v2.0.1更新

2026-05-26 08:39:12 +08:00
parent cb0c367eb7
commit c575d711ee
34 changed files with 750 additions and 204 deletions
--- a/frontend/api/save_session.php
+++ b/frontend/api/save_session.php
@@ -18,10 +18,9 @@ require_once __DIR__ . '/../config.php';
 // 设置响应头
 header('Content-Type: application/json; charset=utf-8');

-// 允许跨域（如果需要）
-header('Access-Control-Allow-Origin: *');
+// 仅允许同源请求
 header('Access-Control-Allow-Methods: POST, OPTIONS');
-header('Access-Control-Allow-Headers: Content-Type');
+header('Access-Control-Allow-Headers: Content-Type, Authorization');

 // 处理预检请求
 if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
@@ -93,6 +92,67 @@ if (!in_array($data['user_type'], $validUserTypes)) {
    exit();
 }

+// 验证 JWT Token
+$authHeader = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
+if (empty($authHeader) || !preg_match('/^Bearer\s+(.+)$/i', $authHeader, $matches)) {
+    http_response_code(401);
+    echo json_encode([
+        'success' => false,
+        'message' => '缺少认证令牌'
+    ]);
+    exit();
+}
+
+$token = $matches[1];
+$apiUrl = API_BASE_URL . '/api/auth/me';
+
+$ch = curl_init();
+curl_setopt_array($ch, [
+    CURLOPT_URL => $apiUrl,
+    CURLOPT_RETURNTRANSFER => true,
+    CURLOPT_TIMEOUT => 10,
+    CURLOPT_HTTPHEADER => [
+        'Authorization: Bearer ' . $token,
+        'Content-Type: application/json'
+    ],
+    CURLOPT_SSL_VERIFYPEER => false,
+    CURLOPT_SSL_VERIFYHOST => 0
+]);
+
+$apiResponse = curl_exec($ch);
+$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+curl_close($ch);
+
+if ($httpCode !== 200 || empty($apiResponse)) {
+    http_response_code(401);
+    echo json_encode([
+        'success' => false,
+        'message' => '认证令牌无效或已过期'
+    ]);
+    exit();
+}
+
+$tokenData = json_decode($apiResponse, true);
+if (!$tokenData || !isset($tokenData['success']) || !$tokenData['success']) {
+    http_response_code(401);
+    echo json_encode([
+        'success' => false,
+        'message' => '认证验证失败'
+    ]);
+    exit();
+}
+
+// 验证 token 中的 user_id 与请求数据中的 user_id 一致
+$tokenUserId = $tokenData['data']['user_id'] ?? null;
+if ($tokenUserId === null || intval($tokenUserId) !== intval($data['user_id'])) {
+    http_response_code(403);
+    echo json_encode([
+        'success' => false,
+        'message' => '身份验证不匹配'
+    ]);
+    exit();
+}
+
 // 设置 Session 变量
 $_SESSION['user_id'] = $data['user_id'];
 $_SESSION['user_type'] = $data['user_type'];