fix: 修复nginx缓存导致串用户问题

2025-09-20 17:26:38 +08:00 · 2024-07-19 13:39:05 +08:00 · 2024-07-19 13:39:05 +08:00 · ce815a98d0
commit ce815a98d0
parent e2cf6b1e14
3 changed files with 44 additions and 1 deletions
--- a/middleware/auth.go
+++ b/middleware/auth.go
@ -6,6 +6,7 @@ import (
 	"net/http"
 	"one-api/common"
 	"one-api/model"
+	"strconv"
 	"strings"
 )

@ -15,6 +16,7 @@ func authHelper(c *gin.Context, minRole int) {
 	role := session.Get("role")
 	id := session.Get("id")
 	status := session.Get("status")
+	useAccessToken := false
 	if username == nil {
 		// Check access token
 		accessToken := c.Request.Header.Get("Authorization")
@ -33,6 +35,7 @@ func authHelper(c *gin.Context, minRole int) {
 			role = user.Role
 			id = user.Id
 			status = user.Status
+			useAccessToken = true
 		} else {
 			c.JSON(http.StatusOK, gin.H{
 				"success": false,
@ -42,6 +45,36 @@ func authHelper(c *gin.Context, minRole int) {
 			return
 		}
 	}
+	if !useAccessToken {
+		// get header New-Api-User
+		apiUserIdStr := c.Request.Header.Get("New-Api-User")
+		if apiUserIdStr == "" {
+			c.JSON(http.StatusUnauthorized, gin.H{
+				"success": false,
+				"message": "无权进行此操作，请刷新页面或清空缓存后重试",
+			})
+			c.Abort()
+			return
+		}
+		apiUserId, err := strconv.Atoi(apiUserIdStr)
+		if err != nil {
+			c.JSON(http.StatusUnauthorized, gin.H{
+				"success": false,
+				"message": "无权进行此操作，登录信息无效，请重新登录",
+			})
+			c.Abort()
+			return
+
+		}
+		if id != apiUserId {
+			c.JSON(http.StatusUnauthorized, gin.H{
+				"success": false,
+				"message": "无权进行此操作，与登录用户不匹配，请重新登录",
+			})
+			c.Abort()
+			return
+		}
+	}
 	if status.(int) == common.UserStatusDisabled {
 		c.JSON(http.StatusOK, gin.H{
 			"success": false,
--- a/web/src/helpers/api.js
+++ b/web/src/helpers/api.js
@ -1,10 +1,13 @@
-import { showError } from './utils';
+import { getUserIdFromLocalStorage, showError } from './utils';
 import axios from 'axios';

 export const API = axios.create({
  baseURL: import.meta.env.VITE_REACT_APP_SERVER_URL
    ? import.meta.env.VITE_REACT_APP_SERVER_URL
    : '',
+  headers: {
+    'New-API-User': getUserIdFromLocalStorage()
+  }
 });

 API.interceptors.response.use(
--- a/web/src/helpers/utils.js
+++ b/web/src/helpers/utils.js
@ -33,6 +33,13 @@ export function getLogo() {
  return logo;
 }

+export function getUserIdFromLocalStorage() {
+  let user = localStorage.getItem('user');
+  if (!user) return -1;
+  user = JSON.parse(user);
+  return user.id;
+}
+
 export function getFooterHTML() {
  return localStorage.getItem('footer_html');
 }