解决上传图像失败,导致数据异常问题
- router_users_auth.py +4 -0
- router_users_profile.py +13 -1
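--- a/router_users_auth.py
+++ b/router_users_auth.py
@@ -197,6 +197,10 @@ async def register_user(request: Request, user: UserRegister):
     new_user = user.dict()
     new_user.pop("code", None) # 移除验证码字段,不存入数据库
 
+    # 🔒 安全防护:拒绝 base64 头像数据
+    if new_user.get("avatarDataUrl", "").startswith("data:"):
+        new_user["avatarDataUrl"] = ""
+
     # 🔒 P0安全增强:密码哈希化存储(不再存储明文密码)
     new_user["password"] = hash_password(new_user["password"])
 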
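Review bot: The new guard at line 201 calls `.startswith` on whatever `new_user.get("avatarDataUrl", "")` returns, and `user.dict()` on line 197 emits every model field, so if `avatarDataUrl` is declared optional and left unset its value is `None` rather than absent and registration fails with AttributeError instead of succeeding (the model is outside the hunk, so confirm). The same pattern is in router_users_profile.py at new lines 67 and 121, where an explicit `"avatarDataUrl": null` in an update body triggers it. Normalising first, `avatar = new_user.get("avatarDataUrl") or ""` followed by `if avatar.lstrip().lower().startswith("data:"):`, removes the crash and also closes the case-variant bypass (`DATA:`) of a prefix-only check; since the stated purpose in the profile file is limiting JSON growth, a length cap on the field (a constant such as `MAX_AVATAR_URL_LEN`, value to be chosen) would also cover oversized non-data URLs, which the prefix test lets through. The silent reset to `""` means the client is never told its avatar was dropped; a 422 response would make the rejection visible. register_user continues outside the hunk.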
router_users_profile.py
CHANGED
|
@@ -63,6 +63,12 @@ async def get_user_profile(account: str):
|
|
| 63 |
user_data["receivedFavorites"] = sum(item.get("favorites", 0) for item in user_items)
|
| 64 |
user_data["receivedUses"] = sum(item.get("uses", 0) for item in user_items)
|
| 65 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 66 |
# 返回用户数据(排除敏感的密码字段)
|
| 67 |
return {"status": "success", "data": {k: v for k, v in user_data.items() if k != "password"}}
|
| 68 |
|
|
@@ -109,7 +115,13 @@ async def update_user_profile(account: str, update_data: UserUpdate):
|
|
| 109 |
|
| 110 |
# 遍历请求中的字段,只更新非空值
|
| 111 |
# exclude_unset=True 表示只包含请求中明确传递的字段
|
| 112 |
-
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 113 |
if v is not None:
|
| 114 |
user[k] = v
|
| 115 |
|
|
|
|
| 63 |
user_data["receivedFavorites"] = sum(item.get("favorites", 0) for item in user_items)
|
| 64 |
user_data["receivedUses"] = sum(item.get("uses", 0) for item in user_items)
|
| 65 |
|
| 66 |
+
# 🔒 运行时自愈:如果 avatarDataUrl 是 base64,清除它并持久化修复
|
| 67 |
+
if user_data.get("avatarDataUrl", "").startswith("data:"):
|
| 68 |
+
user_data["avatarDataUrl"] = ""
|
| 69 |
+
users_db[account] = user_data
|
| 70 |
+
db.save_data("users.json", users_db)
|
| 71 |
+
|
| 72 |
# 返回用户数据(排除敏感的密码字段)
|
| 73 |
return {"status": "success", "data": {k: v for k, v in user_data.items() if k != "password"}}
|
| 74 |
|
|
|
|
| 115 |
|
| 116 |
# 遍历请求中的字段,只更新非空值
|
| 117 |
# exclude_unset=True 表示只包含请求中明确传递的字段
|
| 118 |
+
update_dict = update_data.dict(exclude_unset=True)
|
| 119 |
+
|
| 120 |
+
# 🔒 安全防护:拒绝 base64 头像数据,防止 JSON 膨胀
|
| 121 |
+
if update_dict.get("avatarDataUrl", "").startswith("data:"):
|
| 122 |
+
del update_dict["avatarDataUrl"]
|
| 123 |
+
|
| 124 |
+
for k, v in update_dict.items():
|
| 125 |
if v is not None:
|
| 126 |
user[k] = v
|
| 127 |
|
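Review bot: The self-heal added at new lines 66-70 of get_user_profile stores `user_data` back into `users_db[account]` after lines 63-64 have attached the computed `receivedFavorites` and `receivedUses` to it, so if `user_data` is a copy of the stored record (the function starts outside the hunk) the save persists those derived aggregates into users.json, where they go stale and shadow the live computation. It also turns a read endpoint into one that rewrites the whole users file, with no locking visible in an async handler, so two concurrent requests can interleave their saves; a one-off migration, or a write confined to the stored record, would be safer. Healing the persisted record rather than the response dict keeps the two separate:
```python
    # … unchanged: receivedFavorites / receivedUses aggregation …
    if (user_data.get("avatarDataUrl") or "").startswith("data:"):
        user_data["avatarDataUrl"] = ""
        stored = users_db.get(account)
        # heal the persisted record only; user_data also carries derived fields
        if stored is not None and stored is not user_data:
            stored["avatarDataUrl"] = ""
        db.save_data("users.json", users_db)
    # … unchanged: return statement …
```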