From dc64f093974c06e731f04ba9cf94a70e1b55b045 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=B8=8A=E5=AE=98=E9=B8=BF=E4=BF=A1?= <16529010+shangguanhongxin@user.noreply.gitee.com>
Date: Sat, 25 Apr 2026 15:54:49 +0800
Subject: [PATCH 1/2] fix(auth): accept Referer-only browser requests behind proxies

Docker and reverse-proxy deployments may strip sec-fetch metadata while still forwarding Referer, causing browser session requests to be misclassified as remote non-browser traffic and bounce users back to login. Treat Referer as a browser signal and cover the regression with an auth compatibility test.

Made-with: Cursor
---
 flocks/server/auth.py | 2 ++
 tests/server/test_auth_compat.py | 33 ++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)

diff --git a/flocks/server/auth.py b/flocks/server/auth.py
index 7e0590425..f736898af 100644
--- a/flocks/server/auth.py
+++ b/flocks/server/auth.py
@@ -163,6 +163,8 @@ def _is_browser_like_request(request: Request) -> bool:
         return True
     if headers.get("origin"):
         return True
+    if headers.get("referer"):
+        return True
     return False
diff --git a/tests/server/test_auth_compat.py b/tests/server/test_auth_compat.py
index 9640cb9a7..d39550bc6 100644
--- a/tests/server/test_auth_compat.py
+++ b/tests/server/test_auth_compat.py
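Review bot: The new `referer` branch, like the `origin` branch directly above it, returns True on the mere presence of the header, and any non-browser client can attach a `Referer` with a single flag, so this signal cannot tell browser traffic from scripted traffic. If the caller lets this classification decide whether a remote client's session cookie is honoured in place of an API token — the test in this patch authenticates a 10.0.0.2 client by cookie plus Referer alone — that decision now hinges on an attacker-chosen header, and a cross-site browser request carries a Referer too, so presence gives no same-origin guarantee either. If the function is meant only as a UX heuristic (redirect to login vs. 401), say so at the added lines: `# Referer is client-controlled and also present on cross-site browser requests; routing heuristic only, not an auth/CSRF check — enforce origin elsewhere.`; otherwise compare the Referer's host with the request's own (or forwarded) host before returning True. `_is_browser_like_request` begins before this hunk, so whether its result feeds a security decision cannot be confirmed from here.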
@@ -152,6 +152,39 @@ async def _get_user_by_session_id(_session_id: str):
     assert "必须先修改密码" in str(exc_info.value.detail)
+@pytest.mark.asyncio
+async def test_apply_auth_for_request_treats_referer_only_remote_request_as_browser(monkeypatch):
+    async def _has_users():
+        return True
+
+    async def _get_user_by_session_id(_session_id: str):
+        return _FakeLocalUser(must_reset_password=False)
+
+    monkeypatch.setattr(auth_module.AuthService, "has_users", _has_users)
+    monkeypatch.setattr(auth_module.AuthService, "get_user_by_session_id", _get_user_by_session_id)
+    monkeypatch.setattr(
+        auth_module,
+        "get_secret_manager",
+        lambda: _FakeSecrets({auth_module.API_TOKEN_SECRET_ID: "abc123"}),
+    )
+
+    request = _make_request(
+        headers={
+            "user-agent": "Mozilla/5.0",
+            "referer": "http://10.0.0.9:5173/login",
+            "cookie": f"{auth_module.SESSION_COOKIE_NAME}=session-123",
+        },
+        client_host="10.0.0.2",
+        path="/api/auth/me",
+    )
+    _, token, user = await auth_module.apply_auth_for_request(request)
+    try:
+        assert user is not None
+        assert user.username == "test-user"
+    finally:
+        auth_module.clear_auth_context(token)
+
+
 class TestAuthMiddlewareExempt:
     """Cover ``auth_middleware_exempt`` — both fixed paths and regex patterns."""

From cdd0421a2ed44a192b852a3ad02d7f38fbc64675 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E4=B8=8A=E5=AE=98=E9=B8=BF=E4=BF=A1?= <16529010+shangguanhongxin@user.noreply.gitee.com>
Date: Sat, 25 Apr 2026 15:56:19 +0800
Subject: [PATCH 2/2] chore: bump version to v2026.4.24.1

Advance the project version for the follow-up patch release and keep the lockfile metadata aligned with the package manifest.

Made-with: Cursor
---
 pyproject.toml | 2 +-
 uv.lock | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pyproject.toml b/pyproject.toml
index 9ea0d626b..980b2bb88 100644
--- a/pyproject.toml
+++ b/pyproject.toml
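Review bot: The new test pins only the positive path — a remote client carrying both a valid session cookie and a Referer is accepted — so it would still pass if the Referer signal had accidentally become sufficient on its own; a companion case sending the same headers but with `_get_user_by_session_id` returning no user (or with the `cookie` header omitted) and asserting rejection, following the `exc_info.value.detail` pattern of the preceding test, would pin that Referer only affects the browser classification and never authentication. The stubbed `get_secret_manager` returning `"abc123"` is never exercised by the request, which is the point of the test but reads as an oversight; a comment on that `monkeypatch.setattr(` call such as `# an API token is configured but deliberately not sent: a remote cookie session must not need it` would make the intent explicit. `_FakeLocalUser`, `_FakeSecrets` and `_make_request` are defined outside this hunk, so the exact rejection shape has to be taken from the earlier tests in the file.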
@@ -1,6 +1,6 @@
 [project]
 name = "flocks"
-version = "v2026.4.24"
+version = "v2026.4.24.1"
 description = "AI-Native SecOps platform with multi-agent collaboration"
 authors = [
     {name = "Flocks Team", email = "team@example.com"}
diff --git a/uv.lock b/uv.lock
index caa5652e9..e894f7aea 100644
--- a/uv.lock
+++ b/uv.lock
@@ -482,7 +482,7 @@ wheels = [
 [[package]]
 name = "flocks"
-version = "2026.4.24"
+version = "2026.4.24.1"
 source = { editable = "." }
 dependencies = [
     { name = "aiofiles" },