dekun
2026-05-30 11:57:00 +08:00
parent 4c4af4a464
commit 8ffe46a344
6 changed files with 165 additions and 14 deletions
+33 -1
@@ -118,11 +118,43 @@ def cookie_secure_for_request(request) -> bool:
return proto == "https"
def embed_allowed() -> bool:
"""允许被本地导航等页面 iframe 嵌入(默认开启,内网场景)。"""
return (os.getenv("HUB_ALLOW_EMBED") or "true").strip().lower() in (
"1",
"true",
"yes",
"on",
)
def embed_frame_ancestors() -> str:
"""CSP frame-ancestors;默认 *,可设 HUB_EMBED_ORIGINS=http://192.168.8.6:5070"""
raw = (os.getenv("HUB_EMBED_ORIGINS") or "*").strip()
if raw == "*":
return "*"
origins = [o.strip() for o in raw.split(",") if o.strip()]
return " ".join(origins) if origins else "*"
def set_session_cookie(response, request, token: str) -> None:
secure = cookie_secure_for_request(request)
response.set_cookie(
SESSION_COOKIE,
token,
httponly=True,
samesite="lax",
path="/",
max_age=SESSION_MAX_AGE_SEC,
secure=secure,
)
def is_public_path(path: str, method: str) -> bool:
p = (path or "").split("?")[0].rstrip("/") or "/"
if p.startswith("/assets"):
return True
if p in ("/login", "/api/auth/login", "/api/auth/status", "/api/ping"):
if p in ("/login", "/embed-auth", "/api/auth/login", "/api/auth/status", "/api/ping"):
return True
if p == "/api/auth/logout" and method.upper() == "POST":
return True