移除Host头验证中间件及相关逻辑,简化OAuth相关API的请求处理,优化代码结构和可读性。

2025-09-22 20:29:46 +08:00
parent c1b5c76e5c
commit 75969253d0
10 changed files with 22 additions and 339 deletions
-31
@@ -38,11 +38,6 @@ import {
logout,
type UserRole
} from "~/api/login/auth.server";
import {
validateRequest,
isProtectedRoute,
logSecurityEvent
} from "~/middleware/host-validation";
// 定义需要高级权限的路径
export const developerOnlyPaths = [
@@ -75,32 +70,6 @@ export async function loader({ request }: LoaderFunctionArgs) {
const url = new URL(request.url);
const pathname = url.pathname;
// ==================== Host头验证 ====================
// 1. 首先进行Host头验证,防止Host Header注入攻击
const hostValidation = validateRequest(request);
if (!hostValidation.valid) {
// 记录安全事件
logSecurityEvent('host_validation_failed', hostValidation.error || 'Unknown validation error', request);
// 对于受保护的路由,直接返回403错误
if (isProtectedRoute(pathname)) {
throw new Response("Forbidden: Invalid Host header", {
status: 403,
statusText: "Forbidden"
});
}
// 对于普通路由,重定向到错误页面
console.error('❌ Host验证失败:', hostValidation.error);
throw new Response("Forbidden: Invalid request headers", {
status: 403,
statusText: "Forbidden"
});
}
// console.log('✅ Host验证通过,继续处理请求');
// ==================== Host头验证结束 ====================
// 排除不需要登录验证的路径
const publicPaths = ['/login', '/favicon.ico', '/callback'];
const isPublicPath = publicPaths.some(path => pathname.startsWith(path));
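Review bot: With the Host validation block deleted from the loader, nothing in this function now constrains the host part of `url`, which is built from `request.url` two lines above the removed block, so any later code that derives absolute URLs from `url.origin` or `url.host` (redirects, OAuth callback targets) would trust a client-supplied Host header; I cannot see from this hunk whether such code exists, so this is a point to confirm rather than a proven defect. The commit message says the middleware was removed but not what replaces the check; if it is now enforced by a reverse proxy or a framework-level allowed-hosts setting, record that here, e.g. `// Host header is not validated in this loader; it must be pinned by the reverse proxy / allowed-hosts config in front of the app.`. If nothing replaces it, consider keeping the `logSecurityEvent('host_validation_failed', …)` audit path even if the 403 response is dropped, so failed Host matches remain visible in logs. The loader's body continues past the end of this hunk.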