优化JWT解码逻辑，添加错误处理以防止空用户ID导致的权限拒绝

2024-12-31 01:44:29 +08:00 · 2024-12-31 01:44:29 +08:00 · 079dbeaf81
commit 079dbeaf81
parent 394bcd83ba
5 changed files with 29 additions and 3 deletions
--- a/src/jwt/jwt.cpp
+++ b/src/jwt/jwt.cpp
@ -1,6 +1,8 @@
 #include "jwt.h"

 #include <chrono>
+#include <print>
+
 #include <jwt-cpp/jwt.h>


@ -23,9 +25,13 @@ extern "C"

    auto get_payload(const char* token) -> char*
    {
-        auto decoded_token = jwt::decode(token);
-        auto payload       = decoded_token.get_payload_claim("user_id").as_string();
-        return strdup(payload.c_str());
+        try {
+            auto decoded_token = jwt::decode(token);
+            auto payload       = decoded_token.get_payload_claim("user_id").as_string();
+            return strdup(payload.c_str());
+        } catch (...) {
+            return nullptr;
+        }
    }

    auto verify_token(const char* token, const char* secret) -> int
--- a/src/server/auth/delete.c
+++ b/src/server/auth/delete.c
@ -82,6 +82,11 @@ int user_delete_handler(mg_connection* conn, void* cbdata)
    }

    char* user_id = get_payload(form.token);
+    if (!user_id) {
+        res_permission_denied(conn);
+        delete_form_dtor(&form);
+        return 1;
+    }

    if (form.user_id && strcmp(user_id, form.user_id)) {
        int perm1;
--- a/src/server/auth/repasswd.c
+++ b/src/server/auth/repasswd.c
@ -150,6 +150,11 @@ int user_repasswd_handler(mg_connection* conn, void* cbdata)
    }

    char* user_id = get_payload(form.token);
+    if (!user_id) {
+        res_permission_denied(conn);
+        repasswd_form_dtor(&form);
+        return 1;
+    }

    if (form.user_id && strcmp(user_id, form.user_id)) {
        impl_others(conn, user_id, &form);
--- a/src/server/study/problems.c
+++ b/src/server/study/problems.c
@ -255,6 +255,11 @@ int problems_handler(mg_connection* conn, void* cbdata)
        res_need_token(conn);
    } else {
        char* user_id = get_payload(form.token);
+        if (!user_id) {
+            res_permission_denied(conn);
+            problem_form_dtor(&form);
+            return 1;
+        }
        int result;
        int flag = get_user_permission(user_id, &result);
        if (!flag) {
--- a/src/server/study/sets.c
+++ b/src/server/study/sets.c
@ -204,6 +204,11 @@ int sets_handler(mg_connection* conn, void* cbdata)
        res_need_token(conn);
    } else {
        char* user_id = get_payload(form.token);
+        if (!user_id) {
+            res_permission_denied(conn);
+            set_form_dtor(&form);
+            return 1;
+        }
        int result;
        int flag = get_user_permission(user_id, &result);
        if (!flag) {