Fix the login password verification (#568)

wu-clan · web-flow · commit 644f7a04136c · 2025-04-07T11:04:39.000+08:00
* Fix the login password verification

* Update the check criteria
diff --git a/backend/app/admin/api/v1/sys/token.py b/backend/app/admin/api/v1/sys/token.py
@@ -61,7 +61,8 @@ def append_token_detail() -> None:
         extra_info = await redis_client.get(f'{settings.TOKEN_EXTRA_INFO_REDIS_PREFIX}:{session_uuid}')
         if extra_info:
             extra_info = json.loads(extra_info)
-            if extra_info.get('login_type') != 'swagger':
+            # 排除 swagger 登录生成的 token
+            if extra_info.get('swagger') is None:
                 if username is not None:
                     if username == extra_info.get('username'):
                         append_token_detail()
diff --git a/backend/app/admin/service/auth_service.py b/backend/app/admin/service/auth_service.py
@@ -33,7 +33,7 @@ class AuthService:
     """认证服务类"""
 
     @staticmethod
-    async def user_verify(db: AsyncSession, username: str, password: str) -> User:
+    async def user_verify(db: AsyncSession, username: str, password: str | None) -> User:
         """
         验证用户名和密码
 
@@ -45,10 +45,16 @@ async def user_verify(db: AsyncSession, username: str, password: str) -> User:
         user = await user_dao.get_by_username(db, username)
         if not user:
             raise errors.NotFoundError(msg='用户名或密码有误')
-        elif not password_verify(password, user.password):
+
+        if user.password is None:
             raise errors.AuthorizationError(msg='用户名或密码有误')
-        elif not user.status:
+        else:
+            if not password_verify(password, user.password):
+                raise errors.AuthorizationError(msg='用户名或密码有误')
+
+        if not user.status:
             raise errors.AuthorizationError(msg='用户已被锁定, 请联系统管理员')
+
         return user
 
     async def swagger_login(self, *, obj: HTTPBasicCredentials) -> tuple[str, User]:
@@ -65,7 +71,7 @@ async def swagger_login(self, *, obj: HTTPBasicCredentials) -> tuple[str, User]:
                 str(user.id),
                 user.is_multi_login,
                 # extra info
-                login_type='swagger',
+                swagger=True,
             )
             return a_token.access_token, user
 
