Skip to content

feat: csrf, two tokens verify #5692

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: test/html
Choose a base branch
from
Open

feat: csrf, two tokens verify #5692

wants to merge 3 commits into from

Conversation

fishwww-ww
Copy link
Contributor

No description provided.

@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 23, 2025
edited
Loading

Preview sandbox Image:

registry.cn-hangzhou.aliyuncs.com/fastgpt/fastgpt-pr:fatsgpt_sandbox_f7f5da3e371f1f8d831854c428f98007ef7f5801

@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 23, 2025
edited
Loading

Preview fastgpt Image:

registry.cn-hangzhou.aliyuncs.com/fastgpt/fastgpt-pr:fatsgpt_f7f5da3e371f1f8d831854c428f98007ef7f5801

@github-actions GitHub Actions
Copy link

github-actions bot commented Sep 23, 2025
edited
Loading

Preview mcp_server Image:

registry.cn-hangzhou.aliyuncs.com/fastgpt/fastgpt-pr:fatsgpt_mcp_server_f7f5da3e371f1f8d831854c428f98007ef7f5801

FinleyGe
FinleyGe requested changes Sep 25, 2025
View reviewed changes
packages/service/common/middle/csrf.ts
@@ -0,0 +1,32 @@
import type { NextApiRequest, NextApiResponse } from 'next';
import { verifyCsrfToken } from '../../support/permission/auth/common';
import { generateCsrfToken } from '../../../../projects/app/src/web/support/user/api';
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

verifyCsrfToken 和 generateCsrfToken 应该放在一个模块里面

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

前端检测到cookie即将过期, 要主动请求generateCsrfToken, 所以generateCsrfToken放在了api模块, 便于请求; verifyCsrfToken则放在中间件模块用于验证CsrfToken

packages/service/common/middle/csrf.ts Outdated

try {
const csrfToken = await getCsrfTokenFromRequest(req);
verifyCsrfToken(csrfToken || '');
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

参数能接受 undefined 不就行了

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

projects/app/src/web/common/utils/csrfToken.ts
};

const isTokenValid = (expiresAt: number): boolean => {
const currentTime = Math.floor(Date.now() / 1000);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

怎么还 /1000,直接比较 timestamp 不就行了吗

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

jwt标准是用秒级时间戳来生成签名, 这里 /1000 是为与jwt的秒级别统一

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@FinleyGe FinleyGe FinleyGe requested changes

Assignees
No one assigned
Labels
size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@fishwww-ww @FinleyGe