diff --git a/server/auth.py b/server/auth.py index 8a16ab4..09a1c26 100644 --- a/server/auth.py +++ b/server/auth.py @@ -17,7 +17,7 @@ from config import ( LOGS_DIR, ) -from .auth_helpers import login_required, api_login_required, get_current_user_record, get_current_username +from .auth_helpers import login_required, api_login_required, get_current_user_record, get_current_username, is_logged_in from .security import ( get_csrf_token, check_rate_limit, @@ -123,8 +123,16 @@ def host_mode_enabled(): def login(): if request.method == 'GET': auth_debug_log(f"[auth_debug] GET /login session={_session_debug_snapshot()} cookie={_cookie_debug_snapshot()}") - if session.get('username'): + if is_logged_in(): return redirect('/new') + # 避免“session 内残留 username 但已失效”导致 /login <-> /new 重定向循环 + if session.get('username'): + stale_username = session.get('username') + stale_nonce = session.get('login_nonce') + _revoke_login_nonce(stale_username, stale_nonce) + session.clear() + resp = make_response(current_app.send_static_file('login.html')) + return _expire_session_cookie(resp) if not state.container_manager.has_capacity(): return current_app.send_static_file('resource_busy.html'), 503 return current_app.send_static_file('login.html') @@ -242,9 +250,16 @@ def host_login(): def register(): if request.method == 'GET': auth_debug_log(f"[auth_debug] GET /register session={_session_debug_snapshot()} cookie={_cookie_debug_snapshot()}") - if session.get('username'): + if is_logged_in(): auth_debug_log("[auth_debug] GET /register redirected to /new because session.username exists") return redirect('/new') + if session.get('username'): + stale_username = session.get('username') + stale_nonce = session.get('login_nonce') + _revoke_login_nonce(stale_username, stale_nonce) + session.clear() + resp = make_response(current_app.send_static_file('register.html')) + return _expire_session_cookie(resp) return current_app.send_static_file('register.html') data = request.get_json() or {}