From 3c84ec43a275246ad068dce362d32529981f2d55 Mon Sep 17 00:00:00 2001
From: user
Date: Fri, 26 Sep 2025 12:21:58 +0300
Subject: [PATCH] admin fix
---
 app/api/routes/admin.py | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/app/api/routes/admin.py b/app/api/routes/admin.py
index fbbedc8..f4e44df 100644
--- a/app/api/routes/admin.py
+++ b/app/api/routes/admin.py
@@ -40,6 +40,7 @@ ADMIN_COOKIE_NAME = os.getenv('ADMIN_COOKIE_NAME', 'admin_session')
 ADMIN_COOKIE_MAX_AGE = int(os.getenv('ADMIN_COOKIE_MAX_AGE', '172800')) # 48h default
 ADMIN_COOKIE_SAMESITE = os.getenv('ADMIN_COOKIE_SAMESITE', 'Lax')
 ADMIN_COOKIE_SECURE_MODE = os.getenv('ADMIN_COOKIE_SECURE', 'auto').lower()
+ADMIN_HEADER_NAME = os.getenv('ADMIN_HEADER_NAME', 'X-Admin-Token')
 def _cookie_secure_flag(request) -> bool:
@@ -65,13 +66,27 @@ def _set_admin_cookie(resp, request, value: str, max_age: Optional[int] = None):
 def _clear_admin_cookie(resp, request):
 _set_admin_cookie(resp, request, '', max_age=0)
+def _get_admin_header(request) -> Optional[str]:
+ target = ADMIN_HEADER_NAME.lower()
+ for key, value in request.headers.items():
+ if key.lower() == target:
+ return value
+ return None
+
 def _auth_ok(request) -> bool:
 token = os.getenv('ADMIN_API_TOKEN')
 if not token:
 return False
 cookie_value = request.cookies.get(ADMIN_COOKIE_NAME)
- return cookie_value == token
+ if cookie_value == token:
+ return True
+ header_value = _get_admin_header(request)
+ if not header_value:
+ return False
+ if header_value.startswith('Bearer '):
+ header_value = header_value.split(' ', 1)[1].strip()
+ return header_value == token
 def _unauthorized():
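Review bot: Both token checks in `_auth_ok` use plain `==`, so the time the comparison takes depends on how many leading characters of the cookie or header value match the static `ADMIN_API_TOKEN`; use `hmac.compare_digest(cookie_value or '', token)` and `hmac.compare_digest(header_value, token)` instead, which needs `import hmac` added to the module's import block outside this hunk. The `Bearer ` prefix strip is case-sensitive while HTTP auth-scheme names are not, so a `bearer <token>` header falls through to a raw comparison and is rejected; if that is intended, a one-line comment saying so would spare the next reader the question. `_get_admin_header` scans every header with a lowercased compare; if `request.headers` is already a case-insensitive mapping (the `response.json` call elsewhere in the patch suggests Sanic, where it is), `request.headers.get(ADMIN_HEADER_NAME)` does the same job in one line — worth confirming against the framework in use. `_unauthorized` starts on the hunk's last line and continues outside it.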
@@ -146,7 +161,12 @@ async def s_api_v1_admin_login(request):
 _clear_admin_cookie(resp, request)
 return resp
- resp = response.json({"ok": True})
+ resp = response.json({
+ "ok": True,
+ "cookie_name": ADMIN_COOKIE_NAME,
+ "header_name": ADMIN_HEADER_NAME,
+ "max_age": ADMIN_COOKIE_MAX_AGE,
+ })
 _set_admin_cookie(resp, request, token, ADMIN_COOKIE_MAX_AGE)
 return resp
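Review bot: The new response body echoes `max_age` as a bare integer with no unit, and the same `ADMIN_COOKIE_MAX_AGE` is what `_set_admin_cookie` receives two lines below; a comment on that key, `# seconds; mirrors the cookie's Max-Age`, tells API clients what they are reading (the constant's default of `172800` is documented as 48h in the first hunk). The `header_name` key advertises the header-based channel this commit adds, so the handler's docstring should state that a later request is accepted by `_auth_ok` either with the cookie set here or with that header carrying the token. The enclosing `s_api_v1_admin_login` starts outside this hunk.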