
||||
if session.get('username'):
|
||||
stale_username = session.get('username')
|
||||
stale_nonce = session.get('login_nonce')
|
||||
_revoke_login_nonce(stale_username, stale_nonce)
|
||||
session.clear()
|
||||
resp = make_response(current_app.send_static_file('register.html'))
|
||||
return _expire_session_cookie(resp)
|
||||
return current_app.send_static_file('register.html')
|
||||
|
||||
data = request.get_json() or {}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user